1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.

Slides:



Advertisements
Similar presentations
Understanding the Impact of Route Reflection in Internal BGP Ph.D. Final Defense presented by Jong Han (Jonathan) Park July 15 th,
Advertisements

How Secure are Secure Interdomain Routing Protocols? B 大氣四 鍾岳霖 B 財金三 婁瀚升 1.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.
© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
Putting BGP on the Right Path: A Case for Next-Hop Routing Michael Schapira Joint work with Yaping Zhu and Jennifer Rexford (Princeton University)
1 Interdomain Routing and Games Hagay Levin, Michael Schapira and Aviv Zohar The Hebrew University.
Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.
Towards a Logic for Wide-Area Internet Routing Nick Feamster and Hari Balakrishnan M.I.T. Computer Science and Artificial Intelligence Laboratory Kunal.
Putting BGP on the Right Path: A Case for Next-Hop Routing Michael Schapira (Yale University and UC Berkeley) Joint work with Yaping Zhu and Jennifer Rexford.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Interdomain Routing Security COS 461: Computer Networks Michael Schapira.
1 Tutorial 5 Safe “Peering Backup” Routing With BGP Based on:
Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
Tutorial 5 Safe Routing With BGP Based on: Internet.
Internet Networking Spring 2004 Tutorial 5 Safe “Peering Backup” Routing With BGP.
Stable Internet Routing Without Global Coordination Jennifer Rexford Princeton University Joint work with Lixin Gao (UMass-Amherst)
On the Stability of Rational, Heterogeneous Interdomain Route Selection Hao Wang Yale University Joint work with Haiyong Xie, Y. Richard Yang, Avi Silberschatz,
Interdomain Routing Establish routes between autonomous systems (ASes). Currently done with the Border Gateway Protocol (BGP). AT&T Qwest Comcast Verizon.
Inherently Safe Backup Routing with BGP Lixin Gao (U. Mass Amherst) Timothy Griffin (AT&T Research) Jennifer Rexford (AT&T Research)
Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.
Economic Incentives in Internet Routing Jennifer Rexford Princeton University
BGP Wedgies ---- Bad Policy Interactions that Cannot be Debugged JaNOG / Kyushu
Stable Internet Routing Without Global Coordination Jennifer Rexford AT&T Labs--Research Joint work with Lixin Gao.
Towards a Logic for Wide- Area Internet Routing Nick Feamster Hari Balakrishnan.
9/15/2015CS622 - MIRO Presentation1 Wen Xu and Jennifer Rexford Department of Computer Science Princeton University Chuck Short CS622 Dr. C. Edward Chow.
1 Controlling IP Spoofing via Inter-Domain Packet Filters Zhenhai Duan Department of Computer Science Florida State University.
How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir.
Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks BGP.
A Case Study in Understanding OSPFv2 and BGP4 Interactions Using Efficient Experiment Design David Bauer†, Murat Yuksel‡, Christopher Carothers† and Shivkumar.
David Wetherall Professor of Computer Science & Engineering Introduction to Computer Networks Hierarchical Routing (§5.2.6)
Finding Vulnerable Network Gadgets in the Internet Topology Author: Nir Amar Supervisor: Dr. Gabi Nakibly Author: Nir Amar Supervisor: Dr. Gabi Nakibly.
Sign What You Really Care About -- Secure BGP AS Paths Efficiently Yang Xiang, Z. Wang, J. Wu, X. Shi, X. Yin Tsinghua University, Beijing AsiaFI 2011.
Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.
A Firewall for Routers: Protecting Against Routing Misbehavior1 June 26, A Firewall for Routers: Protecting Against Routing Misbehavior Jia Wang.
Secure Origin BGP: What is (and isn't) in a name? Dan Wendlandt Princeton Routing Security Reading Group.
A Light-Weight Distributed Scheme for Detecting IP Prefix Hijacks in Real-Time Lusheng Ji†, Joint work with Changxi Zheng‡, Dan Pei†, Jia Wang†, Paul Francis‡
Detecting Selective Dropping Attacks in BGP Mooi Chuah Kun Huang November 2006.
Efficient Secure BGP AS Path using FS-BGP Xia Yin, Yang Xiang, Zhiliang Wang, Jianping Wu Tsinghua University, Beijing 81th Quebec.
CS 4396 Computer Networks Lab BGP. Inter-AS routing in the Internet: (BGP)
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
Pretty Good BGP: Improving BGP by Cautiously Adopting Routes Josh Karlin, Stephanie Forrest, Jennifer Rexford IEEE International Conference on Network.
CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 16 PHILLIPA GILL - STONY BROOK U.
Measuring and Mitigating AS-level Adversaries Against Tor
1 Border Gateway Protocol (BGP) and BGP Security Jeff Gribschaw Sai Thwin ECE 4112 Final Project April 28, 2005.
Internet Routing Verification John “JI” Ioannidis AT&T Labs – Research Copyright © 2002 by John Ioannidis. All Rights Reserved.
Michael Schapira, Princeton University Fall 2010 (TTh 1:30-2:50 in COS 302) COS 561: Advanced Computer Networks
BGP security some slides borrowed from Jen Rexford (Princeton U)
One Hop for RPKI, One Giant Leap for BGP Security Yossi Gilad (Hebrew University) Joint work with Avichai Cohen (Hebrew University), Amir Herzberg (Bar.
1 Internet Routing 11/11/2009. Admin. r Assignment 3 2.
Are We There Yet? On RPKI Deployment and Security
Are We There Yet? On RPKI Deployment and Security
Are We There Yet? On RPKI Deployment and Security
Border Gateway Protocol
COS 561: Advanced Computer Networks
Are We There Yet? On RPKI Deployment and Security
COS 561: Advanced Computer Networks
COS 561: Advanced Computer Networks
COS 561: Advanced Computer Networks
Why don’t we have a Secure and Trusted Inter-Domain Routing System?
COS 561: Advanced Computer Networks
BGP Security Jennifer Rexford Fall 2018 (TTh 1:30-2:50 in Friend 006)
BGP Instability Jennifer Rexford
Presentation transcript:

1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University

2  Many widely used communication protocols on the Internet were not originally designed with security considerations in mind  When working on designing and deploying new secure protocols we are faced with the following question: o How can we provide sufficient protection against attackers, while minimizing our resources and without introducing new complications?  This is especially crucial, when the new secure protocols have to be partially deployed together with legacy insecure protocols

3 BGP RPKI ( origin authentication ) BGPSEC S S 4323,2828, Orgn, prefix S S 2828, Orgn, prefix S S SP, 4323, 2828, Orgn, prefix In deployment Crypto done offline In standardization Crypto done online What does (partially-deployed) BGPSEC offer over RPKI? (Or, is the juice worth the squeeze?) Security Benefits or Juice BGP and BGPSEC coexistence  road to BGPSEC full-deployment is very tricky because introducing security only partially introduces new vulnerabilities  not fully deployed BGPSEC provides only meager benefits over RPKI if network operators do not prioritize security in their routing policies

4 1. Background: 1. BGP, RPKI, BGPSEC 2. routing policies when BGPSEC is only partially deployed 2. BGPSEC in partial deployment is tricky 3. Is the juice worth the squeeze? 4. Summary

55 Sprint Origin prefix Orgn prefix Orgn prefix 2828, Orgn prefix 2828, Orgn prefix 4323, 2828, Orgn prefix 4323, 2828, Orgn prefix A Sprint,4323,2828,Orgn prefix Sprint,4323,2828,Orgn prefix

66 Sprint Origin A prefix 4323, 2828, Orgn prefix 4323, 2828, Orgn prefix A prefix A prefix A Which route to choose? Use routing policies: e.g. prefer shorter routes. ?

A 77 Sprint Origin RPKI Binds prefixes to ASes authorized to originate them. RPKI invalid! Sprint checks that A is not authorized for this prefix prefix A prefix A prefix 4323, 2828, Orgn prefix 4323, 2828, Orgn prefix

88 Sprint Origin Which route to choose? Use routing policies: e.g. prefer shorter routes. 4323, 2828, Orgn prefix 4323, 2828, Orgn prefix ? A A, Orgn prefix A, Orgn prefix RPKI Binds prefixes to ASes authorized to originate them. RPKI invalid! A prefix A prefix

A S S SP,A,Orgn,prefix A,Orgn,prefix BGPSEC invalid! 99 Sprint Origin prefix P/S S S 4323,2828, Orgn, prefix S S 2828, Orgn, prefix S S SP, 4323,2828,Orgn, prefix S S 4323,2828,Orgn, prefix 2828, Orgn, prefix S S P/S ? Sprint can verify that the Origin never sent A, Orgn, prefix S S RPKI S S 2828, Orgn, prefix

What happens when BGP and BGPSEC coexist? 10 BGP RPKI ( origin authentication ) BGPSEC S S 4323,2828, Orgn, prefix S S 2828, Orgn, prefix S S SP, 4323, 2828, Orgn, prefix Security Benefits or Juice prevent prefix hijacks suppose RPKI is fully deployed and focus on 1-hop hijack prevent route manipulations

A 11 Sprint Origin Siemens P/S Should Sprint choose the long secure route OR the short insecure one? P/S ? In BGPSEC insecure ASes use legacy BGP, and secure ASes must accept legacy insecure routes! It depends on how Sprint prioritizes security in its routing decision! S S 4323, 2828, Orgn, prefix S S 2828, Orgn, prefix S S SP, 4323, 2828, Orgn, prefix A, Orgn prefix A, Orgn prefix A P/S RPKI prefix

12 1. local preference (often based on business relationships with neighbors) 2.prefer short routes … 3.break ties in a consistent manner

Security 1 st 1. local preference (often based on business relationships with neighbors) Security 2 nd 2.prefer short routes Security 3 rd 3.break ties in a consistent manner 13  NANOG survey of 100 network operators shows that 10%, 20%, and 41% would place security 1 st, 2 nd, and 3 rd respectively [Gill, Schapira, Goldberg’12] Security Local Pref, Route Length Security Local Pref, Route Length

14 Security 1 st 1. local preference (prefer customer routes over peer over provider routes) Security 2 nd 2.prefer short routes Security 3 rd 3.break ties in a consistent manner  To study routing outcomes, we use a concrete model of local preference. [Gao-Rexford’00, Huston’99, etc.]  Our results are robust with respect to various local pref models

15 1. Background: BGP, RPKI, BGPSEC, routing policies 2. BGPSEC in partial deployment is tricky 1. Protocol downgrade attacks 2. Collateral damages 3. Routing anomalies (Routing instabilities and BGP Wedgies) 3. Is the Juice worth the squeeze? 4. Summary

A 16 Sprint Origin prefix P/S S S 4323,2828, Orgn, prefix S S 2828, Orgn, prefix S S SP, 4323, 2828, Orgn, prefix P/S Security 3 rd : Route length trumps route security! ? Protocol downgrade attack: Before the attack, Sprint has a legitimate secure route. During the attack, Sprint downgrades to an insecure bogus route. A, Orgn prefix A, Orgn prefix

17 A Origin Siemens prefix P/S A, Orgn prefix A, Orgn prefix P/S ? Protocol downgrade attack: A secure AS with a secure route before the attack, downgrades to an insecure bogus route during the attack. Sprint P/S

M prefix P/S

W XZ Y M Before X deploys BGPSEC ? X offers the shorter route ? Shorter route! prefix Orgn V P/S Secure ASes: 5 Happy ASes: 8

Y experiences collateral damage because X is secure! W XVZ Y M ? W offers the shorter route! ? Security 2 nd : Security trumps route length! P/S Secure ASes: 6 Happy ASes: 7 After X deploys BGPSEC prefix Orgn P/S

A ? ? 5617 Collateral damage (during the attack): More secure ASes leads to more insecure ASes choosing bogus routes prefix P/S

22  Routing policies can also interact in ways that can cause BGP Wedgies [Griffin and Huston, rfc-4264, 2005] o can result in unpredictable and undesirable routing configurations

for 29518, local pref is more important than security P/S P/S Origin P/S prefix intended routing configuration for security is more important than local pref

P/S P/S Origin P/S prefix unintended routing configuration for 29518, local pref is more important than security for security is more important than local pref

25 Routing anomalies such as BGPSEC Wedgies and persistent routing oscillations and can be avoided as long as all ASes prioritize security the same way. Otherwise, these routing anomalies could happen.

26 1. Background: BGP, RPKI, BGPSEC, routing policies 2. BGPSEC in partial deployment is tricky 3. Is the Juice worth the Squeeze? 1. How can we quantify BGPSEC benefits? 2. Can we bound BGPSEC benefits without knowing who may deploy it? 3. What are BGPSEC benefits beyond what RPKI can provide? 4. Summary

Fix a particular Origin, attacker A and let S be the set of ASes deploying BGPSEC The set of ASes choosing a legitimate route is Happy S,, 27 A S = | Happy(S, A, Origin) | = 3 prefix Sprint A Siemens Origin prefix 27 Origin prefix

Fix a particular Origin, attacker A and let S be the set of ASes deploying BGPSEC The set of ASes choosing a legitimate route is Happy S,, 28 Origin prefix 28 S = everyone | Happy(S, A, Origin) | = 5 prefix Sprint A Siemens Origin prefix P/S A

Fix a particular Origin, attacker A and let S be the set of ASes deploying BGPSEC Our metric is the average of the set of Happy ASes 29 S = everyone | Happy(S, A, Origin) | = 5 prefix Sprint A Siemens Origin prefix P/S ∑ all A all O Happy S,, |V| 3 1 Metric(S) = Origin prefix A

 We can efficiently compute bounds on BGPSEC benefits independently of who deploys it o to do this we figure out which ASes do not benefit from BGPSEC by considering only the scenario when no AS deploys BGPSEC 30

A 31 Sprint Origin Siemens prefix A, Orgn prefix A, Orgn prefix The bogus route is shorter!

A 32 Sprint Origin Siemens P/S Sprint is doomed The bogus route is shorter! P/S Regardless of who is secure, Sprint will select the shorter bogus route! A, Orgn prefix A, Orgn prefix

A 33 Sprint Origin Siemens P/S A, Orgn prefix A, Orgn prefix The legitimate route is shorter! Sprint is doomed The bogus route is shorter! prefix P/S

A 34 Sprint Origin Siemens 2828 and 4323 are immune The legitimate route is shorter! A, Orgn prefix A, Orgn prefix Regardless of who is secure, 4323 and 2828 will select legitimate routes! Sprint is doomed The bogus route is shorter! prefix

A 35 Sprint Origin Siemens 2828 and 4323 are immune The legitimate route is shorter! A, Orgn prefix A, Orgn prefix Sprint is doomed The bogus route is shorter! prefix Only Siemans is neither doomed nor immune!

A 36 Sprint Origin Siemens P/S Regardless of who is secure, only Siemans can benefit from BGPSEC! Only Siemans is neither doomed nor immune! A, Orgn prefix A, Orgn prefix 2828 and 4323 are immune The legitimate route is shorter! Sprint is doomed The bogus route is shorter! prefix

37  Regardless of who deploys BGPSEC: 1.Doomed ASes will always choose bogus routes 2.Immune ASes will always choose legitimate routes 3.Only protectable ASes can be benefit from BGPSEC  Security benefits lower bound = fraction of immune ASes  Security benefits upper bound = 1 - fraction of doomed ASes  Most ASes are immune or doomed when security is 3 rd

38 lower bound with RPKI 17% upper bound with BGPSEC In the most realistic security 3 rd model, the best we could do is make extra 17% happy with security! 53% 36% 47% Average Fraction of Happy ASes

39 lower bound with RPKI 17% 53% 36% 47% Securing 56% of ASes on the Internet Improvements in the security 3 rd and 2 nd models are only 5% and 10% respectively. 25% Average Fraction of Happy ASes

40  Graph: A UCLA AS-level topology from o 40K ASes, 73.5K and 62K customer-provider and peer links  Used large-scale simulations to determine o upper and lower bounds on metric improvement o security-benefits for many different BGPSEC deployments  Robustness Tests o added 550K extra peering links inferred from IXP data on o accounted for traffic patterns by focusing on only certain destinations (e.g. content providers) and attackers o repeated analysis with respect to different local pref models

41  Survey shows ~80% of network operators prefer customer over peer routes, but some (e.g. content providers) prefer shorter peer routes over longer customer routes [Gill, Schapira, Goldberg 2012]  In the LP k model, for any k ≥ 0, rank routes as follows: o customer routes of length 1 o peer routes of length 1 o … o customer routes of length k o peer route of length k o customer routes of length > k o peer routes of length > k o provider routes

42 Securing 56% of ASes on the Internet Average Fraction of Happy ASes As k increases, metric improvements are 5%, 4%, 4%, and 6%. 53%68% 80% 81% % 12% 9% 12% Sec 3 rd LP 0 LP 1 LP 2 LP 50

43 BGP RPKI ( origin authentication ) BGPSEC Security Benefits or Juice  Unless Security is 1 st or BGPSEC deployment is very large, security benefits from partially deployed BGPSEC are meager on average  On average, not much observable difference between Sec 2 nd and 3 rd  Tier 1 ASes are good candidates for initial deployment when security is 1 st but terrible candidates otherwise (see paper for details) BGP and BGPSEC coexistence: very tricky protocol downgrades collateral damages routing anomalies S S 4323,2828, Orgn, prefix S S 2828, Orgn, prefix S S SP, 4323, 2828, Orgn prefix (very important)

44 check out the full version at 1More empirical analysis and plots 2More Robustness tests 3BGPSEC deployment guidelines

45 Securing 56% of ASes on the Internet Average Fraction of ASes LP 0 LP 1 LP 2 LP Sec 3 rd As k increases, the fraction of ASes with secure routes grows, but most of them are happy anyway. 6% 4% 3% 10% 18% 21%

46 Average Fraction of ASes As ASes become more stubborn (i.e. k increases), metric improvements are 9.9%, 9.7%, 10.1%, and 9.8% LP 0 LP 1 LP 2 LP 50 53%68% 80% 81% % 24% 15% 14% Sec 2 nd Securing 56% of ASes on the Internet

47 Average Fraction of ASes LP 0 LP 1 LP 2 LP Sec 2 nd Securing 56% of ASes on the Internet As ASes become more stubborn (i.e. k increases), fraction of ASes with secure routes grows, but most of them are happy anyway 4% 3% 12% 19% 21%

48 Average Fraction of ASes As ASes become more stubborn (i.e. k increases), metric improvements are 24.8%, 24.7%, 17.2%, and 16.1% LP 0 LP 1 LP 2 LP 50 53%68% 80% 81% % 32% 20% 19% Sec 1 st Securing 56% of ASes on the Internet

LP 0 LP 1 LP 2 LP 50 As ASes become more stubborn (i.e. k increases), fraction of happy ASes with secure routes grows Sec 1 st Securing 56% of ASes on the Internet Average Fraction of ASes 18% 22%23% 14% 10%9%

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.