BGP update profiles and the implications for secure BGP update validation processing Geoff Huston Swinburne University of Technology PAM2007 5 April 2007.

Slides:

Advertisements

Similar presentations

NOPEER Route Attribute Propose a well-known transitive advisory scope attribute Applied by originating AS to route prefixes Interpretable as advice to.

Advertisements

BGP01 An Examination of the Internets BGP Table Behaviour in 2001 Geoff Huston Telstra.

Allocation vs Announcement A comparison of RIR IPv4 Allocation Records with Global Routing Announcements Geoff Huston February 2004 (Supported by APNIC)

RPKI Standards Activity Geoff Huston APNIC February 2010.

ARIN Public Policy Meeting

An Operational Perspective on BGP Security Geoff Huston February 2005.

BGP Unallocated Address Route Server Geoff Huston March 2002.

Update Damping in BGP Geoff Huston Chief Scientist, APNIC.

4-Byte AS Numbers The view from the old BGP world Geoff Huston October 2006 APNIC.

BGP Status Update Geoff Huston September What Happening (AS4637) Date.

1 BGP Policy Atoms Yehuda Afek Omer Ben-Shalom Anat Bremler-Barr Tel-Aviv University.

Comparing IPv4 and IPv6 from the perspective of BGP dynamic activity Geoff Huston APNIC February 2012.

Part IV: BGP Routing Instability. March 8, BGP routing updates  Route updates at prefix level  No activity in “steady state”  Routing messages.

An Introduction to Routing the Internet Geoff Huston APNIC.

2006 – (Almost another) BGP Year in Review A BRIEF update to the 2005 report 18 October 2006 IAB Routing Workshop Geoff Huston APNIC.

DSN 2003 A Study of Packet Delivery Performance during Routing Convergence Dan Pei, Lan Wang, Lixia Zhang, UCLA Dan Massey, USC/ISI S. Felix Wu, UC Davis.

1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.

Securing BGP Geoff Huston November Agenda An Introduction to BGP BGP Security Questions Current Work Research Questions.

BGP in 2009 Geoff Huston APNIC May Conventional BGP Wisdom IAB Workshop on Inter-Domain routing in October 2006 – RFC 4984: “routing scalability.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

The Border Gateway Protocol (BGP) Sharad Jaiswal.

CS Summer 2003 Quiz 1 A1) IGP (IS-IS, OSPF) BGP A2) Stub Transit. because it is adverting AS2’s routes to AS1 and vice versa. A3) Traffic discarded.

Internet Routing Instability Labovitz et al. Sigcomm 1997 Largely adopted from Ion Stoica’s slide at UCB.

Root cause analysis of BGP routing dynamics Matt Caesar, Lakshmi Subramanian, Randy H. Katz.

DARPA NMS PI Meeting November 14, 2002 Understanding BGP in Action Dan Massey USC/ISI.

Allocations vs Announcements A comparison of RIR IPv4 Allocation Records with Global Routing Announcements Geoff Huston May 2004 (Activity supported by.

IPv4 Address Lifetime Expectancy Geoff Huston Research activity supported by APNIC The Regional Internet Registries s do not make forecasts or predictions.

I-4 routing scalability Taekyoung Kwon Some slides are from Geoff Huston, Michalis Faloutsos, Paul Barford, Jim Kurose, Paul Francis, and Jennifer Rexford.

1 Computer Communication & Networks Lecture 22 Network Layer: Delivery, Forwarding, Routing (contd.)

© Janice Regan, CMPT 128, CMPT 371 Data Communications and Networking BGP, Flooding, Multicast routing.

Interconnectivity Density Compare number of AS’s to average AS path length A uniform density model would predict an increasing AS Path length (“Radius”)

Dongkee LEE 1 BorderGuard: Detecting Cold Potatoes from Peers Nick Feamster, et al.

CS 3830 Day 29 Introduction 1-1. Announcements r Quiz 4 this Friday r Signup to demo prog4 (all group members must be present) r Written homework on chapter.

Measuring IPv6 Deployment Geoff Huston George Michaelson

CAIA Seminar – 18 August 2007 – Taming BGP An incremental approach to improving the dynamic properties of BGP Geoff Huston.

BGP in 2011 Geoff Huston APNIC. Conventional (Historical) BGP Wisdom IAB Workshop on Inter-Domain routing in October 2006 – RFC 4984: “routing scalability.

Inter-Domain Routing Trends Geoff Huston APNIC March 2007.

A Firewall for Routers: Protecting Against Routing Misbehavior1 June 26, A Firewall for Routers: Protecting Against Routing Misbehavior Jia Wang.

More on Internet Routing A large portion of this lecture material comes from BGP tutorial given by Philip Smith from Cisco (ftp://ftp- eng.cisco.com/pfs/seminars/APRICOT2004.

Presented by: Tony Reveldez GEOFF HUSTON B.Sc., M.Sc. Australian National University MATTIA ROSSI B.Eng.,M.Sc. Leopold- Franzens- Universitaet GEOFF ARMITAGE.

By, Matt Guidry Yashas Shankar.  Analyze BGP beacons which are announced and withdrawn, usually within two hour intervals.  The withdraws have an effect.

1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.

Transport Layer3-1 Network Layer Every man dies. Not every man really lives.

1 Auto-Detecting Hijacked Prefixes? Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam Geoff Huston.

1 Border Gateway Protocol (BGP) and BGP Security Jeff Gribschaw Sai Thwin ECE 4112 Final Project April 28, 2005.

Tracking the Internet’s BGP Table Geoff Huston Telstra December 2000.

Border Gateway Protocol. Intra-AS v.s. Inter-AS Intra-AS Inter-AS.

BGP Validation Russ White Rule11.us.

1 Internet Routing 11/11/2009. Admin. r Assignment 3 2.

BGP Routing Stability of Popular Destinations

Geoff Huston APNIC March 2017

Auto-Detecting Hijacked Prefixes?

Auto-Detecting Hijacked Prefixes?

More Specific Announcements in BGP

Border Gateway Protocol

Measuring BGP Geoff Huston.

BGP supplement Abhigyan Sharma.

Early Measurements of a Cluster-based Architecture for P2P Systems

BGP update profiles and the implications for secure BGP update validation processing Geoff Huston PAM April 2007.

More Specific Announcements in BGP

Geoff Huston APNIC 7th caida/wide measurement workshop Nov

APNIC Trial of Certification of IP Addresses and ASes

Routers Routing algorithms

Geoff Huston September 2002

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006

2005 – A BGP Year in Review February 2006 Geoff Huston

IPv4 Address Lifetime Expectancy

BGP: 2008 Geoff Huston APNIC.

Geoff Huston APNIC 7th caida/wide measurement workshop Nov

Presentation transcript:

BGP update profiles and the implications for secure BGP update validation processing Geoff Huston Swinburne University of Technology PAM April 2007

Why? Secure BGP proposals all rely on some form of validation of BGP update messages Validation typically involves cryptographic validation, and may refer to further validation via a number resource PKI This validation may take considerable resources to complete. This implies that the overheads securing BGP updates in terms of validity of payload may contribute to: –Slower BGP processing –Slower propagation of BGP updates –Slower BGP convergence following withdrawal –Greater route instability –Potential implications in the stability of the forwarding plane

What is the question here? Validation information has some time span –Validation outcomes can be assumed to be valid for a period of hours Should BGP-related validation outcomes be locally cached? What size and cache lifetime would yield high hit rates for BGP update validation processing?

Method Use a BGP update log from a single eBGP peering session with AS 4637 over a 14 day period –10 September 2006 – 23 September 2006 Examine time and space distributions of BGP Updates that have similar properties in terms of validation tasks

Update Statistics for the session DayPrefix Updates Duplicates: Prefix Duplicates: Prefix + Origin AS Duplicates Prefix + AS Path Duplicates Prefix + Comp-Path 172,93460,105 (82%)54,924 (75%)34,822 (48%)35,312 (48%) 279,36171,714 (90%)67,942 (86%)49,290 (62%)50,974 (64%) 3104,76493,708 (89%)87,835 (84%)65,510 (63%)66,789 (64%) 4107,57694,127 (87%)87,275 (81%)64,335 (60%)66,487 (62%) 5139,483110,994 (80%)99,171 (71%)68,096 (49%)69,886 (50%) 6100,44492,944 (92%)88,765 (88%)70,759 (70%)72,108 (72%) 775,51971,935 (95%)69,383 (92%)56,743 (75%)58,212 (77%) 864,01060,642 (95%)57,767 (90%)49,151 (77%)49,807 (78%) 994,94489,777 (95%)86,517 (91%)71,118 (75%)72,087 (76%) 1081,57678,245 (96%)75,529 (93%)63,607 (78%)64,696 (79%) 1195,06291,144 (96%)87,486 (92%)72,678 (76%)74,226 (78%) 12108,987103,463 (95%)99,662 (91%)80,720 (74%)82,290 (76%) 1391,73287,998 (96%)85,030 (93%)72,660 (79%)74,116 (81%) 1478,40776,174 (97%)74,035 (94%)64,994 (83%)65,509 (84%)

CDF by Prefix and Originating AS

Time Distribution

Time Spread

Space Distribution Use a variable size cache simulator Assume 36 hour cache lifetime Want to know the hit rate of validation queries against cache size

Prefix Similarity

Prefix + Origin Similarity

Prefix + Path Similarity

Observations A large majority of BGP updates explore diverse paths for the same origination True origination instability occurs relatively infrequently (1:4) ? Validation workloads can be reduced by considering origination (prefix plus origin) and the path vector as separable validation tasks Further processing reduction can be achieved by treating a AS path vector as a sequence of AS paired adjacencies

AS Path Similarity

AS Pair Similarity

Observations Validation caching appears to be a useful approach to addressing some of the potential overheads of validation of BGP updates Separating origination from path processing, using a 36 hour validation cache can achieve 80% validation hit rate using a cache of 10,000 Prefix + AS originations and a cache of 1,000 AS pairs

What do we want from secure BGP? Validation that the received BGP Update has been processed by the ASs in the AS Path, in the same order as the AS Path, and reflects a valid prefix, valid origination and valid propagation along the AS Path? or Validation that the received Update reflects a valid prefix and valid origination, and that the AS Path represents a plausible sequence of validated AS peerings?

Thank You