Incrementally Deployable Security for Interdomain Routing (TTA-4, Type-I) Jennifer Rexford, Princeton University Joan Feigenbaum, Yale University August,

Incrementally Deployable Security for Interdomain Routing (TTA-4, Type-I) Jennifer Rexford, Princeton University Joan Feigenbaum, Yale University August, 2006

2 Overview: Insecure Internet Infrastructure
Border Gateway Protocol is important
 – BGP is the glue that holds the Internet together
BGP is extremely vulnerable
 – Easy to inject false information
 – Easy to trigger routing instability
Vulnerabilities are being exploited
 – Configuration errors and malicious attacks
 – Route hijacking, blackholes, denial-of-service, …
Changing to a secure protocol is hard
 – Can’t have a flag day to reboot the Internet

3 Overview: Incrementally Deployable Solution
Backwards compatibility
 – Work with existing routers and protocols
Incentive compatibility
 – Offer significant benefits, even to the first adopter
[Figure: AS 1, AS 2 and AS 3 exchanging routes over BGP (the inter-AS protocol); an RCP (Routing Control Platform) tells the routers how to forward traffic]
 – Use BGP to communicate with the legacy routers
 – Use RCP to simplify management and enable new services
 – Use RCP to detect (and avoid) suspicious routes
 – Other ASes can deploy an RCP independently
 – ASes with RCPs can cooperate to detect suspicious routes (distributed detection)
 – ASes can upgrade to a secure interdomain routing protocol
 – … all while still using BGP to control the legacy routers

4 Overview: Potential Security Impact
Breaking the “flag day” stalemate
 – Viable approach to incremental deployment
 – Backwards compatible with the legacy routers
 – Incentive-compatible with goals of each AS
Immediate benefits to participating ASes
 – Avoiding anomalous and suspicious routes
 – Secure routing with participating neighbors
Tipping point leads to ubiquitous deployment
 – Increasing incentives for ASes to participate
 – Ultimately, full deployment of secure protocol
Insights for other protocols (such as DNSSEC)

5 Technical Accomplishments: Outline
Prototyping and deployment
 – Routing Control Platform (RCP) prototype
 – Virtual Network Infrastructure (VINI) platform
Anomaly detection techniques
 – Pretty Good BGP (PGBGP)
 – Update-clustering algorithms
Incremental deployability
 – Multi-path Interdomain ROuting (MIRO)

6 Accomplishment #1: Prototyping & Deployment
RCP prototype
 – Prototype as extension to XORP/Vyatta
 – Learns BGP routes from neighbor ASes
 – Selects a “best route” for each router per prefix
 – API for anomaly detection and path selection
Virtual Network Infrastructure (VINI)
 – Platform for demonstrating the RCP in operation
 – Shared WAN facility for network experimentation
 – Initial evaluation of the existing routing protocols
 – A step toward the NSF’s GENI backbone design
[Figure: an RCP deployed inside AS 1]

7 Accomplishment #2: Anomaly Detection
Pretty Good BGP (PGBGP)
 – Maintain history of AS originating a prefix
 – Flag announcements with new AS as suspicious
 – Prefer “normal” routes over suspicious ones
 – Natural application to run on the RCP
[Figure: a /16 prefix announced from a new origin AS; PGBGP prevents the hijack]
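The PGBGP idea on this slide (keep an origin-AS history per prefix, flag an unseen origin as suspicious, and prefer normal routes over suspicious ones) as an added illustration; this is not the project's PGBGP code. The quarantine length, the bootstrap RIB and the announcement stream are constructed assumptions, and the real PGBGP also ages out stale history, which is omitted here.

```python
from collections import defaultdict

# Constructed sample data (not from the presentation): an initial RIB snapshot
# and a stream of (prefix, origin_as, as_path_len, time_seconds) announcements.
INITIAL_RIB = [("192.0.2.0/24", 64500), ("198.51.100.0/24", 64501)]
UPDATES = [
    ("192.0.2.0/24", 64500, 3, 0),        # known origin: normal
    ("192.0.2.0/24", 64502, 1, 180000),   # unseen origin, shorter path: suspicious
    ("192.0.2.0/24", 64502, 1, 190000),   # still inside the quarantine window
    ("198.51.100.0/24", 64501, 2, 200000),
]

class OriginHistoryDetector:
    """PGBGP-style origin-AS history check, simplified for illustration.

    An origin AS is 'normal' for a prefix if it was in the bootstrap RIB or
    has been observed for at least `quarantine` seconds; any other origin is
    flagged suspicious.  Route selection prefers normal origins over
    suspicious ones before falling back to AS-path length."""

    def __init__(self, quarantine=24 * 3600, known=()):
        self.quarantine = quarantine
        # prefix -> {origin_as: time first seen}; bootstrap entries are trusted
        self.first_seen = defaultdict(dict)
        for prefix, origin in known:
            self.first_seen[prefix][origin] = float("-inf")

    def is_suspicious(self, prefix, origin, now):
        first = self.first_seen[prefix].get(origin)
        return first is None or now - first < self.quarantine

    def observe(self, prefix, origin, now):
        """Record an announcement; return True if it should be flagged."""
        self.first_seen[prefix].setdefault(origin, now)
        return self.is_suspicious(prefix, origin, now)

    def select(self, prefix, candidates, now):
        """candidates: iterable of (origin_as, as_path_len). Normal first, then shortest."""
        return min(candidates, key=lambda c: (self.is_suspicious(prefix, c[0], now), c[1]))

def run(initial_rib, updates, quarantine=24 * 3600):
    """Feed the stream through the detector; return (detector, flagged announcements)."""
    det = OriginHistoryDetector(quarantine, known=initial_rib)
    flagged = [u for u in updates if det.observe(u[0], u[1], u[3])]
    return det, flagged

if __name__ == "__main__":
    det, flagged = run(INITIAL_RIB, UPDATES)
    for prefix, origin, _, t in flagged:
        print(f"t={t}: suspicious origin AS{origin} for {prefix}")
    # While AS64502 is in quarantine, the normal (longer) route still wins.
    print(det.select("192.0.2.0/24", [(64500, 3), (64502, 1)], now=190000))
```

Note that the suspicious route is only deferred, not discarded: once the quarantine window passes, the shorter path from the new origin is adopted, which is why PGBGP pairs the delay with operator alerts.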

8 Accomplishment #2: Anomaly Detection (Cont.)
Aggregation and analysis of route updates
 – A single event can trigger instability in routes to many destinations. The high volume of updates makes this an MDS-algorithmic challenge.
 – Use statistical correlation to form clusters of routes that change frequently and (approximately) simultaneously. Provide tools to aid anomaly detection and root-cause diagnosis.
 – MDS clustering algorithms have been designed, implemented, and tested on RouteViews data. To be deployed in RCP.

9 Accomplishment #3: Incremental Deployability
Multipath Interdomain Routing (MIRO)
 – Increase chance of learning a valid path
 – Availability providers advertise extra paths
 – Stub ASes direct packets on alternate paths
Design of the protocol
 – RCP application running in participating ASes
 – Packet encapsulation to send packets on paths
Evaluation of incremental deployment
 – Incremental deployment offers significant gains
 – Small set of large ASes see most of path diversity

10 Milestones, Deliverables, Schedule
RCP Prototype
 – RCP prototype, and API to data-analysis engine
 – RCP with API to trust-management system
 – Deployment of RCP in operational networks
Anomaly Detection
 – Offline algorithms and upper bounds
 – Online analysis algorithm to detect anomalies
 – Deploy online algorithm; create distributed
Routing Policy
 – Identify today’s policies and select notation
 – Integrate policy language in trust management
 – Deploy in trust management system
Secure Routing
 – Evaluate incentive compatibility
 – Quantify gains of a partial deployment
 – Investigate new secure inter-AS protocols
Annotations on the slide: “Focus thus far”; “For PGBGP and MIRO”

11 Public Relations Activities
NANOG presentation
 – PGBGP talk at NANOG in June 2006
 – Discovered deployment opportunity at IXNM
Interaction with ISPs and vendors
 – ISPs: AT&T, NLR, and Abilene
 – Vendors: XORP/Vyatta, Cisco, and Lucent
 – Natural focus for influencing interdomain routing
Research publications
 – Anomaly detection (IEEE ICNP’06, ACM CIKM’06)
 – VINI (ACM SIGCOMM’06)
 – MIRO (ACM SIGCOMM’06)

12 Technology Transition Plans
RCP: Routing Control Platform
 – Initial discussions with Cisco on RCP
 – Continued collaboration with AT&T
 – Possible deployment path with Vyatta (start-up)
VINI: Virtual Network Infrastructure
 – Running on PlanetLab nodes in Abilene backbone
 – Deploying in six sites in National Lambda Rail
 – Planning dedicated bandwidth & ISP connectivity
 – A step toward the NSF’s GENI backbone design

13 Technology Transition Plans (Continued)
PGBGP: Pretty Good BGP
 – Internet Alert Registry deployed and in use
 – Prototype in progress for IXNM exchange point
 – In discussion with Cisco about router support
 – … and using PGBGP to enable soBGP deployment
MIRO: Multipath Interdomain ROuting
 – In discussion with Cisco about router extensions
 – Many of the building blocks are already available
 – IP-in-IP encapsulation & “add paths” BGP feature

14 Publication Activity: Published Papers
Prototyping and deployment
 – “In VINI veritas: Realistic and controlled network experimentation” (ACM SIGCOMM, 2006)
Anomaly detection
 – “Learning-based anomaly detection in BGP updates” (ACM SIGCOMM MineNet Workshop, 2005)
 – “A distributed reputation approach to cooperative Internet routing protection” (Workshop on Secure Network Protocols, 2005)
 – “Pretty Good BGP: Improving BGP by cautiously adopting routes” (IEEE International Conference on Network Protocols, 2006)
 – “Finding Highly Correlated Pairs Efficiently with Powerful Pruning” (ACM Conference on Information and Knowledge Management, 2006)

15 Publication Activity: Published Papers (Cont.)
Incrementally deployable security techniques
 – “Pretty Good BGP: Improving BGP by cautiously adopting routes” (IEEE International Conference on Network Protocols, 2006)
 – “Stealth probing: Efficient data-plane security for IP routing” (USENIX, May/Jun 06)
 – “MIRO: Multipath Interdomain ROuting” (ACM SIGCOMM, 2006)
Incentive-compatible routing protocols
 – “Distributed algorithmic mechanism design” (Algorithmic Game Theory, 2007)
 – “Incentive-compatible interdomain routing” (ACM Conference on Electronic Commerce, 2006)
BGP routing policies
 – “BGP policies in ISP networks” (IEEE Network, 2005)

16 Cyber Security R&D: Incrementally Deployable Security for Interdomain Routing (quad chart)
DESCRIPTION / OBJECTIVES / METHODS
Routing-Control Platform (RCP)
 – Selects routes on behalf of routers
 – Possible today on high-end PC
Incrementally deployable security
 – Speak BGP to the legacy routers
 – Detect and avoid suspicious routes
 – Update RCPs to use secure protocol
DHS/Cyber Security IMPACT
Internet-routing system is vulnerable
 – Core communication infrastructure
 – Very vulnerable to cyber attacks
 – Hard to have “flag day” for upgrades
Phased deployment of secure routing
 – Network manager deploys locally
 – Participating domains detect attacks
 – Neighbor domains upgrade protocol
[Figure: Network A, whose RCP speaks BGP to its routers, connected to Network B by a secure routing protocol]
BUDGET & SCHEDULE
TASK (FY05 / FY06 / FY07)
 – RCP prototype
 – Anomaly detection
 – Policy manager
 – Secure routing
 – Total cost