slide 1 Vitaly Shmatikov CS 378 Routing Security
slide 2 Network of Networks uInternet is a network of networks Autonomous system (AS) is a collection of IP networks under control of a single administrator (e.g., ISP) ASes connect through Internet Exchange (IX), Network Access Points (NAP), Metropolitan Area Exchange (MAE) local network Internet service provider (ISP) backbone ISP local network
slide 3 Routing Through the Network uIP address is a 32-bit host identifier (IPv4) 128-bit identifier in IPv6 uRouting protocols propagate information about routes to hosts and networks Host is identified by IP address, network by IP prefix uMany types of routing protocols Distance vector, link-state, path vector uBGP (Border Gateway Protocol) is one of the core routing protocols on the Internet Inter-domain routing between different ASes
slide 4 Distance-Vector Routing uEach node keeps vector with distances to all nodes uPeriodically sends distance vector to all neighbors uNeighbors send their distance vectors, too; node updates its vector based on received information Bellman-Ford algorithm: for each destination, router picks the neighbor advertising the cheapest route, adds his entry into its own routing table and re-advertises Used in RIP (routing information protocol) uSplit-horizon update Do not advertise a route on an interface from which you learned the route in the first place!
slide 5 A: 0A: 1A: 2A: 3A: 4A: G1G2G3G4G5 Good News Travels Fast uG1 advertises route to network A with distance 1 uG2-G5 quickly learn the good news and install the routes to A via G1 in their local routing tables uG1 advertises route to network A with distance 1 uG2-G5 quickly learn the good news and install the routes to A via G1 in their local routing tables
slide 6 A: 0A: 1A: 2A: 3A: 4A: G1G2G3G4G5 Bad News Travels Slowly uG1’s link to A goes down uG2 is advertising a pretty good route to G1 (cost=2) uG1’s packets to A are forever looping between G2 and G1 uG1 is now advertising a route to A with cost=3, so G2 updates its own route to A via G1 to have cost=4, and so on G1 and G2 are slowly counting to infinity Split-horizon updates only prevent two-node loops Exchange routing tables
slide 7 Overview of BGP uBGP is a path-vector protocol between ASes uJust like distance-vector, but routing updates contain an actual path to destination node List of traversed ASes and a set of network prefixes belonging to the first AS on the list uEach BGP router receives UPDATE messages from neighbors, selects one “best” path for each prefix, and advertises it to the neighbors Can be shortest path, but doesn’t have to be –“Hot-potato” vs. “cold-potato” routing AS doesn’t have to use the path it advertises!
slide 8 BGP Example [D. Wetherall] uAS 2 provides transit for AS 7 Traffic to and from AS 7 travels through AS
slide 9 Some BGP Statistics uBGP routing tables contain about 125,000 address prefixes mapping to about 17-18,000 paths uApprox. 10,000 BGP routers uApprox. 2,000 organizations own AS uApprox. 6,000 organizations own prefixes uAverage route length is about 3.7 u50% of routes have length less than 4 ASes u95% of routes have length less than 5 ASes
slide 10 BGP Issues uBGP convergence problems Protocol allows policy flexibility Some legal policies prevent convergence Even shortest-path policy converges slowly uIncentive for dishonesty ISP pays for some routes, others free uSecurity problems Potential for disruptive attacks
slide 11 Evidence: Asymmetric Routes AliceBob uAlice, Bob use cheapest routes to each other uThese are not always shortest paths uAsymmetic routes are prevalent AS asymmetry in 30% of measured routes Finer-grained asymmetry far more prevalent
slide 12 Side Note: TCP Congestion Control uIf packets are lost, assume congestion Reduce transmission rate by half, repeat If loss stops, increase rate very slowly Design assumes routers blindly obey this policy Source Destination
slide 13 Protocol Rewards Dishonesty uAmiable Alice yields to boisterous Bob Alice and Bob both experience packet loss Alice backs off Bob disobeys protocol, gets better results Source A Source B Destination
slide 14 BGP Threats: Misconfiguration uMisconfiguration: AS advertises good routes to addresses it does not known how to reach Result: packets go into a network “black hole” uApril 25, 1997: “The day the Internet died” AS7007 (Florida Internet Exchange) de-aggregated the full BGP table and re-advertised all prefixes as if it originated paths to them In effect, AS7007 was advertising that it has the best route to every host on the Internet Huge network instability as incorrect routing data propagated and routers crashed under traffic
slide 15 BGP Threats: Security uBGP update messages contain no authentication or integrity protection uAttacker may falsify the advertised routes Modify the IP prefixes associated with the route –Can blackhole traffic to certain IP prefixes Change the AS path –Either attract traffic to attacker’s AS, or divert traffic away –Interesting economic incentive: an ISP wants to dump its traffic on other ISPs without routing their traffic in exchange Re-advertise/propagate AS path without permission –For example, multi-homed customer may end up advertising transit capability between two large ISPs
slide 16 Protecting BGP uSimple authentication of packet sources and packet integrity is not enough uBefore AS advertises a set of IP addresses, the owner of these addresses must authorize it Goal: verify path origin uEach AS along the path must be authorized by the preceding AS to advertise the prefixes contained in the UPDATE message Goal: verify propagation of the path vector
slide 17 S-BGP Protocol [Kent, Lynn, Seo] uAddress attestation Owner of one or more prefixes certifies that the origin AS is authorized to advertise the prefixes Need a public-key infrastructure (PKI) –X.509 certificates prove prefix ownership; owner can then delegate his “prefix advertising rights” to his ISP uRoute attestation Router belonging to an AS certifies (using digital signatures) that the next AS is authorized to propagate this route advertisement to its neighbors Need a separate public-key infrastructure –Certificates prove that AS owns a particular router
slide 18 S-BGP Update Message R6R6 R7R7 R8R8 S4S4 S5S5 S1S1 S2S2 S3S3 R9R9 R 10 R 12 AS 1 AS 2 uAn update message from R 9 advertising this route must contain: Ownership certificate certifying that some X owns IP address S 1 Signed statement from X that AS 1 is authorized to advertise S 1 Ownership certificate certifying that AS 1 owns router R 6 –If AS is represented by a router Signed statement from R 6 that AS 2 is authorized to propagate AS 1 ’s routes Ownership certificate certifying that AS 2 owns router R 9 Lots of public-key operations!
slide 19 Wormhole Attack on BGP uMultiple colluding malicious BGP routers exchange BGP update messages over a tunneled connection uRouters can claim better paths than actually exist Path vector is not increased by intermediate ASes when update message is tunneled through a “wormhole” uRoute attestation does not help! Malicious routers sign attestations for each other Host H AS4AS3AS2AS1 update I have a great route to H: AS4 - AS1 - H I attest that AS4 is authorized