A Pluralist Approach to Interdomain Communication Security Ioannis Avramopoulos Princeton University Joint work with Jennifer Rexford

Economics & the Internet Inertness Internet infrastructure is insecure Despite the obvious threat, countermeasures are not being deployed –E.g., Secure-BGP We argue that the reason is mainly economic Autonomous systems (ASes) in commercial Internet are independent, rational, and pay-off maximizing entities

Overview Economic Case for Pluralism Architectural Framework for Pluralism Example of Using the Architectural Framework

Background: Economics of Groups and Goods Good: Secure communication between domains –Goods are confidentiality, integrity, and availability Producing such goods requires action in groups –Group members are ASes Goods can be –purely public (e.g., public television broadcasting) –purely private (e.g., recorded music sold in stores) –impurely public (e.g., cable television broadcasting) Type of good can be engineered

Background: Routing Protocols

The Case for Pluralism: Purism is not Economically Viable Purism: Ubiquitous deployment of a secure routing protocol Purism treats secure interdomain communication as a pure public good –Therefore, purism is not economically viable

The Case for Pluralism: Smaller Groups are More Effective Olson classifies interaction among group members in three categories: –Large group; good will not be provided unless there is coercion –Small group; good may be provided by unilateral action –Medium group; good may be provided by strategic interaction

The Case for Pluralism: Custom Security Solutions Per Group Many options (mechanisms) to improve communication security –E.g., confidentiality can be protected by a secure routing protocol or encryption ciphers No single mechanism can address the full gamut of threats –E.g., during a DoS attack you prefer unreachability Network architecture should support the graceful coexistence of different mechanisms

SBone Architectural Framework for Pluralism Objective: support the formation of groups of any size---irrespective of IP connectivity of group members---without compromising security

Formation of Arbitrary Groups Irrespective of IP Connectivity island Archipelago

Threat Model DoS attacks –against targets inside the overlay –against virtual links Routing-protocol attacks –to intercept cross-island traffic Data-plane attacks –to manipulate cross-island traffic

Secure Virtual Link: Surelink Connects a relay point in one island to a relay point in another forming an IP tunnel Surelinks enhance the service model of a vanilla IP tunnel with –an encryption cipher to protect confidentiality –an authentication cipher to protect integrity and enforce access control –secure availability monitoring capability

Secure Virtual Topology Collection of multiple surelinks giving control of the underlying paths traffic takes Path control can be leveraged to –proactively prevent routing attacks –proactively bypass untrusted non-participants –proactively spread traffic over multiple paths –reactively reroute traffic to alternate paths

Example of Archipelago Backbone-provider trusted VPN –Example of revenue-generating service based on coalitions among providers

Example of Archipelago AT&T Telstra US branch Australian branch surelinks

Example of Archipelago Backbone-provider trusted VPN –Example of revenue-generating service based on coalitions among providers Coalition-based trusted VPNs can serve multinational customers without additional investment on infrastructure

Conclusion Purism is not economically viable Deployment of communication security mechanism should be based on pluralism; –I.e., the formation of variable-sized groups deploying mechanism customized to group-specific needs Proposed an architectural framework to support pluralism that is backward compatible with existing infrastructure

Thank you! Questions