1 Robert Lychev (Georgia Tech), Sharon Goldberg (Boston University), Michael Schapira (Hebrew University)

Presentation transcript:


[Diagram: YouTube, Pakistan Telecom, Telenor Pakistan, Aga Khan University, Multinet Pakistan and The Internet. YouTube's announcement: “I’m YouTube: IP /22”.]

What should have happened… [Diagram: YouTube, Pakistan Telecom, Telenor Pakistan, Aga Khan University, Multinet Pakistan. YouTube's announcement: “I’m YouTube: IP /22”. X: drop packets.]

What did happen [Diagram: YouTube, Pakistan Telecom, Telenor Pakistan, Aga Khan University, Multinet Pakistan. YouTube's announcement: “I’m YouTube: IP /22”. Pakistan Telecom's announcement: “No, I’m YouTube! IP /24”.]


Rare Occurrences? Not Really!

7
1. Background:
   1. BGP, RPKI, BGPSEC
   2. routing policies in BGPSEC partial deployment
2. BGPSEC in partial deployment is tricky
3. Is the juice worth the squeeze?
4. Summary

Over 45,000 Autonomous Systems (ASes) [Diagram labels: Microsoft, Verizon, Comcast, AT&T]

9 [Diagram: ASes Sprint, 4323, 2828, D and A. D's /24 announcement propagates with a growing AS path: “D /24”, “2828, D /24”, “Sprint, 4323, 2828, D /24”.]

10 Which route to choose? Use routing policies, e.g. “Prefer short paths”. [Diagram: Sprint must choose (?) between “4323, 2828, D /24” and “A, D /24”.]

11 Which route to choose? Use routing policies, e.g. “Prefer short paths”. [Diagram: Sprint must choose (?) among “4323, 2828, D /24”, “A, D /24” and “A /24”.]

12 RPKI: Binds prefixes to ASes authorized to originate them. Sprint checks that A is not authorized for /24. X RPKI invalid! [Diagram: A announces “A /24”; Sprint; D /24.]

13 BGP, RPKI (origin authentication), BGPSEC
Security Benefits or Juice:
- RPKI: prevent prefix hijacks
- BGPSEC: prevent route manipulations
Assume RPKI is fully deployed, and focus on 1-hop hijack.
[Diagram: announcements marked S: “2828, FB, prefix”; “4323, 2828, FB, prefix”; “SP, 4323, 2828, FB, prefix”.]

14 Sprint can verify that D never sent “A, D, prefix”. X BGPSEC invalid! [Diagram: Sprint, D /24 and A, with P/S and RPKI labels. Announcements marked S: “2828, D, prefix”; “4323, 2828, D, prefix”; “SP, 4323, 2828, D, prefix”. Also shown: “A, D, prefix” and “SP, A, D, prefix”.]

15 What happens when BGP and BGPSEC coexist?
BGP, RPKI (origin authentication), BGPSEC
Security Benefits or Juice:
- RPKI: prevent prefix hijacks
- BGPSEC: prevent route manipulations
Assume RPKI is fully deployed, and focus on 1-hop hijack.
[Diagram: announcements marked S: “2828, FB, prefix”; “4323, 2828, FB, prefix”; “SP, 4323, 2828, FB, prefix”.]

16 Should Sprint choose the long secure path OR the short insecure one? Secure ASes must accept legacy insecure routes. Depends on the interaction between BGPSEC and routing policies! [Diagram: Sprint, D /24, Siemens and A, with P/S and RPKI labels. Announcements marked S: “2828, D, prefix”; “4323, 2828, D, prefix”; “SP, 4323, 2828, D, prefix”. Insecure announcement: “A, D /24”.]

17
1. local preference (often based on business relationships with neighbors)
2. prefer short routes …
3. break ties in a consistent manner

18
Security 1st
1. local preference (cost) (often based on business relationships with neighbors)
Security 2nd
2. prefer short routes (performance)
Security 3rd
3. break ties in a consistent manner
- Survey of 100 network operators shows that 10%, 20% and 41% would place security 1st, 2nd, and 3rd, respectively [Gill, Schapira, Goldberg’12]
[Diagram labels: Security; Cost, Performance]

19
Security 1st
1. local preference (cost) (prefer customer routes over peer over provider routes)
Security 2nd
2. prefer short routes (performance)
Security 3rd
3. break ties in a consistent manner
- To simulate routing outcomes, we use a concrete model of local preference. [Gao-Rexford’00, Huston’99, etc.]
- We test the robustness of this local pref model.

20
1. Background: BGP, RPKI, BGPSEC, routing policies
2. BGPSEC in partial deployment is tricky
   1. Protocol downgrade attacks
   2. Collateral damages
   3. Routing instabilities
3. Is the Juice worth the squeeze?
4. Summary

21 Security 3rd: Path length trumps path security! Protocol downgrade attack: Before the attack, Sprint has a legitimate secure route. During the attack, Sprint downgrades to an insecure bogus route. [Diagram: Sprint, D /24 and A, with P/S labels. Announcements marked S: “2828, D, prefix”; “4323, 2828, D, prefix”; “SP, 4323, 2828, D, prefix”. Insecure announcement: “A, D /24”.]

22 Protocol downgrade attack: A secure AS with a secure route before the attack downgrades to an insecure bogus route during the attack. [Diagram: Sprint, D /24, Siemens and A, with P/S labels. Insecure announcement: “A, D /24”.]
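The decision process from the routing-policy slides, with the security step placed 1st, 2nd or 3rd, applied to Sprint's choice in the downgrade slides. This is an added example, not code from the presentation or its authors; the business relationships assigned to each route and the tie-break rule are assumptions made for illustration.

```python
from dataclasses import dataclass

# Local preference, higher is better: customer over peer over provider routes.
LOCAL_PREF = {"customer": 3, "peer": 2, "provider": 1}

@dataclass(frozen=True)
class Route:
    as_path: tuple      # AS path as announced, next hop first
    learned_from: str   # relationship to the announcing neighbor (assumed here)
    secure: bool        # whole path validated with BGPSEC
    legitimate: bool    # ground truth for scoring; invisible to the router

def select_route(candidates, security_rank):
    """Pick the best route with the security step placed 1st, 2nd or 3rd."""
    if security_rank not in (1, 2, 3):
        raise ValueError("security_rank must be 1, 2 or 3")
    if not candidates:
        raise ValueError("no candidate routes")

    def key(route):
        steps = [LOCAL_PREF[route.learned_from],  # local preference (cost)
                 -len(route.as_path)]             # prefer short routes
        steps.insert(security_rank - 1, int(route.secure))
        return tuple(steps)

    best = max(key(r) for r in candidates)
    tied = [r for r in candidates if key(r) == best]
    return min(tied, key=lambda r: r.as_path)     # consistent tie-break

def is_downgrade(before, during, security_rank):
    """True if a secure choice before the attack becomes an insecure bogus one."""
    chosen_before = select_route(before, security_rank)
    chosen_during = select_route(during, security_rank)
    return (chosen_before.secure
            and not chosen_during.secure
            and not chosen_during.legitimate)

# Constructed scenario 1: Sprint hears both routes from peers.
SECURE = Route(("4323", "2828", "D"), "peer", True, True)
BOGUS = Route(("A", "D"), "peer", False, False)
# Constructed scenario 2: secure route via a provider, bogus one via a customer.
SECURE_PROVIDER = Route(("4323", "2828", "D"), "provider", True, True)
BOGUS_CUSTOMER = Route(("A", "D"), "customer", False, False)

if __name__ == "__main__":
    for rank in (1, 2, 3):
        s1 = is_downgrade([SECURE], [SECURE, BOGUS], rank)
        s2 = is_downgrade([SECURE_PROVIDER],
                          [SECURE_PROVIDER, BOGUS_CUSTOMER], rank)
        print(f"security {rank}: equal pref downgrade={s1}, "
              f"customer-preferred bogus downgrade={s2}")
```

With equal local preference only the security 3rd model downgrades; once the bogus route arrives from a more preferred neighbor, security 2nd downgrades as well and only security 1st keeps the secure route.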

M prefix P/S

Before X deploys BGPSEC: X offers the shorter path. Secure ASes: 5. Happy ASes: 8. [Diagram labels: W, X, Z, Y, M, D, V, prefix, P/S]

After X deploys BGPSEC: W offers the shorter path! Security 2nd: Security trumps path length! Y experiences collateral damage because X is secure! Secure ASes: 6. Happy ASes: 7. [Diagram labels: W, X, V, Z, Y, M, D, prefix, P/S]

Collateral damage (during the attack): More secure ASes lead to more insecure ASes choosing bogus routes. [Diagram labels: A, 5617, prefix, P/S]

27 Theorem: Routing converges to a unique stable state if all ASes use the same secure routing policy model.
- But, if they don’t, there can be BGP Wedgies and oscillations.

28
1. Background: BGP, RPKI, BGPSEC, routing policies
2. BGPSEC in partial deployment is tricky
3. Is the Juice worth the Squeeze?
   1. Can we efficiently select the optimal set of secure ASes?
   2. Can we bound security benefits invariant to who is secure?
   3. Is the BGPSEC juice worth the squeeze given RPKI?
4. Summary

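29 Let S be the set of ASes deploying BGPSEC, A be the attacker and d be the destination. Our metric is the average of the set of Happy ASes:

$$\mathrm{Metric}(S) = \frac{1}{|V|^3} \sum_{\text{all } A} \sum_{\text{all } d} |\mathrm{Happy}(S, A, d)|$$

[Diagram: attacker A and destination d announcing the prefix; in the example shown, |Happy(S, A, d)| = 7.]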

30 Problem: find the set S of secure ASes that maximizes $|\mathrm{Happy}(S, A, d)|$ s.t. |S| = k, for a fixed attacker A and destination d. Theorem: This problem is NP-hard for all three routing models. [Diagram labels: A, d, prefix]

31 The bogus path is shorter! [Diagram: Sprint, D /24, Siemens and A. Insecure announcement: “A, D /24”.]

32 Sprint is doomed: The bogus path is shorter! Regardless of who is secure, Sprint will select the shorter bogus route! [Diagram: Sprint, D /24, Siemens and A, with P/S labels. Insecure announcement: “A, D /24”.]

33 Sprint is doomed: The bogus path is shorter! The legitimate path is shorter! [Diagram: Sprint, D /24, Siemens and A, with P/S labels. Insecure announcement: “A, D /24”.]

34 Sprint is doomed: The bogus path is shorter! 2828 and 4323 are immune: The legitimate path is shorter! Regardless of who is secure, 4323 and 2828 will select legitimate routes! [Diagram: Sprint, D /24, Siemens and A. Insecure announcement: “A, D /24”.]

35 Problem: Find upper and lower bound on

$$\mathrm{Metric}(S) = \frac{1}{|V|^3} \sum_{\text{all } A} \sum_{\text{all } d} |\mathrm{Happy}(S, A, d)|$$

- Key observation. Regardless of who is secure:
  1. Doomed ASes will always choose bogus routes
  2. Immune ASes will always choose legitimate routes
- Lower bound on Metric(S) = fraction of immune ASes
- Upper bound on Metric(S) = 1 – fraction of doomed ASes
[Diagram labels: A, d, prefix]

36 In the most realistic security 3rd model, the best we could do is make an extra 17% happy with security! [Chart: Average Fraction of Happy ASes; lower bound with RPKI, upper bound with BGPSEC; values shown: 17%, 53%, 36%, 47%.] Results based on simulations on empirical AS-level graphs.

37 Securing 50% of ASes on the Internet: Improvements in the security 3rd and 2nd models are only 4% and 8% respectively. [Chart: Average Fraction of Happy ASes; lower bound with RPKI; values shown: 17%, 53%, 36%, 47%, 24%.] Results based on simulations on empirical AS-level graphs.

38 BGP, RPKI (origin authentication), BGPSEC
Security Benefits or Juice:
- RPKI: prevent prefix hijack
- BGPSEC: prevent route manipulations
- Unless Security is 1st or BGPSEC deployment is very large, security benefits from partially deployed BGPSEC are meagre
- Typically little observable difference between Sec 2nd and 3rd
BGP and BGPSEC coexistence: very tricky
- protocol downgrades
- collateral damages
- routing instabilities
[Diagram: announcements marked S: “2828, FB, prefix”; “4323, 2828, FB, prefix”; “SP, 4323, 2828, FB, prefix”.]

1. A grassroots approach to routing security
   - anonymity service in lieu of a PKI
2. Outsourcing interdomain routing to a non-trusted center
   - via Secure MultiParty Computation (SMPC)

40 check out the full version at
1. Proofs
2. More empirical analysis and plots
3. Robustness tests
4. BGPSEC deployment guidelines

41
- Graph: A UCLA AS-level topology from
- 39K ASes, 73.5K and 62K customer-provider and peer links
- For each attacker-destination pair, simulated routing and determined the sets of doomed and immune ASes
- Quantified security-benefit improvements for many different BGPSEC deployment scenarios
- Robustness Tests
- added 550K extra peering links inferred from IXP data on
- accounted for traffic patterns by focusing on only certain destinations (e.g. content providers) and attackers
- currently repeating all analysis with respect to different local pref models

42 Sprint is doomed: The bogus path is shorter! 2828 and 4323 are immune: The legitimate path is shorter! Only Siemens is neither doomed nor immune! [Diagram: Sprint, D /24, Siemens and A. Insecure announcement: “A, D /24”.]

43 Sprint is doomed: The bogus path is shorter! 2828 and 4323 are immune: The legitimate path is shorter! Only Siemens is neither doomed nor immune! Regardless of who is secure, only Siemens can benefit from BGPSEC! [Diagram: Sprint, D /24, Siemens and A, with P/S labels. Insecure announcement: “A, D /24”.]

44 In the most realistic security 3rd model, the best we could do is make an extra 17% happy with security! [Chart: lower bound with RPKI, upper bound with BGPSEC; values shown: 53%, 17%, 79%, 10%, 30%, 11%.]

45 Securing 50% of the Internet: Improvements in the security 3rd and 2nd models are only 4% and 8% respectively. [Chart: lower bound with RPKI; values shown: 53%, 10%, 30%, 11%, 17%, 79%, 24%.]

46
- we highlight operational issues of BGPSEC partial deployment
- results are not meant to be predictive, but our trends are robust

47
- Network administrators have to agree on security prioritization
- otherwise, unpredictable routing behavior may be encountered
- ASes deploying BGPSEC experience noticeable security benefit improvements when routing to secure destinations
- secure islands could form with different security prioritizations
- Overall security benefits are almost the same even when STUBs deploying BGPSEC do not verify routes themselves
- Tier 1 networks are not a good choice for initial deployment
- protocol downgrades
- most ASes are immune (i.e. happy to begin with)

48 In the most realistic security 3rd model, the best we could do is make an extra 15% happy with security! [Chart: lower bound with RPKI, upper bound with BGPSEC; values shown: 60%, 15%, 77%, 12%, 25%, 11%.]

49 IXP-links augmented graph, average over all attackers. [Chart: lower bound with RPKI, upper bound with BGPSEC; values shown: 62%, 16%, 80%, 10%, 22%, 10%.]

50 IXP-links augmented graph, average over only non-stub attackers. [Chart: lower bound with RPKI, upper bound with BGPSEC; values shown: 54%, 19%, 82%, 8%, 27%, 10%.]

51 Average over all attackers. Local Pref: prefer customer over peer over provider routes, but prefer 1-hop and 2-hop peer routes to customer routes longer than 1 and 2 hops respectively. [Chart: lower bound with RPKI, upper bound with BGPSEC; values shown: 72%, 11%, 51%, 41%, 17%, 8%.]

52 Average over only non-stub attackers. Local Pref: prefer customer over peer over provider routes, but prefer 1-hop and 2-hop peer routes to customer routes longer than 1 and 2 hops respectively. [Chart: lower bound with RPKI, upper bound with BGPSEC; values shown: 63%, 15%, 55%, 35%, 22%, 10%.]

53 IXP-links augmented graph, average over all attackers. Local Pref: prefer customer over peer over provider routes, but prefer 1-hop and 2-hop peer routes to customer routes longer than 1 and 2 hops respectively. [Chart: lower bound with RPKI, upper bound with BGPSEC; values shown: 75%, 13%, 39%, 55%, 12%, 6%.]

54 IXP-links augmented graph, average over only non-stub attackers. Local Pref: prefer customer over peer over provider routes, but prefer 1-hop and 2-hop peer routes to customer routes longer than 1 and 2 hops respectively. [Chart: lower bound with RPKI, upper bound with BGPSEC; values shown: 64%, 16%, 44%, 47%, 20%, 9%.]

55 Sec 3rd model

56 Sec 2nd model

57 Sec 3rd model, IXP-links augmented graph

58 Sec 2nd model, IXP-links augmented graph

59 Securing 50% of the Internet. Pessimistic: consider all neutral ASes as unhappy. Optimistic: consider all neutral ASes as happy. [Chart: Improvement in Happy(S) against ASes deploying S*BGP, 0 to 20K.]

60 Securing 50% of the Internet. Pessimistic: consider all neutral ASes as unhappy. Optimistic: consider all neutral ASes as happy. [Chart: Improvement in Happy S (S) against ASes deploying S*BGP, 0 to 20K.]

61 Downgrades and collateral benefits play a significant role in the security metric improvement. [Chart panels: Sec 3rd, Sec 1st]

62 [Diagram: AS 1 (P/S) announces “AS1, /24”, marked S; AS 2, AS 3 and AS 4 are labelled P/S; AS 5 is also shown. Route rankings shown: “(AS 4, AS 5, AS 1) …”, “(AS 3, AS 2, AS 1) …”, “(AS 1) …”. Captions: “cost is more important than security”, “security is more important than cost”. Links marked $.]

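63 [Diagram: AS 1 (P/S) announces “AS1, /24”, marked S; AS 2, AS 3 and AS 4 are labelled P/S, with one further P/S label; AS 5 is also shown. Route rankings shown: “(AS 4, AS 5, AS 1) …”, “(AS 3, AS 2, AS 1) …”, “(AS 1) …”. Captions: “cost is more important than security”, “security is more important than cost”.]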