Pretty Good BGP: Improving BGP by Cautiously Adopting Routes Josh Karlin, Stephanie Forrest, Jennifer Rexford IEEE International Conference on Network.

Slides:



Advertisements
Similar presentations
A Threat Model for BGPSEC
Advertisements

A Threat Model for BGPSEC Steve Kent BBN Technologies.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
Delayed Internet Routing Convergence due to Flap Dampening Z. Morley Mao Ramesh Govindan, Randy Katz, George Varghese
CMSC 414 Computer and Network Security Lecture 26 Jonathan Katz.
Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
BGP Convergence Jennifer Rexford. Outline Border Gateway Protocol (BGP) –Prefix-based routing at the AS level –Policy-based path-vector protocol –Incremental.
Availability Centric Routing (ACR) Robust Interdomain Routing Without BGP Security July 25 th, 2006.
Does BGP Solve the Shortest Paths Problem? Timothy G. Griffin Joint work with Bruce Shepherd and Gordon Wilfong Bell Laboratories, Lucent Technologies.
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
Consensus Routing: The Internet as a Distributed System John P. John, Ethan Katz-Bassett, Arvind Krishnamurthy, and Thomas Anderson Presented.
Information-Centric Networks04c-1 Week 4 / Paper 3 A Survey of BGP Security Issues and Solutions –Kevin Butler, Toni Farley, Patrick McDaniel, and Jennifer.
Security and Privacy Issues in Wireless Communication By: Michael Glus, MSEE EEL
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
A. Haeberlen Having your Cake and Eating it too: Routing Security with Privacy Protections 1 HotNets-X (November 15, 2011) Alexander Gurney * Andreas Haeberlen.
Distributed Route Aggregation on the Global Network (DRAGON) João Luís Sobrinho 1 Laurent Vanbever 2, Franck Le 3, Jennifer Rexford 2 1 Instituto Telecomunicações,
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Pretty Good BGP Josh Karlin 8/15/2006. Towards Securing BGP Authenticate Origins –Prefix hijacks –Sub-prefix hijacks –Often caused by router misconfiguration.
HLP: A Next Generation Interdomain Routing Protocol Lakshminarayanan Subramanian* Matthew Caesar* Cheng Tien Ee*, Mark Handley° Morley Maoª, Scott Shenker*
Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
Criticisms of I3 Jack Lange. General Issues ► Design ► Performance ► Practicality.
Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter.
A Routing Control Platform for Managing IP Networks Jennifer Rexford Computer Science Department Princeton University
Internet Routing Instability Labovitz et al. Sigcomm 1997 Largely adopted from Ion Stoica’s slide at UCB.
Slide -1- February, 2006 Interdomain Routing Gordon Wilfong Distinguished Member of Technical Staff Algorithms Research Department Mathematical and Algorithmic.
Incrementally Deployable Security for Interdomain Routing (TTA-4, Type-I) Jennifer Rexford, Princeton University Joan Feigenbaum, Yale University August,
Inherently Safe Backup Routing with BGP Lixin Gao (U. Mass Amherst) Timothy Griffin (AT&T Research) Jennifer Rexford (AT&T Research)
Inter-domain Routing security Problems Solutions.
Advanced Computer Networks cs538, Fall UIUC
Building a Strong Foundation for a Future Internet Jennifer Rexford ’91 Computer Science Department (and Electrical Engineering and the Center for IT Policy)
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
Position Statement Debbie Perouli, PhD Student Sonia Fahmy, Associate Professor Computer Science Department Purdue University WODNAFO 10.
9/15/2015CS622 - MIRO Presentation1 Wen Xu and Jennifer Rexford Department of Computer Science Princeton University Chuck Short CS622 Dr. C. Edward Chow.
Stochastic sleep scheduling (SSS) for large scale wireless sensor networks Yaxiong Zhao Jie Wu Computer and Information Sciences Temple University.
SECURING BGP Matthew Nickasch University of Wisconsin-Platteville Dept. of Computer Science & Software Engineering.
How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir.
Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks BGP.
Finding Vulnerable Network Gadgets in the Internet Topology Author: Nir Amar Supervisor: Dr. Gabi Nakibly Author: Nir Amar Supervisor: Dr. Gabi Nakibly.
BGP Man in the Middle Attack Jason Froehlich December 10, 2008.
Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.
A Firewall for Routers: Protecting Against Routing Misbehavior1 June 26, A Firewall for Routers: Protecting Against Routing Misbehavior Jia Wang.
T. S. Eugene Ngeugeneng at cs.rice.edu Rice University1 COMP/ELEC 429/556 Introduction to Computer Networks Inter-domain routing Some slides used with.
A Light-Weight Distributed Scheme for Detecting IP Prefix Hijacks in Real-Time Lusheng Ji†, Joint work with Changxi Zheng‡, Dan Pei†, Jia Wang†, Paul Francis‡
Detecting Selective Dropping Attacks in BGP Mooi Chuah Kun Huang November 2006.
Guidance for Running Multiple IPv6 Prefixes (draft-liu-v6ops-running-multiple-prefixes-02) Bing Liu, Sheng Jiang (Speaker), Yang Bo IETF91
Evolving Toward a Self-Managing Network Jennifer Rexford Princeton University
Evolving Toward a Self-Managing Network Jennifer Rexford Princeton University
1 Auto-Detecting Hijacked Prefixes? Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam Geoff Huston.
Securing BGP Bruce Maggs. BGP Primer AT&T /8 Sprint /16 CMU /16 bmm.pc.cs.cmu.edu Autonomous System Number Prefix.
Interdomain Routing Security Jennifer Rexford COS 461: Computer Networks Lectures: MW 10-10:50am in Architecture N101
1 Border Gateway Protocol (BGP) and BGP Security Jeff Gribschaw Sai Thwin ECE 4112 Final Project April 28, 2005.
© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—3-1 Route Selection Using Policy Controls Using Multihomed BGP Networks.
Internet Routing Verification John “JI” Ioannidis AT&T Labs – Research Copyright © 2002 by John Ioannidis. All Rights Reserved.
Auto-Detecting Hijacked Prefixes?
Auto-Detecting Hijacked Prefixes?
COS 561: Advanced Computer Networks
Are We There Yet? On RPKI Deployment and Security
COS 561: Advanced Computer Networks
Anupam Das , Nikita Borisov
COS 561: Advanced Computer Networks
COS 561: Advanced Computer Networks
COS 561: Advanced Computer Networks
COS 561: Advanced Computer Networks
BGP Security Jennifer Rexford Fall 2018 (TTh 1:30-2:50 in Friend 006)
Fixing the Internet: Think Locally, Impact Globally
BGP Instability Jennifer Rexford
Presentation transcript:

Pretty Good BGP: Improving BGP by Cautiously Adopting Routes Josh Karlin, Stephanie Forrest, Jennifer Rexford IEEE International Conference on Network Protocols 2006

Outline What are current BGP security issues? What is PGBGP trying to solve? How does PGBGP solve it? How good is PGBGP? How bad is PGBGP? Shall we use it?

What are current BGP security issues? BGP4 (RFC1771) –Inter-domain routing, internet core –Link state protocol, distributed system Vulnerabilities –No encryption: eavesdropping –No timestamp: replaying –No signature: man-in-the-middle

What are current BGP security issues? Examples

What is PGBGP trying to solve? General requirements of a good solution –BGP is widely deployed: don’t modify the protocol –Route’s resource is stretched thin: don’t consume too much resource –ISPs are conservative: incremental deployable –ISPs are greedy: show good results!

What is PGBGP trying to solve? Prefix hijack –Shorter AS_PATH (man-in-the-middle) –MOAS (multiple origin AS)

How does PGBGP solve it? Basic idea –Suspicious  Cautious –Use historical prefix-origin records –Damping suspicious prefix-origin announcement for 24 hours –Human investigation –Good for prefix/sub-prefix hijacks

How does PGBGP solve it? Algorithm  History period – h hours  clean  Suspicious period – s hours  quarantined  Move h forward  remove staleness, get freshness Parameters sensitivity  h = 10 days : short  FP, long  repeat slips  s = 24 hours : human response time

How does PGBGP solve it? Prefix Hijacks: conflict w/ unknown origins Sub-prefix hijacks: Conflict w/ known origins [Q1]?

How does PGBGP solve it? Mitigation –Avoid suspicious routes: lower preference Sub-prefix: quarantine, choose neighbor not having the suspicious routes (not really helpful) Never seen prefix / super-prefix will be adopted –Convergence consideration Obey relationship-based policy Dampened as if not announced

How good is PGBGP? Simulation –18,943 ASes, average 4 links per AS-AS –Simulator w/ policy-based routing –Deployment strategries: random -- p core+random (15 degree+) + p –500 attacks per setup –Parameters: h = 3, s = 1 –Day 1, O; Day 2 O’

How good is PGBGP?

Conclusion: pretty good –Core + random deployment, 90%+ effective –Incrementally deployable –Out-of-core computation possible –Centralized computation possible –Overhead is small, real time possible –Extension: IAR (internet alert registry)

How bad is PGBGP? Limitations: –FP: Origin change, multi-homed –DoS + no other choice –lucky slips –Man-in-the-middle (put itself in AS_PATH) Conclusion: not to bad

Shall we use it? Critiques for the paper –FP delay propagation: –Model human correction rate with prob. p1, FP rate p2 … –Some analysis is not thorough (e.g. Fig 3) –Undeployed ASes at risk (good & bad) –Distributed/Co-operated version Conclusion: try if you like

Shall we use it?

Questions Ask me: Josh Karlin: Interested in security research?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.