Incrementally Deployable Security for Interdomain Routing (TTA-4, Type-I) Elliott Karpilovsky, Princeton University on behalf of Jennifer Rexford, Princeton.


1 Incrementally Deployable Security for Interdomain Routing (TTA-4, Type-I)

Elliott Karpilovsky, Princeton University
on behalf of
Jennifer Rexford, Princeton University
Joan Feigenbaum, Yale University
February 2007

2 Overview: Insecure Internet Infrastructure

Border Gateway Protocol is important
–BGP is the glue that holds the Internet together
BGP is extremely vulnerable
–Easy to inject false information
–Easy to trigger routing instability
Vulnerabilities are being exploited
–Configuration errors and malicious attacks
–Route hijacking, blackholes, denial-of-service, …
Changing to a secure protocol is hard
–Can’t have a flag day to reboot the Internet

3 Overview: Incrementally Deployable Solution

Backwards compatibility
–Work with existing routers and protocols
Incentive compatibility
–Offer significant benefits, even to the first adopter

[Diagram labels: AS 1, AS 2, AS 3, BGP, Inter-AS Protocol, RCP, Distributed detection]

Routing Control Platform tells routers how to forward traffic
Use BGP to communicate with the legacy routers
Use RCP to simplify management and enable new services
Use RCP to detect (and avoid) suspicious routes
Other ASes can deploy an RCP independently
ASes with RCPs can cooperate to detect suspicious routes
ASes can upgrade to secure interdomain routing protocol
… all while still using BGP to control the legacy routers

4 Overview: Potential Security Impact

Breaking the “flag day” stalemate
–Viable approach to incremental deployment
–Backwards compatible with the legacy routers
–Incentive-compatible with goals of each AS
Immediate benefits to participating ASes
–Avoiding anomalous and suspicious routes
–Secure routing with participating neighbors
Tipping point leads to ubiquitous deployment
–Increasing incentives for ASes to participate
–Ultimately, full deployment of secure protocol
Insights for other protocols (such as DNSSEC)

5 Accomplishments in Last Six Months

Routing Control Platform
–Evaluation of our XORP-based prototype
–Design of extensions for multipath routing
–Industry connections with Cisco and AT&T
Preventing resource exhaustion
–Reducing number of routes per address block
–Reducing the number of address blocks
Measuring path quality in adversarial setting
–Prototyping and evaluation of stealth probing
–Theoretical results on minimum crypto machinery

6 Accomplishments: Routing Control Platform

RCP prototype
–Prototype as extension to XORP/Vyatta
–Learns BGP routes from neighbor ASes
–Selects a “best route” for each router per prefix
–API for anomaly detection and path selection
Extensible design
–Modular design to add and compose policies
–E.g., new ways to detect suspicious routes
–Weighing security against other policy objectives
Scalable implementation
–Stress-testing under BGP message traces

[Figure labels: AS 1, RCP]

7 Accomplishments: Routing Control Platform

Security benefits for multi-path routing
–More routes enable flexible path selection
–E.g., avoid routes with suspicious AS paths
–E.g., avoid routes that fail a data-plane check
Incremental deployment of multi-path routing
–ISP offers path diversity as “availability provider”
–RCP propagates the extra routes to customer
–Customer AS selects among multiple routes
Industry connections
–Cisco: router support for multi-path forwarding
–AT&T: commercial viability of multi-path service

8 Accomplishments: Preventing Resource Exhaustion

Memory and I/O demands on routers
–Large number of address blocks (e.g., 200K)
–Multiple BGP routes per address block
–Many attributes for each BGP route
Vulnerability for the routers
–Running out of memory is a serious problem
–High risk especially during route leaks
RCP can reduce the risk
–Selects routes on behalf of the routers
–Stays within the router’s memory footprint
–… but, must also avoid overloading the RCP

9 Accomplishments: Preventing Resource Exhaustion

Can significantly reduce the number of routes needed in memory at any time
–Treat routing as a type of cache replacement problem
–“Forgetful routing” introduced to significantly cut back on required memory
–Backwards compatible, incrementally deployable
–Reachability unaffected
–Secure against point attacks or small collusions of attackers

10 Accomplishments: Preventing Resource Exhaustion

Can significantly reduce the number of address blocks needed in memory at any time
–Aggregate blocks of addresses that have the same forwarding information
–Allows edge routers to store significantly less information
–Increases robustness
–Backwards compatible
–Incrementally deployable
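Aggregating address blocks that share forwarding information, as an added example (not the project's code or its algorithm): two simple rules, assumed here for illustration, shrink a table while keeping every longest-prefix-match result unchanged. The table, next-hop names and helper names are constructed.

```python
import ipaddress

def lookup(table, addr):
    """Longest-prefix match over {prefix: next_hop}; None if uncovered."""
    ip = ipaddress.ip_address(addr)
    nets = {ipaddress.ip_network(p): hop for p, hop in table.items()}
    hits = [n for n in nets if ip in n]
    return nets[max(hits, key=lambda n: n.prefixlen)] if hits else None

def covering_hop(fib, net):
    """Next hop of the nearest less-specific prefix still in the table."""
    while net.prefixlen > 0:
        net = net.supernet()
        if net in fib:
            return fib[net]
    return None

def aggregate(table):
    """Return a smaller table that forwards every address identically."""
    fib = {ipaddress.ip_network(p): hop for p, hop in table.items()}
    changed = True
    while changed:
        changed = False
        for net in sorted(fib, key=lambda n: -n.prefixlen):
            if net not in fib or net.prefixlen == 0:
                continue
            # Rule 1: a more-specific that forwards like its covering prefix
            # is redundant. A cover with a different hop keeps it in place.
            if covering_hop(fib, net) == fib[net]:
                del fib[net]
                changed = True
                continue
            # Rule 2: two sibling halves with one next hop become their parent.
            low, high = net.supernet().subnets()
            if low in fib and high in fib and fib[low] == fib[high]:
                fib[net.supernet()] = fib[low]
                del fib[low], fib[high]
                changed = True
    return {str(n): hop for n, hop in fib.items()}

# Constructed table (private and documentation address space).
SAMPLE = {
    "10.0.0.0/8": "A", "10.1.0.0/16": "B",
    "10.1.1.0/24": "A",      # must stay: its nearest cover points to B
    "10.2.0.0/16": "A",      # redundant under 10.0.0.0/8
    "192.0.2.0/25": "C", "192.0.2.128/25": "C",   # siblings, same hop
    "198.51.100.0/24": "C",
}
```

Blindly collapsing all prefixes that share a next hop would drop `10.1.1.0/24` and silently redirect that block to B, which is why rule 1 compares against the nearest covering prefix rather than any covering prefix.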

11 Accomplishments: Accurate Path-Quality Measurements

Secure routing protocols are not enough
–Adversary may drop, modify, or deflect packets
–Data path may not match the routing information
Detecting and localizing availability problems
–Measuring packet loss and identifying bad link
–Avoiding paths that fail a data-plane check
Must be robust to adversaries along the path
–Who try to bias measurements to evade detection

[Figure labels: Alice, ?, Bob]

12 Accomplishments: Accurate Path-Quality Measurements

Stealth probing: probes are indistinguishable
–Edges sample packets based on keyed hash
–ACKs indicate if sampled packets were delivered
–Adversary can’t identify samples in advance
Prototype implementation
–Extension to the Click modular router
–Packet encryption, sampling, ACKs, statistics
–Can run at 160 Mbps, even on a software router

[Figure labels: Alice, ?, Bob, stealth sample]
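The keyed-hash sampling described on this slide, as an added example (not the Click prototype's code): both edges decide which packets are samples with an HMAC under a shared key, and the loss estimate is compared for an on-path node that favours the packets it believes are samples, once without the key and once with it. The key, sampling rate, packets and the on-path behaviour are constructed assumptions; packet encryption is left out.

```python
import hashlib
import hmac

def is_sampled(key: bytes, packet: bytes, rate: float) -> bool:
    """A packet is a sample iff its keyed hash falls below rate * 2^64."""
    digest = hmac.new(key, packet, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") < int(rate * 2**64)

def estimate_loss(key, sent, delivered, rate):
    """Alice's view: share of her sampled packets that Bob did not ACK."""
    sampled = [p for p in sent if is_sampled(key, p, rate)]
    # Bob applies the same keyed test and ACKs only the samples he received.
    acked = {p for p in delivered if is_sampled(key, p, rate)}
    lost = sum(1 for p in sampled if p not in acked)
    return lost / len(sampled), len(sampled)

def biased_path(sent, guess_key, rate):
    """Constructed on-path node: forwards what it believes are samples and
    drops every second packet of the remaining traffic."""
    return [p for i, p in enumerate(sent)
            if is_sampled(guess_key, p, rate) or i % 2 == 1]

def run_demo():
    key = b"constructed-shared-secret"   # assumption: known only to the edges
    rate = 0.2                           # assumption: 20% of packets sampled
    sent = [b"constructed-packet-%d" % i for i in range(20000)]
    out = {}
    for label, guess in (("without_key", b"wrong-guess"), ("with_key", key)):
        delivered = biased_path(sent, guess, rate)
        true_loss = 1 - len(delivered) / len(sent)
        est, n = estimate_loss(key, sent, delivered, rate)
        out[label] = {"true": true_loss, "estimate": est, "samples": n}
    return out

if __name__ == "__main__":
    for label, row in run_demo().items():
        print(label, row)
```

Without the key the estimate tracks the true loss rate; with the key the node can protect exactly the samples and the estimate falls to zero while real traffic is still being dropped, which is the bias the keyed hash is there to prevent.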

13 Accomplishments: Accurate Path-Quality Measurements

Theoretical results
–Identify the minimum crypto machinery
–Derive practical schemes that achieve the bounds
Statistical detection: practically feasible
–Accurate estimate of the loss rate on e2e path
–Requires keys, crypto, and storage at edge nodes
–Either shared secret keys or with public keys
Statistical localization: hard; poor incentives
–Accurate estimate of per-link loss rates
–Requires keys, crypto, and storage at each hop
–Not aligned with deployment incentives

Best to do end-to-end measurements coupled with multi-path routing!

14 Putting it all Together

Routing Control Platform
–Flexible path selection to improve BGP security
–Control-plane check and data-plane measurement
–Multi-path routing to avoid suspicious paths
Preventing resource exhaustion
–RCP prevents resource exhaustion on routers
–Forgetful routing reduces overhead on RCP itself
Data-plane measurements
–Accurate detection of availability problems
–To drive selection of good end-to-end paths

Complete solution addressing both the control plane and data plane

15 Milestones: Recent Publications

Routing Control Platform
–“A modular RCP for flexible interdomain route control,” CoNext student workshop, Dec’06
Multi-path routing for security
–“Don't secure routing protocols, secure data delivery,” ACM HotNets Workshop, Nov’06
Preventing resource exhaustion
–“Using Forgetful Routing to control BGP table size,” Proc. CoNext, Dec’06
Path-quality measurement in an adversarial setting
–“Secure availability monitoring using stealth probes,” Oct’06
–“Measuring path quality in the presence of adversaries: The role of cryptography in network accountability,” Jan’06

16 Schedule: Ongoing Work

RCP prototype
–Extensions for multi-path BGP routing
–Security modules that detect anomalous paths
–Interface to data-plane measurement results
–Flexible policy specification for network operators
–Interaction with AT&T on multi-path routing
Router extensions
–Disseminating multiple BGP paths in control plane
–Forwarding packets along the selected paths
–Secure packet sampling for stealth probing
–Interaction with Cisco on router extensions

17 Conclusion

BGP is a serious security risk
–The glue that holds the Internet together
–Highly vulnerable, yet also hard to change
Routing Control Platform
–Easy to support new, flexible routing policies
–Control-plane check and data-plane measurement
Breaking the deployment stalemate
–RCP as a way to deploy BGP security solutions
–Incremental deployability & incentive compatibility
–Practically feasible, and offers real security gains

18 Cyber Security R&D: Incrementally Deployable Security for Interdomain Routing

DESCRIPTION / OBJECTIVES / METHODS
Routing-Control Platform (RCP)
–Selects routes on behalf of routers
–Possible today on high-end PC
Incrementally deployable security
–Speak BGP to the legacy routers
–Detect and avoid suspicious routes
–Update RCPs to use secure protocol

DHS/Cyber Security IMPACT
Internet-routing system is vulnerable
–Core communication infrastructure
–Very vulnerable to cyber attacks
–Hard to have “flag day” for upgrades
Phased deployment of secure routing
–Network manager deploys locally
–Participating domains detect attacks
–Neighbor domains upgrade protocol

[Figure labels: Network A, BGP, RCP, Network B, Secure routing protocol]

BUDGET & SCHEDULE
TASK: FY05, FY06, FY07
–RCP prototype
–Anomaly detection
–Policy manager
–Secure routing
–Total cost

