Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.

Published byJack Anchors Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University."— Presentation transcript:

1 1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University

2 2 BGP RPKI ( origin authentication ) BGPSEC S S 4323,2828, FB, prefix S S 2828, FB, prefix S S SP, 4323, 2828, FB, prefix In deployment Crypto done offline In standardization Crypto done online What does (partially-deployed) BGPSEC offer over RPKI? (Or, is the juice worth the squeeze?) Security Benefits or Juice BGP and BGPSEC coexistence  road to BGPSEC full-deployment is very tricky because introducing security only partially introduces new vulnerabilities  not fully deployed BGPSEC provides only meagre benefits over RPKI if network operators do not prioritize security in their routing policies

3 3 1. Background: 1. BGP, RPKI, BGPSEC 2. routing policies in BGPSEC partial deployment 2. BGPSEC in partial deployment is tricky 3. Is the juice worth the squeeze? 4. Summary

4 44 Sprint 2828 4323 D 69.63.176.0/24 D 69.63.176.0/24 D 69.63.176.0/24 2828, D 69.63.176.0/24 2828, D 69.63.176.0/24 4323, 2828, D 69.63.176.0/24 4323, 2828, D 69.63.176.0/24 A Sprint, 4323, 2828, D 69.63.176.0/24 Sprint, 4323, 2828, D 69.63.176.0/24

5 55 Sprint 2828 4323 D 69.63.176.0/24 Which route to choose? Use routing policies. e.g. “Prefer short paths” 4323, 2828, D 69.63.176.0/24 4323, 2828, D 69.63.176.0/24 ? A A, D 69.63.176.0/24 A, D 69.63.176.0/24

6 66 Sprint 2828 4323 D 69.63.176.0/24 Which route to choose? Use routing policies. e.g. “Prefer short paths” 4323, 2828, D 69.63.176.0/24 4323, 2828, D 69.63.176.0/24 ? A A 69.63.176.0/24 A 69.63.176.0/24 A, D 69.63.176.0/24 A, D 69.63.176.0/24

7 A A 69.63.176.0/24 A 69.63.176.0/24 77 Sprint 2828 4323 D 69.63.176.0/24 RPKI Binds prefixes to ASes authorized to originate them. X RPKI invalid! Sprint checks that A is not authorized for 69.63.176.0/24 69.63.176.0/24

8 8 BGP RPKI ( origin authentication ) BGPSEC S S 4323,2828, FB, prefix S S 2828, FB, prefix S S SP, 4323, 2828, FB, prefix Security Benefits or Juice prevent prefix hijacks assume RPKI is fully deployed, and focus on 1-hop hijack. prevent route manipulations

9 A S S SP, A, D, prefix A, D, prefix X BGPSEC invalid! 99 Sprint 2828 4323 D 69.63.176.0/24 P/S S S 4323,2828, D, prefix S S 2828, D, prefix S S SP, 4323, 2828, D, prefix S S 2828, D, prefix S S 4323, 2828, D, prefix 2828, D, prefix S S P/S ? Sprint can verify that D never sent A, D prefix S S RPKI

10 What happens when BGP and BGPSEC coexist? 10 BGP RPKI ( origin authentication ) BGPSEC S S 4323,2828, FB, prefix S S 2828, FB, prefix S S SP, 4323, 2828, FB, prefix Security Benefits or Juice prevent prefix hijacks assume RPKI is fully deployed, and focus on 1-hop hijack. prevent route manipulations

11 A 11 Sprint 2828 4323 D Siemens 69.63.176.0/24 P/S Should Sprint choose the long secure path OR the short insecure one? P/S ? Secure ASes must accept legacy insecure routes Depends on the interaction between BGPSEC and routing policies! RPKI S S 4323,2828, D, prefix S S 2828, D, prefix S S SP, 4323, 2828, D, prefix A, D 69.63.176.0/24 A, D 69.63.176.0/24

12 12 1. local preference (often based on business relationships with neighbors) 2.prefer short routes … 3.break ties in a consistent manner

13 Security 1 st 1. local preference (cost) (often based on business relationships with neighbors) Security 2 nd 2.prefer short routes (performance) Security 3 rd 3.break ties in a consistent manner 13  Survey of 100 network operators shows that 10%, 20% and 41% would place security 1 st, 2 nd, and 3 rd, [Gill, Schapira, Goldberg’12] Security Cost,Performance SecurityCost,Performance

14 14 Security 1 st 1. local preference (cost) (prefer customer routes over peer over provider routes) Security 2 nd 2.prefer short routes (performance) Security 3 rd 3.break ties in a consistent manner  To simulate routing outcomes, we use a concrete model of local preference. [Gao-Rexford’00, Huston’99, etc.]  Our ongoing work tests the robustness of this local pref model.

15 15 1. Background: BGP, RPKI, BGPSEC, routing policies 2. BGPSEC in partial deployment is tricky 1. Protocol downgrade attacks 2. Collateral damages 3. Routing instabilities 3. Is the Juice worth the squeeze? 4. Summary

16 A 16 Sprint 2828 4323 D 69.63.176.0/24 P/S S S 4323,2828, D, prefix S S 2828, D, prefix S S SP, 4323, 2828, D, prefix P/S Security 3 rd : Path length trumps path security! ? Protocol downgrade attack: Before the attack, Sprint has a legitimate secure route. During the attack, Sprint downgrades to an insecure bogus route. A, D 69.63.176.0/24 A, D 69.63.176.0/24

17 17 A 2828 4323 D Siemens 69.63.176.0/24 P/S A, D 69.63.176.0/2 4 A, D 69.63.176.0/2 4 P/S ? Protocol downgrade attack: A secure AS with a secure route before the attack, downgrades to an insecure bogus route during the attack. Sprint P/S

18 325720960 56173356 52142 12389 M prefix 10310 40426 7922 174 3491 P/S

19 W XZ Y M Before X deploys BGPSEC ? X offers the shorter path ? Shorter path! prefix D V P/S Secure ASes: 5 Happy ASes: 8

20 W XVZ Y M ? W offers the shorter path! ? Security 2 nd : Security trumps path length! Y experiences collateral damage because X is secure! P/S Secure ASes: 6 Happy ASes: 7 After X deploys BGPSEC prefix D P/S

21 21 325720960 56173356 52142 12389 A ? ? 5617 Collateral damage (during the attack): More secure ASes leads to more insecure ASes choosing bogus routes 10310 40426 7922 174 3491 prefix P/S

22 22 Theorem: Routing converges to a unique stable state if all ASes use the same secure routing policy model.  But, if they don’t, there can be BGP Wedgies and oscillations.

23 23 1. Background: BGP, RPKI, BGPSEC, routing policies 2. BGPSEC in partial deployment is tricky 3. Is the Juice worth the Squeeze? 1. Can we efficiently select the optimal set of secure ASes? 2. Can we bound security benefits invariant to who is secure? 3. Is the BGPSEC juice worth the squeeze given RPKI? 4. Summary

24 Let S be the set of ASes deploying BGPSEC, A be the attacker and d be the destination The set of ASes choosing a legitimate route is Happy S,, prefix 24 325720960 5617 3356 52142 12389 ? 10310 d 7922 5617174 3491 A d prefix A | Happy(S, A, d) | = 7

25 ∑ all A all d Let S be the set of ASes deploying BGPSEC, A be the attacker and d be the destination Our metric is the average of the set of Happy ASes Happy S,, 25 | Happy(S, A, d) | = 7 |V| 3 1 Metric(S) = prefix 325720960 5617 3356 52142 12389 ? 10310 d 7922 5617174 3491 A A d prefix

26 Problem: find set S of secure ASes that maximizes s. t. |S| = k, for a fixed attacker A and destination d Theorem: This problem is NP-hard for all three routing models. Happy S,, 26 A d prefix

27 ∑ all A all d Problem: Compute upper and lower bounds on for any BGPSEC deployment set S 27 Happy S,, |V| 3 1 Metric(S) = A d prefix

28 A 28 Sprint 2828 4323 D Siemens 69.63.176.0/24 A, D 69.63.176.0/24 A, D 69.63.176.0/24 The bogus path is shorter!

29 A 29 Sprint 2828 4323 D Siemens P/S Sprint is doomed The bogus path is shorter! P/S Regardless of who is secure, Sprint will select the shorter bogus route! 69.63.176.0/24 A, D 69.63.176.0/24 A, D 69.63.176.0/24

30 A 30 Sprint 2828 4323 D Siemens P/S 69.63.176.0/24 A, D 69.63.176.0/24 A, D 69.63.176.0/24 The legitimate path is shorter! Sprint is doomed The bogus path is shorter!

31 A 31 Sprint 2828 4323 D Siemens 69.63.176.0/24 2828 and 4323 are immune The legitimate path is shorter! A, D 69.63.176.0/24 A, D 69.63.176.0/24 Regardless of who is secure, 4323 and 2828 will select legitimate routes! Sprint is doomed The bogus path is shorter!

32 ∑ all A all d Problem: Find upper and lower bound on 32  Key observation. Regardless of who is secure: 1.Doomed ASes will always choose bogus routes 2.Immune ASes will always choose legitimate routes  Lower bound on Metric(S) = fraction of immune ASes  Upper bound on Metric(S) = 1 – fraction of doomed ASes Happy S,, |V| 3 1 Metric(S) = A d prefix

33 33 lower bound with RPKI 17% upper bound with BGPSEC In the most realistic security 3 rd model, the best we could do is make extra 17% happy with security! 53% 36% 47% Average Fraction of Happy ASes results based on simulations on empirical AS-level graphs

34 34 lower bound with RPKI 17% 53% 36% 47% Securing 50% of ASes on the Internet Improvements in the security 3 rd and 2 nd models are only 4% and 8% respectively. 24% Average Fraction of Happy ASes results based on simulations on empirical AS-level graphs

35 35  Graph: A UCLA AS-level topology from 09-24-2012  39K ASes, 73.5K and 62K customer-provider and peer links  For each attacker-destination pair, simulated routing and determined the sets of doomed and immune ASes  Quantified security-benefit improvements for many different BGPSEC deployment scenarios  Robustness Tests  added 550K extra peering links inferred from IXP data on 09-24-2012  accounted for traffic patterns by focusing on only certain destinations (e.g. content providers) and attackers  currently repeating all analysis with respect to different local pref models

36 36 BGP RPKI ( origin authentication ) BGPSEC S S 4323,2828, FB, prefix S S 2828, FB, prefix S S SP, 4323, 2828, FB, prefix Security Benefits or Juice prevent prefix hijack  Unless Security is 1 st or BGPSEC deployment is very large, security benefits from partially deployed BGPSEC are meagre  Typically little observable difference between Sec 2 nd and 3 rd prevent route manipulations BGP and BGPSEC coexistence: very tricky *protocol downgrades collateral damages routing instabilities

37 37 check out the full version at http://arxiv.org/abs/1307.2690 1Proofs 2More empirical analysis and plots 3Robustness tests 4BGPSEC deployment guidelines

Download ppt "1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University."

Similar presentations

A Threat Model for BGPSEC

A Threat Model for BGPSEC
A Threat Model for BGPSEC Steve Kent BBN Technologies.

A Threat Model for BGPSEC Steve Kent BBN Technologies.
Locating Prefix Hijackers using LOCK Tongqing Qiu +, Lusheng Ji *, Dan Pei * Jia Wang *, Jun (Jim) Xu +, Hitesh Ballani ++ + College of Computing, Georgia.

Locating Prefix Hijackers using LOCK Tongqing Qiu +, Lusheng Ji *, Dan Pei * Jia Wang *, Jun (Jim) Xu +, Hitesh Ballani ++ + College of Computing, Georgia.
COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
How Secure are Secure Interdomain Routing Protocols? B96209044 大氣四 鍾岳霖 B97703099 財金三 婁瀚升 1.

How Secure are Secure Interdomain Routing Protocols? B 大氣四 鍾岳霖 B 財金三 婁瀚升 1.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.

1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.

Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.

CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.
© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.

© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.
An Introduction to Routing the Internet Geoff Huston APNIC.

An Introduction to Routing the Internet Geoff Huston APNIC.
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.

Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
Putting BGP on the Right Path: A Case for Next-Hop Routing Michael Schapira Joint work with Yaping Zhu and Jennifer Rexford (Princeton University)

Putting BGP on the Right Path: A Case for Next-Hop Routing Michael Schapira Joint work with Yaping Zhu and Jennifer Rexford (Princeton University)
1 Interdomain Routing and Games Hagay Levin, Michael Schapira and Aviv Zohar The Hebrew University.

1 Interdomain Routing and Games Hagay Levin, Michael Schapira and Aviv Zohar The Hebrew University.
Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.

Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.

1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.

By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.
Towards a Logic for Wide-Area Internet Routing Nick Feamster and Hari Balakrishnan M.I.T. Computer Science and Artificial Intelligence Laboratory Kunal.

Towards a Logic for Wide-Area Internet Routing Nick Feamster and Hari Balakrishnan M.I.T. Computer Science and Artificial Intelligence Laboratory Kunal.
Announcement  Slides and reference materials available at  Slides and reference materials available.

Announcement  Slides and reference materials available at  Slides and reference materials available.
Part II: Inter-domain Routing Policies. March 8, 20042 What is routing policy? ISP1 ISP4ISP3 Cust1Cust2 ISP2 traffic Connectivity DOES NOT imply reachability!

Part II: Inter-domain Routing Policies. March 8, What is routing policy? ISP1 ISP4ISP3 Cust1Cust2 ISP2 traffic Connectivity DOES NOT imply reachability!
Putting BGP on the Right Path: A Case for Next-Hop Routing Michael Schapira (Yale University and UC Berkeley) Joint work with Yaping Zhu and Jennifer Rexford.

Putting BGP on the Right Path: A Case for Next-Hop Routing Michael Schapira (Yale University and UC Berkeley) Joint work with Yaping Zhu and Jennifer Rexford.

Similar presentations

Ads by Google