Presentation is loading. Please wait.

Presentation is loading. Please wait.

Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.

Published byKaleb Timblin Modified over 9 years ago

Similar presentations

Presentation on theme: "Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing."— Presentation transcript:

1 Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing

2 2 Interdomain Routing (BGP) is not Secure  Yet, users demand:  Confidentiality  Integrity  Availability  BGP is vulnerable to:  Deliberate attacks  Misconfigurations

3 3 Securing Interdomain Routing  Focus of this work  Existing crypto solutions  Users demand:  Confidentiality  Integrity  Availability

4 4 Overview I. The routing system and its vulnerabilities III. Securing BGP in small groups – effectiveness of techniques IV. Our approach a) SBone – secure overlay routing b) Shout – hijacking the hijacker V. Conclusion II. Why should small groups secure BGP

5 5 Interdomain Routing – Terminology AS #1 Yale AS #1 Yale AS #2 AT&T AS #2 AT&T AS #3 Princeton AS #3 Princeton  Autonomous Systems (ASes) = independently administered networks in a loose federation  Prefix = set of IP addresses  Origin = genuine owner of an address prefix  Route = AS-level path to the origin Origin of 12.34.*12121 Data packetsRouting announcements

6 6 Interdomain Routing – Protocol Based on Trust AS #1 12.34.* AS #1 12.34.*  BGP is prefix-based path-vector protocol  Each AS maintains a set of routes to all prefixes  One “best” route is used AS1→12.34.*AS2 → AS1 → 12.34.* Originate 12.34.* AS1→12.34.* 2121 AS2 → AS1 → 12.34.* 1 AS4 → AS1 → 12.34.* AS #2 1 AS #3 AS #4

7 7 Interdomain Routing – Export & Policies National ISP (#1) Regional ISP (#3) National ISP (#2)  Customer-provider and peer-peer relationships  Selecting a route: by assumption the most profitable, shortest route preferred  At most one profitable route exported Regional ISP (#5) Cust. #7 Cust. #6 Regional ISP (#4) 12.34.* peer-peer customer- provider

8 8 Interdomain Routing – Export & Policies National ISP (#1) Regional ISP (#3) National ISP (#2)  Customer-provider and peer-peer relationships  Selecting a route: by assumption the most profitable, shortest route preferred  At most one profitable route exported Regional ISP (#5) Cust. #7 Cust. #6 Regional ISP (#4) Use: 6 Remember: 3  6 12.34.*

9 9 Interdomain Routing – One Cannot Learn Many Routes National ISP (#1) Regional ISP (#3) National ISP (#2)  Customer-provider and peer-peer relationships  Selecting a route: by assumption the most profitable, shortest route preferred  At most one profitable route exported Regional ISP (#5) Cust. #7 Cust. #6 AS3 → AS6 → 12.34.* 12.34.* Regional ISP (#4) Use: 6 Remember: 3  6

10 10 Vulnerabilities – Example 1 1 1 3 3 2 2  Invalid origin attack  Nodes 1, 3 and 4 route to the adversary  The true destination is blackholed 5 5 7 7 Genuine origin Attacker 6 6 4 4 12.34.*

11 11 Vulnerabilities – Example 2 1 1 3 3 2 2  Adversary spoofs a shorter path  Node 4 routes through 1 instead of 2  The traffic may be blackholed or intercepted 5 5 7 7 Genuine origin 4 4 6 6 Thinks route thru 2 shorter 12.34.* No attack

12 12 Vulnerabilities – Example 2 1 1 3 3 2 2  Adversary spoofs a shorter path  Node 4 routes through 1 instead of 2  The traffic may be blackholed or intercepted 5 5 7 7 Genuine origin Announce 1  7 4 4 6 6 Thinks route thru 1 shorter 12.34.*

13 13 Overview I. The routing system and its vulnerabilities III. Securing BGP in small groups – effectiveness of techniques IV. Our approach a) SBone – secure overlay routing b) Shout – hijacking the hijacker V. Conclusion II. Why should small groups secure BGP

14 14 State of the Art – S-BGP and soBGP  S-BGP  Certificates to verify origin AS  Cryptographic attestations added to routing announcements at each hop  Mechanism: identify which routes are invalid and filter them  soBGP  Build a (partial) AS level topology database

15 15 Limitations of the Secure Protocols  Previous solutions  Benefits only for large deployments (~10,000s)  No incentive for early adopters  No deployment for over a decade  Our goal: Provide incentives to early adopters!

16 16 Our Approach  Challenges  Non-participants outnumber participants  Participants rely on non-participants  Each AS exports only one route  Focus on raising the bar for the adversary rather than residual vulnerabilities  Secure routing within a small group  10-20 cooperating nodes  All participants’ routes are secured

17 17 Overview I. The routing system and its vulnerabilities III. Securing BGP in small groups – effectiveness of techniques IV. Our approach a) Sbone – secure overlay routing b) Shout – hijacking the hijacker V. Conclusion II. Why should small groups secure BGP

18 18 Experimental Evaluations  Performance of existing techniques  They work well in large scale deployments  How do they do in small groups?  Evaluate performance of state-of-the art: soBGP  Evaluate partial deployment  If two ASes participate, a valid link connecting them must be in the registry

19 19 Experimental Setup – All Experiments  Method – simulation of BGP announcements on the AS-level Internet topology  Topology information from RouteViews  Adversary and origin chosen at random  Participants implement secure protocol  1 or 5 adversaries  Performance metric – fraction of the Internet ASes with valid routes  Average of 100 runs

20 20 soBGP – Random Participation, 1 adversary Participants have a higher chance to have a valid route! Groups of 1 – 30 participants Number of Participant ASes Percentage of ASes % of the Internet with valid routes Participant ASes All ASes

21 21 soBGP – Deployment by 30 Random + Some Largest ISPs Better performance Cooperation of many large ISPs needed! Number of Large ISPs Percentage of ASes Participant ASes All ASes

22 22 Perfect Detection  Simulations: give ability to detect routes that don’t work  Is this sufficient to secure routing?  How useful is it to have perfect detection?  Can be done in practice:  Data-plane probing verifies validity of route by using it

23 23 Perfect Detection at 30 Random + Some Largest ISPs Perfect detection helps but not sufficient by itself! Percentage of ASes Number of Large ISPs Participant ASes All ASes

24 24 Lessons Learned

25 25 Overview I. The routing system and its vulnerabilities III. Securing BGP in small groups – effectiveness of techniques IV. Our approach a) Sbone – secure overlay routing b) Shout – hijacking the hijacker V. Conclusion II. Why should small groups secure BGP

26 26 Our Approach – Key Ideas  Hijack the hijacker: all participants announce the protected prefix  Hire a few large ISPs to help  Detect invalid routes accurately with data plane detectors  Circumvent the adversary with secure overlay routing

27 27 Our Approach – Key Ideas  Hijack the hijacker: all participants announce the protected prefix  Hire a few large ISPs to help  Detect invalid routes accurately with data plane detectors  Circumvent the adversary with secure overlay routing

28 28 Our Approach – Key Ideas  Hijack the hijacker: all participants announce the protected prefix  Hire a few large ISPs to help  Detect invalid routes accurately with data plane detectors  Circumvent the adversary with secure overlay routing

29 29 Our Approach – Key Ideas  Hijack the hijacker: all participants announce the protected prefix  Hire a few large ISPs to help  Detect invalid routes accurately with data plane detectors  Circumvent the adversary with secure overlay routing

30 30 Overview I. The routing system and its vulnerabilities III. Securing BGP in small groups – effectiveness of techniques IV. Our approach a) SBone – secure overlay routing b) Shout – hijacking the hijacker V. Conclusion II. Why should small groups secure BGP

31 Secure Overlay Routing (SBone)  Overlay of participants’ networks  Protects intra-group traffic  Bad paths detected by probing 5 5 4 4 6 6 3 3 7 7 1 1 2 2 Use longer route Use peer route 1 1 5 5 2 2 7 7 Use provider route 12.34.* 31 12.34.* ; 12.34.1.1 Detected as bad Nonparticipant Participant

32 Secure Overlay Routing (SBone)  Traffic may go thru an intermediate node 32 4 4 7 7 Uses path thru intermediate node 3 3 3 6 6 ? ? ? 1 1 ? 12.34.* ; 12.34.1.1 5 5 12.8.1.1 ; 12.8.1.1 Forwards traffic for 1 2 2

33 33 SBone – 30 Random + Help of Some Large ISPs Good performance even for small groups! Percentage of Participating ASes Group Size (ASes) 5 large ISPs 3 large ISPs 1 large ISP 0 large ISPs

34 34 SBone – Multiple Adversaries With 5 adversaries, the performance degrades Solution: enlist more large ISPs! Group Size (ASes) Percentage of Participating ASes 5 large ISPs 3 large ISPs 1 large ISP 0 large ISPs

35 35 SBone - Summary

36 36 Overview I. The routing system and its vulnerabilities III. Securing BGP in small groups – effectiveness of techniques IV. Our approach a) SBone – secure overlay routing b) Shout – hijacking the hijacker V. Conclusion II. Why should small groups secure BGP

37 Hijacking the Hijacker – Shout  Secure traffic from non-participants  All participants announce the protected prefix  Once the traffic enters the overlay, it is securely forwarded to the true prefix owner 37 1 1 3 3 2 2 4 4 6 6 5 5 7 7 Prefers short customer’s path leading to adversary 12.34.* Node 4 shouts Use shortest path 1  4  12.34.* 12.34.*

38 38 Shout + SBone – 1 Adversary With as few as 10 participants + 3 large ISPs, 95% of all ASes can reach the victim! Percentage of ASes Group Size (ASes) 5 large ISPs 3 large ISPs 1 large ISP 0 large ISPs

39 39 Shout + SBone – 5 Adversaries More adversaries  larger groups required! Percentage of ASes Group Size (ASes) 5 large ISPs 3 large ISPs 1 large ISP 0 large ISPs

40 40 Performance and Scalability of Shout  Shout can be used reactively  Only shout if an attack is detected  Changes in routing table sizes negligible  Alternate routes must be saved in routing tables  The average table size increased by less than 5%  After shouting path lengths increase modestly  Paths less than 1.35 times longer  Detailed results next

41 41 Shout + SBone – Increase in Path Length With as few as 3 large ISPs the penalty is negligible! Length Ratio Group Size (ASes) 0 large ISPs 1 large ISP 3 large ISPs 5 large ISPs

42 42 Shout - Summary

43 43 Overview I. The routing system and its vulnerabilities III. Securing BGP in small groups – effectiveness of techniques IV. Our approach a) SBone – secure overlay routing b) Shout – hijacking the hijacker V. Conclusion II. Why should small groups secure BGP

44 44 Conclusion  BGP should be secured by small groups  To be effective, the group members should

45 45 Conclusion  The proposed solution  SBone and Shout are novel mechanisms that achieve these goals

46 46 Future Work  Deployment in larger groups where participants don’t trust each other  Secure routing protocol on the overlay?  Analytic models of the deployment  Predict which additional ASes to enlist to boost performance?  Effects of the structure of the graph on the outcomes?

47 47 Thank you for your attention!

48 48 Discussion 1.Effects of subprefix hijacking 2.What if participants not willing to choose less profitable routes? 3.What if N large ISPs are used instead of N largest ones? 4.Average results and error bars

49 1. Subprefix Hijacking  Threat: adversary deaggregates the victim’s prefix, all traffic is directed to the adversary  Key security mechanisms  Deaggregate the prefix and use shout to announce it  Tunnel endpoints already secure if announced with /24 prefixes  Only deaggregate when attack detected  Attack detected if at least one participant sees an unauthorized subprefix

50 50 1. Subprefix Hijacking – Avoiding Detection If the adversary conceals the attack, <5% ASes are affected! Percentage of ASes Group Size (ASes) 5 large ISPs 3 large ISPs 1 large ISP

51 51 1. Subprefix Hijacking - Summary

52 52 2. SBone – Preserve Business Relationships? Participants do not have visibility into BGP; just route through intermediate nodes Participants can influence route selection Group Size (ASes) Percentage of Participating ASes underlay rerouting no underlay rerouting

53 3. Effect of Choosing the Largest ISPs  The largest ISPs are similar in terms of connectivity and size  Which one of these we enlist among the participants does not matter much

54 54 SBone vs. Perfect Detection Alone With 5 adversaries and 10 participants the SBone is better and variance lower! Stdev: 15% Stdev: 8% Percentage of ASes 0 large ISPs 1 large ISP 3 large ISPs 5 large ISPs Perfect detection alone SBone

Download ppt "Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing."

Similar presentations

Reliable Internet Routing

Reliable Internet Routing
Secure Routing Panel FIND PI Meeting (June 27, 2007) Morley Mao, Jen Rexford, Xiaowei Yang.

Secure Routing Panel FIND PI Meeting (June 27, 2007) Morley Mao, Jen Rexford, Xiaowei Yang.
How Secure are Secure Interdomain Routing Protocols? B96209044 大氣四 鍾岳霖 B97703099 財金三 婁瀚升 1.

How Secure are Secure Interdomain Routing Protocols? B 大氣四 鍾岳霖 B 財金三 婁瀚升 1.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.

1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.

1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.

Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.
Network Layer: Internet-Wide Routing & BGP Dina Katabi & Sam Madden.

Network Layer: Internet-Wide Routing & BGP Dina Katabi & Sam Madden.
© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.

© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.
Availability Centric Routing (ACR) Robust Interdomain Routing Without BGP Security July 25 th, 2006.

Availability Centric Routing (ACR) Robust Interdomain Routing Without BGP Security July 25 th, 2006.
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.

Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.

Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.
Information-Centric Networks04c-1 Week 4 / Paper 3 A Survey of BGP Security Issues and Solutions –Kevin Butler, Toni Farley, Patrick McDaniel, and Jennifer.

Information-Centric Networks04c-1 Week 4 / Paper 3 A Survey of BGP Security Issues and Solutions –Kevin Butler, Toni Farley, Patrick McDaniel, and Jennifer.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.

1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.

By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.
Part II: Inter-domain Routing Policies. March 8, 20042 What is routing policy? ISP1 ISP4ISP3 Cust1Cust2 ISP2 traffic Connectivity DOES NOT imply reachability!

Part II: Inter-domain Routing Policies. March 8, What is routing policy? ISP1 ISP4ISP3 Cust1Cust2 ISP2 traffic Connectivity DOES NOT imply reachability!
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Interdomain Routing Security COS 461: Computer Networks Michael Schapira.

Interdomain Routing Security COS 461: Computer Networks Michael Schapira.
Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.

Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background – Detection of Invalid Routing Announcement in the Internet –Open Discussions Thursday.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
Don’t Secure Routing, Secure Data Delivery Dan Wendlandt (CMU) With: Ioannis Avramopoulos (Princeton), David G. Andersen (CMU), and Jennifer Rexford (Princeton)

Don’t Secure Routing, Secure Data Delivery Dan Wendlandt (CMU) With: Ioannis Avramopoulos (Princeton), David G. Andersen (CMU), and Jennifer Rexford (Princeton)

Similar presentations

Ads by Google