Presentation is loading. Please wait.

Presentation is loading. Please wait.

Verification in Routing Protocols Lakshminarayanan Subramanian Sahara Retreat, Jan 2004.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Verification in Routing Protocols Lakshminarayanan Subramanian Sahara Retreat, Jan 2004."— Presentation transcript:

1 Verification in Routing Protocols Lakshminarayanan Subramanian Sahara Retreat, Jan 2004

2 Need for Route Verification Internet routing protocols, today, blindly assume that routes advertised by neighboring nodes are correct –Examples: BGP, OSPF What if a node propagates spurious routes? Potential Causes –Router mis-configurations –Malicious behavior Potential Effects –Drop packets and render a destination unreachable –Eavesdrop the traffic to a given destination –Impersonate the destination

3 Effect: Blackhole Attack B F C D A E CNN X M Drop Packets Renders Destination Network Unreachable

4 Effect: Impersonation B F C D A E CNN X M CNN’ Impersonates end-hosts in destination network

5 Effect: Eavesdropping B F C D A E CNN X M Eavesdrop on the traffic: Hard to detect

6 Some Real-world examples Examples of Misconfigurations –A single misconfigured router in AS7007 claims ownership for many IP addresses in April 1997 Caused an outage lasting 2 hours –AS3561 propagates 5000 improper announcements in April 2001 –Minor misconfigurations are common [Mahajan02] Malicious adversaries: a potential threat –Routers with default passwords [Rob Thomas, NANOG] –Cisco IOS security advisories –What if we have a large scale worm attack on routers?

7 Route Verification Problem? How do we design routing protocols when nodes in the system propagate invalid announcements? Requirements: –Prior key distribution mechanisms may not always be deployable –Need for decentralized verification techniques –Verification operations should be lightweight

8 BGP: A Case Study Invalid Routes in the Control Plane –Route advertisements with an invalid AS path 200-1200 prefixes affected every day [Mahajan02] Causes: Misconfigurations, malicious nodes Invalid routes in the Data Plane –Data plane path does not match the path advertised in control plane Covers 8% of Internet routes [Mao03] Causes: Stale routes, Forwarding problems, route aggregation, Blackhole attacks Need a combination of control plane and data plane verification

9 Our Approach: Listen and Whisper What best security can one provide without a PKI or the support of a centralized infrastructure? Whisper: Control plane verification –checks for consistency of routes using cryptographic signatures –Can ensure that any invalid route from a misconfigured router or isolated adversary will raise an alarm –Can isolate and contain the effects of independent adversaries propagating many invalid announcements Listen: Data plane verification –checks for reachability problems in the data plane –Useful for detecting problems due to stale routes, forwarding errors, adversaries performing blackhole attacks

10 Comparison to Related Work Control Plane Verification Data Plane Verification Key-distribution based approaches Good security; hard to deploy Not applicable Using centralized databases Incomplete, no security properties Not applicable Configuration checking tools Useful for misconfigurations Not applicable Data-plane Route probing tools Not applicableUseful for our work Listen and WhisperTrigger alarms + Containment Notify existence of data-plane problems

11 Whisper: Route Consistency Test Every path P is associated with a hash value h P A route consistency test compares two routes R and S to a common destination: –R and S are genuine routes => consistent –R genuine, S spurious => inconsistent –R and S spurious => consistent or inconsistent Route consistency provides the ability to trigger alarms if any node generate spurious update. AD CB YX hAhA h AB h ABC hAhA h AX h AXY R S

12 Strong Split Whisper (SSW) A YX D CB N= p.q g- generator Seed= g z mod N g z.A mod N g z.A.X mod N g z.A.B mod N s 1 =g z.A.B.C mod N s 2 =g z.A.X.Y mod N Consistency Checking of Routes (C,B,A) and (Y,X,A) s 1 X.Y = s 2 B.C = g z.A.B.C.X.Y An Example route consistency test construction

13 Containment Strategy Consistency check: (DA,MA), (EB,MB), (FC,MC) –Assign penalty of 1 to each intermediary node in a pair of inconsistent paths Penalty based Filtering: Choose routes with least penalty value –Contains the effect of an isolated adversary –Not applicable when #(adversaries) is large V BA FED C M A,B,C p(M)=3 p(D)=1

14 An Isolated Adversary Containment Region Uses penalty based Filtering Malicious Normal node Only nodes within the containment region are vulnerable to an isolated adversary

15 Dealing with an Isolated Adversary Containment region of an isolated adversary is reduced to roughly 1% of the nodes in the Internet topology

16 Whisper Implementation 512-bit1024-bit2048-bit VerifySign 0.18 msec 0.45 msec 1.42 msec UpdateSign0.25 msec 0.6 msec 1.94 msec GenSign 0.4 sec 8.0 sec 68 sec Our Implementation: – Hash library uses RSA-like signatures using OpenSSL library – Whisper library integrated with Zebra version 0.93b bgpd – Overhead of Whisper operations is small – For 1024-bit keys, process rate >100,000 adv/minute – BGP maximum update rate is 9300 adv/min (avg=130)

17 Listen: Summary of Results Basic approach: A router passively observes a TCP flow for SYN and DATA packets –If so, the ACK has been received by sender => Route to destination is verifiable Challenge: Dealing with false positives and false negatives –Have developed techniques to reduce the probability of false positives and negatives to less than 1% Implementation results: –Deployed in the local area /24 network (KatzNet consisting of 40 machines) for over 2 months –Determined 571 routing problems with a false negative ratio of 0.93% (verified using active probing)

18 Summary: Listen and Whisper We identified three forms of threats to BGP –Mis-configurations, isolated adversaries, colluding adversaries Remedies –Whisper flags control plane route inconsistencies –Listen is necessary for flagging data plane anomalies –A single isolated node (compromised or mis-configured) propagating several bogus announcements can be isolated and contained Limitations –Does not work well when the number of adversaries is large –Limited protection against colluding adversaries

19 Our Current Focus Verification in Link-state routing –Extend Whisper to support verification of link- state advertisements –Analyze dependence of the level of verification on the connectivity of the underlying graph OSPF: a case study –Incorporate link-state verification primitives in the Zebra OSPF implementation –Deploy on top of the DETER testbed

Download ppt "Verification in Routing Protocols Lakshminarayanan Subramanian Sahara Retreat, Jan 2004."

Similar presentations

Secure Routing Panel FIND PI Meeting (June 27, 2007) Morley Mao, Jen Rexford, Xiaowei Yang.

Secure Routing Panel FIND PI Meeting (June 27, 2007) Morley Mao, Jen Rexford, Xiaowei Yang.
RIP2 CCNA Exploration Semester 2 Chapter 7

RIP2 CCNA Exploration Semester 2 Chapter 7
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: EIGRP Advanced Configurations and Troubleshooting Scaling.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: EIGRP Advanced Configurations and Troubleshooting Scaling.
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.

Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
Availability Centric Routing (ACR) Robust Interdomain Routing Without BGP Security July 25 th, 2006.

Availability Centric Routing (ACR) Robust Interdomain Routing Without BGP Security July 25 th, 2006.
© 2007 Levente Buttyán and Jean-Pierre Hubaux Security and Cooperation in Wireless Networks Chapter 4: Naming and addressing.

© 2007 Levente Buttyán and Jean-Pierre Hubaux Security and Cooperation in Wireless Networks Chapter 4: Naming and addressing.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 Routing Working at a Small-to-Medium Business or ISP – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 Routing Working at a Small-to-Medium Business or ISP – Chapter 6.
Chapter 4: Network Layer 4. 1 Introduction 4.2 Virtual circuit and datagram networks 4.3 What’s inside a router 4.4 IP: Internet Protocol –Datagram format.

Chapter 4: Network Layer 4. 1 Introduction 4.2 Virtual circuit and datagram networks 4.3 What’s inside a router 4.4 IP: Internet Protocol –Datagram format.
Listen and Whisper: How to verify BGP route updates? Lakshmi Joint work with: Volker Roth, Ion Stoica, Scott Shenker, Randy Katz.

Listen and Whisper: How to verify BGP route updates? Lakshmi Joint work with: Volker Roth, Ion Stoica, Scott Shenker, Randy Katz.
Secure Routing and Intrusion Detection For Mobile Ad Hoc Networks Secure Routing and Intrusion Detection For Mobile Ad Hoc Networks Anand Patwardhan Jim.

Secure Routing and Intrusion Detection For Mobile Ad Hoc Networks Secure Routing and Intrusion Detection For Mobile Ad Hoc Networks Anand Patwardhan Jim.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Interdomain Routing Security COS 461: Computer Networks Michael Schapira.

Interdomain Routing Security COS 461: Computer Networks Michael Schapira.
Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.

Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background – Detection of Invalid Routing Announcement in the Internet –Open Discussions Thursday.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
1 Next-Generation Secure Internet: Security Overview and Context Adrian Perrig in collaboration with Steven Bellovin, David Clark, Dawn Song.

1 Next-Generation Secure Internet: Security Overview and Context Adrian Perrig in collaboration with Steven Bellovin, David Clark, Dawn Song.
Internet Indirection Infrastructure Ion Stoica UC Berkeley.

Internet Indirection Infrastructure Ion Stoica UC Berkeley.
© 2003 By Default! A Free sample background from www.powerpointbackgrounds.com Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
Listen and Whisper: How to verify BGP route updates? Lakshmi Joint work with: Volker Roth(ICSI), Ion Stoica, Scott Shenker, Randy Katz.

Listen and Whisper: How to verify BGP route updates? Lakshmi Joint work with: Volker Roth(ICSI), Ion Stoica, Scott Shenker, Randy Katz.
Challenge: Securing Routing Protocols Adrian Perrig

Challenge: Securing Routing Protocols Adrian Perrig
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

Similar presentations

Ads by Google