Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.

Published byLaurel Lambert Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University."— Presentation transcript:

1 1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University

2 YouTube Pakistan Telecom Pakistan Telecom Telnor Pakistan Telnor Pakistan Aga Khan University Aga Khan University Multinet Pakistan Multinet Pakistan The Internet I’m YouTube: IP 208.65.153.0/22 I’m YouTube: IP 208.65.153.0/22

3 What should have happened… YouTube Pakistan Telecom Pakistan Telecom Telnor Pakistan Telnor Pakistan Aga Khan University Aga Khan University Multinet Pakistan Multinet Pakistan I’m YouTube: IP 208.65.153.0/22 I’m YouTube: IP 208.65.153.0/22 X drop packets

4 YouTube Pakistan Telecom Pakistan Telecom Telnor Pakistan Telnor Pakistan Aga Khan University Aga Khan University Multinet Pakistan Multinet Pakistan I’m YouTube: IP 208.65.153.0/22 I’m YouTube: IP 208.65.153.0/22 Pakistan Telecom Pakistan Telecom No, I’m YouTube! IP 208.65.153.0/24 No, I’m YouTube! IP 208.65.153.0/24 What did happen

5 5

6 Rare Occurances? Not Really!

7 7 1. Background: 1. BGP, RPKI, BGPSEC 2. routing policies in BGPSEC partial deployment 2. BGPSEC in partial deployment is tricky 3. Is the juice worth the squeeze? 4. Summary

8 Microsoft Verizon Comcast AT&T Over 45,000 Autonomous Systems (ASes)

9 99 Sprint 2828 4323 D 69.63.176.0/24 D 69.63.176.0/24 D 69.63.176.0/24 2828, D 69.63.176.0/24 2828, D 69.63.176.0/24 4323, 2828, D 69.63.176.0/24 4323, 2828, D 69.63.176.0/24 A Sprint, 4323, 2828, D 69.63.176.0/24 Sprint, 4323, 2828, D 69.63.176.0/24

10 10 Sprint 2828 4323 D 69.63.176.0/24 Which route to choose? Use routing policies. e.g. “Prefer short paths” 4323, 2828, D 69.63.176.0/24 4323, 2828, D 69.63.176.0/24 ? A A, D 69.63.176.0/24 A, D 69.63.176.0/24

11 11 Sprint 2828 4323 D 69.63.176.0/24 Which route to choose? Use routing policies. e.g. “Prefer short paths” 4323, 2828, D 69.63.176.0/24 4323, 2828, D 69.63.176.0/24 ? A A 69.63.176.0/24 A 69.63.176.0/24 A, D 69.63.176.0/24 A, D 69.63.176.0/24

12 A A 69.63.176.0/24 A 69.63.176.0/24 12 Sprint 2828 4323 D 69.63.176.0/24 RPKI Binds prefixes to ASes authorized to originate them. X RPKI invalid! Sprint checks that A is not authorized for 69.63.176.0/24 69.63.176.0/24

13 13 BGP RPKI ( origin authentication ) BGPSEC S S 4323,2828, FB, prefix S S 2828, FB, prefix S S SP, 4323, 2828, FB, prefix Security Benefits or Juice prevent prefix hijacks assume RPKI is fully deployed, and focus on 1-hop hijack. prevent route manipulations

14 A S S SP, A, D, prefix A, D, prefix X BGPSEC invalid! 14 Sprint 2828 4323 D 69.63.176.0/24 P/S S S 4323,2828, D, prefix S S 2828, D, prefix S S SP, 4323, 2828, D, prefix S S 2828, D, prefix S S 4323, 2828, D, prefix 2828, D, prefix S S P/S ? Sprint can verify that D never sent A, D prefix S S RPKI

15 What happens when BGP and BGPSEC coexist? 15 BGP RPKI ( origin authentication ) BGPSEC S S 4323,2828, FB, prefix S S 2828, FB, prefix S S SP, 4323, 2828, FB, prefix Security Benefits or Juice prevent prefix hijacks assume RPKI is fully deployed, and focus on 1-hop hijack. prevent route manipulations

16 A 16 Sprint 2828 4323 D Siemens 69.63.176.0/24 P/S Should Sprint choose the long secure path OR the short insecure one? P/S ? Secure ASes must accept legacy insecure routes Depends on the interaction between BGPSEC and routing policies! RPKI S S 4323,2828, D, prefix S S 2828, D, prefix S S SP, 4323, 2828, D, prefix A, D 69.63.176.0/24 A, D 69.63.176.0/24

17 17 1. local preference (often based on business relationships with neighbors) 2.prefer short routes … 3.break ties in a consistent manner

18 Security 1 st 1. local preference (cost) (often based on business relationships with neighbors) Security 2 nd 2.prefer short routes (performance) Security 3 rd 3.break ties in a consistent manner 18  Survey of 100 network operators shows that 10%, 20% and 41% would place security 1 st, 2 nd, and 3 rd, [Gill, Schapira, Goldberg’12] Security Cost,Performance SecurityCost,Performance

19 19 Security 1 st 1. local preference (cost) (prefer customer routes over peer over provider routes) Security 2 nd 2.prefer short routes (performance) Security 3 rd 3.break ties in a consistent manner  To simulate routing outcomes, we use a concrete model of local preference. [Gao-Rexford’00, Huston’99, etc.]  We test the robustness of this local pref model.

20 20 1. Background: BGP, RPKI, BGPSEC, routing policies 2. BGPSEC in partial deployment is tricky 1. Protocol downgrade attacks 2. Collateral damages 3. Routing instabilities 3. Is the Juice worth the squeeze? 4. Summary

21 A 21 Sprint 2828 4323 D 69.63.176.0/24 P/S S S 4323,2828, D, prefix S S 2828, D, prefix S S SP, 4323, 2828, D, prefix P/S Security 3 rd : Path length trumps path security! ? Protocol downgrade attack: Before the attack, Sprint has a legitimate secure route. During the attack, Sprint downgrades to an insecure bogus route. A, D 69.63.176.0/24 A, D 69.63.176.0/24

22 22 A 2828 4323 D Siemens 69.63.176.0/24 P/S A, D 69.63.176.0/2 4 A, D 69.63.176.0/2 4 P/S ? Protocol downgrade attack: A secure AS with a secure route before the attack, downgrades to an insecure bogus route during the attack. Sprint P/S

23 325720960 56173356 52142 12389 M prefix 10310 40426 7922 174 3491 P/S

24 W XZ Y M Before X deploys BGPSEC ? X offers the shorter path ? Shorter path! prefix D V P/S Secure ASes: 5 Happy ASes: 8

25 W XVZ Y M ? W offers the shorter path! ? Security 2 nd : Security trumps path length! Y experiences collateral damage because X is secure! P/S Secure ASes: 6 Happy ASes: 7 After X deploys BGPSEC prefix D P/S

26 26 325720960 56173356 52142 12389 A ? ? 5617 Collateral damage (during the attack): More secure ASes leads to more insecure ASes choosing bogus routes 10310 40426 7922 174 3491 prefix P/S

27 27 Theorem: Routing converges to a unique stable state if all ASes use the same secure routing policy model.  But, if they don’t, there can be BGP Wedgies and oscillations.

28 28 1. Background: BGP, RPKI, BGPSEC, routing policies 2. BGPSEC in partial deployment is tricky 3. Is the Juice worth the Squeeze? 1. Can we efficiently select the optimal set of secure ASes? 2. Can we bound security benefits invariant to who is secure? 3. Is the BGPSEC juice worth the squeeze given RPKI? 4. Summary

29 ∑ all A all d Let S be the set of ASes deploying BGPSEC, A be the attacker and d be the destination Our metric is the average of the set of Happy ASes Happy S,, 29 | Happy(S, A, d) | = 7 |V| 3 1 Metric(S) = prefix 325720960 5617 3356 52142 12389 ? 10310 d 7922 5617174 3491 A A d prefix

30 Problem: find set S of secure ASes that maximizes s. t. |S| = k, for a fixed attacker A and destination d Theorem: This problem is NP-hard for all three routing models. Happy S,, 30 A d prefix

31 A 31 Sprint 2828 4323 D Siemens 69.63.176.0/24 A, D 69.63.176.0/24 A, D 69.63.176.0/24 The bogus path is shorter!

32 A 32 Sprint 2828 4323 D Siemens P/S Sprint is doomed The bogus path is shorter! P/S Regardless of who is secure, Sprint will select the shorter bogus route! 69.63.176.0/24 A, D 69.63.176.0/24 A, D 69.63.176.0/24

33 A 33 Sprint 2828 4323 D Siemens P/S 69.63.176.0/24 A, D 69.63.176.0/24 A, D 69.63.176.0/24 The legitimate path is shorter! Sprint is doomed The bogus path is shorter!

34 A 34 Sprint 2828 4323 D Siemens 69.63.176.0/24 2828 and 4323 are immune The legitimate path is shorter! A, D 69.63.176.0/24 A, D 69.63.176.0/24 Regardless of who is secure, 4323 and 2828 will select legitimate routes! Sprint is doomed The bogus path is shorter!

35 ∑ all A all d Problem: Find upper and lower bound on 35  Key observation. Regardless of who is secure: 1.Doomed ASes will always choose bogus routes 2.Immune ASes will always choose legitimate routes  Lower bound on Metric(S) = fraction of immune ASes  Upper bound on Metric(S) = 1 – fraction of doomed ASes Happy S,, |V| 3 1 Metric(S) = A d prefix

36 36 lower bound with RPKI 17% upper bound with BGPSEC In the most realistic security 3 rd model, the best we could do is make extra 17% happy with security! 53% 36% 47% Average Fraction of Happy ASes results based on simulations on empirical AS-level graphs

37 37 lower bound with RPKI 17% 53% 36% 47% Securing 50% of ASes on the Internet Improvements in the security 3 rd and 2 nd models are only 4% and 8% respectively. 24% Average Fraction of Happy ASes results based on simulations on empirical AS-level graphs

38 38 BGP RPKI ( origin authentication ) BGPSEC S S 4323,2828, FB, prefix S S 2828, FB, prefix S S SP, 4323, 2828, FB, prefix Security Benefits or Juice prevent prefix hijack  Unless Security is 1 st or BGPSEC deployment is very large, security benefits from partially deployed BGPSEC are meagre  Typically little observable difference between Sec 2 nd and 3 rd prevent route manipulations BGP and BGPSEC coexistence: very tricky *protocol downgrades collateral damages routing instabilities

39 1. A grassroots approach to routing security  anonymity service in lieu of a PKI 2. Outsourcing interdomain routing to a non- trusted center  via Secure MultiParty Computation (SMPC)

40 40 check out the full version at http://arxiv.org/abs/1307.2690 1Proofs 2More empirical analysis and plots 3Robustness tests 4BGPSEC deployment guidelines

41 41  Graph: A UCLA AS-level topology from 09-24-2012  39K ASes, 73.5K and 62K customer-provider and peer links  For each attacker-destination pair, simulated routing and determined the sets of doomed and immune ASes  Quantified security-benefit improvements for many different BGPSEC deployment scenarios  Robustness Tests  added 550K extra peering links inferred from IXP data on 09-24-2012  accounted for traffic patterns by focusing on only certain destinations (e.g. content providers) and attackers  currently repeating all analysis with respect to different local pref models

42 A 42 Sprint 2828 4323 D Siemens 69.63.176.0/24 2828 and 4323 are immune The legitimate path is shorter! Sprint is doomed The bogus path is shorter! Only Siemans is neither doomed nor immune! A, D 69.63.176.0/24 A, D 69.63.176.0/24

43 A 43 Sprint 2828 4323 D Siemens P/S 2828 and 4323 are immune The legitimate path is shorter! Sprint is doomed The bogus path is shorter! P/S Regardless of who is secure, only Siemans can benefits from BGPSEC! Only Siemans is neither doomed nor immune! 69.63.176.0/24 A, D 69.63.176.0/24 A, D 69.63.176.0/24

44 44 lower bound with RPKI 53% 17% 79% upper bound with BGPSEC In the most realistic security 3 rd model, the best we could do is make extra 17% happy with security! 10% 30% 11% upper bound with BGPSEC

45 45 lower bound with RPKI 53% Improvements in the security 3 rd and 2 nd models are only 4% and 8% respectively. 10% 30% 11% 17% 79% Securing 50% of the Internet 24%

46 46  we highlight operational issues of BGPSEC partial deployment  results are not meant to be predictive, but our trends are robust

47 47  Network administrators have to agree on security prioritization  otherwise, unpredictable routing behavior may be encountered  ASes deploying BGPSEC experience noticeable security benefit improvements when routing to secure destinations  secure islands could form with different security prioritizations  Overall security benefits are almost the same even when STUBs deploying BGPSEC do not verify routes themselves  Tier 1 networks are not a good choice for initial deployment  protocol downgrades  most ASes are immune (i.e. happy to begin with)

48 48 lower bound with RPKI 60% 15% 77% upper bound with BGPSEC In the most realistic security 3 rd model, the best we could do is make extra 15% happy with security! 12% 25% 11%

49 49 lower bound with RPKI 62% 16% 80% upper bound with BGPSEC 10% 22% 10% IXP-links augmented graph average over all attackers

50 50 lower bound with RPKI 54% 19% 82% upper bound with BGPSEC 8% 27% 10% IXP-links augmented graph average over only non-stub attackers

51 51 lower bound with RPKI 72% 11% 51% upper bound with BGPSEC 41% 17% 8% average over all attackers Local Pref: prefer customer over peer over provider routes, but prefer 1-hop and 2-hop peer routes to customer routes longer than 1 and 2 hops respectively

52 52 lower bound with RPKI 63% 15% 55% upper bound with BGPSEC 35% 22% 10% average over only non-stub attackers Local Pref: prefer customer over peer over provider routes, but prefer 1-hop and 2-hop peer routes to customer routes longer than 1 and 2 hops respectively

53 53 lower bound with RPKI 75% 13% 39% upper bound with BGPSEC 55% 12% 6% IXP-links augmented graph average over all attackers Local Pref: prefer customer over peer over provider routes, but prefer 1-hop and 2-hop peer routes to customer routes longer than 1 and 2 hops respectively

54 54 lower bound with RPKI 64% 16% 44% upper bound with BGPSEC 47% 20% 9% IXP-links augmented graph average over only non-stub attackers Local Pref: prefer customer over peer over provider routes, but prefer 1-hop and 2-hop peer routes to customer routes longer than 1 and 2 hops respectively

55 55 Sec 3 rd model

56 56 Sec 2 nd model

57 57 Sec 3 rd model IXP-links augmented graph

58 58 Sec 2 nd model IXP-links augmented graph

59 59 pessimistic: consider all neutral ASes as unhappy optimistic: consider all neutral ASes as happy 0 20K ASes deploying S*BGP Improvement in Happy(S) Securing 50% of the Internet

60 60 pessimistic: consider all neutral ASes as unhappy optimistic: consider all neutral ASes as happy 0 20K ASes deploying S*BGP Improvement in Happy S (S) Securing 50% of the Internet

61 61 downgrades and collateral benefits play a significant role in the security metric improvement Sec 3rd Sec 1st

62 62 cost is more important than security security is more important than cost (AS 4, AS 5, AS 1 ) … AS 5 (AS 3, AS 2, AS 1 ) … AS 4 P/S AS 2 P/S AS 3 P/S AS 1 P/S AS1,66.174.161.0/24 S S (AS 1 ) … (AS 1 ) … $ $ $ $ $

63 63 cost is more important than security security is more important than cost (AS 4, AS 5, AS 1 ) … AS 5 (AS 3, AS 2, AS 1 ) … AS 4 P/S AS 2 P/S AS 3 P/S AS 1 P/S AS1,66.174.161.0/24 S S (AS 1 ) … (AS 1 ) … P/S

Download ppt "1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University."

Similar presentations

A Threat Model for BGPSEC

A Threat Model for BGPSEC
A Threat Model for BGPSEC Steve Kent BBN Technologies.

A Threat Model for BGPSEC Steve Kent BBN Technologies.
1 Incentive-Compatible Interdomain Routing Joan Feigenbaum Yale University Vijay Ramachandran Stevens Institute of Technology Michael Schapira The Hebrew.

1 Incentive-Compatible Interdomain Routing Joan Feigenbaum Yale University Vijay Ramachandran Stevens Institute of Technology Michael Schapira The Hebrew.
COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
How Secure are Secure Interdomain Routing Protocols? B96209044 大氣四 鍾岳霖 B97703099 財金三 婁瀚升 1.

How Secure are Secure Interdomain Routing Protocols? B 大氣四 鍾岳霖 B 財金三 婁瀚升 1.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.

1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.

1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.

Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.

Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.

© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.

Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
Putting BGP on the Right Path: A Case for Next-Hop Routing Michael Schapira Joint work with Yaping Zhu and Jennifer Rexford (Princeton University)

Putting BGP on the Right Path: A Case for Next-Hop Routing Michael Schapira Joint work with Yaping Zhu and Jennifer Rexford (Princeton University)
1 Interdomain Routing and Games Hagay Levin, Michael Schapira and Aviv Zohar The Hebrew University.

1 Interdomain Routing and Games Hagay Levin, Michael Schapira and Aviv Zohar The Hebrew University.
Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.

Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.

1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.

By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.
Towards a Logic for Wide-Area Internet Routing Nick Feamster and Hari Balakrishnan M.I.T. Computer Science and Artificial Intelligence Laboratory Kunal.

Towards a Logic for Wide-Area Internet Routing Nick Feamster and Hari Balakrishnan M.I.T. Computer Science and Artificial Intelligence Laboratory Kunal.
Part II: Inter-domain Routing Policies. March 8, 20042 What is routing policy? ISP1 ISP4ISP3 Cust1Cust2 ISP2 traffic Connectivity DOES NOT imply reachability!

Part II: Inter-domain Routing Policies. March 8, What is routing policy? ISP1 ISP4ISP3 Cust1Cust2 ISP2 traffic Connectivity DOES NOT imply reachability!
Putting BGP on the Right Path: A Case for Next-Hop Routing Michael Schapira (Yale University and UC Berkeley) Joint work with Yaping Zhu and Jennifer Rexford.

Putting BGP on the Right Path: A Case for Next-Hop Routing Michael Schapira (Yale University and UC Berkeley) Joint work with Yaping Zhu and Jennifer Rexford.
Interdomain Routing Security COS 461: Computer Networks Michael Schapira.

Interdomain Routing Security COS 461: Computer Networks Michael Schapira.

Similar presentations

Ads by Google