Pretty Good BGP: Improving BGP by Cautiously Adopting Routes Josh Karlin, Stephanie Forrest, Jennifer Rexford IEEE International Conference on Network.

1 Pretty Good BGP: Improving BGP by Cautiously Adopting Routes
Josh Karlin, Stephanie Forrest, Jennifer Rexford
IEEE International Conference on Network Protocols 2006

2 Outline
–What are current BGP security issues?
–What is PGBGP trying to solve?
–How does PGBGP solve it?
–How good is PGBGP?
–How bad is PGBGP?
–Shall we use it?

3 What are current BGP security issues?
BGP4 (RFC1771)
–Inter-domain routing, internet core
–Link state protocol, distributed system
Vulnerabilities
–No encryption: eavesdropping
–No timestamp: replaying
–No signature: man-in-the-middle

4 What are current BGP security issues?
Examples

5 What is PGBGP trying to solve?
General requirements of a good solution
–BGP is widely deployed: don’t modify the protocol
–Router resources are stretched thin: don’t consume too many resources
–ISPs are conservative: incrementally deployable
–ISPs are greedy: show good results!

6 What is PGBGP trying to solve?
Prefix hijack
–Shorter AS_PATH (man-in-the-middle)
–MOAS (multiple origin AS)

7 How does PGBGP solve it?
Basic idea
–Suspicious → Cautious
–Use historical prefix-origin records
–Dampen suspicious prefix-origin announcements for 24 hours
–Human investigation
–Good for prefix/sub-prefix hijacks

8 How does PGBGP solve it?
Algorithm
–History period – h hours → clean
–Suspicious period – s hours → quarantined
–Move h forward → remove staleness, get freshness
Parameters sensitivity
–h = 10 days: short → FP, long → repeat slips
–s = 24 hours: human response time

9 How does PGBGP solve it?
–Prefix hijacks: conflict w/ unknown origins
–Sub-prefix hijacks: conflict w/ known origins [Q1]?

10 How does PGBGP solve it?
Mitigation
–Avoid suspicious routes: lower preference
  –Sub-prefix: quarantine, choose neighbor not having the suspicious routes (not really helpful)
  –Never seen prefix / super-prefix will be adopted
–Convergence consideration
  –Obey relationship-based policy
  –Dampened as if not announced
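
The history period / suspicious period logic from slides 7–10, written out as an added Python example (not code from the paper or from the presenter). Assumptions: the class name and verdict strings are hypothetical, `observe()` is called for (prefix, origin AS) pairs currently present in the routing table, any new more-specific of a known prefix is quarantined, and the prefixes and AS numbers used with it are constructed documentation values.

```python
from ipaddress import ip_network

H = 10 * 24 * 3600  # history period h: 10 days (slide 8), in seconds
S = 24 * 3600       # suspicious period s: 24 hours (slide 8), in seconds

class PrefixOriginMonitor:
    """Hypothetical helper tracking prefix-origin pairs the way the slides describe."""

    def __init__(self, h=H, s=S):
        self.h, self.s = h, s
        self.history = {}     # (network, origin) -> time last seen
        self.suspicious = {}  # (network, origin) -> (time first seen, verdict)

    def observe(self, prefix, origin, now):
        """Return 'normal', 'suspicious-origin' or 'suspicious-subprefix'."""
        net = ip_network(prefix)
        key = (net, origin)
        # Move the history window forward: forget pairs not seen for h.
        self.history = {k: t for k, t in self.history.items() if now - t <= self.h}
        if key in self.suspicious:
            first, verdict = self.suspicious[key]
            if now - first < self.s:
                return verdict        # still quarantined: give it lower preference
            del self.suspicious[key]  # still announced after s: accept into history
            self.history[key] = now
            return "normal"
        if key not in self.history:
            verdict = self._classify(net)
            if verdict != "normal":
                self.suspicious[key] = (now, verdict)
                return verdict
        self.history[key] = now       # known pair, or never-seen prefix: adopt
        return "normal"

    def _classify(self, net):
        known = [k for k, _ in self.history if k.version == net.version]
        if net in known:
            return "suspicious-origin"     # known prefix, origin not in history
        if any(net.subnet_of(k) for k in known):
            return "suspicious-subprefix"  # new more-specific of a known prefix
        return "normal"                    # never-seen prefix or super-prefix
```

A pair that leaves quarantine only because nobody investigated it within s is exactly the "lucky slip" case the later slides list as a limitation.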

11 How good is PGBGP?
Simulation
–18,943 ASes, average 4 links per AS-AS
–Simulator w/ policy-based routing
–Deployment strategies:
  –random -- p
  –core+random -- 16 (15 degree+) + p
–500 attacks per setup
–Parameters: h = 3, s = 1
–Day 1, O; Day 2 O’

12 How good is PGBGP?

17 Conclusion: pretty good
–Core + random deployment, 90%+ effective
–Incrementally deployable
–Out-of-core computation possible
–Centralized computation possible
–Overhead is small, real time possible
–Extension: IAR (internet alert registry)

18 How bad is PGBGP?
Limitations:
–FP: Origin change, multi-homed
–DoS + no other choice
–Lucky slips
–Man-in-the-middle (put itself in AS_PATH)
Conclusion: not too bad

19 Shall we use it?
Critiques for the paper
–FP delay propagation: 24+24+24+24+24
–Model human correction rate with prob. p1, FP rate p2 …
–Some analysis is not thorough (e.g. Fig 3)
–Undeployed ASes at risk (good & bad)
–Distributed/Co-operated version
Conclusion: try if you like

20 Shall we use it?

21 Questions
–Ask me: kuh205@lehigh.edu
–Email Josh Karlin: karlinjf@cs.unm.edu
–Interested in security research? chuah@cse.lehigh.edu
