Presentation is loading. Please wait.

Presentation is loading. Please wait.

Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.

Similar presentations


Presentation on theme: "Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing."— Presentation transcript:

1 Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing

2 2 Interdomain Routing (BGP) is not Secure  Yet, users demand:  Confidentiality  Integrity  Availability  BGP is vulnerable to:  Deliberate attacks  Misconfigurations

3 3 Securing Interdomain Routing  Focus of this work  Existing crypto solutions  Users demand:  Confidentiality  Integrity  Availability

4 4 Overview I. The routing system and its vulnerabilities III. Securing BGP in small groups – effectiveness of techniques IV. Our approach a) SBone – secure overlay routing b) Shout – hijacking the hijacker V. Conclusion II. Why should small groups secure BGP

5 5 Interdomain Routing – Terminology AS #1 Yale AS #1 Yale AS #2 AT&T AS #2 AT&T AS #3 Princeton AS #3 Princeton  Autonomous Systems (ASes) = independently administered networks in a loose federation  Prefix = set of IP addresses  Origin = genuine owner of an address prefix  Route = AS-level path to the origin Origin of *12121 Data packetsRouting announcements

6 6 Interdomain Routing – Protocol Based on Trust AS # * AS # *  BGP is prefix-based path-vector protocol  Each AS maintains a set of routes to all prefixes  One “best” route is used AS1→12.34.*AS2 → AS1 → * Originate * AS1→12.34.* 2121 AS2 → AS1 → * 1 AS4 → AS1 → * AS #2 1 AS #3 AS #4

7 7 Interdomain Routing – Export & Policies National ISP (#1) Regional ISP (#3) National ISP (#2)  Customer-provider and peer-peer relationships  Selecting a route: by assumption the most profitable, shortest route preferred  At most one profitable route exported Regional ISP (#5) Cust. #7 Cust. #6 Regional ISP (#4) * peer-peer customer- provider

8 8 Interdomain Routing – Export & Policies National ISP (#1) Regional ISP (#3) National ISP (#2)  Customer-provider and peer-peer relationships  Selecting a route: by assumption the most profitable, shortest route preferred  At most one profitable route exported Regional ISP (#5) Cust. #7 Cust. #6 Regional ISP (#4) Use: 6 Remember: 3  *

9 9 Interdomain Routing – One Cannot Learn Many Routes National ISP (#1) Regional ISP (#3) National ISP (#2)  Customer-provider and peer-peer relationships  Selecting a route: by assumption the most profitable, shortest route preferred  At most one profitable route exported Regional ISP (#5) Cust. #7 Cust. #6 AS3 → AS6 → * * Regional ISP (#4) Use: 6 Remember: 3  6

10 10 Vulnerabilities – Example  Invalid origin attack  Nodes 1, 3 and 4 route to the adversary  The true destination is blackholed Genuine origin Attacker *

11 11 Vulnerabilities – Example  Adversary spoofs a shorter path  Node 4 routes through 1 instead of 2  The traffic may be blackholed or intercepted Genuine origin Thinks route thru 2 shorter * No attack

12 12 Vulnerabilities – Example  Adversary spoofs a shorter path  Node 4 routes through 1 instead of 2  The traffic may be blackholed or intercepted Genuine origin Announce 1  Thinks route thru 1 shorter *

13 13 Overview I. The routing system and its vulnerabilities III. Securing BGP in small groups – effectiveness of techniques IV. Our approach a) SBone – secure overlay routing b) Shout – hijacking the hijacker V. Conclusion II. Why should small groups secure BGP

14 14 State of the Art – S-BGP and soBGP  S-BGP  Certificates to verify origin AS  Cryptographic attestations added to routing announcements at each hop  Mechanism: identify which routes are invalid and filter them  soBGP  Build a (partial) AS level topology database

15 15 Limitations of the Secure Protocols  Previous solutions  Benefits only for large deployments (~10,000s)  No incentive for early adopters  No deployment for over a decade  Our goal: Provide incentives to early adopters!

16 16 Our Approach  Challenges  Non-participants outnumber participants  Participants rely on non-participants  Each AS exports only one route  Focus on raising the bar for the adversary rather than residual vulnerabilities  Secure routing within a small group  cooperating nodes  All participants’ routes are secured

17 17 Overview I. The routing system and its vulnerabilities III. Securing BGP in small groups – effectiveness of techniques IV. Our approach a) Sbone – secure overlay routing b) Shout – hijacking the hijacker V. Conclusion II. Why should small groups secure BGP

18 18 Experimental Evaluations  Performance of existing techniques  They work well in large scale deployments  How do they do in small groups?  Evaluate performance of state-of-the art: soBGP  Evaluate partial deployment  If two ASes participate, a valid link connecting them must be in the registry

19 19 Experimental Setup – All Experiments  Method – simulation of BGP announcements on the AS-level Internet topology  Topology information from RouteViews  Adversary and origin chosen at random  Participants implement secure protocol  1 or 5 adversaries  Performance metric – fraction of the Internet ASes with valid routes  Average of 100 runs

20 20 soBGP – Random Participation, 1 adversary Participants have a higher chance to have a valid route! Groups of 1 – 30 participants Number of Participant ASes Percentage of ASes % of the Internet with valid routes Participant ASes All ASes

21 21 soBGP – Deployment by 30 Random + Some Largest ISPs Better performance Cooperation of many large ISPs needed! Number of Large ISPs Percentage of ASes Participant ASes All ASes

22 22 Perfect Detection  Simulations: give ability to detect routes that don’t work  Is this sufficient to secure routing?  How useful is it to have perfect detection?  Can be done in practice:  Data-plane probing verifies validity of route by using it

23 23 Perfect Detection at 30 Random + Some Largest ISPs Perfect detection helps but not sufficient by itself! Percentage of ASes Number of Large ISPs Participant ASes All ASes

24 24 Lessons Learned

25 25 Overview I. The routing system and its vulnerabilities III. Securing BGP in small groups – effectiveness of techniques IV. Our approach a) Sbone – secure overlay routing b) Shout – hijacking the hijacker V. Conclusion II. Why should small groups secure BGP

26 26 Our Approach – Key Ideas  Hijack the hijacker: all participants announce the protected prefix  Hire a few large ISPs to help  Detect invalid routes accurately with data plane detectors  Circumvent the adversary with secure overlay routing

27 27 Our Approach – Key Ideas  Hijack the hijacker: all participants announce the protected prefix  Hire a few large ISPs to help  Detect invalid routes accurately with data plane detectors  Circumvent the adversary with secure overlay routing

28 28 Our Approach – Key Ideas  Hijack the hijacker: all participants announce the protected prefix  Hire a few large ISPs to help  Detect invalid routes accurately with data plane detectors  Circumvent the adversary with secure overlay routing

29 29 Our Approach – Key Ideas  Hijack the hijacker: all participants announce the protected prefix  Hire a few large ISPs to help  Detect invalid routes accurately with data plane detectors  Circumvent the adversary with secure overlay routing

30 30 Overview I. The routing system and its vulnerabilities III. Securing BGP in small groups – effectiveness of techniques IV. Our approach a) SBone – secure overlay routing b) Shout – hijacking the hijacker V. Conclusion II. Why should small groups secure BGP

31 Secure Overlay Routing (SBone)  Overlay of participants’ networks  Protects intra-group traffic  Bad paths detected by probing Use longer route Use peer route Use provider route * * ; Detected as bad Nonparticipant Participant

32 Secure Overlay Routing (SBone)  Traffic may go thru an intermediate node Uses path thru intermediate node ? ? ? 1 1 ? * ; ; Forwards traffic for 1 2 2

33 33 SBone – 30 Random + Help of Some Large ISPs Good performance even for small groups! Percentage of Participating ASes Group Size (ASes) 5 large ISPs 3 large ISPs 1 large ISP 0 large ISPs

34 34 SBone – Multiple Adversaries With 5 adversaries, the performance degrades Solution: enlist more large ISPs! Group Size (ASes) Percentage of Participating ASes 5 large ISPs 3 large ISPs 1 large ISP 0 large ISPs

35 35 SBone - Summary

36 36 Overview I. The routing system and its vulnerabilities III. Securing BGP in small groups – effectiveness of techniques IV. Our approach a) SBone – secure overlay routing b) Shout – hijacking the hijacker V. Conclusion II. Why should small groups secure BGP

37 Hijacking the Hijacker – Shout  Secure traffic from non-participants  All participants announce the protected prefix  Once the traffic enters the overlay, it is securely forwarded to the true prefix owner Prefers short customer’s path leading to adversary * Node 4 shouts Use shortest path 1  4  * *

38 38 Shout + SBone – 1 Adversary With as few as 10 participants + 3 large ISPs, 95% of all ASes can reach the victim! Percentage of ASes Group Size (ASes) 5 large ISPs 3 large ISPs 1 large ISP 0 large ISPs

39 39 Shout + SBone – 5 Adversaries More adversaries  larger groups required! Percentage of ASes Group Size (ASes) 5 large ISPs 3 large ISPs 1 large ISP 0 large ISPs

40 40 Performance and Scalability of Shout  Shout can be used reactively  Only shout if an attack is detected  Changes in routing table sizes negligible  Alternate routes must be saved in routing tables  The average table size increased by less than 5%  After shouting path lengths increase modestly  Paths less than 1.35 times longer  Detailed results next

41 41 Shout + SBone – Increase in Path Length With as few as 3 large ISPs the penalty is negligible! Length Ratio Group Size (ASes) 0 large ISPs 1 large ISP 3 large ISPs 5 large ISPs

42 42 Shout - Summary

43 43 Overview I. The routing system and its vulnerabilities III. Securing BGP in small groups – effectiveness of techniques IV. Our approach a) SBone – secure overlay routing b) Shout – hijacking the hijacker V. Conclusion II. Why should small groups secure BGP

44 44 Conclusion  BGP should be secured by small groups  To be effective, the group members should

45 45 Conclusion  The proposed solution  SBone and Shout are novel mechanisms that achieve these goals

46 46 Future Work  Deployment in larger groups where participants don’t trust each other  Secure routing protocol on the overlay?  Analytic models of the deployment  Predict which additional ASes to enlist to boost performance?  Effects of the structure of the graph on the outcomes?

47 47 Thank you for your attention!

48 48 Discussion 1.Effects of subprefix hijacking 2.What if participants not willing to choose less profitable routes? 3.What if N large ISPs are used instead of N largest ones? 4.Average results and error bars

49 1. Subprefix Hijacking  Threat: adversary deaggregates the victim’s prefix, all traffic is directed to the adversary  Key security mechanisms  Deaggregate the prefix and use shout to announce it  Tunnel endpoints already secure if announced with /24 prefixes  Only deaggregate when attack detected  Attack detected if at least one participant sees an unauthorized subprefix

50 50 1. Subprefix Hijacking – Avoiding Detection If the adversary conceals the attack, <5% ASes are affected! Percentage of ASes Group Size (ASes) 5 large ISPs 3 large ISPs 1 large ISP

51 51 1. Subprefix Hijacking - Summary

52 52 2. SBone – Preserve Business Relationships? Participants do not have visibility into BGP; just route through intermediate nodes Participants can influence route selection Group Size (ASes) Percentage of Participating ASes underlay rerouting no underlay rerouting

53 3. Effect of Choosing the Largest ISPs  The largest ISPs are similar in terms of connectivity and size  Which one of these we enlist among the participants does not matter much

54 54 SBone vs. Perfect Detection Alone With 5 adversaries and 10 participants the SBone is better and variance lower! Stdev: 15% Stdev: 8% Percentage of ASes 0 large ISPs 1 large ISP 3 large ISPs 5 large ISPs Perfect detection alone SBone


Download ppt "Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing."

Similar presentations


Ads by Google