Availability Centric Routing (ACR) Robust Interdomain Routing Without BGP Security July 25 th, 2006.

Presentation transcript:

1 Availability Centric Routing (ACR) Robust Interdomain Routing Without BGP Security July 25 th, 2006

2 Current Routing Security Focus
Current proposals like S-BGP, etc. use cryptography to provide control-plane:
1) origin authentication
2) path validity

3 Too Much and Too Little?
These proposals are:
1) Heavy-weight: requiring modifications to routers, continually updated address registries, increased BGP complexity.
2) Insufficient: providing no protection from malicious routers in the data plane or links made unusable by congestion or bad route convergence.

4 A Different Approach
Today end-hosts/edge routers often already provide end-to-end security using mechanisms such as SSL or IPSec. With end-to-end security, we claim that the routing infrastructure only has to worry about providing availability, i.e. the ability to find and use a valid path if it exists.

5 High-level Approach
1) Clients learn multiple potential paths to a destination, instead of a single "best path".
2) Clients use end-to-end security mechanisms and monitor path performance to detect good paths.
3) Clients can use adequate paths and change routes if necessary.

6 Taxonomy of Attacks
Snooping & Traffic Modification; Traffic Analysis; Destination Impersonation; Spam Sources (unused space hijack); Black-holing Traffic; Traffic Degradation.
Let's think about whether the routing system should handle them...

7 Attack: Data Confidentiality & Integrity
Where: Data & Control Plane
A secure control plane could make it harder for an attacker to get on path, but data-plane adversaries can access traffic.
Verdict: Use end-to-end encryption & MACs, rather than rely on the routing protocol.

8 Attack: Traffic Analysis
Where: Data & Control Plane
Again, a secure control plane makes the attack more difficult, but providing real guarantees at the network layer is extremely difficult or even impossible (data worm-hole attack).
Verdict: Use mix-nets or other end-to-end mechanisms if needed, as Internet routing cannot provide any guarantees.

9 Attack: Destination Impersonation
Where: Data & Control Plane
Problems with a data-plane attacker (local or router) or DNS compromise mean that even with a secure control plane, identity is not certain. Difficulty in having ISPs create and update an address registry.
Verdict: End-to-end certificates or other authentication are still needed, and obviate the requirement for identity in the control plane (still useful as an optimization though).

10 Attack: Spam Sources (unused hijack)
Where: Control Plane
Spam is really caused by incentives and identity problems within higher-level systems (e.g. email), which would exist even with secure routing. The real "cost" of this vulnerability is minimal.
Verdict: While authenticated address ownership may be desirable, it is not a requirement for reliable communication.

11 Attack: Black-holing Traffic
Where: Data & Control Plane
The ability to completely prevent communication, particularly when another valid path exists, is the key threat to a routing protocol.
Verdict: Yes, this is central to routing.

12 Attack: Traffic Degradation / DoS
Where: Data Plane, remote hosts
Paths can be rendered unusable for an application even if they are not completely unavailable according to the control plane.
Verdict: Yes, a routing protocol should allow destinations to avoid such links.

13 Defense Taxonomy: Control Plane
Table columns: Attack, S-BGP*, Whisper, ACR.
Table rows: Snoop/Modify traffic; Impersonate destination; Black-hole traffic; Traffic Analysis; Traffic Degradation/DoS; Spam (unused hijack).
Note: Whisper only detects attacks, and only at a limited number of ASes.

14 Defense Taxonomy: Data Plane
Table columns: Attack, S-BGP* + SSL, Listen, ACR + SSL.
Table rows: Snoop/Modify traffic; Impersonate destination; Black-hole traffic; Traffic Analysis; Traffic Degradation/DoS; Spam (unused hijack).

15 What should routing security achieve?
It's very hard to get guarantees about the identity of the path of a data flow. Furthermore, why would we care, if applications already use end-to-end security to handle these risks? As a result, they care about path quality, not path identity.

16 Availability Centric Routing
Goals:
1) Communication in the face of control-plane, data-plane, and link-DoS attacks.
2) Incentivized deployment and low barriers to adoption.
3) No requirements for globally coordinated adoption.

17 What is done end-to-end?
Assume:
1) Confidentiality, integrity and destination identity are handled end-to-end, e.g. SSL/IPSec.
2) Path quality monitoring, to decide when to change paths.

18 Packet "Deflections"
ISPs offer users alternate paths (deflections) in addition to the normal path advertised via BGP.
[Figure: ASes A, B, C, D, E, F] A,B,C,D,F is the normal BGP path for A -> F. To avoid D, A could request that C deflects packets to E, yielding path A,B,C,E,F.

19 Availability Providers
Most path diversity comes from the densely connected tier-1 ISPs. To simplify, what if just these ASes acted as "availability providers" (APs) to offer deflections?

20 ACR Overview
1) Source attempts to set up a secure channel using the default path.
2) If set-up fails, it can request alternate paths from its AP, "probing" until it finds a working path.
3) Sources monitor path performance, requesting alternate paths if the current path is inadequate.

21 Threats Against ACR with APs
Deployment "gaps" between AP and source or destination create attack opportunities.
A large number of invalid paths from the AP makes probing time unrealistic.
Path performance attacks.

22 Attacks Exploiting Deployment "Gaps"
If a provider ISP is duped, it is possible that a stub AS will not be reachable by any path seen by the AP.
[Figure: ASes D, A, U, M] If U does not offer deflections, a malicious AS M could fool U by announcing D's prefix, making D completely unreachable by the availability provider A.

23 Handling Deployment Gaps
Dests: Business preferences help destinations (only fellow customers can attack).
Sources: Paths to a limited number of core APs are easy to manage. Local filtering can provide significant benefit. As can identifying "expected links" based on well-known core topology.

24 Attacking Probing Efficiency
With BGP, each malicious AS can introduce one bad path to its neighbors. The total number of paths is limited by an AS's number of neighbors (more likely peers + providers).
Claim: It is non-trivial to introduce many attractive paths quickly, especially without getting noticed.

25 More Efficient Probing
Base: Shortest AS-path.
Anomaly Detection: Most paths are stable; keep with what has worked (e.g. PGBGP).
Destination Hints: Let the destination sign & distribute hints about its upstream connectivity. Forces attacker paths to be longer.
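The probing loop from slides 18, 20 and 25, as an added simulation that is not part of the original deck: the source takes the BGP default path, and when secure-channel set-up fails it walks the AP's deflection paths in the slide's preferred order (paths that worked before first, then shortest AS-path) until one works. The topology, the black-holing AS and the "channel set-up succeeds iff no hop black-holes" check are constructed assumptions standing in for real BGP, deflection and SSL/IPSec set-up.

```python
from collections import deque

# Constructed AS-level topology (undirected adjacency), modelled on slide 18 plus
# an extra AS G so that deflection paths differ in length. Not from the deck.
TOPOLOGY = {
    "A": ["B"], "B": ["A", "C"], "C": ["B", "D", "E", "G"],
    "D": ["C", "F"], "E": ["C", "F", "G"], "F": ["D", "E"], "G": ["C", "E"],
}

def bgp_path(src, dst, topo=TOPOLOGY):
    """Shortest AS-path by BFS, standing in for the single BGP 'best path'."""
    parent, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in topo[node]:
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    path = []
    while dst is not None:          # walk parents back to the source
        path.append(dst)
        dst = parent[dst]
    return path[::-1]

def deflection_paths(src, dst, topo=TOPOLOGY):
    """Every loop-free AS path src->dst: the alternates an AP could offer."""
    paths, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        stack.extend((n, path + [n]) for n in topo[node] if n not in path)
    return paths

def probe_order(candidates, known_good):
    """Slide 25: previously working paths first (anomaly detection), then shortest AS-path."""
    return sorted(candidates, key=lambda p: (p not in known_good, len(p), p))

def channel_setup_ok(path, black_holes):
    """Assumed end-to-end check: SSL/IPSec set-up fails if any hop black-holes traffic."""
    return not any(hop in black_holes for hop in path)

def acr_find_path(src, dst, black_holes, known_good=(), topo=TOPOLOGY):
    """Slide 20: try the default path, then probe AP deflections until one works.
    Returns (working path or None, number of paths probed including the default)."""
    default = bgp_path(src, dst, topo)
    if channel_setup_ok(default, black_holes):
        return default, 1
    alternates = [p for p in deflection_paths(src, dst, topo) if p != default]
    for probes, path in enumerate(probe_order(alternates, list(known_good)), start=2):
        if channel_setup_ok(path, black_holes):
            return path, probes
    return None, 1 + len(alternates)
```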

26 Monitoring for Path Performance Attacks
Data serves as probes, to avoid preferential treatment of probe packets.
Tricky Attack: A malicious AS makes a path appear valid, then black-holes or degrades performance.

27 Path Performance Monitoring
Solutions:
1) Have traffic that is robust to "hiccups" (e.g. non-realtime).
2) Duplicate traffic over paths that are likely to be "trust disjoint".
3) Use smart probing techniques to help avoid bad control-plane paths.

28 Deployability
No requirement for address registries, cryptographic hardware, an ICANN-based PKI, or new routing software. Deflections can be implemented using IP-in-IP encapsulation and MPLS over IP, which already exist in routers today. Deflections also improve performance.

29 Dirty Laundry
CIDR and sub-prefix hijacks (Answer: Use /24s, which approximates flat routing).
Datagram communication (Answer: either run over a long-term secure channel, or have the data be the identifier, à la DNSSEC).

30 ACR Summary
Secure interdomain routing proposals are heavy-weight, but still insufficient. If end-points set up secure channels, the routing infrastructure must only provide multiple paths to guarantee availability. This approach has highly attractive properties for incentivized deployment.
