Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Towards Secure Interdomain Routing For Dr. Aggarwal 60-592 Win 2004.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Towards Secure Interdomain Routing For Dr. Aggarwal 60-592 Win 2004."— Presentation transcript:

1 1 Towards Secure Interdomain Routing For Dr. Aggarwal 60-592 Win 2004

2 2 Content Background Current protocol Security problems Solutions Conclusion Reference

3 3 Background Routing Determine the path that IP packets take to go from their source to their destination Interdomain Routing Routers (compute desired path) are grouped together called Autonomous Systems (Management Domains). Inter-Autonomous System routing.

4 4 Current Protocol Border Gateway Protocol RFC 1771 & 1772, March 1995 BGP-4 along with Interior Gateway Protocol (IGP) AS announces IP address ranges called prefixes Full AS paths enforces routing policies Local traffic, transit traffic AS – Stub AS, Multihomed AS, Transit AS

5 5 Attributes Weight Local preference Multi-exit discriminator Origin AS_path NextHop Community

6 6 Security Problems Message may not be correct and authentic Path may not be authentic AS may not have the authority to advertise a prefix

7 7 Solutions Secure Border Gateway Protocol (S- BGP) Internet Route validation (IRV) Secure Origin BGP (soBGP) Origin Authentication Services

8 8 S-BGP IP security protocol suite Encapsulating Security Payload (ESP) new BGP path attribute with attestations - route attestations - address attestations Public Key Infrastrcture(PKI) - public key certificates

9 9 IRV IRV servers maintain routing data received and advertised Validation by out-of-band mechanism and potentially secure protocol

10 10 soBGP EntityCert – ties an AS number to a public key with attested keys as root keys AuthCert (in Prefix PolicyCert) – ties an AS to a block of addresses ASPolicyCert – verifies that the advertiser does have a path to the destination Note: new BGP message (SECURITY)

11 11 Deployment Option Direct Certificate Exchange - exchange certificates with their peers Exchange by Edge Router - edge routers exchange certificates - internal servers process information

12 12 Origin Authentication Services Formalization Modeling Simulation Evaluation

13 13 Formalization ASN = {1,2,…K} be the set of all Autonomous System Numbers, K = 2 16 O be the set of all organizations which can own prefixes S be the set of all BGP speaking organizations C be an organization; C  S and ASN(C) be the set of AS numbers current assigned to C IPA = {0,1} l be the set of all l -bit IP addresses; l =32 for IPv4 and l =64 for IPv6 x/j is the address prefix (often called prefix) If y/k is a prefix of C. Address assignments or delegations can be formally expressed as a) (C, y/k, n) where n ASN; C assigns y/k to an AS number n b) (C, y/k, C’) where C’ O; C delegates y/k to C’ c) (C, y/k, R); C declares y/k as RESERVED thus neither advertised nor delegated

14 14 Delegation Path Valid - ownership source is IANA - path is monotonic - path is acyclic - assignment edge is ASN-respecting ( ASN(C), R or  )

15 15 Modeling Origin Authentication Services - Delegation path is valid - Set of delegation attestations is verified - assignment edge is certified Delegation Attestations - Simple delegation attestation - Authenticated delegation list - Authentication Delegation Tree - Authentication Delegation Dictionaries

16 16 Simulation Trace-based simulation on a single BGP speaker on April 2, 2003. 653649 UPDATE messages are recorded over a 24 hour period Four models are implemented:- - simple attestation - AS authenticated delegation list - Authenticated list - Authenticated delegation trees

17 17 Observation Signature validation (ordered most costly to the least) - simple attestation - AS authenticated delegation list - Authenticated list - Authenticated delegation trees On-line and Off-line Origin Authentication - Authenticated delegation lists are significantly more expensive Caching - Tree scheme outperforms the others Caching without organization load - authenticated delegation lists out-performs AS authenticated delegation list

18 18 Evaluation Discussed Origin Authentication Services Models are feasible Approximation of the delegation graph is supported by studies of BGP Underestimated ownership sources and delegation would not affect the quality of the result

19 19 Conclusion BGP is problematic Secure Border Gateway Protocol - studied since 1996 is not complete Internet Route Verification - solved only part of the problems Secure Origin Border Gateway Protocol - not deployed Origin authentication service – resource costs can be significantly reduced

20 20 Reference 1. W. Aiello, J. Ioannidis, P. McDaniel. Origin Authentication in Interdomain Routing. In Proceedings of the 10 th ACM Conference on Computer and Communication Security, page 165 – 178, October 2003, Washington, DC, USA 2. K. Seo, C. Lynn, and S. Kent. Public-Key Infrastruture for the Secure Border Gateway Protocol (S-BGP). In Proceedings of DARPA Information Survivability Conference and Exposition II. IEEE, June 2001 3. Y. Rekhter and T. Li. A Border Gateway Protocol 4 (BGP4). Internet Engineering Task Force, March 1995. RFC 1771. 4. Y. Rekhter and P. Gross. Application of the Border Gateway Protocol in the Internet, March 1995. RFC 1772

Download ppt "1 Towards Secure Interdomain Routing For Dr. Aggarwal 60-592 Win 2004."

Similar presentations

Holding the Internet Accountable David Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker.

Holding the Internet Accountable David Andersen, Hari Balakrishnan, Nick Feamster, Teemu Koponen, Daekyeong Moon, Scott Shenker.
© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.

© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.
Border Gateway Protocol Autonomous Systems and Interdomain Routing (Exterior Gateway Protocol EGP)

Border Gateway Protocol Autonomous Systems and Interdomain Routing (Exterior Gateway Protocol EGP)
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.

Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.

1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
SPV: Secure Path Vector Routing for Securing BGP Leonel Ocsa Sáchez School of Computer Science.

SPV: Secure Path Vector Routing for Securing BGP Leonel Ocsa Sáchez School of Computer Science.
Securing BGP Geoff Huston November 2007. Agenda An Introduction to BGP BGP Security Questions Current Work Research Questions.

Securing BGP Geoff Huston November Agenda An Introduction to BGP BGP Security Questions Current Work Research Questions.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.

Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.
Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.

Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background – Detection of Invalid Routing Announcement in the Internet –Open Discussions Thursday.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
S ufficient C onditions to G uarantee P ath V isibility Akeel ur Rehman Faridee 2005-03-0021.

S ufficient C onditions to G uarantee P ath V isibility Akeel ur Rehman Faridee
Mini Introduction to BGP Michalis Faloutsos. What Is BGP?  Border Gateway Protocol BGP-4  The de-facto interdomain routing protocol  BGP enables policy.

Mini Introduction to BGP Michalis Faloutsos. What Is BGP?  Border Gateway Protocol BGP-4  The de-facto interdomain routing protocol  BGP enables policy.
Interdomain Routing and The Border Gateway Protocol (BGP) Courtesy of Timothy G. Griffin Intel Research, Cambridge UK

Interdomain Routing and The Border Gateway Protocol (BGP) Courtesy of Timothy G. Griffin Intel Research, Cambridge UK
3/9/2004Presenter: Lan Gao1 Origin Authentication in Interdomain Routing William Aiello, John Ioannidis, and Patrick McDaniel Proceedings of 10th ACM Conference.

3/9/2004Presenter: Lan Gao1 Origin Authentication in Interdomain Routing William Aiello, John Ioannidis, and Patrick McDaniel Proceedings of 10th ACM Conference.
Analysis of BGP Routing Tables

Analysis of BGP Routing Tables
Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.

Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.
COS 420 Day 16. Agenda Finish Individualized Project Please Have Grading sheets to me by Tomorrow Group Project Discussion Assignment 3 moved back to.

COS 420 Day 16. Agenda Finish Individualized Project Please Have Grading sheets to me by Tomorrow Group Project Discussion Assignment 3 moved back to.
CSEE W4140 Networking Laboratory Lecture 5: IP Routing (OSPF and BGP) Jong Yul Kim 02.18.2009.

CSEE W4140 Networking Laboratory Lecture 5: IP Routing (OSPF and BGP) Jong Yul Kim
1 Origin Authentication in Interdomain Routing Security Reading Group September 3, 2004 William Aiello, John Ioannidis, and Patrick McDaniel Proceedings.

1 Origin Authentication in Interdomain Routing Security Reading Group September 3, 2004 William Aiello, John Ioannidis, and Patrick McDaniel Proceedings.

Similar presentations

Ads by Google