Presentation on theme: "Secure Routing Panel FIND PI Meeting (June 27, 2007) Morley Mao, Jen Rexford, Xiaowei Yang."— Presentation transcript:
Secure Routing Panel FIND PI Meeting (June 27, 2007) Morley Mao, Jen Rexford, Xiaowei Yang
2 Goal of the Panel Understand and discuss –The threats on the routing system –Lessons learned from todays routing system –Challenges of architecting a secure routing system –A few specific architectural proposals
3 Questions What are the threats? –End hosts –Compromised routers –Greedy providers What security properties do we need? –Just availability? –Knowing traffic is reaching the right destination? –Knowing end-to-end path? At what granularity? –Avoiding certain paths, countries, or companies? –Do paths need to be symmetric? Enable multiple levels of security in parallel?
4 Questions Where should security functions be placed? –End hosts vs. routers –Data, control, and management planes How do we ensure participation? –Economic incentives for deployment? –Role (if any) for government regulation? –Any need for accountability/liability for problems? –Enable partial deployment scenarios?
5 Organization Morley Mao, U. Michigan –Threats, and an operator perspective (15 min) Jen Rexford, Princeton –Multi-path routing and secure monitoring (10 min) Xiaowei Yang, UC Irvine –User-controlled routes (15 min) Discussion, debate, …
Helping Edge Networks to Help Themselves Jen Rexford Joint work with Dave Andersen, Ioannis Avramopoulos, and Dan Wendlandt
7 Dont Need Secure Routing Protocols Secure routing protocols –Securing info communicated within the protocol Secure routing protocols are too much –Require large-scale (ubiquitous?) deployment –Heavy weight crypto operations –Global public key infrastructure Secure routing protocols are too little –Packets might not follow the path –Adversary can deflect packets or DoS links –Colluding ASes can claim fake links
8 Secure End-to-End Communication An architectural proposal –Multi-path routing exposes possible paths –Edge nodes find and securely use working paths End-to-end security (e.g., SSL & IPsec) Confidentiality of Data Integrity of Data Availability of Communication Channel Depends on Routing and Forwarding
9 Where do Multiple Paths Come From? Multi-homing –Connecting to multiple neighboring ASes –Connecting to a neighbor at multiple places Deflecting through intermediate nodes –Overlay networks of end hosts –Deflection services offered by other networks Multi-path routing protocols A A B B C D
10 How Do Edge Nodes Switch Forwarding Paths? Tagging –Mark tag bits in the data packets –Routers interpret the bits in forwarding Encapsulation –Specifying intermediate deflection point –Routers forward based on deflection address B A C 101 B
11 How Do Edge Nodes Decide to Change Paths? End-to-end integrity check –IPsec and SSL –Client authentication and server certificates –Vote among users from many vantage points Secure availability monitoring –End-host applications judge the performance –Edge routers securely sample the performance
12 Conclusion Secure routing is not the goal –The control plane is just one part of the system –Jen, the Internet is not a network for delivering BGP update messages. – Randy Bush Secure communication should be the goal –Integrity, confidentiality, and availability Leading to a combination of mechanisms –End-to-end integrity and confidentiality –Multi-path routing and forwarding –Secure availability monitoring