Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sign What You Really Care About -- Secure BGP AS Paths Efficiently Yang Xiang, Z. Wang, J. Wu, X. Shi, X. Yin Tsinghua University, Beijing AsiaFI 2011.

Published byBeatrice Holt Modified over 8 years ago

Similar presentations

Presentation on theme: "Sign What You Really Care About -- Secure BGP AS Paths Efficiently Yang Xiang, Z. Wang, J. Wu, X. Shi, X. Yin Tsinghua University, Beijing AsiaFI 2011."— Presentation transcript:

1 Sign What You Really Care About -- Secure BGP AS Paths Efficiently Yang Xiang, Z. Wang, J. Wu, X. Shi, X. Yin Tsinghua University, Beijing AsiaFI 2011 @ Deajeon

2 Aug 12, 2011FS-BGP, THU, AsiaFI 2011 Outline Introduction –Background –Our Proposal: FS-BGP FS-BGP: Fast Secure BGP Evaluation Discussion 2

3 IP Prefix Hijacking Routing information in BGP can not be verified Through prefix hijacking, attacker may drop, intercept or tamper traffic towards specific prefix –Malicious attack : DoD prefix be hijacked, spammer –Mis-configuration: Pakistan Telecom hijacked Youtube, China Telecom hijacked 10% Internet Prefix hijacking: AS4 hijacks prefix f Aug 12, 2011FS-BGP, THU, AsiaFI 20113

4 How to … Short-term goal: detect –Analyze anomalies in routing information –Whisper [NSDI`04], PGBGP [ICNP`06], … –Cons: can not grantee correctness and real-time Long-term goal: prevent –Information authentication, secure routing info. –S-BGP –S-BGP, IRV, S-A, soBGP, psBGP, SPV, … –Cons: high security and low cost, can not have both. Aug 12, 2011FS-BGP, THU, AsiaFI 20114

5 S-BGP The most secure schema Route Attestations (RA) to secure the path {msg}a i – {msg}a i : signature on msg signed by a i Aug 12, 2011FS-BGP, THU, AsiaFI 20115

6 Aug 12, 2011FS-BGP, THU, AsiaFI 2011 Cons of S-BGP S-BGP actually singed the whole path, including the recipient AS So many paths –unbearable computational cost Dilemma of the Expiration-date –Long: unable to defend replay attack –Short: destroy the whole system 6

7 Substitutes for S-BGP soBGP –Infeasible paths exist IRV –Query Latency; hard to maintain authority server SPV –Complex state info.; probabilistically guarantee S-A –Only for signing; need to pre-establish neighbor list Aug 12, 2011FS-BGP, THU, AsiaFI 20117

8 Aug 12, 2011FS-BGP, THU, AsiaFI 2011 Our Proposal FS-BGP: Fast Secure BGP How to secure the path –CSA (Critical path Segment Attestation) to secure the AS path –SPP (Suppressed Path Padding) to protect the optimal path and prevent effective hijacking Security –All the authenticated paths are feasible path –Achieves similar level of security as S-BGP Computational cost (on backbone router) –Singing cost: ~0.6% of S-BGP –Verification cost: ~3.9% of S-BGP 8

9 Aug 12, 2011FS-BGP, THU, AsiaFI 2011 Outline Introduction FS-BGP: Fast Secure BGP –CSA: Critical Segment Attestation –SPP: Suppressed Path Padding Evaluation Discussion 9

10 Aug 12, 2011FS-BGP, THU, AsiaFI 2011 Announcement Restrictions in BGP Best route announcing –Temporary restriction –Local preference and other metrics Selective import & export policy –Persistent restriction –Neighbor based import and export $$ –Neighbor based import and export: contracts ($$) are between neighbor Ases –Feasible path: exist in AS-level graph & obey the policy 10

11 Aug 12, 2011FS-BGP, THU, AsiaFI 2011 Critical Path Segment In path: p n =, the Critical Path Segment c i owned by a i is Those adjacent AS triples actually describes part of routing policies of the corresponding owner – c i = means a i can (and already) announce routes to a i+1 which are import from a i-1 –If every owner signs the critical segment in a current announcing path, the consequent ASes will be able to verify the received whole path 11

12 Aug 12, 2011FS-BGP, THU, AsiaFI 2011 a0a0 〈a0〉〈a0〉 {a1 a0}a0{a1 a0}a0 a1a1 a2a2 a3a3 a4a4 〈a1 a0〉〈a1 a0〉〈a2 a1 a0〉〈a2 a1 a0〉〈a3 a2 a1 a0〉〈a3 a2 a1 a0〉 {a2 a1 a0}a1{a2 a1 a0}a1 {a3 a2 a1 a0}a2{a3 a2 a1 a0}a2 {a4 a3 a2 a1 a0}a3{a4 a3 a2 a1 a0}a3 {a1 a0}a0{a1 a0}a0 {a2 a1 a0}a1{a2 a1 a0}a1 {a3 a2 a1}a2{a3 a2 a1}a2 {a4 a3 a2}a3{a4 a3 a2}a3 √√√√√ √ √√ √ √ √ √√ √ √√ √ √ √√ {msg}a i : signature of msg signed by a i FS-BGP : CSA S-BGP : RA 12

13 Aug 12, 2011FS-BGP, THU, AsiaFI 2011 Signatures in FS-BGP and S-BGP Signatures for the path: p n = FS-BGP S-BGP 13

14 Aug 12, 2011FS-BGP, THU, AsiaFI 2011 Cost Reduction (# total critical segment) << (# total AS path) If we use a small cache, the cost will be sharply decreased k – S-BGP: a n receives k paths, signs k signatures 1 –FS-BGP: a n receives k paths, signs 1 signature 14

15 Aug 12, 2011FS-BGP, THU, AsiaFI 2011 Outline Introduction FS-BGP: Fast Secure BGP –CSA: Critical Segment Attestation –SPP: Suppressed Path Padding Evaluation Discussion 15

16 Aug 12, 2011FS-BGP, THU, AsiaFI 2011 Paths can be verified in FS-BGP are all feasible paths [Theorem 1] CSA achieves Feasible Path Authentication Signed paths in S-BGP Signed paths in FS-BGP All feasible paths 1. Outdated path 2. Current path 1. Outdated path 2. Current path 3. Revealed path 1. Outdated path 2. Current path 3. All not announced path 16

17 Aug 12, 2011FS-BGP, THU, AsiaFI 2011 Forge a path in FS-BGP is possible Forged path (Revealed path) in FS-BGP –Using authenticated path segments, manipulator can construct forged path, which is feasible but currently not announced.  a m forge path p d a 4 construct path p f, then hijack prefix f 17

18 Aug 12, 2011FS-BGP, THU, AsiaFI 2011 Conditions of Effective Hijacking (1) Forge a path in FS-BGP is very difficult –Must be constructed using received authenticated path segments –Must not be announced by the intermediate ASes –Can not be shorter than 5 hops [Theorem 3] (2) Forged path is still feasible, and only temporarily not received by the attacker! –Consider effective hijacking: the traffic is not forwarded by the attacker under normal status (3) Only short enough forge-path can be used for an effective hijacking [Theorem 2] 18

19 Aug 12, 2011FS-BGP, THU, AsiaFI 2011 Prevent Effective Hijacking Using ASPP, can grantee that attacker can not concatenate short enough forge path Not short enough: other paths are not shorter than the optimal path (longest live-time) {a 4, a 3, a 2 }a 3 {a 4, a 3, 3, a 2 }a 3 p f = 19

20 Aug 12, 2011 SPP: Suppressed Path Padding Suppressed Path: paths with lower local preference in the decision process Suppressed path may shorter than optimal path SPP: –General –Optional –Easy to Implement k i Compute k i : Basic decision process: 1.Highest Local Preference (LP) 2.Shortest Path Length (PL) 3.Tie Breaks (TB) Path categories: 1.Suppressed Path 2.Sub-optimal Path 3.Optimal Path FS-BGP, THU, AsiaFI 201120

21 Aug 12, 2011FS-BGP, THU, AsiaFI 2011 Outline Introduction FS-BGP: Fast Secure BGP Evaluation –Security Level –Computational Cost Discussion 21

22 Security Level Aug 12, 2011FS-BGP, THU, AsiaFI 2011 Security Infeasible Path Feasible Path Cost Current Path soBGP LowHigh FSBGP (no SPP) S-BGP FSBGP 22

23 Computational Cost 30 days’ real BGP updates from backbone routers Aug 12, 2011FS-BGP, THU, AsiaFI 2011 FS-BGP S-BGP FS-BGP S-BGP # verifications in every second # signings in every second 23

24 Aug 12, 2011FS-BGP, THU, AsiaFI 2011 Outline Introduction FS-BGP: Fast Secure BGP Evaluation Discussion –Support complicated routing policies –Protect privacy 24

25 Aug 12, 2011FS-BGP, THU, AsiaFI 2011 Complicated Routing Policies AS may use complicate route filters to describe their routing policies –Prefix filter : –Path filter : –Origin filter : FS-BGP can flexibly extend and support route filters  Included feasible prefixes into CSA  Sign whole path  Included feasible origins into CSA 25

26 Revisit the route filters Quantity of route filter –According our statistical result in IRR database, only a very small portion of policies use route filters Purpose of route filter –Some (i.e., origin/path filter) are set for security considerations, rather than policy requirements. –Others (i.e., prefix filter) are set for traffic engineering, to identifying the preference of a route, rather than the feasibility of a path Aug 12, 2011FS-BGP, THU, AsiaFI 201126

27 Aug 12, 2011FS-BGP, THU, AsiaFI 2011 Privacy Protection Privacy: customer list … FS-BGP can protect privacy data –Message spreading manner is same to BGP –Path segments not reveal additional info. –Path segments can only be passively received by valid BGP UPDATE receivers –Do NOT offer any kinds of public accessible policy database 27

28 Aug 12, 2011FS-BGP, THU, AsiaFI 2011 Thanks! FS-BGP: Fast Secure BGP –CSA: Critical Segment Attestation –SPP: Suppressed Path Padding Evaluation –Similar security level as S-BGP –Reduced the cost by orders of magnitude –Support complicated routing policies –Protect privacy Q&A 28

Download ppt "Sign What You Really Care About -- Secure BGP AS Paths Efficiently Yang Xiang, Z. Wang, J. Wu, X. Shi, X. Yin Tsinghua University, Beijing AsiaFI 2011."

Similar presentations

A Threat Model for BGPSEC

A Threat Model for BGPSEC
A Threat Model for BGPSEC Steve Kent BBN Technologies.

A Threat Model for BGPSEC Steve Kent BBN Technologies.
SCION: Scalability, Control and Isolation On Next-Generation Networks

SCION: Scalability, Control and Isolation On Next-Generation Networks
How Secure are Secure Interdomain Routing Protocols? B96209044 大氣四 鍾岳霖 B97703099 財金三 婁瀚升 1.

How Secure are Secure Interdomain Routing Protocols? B 大氣四 鍾岳霖 B 財金三 婁瀚升 1.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.

1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.

1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.

Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.

Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
A Quick and Dirty Guide to BGP attacks Or “How to 0wn the Backbone in your Spare Time”

A Quick and Dirty Guide to BGP attacks Or “How to 0wn the Backbone in your Spare Time”
Network Layer: Internet-Wide Routing & BGP Dina Katabi & Sam Madden.

Network Layer: Internet-Wide Routing & BGP Dina Katabi & Sam Madden.
CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.

CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.

Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.

Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.
Information-Centric Networks04c-1 Week 4 / Paper 3 A Survey of BGP Security Issues and Solutions –Kevin Butler, Toni Farley, Patrick McDaniel, and Jennifer.

Information-Centric Networks04c-1 Week 4 / Paper 3 A Survey of BGP Security Issues and Solutions –Kevin Butler, Toni Farley, Patrick McDaniel, and Jennifer.
A. Haeberlen Having your Cake and Eating it too: Routing Security with Privacy Protections 1 HotNets-X (November 15, 2011) Alexander Gurney * Andreas Haeberlen.

A. Haeberlen Having your Cake and Eating it too: Routing Security with Privacy Protections 1 HotNets-X (November 15, 2011) Alexander Gurney * Andreas Haeberlen.
SPV: Secure Path Vector Routing for Securing BGP Leonel Ocsa Sáchez School of Computer Science.

SPV: Secure Path Vector Routing for Securing BGP Leonel Ocsa Sáchez School of Computer Science.
1 Towards Secure Interdomain Routing For Dr. Aggarwal 60-592 Win 2004.

1 Towards Secure Interdomain Routing For Dr. Aggarwal Win 2004.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.

Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Interdomain Routing Security COS 461: Computer Networks Michael Schapira.

Interdomain Routing Security COS 461: Computer Networks Michael Schapira.

Similar presentations

Ads by Google