Loose Source Routing as a Mechanism for Traffic Policies Katerina Argyraki and David R. Cheriton Presented by Thuan Huynh, Robert Patro, and Shomir Wilson

Overview  Background and theory  Implementation  Applications  Related works

Brief Review of LSRR Loose Source Record Routing (LSRR) is an option in IP.  The sender specifies a list of IP addresses that the datagram must traverse.  The route is “loose”: the datagram can pass through other routers between any two addresses on the list.

LSRR Continued SR1R2R3D dest=R1 {#R2, R3, D} dest=R2 {R1, #R3, D} dest=R3 {R1, R2, #D} dest=D {R1, R2, R3#} dest=D {#R1, R2, R3} code len ptr IP addr #1 IP addr #2 IP addr # bytes 4 bytes 4 bytes 39 bytes General Format of the IP Source Route Option Example of IP Source Routing

WRAP: Wide-Area Relay Addressing Protocol WRAP runs on top of IP and uses loose-source routing, but implements it differently from IP’s LSRR. WRAP and LSRR are…  Similar: A WRAP packet includes a forward path and a reverse path. Every time a relay on the forward path is traversed, it is moved to the reverse path.  Different: The WRAP header (including the forward and reverse paths) is included as the beginning of the IP payload. The source and destination in the IP header are the next and previous “hops” taken by the packet.

WRAP Advantages Over LSRR  Relaying of WRAP packets is easier to implement in hardware.  Filtering of WRAP packets can be done with conventional wire-speed filters (similar to TCP/UDP-level filters).  LSRR relaying or filtering requires processing the variable-length IP options field, typically requiring the CPU.

Transmit Policies  WRAP enables a node to specify a transmit policy for each packet.  An edge system can compute multiple paths to a destination, monitor them, and choose between them based on QoS needs.  An access router that connects an edge network to the Internet computes paths and choices, or…  The end user (PC application, person) can specify outgoing traffic paths.  Either way, the Internet core becomes purely a forwarding engine.

Receive Policies  WRAP enables a node to specify a receive policy for each packet (accept, block, rate-limit) according to its end-to-end path.  A victim of a DDoS attack can ask routers close to the attack sources to block “bad” traffic from them.  This is implemented with Active Internet Traffic Filtering (AITF), which verifies requests are real: node M cannot disrupt traffic between A and B unless M is on the path between them.

Alternatives to LSRR/WRAP Transmit policies with labels: edge system tags each packet with a policy label that indicates how it should be routed.  Good: less burdensome on edge systems  Bad: each ISP knows only its own internal performance Receive policies via hop-by-hop traceback: requests to rate-limit traffic propagate hop-by-hop upstream.  Good: again, less burdensome  Bad: core routers become a filtering bottleneck

protocol – The higher layer protocol (UDP, TCP etc.). length – The number of 32-bit addresses the reverse and forward paths foffset – The offset into the list of addresses where forward path field starts reverse path – List of 32-bit addresses corresponding to the end-point and relays already traversed forward path – List of 32-bit addresses corresponding to the relays and end-point still ahead data – Contains the higher level (protocol format) packet protocollengthfoffsetreserved reverse path forward path data

RELAYING AB SD IP Src: S IP Dst: A Fpath: [B,D] Rpath: [ ] IP Src: A IP Dst: B Fpath: [D] Rpath: [S] IP Src: B IP Dst: D Fpath: [ ] Rpath: [S,A]

WRAP: IMPLEMENTATION Name-To-Path Resolution  Wrap requires modification of current DNS  Current – DNS maps names to IP addresses  Modified – DNS maps names to domain-level paths  How?  Each realm gets internal & external DNS server  Internal responds to requests originating inside the realm. Provides mappings from domain names to WRAP paths  External responds to requests originating outside the realm. Provides mappings from domain names to a tuple { global prefix, IP }  Forward Reference (Incremental Deployment)  State for WRAPID gateways can be instantiated during name resolution

WRAP: IMPLEMENTATION Name-To-Path Resolution AB SD S: DNS Name Lookup (D) A: propagates request to B B: { prefix = P, IP = D } A: path = [A,B,D]

DESIRABLE PROPERTIES: Limited Path Spoofing  WRAP limits the effectiveness of spoofing by it’s design.  Property A: Just as a destination addr. must be correct for delivery in IP, the forward path must be correct for delivery in WRAP.  A malicious node may still spoof some other node by placing that node’s address in the reverse path.  However, because of property A, the malicious node’s gateway will necessarily appear in the reverse path.

DESIRABLE PROPERTIES: Limited Path Spoofing A B C V MD IP Src: A IP Dst: B Fpath: [C,D] Rpath: [V] IP Src: B IP Dst: C Fpath: [D] Rpath: [V,A] IP Src: C IP Dst: D Fpath: [ ] Rpath:[ V,A,B]

DESIRABLE PROPERTIES: Low Packet Overhead  WRAP chooses to explicitly include variable length lists of IP addresses in it’s headers.  Seems as though it might introduce much larger headers than a scheme like NIRA, but how bad is it in practice?  Mangoni and Pansiot [14], find that AS path distance appears to have a Gaussian distribution with a mean m, with 3 < m < 4  75% of AS pairs have a path length < 4, and 95% of AS pairs have a path length < 6.  WRAP authors make the conservative assumption that each AS may be a collection of networks behind a NAT. This shifts the distribution average by 2.  Still, 75% of WRAP headers would have a path length < 6 and 95% of WRAP headers would have a path length < 8  Also Mangoni and Pansiot found the “empirical law”:  The average distance, diameter and radius of the inter-domain graph of AS networks stays constant  This “law” holds despite the fact that the # of ASs grew by 40% during the duration of their study

 Make IP addresses become routing tags and have NO end-to-end significance AB S D D [S, B, D] [S, A, D] DESIRABLE PROPERTIES: Address Space

 Unlike NIRA and other schemes, globally unique addresses are not required:  IP addresses must only be unique within a realm.  4 billion addresses per realm.  Relay addresses specify not just a specific router, but a pair { router, outgoing realm }. This is an artifact of a router’s non-uniqueness in the global address space.

Similarity to IPNL  IPNL is an NAT-extended architecture  An address has 10 bytes, consists of  Global IPv4 address  Realm number  Local IPv4 address  Packets must be routed to global address first, then to the realm, and local address.

WRAPID Gateways  Deploying WRAP is similar to placing every administrative domain behind NAT  can be incremental  must upgrade routers to WRAP capable  hosts can be upgraded or not  can support non-WRAP hosts by WRAPID gateways (WRAP to IP Domain)  WRAPID gateways can implement IP  WRAP and WRAP  IP translating functionality.

WRAPID Gateways AB WRAPID gateway IP Src: S IP Dst: X S D IP Src: Y IP Dst: D IP Src: A IP Dst: B Fpath: [D] Rpath: [S] Problems?

Applications  Virtual Private Network  Different sites are connected by WRAP relay nodes  Policy-based routing  Extended forwarding path check  The source can be verified up to the trusted relay node.  Multicast  WRAPsec

Related works  TRIAD (Translating Relaying Internet Architecture integrating Active Directories)  RouteScience  RON  NIRA (Tuesday)  IPNL and IPv4+4  “shim protocol”  router upgrade  routing information in header

Q & A