1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.

Slides:



Advertisements
Similar presentations
Advanced Computer Networks cs538, Fall UIUC Klara Nahrstedt Lecture 7, September 16, 2014 Based on M. Caesar, J. Rexford, “BGP Routing Policies.
Advertisements

1 Copyright  1999, Cisco Systems, Inc. Module10.ppt10/7/1999 8:27 AM BGP — Border Gateway Protocol Routing Protocol used between AS’s Currently Version.
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
A Quick and Dirty Guide to BGP attacks Or “How to 0wn the Backbone in your Spare Time”
CS Summer 2003 CS672: MPLS Architecture, Applications and Fault-Tolerance.
Border Gateway Protocol Ankit Agarwal Dashang Trivedi Kirti Tiwari.
Network Layer: Internet-Wide Routing & BGP Dina Katabi & Sam Madden.
CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.
Lecture 9 Overview. Hierarchical Routing scale – with 200 million destinations – can’t store all dests in routing tables! – routing table exchange would.
Path Vector Routing NETE0514 Presented by Dr.Apichan Kanjanavapastit.
BGP Multiple Origin AS (MOAS) Conflict Analysis Xiaoliang Zhao, NCSU S. Felix Wu, UC Davis Allison Mankin, Dan Massey, USC/ISI Dan Pei, Lan Wang, Lixia.
© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.
© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
Analysis of BGP Routing Tables
The Border Gateway Protocol (BGP) Sharad Jaiswal.
Inherently Safe Backup Routing with BGP Lixin Gao (U. Mass Amherst) Timothy Griffin (AT&T Research) Jennifer Rexford (AT&T Research)
Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.
Shivkumar Kalyanaraman Rensselaer Polytechnic Institute 1 Exterior Gateway Protocols: EGP, BGP-4, CIDR Shivkumar Kalyanaraman Rensselaer Polytechnic Institute.
Spring Routing & Switching Umar Kalim Dept. of Communication Systems Engineering 04/05/2007.
14 – Inter/Intra-AS Routing
Feb 12, 2008CS573: Network Protocols and Standards1 Border Gateway Protocol (BGP) Network Protocols and Standards Winter
© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network Considering the Advantages of Using BGP.
Border Gateway Protocol (BGP4) Rizwan Rehman, CCS, DU.
Computer Networks Layering and Routing Dina Katabi
Inter-domain Routing Outline Border Gateway Protocol.
Towards a Logic for Wide- Area Internet Routing Nick Feamster Hari Balakrishnan.
I-4 routing scalability Taekyoung Kwon Some slides are from Geoff Huston, Michalis Faloutsos, Paul Barford, Jim Kurose, Paul Francis, and Jennifer Rexford.
Impact of Prefix Hijacking on Payments of Providers Pradeep Bangera and Sergey Gorinsky Institute IMDEA Networks, Madrid, Spain Developing the Science.
1 Controlling IP Spoofing via Inter-Domain Packet Filters Zhenhai Duan Department of Computer Science Florida State University.
CS 3700 Networks and Distributed Systems Inter Domain Routing (It’s all about the Money) Revised 8/20/15.
Understanding and Limiting BGP Instabilities Zhi-Li Zhang Jaideep Chandrashekar Kuai Xu
How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir.
Lecture 4: BGP Presentations Lab information H/W update.
Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks BGP.
Chapter 9. Implementing Scalability Features in Your Internetwork.
Border Gateway Protocol
David Wetherall Professor of Computer Science & Engineering Introduction to Computer Networks Hierarchical Routing (§5.2.6)
Finding Vulnerable Network Gadgets in the Internet Topology Author: Nir Amar Supervisor: Dr. Gabi Nakibly Author: Nir Amar Supervisor: Dr. Gabi Nakibly.
BGP Man in the Middle Attack Jason Froehlich December 10, 2008.
Border Gateway Protocol (BGP) W.lilakiatsakun. BGP Basics (1) BGP is the protocol which is used to make core routing decisions on the Internet It involves.
Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.
A Firewall for Routers: Protecting Against Routing Misbehavior1 June 26, A Firewall for Routers: Protecting Against Routing Misbehavior Jia Wang.
More on Internet Routing A large portion of this lecture material comes from BGP tutorial given by Philip Smith from Cisco (ftp://ftp- eng.cisco.com/pfs/seminars/APRICOT2004.
TCOM 509 – Internet Protocols (TCP/IP) Lecture 06_a Routing Protocols: RIP, OSPF, BGP Instructor: Dr. Li-Chuan Chen Date: 10/06/2003 Based in part upon.
CS 4396 Computer Networks Lab BGP. Inter-AS routing in the Internet: (BGP)
Pretty Good BGP: Improving BGP by Cautiously Adopting Routes Josh Karlin, Stephanie Forrest, Jennifer Rexford IEEE International Conference on Network.
An internet is a combination of networks connected by routers. When a datagram goes from a source to a destination, it will probably pass through many.
Routing in the Inernet Outcomes: –What are routing protocols used for Intra-ASs Routing in the Internet? –The Working Principle of RIP and OSPF –What is.
1 Agenda for Today’s Lecture The rationale for BGP’s design –What is interdomain routing and why do we need it? –Why does BGP look the way it does? How.
1 Border Gateway Protocol (BGP) and BGP Security Jeff Gribschaw Sai Thwin ECE 4112 Final Project April 28, 2005.
Internet Routing Verification John “JI” Ioannidis AT&T Labs – Research Copyright © 2002 by John Ioannidis. All Rights Reserved.
Text BGP Basics. Document Name CONFIDENTIAL Border Gateway Protocol (BGP) Introduction to BGP BGP Neighbor Establishment Process BGP Message Types BGP.
Michael Schapira, Princeton University Fall 2010 (TTh 1:30-2:50 in COS 302) COS 561: Advanced Computer Networks
Inter-domain Routing Outline Border Gateway Protocol.
Border Gateway Protocol BGP-4 BGP environment How BGP works BGP information BGP administration.
Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State.
Border Gateway Protocol. Intra-AS v.s. Inter-AS Intra-AS Inter-AS.
ROUTING ON THE INTERNET COSC Jun-16. Routing Protocols  routers receive and forward packets  make decisions based on knowledge of topology.
Border Gateway Protocol
Goals of soBGP Verify the origin of advertisements
COS 561: Advanced Computer Networks
BGP supplement Abhigyan Sharma.
Lixin Gao ECE Dept. UMASS, Amherst
Department of Computer and IT Engineering University of Kurdistan
BGP Multiple Origin AS (MOAS) Conflict Analysis
BGP Instability Jennifer Rexford
Presentation transcript:

1 BGP Security -- Zhen Wu

2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday –“Secure Border Gateway Protocol (S-BGP)” –“Secure Border Gateway Protocol (S-BGP) - Real World Performance and Deployment Issues”

3 Outline Background “Detection of Invalid Routing Announcement in the Internet” Paper Related Open Problems

4 BGP Components –Autonomous System (AS) –BGP speaker –BGP Routing table: Prefix + AS Path AS4 AS3 AS1 AS 2 BGP

5 BGP Routing Table Maintain the reachability information (AS path) for each prefix Default-free Incremental updates Prefix Next-Hop AS-Path Type Best Route

6 BGP Update AS 566 PrefixAS Path …… Routing Table /8 : 1221, 34 Prefix : AS Path Incoming update /8 : 1221, 34, 566 Outgoing update /81221, 34

7 General Operations Pick the best path and install it in forwarding table –BGP routing table V.S forwarding table –The definition of “best” depends on local policy Policies could influence import, the best path selection, export. Each AS only sends its best route for a prefix to its neighbors, append its AS# in the path

8 BGP Table Growth AS1221 ASN-TELSTRA Telstra Pty Ltd Source:

9 Average Prefix Length

10 Average length of AS path Denser mesh

11 Other Trends More multi-homed small networks A denser interconnectivity mesh Reduction in hierarchical nature

12 Outline Background “Detection of Invalid Routing Announcement in the Internet” Paper Related Open Problems

13 Multiple Origin AS (MOAS) /16 Path: /16 Path: /16 Path: X, 4 AS X AS Y /16 Path: Z, 226 AS Z MOAS case ! Is it a valid policy or a fault/attack? AS 226 AS 4

14 Previous work How many MOAS cases have happened? How long did they last? What’s the distribution of prefix length having MOAS conflicts? Possible explanations

15 Possible Explanations Multi-homing Faulty or Malicious Configurations

16 Problem How to prevent BGP routers from accepting invalid MOAS

17 Idea: MOAS list –A list of legitimate ASes who are authorized to announce the prefix –Attached to route announcement AS4 AS3 AS1 AS /8, MOAS list {1,2} /8, MOAS list {4} Detect MOAS lists conflict /8, MOAS list {1,2}

18 Assumption Rich interconnectivity It is very difficult, if not impossible, for the attacker to totally block the propagation of valid route announcement with MOAS list AS1AS2 AS3AS4 Prefix: /8 MOAS list: {1, 2} Controlled by attack AS6 AS5

19 Limitations in Design Only detects invalid MOAS conflicts –Correct origin AS with a false path ??? Valid path: 4, 231, 55, 1024 False path: 4, XXX, YYY, 1024 Rely on other mechanisms to identify the correct origin AS –DNS lookup verification

20 Discussion & Critiques Topology Generation –Route Views only has a partial view of Internet topology –The view is also filtered by best path selection –Is node number reducing process reasonable? Selection of the two origin ASes –Is random selection reasonable? Adjacent –Is selection only from stub (NO transit) ASes reasonable?

21 Outline Background “Detection of Invalid Routing Announcement in the Internet” Paper Related Open Problems

22 Challenge - Abnormal BGP behaviors Reasons –Implementation / protocol bugs –Misconfigurations –Attack Problems –How to define? –How to detect? –How to distinguish them? –How to trace back? What information do we need to collect?

23 Challenge - Opaque Policy Some strength and complexity of BGP come from the usage of local policy IRR project aims to collect global routing policy knowledge - obsolete and incomplete But: –peer policy agreement are often confidential –There is no way to verify whether received updates abided the intermediate AS’s policies –Are these policies reasonable –Local sound policies may have global conflicts

24 Challenge - Topology How to generate realistic Internet topology? –So huge, complicated, dynamic –What are the essential characteristics of Internet topology? How to model them?

25 BGP Security Problems Outsider attacks –TCP session spoofing –BGP session spoofing –DoS attack Misbehaved, misconfigured, and compromised legitimate BGP routers are the main threat currently –E.g 1997 AS7007 incident

26 Securing Announcement Announcement is not authenticated We don’t know who is allowed to advertise a prefix Anyone could (almost) announce any prefix –Malicious attacks –Accidentally mistakes

27 Securing Path Attribute Each router chooses among multiple routes for a destination Need to select the best path Path attribute is also not authenticated Path modification could disrupt routing –Cause suboptimal path to be adopted Direct to longer path Bring to path with adversary eavesdrop –Interfere with policy decisions – Make some destinations unreachable

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.