Incrementally Deployable Security for Interdomain Routing (TTA-4, Type-I) Jennifer Rexford, Princeton University Joan Feigenbaum, Yale University July 11, 2005

2 Problem: Insecure Internet Infrastructure Border Gateway Protocol is important –BGP is the glue that holds the Internet together BGP is extremely vulnerable –Easy to inject false information –Easy to trigger routing instability Vulnerabilities are being exploited –Configuration errors and malicious attacks –Route hijacking, blackholes, denial-of-service, … Changing to a secure protocol is hard –Can’t have a flag day to reboot the Internet

3 Example: Route Hijacking /16 Consequences for the data traffic –Discarded: denial of service –Snooped: violating the user’s privacy –Redirected: identity theft, propagating false info, etc.

4 Solution: Incremental Deployability Backwards compatibility –Work with existing routers and protocols Incentive compatibility –Offer significant benefits, even to the first adopter AS 3 AS 2 AS 1 BGP Inter-AS Protocol RCP Routing Control Platform tells routers how to forward traffic Use BGP to communicate with the legacy routers Use RCP to simplify management and enable new servicesUse RCP to detect (and avoid) suspicious routes Other ASes can deploy an RCP independently ASes with RCPs can cooperate to detect suspicious routes ASes can upgrade to secure interdomain routing protocol … all while still using BGP to control the legacy routers Distributed detection

5 RCP System is Feasible Reliability –Problem: single point of failure –Solution: simple replication of RCP components Consistency –Problem: inconsistent decisions by replicas –Solution: consistency without inter-replica protocol Scalability –Problem: memory and processing demands –Solution: one copy per route; avoid recomputation Can build an RCP for a large ISP on a single high-end PC AT&T prototype:

6 Problem #1: BGP Anomaly Detection Avoid using suspicious/unstable routes –Data-streaming algorithms for anomaly detection –Single AS, and then distributed collection of ASes –Evaluation on data from AT&T and RouteViews –Initial work: detecting known anomalies; wavelets AS 3 AS 2 AS 1 RCP share diagnostic information

7 Problem #2: Routing Policy Management Centralize policy management in the RCP –Policies for filtering, selecting, & exporting routes –Build on a trust-management system Notation for precise policy specification Procedures for deciding an action complies –Initial work: survey study on ISP routing policies AS 1 RCP Filter: discard routes for small subnets; discard suspicious routes Select: prefer routes learned from customers; prefer closer egress points; prefer stable routes Export: do not export peer-learned routes to other peers; do not export infrastructure addresses

8 Problem #3: Secure Inter-AS Protocol Incremental deployment of secure protocol –Analysis of incentives for ASes to upgrade For customer-provider and peer-peer relationships –Analysis of incremental security gain End-to-end security for some traffic Security along a sub-path for the rest –Initial work: sBGP and soBGP as the protocol AS 3 AS 2 AS 1 secure protocol RCP regular BGP

9 Teaming Information: Two PIs Jennifer Rexford, Princeton University –Border Gateway Protocol (BGP) –Internet measurement –Systems and prototyping –Operational experience from AT&T Joan Feigenbaum, Yale University –Security and cryptography –Massive data streams –Trust-management systems –Economics and incentive analysis

10 Teaming Information: Deployment Strategies PlanetLab/Abilene –PlanetLab overlay, managed at Princeton –Nodes deployed in all Internet2 PoPs –Plan: build RCP prototype on XORP open-source router, to drive Click forwarder in PlanetLab nodes –Exploring: direct BGP sessions with other ISPs AT&T backbone –Tier-1 ISP backbone (AS 7018) –Initial RCP prototype built at AT&T –Plan: evaluate RCP applications on archive of AT&T routing and configuration data –Exploring: deployment on top of the AT&T RCP

11 Project Milestones: Three-Year Timeline RCP prototype, and API to data- analysis engine Offline algorithms and upper bounds Identify today’s policies and select notation RCP with API to trust-management system Online analysis algorithm to detect anomalies Integrate policy language in trust management Deployment of RCP in operational networks Deploy online algorithm; create distributed Deploy in trust management system RCP Prototype Anomaly Detection Routing Policy Evaluate incentive compatibility Quantify gains of a partial deployment Investigate new secure inter-AS protocols Secure Routing

12 Anticipated Deliverables Software –RCP prototype built on XORP –Anomaly detection algorithms –Routing-policy management Deployment platform –Integration of RCP in PlanetLab –Supported testbed in the Abilene backbone Analysis –Fundamental limits of anomaly detection –Security benefits of incremental deployment –Incentives for groups of ASes to cooperate

13 Technology Transition Plan Proof-of-concept on PlanetLab/Abilene –Open-source prototype based on XORP –Open interfaces for others to build applications –Large scale deployment as part of PlanetLab AT&T prototype –RCP prototype already built and tested –Evaluation of new RCP applications –Possible deployment in the AT&T backbone Other possibilities –Identifying partners for commercial development

14 Potential Impact: Secure Interdomain Routing Breaking the “flag day” stalemate –Viable approach to incremental deployment –Backwards compatible with the legacy routers –Incentive compatible with goals of each AS Immediate benefits to participating ASes –Avoiding anomalous and suspicious routes –Secure routing with participating neighbors Tipping point leads to ubiquitous deployment –Increasing incentives for ASes to participate –Ultimately, full deployment of secure protocol Insights for other protocols (such as DNSSEC)

15 DESCRIPTION / OBJECTIVES / METHODS Routing Control Platform (RCP) Selects routes on behalf of routers Possible today on high-end PC Incrementally-deployable security Speak BGP to the legacy routers Detect and avoid suspicious routes Update RCPs to use secure protocol DHS/Cyber Security IMPACT Internet routing system is vulnerable Core communication infrastructure Very vulnerable to cyber attacks Hard to have “flag day” for upgrades Phased deployment of secure routing Network manager deploys locally Participating domains detect attacks Neighbor domains upgrade protocol Cyber Security R&D Incrementally Deployable Security for Interdomain Routing Network A BGP RCP Network B Secure routing protocol BUDGET & SCHEDULE TASK FY05FY06FY07 RCP prototype Anomaly detection Policy manager Secure routing Total cost