Security implications of source-controlled routes
Xiaowei Yang, UC Irvine
NSF FIND PI meeting, June

Source-controlled routing is controversial
- Secure routing depends on source routes
- Security is the #1 reason to disable source routes
- Why we can reconcile these two
[figure: topology with ISP1, ISP2, ISP3, ISP4]

Byzantine-tolerant routing [Perlman88] [Wendlandt06]
- A discriminatory/nosy ISP, a hostile country
[figure: topology with ISP1, ISP2, ISP3]

Accountable routing
- Accountability is key to innovation [Laskowski06]
- User knows the path responsible for the performance [Goldberg07]
[figure: topology with ISP1, ISP2, ISP3, ISP4]

Symmetric return path
- DDoS defense
  - Network capabilities [Yang05]
  - Private path-based addressing [Handley04]
- Accountability
[figure: topology with ISP1, ISP2, ISP3, ISP4; a token carried on the return path]
Source routing breaks address-based authentication
- Source routing in IPv4 is largely disabled
- Without source routing, packets will not return to spoofed addresses
[figure: attacker sending packets with a spoofed source, attackerIP]

Bandwidth amplification attack
- IPv6 makes it worse: allows 44 intermediate nodes [Biondi07] (CanSecWest 2007)
[figure: a packet bouncing between R1 and R2 repeatedly (R1, R2, R1, R2, ...); source: [Biondi07]]

Increased power to DDoS
- Targeted link flooding
- Multi-path flooding
[figure: topology with ISP1, ISP2, ISP3]

Forced path oscillation
[figure: topology with ISP1, ISP2, ISP3, ISP4]

Interfere with ISP policies
- Make your ISP go broke
[figure: topology with ISP1, ISP2, ISP3, ISP4; an expensive ($$$) path chosen by the source versus a cheap ($) path preferred by the ISP]

Slow down the routers

Can we make source-controlled routes innocuous?

Main causes of the security issues: control and exposure
[figure: spectrum of how much path control a source has, from least to most]
- No control
- Deflect without knowing the paths
- Choose paths knowing entities on the paths: source-controlled routing, with a set of design goals (security, accountability, economic incentives, overhead) and a variety of mechanisms
- Explicitly list the routers: the source routing option in IPv4 or the routing header in IPv6, with amplified security issues and a lack of mechanisms

Bandwidth amplification attacks
- Select paths, not arbitrary waypoints
[figure: Path 1, Path 2, Path 3 offered to the source instead of arbitrary waypoints; source: [Biondi07]]
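As an added illustration of the two slides above (not code from the talk), here is a defender-side border check in Python for the IPv6 routing-header case: it parses a Routing Header type 0, drops packets that revisit a router (the R1, R2, R1, R2 ping-pong pattern behind the amplification) or list more waypoints than local policy allows, and so enforces "select paths, not arbitrary waypoints". It assumes the routing header immediately follows the fixed IPv6 header, `max_waypoints` is an assumed policy value, and the sample packets are constructed in the block only to exercise the filter.

```python
import ipaddress
import struct

IPV6_HDR_LEN = 40
NH_ROUTING = 43   # IPv6 Routing extension header
NH_ICMPV6 = 58

def build_rh0_packet(src, dst, waypoints):
    """Construct a minimal IPv6 packet whose first extension header is an RH0
    listing `waypoints`; used only as constructed sample input for the filter."""
    addrs = b"".join(ipaddress.IPv6Address(a).packed for a in waypoints)
    # RH0: next header, ext len (8-octet units after the first 8; 2 per address),
    # routing type 0, segments left, 4 reserved bytes, then the address list
    rh = struct.pack("!BBBB4x", NH_ICMPV6, 2 * len(waypoints), 0, len(waypoints)) + addrs
    fixed = struct.pack("!IHBB", 0x60000000, len(rh), NH_ROUTING, 64)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + rh

def parse_routing_header(packet):
    """Return (routing_type, segments_left, addresses) when a routing header
    directly follows the fixed header, else None. Routing headers placed after
    other extension headers are out of scope for this example."""
    if len(packet) < IPV6_HDR_LEN + 8 or packet[0] >> 4 != 6 or packet[6] != NH_ROUTING:
        return None
    _nh, ext_len, rtype, seg_left = struct.unpack_from("!BBBB", packet, IPV6_HDR_LEN)
    body = packet[IPV6_HDR_LEN + 8:IPV6_HDR_LEN + 8 + ext_len * 8]
    addrs = [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(0, len(body) - 15, 16)]
    return rtype, seg_left, addrs

def classify(packet, max_waypoints=2):
    """Border-filter verdict for one packet: drop RH0 packets that revisit a
    router (the ping-pong amplification pattern) or carry more waypoints than
    policy allows. `max_waypoints` is an assumed, locally chosen policy value."""
    rh = parse_routing_header(packet)
    if rh is None:
        return "no-routing-header"
    rtype, seg_left, addrs = rh
    if rtype != 0:
        return "non-rh0-routing-header"   # e.g. type 2 (Mobile IPv6), not covered here
    if len(set(addrs)) < len(addrs):
        return "drop:rh0-loop"             # same router listed twice
    if seg_left > max_waypoints or len(addrs) > max_waypoints:
        return "drop:rh0-too-many-waypoints"
    return "accept:rh0"
```

A real deployment would walk the full extension-header chain before reaching the routing header; the check on repeated addresses is the part that captures the slide's attack pattern.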
Interfere with ISP policies
- Provide policy-allowed paths
- Pricing
- Inter-domain choices
[figure: topology with ISP1, ISP2, ISP3, ISP4; Path 1: $$$, Path 2: $]

Source routing breaks address-based authentication
- Light-weight network-layer authentication
- Unspoofable source identifiers [Liu06]
[figure: spoofed source attackerIP rejected]

Increased power to DDoS
- A DoS-defense system that cuts off attack traffic at its source
[figure: topology with ISP1, ISP2, ISP3]

Forced path oscillation
- Stable path selection protocol
  - Do not switch all at once
  - Use multiple paths [He06]
- Admission control and resource reservation
[figure: topology with ISP1, ISP2, ISP3, ISP4]

Slow down routers
- Fix the routers
- Do not let the present hardware implementation limit future innovations
- Encapsulation/decapsulation at line speed

Conclusion
- The desirable goals: Byzantine-tolerant, accountability, availability, economic incentives, overhead, QoS, manageability...
- The right balance of control and exposure
[figure: spectrum of source control, from least to most]
- No control
- Deflect without knowing the paths
- Choose paths knowing entities on the paths (source-controlled routing)
- Explicitly list the routers (source routing option in IPv4 or routing header in IPv6)