1. Incrementally Deployable Security for Interdomain Routing (TTA-4, Type-I) Jennifer Rexford, Princeton University Joan Feigenbaum, Yale University January 23, 2006

2. 2 Problem: Insecure Internet Infrastructure Border Gateway Protocol is important –BGP is the glue that holds the Internet together BGP is extremely vulnerable –Easy to inject false information –Easy to trigger routing instability Vulnerabilities are being exploited –Configuration errors and malicious attacks –Route hijacking, blackholes, denial-of-service, … Changing to a secure protocol is hard –Can’t have a flag day to reboot the Internet

3. 3 Example: Route Hijacking 1 2 3 4 5 6 7 12.34.0.0/16 Consequences for the data traffic –Discarded: denial of service –Snooped: violating the user’s privacy –Redirected: identity theft, propagating false info, etc.

4. 4 Solution: Incremental Deployability Backwards compatibility –Work with existing routers and protocols Incentive compatibility –Offer significant benefits, even to the first adopter AS 3 AS 2 AS 1 BGP Inter-AS Protocol RCP Routing Control Platform tells routers how to forward traffic Use BGP to communicate with the legacy routers Use RCP to simplify management and enable new servicesUse RCP to detect (and avoid) suspicious routes Other ASes can deploy an RCP independently ASes with RCPs can cooperate to detect suspicious routes ASes can upgrade to secure interdomain routing protocol … all while still using BGP to control the legacy routers Distributed detection

5. 5 Problem #1: BGP Anomaly Detection Avoid using suspicious/unstable routes –Data-streaming algorithms for anomaly detection –Single AS, and then distributed collection of ASes –Evaluation on data from AT&T and RouteViews AS 3 AS 2 AS 1 RCP share diagnostic information

6. 6 Anomaly Detection: Accomplishments Wavelet analysis to detect BGP anomalies –Detect anomalies in the temporal dynamics of updates –Anomalous patterns for a prefix & across prefixes –Highlights a small # of deviations from the norm http://www.cs.princeton.edu/~jrex/papers/minenet05.pdf Distributed reputation system for ASes –ASes cooperate based on trust relationships –Similar to “friends” and “friends of friends” system –Distributed validation of BGP routing information http://www.cs.princeton.edu/~jrex/papers/npsec05.pdf Algorithm that prevents prefix highjacking –Detect AS that does not normally originate a prefix –Distrust new information until you can validate it –Select other “normal” routes instead for period of time http://www.cs.princeton.edu/~jrex/papers/pgbgp.pdf

7. 7 Problem #2: Networks for RCP Deployment Creating a Virtual Network Infrastructure (VINI) –National Lambda Rail (NLR) Servers shipping to six sites in the next few months Connections to layer-2 network and BGP peering with routers –Abilene Internet2 backbone PlanetLab servers in eleven sites Gbps share of each link and upstream to exchange points VINI software already running on the Abilene nodes –Routing and forwarding: XORP & Click running on servers –Connecting to real users: OpenVPN, NAT, and PlanetLab Draft paper in preparation for submission in February 2006

8. 8 Problem #3: Routing Policy Management Centralize policy management in the RCP –Policies for filtering, selecting, & exporting routes –Build on a trust-management system –Accomplishments: survey of ISP routing policies Biz relationships, traffic engineering, security, scalability http://www.cs.princeton.edu/~jrex/papers/policies.pdf AS 1 RCP Filter: discard routes for small subnets; discard suspicious routes Select: prefer routes learned from customers; prefer closer egress points; prefer stable routes Export: do not export peer-learned routes to other peers; do not export infrastructure addresses

9. 9 Project Milestones: Three-Year Timeline RCP prototype, and API to data- analysis engine Offline algorithms and upper bounds Identify today’s policies and select notation RCP with API to trust-management system Online analysis algorithm to detect anomalies Integrate policy language in trust management Deployment of RCP in operational networks Deploy online algorithm; create distributed Deploy in trust management system RCP Prototype Anomaly Detection Routing Policy Evaluate incentive compatibility Quantify gains of a partial deployment Investigate new secure inter-AS protocols Secure Routing Focus thus far

10. 10 Anticipated Deliverables and Tech Transfer Publicly available software –RCP prototype built on XORP and/or Quagga –Anomaly detection algorithms –Routing-policy management Deployment platform and technology demonstration –RCP deployment and evaluation in AT&T –Integration of RCP in VINI on NLR and Abilene –Supported VINI testbed in NLR and Abilene Analysis –Fundamental limits of anomaly detection –Security benefits of incremental deployment –Incentives for groups of ASes to cooperate Discussions with vendors (Cisco, Lucent)

11. 11 Publication Activity: Past Six Months Anomaly detection –“Learning-based anomaly detection in BGP updates" (SIGCOMM MineNet Workshop, Aug 05) –“A distributed reputation approach to cooperative Internet routing protection” (Workshop on Secure Network Protocols, Nov 05) –"Pretty Good BGP: Protecting BGP by cautiously selecting routes" (in submission) Routing policies –“BGP policies in ISP networks” (IEEE Network, Nov/Dec 05) Incentive analysis –“Incentive-compatible interdomain routing” (in submission)

12. 12 Publication Activity: Next Six Months In active preparation –“In VINI veritas: Realistic and controlled experimentation with new network architectures” (Feb 06) –“Using Forgetful Routing to control BGP-Table size” (Feb 06) –“Multi-path interdomain routing for flexible policy control” (Feb 06) –“A survey of BGP security issues and solutions” (Mar/Apr 06) Plans for the mid-to-late spring –Extended version of the wavelet-analysis paper –Evaluation of the RCP prototype running in VINI –API to streaming algorithms for anomaly detection –Active probing to test the validity of interdomain paths

13. 13 Potential Impact: Secure Interdomain Routing Breaking the “flag day” stalemate –Viable approach to incremental deployment –Backwards compatible with the legacy routers –Incentive compatible with goals of each AS Immediate benefits to participating ASes –Avoiding anomalous and suspicious routes –Secure routing with participating neighbors Tipping point leads to ubiquitous deployment –Increasing incentives for ASes to participate –Ultimately, full deployment of secure protocol Insights for other protocols (such as DNSSEC)

14. 14 DESCRIPTION / OBJECTIVES / METHODS Routing Control Platform (RCP) Selects routes on behalf of routers Possible today on high-end PC Incrementally-deployable security Speak BGP to the legacy routers Detect and avoid suspicious routes Update RCPs to use secure protocol DHS/Cyber Security IMPACT Internet routing system is vulnerable Core communication infrastructure Very vulnerable to cyber attacks Hard to have “flag day” for upgrades Phased deployment of secure routing Network manager deploys locally Participating domains detect attacks Neighbor domains upgrade protocol Cyber Security R&D Incrementally Deployable Security for Interdomain Routing Network A BGP RCP Network B Secure routing protocol BUDGET & SCHEDULE TASK FY05FY06FY07 RCP prototype Anomaly detection Policy manager Secure routing Total cost