Presentation is loading. Please wait.

Presentation is loading. Please wait.

SIGCOMM 2012 (August 16, 2012) Private and Verifiable Interdomain Routing Decisions Mingchen Zhao * Wenchao Zhou * Alexander Gurney * Andreas Haeberlen.

Published byRoss Benson Modified over 8 years ago

Similar presentations

Presentation on theme: "SIGCOMM 2012 (August 16, 2012) Private and Verifiable Interdomain Routing Decisions Mingchen Zhao * Wenchao Zhou * Alexander Gurney * Andreas Haeberlen."— Presentation transcript:

1 SIGCOMM 2012 (August 16, 2012) Private and Verifiable Interdomain Routing Decisions Mingchen Zhao * Wenchao Zhou * Alexander Gurney * Andreas Haeberlen * Micah Sherr + Boon Thau Loo * * University of Pennsylvania + Georgetown University 1

2 SIGCOMM 2012 (August 16, 2012) Motivating Scenario 2 Charlie Doris Eliot Alice Bob 2 hop 3 hop 5 hop (2+1) hop I will always give you my shortest route to Google! ASes are making “promises” about their routing behavior Needed to implement various routing goals, e.g., meeting peer traffic ratios, avoiding use of expensive uplinks, … Neighbors may depend on these being implemented correctly

3 SIGCOMM 2012 (August 16, 2012) Problem: Detecting broken promises 3 Charlie Doris Eliot Alice Bob 2 hop 3 hop 5 hop (2+1) hop (3+1) hop How do I know whether Bob is keeping his promise? Goal: Verify whether the promise is kept

4 SIGCOMM 2012 (August 16, 2012) Can auditing help? 4 Charlie Doris Eliot Alice Bob 2 hop 3 hop 5 hop (3+1) hop Audit log 3 hop 5 hop 2 hop Is this enough? Example: NetReview (NSDI 2009)

5 SIGCOMM 2012 (August 16, 2012) Challenge: Privacy 5 Charlie Doris Eliot Alice Bob 2 hop 3 hop 5 hop (3+1) hop I do not want to reveal all my routes to Alice!

6 SIGCOMM 2012 (August 16, 2012) Security Can we have our cake and eat it too? 6 Privacy Security S-BGP, soBGP, psBGP, NetReview, …

7 SIGCOMM 2012 (August 16, 2012) Goals Security: If Bob breaks his promise, Alice will detect it. Privacy: Verification does not reveal more information than BGP. Evidence: If Bob breaks his promise, Alice can prove it. Accuracy: If Bob does not break his promise, nobody can prove he did. 7

8 SIGCOMM 2012 (August 16, 2012) Approach: Collaborative Verification 8 Alice Bob Charlie DorisEliot Idea: break the verification into small pieces Assign each piece to someone who can verify it with only local knowledge Successful verification of all pieces implies that the promise has been kept

9 SIGCOMM 2012 (August 16, 2012) Outline Motivation Goal: Verify promises about routing decisions Challenge: Privacy The SPIDeR system Evaluation Summary 9

10 SIGCOMM 2012 (August 16, 2012) Modeling promises 10 3 hop route 4 hop route 5 hop route Indifference Class 3 hop Asia Customer 3 hop Euro peer 3 hop Africa Provider 4 hop Africa Customer 5 hop Asia Provider 5 hop Euro Provider 4 hop Euro peer >>

11 SIGCOMM 2012 (August 16, 2012) Modeling promises 11 Customer route Peer route Provider route Indifference Class 3 hop Asia Customer 4 hop Africa Customer 5 hop Asia Provider 5 hop Euro Provider 4 hop Euro peer 3 hop Euro peer 3 hop Africa Provider >> Our study of 88 real AS policies shows that most of the popular promises can be modeled in this way.

12 SIGCOMM 2012 (August 16, 2012) Background: Merkle Hash Tree Merkle Tree 12 b1b1 b2b2 b3b3 b4b4 Hash b2b2 Proof that the second value is b 2 Reveals nothing about b 1, b 3, b 4 ! Path to the root Values Commitment

13 SIGCOMM 2012 (August 16, 2012) Charlie Doris Eliot Alice Bob SPIDeR: single prefix case 1 2 3 4 5 6 Bit k set to 1: "I have a route that is at most k hops long" 1 11 1 1 Bit 3 is set! Bob acknowledges the 3-hop route! a) No bit below 2 is set; this is the shortest route! b) All bits above 2 are set; Bob didn't lie to the others! Merkle hash tree 0 13 2 hop 3 hop 5 hop (2+1) hop

14 SIGCOMM 2012 (August 16, 2012) Charlie Doris Eliot Alice Bob SPIDeR: single prefix case 1 2 3 4 5 6 Bit k set to 1: "I have a route that is at most k hops long" 1 11 1 1 Merkle hash tree 0 14 2 hop 3 hop 5 hop (3+1) hop Bit 2 is set; there is a better route. If Bob picks the correct route, no neighbor learns anything new! If Bob picks the wrong route, at least one neighbor can detect it!

15 SIGCOMM 2012 (August 16, 2012) Making SPIDeR practical So far: We can verify promises about a single prefix and a single decision We have a protocol It meets all four goals We proved the correctness (in a TR) Guarantees hold even if an AS is malicious Practical issues, temporal privacy, loose synchronization, logging system, withdrawals, incremental deployment Loose synchronization, Logging sys 15 Multiple prefixes

16 SIGCOMM 2012 (August 16, 2012) Multi-Prefix: Additional Challenges 16

17 SIGCOMM 2012 (August 16, 2012) Modified Ternary Tree 0 E 0 0 0 1 1 1 1 E E E 0 0 1 1 E E 17 Efficiency: run one instance to verify all the prefixes Privacy: verifiers cannot learn anything about other prefixes.

18 SIGCOMM 2012 (August 16, 2012) Outline Motivation The SPIDeR system Single prefix Practical Challenges Evaluation Functionality check Microbenchmarks Overhead Summary 18

19 SIGCOMM 2012 (August 16, 2012) Evaluation: Microbenchmarks An important metric is how fast we can make hash trees. How quickly can we capture transient routing configuration problems? Experiment: generate a tree for a full BGP routing table on Dell PowerEdge 860. Result: 17.4s (with three cores) Scales almost linearly with the number of cores 19

20 SIGCOMM 2012 (August 16, 2012) Evaluation: Experimental Overhead Small AS topology with Quagga routers Injected a RouteViews trace AS 5’s SPIDeR ran on a single machine 20 Data Collected

21 SIGCOMM 2012 (August 16, 2012) Evaluation: Overhead Computation 2.4 GHz core: 81.3% utilized Commodity workstation is sufficient Bandwidth Signatures etc.: 20.8kbps Verifying 1% of commitments per minute: 3.0Mbps On the order of a single DSL upstream link Storage Keeping 1 year’s worth of logs: 145.7GB Fits on a commodity hard drive 21 A small AS could run SPIDeR on a single machine

22 SIGCOMM 2012 (August 16, 2012) Summary Goal: Verify promises about interdomain routing decisions Problem: Offer both security and privacy Solution: Collaborative verification Implemented in the SPIDeR system Provable security and privacy guarantees Efficient enough to run on a single commodity workstation 22 More information: http://snp.cis.upenn.edu/

Download ppt "SIGCOMM 2012 (August 16, 2012) Private and Verifiable Interdomain Routing Decisions Mingchen Zhao * Wenchao Zhou * Alexander Gurney * Andreas Haeberlen."

Similar presentations

Path Splicing with Network Slicing

Path Splicing with Network Slicing
COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
Diagnosing Missing Events in Distributed Systems with Negative Provenance Yang Wu* Mingchen Zhao* Andreas Haeberlen* Wenchao Zhou + Boon Thau Loo* * University.

Diagnosing Missing Events in Distributed Systems with Negative Provenance Yang Wu* Mingchen Zhao* Andreas Haeberlen* Wenchao Zhou + Boon Thau Loo* * University.
Secure Network Provenance Wenchao Zhou *, Qiong Fei*, Arjun Narayan*, Andreas Haeberlen*, Boon Thau Loo*, Micah Sherr + * University of Pennsylvania +

Secure Network Provenance Wenchao Zhou *, Qiong Fei*, Arjun Narayan*, Andreas Haeberlen*, Boon Thau Loo*, Micah Sherr + * University of Pennsylvania +
LADIS workshop (Oct 11, 2009) A Case for the Accountable Cloud Andreas Haeberlen MPI-SWS.

LADIS workshop (Oct 11, 2009) A Case for the Accountable Cloud Andreas Haeberlen MPI-SWS.
Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.

Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.
Network Layer: Internet-Wide Routing & BGP Dina Katabi & Sam Madden.

Network Layer: Internet-Wide Routing & BGP Dina Katabi & Sam Madden.
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.

Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
Consensus Routing: The Internet as a Distributed System 2009. 2. 26 John P. John, Ethan Katz-Bassett, Arvind Krishnamurthy, and Thomas Anderson Presented.

Consensus Routing: The Internet as a Distributed System John P. John, Ethan Katz-Bassett, Arvind Krishnamurthy, and Thomas Anderson Presented.
A. Haeberlen Having your Cake and Eating it too: Routing Security with Privacy Protections 1 HotNets-X (November 15, 2011) Alexander Gurney * Andreas Haeberlen.

A. Haeberlen Having your Cake and Eating it too: Routing Security with Privacy Protections 1 HotNets-X (November 15, 2011) Alexander Gurney * Andreas Haeberlen.
The Structure of Networks with emphasis on information and social networks T-214-SINE Summer 2011 Chapter 8 Ýmir Vigfússon.

The Structure of Networks with emphasis on information and social networks T-214-SINE Summer 2011 Chapter 8 Ýmir Vigfússon.
BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011.

BGP Safety with Spurious Updates Martin Suchara in collaboration with: Alex Fabrikant and Jennifer Rexford IEEE INFOCOM April 14, 2011.
1 Path Splicing Author: Murtaza Motiwala, Megan Elmore, Nick Feamster and Santosh Vempala Publisher: SIGCOMM’08 Presenter: Hsin-Mao Chen Date:2009/12/09.

1 Path Splicing Author: Murtaza Motiwala, Megan Elmore, Nick Feamster and Santosh Vempala Publisher: SIGCOMM’08 Presenter: Hsin-Mao Chen Date:2009/12/09.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background – Detection of Invalid Routing Announcement in the Internet –Open Discussions Thursday.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
Criticisms of I3 Zhichun Li. General Issues Functionality Security Performance Practicality If not significant better than existing schemes, why bother?

Criticisms of I3 Zhichun Li. General Issues Functionality Security Performance Practicality If not significant better than existing schemes, why bother?
Shadow Configurations: A Network Management Primitive Richard Alimi, Ye Wang, Y. Richard Yang Laboratory of Networked Systems Yale University.

Shadow Configurations: A Network Management Primitive Richard Alimi, Ye Wang, Y. Richard Yang Laboratory of Networked Systems Yale University.
NSDI (April 24, 2009) © 2009 Andreas Haeberlen, MPI-SWS 1 NetReview: Detecting when interdomain routing goes wrong Andreas Haeberlen MPI-SWS / Rice Ioannis.

NSDI (April 24, 2009) © 2009 Andreas Haeberlen, MPI-SWS 1 NetReview: Detecting when interdomain routing goes wrong Andreas Haeberlen MPI-SWS / Rice Ioannis.
Privacy-Preserving Cross-Domain Network Reachability Quantification

Privacy-Preserving Cross-Domain Network Reachability Quantification
SAVE: Source Address Validity Enforcement Protocol Jun Li, Jelena Mirković, Mengqiu Wang, Peter Reiher and Lixia Zhang UCLA Computer Science Dept 10/04/2001.

SAVE: Source Address Validity Enforcement Protocol Jun Li, Jelena Mirković, Mengqiu Wang, Peter Reiher and Lixia Zhang UCLA Computer Science Dept 10/04/2001.
Inherently Safe Backup Routing with BGP Lixin Gao (U. Mass Amherst) Timothy Griffin (AT&T Research) Jennifer Rexford (AT&T Research)

Inherently Safe Backup Routing with BGP Lixin Gao (U. Mass Amherst) Timothy Griffin (AT&T Research) Jennifer Rexford (AT&T Research)

Similar presentations

Ads by Google