Post on 31-Dec-2015
Security Analysis of BGP
Anupam Garg
Dungjade Shiowattana
Introduction to BGP
BGP – Border Gateway Protocol
Protocol for inter and intra domain routing among Autonomous Systems (AS's).
How it works
• Neighboring peers advertise their routing information
• The AS decides on the best route among the information it gets
• It then advertises its best route to its neighbors
Vulnerabilities in BGP
No mechanism to verify the authenticity and integrity of advertised routes
Routers can send incorrect information to their peers (either intentionally or by misconfiguration)
Blackhole effect: 1997 – A router misconfiguration advertised short routes to every IP address, disconnecting a significant portion of the Internet
Altering traffic flows
Eavesdropping or tampering with Internet traffic
DoS attacks
Threat Model
Routers can advertise invalid routes (either intentionally or by misconfiguration)
An invalid route is a route that does not exist in the Internet topology
Related Work
Two main approaches
Assuming a Public Key Infrastructure
• High overhead
• High security
Not assuming a Public Key Infrastructure
• More efficient
• Less secure
Whisper Protocol
The recipient V verifies that two paths are consistent; if not, it raises an alarm.
[Figure: origin P, holding a secret z, sends g^(zP) along two paths. Path P → A → B → C → V: g^(zPA), g^(zPAB), s2 = g^(zPABC). Path P → X → Y → V: g^(zPX), s1 = g^(zPXY). V verifies s1^(ABC) = s2^(XY).]
z : Secret
Secure BGP (S-BGP)
Assumes a Public Key Infrastructure
Communication over IPsec
Uses digital signatures to assure the authenticity and integrity of routing information
Each router signs the proposed path together with the recipient AS
Signature stored in PATH ATTRIBUTE field of BGP's UPDATE packet
S-BGP
[Figure: UPDATE propagation AS 1 → AS 5 → AS 2 → AS 8]
AS 1 → AS 5: Path Attributes: AS path: 1; Attestations:
  RA: Signer: AS 1, Signature, Expiry: …, Target: AS 5
AS 5 → AS 2: Path Attributes: AS path: 5,1; Attestations:
  RA: Signer: AS 5, Signature, Expiry: …, Target: AS 2
  RA: Signer: AS 1, Signature, Expiry: …, Target: AS 5
AS 2 → AS 8: Path Attributes: AS path: 2,5,1; Attestations:
  RA: Signer: AS 2, Signature, Expiry: …, Target: AS 8
  RA: Signer: AS 5, Signature, Expiry: …, Target: AS 2
RA = Route Attestation
Concerns about S-BGP
Replay attacks
Deployment issues
Signature computation and verification
Additional bandwidth & memory for signatures and certificates
Key distribution depends on correctness of BGP itself
Our Analysis
An unavoidable attack
Analysis of Whisper
Analysis of S-BGP
Proposed improvement for S-BGP
Unavoidable Attack
[Figure: source S and destination D with routers A, B, X, N, M. Labels: "Packet tunneling to X", "Packet tunneling to B". Actual path vs. advertised path.]
Unavoidable Attack
Due to the nature of BGP, any protocol built on BGP allows 3 colluding routers to propose a direct link between 2 of them
This cannot be detected even if all other nodes cooperate.
If only A and B collude, S cooperating with N can detect this (A claims a direct link to B, but sends traffic to B through N)
It cannot create a black hole effect
Analysis of the Whisper Protocol
Needs a dense network
• A large number of nodes in the current Internet have few connections
Cannot determine the point of error
Two colluding routers
• can advertise any path between themselves
• may successfully advertise a forged path to any node
Analysis of the Whisper Protocol
[Figure: V receives advertisements for P over two paths. Honest path P → W → Y → V carries g^(zP), g^(zPW), g^(zPWY). On the path P → M → N → B → A → V, the colluding routers B and A use their own secret x: B forwards g^(xPMNB) in place of g^(zPMN), and A advertises g^(xPA) to V as if directly connected to P. Whisper verifies (g^(xPA))^(MNB) = (g^(xPMNB))^A, which holds. Actual path vs. advertised path.]
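The consistency check from the Whisper slide and the two-router collusion from this analysis slide, written out as an added example (not from the deck). It assumes a constructed group Z_p^* with p = 2^127 - 1 and g = 3, and made-up AS numbers and secrets; AS numbers are used as the per-hop exponents, as in the slides.

```python
from math import prod

# Constructed parameters: Z_p^* with p = 2^127 - 1 (a Mersenne prime) and g = 3.
P_MOD = 2**127 - 1
G = 3

def advertise(secret, origin_as, hops):
    """Origin sends g^(z*P); every hop raises what it receives to its own AS number."""
    token = pow(G, secret * origin_as, P_MOD)
    for asn in hops:
        token = pow(token, asn, P_MOD)
    return token

def consistent(s1, hops1, s2, hops2):
    """V's check from the slide: s1^(product of the other path's hops) == s2^(likewise)."""
    return pow(s1, prod(hops2), P_MOD) == pow(s2, prod(hops1), P_MOD)

def demo():
    P = 100                 # origin AS; z is its secret (constructed values)
    z = 123456789
    # Honest paths P->X->Y->V and P->A->B->C->V (Whisper slide).
    s1 = advertise(z, P, [21, 22])
    s2 = advertise(z, P, [11, 12, 13])
    # A lone forger F that never received g^(zP) has to guess the secret.
    forged = advertise(555, P, [31])
    # Colluding A and B (analysis slide): they share their own secret x. B forwards
    # g^(xPMNB) instead of g^(zPMN) and A advertises g^(xPA) as if adjacent to P.
    x = 987654321
    sB = advertise(x, P, [41, 42, 12])   # hops M, N, B
    sA = advertise(x, P, [11])           # hop A
    sW = advertise(z, P, [51, 52])       # honest path through W, Y
    return {
        "honest_pair": consistent(s1, [21, 22], s2, [11, 12, 13]),       # True
        "lone_forger": consistent(s1, [21, 22], forged, [31]),            # False
        "colluders_agree": consistent(sA, [11], sB, [41, 42, 12]),        # True
        "colluder_vs_honest": consistent(sA, [11], sW, [51, 52]),         # False
    }
```

The last two results are the slide's point: the colluders' two paths pass the check against each other, and when V finds them inconsistent with the honest W, Y path it has no way to tell which side is lying.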
Analysis of S-BGP
Two nodes can forge a direct link between them
[Figure: nodes P, B, N, X, A, V. P1: packet signed by B with N as next node in the path (actual path). P2: packet signed by B with A as next node in the path (advertised path).]
Analysis of S-BGP
Replay attacks
• Cannot replay expired packets
• Must compromise IPsec session or the router
Expiring date
• When a signature expires the router needs to resend the advertisement
• Routing information of the whole network has to be refreshed in a certain time period
• S-BGP allows the expiration date to be determined locally
  • Many routers refreshing the same day will cause a flood of UPDATE messages
  • Otherwise, many routes will be refreshed frequently (i.e. every time a router along the route refreshes)
Analysis of S-BGP
Withdraw messages
Withdraw messages are not verified
Authenticity of sender relies on IPsec
A compromised IPsec session or bad implementation (not verifying the sender against the route to be withdrawn) could allow an adversary to withdraw routes he is not authorized to withdraw
Analysis of S-BGP
Interoperation with BGP
In the transition phase BGP packets will be sent encrypted (between S-BGP routers) and in the clear (to non S-BGP routers)
This gives a large amount of known plaintext
Could compromise security of IPsec
Proposed Improvement to S-BGP
Threshold security
Threshold k
Upon receiving an UPDATE packet
• Verify the (at most k) signatures
• Keep at most the k-1 latest signatures
• Append own signature
• Send UPDATE to neighbor
Same security guarantees as S-BGP as long as the number of colluding adversaries is less than k
Proposed Improvement to S-BGP
Advantages
Needs to verify at most k signatures
• Reduces the overhead and memory requirement for signature verification
Needs certificates of nodes at most k hops away
• Reduces workload of PKI
• Reduces memory for storing certificates
Update message contains at most k signatures
• Less amount of bandwidth required
• Less amount of memory required to store signatures
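The route-attestation chain from the S-BGP slide (AS 1 → AS 5 → AS 2 → AS 8) together with the threshold-k truncation proposed above, as an added example that is not part of the deck. The AS numbers, keys and times are constructed; an HMAC keyed per AS stands in for S-BGP's PKI-backed public-key signature so the block runs with the standard library alone.

```python
import hashlib, hmac, json

# Constructed per-AS keys. In S-BGP the verifier fetches the signer's certificate
# from the PKI and checks a public-key signature; the per-AS HMAC key stands in for that.
AS_KEYS = {1: b"key-as1", 5: b"key-as5", 2: b"key-as2"}

def _mac(signer, body):
    return hmac.new(AS_KEYS[signer], json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def sign_ra(signer, path, target, expiry):
    """Route Attestation: `signer` vouches for offering `path` to `target` until `expiry`."""
    body = {"signer": signer, "path": path, "target": target, "expiry": expiry}
    return {**body, "sig": _mac(signer, body)}

def ra_valid(ra, now):
    body = {key: val for key, val in ra.items() if key != "sig"}
    return hmac.compare_digest(_mac(ra["signer"], body), ra["sig"]) and ra["expiry"] > now

def verify_update(update, receiver, now, k=None):
    """as_path and attestations are newest-first. Full S-BGP (k=None): every hop needs a
    valid RA. Threshold k: only the k most recent hops are checked, all a threshold router keeps."""
    path, ras = update["as_path"], update["attestations"]
    hops = path if k is None else path[:k]
    if len(ras) != len(hops):
        return False
    next_as = receiver
    for i, (asn, ra) in enumerate(zip(hops, ras)):
        # signer is this hop, target is the AS it handed the route to, signed path is the path at that hop
        if (ra["signer"] != asn or ra["target"] != next_as
                or ra["path"] != path[i:] or not ra_valid(ra, now)):
            return False
        next_as = asn
    return True

def forward_update(update, me, neighbor, expiry, k=None):
    """Prepend own AS and sign for `neighbor`; threshold k keeps only the k-1 latest RAs."""
    kept = update["attestations"] if k is None else update["attestations"][:k - 1]
    path = [me] + update["as_path"]
    return {"as_path": path, "attestations": [sign_ra(me, path, neighbor, expiry)] + kept}

def demo(now=1000, k=None):
    exp = now + 3600
    u1 = {"as_path": [1], "attestations": [sign_ra(1, [1], 5, exp)]}  # AS 1 originates, to AS 5
    u5 = forward_update(u1, 5, 2, exp, k)                             # AS 5 -> AS 2
    u2 = forward_update(u5, 2, 8, exp, k)                             # AS 2 -> AS 8
    # AS 2 alone tries to pass off [2, 5, 99]: it can sign its own RA but not AS 5's.
    forged = {"as_path": [2, 5, 99],
              "attestations": [sign_ra(2, [2, 5, 99], 8, exp)] + u5["attestations"][:1]}
    return {"genuine": verify_update(u2, 8, now, k), "replayed_to_as7": verify_update(u2, 7, now, k),
            "expired": verify_update(u2, 8, exp + 1, k), "forged_by_as2": verify_update(forged, 8, now, k),
            "sigs_carried": len(u2["attestations"])}
```

With k=None the UPDATE reaching AS 8 carries three attestations and every check passes only for the genuine update; with k=2 it carries two, the lone forger AS 2 is still caught because AS 5's attestation binds the path [5, 1], and only two colluders (k or more) could forge the chain.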
Conclusions
Whisper is weak
S-BGP is promising, but is heavyweight
Threshold security can reduce the overheads involved with S-BGP, making it more practical
Any Questions?