Internet Routing Security: Past, Current, and Future
S. Felix Wu, Computer Science Department, University of California, Davis
wu@cs.ucdavis.edu, http://www.cs.ucdavis.edu/~wu/
11/23/2006 France Telecom 2
Outline
• Routing security
• Secure Routing
Internet (1969 ~ )
• Basic datagram service between one IP address and another
• The End2End Principle
[Figure: end-to-end datagram path between hosts A and B; IPsec Tunneling, MobileIP…]
Internet (1969 ~ )
• Basic datagram service between one IP address and another
• Routing is quite straightforward!
Internet (1969 ~ )
• Basic datagram service between one IP address and another
• Routing: exchanging the information regarding the address space and how to reach them.
  – Routing versus Forwarding
Internet (1969 ~ )
• Basic datagram service between one IP address and another
• Routing: exchanging the information regarding the address space and how to reach them.
• Applications built on top of the services
  – QoS over the Internet, still a challenge
Internet Infrastructure
• It enables many cool applications.
  – Email, Web+, IM, Skype, Google, Bittorrent, Infospace, LinkedIn, ...
• We are connected, at least in the “IP address” sense!!
• Who is the “hero” to make all these possible?
“BGP”
• Border Gateway Protocol
  – the inter-domain routing protocol for the Internet
“BGP”
• Autonomous System (AS):
  – A set of routers owned by one single administrative domain
• Address Prefix:
• Example:
  – AS6192 consists of routers in UC Davis
  – UC Davis owns 169.237/16
[Figure: UCDavis, 169.237/16, AS6192]
“BGP”
• How would I let the whole world know about 169.237/16?
  – I announce that I own 169.237/16
• More importantly, how would anybody else in the Internet know how to send (or route, forward) an IP packet to 169.237/16?
  – Others would know how to send packets to 169.237/16
[Figure: UCDavis, 169.237/16, AS6192]
Peering ASes
[Figure: peering chain AS6192 (UCDavis, 169.237/16) – AS11423 (UC) – AS11537 (CENIC) – AS513]
Peering is a local/decentralized trust based on a business contract!
AS6192
[Figure: peering chain AS6192 (UCDavis, 169.237/16) – AS11423 (UC) – AS11537 (CENIC) – AS513]
an AS Path: 169.237/16 6192
AS6192 AS11423
[Figure: peering chain AS6192 (UCDavis, 169.237/16) – AS11423 (UC) – AS11537 (CENIC) – AS513]
an AS Path: 169.237/16 11423 6192
AS11423 AS11537
[Figure: peering chain AS6192 (UCDavis, 169.237/16) – AS11423 (UC) – AS11537 (CENIC) – AS513]
an AS Path: 169.237/16 11537 11423 6192
AS11537 AS513
[Figure: peering chain AS6192 (UCDavis, 169.237/16) – AS11423 (UC) – AS11537 (CENIC) – AS513]
an AS Path: 169.237/16 513 11537 11423 6192
Packet Forwarding
[Figure: packets forwarded back along the chain AS513 – AS11537 (CENIC) – AS11423 (UC) – AS6192 (UCDavis, 169.237/16)]
an AS Path: 169.237/16 513 11537 11423 6192
The Scale of the “Internet”
• 20464 Autonomous Systems
• 167138 IP Address Prefixes announced
• Every single prefix, and their “dynamics”, must be propagated to every single AS.
• Every single AS must maintain the routing table such that it knows how to route the traffic toward any one of the 167138 prefixes to the right destination.
• BGP is the protocol to support the exchange of routing information for ALL prefixes in ALL ASes.
The “Internet”
Semi-Good News
• Aggregation works (or worked)!
• An existing issue:
  – Multi-homing is countering the effort though.
• A new issue:
  – Routing on Flat-Labels (ROFL)
“Not so sure” news
• No hierarchy, no infrastructure, no tier-one service providers, no government censorship, no centralized managed DNS, no google, … and no nothing!!
• And, we expect the Internet to work much better than today:
  – 40 billion nodes/ASes
  – The whole Internet is a giant Sensor network
And, yet it needs to be scalable in every measure….
BGP Security Issues
Origin AS in an AS Path
• UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS
• AS Path: 513 11537 11423 6192
  – 12654 13129 6461 3356 11423 6192
  – 12654 9177 3320 209 11423 6192
  – 12654 4608 1221 4637 11423 6192
  – 12654 777 2497 209 11423 6192
  – 12654 3549 3356 11423 6192
  – 12654 3257 3356 11423 6192
  – 12654 1103 11537 11423 6192
  – 12654 3333 3356 11423 6192
  – 12654 7018 209 11423 6192
  – 12654 2914 209 11423 6192
  – 12654 3549 209 11423 6192
[Figure: AS-level graph from AS12654 to origin AS6192 through AS11423, with intermediate ASes 209, 11537, 3356, 4637, 2914, 7018, 3549, 3333]
Trust in BGP Updates
[Figure: UCDavis 169.237/16 as seen at AS513]
an AS Path: 169.237/16 513 11537 11423 6192
A BGP Update message consists of a sequence of local trust relations. But how is the global trust formed?
Security of BGP
• Authentication/validation of BGP update messages
AS513
an AS Path: 169.237/16 513 11537 11423 6192
How to validate? What to trust?
Trust Model in BGP??
AS513
an AS Path: 169.237/16 513 11537 11423 6192
Remember…
• Internet, based on the E2E argument, has to be simple…
• BGP has to be simple.
• Security & trust has to be simple.
• And, our minds have to be simple…
Trust Model in BGP
• Naïve/unconditional trust
AS513
an AS Path: 169.237/16 513 11537 11423 6192
The bad news is…
• The Internet community (e.g., IETF, Cisco, AT&T, and their similar) won’t fix the Internet until it breaks
And, the real good news is…
• The Internet community (e.g., IETF, Cisco, AT&T, and their similar) won’t fix the Internet until it breaks
• Internet will break!!
  – It has broken a few times GLOBALLY!!
“BGP”
• How would I let the whole world know about 169.237/16?
  – I announce that I own 169.237/16
  – Prefix hijacking
• More importantly, how would anybody else in the Internet know how to send (or route, forward) an IP packet to 169.237/16?
  – Others would know how to send packets to 169.237/16
[Figure: UCDavis, 169.237/16, AS6192]
Origin AS Changes (OASC)
• Ownership: UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS
• Current
  – AS Path: 2914 209 11423 6192
  – for prefix: 169.237/16
• New
  – AS Path: 2914 3011 273 81
  – even worse: 169.237.6/24
• Which route path to use?
• Legitimate or Abnormal??
[Figure: from AS12654, 169.237/16 is reached via 2914 209 11423 6192 while 169.237.6/24 is reached via 2914 3011 273 81]
Let’s extend it a little bit…
Internet Global Failures
• AS7007 falsely de-aggregates 65000+ network prefixes in 1997 and the east coast Internet was down for 12 hours.
[Figure: AS6192 – AS11423 (UC) – AS11537 (CENIC) – AS513; prefixes 169.237/16, 142.7.6/24, 204.5.68/24, … drawn into a Black Hole]
Active BGP Entries
Internet Global Failures
• How to fix it?
[Figure: AS6192 – AS11423 (UC) – AS11537 (CENIC) – AS513; prefixes 169.237/16, 142.7.6/24, 204.5.68/24, … drawn into a Black Hole]
New Prefix Rate-limiting
• For any given time window, a BGP peer can only introduce X new IP prefixes.
• But, tier-1 ISPs will not be rate-limited.
• It worked/works, but…
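The following Python is an added example, not code from the talk: it implements the per-peer new-prefix limit the slide describes as a sliding window, exempts a stand-in for a tier-1 peer, and replays a constructed de-aggregation burst next to a single more-specific announcement to show why the second one passes. All AS numbers, prefixes, timestamps and the limit value are constructed (private/documentation ranges), not taken from any real event.

```python
"""Sliding-window limit on *new* prefixes per BGP peer, and the case it cannot catch.

Added example for this slide deck, not the authors' or any vendor's implementation.
Every AS number, prefix, timestamp and threshold here is constructed for illustration.
"""
from collections import defaultdict, deque
import ipaddress


class NewPrefixRateLimiter:
    """Rejects announcements from a peer that introduces more than `limit` previously
    unseen prefixes within any `window_seconds` span. Exempt peers (the slide's
    tier-1 ISPs) are never limited."""

    def __init__(self, limit, window_seconds, exempt_peers=()):
        self.limit = limit
        self.window = window_seconds
        self.exempt = set(exempt_peers)
        self.seen = defaultdict(set)       # peer AS -> prefixes already accepted from it
        self.recent = defaultdict(deque)   # peer AS -> timestamps of its recent new prefixes

    def accept(self, peer_as, prefix, ts):
        """Return True if the announcement is accepted, False if it is rate-limited."""
        prefix = ipaddress.ip_network(prefix)
        if prefix in self.seen[peer_as]:
            return True                    # only *new* prefixes count toward the limit
        if peer_as in self.exempt:
            self.seen[peer_as].add(prefix)
            return True
        q = self.recent[peer_as]
        while q and ts - q[0] >= self.window:   # forget new-prefix events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        self.seen[peer_as].add(prefix)
        return True


def replay(limiter, updates):
    """Feed (timestamp, peer_as, prefix) tuples; return the announcements that were rejected."""
    return [(ts, peer, pfx) for ts, peer, pfx in updates if not limiter.accept(peer, pfx, ts)]


def deaggregation_burst(peer_as, start_ts, count):
    """Constructed stand-in for an AS7007-style event: one peer suddenly announces
    `count` /24s carved out of 10.0.0.0/8 (private space, used only as sample data)."""
    base = ipaddress.ip_network("10.0.0.0/8")
    return [(start_ts + i, peer_as, str(sub))
            for i, sub in zip(range(count), base.subnets(new_prefix=24))]


def demo():
    """Returns (rejected from a limited peer's burst, rejected from an exempt peer's burst,
    rejected for a lone more-specific announcement). ASNs 64512/65000/65001 are private."""
    limiter = NewPrefixRateLimiter(limit=100, window_seconds=600, exempt_peers={64512})
    burst_rejected = replay(limiter, deaggregation_burst(peer_as=65000, start_ts=0, count=300))
    tier1_rejected = replay(limiter, deaggregation_burst(peer_as=64512, start_ts=0, count=300))
    # One more-specific prefix from another peer is a single new prefix: far under the limit,
    # which is the slide's point that rate-limiting does not help against a specific hijack.
    lone_rejected = replay(limiter, [(5, 65001, "169.237.6.0/24")])
    return len(burst_rejected), len(tier1_rejected), len(lone_rejected)


if __name__ == "__main__":
    burst, tier1, lone = demo()
    print(f"de-aggregation burst: {burst} of 300 new prefixes rate-limited")
    print(f"same burst from an exempt (tier-1 stand-in) peer: {tier1} rate-limited")
    print(f"single more-specific announcement: {lone} rate-limited")
```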
Origin AS Changes (OASC)
• Ownership: UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS
• Current
  – AS Path: 2914 209 11423 6192
  – for prefix: 169.237/16
• New
  – AS Path: 2914 3011 273 81
  – even worse: 169.237.6/24
• Which route path to use?
• Legitimate or Abnormal??
• It won’t help if a specific prefix is hijacked!!
[Figure: from AS12654, 169.237/16 is reached via 2914 209 11423 6192 while 169.237.6/24 is reached via 2914 3011 273 81]
BGP MOAS/OASC Events (IMW’2001, Explanation DSOM’2003)
year   Median number   increase rate   #BGP table entries   increase rate
1998   683                             52000
1999   810.5           18.7%           60000                15.40%
2000   951             17.3%           80000                33.30%
2001   1294            34.8%           109000               36%
Max: 10226 (9177 from a single AS)
Real-Time OASC Detection
• Low level events: BGP Route Updates
• High level events: OASC
  – 1000+ per day and max 10226 per day
  – per 3-minute window in real-time demo
• IP address blocks
• Origin AS in BGP Update Messages
• Different Types of OASC Events
Quad-Tree Representation of IP Address Prefixes
[Figure: quad-tree in which each level consumes two prefix bits; nodes are labelled with their bit strings (1000, 1001, 1101, 110000, 110001, 110010, 110011, 111000, 111001, 111010, 111011, …) and an AS# is attached at a prefix node]
169.237/16 = 10101001.11101101/16
AS# Representation
[Figure: the same quad-tree, with example origin AS numbers AS-1, AS-7777, AS-15412, AS-6192 and AS-81 attached to prefix nodes]
AS81 punched a “hole” on 169.237/16
[Figure: yesterday 169.237/16 originated by AS-6192 (victim); today 169.237.6/24 appears inside it, originated by AS-81 (offender)]
OASC Event Types
• Using different colors to represent types of OASC events
• C type: CSS, CSM, CMS, CMM
• H type: H
• B type: B
• O type: OS, OM
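As an added example (not the authors' real-time detector), the Python below replays constructed BGP update lines through a binary prefix trie, the one-bit-per-level relative of the deck's quad-tree, and reports the two event shapes the preceding slides illustrate: an origin change on a known prefix, and a "hole" punched by a more-specific prefix whose origin differs from the covering prefix. The deck does not define its C/H/B/O codes, so the event names here are the example's own; the first three sample lines mirror the deck's 169.237/16 and AS81 story, the rest use documentation ASNs and prefixes.

```python
"""Origin-AS-change (OASC) detection over a stream of BGP updates.

Added example, not the authors' real-time detector. The update lines below are
constructed, and the two event kinds reported (an origin change on a known prefix,
and a "hole": a more-specific prefix whose origin differs from the covering prefix)
are this example's own simplification of the deck's C/H/B/O event types.
"""
import ipaddress


def _bits(net):
    """Network address of `net` as a bit string truncated to its prefix length."""
    return format(int(net.network_address), "032b")[: net.prefixlen]


def _bits_to_network(bits):
    """Inverse of _bits: the 16 bits of 169.237/16 -> '169.237.0.0/16'."""
    addr = ipaddress.IPv4Address(int(bits.ljust(32, "0"), 2))
    return str(ipaddress.ip_network(f"{addr}/{len(bits)}"))


class PrefixTrie:
    """Binary trie over prefix bits (the deck's quad-tree consumes two bits per level;
    one bit per level keeps the code short). A node that terminates an announced
    prefix stores the set of origin ASes seen for it under the key 'origins'."""

    def __init__(self):
        self.root = {}

    def insert(self, net, origin):
        node = self.root
        for b in _bits(net):
            node = node.setdefault(b, {})
        node.setdefault("origins", set()).add(origin)

    def lookup(self, net):
        """Return (origins of the exact prefix or None,
                   nearest strictly shorter covering prefix as (bits, origins) or None)."""
        bits = _bits(net)
        node, covering = self.root, None
        for i, b in enumerate(bits):
            if b not in node:
                return None, covering
            node = node[b]
            if "origins" in node and i < len(bits) - 1:
                covering = (bits[: i + 1], node["origins"])
        return node.get("origins"), covering


def parse_update(line):
    """'prefix|as-path' -> (ip_network, origin AS). The origin is the last ASN."""
    prefix, path = line.split("|")
    return ipaddress.ip_network(prefix.strip()), int(path.split()[-1])


def detect_oasc(lines):
    """Replay updates in order; return the OASC events they trigger."""
    trie, events = PrefixTrie(), []
    for line in lines:
        net, origin = parse_update(line)
        exact, covering = trie.lookup(net)
        if exact is not None and origin not in exact:
            # A known prefix now arrives from a new origin; after insert it is a MOAS prefix.
            events.append(("ORIGIN_CHANGE", str(net), sorted(exact), origin))
        elif exact is None and covering is not None and origin not in covering[1]:
            # A new, more-specific prefix inside someone else's block: the "hole" case.
            events.append(("HOLE", str(net), _bits_to_network(covering[0]),
                           sorted(covering[1]), origin))
        trie.insert(net, origin)
    return events


# Constructed update stream. The first three lines mirror the deck's example
# (UCDavis 169.237/16 from AS6192, then AS81 announcing 169.237.6/24);
# AS64496/AS64500 and 192.0.2.0/24 are documentation values, not real events.
SAMPLE_UPDATES = [
    "169.237.0.0/16|2914 209 11423 6192",
    "169.237.0.0/16|12654 3549 3356 11423 6192",   # same origin, other path: no event
    "169.237.6.0/24|2914 3011 273 81",             # AS81 punches a hole
    "169.237.0.0/16|64500 64496",                  # the /16 itself from a new origin
    "192.0.2.0/24|64500 64496",                    # unrelated first sighting: no event
]

if __name__ == "__main__":
    for event in detect_oasc(SAMPLE_UPDATES):
        print(event)
```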
“Normal”
AS15412 in April, 2001
April 6, 2001
AS15412 caused 40K+ MOAS/OASC events within 2 weeks…
April 7-10, 2001
[Figure: daily event plots for 04/07/2001 through 04/10/2001, each shown once for all ASes and once for AS15412 alone]
April 11-14, 2001
[Figure: daily event plots for 04/11/2001 through 04/14/2001, each shown once for all ASes and once for AS15412 alone]
April 18-19, 2001 – Again??
[Figure: daily event plots for 04/18/2001 and 04/19/2001, each shown once for all ASes and once for AS15412 alone]
How to authenticate or validate?
• Authentication/validation of BGP update messages
AS513
an AS Path: 169.237/16 513 11537 11423 6192
SBGP
• PKI
• Every relationship is certified by related ASes (with some certificates issued by the CA).
Peering ASes
[Figure: peering chain AS6192 (UCDavis, 169.237/16) – AS11423 (UC) – AS11537 (CENIC) – AS513]
AS6192 AS11423
[Figure: peering chain AS6192 (UCDavis, 169.237/16) – AS11423 (UC) – AS11537 (CENIC) – AS513]
an AS Path: 169.237/16 11423 6192
AS11423 AS11537
[Figure: peering chain AS6192 (UCDavis, 169.237/16) – AS11423 (UC) – AS11537 (CENIC) – AS513]
an AS Path: 169.237/16 11537 11423 6192
AS11537 AS513
[Figure: peering chain AS6192 (UCDavis, 169.237/16) – AS11423 (UC) – AS11537 (CENIC) – AS513]
an AS Path: 169.237/16 513 11537 11423 6192
Page 72
PKI and Global Trust
• Certificates for everyone and everything
• Verification through a chain of trust relationship
BUT: Is it reasonable to have a global PKI or any weaker form of centralized trust servers?
Chicken and Egg problem: which infrastructure depends on which?
[Figure: Internet depends on Trust Service; Trust Service depends on Internet]
Page 73
SoBGP
• Distributed Registry
– Checking for Topology relationship
• Similar to DNS (and many others)
– Checking for binding between IP address and name
Page 74
SoBGP
• Authentication/validation of BGP update messages
AS513: an AS Path: 169.237/16 513 11537 11423 6192
AS6192 owns 169.237/16
AS6192 peers with AS11423
AS11423 peers with AS11537
AS11537 peers with AS513
Page 76
Peering ASes
[Figure: UCDavis prefix 169.237/16 at AS6192; AS6192 peers with AS11423 (UC), AS11423 with AS11537 (CENIC), AS11537 with AS513]
AS6192 owns 169.237/16
AS6192 peers with AS11423
AS11423 peers with AS11537
AS11537 peers with AS513
Page 77
AS6192 to AS11423
[Figure: the same peering topology]
an AS Path: 169.237/16 11423 6192
AS6192 owns 169.237/16
AS6192 peers with AS11423
AS11423 peers with AS11537
AS11537 peers with AS513
Page 78
AS11423 to AS11537
[Figure: the same peering topology]
an AS Path: 169.237/16 11537 11423 6192
AS6192 owns 169.237/16
AS6192 peers with AS11423
AS11423 peers with AS11537
AS11537 peers with AS513
Page 79
AS11537 to AS513
[Figure: the same peering topology]
an AS Path: 169.237/16 513 11537 11423 6192
AS6192 owns 169.237/16
AS6192 peers with AS11423
AS11423 peers with AS11537
AS11537 peers with AS513
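The SoBGP check walked through on the slides above, as an added example (not code from the slides and not SoBGP's own implementation): a registry holding the four assertions, an origin check plus a hop-by-hop peering check on an UPDATE, and a replay of the path growing from AS6192 to AS513. The `Registry` class, the function names and the failing paths in the usage are my own constructions.

```python
"""SoBGP-style validation of a BGP UPDATE against a registry of
ownership and peering assertions (added example, not SoBGP's code)."""
from dataclasses import dataclass, field


@dataclass
class Registry:
    """The distributed registry's content, collapsed into one local copy."""
    owners: dict[str, set[int]] = field(default_factory=dict)
    peerings: set[frozenset[int]] = field(default_factory=set)

    def assert_owner(self, prefix: str, asn: int) -> None:
        self.owners.setdefault(prefix, set()).add(asn)

    def assert_peering(self, a: int, b: int) -> None:
        # Peering is symmetric, so store it as an unordered pair.
        self.peerings.add(frozenset((a, b)))

    def peers(self, a: int, b: int) -> bool:
        return frozenset((a, b)) in self.peerings


def slide_registry() -> Registry:
    """The four assertions shown on the slides (constructed registry)."""
    reg = Registry()
    reg.assert_owner("169.237/16", 6192)
    reg.assert_peering(6192, 11423)
    reg.assert_peering(11423, 11537)
    reg.assert_peering(11537, 513)
    return reg


def parse_as_path(text: str) -> tuple[int, ...]:
    """'513 11537 11423 6192' -> (513, 11537, 11423, 6192).
    The most recent hop comes first; the origin AS is the last element."""
    return tuple(int(tok) for tok in text.split())


def validate_update(reg: Registry, prefix: str, as_path: tuple[int, ...]) -> list[str]:
    """Return the problems found with an UPDATE. An empty list means the
    origin check and every adjacent-pair topology check passed."""
    if not as_path:
        return ["empty AS path"]
    problems: list[str] = []
    origin = as_path[-1]
    if origin not in reg.owners.get(prefix, set()):
        problems.append(f"origin: AS{origin} is not a registered owner of {prefix}")
    # Topology check: each adjacent pair on the path must be a registered peering.
    for left, right in zip(as_path, as_path[1:]):
        if not reg.peers(left, right):
            problems.append(f"topology: AS{left} and AS{right} are not registered peers")
    return problems


def walk_announcement(reg: Registry, prefix: str, chain: list[int]) -> dict[int, tuple[tuple[int, ...], list[str]]]:
    """Replay the slides' hop-by-hop walk: chain[0] originates the prefix and
    every following AS prepends itself, then validates what it now holds.
    Returns, per receiving AS, the path it holds and the problems it found."""
    path = (chain[0],)
    seen: dict[int, tuple[tuple[int, ...], list[str]]] = {}
    for asn in chain[1:]:
        path = (asn,) + path  # the receiver prepends itself, as on the slides
        seen[asn] = (path, validate_update(reg, prefix, path))
    return seen


if __name__ == "__main__":
    reg = slide_registry()
    for asn, (path, problems) in walk_announcement(reg, "169.237/16", [6192, 11423, 11537, 513]).items():
        print(f"AS{asn} holds {path}: {problems or 'valid'}")
    # Constructed bad updates: a skipped hop, and an origin that is not the owner.
    print(validate_update(reg, "169.237/16", parse_as_path("513 11423 6192")))
    print(validate_update(reg, "169.237/16", parse_as_path("513 11537 11423 81")))
```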
Page 80
AS6192 owns 169.237/16
AS6192 peers with AS11423
AS11423 peers with AS11537
AS11537 peers with AS513
Page 81
SBGP vs SoBGP
• What is the difference?
Page 84
Verification/Validation for the Truth
• Verifying the truth about the routing information
• SoBGP or SBGP
• But, MOAS/OASC:
– Inherently, they assume that if EVERYTHING has been verified, then MOAS/OASC is irrelevant.
Page 85
Descartes BGP
• A Conflict Detection and Response Framework for Inter-Domain Routing
«au contraire de cela, même que je pensais à douter de la vérité des autres choses, il suivait très évidemment et très certainement que j'étais.»
“to the contrary, in the very act of thinking about doubting the truth of other things, it very clearly and certainly followed that I existed.”
- René Descartes (1596-1650), Le Discours de la Méthode, Quatrième Partie
Page 86
Origin AS Changes (OASC)
• Ownership: UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS
• Current
– AS Path: 2914 209 11423 6192
– for prefix: 169.237/16
• New
– AS Path: 2914 3011 273 81
– for prefix: 169.237/16
[Figure: ASes 12654, 6192, 11423, 209, 3011, 273, 2914 and 81, with prefix 169.237/16]
Page 87
Origin AS Change
• Without ANY centrally managed service
– DNS, PKI, BGP Certificate Authority
– That is the spirit of Inter-domain Internet
• Without ANY global management!
• We do NOT know which one is correct or incorrect as the ground truth ANSWER is not being provided!
– We don’t have the oracle…
• Then, how do we deal with this problem?
Page 88
Descartes BGP
• Collaborative Conflict Detection and Resolution, while some of the collaborators might be malicious…
• Every IP prefix:
[Figure: state cycle per prefix: Agreement, Conflict, Persistent Conflict]
Page 89
Prevention vs. Tolerance
• No invalid route will be allowed.
– SBGP
• The system can still work, to a certain degree, even with one or more invalid routes.
Page 91
Byzantine/Persistent Failures
• Very expensive to prevent/eliminate
– You will need the ground truth!!
• An alternative approach:
– We can NOT completely eliminate certain faults.
– But, those faults can not completely eliminate our service as well.
Page 92
Conflict
• Ground Truth about a prefix: absolute
– must rely on some centralized services
• Conflict: relative
– Two peers disagree but we don’t know which one is right
Page 93
Descartes BGP
[Figure: AS-6192 and AS-81 both announce 169.237/16; state cycle: Agreement, Conflict, Persistent Conflict]
Page 99
[Figure: AS chain 6192 - 11423 - 209 - 2914 - 3011 - 273 - 81, with 169.237/16 announced from both ends, and the Traffic Split Line]
Page 100
Detectability & Detector
• Which ASes can detect the conflict?
• Which ASes should raise the flag?
Page 101
Who can detect??
[Figure: the AS chain 6192 - 11423 - 209 - 2914 - 3011 - 273 - 81, shown in four variants]
Page 104
Detector
• Who should be the detector?
[Figure: the AS chain 6192 - 11423 - 209 - 2914 - 3011 - 273 - 81]
Page 105
Minimizing the detectors
[Figure: AS chain 6192 - 11423 - 209 - 2914 - 3011 - 273 - 81 for 169.237/16; the paths carried on each side: 81, 273 81, 3011 273 81 and 6192, 11423 6192, 209 11423 6192]
Page 106
Detector
• The AS detects the conflict and will not use the new conflicting BGP update.
[Figure: the AS chain 6192 - 11423 - 209 - 2914 - 3011 - 273 - 81]
Page 107
[Figure: AS chain 6192 - 11423 - 209 - 2914 - 3011 - 273 - 81 for 169.237/16; the paths carried on each side: 81, 273 81, 3011 273 81 and 6192, 11423 6192, 209 11423 6192; one AS is marked Detector]
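The detector and checker identification from the slides above (which ASes receive both announcements, which one should raise the flag, and a summary in the style of the "# of Detectors" figures), as an added example that is not code from the slides or from Descartes BGP. It takes the last AS shared by the two paths, as seen from one observer, to be the detector; the paths for 169.237/16 are the slides' own, while the other prefixes, the second observer and the AS numbers 64496-64503 are constructed.

```python
"""Which ASes can detect an origin-AS conflict, and which one should be
the detector, from two AS paths as one observer sees them
(added example, not Descartes BGP's code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

Path = tuple[int, ...]   # most recent AS first, origin AS last


def parse_path(text: str) -> Path:
    return tuple(int(tok) for tok in text.split())


@dataclass(frozen=True)
class Conflict:
    prefix: str
    able: tuple[int, ...]      # every AS that receives both announcements
    detector: int              # the one that should raise the flag
    checkers: tuple[int, int]  # the two origin ASes, who must check themselves
    branch_current: Path       # from the detector toward the current origin
    branch_new: Path           # from the detector toward the new origin


def analyse(prefix: str, current: Path, new: Path, observer: int) -> Optional[Conflict]:
    """None means agreement: both paths end at the same origin AS."""
    if current[-1] == new[-1]:
        return None
    # The ASes at the front of both paths carry both announcements; the
    # last of them is where traffic splits. Beyond the split each AS sees
    # a single origin and has nothing to compare, so it cannot detect.
    shared = 0
    while shared < min(len(current), len(new)) and current[shared] == new[shared]:
        shared += 1
    able = (observer,) + current[:shared]   # the observer itself sees both
    return Conflict(prefix, able, able[-1], (current[-1], new[-1]),
                    current[shared:], new[shared:])


def detector_statistics(conflicts: list[Conflict]) -> dict:
    """Summary in the slides' style: distinct detectors, average detectors
    per prefix, and the share of prefixes the busiest detector covers.
    Expects at least one conflict."""
    per_prefix: dict[str, set[int]] = defaultdict(set)
    for c in conflicts:
        per_prefix[c.prefix].add(c.detector)
    counts = Counter(d for ds in per_prefix.values() for d in ds)
    top, n_top = counts.most_common(1)[0]
    return {
        "detectors": len(counts),
        "avg_per_prefix": sum(len(ds) for ds in per_prefix.values()) / len(per_prefix),
        "top_detector": top,
        "top_share": n_top / len(per_prefix),
    }


# Constructed observations: (prefix, current path, new path, observer AS).
# The first line is the slides' case; the rest use documentation ASNs.
OBSERVATIONS = [
    ("169.237/16", "2914 209 11423 6192", "2914 3011 273 81", 12654),
    ("169.237/16", "64500 2914 209 11423 6192", "64500 3011 273 81", 64499),
    ("198.51.100.0/24", "2914 3011 64496", "2914 209 64497", 12654),
    ("203.0.113.0/24", "2914 209 11423 64498", "2914 209 64501", 12654),
    ("192.0.2.0/24", "2914 64502", "3011 64503", 12654),
    ("192.0.2.0/25", "2914 209 11423 6192", "2914 209 11423 6192", 12654),  # agreement
]


def run() -> tuple[list[Conflict], dict]:
    conflicts = [c for c in (analyse(p, parse_path(a), parse_path(b), o)
                             for p, a, b, o in OBSERVATIONS) if c is not None]
    return conflicts, detector_statistics(conflicts)


if __name__ == "__main__":
    found, stats = run()
    for c in found:
        print(f"{c.prefix}: detector AS{c.detector}, checkers {c.checkers}, "
              f"split {c.branch_current} | {c.branch_new}")
    print(stats)
```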
Page 108
Self-Stabilization
• Detection
– Who should detect it?
• Conflict resolution
– Who can possibly verify better than the detector?
Page 109
[Figure: AS chain 6192 - 11423 - 209 - 2914 - 3011 - 273 - 81 for 169.237/16; the Detector receives 3011 273 81 and 209 11423 6192; a Checker at each end]
Page 110
[Figure: AS6192 and AS81, both announcing 169.237/16]
Local configuration and resolution
If the checkers don’t care, nobody else will.
[Figure: state cycle: Agreement, Conflict, Persistent Conflict]
Page 111
Assuming AS81 is faulty
• AS6192 (checker) confirms with local routing policies for 169.237/16.
• AS81 (checker) realizes that it made a mistake and withdraws.
Page 113
[Figure: AS chain 6192 - 11423 - 209 - 2914 - 3011 - 273 - 81 for 169.237/16; the Detector receives 3011 273 81 and 209 11423 6192; a Checker at one end, the other end marked Abnormal]
Page 114
Self-Stabilization
• Transient/Simple Faults
Page 115
But, what happens…
• AS81 disagrees that it is at fault!
– It even believes that AS6192 is faulty.
– The basic service will NOT know the answer
– We really need “outside” help to resolve the problem “completely”.
• But, the basic service should still operate as much as possible before the resolution.
Page 116
[Figure: AS chain 6192 - 11423 - 209 - 2914 - 3011 - 273 - 81 for 169.237/16; the Detector receives 3011 273 81 and 209 11423 6192; a Checker at each end]
Who should the Network trust?
Skeptical “Shared” Trust
Page 117
Persistent Conflict
• How to resolve?
Page 118
Management
• The right information to the management plane
• Before the issue is “completely” resolved, the Internet still operates to provide the basic service.
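The Agreement / Conflict / Persistent Conflict cycle described on the slides above, run at the detector for one prefix, as an added example that is not code from the slides or from Descartes BGP. It follows the slides' rules (the detector keeps the current route and never uses the conflicting update; a checker that admits a mistake withdraws; when both checkers insist, the conflict becomes persistent, is handed to the management plane, and new announcements under the prefix are held back); the class and method names and the use of `ipaddress` for the containment check are my own.

```python
"""Per-prefix Agreement / Conflict / Persistent Conflict state kept at the
detector AS (added example, not Descartes BGP's code)."""
import ipaddress
from typing import Optional

Path = tuple[int, ...]   # most recent AS first, origin AS last

AGREEMENT, CONFLICT, PERSISTENT = "agreement", "conflict", "persistent conflict"


def expand_prefix(text: str) -> ipaddress.IPv4Network:
    """Accept the slides' shorthand ('169.237/16') as well as full notation."""
    addr, length = text.split("/")
    octets = addr.split(".") + ["0"] * (4 - len(addr.split(".")))
    return ipaddress.IPv4Network(f"{'.'.join(octets)}/{length}", strict=False)


class PrefixMonitor:
    def __init__(self, prefix: str, current: Path) -> None:
        self.prefix = expand_prefix(prefix)
        self.current = current                  # the route the detector keeps using
        self.pending: Optional[Path] = None     # the conflicting update, never used
        self.verdicts: dict[int, bool] = {}
        self.state = AGREEMENT
        self.management_log: list[str] = []

    @property
    def checkers(self) -> tuple[int, ...]:
        """The origin ASes that must check their own local configuration."""
        if self.pending is None:
            return (self.current[-1],)
        return (self.current[-1], self.pending[-1])

    def route_in_use(self) -> Path:
        return self.current

    def receive(self, path: Path) -> str:
        """A BGP UPDATE for the prefix arrives at the detector."""
        if path[-1] == self.current[-1]:
            self.current = path                 # same origin: an ordinary update
        elif self.state == AGREEMENT:
            self.state, self.pending, self.verdicts = CONFLICT, path, {}
        # In CONFLICT or PERSISTENT a further foreign-origin update is ignored:
        # the detector already refuses to use the conflicting route.
        return self.state

    def withdraw(self, asn: int) -> str:
        """An origin AS withdraws its announcement of the prefix."""
        if self.pending is not None and asn == self.pending[-1]:
            self.pending, self.state = None, AGREEMENT
        elif self.pending is not None and asn == self.current[-1]:
            self.current, self.pending, self.state = self.pending, None, AGREEMENT
        return self.state

    def checker_verdict(self, asn: int, confirms: bool) -> str:
        """A checker reports whether its local policy confirms its announcement."""
        if self.state != CONFLICT or asn not in self.checkers:
            return self.state
        if not confirms:                        # the checker admits its mistake
            return self.withdraw(asn)
        self.verdicts[asn] = True
        if all(c in self.verdicts for c in self.checkers):
            self.state = PERSISTENT             # both insist: the basic service cannot decide
            self.management_log.append(
                f"persistent conflict on {self.prefix}: AS{self.checkers[0]} vs AS{self.checkers[1]}")
        return self.state

    def accepts_announcement(self, prefix: str) -> bool:
        """While the conflict is persistent, hold back new announcements under
        the disputed prefix (e.g. 169.237.6/24 under 169.237/16)."""
        return not (self.state == PERSISTENT and expand_prefix(prefix).subnet_of(self.prefix))

    def management_resolution(self, owner: int) -> str:
        """The management plane decides which origin is legitimate."""
        if self.state == PERSISTENT and self.pending is not None and owner in self.checkers:
            if owner == self.pending[-1]:
                self.current = self.pending
            self.pending, self.verdicts, self.state = None, {}, AGREEMENT
        return self.state


if __name__ == "__main__":
    m = PrefixMonitor("169.237/16", (209, 11423, 6192))     # detector's view, from the slides
    print(m.receive((3011, 273, 81)), m.route_in_use(), m.checkers)
    print(m.checker_verdict(6192, True), m.checker_verdict(81, True))
    print(m.accepts_announcement("169.237.6/24"), m.management_log)
```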
Page 119
[Figure: AS chain 6192 - 11423 - 209 - 2914 - 3011 - 273 - 81 for 169.237/16; the Detector and the two Checkers]
Page 120
[Figure: AS chain 6192 - 11423 - 209 - 2914 - 3011 - 273 - 81; the prefix split into 169.237.0/17 and 169.237.128/17; the Detector and the two Checkers]
Page 121
[Figure: IP Prefix P/n: n network bits, 32 - n host bits; an address restoration bit b in the IP Header, set to 0 or 1 by Local Decision, outbound at the source AS and inbound at the destination AS]
Page 122
Descartes BGP Recovery
• All the ASes between AS81 & AS6192 are aware of the persistent conflict for 169.237/16.
• No further new BGP prefix announcement under 169.237/16 (e.g., 169.237.6/24) until the persistent conflict is removed by management plane.
• Application-level IP address re-mapping, based on some trust, is required.
Page 123
Conflict Detection
[Figure: conflict detection for a prefix]
Page 124
Conflict Resolution
[Figure: conflict resolution for a prefix, with both announcers marked "?"]
Page 125
Persistent Conflict
[Figure: persistent conflict for a prefix, with both announcers marked "?"]
Page 126
Robustness against Persistent Fault
• The faults can not be eliminated completely
– Due to no ground truth within the basic service!
• But, the faults can not completely eliminate the basic service either!!
– We will still have enough/some bandwidth to run SNMP, DNS, and PKI, for instance.
Page 127
# of Detectors
• AS-15412 (30,088 affected prefixes)
• 933 detectors in total
• Average 8.88 per prefix
• AS-3549 detected 77%
Page 128
140.113.0.0/16 NCTU, Taiwan, 2001/04/06 5pm GMT
Page 129
140.113.0.0/16 NCTU, Taiwan, 2001/04/07 1am GMT
Fault Line
Page 130
73 BGP msg
Page 131
83 BGP msg
40 D-BGP msg
Page 132
Descartes BGP: the principle of ABCD
• A: Anomalous Advertiser
• B: Blocker
• C: Checker
• D: Detector
Page 133
Routing Security / Secure Routing
• Routing security
– Make sure the basic IP service works correctly!
• Secure Routing
– Enhance Internet security via a better routing service!
Page 135
Internet Infrastructure
• It enables many cool applications.
– Email, Web+, IM, Skype, Google, Bittorrent, Infospace, LinkedIn,...
• We are connected, at least in the “IP address” sense!!
• Many other forms of connections:
– Peer2Peer, Friend2Friend, community
Page 138
Internet Infrastructure
• It enables many cool applications.
• It enables many cool attacks.
– David Clark on the Morris Worm to DARPA in 1988: “Internet is doing exactly what it’s supposed to do”
Page 140
We can not blame everything on Microsoft!
• It enables many cool applications.
• It enables many cool attacks.
– Worm, DDoS, spamming, phishing,… (the list is still growing)
Related to our Inter-domain routing today…
Page 141
We can not blame everything on Microsoft!
• It enables many cool applications.
• It enables many cool attacks.
– Worm, DDoS, spamming, phishing,… (the list is still growing)
[Figure: endpoints A and B]
Is “end2end security” the right abstraction?
Page 142
We can not blame everything on Microsoft!
• It enables many cool applications.
• It enables many cool attacks.
– Worm, DDoS, spamming, phishing,… (the list is still growing)
– Spyware (I mainly blame Microsoft for this, but can we do something in the Internet infrastructure to ensure the information accountability across domains?)
![Page 144: Internet Routing Security: Past, Current, and Future S. Felix Wu Computer Science Department University of California, Davis wu@cs.ucdavis.edu wu](https://reader036.vdocuments.us/reader036/viewer/2022062421/56649cfe5503460f949cfa3d/html5/thumbnails/144.jpg)
11/23/2006 France Telecom 144
“BGP”
• How would I let the whole world know about 169.237/16?– I announce that I owned 169.237/16– Prefix hijacking
• More importantly, how would anybody else in the Internet know how to send (or route, forward) a IP packet to 169.237/16?– Others would know how to send packets to
169.237/16– DDoS, Spam – no receiver/owner controllability
UCDavis:169.237/16
AS6192
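As an added example (not code from the talk), the kind of origin check a prefix monitor can run over observed announcements: the origin AS (rightmost AS_PATH entry) of each update is compared with a small authorized-origin table for 169.237.0.0/16 (the full form of 169.237/16, AS6192 from the slide). The table, the other AS numbers and the sample updates are constructed here, in the spirit of RPKI route origin validation rather than any mechanism the talk proposes.

```python
import ipaddress

# Constructed authorized-origin table (example data, not a real ROA set):
# prefix -> (authorized origin AS, most specific length that may be announced).
AUTHORIZED = {
    "169.237.0.0/16": (6192, 16),    # UC Davis prefix and AS from the slide
    "192.0.2.0/24":   (64500, 24),   # RFC 5737 test space, constructed entry
}

def origin_as(as_path):
    """The origin AS is the rightmost entry of the AS_PATH."""
    return as_path[-1]

def validate(prefix, as_path):
    """Classify one announcement as 'valid', 'invalid' or 'unknown'.

    'invalid': an authorization covers this prefix, but the announcement has
    a different origin AS or is more specific than the authorization allows
    (a more-specific wins longest-prefix match, so it is the classic hijack).
    'unknown': nobody has authorized anything covering this prefix.
    """
    net = ipaddress.ip_network(prefix)
    origin = origin_as(as_path)
    covering = [(asn, maxlen) for p, (asn, maxlen) in AUTHORIZED.items()
                if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "unknown"
    if any(asn == origin and net.prefixlen <= maxlen for asn, maxlen in covering):
        return "valid"
    return "invalid"

def check_updates(updates):
    """Validate a batch of (prefix, as_path) pairs; returns (prefix, verdict) list."""
    return [(p, validate(p, path)) for p, path in updates]

# Constructed sample updates, as a route monitor might see them (all ASNs
# other than 6192 come from the RFC 5398 documentation range).
SAMPLE_UPDATES = [
    ("169.237.0.0/16",   [64499, 6192]),   # legitimate origin
    ("169.237.0.0/16",   [64499, 64496]),  # someone else "owns" 169.237/16
    ("169.237.128.0/17", [64499, 64496]),  # more-specific from the wrong AS
    ("198.51.100.0/24",  [64499, 64501]),  # nothing authorized here
]

if __name__ == "__main__":
    for prefix, verdict in check_updates(SAMPLE_UPDATES):
        print(f"{prefix:20} {verdict}")
```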
11/23/2006 France Telecom 145
DSL (Davis Social Links)
Principle:
– Communication should reflect the (social) relationship between the sender and the receiver, and the receiver should have ways to control that.
Design:
– Route discovery based on social keywords and their potential aggregation
– Separation of identity and routability
– Penalty and reputation framework
(figure: nodes A and B, with intermediate nodes F)
11/23/2006 France Telecom 146
The same message content
• “M” from Felix Wu: probably a spam
• “M” from Felix Wu via an IETF mailing list: probably not interesting
• “M” from Felix Wu via Herve Debar: do I seriously want to keep the job?
11/23/2006 France Telecom 148
This is nothing new!
Principle:
– Communication should reflect the (social) relationship between the sender and the receiver, and the receiver should have ways to control that.
Design:
– Route discovery based on social keywords and their potential aggregation
– Separation of identity and routability
– Penalty and reputation framework
(figure: nodes A and B, with intermediate nodes F)
11/23/2006 France Telecom 149
Social Routers
11/23/2006 France Telecom 150
Social Routers
Proxy
11/23/2006 France Telecom 151
Social Router Identity
Identity: an X-bit string with a public key
The identity doesn’t have to be globally unique.
There are many “Felix Wu” in this world, but Herve won’t be confused under different social contexts.
11/23/2006 France Telecom 153
Go beyond HIP
• Host Identity Protocol
– Separation of host identity and routable addresses
• Host → Person/Object
• “Identification” should be an application issue.
• Routing only provides services to forward packets to the IP address, which can be mapped to the identity by the application!
11/23/2006 France Telecom 155
A Social Link
representing a trust relationship
Without a social link, messages will be either dropped or given lower priority in the “networking” layer.
The link can be revoked or downgraded at any time!
11/23/2006 France Telecom 158
Social Keywords
Soccer, BGP, Davis, California, Intrusion Detection, …
Social keywords represent your interests and the semantic/social interpretation of you (and your identity).
(figure: the keywords split into two groups: BGP, Intrusion Detection; Soccer, Davis, California)
Soccer, BGP, Davis, California, Intrusion Detection, Liechtenstein
Sometimes, it can be anything you like!
11/23/2006 France Telecom 162
Incoming Route Discovery Messages
Soccer, BGP, Davis, California, Intrusion Detection, Liechtenstein
AND/OR expression
Soccer, BGP, Davis, California, Intrusion Detection, Liechtenstein + a few extra
{ a bag of expected words }
Accepted or not??
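As an added example (not code from the talk or the DSL project), one way a receiver could act on two of the ideas above: a route discovery message carries an AND/OR expression of social keywords and may bring "a few extra" words, and it arrives over a social link or over none at all, in which case it is dropped or given lower priority. The tuple encoding of expressions, the trust scores, the drop/low-priority/accept thresholds and the sample senders are all assumptions constructed for this example.

```python
# Expressions are nested tuples ("AND", e1, e2, ...) / ("OR", e1, ...) or a
# bare keyword string; matching is case-insensitive.

def evaluate(expr, keywords):
    """True if the AND/OR keyword expression is satisfied by `keywords`."""
    have = {k.lower() for k in keywords}
    if isinstance(expr, str):
        return expr.lower() in have
    op, *args = expr
    if op == "AND":
        return all(evaluate(a, have) for a in args)
    if op == "OR":
        return any(evaluate(a, have) for a in args)
    raise ValueError(f"unknown operator {op!r}")

def leaves(expr):
    """Every keyword an expression mentions: the message's bag of words."""
    if isinstance(expr, str):
        return {expr.lower()}
    return set().union(*(leaves(a) for a in expr[1:]))

def decide(msg, receiver, min_trust=0.5, max_extra=2):
    """Return "drop", "low-priority" or "accept" for one incoming message.
    receiver["links"]: sender -> trust in [0, 1]; missing = no social link.
    The thresholds are this example's assumptions, not values from the talk."""
    trust = receiver["links"].get(msg["sender"])
    if trust is None:
        return "drop"                       # no social link: nothing to route on
    if not evaluate(msg["expr"], receiver["keywords"]):
        return "drop"                       # the expression does not describe me
    expected = {k.lower() for k in receiver["keywords"]}
    extra = leaves(msg["expr"]) - expected  # the "few extra" words of slide 163
    if trust < min_trust or len(extra) > max_extra:
        return "low-priority"
    return "accept"

# Constructed receiver profile (keywords from the slides) and sample messages.
RECEIVER = {
    "keywords": {"Soccer", "BGP", "Davis", "California",
                 "Intrusion Detection", "Liechtenstein"},
    "links": {"herve": 0.9, "ietf-list": 0.3},
}
MESSAGES = [
    {"sender": "herve",     "expr": ("AND", "BGP", "Intrusion Detection")},
    {"sender": "ietf-list", "expr": ("AND", "BGP", "Intrusion Detection")},
    {"sender": "nobody",    "expr": ("AND", "BGP", "Intrusion Detection")},
    {"sender": "herve",     "expr": ("OR", "BGP", "Lottery", "Prize", "Winner")},
]
```

Running `decide(m, RECEIVER)` over MESSAGES yields accept, low-priority (weak link), drop (no link) and low-priority (matches on one keyword but carries three unexpected words).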
11/23/2006 France Telecom 164
Routing Information Exchange
AND/OR expressions of keywords
11/23/2006 France Telecom 165
Scalable, scalable, scalable???
• 40 billion ASes or nodes
• “Lots” of keywords and keyword expressions
11/23/2006 France Telecom 166
Keyword Aggregation
AND/OR expressions of keywords
11/23/2006 France Telecom 167
Limited Resources
(figure)
11/23/2006 France Telecom 168
(figure: message M)
Keywords and aggregated keywords
“content addressable emails”
11/23/2006 France Telecom 169
DSL Route Discovery & Trust Management
DSL Forwarding Plane
11/23/2006 France Telecom 170
Remarks
• Routing security involves several complex issues without good definitive answers.
• We should really think about “communication” first, and then worry about the best routing framework to support it.
– E.g., P2P applications, hijacking, fairness, spam, phishing, penalty, matching with social networks, identity and receiver control…