routing security - penn state college of engineeringpdm12/cse545-s11/slides/cse545-routing.pdf ·...

CSE545 - Advanced Network Security - Professor McDaniel Page

Routing Security

Professor Patrick McDanielCSE545 - Advanced Network Security

Spring 2011

1


AS7007

2


Routing 101• Network routing exists to provide

hosts desirable paths from the source to destination

‣ What desirable means depends on the types of protocols being used

• Two main approaches to routing

‣ Link state - collected/metrics of paths between hosts, e.g., OSPF

‣ Distance vector - shortest path based on exchanged routing tables, e.g., BGP

3


Routing Security• Bad guys play games with routing protocols.

• Traffic is diverted.

‣ Enemy can see the traffic.

‣ Enemy can easily modify the traffic.

‣ Enemy can drop the traffic.

• Cryptography can mitigate effects, but not stop them.

• History: we don’t have a lot of good answers!

4


How is it Different?• Most communications security failures happen because

of buggy code or broken protocols.

• Routing security failures often happen despite good code and functioning protocols. The problem is a dishonest participant.

‣ Hop-by-hop authentication isn't sufficient.

5


Routing ...

6

X

Z

X

Host A

Host B

X

X

X

X

X

X

X


The Enemy's Goal?

7

X

Z

X

Host A

Host B

X

X

X

X

X

X

X


Routing Protocols• Routers speak to each other.

• They exchange topology and cost information.

• Each router calculates the shortest path to each destination.

• Routers forward packets along locally shortest path.

• Attacker can lie to other routers

8


Normal Behavior

9

Y → X:B(10)Y → Z :B(10)Z → X :Y (5), B(15)X → A:Z(5), Y (5), B(15)

X

Z

Y

Host A

Host B

5

5

5

10

10

Y → X:B(10)Y → Z :B(10)Z → X :Y (5), B(3)X → A:Z(5), Y (5), B(8)


Malicious Behavior

10

X

Z

Y

Host A

Host B

5

5

5

10

10

3


Why is the Problem Hard?• X has no knowledge of Z's real connectivity.

• Even Y has no such knowledge.

• The problem isn't the link from X to Z; the problem is the information being sent. (Note that Z might be deceived by some other neighbor Q.)

11


Worm-Holing

12

X

X

X

Host A

Host B

X

X

Z

X

X

Z

X


Worm-Holing

13

X

X

X

Host A

Host B

X

X

Z

X

X

Z

X


Link Cutting

14

X

X

X

Host A

Host B

X

X

Z

X

X

Z

X


Link Cutting

15

X

X

X

Host A

Host B

X

X

Z

X

X

Z

X


Why So Little Progress?• It's a really, really hard problem.

• Actually, getting routing to work well is hard enough.

• Has been outside the scope of traditional communications security.

16


Routing in the Internet• Two types, internal and external routing.

‣ Intradomain - Internal (within ISP, company): primarily OSPF.

‣ Interdomain routing - external (between ISPs, and some customers): BGP.

• Topology matters.

17


OSPF (Open Shortest Path First)

• Each node announces its own connectivity. Announcement includes link cost.

‣ Each node reannounces all information received from peers.

‣ Every node learns the full map of the network.

‣ Each node calculates the shortest path to all destinations.

• Note: limited to a few thousand nodes at most.18

X

Z

X

Host A

Host B

5

5

5

10

10


Characteristics of Internal Networks

• Common management.

• Common agreement on cost metrics.

• Companies have less rich topologies, but less controlled networks.

• ISPs have very rich---but very specialized---topologies, but well-controlled networks.

19


Secure OSPF?• Simple link security is hard: multiple-access net.

• Shared secrets guard against new machines being plugged in but not against an authorized party being dishonest.

• Solution: digitally sign each routing update (expensive!)‣ List authorizations in certificate.

• Experimental RFC by Murphy et al., 1997.• Note: everyone sees the whole map; monitoring station

can note discrepancies from reality. (But bad guys can send out different announcements in different directions.)

20


BGP (Border Gateway Protocol)

• BGP is the protocol used to route information at the autonomous system level - (distance vector protocol)

‣ Everyone builds a route to every AS in the internet based on paths received from neighbors

‣ Routes are flooded to neighbors

‣ Path selection is based on policy (not always shortest path)

21


Routing in a nutshell• The Internet ...

22


Routing in a nutshell• …is made up of Autonomous Systems (ASes)…

23


Routing in a nutshell• …linked at Border Routers.

24


Routing in a nutshell• The Border Gateway Protocol determines which ASes to

follow from source to destination.

25


Routing in a nutshell• Each AS is responsible for moving packets inside it.• Intra-AS routing is (mostly) independent from Inter-AS

routing.

26

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

The BGP Protocol• BGP messages‣ Origin announcements:

• “I own this block of addresses”

‣ Route advertisements: • “To get to this address block, send

packets destined for it to me. And by the way, here is the path of ASes it will take”

‣ Route withdrawals:• “Remember the route to this

address block I told you about, that path of ASes no longer works”

• Route decisions‣ Border routers receive many

origin announcements/ route advertisements, one from each of their peers

‣ They choose the “best” path and send their selection downstream

• BGP Attributes‣ BGP messages have additional

attributes to help routers choose the “best” path

‣ AS_path (above), MED, community strings, …

27

192.168.28.0/24 768 4014 664 quest:bkup

CIDR Block Path Attributes


Routing in a nutshell• Propagate throughout the network.

28


BGP announcementsn Which path gets picked depends on the

advertised attributes.

29


BGP Connection FSM

30


BGP Operation: Connection Setup

• A router is speak BGP with another router, generally physically connected to it, in another AS‣ These two routers are called BGP peers

‣ Before coming online, the router is in the Idle state

• When the router comes on line, it creates a BGP session with its peer‣ BGP runs over TCP, and a TCP connection is made first between

the two peers (port 179)

‣ The router is in the Connect state during this time

‣ When the connection is established, the router moves into the Established state

31


BGP Operation: Information Exchange

• Once the BGP session is active, the peers exchange routing data

‣ This information is passed through the UPDATE message

• Contains a list of advertised prefixes, known as network layer reachability information (NLRI), and withdrawn routes

• Prefixes with different policy attributes are sent in separate UPDATE messages

• Route setup can create heavy exchanges of messages and be computationally intensive for the router

32


BGP Operation: Path Attributes

• ORIGIN: shows whether prefix was learned through interior or exterior routing

• AS_PATH: the ASes that the prefix has passed through during this advertisement

‣ BGP is a path vector protocol, and the prefix with the fewest ASes traversed is usually preferred

‣ Including AS path vector prevents looping

• NEXT-HOP: the node to send packets back to in order to get them closer to their destination

33


Other Common Path Attributes

• MULTI-EXIT DISCRIMINATOR: if two ASes connect in multiple locations, the MED can be used by a peer to favour a particular link to improve routing

• LOCAL-PREF: used by the local AS to assign a degree of preference of one link for a given prefix over another

• ATOMIC-AGGREGATE: lets the router know not to deaggregate an advertisement into more specific prefixes

• AGGREGATOR: specifies AS and router that performed aggregation of a prefix

34

CIDR Block AS PATH

192.10.10.0/24192.10.0.0/16192.10.12.0/24192.10.11.0/24192.10.14.0/24


In class exercise• Fill in the routing tables ...

35

AS 1

Addresses:

192.10.10.0/24

AS 2

Addresses:

192.10.0.0/16

AS 3

Addresses:

192.10.12.0/24

AS 4

Addresses:

192.10.11.0/24

AS 5

Addresses:

192.10.14.0/24

CIDR Block AS PATH

192.10.10.0/24192.10.0.0/16192.10.12.0/24192.10.11.0/24192.10.14.0/24

CIDR Block AS PATH

192.10.10.0/24192.10.0.0/16192.10.12.0/24192.10.11.0/24192.10.14.0/24

CIDR Block AS PATH

192.10.10.0/24192.10.0.0/16192.10.12.0/24192.10.11.0/24192.10.14.0/24

CIDR Block AS PATH

192.10.10.0/24192.10.0.0/16192.10.12.0/24192.10.11.0/24192.10.14.0/24

1. Initialize: advertise yourself as ORIGIN all of your CIDR blocks to allpeers in UPDATE messages

2. Steady State: repeat

(a) If a link fails, remove every route involving that link from the internalrouting table

(b) Receive UPDATES from peers, add new routes to internal table,remove all WITHDRAWN routes from internal tables

(c) Selected “best” route for every CIDR block you have heard(d) If a previously advertised route is no longer best for that CIDR block,

WITHDRAW it from all peers you advertised it to(e) Send a UPDATE for every best route that you have not perviously

advertised to all peers except the AS in the path


BGP: simplified routing algorithm

36


BGP Misconfiguration• One of the largest problems with BGP is

misconfiguration

‣ Leading cause of instability on the Internet

‣ Causes

• Stupidity

• Poor configuration tools

• Under-specified network requirements

‣ Often misconfiguration can lurk for months or years before it is detected or its effects felt

• Changing network topology

• Unexpected network states

37


Mahajan et al.• SIGCOMM ’02 study of BGP misconfiguration‣ Those instances where configurations caused problems:

• unintended suppression of legitimate advertisement

• unintended creation of illegitimate advertisement

‣ Human factors terminology• slip - inadvertent errors, e.g., typos

• mistakes - design errors, e.g.,

• Methodology: use data from RouteViews routing repository collected over 3 years and 23 vantage points located located over the globe.‣ contacted ASes for information on causes

38


Study Results• Errors detected‣ prefix hijacking - incorrect advertisement of addresses‣ improper route export - exporting routes/paths in violation of

stated ISP policies

• Problems are universal, pervasive, and pathological‣ 200-1200 prefixes seeing misconfiguration per day (0.2-1.0% of

2002 table size)‣ 3 in 4 new prefix advertisements result of misconfigurations‣ About 15 hijacks per day (how about today?)

• Result: constant stream of incorrect information being received by routers.*

• Interesting thought: how to secure in this environment?

39

*only gets worse after 2002.


Attacks Against BGP• Control Plane

‣ Timing

‣ Availability

• Data Plane

‣ Origin

‣ Path

40


Prefix Hijacking• An attacker can forge an UPDATE

message that claims to originate a known prefix

• For example, my organization could decide to be AT&T for a day, and advertise 12.0.0.0/8

• Outbound route filtering should catch this, but many operators do not perform proper filtering policy within their AS

41


Prefix Destabilization• By forcing route flapping on a given link, an

attacker to a peer can cause BGP dampening to occur‣ Routes that flap are penalized by being

suppressed

‣ The period of suppression increases depending on how many times the BGP session changes state and length of the prefix (longer prefixes are penalized more than shorter ones)

• Black holes are a major problem of origin attacks

42


Black Holes are out of sight• If another AS advertises one of our prefixes, bad things

happen:

43

AS 1

C1C4

AS 6AS 5

AS 4

AS 2

AS 3

128.59.0.0/16legitimate

128.59.0.0/16

not legitimate!


Black Holes are out of sight• Prefix becomes unreachable from the part of the net

believing C4’s announcement.

44

AS 1

C1C4

AS 6AS 5

AS 4

AS 2

AS 3

legitimate

128.59.0.0/16

not legitimate!128.59.0.0/16


Self-deaggregation• Within the AS, a prefix can be broken into smaller

blocks and advertised as such• Because of longest-prefix matching, these will be

preferred (eg. 12.10.8.0/24 is preferred over 12.0.0.0/8 because it is more specific)

• This is the heart of the AS7007 incident, where much of the Internet lost its routing

• It can also cause a large burden on the routers, because of increase in computation and routing table size

45


Path Modification• BGP is a path-vector protocol, so the

length of the path is a major factor in accepting a route

• AS path prepending can be used to bias a route (adding the same AS number repeatedly to a route)

• An attacker with the ability to modify the AS path can force traffic to follow patterns it otherwise wouldn’t

46


Path Forgery• If an AS_PATH attribute is completely

forged, the attacker has even more control over traffic

• This can allow for traffic analysis since traffic is engineered in the direction the attacker desires

• This can also lead to black holes, as previously discussed

47


Policy Modification• By modifying policy attributes, traffic can

be be biased in certain ways and routing can be compromised

• Examples: changing the MED or Local_Pref values can cause suboptimal routing within the peer’s or local AS, respectively

48


TCP SYN Attacks• SYN forgery

‣ If the attacker sends a SYN, the peer may think this is a legitimate connection

‣ If the attacker guesses the correct SYN ACK, a collision will result, causing the legitimate connection to fail

• SYN-ACK forgery

‣ Attacker timing a SYN ACK and sending it during TCP setup can bring down connection

• SYN flood

‣ Overwhelm the router resources with SYN packets until it runs out of connections

49


Spoofing• A forged BGP OPEN message can bring down

a connection‣ If a connection is in the process of being opened, an

attacker sending an OPEN message can cause a collision

‣ Legitimate connection would be terminated

• Similarly, a BGP KEEPALIVE sent while peers are connecting will cause the session to fail‣ If peers are in Connect, Active or OpenSent state

50


Modifying BGP Timers• If the attacker can gain control of timer

functionality, messages can be delayed and connections forced closed

‣ KeepAlive timer, Hold timer and OpenDelay timer - if altered, messages and the connection itself may be dropped

• KEEPALIVE messages are “heartbeat” messages to ensure the BGP connection exists

51


Availability Attacks through BGP

• Forged NOTIFICATION message‣ NOTIFICATION is indicative of an error, so whenever this

message is passed, the connection is brought down and the peer states change to Idle

• Syntax or parse errors with BGP messages‣ If a packet is malformed, values are invalid or message headers

contain errors, the peer will drop the connection

52


Route Flooding• Any attack that brings down the causes a connection to

bounce will force its peers to dump their routing tables to it

‣ These can overwhelm the router depending on the number of routes it receives, and is computationally and bandwidth intensive in any case

• Route flapping also an availability attack

‣ Penalized by BGP dampening algorithms that force suppression of the advertisement

53


Physical Attacks• Link cutting

‣ If the attacker knows the network topology, bringing down certain links (through DoS attacks, or a backhoe) can force traffic into the pattern they desire

• Taking control of the router

‣ For example, exploiting a buffer overflow (such as the SNMP attack)

‣ Can cause the router to reboot

• Physical destruction of the router

‣ As always, network security is dependent on physical security

54


Bellovin/Gansner Link Cutting

55

Given :network Gvertex (routers) V = {v1 . . . vn}edges (links) L = {l1, . . . lm}adversary controlled vertices(routers) � ⊂ Vsource s ∈ Vdestination t ∈ V

Goal :route s to t through vi ∈ �

CSE545 - Advanced Network Security - Professor McDaniel

1. If some vi ∈ � on path from s to t, done.

2. For each vi ∈ �, computer shortest simple∗ path from s to t through vi. Ifnone exists, no solution possible.

3. Pick shortest path P of length l, set each edge an inifinite cut cost, set allothers to 1.

4. Find the min s− t cut of the graph C ⊂ L.

5. For each edge ci in the cut, remove it if the shortest path for s to t throughci is less than l.

1. If some vi ∈ � on path from s to t, done.

S → A→ G→ T


Example

57

S

TA

G

F

C

D

E

B

3. Pick shortest path P of length l, set each edge an inifinite cut cost, set allothers to 1.

S → A→ E → F → G→ T

∞ 1


Example

59

S

TA

G

F

C

D

E

B

∞

∞∞

∞1 1 1

11

S

TA

G

F

C

D

E

B

∞ 1

4. Find the min s− t cut C of the graph C ⊂ L− �.


Example

60

∞

∞∞

∞1 1 1

11

S

TA

G

F

C

D

E

B

5. For each edge ci in the cut, remove it if the shortest path for s to t throughci is less than or equal to l.


Example

61

|SAGT | = 3|SABCDGT | = 6

|SAEFGT | = 5


Class notes• Next Tue: Enck Thesis 3:00 @

• Next Tue: 6-7:15pm @ cybertorium (113 IST)

62

CIDR Block AS PATH

192.10.10.0/24192.10.0.0/16192.10.12.0/24192.10.11.0/24192.10.14.0/24


In class exercise• Fill in the routing tables ...

63

AS 1

Addresses:

192.10.10.0/24

AS 2

Addresses:

192.10.0.0/16

AS 3

Addresses:

192.10.12.0/24

AS 4

Addresses:

192.10.11.0/24

AS 5

Addresses:

192.10.14.0/24

CIDR Block AS PATH

192.10.10.0/24192.10.0.0/16192.10.12.0/24192.10.11.0/24192.10.14.0/24

CIDR Block AS PATH

192.10.10.0/24192.10.0.0/16192.10.12.0/24192.10.11.0/24192.10.14.0/24

CIDR Block AS PATH

192.10.10.0/24192.10.0.0/16192.10.12.0/24192.10.11.0/24192.10.14.0/24

CIDR Block AS PATH

192.10.10.0/24192.10.0.0/16192.10.12.0/24192.10.11.0/24192.10.14.0/24


Problems to Solutions?• Independent of the type, routing requires securing the

following information for a source:

‣ where the destination address?

‣ what is the best path to that address?

• Answering these questions in practice is complex, as it necessarily requires us to trust foreign entities or devices for which we may know little (if anything).

• This is the nasty secure distributed computation and everyone on the Internet must play.

64

CSE598K/CSE545 - Advanced Network Security - McDaniel Page

Solving BGP Security• Reality: most deployed techniques for securing BGP

have been at the local level‣ Filtering‣ Securing BGP peering

• Future: a number of complex protocols have been proposed to solve some or all BGP security issue‣ S-BGP‣ soBGP‣ IRV‣ SPV

• We will be looking at these solutions over the next couple of lectures

65

BGPSEC


Filtering• Filtering just drops BGP message (typically

advertisements) as they are passed between ASes

‣ Ingress filtering (as it is received)

‣ Egress filtering (as it is sent)

• Types of filtering

‣ By prefix (e.g., bogon/martian list)

‣ By path (e.g., customer advertisement of provider routes)

‣ By policy (e.g., some “community” strings that represent paths/policies that an AS does not want to support)

• ISP ASes aggressively filter (the security mechanism)

66


Protecting Peer Communication

• Two routers exchanging BGP messages (in a BGP session) need to secure communication.

‣ Integrity

‣ Confidentiality?

‣ Authenticity

‣ Non-repudability?

• Note: This is often defined as a transport security issue, where just secure point-to-point communication is necessary.

67


MD5• A simple solution (RFC 2385)

‣ Share a private secret (e.g., password)

‣ Compute an keyed message authentication code on each TCP packet passed between the two routers

‣ Check MAC upon receipt of each packet

• You get

‣ Integrity

‣ Authenticity

• Problem: this is manual configuration, which neither scales to many routers or supports key maintenance

68


Generalized TTL Security Mechanism

• TCP time-to-live (RFC 3682)‣ At a packets origin, the TTL is set to the maximum number

of hops that the packet can traverse‣ TTL decremented at each hop‣ Packets are dropped when TTL goes to 0

• This ensures that packets stuck in transient routing loops do not congest the network

• Idea: can we use the TTL to ensure that every packet received came from peer (assuming one hop)?‣ Set TTL = 255 (Q: how about TTL=1?)‣ Receiver checks TTL on all packets, if not 254, then forged

• Issue: how much does this really tell you? 69


HOP Integrity• HOP integrity protocols implement peering secure

communication that provides integrity/authentication

‣ Diffie-Hellman style key negotiation, data integrity, data authentication

‣ Idea: provide public key based per hop security, and simple constructions to enforce integrity constraints

• Two protocols

‣ Weak - just per hop integrity (MAC)

‣ Strong - adds replay protection (sequence numbers)

• Note: used to secure communication between a range of peers via a per-hop security (limitation?)

70


Smith/Garcia-Luna-Aceves• An (ad hoc?) suite of countermeasures

1. Encrypt all messages between peers

2. Add a message sequence number to all BGP messages

• Protects against replayed or deleted messages

3. Add a sequence number (or time-stamps) to UPDATES

4. Add a PREDECESSOR path attribute

5. Digitally sign all the UPDATEs

• Note: this gets beyond the basic peer security, and bleeds into the more general BGP security issues.

71


Question?• What attacks do these measures prevent?

• If yes, how?

‣ Message replay

‣ Route replay

‣ Path forgery

‣ Path modification

‣ Forged route withdrawal

‣ Prefix hijacking

72


IPsec• IPsec provides all of the basic guarantees needed to

implement router-to-router BGP security

‣ Independent of intermediate connectivity

‣ IKE/ISAKMP used to establish transient keys

• Avoids cryptanalysis of long running keys

‣ ESP/AH provide confidentiality, integrity, replay protection ...

• Problems: this is just a start

‣ Overheads can be expensive if not managed correctly

‣ Backward compatibility (less now)

‣ Key management

73


Peering Summary

• Reality: most of these schemes were hacks or stop-gap measures until IPsec became widely available

‣ Where secured at all, IPsec is generally used

‣ AH/ESP w/out confidentiality is popular

‣ Singly-homed customer/ISP peering is often not secured at all

• Question: why is this reasonable?

74

Integrity Confidentiality Replay Prevention DOS PreventionIPsec (ESP) yes yes yes yesIPsec (AH) yes no yes yesMD5 Integrity yes no yes noHOP Protocol yes no yes noGTSM no no no noSmith .et al. yes yes yes no


BGP Security Protocols• The big two, plus one

• sBGP (Secure Border Gateway Protocol)

‣ [Kent et al. 99]

• soBGP (Secure Origin BGP)

‣ [White et al. 03]

• IRV (Internet Routing Validation)

‣ [Goodell et al. 03]

75


sBGP• sBGP was the first leading candidate for routing

security, and highlighted much of IR security issues

‣ Still under consideration, but somewhat limited

‣ Model: Routing and origination announcements are signed

• signatures are validated based on shared trust associations (CAs)

• It all begins with the keys (really two parallel PKIs)

1. Binding routers and organizations to ASes.

2. Origin authentication PKI

76


Organization PKI• Keys for routers, AS numbers

• Route attestations - attestations to the transient state of the network, e.g., the advertisements/routes

‣ Keys used to create these advertisements

• Router certificates need to ascertain validity of instantaneous advertisements.

‣ You need to prove association between the network elements making statements and AS/organizations

77


Route Attestations

• Signing recursively: each advertisement signs everything it receives, plus the last hop.

78

(5, (4, (3, (2, 1)kAS1)kAS2

)kAS3)kAS4

AS3AS 1 AS

5AS

2AS

4


Address Attestations• Attestations of ownership and delegation

‣ These are the “simple attestations”

‣ For example, assume that organization A delegates prefix p to organization B:

• Note: (surprisingly) sBGP distributes with address attestations out-of-band

‣ Thus everyone is required to obtain and validate their own copies of origin/ownership proving certificates.

‣ As in OA, validate path to ICANN

79

(p, B)kA


sBGP Issues• Single point of trust: is an authority that everyone will

trust to provide address/path certification?

‣ Chinese Military vs. NSA?

• Cost: validating signatures is very computationally expensive

‣ Can a router sustain the load?

• Incremental deployability: requires changes to BGP message formats

‣ All implementations must change

80


soBGP• CISCO’s entry in the securing Internet routing rodeo

‣ Viewed as the manufacturer approach to implementing security within BGP

• Released as a kind of refutation of sBGP, which was seen as too expensive and unwieldy to be practical.

‣ A more “open” model that allows providers to implement security much more flexibly, i.e., within the confines of existing policy and infrastructure

• Basic approach: network providers themselves act as a joint authority, and issue certificates for all relevant routing data, e.g., policy, address management, paths.

81


soBGP Design Requirements• System should take advantage of operational

experience and existing Internet Architecture.

• Implicit trust built into the Internet

• IP address assignment and delegation system

• Minimize impact to current implementations of the BGP protocol

• Minimum changes to existing protocol formats.

• Optimize memory and processing requirements.

82


soBGP Design Requirements• Must not rely on a central authority of any type.

‣ Distributed processing and trust

• Must be incrementally deployable (it must provide some level of security without the participation of every AS).

83


Solution*• Verifies originator of a route is authorized to do so. ‣ Verifies that the advertised AS_PATH represents a valid path

to the originator. (plausible path?)• BGP Security Message (extension to BGP) New BGP

Message used to carry security information ‣ No changes to existing messages for backwards compatibility

and incremental deployment. (removal of messages?)• Leverages existing protocol and security mechanisms ‣ Fixed additional scalability requirements Per-AS information

and route policies advertised once. (caching)• No additional information in UPDATES, resulting in

low processing impact. (well, sort of)

84

*CISCO text in black, my text in red.


BGPSEC

85


Certificates• Databases of certificates that advertise and correlate

AS identity, prefix ownership and route policy.

• Certificate types:

‣ Entity Certificate = Used to establish (AS) identity

‣ Authorization Certificate = Assigns/delegates IP addresses

‣ Policy Certificate = Used to define per-AS or pre-prefix policies and propagate AS interconnectivity topology map

• Certificate exchanges/trust relations are not defined

‣ Prior to or within routing exchanges

‣ Uses Web-of-Trust model to validate certificates.

86


PolicyCerts

• Pairwise signing: the topology database contains peering attestations.

87

AS3AS 1 AS

5AS

2AS

4

(2, 1)kAS1, (3, 2)kAS2

, (4, 3)kAS3, (4, 5)kAS4


AuthCert and EntityCert• AuthCerts define the delegation of address space

‣ Operates in essentially the same way as sBGP/OA

‣ Some looked at OA in soBGP and looked to learn the correct address assignment by viewing history

• Kinda intrusion detection for address usage (open problem)

• EntityCerts identifies who/what router is associated with which AS.

• Again note: which of these certs you believe is up to you (its a web of trust, caveat emptor)

88


Path Authentication vs. Path Plausibility

• Is Path Authentication stronger than Path Plausibility?

‣ “Since each AS in sBGP is authentication a relationship between itself and its predecessor and successor ASes, the set of acceptable AS paths in sBGP is a subset of the set paths acceptable under SoBGP”

• Argue for (and explain why or why not):

‣ Q1: Is Path Lengthening in soBGP but not sBGP?

‣ Q2: Is Path Shortening possible in sBGP but not soBGP?89

AS3AS 1 AS

5AS

2AS

4

(5, (4, (3, (2, 1)kAS1)kAS2

)kAS3)kAS4

(2, 1)kAS1, (3, 2)kAS2

, (4, 3)kAS3, (4, 5)kAS4


soBGP Issues• “Soft” security: the guarantees

provided are limited

‣ E.g., plausible, not actual secure paths

• Nebulus trust: not clear under what conditions or trust model a certificate was created

‣ Signatures in web of trust have unclear semantics

‣ Assumes transitive trust

90


IRV• Intended to solve BGP without changing any of existing

routing infrastructure

‣ [Goodell et al. 2003]

• Idea: validate all information by actively querying databases of policy, address, and path information provided by

‣ Post-facto verification - receive and optimistically accept routing information

‣ AS-centralized verification - an IRV service exists outside the domain of the AS, provides validation information in real time to all routers (win--no per router cost)

91


IRV Operation• ASes provide a well-known IRV server from which any

external party can query for the validity of information‣ Authenticated responses provide assurance that

advertisements are correct

‣ Routing Policy Specification Language (RPSL)

92

AS2

AS3

AS1

BGP Router

IRV

IRV

IRV I R V Q u e r y


IRV Issues• DOS opportunities - IRV can get flooded with requests

by malicious party

‣ Under normal operation following, for example, a table reset.

• Offline operation - when the network fails, little ability to return system to stable state

‣ Possible solutions:

• Peering repositories

• Shadow control network

93


BGP Security• Now: After almost two decades of work, we are not

much closer to a global security solution ...

‣ Problems are often not technical ...

• Cost of building routers

• Backward compatibility

• Incremental deployment

• Future: we will move from a border filtering to more and more cryptographically aided solutions.

‣ Mining past advertisements and understanding “expected” routing advertisements will also be key where crypto is not appropriate or feasible.

94

routing security - penn state college of engineeringpdm12/cse545-s11/slides/cse545-routing.pdf ·...

Documents