Upload
christmas
View
47
Download
2
Tags:
Embed Size (px)
DESCRIPTION
How Small Groups Can Secure Interdomain Routing. Martin Suchara in collaboration with I. Avramopoulos and J. Rexford. Interdomain Routing (BGP) is not Secure. BGP is vulnerable to: Deliberate attacks Misconfigurations. Yet, users demand: Confidentiality Integrity Availability. - PowerPoint PPT Presentation
Citation preview
Martin Suchara
in collaboration with I. Avramopoulos and J. Rexford
How Small Groups Can Secure Interdomain Routing
2
Interdomain Routing (BGP) is not Secure
Yet, users demand:
Confidentiality
Integrity
Availability
BGP is vulnerable to:
Deliberate attacks
Misconfigurations
3
Securing Interdomain Routing
Focus of this work
Existing crypto solutions
Users demand:
Confidentiality
Integrity
Availability
4
Overview
I. The routing system and its vulnerabilities
III. Securing BGP in small groups – effectiveness of techniques
IV. Our approach
a) SBone – secure overlay routing
b) Shout – hijacking the hijacker
V. Conclusion
II. Why should small groups secure BGP
5
Interdomain Routing – Terminology
AS #1Yale
AS #1Yale
AS #2AT&T
AS #2AT&T
AS #3Princeton
AS #3Princeton
Autonomous Systems (ASes) = independently administered networks in a loose federation
Prefix = set of IP addresses
Origin = genuine owner of an address prefix
Route = AS-level path to the origin
Origin of 12.34.*
1 21
Data packets Routing announcements
6
Interdomain Routing – Protocol Based on Trust
AS #112.34.*
AS #112.34.*
BGP is prefix-based path-vector protocol
Each AS maintains a set of routes to all prefixes
One “best” route is used
AS1→12.34.* AS2 → AS1 → 12.34.*Originate 12.34.*
AS1→12.34.*
21
AS2 → AS1 → 12.34.*
1
AS4 → AS1 → 12.34.*
AS #2AS #2
1
AS #3AS #3
AS #4AS #4
7
Interdomain Routing – Export & Policies
National ISP (#1)
National ISP (#1)
Regional ISP (#3)
Regional ISP (#3)
National ISP (#2)
National ISP (#2)
Customer-provider and peer-peer relationships
Selecting a route: by assumption the most profitable, shortest route preferred
At most one profitable route exported
Regional ISP (#5)
Regional ISP (#5)
Cust. #7Cust. #7Cust. #6Cust. #6
Regional ISP (#4)
Regional ISP (#4)
12.34.*
peer-peer
customer-provider
8
Interdomain Routing – Export & Policies
National ISP (#1)
National ISP (#1)
Regional ISP (#3)
Regional ISP (#3)
National ISP (#2)
National ISP (#2)
Customer-provider and peer-peer relationships
Selecting a route: by assumption the most profitable, shortest route preferred
At most one profitable route exported
Regional ISP (#5)
Regional ISP (#5)
Cust. #7Cust. #7Cust. #6Cust. #6
Regional ISP (#4)
Regional ISP (#4)
Use: 6Remember: 36
12.34.*
9
Interdomain Routing – One Cannot Learn Many Routes
National ISP (#1)
National ISP (#1)
Regional ISP (#3)
Regional ISP (#3)
National ISP (#2)
National ISP (#2)
Customer-provider and peer-peer relationships
Selecting a route: by assumption the most profitable, shortest route preferred
At most one profitable route exported
Regional ISP (#5)
Regional ISP (#5)
Cust. #7Cust. #7Cust. #6Cust. #6
AS3 → AS6
→ 12.34.*
12.34.*
Regional ISP (#4)
Regional ISP (#4)
Use: 6Remember: 36
10
Vulnerabilities – Example 1
11
33
22
Invalid origin attack
Nodes 1, 3 and 4 route to the adversary
The true destination is blackholed
55
77Genuine originAttacker
66
44
12.34.* 12.34.*
11
Vulnerabilities – Example 2
11
33
22
Adversary spoofs a shorter path
Node 4 routes through 1 instead of 2
The traffic may be blackholed or intercepted
55
77Genuine origin
44
66 Thinks route thru 2 shorter
12.34.*
No attack
12
Vulnerabilities – Example 2
11
33
22
Adversary spoofs a shorter path
Node 4 routes through 1 instead of 2
The traffic may be blackholed or intercepted
55
77Genuine origin
Announce 17
44
66 Thinks route thru 1 shorter
12.34.*
13
Overview
I. The routing system and its vulnerabilities
III. Securing BGP in small groups – effectiveness of techniques
IV. Our approach
a) SBone – secure overlay routing
b) Shout – hijacking the hijacker
V. Conclusion
II. Why should small groups secure BGP
14
State of the Art – S-BGP and soBGP
S-BGP
Certificates to verify origin AS
Cryptographic attestations added to routing announcements at each hop
Mechanism: identify which routes are invalid and filter them
soBGP
Build a (partial) AS level topology database
15
Limitations of the Secure Protocols
Previous solutions
Benefits only for large deployments (~10,000s)
No incentive for early adopters
No deployment for over a decade
Our goal: Provide incentives to early adopters!
16
Our Approach
Challenges
Non-participants outnumber participants
Participants rely on non-participants
Each AS exports only one route
Focus on raising the bar for the adversary rather than residual vulnerabilities
Secure routing within a small group
10-20 cooperating nodes
All participants’ routes are secured
17
Overview
I. The routing system and its vulnerabilities
III. Securing BGP in small groups – effectiveness of techniques
IV. Our approach
a) Sbone – secure overlay routing
b) Shout – hijacking the hijacker
V. Conclusion
II. Why should small groups secure BGP
18
Experimental Evaluations
Performance of existing techniques
They work well in large scale deployments
How do they do in small groups?
Evaluate performance of state-of-the art: soBGP
Evaluate partial deployment
If two ASes participate, a valid link connecting them must be in the registry
19
Experimental Setup – All Experiments
Method – simulation of BGP announcements on the AS-level Internet topology
Topology information from RouteViews
Adversary and origin chosen at random
Participants implement secure protocol
1 or 5 adversaries
Performance metric – fraction of the Internet ASes with valid routes
Average of 100 runs
20
soBGP – Random Participation, 1 adversary
Participants have a higher chance to have a valid route!
Groups of 1 – 30 participants
Number of Participant ASes
Per
cent
age
of
AS
es
% of the Internet with valid routes
Participant ASesAll ASes
21
soBGP – Deployment by 30 Random + Some Largest ISPs
Better performance
Cooperation of many large ISPs needed!
Number of Large ISPs
Per
cent
age
of
AS
es
Participant ASesAll ASes
22
Perfect Detection
Simulations: give ability to detect routes that don’t work
Is this sufficient to secure routing?
How useful is it to have perfect detection?
Can be done in practice:
Data-plane probing verifies validity of route by using it
23
Perfect Detection at 30 Random + Some Largest ISPs
Perfect detection helps but not sufficient by itself!
Per
cent
age
of
AS
es
Number of Large ISPs
Participant ASesAll ASes
24
Lessons Learned
25
Overview
I. The routing system and its vulnerabilities
III. Securing BGP in small groups – effectiveness of techniques
IV. Our approach
a) Sbone – secure overlay routing
b) Shout – hijacking the hijacker
V. Conclusion
II. Why should small groups secure BGP
26
Our Approach – Key Ideas
Hijack the hijacker: all participants announce the protected prefix
Hire a few large ISPs to help
Detect invalid routes accurately with data plane detectors
Circumvent the adversary with secure overlay routing
27
Our Approach – Key Ideas
Hijack the hijacker: all participants announce the protected prefix
Hire a few large ISPs to help
Detect invalid routes accurately with data plane detectors
Circumvent the adversary with secure overlay routing
28
Our Approach – Key Ideas
Hijack the hijacker: all participants announce the protected prefix
Hire a few large ISPs to help
Detect invalid routes accurately with data plane detectors
Circumvent the adversary with secure overlay routing
29
Our Approach – Key Ideas
Hijack the hijacker: all participants announce the protected prefix
Hire a few large ISPs to help
Detect invalid routes accurately with data plane detectors
Circumvent the adversary with secure overlay routing
30
Overview
I. The routing system and its vulnerabilities
III. Securing BGP in small groups – effectiveness of techniques
IV. Our approach
a) SBone – secure overlay routing
b) Shout – hijacking the hijacker
V. Conclusion
II. Why should small groups secure BGP
Secure Overlay Routing (SBone)
Overlay of participants’ networks
Protects intra-group traffic
Bad paths detected by probing
55 44
66
33
77
11 22
Use longer route
Use peer route
11
55
22
77
Use provider route
12.34.*31
12.34.*
; 12.34.1.1
; 12.34.1.1Detected as bad
Nonparticipant
Participant
Secure Overlay Routing (SBone) Traffic may go thru an intermediate node
32
44
77
Uses path thru intermediate node 3
33
66
?
?
?11
?
12.34.*
12.34.*
; 12.34.1.1
; 12.34.1.1
55
12.8.1.1
; 12.8.1.1
Forwards traffic for 1
22
33
SBone – 30 Random + Help of SomeLarge ISPs
Good performance even for small groups! P
erce
ntag
e of
Par
ticip
atin
g A
Ses
Group Size (ASes)
5 large ISPs3 large ISPs1 large ISP0 large ISPs
34
SBone – Multiple Adversaries
With 5 adversaries, the performance degrades
Solution: enlist more large ISPs!
Group Size (ASes)
Per
cent
age
of P
artic
ipat
ing
AS
es
5 large ISPs3 large ISPs1 large ISP0 large ISPs
35
SBone - Summary
36
Overview
I. The routing system and its vulnerabilities
III. Securing BGP in small groups – effectiveness of techniques
IV. Our approach
a) SBone – secure overlay routing
b) Shout – hijacking the hijacker
V. Conclusion
II. Why should small groups secure BGP
Hijacking the Hijacker – Shout Secure traffic from non-participants All participants announce the protected prefix Once the traffic enters the overlay, it is securely
forwarded to the true prefix owner
37
11
33
22
44
66
55
77
Prefers short customer’s path leading to adversary
12.34.*
Node 4 shouts
Use shortest path 1412.34.*
12.34.*
12.34.* 12.34.*
38
Shout + SBone – 1 Adversary
With as few as 10 participants + 3 large ISPs, 95% of all ASes can reach the victim!
Per
cent
age
of A
Ses
Group Size (ASes)
5 large ISPs3 large ISPs1 large ISP0 large ISPs
39
Shout + SBone – 5 Adversaries
More adversaries larger groups required!
Per
cent
age
of A
Ses
Group Size (ASes)
5 large ISPs3 large ISPs1 large ISP0 large ISPs
40
Performance and Scalability of Shout
Shout can be used reactively
Only shout if an attack is detected
Changes in routing table sizes negligible
Alternate routes must be saved in routing tables
The average table size increased by less than 5%
After shouting path lengths increase modestly
Paths less than 1.35 times longer
Detailed results next
41
Shout + SBone – Increase in Path Length
With as few as 3 large ISPs the penalty is negligible!
Leng
th R
atio
Group Size (ASes)
0 large ISPs1 large ISP3 large ISPs5 large ISPs
42
Shout - Summary
43
Overview
I. The routing system and its vulnerabilities
III. Securing BGP in small groups – effectiveness of techniques
IV. Our approach
a) SBone – secure overlay routing
b) Shout – hijacking the hijacker
V. Conclusion
II. Why should small groups secure BGP
44
Conclusion
BGP should be secured by small groups
To be effective, the group members should
45
Conclusion
The proposed solution
SBone and Shout are novel mechanisms that achieve these goals
46
Future Work
Deployment in larger groups where participants don’t trust each other
Secure routing protocol on the overlay?
Analytic models of the deployment
Predict which additional ASes to enlist to boost performance?
Effects of the structure of the graph on the outcomes?
47
Thank you for your attention!
48
Discussion
1. Effects of subprefix hijacking
2. What if participants not willing to choose less profitable routes?
3. What if N large ISPs are used instead of N largest ones?
4. Average results and error bars
1. Subprefix Hijacking Threat: adversary deaggregates the victim’s prefix,
all traffic is directed to the adversary
Key security mechanisms
Deaggregate the prefix and use shout to announce it
Tunnel endpoints already secure if announced with /24 prefixes
Only deaggregate when attack detected
Attack detected if at least one participant sees an unauthorized subprefix
50
1. Subprefix Hijacking – Avoiding Detection
If the adversary conceals the attack, <5% ASes are affected!
Per
cent
age
of A
Ses
Group Size (ASes)
5 large ISPs3 large ISPs1 large ISP
51
1. Subprefix Hijacking - Summary
52
2. SBone – Preserve Business Relationships?
Participants do not have visibility into BGP; just route through intermediate nodes
Participants can influence route selection
Group Size (ASes)
Per
cent
age
of P
artic
ipat
ing
AS
es
underlay reroutingno underlay rerouting
3. Effect of Choosing the Largest ISPs
The largest ISPs are similar in terms of connectivity and size
Which one of these we enlist among the participants does not matter much
54
SBone vs. Perfect Detection Alone
With 5 adversaries and 10 participants the SBone is better and variance lower!
Stdev: 15%
Stdev: 8%
Per
cent
age
of A
Ses
0 large ISPs
1 large ISP
3 large ISPs
5 large ISPs
Perfect detection aloneSBone