How Small Groups Can Secure Interdomain Routing

Martin Suchara, in collaboration with I. Avramopoulos and J. Rexford

Page 1: How Small Groups Can Secure Interdomain Routing

Martin Suchara

in collaboration with I. Avramopoulos and J. Rexford

How Small Groups Can Secure Interdomain Routing

Page 2: How Small Groups Can Secure Interdomain Routing

Interdomain Routing (BGP) is not Secure

BGP is vulnerable to:

Deliberate attacks

Misconfigurations

Yet, users demand:

Confidentiality

Integrity

Availability

Page 3: How Small Groups Can Secure Interdomain Routing

Securing Interdomain Routing

Focus of this work

Existing crypto solutions

Users demand:

Confidentiality

Integrity

Availability

Page 4: How Small Groups Can Secure Interdomain Routing

Overview

I. The routing system and its vulnerabilities

II. Why should small groups secure BGP

III. Securing BGP in small groups – effectiveness of techniques

IV. Our approach

a) SBone – secure overlay routing

b) Shout – hijacking the hijacker

V. Conclusion

Page 5: How Small Groups Can Secure Interdomain Routing

Interdomain Routing – Terminology

Autonomous Systems (ASes) = independently administered networks in a loose federation

Prefix = set of IP addresses

Origin = genuine owner of an address prefix

Route = AS-level path to the origin

[Figure: AS #1 (Yale), AS #2 (AT&T) and AS #3 (Princeton); one AS is marked "Origin of 12.34.*"; legend: data packets, routing announcements]

Page 6: How Small Groups Can Secure Interdomain Routing

Interdomain Routing – Protocol Based on Trust

BGP is a prefix-based path-vector protocol

Each AS maintains a set of routes to all prefixes

One “best” route is used

[Figure: AS #1 (originates 12.34.*), AS #2, AS #3 and AS #4; announced routes: AS1 → 12.34.*, AS2 → AS1 → 12.34.*, AS4 → AS1 → 12.34.*]

Page 7: How Small Groups Can Secure Interdomain Routing

Interdomain Routing – Export & Policies

Customer-provider and peer-peer relationships

Selecting a route: by assumption the most profitable, shortest route preferred

At most one profitable route exported

[Figure: National ISPs #1 and #2, Regional ISPs #3, #4 and #5, Customers #6 and #7; prefix 12.34.*; link types: peer-peer, customer-provider]

Page 8: How Small Groups Can Secure Interdomain Routing

Interdomain Routing – Export & Policies

Customer-provider and peer-peer relationships

Selecting a route: by assumption the most profitable, shortest route preferred

At most one profitable route exported

[Figure: National ISPs #1 and #2, Regional ISPs #3, #4 and #5, Customers #6 and #7; prefix 12.34.*; annotations: "Use: 6", "Remember: 36"]

Page 9: How Small Groups Can Secure Interdomain Routing

Interdomain Routing – One Cannot Learn Many Routes

Customer-provider and peer-peer relationships

Selecting a route: by assumption the most profitable, shortest route preferred

At most one profitable route exported

[Figure: National ISPs #1 and #2, Regional ISPs #3, #4 and #5, Customers #6 and #7; prefix 12.34.*; announced route: AS3 → AS6 → 12.34.*; annotations: "Use: 6", "Remember: 36"]

Page 10: How Small Groups Can Secure Interdomain Routing

Vulnerabilities – Example 1

Invalid origin attack

Nodes 1, 3 and 4 route to the adversary

The true destination is blackholed

[Figure: topology of nodes 1–7; the genuine origin and the attacker each announce 12.34.*]

Page 11: How Small Groups Can Secure Interdomain Routing

Vulnerabilities – Example 2

Adversary spoofs a shorter path

Node 4 routes through 1 instead of 2

The traffic may be blackholed or intercepted

[Figure: topology of nodes 1–7 with no attack; the genuine origin announces 12.34.*; annotation: "Thinks route thru 2 shorter"]

Page 12: How Small Groups Can Secure Interdomain Routing

Vulnerabilities – Example 2

Adversary spoofs a shorter path

Node 4 routes through 1 instead of 2

The traffic may be blackholed or intercepted

[Figure: topology of nodes 1–7 under attack; the genuine origin announces 12.34.*; annotations: "Announce 17", "Thinks route thru 1 shorter"]

Page 14: How Small Groups Can Secure Interdomain Routing

State of the Art – S-BGP and soBGP

S-BGP

Certificates to verify origin AS

Cryptographic attestations added to routing announcements at each hop

Mechanism: identify which routes are invalid and filter them

soBGP

Build a (partial) AS level topology database

Page 15: How Small Groups Can Secure Interdomain Routing

Limitations of the Secure Protocols

Previous solutions

Benefits only for large deployments (~10,000s)

No incentive for early adopters

No deployment for over a decade

Our goal: Provide incentives to early adopters!

Page 16: How Small Groups Can Secure Interdomain Routing

Our Approach

Challenges

Non-participants outnumber participants

Participants rely on non-participants

Each AS exports only one route

Focus on raising the bar for the adversary rather than residual vulnerabilities

Secure routing within a small group

10-20 cooperating nodes

All participants’ routes are secured

Page 18: How Small Groups Can Secure Interdomain Routing

Experimental Evaluations

Performance of existing techniques

They work well in large scale deployments

How do they do in small groups?

Evaluate performance of the state-of-the-art: soBGP

Evaluate partial deployment

If two ASes participate, a valid link connecting them must be in the registry

Page 19: How Small Groups Can Secure Interdomain Routing

Experimental Setup – All Experiments

Method – simulation of BGP announcements on the AS-level Internet topology

Topology information from RouteViews

Adversary and origin chosen at random

Participants implement secure protocol

1 or 5 adversaries

Performance metric – fraction of the Internet ASes with valid routes

Average of 100 runs

Page 20: How Small Groups Can Secure Interdomain Routing

soBGP – Random Participation, 1 adversary

Participants have a higher chance to have a valid route!

Groups of 1 – 30 participants

[Figure: % of the Internet with valid routes; x-axis: Number of Participant ASes; y-axis: Percentage of ASes; series: Participant ASes, All ASes]

Page 21: How Small Groups Can Secure Interdomain Routing

soBGP – Deployment by 30 Random + Some Largest ISPs

Better performance

Cooperation of many large ISPs needed!

[Figure: x-axis: Number of Large ISPs; y-axis: Percentage of ASes; series: Participant ASes, All ASes]

Page 22: How Small Groups Can Secure Interdomain Routing

Perfect Detection

Simulations: give ability to detect routes that don’t work

Is this sufficient to secure routing?

How useful is it to have perfect detection?

Can be done in practice:

Data-plane probing verifies validity of route by using it

Page 23: How Small Groups Can Secure Interdomain Routing

Perfect Detection at 30 Random + Some Largest ISPs

Perfect detection helps but not sufficient by itself!

[Figure: x-axis: Number of Large ISPs; y-axis: Percentage of ASes; series: Participant ASes, All ASes]

Page 24: How Small Groups Can Secure Interdomain Routing

Lessons Learned

Page 26: How Small Groups Can Secure Interdomain Routing

Our Approach – Key Ideas

Hijack the hijacker: all participants announce the protected prefix

Hire a few large ISPs to help

Detect invalid routes accurately with data plane detectors

Circumvent the adversary with secure overlay routing

Page 31: How Small Groups Can Secure Interdomain Routing

Secure Overlay Routing (SBone)

Overlay of participants’ networks

Protects intra-group traffic

Bad paths detected by probing

[Figure: topology of nodes 1–7 and the overlay among the participants; labels: 12.34.*, 12.34.1.1; annotations: "Use provider route", "Detected as bad", "Use peer route", "Use longer route"; legend: Participant, Nonparticipant]

Page 32: How Small Groups Can Secure Interdomain Routing

Secure Overlay Routing (SBone)

Traffic may go thru an intermediate node

[Figure: topology of nodes 1–7; labels: 12.34.*, 12.34.1.1, 12.8.1.1; annotations: "Uses path thru intermediate node 3", "Forwards traffic for 1"]

Page 33: How Small Groups Can Secure Interdomain Routing

SBone – 30 Random + Help of Some Large ISPs

Good performance even for small groups!

[Figure: x-axis: Group Size (ASes); y-axis: Percentage of Participating ASes; series: 5 large ISPs, 3 large ISPs, 1 large ISP, 0 large ISPs]

Page 34: How Small Groups Can Secure Interdomain Routing

SBone – Multiple Adversaries

With 5 adversaries, the performance degrades

Solution: enlist more large ISPs!

[Figure: x-axis: Group Size (ASes); y-axis: Percentage of Participating ASes; series: 5 large ISPs, 3 large ISPs, 1 large ISP, 0 large ISPs]

Page 35: How Small Groups Can Secure Interdomain Routing

SBone - Summary

Page 37: How Small Groups Can Secure Interdomain Routing

Hijacking the Hijacker – Shout

Secure traffic from non-participants

All participants announce the protected prefix

Once the traffic enters the overlay, it is securely forwarded to the true prefix owner

[Figure: topology of nodes 1–7 with 12.34.* announced from several nodes; annotations: "Prefers short customer’s path leading to adversary", "Node 4 shouts", "Use shortest path 14"]
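
The effect of Shout on non-participants can be measured on a toy graph. The sketch below is an added example, not the authors' simulator: the 10-AS topology, the roles and the function names are constructed, route choice is simplified to fewest AS hops (no customer/peer/provider policy), and traffic that reaches a shouting participant is assumed to be delivered over the overlay.

```python
from collections import deque

# Constructed 10-AS topology (undirected adjacency lists); not from the slides.
TOPOLOGY = {
    1: [2, 3, 4, 10], 2: [1, 5, 7], 3: [1, 6, 8], 4: [1, 5, 6, 9],
    5: [2, 4, 7], 6: [3, 4], 7: [2, 5], 8: [3], 9: [4], 10: [1],
}
ORIGIN, ADVERSARY = 7, 6  # constructed roles


def adopted_announcer(topology, announcers):
    """Multi-source BFS: every AS adopts the announcement that reaches it over
    the fewest AS hops. Ties go to the announcer listed first."""
    chosen = {a: a for a in announcers}
    queue = deque(announcers)
    while queue:
        node = queue.popleft()
        for neighbor in topology[node]:
            if neighbor not in chosen:
                chosen[neighbor] = chosen[node]
                queue.append(neighbor)
    return chosen


def fraction_reaching_origin(topology, origin, adversary, shouters=()):
    """Fraction of non-adversary ASes whose traffic ends at the true origin.
    Traffic drawn to a shouting participant counts as delivered, on the
    assumption that the overlay forwards it to the origin."""
    # Adversary listed first, so every tie is resolved in its favour.
    chosen = adopted_announcer(topology, [adversary, origin, *shouters])
    delivered = sum(1 for asn, via in chosen.items()
                    if asn != adversary and via != adversary)
    return delivered / (len(topology) - 1)


if __name__ == "__main__":
    for group in [(), (1,), (1, 4)]:
        share = fraction_reaching_origin(TOPOLOGY, ORIGIN, ADVERSARY, group)
        print(f"shouters={group}: {share:.0%} of ASes reach the origin")
```

On this graph a single well-connected shouter (AS 1) raises the share of ASes with a valid route from 3 of 9 to 5 of 9, and adding AS 4 raises it to 7 of 9.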

Page 38: How Small Groups Can Secure Interdomain Routing

Shout + SBone – 1 Adversary

With as few as 10 participants + 3 large ISPs, 95% of all ASes can reach the victim!

[Figure: x-axis: Group Size (ASes); y-axis: Percentage of ASes; series: 5 large ISPs, 3 large ISPs, 1 large ISP, 0 large ISPs]

Page 39: How Small Groups Can Secure Interdomain Routing

Shout + SBone – 5 Adversaries

More adversaries → larger groups required!

[Figure: x-axis: Group Size (ASes); y-axis: Percentage of ASes; series: 5 large ISPs, 3 large ISPs, 1 large ISP, 0 large ISPs]

Page 40: How Small Groups Can Secure Interdomain Routing

Performance and Scalability of Shout

Shout can be used reactively

Only shout if an attack is detected

Changes in routing table sizes negligible

Alternate routes must be saved in routing tables

The average table size increased by less than 5%

After shouting path lengths increase modestly

Paths less than 1.35 times longer

Detailed results next

Page 41: How Small Groups Can Secure Interdomain Routing

Shout + SBone – Increase in Path Length

With as few as 3 large ISPs the penalty is negligible!

[Figure: x-axis: Group Size (ASes); y-axis: Length Ratio; series: 0 large ISPs, 1 large ISP, 3 large ISPs, 5 large ISPs]

Page 42: How Small Groups Can Secure Interdomain Routing

Shout - Summary

Page 44: How Small Groups Can Secure Interdomain Routing

Conclusion

BGP should be secured by small groups

To be effective, the group members should

Page 45: How Small Groups Can Secure Interdomain Routing

Conclusion

The proposed solution

SBone and Shout are novel mechanisms that achieve these goals

Page 46: How Small Groups Can Secure Interdomain Routing

Future Work

Deployment in larger groups where participants don’t trust each other

Secure routing protocol on the overlay?

Analytic models of the deployment

Predict which additional ASes to enlist to boost performance?

Effects of the structure of the graph on the outcomes?

Page 47: How Small Groups Can Secure Interdomain Routing

Thank you for your attention!

Page 48: How Small Groups Can Secure Interdomain Routing

Discussion

1. Effects of subprefix hijacking

2. What if participants are not willing to choose less profitable routes?

3. What if N large ISPs are used instead of N largest ones?

4. Average results and error bars

Page 49: How Small Groups Can Secure Interdomain Routing

1. Subprefix Hijacking

Threat: adversary deaggregates the victim’s prefix, all traffic is directed to the adversary

Key security mechanisms

Deaggregate the prefix and use shout to announce it

Tunnel endpoints already secure if announced with /24 prefixes

Only deaggregate when attack detected

Attack detected if at least one participant sees an unauthorized subprefix
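
The detection rule on this slide (one sighting by any participant is enough) and the reactive deaggregation it triggers can be written as a small check over the participants' routing views. This is an added example, not code from the presentation: the views, origin AS numbers, the authorized set and both function names are constructed, and 12.34.0.0/16 stands in for the slides' 12.34.*.

```python
import ipaddress

PROTECTED = ipaddress.ip_network("12.34.0.0/16")  # the slides' 12.34.*
# (prefix, origin AS) pairs the group itself announces; constructed sample.
AUTHORIZED = {("12.34.0.0/16", 7), ("12.34.1.0/24", 7)}

# Constructed routing views: participant AS -> [(prefix, origin AS), ...].
VIEWS = {
    2: [("12.34.0.0/16", 7), ("12.34.1.0/24", 7)],
    4: [("12.34.0.0/16", 7), ("12.34.128.0/17", 6)],
    5: [("12.34.0.0/16", 7), ("12.34.128.0/17", 6), ("12.8.0.0/16", 3)],
}


def detect_subprefix_hijack(protected, authorized, views):
    """Map each unauthorized more-specific of `protected` to the sorted list
    of participants that saw it. A single sighting is enough for an alert."""
    alerts = {}
    for participant, routes in views.items():
        for prefix, origin in routes:
            net = ipaddress.ip_network(prefix)
            if net.version != protected.version:
                continue  # subnet_of() refuses mixed IPv4/IPv6 comparisons
            more_specific = net != protected and net.subnet_of(protected)
            if more_specific and (str(net), origin) not in authorized:
                alerts.setdefault((str(net), origin), []).append(participant)
    return {key: sorted(seen_by) for key, seen_by in alerts.items()}


def prefixes_to_shout(alerts):
    """Reactive response: deaggregate only the subprefixes under attack, so
    nothing extra is announced while no alert is present."""
    return sorted({prefix for prefix, _ in alerts}, key=ipaddress.ip_network)


if __name__ == "__main__":
    found = detect_subprefix_hijack(PROTECTED, AUTHORIZED, VIEWS)
    for (prefix, origin), seen_by in found.items():
        print(f"unauthorized {prefix} from AS{origin}, seen by {seen_by}")
    print("shout:", prefixes_to_shout(found))
```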

Page 50: How Small Groups Can Secure Interdomain Routing

1. Subprefix Hijacking – Avoiding Detection

If the adversary conceals the attack, <5% ASes are affected!

[Figure: x-axis: Group Size (ASes); y-axis: Percentage of ASes; series: 5 large ISPs, 3 large ISPs, 1 large ISP]

Page 51: How Small Groups Can Secure Interdomain Routing

1. Subprefix Hijacking - Summary

Page 52: How Small Groups Can Secure Interdomain Routing

2. SBone – Preserve Business Relationships?

Participants do not have visibility into BGP; just route through intermediate nodes

Participants can influence route selection

[Figure: x-axis: Group Size (ASes); y-axis: Percentage of Participating ASes; series: underlay rerouting, no underlay rerouting]

Page 53: How Small Groups Can Secure Interdomain Routing

3. Effect of Choosing the Largest ISPs

The largest ISPs are similar in terms of connectivity and size

Which one of these we enlist among the participants does not matter much

Page 54: How Small Groups Can Secure Interdomain Routing

SBone vs. Perfect Detection Alone

With 5 adversaries and 10 participants the SBone is better and variance lower!

[Figure: y-axis: Percentage of ASes; x-axis: 0 large ISPs, 1 large ISP, 3 large ISPs, 5 large ISPs; series: Perfect detection alone, SBone; annotations: "Stdev: 15%", "Stdev: 8%"]