How Small Groups Can Secure Interdomain Routing
description
Transcript of How Small Groups Can Secure Interdomain Routing
![Page 1: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/1.jpg)
Martin Suchara
in collaboration with I. Avramopoulos and J. Rexford
How Small Groups Can Secure Interdomain Routing
![Page 2: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/2.jpg)
2
Interdomain Routing (BGP) is not Secure
Yet, users demand:
Confidentiality
Integrity
Availability
BGP is vulnerable to:
Deliberate attacks
Misconfigurations
![Page 3: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/3.jpg)
3
Securing Interdomain Routing
Focus of this work
Existing crypto solutions
Users demand:
Confidentiality
Integrity
Availability
![Page 4: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/4.jpg)
4
Overview
I. The routing system and its vulnerabilities
III. Securing BGP in small groups – effectiveness of techniques
IV. Our approach
a) SBone – secure overlay routing
b) Shout – hijacking the hijacker
V. Conclusion
II. Why should small groups secure BGP
![Page 5: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/5.jpg)
5
Interdomain Routing – Terminology
AS #1Yale
AS #1Yale
AS #2AT&T
AS #2AT&T
AS #3Princeton
AS #3Princeton
Autonomous Systems (ASes) = independently administered networks in a loose federation
Prefix = set of IP addresses
Origin = genuine owner of an address prefix
Route = AS-level path to the origin
Origin of 12.34.*
1 21
Data packets Routing announcements
![Page 6: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/6.jpg)
6
Interdomain Routing – Protocol Based on Trust
AS #112.34.*
AS #112.34.*
BGP is prefix-based path-vector protocol
Each AS maintains a set of routes to all prefixes
One “best” route is used
AS1→12.34.* AS2 → AS1 → 12.34.*Originate 12.34.*
AS1→12.34.*
21
AS2 → AS1 → 12.34.*
1
AS4 → AS1 → 12.34.*
AS #2AS #2
1
AS #3AS #3
AS #4AS #4
![Page 7: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/7.jpg)
7
Interdomain Routing – Export & Policies
National ISP (#1)
National ISP (#1)
Regional ISP (#3)
Regional ISP (#3)
National ISP (#2)
National ISP (#2)
Customer-provider and peer-peer relationships
Selecting a route: by assumption the most profitable, shortest route preferred
At most one profitable route exported
Regional ISP (#5)
Regional ISP (#5)
Cust. #7Cust. #7Cust. #6Cust. #6
Regional ISP (#4)
Regional ISP (#4)
12.34.*
peer-peer
customer-provider
![Page 8: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/8.jpg)
8
Interdomain Routing – Export & Policies
National ISP (#1)
National ISP (#1)
Regional ISP (#3)
Regional ISP (#3)
National ISP (#2)
National ISP (#2)
Customer-provider and peer-peer relationships
Selecting a route: by assumption the most profitable, shortest route preferred
At most one profitable route exported
Regional ISP (#5)
Regional ISP (#5)
Cust. #7Cust. #7Cust. #6Cust. #6
Regional ISP (#4)
Regional ISP (#4)
Use: 6Remember: 36
12.34.*
![Page 9: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/9.jpg)
9
Interdomain Routing – One Cannot Learn Many Routes
National ISP (#1)
National ISP (#1)
Regional ISP (#3)
Regional ISP (#3)
National ISP (#2)
National ISP (#2)
Customer-provider and peer-peer relationships
Selecting a route: by assumption the most profitable, shortest route preferred
At most one profitable route exported
Regional ISP (#5)
Regional ISP (#5)
Cust. #7Cust. #7Cust. #6Cust. #6
AS3 → AS6
→ 12.34.*
12.34.*
Regional ISP (#4)
Regional ISP (#4)
Use: 6Remember: 36
![Page 10: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/10.jpg)
10
Vulnerabilities – Example 1
11
33
22
Invalid origin attack
Nodes 1, 3 and 4 route to the adversary
The true destination is blackholed
55
77Genuine originAttacker
66
44
12.34.* 12.34.*
![Page 11: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/11.jpg)
11
Vulnerabilities – Example 2
11
33
22
Adversary spoofs a shorter path
Node 4 routes through 1 instead of 2
The traffic may be blackholed or intercepted
55
77Genuine origin
44
66 Thinks route thru 2 shorter
12.34.*
No attack
![Page 12: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/12.jpg)
12
Vulnerabilities – Example 2
11
33
22
Adversary spoofs a shorter path
Node 4 routes through 1 instead of 2
The traffic may be blackholed or intercepted
55
77Genuine origin
Announce 17
44
66 Thinks route thru 1 shorter
12.34.*
![Page 13: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/13.jpg)
13
Overview
I. The routing system and its vulnerabilities
III. Securing BGP in small groups – effectiveness of techniques
IV. Our approach
a) SBone – secure overlay routing
b) Shout – hijacking the hijacker
V. Conclusion
II. Why should small groups secure BGP
![Page 14: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/14.jpg)
14
State of the Art – S-BGP and soBGP
S-BGP
Certificates to verify origin AS
Cryptographic attestations added to routing announcements at each hop
Mechanism: identify which routes are invalid and filter them
soBGP
Build a (partial) AS level topology database
![Page 15: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/15.jpg)
15
Limitations of the Secure Protocols
Previous solutions
Benefits only for large deployments (~10,000s)
No incentive for early adopters
No deployment for over a decade
Our goal: Provide incentives to early adopters!
![Page 16: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/16.jpg)
16
Our Approach
Challenges
Non-participants outnumber participants
Participants rely on non-participants
Each AS exports only one route
Focus on raising the bar for the adversary rather than residual vulnerabilities
Secure routing within a small group
10-20 cooperating nodes
All participants’ routes are secured
![Page 17: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/17.jpg)
17
Overview
I. The routing system and its vulnerabilities
III. Securing BGP in small groups – effectiveness of techniques
IV. Our approach
a) Sbone – secure overlay routing
b) Shout – hijacking the hijacker
V. Conclusion
II. Why should small groups secure BGP
![Page 18: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/18.jpg)
18
Experimental Evaluations
Performance of existing techniques
They work well in large scale deployments
How do they do in small groups?
Evaluate performance of state-of-the art: soBGP
Evaluate partial deployment
If two ASes participate, a valid link connecting them must be in the registry
![Page 19: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/19.jpg)
19
Experimental Setup – All Experiments
Method – simulation of BGP announcements on the AS-level Internet topology
Topology information from RouteViews
Adversary and origin chosen at random
Participants implement secure protocol
1 or 5 adversaries
Performance metric – fraction of the Internet ASes with valid routes
Average of 100 runs
![Page 20: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/20.jpg)
20
soBGP – Random Participation, 1 adversary
Participants have a higher chance to have a valid route!
Groups of 1 – 30 participants
Number of Participant ASes
Per
cent
age
of
AS
es
% of the Internet with valid routes
Participant ASesAll ASes
![Page 21: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/21.jpg)
21
soBGP – Deployment by 30 Random + Some Largest ISPs
Better performance
Cooperation of many large ISPs needed!
Number of Large ISPs
Per
cent
age
of
AS
es
Participant ASesAll ASes
![Page 22: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/22.jpg)
22
Perfect Detection
Simulations: give ability to detect routes that don’t work
Is this sufficient to secure routing?
How useful is it to have perfect detection?
Can be done in practice:
Data-plane probing verifies validity of route by using it
![Page 23: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/23.jpg)
23
Perfect Detection at 30 Random + Some Largest ISPs
Perfect detection helps but not sufficient by itself!
Per
cent
age
of
AS
es
Number of Large ISPs
Participant ASesAll ASes
![Page 24: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/24.jpg)
24
Lessons Learned
![Page 25: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/25.jpg)
25
Overview
I. The routing system and its vulnerabilities
III. Securing BGP in small groups – effectiveness of techniques
IV. Our approach
a) Sbone – secure overlay routing
b) Shout – hijacking the hijacker
V. Conclusion
II. Why should small groups secure BGP
![Page 26: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/26.jpg)
26
Our Approach – Key Ideas
Hijack the hijacker: all participants announce the protected prefix
Hire a few large ISPs to help
Detect invalid routes accurately with data plane detectors
Circumvent the adversary with secure overlay routing
![Page 27: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/27.jpg)
27
Our Approach – Key Ideas
Hijack the hijacker: all participants announce the protected prefix
Hire a few large ISPs to help
Detect invalid routes accurately with data plane detectors
Circumvent the adversary with secure overlay routing
![Page 28: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/28.jpg)
28
Our Approach – Key Ideas
Hijack the hijacker: all participants announce the protected prefix
Hire a few large ISPs to help
Detect invalid routes accurately with data plane detectors
Circumvent the adversary with secure overlay routing
![Page 29: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/29.jpg)
29
Our Approach – Key Ideas
Hijack the hijacker: all participants announce the protected prefix
Hire a few large ISPs to help
Detect invalid routes accurately with data plane detectors
Circumvent the adversary with secure overlay routing
![Page 30: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/30.jpg)
30
Overview
I. The routing system and its vulnerabilities
III. Securing BGP in small groups – effectiveness of techniques
IV. Our approach
a) SBone – secure overlay routing
b) Shout – hijacking the hijacker
V. Conclusion
II. Why should small groups secure BGP
![Page 31: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/31.jpg)
Secure Overlay Routing (SBone)
Overlay of participants’ networks
Protects intra-group traffic
Bad paths detected by probing
55 44
66
33
77
11 22
Use longer route
Use peer route
11
55
22
77
Use provider route
12.34.*31
12.34.*
; 12.34.1.1
; 12.34.1.1Detected as bad
Nonparticipant
Participant
![Page 32: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/32.jpg)
Secure Overlay Routing (SBone) Traffic may go thru an intermediate node
32
44
77
Uses path thru intermediate node 3
33
66
?
?
?11
?
12.34.*
12.34.*
; 12.34.1.1
; 12.34.1.1
55
12.8.1.1
; 12.8.1.1
Forwards traffic for 1
22
![Page 33: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/33.jpg)
33
SBone – 30 Random + Help of SomeLarge ISPs
Good performance even for small groups! P
erce
ntag
e of
Par
ticip
atin
g A
Ses
Group Size (ASes)
5 large ISPs3 large ISPs1 large ISP0 large ISPs
![Page 34: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/34.jpg)
34
SBone – Multiple Adversaries
With 5 adversaries, the performance degrades
Solution: enlist more large ISPs!
Group Size (ASes)
Per
cent
age
of P
artic
ipat
ing
AS
es
5 large ISPs3 large ISPs1 large ISP0 large ISPs
![Page 35: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/35.jpg)
35
SBone - Summary
![Page 36: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/36.jpg)
36
Overview
I. The routing system and its vulnerabilities
III. Securing BGP in small groups – effectiveness of techniques
IV. Our approach
a) SBone – secure overlay routing
b) Shout – hijacking the hijacker
V. Conclusion
II. Why should small groups secure BGP
![Page 37: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/37.jpg)
Hijacking the Hijacker – Shout Secure traffic from non-participants All participants announce the protected prefix Once the traffic enters the overlay, it is securely
forwarded to the true prefix owner
37
11
33
22
44
66
55
77
Prefers short customer’s path leading to adversary
12.34.*
Node 4 shouts
Use shortest path 1412.34.*
12.34.*
12.34.* 12.34.*
![Page 38: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/38.jpg)
38
Shout + SBone – 1 Adversary
With as few as 10 participants + 3 large ISPs, 95% of all ASes can reach the victim!
Per
cent
age
of A
Ses
Group Size (ASes)
5 large ISPs3 large ISPs1 large ISP0 large ISPs
![Page 39: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/39.jpg)
39
Shout + SBone – 5 Adversaries
More adversaries larger groups required!
Per
cent
age
of A
Ses
Group Size (ASes)
5 large ISPs3 large ISPs1 large ISP0 large ISPs
![Page 40: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/40.jpg)
40
Performance and Scalability of Shout
Shout can be used reactively
Only shout if an attack is detected
Changes in routing table sizes negligible
Alternate routes must be saved in routing tables
The average table size increased by less than 5%
After shouting path lengths increase modestly
Paths less than 1.35 times longer
Detailed results next
![Page 41: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/41.jpg)
41
Shout + SBone – Increase in Path Length
With as few as 3 large ISPs the penalty is negligible!
Leng
th R
atio
Group Size (ASes)
0 large ISPs1 large ISP3 large ISPs5 large ISPs
![Page 42: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/42.jpg)
42
Shout - Summary
![Page 43: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/43.jpg)
43
Overview
I. The routing system and its vulnerabilities
III. Securing BGP in small groups – effectiveness of techniques
IV. Our approach
a) SBone – secure overlay routing
b) Shout – hijacking the hijacker
V. Conclusion
II. Why should small groups secure BGP
![Page 44: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/44.jpg)
44
Conclusion
BGP should be secured by small groups
To be effective, the group members should
![Page 45: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/45.jpg)
45
Conclusion
The proposed solution
SBone and Shout are novel mechanisms that achieve these goals
![Page 46: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/46.jpg)
46
Future Work
Deployment in larger groups where participants don’t trust each other
Secure routing protocol on the overlay?
Analytic models of the deployment
Predict which additional ASes to enlist to boost performance?
Effects of the structure of the graph on the outcomes?
![Page 47: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/47.jpg)
47
Thank you for your attention!
![Page 48: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/48.jpg)
48
Discussion
1. Effects of subprefix hijacking
2. What if participants not willing to choose less profitable routes?
3. What if N large ISPs are used instead of N largest ones?
4. Average results and error bars
![Page 49: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/49.jpg)
1. Subprefix Hijacking Threat: adversary deaggregates the victim’s prefix,
all traffic is directed to the adversary
Key security mechanisms
Deaggregate the prefix and use shout to announce it
Tunnel endpoints already secure if announced with /24 prefixes
Only deaggregate when attack detected
Attack detected if at least one participant sees an unauthorized subprefix
![Page 50: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/50.jpg)
50
1. Subprefix Hijacking – Avoiding Detection
If the adversary conceals the attack, <5% ASes are affected!
Per
cent
age
of A
Ses
Group Size (ASes)
5 large ISPs3 large ISPs1 large ISP
![Page 51: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/51.jpg)
51
1. Subprefix Hijacking - Summary
![Page 52: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/52.jpg)
52
2. SBone – Preserve Business Relationships?
Participants do not have visibility into BGP; just route through intermediate nodes
Participants can influence route selection
Group Size (ASes)
Per
cent
age
of P
artic
ipat
ing
AS
es
underlay reroutingno underlay rerouting
![Page 53: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/53.jpg)
3. Effect of Choosing the Largest ISPs
The largest ISPs are similar in terms of connectivity and size
Which one of these we enlist among the participants does not matter much
![Page 54: How Small Groups Can Secure Interdomain Routing](https://reader035.fdocuments.us/reader035/viewer/2022070405/56813fd2550346895daab484/html5/thumbnails/54.jpg)
54
SBone vs. Perfect Detection Alone
With 5 adversaries and 10 participants the SBone is better and variance lower!
Stdev: 15%
Stdev: 8%
Per
cent
age
of A
Ses
0 large ISPs
1 large ISP
3 large ISPs
5 large ISPs
Perfect detection aloneSBone