Incrementally Deployable Security for Interdomain Routing (TTA-4, Type-I)

1
Incrementally Deployable Security for
Interdomain Routing(TTA-4, Type-I)

• Jennifer Rexford, Princeton UniversityJoan
  Feigenbaum, Yale University
• July 11, 2005

2
Problem Insecure Internet Infrastructure

• Border Gateway Protocol is important
• BGP is the glue that holds the Internet together
• BGP is extremely vulnerable
• Easy to inject false information
• Easy to trigger routing instability
• Vulnerabilities are being exploited
• Configuration errors and malicious attacks
• Route hijacking, blackholes, denial-of-service,
• Changing to a secure protocol is hard
• Cant have a flag day to reboot the Internet

3
Example Route Hijacking
12.34.0.0/16
12.34.0.0/16

• Consequences for the data traffic
• Discarded denial of service
• Snooped violating the users privacy
• Redirected identity theft, propagating false
  info, etc.

4
Solution Incremental Deployability

• Backwards compatibility
• Work with existing routers and protocols
• Incentive compatibility
• Offer significant benefits, even to the first
  adopter

Routing Control Platform tells routers how to
forward traffic
ASes can upgrade to secure interdomain routing
protocol
Use RCP to simplify management and enable new
services
Use RCP to detect (and avoid) suspicious routes
ASes with RCPs can cooperate to detect suspicious
routes
all while still using BGP to control the legacy
routers
Use BGP to communicate with the legacy routers
Other ASes can deploy an RCP independently
Inter-AS Protocol
BGP
AS 1
AS 2
AS 3
5
RCP System is Feasible

• Reliability
• Problem single point of failure
• Solution simple replication of RCP components
• Consistency
• Problem inconsistent decisions by replicas
• Solution consistency without inter-replica
  protocol
• Scalability
• Problem memory and processing demands
• Solution one copy per route avoid recomputation

Can build an RCP for a large ISP on a single
high-end PC ATT prototype http//www.cs.princeto
n.edu/jrex/papers/rcp-nsdi05.pdf
6
Problem 1 BGP Anomaly Detection

• Avoid using suspicious/unstable routes
• Data-streaming algorithms for anomaly detection
• Single AS, and then distributed collection of
  ASes
• Evaluation on data from ATT and RouteViews
• Initial work detecting known anomalies wavelets

share diagnostic information
AS 1
AS 2
AS 3
7
Problem 2 Routing Policy Management

• Centralize policy management in the RCP
• Policies for filtering, selecting, exporting
  routes
• Build on a trust-management system
• Notation for precise policy specification
• Procedures for deciding an action complies
• Initial work survey study on ISP routing
  policies

• Filter discard routes for small subnets discard
  suspicious routes
• Select prefer routes learned from customers
  prefer closer egress points prefer stable routes
• Export do not export peer-learned routes to
  other peers do not export infrastructure
  addresses

RCP
AS 1
8
Problem 3 Secure Inter-AS Protocol

• Incremental deployment of secure protocol
• Analysis of incentives for ASes to upgrade
• For customer-provider and peer-peer relationships
• Analysis of incremental security gain
• End-to-end security for some traffic
• Security along a sub-path for the rest
• Initial work sBGP and soBGP as the protocol

secure protocol
regular BGP
RCP
AS 1
AS 2
AS 3
9
Teaming Information Two PIs

• Jennifer Rexford, Princeton University
• Border Gateway Protocol (BGP)
• Internet measurement
• Systems and prototyping
• Operational experience from ATT
• Joan Feigenbaum, Yale University
• Security and cryptography
• Massive data streams
• Trust-management systems
• Economics and incentive analysis

10
Teaming Information Deployment Strategies

• PlanetLab/Abilene
• PlanetLab overlay, managed at Princeton
• Nodes deployed in all Internet2 PoPs
• Plan build RCP prototype on XORP open-source
  router, to drive Click forwarder in PlanetLab
  nodes
• Exploring direct BGP sessions with other ISPs
• ATT backbone
• Tier-1 ISP backbone (AS 7018)
• Initial RCP prototype built at ATT
• Plan evaluate RCP applications on archive of
  ATT routing and configuration data
• Exploring deployment on top of the ATT RCP

11
Project Milestones Three-Year Timeline
RCP Prototype
Anomaly Detection
Routing Policy
Secure Routing
RCP prototype, and API to data-analysis engine
Offline algorithms and upper bounds
Identify todays policies and select notation
Evaluate incentive compatibility
RCP with API to trust-management system
Online analysis algorithm to detect anomalies
Integrate policy language in trust management
Quantify gains of a partial deployment
Deployment of RCP in operational networks
Deploy online algorithm create distributed
Deploy in trust management system
Investigate new secure inter-AS protocols
12
Anticipated Deliverables

• Software
• RCP prototype built on XORP
• Anomaly detection algorithms
• Routing-policy management
• Deployment platform
• Integration of RCP in PlanetLab
• Supported testbed in the Abilene backbone
• Analysis
• Fundamental limits of anomaly detection
• Security benefits of incremental deployment
• Incentives for groups of ASes to cooperate

13
Technology Transition Plan

• Proof-of-concept on PlanetLab/Abilene
• Open-source prototype based on XORP
• Open interfaces for others to build applications
• Large scale deployment as part of PlanetLab
• ATT prototype
• RCP prototype already built and tested
• Evaluation of new RCP applications
• Possible deployment in the ATT backbone
• Other possibilities
• Identifying partners for commercial development

14
Potential Impact Secure Interdomain Routing

• Breaking the flag day stalemate
• Viable approach to incremental deployment
• Backwards compatible with the legacy routers
• Incentive compatible with goals of each AS
• Immediate benefits to participating ASes
• Avoiding anomalous and suspicious routes
• Secure routing with participating neighbors
• Tipping point leads to ubiquitous deployment
• Increasing incentives for ASes to participate
• Ultimately, full deployment of secure protocol
• Insights for other protocols (such as DNSSEC)

15

Cyber Security RDIncrementally Deployable
Security for Interdomain Routing
Secure routing protocol

• DESCRIPTION / OBJECTIVES / METHODS
• Routing Control Platform (RCP)
• Selects routes on behalf of routers
• Possible today on high-end PC
• Incrementally-deployable security
• Speak BGP to the legacy routers
• Detect and avoid suspicious routes
• Update RCPs to use secure protocol

RCP
RCP
BGP
Network A
Network B
BUDGET SCHEDULE

• DHS/Cyber Security IMPACT
• Internet routing system is vulnerable
• Core communication infrastructure
• Very vulnerable to cyber attacks
• Hard to have flag day for upgrades
• Phased deployment of secure routing
• Network manager deploys locally
• Participating domains detect attacks
• Neighbor domains upgrade protocol

TASK
FY05
FY06
FY07
RCP prototype
Anomaly detection
Policy manager
Secure routing
Total cost