Title: Incrementally Deployable Security for Interdomain Routing (TTA-4, Type-I)
1 Incrementally Deployable Security for Interdomain Routing (TTA-4, Type-I)
- Jennifer Rexford, Princeton University
- Joan Feigenbaum, Yale University
- July 11, 2005
2 Problem: Insecure Internet Infrastructure
- Border Gateway Protocol is important
  - BGP is the glue that holds the Internet together
- BGP is extremely vulnerable
  - Easy to inject false information
  - Easy to trigger routing instability
- Vulnerabilities are being exploited
  - Configuration errors and malicious attacks
  - Route hijacking, blackholes, denial-of-service,
- Changing to a secure protocol is hard
  - Can't have a flag day to reboot the Internet
3 Example: Route Hijacking
[Figure: route hijacking; the prefix 12.34.0.0/16 is labeled twice]
- Consequences for the data traffic
  - Discarded: denial of service
  - Snooped: violating the user's privacy
  - Redirected: identity theft, propagating false info, etc.
4 Solution: Incremental Deployability
- Backwards compatibility
  - Work with existing routers and protocols
- Incentive compatibility
  - Offer significant benefits, even to the first adopter
[Figure labels: Inter-AS Protocol, BGP, AS 1, AS 2, AS 3. Callouts:]
- Routing Control Platform tells routers how to forward traffic
- ASes can upgrade to secure interdomain routing protocol
- Use RCP to simplify management and enable new services
- Use RCP to detect (and avoid) suspicious routes
- ASes with RCPs can cooperate to detect suspicious routes
- all while still using BGP to control the legacy routers
- Use BGP to communicate with the legacy routers
- Other ASes can deploy an RCP independently
5 RCP System is Feasible
- Reliability
  - Problem: single point of failure
  - Solution: simple replication of RCP components
- Consistency
  - Problem: inconsistent decisions by replicas
  - Solution: consistency without inter-replica protocol
- Scalability
  - Problem: memory and processing demands
  - Solution: one copy per route, avoid recomputation
Can build an RCP for a large ISP on a single high-end PC
AT&T prototype: http://www.cs.princeton.edu/jrex/papers/rcp-nsdi05.pdf
6 Problem 1: BGP Anomaly Detection
- Avoid using suspicious/unstable routes
- Data-streaming algorithms for anomaly detection
- Single AS, and then distributed collection of ASes
- Evaluation on data from AT&T and RouteViews
- Initial work: detecting known anomalies wavelets
[Figure labels: share diagnostic information, AS 1, AS 2, AS 3]
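Added example (not from the original slides or the project's code): a small detector that flags the slide 3 situation, where 12.34.0.0/16 appears with a second origin, and the "suspicious/unstable routes" of slide 6. It uses simple origin-baseline and update-count heuristics rather than the data-streaming or wavelet methods the slides mention; the feed format, AS numbers, thresholds and function names are assumptions.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed feed: (time_s, "A"nnounce or "W"ithdraw, prefix, AS path); the last
# AS in the path is the origin. AS numbers are documentation values (RFC 5398).
UPDATES = [
    (0,  "A", "12.34.0.0/16",    [64500, 64501]),
    (5,  "A", "198.51.100.0/24", [64500, 64502]),
    (60, "A", "12.34.0.0/16",    [64503, 64510]),  # same prefix, different origin
    (70, "A", "12.34.56.0/24",   [64503, 64510]),  # more-specific of a known prefix
    (80, "W", "198.51.100.0/24", []),
    (85, "A", "198.51.100.0/24", [64500, 64502]),
    (90, "W", "198.51.100.0/24", []),
    (95, "A", "198.51.100.0/24", [64500, 64502]),
]

def detect(updates, flap_window=120, flap_limit=4):
    """Return (time, kind, prefix) alerts for a time-ordered update feed."""
    origins = {}                  # prefix -> origin ASes accepted as baseline
    recent = defaultdict(deque)   # prefix -> update timestamps inside the window
    unstable, alerts = set(), []
    for t, kind, prefix, path in updates:
        q = recent[prefix]
        q.append(t)
        while t - q[0] > flap_window:
            q.popleft()
        # Unstable: too many updates for one prefix within the sliding window.
        if len(q) >= flap_limit and prefix not in unstable:
            unstable.add(prefix)
            alerts.append((t, "unstable", prefix))
        # Withdrawals and already-baselined origins need no origin check.
        if kind != "A" or not path or path[-1] in origins.get(prefix, ()):
            continue
        net, origin, suspicious = ipaddress.ip_network(prefix), path[-1], False
        for known, seen in origins.items():
            if origin in seen:
                continue
            k = ipaddress.ip_network(known)
            if known == prefix:
                alerts.append((t, "origin-conflict", prefix))
                suspicious = True
            elif net.version == k.version and net.subnet_of(k):
                alerts.append((t, "more-specific", prefix))
                suspicious = True
        if not suspicious:        # only clean announcements extend the baseline
            origins.setdefault(prefix, set()).add(origin)
    return alerts

if __name__ == "__main__":
    print(*detect(UPDATES), sep="\n")
```

The baseline is first-seen, so a legitimate multi-origin prefix or a customer's first more-specific announcement is also flagged; an operator would seed `origins` from known-good data.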
7 Problem 2: Routing Policy Management
- Centralize policy management in the RCP
- Policies for filtering, selecting, exporting routes
- Build on a trust-management system
- Notation for precise policy specification
- Procedures for deciding whether an action complies
- Initial work: survey study on ISP routing policies
- Filter: discard routes for small subnets; discard suspicious routes
- Select: prefer routes learned from customers; prefer closer egress points; prefer stable routes
- Export: do not export peer-learned routes to other peers; do not export infrastructure addresses
[Figure labels: RCP, AS 1]
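Added example (not from the original slides or the project's code): the Filter / Select / Export policies listed on this slide, written as one centralized decision function of the kind an RCP could apply. The /24 cut-off for "small subnets", the tie-break order, the infrastructure block and all names are assumptions, and the export rule generalizes the slide's peer-to-peer case to the usual rule that peer- and provider-learned routes go to customers only.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str
    learned_from: str         # "customer", "peer" or "provider"
    egress_cost: int          # IGP distance to the egress point (lower = closer)
    flaps: int                # recent update count (lower = more stable)
    suspicious: bool = False  # e.g. set by an anomaly detector

MAX_PREFIX_LEN = 24           # assumption: "small subnet" = longer than /24
INFRASTRUCTURE = [ipaddress.ip_network("192.0.2.0/24")]  # constructed block
RANK = {"customer": 0, "peer": 1, "provider": 2}

def accept(r):
    """Filter: discard routes for small subnets and suspicious routes."""
    return ipaddress.ip_network(r.prefix).prefixlen <= MAX_PREFIX_LEN and not r.suspicious

def select(candidates):
    """Select: customer-learned first, then closer egress, then more stable."""
    return min(candidates, key=lambda r: (RANK[r.learned_from], r.egress_cost, r.flaps))

def may_export(r, neighbor):
    """Export: never infrastructure; peer/provider routes go to customers only."""
    net = ipaddress.ip_network(r.prefix)
    if any(net.overlaps(block) for block in INFRASTRUCTURE):
        return False
    return r.learned_from == "customer" or neighbor == "customer"

def decide(routes, neighbor):
    """Return ({prefix: best route}, sorted prefixes exportable to `neighbor`)."""
    by_prefix = {}
    for r in filter(accept, routes):
        by_prefix.setdefault(r.prefix, []).append(r)
    best = {p: select(c) for p, c in by_prefix.items()}
    return best, sorted(p for p, r in best.items() if may_export(r, neighbor))

ROUTES = [  # constructed sample input
    Route("203.0.113.0/24", "provider", 5, 0),
    Route("203.0.113.0/24", "customer", 20, 1),
    Route("198.51.100.0/24", "peer", 10, 7),
    Route("198.51.100.0/24", "peer", 10, 0),
    Route("203.0.113.128/25", "customer", 1, 0),            # too specific: filtered
    Route("12.34.0.0/16", "peer", 1, 0, suspicious=True),   # suspicious: filtered
    Route("12.34.0.0/16", "customer", 30, 0),
    Route("192.0.2.0/24", "customer", 1, 0),                # infrastructure: kept local
]

if __name__ == "__main__":
    print(decide(ROUTES, "peer")[1])
```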
8 Problem 3: Secure Inter-AS Protocol
- Incremental deployment of secure protocol
- Analysis of incentives for ASes to upgrade
- For customer-provider and peer-peer relationships
- Analysis of incremental security gain
- End-to-end security for some traffic
- Security along a sub-path for the rest
- Initial work: sBGP and soBGP as the protocol
[Figure labels: secure protocol, regular BGP, RCP, AS 1, AS 2, AS 3]
9 Teaming Information: Two PIs
- Jennifer Rexford, Princeton University
  - Border Gateway Protocol (BGP)
  - Internet measurement
  - Systems and prototyping
  - Operational experience from AT&T
- Joan Feigenbaum, Yale University
  - Security and cryptography
  - Massive data streams
  - Trust-management systems
  - Economics and incentive analysis
10 Teaming Information: Deployment Strategies
- PlanetLab/Abilene
  - PlanetLab overlay, managed at Princeton
  - Nodes deployed in all Internet2 PoPs
  - Plan: build RCP prototype on XORP open-source router, to drive Click forwarder in PlanetLab nodes
  - Exploring direct BGP sessions with other ISPs
- AT&T backbone
  - Tier-1 ISP backbone (AS 7018)
  - Initial RCP prototype built at AT&T
  - Plan: evaluate RCP applications on archive of AT&T routing and configuration data
  - Exploring deployment on top of the AT&T RCP
11 Project Milestones: Three-Year Timeline
- RCP Prototype
  - RCP prototype, and API to data-analysis engine
  - RCP with API to trust-management system
  - Deployment of RCP in operational networks
- Anomaly Detection
  - Offline algorithms and upper bounds
  - Online analysis algorithm to detect anomalies
  - Deploy online algorithm create distributed
- Routing Policy
  - Identify today's policies and select notation
  - Integrate policy language in trust management
  - Deploy in trust management system
- Secure Routing
  - Evaluate incentive compatibility
  - Quantify gains of a partial deployment
  - Investigate new secure inter-AS protocols
12 Anticipated Deliverables
- Software
  - RCP prototype built on XORP
  - Anomaly detection algorithms
  - Routing-policy management
- Deployment platform
  - Integration of RCP in PlanetLab
  - Supported testbed in the Abilene backbone
- Analysis
  - Fundamental limits of anomaly detection
  - Security benefits of incremental deployment
  - Incentives for groups of ASes to cooperate
13 Technology Transition Plan
- Proof-of-concept on PlanetLab/Abilene
  - Open-source prototype based on XORP
  - Open interfaces for others to build applications
  - Large scale deployment as part of PlanetLab
- AT&T prototype
  - RCP prototype already built and tested
  - Evaluation of new RCP applications
  - Possible deployment in the AT&T backbone
- Other possibilities
  - Identifying partners for commercial development
14 Potential Impact: Secure Interdomain Routing
- Breaking the flag day stalemate
- Viable approach to incremental deployment
- Backwards compatible with the legacy routers
- Incentive compatible with goals of each AS
- Immediate benefits to participating ASes
- Avoiding anomalous and suspicious routes
- Secure routing with participating neighbors
- Tipping point leads to ubiquitous deployment
- Increasing incentives for ASes to participate
- Ultimately, full deployment of secure protocol
- Insights for other protocols (such as DNSSEC)
15 Cyber Security R&D: Incrementally Deployable Security for Interdomain Routing
- DESCRIPTION / OBJECTIVES / METHODS
  - Routing Control Platform (RCP)
    - Selects routes on behalf of routers
    - Possible today on high-end PC
  - Incrementally-deployable security
    - Speak BGP to the legacy routers
    - Detect and avoid suspicious routes
    - Update RCPs to use secure protocol
[Figure labels: Secure routing protocol, RCP, RCP, BGP, Network A, Network B]
- DHS/Cyber Security IMPACT
  - Internet routing system is vulnerable
    - Core communication infrastructure
    - Very vulnerable to cyber attacks
    - Hard to have flag day for upgrades
  - Phased deployment of secure routing
    - Network manager deploys locally
    - Participating domains detect attacks
    - Neighbor domains upgrade protocol
BUDGET & SCHEDULE
[Table: columns TASK, FY05, FY06, FY07; rows RCP prototype, Anomaly detection, Policy manager, Secure routing, Total cost]