Title: Advanced Research Issues In Security: Securing Key Internet Technologies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher
2 Outline
- Routing security
- DNS security
3 Routing Security
- Routing protocols control how packets flow through the Internet
- If they aren't protected, attackers can alter packet flows at their whim
- Most routing protocols were not built with security in mind
4 Routing Protocol Security Threats
- Threats to routing data secrecy
  - Usually not critical
- Threats to routing protocol integrity
  - Very important, since tampering with routing integrity can be bad
- Threats to routing protocol availability
  - Potential to disrupt Internet service
5 What Could Really Go Wrong?
- Packets could be routed through an attacker
- Packets could be dropped
  - Routing loops, blackhole routing, etc.
- Some users' service could be degraded
- The Internet's overall effectiveness could be degraded
  - Slow response to failures
  - Total overload of some links
- Many types of defenses against other attacks presume correct routing
6 Where Does the Threat Occur?
- At routers, mostly
- Most routers are well-protected
- But . . .
  - Several vulnerabilities have been found in routers
  - Also, should we always trust those running routers?
7 Different Types of Routing Protocols
- Link state
  - Tell everyone the state of your links
- Distance vector
  - Tell nodes how far away things are
- Path vector
  - Tell nodes the complete path between various points
- On demand protocols
  - Figure out routing once you know two nodes need to communicate
8 Popular Routing Protocols
- BGP
  - Path vector protocol used in core Internet routing
  - Arguably most important protocol to secure
- RIP
  - Distance vector protocol for small networks
- OSPF
- ISIS
- Ad hoc routing protocols
9 Fundamental Operations To Be Protected
- One router tells another router something about routing
  - A path, a distance, contents of local routing table, etc.
- A router updates its routing information
- A router gathers information to decide on routing
10 Protecting BGP
- BGP is probably the most important protocol to protect
  - Handles basic Internet routing
- Works at autonomous system (AS) level
  - Rather than router level
11 BGP Issues
- BGP is spoken (mostly) between routers in autonomous systems
  - On direct network links to their partner
  - Over TCP sessions that are established with known partners
- Isn't that enough to give reasonable security?
12 A Recent Counterexample
- Pakistan became upset with YouTube over posting of blasphemous video
- Responded by injecting a BGP update that sent all traffic to YouTube to a site in Pakistan
  - Which probably dropped it all
- Rendered YouTube unavailable worldwide (well, 2/3s of world)
13 How Did This Happen?
- Pakistan injected a BGP update advertising a path to YouTube
  - Which they had no right to do
- It got automatically propagated by BGP
- Everyone knows YouTube isn't in Pakistan
  - But the routing protocol didn't
- Security required to prevent other future incidents
14 A Side Issue on This Story
- Much thinking about Internet predicated on assumption that major players play by the rules
  - Pakistan didn't
- Not desirable to base Internet's security on this assumption
  - Though sometimes not many other choices
15 Basic BGP Security Issue
[Figure: routers A through G; A owns prefix 1.2.3.]
A wants to tell everyone how to get to 1.2.3.
What do we need to protect?
16 Well, What Could Go Wrong?
[Figure: routers A through G]
What if A doesn't own 1.2.3.?
What if router A isn't authorized to advertise 1.2.3.?
What if router D alters the path?
17 How Do We Solve These Problems?
- Advertising routers must prove ownership and right to advertise
- Paths must be signed by routers on them
  - Must avoid cut-and-paste attacks
  - And replay attacks
18 S-BGP
- A protocol designed to solve most of the routing security issues for BGP
- Intended to be workable with existing BGP protocol
- Key idea is to tie updates to those who are allowed to make them
  - And to those who build them
19 Some S-BGP Constraints
- Can't change BGP protocol
  - Or packet format
- Can't have messages larger than max BGP size
- Must be deployable in reasonable way
20 An S-BGP Example
[Figure: routers A through G; A owns prefix 1.2.3.]
How can B know that A should advertise 1.2.3.?
A can provide a certificate proving ownership
21 Securing BGP Updates
[Figure: routers A through G; A owns prefix 1.2.3.; signed updates propagate from A]
A wants to tell everyone how to get to 1.2.3.
What are these signatures actually attesting to?
22 Who Needs To Prove What?
- A needs to prove (to B-E) that he owns the prefix
- B needs to prove (to C-E) that A wants the prefix path to go through B
- C needs to prove (to D-E) the same
- D needs to prove (to E) the same
23 So What Does A Sign?
- A clearly must provide proof he owns the prefix
- He also must prove he originated the update
- And only A can prove that he intended the path to go through B
- So he has to sign for all of that
24 Address Attestations in S-BGP
- These are used to prove ownership of IP prefix spaces
- IP prefix owner provides attestation that a particular AS can originate its BGP updates
- That AS includes attestation in updates
25 Route Attestations
- To prove that path for a prefix should go through an AS
- The previous AS on the path makes this attestation
  - E.g., B attests that C is the next AS hop
26 How Are These Signatures Done?
- Via public key cryptography
- Certificates issued by proper authorities
  - ICANN at the top
  - Hierarchical below ICANN
- Certificates not carried with updates
  - Otherwise, messages would be too big
  - Off-line delivery method proposed
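As an added illustration of slides 22 through 26 (example code, not from the lecture), the following Python models S-BGP's two attestation types and the checks a receiving AS makes on an update. The AS names, the prefix value, and the use of HMAC in place of public-key signatures and certificates are assumptions of this example.

```python
import hmac, hashlib, json

# Constructed per-AS keys. HMAC stands in for the public-key signatures and
# certificates S-BGP really uses (assumption of this demo); chain logic is unchanged.
KEYS = {k: k.encode() * 8 for k in ("OWNER", "A", "B", "C", "D", "E")}

def sign(signer, payload):
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(KEYS[signer], msg, hashlib.sha256).hexdigest()

def address_attestation(owner, prefix, origin_as):
    # The prefix owner attests that origin_as may originate updates for prefix.
    p = {"prefix": prefix, "origin": origin_as}
    return (p, sign(owner, p))

def route_attestation(update, this_as, next_as):
    # this_as attests that the path continues to next_as; "prev" binds this
    # attestation to the preceding one, blocking cut-and-paste between updates.
    prev = update["atts"][-1][1] if update["atts"] else None
    p = {"prefix": update["prefix"], "signer": this_as, "next": next_as, "prev": prev}
    return {**update, "path": update["path"] + [this_as],
            "atts": update["atts"] + [(p, sign(this_as, p))]}

def validate(update, owner, me):
    # Receiver's checks: the address attestation covers the origin AS, and each
    # route attestation was signed by the AS at that position in the path, names
    # the following AS (finally the receiver) and chains to its predecessor.
    path, atts = update["path"], update["atts"]
    ap, asig = update["addr_att"]
    if not path or len(path) != len(atts) or ap != {"prefix": update["prefix"],
            "origin": path[0]} or not hmac.compare_digest(sign(owner, ap), asig):
        return False
    expected_next, prev = path[1:] + [me], None
    for pos, (p, s) in enumerate(atts):
        want = {"prefix": update["prefix"], "signer": path[pos],
                "next": expected_next[pos], "prev": prev}
        if p != want or not hmac.compare_digest(sign(p["signer"], p), s):
            return False
        prev = s
    return True

def demo():
    pfx = "1.2.3.0/24"  # constructed prefix standing in for the slides' 1.2.3.
    base = {"prefix": pfx, "addr_att": address_attestation("OWNER", pfx, "A"),
            "path": [], "atts": []}
    u = route_attestation(route_attestation(route_attestation(base, "A", "B"), "B", "C"), "C", "D")
    cut = {**u, "path": ["A", "C"], "atts": [u["atts"][0], u["atts"][2]]}  # B cut out by D
    rogue = route_attestation(base, "E", "B")  # E originates, presenting A's attestation
    return validate(u, "OWNER", "D"), validate(cut, "OWNER", "D"), validate(rogue, "OWNER", "B")
```

`demo()` returns `(True, False, False)`: the honest update validates at D, the copy with B cut out fails because C's attestation names D but sits where B's should be, and E's update fails because the address attestation names A as the only permitted origin.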
27 S-BGP and IPSec
- S-BGP generates the attestations itself
- But it uses IPSec to deliver the BGP messages
- Doing so prevents injections of replayed messages
- Also helps with some TCP-based attacks
  - E.g., SYN floods
28 Protecting Other Styles of Protocols
- Generally, how do you know you should believe another router?
  - About distance to some address space
  - About reachability to some address space
  - About other characteristics of a path
  - About what other nodes have told you
29 How Routing Protocols Pass Information
- Some protocols pass full information
  - E.g., BGP
  - So they can pass signed information
- Others pass summary information
  - E.g., RIP
  - They use other updates to create new summaries
  - How can we be sure they did so properly?
30 Who Are You Worried About?
- Random attackers?
  - Generally solvable by encrypting/authenticating routing updates
- Misbehaving insiders?
  - A much harder problem
  - They're supposed to make decisions
  - How do you know they're lying?
31 A Sample Problem
[Figure: routers A through H; A owns prefix 1.2.3.; links labeled with hop counts 0, 1, 2, 3]
Assume a distance vector protocol
How can H tell someone lied?
How can H tell that E lied?
32 Types of Attacks on Distance Vector Routing Protocols
- Blackhole attacks
  - Claim short route to target
- Claim longer distance
  - To avoid traffic going through you
- Inject routing loops
  - Which cause traffic to be dropped
- Inject lots of routing updates
  - Generally for denial of service
33 How To Secure a Distance Vector Protocol?
- Can't just sign the hop count
  - Not tied to the path
- Instead, sign a length and a second-to-last router identity
- By iterating, you can verify path length
34 An Example
[Figure: routers A through H; A owns prefix 1.2.3.]
H needs to build a routing table entry for 1.2.3.
Should show hop count of 3 via G, 5 via E
35 One Way to Do It
[Figure: routers A through H]
H directly verifies that it's one hop to E
H gets signed info that D is 2 hops through E
Then we iterate
Now we can trust it's five hops to A
36 Who Does the Signing?
- The destination
  - A in the example
- It only signs the unchanging part
  - Not the hop count
- But an update eventually reaches H that was signed by A
37 What About That Hop Count?
- E could lie about the hop count
- But he can't lie that A is next to B
  - Nor that B next to C, nor C next to D, nor D next to E
- Unless other nodes collude, E can't claim to be closer to A than he is
38 What If Someone Lies?
[Figure: routers A through H]
There's limited scope for effective lies
E can't claim to be closer to A
Since E can't produce a routing update signed by A that substantiates that
39 A Difficulty
- This approach relies on a PKI
  - H must be able to check the various signatures
- Breaks down if someone doesn't sign
  - That's a hole in the network, from the verification point of view
- Consider, in example, what happens if C doesn't sign
40 What If C Doesn't Sign?
[Figure: routers A through H; D advertises that C is 3 hops away]
A message coming through D tells us that it's three hops to C
H knows C is next to B
And that B is next to A
But how can H be sure D is next to C?
H can't verify that
Other than trusting D . . .
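To make the iteration of slides 33 through 40 concrete, here is an added Python example (not from the lecture) in which each router signs its hop count to A and the neighbor it forwards to, and H walks the chain to verify its own distance. The router names, the key setup, and HMAC standing in for public-key signatures over a PKI are assumptions of this example.

```python
import hmac, hashlib

# Constructed router keys. HMAC stands in for the per-router public-key
# signatures and the PKI the slides assume (an assumption of this demo).
KEYS = {r: r.encode() * 8 for r in "ABCDEFGH"}

def sign(router, hops, next_router):
    # A router signs the part of its claim no one downstream may change: its
    # identity, its hop count to destination A, and the neighbor it forwards to.
    msg = f"{router}|{hops}|{next_router}".encode()
    return hmac.new(KEYS[router], msg, hashlib.sha256).hexdigest()

def claim(router, hops, next_router):
    return (router, hops, next_router, sign(router, hops, next_router))

def verify_distance(chain, receiver, trust_gaps=False):
    # Iterate as H does: A's claim must say 0 hops, and each later claim must come
    # from the router the previous signer named, with a hop count one larger.
    # Returns the receiver's verified hop count to A, or None if the chain fails.
    # trust_gaps=True bridges a missing signer (slide 40's unsigned C) on trust alone.
    want_hops, want_signer = 0, "A"
    for router, hops, nxt, sig in chain:
        if not hmac.compare_digest(sign(router, hops, nxt), sig):
            return None  # forged or altered claim
        if (router, hops) != (want_signer, want_hops):
            if not trust_gaps or hops < want_hops:
                return None  # a lie, or a gap the receiver refuses to bridge
        want_hops, want_signer = hops + 1, nxt
    return want_hops if want_signer == receiver else None

def honest_chain():
    # Path A-B-C-D-E-H from the example: H should come out 5 hops from A via E.
    return [claim("A", 0, "B"), claim("B", 1, "C"), claim("C", 2, "D"),
            claim("D", 3, "E"), claim("E", 4, "H")]

def e_lies():
    # E claims to be 2 hops from A, but D's signed claim pins E at 4.
    return honest_chain()[:4] + [claim("E", 2, "H")]

def e_lies_and_drops_d():
    # E also drops D's claim; now C's claim names D, not E, as the next router.
    return honest_chain()[:3] + [claim("E", 3, "H")]

def c_unsigned():
    # C never signs: H sees A, B, then D's claim of 3 hops, with a hole between.
    c = honest_chain()
    return [c[0], c[1], c[3], c[4]]
```

With strict checking H gets 5 for the honest chain and rejects both of E's lies and the chain with C missing; once H chooses to bridge the gap on trust, the unsigned-C chain passes but E can also shave a hop by dropping D and claiming 3, which is exactly the hole slide 40 points at.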
41 What's the Problem?
[Figure: two network graphs of routers A through H, the example graph and a variant]
For this graph, no problem
But how about for this one?