Title: Incrementally Deployable Security for Interdomain Routing (TTA-4, Type-I)
1. Incrementally Deployable Security for Interdomain Routing (TTA-4, Type-I)
- Jennifer Rexford, Princeton University
- Joan Feigenbaum, Yale University
- January 23, 2006
2. Problem: Insecure Internet Infrastructure
- Border Gateway Protocol is important
- BGP is the glue that holds the Internet together
- BGP is extremely vulnerable
- Easy to inject false information
- Easy to trigger routing instability
- Vulnerabilities are being exploited
- Configuration errors and malicious attacks
- Route hijacking, blackholes, denial-of-service,
- Changing to a secure protocol is hard
- Can't have a flag day to reboot the Internet
3. Example: Route Hijacking
[Figure: route-hijacking diagram in which the prefix 12.34.0.0/16 appears twice]
- Consequences for the data traffic
- Discarded: denial of service
- Snooped: violating the user's privacy
- Redirected: identity theft, propagating false info, etc.
4. Solution: Incremental Deployability
- Backwards compatibility
- Work with existing routers and protocols
- Incentive compatibility
- Offer significant benefits, even to the first adopter
Routing Control Platform tells routers how to forward traffic
ASes can upgrade to secure interdomain routing protocol
Use RCP to simplify management and enable new services
Use RCP to detect (and avoid) suspicious routes
ASes with RCPs can cooperate to detect suspicious routes
all while still using BGP to control the legacy routers
Use BGP to communicate with the legacy routers
Other ASes can deploy an RCP independently
[Figure labels: Inter-AS Protocol, BGP, AS 1, AS 2, AS 3]
5. Problem 1: BGP Anomaly Detection
- Avoid using suspicious/unstable routes
- Data-streaming algorithms for anomaly detection
- Single AS, and then distributed collection of ASes
- Evaluation on data from AT&T and RouteViews
[Figure: AS 1, AS 2 and AS 3, labelled "share diagnostic information"]
6. Anomaly Detection: Accomplishments
- Wavelet analysis to detect BGP anomalies
- Detect anomalies in the temporal dynamics of updates
- Anomalous patterns for a prefix across prefixes
- Highlights a small number of deviations from the norm
- http://www.cs.princeton.edu/~jrex/papers/minenet05.pdf
- Distributed reputation system for ASes
- ASes cooperate based on trust relationships
- Similar to friends and friends of friends system
- Distributed validation of BGP routing information
- http://www.cs.princeton.edu/~jrex/papers/npsec05.pdf
- Algorithm that prevents prefix hijacking
- Detect AS that does not normally originate a prefix
- Distrust new information until you can validate it
- Select other normal routes instead for period of time
- http://www.cs.princeton.edu/~jrex/papers/pgbgp.pdf
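The prefix-hijacking defence in the last group of bullets on slide 6 (flag an unfamiliar origin AS, distrust it for a period, prefer normal routes meanwhile), as an added example that is not code from the slides or from the cited paper. The 10-day history window, the 24-hour suspicious period, the promotion of a still-announced origin once that period ends, the AS numbers and the `OriginMonitor` class are assumptions made for the illustration; only the prefix 12.34.0.0/16 comes from the deck.

```python
from dataclasses import dataclass, field

HOUR = 3600
HISTORY_WINDOW = 10 * 24 * HOUR  # assumption: how long a seen origin stays "normal"
SUSPICIOUS_PERIOD = 24 * HOUR    # assumption: how long a new origin is distrusted

@dataclass
class OriginMonitor:
    trusted: dict = field(default_factory=dict)      # (prefix, origin) -> last seen
    quarantined: dict = field(default_factory=dict)  # (prefix, origin) -> first seen

    def classify(self, prefix, as_path, now):
        """Label an announcement 'normal' or 'suspicious' by its origin AS."""
        key = (prefix, as_path[-1])  # the origin is the last AS on the path
        last = self.trusted.get(key)
        if last is not None and now - last <= HISTORY_WINDOW:
            self.trusted[key] = now
            return "normal"
        first = self.quarantined.setdefault(key, now)
        if now - first >= SUSPICIOUS_PERIOD:
            # Still announced after the waiting period: accept the new origin.
            del self.quarantined[key]
            self.trusted[key] = now
            return "normal"
        return "suspicious"

    def withdraw(self, prefix, origin):
        """A withdrawn suspicious route loses its place in the waiting period."""
        self.quarantined.pop((prefix, origin), None)

    def select(self, prefix, candidates, now):
        """Prefer routes with a normal origin, then the shortest AS path.
        A suspicious route is used only when nothing else reaches the prefix."""
        ranked = sorted(candidates, key=lambda p: (
            self.classify(prefix, p, now) != "normal", len(p)))
        return ranked[0] if ranked else None

def demo():
    """Constructed scenario: AS 64500 is the usual origin, AS 64511 is new."""
    m, pfx = OriginMonitor(), "12.34.0.0/16"
    m.trusted[(pfx, 64500)] = 0             # learned earlier from history
    legit, bogus = [64501, 64500], [64511]  # the bogus path is shorter
    t = 5 * 24 * HOUR
    during = m.select(pfx, [legit, bogus], t)        # normal origin wins
    only = m.select(pfx, [bogus], t + HOUR)          # no alternative: still used
    after = m.select(pfx, [legit, bogus], t + SUSPICIOUS_PERIOD)
    return during, only, after

if __name__ == "__main__":
    print(demo())
```

Plain shortest-path selection would pick the one-hop path from AS 64511 immediately; here it is chosen only when no normal route exists, or after it has stayed announced for the whole suspicious period.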
7. Problem 2: Networks for RCP Deployment
- Creating a Virtual Network Infrastructure (VINI)
- National Lambda Rail (NLR)
- Servers shipping to six sites in the next few months
- Connections to layer-2 network and BGP peering with routers
- Abilene Internet2 backbone
- PlanetLab servers in eleven sites
- Gbps share of each link and upstream to exchange points
- VINI software already running on the Abilene nodes
- Routing and forwarding: XORP and Click running on servers
- Connecting to real users: OpenVPN, NAT, and PlanetLab
- Draft paper in preparation for submission in February 2006
8. Problem 3: Routing Policy Management
- Centralize policy management in the RCP
- Policies for filtering, selecting, exporting routes
- Build on a trust-management system
- Accomplishments: survey of ISP routing policies
- Biz relationships, traffic engineering, security, scalability
- http://www.cs.princeton.edu/~jrex/papers/policies.pdf
- Filter: discard routes for small subnets; discard suspicious routes
- Select: prefer routes learned from customers; prefer closer egress points; prefer stable routes
- Export: do not export peer-learned routes to other peers; do not export infrastructure addresses
[Figure labels: RCP, AS 1]
9. Project Milestones: Three-Year Timeline
RCP Prototype
Anomaly Detection
Routing Policy
Secure Routing
RCP prototype, and API to data-analysis engine
Offline algorithms and upper bounds
Identify today's policies and select notation
Evaluate incentive compatibility
Focus thus far
RCP with API to trust-management system
Online analysis algorithm to detect anomalies
Integrate policy language in trust management
Quantify gains of a partial deployment
Deployment of RCP in operational networks
Deploy online algorithm create distributed
Deploy in trust management system
Investigate new secure inter-AS protocols
10. Anticipated Deliverables and Tech Transfer
- Publicly available software
- RCP prototype built on XORP and/or Quagga
- Anomaly detection algorithms
- Routing-policy management
- Deployment platform and technology demonstration
- RCP deployment and evaluation in AT&T
- Integration of RCP in VINI on NLR and Abilene
- Supported VINI testbed in NLR and Abilene
- Analysis
- Fundamental limits of anomaly detection
- Security benefits of incremental deployment
- Incentives for groups of ASes to cooperate
- Discussions with vendors (Cisco, Lucent)
11. Publication Activity: Past Six Months
- Anomaly detection
- "Learning-based anomaly detection in BGP updates" (SIGCOMM MineNet Workshop, Aug 05)
- "A distributed reputation approach to cooperative Internet routing protection" (Workshop on Secure Network Protocols, Nov 05)
- "Pretty Good BGP: Protecting BGP by cautiously selecting routes" (in submission)
- Routing policies
- "BGP policies in ISP networks" (IEEE Network, Nov/Dec 05)
- Incentive analysis
- "Incentive-compatible interdomain routing" (in submission)
12. Publication Activity: Next Six Months
- In active preparation
- "In VINI veritas: Realistic and controlled experimentation with new network architectures" (Feb 06)
- "Using Forgetful Routing to control BGP-Table size" (Feb 06)
- "Multi-path interdomain routing for flexible policy control" (Feb 06)
- "A survey of BGP security issues and solutions" (Mar/Apr 06)
- Plans for the mid-to-late spring
- Extended version of the wavelet-analysis paper
- Evaluation of the RCP prototype running in VINI
- API to streaming algorithms for anomaly detection
- Active probing to test the validity of interdomain paths
13. Potential Impact: Secure Interdomain Routing
- Breaking the flag day stalemate
- Viable approach to incremental deployment
- Backwards compatible with the legacy routers
- Incentive compatible with goals of each AS
- Immediate benefits to participating ASes
- Avoiding anomalous and suspicious routes
- Secure routing with participating neighbors
- Tipping point leads to ubiquitous deployment
- Increasing incentives for ASes to participate
- Ultimately, full deployment of secure protocol
- Insights for other protocols (such as DNSSEC)
14. Cyber Security R&D: Incrementally Deployable Security for Interdomain Routing
Secure routing protocol
- DESCRIPTION / OBJECTIVES / METHODS
- Routing Control Platform (RCP)
- Selects routes on behalf of routers
- Possible today on high-end PC
- Incrementally-deployable security
- Speak BGP to the legacy routers
- Detect and avoid suspicious routes
- Update RCPs to use secure protocol
[Figure labels: RCP, RCP, BGP, Network A, Network B]
BUDGET & SCHEDULE
- DHS/Cyber Security IMPACT
- Internet routing system is vulnerable
- Core communication infrastructure
- Very vulnerable to cyber attacks
- Hard to have flag day for upgrades
- Phased deployment of secure routing
- Network manager deploys locally
- Participating domains detect attacks
- Neighbor domains upgrade protocol
[Table: columns TASK, FY05, FY06, FY07; rows RCP prototype, Anomaly detection, Policy manager, Secure routing, Total cost]