Incrementally Deployable Security for Interdomain Routing (TTA-4, Type-I)
Slide transcript
1
Incrementally Deployable Security for
Interdomain Routing(TTA-4, Type-I)
  • Jennifer Rexford, Princeton University
  • Joan Feigenbaum, Yale University
  • January 23, 2006

2
Problem: Insecure Internet Infrastructure
  • Border Gateway Protocol is important
    • BGP is the glue that holds the Internet together
  • BGP is extremely vulnerable
    • Easy to inject false information
    • Easy to trigger routing instability
  • Vulnerabilities are being exploited
    • Configuration errors and malicious attacks
    • Route hijacking, blackholes, denial-of-service, ...
  • Changing to a secure protocol is hard
    • Can't have a flag day to reboot the Internet

3
Example: Route Hijacking
[Figure: 12.34.0.0/16 announced by two different ASes, so part of the Internet routes the prefix to the wrong one]
  • Consequences for the data traffic
    • Discarded: denial of service
    • Snooped: violating the user's privacy
    • Redirected: identity theft, propagating false info, etc.

4
Solution: Incremental Deployability
  • Backwards compatibility
    • Work with existing routers and protocols
  • Incentive compatibility
    • Offer significant benefits, even to the first adopter

[Figure: AS 1, AS 2 and AS 3 exchanging BGP; an RCP in each participating AS, with the RCPs linked by an inter-AS protocol. Callouts:]
  • Routing Control Platform tells routers how to forward traffic
  • Use BGP to communicate with the legacy routers
  • Use RCP to simplify management and enable new services
  • Use RCP to detect (and avoid) suspicious routes
  • Other ASes can deploy an RCP independently
  • ASes with RCPs can cooperate to detect suspicious routes
  • ASes can upgrade to a secure interdomain routing protocol, all while still using BGP to control the legacy routers
5
Problem 1: BGP Anomaly Detection
  • Avoid using suspicious/unstable routes
  • Data-streaming algorithms for anomaly detection
  • Single AS, and then distributed collection of ASes
  • Evaluation on data from AT&T and RouteViews

[Figure: AS 1, AS 2 and AS 3 share diagnostic information]
6
Anomaly Detection: Accomplishments
  • Wavelet analysis to detect BGP anomalies
    • Detect anomalies in the temporal dynamics of updates
    • Anomalous patterns for a prefix and across prefixes
    • Highlights a small number of deviations from the norm
    • http://www.cs.princeton.edu/~jrex/papers/minenet05.pdf
  • Distributed reputation system for ASes
    • ASes cooperate based on trust relationships
    • Similar to a "friends and friends of friends" system
    • Distributed validation of BGP routing information
    • http://www.cs.princeton.edu/~jrex/papers/npsec05.pdf
  • Algorithm that prevents prefix hijacking
    • Detect an AS that does not normally originate a prefix
    • Distrust new information until you can validate it
    • Select other, normal routes instead for a period of time
    • http://www.cs.princeton.edu/~jrex/papers/pgbgp.pdf
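The third accomplishment above (remember which ASes normally originate a prefix, distrust a newly seen origin, and keep using the prefix's usual routes for a period of time) written out as an added Python example. This is not code from the slides or from the Pretty Good BGP project: the route representation, the 24-hour suspicious period, the shortest-AS-path tie-break, the fallback to a suspicious route when nothing else is available, and the private AS numbers and session names are all assumptions made for the example; 12.34.0.0/16 is the prefix used on slide 3.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Assumed parameter: how long a never-before-seen origin AS stays distrusted.
SUSPICIOUS_PERIOD = 24 * 3600
DAY = 86400


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]   # leftmost = neighbor AS, rightmost = origin AS
    session: str               # BGP session the route arrived on (constructed name)
    received_at: int           # unix seconds

    @property
    def origin(self) -> int:
        return self.as_path[-1]


class CautiousSelector:
    """Remembers which ASes normally originate each prefix and, for
    SUSPICIOUS_PERIOD, avoids routes whose origin is not one of them."""

    def __init__(self) -> None:
        # (prefix, origin AS) -> time this pairing was first announced
        self.first_seen: Dict[Tuple[str, int], int] = {}
        # (prefix, session) -> route currently announced on that session (Adj-RIB-In)
        self.rib: Dict[Tuple[str, str], Route] = {}

    def announce(self, route: Route) -> None:
        self.first_seen.setdefault((route.prefix, route.origin), route.received_at)
        self.rib[(route.prefix, route.session)] = route

    def withdraw(self, prefix: str, session: str) -> None:
        self.rib.pop((prefix, session), None)

    def normal_origins(self, prefix: str, now: int) -> Set[int]:
        """Origins that have announced `prefix` for at least SUSPICIOUS_PERIOD."""
        return {origin for (p, origin), first in self.first_seen.items()
                if p == prefix and now - first >= SUSPICIOUS_PERIOD}

    def is_suspicious(self, route: Route, now: int) -> bool:
        """Suspicious = the prefix has established origins and this is not one
        of them. A prefix with no history yet cannot be checked and is trusted
        (assumption made for bootstrapping)."""
        normal = self.normal_origins(route.prefix, now)
        return bool(normal) and route.origin not in normal

    def best_route(self, prefix: str, now: int) -> Optional[Route]:
        """Suspicious routes rank last; among equals the shorter AS path wins
        (stand-in for the full BGP decision process). If only a suspicious
        route exists it is still used rather than blackholing the prefix."""
        candidates = [r for (p, _), r in self.rib.items() if p == prefix]
        if not candidates:
            return None
        return min(candidates,
                   key=lambda r: (self.is_suspicious(r, now), len(r.as_path)))


def hijack_scenario() -> Dict[str, Optional[Route]]:
    """Constructed timeline: AS 65010 has originated 12.34.0.0/16 since day 0;
    on day 20 AS 65666 announces the same prefix with a shorter path."""
    sel = CautiousSelector()
    legit = Route("12.34.0.0/16", (65001, 65010), "session-A", 0)
    sel.announce(legit)
    newcomer = Route("12.34.0.0/16", (65666,), "session-B", 20 * DAY)
    sel.announce(newcomer)
    out: Dict[str, Optional[Route]] = {}
    # One hour after the new origin appears: the usual route is still chosen.
    out["one_hour_later"] = sel.best_route("12.34.0.0/16", 20 * DAY + 3600)
    # The usual route is withdrawn: the suspicious route is used as a fallback.
    sel.withdraw("12.34.0.0/16", "session-A")
    out["no_alternative"] = sel.best_route("12.34.0.0/16", 20 * DAY + 2 * 3600)
    # The usual route returns; 25 hours after first sight the new origin is
    # accepted as normal and the shorter path wins on the ordinary tie-break.
    sel.announce(Route("12.34.0.0/16", (65001, 65010), "session-A", 20 * DAY + 3 * 3600))
    out["after_suspicious_period"] = sel.best_route("12.34.0.0/16", 21 * DAY + 3600)
    return out


if __name__ == "__main__":
    for label, r in hijack_scenario().items():
        print(f"{label:24} -> origin AS{r.origin} via {r.session}")
```

The time-based acceptance is the weak point of this scheme: an attacker who keeps the false announcement up for longer than the suspicious period gets trusted, which is why the slides pair it with validation and with routes to other, normal origins being preferred in the meantime.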

7
Problem 2: Networks for RCP Deployment
  • Creating a Virtual Network Infrastructure (VINI)
  • National Lambda Rail (NLR)
    • Servers shipping to six sites in the next few months
    • Connections to layer-2 network and BGP peering with routers
  • Abilene (Internet2 backbone)
    • PlanetLab servers in eleven sites
    • Gbps share of each link and upstream to exchange points
    • VINI software already running on the Abilene nodes
  • Routing and forwarding: XORP and Click running on servers
  • Connecting to real users: OpenVPN, NAT, and PlanetLab
  • Draft paper in preparation for submission in February 2006

8
Problem 3: Routing Policy Management
  • Centralize policy management in the RCP
    • Policies for filtering, selecting, exporting routes
    • Build on a trust-management system
  • Accomplishments: survey of ISP routing policies
    • Business relationships, traffic engineering, security, scalability
    • http://www.cs.princeton.edu/~jrex/papers/policies.pdf
  • Filter: discard routes for small subnets; discard suspicious routes
  • Select: prefer routes learned from customers; prefer closer egress points; prefer stable routes
  • Export: do not export peer-learned routes to other peers; do not export infrastructure addresses

[Figure: RCP inside AS 1]
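The filter, select and export rules above, written out as an added Python example of how an RCP could apply them when choosing routes on behalf of one router (the RCP repeats the selection per router, with that router's IGP distances). This is not the project's policy manager or trust-management code: the route fields, the /24 cutoff for "small subnets", the peer-before-provider ordering, the flap count as a stability signal, the extension of the peer rule to provider-learned routes, and the ASNs, prefixes and router names are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple

CUSTOMER, PEER, PROVIDER, LOCAL = "customer", "peer", "provider", "local"
# Rank for the "prefer routes learned from customers" rule. Own routes first;
# peers ahead of providers is an assumed ordering (the slide names only customers).
RELATIONSHIP_RANK = {LOCAL: -1, CUSTOMER: 0, PEER: 1, PROVIDER: 2}


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]     # leftmost entry is the neighbor AS; () = originated locally
    egress: str                  # border router where the route enters our network
    flaps: int = 0               # recent update count, a crude stability signal (assumed)
    suspicious: bool = False     # set by an anomaly detector before policy runs

    @property
    def neighbor_as(self) -> Optional[int]:
        return self.as_path[0] if self.as_path else None


@dataclass
class Policy:
    relationships: Dict[int, str]   # neighbor AS -> CUSTOMER / PEER / PROVIDER
    infrastructure: List[str]       # our router and link address blocks, never exported
    max_prefix_len: int = 24        # anything longer is a "small subnet" (assumed cutoff)

    def rel(self, asn: Optional[int]) -> str:
        return LOCAL if asn is None else self.relationships[asn]

    # Filter: discard routes for small subnets; discard suspicious routes
    def filter_reason(self, route: Route) -> Optional[str]:
        """Why a route is discarded, or None if it passes the import filter."""
        if ip_network(route.prefix).prefixlen > self.max_prefix_len:
            return "small subnet"
        if route.suspicious:
            return "suspicious"
        return None

    # Select: prefer customer routes, then closer egress, then stable routes
    def _rank(self, r: Route, igp_cost: Dict[str, int]) -> Tuple[int, int, int, int]:
        return (RELATIONSHIP_RANK[self.rel(r.neighbor_as)],  # customer-learned first
                igp_cost[r.egress],                          # closer egress point
                r.flaps,                                     # fewer recent flaps
                len(r.as_path))                              # ordinary BGP tie-break (assumed)

    def select(self, routes: List[Route], igp_cost: Dict[str, int]) -> Dict[str, Route]:
        """One best route per prefix for the router whose IGP distance to each
        egress router is given in igp_cost."""
        best: Dict[str, Route] = {}
        for r in routes:
            if self.filter_reason(r) is not None:
                continue
            cur = best.get(r.prefix)
            if cur is None or self._rank(r, igp_cost) < self._rank(cur, igp_cost):
                best[r.prefix] = r
        return best

    # Export: no peer-learned routes to other peers; no infrastructure addresses
    def exportable(self, route: Route, to_as: int) -> bool:
        net = ip_network(route.prefix)
        for block in self.infrastructure:
            infra = ip_network(block)
            if net.subnet_of(infra) or infra.subnet_of(net):
                return False
        learned_from = self.rel(route.neighbor_as)
        # Routes learned from a peer (and, by the usual valley-free rule, from a
        # provider) are announced only to customers.
        if learned_from in (PEER, PROVIDER) and self.rel(to_as) != CUSTOMER:
            return False
        return True

    def exports(self, best: Dict[str, Route], to_as: int) -> List[str]:
        return sorted(p for p, r in best.items() if self.exportable(r, to_as))


# Constructed inputs: private ASNs, documentation prefixes, and the 12.34.0.0/16
# example prefix from slide 3.
POLICY = Policy(
    relationships={65010: CUSTOMER, 65011: CUSTOMER, 65020: PEER, 65021: PEER, 65030: PROVIDER},
    infrastructure=["198.51.100.0/24"],
)
IGP_COST = {"r1": 5, "r2": 20}   # from the router being decided for, to each egress
ROUTES = [
    Route("12.34.0.0/16", (65010,), "r2"),                  # customer route, far egress
    Route("12.34.0.0/16", (65020, 65010), "r1"),            # same prefix via a peer, close egress
    Route("12.34.0.0/16", (65030, 65010), "r1", flaps=3),   # via the provider, flapping
    Route("12.34.5.0/25", (65020, 65010), "r1"),            # too small, filtered
    Route("203.0.113.0/24", (65020,), "r1"),                # peer-learned
    Route("203.0.113.0/24", (65030, 65020), "r1", suspicious=True),
    Route("198.51.100.0/24", (), "r1"),                     # our own infrastructure block
]


def decide() -> Dict[str, Route]:
    return POLICY.select(ROUTES, IGP_COST)


if __name__ == "__main__":
    best = decide()
    for prefix, r in sorted(best.items()):
        print(f"{prefix:18} via AS path {r.as_path} at {r.egress}")
    for asn in (65011, 65021):
        print(f"export to AS{asn}: {POLICY.exports(best, asn)}")
```

Note the ordering: the customer route for 12.34.0.0/16 wins even though its egress is four times farther away, because business relationship is ranked above IGP distance; swapping those two tuple positions in `_rank` is what a hot-potato-first policy would look like.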
9
Project Milestones: Three-Year Timeline
(Table with one column per track: RCP Prototype, Anomaly Detection, Routing Policy, Secure Routing; one row per year)
  • Year 1 (focus thus far)
    • RCP Prototype: RCP prototype, and API to data-analysis engine
    • Anomaly Detection: Offline algorithms and upper bounds
    • Routing Policy: Identify today's policies and select notation
    • Secure Routing: Evaluate incentive compatibility
  • Year 2
    • RCP Prototype: RCP with API to trust-management system
    • Anomaly Detection: Online analysis algorithm to detect anomalies
    • Routing Policy: Integrate policy language in trust management
    • Secure Routing: Quantify gains of a partial deployment
  • Year 3
    • RCP Prototype: Deployment of RCP in operational networks
    • Anomaly Detection: Deploy online algorithm, create distributed
    • Routing Policy: Deploy in trust-management system
    • Secure Routing: Investigate new secure inter-AS protocols
10
Anticipated Deliverables and Tech Transfer
  • Publicly available software
    • RCP prototype built on XORP and/or Quagga
    • Anomaly detection algorithms
    • Routing-policy management
  • Deployment platform and technology demonstration
    • RCP deployment and evaluation in AT&T
    • Integration of RCP in VINI on NLR and Abilene
    • Supported VINI testbed in NLR and Abilene
  • Analysis
    • Fundamental limits of anomaly detection
    • Security benefits of incremental deployment
    • Incentives for groups of ASes to cooperate
  • Discussions with vendors (Cisco, Lucent)

11
Publication Activity: Past Six Months
  • Anomaly detection
    • "Learning-based anomaly detection in BGP updates" (SIGCOMM MineNet Workshop, Aug 05)
    • "A distributed reputation approach to cooperative Internet routing protection" (Workshop on Secure Network Protocols, Nov 05)
    • "Pretty Good BGP: Protecting BGP by cautiously selecting routes" (in submission)
  • Routing policies
    • "BGP policies in ISP networks" (IEEE Network, Nov/Dec 05)
  • Incentive analysis
    • "Incentive-compatible interdomain routing" (in submission)

12
Publication Activity: Next Six Months
  • In active preparation
    • "In VINI veritas: Realistic and controlled experimentation with new network architectures" (Feb 06)
    • "Using forgetful routing to control BGP table size" (Feb 06)
    • "Multi-path interdomain routing for flexible policy control" (Feb 06)
    • "A survey of BGP security issues and solutions" (Mar/Apr 06)
  • Plans for the mid-to-late spring
    • Extended version of the wavelet-analysis paper
    • Evaluation of the RCP prototype running in VINI
    • API to streaming algorithms for anomaly detection
    • Active probing to test the validity of interdomain paths

13
Potential Impact: Secure Interdomain Routing
  • Breaking the flag-day stalemate
    • Viable approach to incremental deployment
    • Backwards compatible with the legacy routers
    • Incentive compatible with goals of each AS
  • Immediate benefits to participating ASes
    • Avoiding anomalous and suspicious routes
    • Secure routing with participating neighbors
  • Tipping point leads to ubiquitous deployment
    • Increasing incentives for ASes to participate
    • Ultimately, full deployment of secure protocol
  • Insights for other protocols (such as DNSSEC)

14

Cyber Security R&D: Incrementally Deployable Security for Interdomain Routing
  • DESCRIPTION / OBJECTIVES / METHODS
    • Routing Control Platform (RCP)
      • Selects routes on behalf of routers
      • Possible today on high-end PC
    • Incrementally-deployable security
      • Speak BGP to the legacy routers
      • Detect and avoid suspicious routes
      • Update RCPs to use secure protocol
    [Figure: an RCP in Network A and an RCP in Network B, each speaking BGP to its own routers, linked to each other by a secure routing protocol]
  • DHS/Cyber Security IMPACT
    • Internet routing system is vulnerable
      • Core communication infrastructure
      • Very vulnerable to cyber attacks
      • Hard to have flag day for upgrades
    • Phased deployment of secure routing
      • Network manager deploys locally
      • Participating domains detect attacks
      • Neighbor domains upgrade protocol
  • BUDGET SCHEDULE
    [Table: tasks RCP prototype, Anomaly detection, Policy manager, Secure routing, and Total cost, by FY05, FY06 and FY07; the amounts are not present in the transcript]