Title: Reliable communication and Secure Routing Protocols
Slide 1: Reliable communication and Secure Routing Protocols
- Lakshminarayanan Subramanian
- New York University
Slide 2: "A lie gets halfway around the world before the truth has a chance to get its pants on." (Sir Winston Churchill)
Today, a single router can hijack a large fraction of Internet routes by propagating bogus information.
Slide 3: Path vector routing: an illustration
[Figure: path-vector example with nodes A, B, C and M; the advertised route (D,M,A) is shown]
A single lie can affect several routes by corrupting the routing state of several nodes in the network.
Slide 4: Internet routing structure
[Figure: example Autonomous Systems Sprint (AS 1239) and CW (AS 3561)]
The Internet is composed of Autonomous Systems (ASes) which use the Border Gateway Protocol (BGP) to exchange routing information.
Slide 5: Things to know about BGP
- BGP is a path-vector routing protocol at the Autonomous System (AS) level
- Every AS has a unique AS number
- Control plane: where routes are set up
- Data plane: where packets are forwarded
Slide 6: What if a router propagates bogus information?
Threat: a router within an autonomous system claims to have direct routes for several destinations.
Outcome: in today's Internet, a single randomly placed router propagating bogus information can hijack 37% of Internet routes [S04].
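The effect described on this slide can be reproduced on a toy topology. The simulation below is an added example, not code from the talk: each node runs shortest-AS-path path-vector routing with loop detection, node M additionally claims a direct one-hop route to every destination, and we count how many (source, destination) pairs end up routing through M. The topology, the node names and the lexicographic tie-break (standing in for BGP's router-ID tie-break) are constructed for this example.

```python
"""Path-vector routing with one lying router.

Added example, not code from the talk. Every node originates one
destination and, as BGP does, prefers the shortest AS path it has heard
and drops any path that already contains it. Node M additionally claims a
direct, one-hop path to every destination. We count the (source, dest)
pairs whose chosen route now runs through M. The topology, the node names
and the lexicographic tie-break (a stand-in for BGP's router-ID tie-break)
are constructed for this example.
"""

# Constructed topology: hubs T1-T3, a longer tail T2-T4-S6, stubs S1-S5,
# and M single-homed behind T1.  Every link is listed in both directions.
TOPOLOGY = {
    "T1": {"T2", "T3", "S1", "S2", "M"},
    "T2": {"T1", "T3", "S3", "T4"},
    "T3": {"T1", "T2", "S4", "S5"},
    "T4": {"T2", "S6"},
    "S1": {"T1"}, "S2": {"T1"}, "S3": {"T2"},
    "S4": {"T3"}, "S5": {"T3"}, "S6": {"T4"},
    "M": {"T1"},
}


def run_path_vector(adjacency, liar=None):
    """Run path-vector routing to a fixed point.

    Returns rib[node][dest] = best known path as a tuple that starts at
    node and ends at dest, matching the (C,B,A) notation of the slides.
    If `liar` is given, that node pre-installs a bogus one-hop path
    (liar, dest) for every destination, i.e. it claims a direct link.
    """
    nodes = sorted(adjacency)
    rib = {n: {n: (n,)} for n in nodes}
    if liar is not None:
        for dest in nodes:
            if dest != liar:
                rib[liar][dest] = (liar, dest)      # the lie
    changed = True
    while changed:
        changed = False
        for node in nodes:
            for neighbour in adjacency[node]:
                for dest, path in list(rib[neighbour].items()):
                    if node in path:                # BGP-style loop detection
                        continue
                    candidate = (node,) + path
                    best = rib[node].get(dest)
                    if best is None or (len(candidate), candidate) < (len(best), best):
                        rib[node][dest] = candidate
                        changed = True
    return rib


def hijacked_fraction(rib, liar):
    """Fraction of (source, dest) pairs among the other nodes whose best
    route passes through `liar`."""
    others = [n for n in rib if n != liar]
    pairs = [(s, d) for s in others for d in others if s != d]
    hit = sum(1 for s, d in pairs if liar in rib[s].get(d, ()))
    return hit / len(pairs)


def demo(liar="M"):
    """Compare the honest network with the same network plus one liar."""
    honest = run_path_vector(TOPOLOGY)
    attacked = run_path_vector(TOPOLOGY, liar=liar)
    return {
        "baseline": hijacked_fraction(honest, liar),
        "with_liar": hijacked_fraction(attacked, liar),
        "rib": attacked,
    }


if __name__ == "__main__":
    result = demo()
    print(f"routes through M without the lie: {result['baseline']:.0%}")
    print(f"routes through M with the lie:    {result['with_liar']:.0%}")
    for src in ("T1", "S1", "T2"):
        print(src, "-> S6:", " ".join(result["rib"][src]["S6"]))
```

Nobody in this model verifies anything: a bogus path that is shorter than the genuine one wins at every node that hears it, which is exactly why the route to S6 from T1 (and from everything behind T1) flips to M while T2, which has a shorter genuine path, is untouched.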
Slide 7: Why will a router misbehave?
- Misconfigurations
  - Major events in 1997, 2001, 2003
  - 200-1200 misconfigurations per day [M02]
- Malice
  - Address space hijacking [NANOG]
  - Attacker propagates lies from compromised routers [CERT]: default passwords [Thomas, NANOG], Cisco IOS security advisories
  - Visit http://www.blackhat.com
Slide 8: Case for decentralized security
- Prior proposals that offer good security need:
  - Public key infrastructure (PKI)
  - Trusted central authority
- An Internet-wide PKI with a central authority is very hard to deploy
  - Secure-BGP and DNSSEC have not succeeded
  - Political and economic boundaries
- Can we develop decentralized and deployable security mechanisms for Internet routing?
Slide 9: Outline of my talk
- Secure routing problem definition
  - Relationship to the reliable communication problem
  - How does Internet routing fit?
- Mechanisms to achieve secure routing
  - Internet routing: a specific case
  - Solution for an arbitrary network
- Implications and Conclusions
Slide 11: Secure routing in an arbitrary network
A genuine route consists only of edges that exist in the graph.
Given a graph G containing adversarial nodes, where each node is initially aware only of its neighbors and not of the entire graph, how can a good node determine genuine routes to every other good node?
Slide 12: A fundamental limitation
- Two colluding adversaries can fake a genuine link between them
  - Even a PKI cannot detect this problem
- Implication: genuine routes may traverse these fake links
Slide 13: Identity assumption
[Figure: AS B]
- Nodes have unique identities that they cannot fake to their neighbors
  - Holds for many large-scale networks
    - Internet routing: Autonomous System (AS) number
    - Intra-domain routing: router IP address
    - Domain Name System (DNS): server IP address
  - Pair-wise trust is easier to set up than an Internet-wide PKI
    - Socially/legally enforced in Internet routing
  - Does not hold for ad-hoc and P2P networks
Slide 14: Reliable communication problem
Given a graph G with |adversaries| ≤ k, under what constraints can two good nodes reliably communicate, provided the underlying graph G is not known to the nodes?
- Implications of reliable communication
  - Secure route propagation
  - Decentralized key distribution
Slide 15: Reliable communication in known networks
[Dolev81]: If every node is aware of the entire graph G and |adversaries| ≤ k, then two good nodes can reliably communicate if and only if G is (2k+1)-vertex connected.
Slide 16: What if the network is not known?
[Figure legend: unknown node; neighbor; node under consideration]
Problem: in an unknown network G, given that |adversaries| ≤ k, under what constraints can two good nodes reliably communicate?
Slide 17: Our result for unknown networks
- Theorem: In an unknown network comprising n nodes, given |adversaries| ≤ k, two good nodes can reliably communicate if the underlying connectivity graph G is (2k+1)-vertex connected.
- Note: With a PKI, only (k+1)-vertex connectivity is required to achieve reliable communication.
- Proof sketch later in the talk
Slide 18: Breaking the identity assumption
- Negative result: For any value m, there exists an m-vertex connected graph G in which one cannot achieve reliable communication against a single adversary that can fake different identities to its neighbors.
Slide 19: Sparse networks
[Figure: Group A and Group B joined through the nodes X and Y]
- Group A cannot reliably communicate with Group B
- The Internet topology is 1-vertex connected
- Goal: limit the damage that adversaries can cause
Slide 20: Problem space
Connectivity versus number of adversaries k:
- < (2k+1) connectivity, k = 1: Internet routing, isolated adversary
- < (2k+1) connectivity, k > 1: Internet routing, colluding adversaries
- ≥ (2k+1) connectivity: portions of the Internet topology, intra-domain routing
Slide 21: Outline of my talk (repeated; next section: Mechanisms for reliable communication)
Slide 22: Techniques for reliable communication
- Detect the presence of a lie
  - Whisper: check the consistency of routing information
- Which information is genuine?
  - Penalty-based filtering limits the number of lies of an adversary in a sparse network
  - Flows determine the genuine source of a piece of information in a dense network
Slide 23: Chinese whispers (modern version)
[Figure: Split Whisper]
Slide 24: Route Consistency Testing
[Figure: two routes R and S to the same destination]
- Route consistency of (R,S):
  - R and S genuine ⇒ consistent
  - R genuine, S spurious ⇒ inconsistent
  - R and S both spurious ⇒ consistent or inconsistent
- Route inconsistency ⇒ trigger alarm
Slide 25: Whisper signature construction
[Figure: route (C,B,A) carries (h_A, sgn((A,B)), P_A); route (N,M,A) carries (k_A, sgn((A,M)), Q_A); A's claimed public key is P_A]
- Consistency checking of routes (C,B,A) and (N,M,A):
  - Does the signature match the public key?
  - Do the public keys match?
Slide 26: Outline of my talk (repeated; next: Whisper and penalty-based filtering for sparse networks)
Slide 27: Penalty-based route selection
- Choose routes with the least penalty
- Optimal for an isolated adversary
- Not applicable for colluding adversaries
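The consistency test of slides 24-25 and the penalty-based selection of this slide can be put together in one runnable piece. This is an added example, not code from the talk: the origin of a route signs its first hop with a key pair it generated itself and ships the public key with the announcement, so there is no PKI; a receiver holding two routes to the same origin checks both signatures under the carried keys and compares the keys. The signature scheme is toy textbook RSA on Mersenne primes (so the block needs only the standard library; it is not secure), the penalty rule (one point to every AS on both routes of an inconsistent pair) and the node names are assumptions made for this example, and the "h_A"/"k_A" fields of the slide are not modelled.

```python
"""Whisper-style route consistency testing and penalty-based route selection.

Added example, not code from the talk. The origin of a route signs its
first hop with a key pair it generated itself and attaches the public key
to the announcement; there is no PKI and no central authority. A receiver
that holds two routes claiming the same origin checks that each signature
verifies under the key carried with it, that it covers the route's last
edge, and that both routes carry the same key. The penalty rule used
below (every AS on both routes of an inconsistent pair gets one penalty
point) and the node names are assumptions made for this example.
"""
import hashlib
from collections import defaultdict

# Toy textbook RSA on Mersenne primes so the example needs only the standard
# library.  Moduli of 50-230 bits are NOT secure; this is for illustration.
_E = 65537


def keypair(p, q):
    """Return (public, private) = ((n, e), (n, d)) for the primes p, q."""
    n = p * q
    return (n, _E), (n, pow(_E, -1, (p - 1) * (q - 1)))


def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message.encode()).digest(), "big") % n


def sign(private, message):
    n, d = private
    return pow(_digest(message, n), d, n)


def verify(public, message, signature):
    n, e = public
    return pow(signature, e, n) == _digest(message, n)


def edge(origin, first_hop):
    return f"{origin}->{first_hop}"


def announce(origin, private, public, first_hop):
    """Origin's announcement to one neighbour: route (first_hop, origin),
    a signature over that edge and the origin's self-generated public key."""
    return {"route": (first_hop, origin),
            "sig": sign(private, edge(origin, first_hop)),
            "key": public}


def forward(msg, me):
    """An intermediate AS prepends itself; signature and key are untouched."""
    return {**msg, "route": (me,) + msg["route"]}


def route_valid(msg):
    """Does the carried signature cover the route's final edge under the
    claimed key?  (Slide 25: 'does the signature match the public key?')"""
    origin, first_hop = msg["route"][-1], msg["route"][-2]
    return verify(msg["key"], edge(origin, first_hop), msg["sig"])


def consistent(r, s):
    """Route consistency (R,S): both valid and both carry the same key.
    (Slide 25: 'do the public keys match?')"""
    return route_valid(r) and route_valid(s) and r["key"] == s["key"]


def select_routes(candidates):
    """Penalty-based selection.  candidates: {dest: [msg, ...]}.
    Every inconsistent pair charges one point to each AS on either route
    (assumed rule); per destination the route with the least total penalty
    wins, a shorter route breaking ties.  Returns (chosen routes, penalties)."""
    penalty = defaultdict(int)
    for dest, msgs in candidates.items():
        for i, r in enumerate(msgs):
            for s in msgs[i + 1:]:
                if not consistent(r, s):
                    for node in set(r["route"] + s["route"]) - {dest}:
                        penalty[node] += 1
    chosen = {}
    for dest, msgs in candidates.items():
        chosen[dest] = min(msgs, key=lambda m: (
            sum(penalty[n] for n in m["route"][:-1]), len(m["route"])))["route"]
    return chosen, dict(penalty)


def scenario():
    """V holds two routes each to origins A and D; M is an isolated liar
    with no link to either origin.  Returns the checks and the selection."""
    pub_a, priv_a = keypair((1 << 61) - 1, (1 << 89) - 1)     # A's own key
    pub_d, priv_d = keypair((1 << 107) - 1, (1 << 127) - 1)   # D's own key
    pub_m, priv_m = keypair((1 << 31) - 1, (1 << 19) - 1)     # key M fabricates
    a_via_b = forward(announce("A", priv_a, pub_a, "B"), "C")  # (C,B,A), genuine
    a_via_g = forward(announce("A", priv_a, pub_a, "G"), "H")  # (H,G,A), genuine
    d_via_e = forward(announce("D", priv_d, pub_d, "E"), "F")  # (F,E,D), genuine
    # M cannot sign (A,M) with A's key, so it signs with its own and claims Q_A.
    a_via_m = forward(announce("A", priv_m, pub_m, "M"), "N")  # (N,M,A), spurious
    d_via_m = forward(announce("D", priv_m, pub_m, "M"), "N")  # (N,M,D), spurious
    # A lazier M copies A's real key and signature onto its bogus path.
    real = announce("A", priv_a, pub_a, "B")
    a_copied = {"route": ("N", "M", "A"), "sig": real["sig"], "key": real["key"]}
    chosen, penalty = select_routes({"A": [a_via_b, a_via_m],
                                     "D": [d_via_e, d_via_m]})
    return {"genuine_pair_consistent": consistent(a_via_b, a_via_g),
            "forged_key_inconsistent": not consistent(a_via_b, a_via_m),
            "copied_signature_invalid": not route_valid(a_copied),
            "chosen": chosen, "penalty": penalty}


if __name__ == "__main__":
    print(scenario())
```

Note what the check does and does not give you: it tells V that the two routes to A cannot both be genuine (a forged key fails the key comparison, a copied signature fails the edge check), but not which one is the lie. That is why the selection step is needed at all, and why an isolated liar loses: M sits on every inconsistent pair V sees, whereas each honest AS sits on only the pairs involving its own destinations, so M's penalty outgrows theirs.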
Slide 28: Minimum damage of an adversary
From V's perspective, M and A are indistinguishable.
min_damage(M,G): the number of nodes that a single adversary M can affect in a graph G while remaining indistinguishable from at least one good node in G.
Slide 29: Containing the additional damage
- If M affects both groups A and B, V avoids M
- Containment region: M can affect V's routes to Group M and to Group A or Group B (but not both)
Slide 30: Result for isolated adversary
Special case: if G is a power-law random graph on n nodes, min_damage(M,G) is bounded by O(√n) w.h.p.
Slide 31: Outline of my talk (repeated; next section: Reliable communication in dense networks)
Slide 32: Our result for unknown networks
- Theorem: In an unknown network comprising n nodes, given |adversaries| ≤ k, two good nodes can reliably communicate if the underlying connectivity graph G is (2k+1)-vertex connected.
- Reminder: In an unknown network, nodes are aware only of their neighbors and not of the entire graph.
Slide 33: Path-based flooding
- Flood along every possible path in the graph
- Each node appends its identity to the path
- X identifies vertex-disjoint paths to A and computes a majority over them
Slide 34: Whisper-based flow computation
Flow(X, (A,P_A)) > Flow(X, (A,Q_A)), where Flow counts vertex-disjoint paths between the two (identity, key) pairs
- If G is (2k+1)-connected with k adversaries, then for any (X,P_X):
  - Flow((X,P_X), (Y,P_Y)) ≥ (k+1) if (Y,P_Y) is a good node
  - Flow((X,P_X), (Z,Q_Z)) ≤ k if (Z,Q_Z) is a spurious node
Slide 35: Path suppression
- The number of paths in a graph is exponential
- Path suppression: a node only forwards a path-vector message if the path contains a new edge or a new source
- End result: in the absence of any adversary, the number of messages along a link equals the number of edges in the graph
Slide 36: Solution summary
- < (2k+1) connectivity: Whisper consistency checks with penalty-based filtering
- ≥ (2k+1) connectivity: path-based flooding with Whisper-based flow computation
Slide 37: Outline of my talk (repeated; next section: Implications and Conclusions)
Slide 38: Internet routing: levels of protection
Tier-1 and important Tier-2 ISPs (75 ASes, 19-vertex connected)
Slide 39: Internet routing: implications (contd.)
- Inter-domain routing
  - For Internet-like graphs, a single adversary can cause little damage
  - Multi-homing ⇒ better reliable communication
- Intra-domain routing
  - Engineering the network for connectivity
  - Subsequent secure link-state update complexity is equivalent to a flood
Slide 40: Concluding Remarks
- Take-away message: decentralized security is possible, practical and not expensive (if the number of adversaries is bounded)
- Even a PKI cannot provide good security in the presence of several adversaries
- The Whisper path-vector signature is an underlying enabling technique
- Protection is also possible in sparse networks