Reliable communication and Secure Routing Protocols - PowerPoint PPT Presentation

Title: Reliable communication and Secure Routing Protocols


1
Reliable communication and Secure Routing Protocols
  • Lakshminarayanan Subramanian
  • New York University

2
A lie gets halfway around the world before the truth has a chance to get its pants on.
Sir Winston Churchill
Today, a single router can hijack a large fraction of Internet routes by propagating bogus information.
3
Path vector routing: an illustration
[Figure labels: A, C, B, (D,M,A), M]
A single lie can affect several routes by corrupting the routing state of several nodes in the network.
4
Internet routing structure
[Figure labels: Sprint, CW, AS 1239, AS 3561]
The Internet is composed of Autonomous Systems (ASes), which use the Border Gateway Protocol (BGP) to exchange routing information.
5
Things to know about BGP
  • BGP is a path-vector routing protocol at the
    Autonomous system (AS) level
  • Every AS has a unique AS number
  • Control plane: where routes are set up
  • Data plane: where packets are forwarded

6
What if a router propagates bogus information?
Threat: A router within an autonomous system claims to have direct routes for several destinations
Outcome: In today's Internet, a single randomly placed router propagating bogus information can hijack 37% of Internet routes [S04]
7
Why will a router misbehave?
  • Misconfigurations
  • Major events in 1997, 2001, 2003
  • 200-1200 misconfigurations per day [M02]
  • Malice
  • Address space hijacking [NANOG]
  • Attacker propagates lies from compromised routers
    [CERT]
  • Default passwords [Thomas, NANOG]
  • Cisco IOS security advisories
  • Visit http://www.blackhat.com

8
Case for decentralized security
  • Prior proposals that offer good security need:
  • Public key infrastructure (PKI)
  • Trusted central authority
  • Internet-wide PKI with a central authority is
    very hard to deploy
  • Secure-BGP, DNSSEC have not succeeded
  • Political, economic boundaries
  • Can we develop decentralized and deployable
    security mechanisms for Internet routing?

9
Outline of my talk
  • Secure routing problem definition
  • Relationship to the reliable communication
    problem
  • How does Internet routing fit?
  • Mechanisms to achieve secure routing
  • Internet routing: a specific case
  • Solution for an arbitrary network
  • Implications and Conclusions

11
Secure routing in an arbitrary network
Genuine route: consists only of edges in the graph
Given a graph G with adversarial nodes, where each node is initially aware of only its neighbors but not the entire graph, how can a good node determine genuine routes to every other good node?
12
A fundamental limitation
  • Two colluding adversaries can fake a genuine link
    between them
  • Even a PKI cannot detect this problem
  • Implication: genuine routes may traverse these
    fake links

13
Identity assumption
[Figure label: AS B]
  • Nodes have unique identities that they cannot
    fake to their neighbors
  • Holds for many large-scale networks
  • Internet routing: Autonomous System (AS) number
  • Intra-domain routing: router IP address
  • Domain Name System (DNS): server IP address
  • Pair-wise trust easier to set than Internet-wide
    PKI
  • Socially/legally enforced in Internet routing
  • Does not hold for ad-hoc, P2P networks

14
Reliable communication problem
Given a graph G with (number of adversaries) ≤ k, under what constraints can two good nodes reliably communicate, provided the underlying graph G is not known to the nodes?
  • Implications of reliable communication
  • Secure route propagation
  • Decentralized key distribution

15
Reliable communication in known networks
[Dolev81]: If every node is aware of the entire graph G and given (number of adversaries) ≤ k, then two good nodes can reliably communicate if and only if G is (2k+1)-vertex connected.
16
What if the network is not known?
[Figure legend: Unknown, Neighbor, Node under consideration]
Problem: In an unknown network G, given that (number of adversaries) ≤ k, under what constraints can two good nodes reliably communicate?
17
Our result for unknown networks
  • Theorem: In an unknown network comprising n
    nodes, given (number of adversaries) ≤ k, two good nodes
    can reliably communicate if the underlying
    connectivity graph, G, is (2k+1)-vertex
    connected.
  • Note: With a PKI, we require only (k+1)-vertex
    connectivity to achieve reliable communication

Proof sketch later in the talk
18
Breaking the identity assumption
  • Negative Result: For any value m, there exists an
    m-vertex connected graph G where one cannot
    achieve reliable communication against a single
    adversary that can fake different identities to
    its neighbors.

19
Sparse networks
[Figure labels: Group A, Group B, m, X, Y]
Group A cannot reliably communicate with Group B
The Internet topology is 1-vertex connected
Goal: limit the damage that adversaries can cause
20
Problem space
≥ (2k+1) connectivity
< (2k+1) connectivity
k > 1
k = 1
Internet routing: Isolated adversary
Internet routing: Colluding adversaries
Portions of the Internet topology, Intra-domain routing
21
Outline of my talk
  • What is the secure routing problem?
  • Relationship to the reliable communication
    problem
  • How does Internet routing fit?
  • Mechanisms for reliable communication
  • Internet routing: reliable communication in
    sparse networks
  • Reliable communication in dense networks
  • Implications and conclusions

22
Techniques for reliable communication
  • Detect the presence of a lie
  • Whisper: check consistency of routing information
  • Which information is genuine?
  • Penalty-based filtering: limits the number of
    lies of an adversary in a sparse network
  • Flows: determine the genuine source of a piece of
    information in a dense network

23
Chinese whispers (modern version)
Split Whisper
24
Route Consistency Testing
  • Route consistency (R,S)
  • R and S are genuine routes → consistent
  • R genuine, S spurious → inconsistent
  • R and S spurious → consistent or inconsistent
  • Route inconsistency → Trigger alarm

[Figure: routes R and S]
25
Whisper signature construction
(hA = sgn((A,B)), PA)
(kA = sgn((A,M)), QA)
Claimed public key = PA
  • Consistency checking of routes (C,B,A) and
    (N,M,A)
  • Does the signature match the public key?
  • Do the public keys match?

26
Outline of my talk
  • What is the secure routing problem?
  • Relationship to the reliable communication
    problem
  • How does Internet routing fit?
  • Mechanisms for reliable communication
  • Internet routing: reliable communication in
    sparse networks
  • Whisper
  • Penalty-based filtering
  • Reliable communication in dense networks
  • Implications and conclusions

27
Penalty-based route selection
  • Choose routes with least penalty
  • Optimal for an isolated adversary
  • Not applicable for colluding adversaries

28
Minimum damage of an adversary
From V's perspective, M and A are indistinguishable
min_damage(M,G) = number of nodes that a single adversary M can affect in a graph G while being indistinguishable from at least one good node in G.
29
Containing the additional damage
If M affects both groups A and B, V avoids M
Containment region: M can affect V's
routes to Group M Group (A or B)
30
Result for isolated adversary
Special case: If G is a power-law random graph on
n nodes, min_damage(M,G) is bounded by O(?n)
w.h.p.
31
Outline of my talk
  • What is the secure routing problem?
  • Relationship to the reliable communication
    problem
  • How does Internet routing fit?
  • Mechanisms for reliable communication
  • Internet routing: reliable communication in
    sparse networks
  • Reliable communication in dense networks
  • Implications and Conclusions

32
Our result for unknown networks
  • Theorem: In an unknown network comprising n
    nodes, given (number of adversaries) ≤ k, two good nodes can
    reliably communicate if the underlying
    connectivity graph, G, is (2k+1)-vertex
    connected.
  • Reminder: In an unknown network, nodes are aware
    of only their neighbors and not the entire graph.

33
Path-based flooding
  • Flood along every possible path in the graph
  • Each node appends its identity to the path
  • X identifies vertex-disjoint paths to A and
    computes majority

34
Whisper-based flow computation
Flow (X, (A,PA)) > Flow (X, (A,QA))
  • If G is (2k+1)-connected with k adversaries, then
    for any (X,PX):
  • Flow((X,PX), (Y,PY)) ≥ (k+1) if (Y,PY) is a
    good node
  • Flow((X,PX), (Z,QZ)) ≤ k if (Z,QZ) is a
    spurious node
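
Added example (not from the slides or the authors' code): the acceptance test of slides 33 and 34, run at node X over flooded path-vector messages with k = 1. The node names, the keys "PA"/"QA", the fabricated relay F and the message list are constructed, and counting vertex-disjoint paths with a unit-capacity max-flow is this example's choice of algorithm.

```python
from collections import defaultdict, deque

def disjoint_flow(paths, src, dst):
    """Max number of vertex-disjoint src->dst routes in the union of paths."""
    cap = defaultdict(int)              # residual capacity per arc
    adj = defaultdict(set)              # residual graph, both directions
    for p in paths:
        hops = [((u, "out"), (v, "in")) for u, v in zip(p, p[1:])]
        relays = [((v, "in"), (v, "out")) for v in p[1:-1]]  # one unit per relay
        for u, v in hops + relays:
            cap[(u, v)] = 1
            adj[u].add(v)
            adj[v].add(u)
    s, t, flow = (src, "out"), (dst, "in"), 0
    while True:                         # unit-capacity augmenting paths (BFS)
        parent, queue = {s: None}, deque([s])
        while queue and t not in parent:
            u = queue.popleft()
            for v in adj[u]:
                if v not in parent and cap[(u, v)] > 0:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            return flow
        v = t
        while parent[v] is not None:    # push one unit along the found path
            u = parent[v]
            cap[(u, v)] -= 1
            cap[(v, u)] += 1
            v = u
        flow += 1

def accepted_claims(messages, me, k):
    """Group messages by (origin, claimed key); accept a claim if flow >= k+1."""
    by_claim = defaultdict(list)
    for (origin, key), path in messages:
        if path[0] == origin and path[-1] == me:
            by_claim[(origin, key)].append(path)
    flows = {c: disjoint_flow(ps, c[0], me) for c, ps in by_claim.items()}
    return flows, {c for c, f in flows.items() if f >= k + 1}

# Constructed sample: messages received by X, k = 1; M replaces A's key with QA.
MESSAGES = [
    (("A", "PA"), ("A", "B", "X")), (("A", "PA"), ("A", "C", "X")),
    (("A", "PA"), ("A", "B", "C", "X")), (("A", "QA"), ("A", "M", "X")),
    (("A", "QA"), ("A", "M", "B", "X")), (("A", "QA"), ("A", "M", "C", "X")),
    (("A", "QA"), ("A", "F", "M", "X")),   # F: relay fabricated by M
]
FLOWS, ACCEPTED = accepted_claims(MESSAGES, "X", k=1)
print(FLOWS, ACCEPTED)
```

Every message carrying QA names M as a relay, so its flow stays at k no matter how many paths M fabricates, while the genuine claim reaches X over two disjoint routes.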

35
Path suppression
  • Number of paths in a graph is exponential
  • Path suppression
  • A node only forwards a path-vector message if the
    path contains a new edge or a new source.

End result: In the absence of any adversary, the number of messages along a link is equal to the number of edges in the graph.
36
Solution summary
< (2k+1) connectivity
≥ (2k+1) connectivity
37
Outline of my talk
  • What is the secure routing problem?
  • Relationship to the reliable communication
    problem
  • How does Internet routing fit?
  • Mechanisms for reliable communication
  • Internet routing: reliable communication in
    sparse networks
  • Reliable communication in dense networks
  • Implications and Conclusions

38
Internet routing: levels of protection
Tier-1 Important Tier-2 ISPs (75 ASs,
19-vertex connected)
39
Internet routing: implications (contd.)
  • Inter-domain routing
  • For Internet-like graphs, a single adversary can
    cause little damage
  • Multi-homing → better reliable communication
  • Intra-domain routing
  • Engineering the network for connectivity
  • Subsequent secure link-state update complexity
    is equivalent to a flood

40
Concluding Remarks
  • Take-away message: Decentralized security is
    possible, practical and not expensive (if the
    number of adversaries is bounded)
  • Even a PKI cannot provide good security in the
    presence of several adversaries
  • Whisper path-vector signature is an underlying
    enabling technique
  • Protection is also possible in sparse networks