network security - isa 656 routing securityastavrou/courses/isa_656_f07/... · network security -...
TRANSCRIPT
![Page 1: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/1.jpg)
Network Security - ISA 656Routing Security
Angelos Stavrou
December 4, 2007
![Page 2: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/2.jpg)
What is Routing Security?
Routing Security
What is RoutingSecurity?
History of RoutingSecurity
Why So LittleWork?
How is it Different?
The Enemy’s Goal?
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions
2 / 41
■ Bad guys play games with routing protocols.
■ Traffic is diverted.◆ Enemy can see the traffic.
◆ Enemy can easily modify the traffic.
◆ Enemy can drop the traffic.
■ Cryptography can mitigate the effects, but notstop them.
![Page 3: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/3.jpg)
History of Routing Security
Routing Security
What is RoutingSecurity?
History of RoutingSecurity
Why So LittleWork?
How is it Different?
The Enemy’s Goal?
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions
3 / 41
■ Radia Perlman’s dissertation: Network Layer
Protocols with Byzantine Robustness, 1988.
■ Bellovin’s “Security Problems in the TCP/IPProtocol Suite”.
■ More work starting around 1996.
■ Kent et al., 2000 (two papers).
![Page 4: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/4.jpg)
Why So Little Work?
Routing Security
What is RoutingSecurity?
History of RoutingSecurity
Why So LittleWork?
How is it Different?
The Enemy’s Goal?
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions
4 / 41
■ It’s a really hard problem.
■ Actually, getting routing to work well is hardenough.
■ It’s outside the scope of traditionalcommunications security.
![Page 5: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/5.jpg)
How is it Different?
Routing Security
What is RoutingSecurity?
History of RoutingSecurity
Why So LittleWork?
How is it Different?
The Enemy’s Goal?
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions
5 / 41
■ Most communications security failures happenbecause of buggy code or broken protocols.
■ Routing security failures happen despite goodcode and functioning protocols. The problemis a dishonest participant.
■ Hop-by-hop authentication isn’t sufficient.
![Page 6: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/6.jpg)
The Enemy’s Goal?
Routing Security
What is RoutingSecurity?
History of RoutingSecurity
Why So LittleWork?
How is it Different?
The Enemy’s Goal?
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions
6 / 41
Host A
X
Y
Z
Good: A−>X−>Y−>B
Bad: A−>X−>Z−>Y−>B
Host B
But how can this happen?
![Page 7: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/7.jpg)
Routing Protocols
Routing Security
Routing Protocols
Routing Protocols
Normal Behavior
But Z Can LieUsing a Tunnel forPacket Re-injection
Why is the ProblemHard?
Routing in theInternet
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions
7 / 41
■ Routers speak to each other.
■ They exchange topology information and costinformation.
■ Each router calculates the shortest path toeach destination.
■ Routers forward packets along locally shortestpath.
■ Attacker can lie to other routers.
![Page 8: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/8.jpg)
Normal Behavior
Routing Security
Routing Protocols
Routing Protocols
Normal Behavior
But Z Can LieUsing a Tunnel forPacket Re-injection
Why is the ProblemHard?
Routing in theInternet
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions
8 / 41
X−>A: Z(5), Y(5), B(15)
X
Y
Z Host B
Host A10
5
5
5 10
Y−>X, Y−>Z: B(10)Z−>X: Y(5), B(15)
![Page 9: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/9.jpg)
But Z Can Lie
Routing Security
Routing Protocols
Routing Protocols
Normal Behavior
But Z Can LieUsing a Tunnel forPacket Re-injection
Why is the ProblemHard?
Routing in theInternet
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions
9 / 41
Z−>X: Y(5), B(3)
X
Y
Z Host B
Host A10
5
5
5 10
Y−>X, Y−>Z: B(10)
X−>A: Z(5), Y(5), B(8)
Note that X is telling the truth as it knows it.
![Page 10: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/10.jpg)
Using a Tunnel for Packet
Re-injectionRouting Security
Routing Protocols
Routing Protocols
Normal Behavior
But Z Can LieUsing a Tunnel forPacket Re-injection
Why is the ProblemHard?
Routing in theInternet
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions
10 / 41
Z’
X
Z
Host A
Y Host BQ
![Page 11: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/11.jpg)
Why is the Problem Hard?
Routing Security
Routing Protocols
Routing Protocols
Normal Behavior
But Z Can LieUsing a Tunnel forPacket Re-injection
Why is the ProblemHard?
Routing in theInternet
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions
11 / 41
■ X has no knowledge of Z’s real connectivity.
■ Even Y has no such knowledge.
■ The problem isn’t the link from X to Z; theproblem is the information being sent. (Notethat Z might be deceived by some otherneighbor Q.)
![Page 12: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/12.jpg)
Routing in the Internet
Routing Security
Routing Protocols
Routing in theInternetRouting in theInternetOSPF (OpenShortest Path First)
Characteristics ofInternal NetworksHow Do You SecureOSPF?AddressAuthorizationCertificateExternal Routing viaBGP
POP Topology
Noteworthy Points
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions
12 / 41
■ Two types, internal and external routing.
■ Internal (within ISP, company): primarilyOSPF.
■ External (between ISPs, and some customers):BGP.
■ Topology matters.
![Page 13: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/13.jpg)
OSPF (Open Shortest Path First)
Routing Security
Routing Protocols
Routing in theInternetRouting in theInternetOSPF (OpenShortest Path First)
Characteristics ofInternal NetworksHow Do You SecureOSPF?AddressAuthorizationCertificateExternal Routing viaBGP
POP Topology
Noteworthy Points
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions
13 / 41
■ Each node announces its own connectivity.Announcement includes link cost.
■ Each node re-announces all informationreceived from peers.
■ Every node learns the full map of the network.
■ Each node calculates the shortest path to alldestinations.
■ Note: limited to a few thousand nodes atmost.
![Page 14: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/14.jpg)
Characteristics of Internal Networks
Routing Security
Routing Protocols
Routing in theInternetRouting in theInternetOSPF (OpenShortest Path First)
Characteristics ofInternal NetworksHow Do You SecureOSPF?AddressAuthorizationCertificateExternal Routing viaBGP
POP Topology
Noteworthy Points
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions
14 / 41
■ Common management.
■ Common agreement on cost metrics.
■ Companies have less rich topologies, but lesscontrolled networks.
■ ISPs have very rich—but veryspecialized—topologies, but well-controllednetworks.
■ Often based on Ethernet and its descendants.
![Page 15: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/15.jpg)
How Do You Secure OSPF?
Routing Security
Routing Protocols
Routing in theInternetRouting in theInternetOSPF (OpenShortest Path First)
Characteristics ofInternal NetworksHow Do You SecureOSPF?AddressAuthorizationCertificateExternal Routing viaBGP
POP Topology
Noteworthy Points
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions
15 / 41
■ Simple link security is hard: multiple-accessnet.
■ Shared secrets guard against new machinesbeing plugged in, but not against anauthorized party being dishonest.
■ Solution: digitally sign each routing update(expensive!). List authorizations in certificate.
■ Experimental RFC by Murphy et al., 1997.
■ Note: everyone sees the whole map;monitoring station can note discrepancies fromreality. (But bad guys can send out differentannouncements in different directions.)
![Page 16: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/16.jpg)
Address Authorization Certificate
Routing Security
Routing Protocols
Routing in theInternetRouting in theInternetOSPF (OpenShortest Path First)
Characteristics ofInternal NetworksHow Do You SecureOSPF?AddressAuthorizationCertificateExternal Routing viaBGP
POP Topology
Noteworthy Points
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions
16 / 41
■ Each router has certain interfaces and hencedirect network reachability
■ Each router therefore has a certificate bindingits public key to its valid addresses
■ Note well: the CA has to know the properaddresses for each router
■ But that’s the norm in OSPF environments
![Page 17: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/17.jpg)
External Routing via BGP
Routing Security
Routing Protocols
Routing in theInternetRouting in theInternetOSPF (OpenShortest Path First)
Characteristics ofInternal NetworksHow Do You SecureOSPF?AddressAuthorizationCertificateExternal Routing viaBGP
POP Topology
Noteworthy Points
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions
17 / 41
■ No common management (hence no metricsbeyond hop count).
■ No shared trust.
■ Policy considerations: by intent, not all pathsare actually usable.
![Page 18: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/18.jpg)
POP Topology
Routing Security
Routing Protocols
Routing in theInternetRouting in theInternetOSPF (OpenShortest Path First)
Characteristics ofInternal NetworksHow Do You SecureOSPF?AddressAuthorizationCertificateExternal Routing viaBGP
POP Topology
Noteworthy Points
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions
18 / 41
access router
R1 R2
access router access router access router
![Page 19: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/19.jpg)
Noteworthy Points
Routing Security
Routing Protocols
Routing in theInternetRouting in theInternetOSPF (OpenShortest Path First)
Characteristics ofInternal NetworksHow Do You SecureOSPF?AddressAuthorizationCertificateExternal Routing viaBGP
POP Topology
Noteworthy Points
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions
19 / 41
■ A lot of attention to redundancy.
■ Rarely-used links (i.e., R1→R2)Link cost must be carefully chosen to avoidexternal hops.
■ May have intermediate level of routers tohandle fan-out.
![Page 20: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/20.jpg)
Routing Security
Routing Protocols
Routing in theInternetRouting in theInternetOSPF (OpenShortest Path First)
Characteristics ofInternal NetworksHow Do You SecureOSPF?AddressAuthorizationCertificateExternal Routing viaBGP
POP Topology
Noteworthy Points
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions
20 / 41
![Page 21: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/21.jpg)
InterISP Routing
Routing Security
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Path Vectors
PoliciesLong Prefixes andLoop-Free Routing
Longer Prefix Attack
Filtering
Secure BGP (Kentet al.)
Problems withSBGP
Certificate Issuance
Certificate TreeAuthorizationCertificates
Signed Origin BGP
Problems withSOBGP
Happy Packets
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions21 / 41
B
W
X Y
Z
L
A
C
![Page 22: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/22.jpg)
InterISP Routing
Routing Security
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Path Vectors
PoliciesLong Prefixes andLoop-Free Routing
Longer Prefix Attack
Filtering
Secure BGP (Kentet al.)
Problems withSBGP
Certificate Issuance
Certificate TreeAuthorizationCertificates
Signed Origin BGP
Problems withSOBGP
Happy Packets
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions22 / 41
■ “Tier 1” ISPs are peers, and freely exchangetraffic.
■ Small ISPs buy service from big ISPs.
■ Different grades of service: link L-Z is forcustomer access, not transit. C→B goes viaL-Y-X-W, not L-Z-W.
■ A is multi-homed, but W-A-Z is not a legalpath, even for backup.
■ BGP is distance vector, based on ISP hops.Announcement is full path to origin, not justmetric.
![Page 23: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/23.jpg)
Path Vectors
Routing Security
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Path Vectors
PoliciesLong Prefixes andLoop-Free Routing
Longer Prefix Attack
Filtering
Secure BGP (Kentet al.)
Problems withSBGP
Certificate Issuance
Certificate TreeAuthorizationCertificates
Signed Origin BGP
Problems withSOBGP
Happy Packets
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions23 / 41
■ Route advertisements contain a prefix and alist of ASs to traverse to reach that prefix
■ Example: if B owns address block 10.0/16, Lwould see 〈10.0/16, {Y,X,W,B}〉
■ ASs do not see paths filtered by upstreamnodes. Y sees 〈10.0/16, {X,W,B}〉 and〈10.0/16, {Z,W,B}〉; since only forwards theformer to L, L knows nothing of the path via Z
![Page 24: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/24.jpg)
Policies
Routing Security
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Path Vectors
PoliciesLong Prefixes andLoop-Free Routing
Longer Prefix Attack
Filtering
Secure BGP (Kentet al.)
Problems withSBGP
Certificate Issuance
Certificate TreeAuthorizationCertificates
Signed Origin BGP
Problems withSOBGP
Happy Packets
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions24 / 41
■ ISPs have a great deal of freedom whenchoosing the “best” path
■ While hop count is one metric, local policies(i.e., for traffic engineering) count more
■ These policies — in general, not disclosedpublicly — affect with path neighbors will see
![Page 25: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/25.jpg)
Long Prefixes and Loop-Free Routing
Routing Security
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Path Vectors
PoliciesLong Prefixes andLoop-Free Routing
Longer Prefix Attack
Filtering
Secure BGP (Kentet al.)
Problems withSBGP
Certificate Issuance
Certificate TreeAuthorizationCertificates
Signed Origin BGP
Problems withSOBGP
Happy Packets
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions25 / 41
■ Routers ignore advertisements with their ownAS number in the path
■ This is essential to provide loop-free paths
■ Routers use longest match on prefixes whencalculating a path
■ These two facts can be combined to form anattack
![Page 26: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/26.jpg)
Longer Prefix Attack
Routing Security
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Path Vectors
PoliciesLong Prefixes andLoop-Free Routing
Longer Prefix Attack
Filtering
Secure BGP (Kentet al.)
Problems withSBGP
Certificate Issuance
Certificate TreeAuthorizationCertificates
Signed Origin BGP
Problems withSOBGP
Happy Packets
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions26 / 41
■ Suppose B owns 10.0/16. Z sees 〈10.0/16,{W,B}〉
■ A advertises 〈10.0.0/17, {A,W}〉
■ Z will route packets for 10.0.0/17to A — ithas a longer prefix
■ W will never see that path, and hence won’tpass it to B — the path (falsely) contains W,so it will be rejected by W
![Page 27: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/27.jpg)
Filtering
Routing Security
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Path Vectors
PoliciesLong Prefixes andLoop-Free Routing
Longer Prefix Attack
Filtering
Secure BGP (Kentet al.)
Problems withSBGP
Certificate Issuance
Certificate TreeAuthorizationCertificates
Signed Origin BGP
Problems withSOBGP
Happy Packets
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions27 / 41
■ ISPs can filter route advertisements from theircustomers.
■ Doesn’t always happen: AS7007 incident,spammers, etc.
■ Not feasible at peering links.
![Page 28: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/28.jpg)
Secure BGP (Kent et al.)
Routing Security
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Path Vectors
PoliciesLong Prefixes andLoop-Free Routing
Longer Prefix Attack
Filtering
Secure BGP (Kentet al.)
Problems withSBGP
Certificate Issuance
Certificate TreeAuthorizationCertificates
Signed Origin BGP
Problems withSOBGP
Happy Packets
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions28 / 41
■ Each node signs its announcements.
■ That is, X will send {W}X , {Y }X , {Z}X .
■ W will send{B}W , {A}W , {X}W , {X : {Z}X}W .
■ Chain of accountability.
![Page 29: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/29.jpg)
Problems with SBGP
Routing Security
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Path Vectors
PoliciesLong Prefixes andLoop-Free Routing
Longer Prefix Attack
Filtering
Secure BGP (Kentet al.)
Problems withSBGP
Certificate Issuance
Certificate TreeAuthorizationCertificates
Signed Origin BGP
Problems withSOBGP
Happy Packets
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions29 / 41
■ Lots of digital signatures to calculate andverify.◆ Can use cache
◆ Verification can be delayed
■ Calculation expense is greatest when topologyis changing—i.e., just when you want rapidrecovery. (About 120K routes. . . )
■ How to deal with route aggregation?
■ What about secure route withdrawals whenlink or node fails?
■ Dirty data on address ownership.
![Page 30: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/30.jpg)
Certificate Issuance
Routing Security
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Path Vectors
PoliciesLong Prefixes andLoop-Free Routing
Longer Prefix Attack
Filtering
Secure BGP (Kentet al.)
Problems withSBGP
Certificate Issuance
Certificate TreeAuthorizationCertificates
Signed Origin BGP
Problems withSOBGP
Happy Packets
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions30 / 41
■ Who issues prefix ownership certificates?
■ Address space comes from upstream ISP orRIRs
■ RIRs really are authoritative — hence they’re amonopoly
■ If an RIR makes a mistake, the prefix is off theair
■ Is this a risk worth taking?
![Page 31: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/31.jpg)
Certificate Tree
Routing Security
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Path Vectors
PoliciesLong Prefixes andLoop-Free Routing
Longer Prefix Attack
Filtering
Secure BGP (Kentet al.)
Problems withSBGP
Certificate Issuance
Certificate TreeAuthorizationCertificates
Signed Origin BGP
Problems withSOBGP
Happy Packets
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions31 / 41
■ The RIRs (Regional Internet Registries) giveaddresses to big ISPs and big end users
■ Accordingly, the RIRs should issue certificates
■ (Really, it should be ICANN, but the politics ofthat are too painful)
■ Small ISPs and small customers get addressspace from their own ISPs
■ Every ISP is thus a certificate holder and acertificate issuer
■ These are authorization certificates, notidentity certificates
![Page 32: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/32.jpg)
Authorization Certificates
Routing Security
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Path Vectors
PoliciesLong Prefixes andLoop-Free Routing
Longer Prefix Attack
Filtering
Secure BGP (Kentet al.)
Problems withSBGP
Certificate Issuance
Certificate TreeAuthorizationCertificates
Signed Origin BGP
Problems withSOBGP
Happy Packets
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions32 / 41
■ The identity of the certificate holder isirrelevant
■ What matters is the authorization: thecertificate contains IP address ranges
■ The signing party has its own certificate listinglarger ranges of IP addresses, and hence theright to delegate them
![Page 33: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/33.jpg)
Signed Origin BGP
Routing Security
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Path Vectors
PoliciesLong Prefixes andLoop-Free Routing
Longer Prefix Attack
Filtering
Secure BGP (Kentet al.)
Problems withSBGP
Certificate Issuance
Certificate TreeAuthorizationCertificates
Signed Origin BGP
Problems withSOBGP
Happy Packets
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions33 / 41
■ Suppose only the origin was digitally signed:〈10.0/16, B〉
■ In addition, all polices are (securely) publishedin some database
■ Receiving node verifies origin, then comparesreceived path against all policies
■ Query: is the received path consistent withpolicies?
■ Advantage: many fewer signatures
![Page 34: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/34.jpg)
Problems with SOBGP
Routing Security
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Path Vectors
PoliciesLong Prefixes andLoop-Free Routing
Longer Prefix Attack
Filtering
Secure BGP (Kentet al.)
Problems withSBGP
Certificate Issuance
Certificate TreeAuthorizationCertificates
Signed Origin BGP
Problems withSOBGP
Happy Packets
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions34 / 41
■ Sill have monopoly RIRs
■ ISPs don’t like to publish policies
■ Clever attackers can play games in the middleof the path
![Page 35: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/35.jpg)
Happy Packets
Routing Security
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Path Vectors
PoliciesLong Prefixes andLoop-Free Routing
Longer Prefix Attack
Filtering
Secure BGP (Kentet al.)
Problems withSBGP
Certificate Issuance
Certificate TreeAuthorizationCertificates
Signed Origin BGP
Problems withSOBGP
Happy Packets
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions35 / 41
■ Philosophy: don’t worry too much aboutrouting security
■ Crucial metric: do packets reach theirdestination?
■ What about confidentiality? If it matters,encrypt end-to-end
■ But what about traffic analysis?
![Page 36: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/36.jpg)
Link-Cutting Attack (Bellovin and
Gansner)Routing Security
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Link-Cutting Attack(Bellovin andGansner)
Is Link-CuttingFeasible?Sample Link-CuttingAttackCost of Link-CuttingAttacks on theBackbone
Defenses
Conclusions
36 / 41
■ Suppose that we have SBGP and SOSPF.
■ Suppose the enemy controls a few links ornodes. Can he or she force traffic to traversethose paths?
■ Yes. . .
![Page 37: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/37.jpg)
Is Link-Cutting Feasible?
Routing Security
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Link-Cutting Attack(Bellovin andGansner)
Is Link-CuttingFeasible?Sample Link-CuttingAttackCost of Link-CuttingAttacks on theBackbone
Defenses
Conclusions
37 / 41
■ Attacker must have network map.Easy for OSPF; probably doable for BGP—see“Rocketfuel” paper.
■ Can attacker determine peering policy?Unclear.
■ How can links be cut?Backhoes? “Ping of death”? DDoS attack onlink bandwidth?
![Page 38: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/38.jpg)
Sample Link-Cutting Attack
Routing Security
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Link-Cutting Attack(Bellovin andGansner)
Is Link-CuttingFeasible?Sample Link-CuttingAttackCost of Link-CuttingAttacks on theBackbone
Defenses
Conclusions
38 / 41
AWa0
D
Za0
Wb0Wb1
Xb1
Zb0
Wa1
Wa2
Wa3
Xb0
Xa0
Xa1Xa2
Xa3
Yb0
Yb1
Ya0
Ya1
Ya2Ya3
Zb1
Za1
Za2
Za3
BC
![Page 39: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/39.jpg)
Cost of Link-Cutting Attacks on the
BackboneRouting Security
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Link-Cutting Attack(Bellovin andGansner)
Is Link-CuttingFeasible?Sample Link-CuttingAttackCost of Link-CuttingAttacks on theBackbone
Defenses
Conclusions
39 / 41
0
10
20
30
40
50
60
70
80
0 20 40 60 80 100 120 140 160 180
Link
cut
s re
quire
d
Number of nodes
"cut-effort-full""cut-effort-reduced"
"cut-avg-full""cut-avg-reduced"
![Page 40: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/40.jpg)
Defenses
Routing Security
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Defenses
Defenses
Conclusions
40 / 41
■ Hard to defend against—routing protocols aredoing what they’re supposed to!
■ Keeping attacker from learning the map isprobably infeasible.
■ Feed routing data into IDS?
■ Link-level restoration is a good choice, but canbe expensive.
■ Others?
![Page 41: Network Security - ISA 656 Routing Securityastavrou/courses/isa_656_F07/... · Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007. ... Bellovin’s “Security](https://reader035.vdocuments.mx/reader035/viewer/2022070818/5f16e0298ffdbe189514b382/html5/thumbnails/41.jpg)
Conclusions
Routing Security
Routing Protocols
Routing in theInternet
Inter-ISP Routing
Link-Cutting Attack(Bellovin andGansner)
Defenses
Conclusions
Conclusions
41 / 41
■ Routing security is a major challenge.
■ Mentioned specifically in White HouseCybersecurity document.
■ Lots of room for new ideas.