Security implications of source-controlled routes
Xiaowei Yang, xwy@uci.edu
UC Irvine
NSF FIND PI meeting, June 27 2007

Source-controlled routing is controversial
- Secure routing depends on source routes
- Security is the #1 reason to disable source routes
- Why we can reconcile these two
[Diagram: ISP1, ISP2, ISP3, ISP4]

Byzantine-tolerant routing
- [Perlman88] [Wendlandt06]
- A discriminatory/nosy ISP, a hostile country
[Diagram: ISP1, ISP2, ISP3]

Accountable routing
- Accountability is key to innovation [Laskowski06]
- User knows the path responsible for the performance [Goldberg07]
[Diagram: ISP1, ISP2, ISP3, ISP4]

Symmetric return path
- DDoS defense
  - Network capabilities [Yang05]
  - Private path-based addressing [Handley04]
- Accountability
[Diagram: ISP1, ISP2, ISP3, ISP4, with two "token" labels]

Source-controlled routing is controversial
- Secure routing depends on source routes
- Security is the #1 reason to disable source routes
- Why we can reconcile these two
[Diagram: ISP1, ISP2, ISP3, ISP4]

Source routing breaks address-based authentication
- Source routing in IPv4 is largely disabled
- Without source routing, packets will not return to spoofed addresses
[Diagram: hosts 10.0.0.1 and 10.0.0.2; packet labels "10.0.0.1 attackerIP 10.0.0.2" and "10.0.0.2 attackerIP 10.0.0.1"]

Bandwidth amplification attack
- IPv6 makes it worse
  - Allows 44 intermediate nodes [Biondi07] (http://www.natisbad.org/, CanSecWest 2007)
[Diagram, source [Biondi07]: route R1 R2 R1 R2 R1 R2 …]
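
Added example (not from the talk or from [Biondi07]): a defender-side check that parses an IPv6 type 0 Routing header and flags the R1 R2 R1 R2 revisit pattern described on this slide. The header layout follows RFC 2460; the function names, the `max_waypoints` policy limit and the 2001:db8:: sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

def parse_rh0(ext: bytes):
    """Parse an IPv6 type 0 Routing header (RFC 2460 layout) into
    (segments_left, [IPv6Address, ...]); raise ValueError if malformed."""
    if len(ext) < 8:
        raise ValueError("truncated routing header")
    _next_hdr, hdr_ext_len, rtype, segs_left = struct.unpack_from("!BBBB", ext)
    if rtype != 0:
        raise ValueError(f"routing type {rtype}, not type 0")
    # Hdr Ext Len counts 8-octet units after the first 8; each address is 2 units.
    if hdr_ext_len % 2 or len(ext) < 8 + 8 * hdr_ext_len:
        raise ValueError("length field inconsistent with address list")
    count = hdr_ext_len // 2
    if segs_left > count:
        raise ValueError("Segments Left exceeds address count")
    addrs = [ipaddress.IPv6Address(ext[8 + 16 * i:24 + 16 * i]) for i in range(count)]
    return segs_left, addrs

def assess(ext: bytes, max_waypoints: int = 2):
    """Verdict for a filter or IDS rule. max_waypoints is a hypothetical
    local policy limit, not a value from the talk."""
    segs_left, addrs = parse_rh0(ext)
    revisits = len(addrs) - len(set(addrs))  # hops that name an earlier router again
    reasons = []
    if revisits:
        reasons.append("waypoint revisited (R1 R2 R1 R2 pattern)")
    if len(addrs) > max_waypoints:
        reasons.append("more waypoints than policy allows")
    return {"waypoints": len(addrs), "revisits": revisits,
            "segments_left": segs_left, "drop": bool(reasons), "reasons": reasons}

def build_rh0(addrs, next_hdr=59):
    """Build header bytes for the constructed samples below (59 = No Next Header)."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addrs)
    return struct.pack("!BBBBI", next_hdr, 2 * len(addrs), 0, len(addrs), 0) + body

# Constructed samples using the 2001:db8::/32 documentation prefix.
PING_PONG = build_rh0(["2001:db8::1", "2001:db8::2"] * 3)
SINGLE = build_rh0(["2001:db8::1"])

if __name__ == "__main__":
    for name, hdr in (("ping-pong", PING_PONG), ("single", SINGLE)):
        print(name, assess(hdr))
```

RFC 5095 later deprecated the type 0 Routing header, so on current networks the usual policy is to drop it outright; the revisit count is still useful when triaging captures.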

Increased power to DDoS
- Targeted link flooding
- Multi-path flooding
[Diagram: ISP1, ISP2, ISP3, …]

Forced path oscillation
[Diagram: ISP1, ISP2, ISP3, ISP4, …]

Interfere with ISP policies
- Make your ISP broke
[Diagram: Source, ISP, ISP1, ISP2, ISP3, ISP4; labels "$$$" and "$"]

Slow down the routers
[Diagram: router internals, labelled CPU, Memory, Route Processor, Switch Fabric, and two sets of Memory, Route Processing, MAC, Switch Fabric Interface]

Can we make source-controlled routes innocuous?

Main causes of the security issues
- Control and exposure
- Source-controlled routing
- Source routing option in IPv4 or Routing header in IPv6
- A set of design goals: Security, accountability, economic incentives, overhead
- A variety of mechanisms
- Amplified security issues
- Lack of mechanisms
[Diagram labels: "No control", "Deflect without knowing the paths", "Choose paths knowing entities on the paths", "Explicitly list the routers"]

Bandwidth amplification attacks
- Select paths, not arbitrary waypoints
[Diagram, source [Biondi07]: Path 1, Path 2, Path 3]

Interfere with ISP policies
- Provide policy-allowed paths
- Pricing
- Inter-domain choices
[Diagram: ISP1, ISP2, ISP3, ISP4; Path 1: $$$, Path 2: $]

Source routing breaks address-based authentication
- Light-weight network-layer authentication
- Unspoofable source identifiers [Liu06]
[Diagram: labels 10.0.0.1, 10.0.0.1, 10.0.0.2 and "attackerIP 10.0.0.2", marked X]

Increased power to DDoS
- A DoS-defense system that cuts off attack traffic at its source
[Diagram: ISP1, ISP2, ISP3, …]

Forced path oscillation
- Stable path selection protocol
- Do not switch all at once
- Use multiple paths [He06]
- Admission control and resource reservation
[Diagram: ISP1, ISP2, ISP3, ISP4, …]

Slow down routers
- Fix the routers
- Do not let the present hardware implementation limit future innovations
- Encapsulation/decapsulation at line speed
[Diagram: router internals, labelled CPU, Memory, Route Processor, Switch Fabric, and two sets of Memory, Route Processing, MAC, Switch Fabric Interface]

Conclusion
- The desirable goals
  - Byzantine-tolerant, accountability, availability, economic incentives, overhead, QoS, manageability…
- The right balance of control and exposure
- Source-controlled routing
- Source routing option in IPv4 or Routing header in IPv6
[Diagram labels: "No control", "Deflect without knowing the paths", "Choose paths knowing entities on the paths", "Explicitly list the routers"]