A Pluralist Approach to
Interdomain Communication
Security
Ioannis Avramopoulos
Princeton University
Joint work with Jennifer Rexford
Economics & the Internet Inertness
• Internet infrastructure is insecure
• Despite the obvious threat, countermeasures
are not being deployed
– E.g., Secure-BGP
• We argue that the reason is mainly economic
• Autonomous systems (ASes) in commercial
Internet are independent, rational, and pay-off
maximizing entities
Overview
• Economic Case for Pluralism
• Architectural Framework for Pluralism
• Example of Using the Architectural
Framework
Background: Economics of Groups
and Goods
• Good: Secure communication between domains
– Goods are confidentiality, integrity, and availability
• Producing such goods requires action in groups
– Group members are ASes
• Goods can be
– purely public (e.g., public television broadcasting)
– purely private (e.g., recorded music sold in stores)
– impurely public (e.g., cable television broadcasting)
• Type of good can be engineered
Background: Routing Protocols
The Case for Pluralism: Purism is
not Economically Viable
• Purism: Ubiquitous deployment of a
secure routing protocol
• Purism treats secure interdomain
communication as a pure public good
– Therefore, purism is not economically viable
The Case for Pluralism: Smaller
Groups are More Effective
• Olson classifies interaction among group
members in three categories:
– Large group; good will not be provided
unless there is coercion
– Small group; good may be provided by
unilateral action
– Medium group; good may be provided by
strategic interaction
The Case for Pluralism: Custom
Security Solutions Per Group
• Many options (mechanisms) to improve
communication security
– E.g., confidentiality can be protected by a secure
routing protocol or encryption ciphers
• No single mechanism can address the full gamut
of threats
– E.g., during a DoS attack you prefer unreachability
• Network architecture should support the
graceful coexistence of different
mechanisms
SBone Architectural Framework
for Pluralism
• Objective: support the formation of
groups of any size---irrespective of IP
connectivity of group members---without
compromising security
Formation of Arbitrary Groups
Irrespective of IP Connectivity
island
Archipelago
Threat Model
• DoS attacks
– against targets inside the overlay
– against virtual links
• Routing-protocol attacks
– to intercept cross-island traffic
• Data-plane attacks
– to manipulate cross-island traffic
Secure Virtual Link: Surelink
• Connects a relay point in one island to a
relay point in another forming an IP tunnel
• Surelinks enhance the service model of a
vanilla IP tunnel with
– an encryption cipher to protect confidentiality
– an authentication cipher to protect integrity
and enforce access control
– secure availability monitoring capability
Secure Virtual Topology
• Collection of multiple surelinks giving
control of the underlying paths traffic takes
• Path control can be leveraged to
– proactively prevent routing attacks
– proactively bypass untrusted non-participants
– proactively spread traffic over multiple paths
– reactively reroute traffic to alternate paths
Example of Archipelago
• Backbone-provider trusted VPN
– Example of revenue-generating service based
on coalitions among providers
Example of Archipelago
Australian
branch
surelinks
Telstra
AT&T
US branch
Example of Archipelago
• Backbone-provider trusted VPN
– Example of revenue-generating service based
on coalitions among providers
• Coalition-based trusted VPNs can serve
multinational customers without additional
investment on infrastructure
Conclusion
• Purism is not economically viable
• Deployment of communication security
mechanism should be based on pluralism;
– I.e., the formation of variable-sized groups deploying
mechanism customized to group-specific needs
• Proposed an architectural framework to support
pluralism that is backward compatible with
existing infrastructure
Thank you!
Questions