Slides

advertisement
Robert Lychev Sharon Goldberg Michael Schapira
Georgia Tech
Boston University
Boston University
Hebrew University
1
Security Benefits or Juice
What does (partially-deployed) BGPSEC offer over RPKI?
 road to BGPSEC full-deployment is very tricky because introducing
security only
introduces
new
vulnerabilities
(Or, partially
is the juice
worth the
squeeze?)
 not fully deployed BGPSEC provides only meagre benefits over RPKI
if network operators do not prioritize security in their routing policies
BGP
• In deployment
• Crypto done offline
• In standardization
• Crypto done online
BGP and BGPSEC
coexistence
RPKI
(origin authentication)
BGPSEC
2
1.
Background:
1.
BGP, RPKI, BGPSEC
2.
routing policies in BGPSEC partial deployment
2.
BGPSEC in partial deployment is tricky
3.
Is the juice worth the squeeze?
4.
Summary
3
4323, 2828, D
69.63.176.0/24
Sprint
Sprint, 4323, 2828, D
69.63.176.0/24
4323
2828, D
69.63.176.0/24
2828
A
D
69.63.176.0/24
D
69.63.176.0/24
4
4323, 2828, D
69.63.176.0/24
Sprint
4323
2828
D
?
Which route to choose?
Use routing policies.
e.g. “Prefer short paths”
A, D
69.63.176.0/24
A
69.63.176.0/24
5
4323, 2828, D
69.63.176.0/24
Sprint
4323
2828
D
?
A,AD
69.63.176.0/24
Which route to choose?
Use routing policies.
e.g. “Prefer short paths”
69.63.176.0/24
A
69.63.176.0/24
6
Sprint
RPKI invalid!
4323
X
A
69.63.176.0/24
2828
Sprint checks that
A is not authorized
for 69.63.176.0/24
A
D
RPKI
69.63.176.0/24
69.63.176.0/24
Binds prefixes to ASes authorized to originate them.
7
Security Benefits or Juice
BGP
assume RPKI is fully deployed, and focus on 1-hop hijack.
prevent
prefix
hijacks
RPKI
(origin authentication)
prevent
route
manipulations
BGPSEC
8
P/S
?
S
P/S
2828
Sprint can verify that
D never sent
X
A, D, prefix
SP, A, D, prefix
A, D prefix
S
2828, D, prefix
A
P/S
4323
BGPSEC invalid!
S
P/S
Sprint
RPKI
P/S
D
69.63.176.0/24
9
Security Benefits or Juice
BGP
assume RPKI is fully deployed, and focus on 1-hop hijack.
prevent
route
manipulations
prevent
prefix
hijacks
What happens when BGP and
BGPSEC coexist?
RPKI
(origin authentication)
BGPSEC
10
Secure ASes must
accept legacy
insecure routes
P/S
Sprint
?
Should Sprint choose
the long secure path OR
the short insecure one?
P/S
4323
A, D
69.63.176.0/24
A
P/S
Siemens
P/S
D
RPKI
P/S
P/S
2828
69.63.176.0/24
Depends on the interaction between BGPSEC and routing policies!
11
1.
local preference
(often based on business relationships with neighbors)
2. prefer short routes
…
3. break ties in a consistent manner
12
Security 1st
1.
Cost,
Performance
Security
local preference (cost)
(often based on business relationships with neighbors)
Security 2nd
2. prefer short routes (performance)
Cost,
Performance
Security
Security 3rd
3. break ties in a consistent manner
 Survey of 100 network operators shows that 10%, 20% and 41%
would place security 1st, 2nd, and 3rd, [Gill, Schapira, Goldberg’12]
13
Security 1st
1.
local preference (cost)
(prefer customer routes over peer over provider routes)
Security 2nd
2. prefer short routes (performance)
Security 3rd
3. break ties in a consistent manner
 To simulate routing outcomes, we use a concrete model of local
preference. [Gao-Rexford’00, Huston’99, etc.]
 Our ongoing work tests the robustness of this local pref model.
14
1.
Background: BGP, RPKI, BGPSEC, routing policies
2.
BGPSEC in partial deployment is tricky
1.
Protocol downgrade attacks
2.
Collateral damages
3.
Routing instabilities
3.
Is the Juice worth the squeeze?
4.
Summary
15
P/S
Sprint
?
Security 3rd:
Path length trumps
path security!
P/S
4323
A, D
69.63.176.0/24
P/S
2828
P/S
D
A
69.63.176.0/24
Protocol downgrade attack:
Before the attack, Sprint has a legitimate secure route.
During the attack, Sprint downgrades to an insecure bogus route .
16
No protocol No collateral
No
We prove…
downgrades? damages? instabilities?



Security 1st
Security 2nd
Security 3rd
?
Protocol downgrade attack:
P/S
Sprint
4323
P/S
A, D
69.63.176.0/2
4
A
Siemens
P/S
D
P/S
P/S
2828
A secure AS with a secure route before
the attack, downgrades to an insecure
bogus route during the attack.
69.63.176.0/24
17
20960
3257
52142
12389
5617
174
P/S
3356
P/S
3491
P/S
10310
P/S
40426
P/S
prefix
7922
M
Before X deploys
BGPSEC
?
Y
Z
X
V
?
D
P/S
prefix
P/S
P/S
P/S
Shorter
path!
P/S
X offers the
Secure ASes: 5
shorter path
Happy ASes: 8
W
M
After X deploys
BGPSEC
X
V
D
P/S
prefix
P/S
P/S
P/S
?
Security 2nd:
Secure
ASes:
6
Security
trumps
Happy
path ASes:
length!7
P/S
Z
?
Y
P/S
Y experiences
W offers the
collateral damage
shorter path!
because X is secure!
W
M
No protocol No collateral
No
We prove…
downgrades? damages? instabilities?



Security 1st
Security 2nd
Security 3rd
20960
3257
?
52142
12389
5617
Collateral damage (during the attack):
More secure ASes leads to more insecure
ASes choosing bogus routes
174
P/S
?
P/S
3356



P/S
3491
7922
P/S
40426
A
P/S
P/S
10310
prefix
21
No protocol No collateral
No
We prove…
downgrades? damages? instabilities?
Security 1st
Security 2nd
Security 3rd









Theorem: Routing converges to a unique stable state if all ASes
use the same secure routing policy model.
 But, if they don’t, there can be BGP Wedgies and oscillations.
22
1.
Background: BGP, RPKI, BGPSEC, routing policies
2.
BGPSEC in partial deployment is tricky
3.
Is the Juice worth the Squeeze?
4.
1.
Can we efficiently select the optimal set of secure ASes?
2.
Can we bound security benefits invariant to who is secure?
3.
Is the BGPSEC juice worth the squeeze given RPKI?
Summary
23
Let S be the set of ASes deploying BGPSEC,
A be the attacker and d be the destination
20960
3257
52142
12389
3356
5617
5617
174
?
3491
| Happy(S, A, d)| = 7
10310
7922
prefix
A
d
The set of ASes choosing a legitimate route is
Happy S,
A ,
d
prefix
Let S be the set of ASes deploying BGPSEC,
A be the attacker and d be the destination
20960
3257
52142
12389
3356
5617
5617
174
?
3491
| Happy(S, A, d)| = 7
10310
7922
prefix
d
A
Our metric is the average of the set of Happy ASes
1
Metric(S) =
|V| 3
∑
all A
all d
Happy S,
A ,
d
prefix
Problem: find set S of secure ASes that maximizes
Happy S,
A ,
d
prefix
s. t. |S| = k, for a fixed attacker A and destination d
Theorem:
This problem is NP-hard for all three routing models.
26
Problem: Compute upper and lower bounds on
1
Metric(S) =
|V| 3
∑
Happy S,
A ,
d
prefix
all A
all d
for any BGPSEC deployment set S
27
Sprint
The bogus path is shorter!
4323
A, D
69.63.176.0/24
2828
A
Siemens
D
69.63.176.0/24
28
P/S
Sprint
Sprint is doomed
The bogus path is shorter!
P/S
4323
A, D
69.63.176.0/24
P/S
2828
A
P/S
D
69.63.176.0/24
Regardless of who is secure, Sprint
will select the shorter bogus route!
P/S
Siemens
29
P/S
Sprint
Sprint is doomed
The bogus path is shorter!
4323
P/S
The legitimate
path is shorter!
A, D
69.63.176.0/24
P/S
2828
A
P/S
D
69.63.176.0/24
P/S
Siemens
30
Sprint
2828 and 4323
are immune
The legitimate
path is shorter!
Sprint is doomed
The bogus path is shorter!
4323
A, D
69.63.176.0/24
2828
A
Siemens
D
69.63.176.0/24
Regardless of who is secure, 4323 and
2828 will select legitimate routes!
31
Problem: Find upper and lower bound on
1
Metric(S) =
|V| 3
∑
Happy S,
A ,
d
prefix
all A
all d
 Key observation. Regardless of who is secure:
1. Doomed ASes will always choose bogus routes
2. Immune ASes will always choose legitimate routes
 Lower bound on Metric(S) = fraction of immune ASes
 Upper bound on Metric(S) = 1 – fraction of doomed ASes
32
Average Fraction of Happy ASes
upper bound
with BGPSEC
47%
36%
17%
53%
lower bound
with RPKI
results based on simulations on empirical AS-level graphs
In the most realistic security 3rd model, the best
we could do is make extra 17% happy with security!
33
Average Fraction of Happy ASes
Securing 50% of ASes on the Internet
47%
24%
36%
17%
53%
lower bound
with RPKI
results based on simulations on empirical AS-level graphs
Improvements in the security 3rd and 2nd models
are only 4% and 8% respectively.
34

Graph: A UCLA AS-level topology from 09-24-2012
 39K ASes, 73.5K and 62K customer-provider and peer links

For each attacker-destination pair, simulated routing and
determined the sets of doomed and immune ASes

Quantified security-benefit improvements for many different
BGPSEC deployment scenarios

Robustness Tests
 added 550K extra peering links inferred from IXP data on 09-24-2012
 accounted for traffic patterns by focusing on only certain destinations
(e.g. content providers) and attackers
 currently repeating all analysis with respect to different local pref models
35
Security Benefits or Juice

Unless Security is 1st or BGPSEC deployment is very large,
security benefits from partially deployed BGPSEC are meagre

Typically little observable difference between Sec 2nd and 3rd
BGP
prevent
prefix
hijack
prevent
route
manipulations
*protocol downgrades
collateral damages
routing instabilities
BGP and BGPSEC
coexistence: very tricky
RPKI
(origin authentication)
BGPSEC
36
check out the full version at
http://arxiv.org/abs/1307.2690
1
2
3
4
Proofs
More empirical analysis and plots
Robustness tests
BGPSEC deployment guidelines
37
Download