Towards Deployment of a Next-Generation Secure Internet Architecture
1. Towards Deployment of a Next-Generation Secure Internet Architecture
   Adrian Perrig, Network Security Group, ETH Zürich

2. A monumental structure: stood the test of time and seems immutable

3. Just like today's Internet? Can we fix its issues, though?
   Themes: Control, Transparency, Availability, Trust

4. Problem 1: Non-Scalability of Trust (Control, Transparency, Availability, Trust)

5. Pervasive Trust in Early Internet
   "There were only two other Dannys on the Internet then. I knew them both. We didn't all know each other, but we all kind of trusted each other, and that basic feeling of trust permeated the whole network." Danny Hillis, about the Internet in the early 1980s, TED talk, Feb
6. Non-Scalability of Trust
   - As the Internet has grown to encompass a large part of the global population, not everyone trusts everyone else on the Internet anymore
   - The heterogeneity of the global environment complicates entity authentication infrastructures
   - Relevant in this context: authentication of routing updates, DNS replies, TLS certificates
   - Two models for trust roots for authentication: the monopoly model and the oligarchy model

7. Monopoly Model for Trust Root
   - A single root of trust (i.e., root public key) that is globally accepted to authenticate entities
   - Examples: RPKI for BGPSEC or DNSSEC rely on one public key that forms the root of trust; all AS certificates or DNS records are authenticated based on that root of trust
   - Problems: the entire world needs to agree on one entity to hold the root of trust; single point of failure; inefficient revocation / update

8. Oligarchy Model for Trust Root
   - Numerous roots of trust that are globally accepted to validate entities
   - Example: the TLS PKI relies on > 1000 roots of trust; a TLS certificate is accepted if signed by any root of trust
   - Problems: single point of failure, since any single compromised root of trust can create any bogus TLS certificate; revocation/updates are handled through OS or browser updates

9. Proposed Approach: Isolation Domains
   - Observation: a subset of the Internet can agree on roots of trust → form an Isolation Domain with that root of trust
   - Authenticate entities (only) within each Isolation Domain
   - Users & domains can select an Isolation Domain based on its root of trust
   - Also supports modern log-based PKI approaches: CT, AKI, ARPKI, ...
   - Challenge: retain global verifiability
10. Problem 2: Control (Control, Transparency, Availability)

11. Who controls Internet Paths?
   - The current Internet offers limited control of paths
   - The Border Gateway Protocol (BGP) floods announcements for destinations

12. Who controls Internet Paths?
   - The current Internet offers limited control of paths
   - BGP floods announcements for destinations
   - No inbound traffic control

13. Who controls Internet Paths?
   - The current Internet offers limited control of paths
   - Paths can be hijacked and redirected

14. Who should control Paths?
   - Clearly, ISPs need some amount of path control to enact their policies.
   - How much path control should end points (sender and receiver) have?
   - Control is a tricky issue: how to empower end points without providing too much control?
   - Spectrum: no endpoint control, limited endpoint control, complete endpoint control
15. Problem 3: Transparency (Transparency, Availability)

16. Transparency: Internet Paths
   - Today, the sender cannot obtain a guarantee that a packet will travel along the intended path
   - It is impossible to gain assurance of the packet path, because router forwarding state can be inconsistent with the routing messages sent

17. Proposed Approach: Packet-Carried State
   - Packets carrying forwarding information provide path transparency
   - Note: this is orthogonal to path control, as the network can still define permitted paths
18. Problem 4: Availability

19. Poor Availability
   - Well-connected entity: 99.9% availability (86 s/day unavailability) [Katz-Bassett et al., SIGCOMM 2012]
   - Numerous short-lived outages due to BGP route changes: route convergence delays
   - Outages due to misconfigurations
   - Outages due to attacks, e.g., prefix hijacking, DDoS

20. Is a 10 s Outage per Day Harmful?
   - 99.99% reliability → average 8.6 s/day outage; this is the level of availability achieved by an Amazon datacenter
   - Insufficient for many applications: critical infrastructure command and control (e.g., air traffic control, smart grid control); Internet-based business (financial trading / transactions); telemedicine

21. Proposed Approach: Replace BGP
   BGPSEC suffers several fundamental problems:
   - Trust: uses a single root of trust (RPKI / BGPSEC)
   - Control: almost no path choice by end points
   - Transparency: no path guarantees
   - Availability: frequent periods of unavailability when paths change; slow convergence during iterative route computation; susceptible to attacks and misconfigurations
22. Evolutionary vs. Revolutionary Change
   - A revolutionary approach is necessary: some problems are fundamental, not fixable through evolution
   - A revolutionary approach is desirable: a fresh redesign can cleanly incorporate new mechanisms
   - Revolutionary technology change is easy through evolutionary deployment: if IP is relegated to providing local (intra-domain) communication, only a small fraction of border routers need to change; simultaneous operation with the current Internet is possible
   - Strong properties provide motivation for deployment

23. SCION Project
   - Scalability, Control, and Isolation On Next-Generation Networks [IEEE S&P 2011, CCS 2015, NDSS 2016]
   - Current main team: Daniele Asoni, David Barrera, Cristina Basescu, Chen Chen, Laurent Chuat, Sam Hitz, Jason Lee, Tae-Ho Lee, Steve Matsumoto, Chris Pappas, Adrian Perrig, Raphael Reischuk, Stephen Shirley, Pawel Szalachowski, Ercan Ucan

24. SCION Architectural Design Goals
   - High availability, even for networks with malicious parties: the adversary has access to the management plane of a router; communication should be available if an adversary-free path exists
   - Secure entity authentication that scales to a global, heterogeneous, (dis)trusted environment
   - Flexible trust: operate in a heterogeneous trust environment
   - Transparent operation: it is clear what is happening to packets and who needs to be relied upon for operation
   - Balanced control among ISPs, senders, and receivers
   - Scalability, efficiency, flexibility

25. SCION Isolation Domain (ISD)
   SCION Isolation Domain requirements:
   - A region that can agree on a common root of trust; groups a number of ASes
   - A set of ISPs to operate the Isolation Domain Core: manage ISD certificates for roots of trust; manage core path and beacon servers
   - Other ISDs need to agree to connect as peer or as provider
   - Open research issue how to best structure ISDs: political and legal issues arise; a possible partition is along geographical regions
26. SCION Isolation Domain (ISD)
   SCION Isolation Domain composition: an ISD Core with ISD Core ASes; other ISP ASes or end-domain ASes
   [Figure: ISD topology with the ISD Core, labelled TD1]

27. Beaconing for Route Discovery
   - Periodic Path Construction Beacons (PCBs)
   - Scalable and secure dissemination of path/topological information from core to edge
   - Policy-constrained multi-path flood to provide multiple paths
   [Figure: PCB dissemination from the TD1 Core]

28. SCION Forwarding (Data Plane)
   - Domains register paths at a DNS-like server in the ISD Core
   - End-to-end communication: the source fetches destination paths; source path + destination path → end-to-end path; the packet contains the forwarding information
   - Advantages: isolates forwarding from routing; no forwarding table at routers; transparent forwarding; balanced route control
   [Figure: TD1 Core with path server]

29. Path Construction and Usage
   Path Construction Beacon (PCB) construction:
   PCB_1 = < T_exp, Int_1, OF_1, S_1 >
      Opaque field OF_1 = Int_1 || MAC_K(T_exp || Int_1)
      Signature S_1 = {PCB_1}_K
   PCB_2 = < T_exp, Int_1, OF_1, S_1, Int_2, Int_3, OF_2, S_2 >
      Opaque field OF_2 = Int_2 || Int_3 || MAC_K(T_exp || Int_2 || Int_3 || OF_1)
      Signature S_2 = {PCB_2}_K
   AS receiving PCB_2: verify the signatures; use opaque fields OF_1, OF_2 to send packets to the ISD Core
   [Figure: TD with interfaces Int_1, Int_2, Int_3]
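The beacon construction on the slide above, and the data-plane use of the resulting opaque fields from the forwarding slide, worked through as an added example that is not part of the original talk or SCION's code. AS names, interface numbers, keys, the 8-byte MAC truncation and the wire encoding are constructed here, and the per-AS signature {PCB_k}_K is stood in by an HMAC tag under a per-AS key that verifiers are assumed to know (SCION uses public-key signatures checked against the ISD's certificates).

```python
"""Path Construction Beacons (PCBs) with chained opaque fields in the slide's
notation.  Added illustration, not SCION's code: AS names, interface numbers,
keys, the MAC truncation and the byte encoding are constructed, and the AS
signature {PCB_k}_K is stood in by an HMAC tag under a per-AS "signing key"
(SIG_KEYS) that verifiers are assumed to hold."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

TAG_LEN = 8  # constructed truncation of the HMAC-SHA256 output

def tag(key: bytes, *parts: bytes) -> bytes:
    """MAC_K over the concatenation of parts (slide notation MAC_K(a || b || ...))."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()[:TAG_LEN]

@dataclass(frozen=True)
class ASKeys:
    name: str
    mac_key: bytes  # K for opaque fields; known only to this AS's own routers
    sig_key: bytes  # stand-in for the AS signing key (see module docstring)

@dataclass(frozen=True)
class HopEntry:
    as_name: str
    ingress: int  # Int_k; 0 means "none" (the ISD core AS that originates the PCB)
    egress: int
    of: bytes     # OF_k = Int_k || MAC_K(T_exp || Int_k || OF_{k-1}); OF_0 is empty
    sig: bytes    # S_k = {PCB_k}_K over T_exp, all earlier entries, and this entry up to OF_k

@dataclass(frozen=True)
class PCB:
    t_exp: int                  # T_exp: expiry time shared by the whole beacon
    hops: Tuple[HopEntry, ...]  # core AS first, edge AS last

def ifaces(ingress: int, egress: int) -> bytes:
    return struct.pack(">HH", ingress, egress)

def signed_body(t_exp: int, hops: Tuple[HopEntry, ...]) -> bytes:
    """Serialize T_exp and the completed hop entries (each including its signature)."""
    body = struct.pack(">I", t_exp)
    for h in hops:
        body += h.as_name.encode() + ifaces(h.ingress, h.egress) + h.of + h.sig
    return body

def extend(pcb: PCB, keys: ASKeys, ingress: int, egress: int) -> PCB:
    """AS `keys.name` appends its interfaces, opaque field and signature: PCB_k -> PCB_{k+1}."""
    prev_of = pcb.hops[-1].of if pcb.hops else b""
    ifs = ifaces(ingress, egress)
    of = ifs + tag(keys.mac_key, struct.pack(">I", pcb.t_exp), ifs, prev_of)
    sig = tag(keys.sig_key, signed_body(pcb.t_exp, pcb.hops) + keys.name.encode() + ifs + of)
    return PCB(pcb.t_exp, pcb.hops + (HopEntry(keys.name, ingress, egress, of, sig),))

def verify_pcb(pcb: PCB, sig_keys: Dict[str, bytes], now: int) -> bool:
    """What an AS receiving PCB_k does: check expiry, then every hop's signature in order."""
    if now >= pcb.t_exp:
        return False
    for k, h in enumerate(pcb.hops):
        key = sig_keys.get(h.as_name)
        if key is None:
            return False
        body = signed_body(pcb.t_exp, pcb.hops[:k]) + h.as_name.encode() + ifaces(h.ingress, h.egress) + h.of
        if not hmac.compare_digest(h.sig, tag(key, body)):
            return False
    return True

def path_to_core(pcb: PCB) -> List[bytes]:
    """Packet-carried state for sending toward the ISD core: opaque fields OF_n, ..., OF_1."""
    return [h.of for h in reversed(pcb.hops)]

def router_check(keys: ASKeys, t_exp: int, of: bytes, prev_of: bytes) -> bool:
    """Data plane: a router of AS `keys.name` recomputes the MAC of the opaque field it is
    handed, so forwarding needs only the AS key, not a forwarding table."""
    ifs, mac_field = of[:4], of[4:]
    return hmac.compare_digest(mac_field, tag(keys.mac_key, struct.pack(">I", t_exp), ifs, prev_of))

# Constructed scenario: ISD core -> AS-B -> AS-C; AS-C receives PCB_3.
CORE = ASKeys("core", b"core-mac-key", b"core-sig-key")
AS_B = ASKeys("AS-B", b"b-mac-key", b"b-sig-key")
AS_C = ASKeys("AS-C", b"c-mac-key", b"c-sig-key")
SIG_KEYS = {a.name: a.sig_key for a in (CORE, AS_B, AS_C)}
T_EXP = 1_700_000_000  # constructed expiry timestamp

def build_demo_pcb() -> PCB:
    pcb1 = extend(PCB(T_EXP, ()), CORE, 0, 1)  # PCB_1 = <T_exp, Int_1, OF_1, S_1>
    pcb2 = extend(pcb1, AS_B, 2, 3)            # PCB_2 adds Int_2, Int_3, OF_2, S_2
    return extend(pcb2, AS_C, 4, 5)            # PCB_3 adds AS-C's entry

def tampered_pcb(pcb: PCB) -> PCB:
    """Same beacon with AS-B's egress interface rewritten in transit; S_2 no longer verifies."""
    h = pcb.hops[1]
    bad = HopEntry(h.as_name, h.ingress, 9, h.of, h.sig)
    return PCB(pcb.t_exp, (pcb.hops[0], bad) + pcb.hops[2:])
```

Each router validates only the opaque field that names its own interfaces, so a field whose interface numbers or chaining (the preceding OF) were altered fails the MAC check at that hop even though the beacon's signatures are never consulted in the data plane.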
30. Inter-ISD Communication
   [Figure: ISD1 to ISD4 cores connected through the ISD Core Interconnect, with path servers PS1 and PS3 and ASes A to I]

31. Shortcuts through Peering Links
   [Figure: the same topology with peering links between ASes]
32. Handling Link Failures
   - SCION clients use multi-path communication by default; other paths are likely to still function
   - Path construction beacons are constantly sent, disseminating new functioning paths
   - A link withdrawal message is sent upstream, to cause path servers to remove paths with the broken link, and downstream, to cause beacon servers to remove paths with the broken link

33. SCION Implementation Status
   - V1.0 specification almost completed
   - 3rd generation: C/C++ implementation
   - 4th generation: Python implementation
   - High-speed router implementation switching 120 Gbps on an off-the-shelf PC
   - So far ~60 person-years of effort invested
   - Growing testbed

34. SCION Packet Header
   [Figure: header layout] Fields shown: Type, Vers, Src Type, Dst Type, Total Len, TS*, Source Address (variable size), Destination Address (variable size), Curr OF*, Next Hdr, HDR Len; Opaque Field (0): Info, EXP Time, ISD ID, hops, reserved; extension headers: Next Ext, Ext Hdr Len, extension-related data; L4 Proto

35. Incremental Deployment Aspects
   - Current ISP topologies are consistent with SCION ISDs
   - Minor changes for ISPs: SCION edge router deployment; beacon / certificate / path server deployment (inexpensive commodity hardware); regular MPLS/IP/SDN forwarding internally; IP tunnels connect SCION edge routers in different ADs
   - Minor changes in end-domains: IP routing used for basic connectivity; a SCION gateway enables legacy end hosts to benefit from the SCION network
36. DENA Project: initial deployment without any changes to hosts
   [Figure: ISD1 to ISD4 cores, the ISD Core Interconnect, peering links and ASes A to I]

37. Demo: High-Speed Router
   - Standard PC with dual Intel Xeon E processors (~$500), 8 cores per processor
   - Intel 82599EB X520-DA2 NIC (2x 10 Gbps) (~$600)
   - Spirent SPTN4U-220 traffic generator
39. SCION Summary
   - A complete re-design of the network architecture resolves numerous fundamental problems: BGP protocol convergence issues; separation of control and data planes; isolation of mutually untrusted control planes; path control by senders and receivers; simpler routers (no forwarding tables); root of trust selectable by each ISD
   - SCION is an isolation architecture only for the control plane; in the data plane it is a transparency architecture.

40. Multipath Communication
   - SCION provides end-to-end paths to clients
   - Using multiple paths can provide many benefits: reliability (avoid a single point of failure); bandwidth (use more total bandwidth, subject to fairness constraints); cost (use cheaper links); latency (use paths with lower propagation delays)
   - Different strategies are possible based on applications, path characteristics, and topology
42. Anonymous Communication: HORNET
   - HORNET: High-speed Onion Routing at the Network Layer, Chen Chen, Daniele Enrico Asoni, David Barrera, George Danezis, and Adrian Perrig [ACM CCS 2015]
   - HORNET is a high-speed onion router using SCION: no per-flow state on routers; highly efficient processing (93 Gbps on our node); strong anonymity properties

43. OPT: Origin and Path Trace (Source Authentication and Path Validation)
   - SCION-authenticated paths enable ASes to verify path compliance. What about such assurances for sources and destinations?
   - Path validation enables source and destination to check whether packets exactly follow the intended AS-level path
   - Source authentication enables routers to authenticate the source and the packet content
   - High-speed operation, negligible processing overhead, no per-flow state on routers [Lightweight Source Authentication and Path Validation, SIGCOMM 2014]

44. SCION Extensions: DRKey, SIBRA, OPT, Multi-path Communication, DENA, Faultprints, RainCheck, HORNET, FAIR, ARPKI, SAINT, APNA

45. SCION Deployment at Swisscom and Switch
   [Figure: Swisscom AS, Level3 AS 3356, Cogent AS 174, TeliaSonera AS 1299 and ETH, with edge routers and SCION routers labelled S1 to S4, C1, C2, E1 and E2]

46. Early Deployment Scenarios
   - Properties desired by banks: guaranteed communication; DDoS defense; hijacking resilience; secure certificates
   - Properties desired by government: path control, path guarantees; high availability for critical infrastructures
   - Properties desired by education: multi-path communication; research platform

47. Opportunities / Trends
   - Mobility: SCION supports in-connection path update; the multi-path system immediately makes use of a new path; the DNS / path server system enables dynamic updates
   - SDN: SCION can work with SDN within domains; SCION has properties of an intra-domain SDN
   - Content-centric communication support
   - Cloud computing

48. SCION Dangers
   - Too many top-level ISDs
   - Too many ISPs part of the ISD core
   - Large packet header size
   - Too many extensions used
   - Higher complexity (extensions, PKI)
   - Extremely high path fluctuations and changes

49. Summary
   - A complete re-design of the network architecture resolves fundamental problems: BGP protocol convergence issues; separation of control and data planes; isolation of mutually untrusted control planes; path control by senders and receivers; simpler routers (no forwarding tables); root of trust selectable by Isolation Domain
   - SCION provides new properties, enabling new applications and services: communication transparency; guaranteed bandwidth; anonymity
   - Several ISPs and corporations are now engaging in a pilot deployment
More informationSome Thoughts on Integrity in Routing
Some Thoughts on Integrity in Routing Geoff Huston Chief Scientist, APNIC What we want We want the routing system to advertise the correct reachability information for legitimately connected prefixes at
More informationOur Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II
Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 Yes: Creating a secure channel for communication (Part I) Protecting
More informationA Policy Framework for a Secure
A Policy Framework for a Secure Future Internet Jad Naous(Stanford University) Arun Seehra(UT Austin) Michael Walfish(UT Austin) David Mazières(Stanford University) Antonio Nicolosi(Stevens Institute of
More informationSDX: A Software Defined Internet Exchange
SDX: A Software Defined Internet Exchange @SIGCOMM 2014 Laurent Vanbever Princeton University FGRE Workshop (Ghent, iminds) July, 8 2014 The Internet is a network of networks, referred to as Autonomous
More informationNetwork Security (and related topics)
Network Security (and related topics) EE122 Fall 2012 Scott Shenker http://inst.eecs.berkeley.edu/~ee122/ Materials with thanks to Jennifer Rexford, Ion Stoica, Vern Paxson and other colleagues at Princeton
More informationPathlet Routing. P. Brighten Godfrey, Igor Ganichev, Scott Shenker, and Ion Stoica SIGCOMM (maurizio patrignani)
Pathlet Routing P. Brighten Godfrey, Igor Ganichev, Scott Shenker, and Ion Stoica SIGCOMM 2009 (maurizio patrignani) Reti di Calcolatori di Nuova Generazione http://www.dia.uniroma3.it/~rimondin/courses/rcng1011/
More informationA scalable NAT-based solution to Internet access denial by higher-tier ISPs
SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks (2012) Published online in Wiley Online Library (wileyonlinelibrary.com)..557 RESEARCH ARTICLE A scalable NAT-based solution to Internet access
More informationInter-Domain Routing: BGP
Inter-Domain Routing: BGP Richard T. B. Ma School of Computing National University of Singapore CS 3103: Compute Networks and Protocols Inter-Domain Routing Internet is a network of networks Hierarchy
More informationComputer Network Architectures and Multimedia. Guy Leduc. Chapter 2 MPLS networks. Chapter 2: MPLS
Computer Network Architectures and Multimedia Guy Leduc Chapter 2 MPLS networks Chapter based on Section 5.5 of Computer Networking: A Top Down Approach, 6 th edition. Jim Kurose, Keith Ross Addison-Wesley,
More informationIntroduction to Cisco ASR 9000 Series Network Virtualization Technology
White Paper Introduction to Cisco ASR 9000 Series Network Virtualization Technology What You Will Learn Service providers worldwide face high customer expectations along with growing demand for network
More informationRAPTOR: Routing Attacks on Privacy in Tor. Yixin Sun. Princeton University. Acknowledgment for Slides. Joint work with
RAPTOR: Routing Attacks on Privacy in Tor Yixin Sun Princeton University Joint work with Annie Edmundson, Laurent Vanbever, Oscar Li, Jennifer Rexford, Mung Chiang, Prateek Mittal Acknowledgment for Slides
More informationRouting Concepts. IPv4 Routing Forwarding Some definitions Policy options Routing Protocols
Routing Basics 1 Routing Concepts IPv4 Routing Forwarding Some definitions Policy options Routing Protocols 2 IPv4 Internet uses IPv4 Addresses are 32 bits long Range from 1.0.0.0 to 223.255.255.255 0.0.0.0
More informationOpFlex: An Open Policy Protocol
White Paper OpFlex: An Open Policy Protocol Data Center Challenges As data center environments become increasingly dynamic, networks are increasingly asked to provide agility and flexibility without compromising
More informationRouting, Routing Algorithms & Protocols
Routing, Routing Algorithms & Protocols Computer Networks Lecture 6 http://goo.gl/pze5o8 Circuit-Switched and Packet-Switched WANs 2 Circuit-Switched Networks Older (evolved from telephone networks), a
More informationRouting Basics ISP/IXP Workshops
Routing Basics ISP/IXP Workshops 1 Routing Concepts IPv4 Routing Forwarding Some definitions Policy options Routing Protocols 2 IPv4 Internet uses IPv4 addresses are 32 bits long range from 1.0.0.0 to
More informationLecture 13: Routing in multihop wireless networks. Mythili Vutukuru CS 653 Spring 2014 March 3, Monday
Lecture 13: Routing in multihop wireless networks Mythili Vutukuru CS 653 Spring 2014 March 3, Monday Routing in multihop networks Figure out a path from source to destination. Basic techniques of routing
More informationThe Design and Implementation of a Next Generation Name Service for the Internet (CoDoNS) Presented By: Kamalakar Kambhatla
The Design and Implementation of a Next Generation Name Service for the Internet (CoDoNS) Venugopalan Ramasubramanian Emin Gün Sirer Presented By: Kamalakar Kambhatla * Slides adapted from the paper -
More informationAn Operational Perspective on BGP Security. Geoff Huston February 2005
An Operational Perspective on BGP Security Geoff Huston February 2005 Disclaimer This is not a description of the approach taken by any particular service provider in securing their network. It is intended
More informationInternet Research Task Force (IRTF) Category: Informational May 2011 ISSN:
Internet Research Task Force (IRTF) T. Li, Ed. Request for Comments: 6227 Cisco Systems, Inc. Category: Informational May 2011 ISSN: 2070-1721 Abstract Design Goals for Scalable Internet Routing It is
More informationVXLAN Overview: Cisco Nexus 9000 Series Switches
White Paper VXLAN Overview: Cisco Nexus 9000 Series Switches What You Will Learn Traditional network segmentation has been provided by VLANs that are standardized under the IEEE 802.1Q group. VLANs provide
More informationCentralization of Network using Openflow Protocol
Indian Journal of Science and Technology, Vol 8(S2), 165 170, January 2015 ISSN (Print) : 0974-6846 ISSN (Online) : 0974-5645 DOI : 10.17485/ijst/2015/v8iS2/61217 Centralization of Network using Openflow
More informationHIP Host Identity Protocol. October 2007 Patrik Salmela Ericsson
HIP Host Identity Protocol October 2007 Patrik Salmela Ericsson Agenda What is the Host Identity Protocol (HIP) What does HIP try to solve HIP basics Architecture The HIP base exchange HIP basic features
More informationModule: Routing Security. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security
CMPSC443 - Introduction to Computer and Network Security Module: Routing Security Professor Patrick McDaniel Spring 2009 1 Routing 101 Network routing exists to provide hosts desirable paths from the source
More informationBringing SDN to the Internet, one exchange point at the time
Bringing SDN to the Internet, one exchange point at the time Joint work with: Arpit Gupta, Muhammad Shahbaz, Sean P. Donovan, Russ Clark, Brandon Schlinker, E. Katz-Bassett, Nick Feamster, Jennifer Rexford
More informationIntroducción al RPKI (Resource Public Key Infrastructure)
Introducción al RPKI (Resource Public Key Infrastructure) Roque Gagliano rogaglia@cisco.com 4 Septiembre 2013 Quito, Equator 2011 Cisco and/or its affiliates. All rights reserved. 1 Review of problem to
More informationLecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015
Lecture 6 Internet Security: How the Internet works and some basic vulnerabilities Thursday 19/11/2015 Agenda Internet Infrastructure: Review Basic Security Problems Security Issues in Routing Internet
More information