Routing Security. Professor Patrick McDaniel, CSE545 - Advanced Network Security, Spring


1 Routing Security Professor Patrick McDaniel CSE545 - Advanced Network Security Spring

2 AS7007

3 Routing 101. Network routing exists to provide hosts with desirable paths from source to destination. What "desirable" means depends on the type of protocol in use. Two main approaches to routing: Link state - collected metrics of the paths between hosts, e.g., OSPF. Distance vector - shortest path based on exchanged routing tables, e.g., BGP.

4 Routing Security. Bad guys play games with routing protocols. Traffic is diverted. The enemy can see the traffic. The enemy can easily modify the traffic. The enemy can drop the traffic. Cryptography can mitigate the effects, but not stop them. History: we don't have a lot of good answers!

5 How is it Different? Most communications security failures happen because of buggy code or broken protocols. Routing security failures often happen despite good code and functioning protocols. The problem is a dishonest participant. Hop-by-hop authentication isn't sufficient.

6 Routing... [figure: Host A, Host B and router Z]

7 The Enemy's Goal? [figure: Host A, Host B and router Z]

8 Routing Protocols. Routers speak to each other. They exchange topology and cost information. Each router calculates the shortest path to each destination. Routers forward packets along the locally shortest path. An attacker can lie to other routers.

9 Normal Behavior [figure: Host A, Host B, routers Y and Z; link costs 5, 5, 10, 5, 10] Y: B(10). Z: B(10). Z: Y(5), B(15). A: Z(5), Y(5), B(15).

10 Malicious Behavior [figure: as on slide 9, with Z claiming a cost of 3 toward B] Y: B(10). Z: B(10). Z: Y(5), B(3). A: Z(5), Y(5), B(8).

11 Why is the Problem Hard? A has no knowledge of Z's real connectivity. Even Y has no such knowledge. The problem isn't the link from A to Z; the problem is the information being sent. (Note that Z might itself be deceived by some other neighbor Q.)
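To make the lying-router effect of slides 9-11 concrete, here is a small distance-vector simulation added to these notes (it is not part of the lecture). The four-node topology and its costs are constructed from the figure as far as it survives, and the `lies` argument lets one router send a different vector to one particular neighbour, so Z can tell A one story and Y another.

```python
# Added example: a synchronous distance-vector simulation on a constructed
# four-node topology. Nothing here is taken from a real network.
from typing import Dict, List, Tuple

# Constructed link costs, read off the Normal Behaviour figure as far as it survives:
# A-Y 5, A-Z 5, Y-Z 5, Y-B 10, Z-B 10.
LINKS = {("A", "Y"): 5, ("A", "Z"): 5, ("Y", "Z"): 5, ("Y", "B"): 10, ("Z", "B"): 10}

Table = Dict[str, Dict[str, Tuple[int, str]]]  # node -> dest -> (cost, next_hop)


def neighbours(links: Dict[Tuple[str, str], int]) -> Dict[str, Dict[str, int]]:
    nbrs: Dict[str, Dict[str, int]] = {}
    for (u, v), cost in links.items():
        nbrs.setdefault(u, {})[v] = cost
        nbrs.setdefault(v, {})[u] = cost
    return nbrs


def run_distance_vector(links, lies=None, max_rounds=20) -> Table:
    """Exchange vectors Bellman-Ford style until the tables stop changing.

    lies maps (liar, victim) -> {dest: claimed_cost}: the vector the liar sends to
    that one neighbour is patched with the claimed costs, so a dishonest router
    can say different things in different directions.
    """
    lies = lies or {}
    nbrs = neighbours(links)
    nodes = sorted(nbrs)
    table: Table = {n: {n: (0, n)} for n in nodes}
    for _ in range(max_rounds):
        new_table: Table = {}
        for n in nodes:
            best = {n: (0, n)}
            for nb, link_cost in nbrs[n].items():
                # what nb advertises to n: its own table, plus any lie aimed at n
                advertised = {d: c for d, (c, _) in table[nb].items()}
                advertised.update(lies.get((nb, n), {}))
                for dest, adv_cost in advertised.items():
                    if dest == n:
                        continue
                    cand = link_cost + adv_cost
                    if dest not in best or cand < best[dest][0]:
                        best[dest] = (cand, nb)
            new_table[n] = best
        if new_table == table:
            break
        table = new_table
    return table


def forwarding_path(table: Table, src: str, dst: str) -> List[str]:
    """Follow next hops from src to dst, the way packets actually travel."""
    path = [src]
    while path[-1] != dst:
        path.append(table[path[-1]][dst][1])
        if len(path) > len(table):
            raise RuntimeError("forwarding loop")
    return path


if __name__ == "__main__":
    honest = run_distance_vector(LINKS)
    print("honest A->B:", honest["A"]["B"], forwarding_path(honest, "A", "B"))
    # Z tells A (and only A) that B costs 3; its real cost to B is still 10.
    lying = run_distance_vector(LINKS, lies={("Z", "A"): {"B": 3}})
    print("lying  A->B:", lying["A"]["B"], forwarding_path(lying, "A", "B"))
```

With the lie in place A's forwarding path becomes A-Z-B: the traffic still costs 15 to deliver, but it now crosses the dishonest router, while Y's table is untouched because Z told Y the truth. That is exactly why neither A nor Y can detect the problem from their own tables.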

12 Worm-Holing [figure: Host A, Host B, two adversary nodes labelled Z]

13 Worm-Holing [figure: Host A, Host B, two adversary nodes labelled Z; traffic tunnelled between them]

14 Link Cutting [figure: Host A, Host B, two adversary nodes labelled Z]

15 Link Cutting [figure: Host A, Host B, two adversary nodes labelled Z; a link removed so traffic crosses Z]

16 Why So Little Progress? It's a really, really hard problem. Actually, getting routing to work well is hard enough. It has been outside the scope of traditional communications security.

17 Routing in the Internet. Two types: internal and external routing. Intradomain - internal (within an ISP or company): primarily OSPF. Interdomain - external (between ISPs, and some customers): BGP. Topology matters.

18 OSPF (Open Shortest Path First). Each node announces its own connectivity. The announcement includes link cost. Each node reannounces all information received from peers. Every node learns the full map of the network. Each node calculates the shortest path to all destinations. [figure: Host A, Host B, router Z; link costs 10 and 5] Note: limited to a few thousand nodes at most.

19 Characteristics of Internal Networks. Common management. Common agreement on cost metrics. Companies have less rich topologies, but less controlled networks. ISPs have very rich---but very specialized---topologies, but well-controlled networks.

20 Secure OSPF? Simple link security is hard: multiple-access net. Shared secrets guard against new machines being plugged in, but not against an authorized party being dishonest. Solution: digitally sign each routing update (expensive!) and list authorizations in a certificate. Experimental RFC by Murphy et al. Note: everyone sees the whole map; a monitoring station can note discrepancies from reality. (But bad guys can send out different announcements in different directions.)

21 BGP (Border Gateway Protocol). BGP is the protocol used to route information at the autonomous system level (a distance vector protocol). Everyone builds a route to every AS in the Internet based on paths received from neighbors. Routes are flooded to neighbors. Path selection is based on policy (not always shortest path).

22 Routing in a nutshell: The Internet...

23 Routing in a nutshell: ...is made up of Autonomous Systems (ASes)...

24 Routing in a nutshell: ...linked at Border Routers.

25 Routing in a nutshell: The Border Gateway Protocol determines which ASes to follow from source to destination.

26 Routing in a nutshell: Each AS is responsible for moving packets inside it. Intra-AS routing is (mostly) independent from inter-AS routing.

27 The BGP Protocol. BGP messages: Origin announcements: "I own this block of addresses." Route advertisements: "To get to this address block, send packets destined for it to me. And by the way, here is the path of ASes it will take." Route withdrawals: "Remember the route to this address block I told you about? That path of ASes no longer works." Route decisions: Border routers receive many origin announcements / route advertisements, one from each of their peers. They choose the best path and send their selection downstream. BGP attributes: BGP messages have additional attributes to help routers choose the best path: AS_path (above), MED, community strings. Systems and Internet Infrastructure Security Laboratory (SIIS)

28 Routing in a nutshell: Propagate throughout the network.

29 BGP announcements. Which path gets picked depends on the advertised attributes.

30 BGP Connection FSM [figure: BGP finite state machine]

31 BGP Operation: Connection Setup. A router speaks BGP with another router, generally physically connected to it, in another AS. These two routers are called BGP peers. Before coming online, the router is in the Idle state. When the router comes online, it creates a BGP session with its peer. BGP runs over TCP, and a TCP connection is made first between the two peers (port 179). The router is in the Connect state during this time. When the connection is established, the router moves into the Established state.

32 BGP Operation: Information Exchange. Once the BGP session is active, the peers exchange routing data. This information is passed through the UPDATE message, which contains a list of advertised prefixes, known as network layer reachability information (NLRI), and withdrawn routes. Prefixes with different policy attributes are sent in separate UPDATE messages. Route setup can create heavy exchanges of messages and be computationally intensive for the router.

33 BGP Operation: Path Attributes. ORIGIN: shows whether the prefix was learned through interior or exterior routing. AS_PATH: the ASes that the prefix has passed through during this advertisement. BGP is a path vector protocol, and the prefix with the fewest ASes traversed is usually preferred. Including the AS path vector prevents looping. NEXT_HOP: the node to send packets back to in order to get them closer to their destination.

34 Other Common Path Attributes. MULTI_EXIT_DISC (MED): if two ASes connect in multiple locations, the MED can be used by a peer to favour a particular link to improve routing. LOCAL_PREF: used by the local AS to assign a degree of preference of one link for a given prefix over another. ATOMIC_AGGREGATE: lets the router know not to deaggregate an advertisement into more specific prefixes. AGGREGATOR: specifies the AS and router that performed aggregation of a prefix.

35 In class exercise: Fill in the routing tables... [figure: worksheet for AS 1 through AS 5, each with a table of CIDR Block / AS PATH rows to complete; AS 1, AS 3, AS 4 and AS 5 each hold a /24 block and AS 2 holds a /16; the addresses are not recoverable]

36 BGP: simplified routing algorithm
1. Initialize: advertise yourself as ORIGIN of all of your CIDR blocks to all peers in UPDATE messages.
2. Steady state: repeat
(a) If a link fails, remove every route involving that link from the internal routing table.
(b) Receive UPDATEs from peers, add new routes to the internal table, remove all WITHDRAWN routes from the internal table.
(c) Select the best route for every CIDR block you have heard.
(d) If a previously advertised route is no longer best for that CIDR block, WITHDRAW it from all peers you advertised it to.
(e) Send an UPDATE for every best route that you have not previously advertised to all peers except the ASes in the path.

37 BGP Misconfiguration. One of the largest problems with BGP is misconfiguration, the leading cause of instability on the Internet. Causes: Stupidity. Poor configuration tools. Under-specified network requirements. Changing network topology. Unexpected network states. Often misconfiguration can lurk for months or years before it is detected or its effects are felt.

38 Mahajan et al., SIGCOMM 02 study of BGP misconfiguration. Those instances where configurations caused problems: unintended suppression of a legitimate advertisement; unintended creation of an illegitimate advertisement. Human factors terminology: slips - inadvertent errors, e.g., typos; mistakes - design errors, e.g., Methodology: use data from the RouteViews routing repository collected over 3 years and 23 vantage points located over the globe; contacted ASes for information on causes.

39 Study Results. Errors detected: prefix hijacking - incorrect advertisement of addresses; improper route export - exporting routes/paths in violation of stated ISP policies. Problems are universal, pervasive, and pathological: prefixes seeing misconfiguration per day ( % of 2002 table size); 3 in 4 new prefix advertisements are the result of misconfigurations; about 15 hijacks per day (how about today?). Result: a constant stream of incorrect information is being received by routers.* Interesting thought: how to secure in this environment? *only gets worse after

40 Attacks Against BGP. Control plane: Timing, Availability. Data plane: Origin, Path.

41 Prefix Hijacking. An attacker can forge an UPDATE message that claims to originate a known prefix. For example, my organization could decide to be AT&T for a day, and advertise /8. Outbound route filtering should catch this, but many operators do not perform proper filtering policy within their AS.

42 Prefix Destabilization. By forcing route flapping on a given link, an attacker adjacent to a peer can cause BGP dampening to occur. Routes that flap are penalized by being suppressed. The period of suppression increases depending on how many times the BGP session changes state and on the length of the prefix (longer prefixes are penalized more than shorter ones). Black holes are a major problem of origin attacks.

43 Black Holes are out of sight. If another AS advertises one of our prefixes, bad things happen: [figure: AS 1 through AS 6; C1 announces a /16 (legitimate), C4 announces the same /16 (not legitimate!)]

44 Black Holes are out of sight. The prefix becomes unreachable from the part of the net believing C4's announcement. [figure: same topology; C1's /16 legitimate, C4's /16 not legitimate!]

45 Self-deaggregation. Within the AS, a prefix can be broken into smaller blocks and advertised as such. Because of longest-prefix matching, these will be preferred (e.g., a /24 is preferred over a /8 because it is more specific). This is the heart of the AS7007 incident, where much of the Internet lost its routing. It can also cause a large burden on the routers, because of the increase in computation and routing table size.
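The following detector is added here (it is not from the lecture) to show what slides 41 and 45 look like from the monitoring side: a baseline of expected prefix-to-origin bindings, observed announcements checked against it, and a longest-prefix lookup that shows why a more-specific announcement captures traffic even when the legitimate aggregate is still present. The baseline, the prefixes (private and documentation ranges) and the ASNs (the 64496-64511 documentation range) are all constructed.

```python
# Added example: classify observed BGP announcements against a baseline of expected
# origins. Baseline, prefixes and ASNs are constructed for illustration.
import ipaddress
from typing import Dict, List, Tuple

BASELINE = {"10.0.0.0/8": 64500, "203.0.113.0/24": 64496}   # prefix -> expected origin AS

# constructed observations: (prefix, AS_PATH as received); the rightmost ASN is the origin
OBSERVED = [
    ("203.0.113.0/24", [64510, 64501, 64496]),   # as expected
    ("203.0.113.0/24", [64510, 64511]),          # same prefix, different origin (slide 41)
    ("10.1.2.0/24", [64510, 64500]),             # the owner deaggregates its own /8 (slide 45)
    ("10.3.0.0/16", [64510, 64511]),             # a more-specific from a foreign origin
    ("192.0.2.0/24", [64510, 64502]),            # nothing in the baseline covers it
]


def classify(baseline: Dict[str, int], prefix: str, as_path: List[int]) -> Tuple[str, str]:
    """Return (verdict, detail) for one observed announcement."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    if prefix in baseline:
        if baseline[prefix] == origin:
            return "ok", f"{prefix} from expected origin AS{origin}"
        return "origin_change", f"{prefix} originated by AS{origin}, expected AS{baseline[prefix]}"
    # no exact match: find the most specific baseline prefix that covers it
    covers = [ipaddress.ip_network(p) for p in baseline]
    covers = [c for c in covers if c.version == net.version and net.subnet_of(c)]
    if not covers:
        return "new_prefix", f"{prefix} has no covering prefix in the baseline"
    cover = max(covers, key=lambda c: c.prefixlen)
    expected = baseline[str(cover)]
    if expected == origin:
        return "deaggregation", f"{prefix} is a more-specific of {cover} from its own origin AS{origin}"
    return "more_specific_hijack", f"{prefix} is a more-specific of {cover} from AS{origin}, expected AS{expected}"


def longest_match(routes: Dict[str, List[int]], ip: str) -> Tuple[str, List[int]]:
    """Forwarding follows the most specific accepted prefix, whoever announced it;
    this is why a rogue /24 beats the legitimate /8 for the addresses it covers."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, path in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, path)
    if best is None:
        raise LookupError(f"no route for {ip}")
    return str(best[0]), best[1]


def audit(baseline=BASELINE, observed=OBSERVED) -> List[str]:
    """Verdict per observation, in input order."""
    return [classify(baseline, prefix, path)[0] for prefix, path in observed]


if __name__ == "__main__":
    for (prefix, path), verdict in zip(OBSERVED, audit()):
        print(f"{verdict:22s} {classify(BASELINE, prefix, path)[1]}")
    # with both the /8 and the rogue /16 accepted, traffic for 10.3.4.5 follows the /16
    print(longest_match({"10.0.0.0/8": [64500], "10.3.0.0/16": [64510, 64511]}, "10.3.4.5"))
```

The verdict names are mine; the useful distinction is between a more-specific from the prefix's own origin (ordinary deaggregation, which the AS7007 case shows can still be harmful in volume) and one from a foreign origin, which is the black-hole scenario of slides 43-44.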

46 Path Modification. BGP is a path-vector protocol, so the length of the path is a major factor in accepting a route. AS path prepending can be used to bias a route (adding the same AS number repeatedly to a route). An attacker with the ability to modify the AS path can force traffic to follow patterns it otherwise wouldn't.

47 Path Forgery. If an AS_PATH attribute is completely forged, the attacker has even more control over traffic. This can allow for traffic analysis, since traffic is engineered in the direction the attacker desires. This can also lead to black holes, as previously discussed.

48 Policy Modification. By modifying policy attributes, traffic can be biased in certain ways and routing can be compromised. Examples: changing the MED or Local_Pref values can cause suboptimal routing within the peer's or local AS, respectively.

49 TCP SYN Attacks. SYN forgery: if the attacker sends a SYN, the peer may think this is a legitimate connection; if the attacker guesses the correct SYN ACK, a collision will result, causing the legitimate connection to fail. SYN-ACK forgery: an attacker timing a SYN ACK and sending it during TCP setup can bring down the connection. SYN flood: overwhelm the router's resources with SYN packets until it runs out of connections.

50 Spoofing. A forged BGP OPEN message can bring down a connection: if a connection is in the process of being opened, an attacker sending an OPEN message can cause a collision, and the legitimate connection would be terminated. Similarly, a BGP KEEPALIVE sent while peers are connecting will cause the session to fail, if the peers are in the Connect, Active or OpenSent state.

51 Modifying BGP Timers. If the attacker can gain control of timer functionality, messages can be delayed and connections forced closed. KeepAlive timer, Hold timer and OpenDelay timer: if altered, messages and the connection itself may be dropped. KEEPALIVE messages are heartbeat messages to ensure the BGP connection exists.

52 Availability Attacks through BGP. Forged NOTIFICATION message: a NOTIFICATION is indicative of an error, so whenever this message is passed, the connection is brought down and the peer states change to Idle. Syntax or parse errors in BGP messages: if a packet is malformed, values are invalid or message headers contain errors, the peer will drop the connection.

53 Route Flooding. Any attack that brings down a connection or causes it to bounce will force its peers to dump their routing tables to it. These can overwhelm the router depending on the number of routes it receives, and are computationally and bandwidth intensive in any case. Route flapping is also an availability attack, penalized by BGP dampening algorithms that force suppression of the advertisement.

54 Physical Attacks. Link cutting: if the attacker knows the network topology, bringing down certain links (through DoS attacks, or a backhoe) can force traffic into the pattern they desire. Taking control of the router: for example, exploiting a buffer overflow (such as the SNMP attack); can cause the router to reboot. Physical destruction of the router. As always, network security is dependent on physical security.

55 Bellovin/Gansner Link Cutting. Given: a network $G$ with vertices (routers) $V = \{v_1, \dots, v_n\}$, edges (links) $L = \{l_1, \dots, l_m\}$, a set of adversary-controlled vertices (routers) within $V$, a source $s \in V$ and a destination $t \in V$. Goal: route $s$ to $t$ through some adversary-controlled $v_i$.

56 1. If some $v_i$ is on the path from $s$ to $t$, done.
2. For each $v_i$, compute the shortest simple path from $s$ to $t$ through $v_i$. If none exists, no solution is possible.
3. Pick the shortest such path $P$, of length $l$; set each of its edges an infinite cut cost, and set all others to 1.
4. Find the min $s$-$t$ cut $C \subseteq L$ of the graph.
5. For each edge $c_i$ in the cut, remove it if the shortest path from $s$ to $t$ through $c_i$ is less than $l$.

57 Example 1. If some $v_i$ is on the path from $s$ to $t$, done. [figure: graph with nodes S, A, B, C, D, E, F, G, T; path S-A-G-T highlighted]

58 Example 2. For each $v_i$, compute the shortest simple path from $s$ to $t$ through $v_i$. If none exists, no solution is possible. [figure: same graph] $|SAGT| = 3$, $|SABCDGT| = 6$, $|SAEFGT| = 5$.

59 Example 3. Pick the shortest path $P$ of length $l$, set each of its edges an infinite cut cost, set all others to 1. [figure: edges of S-A-E-F-G-T marked with infinite cut cost; every other edge has cost 1]

60 Example 4. Find the min $s$-$t$ cut $C \subseteq L$ of the graph. [figure: the graph with cut costs and the minimum cut]

61 Example 5. For each edge $c_i$ in the cut, remove it if the shortest path from $s$ to $t$ through $c_i$ is less than or equal to $l$. [figure: same graph] $|SAGT| = 3$, $|SABCDGT| = 6$, $|SAEFGT| = 5$.

62 Class notes. Next Tue: Enck Thesis. Next Tue: cybertorium (113 IST).

63 In class exercise: Fill in the routing tables... [figure: worksheet for AS 1 through AS 5, each with a table of CIDR Block / AS PATH rows to complete; AS 1, AS 3, AS 4 and AS 5 each hold a /24 block and AS 2 holds a /16; the addresses are not recoverable]

64 Problems to Solutions? Independent of the type, routing requires securing the following information for a source: where is the destination address? what is the best path to that address? Answering these questions in practice is complex, as it necessarily requires us to trust foreign entities or devices about which we may know little (if anything). This is a nasty secure distributed computation, and everyone on the Internet must play.

65 Solving BGP Security. Reality: most deployed techniques for securing BGP have been at the local level: filtering; securing BGP peering. Future: a number of complex protocols have been proposed to solve some or all BGP security issues: S-BGP, sobgp, IRV, SPV, BGPSEC. We will be looking at these solutions over the next couple of lectures. CSE598K/CSE545 - Advanced Network Security - McDaniel

66 Filtering. Filtering just drops BGP messages (typically advertisements) as they are passed between ASes: ingress filtering (as a message is received), egress filtering (as it is sent). Types of filtering: by prefix (e.g., bogon/martian list); by path (e.g., customer advertisement of provider routes); by policy (e.g., some community strings that represent paths/policies that an AS does not want to support). ISP ASes aggressively filter (the security mechanism).
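An ingress filter implementing the three filter types on this slide, added as an example (it is not the lecture's code nor any vendor's). The bogon list is a partial sample, and the session model (a customer prefix-list, a customer cone of permitted ASNs, and communities the local AS refuses to honour) is a constructed simplification of what operators actually configure; the local ASN and all peer ASNs are from the documentation range.

```python
# Added example: per-session ingress filtering of BGP UPDATEs by prefix, path and
# policy. All sessions, ASNs and prefixes are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

MY_ASN = 64500
# partial sample of prefixes that should never be routed on the public Internet
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
           "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]
MAX_PREFIX_LEN = 24            # anything longer than a /24 is refused


@dataclass
class Session:
    peer_asn: int
    kind: str                                                   # "customer", "peer" or "provider"
    allowed_prefixes: List[str] = field(default_factory=list)   # customer prefix-list
    customer_cone: List[int] = field(default_factory=list)      # ASNs a customer may carry in its path
    rejected_communities: List[str] = field(default_factory=list)


@dataclass
class Update:
    prefix: str
    as_path: List[int]
    communities: List[str] = field(default_factory=list)


def _covered(net, nets) -> bool:
    return any(net.version == n.version and net.subnet_of(n) for n in nets)


def ingress_filter(u: Update, s: Session) -> Tuple[bool, str]:
    """Return (accepted, reason) for one UPDATE arriving on one session."""
    net = ipaddress.ip_network(u.prefix)
    # by prefix: bogons and overly specific announcements
    if _covered(net, BOGONS):
        return False, "bogon prefix"
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, "prefix too specific"
    # by path: our own ASN means a loop, and the first hop must be the session's peer
    if MY_ASN in u.as_path:
        return False, "own ASN in AS_PATH"
    if u.as_path[0] != s.peer_asn:
        return False, "AS_PATH does not start with the peer"
    # customer sessions: only the customer's prefixes, and only paths inside its cone,
    # which stops a customer re-advertising routes it learned from a provider or peer
    if s.kind == "customer":
        allowed = [ipaddress.ip_network(p) for p in s.allowed_prefixes]
        if not _covered(net, allowed):
            return False, "prefix not in customer prefix-list"
        if any(asn not in s.customer_cone for asn in u.as_path):
            return False, "AS_PATH leaves the customer cone"
    # by policy: communities the local AS does not want to act on
    for c in u.communities:
        if c in s.rejected_communities:
            return False, f"rejected community {c}"
    return True, "accepted"


def example_run() -> List[Tuple[str, bool, str]]:
    """Constructed sessions and UPDATEs; returns (label, accepted, reason) per case."""
    customer = Session(64501, "customer", ["198.51.100.0/24"], [64501, 64502], ["64500:666"])
    peer = Session(64510, "peer")
    cases = [
        ("customer own /24", customer, Update("198.51.100.0/24", [64501])),
        ("customer sends RFC 1918 space", customer, Update("10.1.0.0/16", [64501])),
        ("customer leaks a non-customer route", customer, Update("198.51.100.0/24", [64501, 64510])),
        ("customer /25", customer, Update("198.51.100.128/25", [64501])),
        ("community we refuse", customer, Update("198.51.100.0/24", [64501, 64502], ["64500:666"])),
        ("peer with our ASN in path", peer, Update("203.0.113.0/24", [64510, 64500, 64520])),
        ("peer path not starting at peer", peer, Update("203.0.113.0/24", [64511, 64520])),
    ]
    return [(label, *ingress_filter(u, s)) for label, s, u in cases]


if __name__ == "__main__":
    for label, accepted, reason in example_run():
        print(f"{'ACCEPT' if accepted else 'DROP  '} {label:36s} {reason}")
```

The order of the checks matters operationally: the cheap, session-independent prefix checks run first, and the customer-only checks are the ones that would have caught the AS7007-style leak of routes the customer never owned.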

67 Protecting Peer Communication. Two routers exchanging BGP messages (in a BGP session) need to secure their communication: Integrity. Confidentiality? Authenticity. Non-repudiability? Note: this is often defined as a transport security issue, where just secure point-to-point communication is necessary.

68 MD5. A simple solution (RFC 2385): share a private secret (e.g., a password); compute a keyed message authentication code on each TCP packet passed between the two routers; check the MAC upon receipt of each packet. You get: Integrity, Authenticity. Problem: this is manual configuration, which neither scales to many routers nor supports key maintenance.
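An added example of the RFC 2385 construction the slide describes (not from the lecture): MD5 over the TCP pseudo-header, the options-free TCP header with its checksum zeroed, the segment data and finally the shared key. The peer addresses, ports and key are constructed, and the code models the option's check only, not a TCP stack. RFC 5925 (TCP-AO) has since obsoleted this option, but the shape of the check is the same.

```python
# Added example: the RFC 2385 keyed digest over a constructed TCP segment.
# Addresses are documentation-range, the key is made up.
import hashlib
import hmac
import struct
from ipaddress import ip_address
from typing import Dict

SRC, DST = "192.0.2.1", "192.0.2.2"      # constructed peer addresses
KEY = b"shared-secret-typed-in-by-hand"   # constructed; configured manually on both routers
TCP_PROTO = 6
MD5_OPTION_PADDED_LEN = 20                # kind 19, len 18, 16-byte digest, 2 bytes padding


def tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int,
               window: int = 65535, urg: int = 0) -> bytes:
    """20-byte TCP header with the checksum field zeroed, as the digest requires.
    The data offset covers the fixed header plus the padded MD5 option."""
    data_offset_words = (20 + MD5_OPTION_PADDED_LEN) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset_words << 4, flags, window, 0, urg)


def tcp_md5_digest(src_ip: str, dst_ip: str, header20: bytes, data: bytes, key: bytes) -> bytes:
    """RFC 2385 section 2: MD5 over the pseudo-header (src, dst, zero, protocol,
    TCP length), the TCP header without options, the segment data, then the key."""
    tcp_len = len(header20) + MD5_OPTION_PADDED_LEN + len(data)
    pseudo = (ip_address(src_ip).packed + ip_address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))
    return hashlib.md5(pseudo + header20 + data + key).digest()


def verify_segment(src_ip: str, dst_ip: str, header20: bytes, data: bytes,
                   key: bytes, received_digest: bytes) -> bool:
    """Receiver side: recompute and compare in constant time; a mismatch drops the segment."""
    expected = tcp_md5_digest(src_ip, dst_ip, header20, data, key)
    return hmac.compare_digest(expected, received_digest)


def example_checks() -> Dict[str, bool]:
    """A genuine UPDATE segment, a third party's RST sent without the key, and the
    genuine segment altered in transit. Only the first should pass."""
    ACK_PSH, RST = 0x18, 0x04
    hdr = tcp_header(179, 40001, seq=1000, ack=2000, flags=ACK_PSH)
    data = b"constructed BGP UPDATE payload"
    genuine = tcp_md5_digest(SRC, DST, hdr, data, KEY)
    rst_hdr = tcp_header(179, 40001, seq=1000, ack=2000, flags=RST)
    forged = tcp_md5_digest(SRC, DST, rst_hdr, b"", b"attacker guess")
    return {
        "genuine_update": verify_segment(SRC, DST, hdr, data, KEY, genuine),
        "forged_rst": verify_segment(SRC, DST, rst_hdr, b"", KEY, forged),
        "tampered_update": verify_segment(SRC, DST, hdr, data + b"!", KEY, genuine),
    }


if __name__ == "__main__":
    for name, ok in example_checks().items():
        print(f"{name:16s} {'accepted' if ok else 'dropped'}")
```

The forged RST is the slide-49/50 scenario: without the key a third party cannot produce a digest the receiver will accept, so the segment is dropped before TCP acts on it. What the option does not give you is any way to change `KEY` without touching both routers by hand, which is the scaling problem the slide points at.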

69 Generalized TTL Security Mechanism. TCP time-to-live (RFC 3682): at a packet's origin, the TTL is set to the maximum number of hops that the packet can traverse; the TTL is decremented at each hop; packets are dropped when the TTL goes to 0. This ensures that packets stuck in transient routing loops do not congest the network. Idea: can we use the TTL to ensure that every packet received came from the peer (assuming one hop)? Set TTL = 255 (Q: how about TTL=1?). The receiver checks the TTL on all packets; if not 254, then forged. Issue: how much does this really tell you?

70 HOP Integrity. HOP integrity protocols implement secure peering communication that provides integrity/authentication: Diffie-Hellman style key negotiation, data integrity, data authentication. Idea: provide public key based per-hop security, and simple constructions to enforce integrity constraints. Two protocols: Weak - just per-hop integrity (MAC); Strong - adds replay protection (sequence numbers). Note: used to secure communication between a range of peers via per-hop security (limitation?).

71 Smith/Garcia-Luna-Aceves. An (ad hoc?) suite of countermeasures: 1. Encrypt all messages between peers. 2. Add a message sequence number to all BGP messages; protects against replayed or deleted messages. 3. Add a sequence number (or time-stamps) to UPDATEs. 4. Add a PREDECESSOR path attribute. 5. Digitally sign all the UPDATEs. Note: this gets beyond the basic peer security, and bleeds into the more general BGP security issues.

72 Question? What attacks do these measures prevent? If yes, how? Message replay. Route replay. Path forgery. Path modification. Forged route withdrawal. Prefix hijacking.

73 IPsec. IPsec provides all of the basic guarantees needed to implement router-to-router BGP security, independent of intermediate connectivity. IKE/ISAKMP is used to establish transient keys, avoiding cryptanalysis of long-running keys. ESP/AH provide confidentiality, integrity, replay protection... Problems: this is just a start. Overheads can be expensive if not managed correctly. Backward compatibility (less now). Key management.

74 Peering Summary
                 Integrity  Confidentiality  Replay Prevention  DOS Prevention
IPsec (ESP)      yes        yes              yes                yes
IPsec (AH)       yes        no               yes                yes
MD5 Integrity    yes        no               yes                no
HOP Protocol     yes        no               yes                no
GTSM             no         no               no                 no
Smith et al.     yes        yes              yes                no
Reality: most of these schemes were hacks or stop-gap measures until IPsec became widely available. Where secured at all, IPsec is generally used; AH/ESP without confidentiality is popular. Singly-homed customer/ISP peering is often not secured at all. Question: why is this reasonable?

75 BGP Security Protocols. The big two, plus one: sbgp (Secure Border Gateway Protocol) [Kent et al. 99]; sobgp (Secure Origin BGP) [White et al. 03]; IRV (Internet Routing Validation) [Goodell et al. 03].

76 sbgp. sbgp was the first leading candidate for routing security, and highlighted many of the IR (interdomain routing) security issues. Still under consideration, but somewhat limited. Model: routing and origination announcements are signed; signatures are validated based on shared trust associations (CAs). It all begins with the keys (really two parallel PKIs): 1. Binding routers and organizations to ASes. 2. Origin authentication PKI.

77 Organization PKI. Keys for routers, AS numbers. Route attestations - attestations to the transient state of the network, e.g., the advertisements/routes. Keys used to create these advertisements: router certificates, needed to ascertain the validity of instantaneous advertisements. You need to prove the association between the network elements making statements and ASes/organizations.

78 Route Attestations [figure: AS 1 → AS 2 → AS 3 → AS 4 → AS 5] Signing recursively: each advertisement signs everything it receives, plus the last hop. $(5, (4, (3, (2, 1)_{k_{AS1}})_{k_{AS2}})_{k_{AS3}})_{k_{AS4}}$

79 Address Attestations. Attestations of ownership and delegation; these are the simple attestations. For example, assume that organization A delegates prefix $p$ to organization B: $(p, B)_{k_A}$. Note: (surprisingly) sbgp distributes address attestations out-of-band. Thus everyone is required to obtain and validate their own copies of origin/ownership-proving certificates. As in OA, validate the path to ICANN.

80 sbgp Issues. Single point of trust: is there an authority that everyone will trust to provide address/path certification? Chinese Military vs. NSA? Cost: validating signatures is very computationally expensive; can a router sustain the load? Incremental deployability: requires changes to BGP message formats; all implementations must change.

81 sobgp. CISCO's entry in the securing-Internet-routing rodeo. Viewed as the manufacturer's approach to implementing security within BGP. Released as a kind of refutation of sbgp, which was seen as too expensive and unwieldy to be practical. A more open model that allows providers to implement security much more flexibly, i.e., within the confines of existing policy and infrastructure. Basic approach: network providers themselves act as a joint authority, and issue certificates for all relevant routing data, e.g., policy, address management, paths.

82 sobgp Design Requirements. The system should take advantage of operational experience and the existing Internet architecture: the implicit trust built into the Internet; the IP address assignment and delegation system. Minimize impact to current implementations of the BGP protocol; minimum changes to existing protocol formats. Optimize memory and processing requirements.

83 sobgp Design Requirements. Must not rely on a central authority of any type: distributed processing and trust. Must be incrementally deployable (it must provide some level of security without the participation of every AS).

84 Solution*. Verifies that the originator of a route is authorized to do so. Verifies that the advertised AS_PATH represents a valid path to the originator (plausible path?). BGP Security Message (extension to BGP): a new BGP message used to carry security information; no changes to existing messages, for backwards compatibility and incremental deployment (removal of messages?). Leverages existing protocol and security mechanisms. Fixed additional scalability requirements: per-AS information and route policies advertised once (caching); no additional information in UPDATEs, resulting in low processing impact (well, sort of). *CISCO text in black, my text in red.

85 BGPSEC

86 Certificates. Databases of certificates that advertise and correlate AS identity, prefix ownership and route policy. Certificate types: Entity Certificate = used to establish (AS) identity; Authorization Certificate = assigns/delegates IP addresses; Policy Certificate = used to define per-AS or per-prefix policies and propagate the AS interconnectivity topology map. Certificate exchanges/trust relations are not defined (prior to or within routing exchanges). Uses a web-of-trust model to validate certificates.

87 PolicyCerts [figure: AS 1 - AS 2 - AS 3 - AS 4 - AS 5] Pairwise signing: the topology database contains peering attestations. $(2, 1)_{k_{AS1}},\ (3, 2)_{k_{AS2}},\ (4, 3)_{k_{AS3}},\ (4, 5)_{k_{AS4}}$

88 AuthCert and EntityCert. AuthCerts define the delegation of address space; this operates in essentially the same way as sbgp/OA. Some looked at OA in sobgp and looked to learn the correct address assignment by viewing history: kinda intrusion detection for address usage (open problem). EntityCerts identify who/what router is associated with which AS. Again note: which of these certs you believe is up to you (it's a web of trust, caveat emptor).

89 Path Authentication vs. Path Plausibility. Is path authentication stronger than path plausibility? Since each AS in sbgp is authenticating a relationship between itself and its predecessor and successor ASes, the set of acceptable AS paths in sbgp is a subset of the set of paths acceptable under SoBGP. Argue for (and explain why or why not): [figure: AS 1 - AS 2 - AS 3 - AS 4 - AS 5] sbgp: $(5, (4, (3, (2, 1)_{k_{AS1}})_{k_{AS2}})_{k_{AS3}})_{k_{AS4}}$; sobgp: $(2, 1)_{k_{AS1}},\ (3, 2)_{k_{AS2}},\ (4, 3)_{k_{AS3}},\ (4, 5)_{k_{AS4}}$. Q1: Is path lengthening possible in sobgp but not sbgp? Q2: Is path shortening possible in sbgp but not sobgp?
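The two constructions of slides 78 and 87, worked as code so the contrast this slide asks about can be tried out; this is an added example, not code from the lecture or from either proposal. An HMAC keyed per AS stands in for each AS's digital signature (the keys and the JSON serialization of what gets signed are constructed, and the toy verifier holds every key, which a real PKI avoids by distributing public keys), nested route attestations are plain dicts, and soBGP's peering attestations are treated as undirected adjacencies.

```python
# Added example: sBGP nested route attestations versus soBGP pairwise peering
# attestations. HMAC with constructed per-AS keys stands in for real signatures.
import hashlib
import hmac
import json
from typing import FrozenSet, List, Optional, Set

KEYS = {asn: f"constructed-key-AS{asn}".encode() for asn in range(1, 10)}


def sign(signer: int, payload: dict, key: Optional[bytes] = None) -> str:
    """Sign payload as `signer`; passing `key` models a forger who lacks the
    signer's key and has to sign with some other key instead."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key or KEYS[signer], msg, hashlib.sha256).hexdigest()


def check(signer: int, payload: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(signer, payload), sig)


# sBGP route attestation, nested as on slide 78: (5, (4, (3, (2, 1)_k1)_k2)_k3)_k4
def attest(signer: int, next_as: int, inner: Optional[dict], key: Optional[bytes] = None) -> dict:
    payload = {"signer": signer, "next": next_as, "inner": inner}
    return {"payload": payload, "sig": sign(signer, payload, key)}


def sbgp_announce(chain: List[int], receiver: int) -> dict:
    """chain runs from the origin outward; each AS signs what it received plus the next hop."""
    att = None
    for i, asn in enumerate(chain):
        nxt = chain[i + 1] if i + 1 < len(chain) else receiver
        att = attest(asn, nxt, att)
    return att


def sbgp_validate(att: Optional[dict], receiver: int, as_path: List[int]) -> bool:
    """Peel the nest from the outside in: each layer must name the previous signer
    (or us) as its next hop and verify under its own signer's key. as_path is the
    AS_PATH as received, last hop first, origin last."""
    expected_next, hops = receiver, []
    while att is not None:
        p = att["payload"]
        if p["next"] != expected_next or not check(p["signer"], p, att["sig"]):
            return False
        hops.append(p["signer"])
        expected_next, att = p["signer"], p["inner"]
    return hops == as_path


# soBGP policy certificates, pairwise as on slide 87: (2,1)_k1, (3,2)_k2, (4,3)_k3, (4,5)_k4
def peering_cert(signer: int, peer: int, key: Optional[bytes] = None) -> dict:
    payload = {"signer": signer, "peer": peer}
    return {"payload": payload, "sig": sign(signer, payload, key)}


def topology_db(certs: List[dict]) -> Set[FrozenSet[int]]:
    """Keep only adjacencies whose certificate verifies, stored as undirected pairs."""
    db: Set[FrozenSet[int]] = set()
    for c in certs:
        p = c["payload"]
        if check(p["signer"], p, c["sig"]):
            db.add(frozenset((p["signer"], p["peer"])))
    return db


def sobgp_plausible(receiver: int, as_path: List[int], db: Set[FrozenSet[int]]) -> bool:
    """A path is plausible if every consecutive pair, starting with us and our peer,
    is an attested adjacency; nothing ties the path to an actual advertisement."""
    hops = [receiver] + as_path
    return all(frozenset((a, b)) in db for a, b in zip(hops, hops[1:]))


if __name__ == "__main__":
    genuine = sbgp_announce([1, 2, 3, 4], receiver=5)
    print("sbgp genuine [4,3,2,1]:", sbgp_validate(genuine, 5, [4, 3, 2, 1]))
    shortened = attest(4, 5, sbgp_announce([1], receiver=2))  # AS1's layer names AS2, not AS4
    print("sbgp shortened [4,1]:  ", sbgp_validate(shortened, 5, [4, 1]))
    db = topology_db([peering_cert(1, 2), peering_cert(2, 3), peering_cert(3, 4), peering_cert(4, 5)])
    print("sobgp [4,3,2,1]:       ", sobgp_plausible(5, [4, 3, 2, 1], db))
    print("sobgp [4,3,2,3,2,1]:   ", sobgp_plausible(5, [4, 3, 2, 3, 2, 1], db))
```

Under the nested form, a path shortened or lengthened by a hop whose signature the sender cannot produce fails to validate, because every layer names the next hop and is covered by the layer outside it. Under the pairwise database any walk over attested adjacencies is accepted as plausible, including one that no AS actually advertised; that is the "plausible, not actual" distinction the next slide makes.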

90 sobgp Issues. Soft security: the guarantees provided are limited, e.g., plausible, not actually secure paths. Nebulous trust: not clear under what conditions or trust model a certificate was created; signatures in a web of trust have unclear semantics; assumes transitive trust.

91 IRV. Intended to solve BGP security without changing any of the existing routing infrastructure [Goodell et al. 2003]. Idea: validate all information by actively querying databases of policy, address, and path information provided by each AS. Post-facto verification - receive and optimistically accept routing information. AS-centralized verification - an IRV service exists outside the domain of the AS and provides validation information in real time to all routers (win: no per-router cost).

92 IRV Operation. ASes provide a well-known IRV server from which any external party can query for the validity of information. Authenticated responses provide assurance that advertisements are correct. Routing Policy Specification Language (RPSL). [figure: BGP routers in AS1, AS2 and AS3, each AS with an IRV server; IRV queries exchanged between them]

93 IRV Issues. DOS opportunities - the IRV can get flooded with requests by a malicious party, or under normal operation following, for example, a table reset. Offline operation - when the network fails, little ability to return the system to a stable state. Possible solutions: peering repositories; shadow control network.

94 BGP Security. Now: after almost two decades of work, we are not much closer to a global security solution... Problems are often not technical... Cost of building routers. Backward compatibility. Incremental deployment. Future: we will move from border filtering to more and more cryptographically aided solutions. Mining past advertisements and understanding expected routing advertisements will also be key where crypto is not appropriate or feasible.


More information

Lecture outline. Internet Routing Security Issues. Previous lecture: Effect of MinRouteAdver Timer. Recap of previous lecture

Lecture outline. Internet Routing Security Issues. Previous lecture: Effect of MinRouteAdver Timer. Recap of previous lecture Lecture outline Internet Routing Security Issues Z. Morley Mao Lecture 3 Jan 14, 2003 Recap of last lecture, any questions? Existing routing security mechanisms - SBGP General threats to routing protocols

More information

Securing BGP Networks using Consistent Check Algorithm

Securing BGP Networks using Consistent Check Algorithm Securing BGP Networks using Consistent Check Algorithm C. K. Man, K.Y. Wong, and K. H. Yeung Abstract The Border Gateway Protocol (BGP) is the critical routing protocol in the Internet infrastructure.

More information

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011 Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011 Overview Business relationships between ASes Interdomain routing using BGP Advertisements Routing policy Integration with intradomain routing

More information

Security in inter-domain routing

Security in inter-domain routing DD2491 p2 2011 Security in inter-domain routing Olof Hagsand KTH CSC 1 Literature Practical BGP pages Chapter 9 See reading instructions Beware of BGP Attacks (Nordström, Dovrolis) Examples of attacks

More information

Introduction. Keith Barker, CCIE #6783. YouTube - Keith6783.

Introduction. Keith Barker, CCIE #6783. YouTube - Keith6783. Understanding, Implementing and troubleshooting BGP 01 Introduction http:// Instructor Introduction Keith Barker, CCIE #6783 CCIE Routing and Switching 2001 CCIE Security 2003 kbarker@ine.com YouTube -

More information

internet technologies and standards

internet technologies and standards Institute of Telecommunications Warsaw University of Technology internet technologies and standards Piotr Gajowniczek BGP (Border Gateway Protocol) structure of the Internet Tier 1 ISP Tier 1 ISP Google

More information

PART III. Implementing Inter-Network Relationships with BGP

PART III. Implementing Inter-Network Relationships with BGP PART III Implementing Inter-Network Relationships with BGP ICNP 2002 Routing Protocols Autonomous System BGP-4 BGP = Border Gateway Protocol Is a Policy-Based routing protocol Is the de facto EGP of today

More information

CS 640: Introduction to Computer Networks. Intra-domain routing. Inter-domain Routing: Hierarchy. Aditya Akella

CS 640: Introduction to Computer Networks. Intra-domain routing. Inter-domain Routing: Hierarchy. Aditya Akella CS 640: Introduction to Computer Networks Aditya Akella Lecture 11 - Inter-Domain Routing - BGP (Border Gateway Protocol) Intra-domain routing The Story So Far Routing protocols generate the forwarding

More information

Internet Routing : Fundamentals of Computer Networks Bill Nace

Internet Routing : Fundamentals of Computer Networks Bill Nace Internet Routing 14-740: Fundamentals of Computer Networks Bill Nace Material from Computer Networking: A Top Down Approach, 6 th edition. J.F. Kurose and K.W. Ross Looking Ahead Lab #2 just due Quiz #2

More information

On the State of the Inter-domain and Intra-domain Routing Security

On the State of the Inter-domain and Intra-domain Routing Security On the State of the Inter-domain and Intra-domain Routing Security Mingwei Zhang April 19, 2016 Mingwei Zhang Internet Routing Security 1 / 54 Section Internet Routing Security Background Internet Routing

More information

COMP/ELEC 429 Introduction to Computer Networks

COMP/ELEC 429 Introduction to Computer Networks COMP/ELEC 429 Introduction to Computer Networks Lecture 11: Inter-domain routing Slides used with permissions from Edward W. Knightly, T. S. Eugene Ng, Ion Stoica, Hui Zhang T. S. Eugene Ng eugeneng at

More information

CS4700/CS5700 Fundamentals of Computer Networks

CS4700/CS5700 Fundamentals of Computer Networks CS4700/CS5700 Fundamentals of Computer Networks Lecture 12: Inter-domain routing Slides used with permissions from Edward W. Knightly, T. S. Eugene Ng, Ion Stoica, Hui Zhang Alan Mislove amislove at ccs.neu.edu

More information

CS 268: Computer Networking

CS 268: Computer Networking CS 268: Computer Networking L-3 BGP Outline BGP ASes, Policies BGP Attributes BGP Path Selection ibgp 2 1 Autonomous Systems (ASes) Autonomous Routing Domain Glued together by a common administration,

More information

Important Lessons From Last Lecture Computer Networking. Outline. Routing Review. Routing hierarchy. Internet structure. External BGP (E-BGP)

Important Lessons From Last Lecture Computer Networking. Outline. Routing Review. Routing hierarchy. Internet structure. External BGP (E-BGP) Important Lessons From Last Lecture 15-441 Computer Networking Inter-Domain outing BGP (Border Gateway Protocol) Every router needs to be able to forward towards any destination Forwarding table must be

More information

Lecture 16: Interdomain Routing. CSE 123: Computer Networks Stefan Savage

Lecture 16: Interdomain Routing. CSE 123: Computer Networks Stefan Savage Lecture 16: Interdomain Routing CSE 123: Computer Networks Stefan Savage Overview Autonomous Systems Each network on the Internet has its own goals Path-vector Routing Allows scalable, informed route selection

More information

Module 6 Implementing BGP

Module 6 Implementing BGP Module 6 Implementing BGP Lesson 1 Explaining BGP Concepts and Terminology BGP Border Gateway Protocol Using BGP to Connect to the Internet If only one ISP, do not need BGP. If multiple ISPs, use BGP,

More information

Examination. ANSWERS IP routning på Internet och andra sammansatta nät, DD2491 IP routing in the Internet and other complex networks, DD2491

Examination. ANSWERS IP routning på Internet och andra sammansatta nät, DD2491 IP routing in the Internet and other complex networks, DD2491 Examination ANSWERS IP routning på Internet och andra sammansatta nät, DD2491 IP routing in the Internet and other complex networks, DD2491 Date: October 21st 2008 10:00 13:00 a) No help material is allowed

More information

Internet inter-as routing: BGP

Internet inter-as routing: BGP Internet inter-as routing: BGP BGP (Border Gateway Protocol): the de facto standard BGP provides each AS a means to: 1. Obtain subnet reachability information from neighboring ASs. 2. Propagate the reachability

More information

Inter-domain Routing. Outline. Border Gateway Protocol

Inter-domain Routing. Outline. Border Gateway Protocol Inter-domain Routing Outline Border Gateway Protocol Internet Structure Original idea CS 640 2 Internet Structure Today CS 640 3 Route Propagation in the Internet Autonomous System (AS) corresponds to

More information

Routing Unicast routing protocols

Routing Unicast routing protocols Routing Unicast routing protocols Jens A Andersson Electrical and Information Technology R1 Choosing an Optimal Path R4 5 R7 5 10 40 R6 6 5 B R2 15 A 20 4 10 10 R8 R3 5 10 R5 1 Router A router is a type

More information

Internet Routing Protocols Lecture 03 Inter-domain Routing

Internet Routing Protocols Lecture 03 Inter-domain Routing Internet Routing Protocols Lecture 03 Inter-domain Routing Advanced Systems Topics Lent Term, 2008 Timothy G. Griffin Computer Lab Cambridge UK Autonomous Routing Domains A collection of physical networks

More information

Outline Computer Networking. Inter and Intra-Domain Routing. Internet s Area Hierarchy Routing hierarchy. Internet structure

Outline Computer Networking. Inter and Intra-Domain Routing. Internet s Area Hierarchy Routing hierarchy. Internet structure Outline 15-441 15-441 Computer Networking 15-641 Lecture 10: Inter-Domain outing Border Gateway Protocol -BGP Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 outing hierarchy Internet structure

More information

Interdomain Routing Reading: Sections K&R EE122: Intro to Communication Networks Fall 2007 (WF 4:00-5:30 in Cory 277)

Interdomain Routing Reading: Sections K&R EE122: Intro to Communication Networks Fall 2007 (WF 4:00-5:30 in Cory 277) Interdomain Routing Reading: Sections K&R 4.6.3 EE122: Intro to Communication Networks Fall 2007 (WF 4:00-5:30 in Cory 277) Guest Lecture by Brighten Godfrey Instructor: Vern Paxson TAs: Lisa Fowler, Daniel

More information

Interdomain Routing Reading: Sections P&D 4.3.{3,4}

Interdomain Routing Reading: Sections P&D 4.3.{3,4} Interdomain Routing Reading: Sections P&D 4.3.{3,4} EE122: Intro to Communication Networks Fall 2006 (MW 4:00-5:30 in Donner 155) Vern Paxson TAs: Dilip Antony Joseph and Sukun Kim http://inst.eecs.berkeley.edu/~ee122/

More information

BGP. Inter-domain routing with the Border Gateway Protocol. Iljitsch van Beijnum Amsterdam, 13 & 16 March 2007

BGP. Inter-domain routing with the Border Gateway Protocol. Iljitsch van Beijnum Amsterdam, 13 & 16 March 2007 BGP Inter-domain routing with the Border Gateway Protocol Iljitsch van Beijnum Amsterdam, 13 & 16 March 2007 1 Routing Between ISPs Internal routing protocols don't work here: too much information So:

More information

Routing. Jens A Andersson Communication Systems

Routing. Jens A Andersson Communication Systems Routing Jens A Andersson Communication Systems R1 Choosing an Optimal Path R4 5 R7 5 10 40 R6 6 5 B R2 15 A 20 4 10 10 R8 R3 5 R5 10 Router A router is a type of internetworking device that passes data

More information

BGP. Autonomous system (AS) BGP version 4

BGP. Autonomous system (AS) BGP version 4 BGP Border Gateway Protocol (an introduction) Karst Koymans Informatics Institute University of Amsterdam (version 1.5, 2011/03/06 13:35:28) Monday, March 7, 2011 General ideas behind BGP Background Providers,

More information

Operation Manual BGP. Table of Contents

Operation Manual BGP. Table of Contents Table of Contents Table of Contents... 1-1 1.1 BGP/MBGP Overview... 1-1 1.1.1 Introduction to BGP... 1-1 1.1.2 BGP Message Types... 1-2 1.1.3 BGP Routing Mechanism... 1-2 1.1.4 MBGP... 1-3 1.1.5 BGP Peer

More information

Internet Routing Protocols Lecture 01 & 02

Internet Routing Protocols Lecture 01 & 02 Internet Routing Protocols Lecture 01 & 02 Advanced Systems Topics Lent Term, 2010 Timothy G. Griffin Computer Lab Cambridge UK Internet Routing Outline Lecture 1 : Inter-domain routing architecture, the

More information

Inter-Domain Routing: BGP

Inter-Domain Routing: BGP Inter-Domain Routing: BGP Richard T. B. Ma School of Computing National University of Singapore CS 3103: Compute Networks and Protocols Inter-Domain Routing Internet is a network of networks Hierarchy

More information

Connecting to a Service Provider Using External BGP

Connecting to a Service Provider Using External BGP Connecting to a Service Provider Using External BGP First Published: May 2, 2005 Last Updated: August 21, 2007 This module describes configuration tasks that will enable your Border Gateway Protocol (BGP)

More information

BGP. Autonomous system (AS) BGP version 4. Definition (AS Autonomous System)

BGP. Autonomous system (AS) BGP version 4. Definition (AS Autonomous System) BGP Border Gateway Protocol (an introduction) Karst Koymans Informatics Institute University of Amsterdam (version 310, 2014/03/11 10:50:06) Monday, March 10, 2014 General ideas behind BGP Background Providers,

More information

BGP. Autonomous system (AS) BGP version 4

BGP. Autonomous system (AS) BGP version 4 BGP Border Gateway Protocol (an introduction) dr. C. P. J. Koymans Informatics Institute University of Amsterdam March 11, 2008 General ideas behind BGP Background Providers, Customers and Peers External

More information

Lecture 18: Border Gateway Protocol

Lecture 18: Border Gateway Protocol Lecture 18: Border Gateway Protocol CSE 123: Computer Networks Alex C. Snoeren HW 3 due Wednesday Some figures courtesy Mike Freedman & Craig Labovitz Lecture 18 Overview Path-vector Routing Allows scalable,

More information

Outline. 0 Topic 5.1: TCP/IP Vulnerabilities. 0 Topic 5.2: Routing Security

Outline. 0 Topic 5.1: TCP/IP Vulnerabilities. 0 Topic 5.2: Routing Security Outline 0 Topic 5.1: TCP/IP Vulnerabilities 0 TCP/IP security problems 0 Topic 5.2: Routing Security 0 BGP security 0 Topic 5.3: Attack Mitigation and Countermeasures 0 Topic 5.4: Attack Detection 2 TCP/IP

More information

BGP. Autonomous system (AS) BGP version 4. Definition (AS Autonomous System)

BGP. Autonomous system (AS) BGP version 4. Definition (AS Autonomous System) BGP Border Gateway Protocol (an introduction) Karst Koymans Informatics Institute University of Amsterdam (version 1.9, 2012/03/14 10:21:22) Monday, March 12, 2012 General ideas behind BGP Background Providers,

More information

BGP Security. Kevin s Attic for Security Research

BGP Security. Kevin s Attic for Security Research Kevin s Attic for Security Research kevinkoo001@gmail.com Table 1. BGP Operation (1): Concept & Topology 2. BGP Operation (2): Message Exchange, Format and Path Decision Algorithm 3. Potential Attacks

More information

Lecture 4: Intradomain Routing. CS 598: Advanced Internetworking Matthew Caesar February 1, 2011

Lecture 4: Intradomain Routing. CS 598: Advanced Internetworking Matthew Caesar February 1, 2011 Lecture 4: Intradomain Routing CS 598: Advanced Internetworking Matthew Caesar February 1, 011 1 Robert. How can routers find paths? Robert s local DNS server 10.1.8.7 A 10.1.0.0/16 10.1.0.1 Routing Table

More information

J. A. Drew Hamilton, Jr., Ph.D. Director, Information Assurance Laboratory and Associate Professor Computer Science & Software Engineering

J. A. Drew Hamilton, Jr., Ph.D. Director, Information Assurance Laboratory and Associate Professor Computer Science & Software Engineering Auburn Information Assurance Laboratory J. A. Drew Hamilton, Jr., Ph.D. Director, Information Assurance Laboratory and Associate Professor Computer Science & Software Engineering 107 Dunstan Hall Auburn

More information

Introduction to IP Routing. Geoff Huston

Introduction to IP Routing. Geoff Huston Introduction to IP Routing Geoff Huston Routing How do packets get from A to B in the Internet? A Internet B Connectionless Forwarding Each router (switch) makes a LOCAL decision to forward the packet

More information

Border Gateway Protocol (an introduction) Karst Koymans. Monday, March 10, 2014

Border Gateway Protocol (an introduction) Karst Koymans. Monday, March 10, 2014 .. BGP Border Gateway Protocol (an introduction) Karst Koymans Informatics Institute University of Amsterdam (version 3.10, 2014/03/11 10:50:06) Monday, March 10, 2014 Karst Koymans (UvA) BGP Monday, March

More information

Routing Between Autonomous Systems (Example: BGP4) RFC 1771

Routing Between Autonomous Systems (Example: BGP4) RFC 1771 CS 4/55231 Internet Engineering Kent State University Dept. of Computer Science LECT-7B Routing Between Autonomous Systems (Example: BGP4) RFC 1771 52 53 BGP4 Overview Example of Operations BGP4 is a path

More information

Lecture 13: Traffic Engineering

Lecture 13: Traffic Engineering Lecture 13: Traffic Engineering CSE 222A: Computer Communication Networks Alex C. Snoeren Thanks: Mike Freedman, Nick Feamster Lecture 13 Overview Evolution of routing in the ARPAnet Today s TE: Adjusting

More information

Routing Protocols --- Exterior Gateway Protocol

Routing Protocols --- Exterior Gateway Protocol Content Routing Protocols --- Exterior Gateway Protocol Linda Wu (CMPT 471 23-3) Limiting router interaction Autonomous system BGP protocol BGP messages Other issues on BGP Reference: chapter 15 Notes-13

More information

Ravi Chandra cisco Systems Cisco Systems Confidential

Ravi Chandra cisco Systems Cisco Systems Confidential BGP4 1 Ravi Chandra cisco Systems 0799_04F7_c2 Cisco Systems Confidential 2 Border Gateway Protocol (BGP) Introduction to BGP BGP Peer Relationship BGP Attributes Applying Policy with BGP Putting it all

More information

Configuring BGP. Cisco s BGP Implementation

Configuring BGP. Cisco s BGP Implementation Configuring BGP This chapter describes how to configure Border Gateway Protocol (BGP). For a complete description of the BGP commands in this chapter, refer to the BGP s chapter of the Network Protocols

More information

Lecture 17: Border Gateway Protocol

Lecture 17: Border Gateway Protocol Lecture 17: Border Gateway Protocol CSE 123: Computer Networks Alex C. Snoeren Some figures courtesy Mike Freedman Lecture 18 Overview Border Gateway Protocol (BGP) The canonical path vector protocol How

More information

BGP. Autonomous system (AS) BGP version 4

BGP. Autonomous system (AS) BGP version 4 BGP Border Gateway Protocol (an introduction) dr. C. P. J. Koymans Informatics Institute University of Amsterdam (version 1.3, 2010/03/10 20:05:02) Monday, March 8, 2010 General ideas behind BGP Background

More information

CS BGP v4. Fall 2014

CS BGP v4. Fall 2014 CS 457 - BGP v4 Fall 2014 Autonomous Systems What is an AS? a set of routers under a single technical administration uses an interior gateway protocol (IGP) and common metrics to route packets within the

More information

Internet Interconnection Structure

Internet Interconnection Structure Internet Interconnection Structure Basic Concepts (1) Internet Service Provider (ISP) Provider who connects an end user customer with the Internet in one or few geographic regions. National & Regional

More information

Lecture 16: Border Gateway Protocol

Lecture 16: Border Gateway Protocol Lecture 16: Border Gateway Protocol CSE 123: Computer Networks Alex C. Snoeren Some figures courtesy Mike Freedman Lecture 16 Overview Border Gateway Protocol (BGP) The canonical path vector protocol How

More information

A Measurement Study of BGP Misconfiguration

A Measurement Study of BGP Misconfiguration A Measurement Study of BGP Misconfiguration Ratul Mahajan, David Wetherall, and Tom Anderson University of Washington Motivation Routing protocols are robust against failures Meaning fail-stop link and

More information

Outline. Organization of the global Internet. BGP basics Routing policies The Border Gateway Protocol How to prefer some routes over others

Outline. Organization of the global Internet. BGP basics Routing policies The Border Gateway Protocol How to prefer some routes over others BGP/2003.2.1 November 2004 Outline Organization of the global Internet BGP basics Routing policies The Border Gateway Protocol How to prefer some routes over others BGP in large networks Interdomain traffic

More information

CS 43: Computer Networks. 24: Internet Routing November 19, 2018

CS 43: Computer Networks. 24: Internet Routing November 19, 2018 CS 43: Computer Networks 24: Internet Routing November 19, 2018 Last Class Link State + Fast convergence (reacts to events quickly) + Small window of inconsistency Distance Vector + + Distributed (small

More information

Routing Concepts. IPv4 Routing Forwarding Some definitions Policy options Routing Protocols

Routing Concepts. IPv4 Routing Forwarding Some definitions Policy options Routing Protocols Routing Basics 1 Routing Concepts IPv4 Routing Forwarding Some definitions Policy options Routing Protocols 2 IPv4 Internet uses IPv4 Addresses are 32 bits long Range from 1.0.0.0 to 223.255.255.255 0.0.0.0

More information

BGP Protocol & Configuration. Scalable Infrastructure Workshop AfNOG2008

BGP Protocol & Configuration. Scalable Infrastructure Workshop AfNOG2008 BGP Protocol & Configuration Scalable Infrastructure Workshop AfNOG2008 Border Gateway Protocol (BGP4) Case Study 1, Exercise 1: Single upstream Part 6: BGP Protocol Basics Part 7: BGP Protocol - more

More information

CS 43: Computer Networks Internet Routing. Kevin Webb Swarthmore College November 16, 2017

CS 43: Computer Networks Internet Routing. Kevin Webb Swarthmore College November 16, 2017 CS 43: Computer Networks Internet Routing Kevin Webb Swarthmore College November 16, 2017 1 Hierarchical routing Our routing study thus far - idealization all routers identical network flat not true in

More information

A Survey of BGP Security Issues and Solutions

A Survey of BGP Security Issues and Solutions A Survey of BGP Security Issues and Solutions Kevin Butler, Toni Farley, Patrick McDaniel, and Jennifer Rexford 1 Abstract The Border Gateway Protocol (BGP) is the de facto interdomain routing protocol

More information

Chapter 13 Configuring BGP4

Chapter 13 Configuring BGP4 Chapter 13 Configuring BGP4 This chapter provides details on how to configure Border Gateway Protocol version 4 (BGP4) on HP products using the CLI and the Web management interface. BGP4 is supported on

More information

Routing part 2. Electrical and Information Technology

Routing part 2. Electrical and Information Technology Routing part 2 Jens A Andersson Electrical and Information Technology Routing Introduction Inside the Router Unicast Routing Intra Domain Routing Inter Domain Routing MANET and AdHoc routing Multicast

More information

BGP. Autonomous system (AS) BGP version 4. Definition (AS Autonomous System)

BGP. Autonomous system (AS) BGP version 4. Definition (AS Autonomous System) BGP Border Gateway Protocol (an introduction) Karst Koymans Informatics Institute University of Amsterdam (version 16.4, 2017/03/13 13:32:49) Tuesday, March 14, 2017 General ideas behind BGP Background

More information

TDC 375 Network Protocols TDC 563 P&T for Data Networks

TDC 375 Network Protocols TDC 563 P&T for Data Networks TDC 375 Network Protocols TDC 563 P&T for Data Networks Routing Threats TDC 375/563 Spring 2013/14 John Kristoff DePaul University 1 One of two critical systems Routing (BGP) and naming (DNS) are by far

More information

Connecting to a Service Provider Using External BGP

Connecting to a Service Provider Using External BGP Connecting to a Service Provider Using External BGP This module describes configuration tasks that will enable your Border Gateway Protocol (BGP) network to access peer devices in external networks such

More information

Dynamics of Hot-Potato Routing in IP Networks

Dynamics of Hot-Potato Routing in IP Networks Dynamics of Hot-Potato Routing in IP Networks Jennifer Rexford AT&T Labs Research http://www.research.att.com/~jrex Joint work with Renata Teixeira (UCSD), Aman Shaikh (AT&T), and Timothy Griffin (Intel)

More information

Border Gateway Protocol (an introduction) Karst Koymans. Tuesday, March 8, 2016

Border Gateway Protocol (an introduction) Karst Koymans. Tuesday, March 8, 2016 .. BGP Border Gateway Protocol (an introduction) Karst Koymans Informatics Institute University of Amsterdam (version 15.6, 2016/03/15 22:30:35) Tuesday, March 8, 2016 Karst Koymans (UvA) BGP Tuesday,

More information

EECS 122, Lecture 17. The Distributed Update Algorithm (DUAL) Optimization Criteria. DUAL Data Structures. Selecting Among Neighbors.

EECS 122, Lecture 17. The Distributed Update Algorithm (DUAL) Optimization Criteria. DUAL Data Structures. Selecting Among Neighbors. EECS 122, Lecture 17 Kevin Fall kfall@cs.berkeley.edu edu The Distributed Update Algorithm (DUAL) J.J. Garcia-Luna Luna-Aceves [SIGCOMM 89] Aims at removing transient loops in both DV and LS routing protocols

More information

Vendor: Alcatel-Lucent. Exam Code: 4A Exam Name: Alcatel-Lucent Border Gateway Protocol. Version: Demo

Vendor: Alcatel-Lucent. Exam Code: 4A Exam Name: Alcatel-Lucent Border Gateway Protocol. Version: Demo Vendor: Alcatel-Lucent Exam Code: 4A0-102 Exam Name: Alcatel-Lucent Border Gateway Protocol Version: Demo QUESTION 1 Upon the successful establishment of a TCP session between peers, what type of BGP message

More information

Configuring BGP community 43 Configuring a BGP route reflector 44 Configuring a BGP confederation 44 Configuring BGP GR 45 Enabling Guard route

Configuring BGP community 43 Configuring a BGP route reflector 44 Configuring a BGP confederation 44 Configuring BGP GR 45 Enabling Guard route Contents Configuring BGP 1 Overview 1 BGP speaker and BGP peer 1 BGP message types 1 BGP path attributes 2 BGP route selection 6 BGP route advertisement rules 6 BGP load balancing 6 Settlements for problems

More information

A PKI For IDR Public Key Infrastructure and Number Resource Certification

A PKI For IDR Public Key Infrastructure and Number Resource Certification A PKI For IDR Public Key Infrastructure and Number Resource Certification AUSCERT 2006 Geoff Huston Research Scientist APNIC If You wanted to be Bad on the Internet And you wanted to: Hijack a site Inspect

More information

Other Developments: CIDR

Other Developments: CIDR Other Developments: CIDR CIDR (classless Inter domain routing) Too many small networks requiring multiple class C addresses Running out of class B addresses, not enough nets in class A Assign contiguous

More information

BGP Commands. Network Protocols Command Reference, Part 1 P1R-355

BGP Commands. Network Protocols Command Reference, Part 1 P1R-355 BGP Commands Use the commands in this chapter to configure and monitor Border Gateway Protocol (BGP). For BGP configuration information and examples, refer to the Configuring BGP chapter of the Network

More information

Link State Routing & Inter-Domain Routing

Link State Routing & Inter-Domain Routing Link State Routing & Inter-Domain Routing CS640, 2015-02-26 Announcements Assignment #2 is due Tuesday Overview Link state routing Internet structure Border Gateway Protocol (BGP) Path vector routing Inter

More information

Professor Yashar Ganjali Department of Computer Science University of Toronto.

Professor Yashar Ganjali Department of Computer Science University of Toronto. Professor Yashar Ganjali Department of Computer Science University of Toronto yganjali@cs.toronto.edu http://www.cs.toronto.edu/~yganjali Announcements Don t forget the programming assignment Due: Friday

More information

Network Layer: Routing

Network Layer: Routing Network Layer: Routing The Problem A B R 1 R 2 R 4 R 3 Goal: for each destination, compute next hop 1 Lecture 9 2 Basic Assumptions Trivial solution: Flooding Dynamic environment: links and routers unreliable:

More information

Interdomain Routing Design for MobilityFirst

Interdomain Routing Design for MobilityFirst Interdomain Routing Design for MobilityFirst October 6, 2011 Z. Morley Mao, University of Michigan In collaboration with Mike Reiter s group 1 Interdomain routing design requirements Mobility support Network

More information

TELE 301 Network Management

TELE 301 Network Management TELE 301 Network Management Lecture 24: Exterior Routing and BGP Haibo Zhang Computer Science, University of Otago TELE301 Lecture 16: Remote Terminal Services 1 Today s Focus How routing between different

More information

CS519: Computer Networks. Lecture 4, Part 5: Mar 1, 2004 Internet Routing:

CS519: Computer Networks. Lecture 4, Part 5: Mar 1, 2004 Internet Routing: : Computer Networks Lecture 4, Part 5: Mar 1, 2004 Internet Routing: AS s, igp, and BGP As we said earlier, the Internet is composed of Autonomous Systems (ASs) Where each AS is a set of routers, links,

More information

Computer Science 461 Final Exam May 22, :30-3:30pm

Computer Science 461 Final Exam May 22, :30-3:30pm NAME: Login name: Computer Science 461 Final Exam May 22, 2012 1:30-3:30pm This test has seven (7) questions, each worth ten points. Put your name on every page, and write out and sign the Honor Code pledge

More information

Routing Basics. ISP Workshops. Last updated 10 th December 2015

Routing Basics. ISP Workshops. Last updated 10 th December 2015 Routing Basics ISP Workshops Last updated 10 th December 2015 1 Routing Concepts p IPv4 & IPv6 p Routing p Forwarding p Some definitions p Policy options p Routing Protocols 2 IPv4 p Internet still uses

More information

Network Protocols. Routing. TDC375 Autumn 03/04 John Kristoff - DePaul University 1

Network Protocols. Routing. TDC375 Autumn 03/04 John Kristoff - DePaul University 1 Network Protocols Routing TDC375 Autumn 03/04 John Kristoff - DePaul University 1 IPv4 unicast routing All Internet hosts perform basic routing for local net destinations, forward to local host for non-local

More information

EE 122: Inter-domain routing Border Gateway Protocol (BGP)

EE 122: Inter-domain routing Border Gateway Protocol (BGP) EE 122: Inter-domain routing Border Gateway Protocol (BGP) Ion Stoica October 2, 2002 (* this presentation is based on Lakshmi Subramanian s slides) Big Picture Large ISP Large ISP St u b D i al - U p

More information

Inter-AS routing. Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley

Inter-AS routing. Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley Inter-AS routing Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley Some materials copyright 1996-2012 J.F Kurose and K.W. Ross, All Rights Reserved Chapter 4:

More information

CS 457 Networking and the Internet. The Global Internet (Then) The Global Internet (And Now) 10/4/16. Fall 2016

CS 457 Networking and the Internet. The Global Internet (Then) The Global Internet (And Now) 10/4/16. Fall 2016 CS 457 Networking and the Internet Fall 2016 The Global Internet (Then) The tree structure of the Internet in 1990 The Global Internet (And Now) A simple multi-provider Internet 1 The Global Internet Some

More information

Using MSDP to Interconnect Multiple PIM-SM Domains

Using MSDP to Interconnect Multiple PIM-SM Domains Using MSDP to Interconnect Multiple PIM-SM Domains This module describes the tasks associated with using Multicast Source Discovery Protocol (MSDP) to interconnect multiple Protocol Independent Multicast

More information

Protecting an EBGP peer when memory usage reaches level 2 threshold 66 Configuring a large-scale BGP network 67 Configuring BGP community 67

Protecting an EBGP peer when memory usage reaches level 2 threshold 66 Configuring a large-scale BGP network 67 Configuring BGP community 67 Contents Configuring BGP 1 Overview 1 BGP speaker and BGP peer 1 BGP message types 1 BGP path attributes 2 BGP route selection 6 BGP route advertisement rules 6 BGP load balancing 6 Settlements for problems

More information

CS 204: BGP. Jiasi Chen Lectures: MWF 12:10-1pm Humanities and Social Sciences

CS 204: BGP. Jiasi Chen Lectures: MWF 12:10-1pm Humanities and Social Sciences CS 204: BGP Jiasi Chen Lectures: MWF 12:10-1pm Humanities and Social Sciences 1403 http://www.cs.ucr.edu/~jiasi/teaching/cs204_spring17/ 1 Overview AS relationships Inter-AS routing BGP Example Paper discussion

More information

Next Lecture: Interdomain Routing : Computer Networking. Outline. Routing Hierarchies BGP

Next Lecture: Interdomain Routing : Computer Networking. Outline. Routing Hierarchies BGP Next Lecture: Interdomain Routing BGP 15-744: Computer Networking L-3 BGP Assigned Reading MIT BGP Class Notes [Gao00] On Inferring Autonomous System Relationships in the Internet Ooops 2 Outline Need

More information