Alibi Routing. D. Levin, Y. Lee, L. Valenta Z. Li, V. Lai, C. Lumezanu N. Spring, B. Bhattacharjee SIGCOMM 2015

Transcription

1 Alibi Routing D. Levin, Y. Lee, L. Valenta Z. Li, V. Lai, C. Lumezanu N. Spring, B. Bhattacharjee SIGCOMM 2015

2 Sniff sniff State agencies censor and log citizens internet traffic Abundant in certain regions China Syria North Korea Saudi Arabia Bahrain Iran Vietnam

3 Censor-avoidance Censorship and Surveillance Dropping packets Injecting data into packets Logging packets Routing protocols often don t consider intermediate nodes Traffic can route through geographic region which might inject data into packet Data integrity Nations may log routing info + drop packets

4 Users lack control over routing Mostly relegated to destination-based routing Send to 4

5 Users lack control over routing Collateral damage of censorship Send to Censor-free Censor-free Censoring country Encryption (HTTPS) Anonymity (Tor) Hide info, but are still subject to censorship 5

6 This paper Provable avoidance routing Send to but avoid Censor-free Censor-free Censoring country 6

7 Probably route avoidance goals Flexibility Users request their traffic to avoid transiting arbitrary geographic regions Without having to know underlying routes Proof Provide proofs of avoidance Goal: proof that it did not traverse Non-goal: proof that it cannot traverse Unadulterated roundtrip of communication Assurance of reliable communication, just a proof that it didn t enter the region AFTER transmission 7

8 Past Approaches BGP Poisoning (avoidance) Failure prone regions blacklisted in BGP Tor (other overlay systems) Anonymized Internet usage May pass through censored region when going between hops Geographical routing Greedy routing, no avoidance Some systems provide means to monitor regions visited, but no insurance/proof that certain places were not visited

9 Proof of avoidance Proving something did not happen is difficult Proving something related cannot possibly happen is less difficult How do you prove packet did not go through forbidden region? Consider event X depicting a situation in which a packet traverses through a forbidden region Consider event A depicting a situation where a packet does not traverse through a forbidden region A and X are mutually exclusive Showing X is impossible, authors show A is true

10 Mutually exclusive routing events The event X we wish to prove impossible A packet and its response from s to d transited forbidden region F We need To know a subset of the path that the packet took Forward a packet through a relay node r - r signs the packet and thus if r can be trusted not to have shared its key, then this proves that the packet must have gone through r For any possible path that includes s, r and d, the packets could not have also gone through F Key idea choose a relay that is so distant from F that transmitting both would induce noticeable high delays

11 Relay Guarantees Given path s è r èd with an RTT rtt_time Calculate RTT through s, r, and d AND the closest possible f to be rtt_forbidden If rtt_time is a factor of delta smaller than rtt_forbidden, initial path could not have possibly traversed f R(s,r)+R(r, d) R(s,r)+min f2f R(s, r) min f2f {R(r, f)+r(f,d)} {R(s, f)+r(f,r)} (1) d d f F F f s r s r

12 Assumptions All non-forbidden nodes are trustworthy Nodes cannot lie about smaller RTTs Based on various signing schemes, returned packet will show all (trustworthy) nodes it traversed

13 Terminology and definitions Forbidden Region Geographical location that should not be entered Represented by a list of <lat, long> coordinates depicting a geopolygon Alibi Relay that can be safely used to divert traffic around forbidden region Picked such that passing through Alibi AND forbidden region will cause noticeable delay increase Target regions Regions in which Alibis might reside Aid in locating Alibi δ (delta) Coefficient to ensure safety under latency fluctuations Used to determine target regions

14 Targeting the target region Alibi Routing consists of an overlay network of P2P nodes, each with coarse GPS coords Target region contains Alibi node A node at GPS coordinate g is included in target region if it satisfies the alibi conditions discussed (1 + ) D(s, g) < min f2f (1 + ) D(g, d) < min f2f {D(s, f)+d(f,g)}, and {D(g, f)+d(f,d)} (2) Authors partition world into grid of points For each point, consider it as g, calculate δ threshold All calculations based on greater-circle distance

15 Target region based on δ Example target regions, with end-hosts in Italy and Norway who seek to avoid Germany Contours represent different values of δ

16 Alibi, where art thou? When a source node s wishes to find alibis, it constructs and forwards a query message, <s, d, F, T> Each node keeps an active peer list and a neighbor list Occasionally sends out random nonces to get neighbors GPS coords Ping responses come with correct RTT as nonce is random and thus response cannot be preconstructed Each hop from source tries to minimize distance to target region

17 Security Concerns Time/distance calculations prevent underselling of RTT from malicious nodes Eclipse attack: surround node with all malicious nodes Requires attack nodes to be physically close to trustworthy nodes Algorithm should route hops away from forbidden regions Sending data copies to attackers End to end encryption can solve this, otherwise, nothing would effectively prevent this Laundering traffic: using relays to attack hosts Similar approach as to other systems, whitelisting, solutions exist

18 Evaluation Authors simulated deployment of 20,000 nodes and PlanetLab simulation of 245 hosts Enemies of the Internet labeled as forbidden regions + countries with most Internet users (USA, India, Japan) Most source-destination pairs successful 100 percent Path exists to a relay in the target region Source is in target region No path to target region No hosts in target region No target region China India Japan PR Korea Saudi Arabia Syria USA

19 Evaluation Protocol success using simulation and PlanetLab deployment showed almost 100% success in most δ value cases Due to limited PlanetLab deployment, at most 2 hops were needed to find relay. Around 40 in simulation.

20 Proximity effects on target regions Number of nodes in target region (b) China is the forbidden region. Number of nodes in target region Effect of source/destination distance on the number of nodes deployment in the target region nodes.) in the target region. (Simulated of 20, δ = 0.0 δ = 0.5 δ = China is forbidden region ) Min distance between src to F and dst to F (103 km) China when is the forbidden region. Failure is(b)likely source or destination areinvery close to the forbidden regionof the mber of nodes the target region. The x-axis is the minimum 20

21 Other results Routes through alibis incur little increase in latency Sometimes even lower latencies Alibi Routing incurs little communication overhead Countries with higher routing centrality are harder, but not impossible, to avoid Provable avoidance is possible safely and efficiently 21

22 Summary Provable avoidance routing Users to specify where they want their packets not to go Proof by alibi makes it possible to provably avoid arbitrary geographic regions without ISP/BGP support Alibi Routing finds potential alibis Successfully, so long as src/dst not too close At low cost in terms of latency inflation Code and data: alibi.cs.umd.edu 22

23 Other comments Current implementation has to be manually configured Does not tackle various downsides of the algorithm, for example being surrounded by forbidden region or having several forbidden regions, or failure cases where alibis incur too much of a latency to be effective Authors mention Alibi routing can be used in tandem with Tor, which should be very beneficial to both technologies P2P design requires lots of nodes to be online/active