How Secure are BGP Security Protocols? Sharon Goldberg (Microsoft Research & Boston University), Michael Schapira, Pete Hummon (AT&T Research)
Transcription
1 How Secure are BGP Security Protocols? NANOG 49, San Francisco, Tuesday June. Sharon Goldberg (Microsoft Research & Boston University), Michael Schapira (Princeton University, Yale & Berkeley), Pete Hummon (AT&T Research), Jennifer Rexford (Princeton)
2 Overview (1) BGP traffic attraction attacks can cause major problems: prefix hijacks causing blackholes and loss of connectivity (e.g., the Pakistan Telecom / YouTube incident); BGP man-in-the-middle attacks (e.g., the Pilosov & Kapela traffic interception demo). If we had BGP security, these problems go away... right? Different protocols have different properties. Which one is most effective at stopping attacks? Can we quantify this? Can we compare them?
3 Overview (2) We quantify & compare how well the major BGP security protocols prevent traffic attraction attacks: origin authentication (ROA/RPKI), soBGP, defensive filtering (prefix lists), Secure BGP. Our approach: evaluate via simulation on AS topology data. Assume a BGP security protocol is fully deployed. How much traffic can an attacker attract? To determine this, we use a model of BGP routing policies based on the business relationships & AS-path length, and run simulations on [CAIDA] & [UCLA Cyclops] data (maps of the AS-level Internet with business relationships).
4 A Model for BGP Routing Policies (1) In order to figure out how traffic would flow as a result of an attack, we need to know how each AS chooses paths in BGP. BUT, we don't know exactly how you do this. So we use a model. [Diagram labels: peer p1 peer v p3 customer provider] Prefer customer paths over peer paths over provider paths. A model of routing policies: Prefer cheaper paths. Then, prefer shorter paths.
5 A Model for BGP Routing Policies (2) In order to figure out how traffic would flow as a result of an attack, we need to know how each AS chooses paths in BGP. [Diagram labels: v, Prefix v, Prefix p1 v p3 p1, v, Prefix, p3, v, Prefix p3, v, Prefix] A model of routing decisions: Prefer cheaper paths. Then, prefer shorter paths.
6 A Model for BGP Routing Policies (3) In order to figure out how traffic would flow as a result of an attack, we need to know how each AS chooses paths in BGP. [Diagram labels: p1 v p3 Losing, p1, v, Prefix] A model of routing decisions: Prefer cheaper paths. Then, prefer shorter paths. Only transit traffic if it earns you money, i.e., for customers.
7 This talk. Part 1: A Model of BGP Routing Policies. Part 2: Secure Routing Protocols and Attacks (Prefix hijacks on BGP; Attacks on Origin Authentication (RPKI); Route Leaks with Secure BGP; Interlude: Finding the Optimal Attack; Filtering attacks by stubs via prefix lists). Part 3: Graphs of Simulation Results. Part 4: Conclusions and Implications.
8 I'll start with a single anonymized example from CAIDA's 11/20/2009 AS relationship data. I'll use this example to present possible attacks on each BGP security protocol. For now, I'll have one attacker and one victim. Later I'll consider multiple (attacker, victim) pairs.
9 Traffic Attraction Attacks. Attacker wants max number of ASes to route thru its network. (For eavesdropping, dropping, tampering, ...) [Diagram labels: v, Prefix p1 v p3?, Prefix] A model of routing decisions: Prefer cheaper paths. Then, prefer shorter paths. Only transit traffic if it earns you money, i.e., for customers.
11 Traffic Attraction Attacks. Attacker wants max number of ASes to route thru its network. (For eavesdropping, dropping, tampering, ...) [Diagram labels: v, Prefix v, Prefix p1 v p3,, Prefix, Prefix, Prefix] A model of routing decisions: Prefer cheaper paths. Then, prefer shorter paths. Only transit traffic if it earns you money, i.e., for customers.
13 Traffic Attraction Attacks. Attacker wants max number of ASes to route thru its network. (For eavesdropping, dropping, tampering, ...) [Diagram labels: p1 v p3] Simulations show he attracts 62% of ASes! A model of routing decisions: Prefer cheaper paths. Then, prefer shorter paths. Only transit traffic if it earns you money, i.e., for customers.
14 The attack we just saw could have been prevented with origin authentication (ROA/RPKI). Now, suppose we had ROA/RPKI. Can the attacker still launch an attack? (Yes)
15 Security Mechanism: Origin Authentication. RPKI/ROA: A secure database that maps IP prefixes to owner ASes. [Diagram labels: p1 v p3] Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors!
16 Security Mechanism: Origin Authentication. RPKI/ROA: A secure database that maps IP prefixes to owner ASes. [Diagram labels: v, Prefix p1 v p3?, v, Prefix] Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors!
17 Security Mechanism: Origin Authentication. RPKI/ROA: A secure database that maps IP prefixes to owner ASes. [Diagram labels: v, Prefix v, Prefix p1 v p3,, v, Prefix, v, Prefix, v, Prefix] Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors!
19 Security Mechanism: Origin Authentication. RPKI/ROA: A secure database that maps IP prefixes to owner ASes. [Diagram labels: p1 v p3] Simulations show he attracts 58% of ASes! Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors!
20 The attack we just saw could have been prevented with soBGP or Secure BGP. Now, suppose we had Secure BGP. Can the attacker still launch an attack? (Yes, using route leaks)
21 Security Mechanism: Secure BGP [KLS98]. Secure BGP: Origin Authentication + Cannot announce a path that was not announced to you. [Diagram labels: p1 v p3] Public Key Signature: Anyone who knows v's public key can authenticate that the message was sent by v.
22 Security Mechanism: Secure BGP [KLS98]. Secure BGP: Origin Authentication + Cannot announce a path that was not announced to you. [Diagram labels: p1: (v, Prefix) p1 v p3 p1: (v, Prefix) : (p1, v, Prefix)] Public Key Signature: Anyone who knows v's public key can authenticate that the message was sent by v.
23 Security Mechanism: Secure BGP [KLS98]. Secure BGP: Origin Authentication + Cannot announce a path that was not announced to you. [Diagram labels: p1: (v, Prefix) p3: (v, Prefix) p1 v p3 p3: (v Prefix) : (p3, v, Pref p1: (v, Prefix) p3: (v, Prefix) : (p1, v, Prefix) : (p3, v, Prefix) : (, p3, v, Prefix)] Public Key Signature: Anyone who knows v's public key can authenticate that the message was sent by v.
24 Are attacks still possible with Secure BGP? (1) Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors! [Diagram labels: p1 v p3 p1: (v, Prefix) : (p1, v, Prefix) p3: (v, Prefix) : (p3, v, Prefix) : (, p3, v, Prefix)]
25 Are attacks still possible with Secure BGP? (2) Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors! [Diagram labels: p1 v p3 p1: (v, Prefix) : (p1, v, Prefix) p1: (v, Prefix) : (p1, v, Prefix) : (, p1, v, Prefix)]
26 Are attacks still possible with Secure BGP? (2) Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors! [Diagram labels: p1 v p3? p3: (v Prefix) : (p3, v, Pref p1: (v, Prefix) : (p1, v, Prefix) p1: (v, Prefix) : (p1, v, Prefix) : (, p1, v, Prefix)]
27 Are attacks still possible with Secure BGP? (2) Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors! [Diagram labels: p1 v p3 p3: (v Prefix) : (p3, v, Pref p1: (v, Prefix) : (p1, v, Prefix) p1: (v, Prefix) : (p1, v, Prefix) : (, p1, v, Prefix)]
28 Are attacks still possible with Secure BGP? (3) Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors! [Diagram labels: p3: (v, Prefix) p1 v p3? p1: (v, Prefix) : (, v, Prefix : (, p1, v, Pr p3: (,, p1, v] Later we'll discuss why this is an attack.
29 Are attacks still possible with Secure BGP? (3) Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors! [Diagram labels: p3: (v, Prefix) p1 v p3 p1: (v, Prefix) : (, v, Prefix : (, p1, v, Pr p3: (,, p1, v] Later we'll discuss why this is an attack.
30 Are attacks still possible with Secure BGP? (3) Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors! [Diagram labels: p1 v p3] Simulations show he attracts 16% of ASes! Later we'll discuss why this is an attack.
31 This talk. Part 1: A Model of BGP Routing Policies. Part 2: Secure Routing Protocols and Attacks (Prefix hijacks on BGP; Attacks on Origin Authentication (RPKI); Route Leaks with Secure BGP; Interlude: Finding the Optimal Attack; Filtering attacks by stubs via prefix lists). Part 3: Graphs of Simulation Results. Part 4: Conclusions and Implications.
32 Wait! Is this the best attack strategy?!? I can't lie about my business relationship with AS, so I might as well announce the shortest path I can. Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors!
33 Wait! Is this the best attack strategy?!? I can't lie about my business relationship with AS, so I might as well announce the shortest path I can. But Not Optimal! Smart Attack Strategy: Announce the shortest path I can get away with to all my neighbors! Sometimes longer paths are better! Sometimes announcing to fewer neighbors is better! Btw, it's also NP-hard to find the optimal attack strategy. Smart Attack Strategy underestimates damage.
34 Longer paths are better?!? Here's an example that shows why.
35 Sometimes longer paths are better! (1) [Diagram labels: p1 v p3 p3: (v, Prefix) : (p3, v, Prefix) p3: (v, Prefix) : (, p3, v, Prefix) : (p3, v, Prefix) p1: (,, p3, v, Prefix) : (, p3, v, Prefix)]
36 Sometimes longer paths are better! (2) Simulations show he attracts 56% of Internet! With the shorter path, he attracts only 16% of Internet! This is almost as much as attack on insecure BGP: 62%! [Diagram labels: p1 v p3; 517 neighbors; 4 neighbors] Why does this happen? p1 is bigger than. Key Observation: Who you announce to is as important as what you announce.
37 Security Heuristic: Filtering Stubs on Prefix Lists (1) Providers that filter stubs on prefix lists: keep lists of the prefixes owned by each stub customer; filter if stub customer announces any path to a prefix not on list. [Diagram labels: p1 v p3 Stub : IP1 IP2] A stub should not transit traffic. A stub is an AS with no customers.
38 Security Heuristic: Filtering Stubs on Prefix Lists (2) Providers that filter stubs on prefix lists: keep lists of the prefixes owned by each stub customer; filter if stub customer announces any path to a prefix not on list. [Diagram labels: p1: (v, Prefix) p1 v p3 Stub : IP1 IP2 p3: (v, Prefix) : (p3, v, Prefix) : (, p3, v, Prefix) p1: (,, p3, v, Prefix)] My stub doesn't own this prefix!
39 Security Heuristic: Filtering Stubs on Prefix Lists (2) Providers that filter stubs on prefix lists: keep lists of the prefixes owned by each stub customer; filter if stub customer announces any path to a prefix not on list. [Diagram labels: p1: (v, Prefix) p1 v p3 Stub : IP1 IP2 p3: (v, Prefix) : (p3, v, Prefix) : (, p3, v, Prefix) p1: (,, p3, v, Prefix)] My stub doesn't own this prefix! Defensive filtering thwarts all attacks by stubs! In the data, 85% of ASes are stubs.
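Added example (not from the talk or its authors): a toy Python simulation of the routing model from slides 4-6, replaying the prefix hijack (slides 9-13), the attack on origin authentication (slides 15-19) and defensive filtering of stubs (slides 37-39). The nine-AS topology, the AS numbers and the lowest-AS-number tie-break are constructed assumptions, so its fractions are not the talk's 62% / 58% figures.

```python
# Added illustration: toy path-vector simulation of the routing model on these slides.
# Topology, AS numbers and the final tie-break are constructed assumptions.
CUSTOMER, PEER, PROVIDER = 0, 1, 2   # what a neighbor is to me; lower = cheaper

P2C = [(1, 3), (1, 4), (2, 5), (2, 6), (4, 7), (3, 8), (5, 8), (6, 9)]  # (provider, customer)
PEERS = [(1, 2)]
VICTIM = 7                           # legitimate origin of the prefix (a stub)


def build_relations(p2c, peers):
    """rel[x][n] tells what neighbor n is to AS x."""
    rel = {}
    for p, c in p2c:
        rel.setdefault(p, {})[c] = CUSTOMER
        rel.setdefault(c, {})[p] = PROVIDER
    for a, b in peers:
        rel.setdefault(a, {})[b] = PEER
        rel.setdefault(b, {})[a] = PEER
    return rel


REL = build_relations(P2C, PEERS)
# A stub is an AS with no customers.
STUBS = {x for x, nbrs in REL.items() if CUSTOMER not in nbrs.values()}


def converge(attacker=None, bogus_path=None, defensive_filtering=False):
    """Return {AS: chosen AS path} once no AS changes its route.

    The victim always announces (VICTIM,). The attacker, if any, announces
    bogus_path to all neighbors: (m,) is a prefix hijack, (m, VICTIM) is the
    fake-link path that still passes origin authentication.
    """
    fixed = {VICTIM: (VICTIM,)}
    if attacker is not None:
        fixed[attacker] = tuple(bogus_path)
    best = dict(fixed)
    for _ in range(10 * len(REL)):
        new = dict(fixed)
        for x in REL:
            if x in fixed:
                continue
            offers = []
            for n, kind in REL[x].items():
                path = best.get(n)
                if path is None or x in path:          # no route, or a loop
                    continue
                # Export rule: only transit traffic for customers. Origins
                # announce to everyone; others export everything to customers
                # and only customer-learned routes to peers and providers.
                exports = (n in fixed or REL[n][x] == CUSTOMER
                           or REL[n][path[1]] == CUSTOMER)
                if not exports:
                    continue
                # Defensive filtering: a provider drops any announcement from
                # a stub customer for a prefix that stub does not own.
                if (defensive_filtering and kind == CUSTOMER
                        and n in STUBS and n != VICTIM):
                    continue
                offers.append((kind, len(path), n, path))
            if offers:
                # Cheaper first, then shorter, then lowest neighbor AS number.
                new[x] = (x,) + min(offers)[3]
        if new == best:
            return best
        best = new
    raise RuntimeError("routing did not converge")


def attracted(attacker, bogus_path, defensive_filtering=False):
    """Sorted list of ASes (excluding attacker and victim) routing via the attacker."""
    best = converge(attacker, bogus_path, defensive_filtering)
    return sorted(x for x, path in best.items()
                  if x not in (attacker, VICTIM) and attacker in path)


if __name__ == "__main__":
    others = len(REL) - 2
    scenarios = [
        ("stub 8, prefix hijack", 8, (8,), False),
        ("stub 8, vs. origin authentication", 8, (8, VICTIM), False),
        ("stub 8, hijack + defensive filtering", 8, (8,), True),
        ("non-stub 5, hijack + defensive filtering", 5, (5,), True),
    ]
    for label, m, bogus, df in scenarios:
        got = attracted(m, bogus, df)
        print(f"{label:42s} {got}  ({len(got)}/{others})")
```

On this toy graph the stub attacker attracts 6 of 7 ASes with a plain hijack, 5 of 7 against origin authentication, and none once its providers filter; the non-stub attacker AS 5 still attracts 4 of 7 with filtering in place.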
40 This talk. Part 1: A Model of BGP Routing Policies. Part 2: Secure Routing Protocols and Attacks (Prefix hijacks on BGP; Attacks on Origin Authentication (RPKI); Route Leaks with Secure BGP; Interlude: Finding the Optimal Attack; Filtering attacks by stubs via prefix lists). Part 3: Graphs of Simulation Results. Part 4: Conclusions and Implications.
41 Probability* Smart Attack attracts 10% of Internet. *Probability is taken over random choice of attacker and victim. [Bar chart: No Defensive Filtering vs. Defensive Filtering, for BGP, OrAuth, soBGP, Secure BGP] 15% of ASes are not stubs! Recall that the Greedy Attack Strategy underestimates damage.
42 We see that if every provider filters announcements from stubs based on prefix lists, this is about as effective as having everyone implement Secure BGP! Secure BGP is not a replacement for filtering, we need both in combination. (S*-BGP is vulnerable to route leaks)
43 Now, graphs that show how well the results from [CAIDA] and [Cyclops] agree. These two datasets are produced by independent researchers (not us) using different business-relationship inference algorithms. But for our study, the trends we see across the datasets are remarkably consistent.
44 Probability* Smart Attack attracts >x% of Internet (1). *Probability is taken over random choice of attacker and victim. [Plot, CAIDA Nov 20,: curves for BGP, OrAuth, soBGP, SBGP, Honest BGP + DF; x-axis: Fraction of ASes routing thru Manipulator] % of ASes are not stubs! Recall that the Smart Attack Strategy underestimates damage.
45 Probability* Smart Attack attracts >x% of Internet (2). *Probability is taken over random choice of attacker and victim. [Plot, UCLA Cyclops Nov 20,: curves for BGP, OrAuth, soBGP, SBGP, Honest BGP + DF; x-axis: Fraction of ASes routing thru Manipulator] % of ASes are not stubs! Recall that the Smart Attack Strategy underestimates damage.
46 Filtering stubs on prefix lists does not prevent attacks by Tier 1s and Tier 2s. In fact, the next graph shows that Tier 2s make the most effective attackers. Thus: Filtering is not a replacement for Secure BGP, we need both in combination.
47 Tier 2s are the most effective attackers. Probability* of Attracting >x% of the Internet. Attack on BGP (i.e., originate victim prefix to all neighbors). Tier 2s attract more traffic than anyone else. [Plot: Attacker type: Non-Stub, > 25 Customers, Tier 2, > 250 Customers, Tier; x-axis: Fraction of ASes routing thru Manipulator] *Probability is over random victim and attacker from different classes.
48 This talk. Part 1: A Model of BGP Routing Policies. Part 2: Secure Routing Protocols and Attacks (Prefix hijacks on BGP; Attacks on Origin Authentication (RPKI); Route Leaks with Secure BGP; Interlude: Finding the Optimal Attack; Filtering attacks by stubs via prefix lists). Part 3: Graphs of Simulation Results. Part 4: Conclusions and Implications.
49 Take away points. 1) Who you tell is as important as what you say. Secure BGP constrains the paths announced but not export policies. 2) Defensive filtering is crucial even with S*-BGP. S*-BGP prevents path shortening attacks, but is still vulnerable to route leaks. Defensive filtering prevents attacks by stubs but is still vulnerable to attacks by Tier 1s and 2s... which are the most effective. Need a combination of filtering on prefix lists and S*-BGP.
50 Implementing Filtering on Prefix Lists. Today: The provider locally maintains its prefix list. Implementation is imperfect. Why? Relies on altruism. Also, other ASes have to trust that each provider has properly implemented prefix lists. Maintaining prefix lists is annoying and hard. Why not use RPKI/ROA to derive prefix lists? RPKI / ROA: A secure database that maps IP prefixes to their owner ASes. [Diagram labels: Stub : IP1 IP2 a1; My stub doesn't own this IP prefix!]
51 What if only large ASes implement prefix lists? (1) [Plot, CAIDA Nov 20,: Stubs, size of smallest provider: < 5 Customers, (5,10] Customers, (10,25] Customers, (25,100] Customers, (100,500] Customers, > 500 Customers] If ISPs with > 10 customers filter, 56% of attacks stopped.
52 What if only large ASes implement prefix lists? (2) [Plot, UCLA Cyclops Nov 20,: Stubs, size of smallest provider: < 5 Customers, (5,10] Customers, (10,25] Customers, (25,100] Customers, (100,500] Customers, > 500 Customers] If ISPs with > 10 customers filter, 55% of attacks stopped.
53 Thanks! This work will also appear at SIGCOMM '10. Full report available at:
54 soBGP is Weaker than S-BGP for Targeted Attacks. [Diagram labels: p X T1 v] Now, which path should the attacker announce to the rest of the Internet? ", T1, a, v, Prefix": 4 hops, available, attract 2% of ASes. "a, p, v, Prefix": 3 hops, not available, attract 10% of ASes. With S-BGP, he couldn't announce an unavailable path that exists in the AS graph.
55 Attract More by Exporting Less (1)! The Tier 1s announce 4 hop paths. [Diagram labels: T1a T1b ?? a2 ?? p a1 v; CAIDA Nov 20, 2009] Simulations show he attracts 40% of ASes.
56 Attract More by Exporting Less (2)! Why? The Tier 1s use 3 hop paths! [Diagram labels: T1a T1b ?? a2 p X ? a1 v; CAIDA Nov 20, 2009] Simulations show he attracts 40% of ASes.
57 How Secure is Routing on the Internet Today? (1) February 2008: Pakistan Telecom hijacks YouTube. [Diagram labels: The Internet; YouTube; I YouTube: IP / 24; Pakistan Telecom; Telnor Pakistan; Aga Khan University; Multinet Pakistan]
More informationBGP Configuration for a Transit ISP
BGP Configuration for a Transit ISP ISP Workshops Last updated 24 April 2013 1 Definitions p Transit carrying traffic across a network, usually for a fee n traffic and prefixes originating from one AS
More informationInterdomain Routing. EE122 Fall 2011 Scott Shenker
Interdomain Routing EE122 Fall 2011 Scott Shenker http://inst.eecs.berkeley.edu/~ee122/ Materials with thanks to Jennifer Rexford, Ion Stoica, Vern Paxson and other colleagues at Princeton and UC Berkeley
More informationClosing The Performance Gap between Causal Consistency and Eventual Consistency
Closing The Perforance Gap between Causal Consistency and Eventual Consistency Jiaqing Du Călin Iorgulescu Aitabha Roy Willy Zwaenepoel EPFL ABSTRACT It is well known that causal consistency is ore expensive
More informationAn Efficient Approach for Content Delivery in Overlay Networks
An Efficient Approach for Content Delivery in Overlay Networks Mohaad Malli, Chadi Barakat, Walid Dabbous Projet Planète, INRIA-Sophia Antipolis, France E-ail:{alli, cbarakat, dabbous}@sophia.inria.fr
More informationBGP. Autonomous system (AS) BGP version 4
BGP Border Gateway Protocol (an introduction) Karst Koymans Informatics Institute University of Amsterdam (version 1.5, 2011/03/06 13:35:28) Monday, March 7, 2011 General ideas behind BGP Background Providers,
More informationNetwork Security - ISA 656 Routing Security
What is? Network Security - ISA 656 Angelos Stavrou What is Routing Security? History of Routing Security Why So Little Work? How is it Different? Bad guys play games with routing protocols. Traffic is
More informationA Measurement Study of BGP Misconfiguration
A Measurement Study of BGP Misconfiguration Ratul Mahajan, David Wetherall, and Tom Anderson University of Washington Motivation Routing protocols are robust against failures Meaning fail-stop link and
More informationRPKI and Internet Routing Security ~ The regional ISP operator view ~
RPKI and Internet Routing Security ~ The regional ISP operator view ~ APNIC 29/APRICOT 2010 NEC BIGLOBE, Ltd. (AS2518) Seiichi Kawamura 1 Agenda Routing practices of the regional ISP today How this may
More informationBGP Security. Kevin s Attic for Security Research
Kevin s Attic for Security Research kevinkoo001@gmail.com Table 1. BGP Operation (1): Concept & Topology 2. BGP Operation (2): Message Exchange, Format and Path Decision Algorithm 3. Potential Attacks
More informationAutonomous Security for Autonomous Systems
Autonomous Security for Autonomous Systems Josh Karlin, Stephanie Forrest, and Jennifer Rexford Abstract The Internet s interdomain routing protocol, BGP, supports a complex network of Autonomous Systems
More informationDynamics of Hot-Potato Routing in IP Networks
Dynamics of Hot-Potato Routing in IP Networks Jennifer Rexford AT&T Labs Research http://www.research.att.com/~jrex Joint work with Renata Teixeira (UCSD), Aman Shaikh (AT&T), and Timothy Griffin (Intel)
More informationA Low-Cost Multi-Failure Resilient Replication Scheme for High Data Availability in Cloud Storage
216 IEEE 23rd International Conference on High Perforance Coputing A Low-Cost Multi-Failure Resilient Replication Schee for High Data Availability in Cloud Storage Jinwei Liu* and Haiying Shen *Departent
More informationCS 640: Introduction to Computer Networks. Intra-domain routing. Inter-domain Routing: Hierarchy. Aditya Akella
CS 640: Introduction to Computer Networks Aditya Akella Lecture 11 - Inter-Domain Routing - BGP (Border Gateway Protocol) Intra-domain routing The Story So Far Routing protocols generate the forwarding
More informationOblivious Routing for Fat-Tree Based System Area Networks with Uncertain Traffic Demands
Oblivious Routing for Fat-Tree Based Syste Area Networks with Uncertain Traffic Deands Xin Yuan Wickus Nienaber Zhenhai Duan Departent of Coputer Science Florida State University Tallahassee, FL 3306 {xyuan,nienaber,duan}@cs.fsu.edu
More informationLecture 16: Border Gateway Protocol
Lecture 16: Border Gateway Protocol CSE 123: Computer Networks Alex C. Snoeren Some figures courtesy Mike Freedman Lecture 16 Overview Border Gateway Protocol (BGP) The canonical path vector protocol How
More informationCS 361 Meeting 8 9/24/18
CS 36 Meeting 8 9/4/8 Announceents. Hoework 3 due Friday. Review. The closure properties of regular languages provide a way to describe regular languages by building the out of sipler regular languages
More informationRouting Security. Daniel Karrenberg RIPE NCC.
Routing Security Daniel Karrenberg RIPE NCC Who is talking: Daniel Karrenberg 1980s: helped build Internet in Europe - EUnet, Ebone, IXes,... - RIPE 1990s: helped build RIPE
More informationSecure Routing with RPKI. APNIC44 Security Workshop
Secure Routing with RPKI APNIC44 Security Workshop Misdirection / Hijacking Incidents YouTube Incident Occurred 24 Feb 2008 (for about 2 hours) Pakistan Telecom announced YT block Google (AS15169) services
More informationSecuring BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC
Securing BGP: The current state of RPKI Geoff Huston Chief Scientist, APNIC Incidents What happens when I announce your addresses in BGP? All the traffic that used to go to you will now come to me I can
More informationLecture 6. Internet Security: How the Internet works and some basic vulnerabilities. Thursday 19/11/2015
Lecture 6 Internet Security: How the Internet works and some basic vulnerabilities Thursday 19/11/2015 Agenda Internet Infrastructure: Review Basic Security Problems Security Issues in Routing Internet
More informationModule 10 An IPv6 Internet Exchange Point
ISP/IXP Networking Workshop Lab Module 10 An IPv6 Internet Exchange Point Objective: To investigate methods for connecting to an Internet Exchange Point. Prerequisites: Modules 1 to 4, and the Exchange
More informationVerifying Wide-Area Routing Configuration
Verifying Wide-Area Routing Configuration Nick Feamster and Hari Balakrishnan M.I.T. Computer Science and Artificial Intelligence Laboratory {feamster,hari}@csail.mit.edu http://nms.lcs.mit.edu/bgp/ BGP
More informationLecture outline. Internet Routing Security Issues. Previous lecture: Effect of MinRouteAdver Timer. Recap of previous lecture
Lecture outline Internet Routing Security Issues Z. Morley Mao Lecture 3 Jan 14, 2003 Recap of last lecture, any questions? Existing routing security mechanisms - SBGP General threats to routing protocols
More informationSolving the Damage Localization Problem in Structural Health Monitoring Using Techniques in Pattern Classification
Solving the Daage Localization Proble in Structural Health Monitoring Using Techniques in Pattern Classification CS 9 Final Project Due Dec. 4, 007 Hae Young Noh, Allen Cheung, Daxia Ge Introduction Structural
More informationCarnegie Mellon Computer Science Department Spring 2016 Midterm Exam
Carnegie Mellon Computer Science Department. 15-744 Spring 2016 Midterm Exam Name: Andrew ID: INSTRUCTIONS: There are 13 pages (numbered at the bottom). Make sure you have all of them. Please write your
More informationInter-Domain Routing: BGP II
Inter-Domain Routing: BGP II Brad Karp UCL Computer Science (drawn mostly from lecture notes by Hari Balakrishnan and Nick Feamster, MIT) CS 05/GZ01 4 th December 2014 BGP Protocol (cont d) BGP doesn t
More informationInter-AS routing. Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley
Inter-AS routing Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley Some materials copyright 1996-2012 J.F Kurose and K.W. Ross, All Rights Reserved Chapter 4:
More informationCS4700/CS5700 Fundamentals of Computer Networks
CS4700/CS5700 Fundamentals of Computer Networks Lecture 12: Inter-domain routing Slides used with permissions from Edward W. Knightly, T. S. Eugene Ng, Ion Stoica, Hui Zhang Alan Mislove amislove at ccs.neu.edu
More informationCS 204: BGP. Jiasi Chen Lectures: MWF 12:10-1pm Humanities and Social Sciences
CS 204: BGP Jiasi Chen Lectures: MWF 12:10-1pm Humanities and Social Sciences 1403 http://www.cs.ucr.edu/~jiasi/teaching/cs204_spring17/ 1 Overview AS relationships Inter-AS routing BGP Example Paper discussion
More informationCOMP/ELEC 429 Introduction to Computer Networks
COMP/ELEC 429 Introduction to Computer Networks Lecture 11: Inter-domain routing Slides used with permissions from Edward W. Knightly, T. S. Eugene Ng, Ion Stoica, Hui Zhang T. S. Eugene Ng eugeneng at
More informationINTERDOMAIN ROUTING POLICY
INTERDOMAIN ROUTING POLICY COS 461: Computer Networks Spring 2010 (MW 3:00 4:20 in COS 105) Mike Freedman hdp://www.cs.princeton.edu/courses/archive/spring10/cos461/ 1 Goals of Today s Lecture Business
More informationRouting and router security in an operator environment
DD2495 p4 2011 Routing and router security in an operator environment Olof Hagsand KTH CSC 1 Router lab objectives A network operator (eg ISP) needs to secure itself, its customers and its neighbors from
More informationInter-domain Routing(BGP) Security [IP Prefix Hijacking] Akmal Khan
Inter-domain Routing(BGP) Security [IP Hijacking] Akmal Khan [raoakhan@mmlab.snu.ac.kr] 4-15-2010 2 Outline Introduction Types of IP Hijacking Internet Routing Data Sources Tools of the Trade Past Research
More informationLecture 16: Interdomain Routing. CSE 123: Computer Networks Stefan Savage
Lecture 16: Interdomain Routing CSE 123: Computer Networks Stefan Savage Overview Autonomous Systems Each network on the Internet has its own goals Path-vector Routing Allows scalable, informed route selection
More informationJust give me a button!
Just give me a button! The challenges of routing security RIPE NCC Members organisation founded in 1992 Manages IP and ASN allocations in Europe, Middle East and former Soviet Union - Ensure unique holdership
More informationCS 43: Computer Networks. 24: Internet Routing November 19, 2018
CS 43: Computer Networks 24: Internet Routing November 19, 2018 Last Class Link State + Fast convergence (reacts to events quickly) + Small window of inconsistency Distance Vector + + Distributed (small
More informationResource Optimization for Web Service Composition
Resource Optiization for Web Coposition Xia Gao, Ravi Jain, Zulfikar Razan, Ulas Kozat Abstract coposition recently eerged as a costeffective way to quickly create new services within a network. Soe research
More information