Module: Routing Security. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Transcription

1 CMPSC443 - Introduction to Computer and Network Security Module: Routing Security Professor Patrick McDaniel Spring

2 Routing 101 Network routing exists to provide hosts desirable paths from the source to destination What desirable means depends on the types of protocols being used Two main approaches to routing Link state - collected/metrics of paths between hosts, e.g., OSPF Distance vector - shortest path based on exchanged routing tables, e.g., BGP 2

3 Routing Security Bad guys play games with routing protocols. Traffic is diverted. Enemy can see the traffic. Enemy can easily modify the traffic. Enemy can drop the traffic. Cryptography can mitigate effects, but not stop them. History: we don t have a lot of good answers! 3

4 Why So Little Progress? It's a really, really hard problem. Actually, getting routing to work well is hard enough. Has been outside the scope of traditional communications security. 4

5 How is it Different? Most communications security failures happen because of buggy code or broken protocols. Routing security failures happen despite good code and functioning protocols. The problem is a dishonest participant. Hop-by-hop authentication isn't sufficient. 5

6 Routing... Host B Host A 6

7 The Enemy's Goal? Host B Host A 7

8 Routing Protocols Routers speak to each other. They exchange topology information and cost information. Each router calculates the shortest path to each destination. Routers forward packets along locally shortest path. Attacker can lie to other routers 8

9 Normal Behavior Host B 5 5 Y 10 5 Host A 10 Y :B(10) Y :B(10) :Y (5),B(15) A:(5),Y(5),B(15) 9

10 Malicious Behavior 3 Host B 5 5 Y 10 5 Host A 10 Y : B(10) Y : B(10) B : Y (5), B(3) A : (5),Y(5), B(8) 10

11 Why is the Problem Hard? has no knowledge of 's real connectivity. Even Y has no such knowledge. The problem isn't the link from to ; the problem is the information being sent. (Note that might be deceived by some other neighbor Q.) 11

12 Worm-Holing Host B Host A 12

13 Worm-Holing Host B Host A 13

14 Link Cutting Host B Host A 14

15 Link Cutting Host B Host A 15

16 Routing in the Internet Two types, internal and external routing. Intradomin - Internal (within ISP, company): primarily OSPF. Interdomain routing - external (between ISPs, and some customers): BGP. Topology matters. 16

17 OSPF (Open Shortest Path First) Each node announces its own connectivity. Announcement includes link cost. Each node reannounces all information received from peers. Every node learns the full map of the network. Each node calculates the shortest path to all destinations. Host B Host A 10 Note: limited to a few thousand nodes at most. 17

18 Characteristics of Internal Networks Common management. Common agreement on cost metrics. Companies have less rich topologies, but less controlled networks. ISPs have very rich---but very specialized---topologies, but well-controlled networks. Often based on Ethernet and its descendants. 18

19 Secure OSPF? Simple link security is hard: multiple-access net. Shared secrets guard against new machines being plugged in but not against an authorized party being dishonest. Solution: digitally sign each routing update (expensive!) List authorizations in certificate. Experimental RFC by Murphy et al., Note: everyone sees the whole map; monitoring stationcan note discrepancies from reality. (But bad guys can send out different announcements in different directions.) 19

20 BGP (Border Gateway Protocol) BGP is the protocol used to route information at the autonomous system level - (distance vector protocol) Everyone builds a route to every AS in the internet based on paths received from neighbors Routes are flooded to neighbors Path selection is based on policy (not always shortest path) 20

21 External Routing via BGP No common management hence no metrics beyond hop count No shared trust. Policy considerations: by intent, not all paths are actually usable. Controls address management The control plane for the Internet. 21

22 Secure BGP? Kent et al. created the sbgp protocol which: Signs routes Signs address advertisements Based on the idea that we can setup parallel PKI to support trust in the routing and address use. Several RFCs, many papers. Not really gotten traction because of costs and limitations of trust. 22

23 Routing Registries Services like the Internet Routing Registry (IRR) allow ISPs to provide public routing information Users can cross check received advertisements against the IRR for correctness Also used to prevent misconfiguration, traffic engineering... Problem: ISP generally don t like to expose how there networks are configured Depth and freshness of included data is not always good Hard to base security decisions on sometimes unreliable sources. 23

24 Problems to Solutions? Independent of the type, this all relates to securing the following information for a source: where the destination address? what is the best path to that address? Answering these questions in practice is complex, as it necessarily requires us to trust foreign entities or devices for which we may know little (if anything). This is the nasty secure distributed computation all over again, only everyone on the Internet must play. Want more? Take CSE545 - Advanced Network Security 24