Future Internet CMU XIA & SCION
|
|
- Eustace Stephens
- 5 years ago
- Views:
Transcription
1 Future Internet CMU XIA & SCION expressive Internet Architecture Security Architecture Dave Andersen, Adrian Perrig, Peter Steenkiste David Eckhardt, Sara Kiesler, Jon Peha, Srini Seshan, Marvin Sirbu, Hui Zhang Carnegie Mellon University Aditya Akella, University of Wisconsin John Byers, Boston University Adrian Perrig 1 2 1
2 XIA Vision We envision a future Internet that: Is trustworthy Security broadly defined is the biggest challenge Supports long- term evoluoon of usage models Including host- host, content retrieval, services, Supports long term technology evoluoon Not just for link technologies, but also for storage and compuong capabilioes in the network and end- points Allows all actors to operate effecovely Despite differences in roles, goals and incenoves P1: Evolvable Set of Principals Specifying intent allows future network support to opomize performance, efficiency No need to force all communicaoon at a lower level (hosts), as in today s Internet Allows the network to evolve Content a581fe9... Services d9389fa 3 Host 024e881 Future Entities 39c
3 P2: Security as Intrinsic as Possible Security properoes are a direct result of the design of the system Do not rely on correctness of external configuraoons, acoons, data bases Malicious acoons can be easily idenofied Host 024e881 Content a581fe9... Services d9389fa Future Entities 39c Other XIA Principles Narrow waist for trust management Intrinsically secure idenofiers must match the user s trust assumpoons and intensions Narrow waist allows leveraging diverse mechanisms for trust management: CAs, reputaoon, personal, Narrow waist for all principals Defines the API between principals and network protocol mechanisms All other network funcoons are explicit services XIA provides a principal type for services (visible) Keeps the architecture simple and easy to reason about 6 3
4 XIA: expressive Internet Architecture Each communicaoon operaoon expresses intent of operaoons Also: explicit trust management, APIs among actors XIA is a single inter- network in which all principals are connected Not a collecoon of architectures implemented through, e.g., virtualizaoon or overlays Not based on a preferred principal (host or content), that has to support all communicaoon What Do We Mean by Evolvability? Narrow waist of the Internet has allowed the network to evolve significantly But need to evolve the waist as well! Can make the waist smarter IP: Evolvability of: Applications Link technologies XIA adds evolvability at the waist: Applications Evolving set of principals Link technologies 7 8 4
5 Evolvability IntroducOon of a new principal type must be incremental no flag day! Not all routers and ISPs will provide support from day one No universal connecovity Some ISPs may never support certain principal types SoluOon is to provide an. intent and fallback address CID Intent address allows in- AD:HID network opomizaoons based AD:HID on user intent. Fallback address is guaranteed Payload to be reachable 9 Generalizing Evolvable Address Format Use a directed acyclic graph to represent address Router traverses the DAG Priority among edges AD 1 AD 2 Fallback DAG format supports many addressing styles Shortcut rouong, binding, source rouong, infrastructure evoluoon,.. Common case: small dag, most routers look at one XID CID Intent 10 5
6 XIA Security A key feature of XIA is flexibility, thus, the architecture can be extended in ways we cannot anocipate XIA security depends on Underlying architecture XIA extension principals and mechanisms Specific extensions future designers choose Consequently, detailed security analysis depends on specific principal types 12 XIA High- Level Security Goals Support today's Internet- style host- to- host communicaoon with drasocally improved security Provide improved security for two classes of communicaoon we anocipate being important: content retrieval & accessing services Provide groundwork for future extensions to make good decisions w.r.t. security and availability 13 6
7 Main Security ProperOes Availability CommunicaOon availability (hosts and services) Finding nearby contents and services Defenses against DoS aqacks AuthenOcity / integrity AuthenOcaOon of user, host, domain, service, content AuthenOcaOon and Accountability Both authorizaoon and deterrence, respecovely Secrecy of idenoty, anonymity, privacy Sender / receiver privacy if desired Trust management How to set up trust relaoons, roots of trust XIA Security Design Principles Well- foundedness: IdenOfiers, associaoons match user s intent Fault isolaoon: Good design reduces dependencies, insulates correct poroons of network operaoon from incorrect/malicious Fine- grain control: Allow users to specify their intent Explicit chain of trust: Allow users to understand the basis for trust, underlying assumpoons 15 7
8 Check us out at: hqp:// SCION: Scalability, Control and IsolaOon On Next- GeneraOon Networks Xin Zhang, Hsu- Chun Hsiao, Geoff Hasker, Haowen Chan, Adrian Perrig, David Andersen
9 Auer years of patching, the Internet is soll neither Reliable nor Secure! Reliable Network Layer Wishlist" Imagine if we had:" Feb 2008: Pakistani ISP hijacks YouTube prefix Apr 2010: A Chinese ISP inserts fake routes affecong thousands of US networks. Nov 2010: 10% of Internet traffic 'hijacked' to Chinese servers due to DNS Tampering. Fixes to date ad hoc, patches Inconvenient truths S- BGP: delayed convergence Global PKI: single root of trust ApplicaOon S- BGP route aqestaoon DNSSec Physical Transport Data link Network S- BGP origin aqestaoon MulO- path rouong Explicit understanding whom you must trust for network operations" Application All relevant parties have balanced control over path selection" Transport The architecture isolates attacks to domains with common laws and economic incentives" No single global root of trust" High efficiency, scalability, flexibility" Physical Data link Network
10 LimitaOons of the Current Internet DesOnaOon or ISP have no control over inbound paths Route inconsistencies B C D s prefix here! Forwarding state may be different from announced state A D Prefer the red path M 20 LimitaOons of the Current Internet (cont d) Lack of rouong isolaoon A failure/aqack can have global effects Global visibility of paths is not scalable Slow convergence / route oscillaoon Large rouong tables MulO- homing / flat namespaces prevent aggregaoon Lack of route freshness Current (S- )BGP cannot prevent replay of old paths Note that these issues are fundamental to (S)- BGP! 21 10
11 IsolaOon of aqacks Wish List (1): IsolaOon Scalable and reliable rouong updates Operate with mutually distrusong enooes without a global single root of trust: enforceable accountability Wish List (2): Balanced Control Transit ISPs, source and desonaoon all need path control A B D C Aqacks (e.g., bad routes) M L3 PSC CMU I2 A B D C Hide the peering link from CMU L3 PSC I2 CMU
12 Wish List (3): Explicit Trust SCION Architectural Goals Know who needs to be trusted Absence of consistency in BGP prevents knowing exactly who needs to be trusted Level 3 Who will forward packets on my path? X Y Z Internet PSC CMU I2 24 High availability, even for networks with malicious paroes Explicit trust for network operaoons Minimal TCB: limit number of enooes that need to be trusted for any operaoon Strong isolaoon from untrusted paroes Operate with mutually distrusong enooes No single root of trust Enable route control for ISPs, receivers, senders Simplicity, efficiency, flexibility, and scalability 25 12
13 SCION Architecture Overview Hierarchical DecomposiOon Trust domain (TD)s IsolaOon and scalability Path construcoon Path construcoon beacons (PCBs) Path resoluoon Control Explicit trust Route joining (shortcuts) Efficiency, flexibility PCB PCB PCB Source TD TD Core path srv S: blue paths D: red paths DesOnaOon Global set of TD (Trust Domains) Map to geographic, poliocal, legal boundaries TD Core: set of top- Oer ISPs that manage TD Route to other TDs IniOate path construcoon beacons Manage Address and Path TranslaOon Servers Handle TD membership Root of trust for TD: manage root key and ceroficates AD is atomic failure unit, conoguous/autonomous domain Transit AD or endpoint AD
14 Hierarchical DecomposiOon Split the network into a set of trust domains (TD) TD: isolaoon of route computaoon AD: atomic failure unit Down- paths DesOnaOon core TD cores: interconnected large ISPs core Up- paths Source Path Construction" Goal: each endpoint learns multiple verifiable paths to its core" Discovering paths via Path Construction Beacons (PCBs)" TD Core periodically initiates PCBs" Providers advertise upstream topology to peering and customer ADs" ADs perform the following operations " Collect PCBs" For each neighbor AD, select which k PCBs to forward" Update cryptographic information in PCBs" Endpoint AD will receive up to k PCBs from each upstream AD, and select k down-paths and up-paths"
15 Path ConstrucOon : interface : Opaque field : expiraoon Ome : signature Path ConstrucOon Interfaces: I(i) = previous-hop interfaces local interfaces Opaque field: O(i) = local interfaces MAC over local interfaces and O(i-1) = MAC( ) = SIG( ) = MAC( ) = SIG( ) = MAC( ) = SIG( ) Embed into pkts TD Core PCB PCB PCB A B PCB C 30 Signature: Σ(i) = sign over I(i), T(i), O(i), and Σ(i-1), with cert of pub key TC A: I(TC): ϕ {ϕ, TC1} O(TC) : {ϕ, TC1} MAC Ktc ( {ϕ, TC1} ϕ) Σ(TC): Sign( I(TC) T(TC) O(TC) ϕ) A C: I(A): I(TC) {A1, A2} O(A) : {A1, A2} MAC Ka ( {A1, A2} O(TC) ) Σ(A): Sign( I(A) T(A) O(A) Σ(TC) ) E TD Core (TC) A 2 1 B C D F G 31 15
16 C? One PCB per neighbor C E: I(C): I(A) {C1, C4} Path ConstrucOon Interfaces: I(i) = previous-hop interfaces local interfaces Opaque field: O(i) = local interfaces MAC over local interfaces and O(i-1) Signature: Σ(i) = sign over I(i), T(i), O(i), and Σ(i-1), with cert of pub key O(C) : {C1, C4} MAC Ka ( {C1, C4} O(A) ) Σ(C): Sign( I(C) T(C) O(C) Σ(A) ) Also include peering link! I C,D (C): {C4, C2} TD AID D O C,D (C): {C4, C2} MAC Kc ( {C4, C2} ) Σ C,D (C): Sign( I C,D (C) T C,D (C) O C,D (C) O(C) ) E TD Core (TC) A 2 1 B C D F G 32 Address/Path ResoluOon TD core provides address/path resoluoon servers Each endpoint is idenofied as an AID:EID pair. AID is signed by the containing TD, and EID is signed by the containing AD (with AID). Address is a public key [AIP 2008] Each AD registers name / address at address resoluoon server, uses an up- path to reach TD core Private key used to sign name address mapping ADs select which down- paths to announce ADs sign down- paths with private key and register down- paths with path resoluoon servers 33 16
17 Route Joining Local traffic should not need to traverse TD core Sender obtains receiver s k down- paths Sender intersects its up- paths with receiver s down- paths Sender selects preferred routes based on k 2 opoons Forwarding Down- path contains all forwarding decisions (AD traversed) from endpoint AD to TD core Ingress/egress points for each AD, authenocated in opaque fields ADs use internal rouong to send traffic from ingress to egress point Joined end- to- end route contains full forwarding informaoon from source to desonaoon No rouong / forwarding tables needed!
18 Discussion SCION Security Benefits Incremental Deployment Current ISP topologies are consistent with the TDs in SCION ISPs use MPLS to forward traffic within their networks Only edge routers need to deploy SCION Can use IP tunnels to connect SCION edge routers in different ADs LimitaOons ADs need to keep updaong down- paths on path server Increased packet size StaOc path binding, which may hamper dynamic re- rouong IsolaIon S- BGP + DNSSec No collusion/wormhole aqacks poor path freshness path replay aqacks single root of trust SCION Yes no cross- TD aqacks path freshness scalability no single root of trust TCB The whole Internet TD Core and on- path ADs Path Control Too lille (dst) or too much (src), empowering DDoS aqacks Balanced control enabling DDoS defenses
19 Performance Benefits EvaluaOon Scalability RouOng updates are scoped within the local TD Flexibility Transit ISPs can embed local rouong policies in opaque fields Simplicity and efficiency No interdomain forwarding table Current network layer: rouong table explosion Symmetric verificaoon during forwarding Simple routers, energy efficient, and cost efficient Methodology Use of CAIDA topology informaoon Assume 5 TDs (AfriNIC, ARIN, APNIC, LACNIC, RIPE) We compare to S- BGP/BGP Metric 1: addioonal path length (AD hops) compared to BGP Without shortcuts: 21% longer With shortcuts: o 1 down/up- path: 6.7% longer o 2 down/up- path: 3.5% longer o 5 down/up- path: 2.5% longer
20 EvaluaOon (cont d) Metric 2: Expressiveness FracOon of BGP paths available under SCION Related Work RouOng security S- BGP, sobgp, psbgp, SPV, PGBGP Only topological correctness; addressed a subset of aqacks addressed in SCION RouOng control MulOpath (MIRO, DeflecOon, Path splicing, Pathlet), NIRA Only given control to the source, and/or liqle security assurance Next- generaoon architectures HLP, HAIR, RBF, AIP, ICING/IGLOO, LISP, OpenFlow, NDN Focusing on other aspects (reducing rouong churns and rouong table sizes, enforcing rouong policies, and providing source accountability, content- centric networking)
21 Conclusions " Basic architecture design for a next- generaoon network that emphasizes isolaoon, control and explicit trust " Highly efficient, scalable, available architecture " Enables numerous addioonal security mechanisms, e.g., network capabilioes ApplicaOon Physical Transport Data link Network 42 21
SCION: Scalability, Control and Isola2on On Next- Genera2on Networks
SCION: Scalability, Control and Isola2on On Next- Genera2on Networks Xin Zhang, Hsu- Chun Hsiao, Geoff Hasker, Haowen Chan, Adrian Perrig, David Andersen 1 Reasons for Clean-Slate Design Someone may just
More informationSCION: Scalability, Control and Isolation On Next-Generation Networks
SCION: Scalability, Control and Isolation On Next-Generation Networks Xin Zhang, Hsu-Chun Hsiao, Geoff Hasker, Haowen Chan, Adrian Perrig, David Andersen 1 After years of patching, the Internet is Reliable
More informationA Routing Infrastructure for XIA
A Routing Infrastructure for XIA Aditya Akella and Peter Steenkiste Dave Andersen, John Byers, David Eckhardt, Sara Kiesler, Jon Peha, Adrian Perrig, Srini Seshan, Marvin Sirbu, Hui Zhang FIA PI Meeting,
More informationNSF Future Internet Architecture. Outline. Predicting the Future is Hard! The expressive Internet Architecture: from Architecture to Network
The expressive Internet Architecture: from Architecture to Network Peter Steenkiste Dave Andersen, David Eckhardt, Sara Kiesler, Jon Peha, Adrian Perrig, Srini Seshan, Marvin Sirbu, Hui Zhang Carnegie
More informationOutline. Predicting the Future is Hard! The expressive Internet Architecture: From Architecture to Network. We love all of them!
The expressive Internet Architecture: From Architecture to Network Peter Steenkiste Dave Andersen, David Eckhardt, Sara Kiesler, Jon Peha, Adrian Perrig, Srini Seshan, Marvin Sirbu, Hui Zhang Carnegie
More informationXIA: An Architecture for a Trustworthy and Evolvable Internet
XIA: An Architecture for a Trustworthy and Evolvable Internet Peter Steenkiste Dave Andersen, David Eckhardt, Sara Kiesler, Jon Peha, Adrian Perrig, Srini Seshan, Marvin Sirbu, Hui Zhang Carnegie Mellon
More informationOutline. Narrow Waist of the Internet Key to its Success. expressive Internet Architecture: Overview and Next Phase. Three Simple Ideas 9/13/2014
expressive Internet Architecture: Overview and Next Phase Peter Steenkiste Dave Andersen, David Eckhardt, Sara Kiesler, Jon Peha, Adrian Perrig, Srini Seshan, Marvin Sirbu, Hui Zhang Carnegie Mellon University
More informationexpressive Internet Architecture:
expressive Internet Architecture: GEC 15 Demo Matt Mukerjee and David Naylor! Peter Steenkiste! Dave Andersen, David Eckhardt, Sara Kiesler, Jon Peha, Adrian Perrig, Srini Seshan, Marvin Sirbu, Hui Zhang
More informationXIA: An Architecture for a Trustworthy and Evolvable Internet
XIA: An Architecture for a Trustworthy and Evolvable Internet Peter Steenkiste Dave Andersen, David Eckhardt, Sara Kiesler, Jon Peha, Adrian Perrig, Srini Seshan, Marvin Sirbu, Hui Zhang Carnegie Mellon
More informationXIA: Lessons Learned and Open Issues
XIA: Lessons Learned and Open Issues Peter Steenkiste Dave Andersen, David Eckhardt, Sara Kiesler, Jon Peha, Adrian Perrig, Vyas Sekar, Srini Seshan, Marvin Sirbu, Hui Zhang Carnegie Mellon University
More informationNarrow Waist of the Internet Key to its Success. NSF Future Internet Architecture. The expressive Internet Architecture: From Architecture to Network
The expressive Internet Architecture: From Architecture to Network Peter Steenkiste Dave Andersen, David Eckhardt, Sara Kiesler, Jon Peha, Adrian Perrig, Srini Seshan, Marvin Sirbu, Hui Zhang Carnegie
More informationSharkFest'17 US. Experience with the expressive Internet Architecture. Peter Steenkiste Carnegie Mellon University
SharkFest'17 US Experience with the expressive Internet Architecture Peter Steenkiste Carnegie Mellon University Dave Andersen, David Eckhardt, Sara Kiesler, Jon Peha, Adrian Perrig, Srini Seshan, Marvin
More informationOutline. XIA!Vision. P1:!Evolvable!Set!of!Principals. expressive Internet!Architecture Security!Architecture 5/26/2011. Security!
expressive Internet!Architecture Security!Architecture Dave!Andersen,!Adrian!Perrig,!Peter!Steenkiste David!Eckhardt,!Sara!Kiesler,!Jon!Peha,!Srini Seshan,! Marvin!Sirbu,!Hui Zhang Carnegie!Mellon!University
More informationSCION: A Secure Multipath Interdomain Routing Architecture. Adrian Perrig Network Security Group, ETH Zürich
SCION: A Secure Multipath Interdomain Routing Architecture Adrian Perrig Network Security Group, ETH Zürich SCION: Next-generation Internet Architecture Path-aware networking: sender knows packet s path
More informationInterdomain Routing Design for MobilityFirst
Interdomain Routing Design for MobilityFirst October 6, 2011 Z. Morley Mao, University of Michigan In collaboration with Mike Reiter s group 1 Interdomain routing design requirements Mobility support Network
More informationAbstractions for Routing. Abstractions for Network Routing
Abstractions for Routing Abstractions for Network Routing Brighten Godfrey DIMACS 23 May 2012 Abstractions for Network Routing Impressions of Network Routing Neo-Dadaisms for Network Routing Absurdisms
More informationNext Generation Network Architectures. Srinivasan Seshan!
Next Generation Network Architectures Srinivasan Seshan! Living Analy+cs Rich data collec,on à real-,me data analy,cs à automated applica,on feedback à rich data collec,on Key networking/distributed systems
More informationRouting Security Security Solutions
Routing Security Security Solutions CSE598K/CSE545 - Advanced Network Security Prof. McDaniel - Spring 2008 Page 1 Solving BGP Security Reality: most attempts at securing BGP have been at the local level
More informationUpdate on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008
Update on Resource Certification Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008 Address and Routing Security What we have had for many years is a relatively insecure interdomain routing system
More informationCisco Intelligent WAN
Cisco Intelligent WAN Ľuboš Lontoš Systems Engineer SP/R&S ALEF NULA a.s. Agenda Cisco iwan Architecture Overview Tranport Independent Design Intelligent Path Control- PfRv3 Product PorMolio Tradi4onal
More informationTowards Deployment of a Next- Generation Secure Internet Architecture
Towards Deployment of a Next- Generation Secure Internet Architecture Adrian Perrig Network Security Group, ETH Zürich http://www.scion-architecture.net 1 monumental structure stood the test of time &
More informationBootstrapping evolvability for inter-domain routing with D-BGP. Raja Sambasivan David Tran-Lam, Aditya Akella, Peter Steenkiste
Bootstrapping evolvability for inter-domain routing with D-BGP Raja Sambasivan David Tran-Lam, Aditya Akella, Peter Steenkiste This talk in one slide Q What evolvability features needed in any inter-domain
More informationImportant Lessons From Last Lecture Computer Networking. Outline. Routing Review. Routing hierarchy. Internet structure. External BGP (E-BGP)
Important Lessons From Last Lecture 15-441 Computer Networking Inter-Domain outing BGP (Border Gateway Protocol) Every router needs to be able to forward towards any destination Forwarding table must be
More informationCS 640: Introduction to Computer Networks. Intra-domain routing. Inter-domain Routing: Hierarchy. Aditya Akella
CS 640: Introduction to Computer Networks Aditya Akella Lecture 11 - Inter-Domain Routing - BGP (Border Gateway Protocol) Intra-domain routing The Story So Far Routing protocols generate the forwarding
More informationSCION: PKI Overview. Adrian Perrig Network Security Group, ETH Zürich
SCION: PKI Overview Adrian Perrig Network Security Group, ETH Zürich PKI Concepts: Brief Introduction PKI: Public-Key Infrastructure Purpose of PKI: enable authentication of an entity Various types of
More informationProblem. BGP is a rumour mill.
Problem BGP is a rumour mill. We want to give it a bit more authorita We think we have a model AusNOG-03 2009 IP ADDRESS AND ASN CERTIFICATION TO IMPROVE ROUTING SECURITY George Michaelson APNIC R&D ggm@apnic.net
More informationAPT: A Practical Transit-Mapping Service Overview and Comparisons
APT: A Practical Transit-Mapping Service Overview and Comparisons draft-jen-apt Dan Jen, Michael Meisel, Dan Massey, Lan Wang, Beichuan Zhang, and Lixia Zhang The Big Picture APT is similar to LISP at
More informationAttacks on routing: IP hijacks
Attacks on routing: IP hijacks How Internet number resources are managed IANA ARIN LACNIC APNIC RIPE NCC AfriNIC ISP NIC.br NIC.MX ISP #1 LIRs/ISPs LIRs/ISPs End users ISP mx How Internet number resources
More informationSecurity in inter-domain routing
DD2491 p2 2011 Security in inter-domain routing Olof Hagsand KTH CSC 1 Literature Practical BGP pages Chapter 9 See reading instructions Beware of BGP Attacks (Nordström, Dovrolis) Examples of attacks
More informationOutline Computer Networking. Inter and Intra-Domain Routing. Internet s Area Hierarchy Routing hierarchy. Internet structure
Outline 15-441 15-441 Computer Networking 15-641 Lecture 10: Inter-Domain outing Border Gateway Protocol -BGP Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 outing hierarchy Internet structure
More informationDissemination of Paths in Path-Aware Networks
Dissemination of Paths in Path-Aware Networks Christos Pappas Network Security Group, ETH Zurich IETF, November 16, 2017 PANRG Motivation How does path-awareness extend to the edge? 2 PANRG Motivation
More informationXIA: An Architecture for an Evolvable and Trustworthy Internet
XIA: An Architecture for an Evolvable and Trustworthy Internet Ashok Anand, Fahad Dogar, Dongsu Han, Boyan Li, Hyeontaek Lim, Michel Machado, Wenfei Wu, Aditya Akella, David Andersen, John Byers, Srinivasan
More informationA PKI For IDR Public Key Infrastructure and Number Resource Certification
A PKI For IDR Public Key Infrastructure and Number Resource Certification AUSCERT 2006 Geoff Huston Research Scientist APNIC If You wanted to be Bad on the Internet And you wanted to: Hijack a site Inspect
More informationTag Switching. Background. Tag-Switching Architecture. Forwarding Component CHAPTER
CHAPTER 23 Tag Switching Background Rapid changes in the type (and quantity) of traffic handled by the Internet and the explosion in the number of Internet users is putting an unprecedented strain on the
More informationHIP Host Identity Protocol. October 2007 Patrik Salmela Ericsson
HIP Host Identity Protocol October 2007 Patrik Salmela Ericsson Agenda What is the Host Identity Protocol (HIP) What does HIP try to solve HIP basics Architecture The HIP base exchange HIP basic features
More informationPathlet Routing. P. Brighten Godfrey, Igor Ganichev, Scott Shenker, and Ion Stoica SIGCOMM (maurizio patrignani)
Pathlet Routing P. Brighten Godfrey, Igor Ganichev, Scott Shenker, and Ion Stoica SIGCOMM 2009 (maurizio patrignani) Reti di Calcolatori di Nuova Generazione http://www.dia.uniroma3.it/~rimondin/courses/rcng1011/
More informationSecuring BGP. Geoff Huston November 2007
Securing BGP Geoff Huston November 2007 Agenda An Introduction to BGP BGP Security Questions Current Work Research Questions An Introduction to BGP Background to Internet Routing The routing architecture
More informationInterdomain routing CSCI 466: Networks Keith Vertanen Fall 2011
Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011 Overview Business relationships between ASes Interdomain routing using BGP Advertisements Routing policy Integration with intradomain routing
More informationComputer Science 461 Final Exam May 22, :30-3:30pm
NAME: Login name: Computer Science 461 Final Exam May 22, 2012 1:30-3:30pm This test has seven (7) questions, each worth ten points. Put your name on every page, and write out and sign the Honor Code pledge
More informationInter-Domain Routing: BGP
Inter-Domain Routing: BGP Stefano Vissicchio UCL Computer Science CS 3035/GZ01 Agenda We study how to route over the Internet 1. Context The Internet, a network of networks Relationships between ASes 2.
More informationFacilitating Secure Internet Infrastructure
Facilitating Secure Internet Infrastructure RIPE NCC http://www.ripe.net About the RIPE NCC RIPE Network Coordination Centre Bottom-up, self-regulated, membership association, notfor-profit Regional Internet
More informationRPKI Trust Anchor. Geoff Huston APNIC
RPKI Trust Anchor Geoff Huston APNIC Public Keys How can you trust a digital signature?? What if you have never met the signer and have no knowledge of them or their keys? One approach is transitive trust
More informationInter-Domain Routing: BGP
Inter-Domain Routing: BGP Brad Karp UCL Computer Science (drawn mostly from lecture notes by Hari Balakrishnan and Nick Feamster, MIT) CS 3035/GZ01 4 th December 2014 Outline Context: Inter-Domain Routing
More informationRouting Basics ISP/IXP Workshops
Routing Basics ISP/IXP Workshops 1 Routing Concepts IPv4 Routing Forwarding Some definitions Policy options Routing Protocols 2 IPv4 Internet uses IPv4 addresses are 32 bits long range from 1.0.0.0 to
More informationSecuring BGP Networks using Consistent Check Algorithm
Securing BGP Networks using Consistent Check Algorithm C. K. Man, K.Y. Wong, and K. H. Yeung Abstract The Border Gateway Protocol (BGP) is the critical routing protocol in the Internet infrastructure.
More informationRouting Basics ISP/IXP Workshops
Routing Basics ISP/IXP Workshops 1 Routing Concepts IPv4 Routing Forwarding Some definitions Policy options Routing Protocols 2 IPv4 Internet uses IPv4 addresses are 32 bits long range from 1.0.0.0 to
More informationLecture 16: Interdomain Routing. CSE 123: Computer Networks Stefan Savage
Lecture 16: Interdomain Routing CSE 123: Computer Networks Stefan Savage Overview Autonomous Systems Each network on the Internet has its own goals Path-vector Routing Allows scalable, informed route selection
More informationRouting Concepts. IPv4 Routing Forwarding Some definitions Policy options Routing Protocols
Routing Basics 1 Routing Concepts IPv4 Routing Forwarding Some definitions Policy options Routing Protocols 2 IPv4 Internet uses IPv4 Addresses are 32 bits long Range from 1.0.0.0 to 223.255.255.255 0.0.0.0
More informationVerified Secure Routing
Verified Secure Routing David Basin ETH Zurich EPFL, Summer Research Institute June 2017 Team Members Verification Team Information Security David Basin Tobias Klenze Ralf Sasse Christoph Sprenger Thilo
More informationRouting on the Internet. Routing on the Internet. Hierarchical Routing. Computer Networks. Lecture 17: Inter-domain Routing and BGP
Routing on the Internet Computer Networks Lecture 17: Inter-domain Routing and BGP In the beginning there was the ARPANET: route using GGP (Gateway-to-Gateway Protocol), a distance vector routing protocol
More informationSCION Secure Next-generation Internet Architecture
SCION Secure Next-generation Internet Architecture Adrian Perrig Network Security Group, ETH Zürich scion- architecture.net 1 The Internet is perceived to be like the pyramids: monumental structure that
More informationThe Role of Trustworthy Computing to Build Future Secure Internet Architectures
The Role of Trustworthy Computing to Build Future Secure Internet Architectures Adrian Perrig Network Security Group ETH Zürich Overview Trusted Compu-ng Overview Cuckoo a7ack Secure rou-ng and BGP with
More informationEnhancing the Trust of Internet Routing with Lightweight Route Attestation
1 Enhancing the Trust of Internet Routing with Lightweight Route Attestation Qi Li, Student Member, IEEE, Mingwei Xu, Member, IEEE, Jianping Wu, Fellow, IEEE, Xinwen Zhang, Member, IEEE, Patrick P. C.
More informationRouting Basics. Routing Concepts. IPv4. IPv4 address format. A day in a life of a router. What does a router do? IPv4 Routing
Routing Concepts IPv4 Routing Routing Basics ISP/IXP Workshops Forwarding Some definitions Policy options Routing Protocols 1 2 IPv4 IPv4 address format Internet uses IPv4 addresses are 32 bits long range
More informationLecture 18: Border Gateway Protocol
Lecture 18: Border Gateway Protocol CSE 123: Computer Networks Alex C. Snoeren HW 3 due Wednesday Some figures courtesy Mike Freedman & Craig Labovitz Lecture 18 Overview Path-vector Routing Allows scalable,
More informationLecture 17: Border Gateway Protocol
Lecture 17: Border Gateway Protocol CSE 123: Computer Networks Alex C. Snoeren Some figures courtesy Mike Freedman Lecture 18 Overview Border Gateway Protocol (BGP) The canonical path vector protocol How
More informationOpenADN: A Case for Open Application Delivery Networking
OpenADN: A Case for Open Application Delivery Networking Subharthi Paul, Raj Jain, Jianli Pan Washington University in Saint Louis {Pauls, jain, jp10}@cse.wustl.edu International Conference on Computer
More information2 The SCION Architecture
2 The SCION Architecture DAVID BARRERA, LAURENT CHUAT, ADRIAN PERRIG, RAPHAEL M. REISCHUK, PAWEL SZALACHOWSKI This chapter provides an overview of SCION. The goals to be met by a secure Internet architecture
More informationCNT Computer and Network Security: BGP Security
CNT 5410 - Computer and Network Security: BGP Security Professor Kevin Butler Fall 2015 Internet inter-as routing: BGP BGP (Border Gateway Protocol): the de facto standard BGP provides each AS a means
More informationVirtual Multi-homing: On the Feasibility of Combining Overlay Routing with BGP Routing
Virtual Multi-homing: On the Feasibility of Combining Overlay Routing with BGP Routing Zhi Li, Prasant Mohapatra, and Chen-Nee Chuah University of California, Davis, CA 95616, USA {lizhi, prasant}@cs.ucdavis.edu,
More informationCS4450. Computer Networks: Architecture and Protocols. Lecture 15 BGP. Spring 2018 Rachit Agarwal
CS4450 Computer Networks: Architecture and Protocols Lecture 15 BGP Spring 2018 Rachit Agarwal Autonomous System (AS) or Domain Region of a network under a single administrative entity Border Routers Interior
More informationSCION: A Secure Internet Architecture Samuel Hitz CTO Anapaya Systems ETH Zurich
SCION: A Secure Internet Architecture Samuel Hitz CTO Anapaya Systems ETH Zurich March 2019 Internet: The network of networks The Internet is a network of Autonomous Systems (ASes). Each AS is itself a
More informationSmall additions by Dr. Enis Karaarslan, Purdue - Aaron Jarvis (Network Engineer)
Routing Basics 1 Small additions by Dr. Enis Karaarslan, 2014 Purdue - Aaron Jarvis (Network Engineer) Routing Concepts IPv4 Routing Forwarding Some definitions Policy options Routing Protocols 3 IPv4
More informationRegion-based BGP Announcement Filtering for Improved BGP Security
Region-based BGP Announcement Filtering for Improved BGP Security Fernando Sanchez Florida State University sanchez@cs.fsu.edu Zhenhai Duan Florida State University duan@cs.fsu.edu ABSTRACT BGP prefix
More informationBGP Multihoming ISP/IXP Workshops
BGP Multihoming ISP/IXP 1 Why Multihome? Redundancy One connection to internet means the network is dependent on: Local router (configuration, software, hardware) WAN media (physical failure, carrier failure)
More informationUnderstanding Tradeoffs in Incremental Deployment of New Network Architectures
Understanding Tradeoffs in Incremental Deployment of New Network Architectures ABSTRACT Matthew K. Mukerjee Carnegie Mellon University mukerjee@cs.cmu.edu Srinivasan Seshan Carnegie Mellon University srini@cs.cmu.edu
More informationSDN Use-Cases. internet exchange, home networks. TELE4642: Week8. Materials from Prof. Nick Feamster is gratefully acknowledged
SDN Use-Cases internet exchange, home networks TELE4642: Week8 Materials from Prof. Nick Feamster is gratefully acknowledged Overview n SDX: A Software-Defined Internet Exchange n SDN-enabled Home Networks
More informationSome Lessons Learned from Designing the Resource PKI
Some Lessons Learned from Designing the Resource PKI Geoff Huston Chief Scientist, APNIC May 2007 Address and Routing Security The basic security questions that need to be answered are: Is this a valid
More informationSanctuary Trail: Refuge from Internet DDoS Entrapment
Sanctuary Trail: Refuge from Internet DDoS Entrapment Hsu-Chun Hsiao, Tiffany Hyun-Jin Kim, Sangjae Yoo, Xin Zhang, Soo Bum Lee, Virgil Gligor, and Adrian Perrig June 7, 2012 CMU-CyLab-12-013 CyLab Carnegie
More informationIntroduction to IP Routing. Geoff Huston
Introduction to IP Routing Geoff Huston Routing How do packets get from A to B in the Internet? A Internet B Connectionless Forwarding Each router (switch) makes a LOCAL decision to forward the packet
More informationECE 428 Internet Protocols (Network Layer: Layer 3)
ECE 428 Internet Protocols (Network Layer: Layer 3) 1 Done so far MAC protocols (with PHYsical layer) Transport bits from one node to another. Key element: Determine WHEN to transmit DLC protocol (running
More informationSome Foundational Problems in Interdomain Routing
Some Foundational Problems in Interdomain Routing Nick Feamster, Hari Balakrishnan M.I.T. Computer Science and Artificial Intelligence Laboratory Jennifer Rexford AT&T Labs -- Research The state of interdomain
More informationRouting Basics. ISP Workshops
Routing Basics ISP Workshops These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/) Last updated 26
More informationMPLS L3VPN. The MPLS L3VPN model consists of three kinds of devices: PE CE Site 2. Figure 1 Network diagram for MPLS L3VPN model
is a kind of PE-based L3VPN technology for service provider VPN solutions. It uses BGP to advertise VPN routes and uses to forward VPN packets on service provider backbones. provides flexible networking
More informationResource Public Key Infrastructure
Resource Public Key Infrastructure A pilot for the Internet2 Community to secure the global route table Andrew Gallo The Basics The Internet is a self organizing network of networks. How do you find your
More informationOn the State of the Inter-domain and Intra-domain Routing Security
On the State of the Inter-domain and Intra-domain Routing Security Mingwei Zhang April 19, 2016 Mingwei Zhang Internet Routing Security 1 / 54 Section Internet Routing Security Background Internet Routing
More informationRouting Basics. ISP Workshops. Last updated 10 th December 2015
Routing Basics ISP Workshops Last updated 10 th December 2015 1 Routing Concepts p IPv4 & IPv6 p Routing p Forwarding p Some definitions p Policy options p Routing Protocols 2 IPv4 p Internet still uses
More informationA Measurement Study of BGP Misconfiguration
A Measurement Study of BGP Misconfiguration Ratul Mahajan, David Wetherall, and Tom Anderson University of Washington Motivation Routing protocols are robust against failures Meaning fail-stop link and
More informationInternet Research Task Force (IRTF) Category: Informational May 2011 ISSN:
Internet Research Task Force (IRTF) T. Li, Ed. Request for Comments: 6227 Cisco Systems, Inc. Category: Informational May 2011 ISSN: 2070-1721 Abstract Design Goals for Scalable Internet Routing It is
More informationShare Count Analysis HEADERS
Measuring Network Privacy with It s 11PM. DO YOU KNOW WHERE YOUR Share Count Analysis HEADERS ARE? David Naylor Peter Steenkiste GOAL measure how private a network architecture or protocol is GOAL measure
More informationA Survey of BGP Security: Issues and Solutions
A Survey of BGP Security: Issues and Solutions Butler, Farley, McDaniel, Rexford Kyle Super CIS 800/003 October 3, 2011 Outline Introduction/Motivation Sources of BGP Insecurity BGP Security Today BGP
More informationNetwork Policy Enforcement
CHAPTER 6 Baseline network policy enforcement is primarily concerned with ensuring that traffic entering a network conforms to the network policy, including the IP address range and traffic types. Anomalous
More informationPassTorrent. Pass your actual test with our latest and valid practice torrent at once
PassTorrent http://www.passtorrent.com Pass your actual test with our latest and valid practice torrent at once Exam : 352-011 Title : Cisco Certified Design Expert Practical Exam Vendor : Cisco Version
More informationLecture 13: Traffic Engineering
Lecture 13: Traffic Engineering CSE 222A: Computer Communication Networks Alex C. Snoeren Thanks: Mike Freedman, Nick Feamster Lecture 13 Overview Evolution of routing in the ARPAnet Today s TE: Adjusting
More information3/10/2011. Copyright Link Technologies, Inc.
Mikrotik Certified Trainer / Engineer MikroTik Certified Dude Consultant Consulting Since 1997 Enterprise Class Networks WAN Connectivity Certifications Cisco, Microsoft, MikroTik BGP/OSPF Experience Deployed
More informationBGP Issues. Geoff Huston
BGP Issues Geoff Huston Why measure BGP?! BGP describes the structure of the Internet, and an analysis of the BGP routing table can provide information to help answer the following questions:! What is
More informationInterdomain Routing Reading: Sections P&D 4.3.{3,4}
Interdomain Routing Reading: Sections P&D 4.3.{3,4} EE122: Intro to Communication Networks Fall 2006 (MW 4:00-5:30 in Donner 155) Vern Paxson TAs: Dilip Antony Joseph and Sukun Kim http://inst.eecs.berkeley.edu/~ee122/
More informationCSE 123b Communications Software
CSE 123b Communications Software Spring 2004 Lecture 9: Mobile Networking Stefan Savage Quick announcements Typo in problem #1 of HW #2 (fixed as of 1pm yesterday) Please consider chapter 4.3-4.3.3 to
More informationQuick announcements. CSE 123b Communications Software. Today s issues. Last class. The Mobility Problem. Problems. Spring 2004
CSE 123b Communications Software Spring 2004 Lecture 9: Mobile Networking Quick announcements Typo in problem #1 of HW #2 (fixed as of 1pm yesterday) Please consider chapter 4.3-4.3.3 to be part of the
More informationLecture 6: Overlay Networks. CS 598: Advanced Internetworking Matthew Caesar February 15, 2011
Lecture 6: Overlay Networks CS 598: Advanced Internetworking Matthew Caesar February 15, 2011 1 Overlay networks: Motivations Protocol changes in the network happen very slowly Why? Internet is shared
More informationLife After IPv4 Depletion
1 Life After IPv4 Depletion Jon Worley Analyst Securing Core Internet Functions Resource Certification, RPKI Mark Kosters Chief Technology Officer 2 Core Internet Functions: Routing & DNS The Internet
More informationRouting the Internet in Geoff Huston APNIC March 2007
Routing the Internet in 2006 Geoff Huston APNIC March 2007 IPv4 in 2006 Total Advertised BGP Prefixes BGP Table Growth 210000 200000 190000 BGP FIB Entries 180000 2006 170000 2005 160000 150000 Jan Feb
More informationCisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003
Cisco ACI Multi-Pod/Multi-Site Deployment Options Max Ardica Principal Engineer BRKACI-2003 Agenda ACI Introduction and Multi-Fabric Use Cases ACI Multi-Fabric Design Options ACI Stretched Fabric Overview
More informationTo Filter or to Authorize: Network-Layer DoS Defense against Multimillion-node Botnets. Xiaowei Yang Duke Unversity
To Filter or to Authorize: Network-Layer DoS Defense against Multimillion-node Botnets Xiaowei Yang Duke Unversity Denial of Service (DoS) flooding attacks Send packet floods to a targeted victim Exhaust
More informationImpactful Routing Research with the PEERING Testbed
1 Impactful Routing Research with the PEERING Testbed Combining intradomain emulation with real BGP connectivity Ethan Katz-Bassett (University of Southern California) with: Brandon Schlinker and Kyriakos
More informationOur Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II
Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 Yes: Creating a secure channel for communication (Part I) Protecting
More informationConfiguring MPLS L3VPN
Contents Configuring MPLS L3VPN 1 MPLS L3VPN overview 1 Introduction to MPLS L3VPN 1 MPLS L3VPN concepts 2 MPLS L3VPN packet forwarding 5 MPLS L3VPN networking schemes 5 MPLS L3VPN routing information
More informationRouting Basics. Campus Network Design & Operations Workshop
Routing Basics Campus Network Design & Operations Workshop These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/)
More informationNetwork Security. Thierry Sans
Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability
More informationCS 43: Computer Networks. 24: Internet Routing November 19, 2018
CS 43: Computer Networks 24: Internet Routing November 19, 2018 Last Class Link State + Fast convergence (reacts to events quickly) + Small window of inconsistency Distance Vector + + Distributed (small
More information