Jumpstarting BGP Security. Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira

Size: px

Start display at page:

Download "Jumpstarting BGP Security. Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira"

Alan Pitts
6 years ago
Views:

1 Jumpstarting BGP Security Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira

2 Prefix hijacking Victim Path: 111 AS X AS 111 Boston University BGP Ad. AS 666 Data flow 2

3 Prefix hijacking Path: X-111 AS X Victim Path: 666 AS 666 AS 111 Boston University BGP Ad. Data flow 3

4 Prefix hijacking Path: X-111 Victim prefers shorter route Path: 666 AS X AS 666 AS 111 Boston University BGP Ad. Data flow 4

5 Resource Public Key Infrastructure (RPKI) The Resource Public Key Infrastructure (RPKI) maps IP prefixes to organizations that own them [RFC 6480] Provides origin authentication to prevent hijacks Lays the foundation for protection against more sophisticated attacks on interdomain routing e.g., required for BGPsec

6 BGP Routers Resource Public Key Infrastructure (RPKI) Origin Authentication Protects against hijacks Slowly gaining traction (6% of prefixes covered) RPKI local cache ROA: AS 111 Autonomous System

7 BGP Routers Resource Public Key Infrastructure (RPKI) Origin Authentication Protects against hijacks Slowly gaining traction (6% of prefixes covered) RPKI local cache ROA: AS 111 Verify signature Autonomous System

8 BGP Routers Resource Public Key Infrastructure (RPKI) Origin Authentication Protects against hijacks Slowly gaining traction (6% of prefixes covered) RPKI local cache : AS 111 : AS 111 Autonomous System

9 RPKI prevents prefix hijacks Path: Y-X-111 Victim Path: 666 AS Y AS X AS 111 BGP Ad. AS 666 ROA: AS 111 Data flow RPKI

10 Forged origin circumvents RPKI Path: Y-X-111 AS Y Victim Path: AS 666 AS X AS 111 False link ROA: AS 111 BGP Ad. RPKI Data flow

``false links in the route Prefix: Secure-Path: X-111

11 Current paradigm: a two step solution First, RPKI against hijacking Then, add BGPsec Protects against ``false links in the route Prefix: Secure-Path: X-111 AS 111 AS X Matches RPKI policy? : AS AS Y 111 Path signature OK?

12 Current paradigm: a two step solution First, RPKI against hijacking Then, add BGPsec Protects against ``false links in the route Prefix: Secure-Path: Y-X-111 AS 111 AS X Add signature, AS then Y relay

13 Current paradigm: a two step solution First, RPKI against hijacking Then, add BGPsec Protects against ``false links in the route Deployment challenge: Real-time signature and validation Different message format Prefix: Secure-Path: Y-X-111 AS 111 AS X Add signature, AS then Y relay

14 BGPsec in partial adoption? Meager benefits [Lychev et al., SIGCOMM 13] Victim Sec Path: X-111 AS Y AS X AS 111 BGPsec AS 666 ROA: AS 111 BGP RPKI

15 BGPsec in partial adoption? Meager benefits [Lychev et al., SIGCOMM 13] Breaks BGPsec Sec Path: X-111 AS Y AS X AS 111 Victim BGPsec AS 666 ROA: AS 111 BGP RPKI

16 BGPsec in partial adoption? Meager benefits [Lychev et al., SIGCOMM 13] Path: Y-X-111 Victim Path: AS Y AS X AS 111 BGPsec AS 666 ROA: AS 111 BGP RPKI

17 Our Goals Security: Protect against forged origin in BGP advertisements Significant benefits in partial deployment In contrast to BGPsec Deployment: Minimal computation overhead Signatures and verifications: only offline, off-router No changes to BGP messages Similar to RPKI

18 Path-end validation Path: Y-X-111 AS Y Victim Path: AS 666 AS X AS 111 Edge auth: AS 111 AS X Covers all neighbors path end False link ROA: AS 111 BGP Ad. Data flow RPKI

19 Path-end validation Path: Y-X-111 AS Y Victim Path: AS 666 AS X AS 111 Edge auth: AS 111 AS X Covers all neighbors path end False link ROA: AS 111 BGP Ad. Data flow RPKI

20 Attacker success rate (%) Inter domain routing security: Mechanism comparison BGP (no auth.) RPKI (origin auth.) RPKI + Path-end validation RPKI + BGPsec, BGP still allowed 0 Protocol

21 Attacker success rate (%) Inter domain routing security: Mechanism comparison BGP (no auth.) This talk RPKI (origin auth.) RPKI + Path-end validation RPKI + BGPsec, BGP still allowed 0 Protocol

22 Path-end validation: Intuition

23 Deployment Similar to RPKI Verify signatures RPKI Path RPKI End Local cache ROA: AS 111 Edge auth: AS 111 -> AS X BGP Routers Autonomous System

24 Deployment Similar to RPKI RPKI Path RPKI End Local cache BGP Routers Verify signatures ROA: AS 111 : AS 111 AS 111 AS X Autonomous System Edge auth: AS 111 -> AS X

25 Deployment ip as-path access-list as1 deny _[^X]_111_ Use existing Access List interface Validated suffix extends automatically with adoption

26 Empirically-derived AS-level network from CAIDA Including inferred peering links [Giotsas et al., SIGCOMM 13] RPKI ROA: /16 AS A Path End Edge auth: AS A AS D Security in partial adoption: Simulation framework H K A D J B E C I F L Pick victim & attacker Victim s prefix has a ROA+EA G

27 Empirically-derived AS-level network from CAIDA Including inferred peering links [Giotsas et al., SIGCOMM 13] RPKI ROA: /16 AS A Path End Edge auth: AS A AS D Security in partial adoption: Simulation framework H K A D J B E C I F L Pick victim & attacker Victim s prefix has a ROA+EA Pick set of filtering ASes G

0/16 AS A Path End Edge auth: AS A AS D Security in partial adoption: Simulation framework

28 Empirically-derived AS-level network from CAIDA Including inferred peering links [Giotsas et al., SIGCOMM 13] RPKI ROA: /16 AS A Path End Edge auth: AS A AS D Security in partial adoption: Simulation framework H K A D J B E C I F L Pick victim & attacker Victim s prefix has a ROA+EA Pick set of filtering ASes Evaluate which ASes send traffic to the attacker G

29 Simulation results

30 Simulation results

31 Simulation results

32 Local deployment & local benefits

33 Impact of authenticating hops BGP (no authentication) Origin authentication (RPKI) Path-end validation 2-hop validation

34 More results Large content providers are better protected Path-end validation mitigates high profile incidents Security monotone BGPsec is not [Lychev et al., SIGCOMM 13]

35 Path-end validation Conclusion Can significantly improve inter-domain routing security while avoiding BGPsec s deployment hurdles We advocate Extending RPKI to support path-end validation Regulatory/financial efforts on gathering critical mass of adopters

36 Thank You

The Transition to BGP Security Is the Juice Worth the Squeeze?

The Transition to BGP Security Is the Juice Worth the Squeeze? RPKI Sharon Goldberg Boston University November 2013 Work with Kyle Brogle (Stanford), Danny Cooper (BU), Ethan Heilman (BU), Robert Lychev