SCION: A Secure Multipath Interdomain Routing Architecture. Adrian Perrig Network Security Group, ETH Zürich

Similar documents
Verified Secure Routing

SCION: A Secure Internet Architecture Samuel Hitz CTO Anapaya Systems ETH Zurich

Towards Deployment of a Next- Generation Secure Internet Architecture

SCION Project Testbed Trials. David Hausheer, Youssef El Biad, Kurt Baumann, Adrian Perrig

Dissemination of Paths in Path-Aware Networks

SCION: Scalability, Control and Isolation On Next-Generation Networks

SCION: PKI Overview. Adrian Perrig Network Security Group, ETH Zürich

2 The SCION Architecture

Adding Path Awareness to the Internet Architecture

A Routing Infrastructure for XIA

Interdomain Routing Design for MobilityFirst

Lecture 4: Intradomain Routing. CS 598: Advanced Internetworking Matthew Caesar February 1, 2011

SCION: Scalability, Control and Isola2on On Next- Genera2on Networks

Communication Networks

Tag Switching. Background. Tag-Switching Architecture. Forwarding Component CHAPTER

Dynamics of Hot-Potato Routing in IP Networks

Computer Science 461 Final Exam May 22, :30-3:30pm

Locator ID Separation Protocol (LISP) Overview

Inter-Autonomous-System Routing: Border Gateway Protocol

Introduction to Segment Routing

BGP. Daniel Zappala. CS 460 Computer Networking Brigham Young University

CSE 123: Computer Networks

CS 43: Computer Networks Internet Routing. Kevin Webb Swarthmore College November 16, 2017

SCION Secure Next-generation Internet Architecture

CS 43: Computer Networks. 24: Internet Routing November 19, 2018

Internet Infrastructure

CSE 1 23: Computer Networks

Outline. Narrow Waist of the Internet Key to its Success. expressive Internet Architecture: Overview and Next Phase. Three Simple Ideas 9/13/2014

CSCI Topics: Internet Programming Fall 2008

Multicast Technology White Paper

cs/ee 143 Communication Networks

Overview. Information About Layer 3 Unicast Routing. Send document comments to CHAPTER

Pathlet Routing. P. Brighten Godfrey, Igor Ganichev, Scott Shenker, and Ion Stoica SIGCOMM (maurizio patrignani)

Overview. Overview. OTV Fundamentals. OTV Terms. This chapter provides an overview for Overlay Transport Virtualization (OTV) on Cisco NX-OS devices.

Introduction to Computer Networks

Routing Basics ISP/IXP Workshops

Inter-Autonomous-System Routing: Border Gateway Protocol

Design and development of the reactive BGP peering in softwaredefined routing exchanges

To Filter or to Authorize: Network-Layer DoS Defense against Multimillion-node Botnets. Xiaowei Yang Duke Unversity

Internet Measurements. Motivation

Computer Network Architectures and Multimedia. Guy Leduc. Chapter 2 MPLS networks. Chapter 2: MPLS

CS 640: Introduction to Computer Networks. Intra-domain routing. Inter-domain Routing: Hierarchy. Aditya Akella

CSC 4900 Computer Networks: Routing Protocols

Routing Basics. Routing Concepts. IPv4. IPv4 address format. A day in a life of a router. What does a router do? IPv4 Routing

HIP Host Identity Protocol. October 2007 Patrik Salmela Ericsson

Overlay and P2P Networks. Introduction and unstructured networks. Prof. Sasu Tarkoma

Routing Concepts. IPv4 Routing Forwarding Some definitions Policy options Routing Protocols

Achieving scale: Large scale active measurements from PlanetLab

Lecture 3: Packet Forwarding

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011

NSF Future Internet Architecture. Outline. Predicting the Future is Hard! The expressive Internet Architecture: from Architecture to Network

Link State Routing & Inter-Domain Routing

Important Lessons From Last Lecture Computer Networking. Outline. Routing Review. Routing hierarchy. Internet structure. External BGP (E-BGP)

MPLS/Tag Switching. Background. Chapter Goals CHAPTER

Virtual Multi-homing: On the Feasibility of Combining Overlay Routing with BGP Routing

SDX: A Software Defined Internet Exchange

Routing Basics ISP/IXP Workshops

Introduction to IP Routing. Geoff Huston

Lecture 19: Network Layer Routing in the Internet

Configuring MSDP. Overview. How MSDP operates. MSDP peers

Protocol for Tetherless Computing

Back to basics J. Addressing is the key! Application (HTTP, DNS, FTP) Application (HTTP, DNS, FTP) Transport. Transport (TCP/UDP) Internet (IPv4/IPv6)

Routing Basics. ISP Workshops. Last updated 10 th December 2015

OpenADN: A Case for Open Application Delivery Networking

CS 457 Networking and the Internet. The Global Internet (Then) The Global Internet (And Now) 10/4/16. Fall 2016

CS 43: Computer Networks Internet Routing. Kevin Webb Swarthmore College November 14, 2013

Chapter IV: Network Layer

Computer Networking Introduction

The Interconnection Structure of. The Internet. EECC694 - Shaaban

COM-208: Computer Networks - Homework 6

Cisco ACI Multi-Pod and Service Node Integration

HAIR: Hierarchical Architecture for Internet Routing

Never Drop a Call With TecInfo SIP Proxy White Paper

HP Routing Switch Series

A Survey of BGP Security: Issues and Solutions

Inter-Domain Routing: BGP

End-To-End Signaling and Routing for Optical IP Networks

Routing and router security in an operator environment

Improving Network Agility with Seamless BGP Reconfigurations

Internet Kill Switches Demystified

Hierarchical Routing. Our routing study thus far - idealization all routers identical network flat not true in practice

Various Anti IP Spoofing Techniques

Protecting DNS from Routing Attacks -Two Alternative Anycast Implementations

Routing in the Internet

CPSC 826 Internetworking. The Network Layer: Routing & Addressing Outline. The Network Layer

Implementing MPLS Forwarding

Securing BGP Networks using Consistent Check Algorithm

Why dynamic route? (1)

Outline. Predicting the Future is Hard! The expressive Internet Architecture: From Architecture to Network. We love all of them!

Accelerating SDN and NFV Deployments. Malathi Malla Spirent Communications

Routing Support for Wide Area Network Mobility. Z. Morley Mao Associate Professor Computer Science and Engineering University of Michigan

Internet Routing Basics

Table of Contents 1 MSDP Configuration 1-1

Inter-Domain Routing: BGP

Top-Down Network Design

Scalable Multipath Routing (towards)

Homework 3 Discussion

Unicast Routing. Information About Layer 3 Unicast Routing CHAPTER

Huawei CloudEngine Series. VXLAN Technology White Paper. Issue 06 Date HUAWEI TECHNOLOGIES CO., LTD.

DoS Attacks. Network Traceback. The Ultimate Goal. The Ultimate Goal. Overview of Traceback Ideas. Easy to launch. Hard to trace.

Transcription:

SCION: A Secure Multipath Interdomain Routing Architecture Adrian Perrig Network Security Group, ETH Zürich

SCION: Next-generation Internet Architecture Path-aware networking: sender knows packet s path Enables geo-fencing Multi-path communication Caution: use is highly addictive! Highly available communication Secure by construction BGP-free Internet communication Improved network operation Higher network utilization Advanced traffic engineering 2

SCION Architecture Design Goals High availability, even for networks with malicious parties Adversary: access to management plane of router Communication should be available if adversary-free path exists Secure entity authentication that scales to global heterogeneous (dis)trusted environment Flexible trust: enable selection of trust roots Transparent operation: clear what is happening to packets and whom needs to be relied upon for operation Balanced control among ISPs, senders, and receivers Scalability, efficiency, flexibility 3

SCION Overview Control plane: How to find end-to-end paths? Path exploration Path registration Data plane: How to send packets Path lookup Path combination Deployment Demos 4

Approach for Scalability: Isolation Domain (ISD) Isolation Domain (ISD): grouping of ASes ISD core: ASes that manage the ISD Core AS: AS that is part of ISD core Control plane is organized hierarchically Inter-ISD control plane Intra-ISD control plane TRC TRC TRC TRC TRC 5

Intra-ISD Path Exploration: Beaconing Core ASes K, L, M initiate Path-segment Construction Beacons (PCBs), or beacons K L M PCBs traverse ISD as a flood to reach downstream ASes Each AS receives multiple PCBs representing path segments to a core AS N Q O R P S 6

PCB Contents A PCB contains an info field with: PCB creation time Each AS on path adds: AS name Hop field for data-plane forwarding Link identifiers Expiration time Message Authentication Code (MAC) AS signature N Q K O L R 3 2 M 1 1 2 4 P 3 S M: Info field Timestamp ISD: Blue Hop field Out: 1 Expiration, MAC Signature P: Hop fields In: 2, Out: 3 Peering: 4, Out: 3 Expiration, MAC Signature 7

Inter-ISD Path Exploration: Sample Core-Path Segments from AS T I J T U C F A D G B E H N Q K O L R M P S V W X A Y D B Z E C 8

Up-Path Segment Registration AS selects path segments to announce as up-path segments for local hosts K L M Up-path segments are registered at local path servers N Q O P S Path server R 9

Down-Path Segment Registration AS selects path segments to announce as down-path segments for others to use to communicate with AS N K O L M Core path server P Down-path segments are uploaded to core path server in core AS Q R S 10

Ingress and Egress Interface Identifiers Each AS assigns a unique integer identifier to each interface that connects to a neighboring AS The interface identifiers identify ingress/egress links for traversing AS ASes use internal routing protocol to find route from ingress SCION border router to egress SCION border router Examples Yellow path: L:4, O:3,6, R:1 Orange path: L:5, O:2,6, R:1 N Q K 1 2 L 5 4 1 2 3 9 4 8 O 5 7 6 R 2 1 3 M P S 11

SCION Overview Control plane: How to find end-to-end paths? Path exploration Path registration Data plane: How to send packets Path lookup Path combination Deployment Demos 12

Path Lookup Steps of a host to obtain path segments Host contacts RAINS server with a name H RAINS: www.scion-architecture.net RAINS H: ISD X, AS Y, local address Z Host contacts local path server to query path segments H PS: ISD X, AS Y PS H: up-path, core-path, down-path segments Host combines path segments to obtain end-to-end paths, which are added to packets 13

Path Lookup: Local ISD Client requests path segments to <ISD, AS> from local path server If down-path segments are not locally cached, local path server send request to core path server Local path server replies Up-path segments to local ISD core ASes N K O L M P Down-path segments to <ISD, AS> Core-path segments as needed to connect up-path and down-path segments Q R S 14

Path Lookup: Remote ISD Host contacts local path server requesting <ISD, AS> T U If path segments are not cached, local path server will contact core path server K L M V W X Y Z If core path server does not have path segments cached, it will contact remote core path server Finally, host receives up-, core-, and down-segments N Q O R P S A D B E C 15

Path Construction ISD core A B C D E source destination up-segment (intra-isd PCB) core-segment (core PCB) down-segment (intra-isd PCB) INF INF INF CONTROL PLANE AS C s entry HF AS B s entry HF AS D s entry HF AS C s entry HF AS D s entry HF AS E s entry HF AS A s entry HF forwarding path (in SCION header) INF DATA PLANE HF HF HF INF HF HF INF HF HF 16

SCION Overview Summary Complete re-design of network architecture resolves numerous fundamental problems BGP protocol convergence issues Separation of control and data planes Isolation of mutually untrusted control planes Path control by senders and receivers Simpler routers (no forwarding tables) Root of trust selectable by each ISD An isolation architecture for the control plane, but a transparency architecture for the data plane. 17

Outline Control plane: How to find end-to-end paths? Path exploration Path registration Data plane: How to send packets Path lookup Path combination Deployment Demos 18

Deployment @ ETH SWITCH Swisscom BR BR BR BR ETH Legacy device SCION border router 19

SCION-IP Gateway (SIG) Deployment ISP A FW BR BR BR BR C BR Communication patterns A - B: SCION B BR A - C: IP B - C: IP Legacy device SCION border router SIG 20

Carrier-grade SIG Supports SCION Devices ISP A FW BR BR BR BR C POP Communication patterns A - B: SCION (SIG - CG-SIG) B AR A - C: IP (SIG) B - C: IP (CG-SIG) Private address space network (not publicly routed) Not SCION aware Legacy device SCION border router SIG Carrier-grade SIG 21

How to make this work? SIG handles legacy IP traffic If destination is reachable through SCION, encapsulate IP packet and send it to remote SIG over SCION network Otherwise, send packet through IP Carrier-Grade SIG (CG-SIG) handles all traffic to destination NAT for destination network Destination is not publicly reachable DDoS defense Destination does not need to establish an AS 22

SCIONLab SCION Network SCIONLab User SCION AS SCIONLab AS Core link Peering link Prov.-Cust. link 23

Global SCIONLab Network https://www.scionlab.org Collaboration with David Hausheer @ Uni Magdeburg 24

Use Case: Internet Backup through SCIONLab 25

Commercial SCION Network Deutsche Telekom, Swisscom, SWITCH, Init7 offer SCION connections (as test) on a commercial SCION network Several banks and Swiss government are running trial deployments One large bank has been running production traffic over SCION since August 2017 26

How to obtain a SCION Connection? Individual: SCIONLab https://www.scionlab.org SCION AS running on VM within 10 minutes University, research lab SWITCH, DFN can (soon) provide SCION connections David Hausheer @ Uni Magdeburg has set up SCION VMs at GEANT <hausheer@ovgu.de> Corporation, Government entity Swisscom Deutsche Telecom <markus.seipel@telekom.de> 27

Conclusions It is possible to evolve Layer 3: SCION is a secure Internet architecture that we can use today Strong properties for high-availability communication Multipath routing architecture offers multitude of path choices for meaningful diverse path selection For some cases, lower latency than in today s Internet Fast failover providing business continuity Prevention of routing attacks Built-in DDoS defense mechanisms 28

SCION Commercialization Founded Anapaya Systems in June 2017 4 founders: David Basin, Sam Hitz (CEO), Peter Müller, Adrian Perrig Several banks and ISPs are customers https://www.anapaya.net

https://www.scion-architecture.net Book Papers Videos Tutorials Newsletter signup https://www.scionlab.org SCIONLab testbed infrastructure https://www.anapaya.net SCION commercialization https://github.com/scionproto/scion Source code Online Resources 30

SCION Core Project Team Netsec: Daniele Asoni, Laurent Chuat, Sergiu Costea, Piet De Vaere, Sam Hitz, Mike Farb, Tobias Klausmann, Cyrill Krähenbühl, Jonghoon Kwon, Tae-Ho Lee, Sergio Monroy, Chris Pappas, Juan Pardo, Adrian Perrig, Benjamin Rothenberger, Stephen Shirley, Jean-Pierre Smith, Brian Trammell Infsec: David Basin, Tobias Klenze, Ralf Sasse, Christoph Sprenger, Thilo Weghorn Programming Methodology: Marco Eilers, Peter Müller Uni Magdeburg: David Hausheer 31

Thanks to all our Collaborators! 32

Thanks to our Sponsors! 33

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback