Network Security - ISA 656 Routing Security

Similar documents
Network Security - ISA 656 Routing Security

Steven M. Bellovin AT&T Labs Research Florham Park, NJ 07932

Routing Security* CSE598K/CSE545 - Advanced Network Security Prof. McDaniel - Spring * Thanks to Steve Bellovin for slide source material.

Module: Routing Security. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Routing Concepts. IPv4 Routing Forwarding Some definitions Policy options Routing Protocols

Routing Basics. ISP Workshops. Last updated 10 th December 2015

Routing Security Security Solutions

Security in inter-domain routing

Routing Basics. Campus Network Design & Operations Workshop

Routing Basics. ISP Workshops

Top-Down Network Design

Introduction to IP Routing. Geoff Huston

Securing BGP. Geoff Huston November 2007

Securing BGP: The current state of RPKI. Geoff Huston Chief Scientist, APNIC

Service Provider Multihoming

A PKI For IDR Public Key Infrastructure and Number Resource Certification

CS 43: Computer Networks. 24: Internet Routing November 19, 2018

Module 14 Transit. Objective: To investigate methods for providing transit services. Prerequisites: Modules 12 and 13, and the Transit Presentation

Small additions by Dr. Enis Karaarslan, Purdue - Aaron Jarvis (Network Engineer)

CS 43: Computer Networks Internet Routing. Kevin Webb Swarthmore College November 16, 2017

Service Provider Multihoming

Routing Basics ISP/IXP Workshops

CS 43: Computer Networks Internet Routing. Kevin Webb Swarthmore College November 14, 2013

Interdomain routing CSCI 466: Networks Keith Vertanen Fall 2011

Inter-Domain Routing: BGP

Routing Basics ISP/IXP Workshops

Top-Down Network Design, Ch. 7: Selecting Switching and Routing Protocols. Top-Down Network Design. Selecting Switching and Routing Protocols

BGP. Daniel Zappala. CS 460 Computer Networking Brigham Young University

TBGP: A more scalable and functional BGP. Paul Francis Jan. 2004

Internet Measurements. Motivation

Multihoming Complex Cases & Caveats

Routers / external connectivity (HSRP) Web farm, mail servers

Some Lessons Learned from Designing the Resource PKI

The Internet Ecosystem

Routing Basics. Routing Concepts. IPv4. IPv4 address format. A day in a life of a router. What does a router do? IPv4 Routing

A configuration-only approach to shrinking FIBs. Prof Paul Francis (Cornell)

IPv6 Module 6x ibgp and Basic ebgp

An Operational Perspective on BGP Security. Geoff Huston February 2005

Module 18 Transit. Objective: To investigate methods for providing transit services. Prerequisites: Modules 12 and 13, and the Transit Presentation

IP Addressing & Interdomain Routing. Next Topic

BGP and the Internet. Enterprise Multihoming. Enterprise Multihoming. Medium/Large ISP Multihoming. Enterprise Multihoming. Enterprise Multihoming

Unit 3: Dynamic Routing

Service Provider Multihoming

Routing Security. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel

Example: Conditionally Generating Static Routes

Securing BGP Networks using Consistent Check Algorithm

BGP Multihoming ISP/IXP Workshops

Department of Computer and IT Engineering University of Kurdistan. Computer Networks II Border Gateway protocol (BGP) By: Dr. Alireza Abdollahpouri

Multihoming with BGP and NAT

Last time. Transitioning to IPv6. Routing. Tunneling. Gateways. Graph abstraction. Link-state routing. Distance-vector routing. Dijkstra's Algorithm

Ravi Chandra cisco Systems Cisco Systems Confidential

Lecture 16: Interdomain Routing. CSE 123: Computer Networks Stefan Savage

3/10/2011. Copyright Link Technologies, Inc.

A Survey of BGP Security Review

Routing on the Internet. Routing on the Internet. Hierarchical Routing. Computer Networks. Lecture 17: Inter-domain Routing and BGP

Advanced BGP using Route Reflectors

CS519: Computer Networks. Lecture 4, Part 5: Mar 1, 2004 Internet Routing:

Routing in the Internet

Lecture outline. Internet Routing Security Issues. Previous lecture: Effect of MinRouteAdver Timer. Recap of previous lecture

COM-208: Computer Networks - Homework 6

Update on Resource Certification. Geoff Huston, APNIC Mark Kosters, ARIN IEPG, March 2008

Introduction to IS-IS

COMP/ELEC 429 Introduction to Computer Networks

CS4700/CS5700 Fundamentals of Computer Networks

Intelligent Routing Platform

Lecture 18: Border Gateway Protocol

CS 457 Networking and the Internet. The Global Internet (Then) The Global Internet (And Now) 10/4/16. Fall 2016

BGP Protocol & Configuration. Scalable Infrastructure Workshop AfNOG2008

Routing Protocols --- Exterior Gateway Protocol

Module 16 An Internet Exchange Point

Module 13 Multihoming to Different ISPs

Routing and router security in an operator environment

Advanced Multihoming. BGP Traffic Engineering

Inter-Domain Routing: BGP

IPv6 Module 16 An IPv6 Internet Exchange Point

BGP and the Internet. Why Multihome? Why Multihome? Why Multihome? Why Multihome? Why Multihome? Redundancy. Reliability

BGP and the Internet

CSCD 433/533 Network Programming Fall Lecture 14 Global Address Space Autonomous Systems, BGP Protocol Routing

Introduction. Keith Barker, CCIE #6783. YouTube - Keith6783.

Service Provider Multihoming

CS 268: Computer Networking

Basic Idea. Routing. Example. Routing by the Network

Dynamic Routing. The Protocols

LARGE SCALE IP ROUTING

Initial motivation: 32-bit address space soon to be completely allocated. Additional motivation:

Internet Routing : Fundamentals of Computer Networks Bill Nace

RIP Version 2. The Classless Brother

Routing by the Network

Network Security: Routing security. Aapo Kalliola T Network security Aalto University, Nov-Dec 2012

Routing & Protocols 1

Outline Computer Networking. Inter and Intra-Domain Routing. Internet s Area Hierarchy Routing hierarchy. Internet structure

CS BGP v4. Fall 2014

Module 19 Internet Exchange Points

9/6/2015. COMP 535 Lecture 6: Routing Security. Agenda. In the News. September 3, 2015 Andrew Chi

Network Layer: Routing

Announcements. CS 5565 Network Architecture and Protocols. Project 2B. Project 2B. Project 2B: Under the hood. Routing Algorithms

PART III. Implementing Inter-Network Relationships with BGP

BGP for Internet Service Providers

Introduction to Computer Networks

FAQ. Version: Copyright ImageStream Internet Solutions, Inc., All rights Reserved.

Transcription:

Network Security - ISA 656 Angelos Stavrou December 4, 2007

What is? What is Routing Security? History of Routing Security Why So Little Work? How is it Different? The Enemy s Goal? Bad guys play games with routing protocols. Traffic is diverted. Enemy can see the traffic. Enemy can easily modify the traffic. Enemy can drop the traffic. Cryptography can mitigate the effects, but not stop them. 2 / 41

History of What is Routing Security? History of Routing Security Why So Little Work? How is it Different? The Enemy s Goal? Radia Perlman s dissertation: Network Layer Protocols with Byzantine Robustness, 1988. Bellovin s Security Problems in the TCP/IP Protocol Suite. More work starting around 1996. Kent et al., 2000 (two papers). 3 / 41

Why So Little Work? What is Routing Security? History of Routing Security Why So Little Work? How is it Different? The Enemy s Goal? It s a really hard problem. Actually, getting routing to work well is hard enough. It s outside the scope of traditional communications security. 4 / 41

How is it Different? What is Routing Security? History of Routing Security Why So Little Work? How is it Different? The Enemy s Goal? Most communications security failures happen because of buggy code or broken protocols. Routing security failures happen despite good code and functioning protocols. The problem is a dishonest participant. Hop-by-hop authentication isn t sufficient. 5 / 41

The Enemy s Goal? What is Routing Security? History of Routing Security Why So Little Work? How is it Different? The Enemy s Goal? Z Y Host B Host A X Good: A >X >Y >B Bad: A >X >Z >Y >B But how can this happen? 6 / 41

Normal Behavior But Z Can Lie Using a Tunnel for Packet Re-injection Why is the Problem Hard? Routers speak to each other. They exchange topology information and cost information. Each router calculates the shortest path to each destination. Routers forward packets along locally shortest path. Attacker can lie to other routers. 7 / 41

Normal Behavior Normal Behavior But Z Can Lie Using a Tunnel for Packet Re-injection Why is the Problem Hard? 5 Z 5 10 Y Host B Host A 10 X 5 Y >X, Y >Z: B(10) Z >X: Y(5), B(15) X >A: Z(5), Y(5), B(15) 8 / 41

But Z Can Lie Normal Behavior But Z Can Lie Using a Tunnel for Packet Re-injection Why is the Problem Hard? 5 Z 5 10 Y Host B Host A 10 X 5 Y >X, Y >Z: B(10) Z >X: Y(5), B(3) X >A: Z(5), Y(5), B(8) Note that X is telling the truth as it knows it. 9 / 41

Using a Tunnel for Packet Re-injection Normal Behavior But Z Can Lie Using a Tunnel for Packet Re-injection Why is the Problem Hard? Z Z Host A X Y Q Host B 10 / 41

Why is the Problem Hard? Normal Behavior But Z Can Lie Using a Tunnel for Packet Re-injection Why is the Problem Hard? X has no knowledge of Z s real connectivity. Even Y has no such knowledge. The problem isn t the link from X to Z; the problem is the information being sent. (Note that Z might be deceived by some other neighbor Q.) 11 / 41

OSPF (Open Shortest Path First) Characteristics of Internal Networks How Do You Secure OSPF? Address Certificate External Routing via BGP POP Topology Noteworthy Points Two types, internal and external routing. Internal (within ISP, company): primarily OSPF. External (between ISPs, and some customers): BGP. Topology matters. 12 / 41

OSPF (Open Shortest Path First) OSPF (Open Shortest Path First) Characteristics of Internal Networks How Do You Secure OSPF? Address Certificate External Routing via BGP POP Topology Noteworthy Points Each node announces its own connectivity. Announcement includes link cost. Each node re-announces all information received from peers. Every node learns the full map of the network. Each node calculates the shortest path to all destinations. Note: limited to a few thousand nodes at most. 13 / 41

Characteristics of Internal Networks OSPF (Open Shortest Path First) Characteristics of Internal Networks How Do You Secure OSPF? Address Certificate External Routing via BGP POP Topology Noteworthy Points Common management. Common agreement on cost metrics. Companies have less rich topologies, but less controlled networks. ISPs have very rich but very specialized topologies, but well-controlled networks. Often based on Ethernet and its descendants. 14 / 41

How Do You Secure OSPF? OSPF (Open Shortest Path First) Characteristics of Internal Networks How Do You Secure OSPF? Address Certificate External Routing via BGP POP Topology Noteworthy Points Simple link security is hard: multiple-access net. Shared secrets guard against new machines being plugged in, but not against an authorized party being dishonest. Solution: digitally sign each routing update (expensive!). List authorizations in certificate. Experimental RFC by Murphy et al., 1997. Note: everyone sees the whole map; monitoring station can note discrepancies from reality. (But bad guys can send out different announcements in different directions.) 15 / 41

Address Certificate OSPF (Open Shortest Path First) Characteristics of Internal Networks How Do You Secure OSPF? Address Certificate External Routing via BGP POP Topology Noteworthy Points Each router has certain interfaces and hence direct network reachability Each router therefore has a certificate binding its public key to its valid addresses Note well: the CA has to know the proper addresses for each router But that s the norm in OSPF environments 16 / 41

External Routing via BGP OSPF (Open Shortest Path First) Characteristics of Internal Networks How Do You Secure OSPF? Address Certificate External Routing via BGP POP Topology Noteworthy Points No common management (hence no metrics beyond hop count). No shared trust. Policy considerations: by intent, not all paths are actually usable. 17 / 41

POP Topology OSPF (Open Shortest Path First) Characteristics of Internal Networks How Do You Secure OSPF? Address Certificate External Routing via BGP POP Topology Noteworthy Points R1 R2 access router access router access router access router 18 / 41

Noteworthy Points OSPF (Open Shortest Path First) Characteristics of Internal Networks How Do You Secure OSPF? Address Certificate External Routing via BGP POP Topology Noteworthy Points A lot of attention to redundancy. Rarely-used links (i.e., R1 R2) Link cost must be carefully chosen to avoid external hops. May have intermediate level of routers to handle fan-out. 19 / 41

OSPF (Open Shortest Path First) Characteristics of Internal Networks How Do You Secure OSPF? Address Certificate External Routing via BGP POP Topology Noteworthy Points 20 / 41

InterISP Routing B X Y Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) SBGP Certificate Issuance Certificate Tree Certificates Signed Origin BGP SOBGP Happy Packets W A Z L C 21 / 41

InterISP Routing Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) SBGP Certificate Issuance Certificate Tree Certificates Signed Origin BGP SOBGP Happy Packets Tier 1 ISPs are peers, and freely exchange traffic. Small ISPs buy service from big ISPs. Different grades of service: link L-Z is for customer access, not transit. C B goes via L-Y-X-W, not L-Z-W. A is multi-homed, but W-A-Z is not a legal path, even for backup. BGP is distance vector, based on ISP hops. Announcement is full path to origin, not just metric. 22 / 41

Path Vectors Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) SBGP Certificate Issuance Certificate Tree Certificates Signed Origin BGP SOBGP Happy Packets Route advertisements contain a prefix and a list of ASs to traverse to reach that prefix Example: if B owns address block 10.0/16, L would see 10.0/16, {Y,X,W,B} ASs do not see paths filtered by upstream nodes. Y sees 10.0/16, {X,W,B} and 10.0/16, {Z,W,B} ; since only forwards the former to L, L knows nothing of the path via Z 23 / 41

Policies Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) SBGP Certificate Issuance Certificate Tree Certificates Signed Origin BGP SOBGP Happy Packets ISPs have a great deal of freedom when choosing the best path While hop count is one metric, local policies (i.e., for traffic engineering) count more These policies in general, not disclosed publicly affect with path neighbors will see 24 / 41

Long Prefixes and Loop-Free Routing Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) SBGP Certificate Issuance Certificate Tree Certificates Signed Origin BGP SOBGP Happy Packets Routers ignore advertisements with their own AS number in the path This is essential to provide loop-free paths Routers use longest match on prefixes when calculating a path These two facts can be combined to form an attack 25 / 41

Longer Prefix Attack Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) SBGP Certificate Issuance Certificate Tree Certificates Signed Origin BGP SOBGP Happy Packets Suppose B owns 10.0/16. Z sees 10.0/16, {W,B} A advertises 10.0.0/17, {A,W} Z will route packets for 10.0.0/17to A it has a longer prefix W will never see that path, and hence won t pass it to B the path (falsely) contains W, so it will be rejected by W 26 / 41

Filtering Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) SBGP Certificate Issuance Certificate Tree Certificates Signed Origin BGP SOBGP Happy Packets ISPs can filter route advertisements from their customers. Doesn t always happen: AS7007 incident, spammers, etc. Not feasible at peering links. 27 / 41

Secure BGP (Kent et al.) Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) SBGP Certificate Issuance Certificate Tree Certificates Signed Origin BGP SOBGP Happy Packets Each node signs its announcements. That is, X will send {W } X, {Y } X, {Z} X. W will send {B} W, {A} W, {X} W, {X : {Z} X } W. Chain of accountability. 28 / 41

SBGP Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) SBGP Certificate Issuance Certificate Tree Certificates Signed Origin BGP SOBGP Happy Packets Lots of digital signatures to calculate and verify. Can use cache Verification can be delayed Calculation expense is greatest when topology is changing i.e., just when you want rapid recovery. (About 120K routes... ) How to deal with route aggregation? What about secure route withdrawals when link or node fails? Dirty data on address ownership. 29 / 41

Certificate Issuance Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) SBGP Certificate Issuance Certificate Tree Certificates Signed Origin BGP SOBGP Happy Packets Who issues prefix ownership certificates? Address space comes from upstream ISP or RIRs RIRs really are authoritative hence they re a monopoly If an RIR makes a mistake, the prefix is off the air Is this a risk worth taking? 30 / 41

Certificate Tree Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) SBGP Certificate Issuance Certificate Tree Certificates Signed Origin BGP SOBGP Happy Packets The RIRs (Regional Registries) give addresses to big ISPs and big end users Accordingly, the RIRs should issue certificates (Really, it should be ICANN, but the politics of that are too painful) Small ISPs and small customers get address space from their own ISPs Every ISP is thus a certificate holder and a certificate issuer These are authorization certificates, not identity certificates 31 / 41

Certificates Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) SBGP Certificate Issuance Certificate Tree Certificates Signed Origin BGP SOBGP Happy Packets The identity of the certificate holder is irrelevant What matters is the authorization: the certificate contains IP address ranges The signing party has its own certificate listing larger ranges of IP addresses, and hence the right to delegate them 32 / 41

Signed Origin BGP Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) SBGP Certificate Issuance Certificate Tree Certificates Signed Origin BGP SOBGP Happy Packets Suppose only the origin was digitally signed: 10.0/16, B In addition, all polices are (securely) published in some database Receiving node verifies origin, then compares received path against all policies Query: is the received path consistent with policies? Advantage: many fewer signatures 33 / 41

SOBGP Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) SBGP Certificate Issuance Certificate Tree Certificates Signed Origin BGP SOBGP Happy Packets Sill have monopoly RIRs ISPs don t like to publish policies Clever attackers can play games in the middle of the path 34 / 41

Happy Packets Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) SBGP Certificate Issuance Certificate Tree Certificates Signed Origin BGP SOBGP Happy Packets Philosophy: don t worry too much about routing security Crucial metric: do packets reach their destination? What about confidentiality? If it matters, encrypt end-to-end But what about traffic analysis? 35 / 41

Is Link-Cutting Feasible? Sample Link-Cutting Attack Cost of Link-Cutting Attacks on the Backbone Suppose that we have SBGP and SOSPF. Suppose the enemy controls a few links or nodes. Can he or she force traffic to traverse those paths? Yes... 36 / 41

Is Link-Cutting Feasible? Is Link-Cutting Feasible? Sample Link-Cutting Attack Cost of Link-Cutting Attacks on the Backbone Attacker must have network map. Easy for OSPF; probably doable for BGP see Rocketfuel paper. Can attacker determine peering policy? Unclear. How can links be cut? Backhoes? Ping of death? DDoS attack on link bandwidth? 37 / 41

Sample Is Link-Cutting Feasible? Sample Link-Cutting Attack Cost of Link-Cutting Attacks on the Backbone Ya1 Ya2 Ya3 Yb1 Yb0 Ya0 C Za2 Zb1 Za1 Za3 Zb0 Za0 D Xa1 Xa3 Xb0 Xa0 B Xb1 Xa2 Wb0 Wa3 Wa2 Wb1 Wa0 Wa1 A 38 / 41

Cost of s on the Backbone 80 70 60 "cut-effort-full" "cut-effort-reduced" "cut-avg-full" "cut-avg-reduced" Is Link-Cutting Feasible? Sample Link-Cutting Attack Cost of Link-Cutting Attacks on the Backbone Link cuts required 50 40 30 20 10 0 0 20 40 60 80 100 120 140 160 180 Number of nodes 39 / 41

Hard to defend against routing protocols are doing what they re supposed to! Keeping attacker from learning the map is probably infeasible. Feed routing data into IDS? Link-level restoration is a good choice, but can be expensive. Others? 40 / 41

Routing security is a major challenge. Mentioned specifically in White House Cybersecurity document. Lots of room for new ideas. 41 / 41

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback