Jobtalk

Securing Internet Routing

Sharon Goldberg
Princeton University

Based on work with: Boaz Barak, Shai Halevi, Aaron Jaggard, Vijay Ramachandran, Jennifer Rexford, Eran Tromer, Rebecca Wright, and David Xiao
The Internet (1)

The Internet is a collection of Autonomous Systems (ASes).

[Figure: example ASes Princeton, AT&T, IBM, Local ISP and Comcast]

Connectivity requires competing ASes to cooperate.
The Internet (2)

Each Autonomous System (AS) is a collection of routers.

[Figure: the same ASes, with Local ISP expanded into its routers]
Different Failure Models & Formal Techniques

Honest
• Follows the protocol
Benign / Fail-Stop
• Stops responding
(The Internet was designed for these two models.)

Rational (Selfish), studied with game theory
• Deviates from the protocol for personal gain

Adversarial, studied with cryptography
• Actively tries to “break” the protocol
Research Approach

A cycle, driven by system engineering & economic limitations:

1. Define the security property (the goal).
2. Choose a failure model.
3. Evaluate a protocol: prove that this protocol satisfies the security property for the failure model.
4. Characterize security vs. efficiency: any protocol with security property X needs resource Y.
5. Iterate.

Research Approach (continued)

The same cycle, plus implementation and tech transfer: standards and prototypes.
Secure Routing on the Internet

Goal: Ensure packets arrive at their destination.

[Figure: ASes Princeton, AT&T, IBM, Local ISP and Comcast]

Years of security research have been devoted to solving this problem.
Overview of Previous Work on Secure Routing

[Figure: announced paths such as “AT&T, IBM” and “Local, Comcast, IBM” across the example ASes]

Control Plane (routing protocols):
• Set up paths between nodes.
Secure BGP [Kent Lynn Seo 00], soBGP, IRV, SPV, pgBGP, psBGP, Listen-Whisper, etc.

Data Plane:
• Given the paths, how should packets be forwarded?
NPBR [Perlman 88], Secure Msg Transmission [DDWY92], Secure/Efficient Routing [AKWK04], Secure TR [PS03], etc.

To inform deployment efforts, my research focuses on:
1. Are we securing the right part of the system?
2. Characterizing the tradeoffs between security & efficiency.
Overview of the Results in this Talk

Internet Routing (ensuring packets arrive at their destination) splits into two problems:

Ensure packets actually follow announced paths.
• Failure model: rational ASes
• Known control-plane protocols, like Secure BGP
• [GHJRW, SIGCOMM’08]

Detect packet loss & localize the bad router.
• Failure model: adversarial routers
• New data-plane protocols & characterization
• [GXTBR, SIGMETRICS’08] [BGX, EUROCRYPT’08]
Part I : The Control Plane

two counterexamples & a theorem


BGP: The Internet Routing Protocol (1)

Paths between Autonomous Systems (ASes) are set up via the Border Gateway Protocol (BGP).

[Figure: IBM is the destination; AT&T announces “AT&T, IBM” and Comcast announces “Comcast, IBM”; Local ISP’s valuation ranks the paths “Comcast, IBM” and “AT&T, IBM”; $ marks paid links]

Forwarding: Each node uses a single outgoing link for all traffic to a destination.
Valuations: Usually based on economic relationships. Here, we assume they are fixed at the “beginning of game”.

BGP: The Internet Routing Protocol (2)

[Figure: the announcements propagate one hop further; each AS’s valuation ranks the paths it has heard, e.g. Princeton’s valuation ranks “Local, AT&T, IBM” and “Local, Comcast, IBM”]
Our desired security goal…

BGP announcements match actual paths in the data plane.

[Figure: Princeton’s chosen path “Local, AT&T, IBM” is the path its packets actually take]

Then we can use BGP messages as input to security schemes!
1. Choose paths that avoid ASes known to drop packets.
2. Protocols that localize an adversarial router on the path.
3. Contractual frameworks that penalize nodes that drop packets.
The “Secure BGP” Internet Routing Protocol

If AS a announced path abP, then b announced bP to a.

Public Key Infrastructure: each announcement is signed by the AS that makes it.
Comcast: (IBM)
Local: (Comcast, IBM)
Princeton: (Local, Comcast, IBM)

Public Key Signature: Anyone who knows IBM’s public key can verify the message was sent by IBM.

If we assume nodes are rational, do we get security from “Secure BGP”?
• Yes - for certain utility models (prior work)
• No - for more realistic ones (our work)
The “No Attractions” model of utility…

Model of utility in prior work:
Utility of AS = utility of outgoing (data-plane) path, with no utility from attracted incoming traffic

[Figure: Local ISP’s valuation ranks “Comcast, IBM” and “AT&T, IBM”]

In all prior work: utility is determined by the valuation function.

Do control plane & data plane match?

Utility Model      Secure BGP
No Attractions     Yes [LSZ]

Corollary: If _________, rational ASes have no incentive to send dishonest BGP announcements!
• [Feigenbaum-Ramachandran-Schapira-06], [Feigenbaum-Schapira-Shenker-07], [Levin-Schapira-Zohar-08]
• These results build on [Nisan-Ronen-01], [Feigenbaum-Papadimitriou-Shenker-01], [Parkes-Shneidman-04], [Feigenbaum-Karger-Mirrokni-Sami-05], [Feigenbaum-Papadimitriou-Sami-Shenker-05]
The “Attractions” model of utility…

Our model of utility:
Utility of AS = utility of outgoing (data-plane) path + utility of attracted incoming traffic

[Figure: Local ISP’s valuation ranks “Comcast, IBM” above “AT&T, IBM”, and Local ISP wants to attract Princeton’s traffic ($)]

This more realistically models the payment structure.

Do control plane & data plane match?

Utility Model      Secure BGP
No Attractions     Yes [LSZ]
Attractions        X (see the counterexample)

A negative result is a network where a node has an incentive to lie.
Counterexample: “Secure BGP” is not sufficient!

[Figure: AT&T and Comcast each announce (IBM), so Local ISP hears both (AT&T, IBM) and (Comcast, IBM). Local ISP’s valuation ranks “Comcast, IBM” above “AT&T, IBM”, but it wants to attract Princeton, whose valuation ranks “Local, AT&T, IBM” (☺) above its direct path “AT&T, IBM” and above “Local, Comcast, IBM”. Local ISP therefore forwards via Comcast while announcing (Local, AT&T, IBM) to Princeton; because AT&T really did announce (AT&T, IBM) to Local, Secure BGP accepts the announcement.]

Do control plane & data plane match?

Utility Model      Secure BGP      Next-hop Policy
No Attractions     Yes [LSZ]   OR  Yes [FRS]
Attractions        X               ?

Next-hop policy: Valuations depend only on the 1st AS to receive traffic.
What if everyone used next-hop policy?

Next-hop policy: Valuations depend only on the 1st AS to receive traffic.

The bad example goes away.

[Figure: the same network, with Princeton’s valuation now “Local, *, IBM” above “AT&T, IBM”, so Local ISP attracts Princeton without lying]

Do control plane & data plane match?

Utility Model      Secure BGP      Next-hop Policy      Both
No Attractions     Yes [LSZ]   OR  Yes [FRS]
Attractions        X               X                    ?

Next-hop policy, (naïve) intuition: If a uses a next-hop policy, nothing m says affects a.

[Figure: m announces “blah blah” to a; a only sees the next hop, “m, *, dest”]

Surprisingly, the intuition fails (again).
Counterexample: Next-hop policy is not sufficient! (1)

[Figure: IBM is the destination. Greedy ISP, Sprint, AT&T and Princeton are connected, with $ on the links Greedy sells. Greedy wants to attract Princeton (on the direct link only) and values its path to IBM. Princeton’s valuation ranks “Sprint, *, IBM” above “Greedy, *, IBM”.]

Counterexample: Next-hop policy is not sufficient! (2)

[Figure: Greedy honestly announces “Greedy, IBM” to both Princeton and Sprint; Sprint exports “Sprint, Greedy, IBM” to Princeton. Princeton prefers “Sprint, *, IBM”, so its traffic reaches Greedy via Sprint, not on the direct link.]

Counterexample: Next-hop policy is not sufficient! (3)

[Figure: Greedy instead announces “Greedy, Princeton, IBM” to Sprint. Sprint exports “Sprint, Greedy, Princeton, IBM” to Princeton, which sees itself in the path and discards it, so Princeton chooses “Greedy, IBM” on the direct link.]

This is a false loop!
Counterexample: Next-hop policy is not sufficient! (3)

Observation: Manipulation not possible with Secure BGP.
(Also not possible if nodes use clever loop detection.)

[Figure: the same announcements as in (3)]

Do control plane & data plane match?

Utility Model      Secure BGP      Next-hop Policy      Both
No Attractions     Yes [LSZ]       Yes [FRS]
Attractions        X               X                    * (our main theorem)
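The Secure BGP rule from the slides (if a announced abP, then b announced bP to a) applied to the false-loop counterexample, as an added Python example that is not part of the talk. HMAC with a constructed per-AS secret stands in for the public-key signatures a Secure BGP PKI would provide, and the attestation format is this example's own assumption.

```python
import hashlib
import hmac

# Constructed per-AS secret keys. HMAC stands in for the public-key signatures that
# Secure BGP's PKI would provide; the message format is this example's, not S-BGP's.
AS_KEYS = {name: name.encode() + b"-secret-key"
           for name in ("IBM", "Greedy", "Sprint", "Princeton")}


def attest(signer: str, recipient: str, path) -> tuple:
    """Route attestation: `signer` announces `path` (beginning with itself) to `recipient`."""
    message = f"{recipient}|{' '.join(path)}".encode()
    tag = hmac.new(AS_KEYS[signer], message, hashlib.sha256).hexdigest()
    return (signer, recipient, tuple(path), tag)


def attestation_valid(att) -> bool:
    """A real PKI would check the signature with the signer's public key."""
    signer, recipient, path, tag = att
    return path[0] == signer and hmac.compare_digest(attest(signer, recipient, path)[3], tag)


def verify_route(receiver: str, path, attestations) -> bool:
    """The Secure BGP rule: if AS a announced a b P, then b must have announced b P to a.
    Every AS on the path must have attested its suffix to its predecessor on the path,
    and the origin must have attested (origin) to its neighbour."""
    valid = {att[:3] for att in attestations if attestation_valid(att)}
    prev = receiver
    for i, hop in enumerate(path):
        if (hop, prev, tuple(path[i:])) not in valid:
            return False  # this announcement was never made: reject the route
        prev = hop
    return True


def false_loop_scenario() -> dict:
    """The slides' counterexample: Greedy tells Sprint 'Greedy, Princeton, IBM' so that
    Princeton's loop detection rejects Sprint's path. With Secure BGP, Sprint rejects the
    lie because Princeton never announced 'Princeton, IBM' to Greedy, so no attestation
    for that suffix exists (the forged attestation below comes only from Greedy)."""
    attestations = [
        attest("IBM", "Greedy", ["IBM"]),
        attest("Greedy", "Princeton", ["Greedy", "IBM"]),
        attest("Greedy", "Sprint", ["Greedy", "IBM"]),               # honest announcement
        attest("Greedy", "Sprint", ["Greedy", "Princeton", "IBM"]),  # the false loop
        attest("Sprint", "Princeton", ["Sprint", "Greedy", "IBM"]),
    ]
    return {
        "sprint_accepts_honest": verify_route("Sprint", ["Greedy", "IBM"], attestations),
        "sprint_accepts_false_loop": verify_route("Sprint", ["Greedy", "Princeton", "IBM"], attestations),
        "princeton_accepts_sprint": verify_route("Princeton", ["Sprint", "Greedy", "IBM"], attestations),
    }
```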
Our Main Theorem

For a network with traffic attraction where all nodes have
1. next-hop valuations, and
2. Secure BGP;
and there is no dispute wheel in the valuations, then no node has an incentive to lie.

More precisely: there is a set H of “honest strategies” such that for every node m, if all nodes except m use a strategy in H, then m has an optimal strategy in H. (“ex-post set Nash”, [Lavi-Nisan 05])

Proof idea:
1. Assume some node gets higher utility by lying.
2. Show some node must have announced a false loop.
3. Contradiction if nodes use Secure BGP.
Securing the Control Plane: Conclusions

Utility Model      Secure BGP      Next-hop Policy      Both
No Attractions     Yes [LSZ]       Yes [FRS]
Attractions        X               X                    * (our theorem)

These routing policies are not realistic.

Incentives to announce false paths exist, even if ASes are rational and use “Secure BGP”.

This motivates more work on data-plane security.

Part II : The Data Plane

two theorems & a protocol


Securing the Data Plane (1)

[Figure: Alice sends packets to Bob along a path and asks: how is the path performing?]

Detection: Does the packet loss / corruption rate exceed 1%?
Localization: If so, which router is responsible?

Securing the Data Plane (2)

[Figure: the same path, with Eve on it; Alice pings and Bob acks]

Eve:
• Knows the monitoring protocol
• Can add / drop / modify / reorder packets
• Wants to hide packet loss from Alice

Detection: Does the packet loss / corruption rate exceed 1%?
Localization: If so, which router is responsible?

Today’s approaches (ping, traceroute, active probing, marked diagnostic packets) cannot withstand active attack.
Data Plane: Security vs Efficiency

[Figure: Alice, Eve and Bob on the path]

[GXTBR, SIGMETRICS’08] Any protocol detecting loss on a path (with an adversary) needs keys and crypto at Alice and Bob.
Argued by reduction to one-way functions.

[BGX, EUROCRYPT’08] Any protocol localizing the adversary on a path needs keys and crypto at every node on the path.
Argued with an Impagliazzo-Rudich style black-box separation.

But: limited incentives to deploy these protocols in the Internet.
Efficient & Secure Detection : Protocol

[Figure: Alice and Bob share a key k; each keeps a sketch, an array of counters (A at Alice, B at Bob), updated as packets pass]

Alice                                          Bob
Hash each packet f_k(d) = index                Hash each packet f_k(d) = index
Update sketch A[index] += 1                    Update sketch B[index] += 1
                                               MAC sketch B and send it (authenticated) to Alice
Take the difference sketch X = A - B
Decide between > 1% and < 0.5% loss:
• Compute the ℓ2-norm Σ X_i²
• Raise an alarm iff norm > 0.66%
Refresh hash key & repeat                      Refresh hash key & repeat
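An added Python illustration of the sketch protocol above; it is not the authors' Cisco prototype. HMAC-SHA256 serves as the keyed hash f_k, the sketch width of 64 bins and the +/-1 sign per packet (the second-moment-sketch estimator) are this example's assumptions, and the 0.66% alarm threshold is the slide's.

```python
import hashlib
import hmac

BINS = 64                # sketch width; an assumption, the slides do not fix it
ALARM_FRACTION = 0.0066  # slide threshold: alarm if the estimate exceeds 0.66% of packets sent


def bin_and_sign(key: bytes, packet: bytes):
    """Keyed hash f_k(d): map a packet to a sketch bin plus a +/-1 sign.
    The sign is the second-moment-sketch trick (assumed here; the slide shows only += 1)."""
    digest = hmac.new(key, packet, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % BINS, (1 if digest[4] & 1 else -1)


def build_sketch(key: bytes, packets) -> list:
    """Each side stores only BINS counters, never the packets themselves."""
    sketch = [0] * BINS
    for packet in packets:
        index, sign = bin_and_sign(key, packet)
        sketch[index] += sign
    return sketch


def mac_sketch(mac_key: bytes, sketch: list) -> str:
    """Bob authenticates his sketch so Eve cannot substitute one that hides the loss."""
    return hmac.new(mac_key, ",".join(map(str, sketch)).encode(), hashlib.sha256).hexdigest()


def alice_decides(key: bytes, mac_key: bytes, sent, bob_sketch: list, tag: str):
    """Verify the MAC, take X = A - B and use sum(X_i^2) as the loss estimate.
    Returns (estimated_bad_packets, alarm)."""
    if not hmac.compare_digest(mac_sketch(mac_key, bob_sketch), tag):
        raise ValueError("sketch MAC invalid: discard it")
    x = [a - b for a, b in zip(build_sketch(key, sent), bob_sketch)]
    estimate = sum(v * v for v in x)  # expectation ~ dropped packets (a modified one counts about twice)
    return estimate, estimate > ALARM_FRACTION * len(sent)


def run_interval(sent, received, key=b"interval-key-1", mac_key=b"mac-key-1"):
    """One monitoring interval. Keys are fixed here for reproducibility; the slide
    refreshes the hash key after every interval."""
    bob_sketch = build_sketch(key, received)
    return alice_decides(key, mac_key, sent, bob_sketch, mac_sketch(mac_key, bob_sketch))


# Constructed sample traffic: 1000 packets; in the lossy run Eve drops the first 50 (5%).
SENT = [b"packet-%d" % i for i in range(1000)]
LOSSY = SENT[50:]
```

With no loss X is all zeros and the estimate is 0; with 50 of 1000 packets dropped the estimate lands near 50, far above the threshold of 6.6, while 2 dropped packets estimate at most 4 and raise no alarm.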
Efficient & Secure Detection : Summary

[Figure: the same sketches A and B at Alice and Bob]

Our protocol requires:
• O(log(# packets)) storage at Alice & Bob
• one hash computation per packet at Alice & Bob
• no traffic modification
• 2 extra packets (communication)
• pairwise keys at Alice & Bob

Sketch size as a function of packets sent:
Pkts      Sketch
10^6      170 Bytes
10^7      200 Bytes
10^8      235 Bytes
10^9      270 Bytes

This was prototyped at Cisco in summer 2008.

Conclusions

Securing the control plane is not a panacea.
• Even if we assume ASes are rational and use “Secure BGP”

Availability schemes that require knowledge of paths?
• Control-plane protocols don’t guarantee that we know the paths packets actually take.
• Data-plane protocols that localize an adversary are expensive; each node on the path has to participate.

Availability schemes that involve only the end points?
• Efficient protocols are possible, even in the data plane
• … but with weaker security guarantees
Thanks!

Full versions of all papers available: www.princeton.edu/~goldbe/

Princeton University