Download dhs-aug2006 - Princeton University

Incrementally Deployable Security
for Interdomain Routing
(TTA-4, Type-I)
Jennifer Rexford, Princeton University
Joan Feigenbaum, Yale University
August, 2006
Overview: Insecure Internet Infrastructure
• Border Gateway Protocol is important
– BGP is the glue that holds the Internet together
• BGP is extremely vulnerable
– Easy to inject false information
– Easy to trigger routing instability
• Vulnerabilities are being exploited
– Configuration errors and malicious attacks
– Route hijacking, blackholes, denial-of-service, …
• Changing to a secure protocol is hard
– Can’t have a flag day to reboot the Internet
2
Overview: Incrementally Deployable Solution
• Backwards compatibility
– Work with existing routers and protocols
• Incentive compatibility
– Offer significant benefits, even to the first adopter
Routing
Control
Platform
tells
how
to forward
traffic
ASes
can
upgrade
to deploy
secure
interdomain
routing
protocol
Use
… Use
all
RCP
with
while
RCP
to
RCPs
simplify
still
to
can
using
cooperate
management
(and
BGP
avoid)
torouters
control
to detect
suspicious
and
the
enable
suspicious
legacy
routes
new
routers
services
routes
Use
Other
BGP
ASes
todetect
communicate
can
an
with
RCP
the
independently
legacy
routers
Distributed detection
Inter-AS Protocol
RCP
BGP
AS 1
RCP
RCP
AS 2
AS 3
3
Overview: Potential Security Impact
• Breaking the “flag day” stalemate
– Viable approach to incremental deployment
– Backwards compatible with the legacy routers
– Incentive-compatible with goals of each AS
• Immediate benefits to participating ASes
– Avoiding anomalous and suspicious routes
– Secure routing with participating neighbors
• Tipping point leads to ubiquitous deployment
– Increasing incentives for ASes to participate
– Ultimately, full deployment of secure protocol
• Insights for other protocols (such as DNSSEC)
4
Technical Accomplishments: Outline
• Prototyping and deployment
– Routing Control Platform (RCP) prototype
– Virtual Network Infrastructure (VINI) platform
• Anomaly detection techniques
– Pretty Good BGP (PGBGP)
– Update-clustering algorithms
• Incremental deployability
– Multi-path Interdomain ROuting (MIRO)
5
Accomplishment #1: Prototyping & Deployment
• RCP prototype
RCP
– Prototype as extension to XORP/Vyatta
AS 1
– Learns BGP routers from neighbor ASes
– Selects a “best route” for each router per prefix
– API for anomaly detection and path selection
• Virtual Network Infrastructure (VINI)
– Platform for demonstrating the RCP in operation
– Shared WAN facility for network experimentation
– Initial evaluation of the existing routing protocols
– A step toward the NSF’s GENI backbone design
6
Accomplishment #2: Anomaly Detection
• Pretty Good BGP (PGBGP)
– Maintain history of AS originating a prefix
– Flag announcements with new AS as suspicious
– Prefer “normal” routes over suspicious ones
– Natural application to run on the RCP
3
2
5
1
12.34.0.0/16
prevent hijack
4
12.34.0.0/16
7
Accomplishment #2: Anomaly Detection (Cont.)
• Aggregation and analysis of route updates
– A single event can trigger instability in routes to
many destinations. High volume of updates
makes this an MDS-algorithmic challenge.
– Use statistical correlation to form clusters of
routes that change frequently and (approx’ly)
simultaneously. Provide tools to aid anomaly
detection and root-cause diagnosis.
– MDS clustering algorithms have been designed,
implemented, and tested on RouteViews data. To
be deployed in RCP.
8
Accomplishment #3: Incremental Deployability
• Multipath Interdomain Routing (MIRO)
– Increase chance of learning a valid path
– Availability providers advertise extra paths
– Stub ASes direct packets on alternate paths
• Design of the protocol
– RCP application running in participating ASes
– Packet encapsulation to send packets on paths
• Evaluation of incremental deployment
– Incremental deployment offers significant gains
– Small set of large ASes see most of path diversity
9
Milestones, Deliverables, Schedule
RCP Prototype
RCP prototype,
and API to dataanalysis engine
Anomaly Detection Routing Policy Secure Routing
Offline
algorithms and
upper bounds
Identify today’s
policies and
select notation
Evaluate
incentive
compatibility
Integrate policy
language in trust
management
Quantify gains
of a partial
deployment
Focus thus far
RCP with API to
trust-management
system
Online analysis
algorithm to
detect anomalies
For PGBGP
and MIRO
Deployment of
RCP in operational
networks
Deploy online
algorithm; create
distributed
Deploy in trust
management
system
Investigate new
secure inter-AS
protocols
10
Public Relations Activities
• NANOG presentation
– PGBGP talk at NANOG in June 2006
– Discovered deployment opportunity at IXNM
• Interaction with ISPs and vendors
– ISPs: AT&T, NLR, and Abilene
– Vendors: XORP/Vyatta, Cisco, and Lucent
– Natural focus for influencing interdomain routing
• Research publications
– Anomaly detection (IEEE ICNP’06, ACM CIKM’06)
– VINI (ACM SIGCOMM’06)
– MIRO (ACM SIGCOMM’06)
11
Technology Transition Plans
• RCP: Routing Control Platform
– Initial discussions with Cisco on RCP
– Continued collaboration with AT&T
– Possible deployment path with Vyatta (start-up)
• VINI: Virtual Network Infrastructure
– Running on PlanetLab nodes in Abilene backbone
– Deploying in six sites in National Lambda Rail
– Planning dedicated bandwidth & ISP connectivity
– A step toward the NSF’s GENI backbone design
12
Technology Transition Plans (Continued)
• PGBGP: Pretty Good BGP
– Internet Alert Registry deployed and in use
– Prototype in progress for IXNM exchange point
– In discussion with Cisco about router support
– … and using PGBGP to enable soBGP deployment
• MIRO: Multipath Interdomain ROuting
– In discussion with Cisco about router extensions
– Many of the building blocks are already available
– IP-in-IP encapsulation & “add paths” BGP feature
13
Publication Activity: Published Papers
• Prototyping and deployment
– “In VINI veritas: Realistic and controlled network
experimentation” (ACM SIGCOMM, 2006)
• Anomaly detection
– “Learning-based anomaly detection in BGP updates” (ACM
SIGCOMM MineNet Workshop, 2005)
– “A distributed reputation approach to cooperative Internet
routing protection” (Workshop on Secure Network
Protocols, 2005)
– “Pretty Good BGP: Improving BGP by cautiously adopting
routes” (IEEE International Conference on Network
Protocols, 2006)
– “Finding Highly Correlated Pairs Efficiently with Powerful
Pruning” (ACM Conference on Information and Knowledge
Management, 2006)
14
Publication Activity: Published Papers (Cont)
• Incrementally deployable security techniques
– “Pretty Good BGP: Improving BGP by cautiously adopting
routes" (IEEE International Conference on Network
Protocols, 2006)
– “Stealth probing: Efficient data-plane security for IP
routing” (USENIX, May/Jun 06)
– “MIRO: Multipath Interdomain ROuting” (ACM SIGCOMM,
2006)
• Incentive-compatible routing protocols
– "Distributed algorithmic mechanism design” (Algorithmic
Game Theory, 2007)
– "Incentive-compatible interdomain routing" (ACM
Conference on Electronic Commerce, 2006)
• BGP routing policies
– “BGP policies in ISP networks” (IEEE Network, 2005)
15
Cyber Security R&D
Incrementally Deployable Security for Interdomain Routing
RCP
Secure routing
protocol
DESCRIPTION / OBJECTIVES / METHODS
RCP
BGP
Network A
Network B
• Routing-Control Platform (RCP)
• Selects routes on behalf of routers
• Possible today on high-end PC
• Incrementally deployable security
• Speak BGP to the legacy routers
• Detect and avoid suspicious routes
• Update RCPs to use secure protocol
BUDGET & SCHEDULE
DHS/Cyber Security IMPACT
• Internet-routing system is vulnerable
• Core communication infrastructure
• Very vulnerable to cyber attacks
• Hard to have “flag day” for upgrades
• Phased deployment of secure routing
• Network manager deploys locally
• Participating domains detect attacks
• Neighbor domains upgrade protocol
TASK
FY05
FY06
FY07
RCP prototype
Anomaly detection
Policy manager
Secure routing
Total cost
16