CMPSC443 - Introduction to Computer and Network Security
Module: Routing Security
Professor Patrick McDaniel
Spring 2009

Routing 101
• Network routing exists to provide hosts desirable paths from the source to destination
  ‣ What desirable means depends on the types of protocols being used
• Two main approaches to routing
  ‣ Link state - collected/metrics of paths between hosts, e.g., OSPF
  ‣ Distance vector - shortest path based on exchanged routing tables, e.g., BGP

Routing Security
• Bad guys play games with routing protocols.
• Traffic is diverted.
  ‣ Enemy can see the traffic.
  ‣ Enemy can easily modify the traffic.
  ‣ Enemy can drop the traffic.
• Cryptography can mitigate effects, but not stop them.
• History: we don’t have a lot of good answers!

Why So Little Progress?
• It's a really, really hard problem.
• Actually, getting routing to work well is hard enough.
• Has been outside the scope of traditional communications security.

How is it Different?
• Most communications security failures happen because of buggy code or broken protocols.
• Routing security failures happen despite good code and functioning protocols. The problem is a dishonest participant.
• Hop-by-hop authentication isn't sufficient.

Routing ...
[Figure: Host A and Host B connected through routers labelled X, plus a router labelled Z]

The Enemy's Goal?
[Figure: Host A and Host B connected through routers labelled X, plus a router labelled Z]

Routing Protocols
• Routers speak to each other.
• They exchange topology information and cost information.
• Each router calculates the shortest path to each destination.
• Routers forward packets along locally shortest path.
• Attacker can lie to other routers.

Normal Behavior
[Figure: Host A, routers X, Y, Z and Host B; link costs 5, 10, 5, 5, 10]
Y → X : B (10)
Y → Z : B (10)
Z → X : Y (5), B (15)
X → A : Z (5), Y (5), B (15)

Malicious Behavior
[Figure: Host A, routers X, Y, Z and Host B; link costs 5, 10, 5, 5, 10, plus a cost labelled 3]
Y → X : B (10)
Y → Z : B (10)
Z → B : Y (5), B (3)
X → A : Z (5), Y (5), B (8)

Why is the Problem Hard?
• X has no knowledge of Z's real connectivity.
• Even Y has no such knowledge.
• The problem isn't the link from X to Z; the problem is the information being sent. (Note that Z might be deceived by some other neighbor Q.)

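The Normal Behavior and Malicious Behavior slides, worked through from X's point of view as an added example (not part of the original slides). The link map is an assumption reconstructed from the advertised costs, and Z's false claim is taken as reaching X, which is what X's resulting B (8) implies. The audit step needs the real map, which is exactly what X lacks.

```python
import heapq

# Real map (assumption: reconstructed from the costs in the slides' advertisements).
REAL_LINKS = {("A", "X"): 10, ("X", "Y"): 5, ("X", "Z"): 5,
              ("Y", "Z"): 5, ("Y", "B"): 10}
X_LINKS = {"Y": 5, "Z": 5}                          # X's links to its router neighbors
HONEST = {"Y": {"B": 10}, "Z": {"Y": 5, "B": 15}}   # what X hears normally
LYING = {"Y": {"B": 10}, "Z": {"Y": 5, "B": 3}}     # Z claims B at cost 3

def select_routes(my_links, adverts):
    """One distance-vector step: best (cost, next hop) per destination."""
    table = {nbr: (cost, nbr) for nbr, cost in my_links.items()}
    for nbr, claims in adverts.items():
        for dest, claimed in claims.items():
            candidate = (my_links[nbr] + claimed, nbr)
            if dest not in table or candidate < table[dest]:
                table[dest] = candidate
    return table

def true_cost(src, dst, links=REAL_LINKS):
    """Dijkstra over the real map: what reaching dst from src actually costs."""
    adj = {}
    for (u, v), cost in links.items():
        adj.setdefault(u, {})[v] = cost
        adj.setdefault(v, {})[u] = cost
    best, heap = {src: 0}, [(0, src)]
    while heap:
        dist, node = heapq.heappop(heap)
        if node == dst:
            return dist
        if dist > best[node]:
            continue                                # stale heap entry
        for nxt, cost in adj[node].items():
            if dist + cost < best.get(nxt, float("inf")):
                best[nxt] = dist + cost
                heapq.heappush(heap, (dist + cost, nxt))
    return float("inf")

def audit(adverts):
    """Claims that understate the advertiser's real cost (needs the full map)."""
    return sorted((nbr, dest, claimed, true_cost(nbr, dest))
                  for nbr, claims in adverts.items()
                  for dest, claimed in claims.items()
                  if claimed < true_cost(nbr, dest))

def paid_vs_believed(adverts, dest="B"):
    """(cost X believes, cost traffic really pays via the chosen next hop)."""
    believed, hop = select_routes(X_LINKS, adverts)[dest]
    return believed, X_LINKS[hop] + true_cost(hop, dest)
```

With the honest advertisements X routes to B via Y at cost 15; with Z's claim it switches to Z, believing the cost is 8 while the traffic actually travels a path of cost 20 through the dishonest router.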
Worm-Holing
[Figure: Host A and Host B connected through routers labelled X, with two nodes labelled Z]

Link Cutting
[Figure: Host A and Host B connected through routers labelled X, with two nodes labelled Z]

Routing in the Internet
• Two types, internal and external routing.
  ‣ Intradomain - internal (within ISP, company): primarily OSPF.
  ‣ Interdomain routing - external (between ISPs, and some customers): BGP.
• Topology matters.

OSPF (Open Shortest Path First)
• Each node announces its own connectivity. Announcement includes link cost.
  ‣ Each node reannounces all information received from peers.
  ‣ Every node learns the full map of the network.
  ‣ Each node calculates the shortest path to all destinations.
[Figure: Host A and Host B connected through routers, with link costs 5, 10, 5, 5, 10]
• Note: limited to a few thousand nodes at most.

Characteristics of Internal Networks
• Common management.
• Common agreement on cost metrics.
• Companies have less rich topologies, but less controlled networks.
• ISPs have very rich---but very specialized---topologies, but well-controlled networks.
• Often based on Ethernet and its descendants.

Secure OSPF?
• Simple link security is hard: multiple-access net.
• Shared secrets guard against new machines being plugged in but not against an authorized party being dishonest.
• Solution: digitally sign each routing update (expensive!)
  ‣ List authorizations in certificate.
• Experimental RFC by Murphy et al., 1997.
• Note: everyone sees the whole map; monitoring station can note discrepancies from reality. (But bad guys can send out different announcements in different directions.)

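A sketch of the monitoring station idea from the last bullet, as an added example (not part of the original slides). HMAC-SHA256 under one shared key stands in for shared-secret authentication, and the announcement layout, router names and key are constructed for illustration, not OSPF's wire format. A dishonest but authorized router still produces a valid MAC, so the monitor instead compares copies collected at different vantage points and checks that both ends of a link agree.

```python
import hashlib
import hmac
import json

AREA_KEY = b"constructed-area-key"   # constructed; held by every authorized router

def _mac(router, seq, links):
    blob = json.dumps([router, seq, links], sort_keys=True).encode()
    return hmac.new(AREA_KEY, blob, hashlib.sha256).hexdigest()

def make_lsa(router, seq, links):
    """Link-state announcement authenticated with the shared area key."""
    return {"router": router, "seq": seq, "links": links,
            "mac": _mac(router, seq, links)}

def mac_ok(lsa):
    return hmac.compare_digest(lsa["mac"],
                               _mac(lsa["router"], lsa["seq"], lsa["links"]))

def monitor(views):
    """views: {vantage point: [announcements seen there]} -> sorted findings."""
    findings, seen, claims = set(), {}, {}
    for lsas in views.values():
        for lsa in lsas:
            if not mac_ok(lsa):
                findings.add(("bad-mac", lsa["router"]))
                continue
            key = (lsa["router"], lsa["seq"])
            # Same originator and sequence number, different content:
            # different announcements were sent in different directions.
            if seen.setdefault(key, lsa["links"]) != lsa["links"]:
                findings.add(("equivocation", lsa["router"]))
            for nbr, cost in lsa["links"].items():
                claims[(lsa["router"], nbr)] = cost
    for (a, b), cost in claims.items():
        # A link counts only if the far end announces it too, at the same cost.
        if claims.get((b, a)) != cost:
            findings.add(("unconfirmed-link",) + tuple(sorted((a, b))))
    return sorted(findings)
```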
BGP (Border Gateway Protocol)
• BGP is the protocol used to route information at the autonomous system level - (distance vector protocol)
  ‣ Everyone builds a route to every AS in the internet based on paths received from neighbors
  ‣ Routes are flooded to neighbors
  ‣ Path selection is based on policy (not always shortest path)

External Routing via BGP
• No common management
  ‣ hence no metrics beyond hop count
• No shared trust.
• Policy considerations: by intent, not all paths are actually usable.
• Controls address management
The control plane for the Internet.

Secure BGP?
• Kent et al. created the sBGP protocol which:
  ‣ Signs routes
  ‣ Signs address advertisements
• Based on the idea that we can set up a parallel PKI to support trust in the routing and address use.
• Several RFCs, many papers.
• Has not really gotten traction because of costs and limitations of trust.

Routing Registries
• Services like the Internet Routing Registry (IRR) allow ISPs to provide public routing information
  ‣ Users can cross check received advertisements against the IRR for correctness
  ‣ Also used to prevent misconfiguration, traffic engineering ...
• Problem: ISPs generally don’t like to expose how their networks are configured
  ‣ Depth and freshness of included data are not always good
  ‣ Hard to base security decisions on sometimes unreliable sources.

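The cross-check described above, as an added example (not part of the original slides). The registry extract is constructed, using documentation prefixes and private-use AS numbers with a simplified date-only `last-modified` value; the verdict names and the one-year staleness threshold are assumptions chosen for illustration.

```python
import ipaddress
from datetime import date

# Constructed registry extract: documentation prefixes, private-use AS numbers.
IRR_DUMP = """\
route:          192.0.2.0/24
origin:         AS64500
last-modified:  2008-11-03

route:          203.0.113.0/24
origin:         AS64501
last-modified:  2005-02-14
"""
TODAY = date(2009, 4, 1)                      # constructed "now" for the example

def parse_routes(text):
    """Parse blank-line-separated objects into (network, origin, last_modified)."""
    routes = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs[key.strip()] = value.strip()
        routes.append((ipaddress.ip_network(attrs["route"]),
                       attrs["origin"].upper(),
                       date.fromisoformat(attrs["last-modified"])))
    return routes

ROUTES = parse_routes(IRR_DUMP)

def check(prefix, origin, routes=ROUTES, today=TODAY, max_age_days=365):
    """Return (verdict, stale) for one received advertisement."""
    net = ipaddress.ip_network(prefix)
    covering = sorted((r for r in routes
                       if r[0].version == net.version and net.subnet_of(r[0])),
                      key=lambda r: r[0].prefixlen, reverse=True)
    if not covering:
        return ("unregistered", False)
    same = [r for r in covering if r[1] == origin.upper()]
    best = (same or covering)[0]              # most specific relevant object
    if not same:
        verdict = "origin-mismatch"
    else:
        verdict = "registered" if best[0] == net else "more-specific"
    # A stale object weakens the verdict either way (the freshness problem).
    return (verdict, (today - best[2]).days > max_age_days)
```

The second element of the result carries the slide's caveat: a match or mismatch against an object that has not been updated in years is weak evidence in either direction.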
Problems to Solutions?
• Independent of the type, this all relates to securing the following information for a source:
  ‣ where is the destination address?
  ‣ what is the best path to that address?
• Answering these questions in practice is complex, as it necessarily requires us to trust foreign entities or devices about which we may know little (if anything).
• This is the nasty secure distributed computation all over again, only everyone on the Internet must play.
• Want more?
  ‣ Take CSE545 - Advanced Network Security