Lecture 5: Network Configuration and Defense
CS 598: Network Security
Matthew Caesar
February 26, 2013

Part 1: How the Internet works
How can two hosts communicate?
[Figure: a modulated carrier signal swinging between +0.7 Volts and -0.7 Volts]
• Encode information on a modulated “carrier signal”
  – Phase, frequency, and amplitude modulation, and combinations thereof
  – Ethernet: self-clocking Manchester coding ensures one transition per clock
  – Technologies: copper, optical, wireless
How can many hosts communicate?
• Naïve approach: full mesh
• Problem:
  – Obviously doesn’t scale to the 570,937,778 hosts in the Internet (estimated, Aug 2008)
How can many hosts communicate?
• Multiplex traffic with routers
• Goals: make the network robust to failures, maintain spare capacity, reduce operational costs
  – More on “topology” later in this lecture
How can routers find paths?
[Figure: routers A, B, C and D with per-router routing tables (at B: prefix 4.0.0.0/8, interface D, 1 hop; at A: prefix 4.0.0.0/8, interface B, 2 hops; at C: prefix 4.0.0.0/8, interface D, 1 hop); Robert’s local DNS server, the .com authoritative DNS server and Twitter’s authoritative DNS server resolving twitter.com to an IP address]
• Hosts are assigned topology-dependent addresses
• Routers advertise address blocks (“prefixes”)
• Routers compute “shortest” paths to prefixes
• Map IP addresses to names with DNS
Intra- vs. Inter-domain routing
[Figure: a source in AT&T and a destination in Sprint, the two ISPs connected by a BGP session]
• Run an “Interior Gateway Protocol” (IGP) within ISPs
  – OSPF, IS-IS, RIP
• Use the “Border Gateway Protocol” (BGP) to connect ISPs
  – To reduce costs, peer at exchange points (AMS-IX, MAE-EAST)
Distance vector: update propagation
[Figure: routers A to F, source A, destination F. F tells D: “I am F, and I can reach F via 0 hops”; D tells B: “I am D, and I can reach F via 1 hop”. D’s forwarding table: Dest F, NextHop F, Dist 1. B’s forwarding table: Dest F, NextHop D, Dist 2. Advertisements (F,0), (F,1), (F,2) spread outward from F.]
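The propagation in the figure, worked as an added example (not code from the lecture): one destination, hop-count metric, synchronous rounds; the link list is taken from the link-state slide’s topology database, and the round model and metric are assumptions.

```python
# Distance-vector (Bellman-Ford) propagation for one destination on the
# lecture's six-router topology. Added example: the link list comes from the
# link-state slide's topology database; the synchronous-round model and the
# hop-count metric are assumptions.
INF = float("inf")
LINKS = [("C", "A"), ("D", "E"), ("A", "B"), ("E", "F"),
         ("C", "E"), ("B", "D"), ("C", "B"), ("D", "F")]
ADJ = {}
for u, v in LINKS:
    ADJ.setdefault(u, set()).add(v)
    ADJ.setdefault(v, set()).add(u)

def run_distance_vector(dest, adj=ADJ):
    """Each round every router tells its neighbours "I am X, I can reach dest
    in d hops" and receivers keep the cheapest offer. Returns the final
    {router: (next_hop, hops)} table, the number of rounds until nothing
    changed, and the messages that lowered someone's distance, as
    (sender, receiver, dest, sender_hops)."""
    table = {r: (None, INF) for r in adj}
    table[dest] = (dest, 0)                      # "I am F, I can reach F via 0 hops"
    messages, rounds = [], 0
    while True:
        adverts = {r: table[r][1] for r in adj}  # snapshot of what is sent this round
        changed = False
        for r in sorted(adj):
            if r == dest:
                continue
            best = table[r]
            for nb in sorted(adj[r]):            # sorted only to make tie-breaks deterministic
                offer = adverts[nb] + 1          # one hop further than the neighbour
                if offer < best[1]:
                    best = (nb, offer)
            if best != table[r]:
                messages.append((best[0], r, dest, best[1] - 1))
                table[r] = best
                changed = True
        rounds += 1
        if not changed:
            return table, rounds, messages
```

The returned message list reproduces the slide’s bubbles, e.g. ("D", "B", "F", 1) is “D tells B: I can reach F via 1 hop”.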
Link state: update propagation
[Figure: routers A to F; each node maintains a “topology database” listing the links [C,A] [D,E] [A,B] [E,F] [C,E] [B,D] [C,B] [D,F]. F tells all routers: “there is a link between F and E”.]
• How to prevent update loops: sequence numbers
• How to bring up a new node: load the topology database from a neighbor
Link state: route computation
[Figure: the same six-router topology, A to F]
• Each router computes a shortest-path tree rooted at that router
• Determines the next hop to each destination, publishes it to the forwarding table
• Operators can assign link costs to control path selection
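The two link-state slides above (flooding with sequence numbers, then shortest-path-tree computation with operator-assigned link costs), as an added example that is not code from the lecture. The link list is the slide’s topology database; the flooding model (one copy per hop, duplicates dropped by sequence number) and the link costs are assumptions.

```python
# Link-state flooding with sequence numbers, then shortest-path-tree
# computation, on the lecture's six-router topology. Added example: the link
# list is the slide's topology database; link costs and the flooding model
# (one hop-by-hop copy per message) are assumptions.
import heapq
from collections import deque

INF = float("inf")
LINKS = [("C", "A"), ("D", "E"), ("A", "B"), ("E", "F"),
         ("C", "E"), ("B", "D"), ("C", "B"), ("D", "F")]
ADJ = {}
for u, v in LINKS:
    ADJ.setdefault(u, set()).add(v)
    ADJ.setdefault(v, set()).add(u)

def flood(tdb, origin, seq, payload, adj=ADJ):
    """Flood one advertisement. tdb[router][origin] = (seq, payload) is that
    router's topology database entry; a router stores and re-floods only a
    strictly newer seq, which is what stops updates from looping forever.
    Returns the number of messages sent."""
    tdb[origin][origin] = (seq, payload)
    queue = deque((origin, nb) for nb in adj[origin])
    sent = 0
    while queue:
        sender, router = queue.popleft()
        sent += 1
        if seq <= tdb[router].get(origin, (-1, None))[0]:
            continue                            # duplicate or stale: drop, do not forward
        tdb[router][origin] = (seq, payload)
        queue.extend((router, nb) for nb in adj[router] if nb != sender)
    return sent

def shortest_path_tree(root, cost=None, adj=ADJ):
    """Dijkstra rooted at root: returns ({dest: next_hop}, {dest: distance}).
    cost maps frozenset({u, v}) to an operator-assigned link cost (default 1),
    which is how operators steer path selection."""
    cost = cost or {}
    dist, next_hop = {root: 0}, {}
    heap = [(0, root, None)]                    # (distance, router, first hop from root)
    while heap:
        d, u, first = heapq.heappop(heap)
        if d > dist[u]:
            continue                            # outdated entry
        if first is not None:
            next_hop[u] = first
        for v in adj[u]:
            nd = d + cost.get(frozenset((u, v)), 1)
            if nd < dist.get(v, INF):
                dist[v] = nd
                heapq.heappush(heap, (nd, v, first or v))
    return next_hop, dist
```

Raising the cost of link B-D to 10 makes A reach F (and D) through C, without touching any router’s configuration other than that one link weight.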
Link state: packet forwarding
[Figure: an IP packet forwarded hop by hop from source A to destination F]
• Downsides of link state:
  – Less control over policy (certain routes can’t be filtered), more CPU
  – Increased visibility (bad for privacy, but good for diagnostics)
Shortest-path forwarding isn’t enough
• In the real world, ISPs want to influence path selection
  – Load balance traffic, prefer cheaper paths, avoid untrusted routes, give preferential service, block reachability, limit external control over path selection decisions
• One trick: change the “cost” used to compute shortest paths
• Another trick: filter routes from being received from/advertised to certain neighbors
Changing the “cost” of paths
• ISPs have many different kinds of policies
  – Could make cost a linear combination of different metrics
  – More expressive: have several “costs” per link
• Main idea: append “attributes” to updates
• Can set preferences (or filter the route) based on the set of attributes contained in an update
  – A hard-coded “decision process” orders the importance of attributes
  – This process can be influenced by changing the values of attributes
Example: Using MED to balance traffic across ingresses
[Figure: Sprint advertises dest to AT&T at PoP A with MED=1 and at PoP B with MED=2: “I would like AT&T to route to me via PoP A”]
• MED: “multi-exit discriminator”
  – Tell the neighboring ISP which ingress peering points I prefer
  – The local ISP can choose to filter MED on import
Different peering points, different advertisements
[Figure: Sprint advertises dest at one peering point and does not advertise it at the other: “AT&T isn’t listening to my MEDs, but I would REALLY like AT&T to route to me via PoP A”]
• Sprint can trick AT&T into routing over a longer distance!
• Consistent export: make sure your neighbor is advertising the same set of prefixes at all peering points
• ISPs sometimes sign SLAs with a consistent-export clause
How inter- and intra-domain routing work together
[Figure: one AS with border routers and internal routers; IGP link weights 3, 2, 2, 4, 9, 6, 3, 1]
1. Provide internal reachability (IGP)
2. Learn routes to external destinations (eBGP)
3. Distribute externally learned routes internally (iBGP)
4. Select the closest egress (IGP)
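The attribute-driven decision process, MED filtering on import, closest-egress selection and the consistent-export check from the last four slides, as one added example (not code from the lecture). The ASN (documentation range), prefix and IGP costs are constructed stand-ins for the Sprint/AT&T scenario; with MED honored AT&T lands on PoP A, with MED filtered on import hot-potato routing picks the closer PoP B.

```python
# BGP selection driven by update attributes: an import policy that may filter
# the neighbour's MED, the fixed decision process, and the closest-egress (IGP)
# tie-break. Added example: the ASN (documentation range), prefix and IGP
# costs are constructed stand-ins, not values from the slides.
from dataclasses import dataclass

SPRINT_AS = 64496                            # documentation ASN, not Sprint's real one

@dataclass
class Route:
    prefix: str
    neighbor_as: int
    ingress: str             # which of our PoPs received the advertisement
    as_path: tuple
    local_pref: int = 100
    med: int = 0
    igp_cost: int = 0        # IGP distance from the deciding router to the ingress

def import_policy(route, filter_med):
    """A neighbour's MED is only a hint; the local ISP may strip it on import."""
    if filter_med:
        route.med = 0
    return route

def best_route(routes):
    """Hard-coded decision process, most important attribute first: highest
    LOCAL_PREF, shortest AS_PATH, lowest MED (compared only among routes from
    the same neighbour AS), then lowest IGP cost to the egress (hot potato)."""
    same_neighbor = len({r.neighbor_as for r in routes}) == 1
    def key(r):
        return (-r.local_pref, len(r.as_path), r.med if same_neighbor else 0, r.igp_cost)
    return min(routes, key=key)

def att_ingress_choice(filter_med):
    """Sprint announces one prefix at PoP A (MED=1) and PoP B (MED=2); PoP B is
    the closer egress for AT&T's router. Returns the PoP AT&T ends up using."""
    adverts = [
        Route("192.0.2.0/24", SPRINT_AS, "PoP A", (SPRINT_AS,), med=1, igp_cost=20),
        Route("192.0.2.0/24", SPRINT_AS, "PoP B", (SPRINT_AS,), med=2, igp_cost=5),
    ]
    return best_route([import_policy(r, filter_med) for r in adverts]).ingress

def inconsistent_export(adverts_by_pop):
    """Consistent-export check: prefixes a neighbour announces at some peering
    points but not at others, the behaviour a consistent-export SLA forbids."""
    union = set().union(*(set(p) for p in adverts_by_pop.values()))
    return {pop: union - set(p) for pop, p in adverts_by_pop.items() if union - set(p)}
```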
Policies between ISPs: Types of ASes
[Figure: three AS hierarchies (#1, #2, #3) joined by peer links]
• Tier-1s must be connected in a full mesh (Why? Who makes sure that happens?)
• Tier-1: ISP with no providers (the core of the Internet is a clique of tier-1s)
• Transit: ISP that forwards traffic between other ISPs
• Stub: ISP with no customers
• Multihomed: ISP with more than one provider
Policies between ISPs: Types of AS relationships
[Figure: the same three hierarchies with provider-customer links and a peer link]
• Provider-customer: the customer pays the provider money to transit traffic
• Peer link: ISPs form the link out of mutual benefit; typically no money is exchanged
AS relationships influence routing policies
[Figure: the same three hierarchies with a source and a destination, annotated “Do not export provider routes to peers” and “Prefer customer over peer routes”]
• Example policies: peer, provider/customer
• Also trust issues, security, scalability, traffic engineering
Problem: need to export routes only to certain neighbors
Solution: use “community attribute” tags to annotate routing advertisements
[Figure: Provider A, Provider B and Customer C; a route carrying Tag=CUST; config rules “If (from B) Tag: CUST” and “If (tag==CUST) FILTER”]
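The two policies on the previous slides (prefer customer routes, do not export provider or peer routes to peers) enforced with community tags, as an added example that is not code from the lecture. ISP X, its neighbours A, B, P, C and the local-preference values are constructed.

```python
# Relationship-based import preference and export filtering, using community
# tags to mark where a route was learned, as the slide suggests. Added
# example: ISP X, its neighbours and the local-pref values are constructed.
CUST, PEER, PROV = "CUST", "PEER", "PROV"
LOCAL_PREF = {CUST: 300, PEER: 200, PROV: 100}    # prefer customer > peer > provider

class ASRouter:
    def __init__(self, name, neighbors):
        self.name = name
        self.neighbors = neighbors        # neighbour -> its relationship to us
        self.rib = {}                     # prefix -> (as_path, community tag)

    def receive(self, prefix, as_path, from_neighbor):
        """Import: tag the route with the relationship of the neighbour it came
        from and keep the best route per prefix (local pref, then path length)."""
        tag = self.neighbors[from_neighbor]
        rank = (LOCAL_PREF[tag], -len(as_path))
        current = self.rib.get(prefix)
        if current is None or rank > (LOCAL_PREF[current[1]], -len(current[0])):
            self.rib[prefix] = (as_path, tag)

    @staticmethod
    def export_allowed(tag, to_relationship):
        """Customer routes go to everyone; routes learned from a peer or a
        provider are exported only to customers ("do not export provider
        routes to peers"), so we never carry transit traffic for free."""
        return tag == CUST or to_relationship == CUST

    def advertisements_to(self, neighbor):
        rel = self.neighbors[neighbor]
        return {p: (self.name,) + path for p, (path, tag) in self.rib.items()
                if self.export_allowed(tag, rel) and neighbor not in path}

def slide_scenario():
    """ISP X has providers A and B, peer P and customer C (constructed).
    Returns what X advertises to each neighbour after these updates."""
    x = ASRouter("X", {"A": PROV, "B": PROV, "P": PEER, "C": CUST})
    x.receive("cust-prefix", ("C",), "C")
    x.receive("prov-prefix", ("A",), "A")
    x.receive("prov-prefix", ("B",), "B")     # equal rank: first route kept
    x.receive("shared", ("P",), "P")
    x.receive("shared", ("C", "Z"), "C")      # longer path, but the customer wins
    return {n: x.advertisements_to(n) for n in x.neighbors}
```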
Background - iBGP
[Figure: routers A to F inside one AS; legend: R = router, iBGP session, IGP, Route]
• iBGP sessions run on TCP
• Overlay over the intra-domain routing protocol (IGP) like OSPF
• Routing messages and data packets are forwarded via the IGP within the AS
• Routes from one iBGP session are not propagated to another iBGP session
Approach #1: Full-mesh iBGP
[Figure: routers A to F with an iBGP session between every pair of routers]
• Every router has an iBGP session to every border router
• Not scalable
Approach #2: Route reflection
[Figure: a route reflector with client iBGP sessions to routers A to F]
• “Reflects” routes to and from client iBGP sessions
• Avoids the full mesh
• Hierarchy of reflectors
Policy disputes
[Figure: ISPs A, B and C each connect directly to ISP D, which originates prefix P. ISP A prefers the route through C (A-C-D-p) over the direct route (A-D-p); ISP B prefers the route through A (B-A-D-p) over the direct route (B-D-p); ISP C prefers the route through B (C-B-D-p) over the direct route (C-D-p). Link prices shown: $100 per 1Gbps and $5000 per 1Gbps. Advertise and Withdraw messages for (D-p), (A-D-p), (B-D-p), (C-D-p), (A-C-D-p), (B-A-D-p), (C-B-D-p), (A-C-B-D-p), (B-A-C-D-p), (C-B-A-D-p) and (A-C-B-A-D-p) keep circulating among the three ISPs.]
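The dispute in the figure, simulated as an added example (not code from the lecture): each ISP only accepts the two routes the slide lists, preferring the one through its neighbour, and the selections never settle; changing C to accept only its direct route makes the same system converge. The synchronous-round model of BGP is an assumption.

```python
# Policy dispute simulation: ISPs A, B and C each rank the route through a
# neighbour above their direct route to ISP D, which originates prefix p.
# Added example; the synchronous-round model of BGP is an assumption.
ORIGIN = "D"

BAD_GADGET = {    # permitted routes per ISP, most preferred first (paths end at D)
    "A": [("A", "C", "D"), ("A", "D")],   # A prefers the route through C
    "B": [("B", "A", "D"), ("B", "D")],   # B prefers the route through A
    "C": [("C", "B", "D"), ("C", "D")],   # C prefers the route through B
}
GOOD_GADGET = {**BAD_GADGET, "C": [("C", "D")]}   # C only accepts its direct route

def step(rankings, chosen):
    """One synchronous BGP round: each ISP re-selects its most preferred
    permitted route given what its neighbours currently advertise."""
    new = {}
    for isp, ranked in rankings.items():
        candidates = {(isp, ORIGIN)}                          # direct route to D
        for other, route in chosen.items():
            if other != isp and route and isp not in route:   # AS-path loop check
                candidates.add((isp,) + route)
        new[isp] = next((r for r in ranked if r in candidates), None)
    return new

def simulate(rankings, max_rounds=50):
    """Run rounds until no selection changes (converged) or an earlier state
    recurs (the system oscillates forever). Returns (converged, history)."""
    chosen = {isp: None for isp in rankings}
    history = [chosen]
    for _ in range(max_rounds):
        chosen = step(rankings, chosen)
        if chosen == history[-1]:
            return True, history
        if chosen in history:
            return False, history + [chosen]
        history.append(chosen)
    return False, history
```

For BAD_GADGET the history alternates between all-direct and all-through-neighbour selections: every ISP keeps withdrawing and re-advertising, which is the Advertise/Withdraw churn drawn on the slide.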