interdomain routing

Interdomain Routing Security - PowerPoint PPT Presentation


Interdomain Routing Security
CSE598K/CSE545 - Advanced Network Security
Prof. McDaniel - Spring 2008
CSE598K/CSE545 - Advanced Network Security - McDaniel Page 1

Routing redux (page 2)
• The Internet is broken up into Autonomous Systems
• All the hosts in an AS have a single administrative control
• Two types of Routing
  - Intradomain routing
    • Accomplished via OSPF and other protocols
  - Interdomain routing
    • Accomplished only via BGP
  - ASes cooperatively inform each other, for each IP address, in which AS it’s located and how to get there.

Routing in a nutshell (pages 3-4)
• The Internet ...
• …is made up of Autonomous Systems (ASes)…

Routing in a nutshell (pages 5-6)
• …linked at Border Routers.
• The Border Gateway Protocol determines which ASes to follow from source to destination.

Routing in a nutshell (page 7)
• Each AS is responsible for moving packets inside it.
• Intra-AS routing is (mostly) independent from Inter-AS routing.

The BGP Protocol (page 8)
• BGP messages
  - Origin announcements: “I own this block of addresses”
  - Route advertisements: “To get to this address block, send packets destined for it to me. And by the way, here is the path of ASes it will take”
  - Route withdrawals: “Remember the route to this address block I told you about, that path of ASes no longer works”
• Route decisions
  - Border routers receive many origin announcements/route advertisements, one from each of their peers
  - They choose the “best” path and send their selection downstream
• BGP Attributes
  - BGP messages have additional attributes to help routers choose the “best” path
  - AS_path (above), MED, community strings, …

  CIDR Block        Path           Attributes
  192.168.28.0/24   768 4014 664   quest:bkup

Systems and Internet Infrastructure Security Laboratory (SIIS)
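As an added example (not from the slides), a small path-vector simulation of the route-decision process just described: every AS prepends itself to AS_PATH, drops any path that already contains its own number, keeps the path that traverses the fewest ASes, and re-advertises only when its choice changes. The topology, the observing AS 65000 and the use of the table's prefix 192.168.28.0/24 are all constructed assumptions, chosen so that the observer's table ends up with the slide's path 768 4014 664.

```python
from collections import deque

# Constructed topology (not from the slides): AS -> neighbouring ASes, links are
# bidirectional. AS 664 originates the prefix; AS 65000 is the observing router
# whose table row we want to reproduce. A longer alternative route runs via 100/200.
LINKS = {664: [4014, 100], 4014: [664, 768], 100: [664, 200],
         200: [100, 768], 768: [4014, 200, 65000], 65000: [768]}

def best_path(candidates):
    """Slide rule of thumb: prefer the path traversing the fewest ASes
    (ties go to the path that was learned first)."""
    return min(candidates, key=len)

def propagate(origin_as, links):
    """Path-vector flooding of one origin announcement. Each AS discards any path
    already containing its own number (loop prevention), keeps every path its
    peers advertised, picks a best path, and re-advertises only when that choice
    changes. Returns {AS: chosen AS_PATH}; the origin's own path is empty."""
    received = {asn: [] for asn in links}
    chosen = {origin_as: []}
    queue = deque((origin_as, nbr, [origin_as]) for nbr in links[origin_as])
    while queue:
        sender, receiver, path = queue.popleft()
        if receiver in path:                      # AS_PATH loop: drop it
            continue
        received[receiver].append(path)
        new_best = best_path(received[receiver])
        if chosen.get(receiver) == new_best:      # nothing new to tell peers
            continue
        chosen[receiver] = new_best
        for nbr in links[receiver]:
            if nbr != sender:                     # prepend self, advertise onward
                queue.append((receiver, nbr, [receiver] + new_best))
    return chosen

def table_rows(prefix, chosen):
    """Render the slide's 'CIDR Block / Path' row for every AS."""
    return {asn: f"{prefix}  {' '.join(map(str, path)) or 'local'}" for asn, path in chosen.items()}

if __name__ == "__main__":
    for asn, row in sorted(table_rows("192.168.28.0/24", propagate(664, LINKS)).items()):
        print(f"AS {asn}: {row}")
```

AS 200 hears both [100, 664] and [768, 4014, 664] and keeps the shorter one, which is why the longer route never reaches the observer.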

Routing in a nutshell (page 9)
• BGP announcements
  - Propagate throughout the network.

Routing in a nutshell (page 10)
• Which path gets picked depends on the advertised attributes.

BGP Connection FSM (page 11)

BGP Operation: Connection Setup (page 12)
• A router speaks BGP with another router, generally physically connected to it, in another AS
  - These two routers are called BGP peers
  - Before coming online, the router is in the Idle state
• When the router comes online, it creates a BGP session with its peer
  - BGP runs over TCP, and a TCP connection is made first between the two peers (port 179)
  - The router is in the Connect state during this time
  - When the connection is established, the router moves into the Established state

BGP Operation: Information Exchange (page 13)
• Once the BGP session is active, the peers exchange routing data
  - This information is passed through the UPDATE message
• Contains a list of advertised prefixes, known as network layer reachability information (NLRI), and withdrawn routes
• Prefixes with different policy attributes are sent in separate UPDATE messages
• Route setup can create heavy exchanges of messages and be computationally intensive for the router

BGP Operation: Path Attributes (page 14)
• ORIGIN: shows whether prefix was learned through interior or exterior routing
• AS_PATH: the ASes that the prefix has passed through during this advertisement
  - BGP is a path vector protocol, and the prefix with the fewest ASes traversed is usually preferred
  - Including AS path vector prevents looping
• NEXT-HOP: the node to send packets back to in order to get them closer to their destination

Other Common Path Attributes (page 15)
• MULTI-EXIT DISCRIMINATOR: if two ASes connect in multiple locations, the MED can be used by a peer to favour a particular link to improve routing
• LOCAL-PREF: used by the local AS to assign a degree of preference of one link for a given prefix over another
• ATOMIC-AGGREGATE: lets the router know not to deaggregate an advertisement into more specific prefixes
• AGGREGATOR: specifies AS and router that performed aggregation of a prefix

In class exercise (page 16)
• Fill in the routing tables ...
  Topology figure: five ASes, each shown with an empty routing table (columns CIDR Block / AS PATH) listing the blocks 192.10.10.0/24, 192.10.0.0/16, 192.10.11.0/16, 192.10.12.0/16 and 192.10.14.0/16.
  - AS 1, Addresses: 192.10.10.0/24
  - AS 2, Addresses: 192.10.0.0/16
  - AS 3, Addresses: 192.10.12.0/24
  - AS 4, Addresses: 192.10.11.0/24
  - AS 5, Addresses: 192.10.14.0/24
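Added example (not from the slides): the UPDATE message described above in its RFC 4271 wire form, serialised and parsed in Python. It packs withdrawn routes, the ORIGIN, AS_PATH, NEXT_HOP, MED and LOCAL_PREF attributes and the NLRI; the prefixes, AS numbers and next-hop address used are constructed sample values, and the code assumes 2-byte AS numbers and a single AS_SEQUENCE segment.

```python
import struct
import ipaddress

ORIGIN, AS_PATH, NEXT_HOP, MED, LOCAL_PREF = 1, 2, 3, 4, 5   # path attribute type codes

def encode_prefix(cidr):                         # NLRI / withdrawn route: bit length + needed octets
    net = ipaddress.ip_network(cidr)
    return bytes([net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]

def decode_prefixes(buf):
    out, i = [], 0
    while i < len(buf):
        plen, nbytes = buf[i], (buf[i] + 7) // 8
        octets = buf[i + 1:i + 1 + nbytes] + bytes(4 - nbytes)   # pad back to 4 octets
        out.append(f"{ipaddress.IPv4Address(octets)}/{plen}")
        i += 1 + nbytes
    return out

def attr(code, value, flags=0x40):               # 0x40 = well-known transitive, 1-byte length
    return bytes([flags, code, len(value)]) + value

def build_update(withdrawn, nlri, as_path, next_hop, origin=0, med=None, local_pref=None):
    """Serialise one UPDATE: header, withdrawn routes, path attributes, then NLRI."""
    seq = bytes([2, len(as_path)]) + struct.pack(f"!{len(as_path)}H", *as_path)  # one AS_SEQUENCE
    attrs = attr(ORIGIN, bytes([origin])) + attr(AS_PATH, seq) + attr(NEXT_HOP, ipaddress.IPv4Address(next_hop).packed)
    if med is not None:
        attrs += attr(MED, struct.pack("!I", med), flags=0x80)       # optional non-transitive
    if local_pref is not None:
        attrs += attr(LOCAL_PREF, struct.pack("!I", local_pref))
    w, n = b"".join(map(encode_prefix, withdrawn)), b"".join(map(encode_prefix, nlri))
    body = struct.pack("!H", len(w)) + w + struct.pack("!H", len(attrs)) + attrs + n
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 2) + body   # marker, length, type 2

def parse_update(msg):
    """Inverse of build_update; also honours the extended-length attribute flag (0x10)."""
    assert msg[:16] == b"\xff" * 16 and msg[18] == 2, "not a BGP UPDATE"
    body = msg[19:struct.unpack("!H", msg[16:18])[0]]
    wlen = struct.unpack("!H", body[:2])[0]
    alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
    abuf, attrs, i = body[4 + wlen:4 + wlen + alen], {}, 0
    while i < len(abuf):
        flags, code = abuf[i], abuf[i + 1]
        n, i = (struct.unpack("!H", abuf[i + 2:i + 4])[0], i + 4) if flags & 0x10 else (abuf[i + 2], i + 3)
        val, i = abuf[i:i + n], i + n
        if code == ORIGIN:
            attrs["ORIGIN"] = ("IGP", "EGP", "INCOMPLETE")[val[0]]
        elif code == AS_PATH:                                     # assumes 2-byte ASNs, one segment
            attrs["AS_PATH"] = list(struct.unpack(f"!{val[1]}H", val[2:]))
        elif code == NEXT_HOP:
            attrs["NEXT_HOP"] = str(ipaddress.IPv4Address(val))
        elif code in (MED, LOCAL_PREF):
            attrs["MED" if code == MED else "LOCAL_PREF"] = struct.unpack("!I", val)[0]
    return {"withdrawn": decode_prefixes(body[2:2 + wlen]), "attrs": attrs,
            "nlri": decode_prefixes(body[4 + wlen + alen:])}
```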

BGP Misconfiguration (page 17)
• One of the largest problems with BGP is misconfiguration
  - Leading cause of instability on the Internet
  - Causes
    • Stupidity
    • Poor configuration tools
    • Under-specified network requirements
  - Often misconfiguration can lurk for months or years before it is detected or its effects felt
    • Changing network topology
    • Unexpected network states

Mahajan et al. (page 18)
• SIGCOMM ’02 study of BGP misconfiguration
  - Those instances where configurations caused problems:
    • unintended suppression of legitimate advertisement
    • unintended creation of illegitimate advertisement
  - Human factors terminology
    • slip - inadvertent errors, e.g., typos
    • mistakes - design errors, e.g.,
• Methodology: use data from RouteViews routing repository collected over 3 years and 23 vantage points located over the globe.
  - contacted ASes for information on causes

Study Results (page 19)
• Errors detected
  - prefix hijacking - incorrect advertisement of addresses
  - improper route export - exporting routes/paths in violation of stated ISP policies
• Problems are universal, pervasive, and pathological
  - 200-1200 prefixes seeing misconfiguration per day (0.2-1.0% of 2002 table size)
  - 3 in 4 new prefix advertisements result of misconfigurations
  - About 15 hijacks per day (getting much worse)
• Result: constant stream of incorrect information being received by routers.*
• Interesting thought: how to secure in this environment?
*only gets worse after 2002.

Attacks Against BGP (page 20)
• Control Plane
  - Timing
  - Availability
• Data Plane
  - Origin
  - Path

Origin Attacks (page 21)
• Prefix hijacking
• Prefix destabilization
• Self-deaggregation
• Unauthorized use
• The most serious of the attacks, particularly because they can happen accidentally

Path Attacks (page 22)
• Path modification
• Path forgery
• Policy modification
• AS forgery
• These attacks can be used to subvert routing and bias the way packets travel through the system

Timing Attacks (page 23)
• Spoofed OPEN message
• TCP SYN attack
• Altering BGP timers
• Forged KEEPALIVE messages while peers are connecting

Availability Attacks (page 24)
• In-protocol attacks during negotiation
  - Forged NOTIFICATION messages
  - Syntax errors in BGP messages
  - Forcing route flooding to occur
  - Forged TCP RST packet
• Physical attacks
  - Resetting the router by gaining control of it
  - Link cutting
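Added example (not from the slides or the Mahajan et al. study): a defender-side checker that replays a constructed announcement stream against an expected-origin table and known AS relationships and flags what the misconfiguration and origin/path attack slides describe: an origin other than the registered one, a more-specific hijack or self-deaggregation, an AS_PATH loop, and improper route export (a path that is not valley-free). All prefixes, AS numbers and relationships here are constructed assumptions.

```python
import ipaddress

# Constructed registry (not real data): prefix -> AS expected to originate it.
EXPECTED_ORIGIN = {"192.10.10.0/24": 1, "192.10.0.0/16": 2, "192.10.12.0/24": 3,
                   "192.10.11.0/24": 4, "192.10.14.0/24": 5}
# Constructed relationships: (a, b) means AS a is a provider of AS b; unlisted pairs are peers.
PROVIDER_OF = {(10, 1), (10, 2), (11, 2), (2, 3), (2, 4), (2, 5)}

def most_specific_cover(prefix):            # longest registered prefix covering `prefix`, or None
    net = ipaddress.ip_network(prefix)
    covers = [p for p in EXPECTED_ORIGIN if p != prefix and net.subnet_of(ipaddress.ip_network(p))]
    return max(covers, key=lambda p: ipaddress.ip_network(p).prefixlen, default=None)

def valley_free(path):
    """Export-policy check: a route may climb customer->provider, cross at most one peer link,
    then only descend provider->customer. `path` is observer-first, so walk it from the origin."""
    going_down, hops = False, list(reversed(path))
    for a, b in zip(hops, hops[1:]):           # in each step AS a advertised the route to AS b
        if (b, a) in PROVIDER_OF:              # customer -> provider: still climbing
            if going_down:
                return False
        else:                                  # provider -> customer, or a peer link
            if going_down and (a, b) not in PROVIDER_OF:
                return False                   # a second peer crossing is a valley
            going_down = True
    return True

def check(prefix, path):                    # problem labels; an empty list means it looks consistent
    problems, origin = [], path[-1]
    if len(set(path)) != len(path):
        problems.append("AS_PATH loop")
    expected = EXPECTED_ORIGIN.get(prefix)
    if expected is not None and expected != origin:
        problems.append(f"origin mismatch: expected AS{expected}, saw AS{origin}")
    elif expected is None and (cover := most_specific_cover(prefix)):
        owner = EXPECTED_ORIGIN[cover]
        kind = "self-deaggregation" if owner == origin else "more-specific hijack"
        problems.append(f"{kind} of {cover} (AS{owner})")
    if not valley_free(path):
        problems.append("improper route export (not valley-free)")
    return problems

# Constructed feed: (prefix, AS_PATH as the observer sees it, origin AS last).
FEED = [("192.10.10.0/24", [10, 1]),            # legitimate
        ("192.10.12.0/24", [11, 2, 4]),         # AS 4 originates AS 3's block
        ("192.10.11.128/25", [10, 2, 5]),       # more-specific of AS 4's block from AS 5
        ("192.10.14.0/25", [10, 2, 5]),         # AS 5 deaggregates its own block
        ("192.10.10.0/24", [11, 2, 10, 1]),     # AS 2 re-exports AS 10's route to AS 11
        ("192.10.0.0/16", [10, 2, 10, 2])]      # looped path
```

Running each FEED entry through check(prefix, path) yields the empty list only for the first entry; the rest carry the labels named in the comments.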
