Rationality and Traffic Attraction Rationality and Traffic - PowerPoint PPT Presentation

Rationality and Traffic Attraction Rationality and Traffic Attraction Incentives for Honest Path Announcement in BGP Princeton AT&T AT&T $ IBM Local Local ISP ISP ISP ISP Comcast Sharon Goldberg Shai Halevi Aaron D. Jaggard A D J d Vij Vijay Ramachandran R h d R b Rebecca N. Wright N W i h Princeton University Princeton University SIGCOMM 2008

Incentives and Security We use game theory to understand the which secure protocols should be deployed in the Internet. We ask: Does traffic on the Internet actually follow the paths announced in BGP ? $ $ Approach: Assume that nodes are economic entities They are rational -- try to maximize utility. • AS Our Results: Mostly bad news . We find that cryptographically authenticating We find that cryptographically authenticating • • routing messages is not sufficient. Polic … unless we also make unrealistic • cy assumptions about routing policies. • Results are mostly descriptive, not prescriptive 2/24

BGP: The Interdomain Routing Protocol (1) The Border Gateway Protocol (BGP) is the routing protocol Th B d G t P t l (BGP) i th ti t l that sets up paths between Autonomous Systems (ASes). IBM AT&T, IBM Princeton AT&T AT&T IBM Local ISP ISP Local Ranking Local Ranking: Comcast Comcast, IBM AT&T, IBM IBM IBM Comcast, IBM Forwarding: Node use single outgoing link for all traffic to destination. Rankings: Static and local; usually based on economic relationships. 3/24

BGP: The Interdomain Routing Protocol (2) The Border Gateway Protocol (BGP) is the routing protocol Th B d G t P t l (BGP) i th ti t l that sets up paths between Autonomous Systems (ASes). AT&T, AT&T, IBM IBM Princeton AT&T AT&T IBM Local Princeton Ranking: ISP ISP Local AT&T IBM Local, AT&T, IBM Comcast AT&T, IBM Local, Comcast, IBM Local, Comcast, IBM Forwarding: Node use single outgoing link for all traffic to destination. Rankings: Static and local; usually based on economic relationships. 4/24

Today’s Security Goal: Matching the Data Plane Goal: BGP announcements match AS-paths packets take in data plane. Goal: Local, AT&T, IBM Princeton AT&T AT&T $ IBM Local Local Princeton Ranking: ISP ISP ISP ISP Local AT&T IBM Local, AT&T, IBM Comcast AT&T, IBM Local, Comcast, IBM This way, ASes can use BGP messages: 1. To avoid ASes perceived as adversarial / unreliable 2. To choose high performance paths g p p 3. As part of an accountability framework 5/24

Data Plane Approaches Secure Data-Plane Protocols: S D t Pl P t l [LYWA-06] Packet Obituaries [AMISS-07] • Packet Passports Truth in advertising [WBAGS-07] Truth in advertising [WBAGS-07] Failure Localization [BGX-08] Failure Localization [BGX-08] Secure Secure AS-path tracing protocols incur overheads X proportional to the amount of traffic sent in the data plane. What path are my packets actually taking to IBM? taking to IBM? Princeton AT&T AT&T $ $ IBM Probe! Local Local ISP ISP Comcast Local, AT&T, IBM 6/23

Routing Protocol Approaches to Match Data Plane R Routing Protocols + Game Theory: ti P t l G Th [NR-01] [FPS-01] [FPSS-05] [PS-04] [FKMS-05] • Shortest-path policy / Next-hop policy [FRS-06] [FSS-07] [FRS 06] [FSS 07] Shortest path policy / Next hop policy [LSZ-08] Secure BGP � Corollary: If ______, rational rational ASes have no incentive to unilaterally deviate from announcing paths that match data plane. p Princeton AT&T $ $ IBM IBM Local Local ISP ISP Local Ranking: Comcast Comcast Comcast IBM Comcast, IBM AT&T, IBM 7/24

Quick background: Public-key Signatures Anyone who knows Alice’s public key can verify that yreceived the correct message from Alice. Msg, tag Alice Bob Alice’s Secret Key Alice s Secret Key Alice’s Public Key Mssg, faketag Eve Bob Alice’s P blic Alice’s Public ALARM! Key This looks great, what’s the catch? We need an infrastructure to certify the public keys.

Secure BGP (1) If AS a announced path abP then b announced bP to a Assumes a public-key infrastructure that, today, we don’t have. AT&T: (IBM) AT&T: (IBM) Local: (AT&T, IBM) Princeton AT&T IBM Local ISP Local Ranking: Comcast Comcast, IBM AT&T, IBM Comcast: (IBM) Comcast: (IBM) Local: (Comcast, IBM)

Secure BGP (2) If AS a announced path abP then b announced bP to a AT&T: (IBM) Princeton: (AT&T, IBM) Princeton AT&T IBM Local Pton Ranking: ISP Local, AT&T, IBM Comcast AT&T, IBM Local, Comcast, IBM Comcast: (IBM) Local: (Comcast, IBM) Princeton: (Local, Comcast, IBM)

Secure BGP : Matching the Data Plane ??? If AS a announced path abP then b announced bP to a AT&T: (IBM) AT&T: (IBM) Why does Local ISP do this? Local: (AT&T, IBM) Let’s look at utility models. Princeton AT&T $ IBM Local Local Pton Ranking: ISP ISP Local, AT&T, IBM Comcast AT&T, IBM Local, Comcast, IBM Comcast: (IBM) AT&T: (IBM) Local: (Comcast, IBM) Local: (AT&T, IBM) Princeton: (Local, Comcast, IBM) Princeton: (Local, AT&T, IBM)

Modeling Utility Our model of utility: Our model of utility: Model of utility in prior work: Model of utility in prior work: Utility of AS = Utility of AS = . . Utility of outgoing Utility of outgoing Utility of attracted Utility of attracted + + ( ( (data-plane) path (data-plane) path p p ) p ) p incoming traffic incoming traffic g g In all prior work: Utility is determined by the ranking function Princeton AT&T $ IBM Local Local ISP ISP ☺ Comcast Local Ranking: Comcast, IBM Local ISP has no incentive to AT&T, IBM announce mismatched paths announce mismatched paths. 12/24

Modeling Utility with Traffic Attraction Our model of utility: Our model of utility: Model of utility in prior work: Model of utility in prior work: Utility of AS = . . Utility of outgoing Utility of outgoing Utility of attracted Utility of attracted = + + Utility of n (data-plane) path ( (data-plane) path ( p p ) p ) p incoming traffic incoming traffic g g Traffic-volume attractions : • AS only cares who originates traffic • Models incentive to snoop / tamper • … or increase incoming traffic volumes … or increase incoming traffic volumes Customer attractions: • AS wants to attract traffic from customers via direct link . AS wants to attract traffic from customers via direct link • Models bilateral economic relationships. Generic attractions: • AS wants to attract traffic from specific ASes via a specific path 13/23

Result: Secure BGP is not Sufficient! With traffic-volume OR customer attractions, there can be an With t ffi l t OR tt ti th b incentive to announce mismatched paths, even with Secure BGP . AT&T: (IBM) Attracted Observation : Princeton does not use a shortest-path policy. Local: (AT&T, IBM) customer Princeton: (Local, AT&T, IBM) Princeton (Local AT&T IBM) Princeton AT&T $ $ IBM IBM Local Local Pton Ranking: Local, AT&T, IBM ISP ISP AT&T IBM AT&T, IBM Comcast C t Local, Comcast, IBM Local Ranking: Favorite Comcast, IBM outgoing path outgoing path AT&T IBM AT&T, IBM 14/23

Result: Shortest-Path Policy is not Sufficient! (0) With t With traffic-volume OR customer attractions, there can be an ffi l t OR tt ti th b incentive to mismatch paths, even with shortest-path policies. Princeton AT&T IBM IBM Local Princeton Ranking: Ranking: Local, IBM Local, AT&T, IBM ISP AT&T, IBM AT&T, IBM AT&T IBM C Comcast t Local, Comcast, IBM Local, Comcast, IBM Local Ranking: Ranking: IBM Comcast, IBM Comcast, IBM AT&T IBM AT&T, IBM 15/23

Result: Shortest-Path Policy is not Sufficient! (1) With traffic-volume OR customer attractions, there can be an With t ffi l t OR tt ti th b incentive to mismatch paths, even with shortest-path policies. Ranking: Local, IBM AT&T, IBM Local, Comcast, IBM No export to Local No export to Local AT&T Princeton IBM X Local Ranking: Local, IBM ISP AT&T, IBM C Comcast t Local, Comcast, IBM Attract: Princeton Ranking: IBM Ranking: IBM g Comcast, IBM Comcast, IBM 16/23

Result: Shortest-Path Policy is not Sufficient! (2) With traffic-volume OR customer attractions, there can be an With t ffi l t OR tt ti th b incentive to mismatch paths, even with shortest-path policies. Ranking: Local, IBM AT&T, IBM AT&T, IBM Local, Comcast, IBM No export to Local No export to Local AT&T Princeton IBM X Local ISP fails Local to attract traffic ISP � � from Princeton. from Princeton Comcast C t Local, Comcast, IBM Attract: Princeton Ranking: IBM g Comcast, IBM 17/23