������������������ ���������������������� � � �������������������������������� ����������������������������������������� �������������������������������������������� Routing Security* CSE598K/CSE545 - Advanced Network Security Prof. McDaniel - Spring 2008 * Thanks to Steve Bellovin for slide source material. CSE598K/CSE545 - Advanced Network Security - McDaniel Page 1
Routing 101 • Network routing exists to provide hosts desirable paths from the source to destination ‣ What desirable means depends on the types of protocols being used • Two main approaches to routing ‣ Link state - collected/metrics of paths between hosts, e.g., OSPF ‣ Distance vector - shortest path based on exchanged routing tables, e.g., BGP CSE598K/CSE545 - Advanced Network Security - McDaniel Page 2
Routing Security • Bad guys play games with routing protocols. • Traffic is diverted. ‣ Enemy can see the traffic. ‣ Enemy can easily modify the traffic. ‣ Enemy can drop the traffic. • Cryptography can mitigate effects, but not stop them. • History: we don’t have a lot of good answers! CSE598K/CSE545 - Advanced Network Security - McDaniel Page 3
Why So Little Progress? • It's a really, really hard problem. • Actually, getting routing to work well is hard enough. • Has been outside the scope of traditional communications security. CSE598K/CSE545 - Advanced Network Security - McDaniel Page 4
How is it Different? • Most communications security failures happen because of buggy code or broken protocols. • Routing security failures happen despite good code and functioning protocols. The problem is a dishonest participant. • Hop-by-hop authentication isn't sufficient. CSE598K/CSE545 - Advanced Network Security - McDaniel Page 5
Routing ... Z X Host B X X X Host A X X X X X CSE598K/CSE545 - Advanced Network Security - McDaniel Page 6
The Enemy's Goal? Z X Host B X X X Host A X X X X X CSE598K/CSE545 - Advanced Network Security - McDaniel Page 7
Routing Protocols • Routers speak to each other. • They exchange topology information and cost information. • Each router calculates the shortest path to each destination. • Routers forward packets along locally shortest path. • Attacker can lie to other routers CSE598K/CSE545 - Advanced Network Security - McDaniel Page 8
Normal Behavior Host B Z 5 10 5 X 5 X 10 Host A Y → X : B (10) Y → Z : B (10) Z → X : Y (5) , B (15) X → A : Z (5) , Y (5) , B (15) CSE598K/CSE545 - Advanced Network Security - McDaniel Page 9
Malicious Behavior Host B Z 5 10 5 X 5 X 10 Host A Y → X : B (10) Y → Z : B (10) Z → X : Y (5) , B (3) X → A : Z (5) , Y (5) , B (15) CSE598K/CSE545 - Advanced Network Security - McDaniel Page 10
Why is the Problem Hard? • X has no knowledge of Z's real connectivity. • Even Y has no such knowledge. • The problem isn't the link from X to Z; the problem is the information being sent. (Note that Z might be deceived by some other neighbor Q.) CSE598K/CSE545 - Advanced Network Security - McDaniel Page 11
Worm-Holing X X Host B X X Z Host A X X X Z X CSE598K/CSE545 - Advanced Network Security - McDaniel Page 12
Worm-Holing X X Host B X X Z Host A X X X Z X CSE598K/CSE545 - Advanced Network Security - McDaniel Page 13
Link Cutting X X Host B X X Z Host A X X X Z X CSE598K/CSE545 - Advanced Network Security - McDaniel Page 14
Link Cutting X X Host B X X Z Host A X X X Z X CSE598K/CSE545 - Advanced Network Security - McDaniel Page 15
Routing in the Internet • Two types, internal and external routing. ‣ Intradomin - Internal (within ISP, company): primarily OSPF. ‣ Interdomain routing - external (between ISPs, and some customers): BGP. • Topology matters. CSE598K/CSE545 - Advanced Network Security - McDaniel Page 16
OSPF (Open Shortest Path First) • Each node announces its own connectivity. Announcement includes link cost. ‣ Each node reannounces all information received from peers. ‣ Every node learns the full map of the network. ‣ Each node calculates the shortest path to all destinations. Host B Z 5 10 5 X 5 X 10 Host A • Note : limited to a few thousand nodes at most. CSE598K/CSE545 - Advanced Network Security - McDaniel Page 17
Characteristics of Internal Networks • Common management. • Common agreement on cost metrics. • Companies have less rich topologies, but less controlled networks. • ISPs have very rich---but very specialized---topologies, but well-controlled networks. • Often based on Ethernet and its descendants. CSE598K/CSE545 - Advanced Network Security - McDaniel Page 18
Secure OSPF? • Simple link security is hard: multiple-access net. • Shared secrets guard against new machines being plugged in but not against an authorized party being dishonest. • Solution: digitally sign each routing update (expensive!) ‣ List authorizations in certificate. • Experimental RFC by Murphy et al., 1997. • Note: everyone sees the whole map; monitoring station can note discrepancies from reality. (But bad guys can send out different announcements in different directions.) CSE598K/CSE545 - Advanced Network Security - McDaniel Page 19
BGP (Border Gateway Protocol) • BGP is the protocol used to route information at the autonomous system level - (distance vector protocol) ‣ Everyone builds a route to every AS in the internet based on paths received from neighbors ‣ Routes are flooded to neighbors ‣ Path selection is based on policy (not always shortest path) CSE598K/CSE545 - Advanced Network Security - McDaniel Page 20
External Routing via BGP • No common management ‣ hence no metrics beyond hop count • No shared trust. • Policy considerations: by intent, not all paths are actually usable. • Controls address management The control plane for the Internet. CSE598K/CSE545 - Advanced Network Security - McDaniel Page 21
Secure BGP? • Kent et al. created the sBGP protocol which: ‣ Signs routes ‣ Signs address advertisements • Based on the idea that we can setup parallel PKI to support trust in the routing and address use. • Several RFCs, many papers. • Not really gotten traction because of costs and limitations of trust. CSE598K/CSE545 - Advanced Network Security - McDaniel Page 22
Problems to Solutions? • Independent of the type, this all relates to securing the following information for a source: ‣ where the destination address? ‣ what is the best path to that address? • Answering these questions in practice is complex, as it necessarily requires us to trust foreign entities or devices for which we may know little (if anything). • This is the nasty secure distributed computation all over again, only everyone on the Internet must play. • Next week: exploring the solution space! CSE598K/CSE545 - Advanced Network Security - McDaniel Page 23
Recommend
More recommend