Jobtalk: Securing Internet Routing. Sharon Goldberg, Princeton University. Based on work with: Boaz Barak, Shai Halevi, Aaron Jaggard, Vijay Ramachandran, Jennifer Rexford, Eran Tromer, Rebecca Wright, and David Xiao.
The Internet (1) The Internet is a collection of Autonomous Systems (AS). (Figure: Princeton, AT&T, IBM, Local ISP, Comcast.) Connectivity requires competing ASes to cooperate.
The Internet (2) Each Autonomous System (AS) is a collection of routers. (Figure: Princeton, AT&T, IBM, Local ISP, Comcast.)
Different Failure Models & Formal Techniques. Honest • Follows the protocol. Benign / Fail-Stop • Stops responding. (The Internet was designed for this.) Rational (Selfish) • Deviates from protocol for personal gain. Formal technique: Game Theory. Adversarial • Actively tries to “break” the protocol. Formal technique: Cryptography.
Research Approach (Figure: cycle with “Iterate” arrows; steps: System (Goal), Define Security Property, Choose Failure Model, Evaluate Protocol, Characterize Security vs Efficiency. Annotations: engineering & economic limitations; “Prove this protocol satisfies security for failure model.”; “Any protocol with security property X needs resource Y.”)
Research Approach (Figure: cycle with “Iterate” arrows; steps: System (Goal), Define Security Property, Choose Failure Model, Evaluate Protocol, Characterize Security vs Efficiency. Annotations: Standards, Prototypes; Implement / Tech transfer.)
Secure Routing on the Internet. Goal: Ensure packets arrive at their destination. (Figure: Princeton, AT&T, IBM, Local ISP, Comcast.) Years of security research devoted to solving this problem.
Overview of Previous Work on Secure Routing (Figure: Princeton, AT&T, IBM, Local ISP, Comcast, with path labels “AT&T, IBM”, “IBM” and “Local, Comcast, IBM”.) Control Plane (Routing protocols): • Set up paths between nodes. Secure BGP [Kent Lynn Seo 00], soBGP, IRV, SPV, pgBGP, psBGP, Listen-Whisper, etc. Data Plane: • Given the paths, how should packets be forwarded? NPBR [Perlman 88], Secure Msg Transmission [DDWY92], Secure/Efficient Routing [AKWK04], Secure TR [PS03], etc!
Overview of Previous Work on Secure Routing (Figure: Princeton, AT&T, IBM, Local ISP, Comcast, with path labels “AT&T, IBM”, “IBM” and “Local, Comcast, IBM”.) To inform deployment efforts, my research focuses on: 1. Are we securing the right part of the system? 2. Characterizing the tradeoffs between security & efficiency. Control Plane (Routing protocols): • Set up paths between nodes. Secure BGP [Kent Lynn Seo 00], soBGP, IRV, SPV, pgBGP, psBGP, Listen-Whisper, etc. Data Plane: • Given the paths, how should packets be forwarded? NPBR [Perlman 88], Secure Msg Transmission [DDWY92], Secure/Efficient Routing [AKWK04], Secure TR [PS03], etc!
Overview of the Results in this Talk. Internet Routing (Ensuring packets arrive at their destination). Ensure packets actually follow announced paths: Rational ASes [GHJRW, SIGCOMM’08]; known control-plane protocols, like Secure BGP. Detect packet loss & localize bad router: Adversarial routers [GXTBR, SIGMETRICS’08] [BGX, EUROCRYPT’08]; new data-plane protocols & characterization ☺
Part I: The Control Plane. Two counterexamples & a theorem.
BGP: The Internet Routing Protocol (1) Paths between Autonomous Systems (ASes) are set up via the Border Gateway Protocol (BGP). (Figure: Princeton, AT&T, IBM, Local ISP, Comcast; path labels “IBM”, “AT&T, IBM” and “Comcast, IBM”. Local Valuation: Comcast, IBM; AT&T, IBM.) Forwarding: Node uses a single outgoing link for all traffic to destination. Valuations: Usually based on economic relationships. Here, we assume they are fixed at “beginning of game”.
BGP: The Internet Routing Protocol (2) Paths between Autonomous Systems (ASes) are set up via the Border Gateway Protocol (BGP). (Figure: Princeton, AT&T, IBM, Local ISP, Comcast; path labels “AT&T, IBM” and “Local, Comcast, IBM”. Princeton Valuation: Local, AT&T, IBM; AT&T, IBM; Local, Comcast, IBM.) Forwarding: Node uses a single outgoing link for all traffic to destination. Valuations: Usually based on economic relationships. Here, we assume they are fixed at “beginning of game”.
Our desired security goal… BGP announcements match actual paths in the data plane. (Figure: Princeton, AT&T, IBM, Local ISP, Comcast. Princeton Valuation: Local, AT&T, IBM; AT&T, IBM; Local, Comcast, IBM.) Then, can use BGP messages as input to security schemes! 1. Choose paths that avoid ASes known to drop packets. 2. Protocols that localize an adversarial router on path. 3. Contractual frameworks that penalize nodes that drop packets.
Our desired security goal… BGP announcements match actual paths in the data plane. (Figure: Princeton, AT&T, IBM, Local ISP, Comcast; path label “Local, AT&T, IBM”. Princeton Valuation: Local, AT&T, IBM; AT&T, IBM; Local, Comcast, IBM.) Then, can use BGP messages as input to security schemes! 1. Choose paths that avoid ASes known to drop packets. 2. Protocols that localize an adversarial router on path. 3. Contractual frameworks that penalize nodes that drop packets.
The “Secure BGP” Internet Routing Protocol. If AS a announced path abP then b announced bP to a. Public Key Infrastructure. (Figure: Princeton, AT&T, IBM, Local ISP, Comcast; announcements: Comcast: (IBM); Local: (Comcast, IBM); Princeton: (Local, Comcast, IBM).) Public Key Signature: Anyone who knows IBM’s public key can verify the message was sent by IBM.
The “Secure BGP” Internet Routing Protocol. If AS a announced path abP then b announced bP to a. Public Key Infrastructure. (Figure: Princeton, AT&T, IBM, Local ISP, Comcast; announcements: Comcast: (IBM); Local: (Comcast, IBM); Princeton: (Local, Comcast, IBM).) Public Key Signature: Anyone who knows IBM’s public key can verify the message was sent by IBM. If we assume nodes are rational, do we get security from “Secure BGP”? Yes - For certain utility models (prior work). No - For more realistic ones (our work).
The “No Attractions” model of utility… Model of utility in prior work: Utility of AS = Utility of outgoing (data-plane) path + Utility of attracted incoming traffic. (Figure: Princeton, AT&T, IBM, Local ISP, Comcast. Local Valuation: Comcast, IBM; AT&T, IBM.) In all prior work: Utility is determined by the valuation function.
Do control plane & data plane match? Table (Utility Model vs. Secure BGP): No Attractions: [LSZ]. Corollary: If _________, rational ASes have no incentive to send dishonest BGP announcements! • [Feigenbaum-Ramachandran-Schapira-06], [Feigenbaum-Schapira-Shenker-07], [Levin-Schapira-Zohar-08]. These results build on • [Nisan-Ronen-01], [Feigenbaum-Papadimitriou-Shenker-01], • [Parkes-Shneidman-04], [Feigenbaum-Karger-Mirrokni-Sami-05], [Feigenbaum-Papadimitriou-Sami-Shenker-05].
The “Attractions” model of utility… Our model of utility: Utility of AS = Utility of outgoing (data-plane) path + Utility of attracted incoming traffic. (Figure: Princeton, AT&T, IBM, Local ISP, Comcast. Local: Attract: Princeton; Valuation: Comcast, IBM; AT&T, IBM.) More realistically models payment structure.
Do control plane & data plane match? Table (Utility Model vs. Secure BGP): No Attractions: [LSZ]. Attractions: X ?. Negative result is network where a node has incentive to lie.
Counterexample: “Secure BGP” is not sufficient! (Figure: Princeton, AT&T, IBM, Local ISP, Comcast. Announcement labels via AT&T: AT&T: (IBM); Local: (AT&T, IBM); Princeton: (Local, AT&T, IBM). Announcement labels via Comcast: Comcast: (IBM); Local: (Comcast, IBM); Princeton: (Local, Comcast, IBM). Princeton Valuation: Local, AT&T, IBM ☺; AT&T, IBM; Local, Comcast, IBM. Local: Attract: Princeton; Valuation: Comcast, IBM; AT&T, IBM.)
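The Secure BGP check from the slides, run on the counterexample network, as an added example (not code from the talk). HMAC with constructed per-AS keys stands in for public-key signatures, and the forwarding table in which Local sends traffic via Comcast is an assumption read from the figure's valuations.

```python
import hashlib
import hmac

# Constructed keys. HMAC stands in for each AS's public-key signature so the
# example needs only the standard library; Secure BGP assumes a real PKI.
KEYS = {a: hashlib.sha256(a.encode()).digest()
        for a in ("IBM", "AT&T", "Comcast", "Local", "Princeton")}

def sign(signer, recipient, path):
    msg = "|".join((recipient, *path)).encode()
    return hmac.new(KEYS[signer], msg, hashlib.sha256).digest()

def announce(signer, recipient, received=()):
    """Prepend signer to the path it received and attest it to recipient."""
    tail = received[-1][1] if received else ()
    path = (signer, *tail)
    return (*received, (recipient, path, sign(signer, recipient, path)))

def verify(chain, me):
    """Slide rule: if a announced path a,b,P then b announced b,P to a."""
    expect_to, expect_path = me, chain[-1][1] if chain else None
    for recipient, path, sig in reversed(chain):
        if not path or recipient != expect_to or path != expect_path:
            return False
        if not hmac.compare_digest(sig, sign(path[0], recipient, path)):
            return False
        expect_to, expect_path = path[0], path[1:]
    return expect_path == ()

def data_plane_path(src, dst, next_hop):
    """Follow each AS's single outgoing link toward dst."""
    hops, node = [], src
    while node != dst and len(hops) < len(next_hop):
        node = next_hop[node]
        hops.append(node)
    return tuple(hops)

def counterexample():
    via_att = announce("AT&T", "Local", announce("IBM", "AT&T"))
    to_princeton = announce("Local", "Princeton", via_att)
    # Assumed forwarding: Local uses its preferred Comcast route.
    next_hop = {"Princeton": "Local", "Local": "Comcast", "Comcast": "IBM"}
    return (verify(to_princeton, "Princeton"), to_princeton[-1][1],
            data_plane_path("Princeton", "IBM", next_hop))

def unattested_path():
    path = ("Local", "IBM")  # IBM never announced a route to Local
    chain = (("Princeton", path, sign("Local", "Princeton", path)),)
    return verify(chain, "Princeton")
```

The announcement verifies because AT&T really did announce (AT&T, IBM) to Local, yet the traced data-plane path differs from the announced one; only the path nobody attested is rejected.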