Explore BGP concepts, scaling techniques, and security issues in inter-domain routing, focusing on BGP hijacking and solutions like S-BGP. Learn about ISP and end-user challenges and solutions like overlays and CDNs.
CSCI-1680 Network Layer: Inter-domain Routing – Policy and Security
Theophilus Benson
Based partly on lecture notes by Jennifer Rexford, Rob Sherwood, David Mazières, Phil Levis, John Jannotti
Today
• BGP Recap
• BGP + IGP
  • iBGP, Scaling iBGP
• Using BGP to take down the internet
• BGP Security
  • Hijacking prefixes making money
  • Solution: S-BGP
• BGP Issues
  • ISP issues versus end-user issues
  • Solution: Overlays, CDNs
Recall BGP
• Tier 1 ISPs: default free, have information on every prefix
• Everyone else: default route points to the provider
• “Best route” is not the shortest route
[Figure: hierarchy of Tier 1 ISPs, Tier 2 (regional) ISPs and Tier 3 (local) ISPs; links between tiers are labelled $$]
Recall BGP: Realistic Example
[Figure: one Tier 1 ISP, several Tier 2 (regional) ISPs and two Tier 3 (local) ISPs; links are labelled $$, with two links labelled $10 and $20]
Zooming in
[Figure: ISPD, ISPC, ISPB (regional) and ISPA (10.10/16); labels "D is provider for B" and "Peering"]
Zooming-in!
• Who should ISPB send routes to? Who should ISPB use to get to Alice?
  • Everyone? No one? Friends? Enemies?
• Import Policies: (Who to use for transit?)
• Export Policies: (Who to send routes to?)
  • Provider -> Customer: all routes, so as to provide transit service
  • Customer -> Provider: only customer routes
  • Peer -> Peer: only customer routes
• customer > peer > provider
  • Customer route: charge $$
  • Peer route: free
  • Provider route: pay $$
[Figure, built up over several slides: ISPZ, ISPD, ISPC, ISPB (regional) and ISPA (10.10/16); labels "D is provider for B" and "Peering"; route annotations for 10.10/16 in successive builds: "ISPB ISPA" (shown twice), "ISPZ", "ISPD ISPZ" and "ISPC ISPZ", "ISPB ISPC ISPZ"]
Valley Free Routing
• Z is provider for D; Z is provider for C
• D is provider for B; C is provider for B
• B is provider for A (ISPA: 10.10/16)
• Path D -> B -> C -> Z: -1 +1 +1
• Path D -> Z: +1
• Path A -> B -> C -> Z: +1 +1 +1
How to get Peering
• Z is provider for D; Z is provider for C; D is provider for B; C is provider for B; B is provider for A (ISPA: 10.10/16)
• Path D -> Z -> C, valley free: +1 -1
• All users in network D want to go to something in network C:
  • Network C could be Google
  • Network C could be Netflix
• ISP D can try and Peer with C
  • Path: D -> C
  • Valley free: 0
• Why is this good for D? or C?
  • Neither has to pay Z anymore
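The export rules and the +1/-1 path scoring from the preceding slides, as an added example that is not part of the lecture. It assumes +1 means a customer-to-provider hop, -1 a provider-to-customer hop and 0 a peer hop; the relationships are copied from the figure labels, and the function names are hypothetical.

```python
# Added example: relationships copied from the slides' figure labels.
PROVIDER_OF = {  # customer -> its providers
    "A": {"B"}, "B": {"C", "D"}, "C": {"Z"}, "D": {"Z"},
}
PEERS = {frozenset(("D", "C"))}  # the D-C peering proposed on the slide

def hop_score(src, dst):
    """+1 customer->provider, -1 provider->customer, 0 peer->peer."""
    if dst in PROVIDER_OF.get(src, ()):
        return +1
    if src in PROVIDER_OF.get(dst, ()):
        return -1
    if frozenset((src, dst)) in PEERS:
        return 0
    raise ValueError(f"no business relationship between {src} and {dst}")

def path_scores(path):
    return [hop_score(a, b) for a, b in zip(path, path[1:])]

def is_valley_free(path):
    """Uphill hops, then at most one peer hop, then only downhill hops."""
    phase = 0  # 0 = climbing, 1 = crossed a peer link, 2 = descending
    for score in path_scores(path):
        if score == +1 and phase != 0:
            return False          # climbing again after peer/downhill: a valley
        if score == 0:
            if phase != 0:
                return False      # peer hop after a peer hop or a descent
            phase = 1
        if score == -1:
            phase = 2
    return True

def may_export(me, learned_from, send_to):
    """Slide's export policy: customers hear all routes; providers and
    peers hear only routes that were learned from a customer."""
    learned_from_customer = hop_score(me, learned_from) == -1
    sending_to_customer = hop_score(me, send_to) == -1
    return learned_from_customer or sending_to_customer
```

For ISPB, `may_export("B", "A", "D")` is true (a customer route goes to everyone), while `may_export("B", "D", "C")` is false, which is what keeps B from carrying traffic between its two providers.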
BGP State
• BGP speaker conceptually maintains 3 sets of state
• Adj-RIB-In
  • “Adjacent Routing Information Base, Incoming”
  • Unprocessed routes learned from other BGP speakers
• Loc-RIB
  • Contains routes from Adj-RIB-In selected by policy
  • First hop of route must be reachable by IGP or static route
• Adj-RIB-Out
  • Subset of Loc-RIB to be advertised to peer speakers
How does router X learn the route to 10.20/8 or 10.20/16?
• If you don't have routes: send to M
• Who to send unknown to? Y or W?
• Stub ASes (e.g. ISP A, D)
  • Border router is the clear choice for default route
  • Inject into IGP: “any unknown route to border router”
• Inject specific prefixes in IGP
  • E.g., Provider injects routes to customer prefix
• For large networks
  • Too many prefixes for IGP
  • Run internal version of BGP, iBGP
  • All routers learn mappings: Prefix -> Border Router
  • Use IGP to learn how to get to Border Router
[Figure: routers M, X, Y, Z and W; ISPD, ISP-B and ISPA]
Two types of BGP sessions
• eBGP (AT&T to Sprint, AS23): 128.112.0.0/16, Next Hop = 192.0.2.1
• iBGP (inside the AS): 128.112.0.0/16
• Forwarding table (IGP): destination 192.0.2.0/30, next hop 10.10.10.10
• BGP (iBGP): destination 128.112.0.0/16, next hop 192.0.2.1
• Forwarding table (IGP + BGP):
  • destination 128.112.0.0/16, next hop 10.10.10.10
  • destination 192.0.2.0/30, next hop 10.10.10.10
Two types of BGP sessions
• eBGP session is a BGP session between two routers in different ASes
• iBGP session is a BGP session between internal routers of an AS
[Figure: AT&T and Sprint, with iBGP and eBGP sessions marked]
Scaling iBGP • Every Router runs iBGP • All-to-All iBGP peering • Doesn’t scale • N*(N-1) connections
Scaling iBGP: Route reflectors • Every Router runs iBGP • Selective peering • Scales • N*K connections
“Shutting off” the Internet • Starting from Jan 27th, 2011, Egypt was disconnected from the Internet • 2769/2903 networks withdrawn from BGP (95%)! Source: RIPEStat - http://stat.ripe.net/egypt/
Egypt Incident Source: BGPMon (http://bgpmon.net/blog/?p=480)
BGP Security Goals • Confidential message exchange between neighbors • Validity of routing information • Origin, Path, Policy • Correspondence to the data path
Origin: IP Address Ownership and Hijacking
• IP address block assignment
  • Regional Internet Registries (ARIN, RIPE, APNIC)
• Who can advertise a prefix with BGP?
  • By the AS who owns the prefix
  • … or, by its upstream provider(s) on its behalf
• However, what’s to stop someone else?
  • Prefix hijacking: another AS originates the prefix
  • BGP does not verify that the AS is authorized
  • Registries of prefix ownership are inaccurate
Prefix Hijacking: full or partial control
• Consequences for the affected ASes
  • Blackhole: data traffic is discarded
  • Snooping: data traffic is inspected, and then redirected
  • Impersonation: data traffic is sent to bogus destinations
[Figure: ASes 1 to 7; 12.34.0.0/16 is originated at two different ASes]
Hijacking is Hard to Debug • Real origin AS doesn’t see the problem • Picks its own route • Might not even learn the bogus route • May not cause loss of connectivity • E.g., if the bogus AS snoops and redirects • … may only cause performance degradation • Or, loss of connectivity is isolated • E.g., only for sources in parts of the Internet • Diagnosing prefix hijacking • Analyzing updates from many vantage points • Launching traceroute from many vantage points
Sub-Prefix Hijacking: Full control over sub-prefix
• Originating a more-specific prefix
  • Every AS picks the bogus route for that prefix
  • Traffic follows the longest matching prefix
[Figure: ASes 1 to 7; one AS originates 12.34.0.0/16, another originates 12.34.158.0/24]
How to Hijack a Prefix • The hijacking AS has • Router with eBGP session(s) • Configured to originate the prefix • Getting access to the router • Network operator makes configuration mistake • Disgruntled operator launches an attack • Outsider breaks in to the router and reconfigures • Getting other ASes to believe bogus route • Neighbor ASes not filtering the routes • … e.g., by allowing only expected prefixes • But, specifying filters on peering links is hard
Pakistan YouTube incident
• YouTube has prefix 208.65.152.0/22
• Pakistan’s government orders YouTube blocked
• Pakistan Telecom (AS 17557) announces 208.65.153.0/24 in the wrong direction (outwards!)
• Longest prefix match caused worldwide outage
• http://www.youtube.com/watch?v=IzLPKuAOe50
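Why the /24 won everywhere, and how a monitor comparing announcements against expected origins would flag it, as an added example that is not part of the lecture. The prefix 208.65.152.0/22, the /24 and AS 17557 come from the slide; AS 64500 and AS 64501 are documentation ASNs used as placeholders, and the registry, update list and function names are constructed.

```python
import ipaddress

# Constructed registry of expected origins (AS 64500 is a placeholder
# for the legitimate origin, not a value from the lecture).
EXPECTED_ORIGINS = {ipaddress.ip_network("208.65.152.0/22"): {64500}}

# Constructed BGP updates as (prefix, origin AS).
UPDATES = [
    ("208.65.152.0/22", 64500),   # legitimate announcement
    ("208.65.153.0/24", 17557),   # more-specific from the slide
    ("208.65.152.0/22", 64501),   # same prefix, unexpected origin
    ("192.0.2.0/24", 64501),      # prefix nobody registered with us
]

def classify(prefix, origin_as, expected=EXPECTED_ORIGINS):
    """Compare one announcement against the expected-origin registry."""
    net = ipaddress.ip_network(prefix)
    for known, origins in expected.items():
        if net.version != known.version or not net.subnet_of(known):
            continue
        if origin_as in origins:
            return "ok"
        return "origin-mismatch" if net == known else "sub-prefix-mismatch"
    return "unmonitored"

def alerts(updates):
    """Announcements that cover monitored space from an unexpected AS."""
    found = []
    for prefix, asn in updates:
        verdict = classify(prefix, asn)
        if verdict.endswith("mismatch"):
            found.append((prefix, asn, verdict))
    return found

def forwarding_origin(routes, dst):
    """Longest-prefix match: the origin AS that traffic for dst heads to."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), asn) for p, asn in routes]
    hits = [(net, asn) for net, asn in nets if addr in net]
    if not hits:
        return None
    return max(hits, key=lambda hit: hit[0].prefixlen)[1]
```

With only the first two updates installed, an address inside 208.65.153.0/24 resolves to AS 17557 while the rest of the /22 still resolves to AS 64500, which is the partial, hard-to-see failure the slides describe.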
Bitcoin Incident
• Bitcoin Primer
  • You donate resources on your computer to ‘mine’ (create) bitcoins
  • Your computer connects to a server
  • Server tells it how to mine
  • Server rewards you for mining
    • Transaction fees for using coins
    • Subsidies for new coins
• Hacker steals bitcoins
  • Hacker hijacks a prefix
  • Pretends to be the Bitcoin server
  • Collects bitcoins you mine
  • Doesn’t give miners any rewards
[Figure: ASes 1 to 7 with Bitcoin miners, the legitimate Bitcoin server (12.34.0.0/16) and the hacker (12.34.158.0/24)]
Avoiding Spam Detection with Prefix Hijacking
• People create a whitelist of acceptable addresses for mail servers
  • Only accept mail from addresses in that whitelist
• Spammers steal unused IP space to hide
  • Announce very short prefixes (e.g., /8). Why?
  • For a short amount of time
• Hijack route == announce a route you don’t own
• Send lots of spam!!
• Stop hijack == withdraw route
• Interesting talk: https://www.usenix.org/conference/lisa-07/homeless-vikings-bgp-prefix-hijacking-and-spam-wars
Attacks on BGP Paths • Remove an AS from the path • E.g., 701 3715 88 -> 701 88 • Why? • Attract sources that would normally avoid AS 3715 • Make path through you look more attractive • Make AS 88 look like it is closer to the core • Can fool loop detection! • May be hard to tell whether this is a lie • 88 could indeed connect directly to 701!
Attacks on BGP Paths • Adding ASes to the path • E.g., 701 88 -> 701 3715 88 • Why? • Trigger loop detection in AS 3715 • This would block unwanted traffic from AS 3715! • Make your AS look more connected • Who can tell this is a lie? • AS 3715 could, if it could see the route • AS 88 could, but would it really care?
Attacks on BGP Paths • Adding ASes at the end of the path • E.g., 701 88 into 701 88 3 • Why? • Evade detection for a bogus route (if added AS is legitimate owner of a prefix) • Hard to tell that the path is bogus!
[Figure: ASes 701, 88 and 3; 18.0.0.0/8 is labelled at both AS 3 and AS 88]
Data Plane Attacks (Forwarding Attacks) • Routers/ASes can advertise one route, but not necessarily follow it! • May drop packets • Or a fraction of packets • What if you just slow down some traffic? • Can send packets in a different direction • Impersonation attack • Snooping attack • How to detect? • Congestion or an attack? • Can let ping/traceroute packets go through • End-to-end checks? • Harder to pull off, as you need control of a router
Proposed Solution: S-BGP
• Based on a public key infrastructure
• Address attestations
  • Claims the right to originate a prefix
  • Signed and distributed out of band
  • Checked through delegation chain from ICANN
• Route attestations
  • Attribute in BGP update message
  • Signed by each AS as the route travels along the path
• S-BGP can avoid
  • Prefix hijacking
  • Addition, removal, or reordering of intermediate ASes
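How chained route attestations catch removal or reordering of intermediate ASes, as an added sketch that is not part of the lecture and not S-BGP's actual encoding. It covers route attestations only; HMAC with constructed per-AS keys stands in for the public-key signatures, AS 64500 is a documentation ASN used as the receiver, and paths are written origin-first.

```python
import hashlib
import hmac

# Constructed keys. HMAC stands in for S-BGP's public-key signatures, so
# this verifier shares the signing keys; with a PKI it would hold only
# the public keys.
KEYS = {asn: f"demo-key-{asn}".encode() for asn in (88, 3715, 701, 64500)}

def _attest(asn, prefix, path_so_far, next_as):
    """Attestation over the prefix, the path so far and the next AS."""
    msg = f"{prefix}|{' '.join(map(str, path_so_far))}|{next_as}".encode()
    return hmac.new(KEYS[asn], msg, hashlib.sha256).digest()

def forward(prefix, path, sigs, me, next_as):
    """AS `me` appends itself and attests what it sends to `next_as`."""
    new_path = path + [me]
    return new_path, sigs + [_attest(me, prefix, new_path, next_as)]

def verify(prefix, path, sigs, receiver):
    """Every AS on the path must have attested the path it forwarded
    and the neighbor it forwarded to."""
    if not path or len(path) != len(sigs):
        return False
    for i, asn in enumerate(path):
        if asn not in KEYS:
            return False
        next_as = path[i + 1] if i + 1 < len(path) else receiver
        good = _attest(asn, prefix, path[: i + 1], next_as)
        if not hmac.compare_digest(good, sigs[i]):
            return False
    return True

def demo():
    prefix = "18.0.0.0/8"
    path, sigs = forward(prefix, [], [], 88, 3715)       # origin AS 88
    path, sigs = forward(prefix, path, sigs, 3715, 701)
    path, sigs = forward(prefix, path, sigs, 701, 64500)
    return {
        "honest": verify(prefix, path, sigs, 64500),
        # 701 3715 88 -> 701 88, reusing the real attestations
        "as_removed": verify(prefix, [88, 701], [sigs[0], sigs[2]], 64500),
        "reordered": verify(prefix, [3715, 88, 701],
                            [sigs[1], sigs[0], sigs[2]], 64500),
        "sent_to_other_neighbor": verify(prefix, path, sigs, 3715),
    }
```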
BGP Issues
• BGP issues from ISP’s perspective
  • Prefix Hijacking
    • Internet outage
  • Route table overflow
    • Internet outage
  • Convergence issues
    • Temporary outage
• BGP issues from user’s perspective
  • Network outages
  • Large latency
  • Low bandwidth
• Alice -> Eve: 50 milliseconds
• Alice -> Bob: 10 milliseconds
• Bob -> Eve: 20 milliseconds
• Why not send traffic through Bob?
  • Internet uses destination based routing
  • For Alice -> Eve to go through Bob
  • Packets must use Bob as the destination
[Figure: Alice, Bob and Eve]
IP tunnels: IP-in-IP Encapsulation
• Alice/Bob/Eve run special software that performs IP encapsulation/decapsulation
[Figure: Alice, Bob and Eve; packet labels Alice->Eve, Alice->Bob and Bob->Eve; address label 20.0.0.1]