1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing...
-
date post
19-Dec-2015 -
Category
Documents
-
view
216 -
download
0
Transcript of 1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing...
2
Schedule
• Tuesday– BGP Background– " Detection of Invalid Routing Announcement
in the Internet"
– Open Discussions
• Thursday– “Secure Border Gateway Protocol (S-BGP)”– “Secure Border Gateway Protocol (S-BGP) -
Real World Performance and Deployment Issues”
3
Outline
• Background
• “Detection of Invalid Routing Announcement in the Internet” Paper
• Related Open Problems
4
BGP Components
– Autonomous System (AS)– BGP speaker– BGP Routing table: Prefix + AS Path
AS4
AS3 AS1
AS2
BGP
5
BGP Routing Table
• Maintain the reachability information (AS path) for each prefix
• Default-free• Incremental updates
Prefix Next-Hop AS-Path TypeBest Route
6
BGP Update
AS566
Prefix AS Path
… …Routing
Table
12.0.0.0/8 : 1221, 34
Prefix : AS Path
Incoming update
12.0.0.0/8 : 1221, 34, 566
Outgoing update
12.0.0.0/8 1221, 34
7
General Operations
• Pick the best path and install it in forwarding table– BGP routing table V.S forwarding table – The definition of “best” depends on local policy
• Policies could influence import, the best path selection, export.
• Each AS only sends its best route for a prefix to its neighbors, append its AS# in the path
11
Other Trends
• More multi-homed small networks
• A denser interconnectivity mesh
• Reduction in hierarchical nature
12
Outline
• Background
• “Detection of Invalid Routing Announcement in the Internet” Paper
• Related Open Problems
13
Multiple Origin AS (MOAS)
128.9.0.0/16Path: 226
128.9.0.0/16Path: 4
128.9.0.0/16Path: X, 4
AS XAS Y
128.9.0.0/16Path: Z, 226
AS Z
MOAS case !Is it a valid policy or a fault/attack?
AS 226AS 4
14
Previous work
• How many MOAS cases have happened?
• How long did they last?
• What’s the distribution of prefix length having MOAS conflicts?
• Possible explanations
17
Idea: MOAS list– A list of legitimate ASes who are authorized to
announce the prefix– Attached to route announcement
AS4
AS3
AS1AS2 12.0.0.0/8, MOAS list {1,2}
12.0.0.0/8, MOAS list {4} Detect MOAS
lists conflict
12.0.0.0/8, MOAS list {1,2}
18
Assumption• Rich interconnectivity
• It is very difficult, if not impossible, for the attacker to totally block the propagation of valid route announcement with MOAS list
AS1 AS2
AS3 AS4
Prefix: 12.0.0.0/8MOAS list: {1, 2}
Controlled by attack
AS6AS5
19
Limitations in Design
• Only detects invalid MOAS conflicts– Correct origin AS with a false path ???
• Valid path: 4, 231, 55, 1024
• False path: 4, XXX, YYY, 1024
• Rely on other mechanisms to identify the correct origin AS– DNS lookup verification
20
Discussion & Critiques
• Topology Generation – Route Views only has a partial view of Internet
topology– The view is also filtered by best path selection– Is node number reducing process reasonable?
• Selection of the two origin ASes– Is random selection reasonable? Adjacent– Is selection only from stub (NO transit) ASes
reasonable?
21
Outline
• Background
• “Detection of Invalid Routing Announcement in the Internet” Paper
• Related Open Problems
22
Challenge - Abnormal BGP behaviors
• Reasons– Implementation / protocol bugs– Misconfigurations– Attack
• Problems– How to define?– How to detect?– How to distinguish them?– How to trace back?
• What information do we need to collect?
23
Challenge - Opaque Policy
• Some strength and complexity of BGP come from the usage of local policy
• IRR project aims to collect global routing policy knowledge - obsolete and incomplete
• But: – peer policy agreement are often confidential– There is no way to verify whether received updates
abided the intermediate AS’s policies– Are these policies reasonable– Local sound policies may have global conflicts
24
Challenge - Topology
• How to generate realistic Internet topology?– So huge, complicated, dynamic– What are the essential characteristics of Internet
topology? How to model them?
25
BGP Security Problems
• Outsider attacks– TCP session spoofing– BGP session spoofing– DoS attack
• Misbehaved, misconfigured, and compromised legitimate BGP routers are the main threat currently– E.g 1997 AS7007 incident
26
Securing Announcement
• Announcement is not authenticated
• We don’t know who is allowed to advertise a prefix
• Anyone could (almost) announce any prefix– Malicious attacks– Accidentally mistakes
27
Securing Path Attribute
• Each router chooses among multiple routes for a destination
• Need to select the best path• Path attribute is also not authenticated• Path modification could disrupt routing
– Cause suboptimal path to be adopted• Direct to longer path• Bring to path with adversary eavesdrop
– Interfere with policy decisions– Make some destinations unreachable