Secure Routing Panel FIND PI Meeting (June 27, 2007) Morley Mao, Jen Rexford, Xiaowei Yang.
-
Upload
kaitlyn-macgregor -
Category
Documents
-
view
213 -
download
1
Transcript of Secure Routing Panel FIND PI Meeting (June 27, 2007) Morley Mao, Jen Rexford, Xiaowei Yang.
Secure Routing PanelFIND PI Meeting (June 27, 2007)
Morley Mao, Jen Rexford, Xiaowei Yang
2
Goal of the Panel
• Understand and discuss– The threats on the routing system– Lessons learned from today’s routing
system– Challenges of architecting a secure routing
system– A few specific architectural proposals
3
Questions
• What are the threats?– End hosts– Compromised routers– Greedy providers
• What security properties do we need?– Just availability?– Knowing traffic is reaching the right destination?– Knowing end-to-end path? At what granularity?– Avoiding certain paths, countries, or companies?– Do paths need to be symmetric?
• Enable multiple levels of security in parallel?
4
Questions
• Where should security functions be placed?– End hosts vs. routers– Data, control, and management planes
• How do we ensure participation?– Economic incentives for deployment?– Role (if any) for government regulation?– Any need for accountability/liability for
problems?– Enable partial deployment scenarios?
5
Organization
• Morley Mao, U. Michigan– Threats, and an operator perspective (15
min)
• Jen Rexford, Princeton– Multi-path routing and secure monitoring
(10 min)
• Xiaowei Yang, UC Irvine– User-controlled routes (15 min)
• Discussion, debate, …
Helping Edge Networks to Help Themselves
Jen Rexford
Joint work with Dave Andersen, Ioannis Avramopoulos, and Dan Wendlandt
7
Don’t Need Secure Routing Protocols
• Secure routing protocols– Securing info communicated within the
protocol
• Secure routing protocols are too much– Require large-scale (ubiquitous?) deployment– Heavy weight crypto operations– Global public key infrastructure
• Secure routing protocols are too little– Packets might not follow the path– Adversary can deflect packets or DoS links– Colluding ASes can claim fake links
8
Secure End-to-End Communication
• An architectural proposal– Multi-path routing exposes possible paths– Edge nodes find and securely use working
paths
End-to-end security (e.g., SSL & IPsec)
•Confidentiality of Data
•Integrity of Data
•Availability of Communication Channel
Depends on Routing and Forwarding
9
Where do Multiple Paths Come From?
• Multi-homing– Connecting to multiple neighboring ASes– Connecting to a neighbor at multiple places
• Deflecting through intermediate nodes– Overlay networks of end hosts– Deflection services offered by other
networks
• Multi-path routing protocolsAA
BB
C
D
10
How Do Edge Nodes Switch Forwarding Paths?
• Tagging– Mark tag bits in the data packets– Routers interpret the bits in forwarding
• Encapsulation– Specifying intermediate deflection point– Routers forward based on deflection address
B
A C101
B
11
How Do Edge Nodes Decide to Change Paths?
• End-to-end integrity check– IPsec and SSL– Client authentication and server certificates– Vote among users from many vantage
points
• Secure availability monitoring– End-host applications judge the
performance– Edge routers securely sample the
performance
12
Conclusion
• Secure routing is not the goal– The control plane is just one part of the system– “Jen, the Internet is not a network for delivering
BGP update messages.” – Randy Bush
• Secure communication should be the goal– Integrity, confidentiality, and availability
• Leading to a combination of mechanisms– End-to-end integrity and confidentiality– Multi-path routing and forwarding– Secure availability monitoring