
University of California, Los Angeles, Computer Science Department

Using Name-Based Identities and Topological Relations of Trust to Secure Routing System

ALEXANDER AFANASYEV June 9th, 2011

Oral Qualifying Exam


A high-level research objective

• A new model to secure the Internet routing system, which
  – could be universally applied to all routing levels (OSPF, BGP)
  – is economically feasible to deploy
  – is completely distributed without centralized trust management
    • the Internet does not have a single root of trust
    • countries do not want to rely on outside authority to secure the internal network


Generic threats to routing (RFC 4593)

• Unauthorized access to confidential information
  – hacking into a router
  – sniffing control layer
  – data plane traffic analysis
• Routing update falsification
  – announcing an unauthorized prefix
  – incorrectly announcing a prefix
    • announce /25 prefix instead of /24
  – modifying information in route updates
    • fraudulently altering the AS path field in BGP update


Generic threats to routing (rfc4593)

• Inevitably some keys will be compromised


Generic threats to routing (rfc4593)

• Identities are easy to falsify
• AS number and IP addresses are incomprehensible to operators
  • misconfigurations and confusions inevitable


Proposals to secure global routing

• PKI

• Web-of-Trust

• Secure overlay

• Evidentiary trust (historical data analysis)

* M. Nicholes and B. Mukherjee. “A survey of security techniques for the border gateway protocol (BGP).” IEEE Communications Surveys and Tutorials, 11(1):52–65, 2009.


Why did previous work fail?

• PKI-based (S-BGP, soBGP, psBGP, RPKI, …)
  – the Internet has no central trust
• Web-of-trust / evidence-based (BGP-Origins, PHAS, pgBGP)
  – so far the proposals are ad hoc at best
  – trust relations are too loose
• Secure overlays (IRV)
  – the chicken-and-egg problem: to build an overlay, routing should exist; to build routing, an overlay should exist


Shifting concepts: IP vs NDN

[Figure: retrieving the content named "How to make million $$" in two architectures. IP side (DNS, HTTP, FTP, HTTPS, IP): "I know what I want, where is it located?" NDN side: "I know what I want, deliver it to me".]


What can we do differently?

• Apply Named Data Networking (NDN) concepts to address routing system security
  – people care about routing data integrity and authenticity
  – names give meaning
• Advanced network management tools
  – names give manageability
• Internet-oriented way to manage trust
  – leverage both contractual and collegial trust between parties on the Internet
• Unify solution to security problems
  – single framework for everything


What is proposed?

• A framework to secure the routing system by employing a combination of
  – the topology-derived trust between parties to secure
  – locally-controlled semantically-meaningful hierarchical names for the routing infrastructure, with
  – a multi-path trust graph for key certification, resource authorization, etc.
• Aim to develop a secure routing system for NDN networks
• Expectation that the results will be directly applicable to the existing Internet

[Figure: framework diagram with the components "Multi-path trust graph", "Topological network of trust" and "Hierarchical semantically-sound names", and the labels "Routers authentication", "Routing info authorization" and "Routing config provenance".]


Hierarchical semantically-meaningful names


Currently used routing identities are meaningless

• Organizations in BGP are identified by AS numbers
  – AS numbers are just 16-bit or 32-bit numbers (AS52, AS4004)
• BGP and OSPF routers are identified using a 4-octet integer
  – usually, but not necessarily, one of the router’s IPv4 addresses
• Router’s interfaces are identified by IPv4 and IPv6 addresses
  – different interfaces usually have totally unrelated and misleading addresses

[Figure: path through interfaces labeled 169.232.4.103, 137.164.27.6, 137.164.27.5, 137.164.26.133.]


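Current practices in mapping IP addresses to names (UCLA / CENIC)

[Figure: the same path, drawn across the UCLA and CENIC networks, with interface names and addresses listed in the order they appear on the slide.]

Names:
• core-2--border-1-10.backbone.ucla.net
• ucla--lax-hpr2-ge.cenic.net
• lax-hpr2--ucla-10ge.cenic.net
• hpr-lax-hpr--i2-newnet.cenic.net

Addresses:
• 169.232.4.103
• 137.164.27.6
• 137.164.27.5
• 137.164.26.133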


Current practices by large ISPs in mapping IPs to names

• Level-3 (AS3356 / AS3549)
  – 4.69.130.82 lo-22.err1.Amsterdam1.Level3.net
• NTT (AS2914)
  – 129.250.0.19 r00.sttlwa01.us.bb.gin.ntt.net
• Tata Communications (AS6453)
  – 206.82.129.13 vlan518.icore1.eql-losangeles.as6453.net
• QWEST (AS209)
  – 67.14.24.29 dvr-core-02.inet.qwest.net
• Verizon (AS701)
  – 204.255.169.89 0.so-1-0-0.br2.lax7.alter.net


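A natural extension of current practices for OSPF (example)

[Figure: intra-AS domain drawn as a name tree rooted at /ucla, with the annotation "Keys and signatures from provider(s)" at the root. Node labels: CS, EE, …, backbone, east-wing, south-wing, irl-gw, nrl-gw, lasr-gw. Example full name: /ucla/cs/backbone/irl-gw]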


Advantages of using names

• Manageability
  – no confusion of IP address authority (links between providers)
  – lower risk to make a critical mistake
    • e.g., */local namespace for strictly local updates
  – router groups management
• Advanced filtering capabilities
• Possibility for advanced routing policies
• Easiness of routing events (accidents) analysis
  – easy to attribute problem to a particular routing entity
• The basis of NDN: (name + content) secured with a crypto key, a built-in security building block


Topological network of trust


Intro to public key infrastructure and web-of-trust

PKI
• single root of trust
• strict hierarchy

Web-of-Trust
• every node can be a root of trust
• no restrictions on trust relations

[Figure captions: * S-BGP, * PGP]


Why not to rely on the existing trust management solutions?

• Public Key Infrastructure
  – Advantages
    • Strict trust management procedures
    • Deterministic verification process
  – Disadvantages
    • ultimate trust to a small set of certification authorities (CAs)
    • all CA public keys should be distributed and redistributed (re-issued, revoked) to all nodes in off-line (out-of-band) manner
    • only one trust chain per key is usually allowed
• Web-of-Trust
  – Advantages
    • Support of multi-path trust relations
  – Disadvantages
    • there are no strict procedures how trust links are established
    • verification in web-of-trust is highly nondeterministic


Strengthen trust using topological relations

[Figure labels: "Non restricted trust relations", "Topological relations", "Topological network of trust".]


Features of topological network of trust

• Uses the existing topological relations to define trust between nodes
  – to make procedures for trust management very strict
    • amendments to existing contracts and agreements
  – to make verification process deterministic
• Allows multiple certification paths
  – to reflect complex topological relations
    • multi-homed for customers
    • mesh-interconnections among providers via Internet exchange points
  – to give multi-dimensional certification
    • authenticate routers in a routing domain
    • authorize router to announce resources


Topological relations on the Internet


A portion of real topological relations

[Figure: AS-level graph whose links are labeled provider, customer or peer. Node names: Verizon, NTT, Hurricane, VeriSign, VeriSign*, DynDNS, isohunt. AS numbers shown: AS 701, AS 2914, AS 6939, AS 26415, AS 30085, AS 33517, AS 36628.]

* VeriSign Global Registry


Service agreement = contractual trust relation

• Providers are local roots of trust for customers
  – Public keys between neighbors could be easily exchanged off-line
• Customer-provider agreement
  – customer trusts provider to deliver data
  – customer also trusts that provider will honor all traffic management policies
  – customer can ask (require) provider to sign customer's key
• Provider-provider or customer-customer (peer-to-peer) agreements
  – each peer trusts that the other peer will deliver only local traffic via peer-peer link
  – peers can sign keys of each other


Certification paths and trust chains

[Figure: trust graph over the nodes Verizon, NTT, VeriSign, VeriSign*, Hurricane, DynDNS and isohunt, with these chains highlighted:]

• Verizon -> NTT -> VeriSign*
• Verizon -> VeriSign -> VeriSign*
• Verizon -> Hurricane -> DynDNS

* VeriSign Global Registry


Topological trust bootstrapping

[Figure: two panels, "Direct signing" and "Reverse signing", each drawn over the chain Verizon, Hurricane, DynDNS and marked with a "local anchor of trust". Panel labels as extracted: (1) out-of-band: Hurricane; in-band: Hurricane, Verizon. (2) out-of-band: Hurricane; in-band: Hurricane, DynDNS.]


Summary of trust bootstrapping in topological network of trust

• Only neighbors exchange public keys out-of-band
  – this is the only out-of-band exchange
• Direct signing
  – Providers sign keys of their customers
  – Give everybody access to these signatures
• Reverse signing
  – Providers sign keys of their providers (and/or peers)
  – Give clients access to these signatures


Advantages of topological network of trust

• Relatively cheap trust bootstrapping
  – only direct neighbors exchange keys
• Limited trust risks
  – key compromise only affects customer tree of the node
• Cheap re-keying abilities
  – same as in bootstrapping
  – only a few keys exchanged between a few nodes
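The chain discovery and limited compromise scope described on the slides above, as an added example (not code from the presentation). The relation types and the extra off-topology signature are constructed for illustration, and each (signer, subject) pair stands for a key signature assumed to be cryptographically verified already.

```python
from collections import defaultdict

# Constructed topology: (a, b, relation), where "provider" means a is the
# provider of b. Relation types are assumptions, not read from the figure.
RELATIONS = [
    ("Verizon", "NTT", "peer"),
    ("Verizon", "VeriSign", "provider"),
    ("Verizon", "Hurricane", "provider"),
    ("NTT", "VeriSign*", "provider"),
    ("VeriSign", "VeriSign*", "provider"),
    ("Hurricane", "DynDNS", "provider"),
    ("Hurricane", "isohunt", "provider"),
]

# (signer, subject) key signatures, assumed already cryptographically verified.
SIGNATURES = [
    ("Verizon", "NTT"), ("Verizon", "VeriSign"), ("Verizon", "Hurricane"),
    ("NTT", "VeriSign*"), ("VeriSign", "VeriSign*"),
    ("Hurricane", "DynDNS"), ("Hurricane", "isohunt"),
    ("isohunt", "VeriSign*"),  # constructed: signer and subject are not neighbors
]


def signing_graph(require_topology=True):
    """Keep a signature only if signer and subject share a topological link."""
    linked = {frozenset((a, b)) for a, b, _ in RELATIONS}
    graph = defaultdict(list)
    for signer, subject in SIGNATURES:
        if require_topology and frozenset((signer, subject)) not in linked:
            continue  # a web-of-trust would accept this edge; this model drops it
        graph[signer].append(subject)
    return graph


def trust_chains(anchor, target, require_topology=True, max_len=6):
    """Return every loop-free certification path from the local anchor to target."""
    graph = signing_graph(require_topology)
    chains = []

    def walk(path):
        if path[-1] == target:
            chains.append(path)
            return
        if len(path) < max_len:
            for nxt in graph.get(path[-1], []):
                if nxt not in path:
                    walk(path + [nxt])

    walk([anchor])
    return sorted(chains)


def customer_tree(node):
    """Customer tree of `node`: the part of the graph a compromise of its key affects."""
    customers = defaultdict(set)
    for a, b, rel in RELATIONS:
        if rel == "provider":
            customers[a].add(b)
    seen, stack = set(), [node]
    while stack:
        for c in customers[stack.pop()] - seen:
            seen.add(c)
            stack.append(c)
    return seen


if __name__ == "__main__":
    for chain in trust_chains("Verizon", "VeriSign*"):
        print(" -> ".join(chain))
    print(sorted(customer_tree("Hurricane")))
```

With `require_topology=False` the same data yields a third chain through isohunt, which is the unrestricted web-of-trust behaviour the slides argue against.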


Trust information distribution methods

• In-band distribution
  – using soBGP-like SECURITY BGP message
  – by flooding within OSPF area or throughout OSPF domain
• Out-of-band distribution/management
  – DNSSEC-like infrastructure
    • can simplify analysis of trust relations
      – in case of problems
    • can be used as a primary key storage and management system
  – standard (familiar) way to store keys and delegate trust
  – could be hooked up with routing layer to provide information for in-band distribution


Multi-path trust graph


Why do we need multi-path chains?

• Chains give a uniform way to establish hierarchical relations
  – same network of trust
  – same formats
• There are orthogonal problems in routing security
  – routers authentication
  – resource authorization
  – limited provenance of router configurations

[Figure: graph with nodes A, B, C, D, E, F, G.]


Authentication chains

• Authenticate other areas in OSPF routing domain
• Authenticate other routers in OSPF area
• Authenticate routing updates, originated from the router


Binding chains

[Figure: two panels. "Authentication chains": elements "Key + name", "Key + name", "signature". "Binding (authorization) chains": elements "Key + name", "Key + name", "signature", "resource".]

Signature binds the resource with the identity


Routing resource authorization

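[Figure: name tree with node labels A, /ucla, CS, backbone, irl-gw, EE, east-wing, nrl-gw, annotated with prefix bindings:]

• 131.179.0.0/16 bound to /ucla/cs
• 131.179.196.0/24 bound to /ucla/cs/irl-gw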
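One way to validate a binding (authorization) chain for the two prefixes on this slide, as an added example that is not code from the presentation. The record layout, the /ucla anchor, the two rejected records (hypothetical names rogue-gw and stray-gw) and the policy of flagging more-specific announcements are assumptions; each record stands for a signature assumed to be verified already.

```python
import ipaddress

ANCHOR = "/ucla"  # assumed local anchor of trust

# subject name -> (signer name, bound prefix). The first two bindings are from
# the slide; the last two are constructed to show rejected chains.
BINDINGS = {
    "/ucla/cs": ("/ucla", "131.179.0.0/16"),
    "/ucla/cs/irl-gw": ("/ucla/cs", "131.179.196.0/24"),
    "/ucla/cs/rogue-gw": ("/ucla/cs", "192.0.2.0/24"),    # outside the signer's /16
    "/ucla/cs/stray-gw": ("/ucla/ee", "131.179.10.0/24"),  # signer is not an ancestor
}


def authorized_prefix(name, bindings=BINDINGS, anchor=ANCHOR):
    """Walk the binding chain from `name` up to the anchor.

    Returns the bound network if every step is valid, otherwise None. A step is
    valid when the subject's name extends the signer's name and the subject's
    prefix lies inside the prefix the signer itself is authorized for.
    """
    if name not in bindings:
        return None
    signer, prefix = bindings[name]
    net = ipaddress.ip_network(prefix)
    if not name.startswith(signer + "/"):
        return None  # hierarchy violated; also guarantees the recursion ends
    if signer == anchor:
        return net
    parent = authorized_prefix(signer, bindings, anchor)
    if parent is None or net.version != parent.version or not net.subnet_of(parent):
        return None
    return net


def check_announcement(name, prefix):
    """Classify a route announcement made under a router or domain name."""
    held = authorized_prefix(name)
    if held is None:
        return "no valid binding chain"
    announced = ipaddress.ip_network(prefix)
    if announced == held:
        return "authorized"
    if announced.version == held.version and announced.subnet_of(held):
        # the "/25 instead of /24" case from the threat list (assumed policy)
        return "more-specific than bound prefix"
    return "unauthorized prefix"


if __name__ == "__main__":
    for who, what in [
        ("/ucla/cs/irl-gw", "131.179.196.0/24"),
        ("/ucla/cs/irl-gw", "131.179.196.0/25"),
        ("/ucla/cs/irl-gw", "131.179.0.0/16"),
        ("/ucla/cs/rogue-gw", "192.0.2.0/24"),
    ]:
        print(who, what, "->", check_announcement(who, what))
```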


Routing configuration provenance

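[Figure: name tree with node labels A, /ucla, CS, backbone, irl-gw, EE, east-wing, nrl-gw, Admin, alex, pete, annotated with the scope each name covers:]

• All routers: /ucla/Admin
• All CS routers: /ucla/Admin/pete
• IRL router: /ucla/Admin/pete/alex
• IRL router: /ucla/…/alex/irl-gw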


Conclusions

• Names are of vital importance
  – people can understand only meaningful names
  – routing infrastructure needs advanced, meaningful management features
  – hierarchical names give these features
• Topological network of trust
  – derived based on implicit topological trust relations
  – freedom of the Web-of-Trust and determinism of PKI
  – knowledge of the topology for valid trust chain discovery
• Multi-path chains provide a uniform way to
  – authenticate routers,
  – authorize routing resources,
  – limited router configuration provenance


Research plan

• Define naming model conventions
• Implement secure intra-AS routing (OSPF)
  – based on the existing open-source code base
    • Quagga or XORP
• Evaluate implementation
  – overhead (protocol, processing, storage, deployment)
• Research optimization methods (overhead reduction)
  – selective verification
  – caching


Research plan (continued)

• Design secure inter-AS routing
  – extension for BGP protocol
    • has to be backward-compatible
  – again, based on existing code base


Questions?
