Purdue CS 59000 - Lecture notes
Cristina Nita-Rotaru, Spring 2004 / Lecture 11

Security Topics in Networking and Distributed Systems
CS 590D
Lecture 11: Security of BGP
Department of Computer Sciences, Purdue University

References
• Secure Border Gateway Protocol (S-BGP). Stephen Kent, Charles Lynn and Karen Seo, JSAC 2000.

A Network of Networks
• The Internet is a “network of networks”
• Autonomous System (AS): a network under a single administrative domain; it can span more than one organization
• How do those networks connect?
– Internet Exchange (IX)
– Network Access Points (NAP)
– Metropolitan Area Exchange (MAE)

Getting on the Net
• An Internet Service Provider (ISP) provides access to the Internet
• Several types of ISPs depending on size, transit/peering and multihoming
• Transit: carrying packets for other ISPs
• Peering: two ISPs of about the same size exchange traffic
• Multihoming: being connected to multiple networks

Finding the Way Through the Net
• IP address: identifies a computer (IPv4: 32 bits, IPv6: 128 bits)
• Routing protocols: propagate information about routes to reach hosts (IP addresses) or networks (IP prefixes)
• Algorithms:
– Distance-vector protocols
– Link-state protocols
– Path-vector protocols
• Relative to an AS:
– inter-routing: RIP, IGRP, OSPF
– intra-routing: BGP

Link-State Routing
• Each node:
– Maintains a global view of the network.
– Periodically sends the current state of all its links (link-state updates or advertisements) to all nodes (via flooding).
– Notes any change and recomputes its routes to each destination (shortest path, Dijkstra's algorithm).
• Less bandwidth-intensive than distance-vector, but more complex and more computation- and memory-intensive.
• Example: OSPF uses link-state routing.

Distance-Vector Routing
• Each node:
– Maintains a vector with distances to all of the nodes.
– Periodically sends its distance vector to all its neighbors.
– Updates its distance vector based on the information received from the neighbors (shortest path, Bellman-Ford): for each network path, the receiving router picks the neighbor advertising the lowest cost, then adds this entry to its routing table for re-advertisement.
• Example: RIP uses distance-vector routing.

Path Vectors
• Similar to distance-vector protocols
• BUT: routing updates contain an ordered list of the traversed “nodes” (the path)

BGP
• Path-vector protocol: routing updates (UPDATE messages) contain an ordered list, the AS path, of traversed autonomous systems and a set of network prefixes belonging to the first AS in the list
• BGP uses TCP to exchange routing updates
• Each BGP router receives UPDATEs from its neighbors, selects one path for each prefix as the “best”, and reports that path to its neighbors (before that it has to withdraw the “old” path)
• Selecting the “best path”: policies, local preference, shortest AS path, other metrics

Some Statistics…
• BGP routing tables: ~125K address prefixes mapping to about 17-18K paths
• BGP routers: ~10K
• How many organizations own an AS? ~2K
• How many organizations own prefixes? ~60K
• Path length for a route:
– Average AS path length for a route is about 3.7
– 50% of routes have a length < 4 ASes
– About 95% have a length < 5

UPDATE Messages (4096 bytes)
• The AS that knows how to reach a prefix of IP addresses directly will be the first AS in the list (in UPDATE messages)
• When receiving an UPDATE message, an AS updates its own routing table, then propagates the update about new routes after adding itself to the list of ASes
• Each AS along the path must be authorized by the preceding AS to advertise the prefixes contained in the UPDATE message
• A route may be withdrawn only by the neighbor AS that advertised it

Threats
• BGP does not use any security mechanisms at all
• Misconfiguration: an ISP advertises addresses that it does not know how to reach; consequence: packets get dropped.
• A malicious attacker who injects or modifies update packets, or withdraws routes, has the same effect.

Solution
• Authentication of the source of packets?
• Data integrity?
NEEDED BUT NOT ENOUGH!

…Because…
• IP addresses are owned by organizations
• An AS can span more than one organization
• An AS must be authorized by the organization that owns a set of IP addresses to advertise them
• Each AS along the path must be authorized by the preceding AS to advertise the prefixes contained in the UPDATE message

WHAT IS NEEDED?
• A BGP speaker should be able to verify:
– The owner of each prefix authorized the origin AS to advertise that prefix
– Each subsequent AS in the path has been authorized by the preceding AS to advertise a route to that prefix
– The neighbor withdrawing a route is the advertiser of that route

S-BGP
• Secures the BGP traffic by using IPsec, ESP mode with no encryption (provides authentication and integrity)
• Uses a Public Key Infrastructure to provide an authorization for the mapping between address space and AS
• Uses digital signatures to bind authorization information to UPDATE messages

PKI Support
• Goal: bind the relationship among Internet registries, ISPs and subscribers
• X.509 certificates are issued to ISPs and subscribers to identify the “owners” of ASes and prefixes

Attestations
• Address Attestation: issued by the “owner” of one or more prefixes, to identify the origin AS authorized to advertise the prefixes
• Route Attestation: issued by an S-BGP speaker, to authorize neighbor ASes to use the route in the UPDATE message it will issue

PKI Distribution
• How to distribute the certificates?
• How about the CRLs?
• On-line vs. out-of-band
• What about attestations?
– Address attestations
– Route attestations
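The three checks on the "WHAT IS NEEDED?" slide, carried out with the address and route attestations the S-BGP slides describe, as an added example (not code from the lecture or from the S-BGP paper). The AS numbers, prefix and keys are constructed, and HMAC with a per-entity key stands in for the X.509-certified digital signatures S-BGP actually uses, so the verification logic runs on the standard library alone.

```python
import hashlib, hmac

# Constructed demo keys. In S-BGP each AS and each prefix owner holds an X.509-certified
# key pair; HMAC with a per-entity key stands in for the signatures so this runs on stdlib.
KEYS = {"owner:10.1.0.0/16": b"owner-key", "AS100": b"k100", "AS200": b"k200", "AS300": b"k300"}

def sign(signer, payload):
    return hmac.new(KEYS[signer], payload.encode(), hashlib.sha256).hexdigest()

def address_attestation(prefix, origin_as):
    # Issued by the prefix owner: authorizes origin_as to originate the prefix.
    return {"prefix": prefix, "origin": origin_as, "sig": sign("owner:" + prefix, f"AA|{prefix}|{origin_as}")}

def route_attestation(signer_as, prefix, path, next_as):
    # Issued by an S-BGP speaker as it sends the UPDATE: binds the AS path (ending in
    # the signer) to the one neighbor allowed to use and re-advertise the route.
    return {"as": signer_as, "next": next_as, "sig": sign(signer_as, f"RA|{prefix}|{'>'.join(path)}|{next_as}")}

def originate(origin_as, prefix, aa, next_as):
    return {"prefix": prefix, "as_path": [origin_as], "address_attestation": aa,
            "route_attestations": [route_attestation(origin_as, prefix, [origin_as], next_as)]}

def propagate(update, my_as, next_as):
    # Receiving AS appends itself to the path (as_path[0] stays the origin) and adds its own RA.
    path = update["as_path"] + [my_as]
    ras = update["route_attestations"] + [route_attestation(my_as, update["prefix"], path, next_as)]
    return {**update, "as_path": path, "route_attestations": ras}

def verify_update(update, receiver_as):
    prefix, path, ras, aa = (update[k] for k in ("prefix", "as_path", "route_attestations", "address_attestation"))
    # Check 1: the prefix owner authorized the origin AS (as_path[0]) to advertise the prefix.
    owner = "owner:" + prefix
    if owner not in KEYS or (aa["prefix"], aa["origin"]) != (prefix, path[0]) \
            or not hmac.compare_digest(aa["sig"], sign(owner, f"AA|{prefix}|{path[0]}")):
        return False, "origin AS not authorized by prefix owner"
    # Check 2: every AS on the path authorized the next AS (finally, the receiver) to use the route.
    if len(ras) != len(path):
        return False, "route attestation count does not match AS path"
    for i, ra in enumerate(ras):
        nxt = path[i + 1] if i + 1 < len(path) else receiver_as
        if path[i] not in KEYS or (ra["as"], ra["next"]) != (path[i], nxt) \
                or not hmac.compare_digest(ra["sig"], sign(path[i], f"RA|{prefix}|{'>'.join(path[:i + 1])}|{nxt}")):
            return False, f"{path[i]} did not authorize {nxt} for this path"
    return True, "ok"
PREFIX = "10.1.0.0/16"
AA = address_attestation(PREFIX, "AS100")
# AS100 originates the prefix to AS200, which propagates it to AS300.
UPDATE_AT_AS300 = propagate(originate("AS100", PREFIX, AA, "AS200"), "AS200", "AS300")
# An injected UPDATE (the Threats slide's case) in which AS300 claims the prefix as its own origin.
INJECTED = originate("AS300", PREFIX, AA, "AS200")
```

`verify_update(UPDATE_AT_AS300, "AS300")` accepts the legitimate route, while the injected UPDATE, the same UPDATE replayed to an AS that AS200 never authorized, and a shortened AS path are all rejected; the withdrawal check (third bullet) follows from the same per-neighbor binding and is not shown separately.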