Routing Security Economics


Steven M. Bellovin
http://www.cs.columbia.edu/~smb
Columbia University
January 18, 2007

What is Routing Security?
How is it Different?
Lying Routers
Problems Caused
Costs
Cost of Defenses
Deaggregation
Economic Choices

What is Routing Security?

■ Bad guys play games with routing protocols.
■ Traffic is diverted.
  ◆ Enemy can see the traffic.
  ◆ Enemy can easily modify the traffic.
  ◆ Enemy can drop the traffic.
■ End-to-end cryptography can mitigate the effects, but not prevent them.

How is it Different?

■ Most communications security failures happen because of buggy code or broken protocols.
■ Routing security failures happen despite good code and functioning protocols. The problem is a dishonest participant.
■ Hop-by-hop authentication isn't sufficient.

Lying Routers

[Figure: network diagram with nodes X, Y, Z and W, Site A and Site B, labelled with the announcements Y->X: B{Y,W}, Y->Z: B{Y,W} and Z->X: B{Z}.]

Problems Caused

■ Reachability
■ Spoofing
■ Denial of service
■ Spam or other attacks
■ Traffic analysis

Costs

■ Cost of dealing with the attacks (what is traffic privacy worth?)
■ Cost of clean-up
■ Cost of route advertisement filtering

Cost of Defenses

■ All proposed defenses involve lots of cryptography, and frequently public key cryptography
■ This implies capital expenditures for router upgrades: memory, CPU power, modular exponentiation hardware, etc.
■ Most Internet users get IP address ranges from their ISPs; this means that ISPs need to
  1. Obtain certificates for their own address ranges
  2. Operate (or outsource) a CA and help desk to issue address-based certificates to their customers

Deaggregation

■ Routers use a "longest prefix" match to select a routing table entry
■ Some sites are advertising redundant, longer prefixes to forestall (inadvertent?) attacks
■ Example: AT&T currently advertises 12.0.0.0/8, 12.0.0.0/9, and 12.128.0.0/9
■ Result: three RIB entries instead of one; more importantly, two FIB entries instead of one
■ (Note: this was the direct consequence of a routing incident in 2005.)
■ What if they need to switch to 256 /16s? (Some of that already for traffic engineering and multihoming.)

Economic Choices

Do nothing: Continue to absorb the cost of attacks — low thus far, except for spam, but the spammers currently favor botnets.

Full-scale crypto: ISPs spend a lot — can they recover their costs? None of the proposed solutions provide economic incentives for early adopters. (Of course, without ISP demand, vendors haven't built any hardware.)

Deaggregation: The cost of deaggregating is low for the originator, but it increases everyone else's costs. Furthermore, we are seeing increasing pressure on router FIB sizes for other
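
The Deaggregation slide's numbers, worked through as an added example (not code from the slides): a longest-prefix lookup over the three advertised prefixes, with and without a conflicting /9 from a second origin. The origin labels, the conflicting announcement, the destination address and the FIB model (a prefix fully covered by more-specifics is dropped) are assumptions made for the illustration.

```python
import ipaddress

def net(p):
    return ipaddress.ip_network(p)

def best_match(rib, dst):
    """Longest-prefix match over (prefix, origin) announcements.

    Returns (prefix, origins) for the most specific covering prefix, or None.
    More than one origin means prefix length alone no longer decides.
    """
    addr = ipaddress.ip_address(dst)
    covering = [(p, o) for p, o in rib if addr in p]
    if not covering:
        return None
    longest = max(p.prefixlen for p, _ in covering)
    winners = [(p, o) for p, o in covering if p.prefixlen == longest]
    return winners[0][0], {o for _, o in winners}

def fib_prefixes(rib):
    """Prefixes still selectable for forwarding (assumed model: a prefix
    whose whole range is covered by more-specifics is never the longest match)."""
    prefixes = {p for p, _ in rib}
    kept = []
    for p in prefixes:
        more_specific = [q for q in prefixes if q != p and q.subnet_of(p)]
        if list(ipaddress.collapse_addresses(more_specific)) != [p]:
            kept.append(p)
    return sorted(kept)

# Prefixes from the slide; origin labels are constructed.
AGGREGATE = [(net("12.0.0.0/8"), "holder")]
DEAGGREGATED = AGGREGATE + [(net("12.0.0.0/9"), "holder"),
                            (net("12.128.0.0/9"), "holder")]
# Constructed conflicting announcement from a different origin.
CONFLICT = (net("12.0.0.0/9"), "other")

if __name__ == "__main__":
    dst = "12.1.2.3"  # constructed destination inside 12.0.0.0/8
    print("aggregate only :", best_match(AGGREGATE + [CONFLICT], dst))
    print("deaggregated   :", best_match(DEAGGREGATED + [CONFLICT], dst))
    print("RIB prefixes   :", len({p for p, _ in DEAGGREGATED}))
    print("FIB prefixes   :", [str(p) for p in fib_prefixes(DEAGGREGATED)])
    print("as /16s        :", len(list(net("12.0.0.0/8").subnets(new_prefix=16))))
```

With only the /8 advertised, the conflicting /9 is the sole longest match; with the /9s advertised, both origins contend at the same length, so the holder has paid three RIB entries for a tie rather than a guarantee, and going to /16s would cost 256.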

