DOC PREVIEW
Princeton COS 461 - Interdomain Routing Security

This preview shows page 1-2-3-20-21-22-41-42-43 out of 43 pages.

Save
View full document
View full document
Premium Document
Do you want full access? Go Premium and unlock all 43 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 43 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 43 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 43 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 43 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 43 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 43 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 43 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 43 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 43 pages.
Access to all documents
Download any document
Ad free experience

Unformatted text preview:

Interdomain Routing SecurityGoals of Today’s LecturesSecurity Goals for BGPBGP Session SecurityTCP Connection Underlying BGP SessionAttacks Against ConfidentialityAttacking Message IntegrityDenial-of-Service Attacks, Part 1Denial-of-Service Attacks, Part 2Exploiting the IP TTL FieldValidity of the routing information: Origin authenticationIP Address Ownership and HijackingPrefix HijackingHijacking is Hard to DebugSub-Prefix HijackingHow to Hijack a PrefixThe February 24 YouTube OutageTimeline (UTC Time)Slide 19Another Example: SpammersBGP AS PathBogus AS PathsSlide 23Slide 24Invalid PathsMissing/Inconsistent RoutesBGP Security TodayProposed Enhancements to BGPS-BGP Secure Version of BGPS-BGP Deployment ChallengesIncrementally Deployable SchemesWhat About Packet Forwarding?Control Plane Vs. Data PlaneData-Plane Attacks, Part 1Data-Plane Attacks, Part 2Fortunately, Data-Plane Attacks are HarderWhat’s the Internet to Do?BGP is So VulnerableBGP is So Hard to FixConclusionsEncrypting and Decrypting With KeysAuthenticating the Sender and ContentsPublic Key Infrastructure (PKI)1Interdomain Routing SecurityCOS 461: Computer NetworksSpring 2008 (MW 1:30-2:50 in COS 105)Jennifer RexfordTeaching Assistants: Sunghwan Ihm and Yaping Zhuhttp://www.cs.princeton.edu/courses/archive/spring08/cos461/2Goals of Today’s Lectures•BGP security vulnerabilities–TCP sessions–Prefix ownership–AS-path attribute•Improving BGP security–Protective filtering–Cryptographic variant of BGP–Anomaly-detection schemes•Data-plane attacks•Difficulty in upgrading BGP3Security Goals for BGP•Secure message exchange between neighbors–Confidential BGP message exchange–No denial of service•Validity of the routing information–Origin authenticationIs the prefix owned by the AS announcing it?–AS path authenticationIs AS path the sequence of ASes the BGP update traversed?–AS path policy Does the AS path adhere to the routing policies of each AS?•Correspondence to the data path–Does the traffic follow the advertised AS path?4BGP Session Security5TCP Connection Underlying BGP Session•BGP session runs over TCP–TCP connection between neighboring routers–BGP messages sent over TCP connection–Makes BGP vulnerable to attacks on TCP•Main kinds of attacks–Against confidentiality: eavesdropping–Against integrity: tampering–Against performance: denial-of-service•Main defenses–Message authentication or encryption–Limiting access to physical path between routers–Defensive filtering to block unexpected packets6Attacks Against Confidentiality•Eavesdropping –Monitoring the messages on the BGP session–… by tapping the link(s) between the neighbors•Reveals sensitive information–Inference of business relationships–Analysis of network stability•Reasons why it may be hard–Challenging to tap the linkOften, eBGP session traverses just one link… and may be hard to get access to tap it–Encryption may obscure message contentsBGP neighbors may run BGP over IPSecBGP sessionphysical link7Attacking Message Integrity•Tampering–Man-in-the-middle tampers with the messages–Insert, delete, modify, or replay messages•Leads to incorrect BGP behavior–Delete: neighbor doesn’t learn the new route–Insert/modify: neighbor learns bogus route•Reasons why it may be hard–Getting in-between the two routers is hard–Use of authentication (signatures) or encryption–Spoofing TCP packets the right way is hardGetting past source-address packet filtersGenerating the right TCP sequence number8Denial-of-Service Attacks, Part 1•Overload the link between the routers–To cause packet loss and delay–… disrupting the performance of the BGP session•Relatively easy to do–Can send traffic between end hosts–As long as the packets traverse the link–(which you can figure out from traceroute)•Easy to defend–Give higher priority to BGP packets–E.g., by putting packets in separate queueBGP sessionphysical link9Denial-of-Service Attacks, Part 2•Third party sends bogus TCP packets–FIN/RST to close the session–SYN flooding to overload the router•Leads to disruptions in BGP–Session reset, causing transient routing changes–Route-flapping, which may trigger flap damping•Reasons why it may be hard–Spoofing TCP packets the right way is hardDifficult to send FIN/RST with the right TCP header–Packet filters may block the SYN floodingFilter packets to BGP port from unexpected source… or destined to router from unexpected source10Exploiting the IP TTL Field•BGP speakers are usually one hop apart–To thwart an attacker, can check that the packets carrying the BGP message have not traveled far•IP Time-to-Live (TTL) field–Decremented once per hop–Avoids packets staying in network forever•Generalized TTL Security Mechanism (RFC 3682)–Send BGP packets with initial TTL of 255–Receiving BGP speaker checks that TTL is 254–… and flags and/or discards the packet others•Hard for third-party to inject packets remotely11Validity of the routing information:Origin authentication12IP Address Ownership and Hijacking•IP address block assignment–Regional Internet Registries (ARIN, RIPE, APNIC)–Internet Service Providers•Proper origination of a prefix into BGP–By the AS who owns the prefix–… or, by its upstream provider(s) in its behalf•However, what’s to stop someone else?–Prefix hijacking: another AS originates the prefix–BGP does not verify that the AS is authorized–Registries of prefix ownership are inaccurate13Prefix Hijacking123456712.34.0.0/1612.34.0.0/16•Consequences for the affected ASes–Blackhole: data traffic is discarded–Snooping: data traffic is inspected, and then redirected–Impersonation: data traffic is sent to bogus destinations14Hijacking is Hard to Debug•Real origin AS doesn’t see the problem–Picks its own route–Might not even learn the bogus route•May not cause loss of connectivity–E.g., if the bogus AS snoops and redirects–… may only cause performance degradation•Or, loss of connectivity is isolated–E.g., only for sources in parts of the Internet•Diagnosing prefix hijacking–Analyzing updates from many vantage points–Launching traceroute from many vantage points15Sub-Prefix Hijacking123456712.34.0.0/1612.34.158.0/24•Originating a more-specific prefix–Every AS picks the bogus route for that prefix–Traffic follows the longest matching


View Full Document

Princeton COS 461 - Interdomain Routing Security

Documents in this Course
Links

Links

39 pages

Lecture

Lecture

76 pages

Switches

Switches

35 pages

Lecture

Lecture

42 pages

Links

Links

39 pages

Lecture

Lecture

34 pages

Topology

Topology

42 pages

Lecture

Lecture

42 pages

Overview

Overview

42 pages

Sockets

Sockets

45 pages

Load more
Download Interdomain Routing Security
Our administrator received your request to download this document. We will send you the file to your email shortly.
Loading Unlocking...
Login

Join to view Interdomain Routing Security and access 3M+ class-specific study document.

or
We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view Interdomain Routing Security 2 2 and access 3M+ class-specific study document.

or

By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?