Routing Security - Network Security - Lecture Slides | ISA 656, Study notes of Cryptography and System Security

Download Routing Security - Network Security - Lecture Slides | ISA 656 and more Study notes Cryptography and System Security in PDF only on Docsity! Network Security - ISA 656 Routing Security Angelos Stavrou December 4, 2007 What is Routing Security? Routing Security What is Routing Security? History of Routing Security Why So Little Work? How is it Different? The Enemy’s Goal? Routing Protocols Routing in the Internet Inter-ISP Routing Link-Cutting Attack (Bellovin and Gansner) Defenses Conclusions 2 / 41 ■ Bad guys play games with routing protocols. ■ Traffic is diverted. ◆ Enemy can see the traffic. ◆ Enemy can easily modify the traffic. ◆ Enemy can drop the traffic. ■ Cryptography can mitigate the effects, but not stop them. How is it Different? Routing Security What is Routing Security? History of Routing Security Why So Little Work? How is it Different? The Enemy’s Goal? Routing Protocols Routing in the Internet Inter-ISP Routing Link-Cutting Attack (Bellovin and Gansner) Defenses Conclusions 5 / 41 ■ Most communications security failures happen because of buggy code or broken protocols. ■ Routing security failures happen despite good code and functioning protocols. The problem is a dishonest participant. ■ Hop-by-hop authentication isn’t sufficient. The Enemy’s Goal? Routing Security What is Routing Security? History of Routing Security Why So Little Work? How is it Different? The Enemy’s Goal? Routing Protocols Routing in the Internet Inter-ISP Routing Link-Cutting Attack (Bellovin and Gansner) Defenses Conclusions 6 / 41 Host A X Y Z Good: A−>X−>Y−>B Bad: A−>X−>Z−>Y−>B Host B But how can this happen? Routing Protocols Routing Security Routing Protocols Routing Protocols Normal Behavior But Z Can Lie Using a Tunnel for Packet Re-injection Why is the Problem Hard? Routing in the Internet Inter-ISP Routing Link-Cutting Attack (Bellovin and Gansner) Defenses Conclusions 7 / 41 ■ Routers speak to each other. ■ They exchange topology information and cost information. ■ Each router calculates the shortest path to each destination. ■ Routers forward packets along locally shortest path. ■ Attacker can lie to other routers. Using a Tunnel for Packet Re-injection Routing Security Routing Protocols Routing Protocols Normal Behavior But Z Can Lie Using a Tunnel for Packet Re-injection Why is the Problem Hard? Routing in the Internet Inter-ISP Routing Link-Cutting Attack (Bellovin and Gansner) Defenses Conclusions 10 / 41 Z’ X Z Host A Y Host BQ Why is the Problem Hard? Routing Security Routing Protocols Routing Protocols Normal Behavior But Z Can Lie Using a Tunnel for Packet Re-injection Why is the Problem Hard? Routing in the Internet Inter-ISP Routing Link-Cutting Attack (Bellovin and Gansner) Defenses Conclusions 11 / 41 ■ X has no knowledge of Z’s real connectivity. ■ Even Y has no such knowledge. ■ The problem isn’t the link from X to Z; the problem is the information being sent. (Note that Z might be deceived by some other neighbor Q.) Routing in the Internet Routing Security Routing Protocols Routing in the Internet Routing in the Internet OSPF (Open Shortest Path First) Characteristics of Internal Networks How Do You Secure OSPF? Address Authorization Certificate External Routing via BGP POP Topology Noteworthy Points Inter-ISP Routing Link-Cutting Attack (Bellovin and Gansner) Defenses Conclusions 12 / 41 ■ Two types, internal and external routing. ■ Internal (within ISP, company): primarily OSPF. ■ External (between ISPs, and some customers): BGP. ■ Topology matters. How Do You Secure OSPF? Routing Security Routing Protocols Routing in the Internet Routing in the Internet OSPF (Open Shortest Path First) Characteristics of Internal Networks How Do You Secure OSPF? Address Authorization Certificate External Routing via BGP POP Topology Noteworthy Points Inter-ISP Routing Link-Cutting Attack (Bellovin and Gansner) Defenses Conclusions 15 / 41 ■ Simple link security is hard: multiple-access net. ■ Shared secrets guard against new machines being plugged in, but not against an authorized party being dishonest. ■ Solution: digitally sign each routing update (expensive!). List authorizations in certificate. ■ Experimental RFC by Murphy et al., 1997. ■ Note: everyone sees the whole map; monitoring station can note discrepancies from reality. (But bad guys can send out different announcements in different directions.) Address Authorization Certificate Routing Security Routing Protocols Routing in the Internet Routing in the Internet OSPF (Open Shortest Path First) Characteristics of Internal Networks How Do You Secure OSPF? Address Authorization Certificate External Routing via BGP POP Topology Noteworthy Points Inter-ISP Routing Link-Cutting Attack (Bellovin and Gansner) Defenses Conclusions 16 / 41 ■ Each router has certain interfaces and hence direct network reachability ■ Each router therefore has a certificate binding its public key to its valid addresses ■ Note well: the CA has to know the proper addresses for each router ■ But that’s the norm in OSPF environments External Routing via BGP Routing Security Routing Protocols Routing in the Internet Routing in the Internet OSPF (Open Shortest Path First) Characteristics of Internal Networks How Do You Secure OSPF? Address Authorization Certificate External Routing via BGP POP Topology Noteworthy Points Inter-ISP Routing Link-Cutting Attack (Bellovin and Gansner) Defenses Conclusions 17 / 41 ■ No common management (hence no metrics beyond hop count). ■ No shared trust. ■ Policy considerations: by intent, not all paths are actually usable. Routing Security Routing Protocols Routing in the Internet Routing in the Internet OSPF (Open Shortest Path First) Characteristics of Internal Networks How Do You Secure OSPF? Address Authorization Certificate External Routing via BGP POP Topology Noteworthy Points Inter-ISP Routing Link-Cutting Attack (Bellovin and Gansner) Defenses Conclusions 20 / 41 InterISP Routing Routing Security Routing Protocols Routing in the Internet Inter-ISP Routing Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) Problems with SBGP Certificate Issuance Certificate Tree Authorization Certificates Signed Origin BGP Problems with SOBGP Happy Packets Link-Cutting Attack (Bellovin and Gansner) Defenses Conclusions 21 / 41 B W X Y Z L A C InterISP Routing Routing Security Routing Protocols Routing in the Internet Inter-ISP Routing Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) Problems with SBGP Certificate Issuance Certificate Tree Authorization Certificates Signed Origin BGP Problems with SOBGP Happy Packets Link-Cutting Attack (Bellovin and Gansner) Defenses Conclusions 22 / 41 ■ “Tier 1” ISPs are peers, and freely exchange traffic. ■ Small ISPs buy service from big ISPs. ■ Different grades of service: link L-Z is for customer access, not transit. C→B goes via L-Y-X-W, not L-Z-W. ■ A is multi-homed, but W-A-Z is not a legal path, even for backup. ■ BGP is distance vector, based on ISP hops. Announcement is full path to origin, not just metric. Long Prefixes and Loop-Free Routing Routing Security Routing Protocols Routing in the Internet Inter-ISP Routing Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) Problems with SBGP Certificate Issuance Certificate Tree Authorization Certificates Signed Origin BGP Problems with SOBGP Happy Packets Link-Cutting Attack (Bellovin and Gansner) Defenses Conclusions 25 / 41 ■ Routers ignore advertisements with their own AS number in the path ■ This is essential to provide loop-free paths ■ Routers use longest match on prefixes when calculating a path ■ These two facts can be combined to form an attack Longer Prefix Attack Routing Security Routing Protocols Routing in the Internet Inter-ISP Routing Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) Problems with SBGP Certificate Issuance Certificate Tree Authorization Certificates Signed Origin BGP Problems with SOBGP Happy Packets Link-Cutting Attack (Bellovin and Gansner) Defenses Conclusions 26 / 41 ■ Suppose B owns 10.0/16. Z sees 〈10.0/16, {W,B}〉 ■ A advertises 〈10.0.0/17, {A,W}〉 ■ Z will route packets for 10.0.0/17to A — it has a longer prefix ■ W will never see that path, and hence won’t pass it to B — the path (falsely) contains W, so it will be rejected by W Filtering Routing Security Routing Protocols Routing in the Internet Inter-ISP Routing Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) Problems with SBGP Certificate Issuance Certificate Tree Authorization Certificates Signed Origin BGP Problems with SOBGP Happy Packets Link-Cutting Attack (Bellovin and Gansner) Defenses Conclusions 27 / 41 ■ ISPs can filter route advertisements from their customers. ■ Doesn’t always happen: AS7007 incident, spammers, etc. ■ Not feasible at peering links. Certificate Issuance Routing Security Routing Protocols Routing in the Internet Inter-ISP Routing Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) Problems with SBGP Certificate Issuance Certificate Tree Authorization Certificates Signed Origin BGP Problems with SOBGP Happy Packets Link-Cutting Attack (Bellovin and Gansner) Defenses Conclusions 30 / 41 ■ Who issues prefix ownership certificates? ■ Address space comes from upstream ISP or RIRs ■ RIRs really are authoritative — hence they’re a monopoly ■ If an RIR makes a mistake, the prefix is off the air ■ Is this a risk worth taking? Certificate Tree Routing Security Routing Protocols Routing in the Internet Inter-ISP Routing Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) Problems with SBGP Certificate Issuance Certificate Tree Authorization Certificates Signed Origin BGP Problems with SOBGP Happy Packets Link-Cutting Attack (Bellovin and Gansner) Defenses Conclusions 31 / 41 ■ The RIRs (Regional Internet Registries) give addresses to big ISPs and big end users ■ Accordingly, the RIRs should issue certificates ■ (Really, it should be ICANN, but the politics of that are too painful) ■ Small ISPs and small customers get address space from their own ISPs ■ Every ISP is thus a certificate holder and a certificate issuer ■ These are authorization certificates, not identity certificates Authorization Certificates Routing Security Routing Protocols Routing in the Internet Inter-ISP Routing Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) Problems with SBGP Certificate Issuance Certificate Tree Authorization Certificates Signed Origin BGP Problems with SOBGP Happy Packets Link-Cutting Attack (Bellovin and Gansner) Defenses Conclusions 32 / 41 ■ The identity of the certificate holder is irrelevant ■ What matters is the authorization: the certificate contains IP address ranges ■ The signing party has its own certificate listing larger ranges of IP addresses, and hence the right to delegate them Happy Packets Routing Security Routing Protocols Routing in the Internet Inter-ISP Routing Path Vectors Policies Long Prefixes and Loop-Free Routing Longer Prefix Attack Filtering Secure BGP (Kent et al.) Problems with SBGP Certificate Issuance Certificate Tree Authorization Certificates Signed Origin BGP Problems with SOBGP Happy Packets Link-Cutting Attack (Bellovin and Gansner) Defenses Conclusions 35 / 41 ■ Philosophy: don’t worry too much about routing security ■ Crucial metric: do packets reach their destination? ■ What about confidentiality? If it matters, encrypt end-to-end ■ But what about traffic analysis? Link-Cutting Attack (Bellovin and Gansner) Routing Security Routing Protocols Routing in the Internet Inter-ISP Routing Link-Cutting Attack (Bellovin and Gansner) Link-Cutting Attack (Bellovin and Gansner) Is Link-Cutting Feasible? Sample Link-Cutting Attack Cost of Link-Cutting Attacks on the Backbone Defenses Conclusions 36 / 41 ■ Suppose that we have SBGP and SOSPF. ■ Suppose the enemy controls a few links or nodes. Can he or she force traffic to traverse those paths? ■ Yes. . . Is Link-Cutting Feasible? Routing Security Routing Protocols Routing in the Internet Inter-ISP Routing Link-Cutting Attack (Bellovin and Gansner) Link-Cutting Attack (Bellovin and Gansner) Is Link-Cutting Feasible? Sample Link-Cutting Attack Cost of Link-Cutting Attacks on the Backbone Defenses Conclusions 37 / 41 ■ Attacker must have network map. Easy for OSPF; probably doable for BGP—see “Rocketfuel” paper. ■ Can attacker determine peering policy? Unclear. ■ How can links be cut? Backhoes? “Ping of death”? DDoS attack on link bandwidth? Defenses Routing Security Routing Protocols Routing in the Internet Inter-ISP Routing Link-Cutting Attack (Bellovin and Gansner) Defenses Defenses Conclusions 40 / 41 ■ Hard to defend against—routing protocols are doing what they’re supposed to! ■ Keeping attacker from learning the map is probably infeasible. ■ Feed routing data into IDS? ■ Link-level restoration is a good choice, but can be expensive. ■ Others? Conclusions Routing Security Routing Protocols Routing in the Internet Inter-ISP Routing Link-Cutting Attack (Bellovin and Gansner) Defenses Conclusions Conclusions 41 / 41 ■ Routing security is a major challenge. ■ Mentioned specifically in White House Cybersecurity document. ■ Lots of room for new ideas.