BGP Security in Partial Deployment Is the Juice Worth the Squeeze? 1 Robert Lychev Sharon Goldberg Michael Schapira Georgia Tech Boston University Boston University Hebrew University
Jan 04, 2016
1
BGP Security in Partial Deployment
Is the Juice Worth the Squeeze?Robert Lychev Sharon Goldberg Michael
SchapiraGeorgia TechBoston University
Boston University Hebrew University
How Secure is Today’s Internet Routing?
February 2008: Pakistan Telecom hijacks YouTube!
YouTube
Pakistan Telecom
Telnor Pakistan
Aga KhanUniversity
MultinetPakistan
The Internet
I’m YouTube:IP 208.65.153.0/22
How Secure is Today’s Internet Routing?What should have happened…
YouTube
Pakistan Telecom
Telnor Pakistan
Aga KhanUniversity
MultinetPakistan
I’m YouTube:IP 208.65.153.0/22
X
drop packets
YouTube
Pakistan Telecom
Telnor Pakistan
Aga KhanUniversity
MultinetPakistan
I’m YouTube:IP 208.65.153.0/22
PakistanTelecom
No, I’m YouTube!IP
208.65.153.0/24
How Secure is Today’s Internet Routing?What did happen
5
Nov 2013
Rare Occurances? Not Really!
7
Outline
1. Background:
1. BGP, RPKI, BGPSEC
2. routing policies in BGPSEC partial deployment
2. BGPSEC in partial deployment is tricky
3. Is the juice worth the squeeze?
4. Summary
The Inter-Net:A Network of Networks
Microsoft
Verizon
Comcast
AT&T
Over 45,000 Autonomous Systems (ASes)
Border Gateway Protocol (BGP)
99
Sprint
2828
4323
D69.63.176.0/24
D69.63.176.0/24
2828, D69.63.176.0/24
4323, 2828, D69.63.176.0/24
A
Sprint, 4323, 2828, D69.63.176.0/24
The “1-hop hijack”
1010
Sprint
2828
4323
D69.63.176.0/24
Which route to choose?Use routing policies.
e.g. “Prefer short paths”
4323, 2828, D69.63.176.0/24
?
A
A, D69.63.176.0/24
Prefix Hijack
1111
Sprint
2828
4323
D69.63.176.0/24
Which route to choose?Use routing policies.
e.g. “Prefer short paths”
4323, 2828, D69.63.176.0/24
?
A
A69.63.176.0/24
69.63.176.0/24
A, D69.63.176.0/24
A
A69.63.176.0/24
RPKI Prevents Prefix Hijacks
1212
Sprint
2828
4323
D69.63.176.0/24RPKI
Binds prefixes to ASes authorized to originate them.
XRPKI invalid!
Sprint checks thatA is not authorized for 69.63.176.0/24
69.63.176.0/24
13
BGP RPKI (origin authentication)
BGPSEC
S
4323,2828, FB, prefix
S
2828, FB, prefix
S
SP, 4323, 2828, FB, prefix
Sec
uri
ty B
enef
its
or
Juic
e
prevent prefix hijacks
assume RPKI is fully deployed, and focus on 1-hop hijack.
Partial Landscape of BGP Defenses
prevent route
manipulations
A
S
SP, A, D, prefix
A, D, prefixXBGPSEC invalid!
BGPSEC Prevents the “1-hop hijack”
1414
Sprint
2828
4323
D69.63.176.0/24
P/S
P/S
P/S
P/S
S
4323,2828, D, prefix
S
2828, D, prefix
S
SP, 4323, 2828, D, prefix
S
2828, D, prefix
S
4323, 2828, D
, pre
fix
2828, D, p
refix
S
P/S
?Sprint can verify that
D never sent
A, D prefixS
RPKI
What happens when BGP andBGPSEC coexist?
15
BGP RPKI (origin authentication)
BGPSEC
S
4323,2828, FB, prefix
S
2828, FB, prefix
S
SP, 4323, 2828, FB, prefix
Sec
uri
ty B
enef
its
or
Juic
e
prevent prefix hijacks
assume RPKI is fully deployed, and focus on 1-hop hijack.
Partial Landscape of BGP Defenses
prevent route
manipulations
A
What Happens in Partial BGPSEC Deployment?
1616
Sprint
2828
4323
DSiemens
69.63.176.0/24
P/S
P/S
P/S
P/S
Should Sprint choose the long secure path ORthe short insecure one?
P/S
P/S
?Secure ASes must accept legacy
insecure routes
Depends on the interaction between BGPSEC and routing policies!
RPKI
S
4323,2828, D, prefix
S
2828, D, prefix
S
SP, 4323, 2828, D, prefix
A, D69.63.176.0/24
17
BGP Decision Process
1. local preference
(often based on business relationships with neighbors)
2. prefer short routes
…
3. break ties in a consistent manner
18
Security 1st
1. local preference (cost)
(often based on business relationships with neighbors)
Security 2nd
2. prefer short routes (performance)
Security 3rd
3. break ties in a consistent manner
How to Prioritize Security?
Survey of 100 network operators shows that 10%, 20% and 41% would place security 1st, 2nd, and 3rd, [Gill, Schapira, Goldberg’12]
SecurityCost,Performance
Security
Cost,Performance
19
Our Routing Model
Security 1st
1. local preference (cost)
(prefer customer routes over peer over provider routes)
Security 2nd
2. prefer short routes (performance)
Security 3rd
3. break ties in a consistent manner
To simulate routing outcomes, we use a concrete model of local preference. [Gao-Rexford’00, Huston’99, etc.]
We test the robustness of this local pref model.
20
Outline
1. Background: BGP, RPKI, BGPSEC, routing policies
2. BGPSEC in partial deployment is tricky
1. Protocol downgrade attacks
2. Collateral damages
3. Routing instabilities
3. Is the Juice worth the squeeze?
4. Summary
A
Protocol Downgrade Attack, Security 3rd!
2121
Sprint
2828
4323
D 69.63.176.0/24
P/S
P/S
P/S
S
4323,2828, D, prefix
S
2828, D, prefix
S
SP, 4323, 2828, D, prefix
P/S
Security 3rd: Path length trumps
path security!?
Protocol downgrade attack: Before the attack, Sprint has a legitimate secure route.During the attack, Sprint downgrades to an insecure bogus route .
A, D69.63.176.0/24
22
Partial Deployment is Very Tricky!
We prove… No protocol downgrades?
No collateral damages?
No instabilities?
Security 1st
Security 2nd
Security 3rd
A2828
4323
D
Siemens
69.63.176.0/24
P/S
P/S
P/S
A, D69.63.176.0/24
P/S
?Protocol downgrade attack: A secure AS with a secure route before the attack, downgrades to an insecure bogus route during the attack.
Sprint
P/S
Collateral Damages; Security 2nd
325720960
56173356
5214212389
M
prefix
10310
404267922
174
3491
P/S
P/S
P/S
P/S
P/S
Collateral Damages; Security 2nd
W
XZ
Y
M
Before X deploys BGPSEC
?X offers the shorter path
?Shorter path!
prefix D
V
P/S
P/S
P/S
P/S
P/S
Secure ASes: 5Happy ASes: 8
Collateral Damages; Security 2nd
W
X VZ
Y
M
?W offers the shorter path!
?Security 2nd:Security trumps
path length!
Y experiences collateral damage because X is secure!
P/S
P/S
P/S
P/S
P/S
Secure ASes: 6Happy ASes: 7
After X deploys BGPSEC
prefix D
P/S
26
Partial Deployment is Very Tricky!
We prove… No protocol downgrades?
No collateral damages?
No instabilities?
Security 1st Security 2nd Security 3rd
325720960
56173356
5214212389
A
?
?
5617
Collateral damage (during the attack): More secure ASes leads to more insecure ASes choosing bogus routes
10310
40426
7922
174
3491
prefix
P/S
P/S
P/S
P/S
P/S
P/S
27
We prove… No protocol downgrades?
No collateral damages?
No instabilities?
Security 1st Security 2nd Security 3rd
Partial Deployment is Very Tricky!
Theorem: Routing converges to a unique stable state if all ASes use the same secure routing policy model.
But, if they don’t, there can be BGP Wedgies and oscillations.
28
Outline
1. Background: BGP, RPKI, BGPSEC, routing policies
2. BGPSEC in partial deployment is tricky
3. Is the Juice worth the Squeeze?
1. Can we efficiently select the optimal set of secure ASes?
2. Can we bound security benefits invariant to who is secure?
3. Is the BGPSEC juice worth the squeeze given RPKI?
4. Summary
∑
all Aall d
Let S be the set of ASes deploying BGPSEC,
A be the attacker and d be the destination
Our metric is the average of the set of Happy ASes
Happy S , ,
Quantifying Security: A Metric
| Happy(S, A, d)| = 7
|V| 3
1Metric(S) =
prefix
325720960
56173356
52142
12389
?
10310
d7922
5617 174
3491
A
A d prefix
30
Problem: find set S of secure ASes that maximizes
s. t. |S| = k, for a fixed attacker A and destination d
Theorem:
This problem is NP-hard for all three routing models.
Happy S , ,
It is Hard to Decide Whom to Secure
A d prefix
A
Bounding Security Metric. Security 3rd
3131
Sprint
2828
4323
DSiemens
69.63.176.0/24
A, D69.63.176.0/24
The bogus path is shorter!
A
Bounding Security Metric. Security 3rd
3232
Sprint
2828
4323
DSiemens
P/S
Sprint is doomed The bogus path is shorter!
P/S
P/S
P/S
P/S
Regardless of who is secure, Sprintwill select the shorter bogus route!
69.63.176.0/24
A, D69.63.176.0/24
A
Bounding Security Metric. Security 3rd
3333
Sprint
2828
4323
DSiemens
P/S
P/S
P/S
P/S
P/S
69.63.176.0/24
A, D69.63.176.0/24
The legitimate path is shorter!
Sprint is doomed The bogus path is shorter!
A
Bounding Security Metric. Security 3rd
3434
Sprint
2828
4323
DSiemens
69.63.176.0/24
2828 and 4323are immune
The legitimate path is shorter!
A, D69.63.176.0/24
Regardless of who is secure, 4323 and 2828 will select legitimate routes!
Sprint is doomed The bogus path is shorter!
35
∑
all Aall d
Problem: Find upper and lower bound on
Different Idea: Bound Security Benefits!
Key observation. Regardless of who is secure:1. Doomed ASes will always choose bogus routes2. Immune ASes will always choose legitimate routes
Lower bound on Metric(S) = fraction of immune ASes Upper bound on Metric(S) = 1 – fraction of doomed ASes
Happy S , , |V| 3
1Metric(S) = A d prefix
36
Security Benefits Bounds over RPKI
lower boundwith RPKI
17%
upper boundwith BGPSEC
In the most realistic security 3rd model, the best we could do is make extra 17% happy with security!
53%
36%47%
Ave
rag
e F
ract
ion
of H
ap
py
AS
es
results based on simulations on empirical AS-level graphs
37
lower boundwith RPKI
17%53%
36%47%
Securing 113 High Degree ASes & their Stubs
Securing 50% of ASes on the Internet
Improvements in the security 3rd and 2nd models are only 4% and 8% respectively.
24%
Ave
rag
e F
ract
ion
of H
ap
py
AS
es
results based on simulations on empirical AS-level graphs
38
BGP RPKI (origin authentication)
BGPSEC
S
4323,2828, FB, prefix
S
2828, FB, prefix
S
SP, 4323, 2828, FB, prefix
Sec
uri
ty B
enef
its
or
Juic
e
prevent prefix
hijack
Unless Security is 1st or BGPSEC deployment is very large, security benefits from partially deployed BGPSEC are meagre
Typically little observable difference between Sec 2nd and 3rd
So Is the Juice Worth the Squeeze?
prevent route
manipulations
BGP and BGPSECcoexistence: very tricky
*protocol downgradescollateral damagesrouting instabilities
Ongoing and Future Research:New Paradigms
1. A grassroots approach to routing security anonymity service in lieu of a PKI
2. Outsourcing interdomain routing to a non-trusted center
via Secure MultiParty Computation (SMPC)
40
THANK YOU
check out the full version at http://arxiv.org/abs/1307.2690
1 Proofs2 More empirical analysis and plots3 Robustness tests4 BGPSEC deployment guidelines
41
Graph: A UCLA AS-level topology from 09-24-2012 39K ASes, 73.5K and 62K customer-provider and peer links
For each attacker-destination pair, simulated routing and determined the sets of doomed and immune ASes
Quantified security-benefit improvements for many different BGPSEC deployment scenarios
Robustness Tests added 550K extra peering links inferred from IXP data on 09-24-2012
accounted for traffic patterns by focusing on only certain destinations (e.g. content providers) and attackers
currently repeating all analysis with respect to different local pref models
Our Methodology
A
Bounding Security Metric. Security 3rd
4242
Sprint
2828
4323
DSiemens
69.63.176.0/24
2828 and 4323are immune
The legitimate path is shorter!
Sprint is doomed The bogus path is shorter!
Only Siemans is neither doomed nor immune!
A, D69.63.176.0/24
A
Bounding Security Metric. Security 3rd
4343
Sprint
2828
4323
DSiemens
P/S
2828 and 4323are immune
The legitimate path is shorter!
Sprint is doomed The bogus path is shorter!
P/S
P/S
P/S
P/S
Regardless of who is secure, only Siemans can benefits from BGPSEC!
Only Siemans is neither doomed nor immune!
69.63.176.0/24
A, D69.63.176.0/24
44
Security Benefits Bounds over RPKI
lower boundwith RPKI
53%
17%79%
upper boundwith BGPSEC
In the most realistic security 3rd model, the best we could do is make extra 17% happy with security!
10%
30%11%
upper boundwith BGPSEC
45
Securing 113 top Tier and their Stubs
lower boundwith RPKI
53%
Improvements in the security 3rd and 2nd models are only 4% and 8% respectively.
10%
30%11%
17%79%
Securing 50% of the Internet
24%
46
we highlight operational issues of BGPSEC partial deployment
results are not meant to be predictive, but our trends are robust
Final Remarks
47
Network administrators have to agree on security prioritization otherwise, unpredictable routing behavior may be encountered
ASes deploying BGPSEC experience noticeable security benefit improvements when routing to secure destinations secure islands could form with different security prioritizations
Overall security benefits are almost the same even when STUBs deploying BGPSEC do not verify routes themselves
Tier 1 networks are not a good choice for initial deployment protocol downgrades
most ASes are immune (i.e. happy to begin with)
BGPSEC Deployment Guidelines
48
Security Benefits Bounds over RPKI
lower boundwith RPKI60%
15%
77%
upper boundwith BGPSEC
In the most realistic security 3rd model, the best we could do is make extra 15% happy with security!
12%
25%11%
49
Security Benefits Bounds over RPKI
lower boundwith RPKI62%
16%
80%
upper boundwith BGPSEC
10%
22%10%
IXP-links augmented graph
average over all attackers
50
Security Benefits Bounds over RPKI
lower boundwith RPKI
54%
19%
82%
upper boundwith BGPSEC
8%
27%10%
IXP-links augmented graph
average over only non-stub attackers
51
Security Benefits Bounds over RPKI
lower boundwith RPKI72%
11%
51%
upper boundwith BGPSEC
41%
17%8%
average over all attackers
Local Pref: prefer customer over peer over provider routes, but prefer 1-hop and 2-hop peer routes to customer routes
longer than 1 and 2 hops respectively
52
Security Benefits Bounds over RPKI
lower boundwith RPKI
63%
15%55%
upper boundwith BGPSEC
35%
22%10%
average over only non-stub attackers
Local Pref: prefer customer over peer over provider routes, but prefer 1-hop and 2-hop peer routes to customer routes
longer than 1 and 2 hops respectively
53
Security Benefits Bounds over RPKI
lower boundwith RPKI75%
13%39%
upper boundwith BGPSEC
55%
12%6%
IXP-links augmented graphaverage over all attackers
Local Pref: prefer customer over peer over provider routes, but prefer 1-hop and 2-hop peer routes to customer routes
longer than 1 and 2 hops respectively
54
Security Benefits Bounds over RPKI
lower boundwith RPKI
64%
16%44%
upper boundwith BGPSEC
47%
20%9%
IXP-links augmented graphaverage over only non-stub attackers
Local Pref: prefer customer over peer over provider routes, but prefer 1-hop and 2-hop peer routes to customer routes
longer than 1 and 2 hops respectively
55
Security Benefits Bounds over RPKI
Sec 3rd model
56
Security Benefits Bounds over RPKI
Sec 2nd model
57
Security Benefits Bounds over RPKI
Sec 3rd model
IXP-links augmented graph
58
Security Benefits Bounds over RPKI
Sec 2nd model
IXP-links augmented graph
59
Securing 113 top Tier and their Stubs
pessimistic:consider all neutralASes as unhappy
optimistic:consider all neutral ASes as happy
0 20KASes deploying S*BGP
Imp
rove
me
nt i
n H
app
y(S
)
Securing 50% of the Internet
60
Consider only Secure Destinations
pessimistic:consider all neutralASes as unhappy
optimistic:consider all neutral ASes as happy
0 20KASes deploying S*BGP
Imp
rove
me
nt i
n H
app
y S(S
)
Securing 50% of the Internet
61
Securing 50% of the Internet
downgrades and collateral benefits play a significant role in the security metric improvement
Sec
3rd S
ec 1
st
62
Security Preference Disagreements
cost is more important
than security
security is more important
than cost
(AS4, AS5, AS1)…
AS5
(AS3, AS2, AS1)… AS4
P/S
AS2
P/S
AS3P/S
AS1
P/SAS1,66.174.161.0/24
S
(AS1)…
(AS1)…
$
$ $
$$
63
Security Preference Disagreements
cost is more important
than security
security is more important
than cost
(AS4, AS5, AS1)…
AS5
(AS3, AS2, AS1)… AS4
P/S
AS2
P/S
AS3P/S
AS1
P/SAS1,66.174.161.0/24
S
(AS1)…
(AS1)…
AS5
P/S