BGP Security in Partial Deployment Is the Juice Worth the Squeeze?

1

BGP Security in Partial Deployment

Is the Juice Worth the Squeeze?Robert Lychev Sharon Goldberg Michael

SchapiraGeorgia TechBoston University

Boston University Hebrew University

How Secure is Today’s Internet Routing?

February 2008: Pakistan Telecom hijacks YouTube!

YouTube

Pakistan Telecom

Telnor Pakistan

Aga KhanUniversity

MultinetPakistan

The Internet

I’m YouTube:IP 208.65.153.0/22

How Secure is Today’s Internet Routing?What should have happened…

YouTube

Pakistan Telecom

Telnor Pakistan

Aga KhanUniversity

MultinetPakistan

I’m YouTube:IP 208.65.153.0/22

X

drop packets

YouTube

Pakistan Telecom

Telnor Pakistan

Aga KhanUniversity

MultinetPakistan

I’m YouTube:IP 208.65.153.0/22

PakistanTelecom

No, I’m YouTube!IP

208.65.153.0/24

How Secure is Today’s Internet Routing?What did happen

5

Nov 2013

Rare Occurances? Not Really!

7

Outline

1. Background:

1. BGP, RPKI, BGPSEC

2. routing policies in BGPSEC partial deployment

2. BGPSEC in partial deployment is tricky

3. Is the juice worth the squeeze?

4. Summary

The Inter-Net:A Network of Networks

Microsoft

Verizon

Comcast

AT&T

Over 45,000 Autonomous Systems (ASes)

Border Gateway Protocol (BGP)

99

Sprint

2828

4323

D69.63.176.0/24

D69.63.176.0/24

2828, D69.63.176.0/24

4323, 2828, D69.63.176.0/24

A

Sprint, 4323, 2828, D69.63.176.0/24

The “1-hop hijack”

1010

Sprint

2828

4323

D69.63.176.0/24

Which route to choose?Use routing policies.

e.g. “Prefer short paths”

4323, 2828, D69.63.176.0/24

?

A

A, D69.63.176.0/24

Prefix Hijack

1111

Sprint

2828

4323

D69.63.176.0/24

Which route to choose?Use routing policies.

e.g. “Prefer short paths”

4323, 2828, D69.63.176.0/24

?

A

A69.63.176.0/24

69.63.176.0/24

A, D69.63.176.0/24

A

A69.63.176.0/24

RPKI Prevents Prefix Hijacks

1212

Sprint

2828

4323

D69.63.176.0/24RPKI

Binds prefixes to ASes authorized to originate them.

XRPKI invalid!

Sprint checks thatA is not authorized for 69.63.176.0/24

69.63.176.0/24

13

BGP RPKI (origin authentication)

BGPSEC

S

4323,2828, FB, prefix

S

2828, FB, prefix

S

SP, 4323, 2828, FB, prefix

Sec

uri

ty B

enef

its

or

Juic

e

prevent prefix hijacks

assume RPKI is fully deployed, and focus on 1-hop hijack.

Partial Landscape of BGP Defenses

prevent route

manipulations

A

S

SP, A, D, prefix

A, D, prefixXBGPSEC invalid!

BGPSEC Prevents the “1-hop hijack”

1414

Sprint

2828

4323

D69.63.176.0/24

P/S

P/S

P/S

P/S

S

4323,2828, D, prefix

S

2828, D, prefix

S

SP, 4323, 2828, D, prefix

S

2828, D, prefix

S

4323, 2828, D

, pre

fix

2828, D, p

refix

S

P/S

?Sprint can verify that

D never sent

A, D prefixS

RPKI

What happens when BGP andBGPSEC coexist?

15


BGPSEC

S

4323,2828, FB, prefix

S

2828, FB, prefix

S

SP, 4323, 2828, FB, prefix

Sec

uri

ty B

enef

its

or

Juic

e

prevent prefix hijacks

assume RPKI is fully deployed, and focus on 1-hop hijack.

Partial Landscape of BGP Defenses

prevent route

manipulations

A

What Happens in Partial BGPSEC Deployment?

1616

Sprint

2828

4323

DSiemens

69.63.176.0/24

P/S

P/S

P/S

P/S

Should Sprint choose the long secure path ORthe short insecure one?

P/S

P/S

?Secure ASes must accept legacy

insecure routes

Depends on the interaction between BGPSEC and routing policies!

RPKI

S

4323,2828, D, prefix

S

2828, D, prefix

S

SP, 4323, 2828, D, prefix

A, D69.63.176.0/24

17

BGP Decision Process

1. local preference

(often based on business relationships with neighbors)

2. prefer short routes

…

3. break ties in a consistent manner

18

Security 1st

1. local preference (cost)

(often based on business relationships with neighbors)

Security 2nd

2. prefer short routes (performance)

Security 3rd


How to Prioritize Security?

Survey of 100 network operators shows that 10%, 20% and 41% would place security 1st, 2nd, and 3rd, [Gill, Schapira, Goldberg’12]

SecurityCost,Performance

Security

Cost,Performance

19

Our Routing Model

Security 1st

1. local preference (cost)

(prefer customer routes over peer over provider routes)

Security 2nd

2. prefer short routes (performance)

Security 3rd


To simulate routing outcomes, we use a concrete model of local preference. [Gao-Rexford’00, Huston’99, etc.]

We test the robustness of this local pref model.

20

Outline

1. Background: BGP, RPKI, BGPSEC, routing policies


1. Protocol downgrade attacks

2. Collateral damages

3. Routing instabilities

3. Is the Juice worth the squeeze?

4. Summary

A

Protocol Downgrade Attack, Security 3rd!

2121

Sprint

2828

4323

D 69.63.176.0/24

P/S

P/S

P/S

S

4323,2828, D, prefix

S

2828, D, prefix

S

SP, 4323, 2828, D, prefix

P/S

Security 3rd: Path length trumps

path security!?

Protocol downgrade attack: Before the attack, Sprint has a legitimate secure route.During the attack, Sprint downgrades to an insecure bogus route .

A, D69.63.176.0/24

22

Partial Deployment is Very Tricky!

We prove… No protocol downgrades?

No collateral damages?

No instabilities?

Security 1st

Security 2nd

Security 3rd

A2828

4323

D

Siemens

69.63.176.0/24

P/S

P/S

P/S

A, D69.63.176.0/24

P/S

?Protocol downgrade attack: A secure AS with a secure route before the attack, downgrades to an insecure bogus route during the attack.

Sprint

P/S

Collateral Damages; Security 2nd

325720960

56173356

5214212389

M

prefix

10310

404267922

174

3491

P/S

P/S

P/S

P/S

P/S


W

XZ

Y

M

Before X deploys BGPSEC

?X offers the shorter path

?Shorter path!

prefix D

V

P/S

P/S

P/S

P/S

P/S

Secure ASes: 5Happy ASes: 8


W

X VZ

Y

M

?W offers the shorter path!

?Security 2nd:Security trumps

path length!

Y experiences collateral damage because X is secure!

P/S

P/S

P/S

P/S

P/S

Secure ASes: 6Happy ASes: 7

After X deploys BGPSEC

prefix D

P/S

26




No instabilities?

Security 1st Security 2nd Security 3rd

325720960

56173356

5214212389

A

?

?

5617

Collateral damage (during the attack): More secure ASes leads to more insecure ASes choosing bogus routes

10310

40426

7922

174

3491

prefix

P/S

P/S

P/S

P/S

P/S

P/S

27



No instabilities?

Security 1st Security 2nd Security 3rd


Theorem: Routing converges to a unique stable state if all ASes use the same secure routing policy model.

But, if they don’t, there can be BGP Wedgies and oscillations.

28

Outline

1. Background: BGP, RPKI, BGPSEC, routing policies


3. Is the Juice worth the Squeeze?

1. Can we efficiently select the optimal set of secure ASes?

2. Can we bound security benefits invariant to who is secure?

3. Is the BGPSEC juice worth the squeeze given RPKI?

4. Summary

∑

all Aall d

Let S be the set of ASes deploying BGPSEC,

A be the attacker and d be the destination

Our metric is the average of the set of Happy ASes

Happy S , ,

Quantifying Security: A Metric

| Happy(S, A, d)| = 7

|V| 3

1Metric(S) =

prefix

325720960

56173356

52142

12389

?

10310

d7922

5617 174

3491

A

A d prefix

30

Problem: find set S of secure ASes that maximizes

s. t. |S| = k, for a fixed attacker A and destination d

Theorem:

This problem is NP-hard for all three routing models.

Happy S , ,

It is Hard to Decide Whom to Secure

A d prefix

A

Bounding Security Metric. Security 3rd

3131

Sprint

2828

4323

DSiemens

69.63.176.0/24

A, D69.63.176.0/24

The bogus path is shorter!

A


3232

Sprint

2828

4323

DSiemens

P/S

Sprint is doomed The bogus path is shorter!

P/S

P/S

P/S

P/S

Regardless of who is secure, Sprintwill select the shorter bogus route!

69.63.176.0/24

A, D69.63.176.0/24

A


3333

Sprint

2828

4323

DSiemens

P/S

P/S

P/S

P/S

P/S

69.63.176.0/24

A, D69.63.176.0/24

The legitimate path is shorter!


A


3434

Sprint

2828

4323

DSiemens

69.63.176.0/24

2828 and 4323are immune


A, D69.63.176.0/24

Regardless of who is secure, 4323 and 2828 will select legitimate routes!


35

∑

all Aall d

Problem: Find upper and lower bound on

Different Idea: Bound Security Benefits!

Key observation. Regardless of who is secure:1. Doomed ASes will always choose bogus routes2. Immune ASes will always choose legitimate routes

Lower bound on Metric(S) = fraction of immune ASes Upper bound on Metric(S) = 1 – fraction of doomed ASes

Happy S , , |V| 3

1Metric(S) = A d prefix

36

Security Benefits Bounds over RPKI

lower boundwith RPKI

17%

upper boundwith BGPSEC

In the most realistic security 3rd model, the best we could do is make extra 17% happy with security!

53%

36%47%

Ave

rag

e F

ract

ion

of H

ap

py

AS

es

results based on simulations on empirical AS-level graphs

37


17%53%

36%47%

Securing 113 High Degree ASes & their Stubs

Securing 50% of ASes on the Internet

Improvements in the security 3rd and 2nd models are only 4% and 8% respectively.

24%

Ave

rag

e F

ract

ion

of H

ap

py

AS

es

results based on simulations on empirical AS-level graphs

38


BGPSEC

S

4323,2828, FB, prefix

S

2828, FB, prefix

S

SP, 4323, 2828, FB, prefix

Sec

uri

ty B

enef

its

or

Juic

e

prevent prefix

hijack

Unless Security is 1st or BGPSEC deployment is very large, security benefits from partially deployed BGPSEC are meagre

Typically little observable difference between Sec 2nd and 3rd

So Is the Juice Worth the Squeeze?

prevent route

manipulations

BGP and BGPSECcoexistence: very tricky

*protocol downgradescollateral damagesrouting instabilities

Ongoing and Future Research:New Paradigms

1. A grassroots approach to routing security anonymity service in lieu of a PKI

2. Outsourcing interdomain routing to a non-trusted center

via Secure MultiParty Computation (SMPC)

40

THANK YOU

check out the full version at http://arxiv.org/abs/1307.2690

1 Proofs2 More empirical analysis and plots3 Robustness tests4 BGPSEC deployment guidelines

http://arxiv.org/abs/1307.2690



41

Graph: A UCLA AS-level topology from 09-24-2012 39K ASes, 73.5K and 62K customer-provider and peer links

For each attacker-destination pair, simulated routing and determined the sets of doomed and immune ASes

Quantified security-benefit improvements for many different BGPSEC deployment scenarios

Robustness Tests added 550K extra peering links inferred from IXP data on 09-24-2012

accounted for traffic patterns by focusing on only certain destinations (e.g. content providers) and attackers

currently repeating all analysis with respect to different local pref models

Our Methodology

A


4242

Sprint

2828

4323

DSiemens

69.63.176.0/24




Only Siemans is neither doomed nor immune!

A, D69.63.176.0/24

A


4343

Sprint

2828

4323

DSiemens

P/S




P/S

P/S

P/S

P/S

Regardless of who is secure, only Siemans can benefits from BGPSEC!

Only Siemans is neither doomed nor immune!

69.63.176.0/24

A, D69.63.176.0/24

44



53%

17%79%



10%

30%11%


45

Securing 113 top Tier and their Stubs


53%

Improvements in the security 3rd and 2nd models are only 4% and 8% respectively.

10%

30%11%

17%79%

Securing 50% of the Internet

24%

46

we highlight operational issues of BGPSEC partial deployment

results are not meant to be predictive, but our trends are robust

Final Remarks

47

Network administrators have to agree on security prioritization otherwise, unpredictable routing behavior may be encountered

ASes deploying BGPSEC experience noticeable security benefit improvements when routing to secure destinations secure islands could form with different security prioritizations

Overall security benefits are almost the same even when STUBs deploying BGPSEC do not verify routes themselves

Tier 1 networks are not a good choice for initial deployment protocol downgrades

most ASes are immune (i.e. happy to begin with)

BGPSEC Deployment Guidelines

48


lower boundwith RPKI60%

15%

77%



12%

25%11%

49



16%

80%


10%

22%10%

IXP-links augmented graph

average over all attackers

50



54%

19%

82%


8%

27%10%


average over only non-stub attackers

51



11%

51%


41%

17%8%

average over all attackers

Local Pref: prefer customer over peer over provider routes, but prefer 1-hop and 2-hop peer routes to customer routes

longer than 1 and 2 hops respectively

52



63%

15%55%


35%

22%10%

average over only non-stub attackers



53



13%39%


55%

12%6%

IXP-links augmented graphaverage over all attackers



54



64%

16%44%


47%

20%9%

IXP-links augmented graphaverage over only non-stub attackers



55


Sec 3rd model

56


Sec 2nd model

57


Sec 3rd model


58


Sec 2nd model


59

Securing 113 top Tier and their Stubs

pessimistic:consider all neutralASes as unhappy

optimistic:consider all neutral ASes as happy

0 20KASes deploying S*BGP

Imp

rove

me

nt i

n H

app

y(S

)


60

Consider only Secure Destinations

pessimistic:consider all neutralASes as unhappy

optimistic:consider all neutral ASes as happy

0 20KASes deploying S*BGP

Imp

rove

me

nt i

n H

app

y S(S

)


61


downgrades and collateral benefits play a significant role in the security metric improvement

Sec

3rd S

ec 1

st

62

Security Preference Disagreements

cost is more important

than security

security is more important

than cost

(AS4, AS5, AS1)…

AS5

(AS3, AS2, AS1)… AS4

P/S

AS2

P/S

AS3P/S

AS1

P/SAS1,66.174.161.0/24

S

(AS1)…

(AS1)…

$

$ $

$$

63

Security Preference Disagreements

cost is more important

than security

security is more important

than cost

(AS4, AS5, AS1)…

AS5

(AS3, AS2, AS1)… AS4

P/S

AS2

P/S

AS3P/S

AS1

P/SAS1,66.174.161.0/24

S

(AS1)…

(AS1)…

AS5

P/S

BGP Security in Partial Deployment Is the Juice Worth the Squeeze?

Documents

youtube misconfiguration

theyre youtube

pakistan telecomrouting

ip addresses

provider pakistan telecom

secure routing protocol

todays internet routing

high jacked traffic