Pretty Good BGP: Improving BGP by Cautiously Adopting Routes Josh Karlin, Stephanie Forrest, Jennifer Rexford IEEE International Conference on Network.

Pretty Good BGP: Improving BGP by Cautiously Adopting Routes

Josh Karlin, Stephanie Forrest, Jennifer Rexford

IEEE International Conference on Network Protocols 2006

Outline

• What are current BGP security issues?

• What is PGBGP trying to solve?

• How does PGBGP solve it?

• How good is PGBGP?

• How bad is PGBGP?

• Shall we use it?

What are current BGP security issues?

• BGP4 (RFC1771)– Inter-domain routing, internet core– Link state protocol, distributed system

• Vulnerabilities– No encryption: eavesdropping– No timestamp: replaying– No signature: man-in-the-middle

What are current BGP security issues?

• Examples

What is PGBGP trying to solve?

• General requirements of a good solution– BGP is widely deployed: don’t modify the protocol– Route’s resource is stretched thin: don’t consume too

much resource– ISPs are conservative: incremental deployable– ISPs are greedy: show good results!

What is PGBGP trying to solve?

• Prefix hijack– Shorter AS_PATH

(man-in-the-middle)– MOAS

(multiple origin AS)

How does PGBGP solve it?

• Basic idea– Suspicious Cautious– Use historical prefix-origin records– Damping suspicious prefix-origin

announcement for 24 hours– Human investigation– Good for prefix/sub-prefix hijacks

How does PGBGP solve it?

• AlgorithmHistory period – h hours cleanSuspicious period – s hours quarantinedMove h forward remove staleness, get freshness

• Parameters sensitivityh = 10 days : short FP, long repeat slips s = 24 hours : human response time

How does PGBGP solve it?

Prefix Hijacks: conflict w/ unknown origins

Sub-prefix hijacks:

Conflict w/ known origins

[Q1]?

How does PGBGP solve it?

• Mitigation– Avoid suspicious routes:

• lower preference• Sub-prefix: quarantine, choose neighbor not

having the suspicious routes (not really helpful)• Never seen prefix / super-prefix will be adopted

– Convergence consideration• Obey relationship-based policy• Dampened as if not announced

How good is PGBGP?

• Simulation– 18,943 ASes, average 4 links per AS-AS– Simulator w/ policy-based routing– Deployment strategries:

• random -- p• core+random -- 16 (15 degree+) + p

– 500 attacks per setup– Parameters: h = 3, s = 1– Day 1, O; Day 2 O’

How good is PGBGP?

How good is PGBGP?

How good is PGBGP?

How good is PGBGP?

How good is PGBGP?

How good is PGBGP?

• Conclusion: pretty good – Core + random deployment, 90%+ effective– Incrementally deployable– Out-of-core computation possible– Centralized computation possible– Overhead is small, real time possible– Extension: IAR (internet alert registry)

How bad is PGBGP?

• Limitations:– FP: Origin change, multi-homed– DoS + no other choice– lucky slips – Man-in-the-middle (put itself in AS_PATH)

• Conclusion: not to bad

Shall we use it?

• Critiques for the paper– FP delay propagation: 24+24+24+24+24– Model human correction rate with prob. p1,

FP rate p2 …– Some analysis is not thorough (e.g. Fig 3)– Undeployed ASes at risk (good & bad)– Distributed/Co-operated version

• Conclusion: try if you like

Shall we use it?

Questions

• Ask me:[email protected]

• Email Josh Karlin: [email protected]

• Interested in security [email protected]