Page 1

Updates on Routing Experiments

Cyber DEfense Technology Experimental Research (DETER) Network
Evaluation Methods for Internet Security Technology (EMIST)

USC Information Sciences Institute, University of California, Berkeley, University of California, Davis, Penn State University, Purdue University, International Computer Science Institute, Stanford Research Institute (SRI), Network Associates, SPARTA

02/01/2006 USC/ISI

Page 2

Research Objectives

• Realistic Internet routing experiments on dynamics (i.e., faults, failures, & attacks) with configurable parameters

• Study, analyze, evaluate, & validate hypotheses/principles related to Internet routing and its security

Page 3

Problems in Understanding the Problems

• Inter-Domain Routing is very hard and complex to understand…

Page 4

The “Internet” as of February 1, 2006

• 21319 Autonomous Systems
• 177300 IP Address Prefixes announced

http://bgp.potaroo.net/cidr/

Page 5

Problems in Understanding the Problems

• Inter-Domain Routing is very hard and complex to understand…

• It is really not just scalability though…
– Policy/configuration
– Implementation

Page 6

Simulation versus Emulation

• Simulation: large-scale, but may abstract away low-level characteristics.

• Emulation: experimenting with realistic implementations and observing the “unexpected”
– Implementation differences
– Analyzing/interpreting the interactions
– May help in accomplishing better simulation tasks in BGP.

Page 7

Interactions/Dynamics

• Failures/faults/attacks
• Mobility/configuration/policy changes
• Cross-layer interactions
• EGP versus IGP

Page 8

Problems in Understanding the Problems

• Inter-Domain Routing is very hard and complex to understand…

• It is really not just scalability though…
– Policy/configuration
– Implementation

• And, industry is introducing new BGP features..

Page 9

Route Flap Damping (RFC 2439)

Page 10

Differential Damping Penalty

[Topology figure: CISCO 12000 (AS65001), CISCO 2600 (AS65002), Zebra/Linux (AS65006), IBM 2210 (AS65003), IBM 2210 (AS65004), CISCO 2514 (AS65005)]

Page 11

Penalty: 0

Penalty 1: 0
Penalty 2: 0

Prefix: 169.237/16

Page 12

Penalty: ???

Penalty 1: 1000
Penalty 2: 1000

Prefix: 169.237/16

Page 13

Penalty: 1000 2000

Penalty 1: 1000
Penalty 2: 1000

Prefix: 169.237/16

artificial delay X

initial difference

Page 14

Penalty: 2000 -/+ X > 750

Penalty 1: 1000
Penalty 2: 1000 -/x < 2000

Prefix: 169.237/16

Page 15

Outbound Route Filter (ORF)

Internet draft, under implementation in Cisco

“defines a BGP-based mechanism that allows a BGP speaker to send to its BGP peer a set of Outbound Route Filters (ORFs). The peer would then apply these filters, in addition to its locally configured outbound filters (if any), to constrain/filter its outbound routing updates to the speaker. ”

If the peer damps a path, it sends an ORF to the downstream peer, so the peer won’t receive further updates until the path is reused.

Page 16

Penalty: 1000 2000

Penalty 1: 1000
Penalty 2: 1000

Prefix: 169.237/16

ORF

Page 17

A Little Dampening Story

SSFNet: per prefix
Zebra: per prefix + per peer
Cisco: per prefix + per peer + per AS path
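The damping behaviour these slides compare (RFC 2439 penalties of 1000 per flap, suppression above 2000 and reuse below 750, and the different damping key used by SSFNet, Zebra and Cisco), worked through as an added Python example; this is not code from the DETER/EMIST project. The 15-minute half-life and 60-minute maximum suppression time are assumptions (the commonly cited router defaults), and the flap trace in run_scenario is constructed. The penalize_withdraw switch models a damping implementation that does not count withdrawals as flaps.

```python
"""Route flap damping (RFC 2439) with a configurable damping key.

Added example; not DETER/EMIST code.  Penalty values from the slides:
1000 per flap, suppress above 2000, reuse below 750.  The 15-minute half-life
and 60-minute maximum suppression time are ASSUMED router defaults.
"""
import math
from dataclasses import dataclass


@dataclass
class DampConfig:
    flap_penalty: float = 1000.0     # added on each flap (withdrawal)
    suppress: float = 2000.0         # suppress the route above this penalty
    reuse: float = 750.0             # reuse it once the penalty decays below this
    half_life: float = 15 * 60.0     # seconds for the penalty to halve (assumed)
    max_suppress: float = 60 * 60.0  # longest suppression in seconds (assumed)
    penalize_withdraw: bool = True   # False: withdrawals are not counted as flaps

    @property
    def ceiling(self) -> float:
        # RFC 2439 caps the penalty so suppression never outlasts max_suppress
        return self.reuse * 2 ** (self.max_suppress / self.half_life)


@dataclass
class DampState:
    penalty: float = 0.0
    last_time: float = 0.0
    flaps: int = 0
    suppressed: bool = False
    reachable: bool = False

    def decayed(self, now: float, cfg: DampConfig) -> float:
        """Penalty after exponential decay from last_time to now."""
        return self.penalty * 2 ** (-(now - self.last_time) / cfg.half_life)


class RouteFlapDamper:
    """One penalty counter per damping key.  key_fields selects the granularity
    the slides compare: ("prefix",) SSFNet; ("prefix", "peer") Zebra;
    ("prefix", "peer", "as_path") Cisco."""

    def __init__(self, cfg: DampConfig, key_fields=("prefix", "peer", "as_path")):
        self.cfg = cfg
        self.key_fields = key_fields
        self.table = {}

    def key(self, prefix, peer, as_path):
        fields = {"prefix": prefix, "peer": peer, "as_path": as_path}
        return tuple(fields[f] for f in self.key_fields)

    def _state(self, now, prefix, peer, as_path) -> DampState:
        st = self.table.setdefault(self.key(prefix, peer, as_path), DampState())
        st.penalty = st.decayed(now, self.cfg)   # apply decay since last event
        st.last_time = now
        if st.suppressed and st.penalty < self.cfg.reuse:
            st.suppressed = False                # decayed enough to be reused
        return st

    def announce(self, now, prefix, peer, as_path) -> DampState:
        """A (re-)advertisement is not penalised in this model."""
        st = self._state(now, prefix, peer, as_path)
        st.reachable = True
        return st

    def withdraw(self, now, prefix, peer, as_path) -> DampState:
        """Withdrawing a reachable route is a flap: add the penalty, maybe suppress."""
        st = self._state(now, prefix, peer, as_path)
        if st.reachable and self.cfg.penalize_withdraw:
            st.flaps += 1
            st.penalty = min(st.penalty + self.cfg.flap_penalty, self.cfg.ceiling)
            if st.penalty > self.cfg.suppress:
                st.suppressed = True
        st.reachable = False
        return st

    def seconds_until_reuse(self, now, prefix, peer, as_path) -> float:
        """Time until the penalty decays below the reuse threshold."""
        p = self.table[self.key(prefix, peer, as_path)].decayed(now, self.cfg)
        if p <= self.cfg.reuse:
            return 0.0
        return self.cfg.half_life * math.log2(p / self.cfg.reuse)


def run_scenario(key_fields, penalize_withdraw=True):
    """Constructed trace: 169.237/16 from one peer is announced and withdrawn
    three times, 20 s apart, with a different AS path each time.  Returns the
    rounded penalty and suppression flag of the entry hit by the last withdrawal."""
    damper = RouteFlapDamper(DampConfig(penalize_withdraw=penalize_withdraw), key_fields)
    prefix, peer = "169.237.0.0/16", "AS65002"
    paths = ("65002 65003", "65002 65004 65003", "65002 65005")   # constructed
    for i, path in enumerate(paths):
        damper.announce(20.0 * i, prefix, peer, path)
        damper.withdraw(20.0 * i + 10.0, prefix, peer, path)
    st = damper.table[damper.key(prefix, peer, paths[-1])]
    return round(st.penalty), st.suppressed


if __name__ == "__main__":
    for name, key in (("SSFNet (per prefix)", ("prefix",)),
                      ("Zebra (prefix+peer)", ("prefix", "peer")),
                      ("Cisco (prefix+peer+path)", ("prefix", "peer", "as_path"))):
        penalty, suppressed = run_scenario(key)
        print(f"{name:26s} penalty={penalty} suppressed={suppressed}")
    print("withdrawals not counted:", run_scenario(("prefix",), penalize_withdraw=False))
```

With the per-prefix key the three withdrawals accumulate on one counter and the third pushes it past 2000, so the prefix is suppressed; with the per-AS-path key each path carries a single 1000-point penalty and nothing is suppressed. The same event trace therefore produces a different damping outcome depending only on how the implementation keys its state, which is the differential penalty the slides describe.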

Page 18

Penalty: 1000 2000

Penalty 1: 1000
Penalty 2: 1000

Withdraw 169.237/16

Page 19

SSFNet Simulator “Bugs”

Penalty: 1000 2000

Penalty 1: 1000
Penalty 2: 1000

Withdraw 169.237/16: Missing!!

Page 20

SSFNET

SSFNET + WD

CISCO

Page 21

SSFNET

SSFNET + WD

CISCO

Page 22

ICDCS’2005 Best Paper Award

SSFNET

SSFNET + WD

CISCO

Page 23

Problems or Issues

• Damping implementation
• MRAI timer
• The Single Router AS Assumption
• Route Withdraw
• ORF

Page 24

Collecting the Results in 2005

show ip bgp …

selected prefixes, per router, per 1 second

1 peer (SPRINT): Full Routing Table (9MB compressed), BGP Updates (2 hours -- 168KB)

updates -- MRT

Page 25

[Topology figure: AS-101, AS-112, AS-117, AS-114, AS-113, AS-121]

Page 26

AS 101 Multi homing

=====================================================
Wed Sep 28 02:26:00 PDT 2005
=====================================================
Paths: (3 available, best #3, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
  101.0.0.1 101.0.0.2 112.0.0.2 114.0.0.2
  114 113 121
    114.0.0.2 from 114.0.0.2 (114.0.0.2)
      Origin IGP, localpref 100, valid, external
      Last update: Wed Sep 28 02:13:28 2005
  112 117
    112.0.0.2 from 112.0.0.2 (112.0.0.2)
      Origin IGP, localpref 100, valid, external
      Dampinfo: penalty 543, flapped 1 times in 00:13:05
      Last update: Wed Sep 28 02:25:39 2005
  113 121
    113.0.0.2 from 113.0.0.2 (113.0.0.2)
      Origin IGP, localpref 100, valid, external, best
      Last update: Wed Sep 28 02:13:11 2005
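The result collection described on the previous slide (show ip bgp output per router, per second) only becomes analysable once the text is turned into records. The following added Python example, which is not the project's own collection script, parses the slide 26 output above into per-path records and checks whether the reported Dampinfo penalty is plausible for the reported flap age under a decay model; the 1000-point flap penalty and 15-minute half-life used in that check are assumptions.

```python
"""Parse `show ip bgp <prefix>` output into per-path records.

Added example; not the project's collection scripts.  SAMPLE is the output
shown on the slide.  damp_consistent() ASSUMES a 1000-point flap penalty and a
15-minute half-life to judge whether a reported penalty matches the flap age.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = """\
Paths: (3 available, best #3, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
  101.0.0.1 101.0.0.2 112.0.0.2 114.0.0.2
  114 113 121
    114.0.0.2 from 114.0.0.2 (114.0.0.2)
      Origin IGP, localpref 100, valid, external
      Last update: Wed Sep 28 02:13:28 2005
  112 117
    112.0.0.2 from 112.0.0.2 (112.0.0.2)
      Origin IGP, localpref 100, valid, external
      Dampinfo: penalty 543, flapped 1 times in 00:13:05
      Last update: Wed Sep 28 02:25:39 2005
  113 121
    113.0.0.2 from 113.0.0.2 (113.0.0.2)
      Origin IGP, localpref 100, valid, external, best
      Last update: Wed Sep 28 02:13:11 2005
"""


@dataclass
class BgpPath:
    as_path: List[int]
    next_hop: str = ""
    router_id: str = ""
    origin: str = ""
    local_pref: int = 0
    flags: List[str] = field(default_factory=list)   # valid, external, best, ...
    penalty: Optional[int] = None                    # Dampinfo, if the path is damped
    flaps: Optional[int] = None
    flap_age_s: Optional[int] = None                 # "flapped N times in HH:MM:SS"
    last_update: str = ""

    @property
    def best(self) -> bool:
        return "best" in self.flags


# A path block starts with its AS path at two-space indent; addresses (with dots)
# in the "Advertised to" line do not match this pattern.
AS_PATH_RE = re.compile(r"^  (\d+(?: \d+)*)\s*$")
NEXT_HOP_RE = re.compile(r"^\s+(\S+) from (\S+) \((\S+)\)")
ATTR_RE = re.compile(r"^\s+Origin (\w+), localpref (\d+), (.+)$")
DAMP_RE = re.compile(r"^\s+Dampinfo: penalty (\d+), flapped (\d+) times in (\d+):(\d+):(\d+)")
LAST_RE = re.compile(r"^\s+Last update: (.+)$")


def parse_show_ip_bgp(text: str) -> List[BgpPath]:
    paths: List[BgpPath] = []
    cur: Optional[BgpPath] = None
    for line in text.splitlines():
        m = AS_PATH_RE.match(line)
        if m:
            cur = BgpPath(as_path=[int(a) for a in m.group(1).split()])
            paths.append(cur)
            continue
        if cur is None:
            continue                                 # header lines before the first path
        if m := NEXT_HOP_RE.match(line):
            cur.next_hop, _, cur.router_id = m.groups()
        elif m := ATTR_RE.match(line):
            cur.origin, cur.local_pref = m.group(1), int(m.group(2))
            cur.flags = [f.strip() for f in m.group(3).split(",")]
        elif m := DAMP_RE.match(line):
            pen, flaps, h, mi, s = (int(g) for g in m.groups())
            cur.penalty, cur.flaps, cur.flap_age_s = pen, flaps, h * 3600 + mi * 60 + s
        elif m := LAST_RE.match(line):
            cur.last_update = m.group(1)
    return paths


def expected_single_flap_penalty(age_s: int, flap_penalty=1000.0, half_life_s=900.0) -> float:
    """What one flap of flap_penalty decays to after age_s seconds (assumed parameters)."""
    return flap_penalty * 2 ** (-age_s / half_life_s)


def damp_consistent(p: BgpPath, tolerance: float = 0.05) -> bool:
    """True if a single reported flap's penalty is within tolerance of the decay model."""
    if p.penalty is None or p.flaps != 1:
        return False
    return abs(expected_single_flap_penalty(p.flap_age_s) - p.penalty) <= tolerance * p.penalty


if __name__ == "__main__":
    for p in parse_show_ip_bgp(SAMPLE):
        print(p.as_path, "best" if p.best else "", p.penalty, damp_consistent(p))
```

For the damped path in the sample, a 1000-point flap aged 13 min 05 s would have decayed to about 546 points at a 15-minute half-life, so the reported 543 is consistent with that model; a large discrepancy in a collected snapshot would point at a different penalty or half-life setting on that router, or at an implementation difference of the kind the earlier slides report.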

Page 27

AS 101

[Figure: AS 101 path status (y axis Status, 0 to 3) versus Time (200 to 2000); curves: Path 112-117, Path 114-113-121, Path 113-121; topology labels: 117 112 101 113 121 114; events: AS-117 announced, AS-121 withdrawn; OASC]

Page 28

Creation and Evolution of BGP modeling

[Figure: SSFNet: current understanding of the BGP model; DETER: all BGP information is available; labels: Conflicts, Anomalies]

Page 29

Observation Point Data

• ORV/RIPE
– Relatively incomplete in understanding the behavior

Page 30

On Explaining and Model-Building

[Diagram labels: the Model, Anomaly Detection, Anomaly Analysis and Explanation]

Page 31

Creation and BGP model

• What are the events?
– Events: changes in the BGP table

• Caused by:
– OP (operator) configuration
– BGP peers
– Other means, e.g., OSPF route redistribution

– An event results in BGP update messages

• How are the events related?

Page 32

BGP Behavior

[Flowchart labels: BGP, Update, Redistribute, Policy / local pref, Y, N, Operator, OSPF, Done, Update]

Page 33

Mapping

[Figure: event mapping; TIME axis over a 2D AS topology (projected to Z=0); Announce and Withdraw events at Time 0, Time 30, Time 60]

Page 34

BGP Events: Causality and Correlation

• Causality relationship among individual BGP events (across different routers/ASes)
– Critical to simply understand/correlate BGP behavior
– Discover new types of relationships (or filter/correct false causality in experiments)
– Important for generating/replaying realistic BGP events

• Using emulation to verify the causality
– Maybe also with commercial routers (e.g., Juniper)
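One way to start correlating BGP events observed at several routers into causal chains, as an added Python example that is not the project's tooling. The rule it applies is an assumption made for this illustration: an announcement seen at router Y is a plausible effect of an announcement seen at router X when both concern the same prefix, Y saw it shortly after X (within a 30 s window, also assumed), and Y's AS path is X's observed path with X's AS prepended; withdrawals carry no AS path, so for them only prefix and timing are used. EVENTS is a constructed trace that reuses the AS numbers of the AS 101 topology on the earlier slides.

```python
"""Infer plausible causal chains among BGP update events seen at several routers.

Added example, not DETER/EMIST tooling.  The pairing rule is a HEURISTIC assumed
for this illustration; EVENTS is a constructed trace.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WINDOW_S = 30.0   # longest plausible cause-to-effect delay (assumed)


@dataclass(frozen=True)
class UpdateEvent:
    time: float                      # seconds into the capture
    router_as: int                   # AS of the router where the update was observed
    prefix: str
    kind: str                        # "A" announce or "W" withdraw
    as_path: Tuple[int, ...] = ()    # as seen at that router; () if it originates the prefix


def plausible_cause(a: UpdateEvent, b: UpdateEvent, window: float = WINDOW_S) -> bool:
    """Could event a have led to event b?"""
    if a.prefix != b.prefix or a.router_as == b.router_as:
        return False
    if not (a.time < b.time <= a.time + window):
        return False
    if a.kind != b.kind:
        return False                 # this heuristic pairs only like kinds
    if b.kind == "W":
        return True                  # withdrawals carry no path to check
    # b learnt the route through a's AS: a's path with a's AS prepended
    return b.as_path == (a.router_as,) + a.as_path


def infer_causes(events: List[UpdateEvent]) -> Dict[UpdateEvent, Optional[UpdateEvent]]:
    """Map each event to its most recent plausible cause (None for a root event)."""
    ordered = sorted(events, key=lambda e: e.time)
    causes: Dict[UpdateEvent, Optional[UpdateEvent]] = {}
    for i, b in enumerate(ordered):
        causes[b] = next((a for a in reversed(ordered[:i]) if plausible_cause(a, b)), None)
    return causes


def causal_chains(events: List[UpdateEvent]) -> List[List[UpdateEvent]]:
    """Group events into chains: each root followed by its effects, breadth-first."""
    causes = infer_causes(events)
    chains = []
    for root in [e for e, c in causes.items() if c is None]:
        chain, frontier = [root], [root]
        while frontier:
            frontier = sorted((e for e, c in causes.items() if c in frontier),
                              key=lambda e: e.time)
            chain.extend(frontier)
        chains.append(chain)
    return chains


P = "169.237.0.0/16"
EVENTS = [                                               # constructed sample trace
    UpdateEvent(0.0, 121, P, "A", ()),                   # AS 121 originates the prefix
    UpdateEvent(1.2, 113, P, "A", (121,)),               # AS 113 hears it from 121
    UpdateEvent(2.9, 114, P, "A", (113, 121)),           # AS 114 hears it via 113
    UpdateEvent(3.4, 101, P, "A", (113, 121)),           # AS 101 hears it from 113
    UpdateEvent(4.1, 101, P, "A", (114, 113, 121)),      # ... and from 114
    UpdateEvent(40.0, 112, "10.9.0.0/16", "A", (117,)),  # unrelated prefix: its own root
]

if __name__ == "__main__":
    for chain in causal_chains(EVENTS):
        print(" -> ".join(f"t={e.time} AS{e.router_as} {e.kind} {e.as_path}" for e in chain))
```

On the constructed trace the five announcements of 169.237/16 fall into one chain rooted at the originating AS, with the two updates seen at AS 101 attributed to AS 113 and AS 114 respectively, while the unrelated prefix forms its own root. A correlation that is false under this rule (an event with no plausible cause, or a path that does not extend its supposed cause's path) is exactly what the slide proposes to filter or correct by re-running the scenario in emulation.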

Page 35

Plan for the June 2006 Demo

• One “very interesting” defense tested..
– in a stealthy mode…

• Event correlation

• “realistic” and “comprehensive” BGP model
– Many interesting examples and comparisons

• Still in development (not sure yet)
– Using the model to examine real BGP data
– What patterns should we expect from the observation points?