Secure Routing Panel FIND PI Meeting (June 27, 2007) Morley Mao, Jen Rexford, Xiaowei Yang.


Goal of the Panel

• Understand and discuss
  – The threats on the routing system
  – Lessons learned from today’s routing system
  – Challenges of architecting a secure routing system
  – A few specific architectural proposals


Questions

• What are the threats?
  – End hosts
  – Compromised routers
  – Greedy providers

• What security properties do we need?
  – Just availability?
  – Knowing traffic is reaching the right destination?
  – Knowing end-to-end path? At what granularity?
  – Avoiding certain paths, countries, or companies?
  – Do paths need to be symmetric?

• Enable multiple levels of security in parallel?


Questions

• Where should security functions be placed?
  – End hosts vs. routers
  – Data, control, and management planes

• How do we ensure participation?
  – Economic incentives for deployment?
  – Role (if any) for government regulation?
  – Any need for accountability/liability for problems?
  – Enable partial deployment scenarios?


Organization

• Morley Mao, U. Michigan
  – Threats, and an operator perspective (15 min)

• Jen Rexford, Princeton
  – Multi-path routing and secure monitoring (10 min)

• Xiaowei Yang, UC Irvine
  – User-controlled routes (15 min)

• Discussion, debate, …


Helping Edge Networks to Help Themselves

Jen Rexford

Joint work with Dave Andersen, Ioannis Avramopoulos, and Dan Wendlandt


Don’t Need Secure Routing Protocols

• Secure routing protocols
  – Securing info communicated within the protocol

• Secure routing protocols are too much
  – Require large-scale (ubiquitous?) deployment
  – Heavyweight crypto operations
  – Global public key infrastructure

• Secure routing protocols are too little
  – Packets might not follow the path
  – Adversary can deflect packets or DoS links
  – Colluding ASes can claim fake links


Secure End-to-End Communication

• An architectural proposal
  – Multi-path routing exposes possible paths
  – Edge nodes find and securely use working paths

End-to-end security (e.g., SSL & IPsec)

• Confidentiality of Data
• Integrity of Data
• Availability of Communication Channel

Depends on Routing and Forwarding


Where do Multiple Paths Come From?

• Multi-homing
  – Connecting to multiple neighboring ASes
  – Connecting to a neighbor at multiple places

• Deflecting through intermediate nodes
  – Overlay networks of end hosts
  – Deflection services offered by other networks

• Multi-path routing protocols


How Do Edge Nodes Switch Forwarding Paths?

• Tagging
  – Mark tag bits in the data packets
  – Routers interpret the bits in forwarding

• Encapsulation
  – Specifying intermediate deflection point
  – Routers forward based on deflection address


How Do Edge Nodes Decide to Change Paths?

• End-to-end integrity check
  – IPsec and SSL
  – Client authentication and server certificates
  – Vote among users from many vantage points

• Secure availability monitoring
  – End-host applications judge the performance
  – Edge routers securely sample the performance
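A sketch of secure availability monitoring driving path selection, added here as an illustration and not taken from the slides or the authors' work. It assumes the two edge nodes already share a key (for example from their IPsec/SSL session); the path labels, behaviours, probe count and 0.9 threshold are constructed for the example.

```python
import hashlib
import hmac
import os

# Assumption: both edge nodes already share this key (e.g. from their IPsec/SSL session).
KEY = os.urandom(32)

def make_ack(key, path_id, nonce):
    """Remote edge node: MAC binds the ack to one path and one probe nonce."""
    return hmac.new(key, path_id.encode() + b"|" + nonce, hashlib.sha256).digest()

def delivery_rate(path_id, path, probes=20):
    """Send fresh nonces over a path; count only acks whose MAC verifies."""
    verified = 0
    for i in range(probes):
        nonce = os.urandom(16)
        ack = path(path_id, nonce, i)  # whatever comes back over this path
        if ack is not None and hmac.compare_digest(ack, make_ack(KEY, path_id, nonce)):
            verified += 1
    return verified / probes

# Constructed path behaviours (hypothetical, for illustration only).
def honest(path_id, nonce, i):
    return make_ack(KEY, path_id, nonce)

def lossy(path_id, nonce, i):  # drops every 4th probe: 25% loss
    return None if i % 4 == 0 else make_ack(KEY, path_id, nonce)

def forging(path_id, nonce, i):  # drops traffic, answers with acks made without KEY
    return make_ack(b"not-the-shared-key", path_id, nonce)

def choose_path(paths, current, threshold=0.9):
    """Keep the current path while it meets the threshold, else move to the best one."""
    rates = {pid: delivery_rate(pid, behaviour) for pid, behaviour in paths.items()}
    if rates[current] >= threshold:
        return current, rates
    return max(rates, key=rates.get), rates

if __name__ == "__main__":
    paths = {"via-B": forging, "via-C": lossy, "via-D": honest}
    chosen, rates = choose_path(paths, current="via-B")
    print(rates, "->", chosen)
```

Because only MAC-verified acks count, a path that silently drops traffic and fabricates acknowledgements scores the same as a black hole, and the edge node moves off it without any help from the routing protocol.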


Conclusion

• Secure routing is not the goal
  – The control plane is just one part of the system
  – “Jen, the Internet is not a network for delivering BGP update messages.” – Randy Bush

• Secure communication should be the goal
  – Integrity, confidentiality, and availability

• Leading to a combination of mechanisms
  – End-to-end integrity and confidentiality
  – Multi-path routing and forwarding
  – Secure availability monitoring