Advanced Research Issues In Security: Securing Key Internet Technologies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher. Outline. Routing security DNS security. Routing Security. Routing protocols control how packets flow through the Internet


Presentation Transcript


  1. Advanced Research Issues In Security: Securing Key Internet Technologies
  CS 236, On-Line MS Program, Networks and Systems Security
  Peter Reiher

  2. Outline
  • Routing security
  • DNS security

  3. Routing Security
  • Routing protocols control how packets flow through the Internet
  • If they aren’t protected, attackers can alter packet flows at their whim
  • Most routing protocols were not built with security in mind

  4. Routing Protocol Security Threats
  • Threats to routing data secrecy
    • Usually not critical
  • Threats to routing protocol integrity
    • Very important, since tampering with routing integrity can be bad
  • Threats to routing protocol availability
    • Potential to disrupt Internet service

  5. What Could Really Go Wrong?
  • Packets could be routed through an attacker
  • Packets could be dropped
    • Routing loops, blackhole routing, etc.
  • Some users’ service could be degraded
  • The Internet’s overall effectiveness could be degraded
    • Slow response to failures
    • Total overload of some links
  • Many types of defenses against other attacks presume correct routing

  6. Where Does the Threat Occur?
  • At routers, mostly
  • Most routers are well-protected
  • But . . .
    • Several vulnerabilities have been found in routers
    • Also, should we always trust those running routers?

  7. Different Types of Routing Protocols
  • Link state
    • Tell everyone the state of your links
  • Distance vector
    • Tell nodes how far away things are
  • Path vector
    • Tell nodes the complete path between various points
  • On demand protocols
    • Figure out routing once you know two nodes need to communicate

  8. Popular Routing Protocols
  • BGP
    • Path vector protocol used in core Internet routing
    • Arguably most important protocol to secure
  • RIP
    • Distance vector protocol for small networks
  • OSPF
  • ISIS
  • Ad hoc routing protocols

  9. Fundamental Operations To Be Protected
  • One router tells another router something about routing
    • A path, a distance, contents of local routing table, etc.
  • A router updates its routing information
  • A router gathers information to decide on routing

  10. Protecting BGP
  • BGP is probably the most important protocol to protect
    • Handles basic Internet routing
  • Works at autonomous system (AS) level
    • Rather than router level

  11. BGP Issues
  • BGP is spoken (mostly) between routers in autonomous systems
    • On direct network links to their partner
    • Over TCP sessions that are established with known partners
  • Isn’t that enough to give reasonable security?

  12. A Recent Counterexample
  • Pakistan became upset with YouTube over posting of “blasphemous” video
  • Responded by injecting a BGP update that sent all traffic to YouTube to a site in Pakistan
    • Which probably dropped it all
  • Rendered YouTube unavailable worldwide (well, for two-thirds of the world)

  13. How Did This Happen?
  • Pakistan injected a BGP update advertising a path to YouTube
    • Which they had no right to do
  • It got automatically propagated by BGP
  • Everyone knows YouTube isn’t in Pakistan
    • But the routing protocol didn’t
  • Security required to prevent other future incidents

  14. A Side Issue on This Story
  • Much thinking about the Internet is predicated on the assumption that major players play by the rules
  • Pakistan didn’t
  • Not desirable to base the Internet’s security on this assumption
    • Though sometimes there are not many other choices

  15. Basic BGP Security Issue
  [Figure: routers A through G. A advertises prefix 1.2.3.*, and the path carried in the update grows from A to B,A to C,B,A to D,C,B,A as it propagates through B, C, D and E.]
  A wants to tell everyone how to get to 1.2.3.*
  What do we need to protect?

  16. Well, What Could Go Wrong?
  [Figure: the same topology; the update for 1.2.3.* that reaches E carries the path D,F instead of the true path.]
  What if A doesn’t own 1.2.3.*?
  What if router A isn’t authorized to advertise 1.2.3.*?
  What if router D alters the path?

  17. How Do We Solve These Problems?
  • Advertising routers must prove ownership and right to advertise
  • Paths must be signed by routers on them
  • Must avoid cut-and-paste attacks
    • And replay attacks

  18. S-BGP
  • A protocol designed to solve most of the routing security issues for BGP
  • Intended to be workable with existing BGP protocol
  • Key idea is to tie updates to those who are allowed to make them
    • And to those who build them

  19. Some S-BGP Constraints
  • Can’t change BGP protocol
    • Or packet format
  • Can’t have messages larger than max BGP size
  • Must be deployable in reasonable way

  20. An S-BGP Example
  [Figure: the same topology; A advertises 1.2.3.* to B.]
  How can B know that A should advertise 1.2.3.*?
  A can provide a certificate proving ownership

  21. Securing BGP Updates
  [Figure: the same topology; A advertises 1.2.3.*, and each hop’s update carries a signed path: A, then B,A, then C,B,A, then D,C,B,A.]
  A wants to tell everyone how to get to 1.2.3.*
  What are these signatures actually attesting to?

  22. Who Needs To Prove What?
  • A needs to prove (to B-E) that he owns the prefix
  • B needs to prove (to C-E) that A wants the prefix path to go through B
  • C needs to prove (to D-E) the same
  • D needs to prove (to E) the same

  23. So What Does A Sign?
  • A clearly must provide proof he owns the prefix
  • He also must prove he originated the update
  • And only A can prove that he intended the path to go through B
  • So he has to sign for all of that

  24. Address Attestations in S-BGP
  • These are used to prove ownership of IP prefix spaces
  • IP prefix owner provides attestation that a particular AS can originate its BGP updates
  • That AS includes attestation in updates

  25. Route Attestations
  • To prove that path for a prefix should go through an AS
  • The previous AS on the path makes this attestation
    • E.g., B attests that C is the next AS hop

  26. How Are These Signatures Done?
  • Via public key cryptography
  • Certificates issued by proper authorities
    • ICANN at the top
    • Hierarchical below ICANN
  • Certificates not carried with updates
    • Otherwise, messages would be too big
    • Off-line delivery method proposed
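Slides 20 to 26 describe the two kinds of attestation but not how a receiving AS actually checks them. The following Python is an added example written for this transcript; it is not code from S-BGP, from the lecture, or from any BGP implementation. It models an address attestation (the prefix holder authorises an origin AS) and a chain of route attestations (each AS signs the path so far plus the AS it hands the update to), then validates the chain at E, rejecting the failures from slide 16 (an unauthorised origin, an altered path) and a replay of the update to a different AS. The AS names A to G, the prefix 1.2.3.0/24 (the slides’ 1.2.3.*) and all keys are constructed, and an HMAC with a per-party secret known to the verifier stands in for the public-key signatures and certificates that real S-BGP uses.

```python
import hmac
import hashlib
import json

# Constructed keys for the example. Real S-BGP uses public-key signatures whose
# certificates chain up to ICANN (slide 26); here a per-party secret that the
# verifier also knows stands in for "signature plus certificate", so the
# example runs with only the standard library.
AS_KEYS = {name: f"as-key-{name}".encode() for name in "ABCDEFG"}
OWNER_KEYS = {"1.2.3.0/24": b"owner-key-1.2.3"}   # key of the prefix holder


def _sign(key, fields):
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def _verify(key, fields, sig):
    return hmac.compare_digest(_sign(key, fields), sig)


def address_attestation(prefix, origin_as):
    """Prefix holder states that origin_as may originate updates for prefix (slide 24)."""
    fields = {"type": "addr", "prefix": prefix, "origin": origin_as}
    return {"fields": fields, "sig": _sign(OWNER_KEYS[prefix], fields)}


def route_attestation(signer, prefix, path_so_far, next_as):
    """AS signer states: this update for prefix, with this path, is handed to next_as (slide 25)."""
    fields = {"type": "route", "prefix": prefix, "path": list(path_so_far), "next": next_as}
    return {"signer": signer, "fields": fields, "sig": _sign(AS_KEYS[signer], fields)}


def originate(origin_as, prefix, addr_att, to_as):
    """Origin AS builds the first update and sends it to neighbour to_as."""
    return {"prefix": prefix, "path": [origin_as], "addr_att": addr_att,
            "route_atts": [route_attestation(origin_as, prefix, [origin_as], to_as)]}


def forward(update, me, to_as):
    """AS me appends itself and attests which AS it hands the update to.
    (The path is kept origin-first here; BGP's AS_PATH lists it newest-first.)"""
    path = update["path"] + [me]
    return {"prefix": update["prefix"], "path": path, "addr_att": update["addr_att"],
            "route_atts": update["route_atts"]
            + [route_attestation(me, update["prefix"], path, to_as)]}


def validate(update, me):
    """Receiver me checks the origin's right to advertise and every hop's attestation."""
    prefix, path, atts = update["prefix"], update["path"], update["route_atts"]
    if prefix not in OWNER_KEYS:
        return False, "no owner certificate known for prefix"
    aa = update["addr_att"]
    if aa["fields"] != {"type": "addr", "prefix": prefix, "origin": path[0]} \
            or not _verify(OWNER_KEYS[prefix], aa["fields"], aa["sig"]):
        return False, f"{path[0]} is not authorised to originate {prefix}"
    if len(atts) != len(path):
        return False, "one route attestation per AS on the path is required"
    for i, (hop, att) in enumerate(zip(path, atts)):
        # Each AS must have signed exactly the path up to itself and named the
        # AS it sent the update to; the last one must have named *us*.
        expected_next = path[i + 1] if i + 1 < len(path) else me
        expected = {"type": "route", "prefix": prefix, "path": path[: i + 1], "next": expected_next}
        if att["signer"] != hop or att["fields"] != expected \
                or not _verify(AS_KEYS[hop], att["fields"], att["sig"]):
            return False, f"attestation by {hop} is missing, altered, or not addressed to {expected_next}"
    return True, "ok"


def demo():
    prefix = "1.2.3.0/24"
    aa = address_attestation(prefix, "A")
    u_b = originate("A", prefix, aa, "B")   # A -> B
    u_c = forward(u_b, "B", "C")             # B -> C
    u_d = forward(u_c, "C", "D")             # C -> D
    u_e = forward(u_d, "D", "E")             # D -> E
    results = {"honest": validate(u_e, "E")[0]}
    # F originates A's prefix, reusing A's address attestation (slide 16).
    results["hijack"] = validate(originate("F", prefix, aa, "E"), "E")[0]
    # D splices itself after B, cutting C out of the path (slide 16).
    results["cut_and_paste"] = validate(forward(u_c, "D", "E"), "E")[0]
    # The update D built for E is replayed to G instead.
    results["replay_to_other_as"] = validate(u_e, "G")[0]
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:20s} accepted={accepted}")
```

Because every route attestation names the AS it was handed to, an attestation lifted from one update cannot be pasted into another or replayed to a different neighbour, which is the cut-and-paste and replay protection slide 17 asks for; the attestations themselves are small, but the certificates needed to check them are not carried in the update, matching slide 26.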

  27. S-BGP and IPSec
  • S-BGP generates the attestations itself
  • But it uses IPSec to deliver the BGP messages
  • Doing so prevents injections of replayed messages
  • Also helps with some TCP-based attacks
    • E.g., SYN floods

  28. Protecting Other Styles of Protocols
  • Generally, how do you know you should believe another router?
    • About distance to some address space
    • About reachability to some address space
    • About other characteristics of a path
    • About what other nodes have told you

  29. How Routing Protocols Pass Information
  • Some protocols pass full information
    • E.g., BGP
    • So they can pass signed information
  • Others pass summary information
    • E.g., RIP
    • They use other updates to create new summaries
    • How can we be sure they did so properly?

  30. Who Are You Worried About?
  • Random attackers?
    • Generally solvable by encrypting/authenticating routing updates
  • Misbehaving insiders?
    • A much harder problem
    • They’re supposed to make decisions
    • How do you know they’re lying?

  31. A Sample Problem
  [Figure: a distance vector example on routers A through H; A owns 1.2.3.*, and hop counts 0, 1, 2, 3 are marked along the paths toward H.]
  Assume a distance vector protocol
  How can H tell someone lied?
  How can H tell that E lied?

  32. Types of Attacks on Distance Vector Routing Protocols
  • Blackhole attacks
    • Claim short route to target
  • Claim longer distance
    • To avoid traffic going through you
  • Inject routing loops
    • Which cause traffic to be dropped
  • Inject lots of routing updates
    • Generally for denial of service

  33. How To Secure a Distance Vector Protocol?
  • Can’t just sign the hop count
    • Not tied to the path
  • Instead, sign a length and a “second-to-last” router identity
  • By iterating, you can verify path length

  34. An Example
  [Figure: routers A through H; A owns 1.2.3.*, with one path A-B-C-D-E-H and another A-F-G-H.]
  H needs to build a routing table entry for 1.2.3.*
  Should show hop count of 3 via G, 5 via E

  35. One Way to Do It
  [Figure: the same topology, with H’s routing table built up one hop at a time:]
    Destination  Hops  Second-to-last router
    E            1     -
    D            2     E
    C            3     D
    B            4     C
    A            5     B
  H directly verifies that it’s one hop to E
  H gets signed info that D is 2 hops through E
  Then we iterate
  Now we can trust it’s five hops to A

  36. Who Does the Signing?
  • The destination
    • A in the example
  • It only signs the unchanging part
    • Not the hop count
  • But an update eventually reaches H that was signed by A

  37. What About That Hop Count?
  • E could lie about the hop count
  • But he can’t lie that A is next to B
    • Nor that B is next to C, nor C next to D, nor D next to E
  • Unless other nodes collude, E can’t claim to be closer to A than he is

  38. What If Someone Lies?
  [Figure: the same topology and routing table (E 1 -, D 2 E, C 3 D, B 4 C, A 5 B).]
  There’s limited scope for effective lies
  E can’t claim to be closer to A
  Since E can’t produce a routing update signed by A that substantiates that

  39. A Difficulty
  • This approach relies on a PKI
    • H must be able to check the various signatures
  • Breaks down if someone doesn’t sign
    • That’s a hole in the network, from the verification point of view
  • Consider, in example, what happens if C doesn’t sign

  40. What If C Doesn’t Sign?
  [Figure: the same topology and routing table, with C’s entry (C 3 D) unsigned.]
  A message coming through D tells us that it’s three hops to C
  But H can’t verify that
    Other than trusting D . . .
  H knows C is next to B
  And that B is next to A
  But how can he be sure D is next to C?
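Slides 33 to 40 describe verifying a distance vector hop count by iterating over signed “second-to-last router” records rather than trusting the number in the update. The following Python is an added example written for this transcript, not the lecture’s code or any routing protocol’s: H rebuilds the hop count to A from a chain of adjacency records, each signed by the router it describes, and reports three distinct outcomes, a verified route, a detectable lie by E (slides 37 and 38), and the unverifiable case where C does not sign (slides 39 and 40). The router names, the topology (A-B-C-D-E-H and A-F-G-H from slide 34) and the keys are constructed, and an HMAC with a per-router secret known to H stands in for the PKI-backed signatures the slides assume.

```python
import hmac
import hashlib

# Constructed keys, one per router. The slides assume a PKI with public-key
# signatures (slide 39); a per-router secret that the verifier H also knows
# stands in for that so the example runs with only the standard library.
ROUTER_KEYS = {name: f"router-key-{name}".encode() for name in "ABCDEFGH"}


def _mac(node, neighbour):
    msg = f"{node}->{neighbour}".encode()
    return hmac.new(ROUTER_KEYS[node], msg, hashlib.sha256).hexdigest()


def sign_adjacency(node, neighbour):
    """node signs the unchanging part of a route: 'my next hop toward the
    verifier is neighbour'. The hop count is deliberately not signed (slide 36)."""
    return {"node": node, "neighbour": neighbour, "sig": _mac(node, neighbour)}


def verify_route(me, direct_neighbours, dest, claimed_hops, records):
    """Rebuild the hop count to dest from signed adjacency records instead of
    believing the advertised number (slide 33: iterate to verify path length).

    records runs outward from me: records[0] names one of my direct neighbours
    (a hop I verify myself), and every later record must name the router that
    signed the record before it. Returns (status, hops)."""
    if not records:
        if dest in direct_neighbours and claimed_hops == 1:
            return "verified", 1
        return f"rejected: no signed path to {dest}", None
    prev = None
    for i, rec in enumerate(records):
        node, nxt = rec["node"], rec["neighbour"]
        if rec.get("sig") is None:
            # A hole in the chain (slide 40): this link can be neither confirmed nor refuted.
            return f"unverifiable: {node} did not sign its link to {nxt}", None
        if not hmac.compare_digest(_mac(node, nxt), rec["sig"]):
            return f"rejected: bad signature on {node}->{nxt}", None
        if i == 0 and nxt not in direct_neighbours:
            return f"rejected: {nxt} is not a direct neighbour of {me}", None
        if i > 0 and nxt != prev:
            return f"rejected: {node} points at {nxt}, but the chain needed {prev}", None
        prev = node
    if prev != dest:
        return f"rejected: chain ends at {prev}, not {dest}", None
    hops = len(records) + 1
    if hops != claimed_hops:
        return f"rejected: chain proves {hops} hops, update claimed {claimed_hops}", None
    return "verified", hops


def demo():
    # Constructed topology from slide 34: H-E-D-C-B-A and H-G-F-A; A owns 1.2.3.*.
    a_b, b_c, c_d, d_e = (sign_adjacency(n, m)
                          for n, m in [("A", "B"), ("B", "C"), ("C", "D"), ("D", "E")])
    a_f, f_g = sign_adjacency("A", "F"), sign_adjacency("F", "G")
    direct = {"E", "G"}   # H verifies these single hops itself
    out = {}
    out["via_E"] = verify_route("H", direct, "A", 5, [d_e, c_d, b_c, a_b])
    out["via_G"] = verify_route("H", direct, "A", 3, [f_g, a_f])
    # E lies about the number only: the records it must attach still prove five hops.
    out["E_lies_about_count"] = verify_route("H", direct, "A", 3, [d_e, c_d, b_c, a_b])
    # E lies by splicing: it cannot produce a record in which A names D or E (slide 38).
    out["E_truncates_chain"] = verify_route("H", direct, "A", 3, [d_e, a_b])
    # C does not sign; D relays an unsigned claim that C is next to D (slide 40).
    unsigned_c_d = {"node": "C", "neighbour": "D", "sig": None}
    out["C_unsigned"] = verify_route("H", direct, "A", 5, [d_e, unsigned_c_d, b_c, a_b])
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} {result}")
```

The unverifiable outcome is kept separate from a rejection on purpose: when C does not sign, H has no evidence that D lied, only that the link C-D rests on trusting D, which is exactly the hole slide 39 describes; a deployment has to decide whether such routes are accepted, deprioritised or dropped.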

  41. What’s the Problem?
  [Figure: the same topology and routing table on the left; on the right, a second, different topology on the same routers A through H.]
  For this graph, no problem
  But how about for this one?
