Cyber DEfense Technology Experimental Research (DETER)
Network Evaluation Methods for Internet Security Technology (EMIST)
USC Information Sciences Institute, University of California, Berkeley, University of California, Davis, Penn State University, Purdue University, International Computer Science Institute, Stanford Research Institute (SRI), Network Associates, SPARTA
Updates on Routing Experiments
USC/ISI
Research Objectives
• Realistic Internet routing experiments on dynamics (i.e., faults, failures and attacks) with configurable parameters
• Study, analyze, evaluate and validate hypotheses/principles related to Internet routing and its security
Problems in Understanding the Problems
• Inter-domain routing is very hard and complex to understand…
The “Internet” as of February 1, 2006 (http://bgp.potaroo.net/cidr/)
• 21319 Autonomous Systems
• 177300 IP address prefixes announced
Problems in Understanding the Problems
• Inter-domain routing is very hard and complex to understand…
• It is really not just scalability, though…
• Policy/configuration
• Implementation
Simulation versus Emulation
• Simulation: large-scale, but may abstract away low-level characteristics
• Emulation: experimenting with realistic implementations and observing the “unexpected”
• Implementation differences
• Analyzing/interpreting the interactions
• May help in accomplishing better simulation tasks in BGP
Interactions/Dynamics
• Failures/faults/attacks
• Mobility/configuration/policy changes
• Cross-layer interactions
• EGP versus IGP
Problems in Understanding the Problems
• Inter-domain routing is very hard and complex to understand…
• It is really not just scalability, though…
• Policy/configuration
• Implementation
• And industry is introducing new BGP features…
Route Flap Damping (RFC 2439)
Differential Damping Penalty
Testbed topology on the slide (one router per AS): Cisco 12000 (AS65001), Cisco 2600 (AS65002), IBM 2210 (AS65003), IBM 2210 (AS65004), Cisco 2514 (AS65005), Zebra/Linux (AS65006)
Slide sequence for prefix 169.237/16 (penalty values as drawn on the slides):
• Initially: Penalty: 0; Penalty 1: 0; Penalty 2: 0
• After the flap: Penalty: ???; Penalty 1: 1000; Penalty 2: 1000
• Penalty: 1000, then 2000 (the initial difference); Penalty 1: 1000; Penalty 2: 1000; artificial delay X
• Penalty: 2000 -/+ X > 750; Penalty 1: 1000; Penalty 2: 1000; -/x < 2000
Outbound Route Filter (ORF)
Internet draft, under implementation in Cisco: “defines a BGP-based mechanism that allows a BGP speaker to send to its BGP peer a set of Outbound Route Filters (ORFs). The peer would then apply these filters, in addition to its locally configured outbound filters (if any), to constrain/filter its outbound routing updates to the speaker.”
If a peer damps a path, it sends an ORF to its downstream peer, so that peer receives no further updates for the path until the path is reused.
Same scenario with ORF applied (slide): Penalty: 1000, then 2000; Penalty 1: 1000; Penalty 2: 1000; prefix 169.237/16
A Little Dampening Story
The slide lines up SSFNet, Zebra and Cisco against the granularity at which damping state is kept: per prefix + per peer, versus per prefix + per peer + per AS path
Withdraw 169.237/16: Penalty: 1000, then 2000; Penalty 1: 1000; Penalty 2: 1000
SSFNet Simulator “Bugs”: in the same scenario the withdraw of 169.237/16 is missing!!
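The penalty arithmetic behind the damping slides above, as an added example; this is not code from the DETER/EMIST project nor from any router or simulator named on the slides. It implements RFC 2439-style damping with the 1000 / 2000 / 750 figures the slides use, and lets the damping state be keyed per prefix, per prefix + peer, or per prefix + peer + AS path, so the two withdrawals of 169.237/16 (one heard via AS65001, one via AS65002) can be replayed against each granularity and the "1000 versus 2000" difference reproduced. Which granularity belongs to which implementation is left to the slide; the 15-minute half-life, the >= suppress comparison, the peer labels and the delay argument (the slides' "artificial delay X") are assumptions.

```python
"""Route flap damping (RFC 2439) penalty bookkeeping, added example.
Parameters follow the 1000 / 2000 / 750 figures on the slides; the 15-minute
half-life and the comparison rules are assumptions (the usual router defaults)."""
import math

FLAP_PENALTY = 1000.0       # added for each flap (withdrawal of the path)
SUPPRESS_LIMIT = 2000.0     # at or above this the path is suppressed
REUSE_LIMIT = 750.0         # below this a suppressed path is reused again
HALF_LIFE_S = 15 * 60       # assumed half-life of the exponential decay


def decay(penalty, elapsed_s):
    """Penalty remaining after elapsed_s seconds of exponential decay."""
    return penalty * 2.0 ** (-elapsed_s / HALF_LIFE_S)


def reuse_delay(penalty):
    """Seconds until `penalty` decays below REUSE_LIMIT (0 if already below)."""
    if penalty <= REUSE_LIMIT:
        return 0.0
    return HALF_LIFE_S * math.log2(penalty / REUSE_LIMIT)


class Damper:
    """Flap penalties keyed at one of the granularities the slides contrast."""

    MODES = ("prefix", "prefix+peer", "prefix+peer+aspath")

    def __init__(self, key_mode):
        if key_mode not in self.MODES:
            raise ValueError(f"unknown key mode {key_mode!r}")
        self.key_mode = key_mode
        self.state = {}      # key -> (penalty, time of last update, suppressed)

    def _key(self, prefix, peer, as_path):
        if self.key_mode == "prefix":
            return (prefix,)
        if self.key_mode == "prefix+peer":
            return (prefix, peer)
        return (prefix, peer, tuple(as_path))

    def flap(self, now, prefix, peer, as_path):
        """Record a withdrawal of the path to `prefix` heard from `peer`; returns the new penalty."""
        k = self._key(prefix, peer, as_path)
        penalty, last, suppressed = self.state.get(k, (0.0, now, False))
        penalty = decay(penalty, now - last) + FLAP_PENALTY
        if penalty >= SUPPRESS_LIMIT:
            suppressed = True
        self.state[k] = (penalty, now, suppressed)
        return penalty

    def status(self, now, prefix, peer, as_path):
        """(current penalty, suppressed) at time `now`; releases the path once the
        decayed penalty drops below REUSE_LIMIT."""
        k = self._key(prefix, peer, as_path)
        if k not in self.state:
            return 0.0, False
        penalty, last, suppressed = self.state[k]
        penalty = decay(penalty, now - last)
        if suppressed and penalty < REUSE_LIMIT:
            suppressed = False
        self.state[k] = (penalty, now, suppressed)
        return penalty, suppressed


def differential_damping(key_mode, delay_s=0.0):
    """Replay the slide scenario: 169.237/16 flaps once via AS65001 at t=0 and
    once via AS65002 `delay_s` seconds later (the slides' artificial delay X).
    Returns the penalty recorded after each flap and whether the path heard
    from AS65002 ends up suppressed. Peer labels are assumed."""
    d = Damper(key_mode)
    prefix = "169.237.0.0/16"
    p1 = d.flap(0.0, prefix, "AS65001", [65001])
    p2 = d.flap(delay_s, prefix, "AS65002", [65002])
    _, suppressed = d.status(delay_s, prefix, "AS65002", [65002])
    return {"after_peer1": p1, "after_peer2": p2, "suppressed": suppressed}


if __name__ == "__main__":
    for mode in Damper.MODES:
        print(f"{mode:24s} {differential_damping(mode)}")
    print(f"{'prefix, delay=half-life':24s} {differential_damping('prefix', HALF_LIFE_S)}")
    print(f"a 2000 penalty is reused after {reuse_delay(2000):.0f} s")
```

Keyed per prefix only, the two withdrawals land on one counter and the penalty reaches 2000 (suppressed); keyed per prefix + peer or finer, each counter stays at 1000 (Penalty 1 and Penalty 2 on the slides) and nothing is suppressed. With a delay of one half-life between the flaps the per-prefix counter only reaches 1500, which is the role the artificial delay X plays. As a rough sanity check of the assumed half-life, decay(1000, 785) gives about 546, close to the "penalty 543, flapped 1 times in 00:13:05" in the Zebra output shown later in the deck (Zebra decays in discrete steps, so an exact match is not expected).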
Comparison plots (three panels on the slides): SSFNET + WD, SSFNET, CISCO
ICDCS’2005 Best Paper Award
Problems or Issues
• Damping implementation
• MRAI timer
• The single-router-AS assumption
• Route withdraw
• ORF
Collecting the Results in 2005
• show ip bgp …: selected prefixes, per router, once per second
• updates -- MRT, 1 peer (SPRINT): full routing table (9MB compressed), BGP updates (2 hours -- 168KB)
Experiment topology on the slide: AS-117, AS-112, AS-121, AS-113, AS-101, AS-114
AS 101 Multi-homing (show ip bgp output collected on the AS 101 router):

    =====================================================
    Wed Sep 28 02:26:00 PDT 2005
    =====================================================
    Paths: (3 available, best #3, table Default-IP-Routing-Table)
      Advertised to non peer-group peers:
      101.0.0.1 101.0.0.2 112.0.0.2 114.0.0.2
      114 113 121
        114.0.0.2 from 114.0.0.2 (114.0.0.2)
          Origin IGP, localpref 100, valid, external
          Last update: Wed Sep 28 02:13:28 2005
      112 117
        112.0.0.2 from 112.0.0.2 (112.0.0.2)
          Origin IGP, localpref 100, valid, external
          Dampinfo: penalty 543, flapped 1 times in 00:13:05
          Last update: Wed Sep 28 02:25:39 2005
      113 121
        113.0.0.2 from 113.0.0.2 (113.0.0.2)
          Origin IGP, localpref 100, valid, external, best
          Last update: Wed Sep 28 02:13:11 2005
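A parser for that per-router, per-second `show ip bgp <prefix>` collection, added here as an example and not the project's own tooling. It turns the Zebra-style output into records that a script can diff across routers or successive seconds, and picks out the best path and any path carrying damping state. The embedded sample is the AS 101 output from the slide, re-indented (constructed input); the record field names are my own.

```python
"""Parser for Zebra/Quagga-style `show ip bgp <prefix>` output (added example)."""
import re

# Constructed sample: the AS 101 output reproduced on the slide, re-indented.
SAMPLE = """\
=====================================================
Wed Sep 28 02:26:00 PDT 2005
=====================================================
Paths: (3 available, best #3, table Default-IP-Routing-Table)
  Advertised to non peer-group peers:
  101.0.0.1 101.0.0.2 112.0.0.2 114.0.0.2
  114 113 121
    114.0.0.2 from 114.0.0.2 (114.0.0.2)
      Origin IGP, localpref 100, valid, external
      Last update: Wed Sep 28 02:13:28 2005
  112 117
    112.0.0.2 from 112.0.0.2 (112.0.0.2)
      Origin IGP, localpref 100, valid, external
      Dampinfo: penalty 543, flapped 1 times in 00:13:05
      Last update: Wed Sep 28 02:25:39 2005
  113 121
    113.0.0.2 from 113.0.0.2 (113.0.0.2)
      Origin IGP, localpref 100, valid, external, best
      Last update: Wed Sep 28 02:13:11 2005
"""

PATHS_RE = re.compile(r"^Paths: \((\d+) available, best #(\d+)")
AS_PATH_RE = re.compile(r"^\d+(?: \d+)*$")          # a line of bare AS numbers
NEXTHOP_RE = re.compile(r"^(\S+) from (\S+) \((\S+)\)$")
DAMP_RE = re.compile(r"^Dampinfo: penalty (\d+), flapped (\d+) times in (\d+):(\d+):(\d+)$")


def parse_show_ip_bgp(text):
    """Return {"timestamp", "available", "best", "paths": [...]}; each path has
    as_path, next_hop, from, router_id, attrs, best, last_update and damp
    (None, or {"penalty", "flaps", "age_s"} while the path is being damped)."""
    rec = {"timestamp": None, "available": 0, "best": 0, "paths": []}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        m = PATHS_RE.match(line)
        if m:
            rec["available"], rec["best"] = int(m.group(1)), int(m.group(2))
            continue
        if rec["timestamp"] is None:
            rec["timestamp"] = line            # banner between the ==== rules
            continue
        if AS_PATH_RE.match(line):             # starts a new path entry
            cur = {"as_path": [int(a) for a in line.split()], "best": False, "damp": None}
            rec["paths"].append(cur)
            continue
        if cur is None:
            continue                           # "Advertised to ..." and its neighbor list
        m = NEXTHOP_RE.match(line)
        if m:
            cur["next_hop"], cur["from"], cur["router_id"] = m.groups()
            continue
        m = DAMP_RE.match(line)
        if m:
            h, mi, s = (int(x) for x in m.group(3, 4, 5))
            cur["damp"] = {"penalty": int(m.group(1)), "flaps": int(m.group(2)),
                           "age_s": h * 3600 + mi * 60 + s}
            continue
        if line.startswith("Origin"):
            cur["attrs"] = line
            cur["best"] = line.endswith(", best")
        elif line.startswith("Last update:"):
            cur["last_update"] = line[len("Last update:"):].strip()
    return rec


def best_path(rec):
    """The path Zebra marked as best."""
    return next(p for p in rec["paths"] if p["best"])


def damped_paths(rec):
    """Paths that currently carry damping state."""
    return [p for p in rec["paths"] if p["damp"] is not None]


if __name__ == "__main__":
    rec = parse_show_ip_bgp(SAMPLE)
    print(rec["timestamp"], "best:", best_path(rec)["as_path"])
    for p in damped_paths(rec):
        print("damped:", p["as_path"], p["damp"])
```

On the sample this yields three paths, the best via 113 121, and one damped path (via 112 117) with penalty 543 after one flap 785 seconds earlier; the age in seconds is what lets successive snapshots be lined up against the MRT update stream.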
Slide: AS-117 announced, AS-121 withdrawn (topology 117, 112, 101, 113, 121, 114; OASC)
Creation and Evolution of BGP Modeling
• DETER: all BGP information is available
• SSFNet: current understanding of the BGP model
• Conflicts, anomalies
Observation Point Data
• ORV/RIPE
• Relatively incomplete in understanding the behavior
On Explaining and Model-Building the Model
• Anomaly detection
• Anomaly analysis and explanation
Creation and BGP Model
• What are the events?
• Event: a change in the BGP table
• Caused by: operator configuration; BGP peers; other means, e.g., routes redistributed from OSPF
• Events result in BGP update messages
• How are the events related?
BGP Behavior (flowchart on the slide): Update → BGP → Y / N; Y: Redistribute (Policy / local pref, Operator, OSPF) → Update; N: Done
Mapping (3-D plot on the slide): Announce and Withdraw events at Time 0, Time 30 and Time 60 along the TIME axis, over the 2D AS topology projected onto Z=0
BGP Events: Causality and Correlation
• Causality relationships among individual BGP events (across different routers/ASes)
• Critical simply to understand/correlate BGP behavior
• Discover new types of relationships (or filter/correct false causality in experiments)
• Important for generating/replaying realistic BGP events
• Use emulation to verify the causality
• Maybe also with commercial routers (e.g., Juniper)
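An added example of the cross-router causality linking the slide describes, not the project's own code. Given a time-ordered log of updates as received at each router, it links each announcement to the upstream announcement whose AS path it extends by one hop, and each withdrawal to the upstream withdrawal of the path the sending peer had last advertised; what cannot be explained from the log is left as a root. The log is constructed on the AS-117/112/101/113/121/114 topology of the earlier slides with a made-up prefix, one router per AS; the 60-second propagation window is an assumption.

```python
"""Link BGP update events across routers into causal chains (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Update:
    """One update received by router `rx` from peer `tx`; kind "A" (announce)
    or "W" (withdraw). `as_path` is the path as carried on the wire, so
    as_path[0] is tx's own AS and as_path[1:] is what tx itself received."""
    t: float
    rx: str
    tx: str
    kind: str
    prefix: str
    as_path: Tuple[int, ...] = ()


PREFIX = "10.121.0.0/16"   # constructed; not a prefix from the slides

# Constructed log: AS121 originates PREFIX, it propagates 121->113->{101,114}->101,
# AS117 later announces it via 112, then AS121 withdraws and the withdraws follow
# the announcement paths back out. Times in seconds; one router per AS.
LOG = [
    Update(0.0, "AS113", "AS121", "A", PREFIX, (121,)),
    Update(0.5, "AS101", "AS113", "A", PREFIX, (113, 121)),
    Update(0.5, "AS114", "AS113", "A", PREFIX, (113, 121)),
    Update(1.0, "AS101", "AS114", "A", PREFIX, (114, 113, 121)),
    Update(30.0, "AS112", "AS117", "A", PREFIX, (117,)),
    Update(30.5, "AS101", "AS112", "A", PREFIX, (112, 117)),
    Update(60.0, "AS113", "AS121", "W", PREFIX),
    Update(60.5, "AS101", "AS113", "W", PREFIX),
    Update(60.5, "AS114", "AS113", "W", PREFIX),
    Update(61.0, "AS101", "AS114", "W", PREFIX),
]


def link_causes(log: List[Update], window_s: float = 60.0) -> List[Optional[int]]:
    """For each event return the index of its cause, or None for an origination
    (or an event the log cannot explain). `log` must be sorted by time."""
    assert all(a.t <= b.t for a, b in zip(log, log[1:])), "log must be time-ordered"
    last_path = {}          # (rx, tx, prefix) -> path tx last announced to rx
    parents: List[Optional[int]] = []
    for i, u in enumerate(log):
        if u.kind == "A":
            last_path[(u.rx, u.tx, u.prefix)] = u.as_path
            path = u.as_path
        else:
            # a withdraw carries no path; the affected path is the one tx last sent
            path = last_path.get((u.rx, u.tx, u.prefix))
        parent = None
        if path is not None and len(path) >= 2:
            upstream = f"AS{path[1]}"   # the peer tx itself learned the route from
            rest = path[1:]             # the path that peer sent to tx
            for j in range(i - 1, -1, -1):
                v = log[j]
                if v.t < u.t - window_s:
                    break               # too old to be the cause
                if (v.rx == u.tx and v.tx == upstream and v.prefix == u.prefix
                        and v.kind == u.kind and (u.kind == "W" or v.as_path == rest)):
                    parent = j
                    break
        parents.append(parent)
    return parents


def causal_chain(parents: List[Optional[int]], i: int) -> List[int]:
    """Event indices from the originating event down to event i."""
    chain = []
    while i is not None:
        chain.append(i)
        i = parents[i]
    return chain[::-1]


def describe(log: List[Update], parents: List[Optional[int]], i: int) -> str:
    u = log[i]
    path = " ".join(map(str, u.as_path)) if u.as_path else "-"
    s = f"t={u.t:5.1f} {u.rx}<-{u.tx} {u.kind} {u.prefix} [{path}]"
    return s if parents[i] is None else s + f"   <= event {parents[i]}"


if __name__ == "__main__":
    parents = link_causes(LOG)
    for i in range(len(LOG)):
        print(describe(LOG, parents, i))
    print("chain for the last withdraw:", causal_chain(parents, len(LOG) - 1))
```

On the constructed log the withdraw AS101 hears from AS114 chains back through AS114's withdraw from AS113 to the origination event at AS121, while AS117's announcement via AS112 forms a separate tree. The same linking rule, run over emulation logs, is what would flag an update with no admissible parent as a candidate false causality.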
Plan for the June 2006 Demo
• One “very interesting” defense tested…
• in a stealthy mode…
• Event correlation
• “realistic” and “comprehensive” BGP model
• Many interesting examples and comparisons
• Still in development (not sure yet)
• Using the model to examine real BGP data
• What patterns should we expect from the observation points?