1 / 61

Securing Routing Protocols

Securing Routing Protocols. Yih-Chun Hu University of California, Berkeley. April 5, 2005. The Importance of Network Security. Networks are increasingly used for many important functions: eCommerce Online banking and stock trading Military command and control

ludwig
Download Presentation

Securing Routing Protocols

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Securing Routing Protocols Yih-Chun Hu University of California, Berkeley April 5, 2005

  2. The Importance of Network Security • Networks are increasingly used for many important functions: • eCommerce • Online banking and stock trading • Military command and control • The goal of my research is to make networks trustworthy for these functions by discovering: • New attacks against existing network systems • Defenses against new and existing attacks

  3. Highlights of My Other Work • Peer-to-Peer and Internet Security: • Friends Troubleshooting Network: Towards Privacy-Preserving, Automatic Troubleshooting, IPTPS 2004 • Securing Ad Hoc Networks: • Ariadne: A Secure On-Demand Protocol for Wireless Ad Hoc Networks, MobiCom 2002 • Building real ad hoc networks: • Link-Layer Source Routing (LLSR) at Microsoft Research (http://www.research.microsoft.com/mesh/) • Evaluating and designing protocols for ad hoc networks: • Caching Strategies in On-Demand Protocols for Wireless Ad Hoc Networks, MobiCom 2000

  4. Improving Routing Security • Current routing protocols were designed without sufficient security • Non-malicious router misconfigurations have already disrupted Internet routing • Example: AS 7007 incident • Goals of secure routing: • Robust against impact of misconfigurations • Robust against external malicious nodes • Robust against compromised nodes

  5. Techniques for Securing Routing • Use intrusion-detection techniques to detect malicious behavior • Use cryptographic techniques to prevent malicious behavior • Use robustness techniquesto reduce impact of malicious behavior

  6. Attacks Against Routing • Attacker causes packets normally routed through itself to instead use a worse route • Example: Fail to advertise a route • Attacker receives a packet for forwarding but instead discards it • Example: Save own bandwidth or CPU time • Attacker causes packets normally routed elsewhere to instead go through itself • Example: Claim good routes to far-away nodes

  7. Talk Outline Securing ad hoc network routing protocols: • Special security issues in ad hoc networks • SEAD: Secure Efficient Ad-hoc network Distance vector routing protocol: • Joint with Adrian Perrig and David Johnson • Published at WMCSA 2002, NDSS 2003, Ad Hoc Networks journal Securing Internet routing protocols: • SPV: Secure Path Vector for securing BGP: • Joint work with Adrian Perrig and Marvin Sirbu • Published at SIGCOMM 2004

  8. Ad Hoc Networks • No infrastructure, or out-of-range base station • Devices self-organize to form a network • Ad hoc network routing protocol extends communication range A B C

  9. Example Applications • Emergency response and disaster relief • Vehicular networks sending safety information • Mining and earthmoving • Space exploration • Military applications

  10. Threats Unique to Ad Hoc Networks • Wireless communication allows attacker to easily: • Eavesdrop on all communication • Inject malicious messages into the network • Current ad hoc network routing protocols were designed for trusted environments • New types of attacks: • Wormhole attack (INFOCOM 2003) • Rushing attack (WiSe 2003)

  11. Securing Ad Hoc Networks Several approaches to ad hoc network routing:

  12. Normal Distance Vector Routing • In normal Distance Vector routing, each node maintains a routing table: Example table at A: A B C D

  13. Normal Distance Vector Routing • Computed using Distributed Bellman-Ford: • Each node periodically broadcasts routing table • For each routing table entry received, compare best known route with newinformation To D: 3 hops via B E 2 X X A B C D E D is 1 hop away

  14. Distance Fraud Attack • A very strong attack against distance vector • Attacker claims very short routes to entire network • Disconnects large portions of the network C J G A K S E D B H F

  15. My Solution: SEAD To solve distance fraud, authenticate distances For each destination D: • To claim distance m, need authenticator aD,m • Attacker can’t reduce distance m • Next hop can derive its authenticator aD,m+1 • Authenticators should be efficient to verify aD,2 aD,1 aD,0 A B C D

  16. C1 = H(C0) Building Blocks: Hash Chains • Uses a one-way hash function H:{0,1}*→{0,1}ρ • Pick a random C0 • Compute each chain value Ci = Hi(C0) C0

  17. C2 = H(C1) Building Blocks: Hash Chains • Uses a one-way hash function H:{0,1}*→{0,1}ρ • Pick a random C0 • Compute each chain value Ci = Hi(C0) C0 C1

  18. C1 C3 = H(C2) =H(C0) Building Blocks: Hash Chains • Uses a one-way hash function H:{0,1}*→{0,1}ρ • Pick a random C0 • Compute each chain value Ci = Hi(C0) C0 C2 =H(C1) • Given any authentic chain value Ci: • Can compute later values Cj for j > i • Can efficiently verify all values Cj • Hard to generate earlier values Cj for j < i

  19. Hash Chains for Distance Authentication

  20. C0 C1 C2 C3 Distance Authentication Details • Distance vector protocols define a maximum distance k • Each node D: • Generates a hash chain k+1 values long • Distributes ck to allow verification • Then authenticator aD,i = ci • Conceptually change hash chains frequently Distance 0 Distance 1 Distance 2

  21. SEAD Stops (Most) Distance Fraud • Everyone knows C3 • Source D announces C0 for distance 0 • Neighbor C announces C1 fordistance 1 • Attacker B can’t announce lower distance! D C B Distance 0 Distance 1 Distance 2 C0 C1 C2 C3

  22. SequenceNumbers First proposed in DSDV for loop-freedom: • Each node maintains a sequence number • Each node increments its sequence number each time it sends an update about itself • An advertised route is “better” if either: • Has a higher (more recent) sequence number • Sequence numbers equal, and distance is shorter • SEAD also gets loop-freedom, plus a guarantee of fresh distance information

  23. Distance 0 Distance 1 Distance 2 Sequence 3 Sequence 1 Sequence 0 Securing Sequence Numbers • Each node generates a hash chain and distributes the last element (C12) for verification • Each sequence number has 3 hash chain values: • Within a sequence number: • C{0,3,6,9} represent distance 0 • C{1,4,7,10} represent distance 1 • C{2,5,8,11} represent distance 2 • In our example, maximum distance is 3 Sequence 2 C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 C10 C11 C12

  24. Distance 0 Distance 1 Distance 2 Sequence 3 Sequence 1 Sequence 0 SEAD Stops (Most) Distance Fraud • Source D announces C3 for distance 0 sequence 2 • Neighbor C announces C4 fordistance 1 sequence 2 • Attacker B can’t announce lower distance! • Due to inherent flooding, useless to announce lower distance with lower sequence number D C B Sequence 2 C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 C10 C11 C12

  25. Simulation Methodology • ns-2 simulator with Monarch wireless extensions • Random waypoint mobility model • 20 sources, 4 packets per second per source • 10 different simulation runs at each pause time • Under attack by a single attacker: • DSDV: attacker claims distance 0 everywhere • SEAD: attacker performs same distance fraud 700m×700m 50 nodes

  26. Packet Delivery Ratio: SEAD vs DSDV

  27. SEAD Related Work Work prior to SEAD: • Hop-by-hop authentication (verifies identity of neighbor, but neighbor give any distance)[Kumar], [Baker and Atkinson], [Malkin] • Limit routes based on full knowledge of original wired network topology [Smith et al.] Later work: • SAODV secures hop count with a hash chain, but uses a new chain for each sequence number, and uses expensive digital signatures • My Ariadne provides end-to-end security for on-demand routing, has higher overhead

  28. Remaining Problems in SEAD • “Same Distance” Fraud: • Attacker replays distance and authenticator • Solution: Bind forwarding node to authenticator • Denial-of-Service attack: • Claim a very high sequence number • Solution: One chain per sequence number • Larger metric spaces: • Verifying even one sequence number may be expensive (e.g., latency or policy metrics) • Solution: Cheaper hash chain traversal

  29. Bind Authenticator to Forwarding Node For each destination D and distance m: • Split the single authenticator aD,m into many node-specific authenticators • For each possible forwarding node F, there exists an associated authenticatoraD,m,F Properties of node-specific authenticators: • Attacker can’t replay another node’s authenticator • Next hop can derive its authenticator for distance m+1

  30. Building Blocks: Hash Trees • Merkle Tree allows authentication of a collection of values given a single authentic value: Distribute root to all verifiers P = H(L || R) b’i = H(bi) bi

  31. b0 b0 ’ ci ci+1 Hash Chain: b01 b1 ’ b1 Hash Tree Chain: ci+1 ’ b2 b2 b23 ci ’ b3 b3 Hash Tree Chains • I developed the hash tree chain: b’j = H(bi) bj = H(ci|| j)

  32. ’ b0 Distance 0 Distance 1 b0 ’ b0 b0 b0 b0 b1 ’ ’ ’ Distance 0 Distance 1 Distance 2 b1 b01 b01 b1 b1 b1 b1 ’ ’ c0 c1 c2 b23 b23 b2 b2 b2 b2 ’ ’ b23 b23 b3 b3 b3 b3 Using Hash Tree Chains • One step in the chain corresponds to a distance • Each bi corresponds to a forwarding node • Attacker must produce its bi to replay distance C0 C1 C2 C3 bj = H(c1|| j) bj = H(c0|| j)

  33. Ad Hoc Networks Summary • SEAD provides efficient, robust security: • Stops attacker from reducing or replaying advertised distance • Built entirely using computationally efficient symmetric cryptography • I have built more sophisticated protocols with better security properties: • Modified Ariadne proven secure at SASN 2004 • I have also identified new and powerful attacks that exploit wireless network properties: • e.g., wormhole and rushing attacks

  34. Securing Internet Routing Internet routers communicate using the Border Gateway Protocol (BGP): • Destinations are prefixes: • Example: 128.2.0.0/16 (CMU) • Routes go through ISPs (Autonomous Systems) • Each ISP is uniquely identified by a number: • Example: 25 (UC Berkeley) • Each route includes a list of traversed ISPs: • Example route from UC Berkeley to CMU: 9 ← 5050 ← 11537 ← 2153 ←

  35. Sample BGP Routing Table • Routing table at a UC Berkeley router:

  36. Sample Operation of BGP • Routing table at a UC Berkeley router: A

  37. Important Attacks On BGP (1) Unauthorized origin ISP: • Attacker advertises for a prefix it does not own G B C M M’s route to G is better than B’s

  38. Important Attacks On BGP (2) Route truncation: • Attacker removes ISP numbers from recorded route G B C E M M’s route to G is better than D’s D

  39. Important Attacks On BGP (3) Route alteration: • Attacker changes ISP numbers already recorded on the route G B C E M M’s route avoids C

  40. S-BGP: Secure BGP [Kent et al.] S-BGP checks two things: • Originating ISP is authorized to advertise prefix • Each ISP received delegation from previous ISP This requires identification of delegating ISP S-BGP Disadvantages: • Poor incremental deployment properties: • Can’t secure route without all intermediate routers doing S-BGP • Requires the use of computationally expensive digital signatures

  41. My Solution: Secure Path Vector SPV secures against all three important attacks: • Unauthorized origin ISP • Route truncation • Route alteration My approach: • Create a “certificate” that allows only authorized ISPs to originate a prefix (like S-BGP) • Build an append-only “route protector”

  42. SPV Properties Properties of append-only “route protector”: • Without breaking the crypto, a node cannot change or remove any ISP number from route • Desirable incremental deployment properties • However, collaborating attackers can insert bogus ISPs between themselves

  43. Intuition: Append-Only Route Protector My route protector is like a stack of punch cards: • Each destination generates one stack • The ith ISP punches its route into ith card • Each punch card is one-way and is verifiable Verifying an N-hop route A1 ← A2 ← ... ← AN: • Verify that each card is authentic • Verify that ith card shows route A1 ← A2 ← ... ← Aifor i ≤ N, otherwise card must be blank 25 25 ← 2152 25 ← 2152 ← 174 25 ← 2152 ← 174 ← 3549 Cards 1..N Card N+1

  44. Protecting the First-Hop Route To use SPV route protector, origin (first) ISP: • Sends lower values (bi,j) based on H(route) • Sends upper values (b''i,j) needed to verify • Second ISP checks SPV’s route protector: • Verify lower values set r1 • Verify r1 H(b’’1,2n-1 || b’’1,2n) b’’1,j = H(b’1,j) 25 b’1,j = H(b1,j) b1,j = H(c1|| j) c1 chosen by destination c1

  45. c2 = H(c1) c3 = H(c2) c4 = H(c3) Protecting Each Longer Route • Each structure can protect only a single route • We add an additional structure for each hop Prefix’s Verification Value r ri b’’i,j 25 25 ← 2152 25 ← 2152 ← 174 25 ← 2152 ← 174 ← 3549 b’i,j bi,j c1

  46. Using the Route Protector • Originating ISP encodes its own identity: • Sends lower values based on H(route) r ri b’’i,j 25 b’i,j bi,j c1 c2 c3 c4

  47. Using the Route Protector • Originating ISP encodes its own identity: • Sends upper values needed to verify r ri b’’i,j b’i,j bi,j c1 c2 c3 c4

  48. Using the Route Protector • Originating ISP encodes its own identity: • Sends next ci (allows next ISP to encode) r ri b’’i,j b’i,j bi,j c1 c2 c3 c4

  49. The EvilISP, Inc. Using the Route Protector • Originating ISP encodes its own identity • Each ISP in turn encodes its identity r ri b’’i,j 25 ← 2152 25 ← 2152 ← 174 b’i,j bi,j c1 c2 c3 c4

  50. The EvilISP, Inc. Attacker Can’t Modify ISPs on Route • Attacker can’t get values needed to change the last ISP from 174 to 123: r ri b’’i,j b’i,j bi,j c1 c2 c3 c4

More Related