jumpstarting bgp security
play

Jumpstarting BGP Security Yossi Gilad Joint work with: Avichai - PowerPoint PPT Presentation

Jun 28, 2023 •623 likes •884 views

Jumpstarting BGP Security Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira Prefix hijacking prefers shorter route Victim 168.122/16 168.122/16 Path: X-111 AS X Path: 666 AS 666 168.122/16 AS Path: 111

  1. Jumpstarting BGP Security Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira

  2. Prefix hijacking prefers shorter route Victim 168.122/16 168.122/16 Path: X-111 AS X Path: 666 AS 666 168.122/16 AS Path: 111 111 BGP Ad. Data flow Boston University 2

  3. Resource Public Key Infrastructure (RPKI) • Origin Authentication – Protects against hijacks – Slowly gaining traction (6% of prefixes covered) Verify signature local cache RPKI 168.122/16: AS 111 168.122/16: AS 111 Autonomous ROA: AS 111 System 168.122/16 BGP Routers

  4. RPKI prevents prefix hijacks 168.122/16 168.122/16 Victim Path: Y-X-111 Path: 666 AS Y AS 666 AS X ROA: AS 111 RPKI 168.122/16 AS 111 BGP Ad. Data flow

  5. Forged origin circumvents RPKI 168.122/16 168.122/16 Victim Path: 666-111 Path: Y-X-111 AS Y AS 666 AS X ROA: AS 111 RPKI 168.122/16 AS 111 False link BGP Ad. Data flow

  6. Current paradigm: a two step solution • First, RPKI against prefix-hijacking • Then, add BGPsec – Protects against false paths (e.g., next-AS attacks) – Deployment challenge: •Real -time signature and validation •Different message format Prefix: 168.122/16 Prefix: 168.122/16 Add signature, then relay Secure-Path: Y-X-111 Secure-Path: X-111 Matches RPKI policy? Matches RPKI Path signatures valid? policy? AS 111 AS X 168.122/16: AS 111 AS Y 168.122/16 Path signature OK?

  7. BGPsec in partial adoption? Meager benefits [Lychev et al., SIGCOMM’ 13] 168.122/16 Victim Path: 666-111 AS Y AS 666 168.122/16 ROA: AS 111 Sec Path: X-111 AS X RPKI 168.122/16 BGPsec BGP AS 111

  8. BGPsec in partial adoption? Meager benefits [Lychev et al., SIGCOMM’ 13] 168.122/16 168.122/16 Victim Path: 666-111 Path: Y-X-111 AS Y “Breaks” AS 666 BGPsec ROA: AS 111 AS X RPKI 168.122/16 BGPsec BGP AS 111

  9. Our Goals Security : • Protect against ``false links’’ in BGP advertisements • Significant benefits in partial deployment – In contrast to BGPsec Deployment : • Minimal computation overhead – Signatures and verifications: only offline, off-router • No changes to BGP messages • Similar to RPKI

  10. Path-end validation 168.122/16 168.122/16 Victim Path: 666-111 Path: Y-X-111 AS Y AS 666 AS X ROA: AS 111 Edge auth: path RPKI RPKI 168.122/16 AS 111  AS X end AS Covers all 111 False link BGP Ad. Data flow edges

  11. Inter domain routing security: Mechanism comparison 50 BGP (no auth.) 45 Attacker success rate (%) 40 35 RPKI 30 This talk 25 RPKI + Path-end validation 20 15 RPKI + BGPsec, BGP still 10 allowed 5 0 Protocol

  12. Path-end validation • Path-end validation extends RPKI to authenticate the “last hop” • Key insight: Securing path-suffixes provides significant benefits RPKI Prefix d v path-end validation a Did d approve reaching it via v?

  13. Path-end validation 4.5 4 3.5

  14. Deployment • Similar to RPKI Verify signatures Local cache RPKI Path End RPKI ROA: 168.122/16: AS 111 168.122/16: AS 111 AS 111  AS X AS 111  AS X 168.122/16 -> AS 111 Autonomous Edge auth: System AS 111 -> AS X BGP Routers

  15. Deployment ip as-path access-list as1 deny _[^X]_111_ • Use existing Access List interface • Validated suffix extends automatically with adoption

  16. Security in partial adoption: Simulation framework • Pick victim & attacker RPKI A • Victim’s prefix has a ROA+EA B • Pick set of filtering ASes ROA: C • Evaluate which ASes send 1.2.0.0/16  AS A traffic to the attacker D E F G Path End H I Edge auth: J AS A  AS D K L Empirically-derived AS-level network from CAIDA Including inferred peering links [Giotsas et al., SIGCOMM’ 13]

  17. Simulation results

  18. Simulation results

  19. Simulation results

  20. Local deployment & local benefits

  21. Impact of authenticating hops BGP (no authentication) Origin authentication (RPKI) Path-end validation 2-hop validation

  22. More results • Large content providers are better protected • Path-end validation mitigates high profile incidents • Security monotone – BGPsec is not [ Lychev et al., SIGCOMM’ 13]

  23. Conclusion • Path-end validation – Can significantly improve inter-domain routing security while avoiding BGPsec’s deployment hurdles • We advocate – Extending RPKI to support path-end validation – Regulatory/financial efforts on gathering critical mass of adopters

  24. Thank You

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Jumpstarting Your DevSECOps Pipeline with IAST and RASP Jeff Williams @planetlevel CTO and

Jumpstarting Your DevSECOps Pipeline with IAST and RASP Jeff Williams @planetlevel CTO and

Jumpstarting Your DevSECOps Pipeline with IAST and RASP Jeff Williams @planetlevel CTO and Co-FOUNDER Contrast Security The Average 26.7 Vulnerabilities application is extremely 21% CustomCode vulnerable 8% USED Libraries 2

598 views • 37 slides
Jumpstarting BGP Security Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and

Jumpstarting BGP Security Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and

Jumpstarting BGP Security Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira BGP is insecure! Prefix hijack 1.2.0.0/16 is Mine The Internet AS 1 AS 666 1.2.0.0/16 is Mine BGP is insecure! Prefix hijacks

305 views • 27 slides
WOW! What a Clerkship! How to Maximize Law Students Judicial Externships by Jumpstarting the

WOW! What a Clerkship! How to Maximize Law Students Judicial Externships by Jumpstarting the

WOW! What a Clerkship! How to Maximize Law Students Judicial Externships by Jumpstarting the Classroom Experience By Amany Ragab Hacking, Assistant Clinical Professor Supervisor, Saint Louis University School of Law Externship Clinic I.

599 views • 46 slides
The Kitchen Sink Jumpstarting Mobile Web Development Introduction & Background i n i m A

The Kitchen Sink Jumpstarting Mobile Web Development Introduction & Background i n i m A

The Kitchen Sink Jumpstarting Mobile Web Development Introduction & Background i n i m A n a g j o M e c f i f O b W e s u p m a C UC San Diego embraces MWF onsulted 7 ampus IT Student Affairs Libraries Summer

527 views • 8 slides
Jumpstarting EV Adoption: Making NL a leader in electric vehicle use Jon Seary Joe Butler

Jumpstarting EV Adoption: Making NL a leader in electric vehicle use Jon Seary Joe Butler

Jumpstarting EV Adoption: Making NL a leader in electric vehicle use Jon Seary Joe Butler Drive Electric NL Public Utilities Board Rate Mitigation Options and Impacts Why do we drive electric? Owning an EV: Significant cost savings for NL

680 views • 20 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security WS 06/07 Seminar Prof. Dr.-Ing. Jana Dittmann & Dr.-Ing. Claus Vielhauer with support from Tobias Scheidat

419 views • 16 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday & Friday, 9:00 10:30 William Stallings

670 views • 19 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

715 views • 11 slides
HOUSING IS FOUNDATIONAL "MacArthur-supported How Housing Matters

HOUSING IS FOUNDATIONAL "MacArthur-supported How Housing Matters

8/11/2015 AFFORDABLE HOUSING FOR SENIORS AND PEOPLE WITH DISABILITIES PRESENTED TO: GOVERNORS COMMISSION ON SENIOR SERVICES PRESENTED BY: KENNY LAPOINT HOUSING INTEGRATOR, OHCS HOUSING IS FOUNDATIONAL "MacArthur-supported How

355 views • 8 slides
ERS Engineering firm with 20-year history in clean energy, energy efficiency, and

ERS Engineering firm with 20-year history in clean energy, energy efficiency, and

P ROACTIVE E FFICIENCY Engaging Large Customers for Untapped Energy Savings Max Twogood, ERS Gita Subramony, ERS AESP Online Conference | July 19, 2016 Headquarters: 120 Water Street, Suite 350, North Andover, MA 01845 With offices in: CA,

294 views • 8 slides
TulStat WIN, Planning & Development, Parks, Economic Development Well-Being Opportunity

TulStat WIN, Planning & Development, Parks, Economic Development Well-Being Opportunity

TulStat WIN, Planning & Development, Parks, Economic Development Well-Being Opportunity The City Experience May 26, 2017 Mission Statement The Mission of TulStat is to create a platform for department leaders to share accurate

889 views • 56 slides
Hannenhalli-Pevzner Theory Signed, unichromosomal genomes Operation: reversal (signed)

Hannenhalli-Pevzner Theory Signed, unichromosomal genomes Operation: reversal (signed)

Hannenhalli-Pevzner Theory Signed, unichromosomal genomes Operation: reversal (signed) Polynomial time algorithms for distance & operations First polynomial result for a realistic model of genome rearrangements HP Theory

239 views • 10 slides
www.healthywomen.org About HealthyWomen HealthyWomen is the nation's leading independent,

www.healthywomen.org About HealthyWomen HealthyWomen is the nation's leading independent,

www.healthywomen.org About HealthyWomen HealthyWomen is the nation's leading independent, nonprofit, comprehensive health information source for women. Our mission is to educate women to make informed health choices for themselves and for

756 views • 19 slides
Query Session Detection as a Cascade Matthias Hagen Benno Stein Tino R ub

Query Session Detection as a Cascade Matthias Hagen Benno Stein Tino R ub

Query Session Detection as a Cascade Matthias Hagen Benno Stein Tino R ub Bauhaus-Universit at Weimar matthias.hagen@uni-weimar.de SIR 2011 Dublin, Ireland April 18, 2011 Hagen, Stein, R ub Query Session Detection as a Cascade 1

553 views • 36 slides
ACM-W Europe Volunteering to Improve your Prospects Who am I I am the Chair of ACM-W Europe

ACM-W Europe Volunteering to Improve your Prospects Who am I I am the Chair of ACM-W Europe

ACM-W Europe Volunteering to Improve your Prospects Who am I I am the Chair of ACM-W Europe I have been a member of the ACM-W Europe executive for a number of years I am the academic advisor to my local ACM-W and ACM student

715 views • 13 slides
INF 111 / CSE 121: Software Tools and Methods Lecture Notes for Fall Quarter, 2007 Michele

INF 111 / CSE 121: Software Tools and Methods Lecture Notes for Fall Quarter, 2007 Michele

INF 111 / CSE 121: Software Tools and Methods Lecture Notes for Fall Quarter, 2007 Michele Rousseau Lecture Notes Set 3 Previous Lecture Software Tools Methods & Notations Process Modeling The Agile Process Model Started

327 views • 20 slides

More recommend