Preserving Privacy at IXPs + Xiaohe Hu * Arpit Gupta , Nick - - PowerPoint PPT Presentation



SLIDE 1

Preserving Privacy at IXPs

Xiaohe Hu, Arpit Gupta, Nick Feamster, Aurojit Panda, Scott Shenker
SLIDE 2

Internet Exchange Points

[Figure: interdomain ecosystem. Global Internet core; global transit / national backbones; regional / Tier-2 providers and ISPs; "hyper giants" (large content, consumer, hosting, CDN); customer IP networks; IXPs interconnecting them.]

  • 901 IXPs in total
  • 140 new IXPs in the past year
  • Large IXPs
    • 500+ AS members
    • 50K+ peering links
    • 4T+ peak traffic

Labovitz et al., Internet Inter-Domain Traffic, SIGCOMM 2010; http://wwww.pch.net/ixp/dir

SLIDE 3

Internet Exchange Points

[Figure: IXP switching fabric connecting the routers of AS A, AS B and AS C.]

Scalability challenge for AS BGP implementation

  • 100s or 1000s of sessions at large IXPs
SLIDE 4

IXP Route Server

[Figure: IXP switching fabric with a route server (RS); the routers of AS A, AS B and AS C each hold a BGP session with the RS.]

  • Functionality
    • Aggregating and distributing routes
    • Executing AS policies
  • Scalability
    • Sessions from O(n^2) to O(n)

SLIDE 5

SDX = SDN + IXP

[Figure: IXP with programmable fabric, SDX controller and route server, connected to the routers of AS A, AS B and AS C.]

Flexibility on functionality extension

  • More flexible business relationships
  • Load balancing and traffic engineering
  • Better security applications
SLIDE 6

Privacy Concern

  • AS policies are revealed to the IXP provider
    • Related to AS commercial resources, agreements and strategies
    • Backup paths, peering relationships, and local preferences on route selection
  • No SLA or NDA on data confidentiality
  • Concern of network operators
    • Impeding the widespread adoption of route servers

SLIDE 7

Problem Statement

Can we construct IXP route servers which are

  • scalable: increasing # of ASes at an IXP ✔
  • flexible: supporting functionality extension ✔
  • privacy-preserving: protecting AS policies ?

SLIDE 8

Route Server Computation

[Figure: IXP switching fabric with the route server (RS); the AS A, AS B and AS C routers each have a BGP session to the RS. Inside the RS: a BGP handler, the master RIB and per-member RIBs (e.g. the AS B RIB); incoming routes pass through sanitization, filtering (export/import policies) and route selection (ranking policies) before being sent as outgoing routes.]

SLIDE 9

Policy Privacy

Information                                        Publicly Visible   Route Server Visible
Route Announcements                                Yes                Yes
Possible Routes (RIB)                              No                 Configuration Dependent
Best Route                                         Yes                Yes
Filtering Policy                                   No                 Yes
Ranking Policy                                     No                 Configuration Dependent
Auxiliary State (e.g. intradomain link property)   No                 Configuration Dependent
Dataplane Behavior                                 Yes                Yes
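As an added example (not code from the slides or the SGDX codebase), a small Python model of the slide 8 pipeline that makes the slide 9 table concrete: to filter and select routes for a member, the route server must hold that member's export policy and, when it performs selection, its ranking policy, so that confidential state is necessarily visible to it. All ASNs, the prefix and the policies below are constructed.

```python
# Added example, not code from the slides or the SGDX project: a minimal model
# of the route-server pipeline on slide 8 (filtering by export policy, then
# route selection by ranking policy), showing which confidential AS state the
# route server must hold. ASNs, prefix (TEST-NET-3) and policies are constructed.

# Announcements received by the route server: (origin AS, prefix, AS path).
ANNOUNCEMENTS = [
    (65001, "203.0.113.0/24", [65001]),
    (65002, "203.0.113.0/24", [65002, 65010]),
    (65003, "203.0.113.0/24", [65003]),
]

# Export policy: the members each AS allows its routes to be exported to.
# Not publicly visible, but the route server needs it for filtering (slide 9).
EXPORT = {65001: {65002, 65003}, 65002: {65003}, 65003: {65001, 65002}}

# Ranking policy: each member's local preference for routes from each origin.
# Also confidential; the route server needs it only if it runs selection.
LOCAL_PREF = {
    65001: {65003: 100},
    65002: {65001: 200, 65003: 100},
    65003: {65001: 100, 65002: 200},  # prefers 65002 despite its longer path
}

def filter_routes(member, announcements, export):
    """Filtering step: keep routes whose origin exports to this member."""
    return [r for r in announcements if r[0] != member and member in export[r[0]]]

def select_best(member, candidates, local_pref):
    """Selection step: highest local preference wins, then shortest AS path."""
    best = {}
    for origin, prefix, path in candidates:
        rank = (local_pref[member].get(origin, 0), -len(path))
        if prefix not in best or rank > best[prefix][0]:
            best[prefix] = (rank, origin, path)
    return {p: (origin, path) for p, (_, origin, path) in best.items()}

def route_server(members):
    """Per-member RIB (after filtering) and best routes, as the RS computes them."""
    ribs = {m: filter_routes(m, ANNOUNCEMENTS, EXPORT) for m in members}
    bests = {m: select_best(m, ribs[m], LOCAL_PREF) for m in members}
    return ribs, bests

if __name__ == "__main__":
    ribs, bests = route_server([65001, 65002, 65003])
    for m in sorted(bests):
        print(m, "sees", len(ribs[m]), "candidate(s); best:", bests[m])
```

Only the best routes (and the resulting dataplane behaviour) become publicly visible; the candidate RIBs, EXPORT and LOCAL_PREF stay inside the route server, which is exactly the state SGRS moves into the enclave.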

SLIDE 10

Previous Approach

  • Secure Multi-Party Computation (SMPC)
    • Splitting computation across multiple non-colluding players
    • Converting computation into an arithmetic or boolean circuit
  • SIX-PACK: a privacy-preserving route server using SMPC
  • Limitations
    • Requiring computation outsourced to non-colluding providers
    • Two orders of magnitude slower than the insecure approach
    • Harder to add functionality when minimizing computation with SMPC

SLIDE 11

Trusted Execution Environment

  • A hybrid approach of system and cryptography
  • TEE processor is trusted
    • Hardware-guaranteed confidentiality and integrity
    • Current commodity instances such as Intel SGX
  • Enclave abstraction
    • Memory protection
      • Access control against accesses from other applications
      • Encryption/decryption between cache, enclave and main memory
    • Remote attestation
      • Verifying the code within the enclave for remote clients by signatures

[Figure: SGX memory layout. Physical memory holds the Enclave Page Cache (EPC) with enclave control structures and code/data; the CPU's Memory Encryption Engine (MEE) and enclave access check mediate accesses from the OS/apps (snoops), with data sealing, attestation and integrity checks.]

SLIDE 12

Trusted Execution Environment

  • Threat Model
    • IXPs are honest but curious
    • ASes and the IXP trust the hardware vendor, and the TEE is correct
    • IXPs don't use side-channel attacks
  • Related Work
    • Stays at the simulation stage
    • Does not centralize BGP computation

SLIDE 13

System Design

  • Scalability: route server in a real TEE platform
    • Identify the untrusted and trusted code and data
    • Protect the minimal trusted part within the enclave to reduce system calls
  • Flexibility: little restriction on route server functionality
    • Consolidate trusted parts in one single enclave
    • Replace trusted-untrusted message passing with TEE transition calls
  • Privacy-preserving: end-to-end trustworthiness and confidentiality
    • Remote attestation, memory protection and secure channels

SLIDE 14

SGRS = SGX + Route Server

[Figure: SGRS architecture. Trusted side (SGX enclave): SGX trusted run-time system and basic library support; route server core with route computation, message parsing, sanity check, and an attestation, authentication and de/encryption module; policies and RIBs. Untrusted side: application with the SGX untrusted run-time system, routing policy handler and session handler (control and BGP), crossing into the enclave via ECALLs and back via OCALLs; SGX driver and system call handler in the OS kernel.]

SLIDE 15

SGDX = SGX + SDX

New private function

  • Augment SDN outbound policies with BGP reachability

Consolidate computation

  • Run all routing related functions in central services

[Figure: SGDX architecture. IXP programmable fabric with fabric controller, tagging and relay. Central services: extended RS core enclave (update and tagging handler, session handler, VNH assignment application; virtual next-hops and augmented reachability), receiving BGP announcements and tag requests and holding SDN policies and BGP states. AS controller: BGP state and SDN policy handler (reachability handler, routing handler) sending SDN policy updates.]

SLIDE 16

Implementation Analysis

  • SGRS and SGDX trusted part
    • Most functions are written in the same way as in a general C program
  • SGX related logic
    • Reusable: enclave_init(), remote_attestation(), etc.
    • Transition call interfaces by enclave definition language
    • Application-specific transition call functions
  • Development overhead (application-specific LOC / total trusted LOC)
    • SGRS: 207 / 2241 = 9.23%
    • SGDX: 277 / 2807 = 9.87%

SLIDE 17

Evaluation

  • A 4-core SGX-enabled processor and 64GB DRAM
  • Data-sets derived from real-world RIPE RIS data
    • Original data consists of only public BGP updates and RIB dumps
    • Extend the AS number with a uniform fraction of peering
    • Random local preferences as ranking policies
  • Replay real BGP update traces to evaluate BGP update compute time
  • SGRS vs. SIX-PACK, SGDX vs. iSDX

SLIDE 18

Evaluation

  • SGRS is 20x-70x faster than SIX-PACK
  • SGRS is 4x-26x slower than Baseline (insecure)

[Plot: BGP update compute time vs. AS number]

SLIDE 19

Evaluation

  • SGDX is comparable to iSDX, ranging from 0.5x-2.1x the processing time of iSDX

SLIDE 20

Summary

  • Propose SGRS and SGDX to preserve privacy at IXPs with a TEE
  • SGDX is approximately as scalable and flexible as iSDX while preserving privacy
  • Codebase: https://github.com/huxh10/SGDX
  • Future work
    • Expanding the threat model to mitigate side-channel attacks
    • Application extensions with SGDX
    • Automating the privacy-preserving development process