Routing Security Economics Steven M. Bellovin http://www.cs.columbia.edu/~smb Columbia University January 18, 2007 1 / 9
What is Routing Security? Bad guys play games with routing protocols. What is Routing ■ Security? How is it Different? Traffic is diverted. ■ Lying Routers Problems Caused Enemy can see the traffic. ◆ Costs Cost of Defenses Enemy can easily modify the traffic. ◆ Deaggregation Economic Choices Enemy can drop the traffic. ◆ End-to-end cryptography can mitigate the ■ effects, but not prevent them. 2 / 9
How is it Different? Most communications security failures happen What is Routing ■ Security? How is it Different? because of buggy code or broken protocols. Lying Routers Problems Caused Routing security failures happen despite good ■ Costs Cost of Defenses code and functioning protocols. The problem Deaggregation Economic Choices is a dishonest participant. Hop-by-hop authentication isn’t sufficient. ■ 3 / 9
Lying Routers What is Routing Security? How is it Different? Lying Routers Problems Caused Costs Cost of Defenses W Site B Deaggregation Economic Choices Z Y X Y−>Z: B{Y,W} Site A Y−>X: B{Y,W} Z−>X: B{Z} 4 / 9
Problems Caused Reachability What is Routing ■ Security? How is it Different? Spoofing ■ Lying Routers Problems Caused Denial of service ■ Costs Cost of Defenses Spam or other attacks ■ Deaggregation Economic Choices Traffic analysis ■ 5 / 9
Costs What is Routing Cost of dealing with the attacks (what is ■ Security? How is it Different? traffic privacy worth?) Lying Routers Problems Caused Cost of clean-up ■ Costs Cost of Defenses Cost of route advertisement filtering ■ Deaggregation Economic Choices 6 / 9
Cost of Defenses All proposed defenses involve lots of What is Routing ■ Security? How is it Different? cryptography, and frequently public key Lying Routers Problems Caused cryptography Costs Cost of Defenses This implies capital expenditures for router ■ Deaggregation Economic Choices upgrades: memory, CPU power, modular exponentiation hardware, etc. Most Internet users get IP address ranges from ■ their ISPs; this means that ISPs need to 1. Obtain certificates for their own address ranges 2. Operate (or outsource) a CA and help desk to issue address-based certificates to their customers 7 / 9
Deaggregation Routers use a “longest prefix” match to select What is Routing ■ Security? How is it Different? a routing table entry Lying Routers Problems Caused Some sites are advertising redundant, longer ■ Costs Cost of Defenses prefixes to forestall (inadvertent?) attacks Deaggregation Economic Choices Example: AT&T currently advertises ■ 12.0.0.0/8, 12.0.0.0/9, and 12.128.0.0/9 Result: three RIB entries instead of one; more ■ importantly, two FIB entries instead of one (Note: this was the direct consequence of a ■ routing incident in 2005.) What if they need to switch to 256 /16s? ■ (Some of that already for traffic engineering and multihoming.) 8 / 9
Economic Choices Continue to absorb the cost of What is Routing Do nothing Security? How is it Different? attacks — low thus far, except for spam, but Lying Routers Problems Caused the spammers currently favor botnets. Costs Cost of Defenses ISPs spend a lot — can they Full-scale crypto Deaggregation Economic Choices recover their costs? None of the proposed solutions provide economic incentives for early adopters. (Of course, without ISP demand, vendors haven’t built any hardware.) The cost of deaggregating is Deaggregation low for the originator, but it increases everyone else’s costs. Furthermore, we are seeing increasing pressure on router FIB sizes for other reasons. 9 / 9
Recommend
More recommend
