routing security security solutions
play

Routing Security Security Solutions CSE598K/CSE545 - Advanced - PowerPoint PPT Presentation

Sep 23, 2022 •135 likes •312 views

  1. �������฀฀���฀฀�������� � � �������฀���฀��������฀��������฀������ ����������฀��฀��������฀�������฀���฀����������� ������������฀�����฀�����������฀����������฀����฀฀�� ��������������฀�������� Routing Security Security Solutions CSE598K/CSE545 - Advanced Network Security Prof. McDaniel - Spring 2008 CSE598K/CSE545 - Advanced Network Security - McDaniel Page 1 Solving BGP Security • Reality: most attempts at securing BGP have been at the local level ‣ Filtering ‣ Securing BGP peering • Future: a number of complex protocols have been proposed to solve some or all BGP security issue ‣ S-BGP ‣ soBGP ‣ IRV ‣ SPV • We will be looking at these solutions over the next couple of lectures CSE598K/CSE545 - Advanced Network Security - McDaniel Page 2

  2. Filtering • Filtering just drops BGP message (typically advertisements) as they are passed between ASes ‣ Ingress filtering (as it is received) ‣ Egress filtering (as it is sent) • Types of filtering ‣ By prefix (e.g., bogon/martian list) ‣ By path (e.g., customer advertisement of provider routes) ‣ By policy (e.g., some “community” strings that represent paths/policies that an AS does not want to support) • ISP ASes aggressively filter ( the security mechanism) CSE598K/CSE545 - Advanced Network Security - McDaniel Page 3 Protecting Peer Communication • Two routers exchanging BGP messages (in a BGP session) need to secure communication. ‣ Integrity ‣ Confidentiality? ‣ Authenticity ‣ Non-repudability? • Note: This is often defined as a transport security issue, where just secure point-to-point communication is necessary. CSE598K/CSE545 - Advanced Network Security - McDaniel Page 4

  3. MD5 • A simple solution (RFC 2385) ‣ Share a private secret (e.g., password) ‣ Compute an keyed message authentication code on each TCP packet passed between the two routers ‣ Check MAC upon receipt of each packet • You get ‣ Integrity ‣ Authenticity • Problem: this is manual configuration, which neither scales to many routers or supports key maintenance CSE598K/CSE545 - Advanced Network Security - McDaniel Page 5 Generalized TTL Security Mechanism • TCP time-to-live (RFC 3682) ‣ At a packets origination, the TTL is set to the maximum number of hops that the packet can traverse ‣ TTL decremented at each hop ‣ Packets are dropped when TTL goes to 0 • This ensures that packets stuck in transient routing loops do not congest the network • Idea : can we use the TTL to ensure that every packet received can from peer (assuming one hop)? ‣ Set TTL = 255 (Q: how about TTL=1?) ‣ Receiver checks TTL on all packets, if not 254, then forged • Issue: how much does this really tell you? CSE598K/CSE545 - Advanced Network Security - McDaniel Page 6

  4. HOP Integrity • HOP integrity protocols implement peering secure communication that provides integrity/authentication ‣ Diffie-Hellman style key negotiation, data integrity, data authentication ‣ Idea : provide public key based per hop security, the simple constructions to enforce integrity constraints • Two protocols ‣ Weak - just per hop integrity (MAC) ‣ Strong - adds replay protection (sequence numbers) • Note: used to secure communication between a range of peers via a per-hop security (limitation?) CSE598K/CSE545 - Advanced Network Security - McDaniel Page 7 Smith/Garcia-Luna-Aceves • A (ad hoc?) suite of countermeasures 1. Encrypt all messages between peers 2. Add a message sequence number to all BGP messages • Protects against replayed or deleted messages 3. Add a sequence number (or time-stamps) to UPDATES 4. Add a PREDECESSOR path attribute 5. Digitally sign all the UPDATEs • Note: this gets beyond the basic peer security, and bleeds into the more general BGP security issues. CSE598K/CSE545 - Advanced Network Security - McDaniel Page 8

  5. Question? • What attacks do these measures prevent? • If yes, how? ‣ Message replay ‣ Route replay ‣ Path forgery ‣ Path modification ‣ Forged route withdrawal ‣ Prefix hijacking CSE598K/CSE545 - Advanced Network Security - McDaniel Page 9 IPsec • IPsec provides all of the basic guarantees needed to implement router-to-router BGP security ‣ Independent of intermediate connectivity ‣ IKE/ISAKMP used to establish transient keys • Avoids cryptanalysis of long running keys ‣ ESP/AH provide confidentiality, integrity, replay protection ... • Problems: this is just a start ‣ Overheads can be expensive if not managed correctly ‣ Backward compatibility ‣ Key management CSE598K/CSE545 - Advanced Network Security - McDaniel Page 10

  6. Peering Summary Integrity Confidentiality Replay Prevention DOS Prevention IPsec (ESP) yes yes yes yes IPsec (AH) yes no yes yes MD5 Integrity yes no yes no HOP Protocol yes no yes no GTSM no no no no Smith .et al. yes yes yes no • Reality: most of these schemes were hacks or stop-gap measures until IPsec became widely available ‣ Where secured at all, IPsec is generally used ‣ AH/ESP w/out confidentiality is popular ‣ Singly-homed customer/ISP peering is often not secured at all • Question: why is this reasonable? CSE598K/CSE545 - Advanced Network Security - McDaniel Page 11 Assignment #2 • Each of you is to implement a client/server file transfer application on OpenSSL in C. ‣ The client will send files. ‣ The server will receive files (on port 5005). • The client will send an initial transfer request, followed by blocks of the file. ‣ Startup: ./assignment2 [server] [filename] [block length] ‣ Part 1: run over unsecured connection ‣ Part 2: run over secured connection • Use your own certificates for client and server CSE598K/CSE545 - Advanced Network Security - McDaniel Page 12

  7. Assignment #2 (cont.) • Transfer request: Field Data Type Length (bytes) Request Type (1) integer 1 Filename char 128 Filesize (bytes) unsigned long 4 Block length unsigned short 2 • Transfer block: Field Data Type Length (bytes) Request Type (2) integer 1 Block number unsigned long 4 Block length char variable CSE598K/CSE545 - Advanced Network Security - McDaniel Page 13 BGP Security Protocols • The big two, plus one (self-serving) • sBGP (Secure Border Gateway Protocol) ‣ [Kent et al. 99] • soBGP (Secure Origin BGP) ‣ [White et al. 03] • IRV (Internet Routing Validation) ‣ [Goodell et al. 03] CSE598K/CSE545 - Advanced Network Security - McDaniel Page 14

  8. sBGP • sBGP was the first leading candidate for routing security, and highlighted much of IR security issues ‣ Still under consideration, but somewhat limited ‣ Model: Routing and origination announcements are signed • signatures are validated based on shared trust associations (CAs) • It all begins with the keys (really two parallel PKIs) 1. Binding routers and organizations to ASes. 2. Origin authentication PKI CSE598K/CSE545 - Advanced Network Security - McDaniel Page 15 Organization PKI • Keys for routers, AS numbers • Route attestations - attestations to the transient state of the network, e.g., the advertisements/routes ‣ Keys used to create these advertisements • Router certificates need to ascertain validity of instantaneous advertisements. ‣ You need to prove association between the network elements making statements and AS/organizations CSE598K/CSE545 - Advanced Network Security - McDaniel Page 16

  9. Route Attestations AS2 AS3 AS4 AS5 AS 1 • Signing recursively: each advertisement signs everything it receives, plus the last hop. (4 , (3 , (2 , 1) k AS 2 ) k AS 3 ) k AS 4 CSE598K/CSE545 - Advanced Network Security - McDaniel Page 17 Address Attestations • Attestations of ownership and delegation very similar to that observed in origin authentication ‣ These are the “simple attestations” ‣ For example, assume that organization A delegates prefix p to organization B : ( p, B ) k A • Note: (surprisingly) sBGP distributes with address attestations out-of-band ‣ Thus everyone is required to obtain and validate their own copies of origin/ownership proving certificates. ‣ As in OA, validate path to ICANN CSE598K/CSE545 - Advanced Network Security - McDaniel Page 18

  10. sBGP Issues • Single point of trust : is an authority that everyone will trust to provide address/path certification? ‣ Chinese Military vs. NSA? • Cost : validating signatures is very computationally expensive ‣ Can a router sustain the load? • Incremental deployability : requires changes to BGP message formats ‣ All implementations must change CSE598K/CSE545 - Advanced Network Security - McDaniel Page 19 soBGP • CISCO’s entry in the securing Internet routing rodeo ‣ Viewed as the manufacturer approach to implementing security within BGP • Released as a kind of refutation of sBGP, which was seen as too expensive and unwieldy to be practical. ‣ A more “open” model that allows providers to implement security much more flexibly, i.e., within the confines of existing policy and infrastructure • Basic approach : network providers themselves act as a joint authority, and issue certificates for all relevant routing data, e.g., policy, address management, paths. CSE598K/CSE545 - Advanced Network Security - McDaniel Page 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security

NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security

NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security Required: authenticity and integrity of routing information o Link state routing: LSAs are originated by the routing process authorized to do so

345 views • 10 slides
Xpanda security gates Security solutions Retail security gate solutions Industrial

Xpanda security gates Security solutions Retail security gate solutions Industrial

STOREFRONT PROTECTION Xpanda security gates Security solutions Retail security gate solutions Industrial security gate solutions Institutional security gate solutions Access control security gate solutions Office building

406 views • 13 slides
Retail security gate solutions Industrial security gate solutions Institutional

Retail security gate solutions Industrial security gate solutions Institutional

PHYSICAL SECURITY SOLUTIONS Quantum security gates can help you improve security quickly. Before or after a break-in. Retail security gate solutions Industrial security gate solutions Institutional security gate solutions Office

215 views • 18 slides
Improving BGP routing security Job Job S Snijders NTT / / AS AS 2 2914 job ob@ntt.net

Improving BGP routing security Job Job S Snijders NTT / / AS AS 2 2914 job ob@ntt.net

Improving BGP routing security Job Job S Snijders NTT / / AS AS 2 2914 job ob@ntt.net http tps:// //tw twitter.com/ om/Job JobSnijders Why are we doing any of this routing security? Creating EBGP routing filters based on

906 views • 44 slides
Routing Security Economics Steven M. Bellovin http://www.cs.columbia.edu/~smb Columbia

Routing Security Economics Steven M. Bellovin http://www.cs.columbia.edu/~smb Columbia

Routing Security Economics Steven M. Bellovin http://www.cs.columbia.edu/~smb Columbia University January 18, 2007 1 / 9 What is Routing Security? Bad guys play games with routing protocols. What is Routing Security? How is it

95 views • 9 slides
RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing Security 2 Routing Registry route objects RPKI (Resource Public Key Infrastructure) ROAs (Route Origin Authorisation) RPKI and Routing

422 views • 31 slides
IPv6 Routing Header Security. Philippe BIONDI Arnaud EBALARD phil(at)secdev.org /

IPv6 Routing Header Security. Philippe BIONDI Arnaud EBALARD phil(at)secdev.org /

IPv6 prerequisite All about Routing Header extension Security implications Solutions and workaround IPv6 Routing Header Security. Philippe BIONDI Arnaud EBALARD phil(at)secdev.org / philippe.biondi(at)eads.net arno(at)natisbad.org /

896 views • 61 slides
Security III: Availability, DDoS, sli.do time and Routing Security 15-441 Spring 2019 (yell

Security III: Availability, DDoS, sli.do time and Routing Security 15-441 Spring 2019 (yell

3/28/19 Security III: Availability, DDoS, sli.do time and Routing Security 15-441 Spring 2019 (yell at me if I dont notice?) Profs Peter Steenkiste & Justine Sherry & (Guest Lecturer) Sannan Slides almost entirely copied from

288 views • 18 slides
Security III: Availability, DDoS, and Routing Security 15-441 Fall 2019 Profs Peter Steenkiste

Security III: Availability, DDoS, and Routing Security 15-441 Fall 2019 Profs Peter Steenkiste

Security III: Availability, DDoS, and Routing Security 15-441 Fall 2019 Profs Peter Steenkiste & Justine Sherry Your Feedback I like to think of Dr. Weiss as my teaching teacher They require students to go over algorithms weve

1.3k views • 79 slides
Xpanda security products The gate way to peace of mind Retail security gate solutions

Xpanda security products The gate way to peace of mind Retail security gate solutions

Xpanda Security Products Presentation Xpanda security products The gate way to peace of mind Retail security gate solutions Industrial security gate solutions Institutional security gate solutions Access control security gate

491 views • 13 slides
Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior

Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior

February 2019 Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior Manager, Internet Technology siddiqui@isoc.org Lets understand the problem.. What is the connection between routing security

346 views • 19 slides
Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route

Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route

Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route Hijacking~ Mar 1 2007 in APRICOT 2007 NTT Communications Corp. Taka Mizuguchi Tomoya Yoshida What s BGP Route Hijacking? s BGP Route

583 views • 40 slides
Backwaters: Security Streaming Platform Comcast TPX Security Solutions Engineering (SSE) The Team

Backwaters: Security Streaming Platform Comcast TPX Security Solutions Engineering (SSE) The Team

Backwaters: Security Streaming Platform Comcast TPX Security Solutions Engineering (SSE) The Team Chris Maenner Ryan Van Antwerp Will Weber Principal Security Developer Principal Security Developer Senior Security Developer 2 Agenda

179 views • 17 slides
Welcome to Tronsec Security, an industry leader in Security Management Solutions Melbourne I

Welcome to Tronsec Security, an industry leader in Security Management Solutions Melbourne I

Welcome to Tronsec Security, an industry leader in Security Management Solutions Melbourne I Sydney I Canberra I Brisbane I Adelaide I Perth I Darwin I Hobart Who We Are & What We Stand For? Established in 2002 - Directors have over 20 Years

540 views • 11 slides
Dell Security Overview Eddie Chan Security Solution Consultant Dell Security Solutions Dell |

Dell Security Overview Eddie Chan Security Solution Consultant Dell Security Solutions Dell |

Dell Security Overview Eddie Chan Security Solution Consultant Dell Security Solutions Dell | Hong Kong & Taiwan Agenda Session One 2016 Threat Report Update Session Two SonicWALL C APT URE Advanced Threat Protection Service

746 views • 63 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
BIRD Internet Routing Daemon Ond rej Zaj cek CZ.NIC z.s.p.o. 2015-02-16 Proceedings

BIRD Internet Routing Daemon Ond rej Zaj cek CZ.NIC z.s.p.o. 2015-02-16 Proceedings

BIRD Internet Routing Daemon Ond rej Zaj cek CZ.NIC z.s.p.o. 2015-02-16 Proceedings of netdev 0.1, Feb 14-17, 2015, Ottawa, On, Canada BIRD overview BIRD Internet Routing Daemon Routing protocols BGP, OSPF, RIP and BFD

630 views • 27 slides
Declarative, Secure, Convergent Edge Computation Christopher Meiklejohn Universit catholique

Declarative, Secure, Convergent Edge Computation Christopher Meiklejohn Universit catholique

Declarative, Secure, Convergent Edge Computation Christopher Meiklejohn Universit catholique de Louvain, Belgium 1 Internet of Things 2 Internet of Things but, more generally 2 Edge Computation Logical extremes Pushing both

1.86k views • 168 slides
Information Filtering Information Systems M Prof. Paolo Ciaccia

Information Filtering Information Systems M Prof. Paolo Ciaccia

Information Filtering Information Systems M Prof. Paolo Ciaccia http://www-db.deis.unibo.it/courses/SI-M/

205 views • 6 slides
Perceptual Ad-Blocking: Meet Adversarial Machine Learning Florian Tramr Palo Alto Networks

Perceptual Ad-Blocking: Meet Adversarial Machine Learning Florian Tramr Palo Alto Networks

Perceptual Ad-Blocking: Meet Adversarial Machine Learning Florian Tramr Palo Alto Networks February 22nd 2019 Joint work with Pascal Dupr, Gili Rusak, Giancarlo Pellegrino and Dan Boneh The Future of Ad-Blocking? easylist.txt

315 views • 28 slides
Network Layer: Control Plane Part II Routing in the Internet: Intra vs. Inter-AS Routing

Network Layer: Control Plane Part II Routing in the Internet: Intra vs. Inter-AS Routing

Network Layer: Control Plane Part II Routing in the Internet: Intra vs. Inter-AS Routing Intra-AS: RIP and OSPF (quick recap) Inter-AS: BGP and Policy Routing Internet Control Message Protocol: ICMP network management

888 views • 61 slides
Doing Bluetooth Low Energy on Linux Szymon Janc szymon.janc@codecoup.pl OpenIoT Summit Europe,

Doing Bluetooth Low Energy on Linux Szymon Janc szymon.janc@codecoup.pl OpenIoT Summit Europe,

Doing Bluetooth Low Energy on Linux Szymon Janc szymon.janc@codecoup.pl OpenIoT Summit Europe, Berlin, 2016 Agenda Introduction Bluetooth Low Energy technology recap Linux Bluetooth stack architecture Linux kernel

800 views • 26 slides
An Analysis of Facebooks Archive of Ads With Political Content Laura Edelson 1 , Shikhar

An Analysis of Facebooks Archive of Ads With Political Content Laura Edelson 1 , Shikhar

An Analysis of Facebooks Archive of Ads With Political Content Laura Edelson 1 , Shikhar Sakhuja 1 , and Damon McCoy 1 1 New York University ABSTRACT Facebook launched their searchable archive of U.S. advertisements with political content on

1.03k views • 8 slides
BGP A route too far Michael Silvin Fredrik Sderquist Contents Background

BGP A route too far Michael Silvin Fredrik Sderquist Contents Background

BGP A route too far Michael Silvin Fredrik Sderquist Contents Background GigaSunet Mechanics Security ASN Interconnecting iBGP Politics Route Reflection Policies Confederation

771 views • 60 slides

More recommend