Security implications of source-controlled routes

Xiaowei Yangxwy@uci.edu

UC Irvine

NSF FIND PI meeting, June 27 2007

Source-controlled routing is controversial

Secure routing depends on source routes Security is the #1 reason to disable source

routes Why we can reconcile these two

ISP1

ISP4

ISP3

ISP2

Byzantine-tolerant routing

[Perlman88] [Wendlandt06] A discriminatory/nosy ISP, a hostile country

ISP1

ISP3

ISP2

Accountable routing

Accountability is key to innovation [Laskowski06]

User knows the path responsible for the performance [Goldberg07]

ISP1

ISP4

ISP3

ISP2

Symmetric return path

DDoS defense Network capabilities [Yang05] Private path-based addressing [Handley04]

Accountability

ISP1

ISP4

ISP3

ISP2

token

token

Source-controlled routing is controversial

Secure routing depends on source routes Security is the #1 reason to disable source

routes Why we can reconcile these two

ISP1

ISP4

ISP3

ISP2

Source routing breaks address-based authentication

10.0.0.1

10.0.0.2

10.0.0.1 attackerIP 10.0.0.210.0.0.2 attackerIP 10.0.0.1

Source routing in IPv4 is largely disabled Without source routing, packets will not return

to spoofed addresses

Bandwidth amplification attack

IPv6 makes it worse Allows 44 intermediate nodes [BIONDI07] (

http://www.natisbad.org/, CanSecWest 2007)

Source: [Biondi07]

R1 R2 R1 R2 R1 R2….

Increased power to DDoS

ISP1

ISP3

ISP2

…

Targeted link flooding Multi-path flooding

Forced path oscillation

ISP1

ISP4

ISP3

ISP2

…

Interfere with ISP policies

Make your ISP broke

ISP1

ISP4

ISP3

ISP2$$$

$

ISP

Source

Slow down the routers

CPU

Memory

RouteProcessor

Memory

RouteProcessing

MAC

SwitchFabricInterface

SwitchFabric

Memory

RouteProcessing

MAC

SwitchFabricInterface

Can we make source-controlled routes

innocuous?

Main causes of the security issues

Control and exposure Source-controlled routing Source routing

option in IPv4 or Routing header in IPv6 A set of design goals:

Security, accountability, economic incentives, overhead A variety of mechanisms

Amplified security issues Lack of mechanisms

Explicitly list the routersDeflect withoutKnowing the paths

Choose pathsKnowing entities on the paths

Nocontrol

Bandwidth amplification attacks

Select paths, not arbitrary waypoints

Path 1

Path 2

Path 3

Source: [Biondi07]

Interfere with ISP policies

Provide policy-allowed paths Pricing Inter-domain choices

ISP1

ISP4

ISP3

ISP2$$$

$

Path 1: $$$Path 2: $

Source routing breaks address-based authentication

Light-weight network-layer authentication Unspoofable source identifiers [Liu06]

10.0.0.1

10.0.0.1

10.0.0.2

attackerIP 10.0.0.2 X

Increased power to DDoS

ISP1

ISP3

ISP2

…

A DoS-defense system that cuts off attack traffic at its source

Forced path oscillation

ISP1

ISP4

ISP3

ISP2

…

Stable path selection protocol Do not switch all at once Use multiple paths [He06] Admission control and resource reservation

Slow down routers

Fix the routers Do not let the present hardware

implementation limit future innovations Encapsulation/decapsulation at line speed

CPU

Memory

RouteProcessor

Memory

RouteProcessing

MAC

SwitchFabricInterface

SwitchFabric

Memory

RouteProcessing

MAC

SwitchFabricInterface

Conclusion

The desirable goals Byzantine-tolerant, accountability, availability,

economic incentives, overhead, QoS, manageability…

The right balance of control and exposure Source-controlled routing Source routing

option in IPv4 or Routing header in IPv6

Deflect without Knowing thepaths

Choose pathsknowing entities on the paths

Explicitly list the routersNocontrol