Security implications of source-controlled routes
Xiaowei Yang
UC Irvine
NSF FIND PI meeting, June 27 2007
Source-controlled routing is controversial
Secure routing depends on source routes
Security is the #1 reason to disable source routes
Why we can reconcile these two
[Figure: ISP1, ISP2, ISP3, ISP4]
Byzantine-tolerant routing
[Perlman88] [Wendlandt06]
A discriminatory/nosy ISP, a hostile country
[Figure: ISP1, ISP2, ISP3]
Accountable routing
Accountability is key to innovation [Laskowski06]
User knows the path responsible for the performance [Goldberg07]
[Figure: ISP1, ISP2, ISP3, ISP4]
Symmetric return path
DDoS defense
Network capabilities [Yang05]
Private path-based addressing [Handley04]
Accountability
[Figure: ISP1, ISP2, ISP3, ISP4; two labels "token"]
Source-controlled routing is controversial
Secure routing depends on source routes
Security is the #1 reason to disable source routes
Why we can reconcile these two
[Figure: ISP1, ISP2, ISP3, ISP4]
Source routing breaks address-based authentication
[Figure: hosts 10.0.0.1 and 10.0.0.2; routes 10.0.0.1, attackerIP, 10.0.0.2 and 10.0.0.2, attackerIP, 10.0.0.1]
Source routing in IPv4 is largely disabled
Without source routing, packets will not return to spoofed addresses
Bandwidth amplification attack
IPv6 makes it worse
Allows 44 intermediate nodes [BIONDI07] (http://www.natisbad.org/, CanSecWest 2007)
Source: [Biondi07]
R1 R2 R1 R2 R1 R2 …
Increased power to DDoS
Targeted link flooding
Multi-path flooding
[Figure: ISP1, ISP2, ISP3, …]
Forced path oscillation
[Figure: ISP1, ISP2, ISP3, ISP4, …]
Interfere with ISP policies
Make your ISP broke
[Figure: ISP1, ISP2, ISP3, ISP4; price labels $$$ and $; labels "ISP" and "Source"]
Slow down the routers
[Figure: router block diagram with CPU, Memory, Route Processor, Switch Fabric, and two blocks each containing Memory, Route Processing, MAC, Switch Fabric Interface]
Can we make source-controlled routes innocuous?
Main causes of the security issues
Control and exposure
Source-controlled routing
Source routing option in IPv4 or Routing header in IPv6
A set of design goals: security, accountability, economic incentives, overhead
A variety of mechanisms
Amplified security issues
Lack of mechanisms
[Figure labels: No control; Deflect without knowing the paths; Choose paths knowing entities on the paths; Explicitly list the routers]
Bandwidth amplification attacks
Select paths, not arbitrary waypoints
[Figure: Path 1, Path 2, Path 3]
Source: [Biondi07]
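Added example, not part of the original talk: one way a filter could tell a path from arbitrary waypoints is to parse the IPv6 Type 0 Routing header and drop routes that revisit a waypoint, such as the R1 R2 R1 R2 … pattern shown earlier. The function names are hypothetical and the sample headers are constructed from the 2001:db8::/32 documentation range.

```python
import ipaddress
import struct
from collections import Counter

def parse_rh0(header: bytes) -> list:
    """Parse an IPv6 Type 0 Routing header (RFC 2460 layout) into its waypoints."""
    if len(header) < 8:
        raise ValueError("truncated routing header")
    _next_hdr, ext_len, rtype, segs_left = struct.unpack_from("!BBBB", header)
    if rtype != 0:
        raise ValueError("not a Type 0 routing header")
    # Hdr Ext Len counts 8-octet units after the first 8 octets; each address is 16.
    if ext_len % 2 or len(header) != 8 + 8 * ext_len:
        raise ValueError("length field does not describe a whole address list")
    count = ext_len // 2
    if segs_left > count:
        raise ValueError("Segments Left exceeds the number of addresses")
    return [ipaddress.IPv6Address(header[8 + 16 * i:24 + 16 * i]) for i in range(count)]

def max_leg_reuse(waypoints) -> int:
    """How often the busiest leg between two waypoints is crossed (either direction)."""
    legs = Counter(frozenset(leg) for leg in zip(waypoints, waypoints[1:]))
    return max(legs.values(), default=0)

def is_path(waypoints) -> bool:
    """True when no waypoint is visited twice, i.e. the route is a simple path."""
    return len(set(waypoints)) == len(waypoints)

def build_rh0(addresses, next_header=59) -> bytes:
    """Fixture helper: encode a waypoint list as a Type 0 Routing header."""
    body = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    return struct.pack("!BBBB4x", next_header, 2 * len(addresses), 0, len(addresses)) + body

# Constructed samples; addresses come from the 2001:db8::/32 documentation range.
R1, R2, R3 = "2001:db8::1", "2001:db8::2", "2001:db8::3"
PING_PONG = build_rh0([R1, R2] * 4)   # the R1 R2 R1 R2 ... pattern from the slide
SIMPLE = build_rh0([R1, R2, R3])

if __name__ == "__main__":
    for name, raw in (("ping-pong", PING_PONG), ("simple", SIMPLE)):
        hops = parse_rh0(raw)
        verdict = "accept" if is_path(hops) else "drop"
        print(f"{name}: {len(hops)} waypoints, busiest leg crossed "
              f"{max_leg_reuse(hops)}x -> {verdict}")
```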
Interfere with ISP policies
Provide policy-allowed paths
Pricing
Inter-domain choices
[Figure: ISP1, ISP2, ISP3, ISP4; price labels $$$ and $]
Path 1: $$$
Path 2: $
Source routing breaks address-based authentication
Light-weight network-layer authentication
Unspoofable source identifiers [Liu06]
[Figure: hosts 10.0.0.1 and 10.0.0.2; the route 10.0.0.1, attackerIP, 10.0.0.2 is marked X]
Increased power to DDoS
[Figure: ISP1, ISP2, ISP3, …]
A DoS-defense system that cuts off attack traffic at its source
Forced path oscillation
[Figure: ISP1, ISP2, ISP3, ISP4, …]
Stable path selection protocol
Do not switch all at once
Use multiple paths [He06]
Admission control and resource reservation
Slow down routers
Fix the routers
Do not let the present hardware implementation limit future innovations
Encapsulation/decapsulation at line speed
[Figure: router block diagram with CPU, Memory, Route Processor, Switch Fabric, and two blocks each containing Memory, Route Processing, MAC, Switch Fabric Interface]
Conclusion
The desirable goals
Byzantine-tolerant, accountability, availability, economic incentives, overhead, QoS, manageability…
The right balance of control and exposure
Source-controlled routing
Source routing option in IPv4 or Routing header in IPv6
[Figure labels: No control; Deflect without knowing the paths; Choose paths knowing entities on the paths; Explicitly list the routers]