Pretty Good BGP: Improving BGP by Cautiously Adopting Routes
Josh Karlin, Stephanie Forrest, Jennifer Rexford
IEEE International Conference on Network Protocols 2006
Outline
• What are current BGP security issues?
• What is PGBGP trying to solve?
• How does PGBGP solve it?
• How good is PGBGP?
• How bad is PGBGP?
• Shall we use it?
What are current BGP security issues?
• BGP4 (RFC1771)
– Inter-domain routing, internet core
– Link state protocol, distributed system
• Vulnerabilities
– No encryption: eavesdropping
– No timestamp: replaying
– No signature: man-in-the-middle
What are current BGP security issues?
• Examples
What is PGBGP trying to solve?
• General requirements of a good solution
– BGP is widely deployed: don’t modify the protocol
– Router resources are stretched thin: don’t consume too many resources
– ISPs are conservative: incrementally deployable
– ISPs are greedy: show good results!
What is PGBGP trying to solve?
• Prefix hijack
– Shorter AS_PATH (man-in-the-middle)
– MOAS (multiple origin AS)
How does PGBGP solve it?
• Basic idea
– Suspicious → cautious
– Use historical prefix-origin records
– Dampen suspicious prefix-origin announcements for 24 hours
– Human investigation
– Good for prefix/sub-prefix hijacks
How does PGBGP solve it?
• Algorithm
– History period: h hours, clean
– Suspicious period: s hours, quarantined
– Move h forward: remove staleness, get freshness
• Parameter sensitivity
– h = 10 days: short FP, long repeat slips
– s = 24 hours: human response time
How does PGBGP solve it?
Prefix hijacks: conflict w/ unknown origins
Sub-prefix hijacks: conflict w/ known origins
[Q1]?
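The history/quarantine bookkeeping from the algorithm slides, as an added Python sketch (not code from the paper or from these slides). The class and method names are hypothetical, the feed is constructed, withdrawals are ignored, and the sub-prefix rule is simplified to "origin not recorded for the prefix or any covering prefix".

```python
import ipaddress

class PGBGPMonitor:
    """Prefix-origin history with an s-hour quarantine (all times in hours)."""
    def __init__(self, h_hours=240, s_hours=24):  # slide values: h = 10 days, s = 24 hours
        self.h, self.s = h_hours, s_hours
        self.history = {}      # (prefix, origin) -> hour last seen
        self.quarantine = {}   # (prefix, origin) -> hour first seen

    def _known_origins(self, net):
        # Origins recorded for this exact prefix or for any covering prefix.
        return {o for (p, o) in self.history
                if p.version == net.version and net.subnet_of(p)}

    def observe(self, prefix, origin, now):
        """Classify one announcement as 'normal' or 'suspicious'."""
        net = ipaddress.ip_network(prefix)
        key = (net, origin)
        # Move the history window forward: forget pairs unseen for h hours.
        self.history = {k: t for k, t in self.history.items() if now - t <= self.h}
        if key in self.history:
            self.history[key] = now
            return "normal"
        if key in self.quarantine:
            if now - self.quarantine[key] < self.s:
                return "suspicious"           # still inside the s-hour quarantine
            del self.quarantine[key]          # outlived quarantine: adopt it
            self.history[key] = now
            return "normal"
        known = self._known_origins(net)
        if known and origin not in known:     # conflicts with the clean history
            self.quarantine[key] = now
            return "suspicious"
        self.history[key] = now               # never-seen prefix or super-prefix
        return "normal"

def demo():
    m = PGBGPMonitor()
    feed = [  # constructed sample: (hour, prefix, origin AS)
        (0, "198.51.100.0/24", 64496),     # first sighting, goes into history
        (5, "198.51.100.0/24", 64511),     # same prefix, new origin
        (6, "198.51.100.128/25", 64511),   # sub-prefix, new origin
        (7, "198.51.100.0/25", 64496),     # sub-prefix, known origin
        (30, "198.51.100.0/24", 64511),    # re-announced 25 h after hour 5
        (31, "198.51.0.0/16", 64500),      # super-prefix of a known prefix
    ]
    return [m.observe(p, o, t) for t, p, o in feed]

if __name__ == "__main__":
    print(demo())
```

The hour-30 announcement is accepted only because nothing removed it from quarantine in the meantime, which is the window the slides reserve for human investigation.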
How does PGBGP solve it?
• Mitigation
– Avoid suspicious routes:
  • Lower preference
  • Sub-prefix: quarantine, choose neighbor not having the suspicious routes (not really helpful)
  • Never seen prefix / super-prefix will be adopted
– Convergence consideration
  • Obey relationship-based policy
  • Dampened as if not announced
How good is PGBGP?
• Simulation
– 18,943 ASes, average 4 links per AS-AS
– Simulator w/ policy-based routing
– Deployment strategies:
  • random -- p
  • core+random -- 16 (15 degree+) + p
– 500 attacks per setup
– Parameters: h = 3, s = 1
– Day 1, O; Day 2 O’
How good is PGBGP?
• Conclusion: pretty good
– Core + random deployment, 90%+ effective
– Incrementally deployable
– Out-of-core computation possible
– Centralized computation possible
– Overhead is small, real time possible
– Extension: IAR (internet alert registry)
How bad is PGBGP?
• Limitations:
– FP: origin change, multi-homed
– DoS + no other choice
– Lucky slips
– Man-in-the-middle (put itself in AS_PATH)
• Conclusion: not too bad
Shall we use it?
• Critiques for the paper
– FP delay propagation: 24+24+24+24+24
– Model human correction rate with prob. p1, FP rate p2 …
– Some analysis is not thorough (e.g. Fig 3)
– Undeployed ASes at risk (good & bad)
– Distributed/Co-operated version
• Conclusion: try if you like
Questions
• Ask me: [email protected]
• Email Josh Karlin: [email protected]
• Interested in security: [email protected]