Reading – How Secure are Secure Interdomain Routing Protocols Flashcards
Describe how (or if) BGP, origin authentication, soBGP, S-BGP, data plane verification and defensive filtering can be manipulated.
-BGP does not validate information in routing announcements, so a manipulator can announce any path they want and claim ownership of a victim’s IP prefix. -Origin Authentication uses a trusted database for verification so an AS can’t claim ownership of a victim’s IP prefix, but they can still announce a path that ends at the proper AS, although the path does not physically exist. -soBGP uses origin authentication and a trusted database to guarantee that any path physically exists, but the manipulator can advertise a path that exists but is not actually available. -S-BGP uses path verification, which limits a single manipulator to announcing available paths, but they could announce a shorter, more expensive, provider path while actually forwarding traffic on a cheaper, longer customer path. -Data plane verification prevents an AS from announcing a path and forwarding on another, so
the manipulator must actually forward traffic on the path he is announcing. -Defensive filtering polices the BGP announcements made by stubs. With the model in the paper, each provider keeps a prefix list of the IP prefixes owned by its direct customers that are stubs. If a stub announces a path to any prefix it doesn’t own, then it is dropped. In this way, if all providers correctly implement this it eliminated attacks by stubs.
The “Shortest-Path Export-All” strategy was proven not to be optimal for the
manipulator. Describe the 3 counterexamples that were discussed.
Announcing longer paths can be better than announcing shorter ones. In the example given in Figure 9 of the paper, advertising the shortest path will only pick up traffic from one small provider. Announcing a longer path to the large provider, will attract more traffic overall as the large provider will prefer this path over the shorter, peer path as it will be cheaper. It is better for the manipulator to attract traffic from larger AS. This strategy will work against any secure routing protocol, except when launched by stubs in a network with defensive filtering, because it is only implementing a different export policy than usually used. Announcing to fewer neighbors can be better than announcing to more. In this strategy, by not exporting to certain Tier providers, customer paths to the victim can be eliminated and influential ASes will be forced to choose shorter peer paths over a longer customer path because the customer path was not made known to them. This will work against any secure protocol as it is just using a clever export policy to manipulate traffic. The identity of the ASes on the announce path matters since it can be used to strategically trigger BGP loop detection. With false loop prefix hijack, the manipulator claims an innocent AS originates the prefix to his provider. But when the false loop is announced, BGP loop detection will cause the AS to reject the path, removing the customer path from the network. This will force large ISPs to choose shorter peer paths. Unlike the first two attacks, this one will only work against BGP, origin authentication or soBGP because it involves false advertising of the path announced by an innocent AS.
