11 research outputs found

    BGP Security in Partial Deployment: Is the Juice Worth the Squeeze?

    As the rollout of secure route origin authentication with the RPKI slowly gains traction among network operators, there is a push to standardize secure path validation for BGP (i.e., S*BGP: S-BGP, soBGP, BGPSEC, etc.). Origin authentication already does much to improve routing security. Moreover, the transition to S*BGP is expected to be long and slow, with S*BGP coexisting in "partial deployment" alongside BGP for a long time. We therefore use theoretical and experimental approaches to study the security benefits provided by partially-deployed S*BGP, vis-à-vis those already provided by origin authentication. Because routing policies have a profound impact on routing security, we use a survey of 100 network operators to find the policies that are likely to be most popular during partial S*BGP deployment. We find that S*BGP provides only meagre benefits over origin authentication when these popular policies are used. We also study the security benefits of other routing policies, provide prescriptive guidelines for partially-deployed S*BGP, and show how interactions between S*BGP and BGP can introduce new vulnerabilities into the routing system.

    Preventing Attacks on BGP Policies: One Bit is Enough

    The Internet is composed of many autonomous systems (ASes) managed by independent entities that use the Border Gateway Protocol (BGP) to route their traffic. Although it is the de facto standard for establishing paths across the Internet, BGP is not a secure protocol, and the Internet infrastructure often experiences attacks, such as prefix hijacking and attribute mangling, incurring great costs to the ASes that experience them. Various solutions have been proposed in response to these attacks, such as Secure BGP, but they do not address traffic attraction attacks that stem from export policy violations. In these attacks, malicious ASes can introduce paths that are legitimate from the protocol standpoint and yet malicious to the users of that protocol. Although these attacks have been studied before, no solution has yet been proposed. In this paper, we thoroughly characterize this set of attacks and propose a very lightweight and effective scheme to address them. Our scheme requires no manual configuration. We show that even if only a small fraction of ASes deploy our scheme, the number of possible attacks is reduced by an order of magnitude.

    How Secure and Quick is QUIC? Provable Security and Performance Analyses

    QUIC is a secure transport protocol developed by Google and implemented in Chrome in 2013, currently representing one of the most promising solutions to decreasing latency while intending to provide security properties similar to TLS. In this work we shed some light on QUIC's strengths and weaknesses in terms of its provable security and performance guarantees in the presence of attackers. We first introduce a security model for analyzing performance-driven protocols like QUIC and prove that QUIC satisfies our definition under reasonable assumptions on the protocol's building blocks. However, we find that QUIC does not satisfy the traditional notion of forward secrecy that is provided by some modes of TLS, e.g., TLS-DHE. Our analyses also reveal that with simple bit-flipping and replay attacks on some public parameters exchanged during the handshake, an adversary could easily prevent QUIC from achieving minimal latency advantages, either by having it fall back to TCP or by causing the client and server to have an inconsistent view of their handshake, leading to a failure to complete the connection. We have implemented these attacks and demonstrated that they are practical. Our results suggest that QUIC's security weaknesses are introduced by the very mechanisms used to reduce latency, which highlights the seemingly inherent trade-off between minimizing latency and providing 'good' security guarantees.

    Evaluating security-enhanced interdomain routing protocols in full and partial deployment

    The Internet consists of over 50 thousand smaller networks, called Autonomous Systems (ASes) (e.g., AT&T, Sprint, Google), that use the Border Gateway Protocol (BGP) to figure out how to reach each other. One way or another, we all rely on BGP because it is what glues the Internet together, but despite its crucial role, BGP remains vulnerable to the propagation of bogus routing information due to malicious attacks or unintentional misconfigurations. The United States Department of Homeland Security (DHS) views BGP security as part of its national strategy for securing the Internet, and there is a big push to standardize a secure variant of BGP (S*BGP) by the Internet Engineering Task Force (IETF). However, S*BGP properties and their impact on the Internet's routing infrastructure, especially in partial deployment, have not yet been fully understood. To address this issue, in this thesis we use methodologies from applied cryptography, algorithms, and large-scale simulations to study the following three key properties with respect to their deployment: 1. provable security guarantees, 2. stability in full and partial deployment with or without attackers, 3. benefits and harm resulting from full and partial deployment. With our analysis we have discovered possible security weaknesses in previously proposed secure BGP variants and suggest possible fixes to address them. Our analysis also reveals that security benefits from partially deployed S*BGP are likely to be meager unless a significant fraction of ASes deploy it. At the same time, complex interactions between S*BGP and the insecure, legacy BGP can introduce new vulnerabilities and instabilities into the Internet's routing infrastructure. We suggest possible strategies for mitigating such pitfalls and facilitating S*BGP deployment in practice. (Ph.D. thesis)

    Designing Enforceable Network Contracts

    Internet connectivity depends on contractual agreements between cooperating entities, such as administrative domains (ADs), where an agreement over a certain level of service is made. Contracts (e.g., SLAs) for providing certain levels of service must be enforceable, and ADs must have an incentive to meet their contractual obligations. Previous work has designed mechanisms for both pricing and network accountability, but no existing work examines contract structures with respect to different accountability frameworks, and how together they may affect an AD's incentives to fulfill contracts. We study how different contract structures (in particular, path-based versus pairwise contracts) affect ADs' incentives to establish contracts (which, in turn, can affect overall connectivity) and, once contracts are established, to forward traffic accordingly. This paper presents several contributions. First, we derive sufficient conditions for path-based contract systems and accountability frameworks for entities to have an incentive to forward traffic according to their contracts, provided that all parties involved are rational. Second, we show that for path-based contracts at equilibrium where nodes are encouraged to fulfill their contracts, only a constant amount of monitoring is required for every participant to make a positive profit; this is not the case for pairwise contracts. Third, we show how systems that rely on pairwise contracts are prone to depeering in the presence of sufficient supply and demand due to coarse granularity, a contractual failure to which systems that rely on path-based contracts are immune. We propose modifications to pairwise contracts that could prevent such failures. Finally, we present situations of depeering that may be unpreventable due to maliciously behaving parties for both pairwise and path-based contract structures. For such scenarios, we show that while path-based contracts allow the sender of traffic to get reimbursed, this is not guaranteed in pairwise contract systems.

    Provable Security of S-BGP and other Path Vector Protocols: Model, Analysis and Extensions

    This paper provides a provable-security treatment of path vector routing protocols. We first design a security definition for path vector routing protocols by studying, generalizing, and formalizing numerous known threats. Our model incorporates three major security goals. It is quite strong, yet simple to use. We prove by reduction that S-BGP satisfies two out of the security model's three goals, assuming the underlying signature scheme is secure. Under the same assumption, we next show how the protocol can be modified to meet all three security goals simultaneously. We also analyze SoBGP and show that it fails to meet two security goals. Finally, we study the security of partial PKI deployment of path vector protocols, when not all nodes have public keys. We investigate the possibilities of relaxing the PKI requirement and relying on the non-cryptographic physical security of networks that use the protocol in order to achieve possibly weaker, but still well-defined, notions of security. We also present the necessary and sufficient conditions to achieve full security in the partial PKI deployment scenario. We believe our conclusions will prove useful for protocol developers, standards bodies, and government agencies.

    Stepping-Stone Detection via Request-Response Traffic Analysis

    In this paper, we propose a new method to detect stepping-stone intrusion by computing the linearity between the number of send packets and the number of echo packets. The linearity of two relayed connections is better than that of two non-relayed connections. We develop a connection-chain detection procedure that may be used as a stepping-stone detection tool. Our procedure is based on analyzing correlations between the frequencies at which cumulative numbers of packets are sent in outgoing connections and those at which packets are sent in the incoming connections. The experiment and simulation results show that this method can resist intruders' time and chaff evasion better than other approaches.

    Stepping-Stone Detection Via Request-Response Traffic Analysis

    In this paper, we develop an algorithm that may be used as a stepping-stone detection tool. Our approach is based on analyzing correlations between the cumulative number of packets sent in outgoing connections and that of the incoming connections. We present a study of our method's effectiveness with actual connections as well as simulations of time-jittering (introduction of inter-packet delay) and chaff (introduction of superfluous packets). Experimental results suggest that our algorithm works well in the following scenarios: (1) distinguishing connection chains that go through the same stepping-stone host and carry traffic of users who perform similar operations at the same time; and (2) distinguishing a single connection chain from unrelated incoming and outgoing connections even in the presence of chaff. The results suggest that time-jittering will not diminish our method's usefulness.

    The skull of Anchitheriomys
