Ausgewählte Kapitel der Rechnernetze

Transcription

1 Ausgewählte Kapitel der Rechnernetze Komplexe, große Internetze bauen Routing Routing-Protokolle Distance-Vector Link-State

2 Goal: Build Large Networks How to implement a Very Large Network? Flooding clearly not a good idea Need some structure to decide where a packet should go Calculate best routes for packets Spanning tree is a good start: Once spanning tree for a destination is known, it is clear how to send a packet to this destination However, once a link goes down, the tree gets disconnected insufficient fault tolerance 2

3 Key Network-Layer Functions Forwarding: move packets from router s input to appropriate router output Routing: determine route taken by packets from source to dest. Routing algorithms Analogy: Routing: process of planning trip from source to dest Forwarding: process of getting through single interchange 3

4 Forwarding Question: How do you get a packet from one network to another?? A B C D W X Y Z Answer: with a switch / bridge / router (or a series of them) Case 1: Single hop A B C D W X Y Z R Case 2: Multi-hop R Network Cloud A B C D W X Y Z R 4

5 Forwarding: Example R1 R2 R3 N1 N2 N3 N4 routing R2 Dest Next hop N1 N2 N3 N4 R1 Deliver directly Deliver directly R3 Actual routing table contains IP addresses, flags indicating type of entries, net mask etc. 5

6 Searching the Routing Table First, search for a matching host address Flag H is set Second, search for a matching network address Need to know the number of bits to use for network ID Third, search for a default entry Execute netstat -rn on your machine and find the contents of the routing table Default entry allows for a single entry for a list of entries that have the same nexthop value This leads to the interesting question: How is the information stored in this routing / forwarding table obtained? Answer: this is the task of a routing algorithm (more on this later) 6

7 Interplay Between Routing and Forwarding (Summary) routing algorithm local forwarding table header value output link value in arriving packet s header

8 Overview on Routing Algorithms (1) A router executes a routing algorithm to decide which output line an incoming packet should be transmitted on: In connection-oriented service, the routing algorithm is performed only during connection setup In connectionless service, the routing algorithm is either performed as each packet arrives, or performed periodically and the results of this execution updated in the forwarding table Often, routing algorithms take a so-called metric into account when making routing decisions: In this context, a metric assigns a cost to each network link This allows to compute a metric for each route in the network A metric may take into account parameters like number of hops, cost of a link, delay, length of output queue, etc. The cheapest path according to some metric is often also referred to as the shortest path (even though it might actually contain more hops than an alternative path) 8

9 Overview on Routing Algorithms (2) Two basic types of routing algorithms: Non-adaptive routing algorithms: do not base their routing decisions on the current state of the network (example: flooding) Adaptive routing algorithms: take into account the current network state when making routing decisions (examples: distance vector routing, link state routing) Remark: additionally, hierarchical routing can be used to make these algorithms scale to large networks 9

10 Flooding Basic strategy: Every incoming packet is sent out on every outgoing line except the one it arrived on Problem: vast number of duplicated packets Reducing the number of duplicated packets: Solution 1: Have a hop counter in the packet header; routers decrement each arriving packet s hop counter; routers discard a packet with hop count=0 Ideally, the hop counter should be initialized to the length of the path from the source to the destination Solution 2: Require the first router hop to put a sequence number in each packet it receives from its hosts Each router maintains a table listing the sequence numbers it has seen from each firsthop router; the router can then discard packets it has already seen 10

11 Flooding: Possible Applications Military applications Large number of routers is desirable (all systems act as a router) If one router is taken out (e.g. by a bomb) flooding will still get packets to their destinations Distributed databases Simultaneous updates of multiple databases can be done with a single packet transmission Networks with frequent topology changes Adhoc networks 11

12 Adaptive Routing Algorithms (1) Problems with non-adaptive algorithms: If traffic levels in different parts of the subnet change dramatically and often, non-adaptive routing algorithms are unable to cope with these changes Lots of computer traffic is bursty (~ very variable in intensity), but non-adaptive routing algorithms are usually based on average traffic conditions Three types: Adaptive routing algorithms can deal with these situations Centralized adaptive routing: One central routing controller Isolated adaptive routing: Based on local information Does not require exchange of information between routers Distributed adaptive routing: Routers periodically exchange information and compute updated routing information to be stored in their forwarding table 12

13 Centralized Adaptive Routing Basic strategy: Routing table adapts to network traffic A routing control center is somewhere in the network Periodically, each router forwards link status information to the control center The center can compute the best routes, e.g. with Dijkstra s shortest path algorithm (explained later) Best routes are dispatched to each router Problems: Vulnerability: if the control center goes down, routing becomes non-adaptive Scalability: the control center must handle a great deal of routing information, especially for larger networks 13

14 Isolated Adaptive Routing Algorithms Basic idea: Routing decisions are made only on the basis of information available locally in each router Examples: Hot potato Backward learning Hot potato routing: When a packet arrives, the router tries to get rid of it as fast as it can by putting it on the output line that has the shortest queue Hot potato does not care where the output line leads Not very effective 14

15 Backward Learning Routing Basic idea: Algorithm: Packet headers include destination and source addresses; they also include a hop counter learn from this data as packets pass by Network nodes, initially ignorant of network topology, acquire knowledge of the network state as packets are handled Routing is originally random (or hot potato, or flooding) A packet with a hop count of one is from a directly connected node; neighboring nodes are identified with their connecting links A packet with a hop count of two is from a source two hops away, etc. As packets arrive, compare the hop count for a given source address with the minimum hop count already registered; if the new one is less, it is substituted for the previous one Remark: in order to be able to adapt to deterioration of routes (e.g. link failures) the acquired information has to be forgotten periodically ( soft-state ) 15

16 Distributed Adaptive Routing Routing Protocol Goal: Determine good path (sequence of routers) through network from source to dest. Graph abstraction for routing algorithms: A B 2 D C E F Graph nodes are routers Graph edges are physical links Link cost: delay, $ cost, or congestion level Path cost: sum of the link costs on the path Good path: Typically means minimum cost path Other definitions possible 16

17 Decentralized Adaptive Routing Algorithm Classification Global or decentralized information? Decentralized: Router knows physically-connected neighbors, link costs to neighbors Iterative process of computation, exchange of info with neighbors Distance vector algorithms RIP protocol BGP protocol ( path vector ) Static or dynamic? Static: Routes change slowly over time Dynamic: Routes change more quickly Periodic update In response to link cost changes Global: All routers have complete topology, link cost info Link state algorithms Dijkstra s algorithm OSPF protocol 17

18 Distance Vector Routing Algorithm Iterative: Continues until no nodes exchange info. Self-terminating: no signal to stop Distributed: Each node communicates only with directly-attached neighbors Distance Table data structure Each node has its own Row for each possible destination Column for each directly-attached neighbor to node Example: in node X, for dest. Y via neighbor Z: X D (Y,Z) = = distance from X to Y, via Z as next hop Z c(x,z) + min {D (Y,w)} w 18

19 Example for Distance Table A 1 E D (C,D) E D (A,D) E D (A,B) 7 B E C D D = c(e,d) + min {D (C,w)} w = 2+2 = 4 D = c(e,d) + min {D (A,w)} w = 2+3 = 5 loop! B = c(e,b) + min {D (A,w)} w = 8+6 = 14 loop! 2 destination E D () A B C D cost to destination via A B D

20 Constructing Routing Table from Distance Table E D () Cost to destination via A B D Outgoing link to use, cost A A A,1 Destination B C Destination B C D,5 D,4 D D D,4 Distance table Routing table 20

21 Distance Vector Routing: Overview Iterative, asynchronous: Each local iteration caused by: Local link cost change Message from neighbor: its least cost path change from neighbor Distributed: Each node notifies neighbors only when its least cost path to any destination changes Neighbors then notify their neighbors if necessary Each node: wait for (change in local link cost of msg from neighbor) recompute distance table if least cost path to any dest has changed, notify neighbors 21

22 Distance Vector Algorithm: Initialization At all nodes, X: 1 Initialization: 2 for all adjacent nodes v: X 3 D (*,v) = infinity /* the * operator means "for all rows" */ X 4 D (v,v) = c(x,v) 5 for all destinations, y 6 send min D (y,w) to each neighbor /* w over all X's neighbors */ W X 22

23 Distance Vector Algorithm: Main Loop 8 loop 9 wait (until I see a link cost change to neighbor V 10 or until I receive update from neighbor V) if (c(x,v) changes by d) 13 /* change cost to all dest's via neighbor v by d */ 14 /* note: d could be positive or negative */ 15 for all destinations y: D X(y,V) = D X(y,V) + d else if (update received from V w.r.t. destination Y) 18 /* shortest path from V to some Y has changed */ 19 /* V has sent a new value for its min W D (Y,w) */ 20 /* call this received new value "newval" */ V 21 for the single destination y: D X(y,V) = c(x,v) + newval if we have a new min D X (Y,w) for any destination Y W 24 send new value of min D X(Y,w) to all neighbors W forever 23

24 Distance Vector Algorithm: Example (1) X 2 Y 7 1 Z 24

25 Distance Vector Algorithm: Example (2) X 2 Y 7 1 Z X D (Y,Z) Z = c(x,z) + min {D (Y,w)} w = 7+1 = 8 X D (Z,Y) Y = c(x,y) + min {D (Z,w)} w = 2+1 = 3 25

26 Distance Vector: Reaction to Link Cost Changes (1) Link cost changes: Node detects local link cost change Updates distance table (line 15) If cost change in least cost path, notify neighbors (lines 23,24) X 1 4 Y 50 1 Z Good news travel fast Algorithm terminates 26

27 Distance Vector: Reaction to Link Cost Changes (2) Link cost changes: Good news travel fast Bad news travel slow - count to infinity problem! 60 X 4 Y 50 1 Z algorithm continues on! 27

28 Distance Vector: Poisoned Reverse If Z routes through Y to get to X: Z tells Y its (Z s) distance to X is infinite (so Y won t route to X via Z) Will this completely solve count to infinity problem? 60 X 4 Y 50 1 Z algorithm terminates 28

29 Link-State Routing Link state routing usually uses Dijkstra s algorithm: Network topology, link costs known to all nodes: Accomplished via link state broadcast All nodes have same information Input: a graph (V, E) with V being the set of vertices (nodes) E being the set of edges (links) A mapping c(v, w) representing the cost of edge (v, w) if (v, w) is in E (otherwise c(v, w) = infinity) Goal: compute the least cost paths from one node s ( source ) to all other nodes v: Can be used to obtain routing table for that node s 29

30 Dijkstra s Algorithm to Compute Shortest Paths (1) Basic algorithm idea: Start with a set N containing only the source node s and incrementally add one node at a time, to which the shortest path can be determined with the knowledge available at that point in time Initially, the shortest path to node v is estimated to be infinity for all vertices except the source vertex s In each step: Select the node v not yet in the set N that can be reached from s with the cheapest estimated cost using only nodes, that are already in N Include v in N Update the estimates for all direct neighbors w of v if a path over v would be cheaper than the current estimate When updating an estimate for node w, also memorize the predecessor node v leading to this estimate 30

31 Dijkstra s Algorithm to Compute Shortest Paths (2) Thus, the algorithm maintains for every vertex v: A shortest path estimate d(v) This estimate d(v) is what the algorithm currently assumes to be the shortest path from s to v The predecessor node p(v) on the currently assumed shortest path from s to v A list of vertices N for whom the shortest path is definitely known Some remarks: It holds that whenever the estimate d(v) is finite for a vertex v, there exists a path from the source s to v with weight d(v) It turns out that the estimate is accurate for the vertex with the minimum value of this estimate Shortest path is known for this vertex v This vertex v is added to the set N of vertices for which shortest path is known Shortest path estimates are upgraded for every vertex which has an edge from v, and is not in N 31

32 Dijkstra s Algorithm to Compute Shortest Paths (3) Estimate upgrade procedure: Suppose vertex v is added to the list newly, and we are upgrading the estimate for vertex w: d(v) is the shortest path estimate for v, d(w) is the estimate for w c(v, w) is the cost of the edge from v to w if ( d(v) + c(v, w) < d(w)) { d(w) = d(v) + c(v, w); p(w) = v; } Intuition behind this procedure: Assume that d(w) and d(v) are finite So, there exists a path (s, v 1, v 2,, v) from s to v of weight d(v) Hence, there exists a path (s, v 1, v 2,, v, w) from s to w of weight d(v) + c(v, w) Also, there exists a path to u of weight d(w) So the shortest path to w can not have weight more than either d(w) or d(v) + c(v, w) 32

33 Dijkstra s Algorithm in Pseudocode Computes least-cost path from one node to other nodes in the net 1 Initialization (for Node s): 2 N = {s} /* Set of Nodes with known least-cost path */ 3 for all nodes v 4 if v adjacent to s 5 then { d(v) = c(s,v); p(v) = s; } 6 else d(v) = infinity; 7 8 Loop 9 find v not in N such that d(v) is a minimum 10 add v to N 11 for all w adjacent to v and not in N do /* update d(w) */ 12 { if (d(v) +c(v, w) < d(w)) { d(w) = d(v) + c(v, w); p(w) = v; } } 13 /* new cost to w is either old cost to w or known 14 shortest path cost to v plus cost from v to w */ 15 until all nodes in N 33

34 Example Run of Dijkstra s Algorithm (1) Step 0 start N A d(b),p(b) 2,A d(c),p(c) 5,A d(d),p(d) 1,A d(e),p(e) infinity d(f),p(f) infinity 5 A 1 2 B D C E F 34

35 Example Run of Dijkstra s Algorithm (2) Step 0 1 start N A AD d(b),p(b) 2,A 2,A d(c),p(c) 5,A 4,D d(d),p(d) 1,A d(e),p(e) infinity 2,D d(f),p(f) infinity infinity 5 A 1 2 B D C E F 35

36 Example Run of Dijkstra s Algorithm (3) Step start N A AD ADE d(b),p(b) 2,A 2,A 2,A 5 d(c),p(c) 5,A 4,D 3,E d(d),p(d) 1,A d(e),p(e) infinity 2,D d(f),p(f) infinity infinity 4,E A 1 2 B D C E F 36

37 Example Run of Dijkstra s Algorithm (4) Step start N A AD ADE ADEB d(b),p(b) 2,A 2,A 2,A d(c),p(c) 5,A 4,D 3,E 3,E d(d),p(d) 1,A d(e),p(e) infinity 2,D d(f),p(f) infinity infinity 4,E 4,E 5 A 1 2 B D C E F 37

38 Example Run of Dijkstra s Algorithm (5) Step start N A AD ADE ADEB ADEBC d(b),p(b) 2,A 2,A 2,A d(c),p(c) 5,A 4,D 3,E 3,E d(d),p(d) 1,A d(e),p(e) infinity 2,D d(f),p(f) infinity infinity 4,E 4,E 4,E 5 A 1 2 B D C E F 38

39 Example Run of Dijkstra s Algorithm (6) Step start N A AD ADE ADEB ADEBC ADEBCF d(b),p(b) 2,A 2,A 2,A 5 d(c),p(c) 5,A 4,D 3,E 3,E d(d),p(d) 1,A d(e),p(e) infinity 2,D d(f),p(f) infinity infinity 4,E 4,E 4,E A 1 2 B D C E F 39

40 Link State Routing (with Dijkstra s Algorithm) Each router measures the cost (in delay, hop count, etc.) between itself and its adjacent routers The router builds a packet containing all these distances The packet also contains a sequence number and an age field Each router distributes these packets using flooding To control flooding, the sequence numbers are used by routers to discard flood packets they have already seen from a given router The age field in the packet is an expiration date that specifies how long the information in the packet is valid Once a router receives all the link state packets from the network, it can reconstruct the complete topology and compute a shortest path between itself and any other node using Dijsktra s algorithm 40

41 Comparison of Link State and Distance Vector Algorithms Message complexity LS: with n nodes, E links, O(n E) msgs sent each DV: exchange between neighbors only convergence time varies Speed of Convergence LS: O(n 2 ) algorithm requires O(n E) msgs may have oscillations DV: convergence time varies may be routing loops count-to-infinity problem Robustness: what happens if router malfunctions? LS: DV: Node can advertise incorrect link cost Each node computes only its own table DV node can advertise incorrect path cost Each node s table used by other routers: Errors propagate through network 41

42 Hierarchical Routing Our routing study so far is an idealization: All routers are assumed to be identical Network is assumed to be flat Practice, however, looks different Scale (50 million destinations!): Can t store all destinations in routing tables Routing table exchange would overload links Administrative autonomy: Internet = network of networks Each network admin may want to control routing in its own network 42

43 Hierarchical Routing: Autonomous Systems Aggregate routers into regions, autonomous systems (AS) Routers in same AS run same routing protocol Intra-AS routing protocol Routers in different AS can run different intra-as routing protocol Gateway Routers Special routers in AS Run intra-as routing protocol with all other routers in AS Also responsible for routing to destinations outside AS Run inter-as routing protocol with other gateway routers 43

44 Inter-AS and Intra-AS Routing a C C.b b d A A.a a b A.c c B.a a B c b Gateways: Perform inter-as routing amongst themselves Perform intra-as routers with other routers in their AS inter-as, intra-as routing in gateway A.c network layer link layer physical layer 44

45 Routing in the Internet The Global Internet consists of Autonomous Systems (AS) interconnected with each other: Stub AS: small corporation (only one link to the Internet) Multihomed AS: large corporation (multiple links, but no transit) Transit AS: provider Two-level routing: Intra-AS: administrator is responsible for choice Routing Information Protocol (RIP): Distance Vector Open Shortest Path First (OSPF): Link State Interior Gateway Routing Protocol (IGRP): Distance Vector (Cisco proprietary) Inter-AS: unique standard Border Gateway Protocol (BGP): Path Vector (sort of distance vector, but with path information for loop avoidance) 45

46 Why Having Different Inter- and Intra-Domain Routing? Policy: Scale: Inter-AS: admin wants control over how its traffic routed, who routes through its net. Intra-AS: single admin, so no policy decisions needed Hierarchical routing saves table size, reduced update traffic Performance: Intra-AS: can focus on performance Inter-AS: policy may dominate over performance 46

47 Interconnected Autonomous Systems (1) 3c 3a 3b AS3 1a 1c 1d 1b Intra-AS Routing Algorithm AS1 2a Inter-AS Routing Algorithm 2c AS2 2b Forwarding table is configured by both intra- and inter-as routing algorithm Intra-AS sets entries for internal dests Inter-AS & Intra-As sets entries for external dests Forwarding table 47

48 Inter-AS Tasks Problem: Suppose router in AS1 receives datagram for which destination is outside of AS1 Router should forward packet towards one of the gateway routers, but which one? AS1 needs to: Learn which destinations are reachable through AS2 and which through AS3 Propagate this reachability info to all routers in AS1 Job of inter-as routing! 3c 3a 3b AS3 1a 1c 1d 1b AS1 2a 2c AS2 2b 48

49 Example: Setting Forwarding Table in Router 1d Suppose AS1 learns from the inter-as protocol that subnet x is reachable from AS3 (gateway 1c) but not from AS2. Inter-AS protocol propagates reachability info to all internal routers. Router 1d determines from intra-as routing info that its interface I is on the least cost path to 1c. Puts in forwarding table entry (x,i). 49

50 Example: Choosing Among Multiple ASes Now suppose AS1 learns from the inter-as protocol that subnet x is reachable from AS3 and from AS2. To configure forwarding table, router 1d must determine towards which gateway it should forward packets for dest x. This is also the job on inter-as routing protocol! Hot potato routing: send packet towards closest of two routers (the AS tries to get rid of the packet as quickly as possible) Learn from inter- AS protocol that subnet x is reachable via multiple gateways Use routing info from intra-as protocol to determine costs of least-cost paths to each of the gateways Hot potato routing: Choose the gateway that has the smallest least cost Determine from forwarding table the interface I that leads to least-cost gateway. Enter (x,i) in forwarding table 50

51 Intra-AS Routing Also known as Interior Gateway Protocols (IGP) Most common Intra-AS routing protocols: RIP: Routing Information Protocol OSPF: Open Shortest Path First IGRP: Interior Gateway Routing Protocol (Cisco proprietary) 51

52 RIP ( Routing Information Protocol) Basic characteristics: Distance vector algorithm Included in BSD-UNIX Distribution in 1982 Distance metric: # of hops (max = 15 hops) z u A C B D v y w x Destination Hops u 1 v 2 w 2 x 3 y 3 z 2 52

53 RIP Advertisements Distance vectors: Exchanged among neighbors every 30 sec via Response Message Also called advertisement Each advertisement: List of up to 25 destination networks within AS 53

54 RIP: Example w x y A D B z C Destination Network Next Router Num. of hops to dest. w A 2 y B 2 z B 7 x Routing table in D 54

55 RIP: Example Dest Next hops w - - x - - z C Advertisement from A to D w x y A D B z C Destination Network Next Router Num. of hops to dest. w A 2 y B 2 z B A 7 5 x

56 RIP: Link Failure and Recovery If no advertisement heard after 180 sec neighbor/link declared dead: Routes via neighbor invalidated New advertisements sent to neighbors Neighbors in turn send out new advertisements (if tables changed) Link failure info quickly propagates to entire net Poison reverse used to prevent ping-pong loops (infinite distance = 16 hops) 56

57 OSPF (Open Shortest Path First) Open : publicly available Uses Link State algorithm LS packet dissemination Topology map at each node Route computation using Dijkstra s algorithm OSPF advertisement carries one entry per neighbor router Advertisements disseminated to entire AS (via flooding) Carried in OSPF messages directly over IP (rather than TCP or UDP 57

58 OSPF Advanced Features (not in RIP) Security: all OSPF messages authenticated (to prevent malicious intrusion) Multiple same-cost paths allowed (only one path in RIP) For each link, multiple cost metrics for different TOS (e.g., satellite link cost set low for best effort; high for real time) Integrated uni- and multicast support: Multicast OSPF (MOSPF) uses same topology data base as OSPF Hierarchical OSPF in large domains. 58

59 Internet Inter-AS Routing: BGP BGP (Border Gateway Protocol): the de facto standard BGP provides each AS a means to: Obtain subnet reachability information from neighboring ASs Propagate the reachability information to all routers internal to the AS Determine good routes to subnets based on reachability information and policy Allows a subnet to advertise its existence to rest of the Internet: I am here 59

60 BGP Basics Pairs of routers (BGP peers) exchange routing info over semi-permanent TCP connections: BGP sessions Note that BGP sessions do not correspond to physical links. When AS2 advertises a prefix to AS1, AS2 is promising it will forward any datagrams destined to that prefix towards the prefix AS2 can aggregate prefixes in its advertisement 3c 3a 3b AS3 1a AS1 1c 1d 1b 2a 2c 2b AS2 ebgp session ibgp session 60

61 Distributing Reachability Info With ebgp session between 3a and 1c, AS3 sends prefix reachability info to AS1. 1c can then use ibgp do distribute this new prefix reach info to all routers in AS1 1b can then re-advertise the new reach info to AS2 over the 1b-to-2a ebgp session When router learns about a new prefix, it creates an entry for the prefix in its forwarding table. 3c 3a 3b AS3 1a AS1 1c 1d 1b 2a 2c 2b AS2 ebgp session ibgp session 61

62 Path Attributes & BGP Routes When advertising a prefix, the advertisement includes BGP attributes. Prefix + attributes = route Two important attributes: AS-PATH: contains the ASs through which the advert for the prefix passed: AS 67 AS 17 NEXT-HOP: Indicates the specific internal-as router to next-hop AS. (There may be multiple links from current AS to next-hop-as.) When gateway router receives route advert, uses import policy to accept/decline. 62

63 BGP Routing Policy (1) B legend: provider network W A C X customer network: Y Figure 4.5-BGPnew: a simple BGP scenario A,B,C are provider networks X,W,Y are customer (of provider networks) X is dual-homed: attached to two networks X does not want to route from B via X to C.. so X will not advertise to B a route to C 63

64 BGP Routing Policy (2) B legend: provider network W A C X customer network: Y Figure 4.5-BGPnew: a simple BGP scenario A advertises to B the path AW B advertises to X the path BAW Should B advertise to C the path BAW? No way! B gets no revenue for routing CBAW since neither W nor C are B s customers B wants to force C to route to w via A B wants to route only to/from its customers! 64

65 General Threats to Routing Protocols Threats to routing can be characterized according to: Threat source: Subverted link or subverted / rogue router Threat consequence (generic): Disclosure of (routing) information Deception of other routers (e.g. with forged messages) Disruption of normal (router) operation Usurpation (= gaining control over a routers operation, e.g. by stealing traffic originally to be routed by that router) Threat consequence zone: Single node / part of a network / whole Internet Threat consequence period: Only during attack / for a certain period of time (characterization mostly according to [BMY04]) 65

66 Routing Threats Consequences (1) Consequences regarding the network as a whole: Network congestion: more traffic is routed through a specific part of the network than would usually be Blackhole : packets go into a certain router/region and disappear Looping: traffic is forwarded along a route that loops (this causes both traffic to disappear and congestion) Partitioning: some portion of the network believes that it is partitioned from the rest of the network when in fact it is not Frequent route changes: resulting in unnecessary routing processing and message exchanges as well as large variations in forwarding delay Instability of the routing protocol: convergence towards a global forwarding state is not achieved Routing overload: routing protocol messages become a significant part of the overall transported traffic the network carries 66

67 Routing Threats Consequences (2) Consequences regarding a specific target host / network: Delay: traffic from / to a target host / network is routed along routes that are inferior to the route the traffic would otherwise take Cut: some part of the network believes that there is no route to the target host / network when, in fact, there is Starvation: the traffic destined for the target host/network is routed to a part of the network that can not deliver it Eavesdropping: traffic is routed through some router or network that would normally not see this traffic, so that an attacker can eavesdrop on the traffic or at least monitor the traffic pattern Controlled delivery: traffic is routed through a router / network so that an attacker can selectively delay, delete or modify packets destined to a target host / network 67

68 Generally Identifiable Routing Threats (1) Disclosing routing information: Deliberate exposure of routing information: e.g., by a subverted router in order to disclose routing information Eavesdropping on routing exchanges: different attacking technique, also leading to disclosure of routing information Traffic analysis: by eavesdropping on forwarded data traffic, an attacker can gain insight about routing information Masquerade: An entity claims the identity of a router (sometimes also called spoofing) Masquerade is usually performed in order to realize further attacks Interference: An attacker inhibits the exchange of routing information between routers, e.g. by delaying or deleting routing messages or receipts, breaking synchronization, etc. The consequence is usually (partial) disruption of routing operations 68

69 Generally Identifiable Routing Threats (2) Falsification of routing information: Either by an originator (forging) or a forwarder (modification) Overclaiming: Announcing better routes / link capacity than available Goals can be to attract traffic to a certain area in order to control the traffic or to mislead the traffic so that it will not be delivered at all or with higher delay Consequences for the network are potential overload of single routers, increase of overall traffic load Underclaiming: Announcing inferior routes / link capacities than actually exist Potential goals are to keep traffic out of certain areas of the network, e.g. in order to avoid forwarding of traffic at certain routers or to increase attractiveness of alternative routes Potential consequences are that certain destinations become unreachable, and the overall traffic load in the network increases (because packets take inferior routes) 69

70 Generally Identifiable Routing Threats (3) Resource exhaustion: E.g. by an attacker that announces frequent changes in his routing information, or triggers a router to create an excessive amount of state information which can not be handled by other routers Sometimes also referred to as overload Goal is degradation / disruption of routing protocol operation Resource destruction: Link destruction: either physically ( cutting ) or by strong interference Node destruction: e.g. physically or logically by exploiting weaknesses in the router software (OS, routing software) Depending on the network topology, the consequences can be either of local or global scope (single network / part of network unreachable or network partitioning) In the following, we will focus on Inter-AS routing threats and countermeasures, as it concerns availability of the Internet as a whole 70

71 Inter-AS Routing Threats in the Internet Inter-AS routing threats mainly concern BGP operation Attack Scenarios: Disabling of parts of the Internet by disrupting Internet routing tables Forcing multi-homed AS to use alternate paths to / from an outside AS instead of the preferred path Disabling a single- or multi-homed AS Creating traffic blackholes The above mentioned attack scenarios can e.g. be realized by: announcing to host IP addresses ranges for which no ownership exists inserting unauthorized prefixes into routing table (= announcing paths for networks for which no authorization to route exists) modifying or forging routing messages during transmission resource destruction 71

72 Securing BGP Operation: Verifying Peer Messages (1) Forcing routers to accept only protocol messages from directly connected peers (if direct links exist): Referred to as BGP TTL Security Hack (BTSH) Idea directly connected peer routers: send routing messages with IP TTL field set to 255, and accept only routing messages with IP TTL field 254 Messages from attackers which can only reach a target router over multiple hops will be discarded by router Question: why can this mechanism not be implemented as follows? send routing messages with IP TTL set to 1, and let routers in between automatically discard routing messages after one hop (so routing messages from attacker will not reach the target) Authenticate routing messages between peers: Protection of BGP sessions via the TCP MD5 signature option (RFC 2385) Deploy IPSec between BGP peer entities (see chapter 11 in [Sch03]) 72

73 Securing BGP Operation: Verifying Peer Messages (2) TCP MD5 Signature Option: Goal: protect BGP exchanges between peers from spoofed TCP segments (attacker would only need to eavesdrop or guess correct sequence number) Sender computes an MD5 hash value over each TCP segment and a secret shared with its peer entity The hash value is transported in an option field As all options in a TCP PDU together may not exceed 40 bytes this option has been defined to use 16 Byte long MD5 hash values (plus two bytes for TCP option information; type and length) Problem: no automatic key negotiation / update procedure defined, leading to deployment difficulties (+ known vulnerabilities of manual key mgmt.) Deployment of IPSec between peers: Provides authentication and replay protection for IP packets Allows for additional confidentiality Leverages well known IPSec architecture (incl. key management protocol) 73

74 Problems Beyond Simple Peer-to-Peer BGP Security Address space ownership verification: Who has been assigned an IP address range and has thus the right to announce this range / delegate the announcement of this range? Autonomous System (AS) authentication: To whom has a claimed AS-number actually been assigned? Router authentication and authorization (relative to an AS): Are the entities pretending to belong to an autonomous system authentic? Route and address advertisement authorization: Who is allowed to announce specific address ranges / routes Route withdrawal authorization: Who is allowed to withdraw a route? Need for further security measures, one approach for this is S-BGP (material on S-BGP taken from [Kent] and [Lynn99]) 74

75 Overview on the Secure Border Gateway Protocol (S-BGP) IPsec: Provides authenticity and integrity of peer-to-peer communication with support for automated key management Public Key Infrastructures (PKIs): Secure identification of BGP speakers and of owners of AS s and of address blocks Attestations: Authorization of the subject (by the issuer) to advertise specified address blocks Validation of BGP UPDATEs: Based on a new path attribute, using certificates and attestations Distribution of security specific data: Certificates, certificate revocation lists (CRLs), attestations 75

76 Internet Address Space Ownership ICANN/IANA ISP-1 ARIN/RIPE/APNIC ORG-X DSP-A DSP-C ISP-2 ORG-Y DSP-B ORG-Z ORG-YY DSP-D ORG-XX ORG-ZZ Internet address space is managed hierarchically with the Internet Assigned Numbers Authority (IANA) acting as the root authority for assigning address ranges 76

77 S-BGP: Certificates and Address Space Attestations ICANN issues certificates for address space ownership to regional authorities and to entities that have direct address allocations (from IANA) Each of these certificates contains an extension specifying the address space being delegated, so that certificate validation is addressconstrained Holders of address space certificates can create an address attestation, authorizing an AS (or a router) to advertise the specified address space Only networks that execute BGP need certificates: All Internet Service Providers (ISPs) are BGP users, Only about ~10% of Downstream Providers (DSPs), Maybe 5% of subscribers, are BGP users 77

78 S-BGP: Certificates and Attestations ICANN issues certificates for AS ownership to: ISPs, DSPs, and organizations that run BGP AS operators issue certificates to: Routers as AS representatives Holders of AS (or router) certificates generate route attestations that: authorize the advertisement of a route by a specified next hop AS are used to express a secure route as a sequence of AS hops Securing an UPDATE: A secure UPDATE consists of an UPDATE message with a new, optional, transitive path attribute for route authorization This attribute consists of a signed sequence of route attestations, nominally terminating in an address space attestation This attribute is structured to support both route aggregation and AS sets Validation of the attribute verifies that the route was authorized by each AS along the path and by the ultimate address space owner 78

79 S-BGP: Address Certificates Issuer Subject Extensions Root Certificate IANA IANA all addr Registry Certificate IANA Registry addr blocks ISP/DSP Certificate Registry (or IANA) ISP/DSP addr blocks Subscriber Certificate ISP/DSP (or Registry, IANA) Subscriber addr blocks 79

80 S-BGP: AS # Allocation and Router PKI Example IANA Registry-a ISP-1 DSP-A Sub-Z AS-a Router-1 AS-b Router-2 AS-c Router-3 80

81 S-BGP: AS and Router Certificates Issuer Subject Extensions Root Certificate IANA IANA all ASes Registry Certificate IANA Registry ASes AS Owner Certificate Registry (or IANA) ISP/DSP or Subscriber ASes AS Certificate ISP/DSP or Subscriber AS Router Certificate ISP/DSP or Subscriber Router* AS, RtrId * the subject name could be a fully-qualified DNS name 81

82 S-BGP: Overview over Attestations Address Attestations: Used to validate that a destination address block is being originated by an authorized AS Route Attestations: Used to validate that an AS is authorized to use an AS Path Each UPDATE includes: one or more Address Attestations, and a set of Route Attestations These are carried in a new, optional, transitive BGP Path Attribute 82

83 S-BGP: Address Attestations Address Attestations include identification of: address blocks, their owner s certificate, AS authorized to originate (advertise) the address blocks, and expiration date/time Indicate that the AS listed in the attestation is authorized by the owner to originate/advertise the address blocks in an UPDATE Digitally signed by owner of the address blocks, traceable up to the IANA via a certification path Used to protect BGP from erroneous UPDATEs (authenticated but misbehaving or misconfigured BGP speakers) 83

84 S-BGP: Route Attestations Include identification of: AS s or BGP speaker s certificate issued by the AS owner, the address blocks and the AS Path (ASes) in the UPDATE, the AS number of the receiving (next) neighbor, and expiration date/time Indicate that the BGP speaker or its AS authorizes the receiver s AS to use the AS Path & NLRI in the UPDATE Digitally signed by owner of the BGP speaker (or its AS) distributing the UPDATE, traceable to the IANA... Used to protect BGP from erroneous UPDATEs (authenticated but misbehaving or misconfigured BGP speakers) 84

85 S-BGP: Encoding of Attestations UPDATE BGP Header Addr Blks of Rtes Being Withdrawn BGP Path Attributes Dest. Addr Blks (NLRI) Path Attribute for Attestations Attribute Header Route + Address Attestations Attestation: Route or Address Attestation Header Issuer Cert ID Algorithm ID & Signature Signed Info Signed Info Exp Date Subject AS Path Info * Other protected Path Attributes * NLRI Info * *explicit in the aggregation case, or if Path Attribute changes unpredictably 85

86 S-BGP: Propagation of an S-BGP UPDATE # seq: nlri:a,b % seq:32221 nlri:a,b Hdr seq: RA:r7 5 # RA:r5 4 % RA:r3 3 $ RA:as1 2 = AA:orga 1 a AA:orgb 1 b NLRI:a,b Hdr seq:32221 RA:r5 4 % RA:r3 3 $ RA:as1 2 = AA:orga 1 a AA:orgb 1 b NLRI: a,b $ seq:2221 nlri:a,b Hdr seq:2221 RA:r3 3 $ RA:as1 2 = AA:orga 1 a AA:orgb 1 b NLRI: a,b = seq:1 nlri:a,b Hdr seq:1 RA:as1 2 = AA:orga 1 a AA:orgb 1 b NLRI: a,b r8 r7 r6 r5 r4 r3 r2 r1 a b AS 5 AS 4 AS 3 AS 2 AS 1 86

87 S-BGP: Validating a Route To validate a route from AS n, AS n+1 needs: 1 address attestation from each organization owning an address block(s) in the network layer reachability information (NLRI), 1 address allocation certificate from each organization owning address blocks in the NLRI, 1 route attestation from every AS along the path (AS 1 to AS n ), where the route attestation for AS k specifies the NLRI and the AS Path up to that point (AS 1 through AS k+1 ), 1 certificate for each AS or router along the path (AS 1 to AS n ) to use to check signatures on the route attestations, and of course, all the relevant certificate revocation lists (CRLs) must have been verified (in case a private key was compromised and the corresponding certificate must be revoked) 87

88 S-BGP: Distributing Certificates, CRLs, & AAs Putting certificates & CRLs in UPDATEs: would be redundant and make UPDATEs too big same is true for address attestations Solution use servers for these data items: replicate for redundancy & scalability locate at network access points (NAPs = points where multiple BGP speakers are interconnected with high speed LANs) for direct (non-routed) access Download options: whole certificate/aa/crl databases queries for specific certificates/aas/crls To minimize processing & storage overhead, network operations centers (NOCs) should validate certificates & AAs, and send processed extracts to routers However, in this case trust is delegated to the NOC! 88

89 S-BGP: Performance Issues Resources Certificates (generation and signing done offline): Disk space for storing certificates CPU resources for validating certificates CRLs (generation and signing done offline): Disk space for storing CRLs CPU resources for validating CRLs Attestations: Routing Information Base (RIB) memory space for storing attestations Disk space for faster recovery from router reboot (optional) CPU resources for signing and validating attestations Resources for transmitting attestations (to make this a dynamic system) Size of the problem (June 1999): ~ 5,300 AS, ~ 44,000 owners of address prefixes, ~ 7,500 BGP speakers Resulting certificate database size: ~ 26Mbyte (~ 450 byte / certificate) CRLs would add to this (should not be too much) 89

90 Further S-BGP Issues Remaining vulnerabilities: Failure to advertise route withdrawal Premature re-advertisement of withdrawn routes Erroneous application of local policy Erroneous traffic forwarding, bogus traffic generation, etc. (not really a BGP issue, since BGP deals with routing, but not traffic forwarding) (Non-)Deployment: Up to now, only tests have been conducted in prototype environments Discussion on S-BGP has somewhat calmed down... Nevertheless, S-BGP still: shows the tasks to be accomplished regarding certification of IP address ownership, AS# ownership, and authorization to advertise certain routes gives an impression on the scale of the effort that has to be invested in order to secure a global-scale Inter-AS routing protocol 90