Stealth Probing: Efficient Data-Plane Security for IP Routing - PowerPoint PPT Presentation

Slides: 31
Provided by: ioannisavr

Transcript and Presenter's Notes


1
Stealth Probing: Efficient Data-Plane Security for IP Routing
  • Ioannis Avramopoulos
  • Princeton University
  • Joint work with Jennifer Rexford

2
Hosts vis-à-vis Routers (Attacks against Availability)
3
Routing Fabric (Routing Protocols)
4
Routing Fabric (Data Forwarding)
5
Attacks against the Routing Fabric (Breaking Perimeter Defense)
  • Perimeters can be broken because of
      • Disgruntled network operators
      • Password guessing
      • Exploits of the OS
6
Attacks against the Routing Fabric (Routing Protocol Attacks and Defenses)
  • These attacks game the routing state by
    falsifying routing protocol messages
  • Falsifications come in two flavors
      • Modification of en-route protocol messages
      • Collusion (or wormhole) attacks
  • Secure routing protocols protect from the
    modification of protocol messages
  • They do not protect from wormholes
  • They do not verify forwarding behavior

7
Limitation of Secure Routing Protocols (Data-Plane Adversary)
8
Attacks against the Routing Fabric (Data-Plane Attacks)
  • Link layer disruption
      • Physical layer attacks
      • Medium access control layer attacks
  • Network layer disruption
      • Packet loss
      • Packet modification
      • Packet delay
      • Packet deflection
  • Transport layer disruption
      • Attacks against the congestion control mechanism

9
Securing the Routing Fabric (Defending against Data-Plane Attacks)
  • Availability monitoring
      • Easy for the traffic source
      • Difficult from within the network
  • Fault localization
      • Beaconing and traceroute egregiously fail in
        adversarial networks
      • In adversarial networks, fault localization is
        difficult but necessary

10
Overview
  • Introduction
  • Stealth Probing
  • Intradomain Deployment -- Byzantine Tomography
  • Interdomain Deployment -- Secure Route Control
  • Related Work
  • Conclusion

11
Availability Monitoring (Problem Formulation)
12
Naïve Solutions
  • Probing (e.g., ping)
  • Cumulative network-layer ACKs
  • Transport-layer ACKs

[Figure labels: ingress, egress]
13
Stealth Probing (Approach)
  • Prevent the adversary from preferentially
    treating probing traffic by making data and
    probing traffic indistinguishable
  • Three steps
      • Create an encrypted tunnel and divert both data
        and probing traffic in the tunnel
      • Match the size of probing traffic with that of
        the data traffic
      • Obscure the timing of probes

14
Stealth Probing (Approach, continued)
[Figure labels: ingress router, egress router]
15
Stealth Probing (Approach, continued)
[Figure labels: ingress router, egress router]
16
Stealth Probing (Primary Benefits)
  • Non-intrusive (low overhead)
  • Detects delay attacks (by measuring the
    round-trip-times of probing traffic)
  • Prevents selective low-rate attacks that target
    individual IP addresses (by hiding the source and
    destination IP addresses of data traffic)
  • Mitigates attacks that exploit TCP (by making the
    TCP mechanism opaque)

17
Stealth Probing (Secondary Benefits)
  • Encryption protects unencrypted host-to-host
    communications
  • Fate-sharing between data traffic and probes is
    broadly useful in network troubleshooting
  • Tunnels are useful in traffic engineering

18
Overview
  • Introduction
  • Stealth Probing
  • Intradomain Deployment -- Byzantine Tomography
  • Interdomain Deployment -- Secure Route Control
  • Related Work
  • Conclusion

19
Basic idea
  • Fault localization without overburdening the data
    plane
  • Terminal nodes monitor path availability
  • Terminal nodes disclose faulty paths to a
    designated network entity
  • This entity triangulates adversarial nodes and
    links from the collection of faulty paths

20
Byzantine Tomography (Model)
21
Byzantine Tomography (Approach)
  • Solves Minimum Hitting Set
22
Byzantine Tomography (Basic Property)
  • Output from Byzantine tomography is not always
    accurate
  • However, accuracy increases as fault knowledge
    expands
  • Therefore, the higher the adversary's impact, the
    more likely it is that the adversary will be
    correctly detected
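
The triangulation step from the Byzantine tomography slides, as an added example that is not part of the original presentation: the designated entity collects the faulty paths reported by terminal nodes and computes the smallest sets of links that intersect all of them. The router names, the reported paths, the restriction to links (the slides also mention nodes) and the brute-force search are assumptions made for illustration; the slides do not say how the hitting set is solved.

```python
from itertools import combinations

def links(nodes):
    """Turn a node sequence into its set of undirected links."""
    return frozenset(tuple(sorted(pair)) for pair in zip(nodes, nodes[1:]))

def minimum_hitting_sets(faulty_paths):
    """All smallest link sets that intersect every reported faulty path.

    Exhaustive search: minimum hitting set is NP-hard, so this only suits
    small illustrative inputs.
    """
    paths = [links(p) for p in faulty_paths]
    if not paths:
        return []
    universe = sorted(set().union(*paths))
    for size in range(1, len(universe) + 1):
        found = [frozenset(c) for c in combinations(universe, size)
                 if all(p & frozenset(c) for p in paths)]
        if found:
            return found
    return []

def suspects(reports):
    """Candidate explanations as sorted lists, for printing and comparison."""
    return sorted(sorted(s) for s in minimum_hitting_sets(reports))

# Constructed fault reports: each is the router-level path a terminal node
# found unavailable. Both paths cross the link r2-r3.
REPORT_1 = ["a", "r1", "r2", "r3", "b"]
REPORT_2 = ["c", "r2", "r3", "d"]

if __name__ == "__main__":
    # One report: every link on the path is an equally small explanation,
    # so the output cannot single out the faulty link.
    print(suspects([REPORT_1]))
    # Two reports: only the shared link r2-r3 explains both faults.
    print(suspects([REPORT_1, REPORT_2]))
```

With a single report the output is ambiguous, and it narrows to one link once a second faulty path is disclosed, which is the basic property stated on the slide.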

23
Overview
  • Introduction
  • Stealth Probing
  • Intradomain Deployment -- Byzantine Tomography
  • Interdomain Deployment -- Secure Route Control
  • Related Work
  • Conclusion

24
Secure Route Control
[Figure labels: AS A (Stub), AS B (Stub), and five providers]
25
Secure Route Control (cont.)
[Figure labels: AS A (Stub), AS B (Stub), and five providers]
26
Overview
  • Introduction
  • Stealth Probing
  • Intradomain Deployment -- Byzantine Tomography
  • Interdomain Deployment -- Secure Route Control
  • Related Work
  • Conclusion

27
Related Work
  • Perlman proposed encryption to make data and
    control traffic indistinguishable
      • Perlman proposed encryption at network links
      • We extend this idea to network paths
  • Mizrak et al. proposed Fatih as a secure
    data-plane availability monitor
      • Fatih requires clock synchronization
      • Stealth probing does not rely on clock
        synchronization
  • Several researchers have proposed data-plane
    mechanisms for secure fault localization
      • Byzantine tomography is a management-plane
        technique

28
Conclusion (1)
  • Resilience was a top priority in the design of
    the operational Internet but the threat model was
    naïve (vis-à-vis today's attacks)
  • In future networks, we should expect to see
      • better perimeter defense and
      • in-depth defense
          • secure routing protocols
          • secure data forwarding
  • Stealth probing is a secure availability monitor
    that works by concealing probing traffic

29
Conclusion (2)
  • We presented deployment scenarios of this monitor
    in
      • Intradomain routing and
      • Interdomain routing
  • Our ongoing work focuses on
      • Intradomain case: improving the accuracy of
        Byzantine tomography
      • Interdomain case: investigating the benefits of
        more flexible interdomain path selection schemes

30
Thank you
  • Questions