S-BGP Workshop Topology - PowerPoint PPT Presentation
1 / 8
Title: S-BGP Workshop Topology
1
S-BGP Workshop Topology
ISP A
ISP C
ISP B
AS 64710
AS 64730
AS 64720
172.16.16 / 22
172.16.52 / 22
172.16.32 / 22
Private peering inter-AS link
DSP D
ISP H
AS 64780
AS 64740
172.16. 128/ 21
172.16.50/ 24
Autonomous System (AS) number
AS 64750
AS 64760
AS 64770
Subscriber networks
172.16.84 / 22
172.16.96 / 21
172.16.112 / 22
ISP G
ISP F
ISP E
2
Scenario 1 Two clients access a server
Legitimate server 172.16.32.1
ISP A
ISP C
ISP B
9.1
18.2
AS 64710
AS 64730
AS 64720
32 / 22
16 / 22
52 / 22
18.3
9.2
10.7
29.5
Subscriber traffic
ISP H
Adversary server
AS 64780
128 / 21
57.7
Adversary
48.5
10.1
29.3
48.8
57.8
AS 64750
AS 64770
112 / 21
84 / 22
ISP G
ISP E
Client E
Client G
3
Scenario 1 Misconfiguration by BGP AS
Legitimate server 172.16.32.1
ISP A
ISP C
ISP B
9.1
18.2
AS 64710
AS 64730
AS 64720
32 / 22
16 / 22
52 / 22
18.3
9.2
10.7
29.5
Subscriber traffic
ISP H
Adversary server
AS 64780
128 / 21
57.7
Adversary
Unauthorized Routing UPDATE
48.5
10.1
29.3
48.8
57.8
Unauthorized Routing UPDATE
Traffic rerouted from AS not running S-BGP
AS 64750
AS 64770
84 / 22
112 / 21
ISP G
ISP E
4
Scenario 2 Two clients access a server
Legitimate server 172.16.32.1
ISP A
ISP C
ISP B
9.1
18.2
AS 64710
AS 64730
AS 64720
32 / 22
16 / 22
52 / 22
18.3
9.2
10.7
29.5
Subscriber traffic
10.1
29.3
54.7
46.6
AS 64750
AS 64760
AS 64770
84 / 22
112 / 21
96 / 21
54.6
46.5
ISP G
ISP F
ISP E
5
Scenario 2 Compromised S-BGP AS advertises
another ASs Prefix
Legitimate server 172.16.32.1
ISP A
ISP C
ISP B
9.1
18.2
AS 64710
AS 64730
AS 64720
32 / 22
16 / 22
52 / 22
18.3
9.2
10.7
29.5
Subscriber traffic
Traffic rerouted from AS not running S-BGP
10.1
29.3
54.7
46.6
AS 64750
AS 64760
AS 64770
84 / 22
112 / 21
32 / 22
54.6
46.5
ISP G
ISP F
ISP E
Routing UPDATE
Unauthorized prefix rejected by S-BGP router
Unauthorized Prefix
6
Scenario 3 Active Wiretapping between S-BGP
ASes to Redirect Subscriber Traffic to Attacker
Legitimate server 172.16.16.1
ISP A
ISP C
ISP B
9.1
18.2
AS 64710
AS 64730
AS 64720
32 / 22
16 / 22
52 / 22
18.3
9.2
22.6
29.5
DSP D
Subscriber traffic
AS 64740
Valid Routing UPDATE
172.16.50/ 24
47.5
22.2
29.3
46.6
47.4
AS 64750
AS 64760
Illegitimate server 172.16.16.1
84 / 22
96 / 21
46.5
ISP F
ISP E
7
Scenario 3 Modified UPDATE rejected by S-BGP
Legitimate server 172.16.16.1
ISP A
ISP C
ISP B
9.1
18.2
AS 64710
AS 64730
AS 64720
32 / 22
16 / 22
52 / 22
18.3
9.2
22.6
29.5
DSP D
Subscriber traffic
AS 64740
Valid Routing UPDATE
172.16.50/ 24
47.5
22.2
29.3
46.6
47.4
AS 64750
AS 64760
Illegitimate server 172.16.16.1
84 / 22
96 / 21
46.5
ISP F
ISP E
Modified UPDATE rejected by S-BGP router
Routing UPDATE modified by attacker
8
S-BGP Operations at an ISP or Subscriber
Organization
Registry or ISP
1
CA Cert Req
CA Cert
ISP/Org
ISPs/Orgs CA
Certs,CRLs, AAs from this ISP/Org
Certs,CRLs, AAs from all ISPs/Orgs
6
Policies Extracts
2b
2a
End Entity Cert Reqs
7b
NOC Tools GUI
EE Certs
CA Cert
CRLs
Generate Cert Reqs
Upload to Routers
4
Create, Sign Upload List of Transactions
AAs, Certs, CRLs
5a
3
Generate Sign AAs
signed files 1 per rtr
signed files 1 per rtr
S-BGP Policies
Extract File (Public Keys AA data)
5b
reconciliation
Download from Repository
Certs,CRLs,AAs downloaded from Repository
Validate, Extract, Sign File
7a
Manage Policies
Recommended
CrystalGraphics Presentations
