A SECURE ROUTING ARCHITECTURE
NIRMALA SHENOY
ROCHESTER INSTITUTE OF TECHNOLOGY, NY, USA
AGENDA
• MODULAR ARCHITECTURES
• SELECTIVE CONTROL
• A MODULAR ROUTING ARCHITECTURE
• SELECTIVE SECURITY / PRIVACY
• VISIBILITY CONTROL FOR PRIVACY
• TRACKING CONTROL FOR SECURITY
• REVOLUTIONARY / EVOLUTIONARY ?
• ADOPTION
MODULAR ARCHITECTURES
• EXAMPLES
• SOFTWARE DEFINED NETWORKS
• FIVE LAYER PROTOCOL STACK
• FUNCTIONAL ABSTRACTION / ISOLATION HELPS IN EACH MODULE –
• SUITABLY DESIGNED FOR SECURITY / PRIVACY
A MODULAR ROUTING ARCHITECTURE
• NETWORKS – EXAMPLE -> AUTONOMOUS SYSTEMS
• PERFORM ROUTER BASED FUNCTIONAL ABSTRACTION
• CORE ROUTERS
• DISTRIBUTION ROUTERS
• ACCESS ROUTERS
• HOW TO CAST THEM INTO MODULES?
• HOW TO USE THEM FOR ROUTING?
TIER STRUCTURE AND LABELS FOR ROUTING
[Figure: three-tier router tree. Router groups, top to bottom: BBRouters; DBRouterSet1, DBRouterSet2; ACRouterSet1, ACRouterSet2]
• TIER 1: 1.1, 1.2, 1.3
• TIER 2: 2.1:1, 2.3:1, 2.3:2, 2.2:1
• TIER 3: 3.1:1:1, 3.3:1:1, 3.3:2:1, 3.2:1:1
Let us introduce routers and assign LABELS that capture the structure properties
• 1.1 – TierValue.UniqueID
• 2.1:1 – TierValue.UniqueID, where UniqueID = parentID:ChildUniqueID
• 3.1:1:1 – TierValue.UniqueID, where UniqueID = grandparentID:parentID:ChildUniqueID
The label structure is TierValue.UniqueID
• UniqueID carries the parent-child relationship Grandparent:Parent:Child
• Tree-like - can be used for routing and forwarding
• TierValue provides a level of aggregation
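The label rules on this slide, carried through as an added example (not code from the talk or from the tiered routing protocol): it derives a router's parent from its label alone and builds the tree path between two routers. It assumes, from the three sample labels shown, that a tier-N label carries N UniqueID components and that forwarding follows the tree only; the function names are hypothetical.

```python
# Added illustration. parse_label, parent_of, ancestors and tree_path are
# hypothetical helper names, not part of the protocol described in the talk.

def parse_label(label):
    """Split 'Tier.a:b:c' into (tier, ['a', 'b', 'c']) and check its shape."""
    tier_text, sep, uid_text = label.partition(".")
    if not sep or not tier_text.isdigit():
        raise ValueError(f"malformed label: {label!r}")
    parts = uid_text.split(":")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed UniqueID in {label!r}")
    tier = int(tier_text)
    # Assumption: a tier-N label lists N IDs (its ancestors' plus its own),
    # so a label whose depth disagrees with its TierValue is rejected.
    if tier < 1 or len(parts) != tier:
        raise ValueError(f"TierValue does not match UniqueID depth: {label!r}")
    return tier, parts

def parent_of(label):
    """Derive the parent label by dropping the last UniqueID component."""
    tier, parts = parse_label(label)
    if tier == 1:
        return None  # tier-1 routers are the roots of the tree
    return f"{tier - 1}." + ":".join(parts[:-1])

def ancestors(label):
    """Return [label, parent, grandparent, ...] up to tier 1."""
    chain = [label]
    while True:
        parent = parent_of(chain[-1])
        if parent is None:
            return chain
        chain.append(parent)

def tree_path(src, dst):
    """Path from src up to the lowest common ancestor, then down to dst.
    Returns None when the labels sit under different tier-1 routers."""
    up, down = ancestors(src), ancestors(dst)
    for i, node in enumerate(up):
        if node in down:
            j = down.index(node)
            return up[:i + 1] + down[:j][::-1]
    return None
```

No routing table is consulted: every hop is computed from the two labels, and a label whose depth contradicts its TierValue is refused before it is used.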
SELECTIVE SECURITY
• EACH MODULE CAN HAVE DIFFERENT LEVELS OF SECURITY
• MODULAR? – NEW NESTED MODULE CONNECTED VIA 3.1:1:1
• HIDE INTERNAL STRUCTURE / ADDRESSES
• LABELS CAN BE A:1.2.3 OR A:11.2.3 …
• CAN BE CHANGED INTERNALLY
• NAME SERVERS AT EDGE WILL TRANSLATE
• DIFFERENT LEVELS OF SECURITY
[Figure: three-tier label tree (TIER 1: 1.1, 1.2, 1.3; TIER 2: 2.1:1, 2.3:1, 2.3:2, 2.2:1; TIER 3: 3.1:1:1, 3.3:1:1, 3.3:2:1, 3.2:1:1) with a NestedModule that has its own TIER 1 and TIER 2]
ROUTING STRUCTURE AND MODULARITY
[Figure: ISP A (label 1.2) containing the New York POP, Seattle POP and Chicago POP, with POP labels 1.2:1, 1.2:2 and 1.2:3. Inside a POP: Tier1 (1.1, 1.2, 1.3), Tier2 (2.1:1, 2.3:1, 2.3:2, 2.2:1), Tier3 (3.1:1:1, 3.3:1:1, 3.3:2:1, 3.2:1:1), Devices 4. :::]
Forward between 3.3:1:1 – 3.3:2:1 – via 2.3:1 and 2.3:2
Forward between 3.3:1:1 in Seattle POP – and NY POP – packet leaves the Seattle cloud – address will be 1.2:1(3.3:1:1). The device in NY POP will accordingly have an address 1.2:2(3.3:1…) – Name services
Now to Modularity
PARTIAL NAME SERVICES – PRIVACY
[Figure: ISP A (label 1.2) containing the New York POP, Seattle POP and Chicago POP, with POP labels 1.2:1, 1.2:2 and 1.2:3. Inside a POP: Tier1 (1.1, 1.2, 1.3), Tier2 (2.1:1, 2.3:1, 2.3:2, 2.2:1), Tier3 (3.1:1:1, 3.3:1:1, 3.3:2:1, 3.2:1:1), Devices 4. :::]
Server 4.1:1:1:1 ftp.Univ2.edu
Client 4.1:1:1:1 Univ1.edu
• Client sends a request to ftp.Univ2.edu
• DNS at Chicago resolves Univ2.edu as 1.2:1
• Request forwarded ftp.(1.2:1) to Seattle POP
• ftp server’s address resolved at the Seattle POP – Security
TIERED STRUCTURE OF THE INTERNET
MODULARITY IN THE INTERNET STRUCTURE
COMPARISON WITH OSPF
LOWER OPERATIONAL COMPLEXITY, LESS BRITTLE, LESS PRONE TO SECURITY HACKS
OPERATIONAL COMPLEXITY (OSPF VS TIERED PROTOCOL)
Routing Table Sizes (Y AXIS) for OSPF and TRP in the AT&T ISP Network, USA
X axis: incremental count of routers
300 routers had 13689 entries
less than 10 routers had 68 entries
OPERATIONAL COMPLEXITY (OSPF VS TIERED PROTOCOL)
Number of Update Packets Generated (Y axis) by OSPF and TRP for a Single Link Failure in the AT&T Network, USA
[Plot labels: OSPF; less than 2000 routers. X axis: incremental router count, truncated]
COMPARISON WITH BGP
LOWER OPERATIONAL COMPLEXITY, LESS BRITTLE, LESS PRONE TO SECURITY HACKS
CHURN RATE (BGP 80% EVENTS ARE GLOBALLY VISIBLE)
Changes in Level3 tier 1 can impact 13791 ASes – 41.15%
There are 31 tier 1 ISP ASes
Averaged effect – average affected tree size 1078, around 3.21% of ASes.
ROUTING TABLE SIZES (BGP VS TIERED ROUTING PROTOCOL)
BGP CORE ROUTERS >600K
largest routing table size 2631
X axis – router count
CURRENT STATUS
• JUST DEMONSTRATED THIS ON THE GENI TESTBED – 27 NODE TOPOLOGY.
• HTTPS://BLUEJEANS.COM/S/PW2LI
• QUITE A FEW NEWS ITEMS
REFERENCES
• Y. Nozaki, E.F. Golen, and N. Shenoy, “A modular architecture for scalable inter-domain routing”, IEEE Computing and Communication Workshop and Conference, January 9-11, 2017 (compared with BGP)
• Yoshihiro Nozaki, Nirmala Shenoy and Aparna Gupta, “Power usage efficiency with a modular routing protocol”, Future Network Systems and Security, Paris, 23-24 Nov 2016 (also a journal) (compared with OSPF in the AT&T network, USA)
• Rea, A., Cao, X., Gupta, A., Shenoy, N., “A secure cloud internetwork model with economic and social incentives (SCIMES)”, AMCIS, 18th Americas Conference on Information Systems, Seattle, Washington, August 9-11, 2012 (also a journal article)
QUESTIONS