scion: scalability, control and isolation on next ... · update cryptographic information in pcbs...
TRANSCRIPT
1
SCION:Scalability, Control and Isolation On Next-Generation Networks
Xin Zhang, Hsu-Chun Hsiao, Geoff Hasker, Haowen Chan, Adrian Perrig, David Andersen
Application
Transport
Data link
Network
Physical
“After years of patching, the Internet is Reliable and Secure!”
2
Feb 2008: Pakistani ISP knocks YouTube offline through prefix hijacking
Apr 2010: A small Chinese ISP inserts fake routes affecting thousands of US networks including AT&T and Level3
Nov 2010: 10% of Internet traffic 'hijacked' to Chinese servers, says US report; Chinese DNS Tampering a big threat to Internet security
Aug 2010: An academic experiment by RIPE NCC and Duke University briefly disrupts 1% of Internet traffic
• Fixes to date – ad hoc, patches• Inconvenient truths
S-BGP for topology correctness delayed convergence; route oscillation Global PKI for attestation single root of trust
Reliable Network Layer Wishlist
3
Imagine if
•Explicit understanding whom you must trust for network operations
•All relevant parties have balanced
control over path selection
•The architecture isolates attacks to domains with common laws and economic incentives
•No single global root of trust
•High efficiency, scalability, flexibility
Transport
Data link
Network
Application
Physical
Reasons for Clean-Slate Design • Someone may just want to deploy a new Internet
Possible for specialized high-reliability networks, e.g., smart grid
• Once someone wants to deploy a new Internet, we have a design ready
• Even if we want to evolve current Internet, we need to have a goal, know how good a network could be
4
Current Network-Layer Limitations • No path selection by sender and receiver
Path influence can enable DDoS defenses
• Lack of routing isolation Global visibility of paths is not scalable A failure/attack can have global effects
• Lack of route freshness Current (S-)BGP enables replay of old paths
• Explosion of routing table size More specific prefixes, multi-homing
5
S-BGP, multi-path routing, and DNSSec do not address any of these issues!
SCION Architectural Goals• High availability, even for networks with malicious parties• Explicit trust for network operations• Minimal TCB: limit number of entities that need to be
trusted for any operation– Strong isolation from untrusted parties
• Operate with mutually distrusting entities– No single root of trust
• Enable route control for ISPs, receivers, senders• Simplicity, efficiency, flexibility, and scalability
9
Property: Isolation
10
… … … …
CMU
PSC
I2L3
M
Attacks(e.g., bad routes)
… …
D
CA B
… …
• Operate with mutually distrusting entities• no single root of trust • localization of attacks
Property: Control
1111
… … … …
CMU
PSC
I2L3
… …
D
CA B
• Transit ISPs: select paths to support• Destination: select paths to receive packets• Source: select paths to send packets• Support rich policies and DDoS defenses
Use Level 3 by default
Use Level 3 by default
Please reach me via A or B
Please reach me via A or B
Hide the peering link from CMU
Hide the peering link from CMU
Property: Explicit Trust
12
CMU
PSC
Level 3 Internet 2
• Know who needs to be trusted• Select whom to trust X Y Z
Who will forwardPackets on the path?
Who will forwardPackets on the path?Go through X and Z,
but not YGo through X and Z,
but not Y
• Higher confidence in selected paths• Higher reliability in data delivery• Enforceable accountability
… … … … … …
SCION Architecture Overview
13
• Path construction• Path resolution• Route joining
(shortcuts)
SourceDestination
PCB PCB PCBPCB
SCION Architecture Details• Hierarchical decomposition
Trust Domain (TD)
Trust Domain Core (TD Core)
Autonomous Domain (AD)
• Path construction
• Address/path resolution service
• Route joining
• Forwarding
14
Hierarchical Decomposition• Split the network into a hierarchy of trust domains (TD)
15
TD: isolation of route computation
TD cores: interconnected large ISPs
SourceDestination
Sub-TD
AD: atomic failure unit
Hierarchical Decomposition• Global set of TD (Trust Domains)
Map to geographic, political, legal boundaries
• TD Core: set of top-tier ISPs that manage TD Route to other TDs Send routing beacons Manage Address and Path Translation Servers Handle TD membership Root of trust for TD: manage root key and certificates
• AD is atomic failure unit, contiguous/autonomous domainTransit AD or endpoint AD
16
Path ConstructionGoal: each endpoint learns multiple verifiable paths to its core
• Discovering paths via Path Construction Beacons (PCBs)
TD Core periodically initiates PCBs
Providers advertise upstream topology to peering and customer ADs
• ADs perform the following operations
Collect PCBs
For each neighbor AD, select which k PCBs to forward
Update cryptographic information in PCBs
• Endpoint AD will receive up to k PCBs from each upstream AD, and select k down-paths and up-paths
17
Path Construction• Upon receiving a PCB from node i-1, node i updates the
following for each path p:
18
Interfaces that specify the path
Link expiration time T(i)
Opaque field that the local AD will utilize for efficient, secure forwarding
Signature
• A PCB also contains a timestamp and TD scope
I(i) = previous-hop interfaces || local interfaces
O(i) = local interfaces || MAC over local interfaces and O(i-1)
Σ(i) = sign over I(i), T(i), O(i), and Σ(i-1), with cert of pub key
Path Construction
19
Interfaces:
Opaque field:
Signature:
TCA: I(TC): ϕ || {ϕ, TC1}
O(TC) : {ϕ, TC1} ||MACKtc( {ϕ, TC1} || ϕ)
Σ(TC): Sign( I(TC) || T(TC) || O(TC) || ϕ)
AC: I(A): I(TC)|| {A1, A2}
O(A) : {A1, A2} || MACKa( {A1, A2} ||O(TC) ) Σ(A): Sign( I(A) || T(A) || O(A) ||Σ(TC) )
TD Core(TC)
A B
C D
GFE
1 2
2
1
2
1
2
1
3
1 324
1 1 1
I(i) = previous-hop interfaces || local interfaces
O(i) = local interfaces || MAC over local interfaces and O(i-1)
Σ(i) = sign over I(i), T(i), O(i), and Σ(i-1), with cert of pub key
Path Construction
20
O(C) : {C1, C4} || MACKa( {C1, C4} || O(A) )
Σ(C): Sign( I(C) || T(C) || O(C) ||Σ(A) )
CE:
C? – One PCB per neighbor
I(C): I(A)|| {C1, C4}
Also include peering link!
IC,D(C): {C4, C2} || TD || AIDD
OC,D(C): {C4, C2} ||MACKc( {C4, C2} )
ΣC,D(C): Sign( IC,D(C) || TC,D(C) || OC,D(C) || O(C) )
TD Core(TC)
A B
C D
GFE
1 2
2
1
2
1
2
1
3
1 324
1 1 1
Interfaces:
Opaque field:
Signature:
I(i) = previous-hop interfaces || local interfaces
O(i) = local interfaces || MAC over local interfaces and O(i-1)
Σ(i) = sign over I(i), T(i), O(i), and Σ(i-1), with cert of pub key
Forwarding• Down-path contains all forwarding decisions (AD
traversed) from endpoint AD to TD core Ingress/egress points for each AD, authenticated in opaque fields
ADs use internal routing to send traffic from ingress to egress point
• Joined end-to-end route contains full forwarding information from source to destination No routing / forwarding tables needed!
24
Opaque Fields for Forwarding
25
TD Core(TC)
A B
C D
GFE
• Serve as “capabilities” for efficient path verification
• Examples From E to G without shortcut:
o use up-path e and down-path go packet contains: Oe(C), Oe(A),
Oe(TC), Og(TC), Og(B), Og(D) From E to G with shortcut:
o use peering link between C, Do packet contains: Oe(C), Oe(A),
OC,D(C), Og(B), Og(D)
path e path g
Security Properties• Strong isolation between TDs
S-BGP: colluding attacks, delayed convergence, obsolete paths
SCION: No large-scale routing attacks, high path freshness and consistency, reduced TCB
• Minimal Trusted Computing Base (TCB) S-BGP: whole internet
SCION: only ADs in the path and the TD core
• Operate with mutually distrusting entities S-BGP or DNSSec: a global PKI and root of trust
SCION: No single root of trust
26
Security Properties (cont’d)
• Control by both endpoints and transit ADs S-BGP: no path diversity
Multi-path routing: destinations have little control, sources have too fine-grained control, DDoS threat
SCION: k2 path diversity; destinations have inbound traffic control, facilitating DDoS defense; control at a coarser granularity
• Other example attack resilience Prefix hijacking, reflection DoS attacks
27
Performance Benefits• High scalability
(S-)BGPo Cannot securely withdraw a route
Adversary can intercept route withdrawals Adversary can re-advertise paths that were withdrawn
o Routes cannot have fine grained timeouts All-to-all broadcast problem!
SCIONo Control only flows downstream
Fine-grained timeouts possible Core-to-edges broadcast is much more efficient
29
Performance Benefits (cont’d)
• High flexibility Transit ISPs can embed local routing policies in the opaque fields
• High efficiency Current network layer: routing table explosion SCION:
o no forwarding table lookup, o symmetric verification during forwardingo simple routers, energy efficient, cost efficient,
30
Discussion• Incremental Deployment
Current ISP topologies are consistent with the TDs in SCION ISPs use MPLS to forward traffic within their networks Only edge routers need to deploy SCION Can use IP tunnels to connect SCION edge routers in different
ADs
31
• Limitations Increased packet size Static path binding, which may hamper dynamic re-routing
Evaluation• Use of CAIDA topology information
• Assuming 5 TDs (AfriNIC, ARIN, APNIC, LACNIC, RIPE), we partitioned ASes into 5 TDs
• We compare to BGP, current interdomain Internet routing protocol
32
Stretch
• Path stretch without shortcuts– Average BGP path length = 3.9 AS hops
– Average SCION path length = 4.72 (k=1)
33
• Path stretch with shortcuts in a TD
• Stretch: SCION path length / BGP path length
Expressiveness• Fraction of BGP paths available under SCION
34
Wormhole and Data-plane Attacks
35
BGP/SBGPSCION
Related Work• Routing security
S-BGP, soBGP, psBGP, SPV, PGBGP. Only topological correctness; only addressed a subset of attacks
addressed in SCION
• Routing control Source routing, multi-path (MIRO, Deflection, Path splicing,
Pathlet), NIRA Only given control to the source, and/or little security assurance
• Next-generation architecture HLP, HAIR, RBF, AIP Focusing on other aspects (reducing routing churns and routing
table sizes, enforcing routing policies, and providing source accountability)
36
Conclusions• Basic architecture design for a next-generation
network that emphasizes isolation, control and explicit trust
• Highly efficient, scalable, available architecture
• Enables numerous additional security mechanisms, e.g., network capabilities
37