Private and Verifiable Interdomain Routing Decisions

Existing secure interdomain routing protocols can verify validity properties about individual routes, such as whether they correspond to a real network path. It is often useful to verify more complex properties relating to the route decision procedure - for example, whether the chosen route was the best one available, or whether it was consistent with the network's peering agreements. However, this is difficult to do without knowing a network's routing policy and full routing state, which are not normally disclosed. In this paper, we show how a network can allow its peers to verify a number of nontrivial properties of its interdomain routing decisions without revealing any additional information. If all the properties hold, the peers learn nothing beyond what the interdomain routing protocol already reveals; if a property does not hold, at least one peer can detect this and prove the violation. We present SPIDeR, a practical system that applies this approach to the Border Gateway Protocol, and we report results from an experimental evaluation to demonstrate that SPIDeR has a reasonable overhead.

[1]  Ralph C. Merkle,et al.  Protocols for Public Key Cryptosystems , 1980, 1980 IEEE Symposium on Security and Privacy.

[2]  John Nagle,et al.  Congestion control in IP/TCP internetworks , 1984, CCRV.

[3]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[4]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[5]  Yakov Rekhter,et al.  A Border Gateway Protocol 4 (BGP-4) , 1994, RFC.

[6]  Enke Chen,et al.  An Application of the BGP Community Attribute in Multi-home Routing , 1996, RFC.

[7]  Ravishanker Chandra,et al.  BGP Communities Attribute , 1996, RFC.

[8]  Ramesh Govindan,et al.  BGP Route Flap Damping , 1998, RFC.

[9]  Lixin Gao,et al.  Stable Internet routing without global coordination , 2000, SIGMETRICS '00.

[10]  Stephen T. Kent,et al.  Secure Border Gateway Protocol (S-BGP) , 2000, IEEE Journal on Selected Areas in Communications.

[11]  Lixin Gao On inferring autonomous system relationships in the internet , 2001, TNET.

[12]  Ratul Mahajan,et al.  Understanding BGP misconfiguration , 2002, SIGCOMM '02.

[13]  Silvio Micali,et al.  Zero-knowledge sets , 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings..

[14]  Olivier Bonaventure,et al.  Common utilizations of the BGP community attribute , 2003 .

[15]  Nick Feamster,et al.  BorderGuard: detecting cold potatoes from peers , 2004, IMC '04.

[16]  Constantinos Dovrolis,et al.  Beware of BGP attacks , 2004, CCRV.

[17]  Jia Wang,et al.  Finding a needle in a haystack: pinpointing significant BGP routing changes in an IP network , 2005, NSDI.

[18]  Ratul Mahajan,et al.  Sustaining cooperation in multi-hop wireless networks , 2005, NSDI.

[19]  Anja Feldmann,et al.  Building an AS-topology model that captures route diversity , 2006, SIGCOMM.

[20]  Susan Hares,et al.  A Border Gateway Protocol 4 (BGP-4) , 1994, RFC.

[21]  D. Clark,et al.  Complexity of Internet Interconnections: Technology, Incentives and Implications for Policy , 2007 .

[22]  Evangelos Kranakis,et al.  On interdomain routing security and pretty secure BGP (psBGP) , 2007, TSEC.

[23]  Rocco A. Servedio,et al.  Highly Efficient Secrecy-Preserving Proofs of Correctness of Computations and Applications , 2007, 22nd Annual IEEE Symposium on Logic in Computer Science (LICS 2007).

[24]  Dmitri V. Krioukov,et al.  AS relationships: inference and validation , 2006, CCRV.

[25]  Joseph M. Hellerstein,et al.  Proof Sketches: Verifiable In-Network Aggregation , 2007, 2007 IEEE 23rd International Conference on Data Engineering.

[26]  Vitaly Shmatikov,et al.  Truth in advertising: lightweight verification of route integrity , 2007, PODC '07.

[27]  Lixin Gao,et al.  On inferring and characterizing Internet routing policies , 2003, Journal of Communications and Networks.

[28]  Olivier Bonaventure,et al.  On BGP communities , 2008, CCRV.

[29]  Rob Sherwood,et al.  Discarte: a disjunctive internet cartographer , 2008, SIGCOMM '08.

[30]  S. Goldberg,et al.  Rational ASes and Traffic Attraction: Incentives for honestly announcing paths in BGP , 2008 .

[31]  Arun Venkataramani,et al.  iPlane Nano: Path Prediction for Peer-to-Peer Applications , 2009, NSDI.

[32]  Andreas Haeberlen,et al.  NetReview: Detecting When Interdomain Routing Goes Wrong , 2009, NSDI.

[33]  Craig A. Shue,et al.  Malicious Hubs: Detecting Abnormally Malicious Autonomous Systems , 2010, 2010 Proceedings IEEE INFOCOM.

[34]  Andreas Haeberlen,et al.  Having your cake and eating it too: routing security with privacy protections , 2011, HotNets-X.

[35]  Kotikalapudi Sriram,et al.  Recommendation for Not Using AS_SET and AS_CONFED_SET in BGP , 2011, RFC.

[36]  Nikita Borisov,et al.  P3CA: Private Anomaly Detection Across ISP Networks , 2011, PETS.

[37]  Walter Willinger,et al.  10 Lessons from 10 Years of Measuring and Modeling the Internet's Autonomous Systems , 2011, IEEE Journal on Selected Areas in Communications.

[38]  Mario Di Raimondo,et al.  Zero-Knowledge Sets With Short Proofs , 2008, IEEE Transactions on Information Theory.

[39]  Joan Feigenbaum,et al.  A new approach to interdomain routing based on secure multi-party computation , 2012, HotNets-XI.

[40]  Andreas Haeberlen,et al.  Private and Verifiable Interdomain Routing Decisions , 2016, IEEE/ACM Trans. Netw..