NetCo: Reliable Routing With Unreliable Routers

Software-Defined Networks (SDNs) are typically designed and operated under the assumption that the underlying routers (and switches) are trustworthy. Recent incidents, however, suggest that this assumption is questionable. The possibility of incorrect or even malicious router behavior introduces a wide range of security problems. The problem is exacerbated by the fact that governments and companies have neither the expertise nor the budget to build their own trusted high-performance routing hardware. This paper presents NetCo, an approach to build secure routing using insecure routers. NetCo is inspired by the robust combiner concept known from cryptography, and leverages redundancy to compile a secure whole from insecure parts. We present the basic design of NetCo, and report on a prototype implementation in OpenFlow.

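The robust-combiner idea behind the abstract, shown as an added illustration (not NetCo's design or code): several mutually untrusted routers are each asked for a forwarding decision, and the combiner acts only on a quorum, flagging any router that disagrees with it. The router names, forwarding tables and the compromised router r3 are constructed assumptions.

```python
"""Illustration of the robust-combiner idea for forwarding: ask several
mutually untrusted routers for their decision and act only on agreement.
Constructed example; the router tables and names are assumptions, not NetCo's."""
import ipaddress
from collections import Counter

# Constructed forwarding tables (prefix -> output port) for three redundant
# routers. r3 is assumed compromised: it steers 10.0.1.0/24 to the wrong port.
ROUTERS = {
    "r1": {"10.0.0.0/24": "port1", "10.0.1.0/24": "port2"},
    "r2": {"10.0.0.0/24": "port1", "10.0.1.0/24": "port2"},
    "r3": {"10.0.0.0/24": "port1", "10.0.1.0/24": "port3"},
}


def lookup(table, dst):
    """Longest-prefix match of dst against one router's table; 'drop' if no match."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, port in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, port)
    return best[1] if best else "drop"


def combine(decisions, threshold):
    """Robust combiner: accept the port that at least `threshold` routers agree
    on. Returns (port, dissenters); (None, set()) when there is no quorum, in
    which case the packet is dropped (fail closed) and no router can be blamed."""
    port, votes = Counter(decisions.values()).most_common(1)[0]
    if votes < threshold:
        return None, set()
    return port, {r for r, p in decisions.items() if p != port}


def route(routers, dst, threshold):
    """Query every redundant router for dst and combine the answers."""
    decisions = {name: lookup(table, dst) for name, table in routers.items()}
    return combine(decisions, threshold)


if __name__ == "__main__":
    # r3 is outvoted and flagged; with threshold 3 its dissent blocks forwarding.
    print(route(ROUTERS, "10.0.1.7", threshold=2))  # ('port2', {'r3'})
    print(route(ROUTERS, "10.0.1.7", threshold=3))  # (None, set())
```

The dissenter set is what an operator would feed into monitoring: a router that is repeatedly outvoted is a candidate for being faulty or compromised.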