Académique Documents
Professionnel Documents
Culture Documents
This report is submitted as part requirement for the MEng Degree in Computer Science at UCL. It is substantially the result of my own work except where explicitly indicated in the text. The report may be freely copied and distributed provided the source is explicitly acknowledged.
Abstract
This projects aims at producing a feasible security solution for the Border Gateway Protocol (BGP), a protocol ran by ISPs that carries out the core routing decisions made on the Internet. BGP suers from security issues that are ultimately down to it lacking a means by which it can verify routing information exchanged over it. This has left a huge security gap within BGP that has been lled with a damaging group of attacks known as prex hijack attacks. These attacks can, in summary, give malicious ISPs access to data being routed over the Internet, to a target IP address, that they will otherwise have no access to. BGP's security issues have long been known and there has been a substantial amount of work aiming at plugging the gaps in its security, however, none of this work has actually ltered its way to real life deployment. Our approach was to build a system, independent of BGP's implementation layer, that will allow an ISP running an instance of it to detect attacks against its owned IP addresses. Using routing information
instances share with one another each instance will build a live map of the Internet and will monitor this map for attacks. In order to test our solution we have built a BGP simulator atop which our solution code was ran/simulated and analyzed. In the process of developing our solution we encountered issues that we resolved by implementing many interesting features such as a custom ooding protocol and a distributed key distribution mechanism. We have found that instances of our solution we were able to detect prex hijack attacks in there various forms quiet eectively by relying on routing information shared from only 20-40% of the ISPs within the Internet, hence our solution certainly does not rely on full scale deployment to provide its instances with good protection. We have also found that, if our solution was adopted by all the ISPs within the Internet, the cost of sharing information between its instances is manageable. We believe that we have produced a robust and eective solution that can be seamlessly deployed by ISPs.
Acknowledgments
Many thanks to my supervisor, Professor Mark Handley, who has provided me with a wealth of knowledge that i have found to be invaluable throughout the course of this project.
Contents
1 Introduction
1.1 1.2 1.3 1.4 Border Gateway Protocol Security issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7
8 10 12 13
2 Related Work
2.1 2.2 2.3 2.4 Secure BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Secure Origin BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Prex Hijack Alert System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Inter-domain Route Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
14
14 15 16 17
18
18 19 20 20
21
21 21 21 21 22 23 23 24
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
24
25 25
26 26 27 27 27 28 28 28 29 29 29 30 30 30 30 31 31 31 31 32 32 32 32 32 32 33 33 33 33 33 33
Routing Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.3.1 5.3.2 5.3.3 5.3.4 Reasons and Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Distance Vector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.4
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.5
Public Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.5.1 5.5.2 5.5.3 5.5.4 Building the certicate store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Detecting and Propagating Conicts . . . . . . . . . . . . . . . . . . . . . . . . . .
5.6
Triple history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.7
5.8
5.9
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
34 34 34 35 35 35 35 35 35 35 37 37 37 38
5.10 Daemon on Daemon Threat and Attack detection . . . . . . . . . . . . . . . . . . . . . . . 5.10.1 False Autonomous System representation . . . . . . . . . . . . . . . . . . . . . . .
5.10.4 Random peering attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5.10.5 Tampering with Path Vector Protocol overlay . . . . . . . . . . . . . . . . . . . . . 5.11 BGP Threat and Attack detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
38
38 39 39 40 40 44 45 46 49
Stopping Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
50
50 51 51
8 Bibliography
6
52
Introduction
Security is one of the main concerns associated with technology, a dynamic technical world presses upon us an ever increasing need to make current and new technologies more secure. Secure technologies have an adequate degree of protection that can ensure their correct operation under external inuence and the ability to detect and deal with malicious attacks. Attacks against technologies can come in many
dierent forms, many of which aim to achieve the same goal, to alter the operation of the technology to the advantage of the attacker. The level of security that we can consider as adequate varies with the nature of the technology we are attempting to secure. Naturally there exists technologies that are more prone to attacks then others and there exists technologies that if successfully attacked can lead to devastating results, such technologies can be considered to be high value targets. The value of a target technology is also aected by many more factors, these factors include the type of data the technology stores, the purpose and application of the technology and the value of the systems that it interfaces with. Having briey described what can make a technology a high value target we now introduce the Border Gateway Protocol (BGP). BGP is a technology that resides at the backbone of the Internet and is charged with its core routing decisions. We can consider BGP by previously mentioned measures to be a very
high value target. Compromising BGP security and altering its operation can have very dangerous eects, a single compromised node running BGP can cause a global ux in the routing decisions made all over the Internet. This global change can be executed in a manner that will give the attacker access to data being routed on the Internet that they will otherwise have no access to . An attacker can achieve this by advertising false information that will cause data to be routed through him. In this project we consider such information to be attacks on the Border Gateway Protocol. Nodes that have been compromised, falsely congured or purposely advertising such information are considered to be the attackers. The victims of these attacks are considered to be the destinations whose reachability is aected by the advertisement of false information. This project aims at producing a robust system that will attempt to provide a means of security for BGP nodes. This system will aim to detect malicious routing information being circulated over BGP We aim to build a system that will be
implemented independently of BGP, it will run as a layer on top of BGP that will allow it to gain enough global abstraction to view all the necessary information required to detect attacks. Nodes running this system will be able to detect and warn when an attacker attempts to victimize any of the destinations they are authoritative for.
from any point within their domain. To achieve this goal ASes run both Inter-domain and Intra-domain routing protocols. Inter-domain routing protocols allow ASes to communicate with one another regarding routing information, whereas Intra-domain routing protocols allow an AS to internally propagate routing information learned from an Inter-domain routing protocol. BGP is the most widely used inter-domain protocol, it allows ASes to advertise to one another information regarding prexes that they can reach, this information is communicated using update messages[Figure 2]. Informally a BGP router sending an update message on behalf of an AS is telling the receiving BGP router the following:
If your AS sends me data destined for prexes within this messages [NLRI], it will reach its destination [Path Attributes] describes the route i use when routing to prexes within this messages [NLRI] I am no longer willing to route to prexes within this messages list of [Unfeasible Routes]
The BGP routers of an AS are typically its boundary routers that physically connect with other ASes. BGP sessions running between BGP routers from separate ASes are referred to as external BGP sessions (eBGP), whereas BGP sessions running between BGP routers from the same AS are referred to as internal BGP sessions (iBGP). The operation of eBGP and iBGP varies slightly. BGP routers will not forward routing information heard from one iBGP session onto another iBGP session. When a BGP session is bought up, both routers at each end of the session will transmit their whole routing table to one another in the form of Update messages. This information is then kept alive by each end periodically transmitting to the other end a keep alive signal. The BGP routers at each end of the session will send further update messages over the session when they learn new routes for prexes.
Attribute
Description
Inuence
LOCAL PREF
A numerical representation of how much the peer that a route was heard from preferred it. This attribute is ignored if the route was heard over eBGP
Select the route that has the highest LOCAL-PREF value. If multiple routes have equally high LOCAL-PREF values then consider the AS-PATH attribute Select the route that has the least amount of hops in its AS-PATH. If multiple routes have an equally low hop count for their AS-PATHs then consider the MED attribute BGP only considers the MED value if it is comparing routes heard from the same AS. If MED is considered BGP will choose the path with the lowest MED value. Paths that have not been selected as best routes due to the previous attributes will be inuenced by this attribute . BGP chooses a path learned through eBGP over a path learned over iBGP
AS PATH
A sequence of intermediate ASes between the peer a route was heard from and the origin of the route. Generally describes the path that will be traversed by packets if the route is chosen.
MED
This attribute is used when two ASes have multiple connection points, it is used by the advertiser of a route to inuence which of these connection points the receiver should use for routing i.e. (choose as its best route)
iBGP
Indicates whether this route was heard from the same AS through an iBGP session or heard from another AS through eBGP session.
[Table 1] BGP will process every prex within the NLRI of an update message it hears over a BGP session. To process a prex BGP will rst add the route described by this message to the list of routes known for that prex, then it will compare all of the routes within this list to one another and decide on which of these routes it should route on. The comparison between routes is based on their respective attributes, hence the route that has attributes better then all other routes is usually the one BGP will decide on. If this decision leads to a new route being selected then BGP will send update messages over its BGP sessions thereby informing its peers of this new route it has chosen/learned. [Table 1] shows the purpose of the main route attributes used within BGP's decision process, It also shows how they inuence BGP's decision on selecting between routes.
BGP also allows policy based routing, this means that an AS can decide on whether to forward reachability information heard from one AS to another AS. The most notable attribute used to aid policy based routing
is the COMMUNITY attribute which is an instrumental tool in enforcing policies. BGP routers generally class peers by one or more classiers that describe the nature of the peering. An arbitrary route received at a BGP router will be tagged with the class of the peer it was received from. BGP routers inturn will only re-advertise such routes to a certain class of peers [Figure 3]. A routes COMMUNITY attibute is used to store information about the class of the peer it was heard from, it is also sent as a path attribute of routes advertised to iBGP peers to ensure that they also apply routing policies correctly.
To consolidate our understanding of BGP i have put together a sample topology that should clearly demonstrate how BGP propagates reachability information that is used to route data. [Figure 4] shows the paths BGP routers within the topology acquire for a prex 25.0.0.0/8 that has been advertised from router (J) at AS(1023). [Figure 4] also points out critical route selection and policy based routing decisions made by BGP and how these decisions aected the paths each router learned for the prex 25.0.0.0/8.
This implicit trust relationship between BGP peers is the seed from which most BGP security
issues have sprouted. BGP's trust model may be the product of a naive view of the Internet which perhaps was true at the time of its deployment. Such a view will hold that ISPs or ASes have no incentive to advertise false information over BGP. This view certainly does not apply in the Internet as it is today and there are many reasons as to why this this trust model is no longer a good t for BGP. For example:
10
As ASes become more topologically complex the probability of misconguring BGP routers increases, this can cause BGP routers to advertise incorrect routing information that constitute an attack on BGP.
ASes may be under the control of an agenda that motivates them to purposefully advertise false information. An agenda's motives behind such actions could be to gain access to sensitive data
This group of attacks aims at giving the attacker access to data destined for a prex. An attacker gains this access by advertising routes with attractive attributes that will cause other ASes to prefer routing through them over any other AS. One of the main attributes manipulated by the attacker to achieve this is the AS-PATH attribute. The attacker advertises a route for a prex with an AS-PATH attribute that aims at providing other ASes a shorter path to the target, this shorter route will see data destined for the target prex travel through the attacker. More sophisticated attacks will see the attacker factor in knowledge of the export/import policies of ASes into their attack. For example, the attacker might advertise a less attractive route knowing that strategically located ASes have an import policy of applying high LOCALPREF value to routes heard from him. We use the term strategically located AS to describe an AS that falls under one or more of the following categories :
An AS that
must be attracted to the attackers route in order for the attack to work more ASes will also attract to the attackers route. increases the probability of attracting more ASes
It then shows the eects of an attack by
[Figure 5] shows an example of an attack on BGP. It shows the paths learned and chosen by ASes within a topology for a prex advertised by a router at AS(1023).
AS(8009) which makes one of its routers advertise an empty AS-PATH for the prex i.e. (claiming that it also owns the prex). We will discuss key points in this attack that generally apply to prex hijacking attacks.
11
1.
Knowing more information about the current routes held by an AS for a target prex makes the attacker more able to attract that AS to their advertised route. In this attack AS(8009) which is a
customer of AS(8000) knew that it will attract AS(8000) because providers prefer routes heard from customers AS(8009) over routes heard from providers AS(1023).
2.
Knowing the export policy of ASes makes the attacker capable of formulating an attack that can attract more ASes to their advertised route. In this attack AS(8009) knew that being a customer of
AS(8000) its routes if accepted will generally be forwarded onto all peers of AS(8000).
3.
Shorter AS-PATH's can be eective in attracting ASes local to the attacker. The further an AS is from an attacker the less likely they will be attracted to a shorter AS-PATH style attack. In this
attack AS(3210) saw a shorter path for the target prex; However, AS(1123) saw a longer path due to the intermediate ASes between it and the attacker AS(8009).
4.
Attacks can have a partitioning eect, where dierent subsets of ASes select routes that are destined for dierent sources. In this attack the topology has partitioned on the target prex.
Valid prex attack is an attack on a prex where the attacker advertises a malicious route for a prex
that has been explicitly advertised by another AS.
Direct prex hijacking is a variant of a valid prex attack where the malicious route claims through its
AS-PATH attribute that the attacker is the origin (owner) of the target prex. To do this the attacker's advertised route will have an AS-PATH attribute with the rst hop as his ASN.
Indirect prex hijack is a variant of a valid prex attack where the malicious route preserves the target
prexe's real and valid origin. To do this the attacker's advertised route will have an AS-PATH attribute with the rst hop as the ASN of the known origin for the prex.
Invalid prex attack is an attack on a prex where the attacker advertises a malicious route for a prex
that has either been implicitly advertised by another AS or not advertised at-all.
12
Deaggregation prex hijack is a form of invalid prex attack where the advertised route is for a subprex of a valid prex being advertised by some AS. This attack is very eective because BGP implements longest prex match where it will use the most specic prex that the destination IP of a packet falls under to route to. Since this sub-prex has not been advertised by any other AS the attackers advertisement could be widely accepted by other ASes thereby making this attack very eective. e.g. AS(X) advertising 29.0.0.0/8, Attacker advertises 29.19.10.0/24
is a form of invalid prex attack where the advertised route is for a prex
whose sub-prexes are being advertised by some ASes. As previously mentioned BGP implements longest prex match and hence this attack may seem redundant. However, if any sub-prexes of the attacked
prex being advertised by other ASes are withdrawn, the attacker will have access the the prex space of the withdrawn sub-prexes from all the ASes aected by their attack. e.g. AS(X) advertising 30.10.0.0/16, Attacker advertises 30.0.0.0/8
BGP has proved itself very hard to replace, even with its security issues there are very few if any ISPs who will dare to replace it. ISPs that intend on deploying a new version of BGP will need to reboot their BGP routers, these routers will then have to be monitored closely to ensure that they operate correctly under this new version of BGP and that they can deal with the huge sudden inux of routing information from their BGP peers upon reboot. This means that an ISP choosing to deploy a new version of BGP must opt for a slow incremental deployment strategy to avoid this huge transient load. This will come at a great cost for an ISP and will unlikely bring about any benets for that ISP until other ISPs follow suit and deploy the same version of BGP. The stubborn stance ISPs have taken against changing their deployed BGP version proved to be the crux of our solution's design. We could have opted for a solution that will attempt to
at BGP's implementation layer i.e. a secure BGP implementation. Our solution would then most probably be added to the sizable list of similar solutions that aim at securing BGP but are in eect ignored by ISPs. To avoid this being the fate of our solution we opted for a design that will see our solution run as a layer on-top of BGP. This design will see an instance of our solution run on an AS and interface with one or more of its BGP routers using iBGP sessions. Through these interfaces our solution, on behalf of the AS it is running on, will attempt to
occur. Instances of our solution running on dierent ASes will be able to communicate through congured peerings with one another. Our solution instances will use these communication channels primarily to
inform one another of routing information they have seen over their own BGP interfaces. This is a crucial design choice in our solution that will allow us to bridge the partitioning eect of prex hijacks[Figure 7].
13
We anticipate that our design will provide an easy and inexpensive BGP security solution that detects and warns against prex hijacks. It is our hope that this project will produce a solution design that can be quickly and easily deployed by ISPs. This project aims at designing and implementing our abstractly described solution and simulating our implementation on-top of a BGP simulation that we also aim to implement. Using this constructed
simulation we aim to analyze the theoretical cost and eectiveness of our design, from our analysis we aim to make appropriate changes to our solution's design. Our changes will aim at minimizing our solution's running cost and increasing its eectiveness in detecting prex hijack attacks. We also aim to identify the advantages and disadvantages of the approach we took to solving this problem, more specically we would like to answer questions such as:
Can our solution stop prex hijack attacks or does our approach limit us to only being able to detect and warn against prex hijacking?
What level of security can we provide in comparison to solutions that embed themselves in BGP's implementation?
Related Work
There has been a substantial amount of work carried out aiming to provide a means of security for BGP. Some of this work has resulted in new secure BGP implementations and some has resulted in systems that attempt to provide BGP security independent of BGP's implementation layer. In this section we will make a mention of the most prominent of these solutions and how they protect against prex hijacking.
verication .
origin authentication
and
path
Origin authentication allows S-BGP routers to verify that the originator of an update
message is authorized to advertise all the prexes within the messages NLRI. Path verication allows S-BGP routers to verify that the AS-PATH seen in an update message physically exists and every AS on the path has authorized it for use.
14
S-BGP achieves these two properties through the use of cryptographically signed update messages and through the use of trusted certicates. To verify an update message an S-BGP router requires the following:
Address Attestations(AA) for each organization that owns a prex within the messages NLRI. AA's
are used by organizations to authorize ASes to originate prexes they own. Route Attestations
(RA)
from every AS along the AS-PATH. RA's are used by S-BGP routers to
authorize neighboring ASes to advertise prexes, within an update message's NLRI, through the update messages AS-PATH.
Certicate's for every S-BGP router that was involved in the signing of RA's along the AS-PATH
With these resources S-BGP routers can verify that the origin and AS-PATH of an update message is valid. To verify this an S-BGP router must carry out the following steps on any received update message:
Verify that the owner of each prex within the messages NLRI has stated the origin of this update message within its AA
Verify that the update message contains an RA for every AS along the messages AS-PATH Verify the signature of each RA for each ASi within the AS-PATH {ASn , ..., ASorigin } Check that each RA for an ASi veries the sub AS-PATH { ASi , ..., ASorigin }, the NLRI and ASi+1
S-BGP's operation provides robust protection against prex hijacking and to a large extent eliminates BGP security issues. There remains residual cases where an attacker can replay RA's for a short amount of time after a route withdrawal. The notable issue with S-BGP is the high cost of cryptographically signing and verifying update messages. Implementations of S-BGP have been developed and tested; However, hardly any ISPs have actually adopted it. Even though S-BGP solves the problem it remains to much of a risky and expensive choice for ISPs.
Unlike
S-BGP, soBGP does not verify that an AS-PATH seen in an update message is actually validated for use by each AS on the path. soBGP provides a weaker form of route validation in that it only ensures that the AS-PATH physically exists. To oer this protection each AS must have the following resources stored in a trusted database.
Entity Certicate(EntityCert)
containing the public half of the ASes public/private key pair that authorizes the AS to advertise a set of prexes listed in
15
Using these resources each soBGP router builds a topology map of the inter AS connections. This map is used to verify that AS-PATHs seen within update messages physically exist i.e. they t within the map. To verify the origin of a prex there must be a chain of AuthCert delegations between the update's origin and the owner of the prex. soBGP will verify the origin of all prexes seen within the NLRI of the update message. soBGP's operation mitigates the threat of prex hijacking; However, as a product of soBGP only verifying route existence an attacker can still mount eective prex hijack attacks. An attacker can advertise an update message with an AS-PATH of a route that physically exists, but one or more hops within that route are invalid due to export policies. For example, the attacker advertises a route for a prex with the correct origin with the following ASPATH {ASattacker ,ASn ,ASorigin }. Physically this route exists; However, ASn will not usually advertise
routing information heard from the origin AS to the attackers AS. Although soBGP does not wholly solve prex hijacking, it severely limits an attackers options. soBGP's weaker security relative to S-BGP is a product of it giving up S-BGP's most expensive operations. Implementations of soBGP have been developed and tested; However, hardly any ISPs have adopted it. Even though soBGP oers a substantial increase in BGP security, changing BGP implementations remains to much of a risky choice for ISPs.
Prex Hijack Alert System (PHAS) is a system that aims at providing prex owners warnings when an attacker hijacks any of the prexes they own. monitors as its source of routing information. PHAS takes advantages of currently established route Route monitors typically have peering agreements with
hundreds of ASes that allow them to view real time BGP updates from many dierent perspectives. PHAS takes input from such monitors and uses this input to detect prex hijacks. As illustrated in [gure 8] PHAS is composed of several sub systems:
The
Origin Monitor
Origin Set.
processes real time data heard from BGP monitors. It maintains for each
registered prex a set of ASes originating it as revealed by the processed monitor data, this set is called the PHAS maintains an Origin Set for each prex registered by a user of the
Origin Event s.
16
The
tually warn on, then sends a signed email notication to the client that registered the prex whose Origin Set has triggered this event.
The
It veries
Using this lter the client can choose to ignore notications that meet certain
The
User Registration system allows a prex owner to register a prex for monitoring.
The basic design of the system allows registered owners of prexes to receive slightly delayed warnings when one of their registered prexes are DIRECTLY hijacked. Proposed extensions to PHAS would allow the system to detect and inform registered prex owners of INDIRECT and DEAGGREGATION prex hijacks.
query one another for static and dynamic information regarding the ASes they are authoritative for. Examples of such information are routing policies, import & export policies, communities policies, current peerings and BGP routing information. To provide Dynamic data it is proposed that IRV instances peer through iBGP sessions with BGP routers within the AS they represent. This gives them access to live BGP updates as seen by their AS's BGP routers. The concept of this solution is that by formulating queries to IRV instances, ASes can gather the necessary information needed to verify BGP updates. IRV gives its participants an option of how to use the query platform, for example, IRV servers can be congured to verifying all seen update messages or randomly seen update messages. Furthermore, IRV would give participating ASes the ability to control access to their static and dynamic data. IRV servers could, for example, be congured to only accept queries for a certain type of data from a certain subset of ASes. It is recommended that an IRV implementation should be secured by authenticating communication between ASes though digitally signed responses, or by authenticated transport such as IPsec/SSL/TLS. It is also proposed that IRV servers should gure out contact information of other IRV servers through a trusted database that stores and distributes authoritative IRV contact information. In summary IRV proposes the use of queries to implement features not currently present in BGP. Having presented an overview of IRV and what it tries to achieve, omitting many complex and detailed design choices, it is conceivable that an implementation of IRV could be widely deployed. However, IRV will
only be as eective as the information each AS is willing to publish, whether ASes would like to share any information at all regarding their routing policies is questionable.
17
Interceptor
Describes ASes that choose to carry out any form of prex hijacking as previously described.
They do so with the intention of manipulating/black-holing data destined for the target prex. We assume these ASes do not try to preserve a route to the original owner of the target prex.
Attractor
Describes ASes that also choose to carry out any form of prex hijacking as previously described. However, they take on the role of the man in the middle such that they intend
to forward data they receive, destined for the target prex of their attack, to the prexes known owner. We assume these ASes carefully choose their attacks to preserve a route to the original owner of the target prex.
Erroneous
Describes the set of ASes that have one or more incorrectly congured BGP routers. These erroneous congurations of BGP routers causes them to announce information that amasses to an attack on BGP.
Colluder
any
intention of increasing the eectiveness of another malicious ASes prex hijack attacks.
We have also identied several classes that describe the general motivation behind a malicious ASes behavior. Furthermore, we have identied, for each class, the associated behaviors that can be expected from ASes that fall under it.
Class
NOC Takeover
Description ASes that have lost control of their Network Operations Center(NOC) to an adversary. With this takeover the adversary has forcefully gained complete control of the AS, as such we expect ASes within this set to fall under any of the previously identied behavior classes
Behavior
Interceptor, Attractor, Erroneous, Colluder Interceptor, Attractor, Colluder
Agenda
ASes that intentionally mount or aid prex hijack attacks on BGP. These ASes are generally motivated by a Personal/Bussiness/Political agenda. As these ASes are intentionally mounting/aiding attacks we expect their behaviors to fall under most of the previously identied classes. However, we do not expect their behavior to be Erroneous as no AS will intentionally misconguring its infrastructure
ASes that have no motivation behind mounting an attack yet the have seemingly mounted one. These ASes are non malicious but miscongured ASes that have had some of their routers taken over by an adversary. With this takeover the adversary has complete control of
Erroneous
Erroneous, Interceptor
18
malicious AS might be running an EWSD, when it decides to mount a BGP attack it can attempt to disrupt the functionality of other EWSDs in order for its attacks to go undetected. Similarly an attacker that has managed to
takeover
running, and could again use it to try and make his attacks go undetected. Finally before we detail the actual threat model of our solution, consider that an EWSD can be specifically targeted by an attacker with a prex hijack attack in order to divert all information destined for that EWSD. With this in mind we summarize the threats a malicious/compromised EWSD poses to the operation of other EWSDs.
false information over the EWSD net (described in section 5) that causes other EWSDs to detect false attacks and threats. This is a major concern since allowing false positives means that our solution will be unreliable.
an EWSD can verify certicates they receive from one another, collisions could occur. For example, two
19
EWSDs (one of which is malicious) broadcast dierent certicates claiming to be authoritative for the same AS.
Overloading Instances
Similar to a Denial of Service attack, a malicious EWSD could advertise huge amounts of messages over the EWSD net with the intent of overloading other EWSDs and bringing them oine. This concludes the summary of the threats that EWSDs could pose to one another. In (Section 5) when we elaborate on the security mechanisms implemented we will also elaborate on the specic attacks that they guard against and the adverse eects of not implementing them.
Maximizing the percentage of prex hijack attacks that can be detected by our solution. Minimizing the cost incurred by an AS deploying an instance of our solution. Ensuring that the growth in our solution's cost as more EWSDs are bought on-line is manageable. Ensuring that our solution is robust and secure, our solution should mitigate the threats against it described in the threat model.
Deployability Ensuring that our solution does not rely on external architectures for operation 3.4 Requirements for Simulation
As previously mentioned this project aims at building a simulation of our solution. Our aim is to build a BGP simulator rst and then layer our solution's code atop this simulator. We chose to build a simulation over an actual implementation because it seemed the more practical choice, using a simulator we are able to run our solution on large topologies. Without a simulator this will not be possible, we would have
needed access to many BGP routers over many ASes to actually evaluate our solution's eectiveness. Having mentioned why we chose to simulate our solution, our requirements for the simulator is as follows:
The simulation should be capable of simulating topologies of substantial size Both the BGP and EWSDs simulation should be as detailed as possible All design features of our solution should be implemented within the simulation The simulator should provide an interface for automated analysis of our solution's performance The simulator should provide an interface that allows the user to manipulate and view its state during simulations
20
intuitively describe topologies within this component. Furthermore, this le allows the user to dene attributes that control the simulator's behavior.
some
21
client can query or modify the simulation running on the server. Our motivation behind this client server architecture was to allow us to view multiple concurrent views of the same simulation, thereby making our evaluation less dicult.
Designing the simulator to run at router granularity Supporting the simulation of both eBGP and iBGP sessions Supporting the conguration of BGP routers with MED and LOCAL-PREF lters Supporting policy based routing through the implementation of COMMUNITIES Implementation of route withdrawals, implicit replace and IGP metrics Implementation of route reectors
Our BGP simulator is cyclic i.e. it will continually cycle through each router within the topology model, on each visit of the router it will command the router object through an interface method to simulate its BGP implementation. A single cycle of OUR BGP implementation carries out the following actions:
Receiving and processing update messages queued at any of its router's BGP session queues Making appropriate changes as dictated by BGP operation to the routing table on process of a message.
Withdrawing any routes that have been withdrawn from the router. Sending newly learned routes over BGP sessions considering policy based routing and export lters.
22
Receiving and processing all messages queued at any of its Peer to Peer (P2P) session queues. Making appropriate changes to its internal storage structures as dictated by our solution's design. Scanning received messages for information that reveals BGP attacks and triggering alarms if such information is found.
Forwarding over its P2P sessions any messages received that resulted in the EWSD learning new information.
Checking its internal timer to see if a periodic event on the EWSD should be executed.
An EWSD running on a router, within the topology model in our simulator, is comprised of several components [Figure 11].
Manages the overall operation of an EWSD. To simulate an EWSD the simulator will invoke this component. The Controller also interfaces with the BGP entity on the same router to view its routing table. Manages all the sessions that an EWSD has bought up. This includes sending and receiving messages and post peering communication. Stores a live map of the Internet, this map is built using information received from other EWSDs over P2P sessions and from the BGP table associated with the router the EWSD is running on. This component runs a modied routing protocol over an EWSD's P2P sessions. The performance reasons for this are later described.
4.7 Evaluator
The evaluator component of our system is in eect an automated client. This component automatically generates topologies using the topology generator, following which this component will invoke the simulation controller that will simulate this created topology. The evaluator can repeat this process many times,
23
at each invocation of the simulation controller i.e. at each new simulation, the evaluator injects data into the simulation and collects test specic data from the statistics component[Figure 9]. The evaluator component has multiple methods/tests that can be invoked by the user, each test evaluates a dierent aspect of our solution. Once a test has been completed by the evaluator its results are graphically displayed using a plotting library called matplotlib.
4.8 Display
To conclude this section we would like to briey discuss the type of interface we chose for our simulator. As previously discussed the simulation client is an interface from which a user can query/modify every aspect of a simulation. The client is a command line interface, the user can enter commands which are sent to the server and the replies to these commands are then displayed on the client terminal. The client can also send commands to the server asking it for a graphical representation of the simulation. The
server handles such commands by generating and sending back GraphViz formatted text that corresponds to the graphical view requested of it. The client expecting this text will compile it locally and display the resultant image. We found it absolutely critical to have some sort of graphical representation in this project. Graphical views allowed us to quickly verify that our BGP and solution implementations were working correctly. Examples of some of the graphical views that a client can request from the server are as follows:
The current topology model at AS and router granularity with an optional graphical route trace The graph currently held by an EWSD
Previously we have introduced this project, elaborated on our aims and goals and detailed how the simulator we have built for this project works. We now move on to this core section of our report, in this section we discuss in detail the design of our solution. We have mentioned that an EWSD running on an AS is tasked with detecting prex hijack attacks against that AS. We also described that an EWSD relies on information heard from other EWSDs to build a map of the Internet that it uses to detect these attacks. In this section we aim to provide a robust explanation of how EWSDs collaboratively work together to
24
achieve this functionality. We also discuss the design choices we have made, and furthermore how we have dealt with the security issues facing an EWSD as described in the threat model (Section 3.2).
Each instance of our solution , an EWSD, is ran on a machine physically located at an AS An EWSD machine interfaces with one or more BGP routers on the AS it is running on. This allows an EWSD to view live BGP information from the perspective of its AS. We refer to this information as an EWSD's current perspective.
EWSDs inform one another of the ASes they are representing by advertising a certicate that binds their AS number (ASN) to a public key.
Inter EWSD communication is generally signed and coupled with an ASN. EWSDs receiving messages generally verify them using the certicate that corresponds to a message's ASN.
EWSDs periodically inform one another of their current perspective of the Internet as seen through their BGP interfaces.
Each EWSD merges all the dierent perspectives it has received into a single map of the Internet. EWSD monitor this map for any nodes/edges that reveal attacks.
In summary, our solution is a secure distributed graph builder that gives each of its instances a live birds eye view of routing information held by ASes. Unlike the IRV system (section 2.4) where its instances query one another for information needed to verify routes they have been seen over BGP, our solution aims at giving its instances(EWSDs) all the information they need to detect attacks against their represented AS. EWSDs will hold critical information, that they keep secret, about the AS they represent such as routing policies, peering relationships and import/export lters. Using this information an EWSD can
detect most forms of attacks against their represented AS. Our approach allows EWSDs to detect attacks without sharing this highly critical information. We believe that we have the advantage over a system such as IRV, where in order to maximize its eectiveness, its instances must share highly critical information.
25
EWSDs congure a FANOUT attribute that describes their desired number of P2P sessions. Periodically each EWSD will check if the number of P2P sessions they have established is below the FANOUT threshold.
If so an EWSD will create an RPR message, which includes a HOP COUNT attribute, and sends it to a random peer. This EWSD will also enter a state where they are willing to accept the next session request.
EWSDs that receive an RPR message with a HOP COUNT less then the 5 hops and are willing to accept this request (i.e. they have session capacity) will attempt to being up a P2P session the RPR's SOURCE_IP attribute as set by its originator
EWSDs that reject an RPR will randomly forward it with a decremented HOP COUNT, or dispose of it if its HOP COUNT is zero.
26
We have implemented this random mechanism in order to mitigate the threat of a coordinated attack against an EWSD. For example, if an EWSD is targeted by an attacker that attempts stop other EWSDs from sending it messages. With this mechanism an attacker does not know which EWSDs they must
in order .
Ends send to one another their complete certicate store in the form of cached CRA messages (Section 5.5)
Each end adds its newly established P2P interface to the routing protocol overlay, this leads to a routing table swap via an RPO message (Section 5.3)
all
its P2P sessions any message they have received that they
have not seen before. With this solution an EWSD can be sessions it will reach all other EWSDs.
sure
However, it quickly became clear to us that this solution would be very expensive i.e. for every message sent over the EWSD net, each instance of our solution would receive duplicate messages on the order of the number of its currently establish P2P sessions. This simply seemed to expensive a solution and we sought to establish an alternative design. We wanted each instance of our solution to be able to identify which of its sessions are redundant. However, EWSDs had to make this decision collaboratively to ensure that the EWSD net does not partition. With this in mind we sought to implement a routing protocol that runs over P2P sessions. We quickly came up with a design that seemed to yield promising results.
routing table over their P2P sessions in the form of Routing Protocol Overlay (RPO) messages.
Our protocol maintains, for every entry, a path describing the intermediate EWSDs between the receiver of an RPO and the source of the entry i.e. it is a path vector protocol. However, our
protocol also maintains a metric value for each entry describing the accumulated cost of the entry's path.
27
Our protocol diers from the traditional path vector protocol in that it will choose, for each entry/source, the path with the lowest metric and not the shortest amount of hops.
Instances of our protocol on each EWSD assign exponentially distributed metrics to their P2P sessions
Once our protocol converges it identies P2P sessions that do not appear in its routing table. We consider these sessions as redundant.
Instances of our protocol will swap their complete routing tables over a newly established session after assigning a new metric to it.
The idea behind using exponentially distributed metrics is to place an increasing bias on each session, using this bias we attempt to identify redundant links within the EWSD net. Our metrics are exponentially distributed to ensure that a bias/metric set on a session can rarely be equaled by longer paths with smaller individual metrics. For example, a path with a single hop that had a bias of 100 can only be equaled by a path with 10 hops each with a bias value of 10. To summarize the operation of our protocol, if an EWSD assigns a high bias to a P2P session, this session will never be used unless it sits on the only path to some other EWSD [Figure 14].
28
path vector protocol , much like BGP , meant that each EWSD needs to keep all the paths it has seen for each entry/source. This is more expensive, but in the face of links failing/going oine we believe that we have made the correct choice. There are some security issues with this protocol. Firstly, we reveal to EWSDs some detail regarding
the EWSD net topology. Furthermore, a malicious EWSD could inject routes within the protocol in an attempt to eect another EWSD's reachability. Our implementation has addressed these security issues (Section 5.10.5)
well connected
sizes. From this point onwards we assume that tree based ooding is the default mechanism used by an EWSD.
innitely loop over the EWSD net. Our rst solution to this problem was for an EWSD to process all of its received messages, then only ood messages that caused a change in its internal state. We could be sure, through some intricate implementation details that we will not elaborate on, that two duplicate
29
messages would never cause a state change within an EWSD. We then realized that this approach was to expensive. On top of the expensive cryptographic verication of these redundant messages we would now have to process them, processing some messages such as the Current Route Assertion (CRA) message, later described, is an expensive task. As an alternative we implemented sequence numbers into our solution. An EWSD will reject a message, without processing it, that has a sequence number less or equal to the largest sequence number heard from the messages source (AS number). [Figure 16] shows that SEQNOs reduce the average processing load on an EWSD, within fairly dense EWSD nets, by approximately 20%.
Note :
Later, we mention how Peer Key Exchange (PKE) messages are cached by EWSDs and sent over
new P2P sessions. By only considering sequence numbers of valid messages, we can be sure that a PKE's sequence number will never be outdated. This is because, as we later describe, any message heard by an EWSD is invalid until a PKE/certicate is heard from its source.
assume an authoritative source that distributes these certicates since this will break our goal of making our solution easily deployable. distribution mechanism. As an alternative we have implemented into our solution a certicate
whole
certicate store in case our solution is deployed in cliques. If so, then some
cliques could merge by a new P2P session coming online. EWSDs at the ends of this session must swap their whole key store to ensure that each clique knows about the others certicates. A certicate in our design and implementation is represented by a Peer Key Exchange (PKE) message. This message contains an ASN and the public key to bind to it. PKEs are signed with the private pair of their contained key, ensuring that certicates themselves are tamper proof.
30
key pair, then advertising a new certicate (PKE) that is signed with its old private key.
5.6 Graph
This component of an EWSD is a map of the Internet that EWSDs build collaboratively. In summary, an EWSD builds its graph by merging the dierent perspectives of the Internet heard over its P2P sessions. In this section will make a quick mention of the internal structures an EWSD uses to represent this map.
store ; However, we realized that we had made an erroneous assumption in assuming that AS peerings are
symmetric. With this realization we converted our algorithm to produce a directed adjacency list. This remained our approach for a short period until we realized that a directed graph eliminated crucial information from a map. Our directed graph could only be used to identify physical peerings as claimed by the AS-PATHs within the
path
path store ; However, it does not reveal any information that could be used
to detect if an AS is violating a routing policy. BGP facilitates policy based routing (Section 1.1). ASes could choose not to forward routes heard from a certain class of peerings over another certain class of peerings. With a directed graph all an EWSD could infer is that some AS-PATH claimed these links exist. It was nally decided that EWSDs should convert received AS-PATHs into triples. With triples an EWSD could begin to identify polices within its map. For example, if an EWSD's graph is provided with the
following path {1,2,3,4} and coverts it into the following triples (1,2,3) (2,3,4), the triple (2,3,4) informs us that some AS-PATH is claiming that AS(3) will announce to AS(2) a prex heard from AS(4). The
triple store
is a simple map, mapping a triple to a pair of values. The rst value is a reference count
path store
31
metric, the use of this value will be described in the following sections.
triple history
path store.
stop
detection
is not as critical as if
attacks.
32
would accept, into its graph, all information within a received perspective, EWSDs would also ood their whole perspective. With suppression, which is later describe, an EWSD would only ood and accept
path store
path within the store had an expiry time. However, expiring triples that no longer exist in a EWSD's map was more dicult. Triples could be part of many paths and hence we had to implement a mechanism by which we can detect, for each triple, if any paths exist that still have a reference to it. Recall the reference count attribute for triples within the paths, within the
triple store.
A triples reference count attribute indicates how many If an expired path causes the reference count
triple history.
triple store
how long we have seen a triple. In our solution's design our expiry check events are periodic, hence we use these events to build a triples trust. After an expiry check we increment the trust metric of all the triples that are still alive i.e. they still remain in the
triple store.
history
. We instantiate the triple with the trust metric held for it within the
triple history
triple
(if any).
33
currently within its graph. Suppression lters process perspectives at prex granularity. perspective process every AS-PATH associated with it. For example, for every prex within a
path store
Reduce the returned list to the set of AS-PATHs that have the same origin as (A) Identify the length of the shortest path out of this reduced list if A's length is less than or equal to this identied length, or A reveals a new origin/prex then A passes the suppression lter
Without going into detail of how we implemented the re-suppression lter, (A) would only pass this lter if no other AS-PATH has been introduced into the map that is closer than it and has the same origin. This mode was intended to allow EWSDs to build a graph that can be used to detect all DIRECT prex hijack attacks. In summary, this mode deterministically rids of all the AS-PATHs that do not reveal a new origin for a prex.
(A) does not overlap with the closest path currently held for its associated prex. (A) must be compared with the closest paths that have the same origin as it
This mode was intended to allows EWSDs to build a graph that can be used to detect all INDIRECT prex hijack attacks. With this mode we rid of any AS-PATH that does not tell us of new peerings with the origin(s) of a prex.
34
ensures that these conicts are globally propagated. In summary, If an EWSD receives a PKE message claiming to be originated by it, and a dierence exists between the EWSD's key and the key within the PKE, then this reveals a conict and a warning is raised. This warning presents the administrator with the IP address of the system that originated the attack.
35
A malicious EWSD could advertise a path with a lower metric for the target EWSD's ASN. The attacker does this with the intent of making there targets neighbors identify their sessions to the target as redundant, hence bringing the target out of reach of ooded messages. Note that an attacker must manipulate the whole tree in order to make a target unreachable. The attacker must ensure that all EWSDs, most
importantly the targets neighbors, believe that the he is a cheaper route to the target, otherwise the manipulate tree will still include the target. Message signing/verication ensures that RPO messages are tamper proof and are originated by an EWSD, hence we have already limited the domain of attackers to live EWSDs. Prior to detailing the security mechanisms we have designed/implemented, recall that our protocol design dictates that paths with the lowest metric are chosen for each destination and that a path's metric is accumulated whilst being announced from one EWSD to another.
Inverse metrics
A crucial decision we have taken is for our protocol to dictate that EWSDs apply metrics on receipt of a path and not on its announcement/forwarding. This makes it impossible for an attacker to know if his attack will be successful. His neighboring EWSDs could receive his attack's path (RPO message) on high metric/bias sessions. Our protocol instance at any of these neighbors will not select the attackers path over the cheaper path it already holds. This increases the possibility of the target remaining within the tree, i.e. post attack, some neighbor of the target chose to retain its original path to it.
announcement, it will withdraw its old identity and announce a new distinct identity. This mechanism ensures that no EWSD can ever be made unreachable. We relied on two two main factors when designing this mechanism, rstly we do not care about identities, we just want to identify redundant links. Secondly, if an EWSD has converged, it has waited a signicant period such that any of its previous announcement would have already looped. When analyzing our solution we found that this mechanism could be bypassed by an attacker. All the attacker needs to do is precede his announcement of a target EWSD's ASN with some redundant announcement that causes a global ux in the routing tables of our routing protocol. This will cause the convergence timer on his target to reset, his proceeding attack will then not be considered as one until his target's convergence timer counts down.
36
Prexes owned by its AS. Automatically detected via the EWSD's perspective. ASes that have peering relationships with the AS they are representing Non atomic prexes owned by its AS i.e. they are allowed to be deaggregated
Even though we can detect to some extent the list of peerings through an EWSD's perspective, it is possible that some ASes might not advertise would not see the peer in its perspective.
any
If a prex, within the local prexes list, is attached to an AS within the graph dierent from the EWSD's AS If the graph reveals any edge/peering between an EWSD's AS and an AS that does not appear in the EWSD's list of peers. If a deaggregation of a prex, within the local prexes list and not in the atomicity list, is attached to any AS within the graph.
The routing policies of its AS The class of each peer within its list of peers
With this information an EWSD could trivially detect policy violations. When a new triple (A,B,C) is seen, such that B is the EWSD's represented ASN, the following steps are taken:
Identify the class of peerings held with A & C through the Check the identied classes against the secretly kept
routing policies
Check that routing policies allow routes heard from class(C) peers be announced to class(A) peers
37
The correct valid path for the prex has been advertised rst The attacker claiming a new path to the prex, advertises his attack some time later The attacker's path has lead to a new
With these assumptions in mind, we implemented our third party detection mode in the following manner
An EWSD will inspect the path's of a prex it has heard a new path for (via CRA) For each of those paths, identify the lowest
history metric
Identify the two paths with the lowest/highest LHM If the lowest path's LHM is less than 50% of the highest path's LHM throw a warning
This means that some path, most probably the newly heard path, has some triple that is new/young to our map and hence has a very low history. We throw an Untrusted Route Warning because we already hold a live path whose component triples have been seen
38
Our approach was to build within our client the ability to retrieve an array of data that can be used to manually conrm correct BGP operation. For example, retrieving the routing table of any router at any point within our simulation. We also added a feature by which the client can command the server to
return a graphical representation of the global topology at dierent layers of abstraction. The client can also graphically trace routes heard over BGP, for a certain prex, within these representations [Figure 12]. With both these tools we ran many simulations, injecting many dierent routes, verifying that the resultant route propagation over BGP was correct. Our injected routes tested every aspect of BGP's route selection algorithm which can be found in detail within our implementation (BGP.py). They also tested that our implementation's iBGP, eBGP and route reectors were operating correctly.
EWSD details, displays the currently detected threats by an EWSD within our simulation EWSD graph, a graphical display of the graph an EWSD within our simulation has built EWSD graph trace, a graphical display of the routes within an EWSD's map for a particular prex
Using these views we could verify that the overall behavior of our solution was correct. We consider correct behavior to be that all EWSDs build the same map and if an attack is injected within the simulation and the EWSD can detect it then it should. Thoroughly testing our solution proved to be signicantly more complex, at dierent points in time we had to add instrumentation code to ensure that every feature described in our solution design (Section 5) was operating correctly within our implementation.
6.3 Model
In this section we present the model that was used by our automated analyzer from which we have gathered the results revealed in the next section. Our aim was to model the current topology of the Internet as closely as our simulator permits. With this in mind we chose to make the ASes, within our automatically generated topologies, abide by the traditional multi-tier model.
Tier-1 Peer
provider
Tier-2 Customers of Tier-1 ASes and providers of Tier-3 ASes. Tier-3 Customers
of Tier-2 ASes. Tier-3 ASes could
peer
peer
Our generator's output BGP topology also describes the classical BGP export policy described in [Figure 3] which is used in our actual simulation. Furthermore, in an attempt to capture some of the policies ASes
39
may deploy, we have chosen to make our generated topologies enforce through the use of LOCAL-PREF lters that an AS would prefer routes in the following manner:
Class
customers peers providers
LOCAL-PREF Reason
1000 500 100 Routes generate revenue Routes are free (conditional) Routes are expensive
We have also created two models to describe our solution deployment strategies. The rst model we call
non-seeded where EWSDs are deployed by random ASes and as such the growth of the EWSD net is random. The second model we call seeded where EWSDs are deployed in cliques and as such the EWSD
net grows radially around the rst deployed EWSD (the seed).
40
Our prediction was was true in the initial growth of the EWSD net [Figure 19]. However, after approximately 20% of ASes had deployed EWSDs, the EWSD net would have spread globally by traversing peerings and partially engulng Tier-1 ASes. This spread introduced perspectives to the net that allowed EWSDs to detect attacks from the extremities of the Internet. We can then assume that if the most
optimal non-seeded model and least optimal seeded-model generally follow linear growth, models therein should also follow linear growth. We consider our non-seeded model to be the most optimal because
random deployment maximizes the amount of distinct routes learned from dierent perspectives/EWSDs.
41
We would now like to perform some further analysis to discover how the growth of the EWSD net eects an EWSD's ability to detect attacks against its represented AS. [Figures 20-21] show that, with our default analysis model (Section 6.3), ASes running EWSDs have very good detection rates for all forms of prex hijack attacks. However, it turns out that the LOCAL-PREF lters in our analysis model completely
dominated BGP routing and hence attacks could attract much more ASes. This increased the probability that an attack would attract an AS running an EWSD leading to its detection. [Figures 21-22] shows the re-execution of our analysis but without our LOCAL-PREF lters. These gure show quiet clearly that, with default BGP operation, more EWSDs need be deployed to provide the same detection as our initial model. This shows that the eectiveness of an EWSD, its ability to detect attacks against its AS, is directly related to the routing policies of other ASes. These policies, which tend to be extremely complicated and kept secret, can increase/decrease our solution's eectiveness at lower deployment levels. However, no
matter what the policies are, as deployment tends towards 100% their eect on our solution's eectiveness becomes negligible. After thoroughly investigating the cause of the variance in the detection rate of attacks for ASes running EWSDs as displayed in [Figure 20-24], we concluded that these variations were simply down to the undetected attacks not being able to attract an AS running an EWSD. To conrm our conclusion we programmed our analyzer to keep track of the long run averages of attacks detected per tier whilst running our analysis [Figure 24 - 25]. Our results show that the variance in detection is generally not localized to any particular tier of ASes, but as we concluded it is distributed over dierent tiers. This is a main point within our analysis, it shows that there are no particular EWSDs that will experience bad protection because of their location/tier within the Internet.
With our modied model (no LOCAL-PREF lters) and a seeded EWSD net, it turns out that tier 1 ASes, as a whole, experienced a decreased average detection rate (approximately 85%). With some further analysis we found that, with no default LOCAL-PREF lters, attacks against tier 1 ASes were less likely to spread globally i.e. they make it past the tier 1 full mesh. Since a seeded model means that all EWSDs are clustered together, this further decreased the likeliness that attacks will reach an AS running an EWSD. However, we believe that our original model is a better description of the Internet as it is today. We have shown that our solution generally provides good rst party protection. Now we explore the ways be which an attacker can attempt to beat our solution. An attacker who wants to bypass our rst party
42
protection mechanism has two ways of attempting to do so, either through a malicious EWSD, or by mounting clever BGP attacks.
Malicious EWSD
EWSDs trust signed communication from one another, but what if one of the EWSDs is malicious? they can then authoritatively send messages with malicious payloads and all other EWSDs will trust their content. Our security mechanisms deal with this problem for most types of communications as mentioned in (Section 5.10). However, we have not addressed this problem with regards to CRA messages. The sender uses this message to inform all other EWSDs of his current perspective, but what if the sender broadcasts a malicious perspective i.e he may disclude attack revealing information and include information that reveals false attacks. This means that an attacker's CRA can easily trigger
negatives except if his AS is the only AS with an EWSD and a perspective that reveals the attack they
are trying to mask. An example of when an attacker can use this to his advantage is as follows:
The attacker's/colluder's EWSD advertises CRAs that show other ASes attacking its target prex The attacker then mounts his BGP attacks on the target prex The EWSD ran by the target prex's AS detects both the fake and real attacks, which of these is true?
This is quite a big problem with our solution, had we had this problem in mind whilst designing and implementing our solution then we could have implemented the following functionality to severely mitigate the eects of this threat. Recall that an EWSD monitors its built map for attack revealing information. What we have not mentioned is that the monitoring/scanning of a map is triggered by the receipt of an CRA/perspective i.e. a received CRA is used to modify an EWSD's map, then it is scanned for attacks. This means that we could very easily associate an identied attack with the EWSD that originated the CRA that revealed it.
Trigger-Quota
This proposal would see each EWSD allocate a periodic quota for each identity (ASN)
it knows for other EWSDs (through certicates). This quota states how much attacks an EWSD is allowed to reveal. When an EWSD's quota is used up alerts triggered by his CRAs are ignored.
Trigger-Decay
trigger e.g. an attack.
Identify the rate of attacks that we consider to be average/normal for each EWSD to 2 attack per hour. Keep the latest time at which each source EWSD has revealed
Exponentially decay the amount of attacks that an EWSD can trigger (probability of
accepting the attack). If the decayed probability is less then some threshold then do not alert on it (say 30.00%). This is a dierent approach that aims at CRAs as he sustains his possibly malicious behavior.
43
In the case that an EWSD was genuinely triggering many alerts we believe there should be some other EWSD whose AS was also aected by these attacks and hence we can still detect them from his CRAs. For this to work we must ensure that if multiple EWSDs trigger the same alert we only decay/modify quota on one of them.
any
AS
running an EWSD. This means that no perspective(CRA) sent over the EWSD net will hold information that can reveal his attack. This is a complex and dicult option as the attacker has no control over the routing decisions taken outside of his domain. However, as explained in (Section 1.2), the more information the attacker has about other ASes the more likely he can mount such a strategic attack. The alternative option is for the attacker to mount BGP attacks against the IP address of the EWSD running on his target's AS. The attacker does this with the intent of diverting all information destined for that EWSD to him, this means that his target EWSD will not be capable of detecting any of his mounted attacks. However, our design also makes this option extremely dicult. Inter EWSD communication
happens through ooding, so the attacker must ensure that his BGP attack(s) attracts every single AS running an EWSD that his target has P2P sessions with. Otherwise EWSDs neighboring his target can still communicate with it. An attacker
may
sessions with. He may be able to do this by analyzing the paths, within his routing protocol overlay, heard for his target's identity(ASN). However, our random peering mechanism means that an EWSD's neighbors are randomly distributed over the Internet, this makes it very dicult for the attacker to attract all of them.
any prex.
third party detection mechanism can be easily bypassed by an attacker. Furthermore, it is only eective in detecting third party indirect prex hijack attacks.
44
Our third party detection mechanism works quiet well for indirect prex hijacks. If the attack makes it into any perspective exchanged over the EWSD net then it will denitely be detected by all EWSDs [Figure 26]. This is because indirect attacks claim a new peering with their target's AS. If such a route/attack is seen by any EWSD it introduces a new triple,
However,
deaggregation/direct attacks generally introduce no new triples i.e. the attack follows routes previously introduced into an EWSD's map. Furthermore, some prexes are allowed to be deaggregated and likewise some prexes are multi-homed, this means that an EWSD will generate false positives if it tried to detect on deaggregation/direct attacks. We have found that an attacker with access to a malicious EWSD can bypass third party detection altogether i.e. he can ensure that none of his attacks can be detected by anyone but the EWSD associated with his target's AS. To do this the attacker needs to perform an
associate with it the path he will use in his future attack. Since this initial attack is against a prex not allocated for use over the Internet, then no EWSD will detect any threat. The attacker keeps his unused prex hijack alive for some time, by doing so EWSDs build trust for all the triples within the routes seen for the unused prex. So the attacker has managed to build trust on a triple that would have otherwise caused his attack to be detected. Third party detection attempts to allows an EWSD to detect attacks against ASes other than its own AS. An example application would be a provider AS detecting attacks against its customers whom have not bought up an EWSD. This takes us onto our nal point regarding third party attack detection. Our solution allows all EWSDs to build exactly the same graph, this gives an EWSD the ability to detect third party attacks as robustly as it can detect attacks against its own AS. However, in order to do so, an EWSD requires some extra information as mentioned in (Section 5.11.1). If an AS agrees to handover this information to another trusted AS running an EWSD, that trusted AS could provide
This
feature has not been implemented since we believe that it is very unlikely that any AS would handover such sensitive information to
anyone.
The location of an EWSD within the internal topology of an AS is quiet signicant, it has a direct eect on the quality of the perspective that an EWSD can build on behalf of its AS. It does not suce for an
45
EWSD to have a single BGP interface with some router in its represented AS, such a deployment would see EWSDs build very weak perspectives that can exclude attack revealing information. BGP routers
generally prefer a route heard via eBGP over one heard over iBGP when they are both equally good. This means that an AS can partition internally on a prex [Figure 24]. To fully capture an AS's perspective an EWSD must peer with all of its border routers. However, this is an expensive option in terms of
the number of iBGP sessions that an AS must congure. Our recommended deployment strategy is for EWSDs to peer with the leaf routers of the route reector [Figure 4] tree within their AS. This will allow an EWSD to capture a signicant portion of it's AS's perspective; However, it may still omit attack revealing information. We of course refer to logical iBGP peerings instead of physical iBGP peerings for an EWSD. Our recommended minimum requirements for an EWSD machine are as follows:
CPU RAM
Multiple cores to parallel message verication and processing Holds cached graph data, certicate store and overlay protocol RIB
HDD
Prior to analyzing our solution's scalability we would like to quickly comment on [Figure 29]. This gure shows that the amount of messages seen by an EWSD varies quite signicantly, by analyzing the cause
46
of this variance we have found that the operation of our routing protocol overlay (section 5.3) generates ooding hot-spots within an EWSD net. We refer to hot-spots as EWSDs who see high amounts of
redundant messages due to all/most of their P2P sessions being used by our overlay protocol. This shows that although our protocol does reduce the amount of redundant messages seen over an EWSD net, as previously shown in (gure 15), this reduction is not fairly distributed amongst EWSDs. By exploring this variance we have found that,
generally, EWSDs with the highest amount of P2P sessions are hot-spots.
It follows that if an EWSD's FANOUT is reduced they are less likely to be a hot-spot. However, there is a
strict trade-o here between an EWSD's robustness and resilience to attacks described in (section
5.10) and its operational cost. It is worth noting that the amount of hot-spots in an EWSD net is very small but they may suer problems at full scale deployment. To deal with this issue we propose that an EWSD keep track of the redundancy rate within received messages, when it exceeds a certain threshold the EWSD should bring oine some of its P2P sessions. This of-course may mean that our protocol
creates another hot spot when it re-converges, however, with this mechanism the burden of hot-spots will be bounced around the EWSD net
Scalability analysis
Messages sent over an EWSD net are signed, this means that every single message received needs to be veried, this involves calculating the message hash, decrypting the message signature and verifying the two values match. We mentioned that each EWSD periodically sends its current prospective as seen
though it BGP interfaces, there is a strict trade-o between this periodicity and the cost of our solution. Furthermore, the periodicity of CRA messages also directly eects the delay between an attack taking place and its detection. With these trade-os in mind we have decided that EWSDs should send CRA's hourly. Now we consider the worst case scenario where all EWSDs are synchronized to send their perspectives within the same minute i.e. they are all bought online by their administrators at roughly the same time of day. Can EWSDs handle such loads at full deployment? In order to answer this question we must rst estimate the amount of data that all EWSDs will send combined, recall our suppression modes mentioned in (Section 5.9). As we will explain next our recommended suppression modes are (TRIPLES NOT IN MAP & CLOSEST ONLY). In order to identify how much data we will end up sending with these suppression modes we must rst abstract away from their distributed nature. Our abstraction is that all EWSDs perspectives are accumulated into a single routing table. If our solution was fully deployed, how much of this abstract routing table would actually pass
CLOSEST ONLY
For every prex within the abstract routing table, group it's AS-PATHs by their rst hop, for each group send the shortest AS-PATH(s) in length. So with full deployment we will send one path for each prex i.e. the perspective for the AS that owns each prex has the shortest(empty) AS-PATH in our abstract routing table. Now imagine that only X percent of prexes were owned by ASes that we had perspectives for in our abstract routing table i.e. ASes running an EWSDs. As previously described we would only send one path for each of them. However, for
47
each remaining prex there could be many perspectives with equally short AS-PATHs and hence their all sent by this suppression mode. There is a seesaw eect here, at low EWSD deployment, were less likely to have multiple equal length AS-PATHs for a prex, at higher EWSDs deployment, there are more prexes that have only one closest AS-PATH. So we generalize and say that a single AS-PATH is sent for each prex under this mode.
lowest amount of AS-PATHs that cover all the triples within all
the AS-PATHs seen in the abstract routing table. We believe that the complexity of trying to generate a model by which we can predict this value is equivalent to that of trying to infer policies on the Internet as this value is directly related to the routing policies globally used. Instead we have chosen to make
use of publicly available route monitor data to calculate the exact amount of AS-PATHs that pass this suppression mode in the Internet as it is today. We analyzed routing table dumps for April 2011 from 18 separate route collectors as made available by RIPE RIS [6], a project that collects and stores Internet routing data from several locations around the globe.
Our analysis of the routing tables showed that ~1.1 million AS-PATHs pass this suppression mode. This number reects the minimal amount of AS-PATHs needed to be sent to cover all the triples within the Internet. Our suppression mode implementation implicitly guarantees this property i.e. The only way an AS-PATH will pass this suppression/re-suppression mode is if it has the
only
this means that longer paths with more triples cause shorter ones to fail this mode. Accommodating for the rapid growth in the Internet, we assume that at full scale deployment 1 million prexes are advertised over BGP (currently 489,046 [7]). We also assume that the amount of AS-PATHs needed to be sent for the TRIPLES NOT IN MAP suppression mode doubles as the Internet becomes more topologically complex due to more ASes coming online. Doubling this value also accommodates for the fact that our analyzed route monitor data was not a full representation of the Internet and may have omitted triples. Hence, with our recommended suppression modes, EWSDs will cooperatively send an
estimated 3.2 million AS-PATHs. Each AS-PATH will consumes on average 10 bytes within a CRA, 4 for the prex it is associated with and 5 for the actual path (average AS-PATH length on the Internet[7]). This means each EWSD, at full scale deployment, should receive
per hour.
It turns out that with a fairly dense variable sized EWSD net, using our routing protocol overlay, 20% of messages sent over it are redundant[Figure 16]. This gure should, with our proposed hot-spot bouncing mechanism, reect the average amount of redundant messages seen by an EWSD. Our research shows that the recommended size of RSA keys/certicates is 2048 bit keys with an associated decryption time of 7ms on an general purpose Intel 1.8GHz dual core processor. We also found that this processor can perform SHA-256 hashes at a rate of approximately 100 MB/s [10]. The following formula is a somewhat primitive model of how long it will take an EWSD to verify CRA messages sent from all others EWSDs in the EWSD net periodically.
48
redundancy
1.2
89s
Hence we expect that verifying messages, under the worst case scenario previously described, on an EWSD machine will utilize 2.5 % of its hourly capacity. In summary our
estimates
data sent periodically over an EWSD net, with full deployment, is manageable. Furthermore, the
case time spent processing this data is well within an EWSD's capacity.
worst
[Figure 28-29] show that combining suppression modes (1 & 2) combined is the best trade-o between the amount of attacks that can be detected from the graphs built at EWSDs and the cost of building them.
detect
attacks.
achieved our aim can we transform our system into one that can stop attacks. It turns out that we could quiet easily do so with little to no changes to our solution. Simply when an EWSD detects an attack they can ood an authoritative alert over the EWSD net, when such an alert is received by an EWSD, it will perform some sanity/validity checks and send over its iBGP sessions one of it alternative paths(if any), for the target prex, with a high LOCAL-PREF and a third party next-hop (the IP address of the router the alternate path was heard from). However, the existence of false positives and further security issues as with key hijacking means that we would be just adding to BGP's security issues. Furthermore, it will be extremely naive of us to think that an AS would run such a system that can interfere with its internal operation.
49
validation.
origin authentication.
route
Our solution diers from S-BGP in that its individual instances (EWSDs) can only eectively detect attacks against their own AS (rst party detection). Furthermore, in order to detect these attacks, EWSDs rely solely on information heard from one another. On one hand this is a disadvantage in that ASes have
little to no incentives to be the rst ones to deploy an EWSD. However, we have worked hard to ensure that our solution is cheap and easy to deploy for an AS, and we believe that that this should counter this disadvantage. We have also shown that an EWSD can detect
deployment levels are at 20-40% depending on the topology of the EWSD net, this is another incentive that should spur deployment. We have shown that at full scale deployment, where we liken our ability to detect attacks to S-BGP, the operational cost of a solution instance should be generally manageable and well within the budget of even the smallest ASes in the Internet. However, our scalability analysis has uncovered a scaling issue for a
very small subset of solution instances, namely our routing protocol's hot-spot phenomena, however, we
are condent that our proposed hot-spot bouncing mechanism should neutralize this problem. This leads us to a conclude that, with this mechanism in place, our solution can scale to full deployment. The distributed nature of our solution and our avoidance of authoritative/secure data sources e.g. (Public key infrastructure) means that we have traded security for deployability. It follows that there are some security issues with our solution, although we have implemented/proposed functionality that seriously mitigate their threat, their existence has limited our solution to be one that can detect and not stop attacks. We believe that, with our proposed features, there are no major obstacles as to why our solution cannot be
Realistically our solution will in time become redundant when ASes nally
begin switching to secure implementations of BGP. In the meanwhile we believe that our solution provides an alternative feasible approach to providing some degree of security for ASes. In summary, our solution is cheap, scalable, deployable, eective and
reasonably
solution does not and cannot (practically) solve/stop prex hijacking attacks, it can just detect their presence and provide warnings to the victims as early as possible.
50
Explore alternative proposals by which an AS can agree on initial EWSD peerings Hard state redesign of our solution to substantially decrease the periodic loads seen by an EWSD Explore a dierent approach to performing third party attack detection Implement the proposal described in our analysis to suppress false positive attacks Implement our proposed hot spot bouncing mechanism and verify it works
51
8
[1]
Bibliography
S. Goldberg, M. Schapira, P. Hummon, J. Rexford How Secure are Secure Interdomain Routing Protocols? SIGCOMM '10 Proceedings of the ACM SIGCOMM 2010 conference on SIGCOMM [2] G. Goodell, W. Aiello, T. Grin, J. Ioannidis, P. McDaniel, A. Rubin Working Around BGP: An Incremental Approach to Improving Security and Accuracy of Interdomain Routing Proc. of Internet Society Symposium on Network and Distributed System Security (NDSS'03), 2003. [3] S. Kent, C. Lynn, K. Seo Secure border gateway protocol (S-BGP) IEEE Journal on Selected Areas in Communications, 18(4):582592, April 2000. [4] R. White Securing BGP through secure origin BGP. Technical report, Internet Protocol Journal, Cisco Systems, September 2003. [5] M. Lad, D. Massey, D. Pei, Y. Wu, B. Zhang, L. Zhang PHAS: A prex hijack alert system in Proc. USENIX Security Symposium, 2006. [6] RIPE RIS RIS Raw Data http://www.ripe.net/data-tools/stats/ris/ris-raw-data [7] RIPE RIS Statistics Report 2011-04-15 - 2011-04-22 http://www.ris.ripe.net/weekly-report/reports/risreport-20110415-20110422.txt [8] [9] AS6447 BGP Routing Table Analysis Report http://bgp.potaroo.net/as6447/ B. Kaliski TWIRL and RSA Key Size http://www.rsa.com/rsalabs/node.asp?id=2004
[10]
52
Appendix
Contents
1 Project Plan 2 Interim Report 3 RIPE RIS Analysis 4 Simulator Requirements 5 Simulation Server
5.1 5.2 5.3 5.4 Automatic Topology Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Manual Topology Conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Example topology conguration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Starting the simulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3 5 7 7 7
7 8 13 14
6 Simulator Client
6.1 6.2 Connecting to the simulation server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Commanding the simulation server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
14
14 14
7 Other information
7.1 7.2 Modifying Simulation Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
16
16 16
8 Code Listing
8.1 8.2 8.3 8.4 8.5 8.6 8.7 8.8 Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Code listings summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Attacker.py code listing BGP.py . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
19
19 19 20 23 29 32 37 39
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Project Plan
Interim Report
To reproduce our RIPE RIS analysis results, carry out the following steps
1. 2. 3.
Navigate to the /ripe folder in our provided distribution Execute gcc -o dumper dump_paths.c bgp_lib/libbgpdump.so -Wall Execute ./dumper
This will result in approximately 1GB of uncompressed data being dumped into /ripe/as_paths
4.
We have included April 2011 routing table dumps from route collectors at the following locations: Amsterdam, Frankfurt, Geniva, Japan, London, Miami, Milan, Moscow, New York, Palo Alto, Paris, Sweden, Vienna To add new/updated routing table dumps, place the new routing table dumps in the /ripe/bgp_tables folder. Routing table dumps can be retrieved from the following website: http://www.ripe.net/data-tools/stats/ris/ris-raw-data
Simulator Requirements
To run our simulator, this is a critical requirement. http://www.python.org/download/releases/2.6/
Python-2.6
GraphViz
To convert a clients image request response into an actual image from dot text http://www.graphviz.org/Download.php
RSA-1.3.3
Used by our EWSD implementation to generate RSA keys, verify and sign messages Provided in the distribution folder /dependents To install,
Matplotlib
Used by our automated analyzer to display results of analysis runs. All results are displayed graphically using this library http://matplotlib.sourceforge.net/users/installing.html
Simulation Server
takes as input
another
conguration le at ews/cong/generator.cong, within this le are congurable The following are the attributes and
parameters that are used by the script to generate the topology. there purpose FANOUT
Number of tier 1 ASes in the conguration, dictates the size of the whole topology. (
ROUTERS_PER_AS
Number of routers each AS within the simulation has. If above 1 a route reector is used in each AS
T2_PEER_PROBABILITY
The probability that a tier 2 AS brings up a peering class BGP session with another tier 2 AS
T3_PEER_PROBABILITY
The probability that a tier 3 AS brings up a peering class BGP session with another tier 3 AS
DAEMON_PROBABILITY
The probability that an AS should have an EWSD online e.g. 1.0 means full deployment
DAEMON_MAX_PEERS
The maximum number of P2P sessions each EWSD should bring up initially
This module can also be used directly by code as with our attacker module. To do so the user overrides the map holding these attribute values prior to calling the actual generation function. The user can then re-start the simulator, which will now read the new topology le. To invoke the generator script :
Declaring ASes
Description Command Example Note Description Command Example Description Command Example
This command declares the range of ASNs to instantiate into the simulation. An AS will be instantiated for each AS
Declaring a network
Description Command Example
This command declares a network address for a BGP router to announce over BGP within the simulation
network [CIDR IP] router 160.10.0.1 at-as 65400 network 169.10.9.0/24 network 169.10.0.0/16
Declaring a peering
Description
This command declares a peering between one BGP router and another within the conguration. Peerings can be declared and tagged with a community , and also assigned a metric (for iBGP). Peerings with routers declared under the same AS are automatically detected and instantiated as iBGP sessions
Command Example
Note
peer [declared BGP router IP of peer] [class COMMUNITY] [metric VALUE] router 160.10.0.1 at-as 65400 peer 209.210.9.1 peer 106.10.0.2 metric 100 peer 106.10.0.3 metric 50 class clique-a peer 100.293.1.1 class provider Community tags must be declared within the conguration le, refer to the policy command.
The target router of this command must agree on this peering, i.e. they must also have a command to bring up a BGP session with this router
router 160.10.0.1 at-as 65400 peer 209.210.9.1 class provider peer 65.190.90.1 class customer peer 106.10.0.2 metric 100 local-pref 90000 next-hop 65.190.90.1 local-pref 10000 next-hop 209.210.9.1 local-pref 90000 prex 23.0.0.0/8 next-hop 209.210.9.1
The commands have been listed in order of precedence, i.e. when multiple lters apply for the same received announcement, the rule towards the end of the list will be applied.
Note
router 160.10.0.1 at-as 65400 network 160.10.8.0/24 peer 160.10.0.5 metric 100 peer 209.210.9.1 class provider MED 900 to-router 209.210.9.1 MED 100 on-prex 160.10.0.0/16 to-router 209.210.9.1 160.10.0.15 at-as 65400 peer 160.10.0.1 metric 50 peer 209.210.9.3 class provider MED 400 to-router 209.210.9.3 Note
The commands have been listed in order of precedence, i.e. when multiple lters apply for the same received announcement, the rule towards the end of the list will be applied.
Example
MED ignore next-hop [IP] router 160.10.0.1 at-as 65400 peer 160.10.0.5 metric 100 peer 209.210.9.1 class provider MED ignore next-hop 209.210.9.1
The commands have been listed in order of precedence, i.e. when multiple lters apply for the same announcement, the rule towards the begining of the list will be applied.
Note
10
policy [name] [shape (used for GraphViz rendering)] no-ad [policy name]
Declaring the standard policy model, routes tagged with provider or peer COMMUNITY i.e. heard from a provider/peer link, should not be forwarded on links with a provider/ peer tag
Note
policy provider box no-ad provider no-ad peer policy peer odot no-ad provider no-ad peer policy customer box policy None none policy None none , must be included in the le, or the simulator will crash.
[shape] attribute is the shape that will be used by GraphViz to render a link end with the particular policy tag, you have a choice of the following shapes: inv, dot, invdot, odot, invodot, tee, invempty, diamond, odiamond, ediamond, crow, box, obox, open, halfopen, vee, none
router [IP] at-as [ASN] daemon router 160.10.0.1 at-as 65400 daemon #BGP Interfaces peer 160.10.0.2 peer 160.10.0.2
EWSD routers should be congured with extra information as mentioned in the report (Sesction 5.11.1) and also with the initial P2P sessions of the EWSD. The following commands detail how this can be done.
Note
connect [EWSD IP] router 160.10.0.1 at-as 65400 daemon ..... connect 90.0.0.2 connect 191.9.0.1
The target EWSD of this command must agree on this peering, i.e. they must also have a command to bring up a P2P session with this EWSD
Note
11
as-peers [ASN:COMMUNITY TAG],... router 160.10.0.1 at-as 65400 daemon ..... connect 90.0.0.2 as-peers 19223:provider,8772:customer,1882:customer connect 191.9.0.1
This is required to correctly detect indirect prex hijack attacks
deaggregated [CIDR IP],... router 160.10.0.1 at-as 65400 daemon ..... connect 90.0.0.2 deaggregated 19.0.0.0/16,18.0.0.0/24
This is required to correctly detect deaggregation prex hijacks
12
to-router
20.0.0.0
router 10.20.0.0 at-as 1 route-reector peer 10.0.0.0 peer 10.20.0.1 peer 10.10.0.0 metric 15 peer 10.30.0.0 metric 10 router 10.30.0.0 at-as 1 network 10.30.0.0/8 peer 10.20.0.0 metric 10 peer 20.0.0.0 class provider MED 0 to-router 20.0.0.0 router 20.0.0.0 at-as 2 network 21.0.0.0/8 peer 60.0.0.0 class customer peer 10.10.0.0 class customer peer 10.30.0.0 class customer router 35.0.0.0 at-as 10 network 35.0.0.0/8 peer 35.0.0.1 peer 90.0.0.0 class provider router 35.0.0.1 at-as 10 daemon peer 35.0.0.0 connect 10.20.0.1 as-peers 7:provider router 10.20.0.1 at-as 1 daemon peer 10.20.0.0 connect 90.0.0.1 connect 35.0.0.1 as-peers 2:provider,3:peer router 90.0.0.1 at-as 7 daemon peer 90.0.0.0 peer 80.0.0.0 connect 60.0.0.1 connect 10.20.0.1 as-peers 3:peer,10:customer router 60.0.0.1 at-as 5 daemon peer 60.0.0.0 peer 65.0.0.0 connect 90.0.0.1 as-peers 3:peer,2:provider policy peer open no-ad peer no-ad provider policy provider odot no-ad peer no-ad provider policy customer box policy
None none
13
port 50008,
Simulator Client
Command
Example
global [-i] [-a] [-t prex] [-d] -i: graphical view -a: abstraction, i.e. the graphical view at AS granularity -t: prex trace, overlays a graphical trace for a prex within the view -d: Overlay P2P sessions within the view # global # global -i # global -i -a -t 10.0.0.0/8
The parameters [-a][-d][-t] only apply when the global view is requested as a graphic i.e. [-i] is provided. If the requested view is graphical, the resulting GraphViz text returned by the server is complied locally and stored in the same folder as the client script
Note
14
as [ASN] as 19282
Command
daemon [IP] [-i] [-t prex] IP: IP address of the router running the EWSD -i: indicates that the request is for an image of the EWSD's graph -t: indicates that the request if for an image of all the routes within the current
EWSD's graph for a particular prex, must be used with [-i]
Example
Note
live and hence withdrawals should eect it, the eects of the injection can then be seen with
the array of commands we previously detailed.
Command Example
15
live and hence injected routes should eect it, the eects of the
injection can then be seen with the array of commands we previously detailed.
Command
Example Note
mod-net [prex] [AS-PATH] at [IP] # new-net 21.0.0.0/16 at 21.0.0.1 # mod-net 19.0.0.0/16 9882,4322 at 21.0.0.1
Our BGP simulation dictates that a router prepends the ASN of there AS to the AS-PATH of routes on there announcement
Other information
instance variables of the Daemon/Daemon.py and Globals.py modules relative to the folder ews/. Within these modules you will nd
an explanation code annotations of what each instance variable is used for within our simulation. To view the code annotations of these modules in a user friendly manner open the
index.html le and navigate using the tree structure, on the left hand-side of the screen, to these modules.
documentation/
7.2 Analysis
Our analyzer/evaluator module, an automated client, is a wrapper for our simulation server. It invokes the dierent modules of our code base to automatically execute analysis tests, once these tests are complete there results are displayed graphically to the user. To execute a chosen analysis , navigate to and execute python Attacker.py To choose the test to run you must edit Attacker.py's main method located at the end of the le. Within this method, uncomment tests you would like to run and ensure all other tests are commented out. Below you will nd a list of the tests we have provided and there input parameters
ews/ folder
16
Description
Method Parameters
list of the attack types to simulate and gather data for the fanout attribute to instantiate the automated topology generator with, i.e. implicitly dictate the size of the tested topology (Appendix: section 5.1)
seeded
Indicates if the EWSD deployment and growth should be seeded or not (Report: section 6.3)
Description
Method Parameters
list of the attack types to simulate and gather data for the fanout attribute to instantiate the automated topology generator with, i.e. implicitly dictate the size of the tested topology (Appendix: section 5.1)
seeded
Indicates if the EWSD deployment and growth should be seeded or not (Report: section 6.3)
Description
Method Parameters
the fanout attribute to instantiate the automated topology generator with, i.e. implicitly dictate the size of the tested topology (Appendix: section 5.1) Indicates if the EWSD deployment and growth should be seeded or not (Report: section 6.3)
17
Description
Suppression benets
Schedules simulations, then collects results from these simulations aimed at nding the correlation between the following
Activated suppression modes and attacks detected Activated suppression modes and the solution cost in terms of CRA size and
frequency
Method Parameters
list of the attack types to simulate and gather data for the fanout attribute to instantiate the automated topology generator with, i.e. implicitly dictate the size of the tested topology (Appendix: section 5.1)
daemon_rate
Description
Method Parameters
dictates the maximum FANOUT to analyze for message counts, i.e. analyze all the topologies with FANOUT attribute less then this value The EWSD deployment percentage within the simulated topologies
Description
Method Parameters
dictates the maximum FANOUT to analyze for message counts, i.e. analyze all the topologies with FANOUT attribute less then this value The EWSD deployment percentage within the simulated topologies
18
Code Listing
8.1 Documentation
We have provided with this distribution a detailed documentation of our code base, this documentation describes the modules/classes within our system, there parameters, instance variables, and purpose. To view this documentation navigate to the
Carries out automated analysis tests Contains description of a AS within the simulation Contains description of BGP operation within the simulation Contains support structures for BGP simulation Simulation client Initializes/Manipulates/Queries the simulation topology Cryptographic component of the daemon solution Contains the description of the EWSD main controller component Graph component of the daemon solution Contains path vector implementation of our overlay protocol Contains distance vector implementation of our overlay protocol Contains link state implementation of our overlay protocol Contains support structures for Early waning system components Generates topologies Holds variables global to the simulation Contains (graphical/text) output generating functions Code performance prole viewer Contains description of a router within the simulation Contains live logging functionality Simulation server
Node.py Conguration.py
Daemon
72 715
PVP.py DVP.py LSP.py Structures.py Generator.py Globals.py Printer.py Prole.py Router.py Statistics.py Simulator.py
In summary, we have included approximately we have listed approximately listings reect the segments of code that we believe to be interesting.
of detail, please refer to our distribution folder /ews for the full code
19
25% of our code base, our Our listings omit a vast amount
draw()
xated_attack_analysis())
we
only included a single example because we feel that it is sucient to show how we have wrapped our simulators code to automate our analysis.
Listed :
160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 #
def
f i x a t e d _ a t t a c k _ d e t e c t i o n ( modes , f a n o u t , s e e d e d ) : """ Schedules finding of simulations corelation and injects the BGP attacks within them , of it then collects and results the aimed at
the
amount ( p e r c e n t a g e ) it . to simulate
E S 's W D
running
perecentage
attacks
against
attack
types to
and
gather
data
fanout
attribute if the
instantisate and
the
automated should
topology be seeded
Indicates
E S W D
deployment
growth
import
# fileno #
Simulator , Generator , Globals , S t a t i s t i c s , C o n f i g u r a t i o n , generated under this test will be stored in some
Topologies =
s t r ( i n t ( random ( ) the
100000))
that will hold the results of this test
Instantiate mode
variables
for
in
FIXATED_DETECTION [ mode ]
DETECTION_TIER_DIST [ ' T1 ' ] [ mode ] DETECTION_TIER_DIST [ ' T2 ' ] [ mode ] DETECTION_TIER_DIST [ ' T3 ' ] [ mode ] Generate an initial topology , to
Generator . clean_state ( ) G e n e r a t o r . CONFIG = { "F N U A O T" "ROUTERS_PER_AS" "T2_PEER_PROBABILITY" "T3_PEER_PROBABILITY" "DAEMON_PROBABILITY" "D E O _ A _ E R A M N M X P E S" G e n e r a t o r . g e n e r a t e ( s e e d e d , f i l e n o , True ) # Run the test for deployment levels between 0 : fanout , :1 , :0.6 , :0.3 , :0 , :5} # Initially no E S ' s W D running
100%
in
steps
of
10%
for
i i
in
range ( 0 , 1 0 ) :
+ = 1
Simulator . clean_state ()
if
seeded #
: topologies grow around the seed , the generator has a special function for this
Seeded
Generator . increase_seed_radius ( f i l e n o ,
i / 1 0 . 0 , True )
else
#
Generator . clean_state ( ) G e n e r a t o r . CONFIG = { "F N U A O T" "ROUTERS_PER_AS" "T2_PEER_PROBABILITY" "T3_PEER_PROBABILITY" "DAEMON_PROBABILITY" "D E O _ A _ E R A M N M X P E S" G e n e r a t o r . g e n e r a t e ( s e e d e d , f i l e n o , True ) # Run each type of attack with this topology : fanout , :1 , :0.6 , :0.3 , : i /10.0 , :5}
for
mode #
in
modes : the simulagtors previous state , then reload / load the topology to be tested
Clean
20
209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267
command = # List of =
C o n f i g u r a t i o n . process_command routers within the topology not running an E S W D and not route reflectors
routers
[ ( i p , o b j e c t . as_number )
not
# List of ASes daemonised_ases
for
( ip , o b j e c t )
and not
that are
in
G l o b a l s . ROUTERS . i t e m s ( )
if
[ o b j e c t . as_number
for
( ip , o b j e c t ) ]
in
G l o b a l s . ROUTERS . i t e m s ( )
if\
o b j e c t . r un n i ng _ da e m on
if
l e n ( d a e m o n i s e d _ a s e s ) <=
continue
S t a t i s t i c s .D E O _ O N A M N C U T 1 0 0 / l e n ( G l o b a l s . ASES ) , Highest Detection , Lowest Detection for this attack type with
daemon_p = #A v e r a g e #t h i s
detection
deployment
running
an E S W D by
all
other
ASes
for
victim_as x+=1
in
daemonised_ases :
Simulator . clean_state () C o n f i g u r a t i o n . l o a d _ t o p o l o g y ( " c o n f i g / "+ f i l e n o ) # Choose a router that should announce things at the victim
for
victim_ip , r o u t e r _ o b j e c t
in
Schedule
some
prefix
stime
n e t
"+v i c t i m _ i p+" / 8
at
"+v i c t i m _ i p )
again
chances
to
be
captured + 5
by
daemons
periodic
CRA
flood
attack_length
for
( attacker_ip , attacker_as )
# Each
if
n e t
"+v i c t i m _ i p+" / 8
at
"+a t t a c k e r _ i p ) at "\
"+v i c t i m _ i p+" / 8
if
mode = = "INDIRECT" : skip # if = False already connected then you its not an indirect attack
there
if
in
skip
n e t
"+v i c t i m _ i p+" / 8
"+ s t r ( v i c t i m _ a s )+\
if
n e t
"+v i c t i m _ i p+" / 1 6
at
"+a t t a c k e r _ i p ) at "\
a d d _ e v e n t ( s t i m e+a t t a c k _ l e n g t h , command , " w i t h d r a w +a t t a c k e r _ i p ) stime # Attacks + = attack_length now all + 5 scheaduled , run start this
"+v i c t i m _ i p+" / 1 6
have
been
' Starting
fixated
attack
21
268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 # # If # #
' attacks
scheduled ' ' , i /10.0 ' , x , ' / ' , l e n ( daemonised_ases ) ' , seeded finish time ' , stime
Start
simulation
S i m u l a t o r . s t a r t ( F a l s e , stime , run ) # Simulation has = ended , now collect results regarding attack detection
total_attacks found_n =
l e n ( S t a t i s t i c s . ATTACKS)
l e n ( [ True
for
attack , found
in
S t a t i s t i c s . ATTACKS . i t e m s ( )
if
found
])
found_p # Sum
i n t ( found_n the
100/ t o t a l _ a t t a c k s )
rates undet his mode and deployment . later averaged + = found_p this mode and deployment ?
all
detection
under
if
#
found_p > FIXATED_DETECTION [ mode ] [ daemon_p ] [ 1 ] : FIXATED_DETECTION [ mode ] [ daemon_p ] [ 1 ] is this the lowest derection under this = found_p and deployment ?
mode
if
found_p < FIXATED_DETECTION [ mode ] [ daemon_p ] [ 2 ] : FIXATED_DETECTION [ mode ] [ daemon_p ] [ 2 ] lowest_undetected = [ attack = found_p
i f not
# Log this detection rate under
for
the
attack , found
in
S t a t i s t i c s . ATTACKS . i t e m s ( )
if if if
Clean from
s t r ( victim_as )
in in in
G e n e r a t o r . T1 :
DETECTION_TIER_DIST [ ' T3 ' ] [ mode ] . a p p e n d ( found_p ) up the the stored results , calculate everages , highest and lowest are no diffrences
there
is
variance and
in
rates ,
i . e .
attacks
were
un
detected ,
then
store
the
topology
detected !=
for
manual
review
if
len ( lowest_undetected ) In =
o p e n ( " c o n f i g / "+ f i l e n o )
raw
strings
for
windows
file
Out =
t o p o l o g y .
for
line
in
In :
f a i l i u r e
. config " ,
"w" )
for
ip , s o u r c e
in
732 733 734 735 736 737 738 739 740 741
def
draw ( )
. . . . . . . . . . . . . . . . . . . .
if
!=
[]
'
, ' go
'
, ' bo
' ]
:
for
type
entry
in
FIXATED_DETECTION . i t e m s ( )
22
742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771
xerr , ynegerr s =
= make ( e n t r y , 2 )
line
plot . errorbar (x ,
p l o t . x l a b e l ( '% Daemons ' ) p l o t . y l a b e l ( '% plot . figlegend ( Attacks Detected ' ) right ' ) single target ")
[]
for
t i e r , entry colours =
in
for
type , v a l u e s y = dot
in
entry . items ( ) :
if
type
not in
labels :
h a n d l e s . append ( d o t ) l a b e l s . append ( t y p e ) plot . annotate ( t i e r , x+=1 p l o t . ylim ( [ 0 , 1 0 1 ] ) p l o t . y l a b e l ( ' Average plot . figlegend ( plot . t i t l e ( " Tier . . . . . . . . . Detection %' ) right ' ) xy =(x , 2) , x y t e x t =(x , 2))
8.4 BGP.py
We have included this module fully, since it holds core code to our project, this module represents the BGP
Listed:
13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
class
""" This is a class by description L{ R o u t e r } representing that BGP on on it a router to , as such it . it is this class
class
calls that
simulate and of on IP
L{ BGP_Session } encapsulates
objects this
represent and on
between
that
BGP
object is
@ivar @ivar
router :
L{ R o u t e r } L{map} session
object of all
this
BGP
running to
sessions :
L{ B G P _ S e ss i o n s }
the
address
of
the
router
at
other
@ivar """
table :
L{BGP_Table}
def
__init__ ( s e l f , r o u t e r ) : """ constructor @param """ s e l f . router = router = {} # Sessions For handled the by this BGP object for : BGP the object router this BGP is running on
router
= BGP_Table ( )
# RIB
router
23
32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 new_routes_count # Command all = 0 to recevive and process any BGP messages recevied ' ' ' ibgp
def
start_sessions ( s e l f ): """ Creates once This """ BGP the sessions same by for all valid stay peering up t i l l relationships its bought all , sessions by are are created of the peer .
and is
session the
will
down
either init
end
called
configuraton
module
once
routers
for
in
not
this
accept
bring
if
peer_router_number
continue
= True
in
self . sessions
or not
if
p e e r _ r o u t e r . as_number = =
s e l f . r o u t e r . as_number
else
BGP
False
session # add
= BGP_Session ( s e l f . r o u t e r , p e e r _ r o u t e r , i b g p ) session to this BGP protocol = and to the peer target protocol
the
s e l f . s e s s i o n s [ peer_router_number ]
session
peer_router . accept_session ( s e l f . router , s e s s i o n ) ' ' ' s e l f . r o u t e r . l o g . a p p e n d ( "BGP session : "+ p e e r _ r o u t e r . number+" AS + " iBGP = " "+\ +s t r ( i b g p ) ) "+\ +s t r ( i b g p ) )
s t r ( s e l f . r o u t e r . as_number )
def
simulate ( s e l f ) : """ Method sending @return """ # If there = are changes to the RIB command all sessions to transmit them then clear them used all to command to this the of BGP RIB new protocol to run and a single simulation all step , this on consists Sessions of
changes :
and
reciving
processing
messages
sent
Integer
number
routes
learned
sessions
self . sessions > 0: , they dont : sent routing info , only listen
if
BGP
i f not s e l f . r o u t e r . r un n in g _ da e mo n for i p in s e s s i o n s :
s e l f . t a b l e . delete_change ( )
s e s s i o n s [ i p ] . send ( s e l f . ro u te r , s e l f . t a b l e )
sessions :
for
ip
in
sessions =
count
new_routes_count + =
return class
new_routes_count
BGP_Session :
""" BGP whom Session have class object , this it object represents sending a BGP session running between on bother two routers who
sucessfully session
peered .
handles
and
reciving
messages
routers
this
peer_a : peer_b :
L{ R o u t e r } L{ R o u t e r }
at at
end end
A B
of of for for
the the
router router is an
indicator
session
iBGP
session
def
24
91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149
s e l f . peer_b
peer_b = = [] []
ibgp_peer
def
send ( s e l f , sender , s e n d e r s _ t a b l e ) : """ Called UPDATE them in when changes to to the RIB other at the of one end of are detected , it and makes places
notify
end
link
these
changes
sender
senders_table
router
messages
= =
[] [] out what side of in s e n d e r . number = = s e l f . p e e r _ a . number the link the reciver is on so we know who is reciving and
figure to
queue =
put
the
messages
target_que reciver =
s e l f . peer_b_que
s e l f . peer_b
if
if
s e n d e r . number = =
s e l f . p e e r _ a . number
else
else
s e l f . peer_a_que
s e l f . peer_a
# For # for
every that
prefix prefix
that or
has
changed if if
in it
our is
table no
send in
all our
the table
new / c h a n g e d
routes
heard
withdraw
longer
for
prefix #
in
senders_table . changes : does not exist an ym o re than this : flag was to indicate a complete withdrawal
prefix
i f not
s e n d e r s _ t a b l e . has_entry ( p r e f i x )
withdrawn . append ( p r e f i x )
continue
entry = senders_table . get ( p r e f i x ) to send all the changed routes : a n ym or e than this entry flag is to indicate a route under the changed prefix # Attempt
for
route_number # # if this
in
route
withdrawal
( previous
best
route ) :
if
route_number
not in
entry . routes
withdrawn . append ( p r e f i x )
continue
route # if = we e n t r y . g e t _ r o u t e ( route_number ) are sending to a classed != link , only \ G l o b a l s . POLICIES [ r o u t e [ CONFEDERATION_LOC ] ] : send route if our policy permits
if
# Dont
it
from :
the
router
were
sending
to
now
if if
continue
ibgp except if the sender is a RR
# Dont
heard
r o u t e [H A D F O _ B P L C] E R _ R M I G _ O
and
s e l f . ibgp
and not
sender . route_reflector :
continue
origin
r o u t e [ ORIGIN_LOC ]
i f not
#
s e l f . ibgp : Sending to iBGP , attach your ASN , M D E , clear attributes transitive over
# iBGP as_path
next_hop
next_hop_as med =
s e l f . get_med ( p r e f i x , s e n d e r , r e c i v e r ) = 0 = None 0
local_pref igp_dist =
confederation
else :
# If were sending over iBGP then preserve attributes , save the iBGP metric
25
150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 # if no # # if
that
should = =
be
changed
as_path
r o u t e [AS_PATH_LOC] r o u t e [N X _ O _ O E T H P L C] = r o u t e [N X _ O _ S L C] E T H P A _ O
next_hop
next_hop_as med =
r o u t e [M D L C] E _ O = r o u t e [ LOCAL_PREF_LOC ] + s e n d e r . p e e r _ m e t r i c [ r e c i v e r . number ]
local_pref igp_dist =
r o u t e [ IGP_DIST_LOC ] =
confederation
r o u t e [ CONFEDERATION_LOC ]
added_flag # add
prefix
for
message
if
in
messages :
break
prefix could not be added to any message then add it to a new one with the prefix ' s route : attributes
i f not
added_flag
m e s s a g e s . a p p e n d ( U p d a t e ( p r e f i x , o r i g i n , a s _ p a t h , next_hop , next_hop_as , \ med , l o c a l _ p r e f , i g p _ d i s t , c o n f e d e r a t i o n ) ) messages exist = = 0 we create a dummy message > 0: to hold the withdrawals
if
l e n ( messages ) path =
and
=
l e n ( withdrawn )
s e l f . ibgp
m e s s a g e s . a p p e n d ( U p d a t e ( ' ' , ' ' , p a t h , ' ' , ' ' , ' ' , ' ' , ' ' , None ) ) # Choose any message > 0 to to : put any withdrawals we have = in them
l e n ( withdrawn ) all
# Add
messages
the :
the
message
in
messages
t a r g e t _ q u e . append ( m e s s a g e )
messages [ : ]
receive ( self , reciver , reciver_table ): """ Used from to the receive BGP messages via this BGP session on one end , m e s s a g e s are processed
receivers :
queue L{ R o u t e r } : object of the router to reciving update on this the session BGP updates
receiver
receiver_table
with
received
# # W E COULD # determine =
just what
access queue
the
RIB
though to the
the
router end
object
but
that
l o n g ( r o u t e r . bgp . t a b l e )
belongs
reciving
input_que sender =
s e l f . peer_a_que
s e l f . peer_b
if
if
r e c i v e r . number = =
s e l f . p e e r _ a . number
r e c i v e r . number = =
s e l f . p e e r _ a . number
else
else
s e l f . peer_b_que
s e l f . peer_a
for
message
in
new_routes_count + =
recivers : : : Update
based
on BGP
selection
L{ U p d a t e } for for the the reciving end that end sent of the session message
L{ R o u t e r } L{ R o u t e r }
object object
this
26
209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267
reciver_table
to
update
with
this
message
consider
routes
that
have
your
ASN
in
them : on
if
#
in
return
the
0 filters
within
receivers
message # Speed
s e l f . a p p l y _ m e d _ f i l t e r ( message , r e c i v e r )
withdrawn
for
prefix
if
in
message . withdrawn
table_has_entry ( p r e f i x ) entry =
reciver_table . get ( p r e f i x ) = None all routes ( can under only be this one withdrawn due to prefix heard replace from in the sender of
message
implicit
BGP_Table_Entry )
for
id , r o u t e
if
in
r o u t e [H A D F O _ O E R _ R M L C]
del
entry . routes [ id ] = id
remove_id
if
break
len ( entry . routes ) # Run # # then knock out > 0 : to see who if is the is our current changes best as winner to after the withdrawl will algorithim the a table change is to if not
command be a
check
there was
this
entry
, there
definately send if
# on
route
marked :
changed
if else
#
e n t r y . best_route_number = = remove_id
e n t r y . c h a n g e s . append ( remove_id )
s e l f . knockout ( e n t r y ) r e c i v e r _ t a b l e . check_change ( p r e f i x ) : alternatively just found tell and if the no routes are left then remove has the prefix , on altogether if the prefix is
# and # not
table as
that
the
prefix it is
changed as
send
marked
changed
assumed
withdrawn
del
r e c i v e r _ t a b l e . c h a n g e s . append ( p r e f i x )
Handle
all
announced
prefixes :
in
the
Update
message
for
prefix # apply
in
message . n l r i pref =
local
filters
and
discover
the
local
pref
value
for
this
route
prefix_local_pref
i f not
entry # # the =
table_has_entry ( p r e f i x ) IS C M U I Y O M NT
# CONFEDERATION
our
TO LONG TO C A G H N E
reciver_table . get ( p r e f i x ) tag use is what ibgp peer tag specified , of the if not an ibgp peer or
confederation , then
unspecified =
the
confederation
peering
relationship != None ) \
confed
message . c o n f e d e r a t i o n
else
# add # this previous
if
( s e l f . ibgp
and
, the
message . c o n f e d e r a t i o n
r e c i v e r . p e e r _ c l a s s [ s e n d e r . number ] as a new route for the prefix of or the route will implicitly replace
route route
though
internal
operation
BGP
table
e n t r y . a d d _ r o u t e ( m e s s a g e . o r i g i n , m e s s a g e . a s _ p a t h , m e s s a g e . next_hop , m e s s a g e . next_hop_as , \ m e s s a g e . med , p r e f i x _ l o c a l _ p r e f , s e n d e r . number , s e l f . i b g p , c o n f e d , \ message . i g p _ d i s t ) # Run knock out algorithim to see who is the current winner after this new announcment
s e l f . knockout ( en t r y ) r e c i v e r _ t a b l e . check_change ( p r e f i x )
return def
l e n ( message . n l r i )
l e n ( message . withdrawn )
knockout ( s e l f , e n tr y ) : """
27
268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326
Runs route of
Knock the
out entry of
on the so
RIB
prefix , be the
that route
identifies is then
the
prefix could
marked
changes
that entry :
entry
it
sent of the
@param """
param
L{ BGP_Table_Entry }
table
to
run
the
K.O
algo
on
copy ( e n t r y . r o u t e s . k e y s ( ) )
entry . get_route
while
""" Knock out algorithim the that continually the compares with first two elements of the route_numbers to there values are 1
elements
routes
route is
numbers
route
selection
comparision
applied .
loop
route_number
has
( Winner )
g e t _ r o u t e ( route_numbers [ 0 ] ) = l e n ( r o u t e _ a [AS_PATH_LOC ] . s p l i t ( ) )
route_a_as_count route_b =
g e t _ r o u t e ( route_numbers [ 1 ] ) = l e n ( r o u t e _ b [AS_PATH_LOC ] . s p l i t ( ) )
route_b_as_count
Highest
if
r o u t e _ a [ LOCAL_PREF_LOC ]
i f r o u t e _ a [ LOCAL_PREF_LOC ] e l s e : pop ( 1 )
shortest AS PATH != >
# Then
elif
route_a_as_count
route_b_as_count route_b_as_count
: : pop ( 0 )
i f route_a_as_count e l s e : pop ( 1 )
Lowest M D E r o u t e _ a [M D L C] E _ O
# Then
elif
!=
None
and
r o u t e _ b [M D L C] E _ O
!=
None
r o u t e _ a [N X _ O _ S L C] E T H P A _ O r o u t e _ a [M D L C] E _ O != >
= = r o u t e _ b [N X _ O _ S L C] E T H P A _ O : pop ( 0 )
and and
\ \
r o u t e _ b [M D L C] E _ O :
i f r o u t e _ a [MED_LOC] e l s e : pop ( 1 )
# eBGP over iBGP
r o u t e _ b [M D L C] E _ O
elif
r o u t e _ a [H A D F O _ B P L C] E R _ R M I G _ O
!= :
r o u t e _ b [H A D F O _ B P L C ] : E R _ R M I G _ O pop ( 0 )
i f r o u t e _ a [HEARD_FROM_IBGP_LOC] e l s e : pop ( 1 )
IGP metric != > r o u t e _ a [ IGP_DIST_LOC ]
Lowest
elif
r o u t e _ b [ IGP_DIST_LOC ] r o u t e _ b [ IGP_DIST_LOC ]
: : pop ( 0 )
i f r o u t e _ a [ IGP_DIST_LOC ] e l s e : pop ( 1 )
Breaker
Tie
else : if
>
\ pop ( 0 )
else
# # if the
pop ( 1 ) = a pop ( ) diffrent route to the previous best route then add it to
prefix
change != e n t r y . best_route_number :
if
best_route_number
if
best_route_number
not in
=
entry . changes
e n t r y . c h a n g e s . append ( best_route_number )
e n t r y . best_route_number
best_route_number
def
value
for
prefix
within
recived
BGP
update
message
@param
BGP L{ U p d a t e }
message
28
327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370
prefix reciver
: :
specific the
prefix
within of
the the
L{ R o u t e r }
object
p r e f
if
s e l f . ibgp
message . l o c a l _ p r e f
( p r e f i x , m e s s a g e . next_hop )
in
reciver . local_pref_prefix_router_filter :
r e c i v e r . l o c a l _ p r e f _ p r e f i x _ r o u t e r _ f i l t e r [ ( p r e f i x , m e s s a g e . next_hop ) ]
( p r e f i x , m e s s a g e . next_hop_as )
in
reciver . local_pref_prefix_as_filter
r e c i v e r . l o c a l _ p r e f _ p r e f i x _ a s _ f i l t e r [ ( p r e f i x , m e s s a g e . next_hop_as ) ]
m e s s a g e . next_hop
in
reciver . local_pref_router_filter :
r e c i v e r . l o c a l _ p r e f _ r o u t e r _ f i l t e r [ m e s s a g e . next_hop ]
m e s s a g e . next_hop_as
in
reciver . local_pref_as_filter
r e c i v e r . l o c a l _ p r e f _ a s _ f i l t e r [ m e s s a g e . next_hop_as ] dont confuse myself , i could is just return except message . l o c a l _ p r e f if were sending over to the same effect ,
just
becuase 0
when
sending
local_pref
cleared
IBGP
return def
get_med ( s e l f , p r e f i x , s e n d e r , r e c i v e r ) : """ Used to return prefix reciver sender the : : : M D E value for to a prefix we the the the are M D E about for that that will is recieve this M D E to send to <s e n d e r >
prefix
L{ R o u t e r } L{ R o u t e r }
router router
sending
this
message
if
( p r e f i x , r e c i v e r . number )
in
sender . MED_prefix_router_filter :
s e n d e r . M E D _ p r e f i x _ r o u t e r _ f i l t e r [ ( p r e f i x , r e c i v e r . number ) ]
( p r e f i x , r e c i v e r . as_number )
in
s e n d e r . MED_prefix_as_filter
s e n d e r . M E D _ p r e f i x _ a s _ f i l t e r [ ( p r e f i x , r e c i v e r . as_number ) ]
r e c i v e r . number
in
s e n d e r . MED_router_filter :
s e n d e r . M E D _ r o u t e r _ f i l t e r [ r e c i v e r . number ]
def
a p p l y _ m e d _ f i l t e r ( s e l f , message , r e c i v e r ) : """ method @param @param """ used to apply : : BGP the M D E filters to recived BGP L{ U p d a t e } messages
message reciver
Update Router
if
r e c i v e r . ignore_all_med
( m e s s a g e . next_hop
in
or
( m e s s a g e . next_hop_as :
in
r e c i v e r . ignore_as_med )
or
r e c i v e r . ignore_router_med )
m e s s a g e . med = None
return
message
8.5 BGP_Structures.py
To complement the full listing of our BGP implementation code (BGP.py) we will also fully list the support structures used by BGP.py, together BGP.py and BGP_Structures.py describe implementation.
fully
our BGP
Listed:
7 8 9 #
Indexes
ORIGIN_LOC =
AS_PATH_LOC =
29
10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68
N X _ O _ O E T H P L C =
2 3
N X _ O _ S L C = E T H P A _ O M D L C = E _ O 4 5 6
LOCAL_PREF_LOC = H A D F O _ O E R _ R M L C =
H A D F O _B P L C = E R _ R M I G _ O CONFEDERATION_LOC = IGP_DIST_LOC = 9 8
class
Update :
def
__init__ ( s e l f , p r e f i x , o r i g i n , a s _ p a t h , next_hop , next_hop_as , med , l o c a l _ p r e f , igp_dist , c o n f e d e r a t i o n ) : """ method be """ self . origin = = origin as_path next_hop = next_hop_as used to to it initialise along with a BGP all update its messages , to initialise requierd a BGP message a prefix must
passed
attributes
that
are
for
an UPDATE
message
s e l f . as_path
s e l f . next_hop
local_pref
s e l f . withdrawn s e l f . igp_dist
[] igp_dist = confederation
s e l f . confederation
if def
prefix
!=
' '
s e l f . n l r i . append ( p r e f i x )
a c c e p t _ p r e f i x ( s e l f , p r e f i x , o r i g i n , a s _ p a t h , next_hop , next_hop_as , med , l o c a l _ p r e f , igp_dist , c o n f e d e r a t i o n ) : """ method same nlri """ used to accept a as p r e f i x / route the prefix into that this messages nlri , i . e . if the we prefix add it has to the
route / a tt r i bu te s
initialised
this
message
then
the
if
self . origin
= =
origin
\ \ \ \
s e l f . as_path = = as_path
s e l f . next_hop = = next_hop
= =
igp_dist = =
s e l f . confederation
confederation :
s e l f . n l r i . append ( p r e f i x )
""" Represents @ivar @ivar """ the RIB on a of router running to BGP L{ BGP_Table_Entry } ' s changes within them
entrys : changes :
L{map}
prefixes of
there that
L{ l i s t }
prefixes
have
def
30
69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 @ivar @ivar @ivar route_count best_route_number changes : : :
def
items ( s e l f ) : """ returns """ items for entrys held within the RIB
return def
s e l f . entrys . items ()
add ( s e l f , e n t r y ) : """ Adds an entry entry : to the RIB object representing an entry for a prefix
@param """
L{ BGP_Table_Entry }
s e l f . entrys [ entry . p r e f i x ]
entry
def
get ( s e l f , p r e f i x ) : """ Returns @param @return """ the entry : for a given to prefix entry for a for specified prefix
prefix :
prefix
retrive entry }
L{ BGP_Table_Entry
return def
s e l f . entrys [ prefix ]
has_entry ( s e l f , p r e f i x ) : """ returns @param @return """ the status : of an to entrys check entry existance entrys exists , for a given for prefix
prefix : True
prefix if
existance False
prefix
otherwise
i f p r e f i x in return F a l s e def
s e l f . entrys
return
True
check_change ( s e l f , p r e f i x ) : """ method @param """ that checks the if the prefix to entry for a prefix for has any changed routes within it
prefix :
prefix
check
change
state
if def
!=
and
prefix
not in
s e l f . changes
delete_change ( s e l f ) : """ method """ that clears all changes from this table
for
prefix # # if it
in
s e l f . changes : change exists flag and was we not must for the complete list of removal changed of a prefix then
this s t i l l
clear
its
routes
if class del
prefix
del
in
s e l f . entrys :
s e l f . entrys [ p r e f i x ] . changes [ : ]
s e l f . changes [ : ]
BGP_Table_Entry :
""" Represents @ivar @ivar @ivar a structure for : : : an the entry prefix of of for a prefix BGP ids in the BGP RIB is for for is this prefix from to the id of the L{BGP_Table}
table to
entry
routes a
heard route
addresses
heard
heard of id all routes of the currently best route ids in for the table entry
number route of
this
prefix
list
the
route
that
have
changed
31
128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 s e l f . r o u t e s [ route_id ] """ Adds a heard : route id self . prefix s e l f . routes = = prefix {} """
( new
winner
or
implict
replace
or
withdrawn )
def
__init__ ( s e l f , p r e f i x ) :
s e l f . heard_from_to_id s e l f . route_count = 0
{}
s e l f . best_route_number s e l f . changes = []
= None
def
for of
this the
prefix
to
this
entry
route
added
route
s e l f . route_count
if
heard_from route_id
in
s e l f . heard_from_to_id :
if else
#
s e l f . best_route_number = = #I m p l i c i t l y replaced ,
but
send
def
return
""" returns @param @return """
route_id
get_route ( s e l f , route_id ) :
the
route :
tuple the id
for of
route_id : the
the
L{ t u p l e }
holding
information
return def
s e l f . r o u t e s [ route_id ]
get_best_route ( s e l f ) : """ returns @return """ the : route tuple for the best route route for this entry
the
L{ t u p l e }
holding
information
return
s e l f . g e t _ r o u t e ( s e l f . best_route_number )
8.6 Daemon.py
This module is the controller for an EWSD within our simulator, from this module we have included
some
of its methods that describe some key operations it carries out. We have omitted half of this module, the omitted code consists of the P2P_session implementation/class, methods that handle an EWSDs periodic, and many helper methods e.g. ood, deaggregation_check.
Listed:
32
def
accept_session ( s e l f , session ) : """ Used if to accept daemon peer : Session the daemon session proposed by the other daemon connection is attempts to from accept other , or daemons if the , accepts is the session for a
the
preconfigured
daemon
waiting
the
session
is
proposed
to
us
then
we :
are
at
end
of
the
session
if
s e s s i o n . enda [ 0 ]
in
s e l f . configured_peers
s e l f . p e e r _ s e s s i o n s [ s e s s i o n . enda [ 0 ] . i p ]
session
s e l f . c o n f i g u r e d _ p e e r s . remove ( s e s s i o n . enda [ 0 ] )
elif
return
True : = session
s e l f . awaiting_random_peer
return
return
False
True
def
new_sessions_handler ( s e l f ) : """ method these used peers to try and have bring been a peering sessions manually with or by configured accepting peers an RPR .
could
configured over IP
here
happen
through
direct
communication
through
daemon
objects
for
peer
in if
s e l f . configured_peers =
session
P2P_Session ( s e l f , p e e r )
peer . ip , '
s e l f . c o n f i g u r e d _ p e e r s . remove ( p e e r )
160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183
def
i s _ v a l i d ( s e l f , message ) : """ Used to 1. 2. check if if key the the that a received of is or the of with be a message is is valid as , applies daemon the several checks which are as follows
source message it
the
this
then
then
ensure
that
verifies AS number
within it
public change ) be
key ( i f
any )
held
within
may
messages no key
signature or
can
using
the is
key
we
have
for
the
AS
that
sent
it
held
cannot is
verify +
message
message
time to
stamp
the
stamp
window
L{ M e s s a g e } True if
the
m e s s a g e . g e t S t a t e ( "SOURCE_AS" )
m e s s a g e . g e t S t a t e ( "TYPE" )
if
source
= =
s e l f . advertised_as
: s e l f . c r y p t e r . public_key :
if
type
= = PKE_TYPE #p r i n t
and
m e s s a g e . g e t S t a t e ( "PUBLIC_KEY" ) ! =
' Hijack ' ' Public Key ' , m e s s a g e . g e t S t a t e ( "CONTACT_IP" ) , ' ')
s e l f . a d d _ t o _ l o g (KEY_HIJACK,
elif
return
type # Must
False : either internal public key , or held private key ( key \ change )
i f not
( s e l f . c r y p t e r . v e r i f y ( m e s s a g e , m e s s a g e . g e t S t a t e ( "PUBLIC_KEY" ) )
33
184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 #I f
or s e l f . c r y p t e r . v e r i f y ( m e s s a g e ) ) : return F a l s e
# Timestamp # should be window does not apply changed to , PKE when messages , changed whole then point is that will they not veirfy replayed until old PKE ' s
return
we cant
True verify the message using the crypter component then message is invalid
# OBSELETE, time_window
m e s s a g e . g e t S t a t e ( "TIMESTAMP" )
return F a l s e return T r u e
if
a b s ( time_window )
> T M _ T M _ I D W: I E S A P WN O
def
p r o c e s s _ c r a ( s e l f , s o u r c e _ s e s s i o n , message ) : """ Bounces had and received CRA messages onto in it the the graph graph processor then on this the daemon , on if to the all CRA message ,
paths
flood
message
peers
inspect
uncovers
session
this
message
actual
L{ M e s s a g e }
heard
if
source_session )
def
process_pke ( s e l f , s o u r c e _ s e s s i o n , message ) : """ Used the if to handle key is validated within new or it PKE into a messages our , handling for then the the AS PKE entails in an the attempt PKE . to assert
store
causes the
conflict this
flood was
session
message
heard
actual
L{ M e s s a g e }
heard
s e l f . c r y p t e r . commit ( m e s s a g e ) = = KEY_COMMITED_SIGNAL
if
signal
if
or
signal :
= = KEY_CONFLICT_SIGNAL :
signal True
= = KEY_CONFLICT_SIGNAL
s e l f . f l o o d _ m e s s a g e ( m e s s a g e , s o u r c e _ s e s s i o n , True )
def
p r o c e s s _ r p r ( s e l f , s o u r c e _ s e s s i o n , message ) : """ When we receive has less a RPR than < message 5 100 hops then left , we accept it if we have space for on to peering a and the session
message if it
otherwise
bounce
the
message
random
peer
has
0 >
hops
the
actual
L{ M e s s a g e }
heard
if
hops c_ip
in
and
len ( s e l f . peer_sessions ) :
<
s e l f . maximum_peerings
and not \
s e l f . peer_sessions
34
240 241 242 243 244 245 246 247 248 249
communication pulling up
will the
now
happen
over for
IP
directly ip in
, the
so
we
simualte message
# by #
daemon for
object
the
RPR
and
configured
peers =
later
connection
source_daemon
G l o b a l s . ROUTERS [ c _ i p ] . daemon
s e l f . c o n f i g u r e d _ p e e r s . append ( source_daemon )
elif
return
hops != 0
and
hops
<
64
m e s s a g e . s e t S t a t e ( "HOPS" , h o p s session =
1)
s e s s i o n . transmit_message ( s e l f . ip , message )
def
a l e r t _ h a n d l e r ( s e l f , message ) : """ Processes daemon on its a recived , it CRA message all that caused , path ) router this a state pairs change for to in the attempts and threats
Graph
checks AS
( prefix AS its
hijack
represented message :
i . e .
the
belongs daemon
L{ M e s s a g e }
received
by
m e s s a g e . g e t S t a t e ( "P AY LO AD" ) from the fast the AS it BGP is table of the on router this daemon ' ' is running on all the prefixes
Identify by
running
i . e .
AS PATH =
for = {}
lookup
for
entry
for
in
s e l f . bgp_table . e n t r y s . v a l u e s ( ) :
route
if
in
r o u t e [AS_PATH_LOC]
l o c a l [ entry . p r e f i x ]
break for
prefix
if
in
If
payload
prefix # #
in
this
look
for
prefix
hijacks
for
path
in
=
payload [ p r e f i x ] : l e n ( path )
length
if
path [ l e n g t h
1]
!=
1]
prefix , ' System '+c a u s e , path )
s e l f . a d d _ t o _ l o g (DIRECT_PREFIX_HIJACK,
if elif
( prefix , cause )
in
S t a t i s t i c s . ATTACKS : = True
and
path [ l e n g t h
2 ] not in
path
i . e .
shows
2]
prefix , ' System '+c a u s e , path ) S t a t i s t i c s . ATTACKS : = True
s e l f . a d d _ t o _ l o g ( INDIRECT_PREFIX_HIJACK ,
if else : if
( prefix , cause )
in
S t a t i s t i c s . ATTACKS [ ( p r e f i x , c a u s e ) ]
prefix #
in
s e l f . graph . p r e f i x _ p a t h s : may not = be in the map if triples not in map used alone
Prefix
lowest , highest
s e l f . graph . g e t _ p r e f i x _ t r u s t _ m e t r i c s ( p r e f i x )
if
highest [ 0 ] lowest [ 0 ]
and
is
lowest [ 1 ]
in
only
payload [ p r e f i x ]
and
highest
i . e .
# UNTRUSTED ROUTE
this
35
296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 # Check # # If
# and
it
has
the
worst
triple
S t a t i s t i c s .THIRD_PARTY_ATTACKS[ p r e f i x ] s e l f . a d d _ t o _ l o g (UNTRUSTED_PATH_SEEN, str ( lowest [ 2 ] ) , this for prefix is not explicitly attacks
look
DEAGGREGATION =
check_format
p r e f i x . r s p l i t ( "/" )
for
local_prefix
if
in
local : : daemons AS
s e l f . deaggregate_check ( l o c a l _ p r e f i x . r s p l i t ( "/" ) , check_format ) # if this the prefix daemon is was a deaggregation not told it of any be prefix owned by then
the
# and
could
deaggregated
warn
if
local_prefix
break
= =
in
s e l f . deaggregate_prefixes :
path cause
1]
if
( local_prefix , cause )
in
S t a t i s t i c s . ATTACKS [ ( l o c a l _ p r e f i x , c a u s e ) ] s e l f . a d d _ t o _ l o g (DEAGGREGATION_HIJACK,
local_prefix ,
break
every path for policy violations
for
path
if
in if
payload [ p r e f i x ] :
s t r ( s e l f . advertised_as ) index =
in
path :
index t f = = f
path [ index
1 and 1]
index
>
0:
p a t h [ i n d e x +1]
if
in s e l f . a s _ p e e r s and t in s e l f . a s _ p e e r s : i f s e l f . a s _ p e e r s [ t ] in G l o b a l s . POLICIES [ s e l f
s e l f . a d d _ t o _ l o g (POLICY_VIOLATION,
prefix ,
def
graph_handler ( s e l f ) : """ Periodically all routes it reasserts sees that all current its routes into the graph , uses it and , it then floods used by commit the that check a
pass
suppression modes
modes
the into
methods the
routes if
validity are
against to
suppression the
then
insert message
graph
( namely
accept ()
method
there
paths to
send it
generate
a CRA
flood
it .
the the
graph log to
keep it
live
keep
live
payload , s i z e
{} ,0
for
( prefix , entry )
for
route
in
=
in
s e l f . bgp_table . i t e m s ( ) :
as_path
if
s e l f . g r a p h . a c c e p t ( p r e f i x , as_path , 2
ASSERTION_RATE ) :
= [ as_path ]
if
size
>
message message
ASSERTION_RATE, G l o b a l s . TIME ,
s e l f . SEQ)
36
8.7 Graph.py
We have included for this module the methods that handle suppression/re-suppression lters. We have omitted methods that handle the maintenance(expiry/addition/deletion) of this modules internal store. We have also omitted the classes that describe the structures used for the internal store of this module e.g. path store, triple store.
Listed:
80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128
def
seen
for not
the be
@return : """
should
SUPPRESSION =
G l o b a l s . SUPPRESSION = = 0 :
return F a l s e and s e l f . i s _ c l o s e s t ( a s _ p a t h , p r e f i x ) ) or \ (TRIPLES_NOT_IN_MAP in SUPPRESSION and s e l f . h a s _ t r i p l e s _ n o t _ i n _ m a p ( a s _ p a t h , p r e f i x ) ) or \ (NOT_SUBSET_OF_CLOSEST in SUPPRESSION and s e l f . i s _ n o t _ s u b s e t _ o f _ c l o s e s t ( a s _ p a t h , prefix ))) return T r u e return F a l s e
SUPPRESSION
def
r e a s s e r t ( s e l f , as_path , p r e f i x ) : """ Applys however modes @param @param prefix as_path True : : if the the this prefix AS PATH path the activated path is suppression a modes and in we this must simulation check that to it a path seen passes for the a prefix , suppression
this
reassertion
s t i l l
seen
for not
the be
@return : """
should
SUPPRESSION = length =
G l o b a l s . SUPPRESSION
l e n ( as_path ) = = 0 of :
if
# a #
return
equally
clos
keyed
paths
source
closest_paths src =
s e l f . get_closest_paths ( p r e f i x )
as_path [ l e n g t h
1]
mode is with on then the path must source be in one the of the equally close
if
CLOSEST # # If
in
CLOSEST seen
paths
prefix
the :
particular
as_path
if
if
# #
as_path
in
closest_paths [ src ] [ 0 ]
TRIPLES_NOT_IN_MAP If
in
if
return
is
True
SUPPRESSION
: mode on then triple this will path must have atleast one
suppression path 0 is
triple
the =
deleted
the
expire
#i . e
Refrence
if else :
if
l e n g t h <=
s e l f . t r i p l e s [ as_path ] [ 0 ]
1 = = 0
return
True
a ,b, c
length
3 , l e n g t h 2 , l e n g t h 1
1 = = 0:
1 , b 1 , c 1
if
NOT_SUBSET_OF_CLOSEST # If
in
SUPPRESSION
NOT_SUBSET_OF_CLOSEST
suppression
37
129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187
# #
path
such
that
this
path
is
a in
subset the
of
it
except
this
path
itself
becuase = =
its
obviously
s t i l l
map
size paths
for
closest
if
#
in
paths
: :
closest If this = 1
= = as_path path is a
continue
of any path expet itself then fail
subset
index
index ]
and
index
!=
True
False
get_closest_paths ( s e l f , p r e f i x ) : """ Gets the paths stored in the graph that are equally close in terms of hop counts for a
prefix @return : """ closest # for = {} path that the table holds for the prefix L{map} in format C{ ( p r e f i x source , ( paths length , l i s t ( paths ) ) ) }
every
for
path #
in
=
s e l f . prefix_paths [ p r e f i x ] . paths . keys ( ) : is its first hop , ( in last index ) . BGP prepends
source
l e n ( path )
path [ l e n g t h
1]
: = [ [ path ] , l e n g t h ] : then the other paths then reset the list of paths
if
not in
<
closest
closest [ src ]
elif
#
length if
this
elif
#
length if it
= = is
then
c l o s e s t [ s r c ] [ 0 ] . append ( p a t h )
return def
closest
i s _ c l o s e s t ( s e l f , as_path , p r e f i x ) : """ Returns for in the the true if this as_path of it to check path is for by previous definition , False otherwise is the the closest i . e . path no seen for the for prefix this prefix from this source
particular map is as
source as
path
other
path
close the
@param @param
path prefix
the if
the is
@return : """ # if we
as_path
the
closest
dont
even
have
the
prefix
then :
obviously True
its
the
closes
if
prefix
not in
=
s e l f . prefix_paths
return
s e l f . get_closest_paths ( p r e f i x )
l e n ( as_path )
as_path [ l e n g t h
1]
:
return
:
True
length
return
True
ha s _t ri pl es _n ot _i n_ ma p ( s e l f , as_path , p r e f i x ) : """
38
188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225
true
if
as_path path to
has check
triple
not
previously
known
to
this
graph
prefix
the has
path
is
if
as_path
atleast
l e n ( as_path ) 2 :
if
l e n g t h <=
else :
if
as_path
not in
self . triples
return
True
a ,b, c
length
3 , l e n g t h 2 , l e n g t h 1
self . triples :
1 , b 1 , c 1
return def
False
i s _ n o t _ s u b s e t _ o f _ c l o s e s t ( s e l f , as_path , p r e f i x ) : """ Returns this true if this as_path source to check path a is for of any prefix seen for the path , False otherwise is not a subset of any prefix seen for this path with
paths
@param @param
path prefix
the is
@return : """
as_path
not
subset
if
prefix
not in
=
s e l f . prefix_paths
return
True
s e l f . get_closest_paths ( p r e f i x )
l e n ( as_path )
as_path [ l e n g t h
1]
:
if for
not in in
1
closest_paths
return
True
size paths
closest index =
index ]
and
index
!=
return
True
8.8 PVP.py
We have included for this module the core algorithm for our overlay protocol, we have omitted the structure (Table_Entry) that the algorithm makes use of as it is very similar to a BGP structure previously listed.
Listed:
7 8 9 10 11 12 13 14 15 16 17
class
PVP :
som E S W D machine @ivar @ivar @ivar @ivar @ivar """ routing_base : session_info : changes : holds the maps the routing its list the to table of the instance to exponential whose an enties dist . have metrics changed was received
sessions
destinations time at
last_change : daemon : a
holds
which object
announcment this
refrence
L{Daemon}
owning
protocol
def
__init__ ( s e l f , daemon ) :
39
18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76
= =
{ daemon . a d v e r t i s e d _ a s {} [] 0
= =
s e l f . last_change
G l o b a l s . TIME
s e l f . daemon = daemon
def
session_up ( s e l f , s e s s i o n ) : """ Called @param """ s e l f . session_info [ session ] s e l f . metric_vector # Send the full + = 1 over that session = 20 by the owner E S W D the to indicate that a new just session been has come online
session :
L{ P 2 P _ S e s s i o n }
that
has
bought
online
s e l f
. metric_vector
RIB
s e l f . g e n e r e r a t e ( s e s s i o n , s e l f . s e s s i o n _ i n f o [ s e s s i o n ] , True )
def
session_down ( s e l f , s e s s i o n ) : """ Called @param """ by the owner E S W D the to indicate that a session just has come offline offline
session :
L{ P 2 P _ S e s s i o n }
that
has
been
bought
in
s e l f . routing_base . keys ( )
: session )
s e l f . handle_session_withdraw ( d e s t i n a t i o n ,
handle_session_withdraw ( s e l f , d e s t i n a t i o n , s e s s i o n ) : """ Handles a a RIB a session a withdrawal is event , called for every destination for session within
when
session
offline , it is
likewise
called a
particular
destination :
withdrawn
from was it
particular withdrawn
destination session :
holds the
destination that
that
holds
session
withdew
s e l f . routing_base [ d e s t i n a t i o n ]
for
route_id # remove
in
any
entry . r o u t e s . keys ( ) : route heard from the session : for the destination
if
# If
entry . r o u t e s [ route_id ] [ 2 ]
= =
session
del
entry . r o u t e s [ route_id ] route was withdrawn , then : , will be sent next simstep either implicit / explicit replace
the
best
if
entry . best_route
if
not in
entry . routes :
= = 0
# EXPLICIT
else
del
: #
winner
= None
for
id , r o u t e
if
in
,
route [ 1 ] metric
winner as changed = 1
destination
s e l f . changes [ d e s t i n a t i o n ] s e l f . last_change =
G l o b a l s . TIME
def
r e c e i v e ( s e l f , s e s s i o n , packet ) : """ Process @param an RPO session : message the received the by the E S W D owner received on
session
RPO was
40
77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135
@param
packet :
the
message / packet
s e l f . routing_base
for
destination
if
in
payload [ 1 ] :
# WT D W L I H A A S : session )
destination
in
s e l f . routing_base
s e l f . handle_session_withdraw ( d e s t i n a t i o n ,
for
d e s t i n a t i o n , path , m e t r i c
if if
in
payload [ 0 ] :
# UPDATES
s t r ( s e l f . daemon . a d v e r t i s e d _ a s )
continue
+ = destination
in
path . s p l i t ( ) :
metric
s e l f . session_info [ session ]
not in
rib
: = Table_Entry ( path , m e t r i c , s e s s i o n )
s e l f . routing_base [ d e s t i n a t i o n ] s e l f . changes [ d e s t i n a t i o n ] = 1
else :
entry best = = s e l f . routing_base [ d e s t i n a t i o n ] entry . routes [ entry . best_route ]
if
session
in
e n t r y . heard_from_to_id
: = ( path , m e t r i c , s e s s i o n )
e n t r y . r o u t e s [ e n t r y . heard_from_to_id [ s e s s i o n ] ] id = e n t r y . heard_from_to_id [ s e s s i o n ]
else if
best [ 1 ]
entry . best_route
s e l f . changes [ d e s t i n a t i o n ] s e l f . last_change =
G l o b a l s . TIME
def
g e n e r e r a t e ( s e l f , s e s s i o n , metric , f u l l _ r i b """ Create @param @param @param just """ and transmits the the a routing packet
False ) :
constructed routing
for
particular is for
session
session : metric :
L{ P 2 P _ S e s s i o n } metric of this
this
packet
full_rib :
indicates
whether
changes
: =
keys
s e l f . routing_base
s e l f . changes
( [ ] , [ ] )
s e l f . routing_base
for
destination
if
in
it
keys :
destination # means
not in
has
been
p a y l o a d [ 1 ] . append ( d e s t i n a t i o n )
= = =
rib [ destination ] entry . routes [ entry . best_route ] route [ 0 ] + ' ' + s t r ( s e l f . daemon . a d v e r t i s e d _ a s )
p a y l o a d [ 0 ] . append ( ( d e s t i n a t i o n , path , r o u t e [ 1 ] ) )
message message
def
calculate_used ( s e l f ) : """
41
136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168
upon which
of
this i . e .
protocol appear in
instace , the
identifies table
and
redundant ,
routing
sessions
{}
for
in
:
s e l f . routing_base . items ( ) :
if
session
continue
sessions [ session ]
True
s e l f . used_sessions #i f #
len ( s e l f . used_sessions )
def
simulate ( s e l f ) : """ Called by the owner E S W D ( L{Daemon } ) to simulate its protocol instance
"""
if
!=
: sessions :
over
all
for
session , metric
in
if
s e l f . last_change # Convergence
G l o b a l s . MINUTE <=
G l o b a l s . TIME :
if
return return
True
False
42