
TRANSCRIPT

Page 1: A SECURE ROUTING ARCHITECTURE · itc.committees.comsoc.org/files/2017/07/Shenoy-ITC... · Routing Table Sizes (Y AXIS) for OSPF and TRP in the AT&T ISP Network, USA, X Axis Incremental

A SECURE ROUTING ARCHITECTURE

NIRMALA SHENOY

ROCHESTER INSTITUTE OF TECHNOLOGY, NY, USA

Page 2:

AGENDA

• MODULAR ARCHITECTURES

• SELECTIVE CONTROL

• A MODULAR ROUTING ARCHITECTURE

• SELECTIVE SECURITY / PRIVACY

• VISIBILITY CONTROL FOR PRIVACY

• TRACKING CONTROL FOR SECURITY

• REVOLUTIONARY / EVOLUTIONARY ?

• ADOPTION

Page 3:

MODULAR ARCHITECTURES

• EXAMPLES

• SOFTWARE DEFINED NETWORKS

• FIVE LAYER PROTOCOL STACK

• FUNCTIONAL ABSTRACTION / ISOLATION HELPS – EACH MODULE CAN BE SUITABLY DESIGNED FOR SECURITY / PRIVACY

Page 4:

A MODULAR ROUTING ARCHITECTURE

• NETWORKS – EXAMPLE -> AUTONOMOUS SYSTEMS

• PERFORM ROUTER BASED FUNCTIONAL ABSTRACTION

• CORE ROUTERS

• DISTRIBUTION ROUTERS

• ACCESS ROUTERS

• HOW TO CAST THEM INTO MODULES?

• HOW TO USE THEM FOR ROUTING?

Page 5:

TIER STRUCTURE AND LABELS FOR ROUTING

[Figure: three-tier router structure. TIER 1: BBRouters, labels 1.1, 1.2, 1.3. TIER 2: DBRouterSet1 and DBRouterSet2, labels 2.1:1, 2.3:1, 2.3:2, 2.2:1. TIER 3: ACRouterSet1 and ACRouterSet2, labels 3.1:1:1, 3.3:1:1, 3.3:2:1, 3.2:1:1.]

Let us introduce routers and assign LABELS that capture the structure properties:

1.1 : TierValue.UniqueID

2.1:1 : TierValue.UniqueID, where UniqueID = parentID:ChildUniqueID

3.1:1:1 : TierValue.UniqueID, where UniqueID = grandparentID:parentID:ChildUniqueID

The label structure is TierValue.UniqueID.

The Unique ID carries the parent-child relationship (Grandparent:Parent:Child), so the labels form a tree and can be used directly for routing and forwarding.

The TierValue provides a level of aggregation.
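The label grammar above is enough to pick a next hop without a conventional routing table, which is where the small table sizes and local failure scope claimed on the later slides come from. The following Python is an added illustration of that idea, not code from the deck or from the TRP implementation. It assumes the slide-5 convention that a label's tier equals its path depth (1.1, 2.1:1, 3.1:1:1, 4.1:1:1:1), that tier-1 routers can reach one another directly, and that there are no lateral links below tier 1 (if a deployment has a direct 2.3:1 to 2.3:2 link, the route shown for that pair would skip the 1.3 hop); `Label`, `route`, `forwarding_table` and `failure_scope` are names chosen here.

```python
"""Forwarding on TierValue.UniqueID labels (added example, not the deck's code).

Assumptions: tier value == path depth; tier-1 routers reach each other
directly; no lateral links below tier 1.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    tier: int
    path: tuple  # (3, 2, 1) for "3.3:2:1": grandparent 1.3, parent 2.3:2, child 1


def parse_label(text):
    """'3.3:2:1' -> Label(tier=3, path=(3, 2, 1)); tier must equal path depth."""
    tier_text, uid = text.split(".", 1)
    tier = int(tier_text)
    path = tuple(int(part) for part in uid.split(":"))
    if tier != len(path):
        raise ValueError(f"{text}: tier {tier} does not match depth {len(path)}")
    return Label(tier, path)


def fmt(label):
    return f"{label.tier}." + ":".join(str(p) for p in label.path)


def parent(label):
    return None if label.tier == 1 else Label(label.tier - 1, label.path[:-1])


def next_hop(here, dest):
    """Choose a next hop from the two labels alone, with no routing table.

    Down: if dest lies in here's subtree, forward to the child on dest's path.
    Up:   otherwise forward to the parent until the common ancestor is reached.
    At tier 1 a foreign root is reached directly (assumed backbone connectivity).
    """
    depth = here.tier
    if here == dest:
        return None
    if dest.tier > depth and dest.path[:depth] == here.path:
        return Label(depth + 1, dest.path[:depth + 1])
    if depth == 1:
        return Label(1, dest.path[:1])
    return parent(here)


def route(src, dst):
    """Hop-by-hop path between two label strings."""
    here, dest = parse_label(src), parse_label(dst)
    hops = [here]
    while here != dest:
        here = next_hop(here, dest)
        hops.append(here)
    return [fmt(h) for h in hops]


def forwarding_table(label, children):
    """What a router must hold: one entry per child plus a default route up.
    This is the aggregation TierValue buys: anything not below us goes up."""
    me = parse_label(label)
    table = {child: child for child in children}
    up = parent(me)
    table["default"] = fmt(up) if up else "other tier-1 routers"
    return table


def failure_scope(failed_child, all_labels):
    """Labels that lose their default route when the link above `failed_child`
    fails: only the subtree below it, so the event stays inside that module."""
    root = parse_label(failed_child).path
    return sorted(l for l in all_labels if parse_label(l).path[:len(root)] == root)


# Constructed label set taken from the slide-5 figure.
SLIDE5_LABELS = ["1.1", "1.2", "1.3", "2.1:1", "2.3:1", "2.3:2", "2.2:1",
                 "3.1:1:1", "3.3:1:1", "3.3:2:1", "3.2:1:1"]
```

`route("3.3:1:1", "3.3:2:1")` climbs to the common ancestor 1.3 and descends through 2.3:2, and `failure_scope("2.3:2", SLIDE5_LABELS)` shows that a failure of the 1.3 to 2.3:2 link is only of interest to 2.3:2 and 3.3:2:1, which is the locality the churn comparison on the later slides relies on.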

Page 6:

SELECTIVE SECURITY

• EACH MODULE CAN HAVE DIFFERENT LEVELS OF SECURITY

• MODULAR? – NEW NESTED MODULE CONNECTED VIA 3.1:1:1

• HIDE INTERNAL STRUCTURE / ADDRESSES

• LABELS CAN BE A:1.2.3 OR A:11.2.3 …

• CAN BE CHANGED INTERNALLY

• NAME SERVERS AT EDGE WILL TRANSLATE

• DIFFERENT LEVELS OF SECURITY

[Figure: the slide-5 tier structure (TIER 1: 1.1, 1.2, 1.3; TIER 2: 2.1:1, 2.3:1, 2.3:2, 2.2:1; TIER 3: 3.1:1:1, 3.3:1:1, 3.3:2:1, 3.2:1:1) with a NestedModule, carrying its own TIER 1 and TIER 2, attached below 3.1:1:1.]

Page 7:

ROUTING STRUCTURE AND MODULARITY

[Figure: ISP A with three POPs (Seattle POP, Chicago POP, New York POP). Inside a POP: Tier1 1.1, 1.2, 1.3; Tier2 2.1:1, 2.3:1, 2.3:2, 2.2:1; Tier3 3.1:1:1, 3.3:1:1, 3.3:2:1, 3.2:1:1. At the ISP level the POPs hang off 1.2 as modules 1.2:1, 1.2:2, 1.2:3. Devices below tier 3 carry tier-4 labels (4. :::).]

Forward between 3.3:1:1 and 3.3:2:1: via 2.3:1 and 2.3:2.

Forward between 3.3:1:1 in the Seattle POP and the NY POP: the packet leaves the Seattle cloud, and its address will be 1.2:1(3.3:1:1). The device in the NY POP will accordingly have an address 1.2:2(3.3:1…). (Name services.)

Now to Modularity

Page 8:

PARTIAL NAME SERVICES – PRIVACY

[Figure: the same ISP A / POP structure as slide 7.]

Server 4.1:1:1:1 (ftp.Univ2.edu)

Client 4.1:1:1:1 (Univ1.edu)

Client sends a request to ftp.Univ2.edu. DNS at Chicago resolves Univ2.edu as 1.2:1. The request is forwarded as ftp.(1.2:1) to the Seattle POP. The ftp server's address is resolved at the Seattle POP. (Security.)
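The two-stage lookup just described, together with the OuterLabel(InnerLabel) address form of slide 7 and the "can be changed internally" point of slide 6, as an added Python illustration (not the deck's code and not a real name-server implementation). It assumes that each POP is a module with its own directory of internal labels, that an edge name server maps a zone only to its module label, that the host part is resolved inside the module, and that the figure's duplicate internal label 4.1:1:1:1 on the server and client is disambiguated by the module label; the class and function names, the New York zone assignment and the host table are constructed for the example.

```python
"""Partial name resolution across nested modules (added example, not the deck's code).

Assumptions: outside a module a name resolves only to the module label
(Univ2.edu -> 1.2:1); the host part is resolved inside the module; an address
crossing the module boundary is written Outer(Inner), e.g. 1.2:1(3.3:1:1).
"""


class Module:
    """One POP / nested module with a private directory of internal labels."""

    def __init__(self, label, zone, hosts):
        self.label = label          # label visible outside, e.g. "1.2:1"
        self.zone = zone            # name suffix it answers for, e.g. "Univ2.edu"
        self._hosts = dict(hosts)   # hostname -> internal label; never exported

    def resolve_internal(self, host):
        """Only answered for queries that have already reached the module."""
        return self._hosts[host]

    def renumber(self, host, new_label):
        """Internal labels can change with no effect on what outsiders hold."""
        self._hosts[host] = new_label

    def external_address(self, host):
        """Form used when a packet leaves the module: Outer(Inner)."""
        return f"{self.label}({self._hosts[host]})"


class EdgeNameServer:
    """Name server at the ISP edge (the 'DNS at Chicago' of slide 8).
    It knows zone -> module label and nothing about hosts inside a module."""

    def __init__(self, modules):
        self._zone_to_label = {m.zone: m.label for m in modules}

    def resolve(self, fqdn):
        host, zone = fqdn.split(".", 1)
        return self._zone_to_label[zone], host   # e.g. ("1.2:1", "ftp")


def split_external(address):
    """'1.2:1(3.3:1:1)' -> ('1.2:1', '3.3:1:1'). A border router forwards on the
    outer label and never has to interpret the inner one."""
    outer, inner = address[:-1].split("(", 1)
    return outer, inner


def send_request(edge, modules, fqdn):
    """Trace the two-stage lookup of slide 8 and return the label finally used."""
    module_label, host = edge.resolve(fqdn)
    zone = fqdn.split(".", 1)[1]
    trace = [f"edge resolves {zone} -> {module_label}",
             f"forward {host}.({module_label}) to module {module_label}"]
    target = next(m for m in modules if m.label == module_label)
    internal = target.resolve_internal(host)
    trace.append(f"module {module_label} resolves {host} -> {internal}")
    return internal, trace


# Constructed sample topology following the slide-8 figure (not measured data).
SEATTLE = Module("1.2:1", "Univ2.edu", {"ftp": "4.1:1:1:1"})
NEWYORK = Module("1.2:2", "Univ1.edu", {"client": "4.1:1:1:1"})  # zone placement assumed
MODULES = [SEATTLE, NEWYORK]
EDGE = EdgeNameServer(MODULES)
```

An external party querying `EDGE` for ftp.Univ2.edu learns only 1.2:1 and the residual host name; the internal label 4.1:1:1:1 is produced by `SEATTLE` itself, and after `SEATTLE.renumber("ftp", ...)` the edge answer is unchanged while the request still lands on the new label. That is the visibility control the agenda lists: the structure inside a module is not part of any answer that leaves it.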

Page 9:

TIERED STRUCTURE OF THE INTERNET

MODULARITY IN THE INTERNET STRUCTURE

Page 10:

COMPARISON WITH OSPF

LOWER OPERATIONAL COMPLEXITY, LESS BRITTLE, LESS PRONE TO SECURITY HACKS

Page 11:

OPERATIONAL COMPLEXITY (OSPF VS TIERED PROTOCOL)

[Figure: Routing table sizes (Y axis) for OSPF and TRP in the AT&T ISP network, USA; X axis: incremental count of routers. Annotations: 300 routers had 13,689 entries; fewer than 10 routers had 68 entries.]

Page 12:

OPERATIONAL COMPLEXITY (OSPF VS TIERED PROTOCOL)

[Figure: Number of update packets generated (Y axis) by OSPF and TRP for a single link failure in the AT&T network, USA; X axis: incremental router count, truncated. Annotations: OSPF; less than 2000 routers.]

Page 13:

COMPARISON WITH BGP

LOWER OPERATIONAL COMPLEXITY, LESS BRITTLE, LESS PRONE TO SECURITY HACKS

Page 14:

CHURN RATE (BGP: 80% OF EVENTS ARE GLOBALLY VISIBLE)

Changes at Level 3 (a tier 1 ISP) can impact 13,791 ASes, i.e. 41.15%. There are 31 tier 1 ISP ASes.

Averaged effect: average affected tree size 1,078, around 3.21% of ASes.

Page 15:

ROUTING TABLE SIZES(BGP VS TIERED ROUTING PROTOCOL)

[Figure: routing table sizes, BGP vs tiered routing protocol; X axis: router count. Annotations: BGP core routers >600K; largest routing table size 2,631.]

Page 16:

CURRENT STATUS

• JUST DEMONSTRATED THIS ON THE GENI TESTBED – 27 NODE TOPOLOGY.

• HTTPS://BLUEJEANS.COM/S/PW2LI

• QUITE A FEW NEWS ITEMS

Page 17:

REFERENCES

• Y. Nozaki, E. F. Golen, and N. Shenoy, "A modular architecture for scalable inter-domain routing," IEEE Computing and Communication Workshop and Conference, January 9-11, 2017. (Compared with BGP.)

• Y. Nozaki, N. Shenoy, and A. Gupta, "Power usage efficiency with a modular routing protocol," Future Network Systems and Security, Paris, 23-24 November 2016. (Also a journal article; compared with OSPF in the AT&T network, USA.)

• A. Rea, X. Cao, A. Gupta, and N. Shenoy, "A secure cloud internetwork model with economic and social incentives (SCIMES)," AMCIS, 18th Americas Conference on Information Systems, Seattle, Washington, August 9-11, 2012. (Also a journal article.)

Page 18:

QUESTIONS