A SECURE ROUTING ARCHITECTURE
NIRMALA SHENOY
ROCHESTER INSTITUTE OF TECHNOLOGY, NY, USA
AGENDA
• MODULAR ARCHITECTURES
• SELECTIVE CONTROL
• A MODULAR ROUTING ARCHITECTURE
• SELECTIVE SECURITY / PRIVACY
• VISIBILITY CONTROL FOR PRIVACY
• TRACKING CONTROL FOR SECURITY
• REVOLUTIONARY / EVOLUTIONARY ?
• ADOPTION
MODULAR ARCHITECTURES
• EXAMPLES
• SOFTWARE DEFINED NETWORKS
• FIVE LAYER PROTOCOL STACK
• FUNCTIONAL ABSTRACTION / ISOLATION HELPS IN EACH MODULE –
• SUITABLY DESIGNED FOR SECURITY / PRIVACY
A MODULAR ROUTING ARCHITECTURE
• NETWORKS – EXAMPLE -> AUTONOMOUS SYSTEMS
• PERFORM ROUTER BASED FUNCTIONAL ABSTRACTION
• CORE ROUTERS
• DISTRIBUTION ROUTERS
• ACCESS ROUTERS
• HOW TO CAST THEM INTO MODULES?
• HOW TO USE THEM FOR ROUTING?
TIER STRUCTURE AND LABELS FOR ROUTING
[Figure: three-tier router structure. Tier 1: backbone (BB) routers 1.1, 1.2, 1.3. Tier 2: distribution (DB) router sets 2.1:1, 2.3:1, 2.3:2, 2.2:1. Tier 3: access (AC) router sets 3.1:1:1, 3.3:1:1, 3.3:2:1, 3.2:1:1.]
Let us introduce routers and assign LABELS that capture the structure properties:
1.1 → TierValue.UniqueID
2.1:1 → TierValue.UniqueID, where UniqueID = ParentID:ChildUniqueID
3.1:1:1 → TierValue.UniqueID, where UniqueID = GrandparentID:ParentID:ChildUniqueID
The label structure is TierValue.UniqueID.
The Unique ID carries the parent-child relationship (Grandparent : Parent : Child). It is tree-like, so it can be used for routing and forwarding.
The TierValue provides a level of aggregation.
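The label scheme above, worked through as an added Python example (my code, not code from the slides or from the project they describe). It parses TierValue.UniqueID labels, derives parent and ancestor from the ID chain alone, makes the forwarding decision from labels without a routing-table lookup, and shows the aggregation the TierValue gives. The router set is the one drawn in the figure; the assumption that routers sharing a parent, and all Tier 1 routers, are directly linked to each other is mine, chosen so that the computed path reproduces the later slide's path from 3.3:1:1 to 3.3:2:1 via 2.3:1 and 2.3:2. Nested modules from the later slides are not modelled.

```python
"""Tier labels as on the slide: TierValue.UniqueID, where UniqueID is the
chain GrandparentID:ParentID:ChildUniqueID.  The router set below is the one
drawn on the slide (1.1 ... 3.2:1:1).  Assumptions made here, not stated on
the slide: routers that share a parent are directly linked to each other, and
all Tier 1 routers are linked to each other; with these, the computed path for
3.3:1:1 -> 3.3:2:1 is the one the slides give (via 2.3:1 and 2.3:2)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Label:
    tier: int
    ids: tuple            # (grandparent, parent, child, ...), exactly `tier` entries

    @classmethod
    def parse(cls, text: str) -> "Label":
        tier_s, _, uid = text.partition(".")
        ids = tuple(int(x) for x in uid.split(":"))
        tier = int(tier_s)
        if len(ids) != tier:
            raise ValueError(f"{text!r}: a tier-{tier} label needs {tier} ids, got {len(ids)}")
        return cls(tier, ids)

    def __str__(self) -> str:
        return f"{self.tier}.{':'.join(map(str, self.ids))}"

    def parent(self) -> Optional["Label"]:
        return None if self.tier == 1 else Label(self.tier - 1, self.ids[:-1])

    def ancestor_at(self, tier: int) -> "Label":
        """Ancestor of this router at a higher tier (self when tier == self.tier)."""
        if not 1 <= tier <= self.tier:
            raise ValueError(f"{self} has no ancestor at tier {tier}")
        return Label(tier, self.ids[:tier])


def next_hop(me: Label, dest: Label) -> Optional[Label]:
    """Forwarding decision from the labels alone: go down if dest is below me,
    across if its branch hangs off my parent, otherwise up to my parent."""
    if me == dest:
        return None
    # The ancestor of dest at my own tier (dest itself if it is at or above me).
    branch = dest.ancestor_at(me.tier) if dest.tier >= me.tier else dest
    if branch == me:                       # dest is below me: descend toward it
        return dest.ancestor_at(me.tier + 1)
    if branch.parent() == me.parent():     # sibling link (assumed); Tier 1 routers all count as siblings
        return branch
    up = me.parent()
    if up is None:
        raise RuntimeError(f"{me}: no parent to forward {dest} to")
    return up


def route(src: str, dst: str) -> list:
    """Full hop-by-hop path as label strings, with a loop guard."""
    cur, dest = Label.parse(src), Label.parse(dst)
    path = [str(cur)]
    for _ in range(2 * max(cur.tier, dest.tier) + 2):
        nxt = next_hop(cur, dest)
        if nxt is None:
            return path
        path.append(str(nxt))
        cur = nxt
    raise RuntimeError("forwarding loop: " + " -> ".join(path))


# Routers drawn on the slide (constructed list, copied from the figure).
ROUTERS = ["1.1", "1.2", "1.3",
           "2.1:1", "2.3:1", "2.3:2", "2.2:1",
           "3.1:1:1", "3.3:1:1", "3.3:2:1", "3.2:1:1"]


def forwarding_table(me: str) -> dict:
    """Group every other router by next hop: this is the aggregation the
    TierValue gives; a whole subtree collapses to one entry."""
    here = Label.parse(me)
    table: dict = {}
    for r in ROUTERS:
        if r == me:
            continue
        hop = str(next_hop(here, Label.parse(r)))
        table.setdefault(hop, []).append(r)
    return table


if __name__ == "__main__":
    print(" -> ".join(route("3.3:1:1", "3.3:2:1")))   # 3.3:1:1 -> 2.3:1 -> 2.3:2 -> 3.3:2:1
    for hop, dests in forwarding_table("2.3:1").items():
        print(f"{hop:8} {dests}")
```

Router 2.3:1 ends up with three next hops for ten destinations: everything outside its own Tier 1 subtree is reached through 1.3, which is the point the routing-table-size comparison later on the slides makes.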
SELECTIVE SECURITY
• EACH MODULE CAN HAVE DIFFERENT LEVELS OF SECURITY
• MODULAR? – NEW NESTED MODULE CONNECTED VIA 3.1:1:1
• HIDE INTERNAL STRUCTURE / ADDRESSES
• LABELS CAN BE A:1.2.3 OR A:11.2.3 …
• CAN BE CHANGED INTERNALLY
• NAME SERVERS AT EDGE WILL TRANSLATE
• DIFFERENT LEVELS OF SECURITY
[Figure: the three-tier structure from the previous slide (Tier 1: 1.1, 1.2, 1.3; Tier 2: 2.1:1, 2.3:1, 2.3:2, 2.2:1; Tier 3: 3.1:1:1, 3.3:1:1, 3.3:2:1, 3.2:1:1) with a nested module, itself having a Tier 1 and a Tier 2, attached at 3.1:1:1.]
ROUTING STRUCTURE AND MODULARITY
[Figure: ISP A with three POPs (Seattle, Chicago, New York). The three-tier structure (Tier 1: 1.1, 1.2, 1.3; Tier 2: 2.1:1, 2.3:1, 2.3:2, 2.2:1; Tier 3: 3.1:1:1, 3.3:1:1, 3.3:2:1, 3.2:1:1) sits inside the POPs; Tier 1 router 1.2 carries the POP labels 1.2:1, 1.2:2 and 1.2:3; devices attach at Tier 4 with labels of the form 4.:::.]
Forward between 3.3:1:1 and 3.3:2:1 via 2.3:1 and 2.3:2.
Forward between 3.3:1:1 in the Seattle POP and the NY POP: the packet leaves the Seattle cloud with the address 1.2:1(3.3:1:1). The device in the NY POP will accordingly have an address 1.2:2(3.3:1…) – name services.
Now to modularity.
PARTIAL NAME SERVICES – PRIVACY
[Figure: the same ISP A topology as the previous slide (Seattle, Chicago and New York POPs; POP labels 1.2:1, 1.2:2, 1.2:3; Tier 4 devices 4.:::).]
Server 4.1:1:1:1 – ftp.Univ2.edu
Client 4.1:1:1:1 – Univ1.edu
The client sends a request to ftp.Univ2.edu. The DNS at Chicago resolves Univ2.edu as 1.2:1. The request is forwarded as ftp.(1.2:1) to the Seattle POP. The ftp server's address is resolved at the Seattle POP – security.
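The two-stage resolution on this slide, as an added Python example (my code, not the project's). The domain names, the POP labels 1.2:1 and 1.2:2, the request form ftp.(1.2:1) and the outer(inner) address form come from the slides; the edge DNS table, the per-POP host tables and the renumbering function are constructed here to show that an edge DNS only ever reveals the POP label, that a POP refuses to resolve requests addressed to another POP, and that labels inside a POP can be changed without the edge seeing it. The slide gives both the server and the client the label 4.1:1:1:1 in different POPs; the example keeps that, since an internal label is only meaningful inside its own POP.

```python
"""Partial name service: the edge DNS maps a domain to a POP label only; the
host's internal label is resolved by the destination POP's own name service.
Tables below are constructed from the slide's figure and are not real data."""
import re
from typing import Optional

POP_DNS = {                  # what the edge DNS (Chicago) publishes: domain -> POP label only
    "Univ2.edu": "1.2:1",    # Seattle POP
    "Univ1.edu": "1.2:2",    # New York POP
}
POP_NAMES = {                # per-POP host table, consulted only inside that POP
    "1.2:1": {"ftp.Univ2.edu": "4.1:1:1:1"},   # server label from the slide
    "1.2:2": {"Univ1.edu": "4.1:1:1:1"},       # client label from the slide (same label, other POP)
}

# 'ftp.(1.2:1)': unresolved host part plus the POP label the edge DNS returned.
REQUEST_RE = re.compile(r"^(?P<host>[^.()]+)\.\((?P<pop>\d+\.[\d:]+)\)$")
# '1.2:1(4.1:1:1:1)': outer POP label with an optional inner label in parentheses.
ADDRESS_RE = re.compile(r"^(?P<outer>\d+\.[\d:]+)(?:\((?P<inner>\d+\.[\d:]+)\))?$")


def edge_resolve(fqdn: str) -> Optional[str]:
    """Edge DNS step: resolve only the domain to its POP label and leave the
    host part unresolved, e.g. 'ftp.Univ2.edu' -> 'ftp.(1.2:1)'."""
    for domain, pop in POP_DNS.items():
        if fqdn == domain:
            return f"({pop})"
        if fqdn.endswith("." + domain):
            host = fqdn[: -len(domain) - 1]
            return f"{host}.({pop})"
    return None


def pop_resolve(request: str, my_pop: str) -> Optional[str]:
    """Inside the destination POP: resolve the host to its internal label and
    build the outer(inner) address, e.g. '1.2:1(4.1:1:1:1)'.  A POP does not
    resolve requests addressed to some other POP, so its table stays private."""
    m = REQUEST_RE.match(request)
    if not m or m["pop"] != my_pop:
        return None
    domain = next((d for d, p in POP_DNS.items() if p == my_pop), None)
    inner = POP_NAMES.get(my_pop, {}).get(f"{m['host']}.{domain}")
    return f"{my_pop}({inner})" if inner else None


def externally_visible(address: str) -> Optional[str]:
    """What a packet carries once it leaves the POP: only the outer label."""
    m = ADDRESS_RE.match(address)
    return m["outer"] if m else None


def renumber_pop(my_pop: str, mapping: dict) -> None:
    """Change internal labels; the edge DNS entry for the POP is untouched,
    so nothing outside the POP has to learn about the renumbering."""
    table = POP_NAMES[my_pop]
    for name, old in table.items():
        table[name] = mapping.get(old, old)


if __name__ == "__main__":
    req = edge_resolve("ftp.Univ2.edu")          # ftp.(1.2:1)
    addr = pop_resolve(req, "1.2:1")             # 1.2:1(4.1:1:1:1)
    print(req, addr, externally_visible(addr))   # ftp.(1.2:1) 1.2:1(4.1:1:1:1) 1.2:1
```

Run as a script it prints the three stages for the slide's ftp request: what the Chicago DNS answers, what the Seattle POP resolves internally, and what the rest of ISP A ever sees.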
TIERED STRUCTURE OF THE INTERNET
MODULARITY IN THE INTERNET STRUCTURE
COMPARISON WITH OSPF: LOWER OPERATIONAL COMPLEXITY, LESS BRITTLE, LESS PRONE TO SECURITY HACKS
OPERATIONAL COMPLEXITY (OSPF VS TIERED PROTOCOL)
[Plot: Routing table sizes (Y axis) for OSPF and TRP in the AT&T ISP network, USA; X axis: incremental count of routers. Annotations: 300 routers had 13689 entries; less than 10 routers had 68 entries.]
OPERATIONAL COMPLEXITY (OSPF VS TIERED PROTOCOL)
[Plot: Number of update packets generated (Y axis) by OSPF and TRP for a single link failure in the AT&T network, USA; X axis: incremental router count (truncated). Annotation: OSPF, less than 2000 routers.]
COMPARISON WITH BGP: LOWER OPERATIONAL COMPLEXITY, LESS BRITTLE, LESS PRONE TO SECURITY HACKS
CHURN RATE (BGP: 80% OF EVENTS ARE GLOBALLY VISIBLE)
Changes in Level3 (Tier 1) can impact 13791 ASes – 41.15%. There are 31 Tier 1 ISP ASes.
Averaged effect – average affected tree size 1078, around 3.21% of ASes.
ROUTING TABLE SIZES (BGP VS TIERED ROUTING PROTOCOL)
[Plot: routing table sizes for BGP and the tiered routing protocol; X axis: router count. Annotations: BGP core routers >600K; largest routing table size 2631.]
CURRENT STATUS
• JUST DEMONSTRATED THIS ON THE GENI TESTBED – 27 NODE TOPOLOGY.
• HTTPS://BLUEJEANS.COM/S/PW2LI
• QUITE A FEW NEWS ITEMS
REFERENCES
• Y. Nozaki, E. F. Golen, and N. Shenoy, "A modular architecture for scalable inter-domain routing", IEEE Computing and Communication Workshop and Conference, January 9-11, 2017 (compared with BGP).
• Y. Nozaki, N. Shenoy, and A. Gupta, "Power usage efficiency with a modular routing protocol", Future Network Systems and Security, Paris, 23-24 November 2016 (also a journal article; compared with OSPF in the AT&T network, USA).
• A. Rea, X. Cao, A. Gupta, and N. Shenoy, "A secure cloud internetwork model with economic and social incentives (SCIMES)", AMCIS, 18th Americas Conference on Information Systems, Seattle, Washington, August 9-11, 2012 (also a journal article).
QUESTIONS