Reliable Communication in Unknown Networks Lakshmi Subramanian Joint work with: Randy Katz, Volker Roth, Scott Shenker, Ion Stoica

Post on 21-Dec-2015


Reliable Communication in Unknown Networks

Lakshmi Subramanian

Joint work with:

Randy Katz, Volker Roth, Scott Shenker, Ion Stoica


Reliable communication problem

[Figure legend: good node, adversarial node]

Given a graph G, how do two good nodes reliably communicate in the presence of adversarial nodes attempting to disrupt the communication?


Challenges to reliable communication

• Lack of knowledge of which nodes are adversarial

• Adversarial nodes can potentially
  – Modify messages traversing them
  – Generate spurious messages on behalf of good nodes
  – Collude with other adversaries using out-of-band communication

• Absence of a public key infrastructure to enable originators to sign messages


Lamport’s Result

• If every node is aware of the entire graph G and G is (2k+1) vertex connected, then two good nodes can reliably communicate provided #adversaries <= k
  – Source route the message along (2k+1) vertex disjoint paths and compute consensus
  – This result is also a lower bound

• Reliable communication vs Byzantine consensus
  – Reliable communication is a necessary building block for Byzantine agreement


What if the graph is not known?

What if a node is aware only of its neighbors but not of the entire network?

[Figure label: neighborhood of a node]


Reliable communication in unknown networks

• Input: Given a graph G with n nodes where each node is aware of only its neighbors but not the entire graph. Every node has a unique, unforgeable identity.

• Problem: Assume that k among the n nodes are adversarial and the remaining (n-k) nodes are good nodes which follow a prescribed algorithm. For what values of k can we get a distributed algorithm that allows two good nodes to reliably communicate?


The problem spectrum

[Figure: Reliable Communication Problem, with branches Complete Graph / Incomplete Graph, Unsigned Messages / Signed Messages, Graph unknown / Graph known]


Example 1: BGP

• Nodes in the graph are ASes

• Identity = AS number
  – AS number is a socially assigned identity
  – Assumption: AS number is unique and unforgeable

• What information needs to be reliably communicated?
  – (AS, prefix) mapping
  – Valid path-vector route updates


Example 2: Intra-domain routing

• Identity of a node = <router-id>

• Information to be reliably communicated?
  – Graph topology
  – Link costs

• An adversary should not be able to
  – Modify the cost of existing links between good nodes
  – Introduce new links to good nodes

• What an adversary can do
  – Introduce spurious links to other adversaries
  – Introduce fake nodes


Example 3: DNS

• Node identifier = <IP address of DNS server>
  – Assumption: The IP address of a DNS server of a domain is relatively static

• Information to be reliably communicated?
  – Domain ownership information
  – Redirection of DNS requests to the authoritative DNS

• Challenge:
  – Is it possible to secure DNS without a public-key infrastructure?


Our result

• In an unknown network comprising n nodes, given #adversaries <= k and a bound N >= n on the number of nodes, two good nodes can reliably communicate if the underlying connectivity graph, G, is (2k+1) vertex connected.

• Complexity
  – Consider a network with bounded capacity where every link can transmit one message in unit time.
  – One-time complexity = O(kNn^3)
  – Subsequent communication complexity = O(k·diam(G))


Simpler adversarial model

• Independent adversaries
  – Do not collude with each other
  – Do not directly communicate with each other during protocol execution
  – Motivation: misconfigurations, independent attackers

• Result: In an unknown network comprising n nodes, given number of independent adversaries <=k and a bound N>=n on the number of nodes, two good nodes can reliably communicate if the underlying connectivity graph, G, is (k+2) vertex connected.


Practical implications

• BGP
  – Reliable communication is achievable within the Internet core (tier-1 + tier-2 ISPs)
  – In power-law random graphs, the damage that few adversaries can cause is small
  – Multi-homing => better reliable communication
  – Misconfigurations cause less damage than colluding adversaries

• OSPF
  – The network can be carefully engineered to ensure that few adversaries cannot disrupt link-state routing
  – The cost of propagating updates reliably can be made very low


Practical implications (contd)

• DNS
  – By designing the DNS as a hierarchical but structured peer-peer network, adversarial nodes can cause very little damage
  – DNS requests can be reliably serviced in the presence of adversaries

• Decentralized public key distribution
  – In specific graphs, one can achieve decentralized public key distribution in the presence of a bounded number of adversaries


Other implications

• Network design
  – Need a minimum 3-connected graph to completely protect against a single adversary

• Failures are accommodated as adversarial nodes

• Not applicable for
  – Unstructured peer-peer networks, nodes with variable identities, extremely dynamic networks


Algorithm building blocks

• Path vector signatures

• Flow concept

• Path suppression

• Loop testing – for independent adversaries


Path vector signatures

• Path vector message = (m,S,P)
  – message m, source S, path P

• Path vector signature sgn(m,S,P) satisfies
  – Verifiability: Given (m,S,P) and sgn(m,S,P), any node can verify that message traversed P provided it originated from S
  – Update: sgn(m,S,P) can be updated to sgn(m,S,P’) for any path P’ = P + {v}
  – Inability to modify: Any adversary attempting to modify m or remove entries in P cannot compute signature
  – Distinguishability: The signature of a fake path vector message (m,S,P) is always distinguishable from a genuine message (m,S,P)


El-Gamal path vector signatures

[Figure: nodes A, B, C, D, X, Y; message = x, claimed public key = P]

Labels carrying public key P:
<h1 = h(x, (A,B)), P>
<h2 = h(h1, (A,B,C)), P>
<h3 = h(h2, (B,C,D)), P>

Labels carrying public key Q:
<k1 = h(x, (A,X)), Q>
<k2 = h(k1, (A,X,Y)), Q>
<k3 = h(k2, (X,Y,D)), Q>

• Consistency checking of routes (C,B,A) and (Y,X,A):
  – Does the signature match the public key?
  – Do the public keys match?


Property of path-vector signature

• A single adversary attempting to modify the message or generate a fake message with a genuine signature has to generate a new public key for the source

• Two colluding adversaries can
  – tunnel an adversary and introduce a fake path between them without changing the message


Modified path-vector signatures

[Figure: path through nodes A, B, C, D, labelled in order with]
<h(AB), p(A)>
<(h(ABC),p(A)), (h(BC),p(B))>
<(h(ABCD),p(A)), (h(BCD),p(B)), (h(CD),p(C))>

Append a string of hash signatures, one for each node along a path, along with the “claimed” public key of each node


Property of modified scheme

• Two colluding adversaries generating a fake path with additional identities have to fake the public-keys of these identities

• Keyed-identity of a node = (identity, claimed public key)

• Distinguishability of messages:
  – A genuine path-vector message traversing good nodes will always be distinguishable from a fake path-vector message generated by adversaries


Flow concept

• Let G be a (2k+1)-connected graph with at most k adversarial nodes

• Consider two good nodes X and Y with public keys p(X) and p(Y)
  – Flow((X,p(X)), (Y,p(Y))) >= k+1

• Consider a good node X and a fake node F created by adversaries
  – Flow((X,p(X)), (F,p(F))) <= k


Basic Algorithm

• Step 1: Every node X with a message m(X), transmits m(X) to its neighbors along with its path-vector signature

• Step 2: Every intermediary node appends the path attribute and the signature and propagates the message to other neighbors

• Step 3: Every receiver chooses identity-disjoint paths for each source and updates the flow

• Step 4: If flow(node)>k, then that message is declared genuine
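
The four steps above, together with the flow bounds from the previous slide, as an added simulation that is not part of the original slides. The 5-node topology, the node names, the placeholder key strings and the choice to count flow per (keyed identity, message) pair are assumptions; signatures are modelled only by their stated effect (path entries cannot be removed), not by any real cryptography.

```python
from collections import defaultdict, deque

# Constructed 3-connected topology (K5 minus edge S-R), so k = 1 is tolerated.
# Each string lists a node's neighbours; M is the single adversary.
GRAPH = {"S": "ABM", "A": "SBMR", "B": "SAMR", "M": "SABR", "R": "ABM"}
BAD, K = {"M"}, 1

def flood(graph, bad, announcements):
    """Steps 1-2: good nodes append themselves and forward to neighbours.
    Signatures are modelled only by their effect: nobody can drop entries
    from a path, and adversaries never relay. No path suppression, so this
    enumerates every simple path (fine for a toy graph)."""
    seen = defaultdict(lambda: defaultdict(set))
    queue = deque(announcements)
    while queue:
        keyed_id, msg, path = queue.popleft()
        for v in graph[path[-1]]:
            if v in path or v in bad:
                continue
            seen[v][(keyed_id, msg)].add(path + (v,))
            queue.append((keyed_id, msg, path + (v,)))
    return seen

def flow(paths):
    """Step 3: size of the largest set of paths sharing no intermediate identity."""
    inner = [frozenset(p[1:-1]) for p in paths]
    def best(i, used):
        if i == len(inner):
            return 0
        skip = best(i + 1, used)
        if inner[i] & used:
            return skip
        return max(skip, 1 + best(i + 1, used | inner[i]))
    return best(0, frozenset())

def verdicts(seen_at_node, k):
    """Step 4: a (keyed identity, message) pair is genuine only if flow > k."""
    return {key: flow(paths) > k for key, paths in seen_at_node.items()}

ANNOUNCEMENTS = [
    (("S", "pk-S"), "m(S)", ("S",)),            # genuine source
    (("F", "pk-F"), "m(F)", ("F", "M")),        # fake node invented by M
    (("S", "pk-forged"), "m'(S)", ("S", "M")),  # M re-keys S to forge a message
]

if __name__ == "__main__":
    for key, ok in verdicts(flood(GRAPH, BAD, ANNOUNCEMENTS)["R"], K).items():
        print(key, "genuine" if ok else "rejected")
```

Every path for the fake node F and for the re-keyed identity (S, pk-forged) carries M's identity, so their flow at R stays at k, while the genuine keyed identity reaches k+1 through A and B.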


Path suppression

• Number of paths in a graph is exponential

• Path suppression:
  – A node only forwards a path-vector message if the path contains a new edge or a new source.
  – For a given keyed identity (X,p(X)), the number of messages forwarded is bounded.


Loop testing: Independent adversaries

[Figure: loop test, nodes labelled X and Z]

Independent adversaries will fail the loop test:
• If G is (k+2) connected, every edge will be present in at least one good loop


Conclusions

• Reliable communication in unknown networks if the graph G is (2k+1) connected with at most k adversaries
  – (k+2) connectivity sufficient for independent adversaries
  – Byzantine consensus in unknown networks

• Practical applications
  – BGP, OSPF, DNS

• Related problem: Reliable communication in sparse unknown networks
  – How much damage can a single adversary cause in 1-connected and 2-connected networks?
  – What is the best defense mechanism in sparse networks?