Dagstuhl Seminar 18242
Secure Routing for the Internet
( Jun 10 – Jun 13, 2018 )
- Phillipa Gill (University of Massachusetts - Amherst, US)
- Amir Herzberg (University of Connecticut - Storrs, US)
- Adrian Perrig (ETH Zürich, CH)
- Matthias Wählisch (FU Berlin, DE)
- Shida Kunz (for scientific matters)
- Annette Beyer (for administrative matters)
- The Rise of Certificate Transparency and Its Implications on the Internet Ecosystem : article in IMC '18 Proceedings of the Internet Measurement Conference 2018 - Scheitle, Quirin; Gasser, Oliver; Nolte, Theodor; Amann, Johanna; Brent, Lexi; Wählisch, Matthias; Schmidt, Thomas C.; Holz, Ralph; Carle, Georg - New York : ACM, 2019. - Pages 343-349.
- Towards a Rigorous Methodology for Measuring Adoption of RPKI Route Validation and Filtering : article - Reuter, Andreas; Bush, Randy; Cunha, Italo; Katz-Bassett, Ethan; Schmidt, Thomas C.; Wählisch, Matthias - New York : ACM, 2018. - pp. 20-27 - (Computer communication review ; 48. 2018, 1).
Routing is a fundamental mechanism in communication networks, and its security is critical to ensure availability and prevent attacks; however, developing and deploying secure routing mechanism is still a challenge. Routing is the process by which information is passed via the communication network, from source to destination, via a series of intermediary nodes or routers. Routing attacks include route-hijacking, i.e., diverting traffic to an adversary-controlled router, as well as denial-of-service attacks exploiting the routing mechanism, i.e., preventing communication (in entire network, between specific parts, etc.), e.g., by malicious dropping of packets by a router. Routing, and even more secure routing, are complex problems, with many variants. In particular, the Internet is a federation of many domains (usually referred to as autonomous systems (ASes)), each managed by a separate organization (e.g., an Internet Service Provider (ISP)); there are separate standard protocols for routing inside an AS (Intra-domain routing) and for routing from a source in one AS to a destination in a different AS (Inter-domain routing). Significant efforts are dedicated to securing both Intra-domain routing protocols and Inter-domain routing protocols.
This Dagstuhl Seminar aims at bringing together, leading scientist in the area of secure routing, including scientists working on security of inter-AS routing, intra-AS routing, routing for future Internet designs, and on (secure) routing for highly-mobile scenarios including ad-hoc networks, sensor networks, robotic (swarm) networks, delay-tolerant networks and vehicular networks. To further stimulate discussion, the seminar will include also a number of prominent scientists and experts in the more general areas of network security, privacy/security, and future communication networks. At the same time, researchers and representatives from industry are invited to aid in understanding the requirements of practical routing security at Internet scale, with the hope of improving standardization and adoption of improved routing security mechanisms, and of improving the cooperation between academia and industry. The main topics which we plan to focus on in this seminar include:
- Improving the security of the (existing) Internet's Inter-Domain Routing protocols. Inter-domain routing is challenging, as it involves multiple organizations, controlling different domains (autonomous systems); these organizations have different interests, often conflicting, and in particular may be competing or in political or other conflict. For several years already, there have been extensive standardization and deployment efforts, e.g., at the IETF’s SIDR working group, to improve the security of current inter-domain routing protocols. Progress has been made, but slower than anticipated and desired. In this topic, we will focus on understanding the challenges and exploring directions for improving adoption, possibly by new security mechanisms or modifications/extensions to existing proposals and standards.
- New Inter-Domain Routing protocols with extended security and new requirements, including Quality of Service (QoS) and Denial of Service (DoS) requirements. An alternative approach is to change the routing protocols to new designs, designed to meet security requirements. This allows to support security requirements which inherently conflict with existing Internet routing. In particular, QoS routing is concerned with ensuring the well-defined and controllable behavior of the routing system with respect to quantitative performance parameters. However, QoS routing is typically investigated in absence of attacks and isolated from security considerations. In the presence of DoS attacks, the QoS of communications systems cannot be guaranteed in absence of suitable routing security solutions, yet, QoS and DoS are mostly regarded in isolated fashion in existing research work. This Dagstuhl Seminar aims at jointly investigating QoS and DoS aspects in routing security.
- Intra-domain Routing Security. Much less effort has been directed at security of intra-domain routing mechanisms, since these are all under the control of the same organization. However, there are still security concerns, in particular, to deal with corruption of one or multiple routers; there are very few deployed intra-routing security mechanisms, and relatively few research-works in this area.
- Routing Security in Mobile/Wireless Networks, and in Delay- and Disruption-tolerant Networks. Mobile and wireless networks come in many forms such as wireless sensor networks, mobile ad hoc or vehicular networks, etc. These networks typically build on mobile end systems with a low degree of physical security. The main challenge lies in the severe limitations of these systems in terms of computational capabilities or resources such as energy. Moreover, variability of network characteristics can be considered the norm rather than the exception, leading to delay- or disruption-tolerant communications. Existing solutions for secure routing cannot be considered as practical, hence, new and tailored solutions towards secure routing for mobile and wireless networks have to be designed.
- Anonymous and Privacy-preserving Routing. Insecure routing systems facilitate surveillance as has been demonstrated by the information made public by Edward Snowden. In today’s Internet, the amount of data that can be gathered about individual users is unprecedented and leads to concerns about user’s privacy. New solutions for anonymous and privacy preserving routing have to take into account stronger adversary models, and include privacy preservation and anonymity protection directly into the routing mechanism.
The seminar was focused on the following aspects of routing security, mostly in the context of traditional inter-domain routing security: (i) Protocol design vs tooling, (ii) sources of relevant routing data and their accuracy/collection challenges, including policy databases, (iii) the need for metadata and dataset ``labelling'', (iv) monitoring and detection of routing attacks and anomalous incidents, such as BGP hijacks and route leaks, incentives for network operators to adopt routing security protocols, (v) testbeds for routing experiments, (vi) hijacks as enabling attacks against ToR and Bitcoin, on the application level, (vii) prevention of routing attacks, (viii) anonymity, privacy and (anti-)censorship. Moreover, we discussed in depth about (ix) PKI and cryptographic verification and protection mechanisms, and their use in securing routing infrastructures, such as the RPKI and BGPsec protocols. Finally, we (x) approached BGP flowspecs, DDoS attacks and QoS in the Internet as separate topics of interest in the field. Another goal of the seminar was to touch upon (xi) future network routing architectures which offer routing security ``by design'', especially in light of demanding upcoming applications such as IoT, car-to-car communications, sensor swarms, and wireless routing at scale, and identify related security and privacy concerns and objectives.
Besides the specific goals of the seminar, it is also worth noting some interesting aspects of Dagstuhl seminars in general, that played a critical role in fueling the related talks, discussions and reports. In summary, the 3-day seminar in which we participated, focused not solely on the presentation of established results but also on ideas, sketches, and open (research and operations) problems. The pace and program was guided by topics and presentations that evolved through discussions. This report contains an executive summary of the material that was transcribed during the entire seminar.
Overall, some participants of the seminar seem to be more "pessimistic" about routing security. Both the research and operator communities need to consolidate more data sources to facilitate progress. Any deployment progress is only possible if operator incentives are improved, however, it remains an open problem on how to provide strong incentives. In practice, a good technical solution is insufficient without first tackling the "politics". We discussed about routing/network testbeds and the role they can play in emulating and verifying many of the discussed concepts. However, in the wild (or the "real world"), it is surprisingly hard to implement something like RPKI; even more so for BGPsec. We all need a better understanding of the problem space; formal taxonomies of routing attacks, such as hijacks, would be of great help on this front. Regarding improving BGP itself, we have seen many prevention mechanisms, whose deployment is the end-goal for the Internet. However, as we have to live with BGP at least in the intermediate term, we can also explore research on overlay solutions to achieve the properties that we need, at least for the time being. These solutions need to support incremental deployment for obvious reasons.
In general, deployment progress has been slow which is feared not change in the near future. It is reassuring to see that a lot of work is being done in the measurement area; we were also reminded how hard is it to get the ground truth, labelled with useful metadata. Some fundamentally new and secure approaches were discussed, for instance the SCION secure Internet architecture, however, the deployment of new inter-domain routing protocols is very challenging. To improve the deployment incentives of secure routing protocols for operators, the creation of a catalog of routing incidents could be beneficial.
Moreover, it seems that the community may have underestimated the importance of monitoring tools and their utility in the wild. We have learned about new data sets, as well as interesting insights on the Impact of prefix hijacks on the application layer. In general though, we were hoping to see more enthusiasm for new solutions.
Finally, it is worth noting that having a mixed group of researchers and operators is very important to exchange information and discuss potential approaches, which made the seminar an interesting and worthwhile experience.
- Mai Ben-Adar Bessos (Bar-Ilan University - Ramat Gan, IL) [dblp]
- Nikita Borisov (University of Illinois - Urbana Champaign, US) [dblp]
- Georg Carle (TU München, DE) [dblp]
- Shinyoung Cho (Stony Brook University, US) [dblp]
- Ítalo Cunha (Federal University of Minas Gerais-Belo Horizonte, BR) [dblp]
- Marc C. Dacier (EURECOM - Sophia Antipolis, FR) [dblp]
- Phillipa Gill (University of Massachusetts - Amherst, US) [dblp]
- Joel M. Halpern (Ericsson - Leesburg, US) [dblp]
- Raphael Hiesgen (HAW - Hamburg, DE) [dblp]
- Carlee Joe-Wong (Carnegie Mellon University - Pittsburgh, US) [dblp]
- Mattijs Jonker (University of Twente, NL) [dblp]
- Vasileios Kotronis (FORTH - Heraklion, GR) [dblp]
- Taeho Lee (ETH Zürich, CH) [dblp]
- Hemi Leibowitz (Bar-Ilan University - Ramat Gan, IL) [dblp]
- Victoria Manfredi (Wesleyan University - Middletown, US) [dblp]
- Marcin Nawrocki (FU Berlin, DE) [dblp]
- Christos Pappas (ETH Zürich, CH) [dblp]
- Adrian Perrig (ETH Zürich, CH) [dblp]
- Alvaro Retana (Huawei Technologies - Santa Clara, US) [dblp]
- Andreas Reuter (FU Berlin, DE) [dblp]
- Thomas C. Schmidt (HAW - Hamburg, DE) [dblp]
- Laurent Vanbever (ETH Zürich, CH) [dblp]
- Pierre-Antoine Vervier (Symantec Research Labs - Sophia Antipolis, FR) [dblp]
- Stefano Vissicchio (University College London, GB) [dblp]
- Rüdiger Volk (Deutsche Telekom - Münster, DE) [dblp]
- Matthias Wählisch (FU Berlin, DE) [dblp]
- Bing Wang (University of Connecticut - Storrs, US) [dblp]
- Dagstuhl Seminar 15102: Secure Routing for Future Communication Networks (2015-03-01 - 2015-03-04) (Details)
- security / cryptology
- Internet security
- secure routing
- communication networks
- future internet
- privacy and anonymity
- mobile and wireless networks