Listen & Whisper

This is joint work with Lakshminarayanan Subramanian, Ion Stoica, Scott Shenker, and Randy H. Katz.

Motivation

BGP, the current inter-domain routing protocol, assumes that the routing information propagated by authenticated routers is correct. This assumption renders the current infrastructure vulnerable to both accidental misconfigurations and deliberate attacks. This is illustrated below: M advertises a (non-existent) route to O, which prompts the infrastructure to route traffic from C to O via M. Hence, M can eavesdrop on, or simply drop, traffic to which M would not normally have access.


A malicious BGP speaker announces forged routes (left). As a result, some peers will forward traffic to that BGP speaker (right).

More sophisticated BGP security mechanisms have been proposed (e.g., S-BGP), but they often require an extensive cryptographic key distribution infrastructure and/or a trusted central database. Without either of these two crucial ingredients, these security proposals have not moved forward towards adoption.

Synopsis

Whispers use mechanisms such as hash functions, together with routing redundancy, to detect bogus route advertisements in the control plane. The principal idea of Whispers is to test pairs of route advertisements for consistency.


Left: routes are propagated correctly, no alarms are raised. Middle: a bogus route announcement is in conflict with a legitimate one, which raises an alarm. Right: two malicious route announcements do not raise an alarm without a third legitimate one.

A failed consistency test exposes the existence of a bogus route announcement. Whispers cannot identify the bogus route, but they raise an alarm and flag the suspicious routes. The mechanism can detect and contain isolated adversaries that propagate even a few bogus route advertisements. Colluding adversaries pose a more stringent challenge, but simple changes to the BGP policy mechanisms can limit the damage that colluding adversaries can cause.

Whisper protocols do not provide "perfect security" but significantly improve security through easily deployable mechanisms, because they require neither prior exchange of cryptographic keys nor a trusted centralized database.
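The pairwise consistency test described above can be sketched with a hash chain. This is an added example, not code from the project: it assumes a simplified construction in which the origin seeds each announcement with the hash of a secret and every AS hashes the signature once more per hop, and the function names, SHA-256, and sample values are all constructed for illustration.

```python
import hashlib
from itertools import combinations

def h(value: bytes, times: int = 1) -> bytes:
    """Apply SHA-256 to value the given number of times."""
    for _ in range(times):
        value = hashlib.sha256(value).digest()
    return value

def originate(secret: bytes):
    """Origin AS announces (path length 1, signature h(secret))."""
    return 1, h(secret)

def forward(route):
    """Each AS that propagates a route hashes its signature once more."""
    length, sig = route
    return length + 1, h(sig)

def consistent(r, s) -> bool:
    """Hashing the shorter route's signature once per extra hop must
    reproduce the longer route's signature."""
    (k, y_long), (l, y_short) = sorted([r, s], key=lambda x: x[0], reverse=True)
    return h(y_short, k - l) == y_long

def alarm(routes) -> bool:
    """Raise an alarm if any pair of routes to the same prefix disagrees."""
    return any(not consistent(a, b) for a, b in combinations(routes, 2))

def scenarios():
    secret = b"constructed-secret-of-origin-O"      # assumed known only to O
    legit_short = forward(originate(secret))          # 2 hops from O
    legit_long = forward(forward(legit_short))        # 4 hops from O
    # M holds no valid signature for its claimed path, so it must make one up.
    forged = b"constructed-value-chosen-by-M"
    bogus_a = forward(originate(forged))
    bogus_b = forward(forward(originate(forged)))
    return {
        "two legitimate routes": alarm([legit_short, legit_long]),
        "bogus vs legitimate": alarm([legit_long, bogus_a]),
        "two bogus routes only": alarm([bogus_a, bogus_b]),
        "two bogus plus one legitimate": alarm([bogus_a, bogus_b, legit_short]),
    }

if __name__ == "__main__":
    for name, raised in scenarios().items():
        print(f"{name}: {'ALARM' if raised else 'consistent'}")
```

The four cases mirror the figure: the test only flags a disagreement between routes, so it needs at least one legitimate route among those compared and cannot say which route of a failing pair is the bogus one.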

Selected Publications

  1. Lakshminarayanan Subramanian, Randy H. Katz, Volker Roth, Scott Shenker, and Ion Stoica.
    Reliable broadcast in unknown fixed-identity networks.
    In PODC '05: Proceedings of the twenty-fourth annual ACM SIGACT-SIGOPS Symposium on Principles of Distributed Computing, pages 342-351, New York, NY, USA, 2005. ACM Press.
  2. Lakshminarayanan Subramanian, Volker Roth, Ion Stoica, Scott Shenker, and Randy Katz.
    Listen and Whisper - Security mechanisms for BGP.
    In Proc. Symposium on Networked Systems Design and Implementation (NSDI'04), San Francisco, CA, March 2004. USENIX/ACM.