![]() |
![]() |
![]() |
Additional to acting as a group of isolated adversaries, colluding adversaries can tunnel advertisements and secrets between them and create invalid routes with fake AS links without being detected by the Whisper protocols. These invalid routes are not detectable even with a PKI unless the complete topology is known and enforced. Despite the limitation, we can provide protective measures for avoiding these invalid routes.
Given the hierarchical nature and the skewed structure of the
Internet topology, the invalid paths from colluding adversaries not
detectable by the Whisper tend to be longer in AS path length. This
is because, a normal route would traverse the Internet core (tier-1 +
tier-2 ISPs) once while a consistent invalid route through
colluding adversaries traverses the Internet core twice (since the
adversary cannot remove any AS from the path). Hence, by choosing the
shortest path we have a better chance of avoiding the invalid route.
Figures 8, 9 and 10,
illustrates this effect of colluding adversaries for
scenarios:
(a) the current Internet with no protection; (b) whisper protocols
with policy routing; (c) whisper protocols with shortest path routing.
All these graphs show the cumulative distribution of the vulnerability
metric (defined in Section 6.1) for a set of
colluding malicious adversaries. We specifically consider three
cases: (a)
colluding tier-1 AS's; (b)
colluding tier-2 AS's
(c)
colluding customer AS's.
We make two observations. First, randomly compromised customer
routers can inflict the same magnitude of damage as that of two tier-1
nodes illustrating the effect of colluding adversaries in the current
Internet. Typically, customer AS's are easier to compromise since many
of them are unmanaged. Second, whisper protocols with shortest path
routing drastically reduces the possibility of colluding adversaries
(in comparison to policy routing) propagating invalid routes without
triggering alarms. In particular, even when
customer AS's are
compromised, the effect on the Internet routing is negligible.
Whisper protocols with policy routing offers much lesser protection
since BGP tends to choose routes based on the local preference.
The typical policy convention based on stable routing and economic
constraints is to prefer customer routes over peer and provider
routes [18]. This preference rule increases the
vulnerability of BGP to pick consistent invalid routes from customers
over potentially shorter routes through peers /providers. In
principle, this problem also exists in S-BGP. To strike a middle ground
between the flexibility of policy routing and this vulnerability, we
propose a simple modification to the policy engine: Do not
associate any local preference to customer routes that have an AS path
length greater than (any route from a pair of colluding route
should have a minimum path length of
). We believe that this
modification to BGP policies should have little impact on current
operation since most customer routes today have a path length less
than
.
To summarize, whisper protocols in combination with the modified policies (emulating shortest path routing) can largely restrict the damage of colluding adversaries.