

Triggering Alarms vs Identification

Figure 1: Comparison of the security approach of Whisper protocols with Secure BGP

The main distinction between our approach and a PKI-based approach is the concept of triggering alarms as opposed to identifying the source of problems. In Secure-BGP, a router can verify the correctness of a single route advertisement by contacting a PKI and a central authority to test the validity of the signatures embedded in the advertisement. For example, in Figure 1 (Case(i)), each AS $X$ appends an advertisement with a signature $S_X$ generated using its public key. Another AS can use a PKI to check whether $S_X$ is the correct signature of $X$. In this case, any misconfigured or malicious AS propagating an invalid route will not be able to append the correct signatures of other ASes and can be identified.

Without either of these two infrastructural pieces, a router cannot verify a single route advertisement in isolation. The Whisper model is to consider two different route advertisements to the same destination and check whether they are consistent with each other. For example, in Figure 1 (Case(ii)), each route advertisement is associated with a signature of an AS path. AS $D$ receives two advertisements to destination $A$ and can compare the signatures $h_{ABC}$ and $h_{AXY}$ to check whether the routes $(C,B,A)$ and $(Y,X,A)$ are consistent. When two routes are detected as inconsistent, the Whisper protocol can determine that at least one of the routes is invalid. However, it cannot clearly pinpoint the source of the invalid route. Upon detecting inconsistencies, the Whisper protocol can trigger alarms notifying operators about the existence of a problem. This method is based on the composition of well-known principles of weak authentication as discussed by Arkko and Nikander [11].

Whisper does not require the underlying Internet topology to have multiple disjoint paths to every destination AS. As long as an adversary propagating an invalid route is not on every path to the destination, Whisper will have two routes to check for consistency: (a) the genuine route to the destination; (b) the invalid path through the adversary.
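The following sketch is an added example, not code from the paper: it shows AS $D$ comparing pairs of advertisements to destination $A$ and raising an alarm that names an inconsistent pair of routes rather than a culprit. It assumes a hash-chain signature in which the origin seeds the chain with a secret and every AS on the path hashes the signature once before forwarding; this page does not specify the construction, and all function names, the secret and the route through `M` are constructed for illustration.

```python
import hashlib
from itertools import combinations

def h(value: bytes, times: int = 1) -> bytes:
    """Apply SHA-256 `times` times (assumed: one application per AS hop)."""
    for _ in range(times):
        value = hashlib.sha256(value).digest()
    return value

def advertise(path, origin_secret: bytes) -> dict:
    """Advertisement as received after every AS on `path` has hashed once."""
    return {"path": tuple(path), "sig": h(origin_secret, len(path))}

def consistent(r1: dict, r2: dict) -> bool:
    """Hashing the shorter route's signature by the difference in path
    length must reproduce the longer route's signature."""
    short, long_ = sorted((r1, r2), key=lambda r: len(r["path"]))
    gap = len(long_["path"]) - len(short["path"])
    return h(short["sig"], gap) == long_["sig"]

def alarms(routes) -> list:
    """Each alarm is an inconsistent pair: at least one route of the pair
    is invalid, but the check alone cannot say which."""
    return [(a["path"], b["path"])
            for a, b in combinations(routes, 2) if not consistent(a, b)]

# Constructed sample data: the secret known only to origin AS A.
SECRET_A = b"constructed-secret-of-origin-A"
ROUTE_CBA = advertise(("C", "B", "A"), SECRET_A)   # carries h_ABC
ROUTE_YXA = advertise(("Y", "X", "A"), SECRET_A)   # carries h_AXY
# Constructed invalid route: its signature was not derived from A's secret.
ROUTE_BAD = {"path": ("M", "A"), "sig": h(b"not-the-secret", 2)}

if __name__ == "__main__":
    print("genuine pair consistent:", consistent(ROUTE_CBA, ROUTE_YXA))
    for pair in alarms([ROUTE_CBA, ROUTE_BAD]):
        print("ALARM: at least one of these routes is invalid:", pair)
```

With only `ROUTE_CBA` and `ROUTE_BAD` in hand, $D$ gets a single alarm covering both paths, which is the "alarm, not identification" property described above.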


116 2004-02-12