ABSTRACT
Autonomous systems (ASes) on the Internet increasingly rely on Internet Exchange Points (IXPs) for peering. A single IXP may interconnect several 100s or 1000s of participants (ASes) all of which might peer with each other through BGP sessions. IXPs have addressed this scaling challenge through the use of route servers. However, route servers require participants to trust the IXP and reveal their policies, a drastic change from the accepted norm where all policies are kept private. In this paper we look at techniques to build route servers which provide the same functionality as existing route servers without requiring participants to reveal their policies thus preserving the status quo and enabling wider adoption of IXPs. Prior work has looked at secure multiparty computation (SMPC) as a means of implementing such route servers however this affects performance and reduces policy flexibility. In this paper we take a different tack and build on trusted execution environments (TEEs) such as Intel SGX to keep policies private and flexible. We present results from an initial route server implementation that runs under Intel SGX and show that our approach has 20x better performance than SMPC based approaches. Furthermore, we demonstrate that the additional privacy provided by our approach comes at minimal cost and our implementation is at worse 2.1x slower than a current route server implementation (and in some situations up to 2x faster).
- Amsterdam Internet Exchange (AMS-IX). https://ams-ix.net.Google Scholar
- Amsterdam Internet Exchange: Members. https://ams-ix.net/connected_parties retrieved 04/20/2018.Google Scholar
- S. Arnautov, B. Trach, F. Gregor, T. Knauth, A. Martin, C. Priebe, J. Lind, D. Muthukumaran, D. O'Keeffe, M. Stillwell, D. Goltzsche, D. M. Eyers, R. Kapitza, P. R. Pietzuch, and C. Fetzer. SCONE: Secure Linux Containers with Intel SGX. In OSDI, 2016. Google ScholarDigital Library
- G. Asharov and Y. Lindell. A full proof of the bgw protocol for perfectly secure multiparty computation. Journal of Cryptology, 30:58--151, 2011. Google ScholarDigital Library
- A. Baumann, M. Peinado, and G. C. Hunt. Shielding Applications from an Untrusted Cloud with Haven. In OSDI, 2014. Google ScholarDigital Library
- M. Ben-Or, S. Goldwasser, and A. Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In STOC, 1988. Google ScholarDigital Library
- The BIRD Internet Routing Daemon. http://bird.network.cz.Google Scholar
- I. Castro, J. C. Cardona, S. Gorinsky, and P. FranÃğois. Remote peering: More peering without internet flattening. In CoNEXT, 2014. Google ScholarDigital Library
- M. Chiesa, D. Demmler, M. Canini, M. Schapira, and T. Schneider. SIXPACK: Securing Internet eXchange Points Against Curious onlooKers. In CoNEXT, 2017. Google ScholarDigital Library
- M. Chiesa, R. di Lallo, G. Lospoto, H. Mostafaei, M. Rimondini, and G. D. Battista. Prixp: Preserving the privacy of routing policies at internet exchange points. 2017 IFIP/IEEE Symposium on Integrated Network and Service Management (IM), pages 435--441, 2017.Google ScholarDigital Library
- S. G. Choi, K.-W. Hwang, J. Katz, T. Malkin, and D. Rubenstein. Secure multiparty computation of boolean circuits with applications to privacy in on-line marketplaces. In IACR Cryptology ePrint Archive, 2011.Google Scholar
- ExaBGP overview. https://github.com/Exa-Networks/exabgp/wiki.Google Scholar
- O. Goldreich, B. Chor, S. Goldwasser, and L. A. Levin. Secure multiparty computation. 1998.Google Scholar
- O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game or a completeness theorem for protocols with honest majority. In STOC, 1987. Google ScholarDigital Library
- A. Gupta, R. MacDavid, R. Birkner, M. Canini, N. Feamster, J. Rexford, and L. Vanbever. An Industrial-Scale Software Defined Internet Exchange Point. In NSDI, 2016. Google ScholarDigital Library
- A. Gupta, L. Vanbever, M. Shahbaz, S. P. Donovan, B. Schlinker, N. Feamster, J. Rexford, S. Shenker, R. J. Clark, and E. Katz-Bassett. SDX: a software defined internet exchange. In SIGCOMM, 2014. Google ScholarDigital Library
- D. Gupta, A. Segal, A. Panda, G. Segev, M. Schapira, J. Feigenbaum, J. Rexford, and S. Shenker. A new approach to interdomain routing based on secure multiparty computation. In HotNets, 2012. Google ScholarDigital Library
- IX.br. http://ix.br.Google Scholar
- IX.br Members. http://ix.br/particip/sp retrieved 04/20/2018.Google Scholar
- S. M. Kim, Y. Shin, J. Ha, T. Kim, and D. Han. A first step towards leveraging commodity trusted execution environments for network applications. In HotNets, 2015. Google ScholarDigital Library
- C. S. Liu, A. Harris, M. Maas, M. W. Hicks, M. Tiwari, and E. Shi. GhostRider: A Hardware-Software System for Memory Trace Oblivious Computation. In ASPLOS, 2015. Google ScholarDigital Library
- Meltdown and Spectre. https://meltdownattack.com.Google Scholar
- P. Richter, G. Smaragdakis, A. Feldmann, N. Chatzis, J. Böttger, and W. Willinger. Peering at Peerings: On the Role of IXP Route Servers. In IMC, 2014. Google ScholarDigital Library
- RIS Raw Data. https://www.ripe.net/analyse/internet-measurements/routing-information-service-ris/ris-raw-data.Google Scholar
- B. Schlinker, H. Kim, T. Cui, E. Katz-Bassett, H. V. Madhyastha, Í. S. Cunha, J. Quinn, S. Hasan, P. Lapukhov, and H. Zeng. Engineering egress with edge fabric: Steering oceans of content to the world. In SIGCOMM, 2017. Google ScholarDigital Library
- Intel(R) Software Guard Extensions for Linux* OS. https://github.com/01org/linux-sgx.Google Scholar
- G. Siganos and M. Faloutsos. Analyzing bgp policies: Methodology and tool. In INFOCOM, 2004.Google ScholarCross Ref
- A. Tang, S. Sethumadhavan, and S. J. Stolfo. Clkscrew: Exposing the perils of security-oblivious energy management. In USENIX Security Symposium, 2017. Google ScholarDigital Library
- GlobalPlatform made simple guide: Trusted Execution Environment (TEE) Guide. https://www.globalplatform.org/mediaguidetee.asp.Google Scholar
- Y. Xu, W. Cui, and M. Peinado. Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems. 2015 IEEE Symposium on Security and Privacy, pages 640--656, 2015. Google ScholarDigital Library
- A. C.-C. Yao. Protocols for secure computations. 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982), pages 160--164, 1982. Google ScholarDigital Library
- A. C.-C. Yao. How to generate and exchange secrets. 27th Annual Symposium on Foundations of Computer Science (sfcs 1986), pages 162--167, 1986. Google ScholarDigital Library
- K.-K. Yap, M. Motiwala, J. Rahe, S. Padgett, M. J. Holliman, G. Baldus, M. Hines, T. Kim, A. Narayanan, A. Jain, V. Lin, C. Rice, B. Rogan, A. Singh, B. Tanaka, M. Verma, P. Sood, M. M. B. Tariq, M. Tierney, D. Trumic, V. Valancius, C. Ying, M. Kallahalla, B. Koley, and A. Vahdat. Taking the edge off with espresso: Scale, reliability and programmability for global internet peering. In SIGCOMM, 2017. Google ScholarDigital Library
Index Terms
- Preserving Privacy at IXPs
Recommendations
Neighbor-specific BGP: more flexible routing policies while improving global stability
SIGMETRICS '09The Border Gateway Protocol (BGP) offers network administrators considerable flexibility in controlling how traffic flows through their networks. However, the interaction between routing policies in different Autonomous Systems (ASes) can lead to ...
Implications of autonomy for the expressiveness of policy routing
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communicationsThousands of competing autonomous systems must cooperate with each other to provide global Internet connectivity. Each autonomous system (AS) encodes various economic, business, and performance decisions in its routing policy. The current interdomain ...
Neighbor-specific BGP: more flexible routing policies while improving global stability
SIGMETRICS '09: Proceedings of the eleventh international joint conference on Measurement and modeling of computer systemsThe Border Gateway Protocol (BGP) offers network administrators considerable flexibility in controlling how traffic flows through their networks. However, the interaction between routing policies in different Autonomous Systems (ASes) can lead to ...
Comments