You are on page 1of 22

RIP-TP:

Detecting Invalid RIP Routing Updates


Dan Pei, UCLA Dan Massey, USC/ISI Lixia Zhang, UCLA

December 3rd, 2003

Outline

Motivation
RIP-TP design(Triangle Checking and Probing) Simulation Evaluation

Summary

2/20

Fail-Stop Failure model might not be true in reality

Fail-Stop: a router either works perfectly, or completely stops.


UCLA
My Distance to UCLA is Zero!

ARPANet in 1971[McQuillan:TOC78(12)]
3/20

Invalid Routing Updates can be due to

Non-Fail-Stop Faults [McQuillan:TOC78(12)]

Mis-configurations [Mahajan:SIGCOMM02]

Implementation Bugs [Labovitz:SIGCOMM97] Malicious Attacks [Wang:IMW02]

4/20

RIP (Routing Information Protocol)


Exchange distance information Keep and announce shortest path only Rs route for D: [ Destination=D, Dist=4, Nexthop=A]
Distance Info refreshed every 30 seconds; Up to 25 destinations per update message.

D
A
D:1

R C

5/20

Outline

Motivation

RIP-TP design(Triangle Checking and Probing)


Simulation Evaluation

Summary

6/20

RIP-TP Design Overview


Message: Dist(A,D),, Dist(A,Y) R

No Collaboration between routers is needed!

Step 1: Triangle Checking to detect suspicious distances


Step 2: Send probing messages to verify

# of probing messages adaptive to # of suspicious distances per update discard those distances that failed verification
7/20

Triangle Theorem in a Static Graph

b
Dist(a,b) Dist(b,c) Dist(a,c)

Dist(a,c)Dist(a,b)+Dist(b,c)
8/20

Triangle Checking in RIP


A
Dist(A,B) Dist(B,D) Dist(A, D)

B [ destination D, Dist(R,D), B=Nexthop(R,D) ] [ destination B, Dist(R,B), B=Nexthop(R,B) ]

? Dist(B,I) Dist(A,B) + Dist(A,D)


9/20

Verification Through Probing

Probing message for suspicious Dist(A,D)


a UDP packet with un-used port number TTL = Dist(A,D) +1 (assuming routing metric is hop-count) A timer: expiration time proportional to TTL

QuickTime and a TIFF (LZW) decompressor are needed to see this picture.

A ICMP unreachable port

10/20

Verification Through Probing

Probing message for suspicious Dist(A,D)


a UDP packet with un-used port number TTL = Dist(A,D) +1 (assuming routing metric is hop-count) A timer: expiration time proportional to TTL

TTL=0
QuickTime and a TIFF (LZW) decompressor are needed to see this picture.

A ICMP time exceeded

11/20

Verification Through Probing

Probing message for suspicious Dist(A,D)


a UDP packet with un-used port number TTL = Dist(A,D) +1 (assuming routing metric is hop-count) A timer: expiration time proportional to TTL

QuickTime and a TIFF (LZW) decompressor are needed to see this picture.

Timer Expires!

12/20

Adaptive to large/small number of invalid distances

Let X be the number of suspicious distances in one update

Up to C Probing messages per update C [Cmin, Cmax]; if X, then C

13/20

Outline

Motivation RIP-TP design(Triangle Checking and Probing)

Simulation Evaluation
Summary

14/20

Simulation Scenario

One faulty router selects I destinations, and decreases each distance by 1; I:1~8

How Probing adapts to I

Compared with RIP-RP(Randomly Probing K destinations); K:1~3

how much triangle theorem helps

Grid topology(N*N); N:3~7


Every second, with probability of P(0.02~0.2), one link is failed (Recovered with probability of 0.5 later)
15/20

Detection Rate vs I
Detection Rate

RIP-TP

Faulty router sends I invalid distances, causing J invalid distances propagated in the network.
M of J are detected. Detection rate=M/J

I(Number of invalid distances/update)


16/20

Overhead vs I
Overhead= (Total Number of Probing messages)/ (Total Number of RIP messages) RIP-TP

I(Number of invalid entries/update)


17/20

Overhead

Summary of Simulation Results

I: 1~8, P:0.02~0.2, N:3~7


Detection Rate 95%
Overhead 1.1 probing messages/update

18/20

Related work

Sign the routing updates [Perlman88, Smith:NDSS97, Kent:J-SAC00] Update Counts Statistics[Mittal:CCS02]

Check TTL of the Routing Messages [Gill:IETF03]


19/20

Summary

Routing Protocols need to deal with invalid updates


Detection of Invalid Updates

is not only feasible, but can be done effectively with low overhead.

Future work:

Extension to general DV and general metric

20/20

Thank you very much!

Discard the entire Update if more thanThresh_Drop NACKed distances

Thresh_Drop [Tmin, Tmax]; if X or C, then Thresh_Drop

22/20