SIXPACK: Securing Internet eXchange Points Against Curious onlooKers
We leverage state-of-the-art accomplishments in Secure MultiParty Computation (SMPC) to design the first IXP route server service for efficiently ranking, selecting, and dispatching BGP routes based on the IXP members' expressive routing policies and IXP performance-related information without leaking any confidential business peering information.
View on BitBucket » Read our paper » Check our privacy survey » Read our short paper » Read our technical report » Reproduce our results »
Problem: Improving Internet Routing without disclosing private information
Internet eXchange Points (IXPs) are physical networks where member organizations connect to exchange traffic.
Routing information exchanged via BGP sessions among members.
Route Servers (RSes) at IXPs ease BGP route-dispatch.
Members that use RSes must disclose their confidential route-export policies to the IXP.
Export-policy: what BGP routes a member is willing to announce to other members.
Privacy concerns deter some networks from subscribing to RS services.
How can a member leverage the functionalities of a centralized RS without disclosing its export policies?
Can we add further information (e.g., port utilization) into the BGP dispatch operation at the RS to improve Internet Routing?
Solution: SIXPACK!
A privacy-preserving advanced route dispatching service.
Based on provable security guarantees and recent developments in Secure Multi-Party Computation (SMPC).
Two non-colluding entities perform SMPC computation in order to dispatch the BGP routes to participants.
The best route of each member is computed based on:
export policy: to whom a route is announced
import policy: a ranking of the neighbors per IP-prefix.
performance information: a value representing any performance metric (e.g., port utilization).
Example - Exporting a route
Member A wants to announce a route R to member B.
Route R is encrypted with key K and sent to each member.
The export policy of A is secret-shared between RS1 and RS2 as an input to the SMPC.
SMPC is responsible for dispatching K only to member B.
Neither RS1 nor RS2 learns anything about the export policy of member A.
Practically good SMPC performance
Emulate large IXP with 750 members.
1 Gbps link connection between the two parties.
ABY framework based on the GMW protocol.
The setup phase is independent of the actual inputs and can be precomputed.
SIXPACK comprises two efficient route dispatching functions:
Export-All: It exports all admissible routes to all members.
Select-Best: It exports the best route given a per-route ranking and ixp-performance information.
Approach | Routes | Setup[ms] | Online[ms] |
---|---|---|---|
Export-All | 1 | 1.7 | 0.6 |
Select-Best | 2 | 16.5 | 4.2 |
3 | 19.8 | 5.3 | |
7 | 34.6 | 10.3 | |
15 | 63.7 | 19.3 | |
31 | 122.4 | 35.9 |
Prototype evaluation
Based on a real-world trace of BGP updates from one of the largest IXPs worldwide.
More than 600 members, 10.62 BGP route announcements/withdrawals per second.
SIXPACK prototype in Python.
Bandwidth requirement RS1 RS2 below 11Mbps.
Slightly larger runtimes for the Select-Best approach.