Secure Integration of BGP and Software Defined Networks

The understanding of the possible interactions of SDN and BGP networks is inchoate. (For readability, current networks which use BGP, eBGP, etc. are referred to as "BGP" networks.) The demonstration implemented under this contract illustrates one possible mode of interaction at the single-controller scale. DNSSEC, BGP, and BGPSEC will all interact with the control plane and are part of the answers to the questions above. But what is still needed, remains undefined, and requires a multi-year commitment is the technology and resources for a trust ecosystem. Creating a resilient infrastructure requires reasoning about risks at a network scale. To inform our initial reasoning, we built on biological and telecommunications modeling.

As software defined networks diffuse, they will be integrated with BGP-centric networks at every level. The separation of the physical and logical components of the network may arguably be more valuable in cyber-physical systems and networks managed by less skilled operators than in the larger infrastructure.

A good example of cyber-physical systems is SCADA or, in general, industrial control systems. There, millions of devices that were designed with the assumption of physical security and isolated networks are now connected over the Internet. This trend will not only accelerate but also include OpenFlow controllers. Legacy control system components on the electrical grid, natural gas pipelines, pumping stations, and networked controllers in the extraction industries are increasingly connected. These devices are fundamentally different, in terms of vulnerabilities, from the current PC or mobile device model. There is no simple method to update the software when vulnerabilities are found. Update cycles can be years or even decades rather than weeks. The level of expertise required to move from known vulnerability to subverted system varies widely; currently no simple automation of code suitable for ego-driven amateurs is available (i.e., no script kiddies), but this may be only temporary. The view of the small community of SDN security experts is that the only practical medium-term solution is reperimeterization, and this can be done much more cheaply and effectively using SDN.

However, SDN not only has the potential to provide better isolation for legacy cyber-physical systems, but also (if wrongly deployed) to provide ease of malicious mapping and simplified, more scalable attacks. Effective mutual authentication of cyber-physical systems will require effective architectures, trustworthy code, and correct administration of SDN. All the challenges noted above are compounded in cyber-physical systems.

Similarly, SDN can be used to provide home network control and isolation. Our current traffic-engineering and network management technologies are not up to the task of preventing malicious distributed hosts from self-organizing into massive botnets. Should SDN be unable to improve on current methods to mitigate the chronic insecurity of networks owned by naive users, it may not offer much overall improvement.

Understanding this challenge requires high-level modeling: not only formal technical modeling to determine measurable goals, but also economic and game-theoretic techniques that deal with dynamic systems, incomplete information and other forms of uncertainty, and interactions between rational self-optimizing agents.