Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Internet Engineering Task Force / 102 / 17 Jul 2018
Internet Engineering Task Force / 102 / 17 Jul 2018
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: IETF102-RTGAREA-20180717-1330

Description

RTGAREA meeting session at IETF102
2018/07/17 1330

https://datatracker.ietf.org/meeting/102/proceedings/

A

It's.

A

I'm.

B

So much fun.

B

So, in keeping up with the last year in Canada, we're going to say everything in English and in French.

C

What.

B

Did.

C

You say just say:.

B

Whatever does better, oh.

C

Yeah to stay at the hotel, raise your hand. If you don't understand me: okay, we have consensus to switch in English, so welcome to all of you. That's the routing area, open meeting about it this night.

C

So what's that?

C

Okay, so that's the note! Well, if you haven't read it, please do read it before speaking in that room and I'll pass to you around.

B

Sure, okay you're not gonna. Well, we also have a list of other resources. Yeah next slide. Please.

B

Please please please review documents.

A

Your.

B

Documents other people documents anything you want to review, please review, and also, please, you know some feedback on how you think we're doing as these good to me back and I say that, because you're gonna give that review about me, so you have to them and tell me all the good things that they're doing, because I know they're doing a good job about how we're doing how the area is doing other things that you think we need to to do in the area or how do we restructure different things?

B

You'll notice that our agenda is slightly different from what we've always had in the routing area, meaning this one is a very special because we have our several presentations. We don't have for the first time in probably many many many years, a review of all the working groups we do have. However, thank you.

B

There was a group chair who was clapping yeah. We do have for the enjoyment of everyone, the wiki, so that you can still go look at the wiki. It won't probably finished start by the other week with updates on the different working groups. So, instead of everyone getting up and reading what the wiki says, we figured that we would use the time better and actually have discussions about other things in in the routing area. Maybe so that's what the agenda reflects here.

B

We have four different presentations today that we want to to share this with you guys. Ross Cohen is here. He came out of retirement just to be here with all of you.

B

Yeah that deserves a hand, because you know not not. Anyone comes out of retirement just to be with you guys, then everyone's going to talk about others don'ts for a few minutes and then we're going to have the to a NRP, advanced or applied networking research. Price winners do the presentation here.

B

We believe that there is some relationship with routing in both of them. One is a lot more obvious than the other one, the first one I, which talk about running attacks on cyber currencies and then we're going to have panelists talk about skill or bus identity in vehicular networks, early communications. We have a.

D

Special circumstance.

B

Here, Pano's and Maria are probably running a little bit late, so they should be here by the time we get to their presentations.

B

Anyone want to change the agenda just so you know the only change will be accepting is to put back the working good reviews in the agenda and ready for the wiki. No, no are you sure, okay good, so the areas that is nothing or not a lot has changed. We managed to reach Artur when working good when the Martin is working. We were charter Babel with a minor change weeks ago, and we did close. One work helps to be extensions.

B

This is what the this looks really big. This is what the education.

E

Looks.

B

Like apparently I'm the only one doing any work, so let me know how about doing or how about I suck the other workers are not listed here.

E

Well,.

B

Okay, so.

B

That's it yes, so this is what the karate gear is. Gonna look like next time.

B

Okay, so unless anyone has any any things, you wanna bring up right now about the agenda, we're going to get Russ Russ to come up here and talk about history lists.

F

I am tall, so I will try to I, don't know if I can make this taller or not. I can aha, so we're owners up here. Next, we'll have to deal with the fact that I set this for a tall person, so I sure had a hobby back when I used to work for a living of keeping track of ways that whole networks can go down at once.

F

It's obviously involving multi-party interactions are sort of unfortunate, the great great fun hobby and after I retired I, intended to write that down and eventually realized I wasn't ever going to get around to it and then notice that you guys were having an IETF not that far from where I live and so I thought oh well, I'll volunteer to give a talk, and they said oh yeah we'd like you to give the talk so there's like over here and I'm gonna action, actually I'm going to need to make slides, so I did and John Scudder helped me with some of the slides, he's gonna get up and talk about the BGP stuff and because that's more his expertise than mine.

F

Now, let's see how I figure, how to make this thing work. Well me that button, what do I.

F

Know.

F

Okay, so I've been some major issues with entire networks going down some interesting things way back in the 1970s and 1980s and maybe even 1990s. We did not always know exactly what we were doing. Some of this stuff was very new to us.

F

And so some certain interesting things happened since then, every now and then you know back when I used to go to IETF meetings. My last ITTF meeting was two years ago in Berlin and then I retired, to mix after that.

F

So back when I went to ITF meetings every now and then we would see somebody bringing in an idea that looked like some of the things we did wrong in the past and old people with gray beards and I'd say no, don't do that I'm a little concerned that some of us old people with graveyards are getting old and we're not gonna be around forever, and some of us aren't around anymore at all. So, except for this one talk so I figured. It would be a good idea to write this down.

F

I, never managed to rated as an RFC. So let's I figured I'd, at least in this light. I've tried the in these slides to be completely vendor-neutral.

F

Generally, you know the best stuff that was out there got deployed, so the stuff that did not fail. This way did not fail because it was even worse, not because it was better, and you know we've all done this. If I had named vendors, there would be something like six or seven of them. That would be named in this talk alone, and that's not counting.

F

You know other failures, so I I wanted to be neutral, so I have not considered any issues with proprietary protocols, part because I couldn't do that and be neutral, and also because I had enough to keep meself or the talk busy just with standard stuff next line, so we're just going to jump into one particular thing and then we'll jump into another thing, and so on back in the 1970s, the ARPANET used a distance vector routing protocol and then in the late 1970s they came up with something called the new ARPANET routing protocol, which was a link state routing protocol.

F

It used a 3-bit sequence number space, because back in the 1970s networks were pretty slow right, I think there might have been 56 K links if that tying the ARPANET together. When the three that sequence number space, you were going to run off the end of it eventually, so it was a circular space. So when you got to the end, you went back to the beginning and since it's a circular space, whether a is greater than B or B is greater than a it depends on which way around the circle is shorter.

F

A single arpanet switch I'm sure that more than one crash, but one in particular example that was interesting was one of them crashed sometime in the early 1980s and when it came back up, it thought oh well, these messages in my queue, somebody's going to want to see them. So, let's forward them on so it did forward them on, and one of the messages in its queue happened to be a routing update, which was exactly halfway around the circular sequence space from the current update and this occurred.

F

While an update was in progress, so the three sequence number is ABC right: a came out, bigger than B and B was bigger than C, but C was bigger than a going around the circular space, which meant that update a replaced, update, B and then update, be replaced, update, C and then update. C replaced update a so next slide.

F

Three routing updates changed each other around the ARPANET as fast as switches could send them to each other for hours.

F

What eventually, fortunately, back in those days, the telephone system was not running over the Internet, and so you could call people on your phone from you know: Cambridge Massachusetts, to some place out in South in California and say please walk up to your ARPANET switch and turn it off, and so somebody had to actually physically walk up to all, except two of the packet switches in the ARPANET and turn it off when they were all turned off except two now there was only two updates that something thought was the most recent and so of the two one of them took precedent, and so very soon there was only one update that, oh you know, but both.

D

Of this, which is that we're.

F

Still up that was supposed current, and so now everybody could go manually to all of the switches in the ARPANET and turn them all back on again.

F

This was a little bit unpleasant back in the 1980s, but it wasn't that catastrophic, because you know the ARPANET failure wasn't catastrophic today, if you had hundreds or even thousands of routers in a network, this could be quite unpleasant. Next line will get a different problem back in the early.

F

This is sometime around 92 or 93 I think there was a network that was stable and working well and had a fairly modest number of routers that were basically as big as you could buy back then in the core, and it had a whole bunch of edge routers as stubs, and it was working well and the customer was quite happy, but the customer thought well I care about reliability. So, let's multi-home the stubs next slide.

F

So they did that and immediately the network completely collapsed. So what happened? What happened was on the next slide, some router, some that liked that core router in the middle had a link-state advertisements send out so send it to all its neighbors, including all of the stubs. All of the neighbors thought all my other neighbors are going to want to see this update, so they all forward it on to so they all arrived at once at another core router. It turned out I. Remember at the time people complaining that Dijkstra was so slow.

F

No, no Dijkstra wasn't really the problem. People just thought it was once they actually started. Looking hard at the code and instrumenting it they discovered. The problem was simply getting the same length state advertisement, 20 30 40 times all at once was too much for their little processors at the time and it caused them to crash in various ways up until seeing this happen in the network, nobody predicted that this is going to be a problem, but then we saw a problem and networks failed and we fixed it a.

F

Similar problem can occur with IP over ATM, where you have I did not I got lazy because I'm writing the slide. One of the last ones I did before sending the slides in and I didn't draw the ATM switches in the middle. But if you have a bunch of hours all attached to an ATM cloud and you have bunch of ATM switches in the middle or frame relay switches in the middle, you.

D

Have full.

F

Mesh between full mesh of links between the routers, the same sort of things can happen, and so mesh groups got out of to deal with that next slide.

F

There's another problem that I notice and this I was actually pulled down into the lab in 1992 and somebody said, sit there and look at this network would stay stable for quite a while and it just you know, work great and then just randomly by coincidence. Several things would happen at pretty much the same time. Now, in those days back before my hair turned gray, processors were a lot slower than they are now, and the processors were also used to forward packets, in addition to doing the routing protocol stuff.

F

So if you've got several changes that just happen to occur at the same time, the processors could fall behind. So even if one router was sending out hit its loans on time, the next router over might not notice for awhile, simply because it was too busy doing other stuff, and so it might have the timer go off. Saying: I haven't gotten too low in the last. You know 10 seconds before it noticed that it has alone sitting in its queue, and so what happens when that happens? Well, it decides.

F

I haven't, got hellos for a while I'm going to drop the adjacency. What do I do when I drop the adjacency island send out another update. So at the time when the network was too busy, what am I gonna do send more traffic to make it more busy a couple of routers. Do this it's going to cause more in the same or congestion, other processors get collide, get busy, they drop all those.

F

So what I was sort of looking at in the lab in 1992 was an entire network disconnecting at once now another fun thing happened. These things their advertisements were going to be refreshed periodically with a fixed timer. So since the whole network collapses at once, they all come back up at once. It all comes back up and once 20 minutes later, they all decide at the same time they have to refresh their lsas, so they send them all out again, all at the same time, which means it happens again.

F

So since I was encouraged to sit there for like an hour and watch this happen, every 20 minutes, it would happen again know that were disposed down. The hole that comes back up, works, 5, 20 minutes, then whole thing goes down and the whole thing comes back up. This was considered not a good thing. Then this way fun, though much more fun than you know, watching TV.

F

Well, it means every 20 minutes. It was more fun some solution. You optimize the hello there, the protocol processing, you prioritize the hello, so you deal with them first, because you never want to drop in adjacency. If you Jason sees really there, you ran the mines, the timer, so that if everybody goes down and up at once, they don't all 20 minutes later get panicky. At the same time, this will seem to be known to me in 92 or 93, because it was 92 I watched.

F

This all happened in 93 I watched it all get fixed, but about a year later there was an ATM network, a pretty big one, well-known service provider that you've all heard of on a big ATM network and a couple I know: love was 2 or 3, but a small number of links went down that happened to partition the entire ATM network and the link stayed down long enough for all of the link state advertisements on each side of the partition to get completely refreshed. While the network was partitioned.

F

This was an ATM network that was using OSPF as its routing protocol. So at some point one of those partitions healed right or got you know. Somebody went out there and reconnected the wire, and then the link came back up again and so the switch on each side. Of that we connected link. You know they they've run. You know the database sync and they each decide.

F

Okay, the guy on the other ends, gonna, want to know about the entire database that I have so both switches at each end of the link that came back up, send its entire database to the other side. What happened? Well, every single CPU in the entire network congested dropped, the loans, every link in the entire network went down, and then they came back up again to the credit of whoever wrote the software. They did randomize their timers, and so it did not repeat every 20 minutes for the rest of all time.

F

It only happened once, but it was still not much fun for a very big service provider somewhere.

F

This was supposed to be a bill, but apparently bills aren't working, which is probably going to be more of an issue for John than me.

F

Denial service attacks, I guess you know we're all familiar with that. Some attacker manages to get software onto many many hosts throughout the network and they all send traffic to the same place overwhelming a victim congesting links next slide. There was a funny example of this that happened in 2003.

F

If we get to the next slide, Odessa try again, you might have to do it one more time, because I think since I had to build with three things that it showed me the same picture three times: it's not exactly what you would have wanted, but it's good enough for government work. Okay, so in January 2003 there was the slammer world right. It was a worm that was created that just propagated itself very rapidly.

F

On average, it doubled every eight seconds so from until you notice it's there until it's causing a horrible problem is not very long. It decide and what IP address to attack by just picking an address at random and trying to attack it, and if it succeeded, I succeeded and if not, it would pick a different address at random and try to attack it of all of the addresses that it picked at random.

F

Some of them were the address of a router, so not only when other routers not aware of any routers that actually got infected by the slammer worm because they had fairly special software, but they certainly got a lot of traffic sent to them. So what happened in 2003? Well, the routers drop their hellos in some cases and drop their adjacencies and the network's disconnect. So apparently,.

D

Not.

F

Everything that was learned back in the 1990's was actually completely totally learned. However, I don't know whether this was caused by link ingestion or by CPU congestion. There's, you know, slammer really hit the internet very, very hard, and so exactly almost everything got overwhelmed at the time. The other fun thing is there were some routers that were getting so much traffic that they won't respond to the management plane.

F

So you could go to the console at the router and type in commands and nothing would happen so I know of cases where people actually had to physically disconnect all of the interfaces on the router type in the command to filter and discard all of the packets that are causing the attack and then reattach.

F

The physical interfaces to the router again as time goes on actually physically going to every router is not really a lot of fun nowadays, as you drive down the highway and see lots of little black boxes up on the electrical telephone lines and some of those are routers I, don't really think they have consoles attached.

F

They right. This is a fun problem. Next, so the same pretty much solution, but it had to be done with river board here, oh yeah, this is a fun one. The I dunno, who wrote some of the software involved here nice point out of it is, is and OSPF were designed in the mid-1980s back then again, the CPUs are slower than they are now and again. Some of the CPUs are still in fact, I think on the most part, we're still forwarding packets in the same CPU.

F

Because of this I don't know what funny character showed up there on right, but the original spec tried to minimize the strain on the CPU and optimize the speed of flooding. Given that the CPUs were not super fast back, then so one of the things that the is is spec specifies is first, you check the auto rapper, so you check the checksum yep that passes. That's good. You check the sequence number and the LSP number. Is this a new update? Yes, it is ok, it's a new update flood it out after you flooded it out.

F

Then you look at what's on the inside.

F

These protocols had been implemented for a while is, is was deployed in multiple networks around the world. Most of the large service providers had it running and it was saw letting worked well, no problems at all until the next slide.

F

There happen to be a bad interface somewhere that was thrashing packets. That would just randomly change a few bits and then could forward the packet now most of the time, the checksum would fail right in the back beats where I went away, but one packet managed to get through, because if you randomly change one bit, the checksum will always catch it. But if you randomly change multiple bits, the checksum will catch it with something like one in 65,000 or 65 536 or some number up around there that it might get through is ok.

F

One packet happened to get through as ok and the routers looked at the outer wrapper and there was fine. This is the new update, it's legitimate, so you forward it. Then you check the insides. The length field was out of range.

F

Somebody forgot to check that in the software so crash, but you forward the packet before you crashed. So when you come back up, somebody else will be forwarding the packets you before it crashes, so like a whole network, crashed and came back up and crashing what, but there one fun thing was this actually affected? More than one vendor at the same time, I'm not the name any of the vendors involved, because I said I, wouldn't name vendors, but it was. Most of these crashes have been single vendor crashes.

F

This one was a fun one because it was a multi vendor crash.

F

Okay, there's a bunch of counting to infinity with this inspector routing protocols such as rip I could have done more slides on it, but I thought you guys probably mostly know the problem and also you know, there's a limit to how long I want to talk here, and there was a many slides I wanted to gather so I just put together a couple of slides.

F

Basically right, you have a destination, a the router, the one hop away, says: I'm, one half away from a and the next router says I'm too hot. So a and the next router say on three hops away. You don't save this back to the guy you're, getting it from, because that's the way your one hopper to hops and three hops drove. So you say it in other directions. However, these packets are sent out. You know with some time delay involved right.

F

So exactly when any one router notices that they've got this, it might be a you know uh a few seconds. It might be a few more seconds or a few less seconds. It can vary a little bit. So if a goes away at some point and that first router says I can't get there anymore, the next router says I can't get there anymore, but that router sent out of things hang on two hops away and then it says something: I can't get there anymore.

F

The next router over has those last two routers have been hearing from each other that they can get there at three hops. They think they have a three hop way to get there in addition to the two halfway right, so we're really it be yeah. So when a goes away, those routers on the right think that they can get there by each other by three hearts. So when they hear they can't get there from the guy in the middle, the two hops they might say back to that guy.

F

Well, that's, okay, I can get there and it's four hops. However, there's going to be a timing issue as to when does one say that and when does the other hearing, so if we go to the next slide, this is just one possible thing that might happen is that guy at the bottom has just heard from the guy up on the upper right. I can get their three hops, so he thinks oh well, I just heard from the guy in the middle that he can't get there anymore.

F

So I'll tell him that I can get there as four hops sometime. The guy in the middle is heard that so he'll say to the guy over on the right. Well, I can't get so the guy on there on the upper right says to the guy in the bottom: I can get. There are six hops uses. You count up to infinity one hop at a time. What gets around this by the ludley approach of setting infinity to a fairly small number, so you'll actually get there. I think it's 15 is infinity and either.

D

15 or 16.

F

Is infinity yeah, it's 15, okay, great fun. However, it turns out in the early NSFNET they found a way to make this more fun.

F

For now we're going to get into I, don't know why the slides have gone to tiny, tiny little font. Now my apologies. What I sent in was not tiny font, although I will admit that it was a more recent slug for delay. Based routing is something that's been tried, a bunch of times with a bunch of fun things there's been multiple. Actually all of the bullets and sub bullets have been lost to on this slide very interesting.

F

It's only appropriate that, for this particular talk, something would go wrong on the slides, so they've been interesting experiments with routing based on real time QE one example was in the early NSFNET.

F

This is before, or IBM got involved. It was back when it was a university professor and probably a few grad students, or maybe even undergrad, students, I'm, not sure there might be somebody in this room who could tell me, but there was a friendly professor who was building the routers for the very first version of the NSFNET, and they were called fuzz balls and they worked. That's just serve their nickname and they had a real time delay plate based protocol which actually with measuring queuing delays in the router.

F

So it would add its queuing delays to what it was hearing from its neighbor with a distant sector of outing in the core of the NSFNET. So because this was hearing relays up and down and up and down right. If, if you have a particular path, that's not congested at all, you'll have very small delays. It will have very small metrics.

F

Everybody will think that's a great way to go so a whole bunch of traffic will decide to go that way, so how to put the delay way up and they never got inside to go a different way and sort of oscillate back and forth. Now. This was what was going on at the core of the first NSFNET outside of that they were running rip. So how do you go from rip to the hello protocol in the middle?

F

You have mapping tables where you know a rip value of two will get mapped to a delay of this and of X, and a value of three would get mapped of slightly larger delay and so on. Then you go across the core and on the other side it was mapped back into RIP and it was done so if you know if a particular rip value of let's say three got mapped to a particular delay.

F

When you got to the other side, it was guaranteed to be mapped to at least four right, but the problem is you had this delayed based protocol in the core that was flapping all over the place and that was getting mapped into rip values pop counts, which were flapping all over the place. So you take that counting to infinity behavior that I just mentioned, and you feed it with highly dynamic, jumping up and down metric values that you're feeding into rip all around the edges. The early NSFNET was not the greatest success.

F

Fortunately, they got replaced of something better. I do remember. One point: I was at a meeting at the National Center for Atmospheric Research in Colorado.

D

And.

F

I Telenet it back to my home computer in Cambridge, Massachusetts and typed in their log in and did a couple of things and then it froze and I couldn't do anything. I couldn't log out I couldn't stop the session. I couldn't do anything at all. 45 minutes later came back and I was still logged into this computer on the other side of the country.

F

Of course, the first thing I did was log out right, it's I could have walked away and a student could have Marge walked up and being logged into my computer, so that was great fun there's been another I mean there's all kinds of fun things that have happened with the latest routing. Another version that was fun was again in the mid to late 1980s this. What they called the new ARPANET routing protocol decided to use delay byte heavily dampened.

F

So the metrics were a combination of hop count and delay with the contribution of delay being very, very small, so it was mostly hop count with a little bit of delay so between equal cost paths. You take the less congested way. The problem is, then, the network started getting congested and it was a linear combination of hop count in doing so, as the delays went up to 10 times as big all of a sudden, it turned into what was essentially a scrape delay based routing became wildly operating.

F

You know, routing started oscillating rather wildly causing the network to not work very well and, of course, they had to go and update the software and change the way they're doing metrics next.

F

Non deterministic routing this is about BGP and John I'm, afraid your slides have been slightly mutilated, but you'll get to talk to them. Anyways.

G

Yeah so fortunately I guess. This is fortunate when Ross asked me to come up with some PGP examples. I couldn't think of as many that fall into the kind of Halden catch fire category as he came up with in the earlier slide set, but there's still a some interesting history behind BGP. So one thing that I thought was kind of interesting is that we, as probably a four I, won't repeat this, because it's generally true, but as a lot of you know some of you may not. We currently are routing the internet using a protocol.

G

That's neither deterministic nor even formally correct, but it still works anyway, um mostly so so one of the ones that I thought was really cool when I first had it explained to me by tim Griffin was this thing called BGP wedgies, which is a great thing and there's an RFC about it and if you've never heard of these things before I recommend it as entertaining reading to keep you awake at night or give you nightmares.

G

But basically the you know, sort of the the outline is that you bgp, if you hang out in the bgp community at all, you keep hearing things like it's a local matter or that's policy and policy is local, local, but forwarding is global and that leads to interesting consequences. Next slide, please, let's see what happens now.

G

Okay, we at least get to see the picture. We don't get to see the build. You can see the whole bill that at once, I guess so. I normally discourage my authors from doing builds, um but I really need believe there, like there's at least that much work.

G

Alright, so we'll try to do it this way, I guess basically at the set up. This is a relatively simple version of it is that you know this guy down here. The customer has a link that they only ever want to use for backup their policy is they want to receive all of their traffic? This way, you know, even if it's coming the long way around, because you know maybe things were all really high bandwidth links and that's really a little bandwidth, they're really expensive or you know whatever.

G

Who cares so they implement this policy using a community? You can community that they send on the route in this direction and that community has the semantics they're locally defined semantics telling this provider. You know what, if you have a backup route available, please follow that one instead of the one I'm sending you so when you set the topology up, it's all good traffic goes boom boom boom as desired. So now, let's see we fail this link.

G

What happens then routing does what we hope it would do, and traffic goes this way and the you know that backup link that customer see has expensively provisioned actually does its work. The interesting thing that happens is when that link comes back up because of the way the GP operates.

G

Well, there, let's see how's this work.

G

Yeah. Do you end up with traffic following that set of routes? Instead, because you have the property that you already have a route that is coming this way, which is suppressing advertisement of a route in the reverse direction, which means that in particular, this a s never gets to here about this route and therefore never stops using that route.

G

It would have made more sense with the bill if you find yourself interested in this, and that was clear as mud I refer you to the RFC, which is really a pretty good exposition, but the interesting takeaway, actually in a branch of Dean's upcoming slides, is that very simple protocols with very simple behaviors can have complicated, emergent behaviors when you put a few different features together next slide, please.

G

Right so we're going through the whole book now I hope you enjoy it. I worked hard on it.

G

It's off to entertain you well we're going on a.

E

Lot.

G

Of slides in the bill.

C

Maybe I couldn't.

G

Grab my laptop and stand up with it. Okay, here we go yeah. These Chromebooks are awesome, so yeah, you guys can even read these.

G

So so the description for that kind of you know weird behavior, where you can flip from one stable behavior. They have an have a transition and then transition back into a completely different, stable behavior is multi stable. So, interestingly enough, if once you throw the the popular bgp multi exit discriminator attribute into the mix, BGP is not even a multi stable, it's just not stable and well how the heck did that happen? You know: were the designers of BGP I'm not paying attention well, who knows, but.

G

Basically, the the you know and again there are RF scenes you can go and read. If you're not aware of this phenomenon, you find it interesting, but pretty much. What happened? What causes the behavior is the BGP route selection process assumes. There's. You know you can find a total ordering over all of the routes.

G

There's this cool attribute called multi exit discriminator. It only gives a partial ordering, because only certain routes are comparable having to be with you know, only routes from a given neighbor a s can be compared between themselves. That's all fine!

G

So far as long as you deploy the protocol as it was originally designed, which is with flat I BGP, meaning that every router in an AAS talks to every other router in the AAS, and they all know each other's routes, it turned out that that BGP did not scale or deploy well to large a essence that way. So we invented several things, including rail reflectors route, reflectors, new data hiding data, hiding works great. If you have total ordering, we don't have total ordering.

G

So you can, you know as easily as he like, build a persistently oscillating topology.

G

What's worse is so, of course, we did not realize at the time that you know it took probably a few years. You know, and it kind of like Roz was saying where he had to sit, and you know force not to leave his chair for twenty minutes and said. Oh, you know, I had a similar experience with this thing. It's not completely clear that you know, even if the working group had been presented with this problem, you know the moment we realize.

G

These were proposed, it.

D

Doesn't clear that anything.

G

Different would have happened because there's a compelling business routing need for multi exit discriminators. Well, the compelling business need for route, reflectors they're, both pretty easy, and once you know about the you can kind of work around it and nobody.

D

Was willing, you know, even after.

G

We realized it was a problem to give up either one of those toys, so we have this situation which continues to obtain to this day next slide. Please, oh.

G

And here we go, this is the closest I could come to an actual halt and catch fire.

G

Bgp has this? Is a nice extensive, extensible protocol? We have this thing called optional, transitive attributes an optional transitive attribute is data that you know. Basically, it says if you don't understand this data, just treat it as opaque and send it on to the next router. It's okay.

G

So the that that's very nice in that it allows us to do you know sort of introduce features that can roll out globally without having to have ubiquitous deployment.

G

The problem is that PGP was also designed with fairly draconian error, checking built into it for all the best reasons. It's you know. If your peer sends you data, that's insane, don't you think that your peer might be insane? If your peers in saying don't you think you would prefer to stop routing through that peer? Well, yes, that make good sense.

G

Anybody who cares about protocol correctness can see that it's obviously the right thing to do, especially in a fully incremental protocol as BGP is where you don't have a way of recovering synchronization once you lose it, but Oh, an optional transitive attribute may not have been formatted by your peer. Your peer may not be in this behaving party. The misbehaving party may be a really long way away across the internet. Their attribute may have you know, and you know the PGP basically is behaving like a replication tree. In this case you know one update.

G

It gets replicated replicated replicated fans out across the Internet hits a patch of routers that actually understand the attribute they all look at that. They all say this router, and this attribute is insane. My peer must be insane, and next thing you know you know all the peering z-- between s1 over there and a s2 over there get reset and people become very upset, and, even though this is you know, in certain sense, is less traumatic than a lot of the outages Ross was talking about.

G

It was also more dramatic because the internet was a little further evolved and you know there were things like phone calls going over those links, um so the good news is that we eventually did figure out how to fix this. Basically by saying: oh, that wasn't the right thing to do. We shouldn't reset those sessions. Let's not do that anymore. Next slide. Please.

G

So after having come up with these anecdotes, I try to distill it down into you know some kind of lessons learned where the lessons that ought to be learned, but they probably won't be because you know being human beings. The way we learn from the mistakes of others is by repeating them ourselves.

G

But you know simple protocols: bgp is a really simple protocol underneath all of the stuff, when you assemble them into large systems, can have interesting, complex, emergent, behaviors extensible protocols are one heeds to say, attractive nuisance, but they they invite people to make small extensions and small extensions are cool, but they have or can have surprising consequences when they interact.

G

You know, for example, the example about meed I'm sure it's not the only example that exists, and you know when you, when you invent your extensible protocol to begin with, it's got kind of architectural integrity, but you know when you have. You know people over there who are you know, building one kind of infrastructure on top of your protocol and people over there they're doing something completely different. They both do their little extension. They meet in the middle and nobody knew that was.

D

Going to happen.

G

If you're serving several masters, something's got to give, if I'm you know, if I try to have both protocol correctness and you know serve business reality, sometimes protocol correctness is computed when that fails, and the second last bullet actually is also something that was on one of Ross's, slides right, the where he was talking about flooding before doing your check, data that sometimes opaque and sometimes not opaque, is sometimes problematic.

G

It's sometimes it's kind of a bad word in protocol design, and if you were using it, you should probably think really hard and finally, I I love this. It's not even a paper. It's like a screen that somebody wrote a long time ago describing the worse is better than I'm philosophy and I. If you haven't read it, google, it it's it's it's a fun short rate.

G

Basically it contrasts. You know why did UNIX ran it wasn't because it was technically superior. It was because somebody said yeah well, we'll cover the 80% and then like the 20%, we'll figure it out later it's you know. We know it was the 80/20 world, but yeah you can build a virus very cheaply and get it out into the world and you're. Probably one of the thing you'll have to live with the consequences, which is what we do.

F

I'm going to assume we're running a little low on time right.

H

Okay,.

F

Two slides left: there are other examples: they've been operating errors, signaling system 7 has some famous failure, which I don't know if any of us are an expert on, but it might be fun to compare that to things that we've done wrong. I've heard.

D

Make rumors.

F

Of other people of notice, the whole networks can fail at once. I, don't know what they tend to pick. One of the methods we've already used or if anybody's come up with other additional ways and I did not mention multicast no smiles.

F

What do we do with this information? I attended an ITF two years ago, approximately this week, roughly in Berlin, two weeks after that, I retired and I thought I've got lots of time off. I'm gonna write this all up and get an internet draft and send it off. Well, it's I, like being retired too much, and so I figured out.

F

That was not going to happen and I've been feeling guilty for two years in a row for Amy I discovered you guys are visiting something not that far away from my neck of the woods, I'm unwritten aliy from somewhere pretty close to here and still live close enough. That you know, one daughter is only a two-hour drive from here. So it gave me an excuse to have lunch with her and drive up and see you guys and then once they agreed to have me, give the talk. I actually had to do the slides.

F

Somebody once said that those who cannot remember the past are condemned to repeat it. I heard it as an old saying, I googled, that a few weeks ago, and it was alleged that it was said by somebody in particular who I never heard of, but I do think that it's true right I mean if you don't learn from what we did wrong before you're likely to do it again, and the old guys are getting old and getting brain going off other fun stuff.

F

The Internet today is a whole lot more valuable than it used to be. If we took down the whole internet next week, people would really not be happy and it would make it on the news, except that nobody would get to see the news because, of course, their TVs.

D

Would all be off, but maybe not about that too.

F

So I'm hoping that somebody will decide this all needs to get written up in more detail, and you know they can bug me to try to come out of retirement long enough to read a write-up and comment on or to even mention some of the other people that I colluded with in putting these slides together, but just mostly I'm hoping. This is helpful to guys.

I

Okay, anybody have any questions, no questions, Hey, thank you Ron and done.

I

Okay, the next went on just a quick, because I already did it in them to us this morning, so many have seen it and it's just it's mostly just it's a list of references for folks that are doing drafts.

I

It's you know seeing that a lot of that recently on documents, not just in the rounding area but other areas, that as they go through the different we review reviewers. We know there's a long chain that there's a lot of knits picked up and you can't expect that others find especially technical errors, let alone editorial so make sure you double-check your document and don't expect Dianna to clean up your ana section. They only process so make sure it's clear, don't hesitate to ask for help. You know, especially as you're.

I

You know, share chairs document, Shepards eighties. You know just ask ask for help, you know, don't let things sit and then the big one right now is that if you're an author and your documents going through the publication process, don't think you can just go to sleep after the working group last call there's much more to be done. You've got to be responsive as all these other reviewers come through with comments, because often some more comments simply well.

I

Why did you decide this I think you could have better have done that and only the authors really know the history, especially the early days of the document, and why those choices remain dues read your document, make sure you have double-checked ik, because softened sections and figures have changed and where they are see. If it's it's been.

I

I'm sure one of them, the authors, will always be available. It doesn't have to be the same one but for mutation, but make sure somebody's available to update the document.

I

There was a educational alarm tutorial, the this last time in March on what makes a good internet draft. It was by our own Adrienne and Spencer. It has very good information, so I didn't put it all here, because it's it's a lot of information, so you should look at it and look at it twice.

I

There's a RFC style guide which y'all should be familiar with and something else that's been coming up is there's make sure you have that you check your abbreviations acronyms on first use, you're supposed to have them spelled out and you may think they're very common. Why do you have to spell it out? But that's not necessarily true that there's a list and there's only a few actually then have an asterisk that don't require expansion, so the best is to be on the safe side, expand everything and something that just came up in their debt.

I

Networking group make sure you do the reverse every we all love our acronyms and abbreviations, make sure when you come up with what you think is a new one check this list, because you may be surprised it's already in use, and it's not a good idea to to come up with your own that duplicates or triplicate something else. Okay, it's I mean they came up when it was unbelievable, they had one song CPE and they didn't catch it and, like we said, wait a minute.

I

You can't use CPE as an acronym for what you think from something controller, a platform some entity or something like that. So, okay, so make sure you check in this list check it twice ensure and then y'all should know that, there's not only you reference 2119, you need to reference 8174. So this is the phrase you should be putting in your documents and in the routing area we've been pulled on a couple of times. General reviews and stuff will come up with this.

I

They love there's something to come up with on our documents and there's a lot of our documents going through that we don't use the newest phrase here so make sure you use it make sure you put something in your security consideration section, and we all know this one. You know we can put any no, nothing new, no worries, but the security Directorate won't go by that make sure you put something then to say well.

I

Why is there not nothing just but more than two sentences, and it might save you a lot of trouble because and then also for management considerations.

I

They click that you put some thought into it and then another one that can't come out on one of our documents but in another area, make sure you're using a neutral point of view, and if you go to Wikipedia there, graz of tutorials on it and suggestions and make sure you're checking you know focusing on technical language versus marketing. You don't have to your document has got it's now working group document. It's going all the way to the publication process.

I

You don't have to rationalize and bash, you know other IETF technologies or why your document is the most important thing on earth and you should go forward. You know so make sure you, during neutral language, focusing on technical and, of course, make sure you do your ID myths and that's it so. Okay, so most important is ask for help. Just ask for help.

B

So as some years now, the IRT F together something called the A&R P every year, the applied networking research price and regularly. There are winners of that prize that have research that is related to radicals. So we have in writing the tune that were awarded price this time to come talk here in the routing area, meaning Maria is going to come and talk to you from ETH in Zurich. She has a presentation about hijacking Bitcoin how to use rallying to do that.

I

So both of these talks- I- am they want 45 minutes and because we didn't want them to do a lot of work, they promised to shorten it, so they would just like skip through it. And of course, if you have any questions, you can follow up with them, but the full presentations are online.

J

So hello, everyone, my name, is Maria pasta-like and I'm. A PhD student at EPA's I would like to thank you for welcoming in this meeting and inviting me to talk here so I will present our work on routing attacks in Bitcoin. This is joint work with my adviser, LaRon van beaver and evade so hard means also, professor at the Hebrew University routing attacks. Quite often, this is.

J

Routing attacks quite often make the news you will have probably heard about this Russian ISP that hijack large chunks of Internet traffic destined to MasterCard, Visa and other financial services, or about this other Canadian ISP that managed to steal eighty three thousand dollars by hijacking the prefixes of a mining pool and the price just gets higher.

J

Recently there was another able to be hijacked begins my ether wallet that also caused multiple thousands of dollars, but and that's only the tip of the iceberg in routing manipulations, by analyzing six month of b2b advertisements, we actually found that routing attacks happen much more toughening the internet that we could have imagined in the y-axis of us graph. You can see the number of monthly prefix hijacks that we detected in which of the month that you see in the x-axis, as you can see, multiple thousands of hijacks happen every month.

J

Of course, not all of them are malicious. In fact, most of them are miss configurations, but in any case, they happen in the defect internet traffic. Today, the purpose of our work is to shed light on the impact of routing attacks in Bitcoin. Intuitively Bitcoin should be robust against routing attacks right. After all, it's a highly decentralized network of nodes that are scattered around the globe. They establish random connections and the avenues multihoming and additional really networks interconnect.

J

Unlike intuition, though, bitcoin is highly centralized to involve in mining and the routing hit point in this graph, you can see the cumulative percentage of mining power as a function of the number of networks host engine. You can.

D

Imagine mining.

J

Power as computational power that is used and is dedicated to Bitcoin such that it works and networks are simple, a space I space. So clearly you can see that my new power is very centralized. For example, only three myspace hosts 68% of mining power, and it's not only about the mining power in this graph you'll see the cumulative percentage of Bitcoin clients as a function of the network's hosting them again.

J

You'll see that there are centralized, for example, 30 myspace hosts 30 % of the different clients and understand how rare this is to run a Bitcoin client. He don't need much like you, don't need much CPU need, don't need specialized hard work, so it will be counter intuitive. Finally, if we look at the cumulative respect percentage of connections as a function of the transit network, intercepting it we didn't see that traffic is very centralized.

J

For example, in this case we see that 3 ISPs intercept 63% of the Bitcoin traffic because of the centralization there are actually 2 attacks that are, in fact, practical and effective. Today, the partition attack in which the attacker tries to split the network into half and the Dini attack in which the attacker relays the block propagation, the partition attack, is very visible, as the attacker needs to hijack traffic. First, however, it is very effective even against the Bitcoin network as a whole.

J

The daily attack is completely invisible, as the attacker will only act on traffic she naturally intercepts. However, it's only effective against targeted nodes.

J

So that's the outline of my talk. I'll first give you some background information and then I'll talk about each of the two attacks in detail. I'll finish the talk with countermeasures, including some of our follow-up work. So, let's turn to the background. Bitcoin is a distributed network of nodes that establish random connections. Each of the Bitcoin clients keeps a ledger of phone transactions ever done in Bitcoin. This we call the blockchain and the blockchain is just a chain of blocks that contain transactions.

J

This same is extended by miners and use a lot of computational power through this, so they're compensated for their effort with block rewards bitcoins is mining is a very risky process. You can mine for years and years and still not get anything out of it. So my understand to collaborate forming my nipples and my nipples need actually become clients to interconnect to the actual Bitcoin network. This special friends we call gateways and oftentimes mining phones have multiple of them.

J

That can be also hosted in different networks if there are hosted indefinitely to receive at the mining Pole our multi-home, for example. This great food is two gateways not in and not see, and it is multi home because these nodes are hosted in different networks.

J

Bit calm traffic travels around the internet and the Internet, as we know, R is composed of all VA yeses and BGP is responsible for computing. The forwarding path across them. The interesting part here is that all the Bitcoin traffic is unencrypted and it doesn't have any integrity guarantee. That means that anything else in the forwarding path can actually instruct drop, delay or even modify.

J

The messages know that, even if the contradict was encrypted, an attacker in various paths would still be able to drop this traffic I'll note to you about the first out of the two attacks that we can see the remote work, so the partition attack in the partition attack. The goal of the attacker is to split the network into two components such that no information can be exchanged between them.

J

If I had to explain you why this is worrying for Bitcoin with one sending I would say that bitcoin is a consensus protocol and preventing the Bitcoin clients were talking to each other, makes them not be able to get to consensus, but in a more precise way, a partition attack is an effective denial of service attack, as transactions cannot be propagated from one component to the other. It can cause revenue loss as all blocks that are mined within one of the two components.

J

The one with a loose mining power will be eventually discarded and by discarding I mean that the miners that they have raised their computational power to find these blocks do not get anywhere in the back. Finally, a traditional attack can basically allows double spending, so I can use my same bitcoins to buy goats in both of the two components, so rather I hope I have persuaded.

J

This is bad I'll tell you how this works. So imagine we have. This is topology. This Bitcoin would work and he is in the middle wants to partition the network as denoted by the red lining, so intuitively. What the attacker would do is that she would attract on traffic destined to known in the right and she would drop the connections crossing. The partition don't understand little bit better. How this is done. We'll focus on node equity degree know that the right end of this life, so I, don't get that like now.

J

I want to explain how this will happen, but I understand that this might be boring for most of you, so I'll try to do it as quickly as possible. So no there is nice IP and in year six is responsible for advertising the prefix for creating ability, prefix that covers the IP. So this advertisement will be propagated any espen areas until all of them knows how to reach any six. So, for example, in this one will reach any six-by-eight cell now.

J

The problem is that the TP doesn't take the validity of advertisement as like folks know, and such any years in the internet can actually advertise any prefix. Now, let's assume that the attacker actually advertised the critics that covers the idea of the green node and it's in fact a longer prefix done with benign advertisement. That means that and because routers would always choose the more specific prefix they will all choose.

J

The attackers of the heisman versus the benign not exactly effective, will gain access to the traffic that is going to be flowing at the kono death and that's exactly what the attacker will do to attract all traffic destined to note in a live notes in the right see will hijack the prefixes pertaining to notes in the right, so you will drop the connection crossing the partition and boom. The partition is created.

J

Of course, creating a partition is not as trivial as I described, in fact, neural partitions that are infeasible to be creative, because their connections that the attacker is not able to cut.

J

There are three types of such connections: corrections within an ax connections within a my nipple and fry the connections between my nipples, so connections within an agency. They don't use BGP, so the attacker cannot hijack those for for the other two types. The reason why the attacker cannot do it is that she might not know the exact topology of of the mining pool or she might be unaware of a private connection. So she might not know its exact prefixes to advertise person might not be able to distinguish the traffic that is exchanged because of this.

J

But even in this case the attacker can understand that the partition she is trying to create is infeasible to be created and we stayed create a Facebook.

J

So to give you an intuition, is the same. Attacker wants to create this partition. What she will do is that single, again Heydrich- and we also assume that there is this phone in the highest apology. And what we talked about during this case is that she will hijack all nodes in the light. So she will hijack the prefixes of all notes pertaining in the notes in the right.

J

So you will drop the connection crossing the partition and the partition is created, but it's not effective, and that's because there is this connection with the sanction is not connection that crosses the partition. So in fact the partition was infeasible to be creative, because there is no way for the attacker to know the exact folds of truth and being able to cap with connection. But in this case what the attacker can do is actually monitor the connections that she already hijacked and notice that there is information leakage between the two components. For example.

J

It might be that the block that is mined by the black nodes is advertised by knowledge by via longer binding Orangemen, and she can even understand that the stealth connection is in OB, for example, in this case, because that's the first note that will advertise it knock that should not be in this component once he understands that she can change slightly the partition she wants to create in a similar infeasible one, the paper. We actually prove that if the attacker produce is algorithm, then she can always find the maximum.

J

The maximum feasible subset of nodes see initially wanted to isolate.

J

So we evaluated our partition apart in terms of practicality and times business, to evaluate their attack in terms of practicality, we have to first infer the Bitcoin topology, which we implemented with browsing information, and using this we thank found out that the attacker is able to split the network into half, which is the worst case scenario forbid crawling by hijacking 100, prefixes and 100. Prefixes is recognizable compared to the Hydra happen immediately orphan.

J

As an illustration in this graph, you can see in the y-axis the maximum number of prefixes that were hijacked at once in each of the months that are shown in the x-axis. So you can see that hijacks of one thousand three fixes, which is one order of magnitude more than where the attacker would actually read happen, often happened every month. We also evaluate with our attack in terms of Phi matrices, and to do that we actually had to run with the attack in the wild, so we attack their own notes using the following setup.

J

So we had a bunch of nodes, a DTS. They were connected to the live with for network and we were advertising their prefix by a vigil appear in Amsterdam. As that all traffic destined to our nodes was routed by Amsterdam, then we attacked our notes by hijacking their prefix via Crennel, and then we measure the time then takes for all the traffic to be redirected by the attackers network. The prime, this time that we measure is from this time we can infer how much time it will take for the attacker to create a partition.

J

So we summarize there are results in this graph, where you can see the cumulative percentage of connections that were intercepted by the attacker as a function of the time listed. You can see that it will be linked to the attacker less than 100 seconds to intercept all traffic, so that might mean that it will take for an attacker less than 100 seconds to create the partition.

J

On the other hand, it will actually take couple of hours for the high drug to me to be mitigated and that's because it's a human driven process, for example, they took Guru couple of hours to mitigate the Pakistan, Hydra and I'm sure that most of you would have some experience with put something related.

J

We also evaluated how much time it will take for the two components to the game from Katti batti after the hijack has been mitigated, and we found that the Bitcoin network has some natural term that were enabling to regain connectivity in seconds and if you won't be loosely connected, that the performance will be loosely connected, but still it will be able to reach consensus, which is the most important thing and I will not talk about daily attacks.

J

So the second type of attacks that we consider in our work, the purpose of daily attacks, is to keep the victim uninformed of the latest mind block the reason why these attacks are worrying depends on the actual victim that is deprive this information and allenford nation is susceptible to double. Spending cuts and on foreign mining pool is destined to line to waste its running power on something that is destined to be discarded, while learning from regular node is not able to contribute to the peer-to-peer network.

J

So, let's see how this works in this knife, you can see three Bitcoin clients notes a and B are connected to the victim and have an attacker that intercepts the connections from node a to the victim. Now a new block is mined in the Bitcoin network and notes a and B learn about this new block and advertise it to the victim. Using an inventory list. The victim will really request the block from the first Bitcoin client that advertised it so in this case from node a using the get data message.

J

Now, if the attacker wants to prevent note a from getting this block, so you can either drop the keep data messages or drop the block itself.

J

However, both of these attack would fail because Bitcoin runs on top of TCP and disappear will abort the connection in this case. What the attacker can do, though, is that she can change the content of the block methods set of the KPA dementia said that a different love is requested in this case now they will happily deliver the old block. The victim will ignore it and will in fact, wait for 20 minutes by default until it request it from another.

J

Bitcoin client and 20 minutes is a huge time interval for Bitcoin, as you have to remember that blocks are mind every approximately 10 minutes. If the tiger stops there, she would have managed to keep the victim and inform for 20 minutes, but after the 20 minutes timeout the victim will actually consider no day as malicious and go disconnect.

J

If the attacker wants to avoid this because she want to stay under the radar or because she wants to keep this connection, what she can do is the reverse operation, so civil chains and navigating the methods of the transaction this time, such that it requests the initial block. If the block is delivered within the 20 minute time out. The attack is completely under the rather and the victim at the connection, scared and the victim stays uninformed for graphical convenience.

J

We have ugly, there are tax in terms of effectiveness and practicality, evaluate the effectiveness of artifact. We actually had to perform it in the run against our own notes. So we host some Bitcoin clients, a tv8 which were connected to the live Bitcoin network, and we had an attacker that were intercepting part of where of of the victims connection configurable percentage of the victims connections.

J

Using this setup, we found that the attacker can keep the victim uninformed for most of its up time and that's correct, even if the attacker intercepts only a fraction of the victims connections to give you an iteration of our findings. If the attacker intercepts roughly 50% of the victims connections, she can keep it uninformed for 63 percent of its app time and and if you think that doesn't often happen, that filmer tell you that almost 70% of the Bitcoin clients would have an ISP that would intercept more than 50% of their connections.

K

Very quickly, appreciation.

J

Question when.

K

The block was modified, did the time staff in the block get modified, or was it just like a transaction ID or black ID.

J

Or when.

K

You said the the green block went to red. That means something in the black header was changed. Yes,.

J

Can.

K

You say what you changed: yeah.

J

So basically they give Danko has this? Has one format with the same for transactions and for blogs, and we need to specify which block we actually are asking for in? This was specify with the hash of the block, if you think the hassle to vlog to something that is no, there has here basically asking for a different look.

J

Yes and you have to recalculate the the texans, but that's it.

K

I I point with the Nexus cryptocurrency, so you go back to there, so there is a little bit of a delay even there in your diagram, which is what ours also. We were talking.

D

About.

K

With you know, but the difference there being when you re sign with your new hash, you still need to create a valid hash. According to your hashing algorithm, which would you need to modify the timestamp right there and you do have it it's slightly different. It's one one unit of time difference but um yeah, that's dunker, just the clarification there when you're modifying the block header to create this kind of attack, which we also just had happen to us, and we found a solution for stuff.

J

Okay, so I will not talk about countermeasures like any countermeasures exists for both of our attacks. For example, we can deal with melee attacks by adopting encryption in Bitcoin, or we can at least include unmarked units. Bitcoin message such that were sure that nobody can modify our messages, at least without the receiver noticing and wizard to be deployed. Countermeasure would be to let a Bitcoin find choose their peers in a more smart way, so more routing, aware manner such that there was no single I speak. That intercept intercept most of its connections.

J

However, dealing with the partition attack is much more challenging. The easiest way to do it is to actually host all Bitcoin clients, 2/24 prefixes.

J

The reason that why this would be an effective countermeasure is because, if the attacker, in this case, the attacker would need to advertise the same prefix advertisement so not a longer one, in which case the two advertisement would be conflicting, and it is said that the attacker would be able to get back 50 percent of the traffic that she would otherwise in yourself if she was advertising again longer and the much better way to deal with the back ins to basically deploy security protocols, and this way would get the way like we can avoid hijacks altogether.

J

However, these are nice solutions, but we're not practical like yes, of course, if we slash if we host all Bitcoin clients as fast on the floor, it would be nice, but we would increase our routing tables and it would be also mean we have acknowledged secure routing protocols, but but we're not there yet, and it might be that we're and and for sure won't be there just will be kind. So our follow-up work is on building and secure channel the rich Bitcoin clients can actually communicate and exchange their blocks.

J

Even if there is an attacker to the network, so even if the Bitcoin network is professional, we have an additional channel that would be able to transfer blocks around and we build this relay networks.

J

What we call Sabre and Sabre is basically a relay mode and I really know they mean a couple of special Bitcoin clients which are connected to each other and also to all other, become friends, and to give you an illustration that looks like this, so we have this Bitcoin, topology and Sabre network could be something like this, so you would have some additional Bitcoin clients that connect to each other and these clients connect to all other regular betw clients in a way that regular Bitcoin clients can talk to each other via the channel, and they don't actually need to always use their direct connection to each other.

J

And I can tell you now what is special about our Sabre only network? What's special about our nodes, so first they are located in the internet in a strategic way such that when you use the chances that an attacker can intercept traffic among the remain nodes or between the relay nodes and the actual, become clients and ii. Think that our nodes are special about is that they have particularly robust design and that because we actually use a hybrid design for them, which is also both for hardware and in software.

J

And for this we use this new programmable hardware like before hardware.

J

Ok, so now, I will sleep some slides, because I don't hit that pattern much time and I will actually go to the end and I will tell you what what I would want people to remember after this talk and that's that deep coin is vulnerable to routing attacks both to the network and to the note level and the potential impact is roaring, because we can cause denial of service attack. They can cause double spending and who knows of revenue.

J

However, we have countermeasures, and one of the flaky the best ones would be to actually with logical routing protocols and an alternative might be our solution with this relay network and release. I want to thank you and I'm happy to take questions.

I

Anyway of questions.

H

Just regarding.

J

Okay, so deploy and soft with hard core design, so we use the software only to validate our blocks and to update the Suites as if it was a class in the Suites. We actually keep the block the latest mind block, and then the suite is responsible to answer to all bitcoin finds that it is connected to now. There are few things about.

J

The suite that are like very important to note first is that this new programmable sweetie they are able to process terabits per seconds of time at line rate, so that means that can keep up with high demand and also with another service attack, and the second thing is that we can deploy defenses in the switch itself. For example, we can be very right list like lists and spoofing detection and detection of amplification attacks, so we can basically deal with the network attacks in the network.

H

So.

J

What I mean by DDoS attack is when so, let's assume we have a quotation of hack, but if I could also try to do is to attack very nice and.

D

To.

J

Do that simple, send a lot of requests, and this is the the switch is able to deal with that, because every request doesn't have to go through the whole stack, so it might answer right away, or it might be that it can much more quickly come up with the solution like a filter. That would would stop this back there. Thank.

H

You.

K

Hi thanks again, it's Brian again from Nexus I'd love to actually sit down and talk with you more in detail, but I'm on the slide. You were going over with the mining pool itself being.

J

Yes,.

J

Then.

K

I would've.

J

Never the the background or yeah.

K

Yeah, the one, the one where you had the mining pool on the left-hand side and the good and the bad actor, not the one with that. So basically, this is also an attack bacteria on cryptocurrencies that I've seen and it's the fact that that mining pool is actually centralized as well meaning they can specifically be creating blocks on purpose and shutting out smaller miners, which may be able to do in this situation. Just saying, okay! Well, we want to blow away all these people who are mining on the right-hand side.

K

All we need to do is just make sure that this guy, he doesn't have connection to our mine, employee anymore, and suddenly everyone loses connection in this one smaller section, because it is peer-to-peer and I think a solution for that would be for everyone to kind of start thinking, in the sense that we need to have a decentralized mining pool.

J

So, okay, two things there I totally agree with the fact that, basically, the partition that I could be used as by a mining pool that wants to win over another. So it basically removes it from the network. But yes, like the main reason why this attack works is that mining power is centralized. So if we, if we can somehow recent, realize it yes, it will be better. On the other hand, oh, but if not, this is that mining pools because me like they would lose a lot of revenue. Something goes bad.

J

There are multi-home, so they're trying to be better, so there is also an opportunity there if we assume that my nipples are benign, which I'm not this person to say that but like what I want to say is that it might be easier to persuade mining folks to deploy a better network rather than everyone before you better network. So this is a trade-off. I believe yeah.

I

I'm, sorry, you get your through a wrap up, get the next one up really. Thank you very much for a very interesting topic.

I

Okay, our next talk is on not quite routing but I. Think it's very interesting. It's a hot topic these days, it's vehicle communication.

L

All right so.

L

I'm still jet-lagged do I come from from kth, and this is yet another manifestation that Sweden and Switzerland are on the same thing. People.

D

Say: okay, th.

L

Yes, Zurich is a nice City I mean now. Coincidentally, secure routing is a topic. It is very close to my heart and I have done a lot of work and it's in the past. Nonetheless, the topic of today's talk is totally different. So what I'll try to do is that I'll quickly go through the very first part of the tour introduce the problem.

L

What we're trying to do is keep the great deal of slides regarding results, and you know just go to the the distant message at the end of it and then there are very short additional topics that relates to the bigger scheme of things, and we can use, let's say a few minutes or yeah just basically see what you might be interested in.

L

So the idea is that we have this upcoming type of systems, regular communication systems. You do additional computation and communication capabilities, all the vehicles, these you know words that allow them to communicate and with roadside infrastructure. So basically they inform the driver about anything that is happening. The driver cannot see or hear, and the purpose is to enhance those profession, safety and transportation efficiency and by the same purpose, lots of service providers are interested in. You know throwing in some infotainment right the good things that people are also, let's say, getting free bandwidth.

L

Now the problem is, if you have such a system, you might be opening the door for additional types of misbehavior, so things could go wrong in in unpredictable ways, especially even if you move from a driver, assisted monotony, driving mode. Where you have this communication, gonna rely only on sensors onboard, and here is an example where, let's say you have an application that in foreign field, there's an.

D

Ambulance so.

L

That you, you know, slows down on you and then one could go and buy the box that basically fakes the ambulance, traffic and finds the way open right. Then it could be even more serious attacks that would basically bring down the default system. Essentially, Dropper dies. The safety of the drivers and the cars put their lives in danger. So there's have been a lot of work on how you should be dealing with regular communication.

L

One thing that basically distinguishes beyond that different requirements of security is the need to have both security for all networking but at the same time have privacy. Why? Because in each of those, we have people and they care to know, disclose their whereabouts. Now you might say why on earth do they care when the mobile phone does that for them? Well, if you need to basically deploy a new technology- and you say that by default the target privacy, you might hit the world of some sort of regulation.

L

So we've been working this for many years and our let's say taken this as researchers and also what we say, for example, the European Commission, etc. Is that it should be deployed with privacy in place and they looking at the very simple way of doing this? Well, assuming you're digitally signing messages, you're sending you're using public key cryptography every time you do so 1 2 3 n messages can be trivially linked as no against someone is verifying these.

D

Signatures and.

L

The certificates can be saying everything about you know you can anonymize this, but if, even if you do so still the signature wants, we will give you away so what the proposal there is to basically utilize multiple shortening of credentials and public private key pairs and essentially change from one persona from one pseudonym to another. As you move, and then you were really linkable for a short period as short or as long as they overarching enabled applications needed.

L

For example, a collision avoidance application is trying to figure out if someone is actually coming in your lane, but short enough to make sure that your privacy is not at stake, and here I'm, just showing you pictures of how basically, these systems on the research front have developed. Since our first engagement in the thing demonstration from 2008.

G

Of the.

L

15, for example, here what we are looking into this paper that presented this morning is the provision of the credential, because there's a different, green effect of a public key infrastructure. Not only you have one public private key pair entity.

L

The ANA certificate is good for for a few years, but in contrast exactly because you want to protect privacy, and you won't have the lifetimes of the funeral credentials as as long as possible, you need to provide the provision each entity its villainous, okay with many of those huge numbers and eventually we're talking about several orders of magnitude, more credentials than any public infrastructure.

L

We have seen so far, so we speed the system in two domains and we say that the duties should be separated in a sense that there is a one entity, this long term certification authority that maintains the long term identities of anyone registered in the system and pseudonym certification authorities also provide the the short term credentials right. And why do we do this so that, essentially we put a barrier and we make things new versa means. Should there be and that's a legacy requirement?

L

Should there be some sort of accident or some other investigation, you can go back and look at these anonymous and pseudonymous key authenticating transmissions and figure out which week they correspond to, but otherwise you cannot and what we actually care to do is to consider the security infrastructure being not fully trustworthy. Essentially, we care to have a system that provides all the guarantees, the security, the privacy, the performances I'm sure in a while, but at the same time it assumes the PCA and the MPCA entities I showed you have, you are honest, but huge.

L

Basically, they try themselves to figure out as much as they can about the registered vehicles.

D

And.

L

That's the focus here yeah and that's exactly what we do with this design and we care how it would scale and in the end the message will be that well, it's not such a big impediment. You can do it with reasonably modest equipment for tens of thousands of cars. You still don't have any system really deployed, but we are coming forward towards that. So that's how it looks. Well, it reminds me for those of you who well versed in security protocols. It could remind you of the Kerberos like infrastructure.

L

The difference is that the ticket granting the service granting tickets is an imine so essentially that the vehicle gets in touch may be able to see a gets, an anonymized ticket that they can use to talk to any of the PCAs in the system to get a bunch of short-lived credentials, one valid after we are, after the other, so that it can only use one at any given point in time and if you move from a given domain, let's say this is a year the montreal municipality area, to the area or whatever is the split of your system.

L

Then you can talk to your NTC, a get a ticket that you can present to the foreign embassy a and then get a new set of credentials that anyone else in that domain is actually using. Why would you care so that when you digitally sign messages about yourself, your whereabouts and anything else, the reboost are exchanging each other? You don't look this way. You're coming from outside the system outside the domain, there may be a three-wheel, it's a very small and limited sets if you wish I'm skipping parts of the policy.

L

So basically we worked out all the protocols we have a system. The protocol basically can kick out entities that are found to be misbehaving, so you have revocation and we did a lot of experimentation. Of course we had to come up with some sort of synthetic node for through this public infrastructure he took actual mobility places from the city and the whole country, small country, and we look at different policies according to which we could basically refill with credentials these pseudonyms, and you can think of this as some sort of fuel right.

L

So you get more as you go depending.

D

What you know about.

L

I, don't.

D

Have time to go and.

L

I'm speaking the part about the pharmacy, so one thing that matters is that you basically get to utilize all these reasonings you get mostly I, mean high degree of utilization. That's a good message to not waste computation and not generate large sets of certificates. That will never be of any use to anyone, and then we look at basically how long it takes here. We stripped away networking delays because the full thing is in a lab and then the demand is a virtual machine that emulates the entrance.

L

Essentially you get your credentials in the order of less than hundred milliseconds, and that's essentially the message. I was talking about it's a complex system. It will get large and into complex deployment. Nonetheless, the point you are trying to make there is that not only we crank up the I mean the security and protection level.

L

By allowing honestly curious, you show that this can be done with a very modest hardware requirements, and we continue working on is improving, of course, the system, and we are looking into how we could deploy it in the cloud environment so that we can scale in and out depending on the other demand. Oh, that's, that's a different question: we're looking at how to distribute verification information, that's a problem that is in general, say difficult in any in classic. You know internet proper itself.

L

Nonetheless, it gets even more complicated in this context, so I'll say a few words yeah.

E

Say a.

L

Couple of minutes what what we're getting there and then I want to say how such a system with privacy and security enabled the same having these, the dentists could be useful rather than in different contexts when you try to hide from but vacation visitors said and I would also say how you can actually take ideas from this from this work and of liberate yourself from the need to use classic public key crypto ad since more exotic Krypton there, and then they do the system for participatory sensing systems like so.

L

Basically, you have input form, I mean I'm, saying.

D

A minute ago, this.

L

So since I I did this within a 15, 16 minutes or whatever so maybe I'll take 2-3 minutes were the other two three topics, just as a teaser, if you wish, but then there is there's a commonality as a common denominator there, and then we can have any any sort of discussion you want. So let's look at the certificate revocation list right so typically why they say this is sets of of serial numbers in English of certificate which are no longer volumes.

L

Now here you are having many more certificates than pseudonyms is a female or certificates, and many of them will expire your honor, but then, depending on for how long you are provisioning, the the vehicles with certificates, you might have very large numbers, it depends when the revocation happens and how many you've gained to the vehicle. So you can have a a large revocation list and of course now, since we care about privacy, but we don't want and I will.

L

This is the second bullet there is that we don't want when we revoke an entity at the same time, to make all previous activity all things, communication, linkable or traceable. Why mean something happen? We say a malfunction, it doesn't matter it.

L

Why should you give away all the previous activities with that that entity just because they no longer make part of the other system?

L

And the question is now: if you have a large-scale system with very diverse connectivity, how do you get this certificate? Revocation list information? You can always have online access, but there we are talking about systems where safety humans, their well-being, is at stake. So we are not. You might not want to tolerate it. Let's say long delays and you know what I want to push eventually, the the information to their vehicles and one other feature that is fundamentally different.

L

That typically, you interact, let's say with a website server and you check the status of their certificate. In this case you are in a neighborhood of previously not saying vehicles which do have a certificates, but this neighborhood keeps changing. So if you were to think of some sort of OCSP type of approach, you might be hitting a wall there exactly because you have been. You need to run this over and again. So, what's the deal here, a simple idea: we call this vehicle centric CLS, the bution and essentially we say well get to any vehicle.

L

Only the absolute minimum information about revoked credential that it could possibly need and.

L

Introduced some sort of cheap Authenticator in other credentials in a subset of those or broadcast this at a very low rate in what in what way or for what reason, so that essentially, that CRL that you need to distribute if you chop it into pieces. Essentially, you use these authenticators to basically facilitate validation of those pieces. Why? Because someone could actually fake that information if there were no security in place, even basically claimed that someone is revoked while they're? Not so you kick them out of the system or someone are these revoked?

L

You basically modify the CL and you let them basically act potentially maliciously as part of our system. So we need to small or very seemingly simple idea that no one has proposed before sensually. We do get a 40 fold improvement in terms of delay to distribute the Cyril information. Even if we, though, we're using around 25 kilobytes per second like a minimum, a very, very low rate of information- and this is- you might say: well, there are constraints for wireless communication, but still we're talking about megabits per second and.

A

All the links, but these are loaded beliefs, so.

L

Pays it pays to be frugal in that sense, or we can have this information basically distributed over kilometers of area within within reason of very reasonable delays and extremely faster than the best solution. Well, that's less a 1/1 problem solved furthering that in that direction. Now, why would it be useful, not the CRL distribution but overall, having such privacy preserving and security enabling ephemeral credentials?

L

Well, you can think of a scenario where you're submitting queries to an LPS server and then every time you do this, you disclose where you are, what you care about and eventually who you are in the end right. So there were solutions in the literature that say well take all these queries, aggregate them give them to an anonymizer, and then they anonymizer we're getting to the LPI server and then ship them back to you. Fine excellent solution.

L

Nonetheless, it basically said tell us that if this guy is honest but curious, this guy is fully trust worth why it's not clear. So what we proposed is basically relying on your peers to get this information and if and only if, they cannot provide it. Then you ask me lbs so essentially your exposure to the honest but curious entity is minimized. But then, if you rely on peers, you could be basically getting.

L

Additional problems why you could have ears which are actually misbehaving for whatever reason, so what we say well use such an infrastructure equip those peers whatever they are mobile phones, cars, any sort of mobile device, or, if you enough, with these credentials and.

D

Now.

L

Try to solve the problem of how basically useful up-to-date information could be made available. We tried initially to have peer to peer academic distribution of this information, meaning I asked a question to the server. If I have the answer you asked me for for the answer: I'll give it to you. If I have it right, but then basically the convergence in the delay is pretty low. Plus it opens additional. It raises additional questions. I could be exposing myself to my peers and so on and so forth. So we change the design here.

L

We said that there's a randomized not in the hands of the adversary approach that the infrastructure randomly assign someone to be a server node, a serving node, let's say of the peers for a short period of time and I'm skipping here that essentially we reduce dramatically and the exposure to they'll be a server and with the appropriate design we we reduce the exposure to peer. So this is something it wasn't measured before every everyone is usually a bit idealist.

L

Idealistic about this peer to peer interactions, but well you never know what are the motivations would say. The model- and we basically deal with the problem of those basically trying to pollute the air, the distribution of information and for the last minute or so same same direction, mobile systems, urban sensing system. So basically, rather than deploying a year sensing infrastructure, you leverage sensing capabilities, onboard the car from both cellphones and then you basically recruits important quotes to help you.

L

The question is: how do you do it without giving them the opportunity to manipulate your data, the medicine process? How do you do it without harming their privacy and even better? How do you provide an incentive, or do you remunerated some way tangible way so that you motivate and further to participate? Now, the big story? We have quite a lot of work, but then, here you see again the same idea, separation of duty, but then can we use of I'd, say.

H

Anonymous.

L

Authentication for one of the entities because it suits us better if you wish, we are not subject to the standard, the considerations for the design, considerations and so on so forth, and we address a broader set of problems. For example, you participate in a task. The infrastructure doesn't know which tasks are participating with the only one. You use those short-term credentials to submit your data, because this is the computational and communication wise most efficient way to do it. And then you have a great deal of guarantees which summarize here well there.

L

We also did some formal analysis of time and we went even further and we use machine learning to basically D sift sift SIF T I mean meaning. They basically tried to figure out which data we can trust. Even if someone and being an internal adversary is trying to manipulate the contributed data towards basically AB. You mention shifting the the collected data a in a way that it should and that's.

L

Thanks very much for the external. It's a opportunity to talk about this. This work. Ok, next time, I see you I promise. I will talk about Sakura outing, which gives much probably close to your taste. But do you have any questions.

I

Okay, we're short on time, so they can always find you afterwards and we thank you very much planners and I. Think we'll take you up on.

L

The.

I

Funny things that in.

L

These in this network, essentially, they work on secure geographical or geo casting so geographical forwarding information, but otherwise protocols are relatively simplified, basically broadcast.

L

Thank you very much. Yes,.

I

Thank you. Thank you. Okay, we have only a couple of minutes. If anybody has something quick to add a, they might get any questions anything and, of course you can always see us any that us anytime, you want okay, so see you in Bangkok.

E

You.