Jean Camp increases network routing security with Bongo

It has been a fruitful partnership between InCNTRE and L. Jean Camp, director of Indiana University’s Security Informatics program.  

Camp has created more resilient network traffic controls at a fraction of the cost, thanks in part to a grant with InCNTRE from the Defense Advanced Research Projects Agency (DARPA). Other collaborators include Cambridge University; the University of California, Berkeley; and the University of Minnesota. 

“We’ve done a really good job of growing together, and I think the faculty relationships with InCNTRE illustrate this positive long-term trend,” Camp said.

Through malice or misconfiguration, there remains an inherent ability for an autonomous system to fake capacity under Border Gateway Protocol (BGP), the standard routing logic governing online data transfer. Using OpenFlow, InCNTRE and Camp created a new model called Bongo. To ensure a target router is not operationally impaired, Bongo analyzes routing information and tells the underlying switch to allow or disallow access.

Under current BGP “it’s really about the next hop, whereas with SDN it’s about what flow you are. Dropping packets that don’t correspond to an incoming flow is much easier with SDN,” Camp said. “So the ability to stop all these amplification attacks by having a subset of people adopt SDN egress filtering is a way the network can become much more resilient.”

Bongo achieves increased network routing security by building and continuously examining the ever-changing routing information base. While analysis slows internet response times, the model is able to detect amplification attacks that block access to network resources – all while letting the flow continue in a way that is not disruptive.

Camp’s research has also demonstrated economic packet filtering with SDN. Whereas Cisco put in a $1 billion bid to Amazon to create BGP routing for its cloud infrastructure, Amazon accepted a bid using SDN that cost only $11 million. Yet SDN and BGP do share one thing: They need to be more secure. On top of router resilience and cost savings, InCNTRE and Camp’s research adds an explicit management plane above SDN control and data planes. 

Camp’s partnership with InCNTRE perfectly exemplifies our mission, said Uwe Dahlmann, lead test engineer at InCNTRE’s Software-Defined Networking (SDN) Lab. Our function, he said, “is to give academics a better understanding of what real networks have as problems, and to allow the professional side to learn from the research and try new things and see what they can bring to the table.”