|Title:||Secure Split Assignment Trajectory Sampling: A Malicious Router Detection System|
|Authors:||Franck Le, Sihyung Lee, Tina Wong, Hyong S. Kim, Darrell Newcomb|
|Publication Date:||June 12, 2006|
The current Internet routing landscape presents a number of challenges, especially in the configuration of routing policies. There have been numerous proposals to tackle the misconfiguration problem: configuration checking, policy language (re)design, and clean-slate routing architecture. In this paper, we present an analysis of routing policies and a misconfiguration detection mechanism. With an operational perspective, we first present a study on the configuration and evolution of routing policies, using data from three different types of networks. Our results show that configurations are changed frequently and mostly incrementally. We found that the most commonly used and changed commands are related to route tagging and filtering, and there are substantial amount of duplication in policy configurations within a network. More interestingly, based on these results, we develop a data mining method to find inconsistencies in a network’s configurations of routing policies. Our method is able to detect local, network-specific rules automatically, and differs from existing approaches that are based on universally applicable rules. In our evaluation, we found 30 confirmed errors and 29 warnings in three networks. More than half of the errors are related to route tagging. Our findings show that the next generation configuration language and routing platform should be sufficiently flexible to allow a network to express and frequently modify its route tagging, yet restrictive enough as this aspect is often misconfigured.
Full Report: CMU-CyLab-06-010