Symmetric Key Approaches to Securing BGP—A Little Bit Trust Is Enough

The Border Gateway Protocol (BGP) is the de facto interdomain routing protocol that connects autonomous systems (ASes). Despite its importance for the Internet infrastructure, BGP is vulnerable to a variety of attacks due to the lack of security mechanisms in place. Many BGP security mechanisms have been proposed. However, none of them has been deployed because of either high cost or high complexity. Finding the right trade-off between efficiency and security has always been challenging. In this paper, we attempt to trade off between efficiency and security by giving a little dose of trust to BGP routers. We present a new flexible threat model that assumes that, for any path of length h, at least one BGP router is trustworthy, where h is a parameter that can be tuned according to security requirements. Based on this threat model, we present two new symmetric key approaches to securing BGP: the centralized key distribution approach and the distributed key distribution approach. Comparing our approaches to the previous SBGP scheme, our centralized approach has a 98 percent improvement in signature verification. Our distributed approach has a signature generation cost equivalent to that of SBGP and an improvement of 98 percent in signature verification. Comparing our approaches to the previous SPV scheme, our centralized approach has a 42 percent improvement in signature generation and a 96 percent improvement in signature verification. Our distributed approach has a 90 percent improvement in signature generation cost and a 95 percent improvement in signature verification cost. We also describe practical techniques for increasing the long-term security and collusion resistance of our key distribution protocols without increasing the signature generation and verification costs. By combining our approaches with previous public key approaches, it is possible to simultaneously provide an increased level of security and reduced computation cost.

[26]  Alex X. Liu,et al.  Symmetric Key Approaches to Securing BGP - A Little Bit Trust Is Enough , 2011, IEEE Trans. Parallel Distributed Syst..