Evaluating the Performance Impact of PKI on BGP Security

The Border Gateway Protocol is central to making the Internet work. However, because it relies on routers from many organizations believing and passing along the information they receive, it is vulnerable to many security attacks. Approaches to securing BGP typically rely on public key cryptography, in various encodings, to mitigate these risks; to work in practice, these approaches usually require a public key infrastructure. Both the cryptography and the PKI may affect the performance of such a security scheme; however, evaluating how these effects scale to large networks is difficult to do analytically or empirically. In this paper, we use the tools of simulation to evaluate the impact that signatures, verification, and certificate handling have on convergence time, message size, and storage, for the principal approaches to securing BGP.
