SPV: secure path vector routing for securing BGP

As our economy and critical infrastructure increasingly relies on the Internet, the insecurity of the underlying border gateway routing protocol (BGP) stands out as the Achilles heel. Recent misconfigurations and attacks have demonstrated the brittleness of BGP. Securing BGP has become a priority.In this paper, we focus on a viable deployment path to secure BGP. We analyze security requirements, and consider tradeoffs of mechanisms that achieve the requirements. In particular, we study how to secure BGP update messages against attacks. We design an efficient cryptographic mechanism that relies only on symmetric cryptographic primitives to guard an ASPATH from alteration, and propose the Secure Path Vector (SPV) protocol. In contrast to the previously proposed S-BGP protocol, SPV is around 22 times faster. With the current effort to secure BGP, we anticipate that SPV will contribute several alternative mechanisms to secure BGP, especially for the case of incremental deployments.

[1]  Ratul Mahajan,et al.  Understanding BGP misconfiguration , 2002, SIGCOMM '02.

[2]  A Digital Fountain Approach to Reliable Distribution of Bulk Data , 1998, SIGCOMM.

[3]  S. M. Bellovin,et al.  Security problems in the TCP/IP protocol suite , 1989, CCRV.

[4]  Dan S. Wallach,et al.  Denial of Service via Algorithmic Complexity Attacks , 2003, USENIX Security Symposium.

[5]  Gene Tsudik,et al.  Reducing the cost of security in link-state routing , 1997, Proceedings of SNDSS '97: Internet Society 1997 Symposium on Network and Distributed System Security.

[6]  W. Trowbridge WOW , 2005 .

[7]  Deployment Considerations for Secure Origin BGP (soBGP) , 2003 .

[8]  Arjen K. Lenstra,et al.  Selecting Cryptographic Key Sizes , 2000, Journal of Cryptology.

[9]  Daniel Massey,et al.  A framework for resilient Internet routing protocols , 2004, IEEE Network.

[10]  Sean Convery,et al.  An Attack Tree for the Border Gateway Protocol , 2003 .

[11]  Yih-Chun Hu,et al.  SEAD: secure efficient distance vector routing for mobile wireless ad hoc networks , 2002, Proceedings Fourth IEEE Workshop on Mobile Computing Systems and Applications.

[12]  J. J. Garcia-Luna-Aceves,et al.  Securing distance-vector routing protocols , 1997, Proceedings of SNDSS '97: Internet Society 1997 Symposium on Network and Distributed System Security.

[13]  Ronald L. Rivest,et al.  The MD5 Message-Digest Algorithm , 1992, RFC.

[14]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[15]  Yih-Chun Hu Efficient Security Mechanisms for Routing Protocols , 2003 .

[16]  Pankaj Rohatgi,et al.  A compact and fast hybrid signature scheme for multicast packet authentication , 1999, CCS '99.

[17]  Patrick D. McDaniel,et al.  Working around BGP: An Incremental Approach to Improving Security and Accuracy in Interdomain Routing , 2003, NDSS.

[18]  Fred Baker,et al.  RIP-2 MD5 Authentication , 1997, RFC.

[19]  Dawn Xiaodong Song,et al.  SIFF: a stateless Internet flow filter to mitigate DDoS flooding attacks , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[20]  Ralph C. Merkle,et al.  A Digital Signature Based on a Conventional Encryption Function , 1987, CRYPTO.

[21]  Hugo Krawczyk,et al.  A Security Architecture for the Internet Protocol , 1999, IBM Syst. J..

[22]  Mihir Bellare,et al.  A concrete security treatment of symmet-ric encryption: Analysis of the DES modes of operation , 1997, FOCS 1997.

[23]  Karl N. Levitt,et al.  Protecting routing infrastructures from denial of service using cooperative intrusion detection , 1998, NSPW '97.

[24]  Sandra Murphy,et al.  BGP Security Protections , 2002 .

[25]  Yih-Chun Hu Packet Leashes : A Defense against Wormhole Attacks in Wireless Ad Hoc Networks , 2001 .

[26]  Michael Luby,et al.  A digital fountain approach to reliable distribution of bulk data , 1998, SIGCOMM '98.

[27]  Radia Perlman Interconnections: Bridges and Routers , 1992 .

[28]  John W. Stewart,et al.  BGP4 : inter-domain routing in the Internet , 1998 .

[29]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[30]  Christopher Krügel,et al.  Topology-Based Detection of Anomalous BGP Messages , 2003, RAID.

[31]  William P. Marnane,et al.  Efficient architectures for implementing montgomery modular multiplication and RSA modular exponentiation on reconfigurable logic , 2002, FPGA '02.

[32]  Stephen T. Kent,et al.  Secure Border Gateway Protocol (S-BGP) , 2000, IEEE Journal on Selected Areas in Communications.

[33]  Volker Roth,et al.  Listen and whisper: security mechanisms for BGP , 2004 .

[34]  Silvio Micali,et al.  How to construct random functions , 1986, JACM.

[35]  Ralph C. Merkle,et al.  Protocols for Public Key Cryptosystems , 1980, 1980 IEEE Symposium on Security and Privacy.

[36]  John Wawrzynek,et al.  The sfra: a fixed frequency fpga architecture , 2003 .

[37]  Silvio Micali,et al.  On-line/off-line digital signatures , 1996, Journal of Cryptology.

[38]  Stephen T. Kent,et al.  Secure Border Gateway Protocol (S-BGP) - Real World Performance and Deployment Issues , 2000, NDSS.

[39]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[40]  John Black,et al.  Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV , 2002, CRYPTO.

[41]  Constantinos Dovrolis,et al.  Beware of BGP attacks , 2004, CCRV.

[42]  Randall J. Atkinson,et al.  IP Encapsulating Security Payload (ESP) , 1995, RFC.

[43]  Kan Zhang,et al.  Efficient Protocols for Signing Routing Messages , 1998, NDSS.

[44]  J.J. Garcia-Luna-Aceves,et al.  Securing the border gateway routing protocol , 1996, Proceedings of GLOBECOM'96. 1996 IEEE Global Telecommunications Conference.

[45]  Brijesh Kumar,et al.  Integration of security in network routing protocols , 1993, SGSC.

[46]  Yi Yang,et al.  Generic Threats to Routing Protocols , 2006, RFC.

[47]  Joan Daemen,et al.  AES Proposal : Rijndael , 1998 .

[48]  Jon Crowcroft,et al.  Integrating security in inter-domain routing protocols , 1993, CCRV.

[49]  Yakov Rekhter,et al.  A Border Gateway Protocol 4 (BGP-4) , 1994, RFC.

[50]  Biswanath Mukherjee,et al.  Detecting disruptive routers: a distributed network monitoring approach , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[51]  Nick Feamster,et al.  Verifying the Correctness of Wide-Area Internet Routing , 2004 .

[52]  Leonid Reyzin,et al.  Better than BiBa: Short One-Time Signatures with Fast Signing and Verifying , 2002, ACISP.

[53]  S. Cheung,et al.  An efficient message authentication scheme for link state routing , 1997, Proceedings 13th Annual Computer Security Applications Conference.

[54]  Andy Heffernan,et al.  Protection of BGP Sessions via the TCP MD5 Signature Option , 1998, RFC.