Secure Border Gateway Protocol (S-BGP)

The Border Gateway Protocol (BGP), which is used to distribute routing information between autonomous systems (ASes), is a critical component of the Internet's routing infrastructure. It is highly vulnerable to a variety of malicious attacks, due to the lack of a secure means of verifying the authenticity and legitimacy of BGP control traffic. This paper describes a secure, scalable, deployable architecture (S-BGP) for an authorization and authentication system that addresses most of the security problems associated with BGP. The paper discusses the vulnerabilities and security requirements associated with BGP, describes the S-BGP countermeasures, and explains how they address these vulnerabilities and requirements. In addition, this paper provides a comparison of this architecture to other approaches that have been proposed, analyzes the performance implications of the proposed countermeasures, and addresses operational issues.
