Sign what you really care about - Secure BGP AS-paths efficiently

The de facto inter-domain routing protocol, Border Gateway Protocol (BGP), plays a critical role in the reliability of the Internet routing system. However, the system may also be devastated by forged BGP routes that are generated by malicious attacks or misconfigurations. This security problem has attracted considerable attention, and although several solutions have been proposed, none of them has been widely deployed due to weaknesses such as high computational cost or potential security vulnerabilities. This paper proposes Fast Secure BGP (FS-BGP), an efficient mechanism that can secure AS-paths and prevent prefix hijacking by signing critical AS-path segments. We prove that FS-BGP achieves a level of security similar to that of S-BGP, but with much higher efficiency. Compared with S-BGP, the cost of signing and verification in FS-BGP can be reduced by orders of magnitude, as demonstrated in our experiments using BGP UPDATE data collected from real backbone routers. Indeed, signing and verification can be accomplished as fast as the most bursty BGP UPDATE arrivals, which implies that FS-BGP will hardly delay the propagation of routing information.
