论文信息 - (R)Evolutionary Bootstrapping of a Global PKI for Securing BGP

(R)Evolutionary Bootstrapping of a Global PKI for Securing BGP

Most secure routing proposals require the existence of a global public-key infrastructure (PKI) to bind a public/private key-pair to a prefix, in order to authenticate route originations of that prefix. A major difficulty in secure routing deployment is the mutual dependency between the routing protocol and the establishment of a globally trusted PKI for prefixes and ASes: cryptographic mechanisms used to authenticate BGP Update messages require a PKI, but without a secure routing infrastructure in place, Internet registries and ISPs have little motivation to invest in the development and deployment of this PKI. This paper proposes a radically different mechanism to resolve this dilemma: an evolutionary Grassroots-PKI that bootstraps by letting any routing entity announce self-signed certificates to claim their address space. Despite the simple optimistic security of this initial stage, we demonstrate how a Grassroots-PKI provides ASes with strong incentives to evolve the infrastructure into a full top-down hierarchical PKI, as proposed in secure routing protocols like S-BGP. Central to the Grassroots-PKI concept is an attack recovery mechanism that by its very nature moves the system closer to a global PKI. This admittedly controversial proposal offers a rapid and incentivecompatible approach to achieving a global routing PKI.

Brian Weis | Yih-Chun Hu | Adrian Perrig | David A. McGrew | Dan Wendlandt

[1] Matthew K. Franklin,et al. Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[2] R. A. White,et al. Deployment Considerations for Secure Origin BGP (soBGP) , 2003 .

[3] Philip R. Zimmermann,et al. The official PGP user's guide , 1996 .

[4] Jennifer Rexford,et al. Pretty Good BGP: Improving BGP by Cautiously Adopting Routes , 2006, Proceedings of the 2006 IEEE International Conference on Network Protocols.

[5] Yih-Chun Hu,et al. SPV: secure path vector routing for securing BGP , 2004, SIGCOMM.

[6] Michael K. Reiter,et al. Authentication metric analysis and design , 1999, TSEC.

[7] Brian Weis. Secure Origin BGP (soBGP) Certificates , 2006 .

[8] Stephen T. Kent,et al. Secure Border Gateway Protocol (S-BGP) - Real World Performance and Deployment Issues , 2000, NDSS.

[9] Peter Hesse,et al. Managing Interoperability in Non-Hierarchical Public Key Infrastructures , 2002, NDSS.

[10] Patrick D. McDaniel,et al. Working around BGP: An Incremental Approach to Improving Security and Accuracy in Interdomain Routing , 2003, NDSS.

[11] J. Linn. Trust Models and Management in Public-Key Infrastructures , 2000 .

[12] Peter Gutmann,et al. PKI: It's Not Dead, Just Resting , 2002, Computer.