Relieve Internet Routing Security of Public Key Infrastructure

The lack of security mechanisms in the Border Gateway Protocol (BGP) exposes it to a wide range of threats that constantly undermine the security of the Internet. The most prominent attacks are prefix hijacking and the announcement of false routes to maliciously attract or divert traffic. A number of cryptographic solutions to prevent both attacks have been proposed, but they have not been adopted because of the operations involved and the considerable overhead. Most of them rely on digital signatures to authorize Autonomous Systems (ASes) to propagate route announcements. Surprisingly, the scientific community has devoted little interest to the problem of revocation in BGP. In particular, BGP systems based on a Public Key Infrastructure (PKI) allow an Autonomous System to be revoked by revoking its public key certificate, but there seems to be no solution for the selective revocation of AS-path announcements. This paper introduces reBGP, an enhanced version of BGP that leverages Identity Based Cryptography to secure BGP with minimal overhead. reBGP prevents prefix hijacking and false route announcements through Aggregate Identity Based Signatures and provides an effective means of revocation to invalidate AS-path announcements. reBGP has a constant overhead for verifying the authenticity of routes and does not require a PKI. Extensive testing of our implementation shows that our proposal is a practical solution for securing BGP.
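To make the two attacks named above concrete, the following is an added illustration, not code from the paper and not reBGP's identity-based signature scheme: it models plain route-origin validation against a constructed prefix-to-origin authorization table (hypothetical private-range ASNs and documentation prefixes). It shows that an origin check catches a prefix hijack and an over-specific announcement, but passes a false route that keeps the true origin and forges the rest of the AS path, which is exactly the case that needs the per-hop path signatures the abstract describes.

```python
"""Origin validation against a constructed authorization table.

Added illustration, not reBGP's own mechanism: it models the simpler check
that prefix-to-origin authorizations enable, so that the two attacks named
in the abstract (prefix hijacking and false AS-path announcements) can be
told apart.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample data (hypothetical ASNs from the private range,
# documentation prefixes): prefix -> (authorized origin AS, max prefix length)
AUTHORIZATIONS = {
    "203.0.113.0/24": (64500, 24),
    "198.51.100.0/22": (64501, 24),
}


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple  # leftmost = last AS that propagated it, rightmost = origin AS


def covering_authorizations(prefix):
    """Return authorizations whose prefix covers (or equals) the announced prefix."""
    net = ipaddress.ip_network(prefix)
    found = []
    for auth_prefix, (origin, maxlen) in AUTHORIZATIONS.items():
        auth_net = ipaddress.ip_network(auth_prefix)
        # subnet_of() raises on mixed IP versions, so compare versions first.
        if auth_net.version == net.version and net.subnet_of(auth_net):
            found.append((auth_net, origin, maxlen))
    return found


def validate_origin(ann):
    """Classify an announcement as 'valid', 'invalid' or 'not_found', with a reason.

    The origin is the rightmost AS in AS_PATH; an announcement is valid if some
    covering authorization names that origin and permits the announced length.
    """
    if not ann.as_path:
        return "invalid", "empty AS_PATH"
    origin = ann.as_path[-1]
    net = ipaddress.ip_network(ann.prefix)
    covering = covering_authorizations(ann.prefix)
    if not covering:
        return "not_found", "no authorization covers %s" % ann.prefix
    reasons = []
    for auth_net, auth_origin, maxlen in covering:
        if auth_origin != origin:
            reasons.append("origin AS%d not authorized for %s (expected AS%d)"
                           % (origin, auth_net, auth_origin))
        elif net.prefixlen > maxlen:
            reasons.append("prefix length %d exceeds max %d for %s"
                           % (net.prefixlen, maxlen, auth_net))
        else:
            return "valid", "authorized by %s" % auth_net
    return "invalid", "; ".join(reasons)


# Constructed announcements, one per scenario.
LEGITIMATE = Announcement("203.0.113.0/24", (64510, 64500))
ORIGIN_HIJACK = Announcement("203.0.113.0/24", (64510, 64666))    # wrong origin
MORE_SPECIFIC = Announcement("203.0.113.128/25", (64510, 64500))  # /25 exceeds max length
UNKNOWN = Announcement("192.0.2.0/24", (64510, 64502))            # nothing covers it
# The attacker keeps the true origin but forges a short path claiming a direct
# link to it; origin validation alone cannot see this false route.
PATH_FORGERY = Announcement("203.0.113.0/24", (64666, 64500))


if __name__ == "__main__":
    for name, ann in [("legitimate", LEGITIMATE), ("origin hijack", ORIGIN_HIJACK),
                      ("more specific", MORE_SPECIFIC), ("unknown", UNKNOWN),
                      ("path forgery", PATH_FORGERY)]:
        state, reason = validate_origin(ann)
        print("%-14s %-18s %s: %s" % (name, ann.prefix, state, reason))
```

The last scenario is the point: PATH_FORGERY comes back "valid" because only the origin is checked, which is why schemes such as the one in this paper sign each hop of the AS path rather than just the origin.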
