Embed Size (px)
Citation preview
Royal Holloway Series Interdomain Routing Security (BGP-4)
HOME
BGP OVERVIEW
BGP THREATANALYSIS
ATTACKSCENARIOS
SECURE BGP
SECUREORIGIN BGP
S-BGP V SOBGP
CONCLUSION
REFERENCES
1
Interdomain RoutingSecurity (BGP-4)A Comparison between S-BGP and soBGP in tacklingsecurity vulnerabilities in the Border Gateway ProtocolBy Rostom Zouaghi and StephenWolthusen
HE BORDER GATEWAY PROTOCOL (BGP) is the mostimportant protocol for the interconnectivity ofthe Internet. Although it has shown acceptableperformance, BGP suffers from many security
issues. In this article, we cover a few of thoseissues and provide the security requirements forthis protocol. We enumerate a few attacks thatcan be conducted against BGP. The aim of thisstudy is to examine two solutions that endeavourto provide security mechanisms at the protocollevel: Secure-BGP (S-BGP) and secure origin BGP(soBGP). The objective of this article is to comparethese protocols in terms of security, efficiency,performance, and deployability. Our findings haverevealed that ultimately, the solution chosen will bedependent on the desired level of security and thefeasibility of deployment. As is often the case withsecurity, a compromise between security and com-plexity is a major concern and cost-effectivenessis themain driver behind deployment.
1. INTRODUCTIONThe Internet has become a fundamental resourcein academic institutions, government agencies
and small to large businesses, as well as a vibrantpart of our daily lives. The smooth functioning ofcommunication in the Internet relies on routing,which is the component that determines feasiblepaths (or routes) for data to flow from a source toa destination. Computers on the Internet dependon routing information in order to be able to dis-cover and communicate with each other. Current-ly, the Internet routing infrastructure is intolerablyfrail due to many shortcomings. It is commonlymisconfigured [1], has considerable weak securi-ty properties [2] and becomes hard to manage[3]. As a consequence, communication becomesunreliable and unpredictable.
INTERNET ROUTING OVERVIEWAlthough it is generally thought that the Internetis a single network that people connect to; it isactually composed of a large number of intercon-nected networks that are independently operat-ed, called Autonomous Systems (ASes). Forinstance, when a user browses the Internet, thepackets sent and received travel across multipleASes before reaching their destination.In the Internet, Exterior Gateway Protocols
Royal Holloway Series Interdomain Routing Security (BGP-4)
HOME
BGP OVERVIEW
BGP THREATANALYSIS
ATTACKSCENARIOS
SECURE BGP
SECUREORIGIN BGP
S-BGP V SOBGP
CONCLUSION
REFERENCES
2
T
(EGPs) are used for routing informationexchange. Currently, the Border Gateway Protocol(BGP) is the protocol relied on when it comes torouting infrastructure for the Internet.In interdomain routing, the trivial parameters
required for routing are Autonomous SystemNumbers (ASNs) and Internet Protocol address-es (IP). Every AS holds an ASN and one or moreIP addresses. Public ASNs and IP addresses areassigned to different regions in the world by theInternet Corporation for Assigned Names andNumbers (ICANN). Owing to the complexity inmanaging the Internet, ICANN has delegated itsauthority to registries in different world regions[4].
BGP OVERVIEWIn each AS, one or more routers (or “speakers”)are assigned to perform interdomain routing byrunning BGP software, as shown in FIGURE 1. BGProuters are internally (i.e. inside the AS) linked toother internal routers through Internal-BGP links,and externally linked with routers in differentASes through External-BGP. Routing informationis propagated across the whole internetwork. Thisallows reachability information to be availableeverywhere, which ensures that every node in theinternetwork knows how to reach any other node.
Because of the flexibility that BGP provides, routedetermination and selection structure becomesrather complex.When two routers are configured to talk BGP
with each other, they first establish a TransportControl Protocol (TCP) session at port number
179. Knowing the importance of routing informa-tion, BGP requires the reliability found in TCP. Thelatter is a protocol that accomplishes the orderlydelivery of messages, detects duplicates, recog-nises when information has been lost andretransmits it, etc. After establishing the TCPconnection, the peers start their communicationby exchanging a few specific BGP messages toestablish a BGP session. Then, they exchangerouting information through UPDATEmessages
Royal Holloway Series Interdomain Routing Security (BGP-4)
HOME
BGP OVERVIEW
BGP THREATANALYSIS
ATTACKSCENARIOS
SECURE BGP
SECUREORIGIN BGP
S-BGP V SOBGP
CONCLUSION
REFERENCES
3
“Routing information ispropagated across the wholeinternetwork. This ensuresthat every node in theinternetwork knows howto reach any other node.”
and store it in a database named the RoutingInformation Base (RIB). Before storing routinginformation, the latter goes through filters deter-mined by AS’s routing policies reflecting not just
connectivity but also further considerations suchas commercial and security interests. Given thatmuch of this configuration is performed manually,human error is inevitable, leading to a consider-
Royal Holloway Series Interdomain Routing Security (BGP-4)
HOME
BGP OVERVIEW
BGP THREATANALYSIS
ATTACKSCENARIOS
SECURE BGP
SECUREORIGIN BGP
S-BGP V SOBGP
CONCLUSION
REFERENCES
4
FIGURE 1
AN EXAMPLEOF A BGPTOPOLOGY
able fraction of BGP announcements being erro-neous [5]. A malicious individual can exploitthose problems, abetted by a lack of security fea-tures as shown below.
2. BGP THREAT ANALYSISBGP provides no confidentiality, and only verylimited integrity and authentication services. Fur-thermore, BGP messages can be replayed sincethey do not use any freshness service. Thismeans that if a malicious individual intercepts anUPDATE message that adds a route, then theycan re-send that message after the route hasbeen withdrawn. This causes an invalid route tobe present in the RIB.In addition, no mechanism provides source
authentication of messages to BGP speakers. Thismeans that attackers can pretend to be a BGPpeer. This could be exploited to inject non-exis-tent routes, routes which send traffic through theattacker’s machine, etc.One of the major issues in BGP is dealing with
the quality of routing information transmitted. Inother words, the reachability information needsto be trusted. Thus, the announcement of thisinformation needs to be validated by an authori-tative AS. However, BGP does not provide an
authoritative hierarchy, allowing a malicious orcompromised AS to create new non-existent ormalicious routes and advertise them. This is fur-ther exacerbated by the fact that path attributescannot be validated through the existing BGP pro-tocol messaging.
ATTACKSThe absence of security controls and safeguardscan be exploited to craft attacks against interdo-main routing directly or exploited to realise high-er-impact malicious goals.There are several generic attacks that can be
performed against interdomain routing. The firstone is eavesdropping; which is the interceptionand reading of BGP messages. BGP does not pro-tect against replay attacks (i.e. recording andresending messages). In addition, there is no pro-tection against message deletion, insertion andmodification attacks. An attacker is also able toremove messages between two speakers, modifyand resend them back to the receiver. Thus, inter-domain routing is weak against man-in-the-mid-dle attacks. A malicious individual is able to cor-rupt the communication streams betweenspeakers and become an unnoticed and unknownintermediary. Furthermore, it is vulnerable todenial of service (DoS) attacks.
Royal Holloway Series Interdomain Routing Security (BGP-4)
HOME
BGP OVERVIEW
BGP THREATANALYSIS
ATTACKSCENARIOS
SECURE BGP
SECUREORIGIN BGP
S-BGP V SOBGP
CONCLUSION
REFERENCES
5
Generally, these attacks can be conducted byexploiting the TCP or BGP messaging vulnerabili-ties at all levels [6, 7, 8, 9, 10]. Two of the manyattacks that exist are briefly described.
BGP Spoofing Attack: In order to communicatewith a speaker in an existing BGP session formedby the speaker itself and its legitimate peer, theattacker needs to acquire more information aboutthe session. They must obtain the source IPaddress of the peer, through the use of Traceroutefor instance [11]. Because in a TCP connection aport number is required, it must be spoofed. Fur-thermore, the attacker is required to use a correctsequence number (i.e. the way TCP keeps track ofthe order of packets) and TTL (Time To Live)
attribute. TTL is a number that represents themaximum number of hops a packet can take; andis used as a safety mechanism to drop the lostpackets. Generally, BGP peer sessions are directlyconnected, so that the TTL is set to 1. The attack-er needs to set the TTL accordingly so that it isreceived when its value is 1. Crafting this attack isnot an easy task since it will require extra BGPsession knowledge. However, if accomplished, thetargeted speaker will think that the message islegitimate and processes it as if it was sent fromits peer, allowing e.g. false route injection, routedeletion, etc.
Setting up an unauthorised BGP session witha peer: Since a TCP session is required for peersto establish a BGP session, BGP inherits all TCP-based attacks. An attacker can use foot printingand reconnaissance techniques to gather infor-mation about an AS. If they can discover the IPaddress of a BGP speaker, its peer, and the portsused for a session, they can spoof the TCP pack-ets with the source IP address and port number ofthe peer. By making sure that the TTL arrives witha value not greater than 1, they can establish anunauthorised TCP session with the speaker. Thisattack can lead to adding false routes or retriev-ing existing ones for example.
Royal Holloway Series Interdomain Routing Security (BGP-4)
HOME
BGP OVERVIEW
BGP THREATANALYSIS
ATTACKSCENARIOS
SECURE BGP
SECUREORIGIN BGP
S-BGP V SOBGP
CONCLUSION
REFERENCES
6
“If attackers can discoverthe IP address of a BGPspeaker, its peer, and theports used for a session,they can spoof the TCPpackets.”
ATTACK SCENARIOSBased on the above generic attacks, an adversarycan construct attacks which achieve substantiallygreater damage.
Disable an AS:An example would be to disablean AS from receiving routing information. Thiscan be done by using any type of Denial of Serv-ice attack to disable BGP speakers. This willcause the targeted AS not to know how to routetraffic outside it. This means that it will not beable to respond to any request from its users. Ifthe company relies totally on the Internet, thenthe cost of the impact of the attack would belarge.
Disable critical portions in the internet: Sinceusing generic attacks can lead to disabling differ-ent ASes, critical portions in the Internet can betargeted. This can be done by injecting falseroutes into a global internet routing table. Thiswill make the portion of the Internet unreachablebecause the access to the AS is non-existent (bydeleting the routing information from the table)or altered (by changing a few parameters in therouting table).
Blackhole traffic: Blackholing traffic means that
all packets routed will be dropped and will notreach their destination. This attack performs bet-ter when it remotely targets an ISP for instancethat relies on a single upstream ISP. The attackerneeds to persuade the peer to route all the trafficto their router. For instance, they can establish anunauthorised BGP session with the target. Then,send UPDATE messages that route all trafficthrough the attacker’s machine. This way, theadversary receives all packets sent from the tar-geted ISP and drops all of them, while keeping theBGP session live. This creates a blackhole for theISP’s traffic.
DNS attacks:Many attackers aim to corrupt theDomain Name System (DNS) through routingattacks. This might allow, for instance, the attack-er to collect personal users’ data such as bankinginformation and passwords. After a successfulrouting attack, a malicious individual can attackthe DNS and lure traffic towards a compromisedweb server for example. When a user uses a serv-ice where credentials are required, the attackercan get hold of them [12]. Other more damagingattacks can be conducted using interdomain rout-ing as a proxy. For instance, the attacker can use aBGP-based attack to masquerade as root DNSservers. This provides the attacker with a huge
Royal Holloway Series Interdomain Routing Security (BGP-4)
HOME
BGP OVERVIEW
BGP THREATANALYSIS
ATTACKSCENARIOS
SECURE BGP
SECUREORIGIN BGP
S-BGP V SOBGP
CONCLUSION
REFERENCES
7
amount of flexibility and the potential to causeimmense damage to the Internet community.
3. BGP SECURITYThe following section provides a high-leveloverview selection of current and proposedsecurity mechanisms for BGP, but is by nomeans comprehensive.
CURRENT SECURITY MECHANISMS FOR BGPGenerally, the protection mechanisms usednowadays endeavour to protect TCP or BGPsessions from attacks. Moreover, traffic filteringis used extensively in border routers.
TCPMD5 authentication:Most ISPs use TCPMD5 authentication to protect BGP sessionsmostly against message injection. The proposedsolution is a mathematical cryptographic one wayfunction known as Hashed Message Authentica-tion Code (HMAC) applied at every exchangedmessage [13]. A password/key needs to be pro-vided manually at both ends of the session. Con-sidering thousands of routers used concurrently,maintaining shared secrets manually betweenthem becomes gradually more complicated.Moreover, MD5, as a cryptographic function, has
its weaknesses.
IPsec:Although much more effective than theprevious solution, IPsec is not widely used byISPs. It is commonly used for tunnelling VPNsover the Internet between endpoints when trans-mitting confidential or important data [14, 15].This security mechanism can be used to protectBGP sessions from integrity violation, replay andDoS attacks through its Authentication Headerprotocol (AH). It can also be extended to provid-ing confidentiality via its Encapsulating SecurityPayload (ESP). In addition, it can dynamicallynegotiate secret keys and has an implementedkey management mechanism. This safeguard canbe efficient against BGP session local vulnerabili-ties, but does not address other attacks.
Generalised TTL security mechanism (GTSM):This is a security mechanism that uses the TTLattribute in the packet [16]. It prevents attackersfrom remotely sending BGP spoofed messages.This mechanism does not protect from any othersecurity violation.
SECURITY REQUIREMENTSThe previous solutions, used by ISPs to temporar-ily protect their interdomain routing, are weak
Royal Holloway Series Interdomain Routing Security (BGP-4)
HOME
BGP OVERVIEW
BGP THREATANALYSIS
ATTACKSCENARIOS
SECURE BGP
SECUREORIGIN BGP
S-BGP V SOBGP
CONCLUSION
REFERENCES
8
against other attacks. In order to protect interdo-main routing, the solution needs to considermany parameters that relate to the protocol itself:
� Any security architecture must not rely onmutual trust amongst subscribers and ISPs.
� The solution must scale within the BGP archi-tecture and protocol.
� The resources required for the solution shouldbe in the same range as BGP.
� The security services required (i.e. integrity,freshness and data origin authentication)must be assured by the traffic itself.
� BGP routers should be capable of validation ofthe whole chain of ASes in the path.
From the previously derived requirements, themain focus on securing BGP deals with UPDATEmessages and the environment that they dependon. Vardar has provided three main security prob-lems for BGP: Hop Integrity, Origin Authentica-tion, and Path Validation [10]. Hop integritymeans that the data integrity and source authen-tication at each hop in the path can be verified byevery BGP speaker. Origin Authentication repre-sents the evidence that the data received is fromthe claimed sender. It represents the validation ofclaims of address ownership from ASes. Path vali-
dation assures that each BGP speaker in the routemust be reachable by the previous one. In otherwords, it verifies that the path is physically exis-tent in the Internet map. This guarantees thatmalicious UPDATE messages containing falseroutes are disclosed.
4. SOLUTIONS FORSECURING INTERDOMAIN ROUTINGThe mechanisms built to secure BGP are numer-ous. However, we cover two competitive proto-cols. The first is Secure-BGP (S-BGP) [17]. Theconcept was developed by Kent, Lynn and Seoand published in April 2000. The second one issecure origin BGP (soBGP) [18]. It was designedmainly by CISCO engineers and published in2003 as a draft for discussion.
SECURE-BGPSecure-BGP is based on three different securitymechanisms that endeavour to satisfy the BGPsecurity requirements. The S-BGP architectureuses Public Key Infrastructures (PKIs), Attesta-tions, and IPsec.
Public key infrastructure for S-BGP: Key manage-ment on such a large scale as the Internet neces-
Royal Holloway Series Interdomain Routing Security (BGP-4)
HOME
BGP OVERVIEW
BGP THREATANALYSIS
ATTACKSCENARIOS
SECURE BGP
SECUREORIGIN BGP
S-BGP V SOBGP
CONCLUSION
REFERENCES
9
sitates the existence of public key cryptographywhere every AS is provided with a pair of publicand private keys. This requires a Public Key Infra-structure (PKI) for key management [19]. The
hierarchy used follows the same scheme as theInternet’s making IANA/ICANN the root Certifi-cate Authority (CA). The latter provides keys forRIRs (i.e. Regional Internet Registries) which inturn supply for major ISPs and so on [20]. As aconsequence, every operational AS will be associ-ated with a pair of public/private keys. The cryp-tographic mechanism that provides the requiredsecurity services is digital signatures [21]. Whena speaker sends a message, it signs it with its sig-nature key (i.e. private key). When the peer
receives it, it can verify it with the verification key(i.e. public key) of the sending speaker. PKI anddigital signatures help provide secure identifica-tion of BGP speakers, ASes and IP address blocks.Moreover, it supports AS number ownership andBGP router authorisation to represent an AS.
Attestations:Attestations form a trivial part of S-BGP since they are used to encapsulate authori-sation information within UPDATE messages.This uses digital signatures ensuring authenticityand integrity of data provided in messages. More-over, they are utilised to check that each AS alongthe path was authorised to advertise the route bythe previous AS. In addition, attestations are usedto verify that the advertising AS was authorisedby the owners of the IP prefixes contained inUPDATE messages to advertise them. For back-ward compatibility, attestations are carried in anoptional attribute within BGP messages. It con-tains digital signatures covering the whole route.S-BGP provides two attestations used for differ-
ent services. Route attestations are issued byASes and used to provide path authentication.Address attestations are issued by the organisa-tion that owns the prefix and used for AS authen-tication.
Royal Holloway Series Interdomain Routing Security (BGP-4)
HOME
BGP OVERVIEW
BGP THREATANALYSIS
ATTACKSCENARIOS
SECURE BGP
SECUREORIGIN BGP
S-BGP V SOBGP
CONCLUSION
REFERENCES
10
“Attestations are used toverify that the advertisingAS was authorised by theowners of the IP prefixes.”
IPSEC: IPsec is used to secure point-to-pointcommunication between BGP speakers. As statedbefore, it provides different services: integrity,
anti-replay and anti-DoS attacks. These are thesecurity services required for UPDATE messages.It has proven to give great stability when imple-mented and used in VPNs (Virtual Private Net-works).In order to validate a route, attestations and
certificates are used in conjunction to verify thechain or attestations in the path. This starts fromthe last AS that advertised the route to the firstone, as shown in FIGURE 2. When the first one isvalidated, it means that each subsequent AS inthe path has been authorised to advertise theroute for the address blocks by the previous ASalong the path.
SECURE ORIGIN BGPsoBGP is based on a few mechanisms, mainlycertificates, to provide different security servicesfor interdomain routing. soBGP uses a differentapproach to S-BGP but has a few similarities.
As authentication and web of trust: The mostimportant point to start with is to have a secureway of authenticating peers. soBGP overcomesthis issue through the use of a certificate dedicat-ed for AS authentication between peers. This cer-tificate is called entity certification, or EntityCert[23]. An EntityCert binds an AS number to at
Royal Holloway Series Interdomain Routing Security (BGP-4)
HOME
BGP OVERVIEW
BGP THREATANALYSIS
ATTACKSCENARIOS
SECURE BGP
SECUREORIGIN BGP
S-BGP V SOBGP
CONCLUSION
REFERENCES
11
FIGURE 2
ROUTE VALIDATION
least one public key. EntityCert is classified as anX.509v3 certificate. A few keys are distributedand configured manually to have a high level oftrust. They are completely trusted by any ASsince they were verified and authenticatedbeforehand, such as top-level backbone serviceproviders and key authentication serviceproviders. The trusted AS can use its key to signEntityCerts of other validated ASes. Then, theweb of trust can start where the new trustedASes can sign other ASes’ certificates after vali-dating their authenticity. This way, these EntityC-erts will form a web of trust based on top-leveltrusted entities.
Advertisement authorisation: Having the web oftrust in place with EntityCerts, providing a prooffor the authorisation for each AS to advertise cer-tain block of addresses is the next step. soBGPuses another certificate to provide this securityservice. Authorisation certificates or AuthCertsare used to bind an AS to the IP address spacethey are allowed to advertise.
Policy certificate: AuthCerts are not advertisedindependently, but encapsulated into certificatesthat include a set of policies the originatorenforces to the advertised prefixes. PrefixPolicy-
Certs enclose an authorisation certificate, thepolicies applied to the prefix within the certifi-cate, and a signature signed by the authorised AS.This allows the originator to enforce a few poli-cies.
Topology map: Secure origin BGP designed a wayto verify that a given advertiser AS of a route hasa real path to the destination, through the use ofcertificates named ASPocilyCerts. Every AS cre-ates this certificate by signing with its private keya list of its peers. This way, an internetwork topol-
Royal Holloway Series Interdomain Routing Security (BGP-4)
HOME
BGP OVERVIEW
BGP THREATANALYSIS
ATTACKSCENARIOS
SECURE BGP
SECUREORIGIN BGP
S-BGP V SOBGP
CONCLUSION
REFERENCES
12
“A few keys are distributedand configured manually tohave a high level of trust.They are completely trustedby any AS since they wereverified and authenticatedbeforehand.”
ogy map is assembled. For example, in FIGURE 3,AS65003 sends an UPDATE message toAS65005 claiming it is capable of reachingAS65004 through the path {65003, 65001,65004}. The receiving AS (i.e. AS 65005) canverify that AS65003 has revealed concrete infor-
mation. AS65005 checks the ASPolicyCert ofAS65003 ensuring that it is connected toAS65001, then the ASPolicyCert of AS65001 val-idating that it is connected to AS65003. Addingthe different border policies between ASes, thetopology map can provide more flexibility and
preciseness.For all these certificates, soBGP
uses a new BGP message that han-dles the transportation of thosesecurity mechanisms. The newSECURITY message is used tocarry specifically soBGP certifi-cates [24].
5. S-BGP VS. SOBGPS-BGP and soBGP were designedto overcome certain security issuesin interdomain routing. They bothtackle the problems differentlywith a few similarities.S-BGP and soBGP rely on the
same cryptographic primitives (i.e.mainly digital signatures). Howev-er, the extensiveness of their use isdissimilar. While S-BGP requires asignature at every UPDATE, soBGP
Royal Holloway Series Interdomain Routing Security (BGP-4)
HOME
BGP OVERVIEW
BGP THREATANALYSIS
ATTACKSCENARIOS
SECURE BGP
SECUREORIGIN BGP
S-BGP V SOBGP
CONCLUSION
REFERENCES
13
FIGURE 3
CONNECTIVITY TOPOLOGYMAP EXAMPLE
uses a set of certificates in a relatively static way.Clearly, there is a tradeoff between security andcost.In terms of key distribution, PKIs in S-BGP offer
a better security level than soBGP. However, theyare more complex and expensive to implement
and deploy. Although, the web of trust of soBGPis more flexible and avoids the issue of a singlepoint of failure; the trust is distributed and there-fore harder to manage. Moreover, its definition isstill fuzzy and the security level is still debatable.For the exchange of security elements, the best
solution that does not include additional designissues is S-BGP’s new attribute included in the
ordinary BGP-4 message. Moreover, S-BGP pro-vides better security for message exchangebecause they are dynamically signed. In terms ofperformance, soBGP performs better because allcertificates can be signed by another externalentity. However, the fact of having another type ofmessage can cause issues in deployment andbackward compatibility.In terms of level of security, S-BGP dramatically
takes the lead. Although it has not covered all ofthe issues, it provides well structured and securemeasures. Origin authentication is provided byutilising PKI and address attestations. Path vali-dation is accomplished through route attesta-tions. In addition, hop integrity is suppliedthrough IPsec with integrity and source authenti-cation for every hop. The issue with S-BGP iscomplexity, especially with the PKIs. As quotedby Bellovin, “Complexity is the enemy of Securi-ty”, the issue that S-BGP encounters is cost andability for routers used nowadays to scale withthe required performance. soBGP is more light-weight and therefore a better choice on this side.However, there is still the issue of integrity ofmessages which is not ensured since it uses thenew SECURITY message. Route validation is metat a very weak level. soBGP provides a static pathplausibility rather than authenticity and no hop
Royal Holloway Series Interdomain Routing Security (BGP-4)
HOME
BGP OVERVIEW
BGP THREATANALYSIS
ATTACKSCENARIOS
SECURE BGP
SECUREORIGIN BGP
S-BGP V SOBGP
CONCLUSION
REFERENCES
14
“In terms of level of security,S-BGP dramatically takesthe lead. Although it hasnot covered all of the issues,it provides well structuredand secure measures.”
integrity. Although it provides a policy checkingmechanism, it becomes more complex whenmore policies come into play. Furthermore, bothpath authentication and policy checking requireadditional topology and policy databases respec-tively, increasing complexity and dependence.
6. CONCLUSIONInterdomain routing has received quite a lot ofinterest in the last decade, due to its importanceto many organisations and the whole Internetcommunity. Today, and for nearly two decades,the Internet has viewed BGP as an effective pro-tocol that could cope with its scale of growth.However, BGP has shown many weaknesses andvulnerabilities to malicious behaviour and inap-propriate configuration. Many countermeasureswere built to secure BGP, but these are not partof the protocol and some of them employ weaksecurity mechanisms. Many solutions for secur-ing interdomain routing have been proposed.However, majorly only a few have been discussedover the last five years. Two of them wereanalysed: S-BGP and soBGP. Both of these proto-cols have a similar aim which is to protect BGP-4.However, through their design, they seek tosecure it differently.
After comparing both S-BGP and soBGP, wetried to objectively come up with a conclusion.In terms of security, S-BGP is far more completethan soBGP. It provides clear security require-ments that work well theoretically. However, thecomplexity in S-BGP is immense. This leads toslow performance and convergence. Moreover,the practicality of deployment for S-BGP is stillquestionable. Although soBGP is lightweight and
overcomes some of these performance issues, itmerely provides good origin authentication andonly affords path plausibility service. This meansthat paths can be changed and an attacker canintrude into the path. While S-BGP provides fullpath authentication, soBGP provides a weaker
Royal Holloway Series Interdomain Routing Security (BGP-4)
HOME
BGP OVERVIEW
BGP THREATANALYSIS
ATTACKSCENARIOS
SECURE BGP
SECUREORIGIN BGP
S-BGP V SOBGP
CONCLUSION
REFERENCES
15
“For nearly two decades,the Internet has viewedBGP as an effective protocolthat could cope with itsscale of growth.”
static service for protecting the authenticity ofpaths. S-BGP on its own provides point-to-pointconnection security measures through the use ofIPsec. Now, the problem relies on performanceand complexity. There is a tradeoff between thelevel of security required, performance and com-plexity issues. However, S-BGP is a much bettersolution to be further researched. By trying toprovide less extensive cryptographic primitivesand a better way to deploy it, S-BGP can be thenext step towards a more secure InterdomainRouting. �
ABOUT THE AUTHORS
Rostom Zouaghi completed the MScdegree in Information Security (with Distinc-tion) in 2008 and recently started a PhD ininformation security. His interests lie in thefields of network security, distributed algo-rithms and cryptographic algorithms. In hisPhD, he is conducting research in mobility-aware routing and security protocols forMANETs.
Dr. StephenWolthusen is a lecturerin information security at Royal Holloway, Uni-versity of London, with research interests ininformation assurance and the use of formalmethods in security. Dr. Wolthusen teaches thecourses in Network Security and Digital Foren-sics on the M.Sc. in Information Security atRoyal Holloway.
Royal Holloway Series Interdomain Routing Security (BGP-4)
HOME
BGP OVERVIEW
BGP THREATANALYSIS
ATTACKSCENARIOS
SECURE BGP
SECUREORIGIN BGP
S-BGP V SOBGP
CONCLUSION
REFERENCES
16
Royal Holloway Series Interdomain Routing Security (BGP-4)
HOME
BGP OVERVIEW
BGP THREATANALYSIS
ATTACKSCENARIOS
SECURE BGP
SECUREORIGIN BGP
S-BGP V SOBGP
CONCLUSION
REFERENCES
17
REFERENCES:
[1] R. Mahajan, D. Wetherall, and T. Anderson. ”Understanding BGPMisconfiguration”. In Proc. ACM SIGCOMM, pages3.17, Pittsburgh, PA, Aug. 2002.
[2] S. Murphy, A. Barbir, and Y. Yang. “Generic Threats to Routing Protocols”. Internet Engineering Task Force, Oct.2004. http://www.ietf.org/internet-drafts/draft-ietf-rpsec-routing-threats-07.txt, expired April 2005.
[3] N. Feamster, J. Borkenhagen, and J. Rexford. “Guidelines for Interdomain Traffic Engineering”. ACM Computer Com-munications Review, 33(5):19.30, Oct. 2003.
[4] IANA/ICANN, “Number Resources”, URL: http://www.iana.com/numbers
[5] CNET News. “Router Glitch Cuts Net Access”, URL: http://news.com.com/2100-1033-279235.html, April 1997.
[6] S. Convery et. al. “An Attack Tree for the Border Gateway Protocol”, Technical Report, Internet Engineering TaskForce, November 2002.
[7] S. Murphy. “BGP Security Vulnerabilities Analysis”, NetworkWorking Group, Internet Engineering Task Force, Janu-ary 2006, RFC 4272.
[8] P. Savola, “Backbone Infrastructure Attacks and Protections”, Technical Report, Internet Engineering Task Force, Jan-uary 2007.
[9] B. R. Greene and P. Smith. “BGPv4 Security Risk Assessment”, ISP Essentials Supplement, Cisco Press Publications,June 11th, 2002..
[10] Tuna Vardar, "SECURITY IN INTERDOMAIN ROUTING", Helsinki University of Technology, T-110.551 Seminar ofInternetworking, 2004.
[11] Z. M. Mao, J. Rexford, et. al. “Towards an Accurate AS-Level Traceroute”, ACM SIGOMM, Germany, August 2003.
[12] L. Gao et. al. “Stable Internet routing without global coordination”, IEEE/ACM Transactions on Networking, p. 681-692, December 2001.
[13] H. Krawczyk et. al. “HMAC: Keyed-Hashing for Message Authentication”, Internet Engineering Task Force, April1997, RFC 2104.
[14] S. Kent and R. Atkinson. “Security Architecture for the Internet Protocol”, Internet Engineering Task Force, Novem-ber 1998, RFC 2401.
REFERENCES CONTINUED:
[15] R. Thayer et. al. “IP Security Document Roadmap”, Internet Engineering Task Force, November 1998, RFC 2411.
[16] V. Gill et. al. “The Generalized TTL Security Mechanism (GTSM)”, Internet Engineering Task Force, February 2004, RFC3682.
[17] S. Kent, et. al. “Secure Border Gateway Protocol (Secure-BGP)”, IEEE Communications Vol. 18, No. 4, pp. 582-592, April2000.
[18] R. White. “Securing BGP Through Secure Origin BGP”, The Internet Protocol Journal – Vol. 6, No 3, Cisco Systems, Sep-tember 2003.
[19] S. Chokhani et. al. “Internet x.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework”,NetworkWorking Group, Internet Engineering Task Force, March 1999, RFC 2527.
[20] K. Seo et. al. “Public-key Infrastructure for the Secure Border Gateway Protocol (S-BGP)”, Anaheim, CA, USA: IEEEDARPA Information Survivability Conference and Exposition II, June 2001.
[21] Alfred J. Menezes, P. Van Oorschot, and S. Vanstone. “Handbook of Applied Cryptography”, CRC Press, 1996.
[22] K. Butler et. al. “A Survey of BGP Security Issues and Solutions”, AT&T Labs Research, January 2008.
[23] B. Weis. “Secure Origin BGP (soBGP) Certificates”, Internet Engineering Task Force, Cisco Systems, draft-weis-sobgp-certificates-02.txt, July 2004.
[24] J. Ng. “Extensions to BGP Transport soBGP Certificates”, Interdomain RoutingWorking Group, Cisco Systems, draft-ng-sobgp-bgpextensions-01, May 2005.
Royal Holloway Series Interdomain Routing Security (BGP-4)
HOME
BGP OVERVIEW
BGP THREATANALYSIS
ATTACKSCENARIOS
SECURE BGP
SECUREORIGIN BGP
S-BGP V SOBGP
CONCLUSION
REFERENCES
18
