Lightwave Communications Research Laboratory Princeton University SoBGP vs SBGP Sharon Goldberg Princeton Routing Security Seminar June 27, 2006 and July 11, 2006

Page 1: SoBGP vs SBGP

Lightwave Communications Research Laboratory, Princeton University

SoBGP vs SBGP

Sharon Goldberg

Princeton Routing Security Seminar

June 27, 2006 and July 11, 2006

Page 2: SoBGP vs SBGP

sBGP Review

• A purist approach to secure the control plane using a centralized security approach

• Origin Authentication
  – Origin Authentication Public Key Infrastructure (PKI)
  – Signed “Address Attestations”

• Path Authentication
  – Autonomous System (AS) PKI
  – Nested Signatures in UPDATE Messages (Route Attestations)

Page 3: SoBGP vs SBGP

Origin Authentication – PKI Delegation Hierarchy

[Figure: delegation hierarchy diagram with nodes ICANN, Regional Registries, ISPs, DSPs and Subscriber Organizations; edges labelled Allocate and Delegate]

| Type | Subject | Signer |
|---|---|---|
| Root | ICANN | ICANN |
| Registry | Regional Reg | ICANN |
| ISP/DSP | ISP/DSP | Reg/ICANN |
| Subscriber | Subscriber | ISP/Reg/ICANN |

A Canadian Example

| Type | Subject | Addresses | Signature |
|---|---|---|---|
| Root | ICANN | All | By ICANN |
| Registry | ARIN (US+Canada Region) | 10.0.0.0/8 | By ICANN |
| ISP/DSP | Bell Canada | 10.10.0.0/16 | By ARIN |
| Subscriber | Bank of Montreal | 10.10.10.0/24 | By Bell Canada |

Page 4: SoBGP vs SBGP

SBGP – Origin Authentication

• Given an Address Attestation

    [AS #848, 128.12.50.0/24]_{Private Key of Bank of Montreal}

• Verify Using the Origin Authentication PKI
  – First check for the next level certificate

    [Public Key of BMO, 128.12.50.0/22]_{Private Key of Bell Canada}

  – And then the next level certificate

    [Public Key of Bell Canada, 128.12.0.0/16]_{Private Key of ARIN}

  – And then the next level certificate

    [Public Key of ARIN, 128.0.0.0/8]_{Private Key of ICANN}

  – And then everyone knows the Public Key of ICANN
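The chain walk above as an added example (not code from the slides or from any sBGP implementation). It assumes toy textbook RSA over small Mersenne primes as a stand-in for real PKI keys, a made-up `body|prefix` message encoding, and the "Canadian example" address blocks; it also checks that each signed block lies inside the block its parent certificate grants.

```python
import hashlib
from ipaddress import ip_network

E = 65537
M = [2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1]  # Mersenne primes: toy key sizes only
NAMES = ["ICANN", "ARIN", "Bell Canada", "Bank of Montreal"]

def keypair(p, q):
    """Toy textbook RSA (stand-in for real PKI keys): (public n, private (n, d))."""
    n = p * q
    return n, (n, pow(E, -1, (p - 1) * (q - 1)))

KEYS = {name: keypair(M[i], M[(i + 1) % 4]) for i, name in enumerate(NAMES)}

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % n

def sign(signer, msg):
    n, d = KEYS[signer][1]
    return pow(digest(msg, n), d, n)

def verify(pub, msg, sig):
    return pow(sig, E, pub) == digest(msg, pub)

def cert(subject, prefix, signer):
    """[Public Key of subject, prefix] signed with the private key of signer."""
    pub = KEYS[subject][0]
    return {"pub": pub, "prefix": prefix, "sig": sign(signer, f"{pub}|{prefix}")}

def verify_origin(asn, prefix, aa_sig, chain, root_pub):
    """chain runs from the prefix holder's certificate up to the registry's."""
    msg, sig, net = f"AS{asn}|{prefix}", aa_sig, ip_network(prefix)
    for c in chain:
        parent = ip_network(c["prefix"])
        # Signature must verify under this cert's key AND the signed block
        # must lie inside the block this cert grants.
        if not (verify(c["pub"], msg, sig) and net.subnet_of(parent)):
            return False
        msg, sig, net = f"{c['pub']}|{c['prefix']}", c["sig"], parent
    return verify(root_pub, msg, sig)  # everyone knows ICANN's public key

# Constructed data: the allocations from the "Canadian example" table.
CHAIN = [cert("Bank of Montreal", "10.10.10.0/24", "Bell Canada"),
         cert("Bell Canada", "10.10.0.0/16", "ARIN"),
         cert("ARIN", "10.0.0.0/8", "ICANN")]
ROOT = KEYS["ICANN"][0]
GOOD_AA = sign("Bank of Montreal", "AS848|10.10.10.0/24")
BAD_AA = sign("Bank of Montreal", "AS848|10.20.30.0/24")  # outside its /24
print(verify_origin(848, "10.10.10.0/24", GOOD_AA, CHAIN, ROOT))
print(verify_origin(848, "10.20.30.0/24", BAD_AA, CHAIN, ROOT))
```

The second call is rejected even though the holder's signature is valid, because the attested prefix is not covered by the holder's certificate.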

Page 5: SoBGP vs SBGP

AS # and Router Association PKI

[Figure: hierarchy diagram with nodes ICANN, Regional Registries, ISPs, DSPs and Subscriber Organizations]

| Type | Subject | Extensions | Signer |
|---|---|---|---|
| Root | ICANN | All AS #’s | ICANN |
| Registry | Regional Reg | AS #’s owned by Subject | ICANN |
| AS Owner | ISP/DSP or Subscriber | AS #’s owned by Subject | Reg/ICANN |
| AS | AS Number | AS # (only 1) of subject | ISP/DSP or Subscriber |
| BGP Speaker | BGP Speaker | AS #, Router ID of subject | ISP/DSP or Subscriber |

[Figure: AS#34 and AS#23, with a BGP speaker labelled Bgp-spker-23-342]

Page 6: SoBGP vs SBGP

SBGP – Path Authentication

• Given a Route Attestation (a secure update message)
  For the network below:

    [1]----[2]------[3]------[4]

    [1] Sends to [2]:    {1,2}_1    (i.e.  (a path from 1 to 2) signed by 1)
    [2] Sends to [3]:    {1,2}_1 ,  {2,3}_2
    [3] Sends to [4]:    {1,2}_1 ,  {2,3}_2,  {3,4}_3

• Verify Each Signature using the Router Association PKI
  – First check for the next level certificate

    [Public Key PrincetonU - AS #1 - BGP Speaker #rtr_pton1_no4]_{PrincetonU}

  – And then the next level certificate

    [Public Key PrincetonU, AS #1, AS#1001]_{ARIN}

  – And then the next level certificate

    [Public Key ARIN, AS #1, AS #2, …, AS#1001,.., AS#4678]_{ICANN}

  – And then everyone knows the Public Key of ICANN

[Slide callout: Owned by PrincetonU]

Page 7: SoBGP vs SBGP

SoBGP vs SBGP

| SoBGP | SBGP |
|---|---|
| Web of Trust | PKI |
| Fuzzy Security Level | Fixed Security Level |
| New SECURITY Message | Signed UPDATE Messages |
| No crypto per UPDATE msg | Crypto required per UPDATE msg |
| Path Plausibility (Static) | Path Authentication (Dynamic) |

• The similarities:
  – Both secure only the control plane
  – Both do origin authentication
  – Both cannot defend against colluding adversaries (using wormhole in sBGP, using two lying PolicyCerts in SoBGP)
  – Both are only “fuzzily” effective if incrementally deployed

Page 8: SoBGP vs SBGP

Nomenclature and So On…

• Origin Authentication:
  – SoBGP AuthCert = sBGP Address Attestation = [AS#, IP prefix]_{Private Key of Signer}
  – sBGP also has an OA PKI but SoBGP doesn’t b/c of Web of Trust

• Path Authentication / Plausibility:
  – SoBGP PolicyCerts (an AS lists the connections it has)
  – sBGP Route Attestation (a nested, signed AS path in each UPDATE msg)
  – SoBGP also has EntityCerts (a Web of Trust to bind PK’s to AS#’s)
  – sBGP also has an RA PKI

Page 9: SoBGP vs SBGP

Path Plausibility vs Path Authentication

• Is Path Authentication stronger than Path Plausibility?
  “Since each AS in sBGP is authenticating a relationship between itself and its predecessor and successor ASes, the set of acceptable AS paths in sBGP is a subset of the set of paths acceptable under SoBGP”

  – Path Lengthening attack can be done in Path Plausibility but not PA

  – What about a Path Shortening attack? (assuming no colluding adversaries and full deployment)
    • In SoBGP path shortening violates topology database
    • In SBGP it violates the structure of the RA chain (next slide)

Page 10: SoBGP vs SBGP

A neat aside: Nested vs Pairwise Route Attestations

• With nested RA’s the following path shortening attack works:

    [4]----[3]----[2]----[1]

    (2,1)_2
    (3,(2,1)_2)_3
    (4,(3,(2,1)_2)_3)_4

    (4,(2,1)_2)_4

• But, if we use pairwise RA’s, the attack fails:

    [4]----[3]----[2]----[1]

    (2,1)_1
    (3,2)_2 (2,1)_1
    (4,3)_3 (3,2)_2 (2,1)_1

    (4,3)_3 (2,1)_1
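The two attestation styles on this slide as an added example (not from the slides). It assumes per-AS HMAC keys as a stand-in for signatures checked through the RA PKI, and AS 4 as the party that drops AS 3 using only its own key and attestations it legitimately received.

```python
import hmac

# Constructed keys; HMAC stands in for each AS's public-key signature.
KEY = {a: f"constructed-key-AS{a}".encode() for a in (1, 2, 3, 4)}

def sig(asn, body):
    return hmac.new(KEY[asn], repr(body).encode(), "sha256").hexdigest()

def nested(asn, inner):
    """(asn, inner)_asn : asn wraps and signs whatever it received."""
    return (asn, inner, sig(asn, (asn, inner)))

def check_nested(ra):
    """Return the AS path if every layer verifies, else None."""
    path = []
    while isinstance(ra, tuple):
        asn, inner, s = ra
        if not hmac.compare_digest(s, sig(asn, (asn, inner))):
            return None
        path.append(asn)
        ra = inner
    return path + [ra]  # innermost value is the origin AS

def link(to, frm):
    """(to, frm)_frm : frm attests that it forwarded the route to `to`."""
    return (to, frm, sig(frm, (to, frm)))

def check_pairwise(links):
    """Each link must be signed by its sender and start where the last one ended."""
    path = [links[0][0]]
    for to, frm, s in links:
        if to != path[-1] or not hmac.compare_digest(s, sig(frm, (to, frm))):
            return None
        path.append(frm)
    return path

# Nested: 2's signature says nothing about who comes next, so AS 4 can lift
# (2,1)_2 out of what AS 3 sent and wrap it with its own signature.
R2 = nested(2, 1)
R3 = nested(3, R2)
R4 = nested(4, R3)
SHORT_NESTED = nested(4, R2)

# Pairwise: dropping (3,2)_2 leaves a gap that only AS 2's key could close.
L1, L2, L3 = link(2, 1), link(3, 2), link(4, 3)
SHORT_PAIRWISE = [L3, L1]

print(check_nested(R4), check_nested(SHORT_NESTED))
print(check_pairwise([L3, L2, L1]), check_pairwise(SHORT_PAIRWISE))
```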

Page 11: SoBGP vs SBGP

Another Neat Aside: SBGP does not bind OA to PA

• Recall that SBGP transmits:
  – RA’s (e.g. (4,3)_3 (3,2)_2 (2,1)_1 ) in the UPDATE message.
  – AA (e.g. [AS #848, 128.12.50.0/24]_{Private Key of Bank of Montreal} ) out of band
  – Routing Certs and Origin Authentication Certs out of band

• Therefore, SBGP does not bind a prefix to a path!

• e.g. Suppose what should have been sent was
  – 10.10.10.0/24 (4,3)_4 (3,2)_3 (2,1)_2
  – 45.45.45.0/24 (4,30)_4 (30,2)_30 (2,1)_2

• And instead, malicious 2 sent:
  – 10.10.10.0/24 (4,3)_4 (3,2)_3 (2,1)_2
  – 45.45.45.0/24 (4,3)_4 (3,2)_3 (2,1)_2

[Figure: ASes 4, 3, 2, 1 labelled Prefix 10.10.10.0/24; AS 30 labelled Prefix 45.45.45.0/24]

Page 12: SoBGP vs SBGP

SoBGP vs SBGP: Discussion

• And now for Dan’s comments on performance…

• How does Aggregation impact Origin Authentication?
  – With Web of Trust you can do anything!!!
  – Not so good with a centralized PKI.

• SBGP vs SoBGP incremental deployment?
  – Is WoT easier to deploy than PKI?
  – Benefits of partial deployment?
  – SoBGP has a new SECURITY message that could cause problems

• Other thoughts?