Origin authentication in interdomain routing

Center for Computational Learning Systems, Columbia University, 475 Riverside Ave, New York, NY 10115, United States
Computer Networks (Impact Factor: 1.28). 11/2003; DOI: 10.1016/j.comnet.2005.11.007
Source: DBLP

ABSTRACT Attacks against Internet routing are increasing in number and severity. Contributing greatly to these attacks is the absence of origin authentication; there is no way to validate claims of address ownership or location. The lack of such services not only enables attacks by malicious entities, but also indirectly allows seemingly inconsequential misconfigurations to disrupt large portions of the Internet. This paper considers the semantics, design, and costs of origin authentication in interdomain routing. We formalize the semantics of address delegation and use on the Internet, and develop and characterize original, broad classes of origin authentication proof systems. We estimate the address delegation graph representing the current use of IPv4 address space using available routing data. This effort reveals that current address delegation is dense and relatively static: as few as 16 entities perform 80% of the delegation on the Internet. We conclude by evaluating the proposed services via trace-based simulation, which demonstrates that the enhanced proof systems can significantly reduce resource costs associated with origin authentication.

  • [Show abstract] [Hide abstract]
    ABSTRACT: This paper provides the provable-security treatment of path vector routing protocols. We first design a security definition for routing path vector protocols by studying, generalizing, and formalizing numerous known threats. Our model incorporates three major security goals. It is quite strong, yet simple to use. We prove by reduction that S-BGP satisfies two out of the security model's three goals, assuming the underlying signature scheme is secure. Under the same assumption, we next show how the protocol can be modified to meet all three security goals simultaneously. Finally, we study security of partial PKI deployment of path vector protocols when not all nodes have public keys. We investigate the possibilities of relaxing the PKI requirement and relying on the non-cryptographic physical security of the protocol in order to achieve possibly weaker, but still well-defined, notions of security. We also present the necessary and sufficient conditions to achieve full security in the partial PKI deployment scenario. We believe our conclusions will prove useful for protocol developers, standards bodies and government agencies.
    Proceedings of the 2012 ACM conference on Computer and communications security; 10/2012
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: The provision of content confidentiality via message encryption is by no means sufficient when facing the significant privacy risks present in online communications. Indeed, the privacy literature abounds with examples of traffic analysis techniques aimed to reveal a great deal of information, merely from the knowledge, even if probabilistic, of who is communicating with whom, when, and how frequently. Anonymous-communication systems emerge as a response against such traffic analysis threats. Mixes, and in particular threshold pool mixes, are a building block of anonymous communications systems. These are nodes that receive, store, reorder and delay messages in batches. However, the anonymity gained from the statistical difficulty to link incoming and outgoing messages comes at the expense of introducing a potentially costly delay in the delivery of those messages. In this paper we address the design of such mixes in a systematic fashion, by defining quantitative measures of both anonymity and delay, and by mathematically formalizing practical design decisions as a multiobjective optimization problem. Our extensive theoretical analysis finds the optimal mix parametrization and characterizes the optimal trade-off between the contrasting aspects of anonymity and delay, for two information-theoretic measures of anonymity. Experimental results show that mix optimization may lead to substantial delay reductions for a desirable level of anonymity.
    Computer Networks 07/2014; 16:180-200. · 1.28 Impact Factor
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: The Border Gateway Protocol (BGP) is the de facto inter-domain routing protocol in the Internet, thus it plays a crucial role in current communications. Unfortunately, it was conceived without any internal security mechanism, and hence is prone to a number of vulnerabilities and attacks that can result in large scale outages in the Internet. In light of this, securing BGP has been an active research area since its adoption. Several security strategies, ranging from a complete replacement of the protocol up to the addition of new features in it were proposed, but only minor tweaks have found the pathway to be adopted. More recently, the IETF Secure Inter-Domain Routing (SIDR) Working Group (WG) has put forward several recommendations to secure BGP. In this paper, we survey the efforts of the SIDR WG including, the Resource Public Key Infrastructure (RPKI), Route Origin Authorizations (ROAs), and BGP Security (BGPSEC), for securing the BGP protocol. We also discuss the post SIDR inter-domain routing unresolved security challenges along with the deployment and adoption challenges of SIDR’s proposals. Furthermore, we shed light on future research directions in managing the broader security issues in inter-domain routing. The paper is targeted to readers from the academic and industrial communities that are not only interested in an updated article accounting for the recent developments made by the Internet standardization body toward securing BGP (i.e., by the IETF), but also for an analytical discussion about their pros and cons, including promising research lines as well.
    Computer Networks 02/2015; · 1.28 Impact Factor


Available from