Article

Origin authentication in interdomain routing

Center for Computational Learning Systems, Columbia University, 475 Riverside Ave, New York, NY 10115, United States
Computer Networks (Impact Factor: 1.26). 11/2003; 50(16):2953-2980. DOI: 10.1016/j.comnet.2005.11.007
Source: DBLP

ABSTRACT

Attacks against Internet routing are increasing in number and severity. Contributing greatly to these attacks is the absence of origin authentication; there is no way to validate claims of address ownership or location. The lack of such services not only enables attacks by malicious entities, but also indirectly allows seemingly inconsequential misconfigurations to disrupt large portions of the Internet. This paper considers the semantics, design, and costs of origin authentication in interdomain routing. We formalize the semantics of address delegation and use on the Internet, and develop and characterize original, broad classes of origin authentication proof systems. We estimate the address delegation graph representing the current use of IPv4 address space using available routing data. This effort reveals that current address delegation is dense and relatively static: as few as 16 entities perform 80% of the delegation on the Internet. We conclude by evaluating the proposed services via trace-based simulation, which demonstrates that the enhanced proof systems can significantly reduce resource costs associated with origin authentication.

  • Source
    • "This lack of authentication has been identified in the literature [40] and several extensions of the protocol propose to address this issue. The main contenders here include BGPSEC [41], S-BGP [42], HI [43], soBGP [44], psBGP [45], IRV [46], OA [47], SPV [48], and many more. Aside from the effects on router performance [49] and partial security improvements [50], several works have studied the efficacy of partial and mixed deployments of the proposed secure BGP variants [1], [18], [51]–[53] and new attacks defeating secure extensions have been proposed [54]. "
    ABSTRACT: The Internet is often thought to be a model of resilience, due to a decentralised, organically-grown architecture. This paper puts this perception into perspective through the results of a security analysis of the Border Gateway Protocol (BGP) routing infrastructure. BGP is a fundamental Internet protocol and its intrinsic fragilities have been highlighted extensively in the literature. A seldom studied aspect is how robust the BGP infrastructure actually is as a result of nearly three decades of perpetual growth. Although global blackouts seem unlikely, local security events raise growing concerns on the robustness of the backbone. In order to better protect this critical infrastructure, it is crucial to understand its topology in the context of the weaknesses of BGP and to identify possible security scenarios. Firstly, we establish a comprehensive threat model that classifies main attack vectors, including but not limited to BGP vulnerabilities. We then construct maps of the European BGP backbone based on publicly available routing data. We analyse the topology of the backbone and establish several disruption scenarios that highlight the possible consequences of different types of attacks, for different attack capabilities. We also discuss existing mitigation and recovery strategies, and we propose improvements to enhance the robustness and resilience of the backbone. To our knowledge, this study is the first to combine a comprehensive threat analysis of BGP infrastructures with advanced network topology considerations. We find that the BGP infrastructure is at higher risk than already understood, due to topologies that remain vulnerable to certain targeted attacks as a result of organic deployment over the years. Significant parts of the system are still uncharted territory, which warrants further investigation in this direction.
    Full-text · Conference Paper · Mar 2016
  • Source
    • "There are detailed best practices and recommendations [59], which can be used as a first line of defense in mitigating the BGP anomalies, but even after such countermeasures, BGP remains vulnerable to some major attacks related to the authenticity and integrity of the exchanged information, stemming from the implicit trust model and the lack of intrinsic security mechanisms in BGP. As a result, several security mechanisms and protocols have been proposed during the past decade or so [60] [61] [62] [63] [64] [65] [66] [67] [68] [69] [70] [71] [72] [73] [74] [75] [76] [77] [78] [79] [80] [81], suggesting from small changes up to the complete replacement of the BGP protocol. Despite these efforts, only minor tweaks have finally reached an operational status in practice. "
    ABSTRACT: The Border Gateway Protocol (BGP) is the de facto inter-domain routing protocol in the Internet, thus it plays a crucial role in current communications. Unfortunately, it was conceived without any internal security mechanism, and hence is prone to a number of vulnerabilities and attacks that can result in large scale outages in the Internet. In light of this, securing BGP has been an active research area since its adoption. Several security strategies, ranging from a complete replacement of the protocol up to the addition of new features in it, were proposed, but only minor tweaks have found the pathway to be adopted. More recently, the IETF Secure Inter-Domain Routing (SIDR) Working Group (WG) has put forward several recommendations to secure BGP. In this paper, we survey the efforts of the SIDR WG, including the Resource Public Key Infrastructure (RPKI), Route Origin Authorizations (ROAs), and BGP Security (BGPSEC), for securing the BGP protocol. We also discuss the post SIDR inter-domain routing unresolved security challenges along with the deployment and adoption challenges of SIDR’s proposals. Furthermore, we shed light on future research directions in managing the broader security issues in inter-domain routing. The paper is targeted to readers from the academic and industrial communities that are not only interested in an updated article accounting for the recent developments made by the Internet standardization body toward securing BGP (i.e., by the IETF), but also for an analytical discussion about their pros and cons, including promising research lines as well.
    Full-text · Article · Feb 2015 · Computer Networks
  • Source
    • "For example, the secure border gateway protocol (S-BGP) [38] makes use of public key encryption to authenticate route announcements, but the computational costs it incurs are seen as prohibitive. Motivated by this, a great deal of research has investigated how to optimize such costs [36] [34] [1]. A quite recent work [73] in this line has proposed a routing control platform that does not require cooperation among domains. "
    ABSTRACT: The provision of content confidentiality via message encryption is by no means sufficient when facing the significant privacy risks present in online communications. Indeed, the privacy literature abounds with examples of traffic analysis techniques aimed to reveal a great deal of information, merely from the knowledge, even if probabilistic, of who is communicating with whom, when, and how frequently. Anonymous-communication systems emerge as a response against such traffic analysis threats. Mixes, and in particular threshold pool mixes, are a building block of anonymous communications systems. These are nodes that receive, store, reorder and delay messages in batches. However, the anonymity gained from the statistical difficulty to link incoming and outgoing messages comes at the expense of introducing a potentially costly delay in the delivery of those messages. In this paper we address the design of such mixes in a systematic fashion, by defining quantitative measures of both anonymity and delay, and by mathematically formalizing practical design decisions as a multiobjective optimization problem. Our extensive theoretical analysis finds the optimal mix parametrization and characterizes the optimal trade-off between the contrasting aspects of anonymity and delay, for two information-theoretic measures of anonymity. Experimental results show that mix optimization may lead to substantial delay reductions for a desirable level of anonymity.
    Full-text · Article · Jul 2014 · Computer Networks