The Border Gateway Protocol (BGP), which is used to distribute routing information between autonomous systems, is an important component of the Internet's routing infrastructure. Secure BGP (S-BGP) addresses critical BGP vulnerabilities by providing a scalable means of verifying the authenticity and authorization of BGP control traffic. To facilitate widespread adoption, S-BGP must avoid introducing undue overhead (processing, bandwidth, storage) and must be incrementally deployable, i.e., interoperable with BGP. To provide a proof of concept demonstration, we developed a prototype implementation of S-BGP and deployed it in DARPA's CAIRN testbed. Real Internet BGP traffic was fed to the testbed routers via replay of a recorded BGP peering session with an ISP's BGP router. This document describes the results of these experiments -examining interoperability, the efficacy of the S-BGP countermeasures in securing BGP control traffic, and their impact on BGP performance, and thusevaluating the feasibility of deployment in the Internet. Border Gateway Protocol (BGP)Internet routing is implemented using a distributed system composed of many routers, grouped into administrative domains called Autonomous Systems (ASes). Routing information is exchanged between ASes using Border Gateway Protocol (BGP) [2,3] UPDATE messages. BGP has a number of vulnerabilities [1,3,5] which can be exploited to cause problems such as misdelivery or non-delivery of user traffic, misuse of network resources, network congestion and packet delays, and violation of local routing policies.Communication between BGP peers is subject to active and passive wiretapping attacks. BGP and the TCP/IP protocol used by it can be attacked. A BGP speaker can be compromised, e.g., a speaker's BGP-related software, configuration information, or routing databases may be modified or replaced illicitly via unauthorized access to a router, or to a server from which router software is downloaded, or via a spoofed distribution channel, etc. Such attacks could result in transmission of fictitious BGP messages, modification or replay of valid messages, or suppression of valid messages. If cryptographic keying material is used to secure BGP control traffic, that too may be compromised. We have developed security enhancements to BGP that address most of these vulnerabilities by providing a secure, scalable system: Secure-BGP (S-BGP) [1,3]. Better physical, procedural and basic communication security for BGP routers could address some of these attacks. However, such measures would not counter any of the many forms of attacks that compromise routers themselves. Experience with accidental misconfigurations, and the many vulnerabilities of management system components, strongly argue in favor of countering such Byzantine failures if we are to provide adequate protection for the Internet.The BGP-4 protocol, including descriptions of the UPDATE message and the route propagation algorithm, is described in [2,3]. Briefly, the numbers that identify IP networks are spec...
This document describes the certificate policy for a Public Key Infrastructure (PKI) used to support attestations about Internet Number Resource (INR) holdings. Each organization that distributes IP addresses or Autonomous System (AS) numbers to an organization will, in parallel, issue a (public key) certificate reflecting this distribution. These certificates will enable verification that the resources indicated in the certificate have been distributed to the holder of the associated private key and that this organization is the current, unique holder of these resources.
The Border Gateway Protocol (BGP), which is used to distribute routing information between autonomous systems (ASes), is a critical component of the Internet's routing infrastructure. It is highly vulnerable to a variety of malicious attacks, due to the lack of a secure means of verifying the authenticity and legitimacy of BGP control traffic. This document describes a secure, scalable, deployable architecture, S-BGP, for a system that addresses most of the security problems associated with BGP. The paper discusses the vulnerabilities and security requirements associated with BGP, describes the S-BGP countermeasures, and explains how they address these vulnerabilities and requirements. The paper also provides a comparison of this architecture with other approaches that have been proposed, analyzes the performance implications of the proposed countermeasures, and reports on prototype implementation experience.
REPORT DOCUMENTATION PAGE Public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing this collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden to
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
customersupport@researchsolutions.com
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.