A Survey of BGP Security Issues and Solutions

Butler, Kevin; Farley, Toni; McDaniel, Patrick; Rexford, Jennifer

doi:10.1109/jproc.2009.2034031

Cited by 278 publications

(263 citation statements)

References 103 publications

Supporting

Mentioning

261

Contrasting

Unclassified

Order By: Relevance

“…We compare our hash-based verification with the signaturebased verification adopted in most of the prefix attestation proposals [9]. We consider the protocol to be the same in both approaches (i.e., both issue an Interest Update that will be verified at each router).…”

Section: Discussionmentioning

confidence: 99%

“…Prefix attestation has also been proposed to prevent IP prefix hijacking in inter-domain [9,19,20,28,31] and intra-domain [25,29] IP routing. A widely used approach for achieving address attestation exploits digital signatures and certificates.…”

Section: Related Workmentioning

confidence: 99%

“…Retrieving the security context only adds a negligible time. In fact, the security context is stored together with the forwarding state in the corresponding table and it can be retrieve during the regular lookup for processing an interest 9 . Therefore, the time needed to verify the proof is the dominating factor in both the hash-based verification or the signature-based verification.…”

Section: Computational Overheadmentioning

confidence: 99%

“…We compare our approach with a signature based mechanism adopted in most of the prefix attestation proposals [9,19,20,28,31,34]. Results show that our lightweight approach maintains more than 90% of the original goodput (i.e., without any security mechanism), while the signature approach drops it close to 0%.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Secure producer mobility in information-centric network

Compagno

Zeng

Muscariello

et al. 2017

Proceedings of the 4th ACM Conference on Information-Centric Networking

View full text Add to dashboard Cite

One of the fundamental requirements of the next generation 5G networks is to support seamless mobility over an heterogeneous access network by design. The shift from host-based to contentbased location-independent communication makes InformationCentric Networking (ICN) an appealing technology to provide not only mobility, but also security and storage as native properties of the network architecture.Previous work in ICN literature focused on name-based mobility management solutions and particularly on the challenges of producer mobility, which involves an interaction between forwarding and control plane.In this paper, we consider the security implications of producer mobility in ICN and we highlight the importance of securing producer to network interactions. We focus on the problem of prefix hijacking: a class of attacks that can be exploited to threaten both the security of the ICN networks and the privacy of its users. To prevent this class of attacks, we propose a fully distributed and very low-overhead protocol for name prefix attestation based on hash-chaining. First results show order of magnitudes improvement in verification latency with respect to signature verification, the leading alternative approach to thwart prefix hijacking attacks.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Computational Overheadmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Secure producer mobility in information-centric network

Compagno

Zeng

Muscariello

et al. 2017

Proceedings of the 4th ACM Conference on Information-Centric Networking

View full text Add to dashboard Cite

show abstract

“…Attracting extra traffic enables the AS to increase revenue from customers, or drop, tamper, or snoop on the packets [1,2,3]. While the proposed extensions to BGP prevent many attacks (see [4] for a survey), even these secure protocols are susceptible to a strategic manipulator who deliberately exploits their weaknesses to attract large volumes of traffic to its network. Given the difficulty of upgrading the Internet to a new secure routing protocol, it is crucial to understand how well these protocols blunt the impact of traffic attraction attacks.…”

Section: Introductionmentioning

confidence: 99%

How secure are secure interdomain routing protocols?

et al. 2014

View full text Add to dashboard Cite

In response to high-profile Internet outages, BGP security variants have been proposed to prevent the propagation of bogus routing information. To inform discussions of which of these variants should be deployed in the Internet, we quantify the ability of the main protocols (origin authentication, soBGP, S-BGP, and data-plane verification) to blunt trafficattraction attacks; i.e., , an attacker that deliberately attracts traffic to drop, tamper, or eavesdrop on packets.Intuition suggests that an attacker can maximize the amount of traffic he attracts by widely announcing a short path that is not flagged as bogus by the secure protocol. Through simulations on an empirically-determined AS-level topology, we show that this strategy is surprisingly effective, even when the network uses an advanced security solution like S-BGP or data-plane verification. Worse yet, we show that these results underestimate the severity of attacks. We prove that finding the most damaging strategy is NP-hard, and show how counterintuitive strategies, like announcing longer paths, announcing to fewer neighbors, or triggering BGP loop-detection, can be used to attract even more traffic the strategy above. These counterintuitive examples are not merely hypothetical; we searched the empirical AS topology to identify specific ASes that can launch them. Finally, we find that a clever export policy can often attract almost as much traffic as a bogus path announcement. Thus, our work implies that mechanisms that police export policies (e.g., defensive filtering) are crucial, even if S-BGP is fully deployed.

show abstract

Cooperative monitoring BGP among autonomous systems

Wang

Liu

2014

Security Comm Networks

View full text Add to dashboard Cite

As the de facto Internet inter-domain routing protocol, BGP protocol has a number of vulnerabilities and weakness. Monitoring BGP is an effective way to improve the security of inter-domain routing. This paper presents a cooperative BGP monitoring method, which is called cooperative information sharing model (CoISM). CoISM is based on self-organization and can be used to solve some problems during BGP monitoring, such as route validation and bogus route notification delivery. CoISM provides autonomous systems with a more comprehensive information view by introducing information diffuse reflection based on initiative inquiry and making use of the relativity of monitoring information. CoISM optimizes the information transmission by leveraging the data locality caused by BGP policy and implements ISP coordination with low communication and deployment cost. More specifically, CoISM provides a self-organizing and incentive mechanism, which drives autonomous systems to coordinate independently and shares information on-demand. CoISM supports incremental deployment and can also be applied to a wide range of inter-domain cooperative management applications such as inter-domain routing failure analysis and intrusion detection.

show abstract

A Survey of BGP Security Issues and Solutions

Cited by 278 publications

References 103 publications

Secure producer mobility in information-centric network

Secure producer mobility in information-centric network

How secure are secure interdomain routing protocols?

Cooperative monitoring BGP among autonomous systems

Contact Info

Product

Resources

About