On interdomain routing security and pretty secure BGP (psBGP)

Oorschot, Paul C. van; Wan, Tao; Kranakis, Evangelos

doi:10.1145/1266977.1266980

Cited by 86 publications

(74 citation statements)

References 36 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Certificates are necessary for authenticating public keys and binding IP prefixes to these public keys belonging to the organization to which the IP prefixes are assigned [7], in existing cryptography-based schemes for preventing IP prefix hijacking such as some typical schemes of which are S-BGP [8], SoBGP [9], psBGP [10], OA [11], SPV [13], HCBGP [12], and so on. Each certificate contains a private extension that specifies the set of address blocks that have been allocated to the organization.…”

Section: Existing Authentication Of Origin Asmentioning

confidence: 99%

See 1 more Smart Citation

A DSA-based scheme for defending against IP prefix hijacking without repositories

Yang

2016

Teh. vjesn.

View full text Add to dashboard Cite

Original scientific paper IP prefix hijacking poses a serious threat to the security of the Internet. Cryptographic authenticating origin ASes (Autonomous Systems) of advertised prefix, which is an effective way of preventing IP prefix hijacking, has received wide acceptance. However, these existing schemes received various critical comments on their inefficiency when cryptographic authenticating origin ASes. For improving efficiency, we take full advantage of specific characteristics of DSA (Digital Signature Algorithm) and thus present a scheme for preventing IP prefix hijacking. There are two characteristics, which are DSA-based and efficient, in the proposed scheme. Firstly, because DSA is a United States Federal Government standard for digital signatures, the DSA-based can maintain compatibility with the DSA and its analytical tools, and thus it is easier for proposed scheme to be widely accepted and applied into practice. Secondly, public key certificates are not necessary because public keys can be computed by using a formula. Separated verifying signatures in these certificates, which are inevitable in almost all existing cryptography-based schemes, can be replaced with computing of a multi-exponentiation formula. Thus, the efficiency is achieved. Keywords: certificates; DSA; IP prefix hijacking; multi-exponentiation Shema za obranu od krađe IP prefiksa bez repozitorija utemeljena na DSAIzvorni znanstveni članak Krađa IP prefiksa predstavlja ozbiljnu prijetnju za sigurnost Interneta. Kriptografsko ustanovljavanje autentičnosti porijekla ASes (Autonomnih Sustava) oglašenog prefiksa, što predstavlja učinkovit način sprećavanja krađe IP prefiksa, široko je prihvaćeno. Međutim, postojećim se shemama upućuju različiti kritički komentari vezani za njihovu neučinkovitost kod kriptografskog ustanovljavanja autentičnosti porijekla ASes. U svrhu poboljšanja učinkovitosti, koristimo prednosti specifičnih obilježja DSA (Digital Signature Algorithm) te predstavljamo shemu za sprećavanje krađe IP prefiksa. Postoje dva obilježja predložene sheme, temeljena na DSA i učinkovita. Prvo, budući da je DSA standard za digitalne potpise federalne vlade SAD, DSA temeljeno obilježje može zadržati kompatibilnost s DSA i njegovim analitičkim alatima te je na taj način olakšano široko prihvaćanje i primjena u praksi predložene sheme. Drugo, državni ključni certifikati (key certificates) nisu potrebni jer se mogu izračunati pomoću formule. Odvojeni potpisi za verifikaciju u tim certifikatima, koji su neizbježni u gotovo svim postojećim shemama temeljenim na kriptografiji, mogu se zamijeniti računanjem multi-eksponencijalne formule. Na taj je način postignuta učinkovitost.

show abstract

Section: Existing Authentication Of Origin Asmentioning

confidence: 99%

“…It obviously belongs to asymmetric cryptography based solutions as S-BGP [8], SoBGP [9], psBGP [10], and OA [11].…”

Section: Introductionmentioning

confidence: 99%

A DSA-based scheme for defending against IP prefix hijacking without repositories

Yang

2016

Teh. vjesn.

View full text Add to dashboard Cite

show abstract

“…Another refinement of the SBGP model is pretty secure BGP (psBGP) proposed by Oorschot et al [17]. This approach represents a similar effort aimed at achieving a compromise between security and deployed capability through the introduction of a trust rating for assertions based on assessment of confidence in corroborating material.…”

Section: Pretty Secure Bgp (Psbgp)mentioning

confidence: 99%

Practical Security Approaches against Border Gateway Protocol (BGP) Session Hijacking Attacks between Autonomous Systems

Oti¹,

Hayfron-Acquah²

2014

JCC

View full text Add to dashboard Cite

The border gateway protocol (BGP) is the default inter domain routing protocol used on the internet for exchanging information between autonomous systems. Available literature suggests that BGP is vulnerable to session hijacking attacks. There are a number of proposals aimed at improving BGP security which have not been fully implemented. This paper examines a number of approaches for securing BGP through a comparative study and identifies the reasons why these proposals have not been implemented commercially. This paper analyses the architecture of internet routing and the design of BGP while focusing on the problem of BGP session hijacking attacks. Using Graphical Network Simulator 3 (GNS-3), a session hijack is demonstrated and a solution which involves the implementation of route filtering, policy-maps and route-maps on CISCO routers representing ASes is carried out. In the end, a workable industry standard framework for securing and protecting BGP sessions and border routers from exploitation with little or no modification to the existing routing infrastructure is demonstrated.

show abstract

“…To prevent false routing updates, a wide array of secure BGP schemes has been proposed [6], [12], [16], [19], [20], [30], [32]. Among these, BGPsec [20] has recently been proposed by the IETF.…”

Section: Introductionmentioning

confidence: 99%