Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security

Outline  BGP security problems & requirements  Making S-BGP a reality  Securing BGP UPDATE messages  PKI design  Repository design  Program history  Program status

BGP Security Problems  BGP is the critical infrastructure for Internet, the basis for all inter-ISP routing  Configuration errors affect about 1% of all routing table entries at any time  The current system is highly vulnerable to human errors, and a wide range of malicious attacks  At best, BGP routers use a point-to-point keyed MAC (with no automated key management) for point-to-point communication security  Solutions must account for the operational realities of Internet topology, size, update rates,...

BGP Security Requirements  Address space “ownership” verification  Autonomous System (AS) authentication  Router authentication and authorization (relative to an AS)  Route and address advertisement authorization  Route withdrawal authorization  Integrity and authenticity of all BGP traffic on the wire  Timeliness of BGP traffic*

S-BGP Design Overview  IPsec: secure point-to-point (router) comms  Public Key Infrastructure: an authorization framework for all S-BGP entities  Attestations: digitally-signed authorizations to advertise specified address blocks  Validation of UPDATEs based on a new path attribute, using PKI certificates and attestations  Repositories for distribution of certificates, CRLs, and address attestations  Tools for ISPs to manage address attestations, process certificates & CRLs, etc.

Who Needs to Do What for S-BGP to Become a Reality?  S-BGP PKI l Regional Registries and ISPs need to act as Certification Authorities, issuing certificates to the organizations to whom they have delegated portions of IP address space l Repositories must be deployed for S-BGP PKI data  S-BGP protocol implementation l Router vendors need to offer S-BGP software in router products (with enough memory and non-volatile storage) l OR an ancillary device that implements S-BGP and connects to existing BGP routers needs to be offered  ISPs need to acquire, deploy, and manage S-BGP products

Securing UPDATE messages  A secure UPDATE consists of an UPDATE message with a new, optional, transitive path attribute for route authorization  This attribute contains a signed sequence of route attestations  This attribute is structured to support both route aggregation and AS sets (BGP function details)  Validation of the attribute verifies that the route was authorized by each AS along the path and by the address space owner

An UPDATE with Attestations BGP Header Addr Blks of Rtes Being Withdrawn BGP Path Attributes Dest Addr Blks(NLRI) Attribute Header Route Attestations Attestation Header Issuer Certificate ID Algorithm ID & Signature Signed Info Route Attestation Path Attribute for Attestations UPDATE Message

A PKI for S-BGP  Certificates identify owners of AS numbers and address blocks  Address block data is used as an input to UPDATE message processing  Other certificates are used for management of repository access control, IPsec (IKE), etc.  PKI design uses a multi-rooted tree, rooted at regional registries, with delegation to national registries, ISPs, DSPs, subscribers

Subscriber Organizations Delegate Allocate Subscriber Organizations Regional Registries DSPs ISPs ICANN Subscriber Organizations Address Delegation and Allocation Subscriber Organizations ISPs/DSPs IANA (historical)

Delegate Subscriber Organizations Regional Registries DSPsISPs ICANN AS Number Delegation Hierarchy

Registry Root CA (ARIN) [1] Registry Root CA (APNIC) [1] Registry Root CA (RIPE) [1] Repository CA [2] Repository CA [2] Repository CA [2] Registry CA (APNIC) [5] Registry CA (ARIN) [5] Registry CA (RIPE) [5] certification cross-certification S-BGP PKI: Top Tiers

S-BGP PKI: Registry “Branch” Repository CA (1 per Repository) [2] Repository Admin EE (1 per Repository Admin) [3] Repository EE (1 per Repository) [4] Router EE (1/Router) [8] CA (Certification Authority) EE (End Entity) Used for initialization phase only Registry CA (1 per Registry) [5] ISP/Org CA (1 per ISP or Org) [5] DSP/Org CA (1 per DSP or Org) [5] Grandfather CA (1 per Registry) [5] Generic CA (1 per ISP or Org) [5] AS # EE (1/AS#) [9] Generic EE (1 per ISP or Org) [6] Network EE (1/ISP or Org) [6] Org that owns IP addresses Org that is running S-BGP Operator EE (1/Operator) [7] IPsec EE (1/router) [10]

S-BGP PKI Repositories  Putting certificates, CRLs, or address attestations in UPDATEs would be redundant and make UPDATEs too big  Solution: use servers l replicate for reliability & scaling, loose synch l locate at high availability, non-routed access points l ISPs and dual-homed subscribers upload certificates, CRLs, and AAs that they generate l every ISP and multi-homed subscriber downloads the whole certificate/AA/CRL database l Access controlled based on PKI structure, to mitigate denial of service attacks against the repositories

S-BGP NOC Software  Software to help ISPs manage data required by S- BGP l Mini-RA facility for managing organization, router, and operator certificates, generating address attestations l Software for uploading & downloading certificates, CRLs, and address attestations to/from repositories l Software for validating certificates and address attestations and producing extract for download to routers  Policy management l Software to configure S-BGP routers to know which AS’s implement S-BGP

Program Status  Good news l NOC tools & repository almost complete l Reference S-BGP software available in Spring 02 l Registrar CA technology available in June 02  Not so good news l Not much router vendor interest recently l Minimal recent ISP interest (except Genuity & DISA)  Registry Interactions l Initial interactions with ARIN, awaiting updated database l APNIC expressing interest in the PKI

Any More Questions?