Efficient BGP Security
Meiyuan Zhao, Sean Smith (Dartmouth College); David Nicol (University of Illinois, Urbana-Champaign)


08/01/2005, 63rd IETF - Paris, FRANCE

Slide 2: Motivation
- BGP — central routing for the Internet
- BGP lacks security
  - Black holes
  - Disconnected networks
  - Suboptimal routes
  - …
- Secure BGP
- Deployment difficulties
  - Processing overheads
  - Storage demands
  - PKIs
- Goal: Efficient AND practical security

Slide 3: Outline
- Overview
  - BGP
  - S-BGP
- Path authentication
- PKI and origin authentication
- Discussion
- Conclusions

Slide 4: Border Gateway Protocol (BGP)
- Inter-domain routing protocol
- Mainly between autonomous systems (ASes)
- Updates are in form of route announcements (AS_PATH, prefix)
  - A sequence of AS numbers, e.g., “ ”
  - A range of IP addresses (prefix), e.g., /
[Figure: route announcements {1}, p; {2, 1}, p; {3, 2, 1}, p]

Slide 5: Secure BGP (S-BGP)
- Attestations
  - Route Attestations — authenticate AS path
  - Address Attestations — authorization of IP address ownerships
- Public key infrastructures
  - Certificates for routers
  - Certificates for address ownership
[Figure labels: AS path, Prefix; Route Attestations (RAs), Address Attestations (AAs); Public Key Infrastructures (PKIs)]

Slide 6: Outline
- Overview
- Path authentication
  - S-BGP RAs
  - Aggregated Path Authentication
  - Performance evaluation
- PKI and origin authentication
- Discussion
- Conclusions

Slide 7: S-BGP Route Attestations (RAs)
- Router signs (AS path, prefix, next_hop)
- Sends all previous signatures
- Verify AS path {1, 2, 3}
  - Needs 3 signatures
- Sign AS path {1, 2, 3}
  - Creates n signatures
- Signature Algorithm — DSA
- Caching optimization
[Figure: route attestations over (1, p, 2), (2, 1, p, 3), (3, 2, 1, p, ...) for the announcement p, {3, 2, 1}]

Slide 8: Performance Problems
- Time
  - Processing latency 230% longer
- Space
  - Message size: 800% longer
  - Memory cost: > 10 times more
    - For Attestations & Certificate database
- Current routers: 128MB or 256MB RAM

Slide 9: Signature Amortization (S-A)
- Fast signature verification — RSA
- Fewer signature signings — amortized cost
  - Bit vectors (indicating recipients)
  - Merkle hash trees
- Auxiliary values for each signature
[Figure: messages m_1, m_2, …, m_k in router output buffers B_1, B_2, …, B_k; grouped messages; aggregated hash]
Reference: Nicol, Smith, and Zhao. “Evaluation of efficient security for BGP route announcements using parallel simulation”. Simulation Modelling Practice and Theory Journal, Vol. 12, Issue 3 — 4, 2004
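The Merkle-tree option from slide 9, as an added example (not code from the presentation or its authors): the messages waiting in the output buffers become tree leaves, the router signs only the root, and each message leaves with its sibling hashes as auxiliary values. Assumptions: SHA-256 for the tree, an HMAC standing in for the router's RSA signature so the block needs only the standard library, and constructed message bytes; all function and class names are hypothetical.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    # SHA-256 is this example's choice; the slides benchmark SHA-1 and MD5.
    return hashlib.sha256(data).digest()

def merkle_root_and_paths(messages):
    """Return (root, paths); paths[i] lists (sibling_hash, sibling_is_left) for message i."""
    if not messages:
        raise ValueError("nothing buffered to sign")
    level = [h(b"\x00" + m) for m in messages]      # 0x00 tags leaves, 0x01 inner nodes
    pos = list(range(len(messages)))                # index of each leaf's ancestor in `level`
    paths = [[] for _ in messages]
    while len(level) > 1:
        for i, p in enumerate(pos):
            sib = p ^ 1
            if sib < len(level):                    # an unpaired last node has no sibling
                paths[i].append((level[sib], sib < p))
            pos[i] = p // 2
        level = [h(b"\x01" + level[j] + level[j + 1]) if j + 1 < len(level) else level[j]
                 for j in range(0, len(level), 2)]  # unpaired node is promoted unchanged
    return level[0], paths

def root_from_path(message, path):
    """Recompute the root from one message and its auxiliary values."""
    node = h(b"\x00" + message)
    for sibling, sibling_is_left in path:
        node = h(b"\x01" + (sibling + node if sibling_is_left else node + sibling))
    return node

class CountingSigner:
    """HMAC stand-in for the router's RSA key pair (assumption, stdlib only)."""
    def __init__(self, key: bytes):
        self.key, self.sign_ops = key, 0
    def sign(self, data: bytes) -> bytes:
        self.sign_ops += 1
        return hmac.new(self.key, data, hashlib.sha256).digest()
    def verify(self, data: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(hmac.new(self.key, data, hashlib.sha256).digest(), sig)

def amortized_sign(signer, messages):
    """One signature over the Merkle root; each message ships with its own path."""
    root, paths = merkle_root_and_paths(messages)
    sig = signer.sign(root)
    return [(m, path, sig) for m, path in zip(messages, paths)]

def verify_update(signer, message, path, sig):
    return signer.verify(root_from_path(message, path), sig)

# Constructed sample: one route (AS path 3,2,1 and a prefix) queued for five peers.
BUFFERED = [f"as_path=3,2,1 prefix=192.0.2.0/24 next_hop=AS{n}".encode() for n in (4, 5, 6, 7, 8)]

if __name__ == "__main__":
    signer = CountingSigner(b"constructed-demo-key")
    out = amortized_sign(signer, BUFFERED)
    print(signer.sign_ops, [len(p) for _, p, _ in out],
          all(verify_update(signer, m, p, s) for m, p, s in out))
```

Five buffered messages cost one signing operation instead of five, and each message carries at most three sibling hashes in addition to the shared signature.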

Slide 10: Aggregate Signatures
- k signers {s_1, s_2, …, s_k}
- k messages {m_1, m_2, …, m_k}
- one aggregate signature
- One aggregate signature for entire AS path
[Figure: 1, p, 2; 2, 1, p, 3; 3, 2, 1, p, 4]
Reference: Boneh et al. “A Survey of Two Signature Aggregation Techniques”. RSA CryptoBytes 2003

Slide 11: Aggregate Signature Variants
- General aggregate signature (GAS)
  - Based on BLS short signature on
  - Anyone can aggregate in any ordering
  - Takes k+1 pairing calculation for verifying
- Sequential aggregate signature (SAS)
  - Based on homomorphic trapdoor permutation
  - AggrSign by signers only
  - Must be in sequence
  - Takes k layers of verification
- Advantage—save space!

Slide 12: Aggregated Path Authentication
- Aggregated Path Authentication
  - Signature Amortization + Aggregate Signature
- Efficient on time AND space

Aggregate Signature Scheme    S-A option: Bit Vectors    S-A option: Trees
GAS                           GAS-V                      GAS-T
SAS                           SAS-V                      SAS-T

Slide 13: Aggregated Path Authentication
- Vector-based
- Tree-based (GAS-T and SAS-T)
[Figure: messages m1, m2, m3 at routers R1, R2, R3, carrying (1, p, “1110”), (2, 1, p, “1011”), (3, 2, 1, p, “1101”)]
- SAS-V: AggrSign(0, h(m_1)), AggrSign( , h(m_2)), AggrSign( , h(m_3)) [signature symbols lost in extraction]
- GAS-V: [formula lost in extraction]

Slide 14: Outline
- Overview
- Path authentication
  - S-BGP RAs
  - Aggregated Path Authentication
  - Performance evaluation
    - Methodology
    - Performance
- PKI and origin authentication
- Discussion
- Conclusions

Slide 15: Evaluation Methodology
- AS-level network simulation — 110 ASes
- BGP router under stress — router reboot
- Metrics
  - Speed — BGP convergence time
  - Signature memory overheads
  - Message size
- SSFNet simulator
- Benchmarks
  - OpenSSL
  - Algorithm decomposition for GAS and SAS

Slide 16: Benchmarks

Item            Length
SHA-1 hash      20 bytes
MD5 hash        16 bytes
Attestations    110 bytes
Certificates    600 bytes
Identifier      4 bytes

[Table: Sign (ms), Verify (ms), SW Aggregate Verify (ms), HW Aggregate Verify (ms) and Signature length (bytes) for RSA, DSA, SAS and GAS on GF; cell values lost in extraction, surviving fragments: k, (k+1), 1.3 (k+1)]

Tate pairing calculation                        Running Time (1GHz)
Miller’s Algorithm on GF(3^97) (2002)           24.0 ms
BKLS on GF(3^97) (2003)                         23.6 ms
Refined Duursma-Lee on GF(3^97) (2004)          16.8 ms
Modified Duursma-Lee on GF(3^97) (2004)         8.6 ms
Hardware implementation (2005)                  1.3 ms

Slide 17: Number of Signing Operations
- S-BGP: 22,072/11,521 signings
- Decreases 98.5%
[Chart: number of signing operations, (SW) and (HW) variants]

Slide 18: Path Authentication Convergence
[Chart: convergence time in seconds, (SW) and (HW) variants; labels 3.4%, 230.2%, 46%]

Slide 19: Path Authentication Message Size
- GAS-V — 66% shorter messages!
- Tree construction — inefficient
[Chart: message size in bytes, Average and Maximum]

Slide 20: Path Auth Performance — Memory
- GAS-V — saves 73% memory for signatures!
[Chart: signature memory in kilobytes]

Slide 21: Performance Competition
- Winner: GAS-V
  - Fast convergence, decreasing 32% / 69%
  - Short Update messages, decreasing 66%
  - Economic on signature memory, decreasing 72%

Slide 22: Outline
- Overview
- Path authentication
- PKI and origin authentication
  - Design
  - Performance
- Discussion
- Conclusions

Slide 23: Secure BGP (S-BGP)
- IP address owners create AAs
- X.509 Certificates for IP address allocation
  - (prefix_1, …, prefix_k, org_y) address assignment
- Routers create RAs
- X.509 Certificates for AS# and Routers
  - (AS, AS#, PK) binding
  - (RtrID, AS#, PK) binding
[Figure labels: AS path, Prefix; Route Attestations (RAs), Address Attestations (AAs)]

Slide 24: S-BGP PKIs
- Match existing infrastructures
[Figure: two certificate hierarchies. IP Address Allocation: ICANN; APNIC, ARIN, RIPE, AT&T, …; ISP / DSP / Subscribers; Subscribers; IP address blocks. AS number assignment & Binding a Router to an AS: ICANN; APNIC, ARIN, RIPE, LACNIC; Organizations; (AS_k, ASNs); (RtrID, ASN); AS numbers; RtrID]

Slide 25: S-BGP Address Attestations (AAs)
- Authorize ASes to originate routes
- CAs prepare and distribute AAs
- Long-lived, need revocation
[Figure: {prefix list, ASN} signed by org_x; hierarchy ICANN; APNIC, ARIN, RIPE, AT&T, …; ISP / DSP / Subscribers; Subscribers; IP address blocks]

Slide 26: Evaluate PKI
- PKI model
  - ASes, Routers, Organizations, CAs, Directories, and OCSP responders
  - Routers trust the roots, and OCSP responders; may trust other CAs as well
- Check certificate revocation status
  - OCSP — sequential or parallel requests
  - CRLs (fetch fresh copies)
[Table: OCSP request, CRL fetching; operation latency (second): 0.5 — 1.0]

Slide 27: AA Performance — OCSP requests
- ≈ 68,000 OCSP requests
[Chart: Convergence Time of OCSP Requests, in seconds]

Slide 28: AA Performance — CRLs fetching
[Chart: Convergence Time of CRL Fetching]

Slide 29: PA PKI Performance — OCSP Requests
- ≈ 88,000 OCSP requests
[Chart: Convergence Time of OCSP Requests, in seconds]

Slide 30: PA PKI Performance — CRLs Fetching
[Chart: Convergence Time of CRL fetching]

Slide 31: Real-world Deployment
- Certificate database 75 — 85 MB [Kent:CMS03]
- RouteViews table dump (209MB)
  - 162,237 prefixes
  - 2,011,005 routes, avg. path length 4.1
  - S-BGP signatures: 393MB
  - GAS-V cache: 108MB
  - Decreases 72% signature memory cost
- Overall memory decrease: 60%
- S-BGP RAs: 30 — 35MB per peer [Kent:CMS03]
  - Problem for routers at Internet exchange > 1GB
Reference: Kent. “Securing the Border Gateway Protocol: A Status Update”. IFIP TC-6 TC-11, 2003

Slide 32: ECDSA
- S-BGP uses ECDSA
- Shorter key size
- Same signature length
- Faster signing
- Slower verification
[Table: Key Size (bytes), Signature (bytes), Sign (ms) and Verify (ms) for RSA (1024-bit), BLS, DSA (1024-bit) and ECDSA on secp192r1, sect163k1, sect163r2; cell values lost in extraction]

Slide 33: Conclusions
- Efficient path authentication
  - Aggregated Path Authentication
  - Efficient on time and space
- PKI performance impact
  - OCSP vs. CRLs
- Practical issues
  - Certificate database
  - Memory demands
  - ECDSA

Slide 34: Thank you!
Homepage
- Sun Microsystems
- Mellon Foundation
- Cisco Systems
- Intel Corporation
- NSF
- DoJ/DHS


Slide 36: Related Work
- S-BGP [Kent:NDSS00, Kent:CMS03]
- OASim [Aiello:CCS03]
- psBGP [Wan:NDSS05]
- Listen and Whisper [Subramanian:NSDI04]
- Symmetric cryptography
  - Potentially more efficient
  - Key distribution [Goodrich00]
  - Time synchronization [Hu:SIGCOMM04]

Slide 37: General Aggregate Signatures
- Bilinear map
  - Bilinear: for all and
  - Non-degenerate:
- Key pair
- Sign
- Verify
- Aggregation
- Aggregate Verify
- Implementation
  - Tate pairing
  - Weil pairing
Reference: Boneh et al. “Aggregate and Verifiably Encrypted Signatures from Bilinear Maps”. Eurocrypt 2003

Slide 38: Performance Competition
- Winner: GAS-V
  - Fast convergence, decreasing 32% / 69%
  - Short Update messages, decreasing 66%
  - Economic on signature memory, decreasing 72%
- Further improvements?
  - Hardware accelerator
  - Parallelization
  - AS path length: 3.7/11

Slide 39: Origin Authentication (OA)
- Variants
  - OA-Simple: {(p, org)}_K
  - OA-List: {(p_1, org_1), (p_2, org_2), …, (p_i, org_i)}_K
  - OA-AS-List: {(p_1, p_2, …, p_k, org)}_K
  - OA-Tree: Merkle hash tree, leaves: (p_i, org_i)
- Short-lived attestations
- Possible in-band transmission for address delegation paths
[Figure: IANA; APNIC, ARIN, RIPE, AT&T, …; ISP / DSP / Subscribers; IP address blocks; AS1, AS2, ASk]
Reference: Aiello, Ioannidis, and McDaniel. “Origin Authentication in Interdomain Routing”. CCS03

Slide 40: OA Signature Performance — Storage
- Different costs on memory and message size
- OA-AS-List is most efficient
- Possible in-band transmission
[Table: Memory for Attestations (KB) and Message Size (Bytes) for the attestation constructions OA-Simple, OA-List, OA-AS-List and OA-Tree; cell values lost in extraction]

Slide 41: OA Signature Performance — Convergence
- Slight slowdown in convergence time
[Chart: convergence time in seconds]

Slide 42: Certificate Distribution
- Scale
  - 197,709 active prefixes
  - 19,357 unique ASes
  - >50,000 organizations
- BGP Update message MTU: 4KB
- S-BGP X.509 Certificates: 600 bytes
- Store certificates/CRLs locally >200MB

Slide 43: Aggregate Signatures
- k signers {s_1, s_2, …, s_k}
- k messages {m_1, m_2, …, m_k}
- one aggregate signature
- One aggregate signature for entire AS path
[Figure: 1, p, 2; 2, p, 3; 3, p, 4]
Reference: Lysyanskaya et al. “Sequential Aggregate Signatures from Trapdoor Permutations”. Eurocrypt 2004