Secure Origin BGP: What is (and isn't) in a name? Dan Wendlandt Princeton Routing Security Reading Group.

Slides:



Advertisements
Similar presentations
SCION: Scalability, Control and Isolation On Next-Generation Networks
Advertisements

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
1 Copyright  1999, Cisco Systems, Inc. Module10.ppt10/7/1999 8:27 AM BGP — Border Gateway Protocol Routing Protocol used between AS’s Currently Version.
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
A Quick and Dirty Guide to BGP attacks Or “How to 0wn the Backbone in your Spare Time”
Network Layer: Internet-Wide Routing & BGP Dina Katabi & Sam Madden.
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
Securing BGP Geoff Huston November Agenda An Introduction to BGP BGP Security Questions Current Work Research Questions.
Securing the Border Gateway Protocol Using S-BGP Dr. Stephen Kent Chief Scientist - Information Security APNIC Open Policy Meeting Routing.
1 Towards Secure Interdomain Routing For Dr. Aggarwal Win 2004.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.
Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
CS Summer 2003 Lecture 3. CS Summer 2003 What is a BGP Path Attribute? BGP uses a set of parameters known as path attributes to characterize.
CS Summer 2003 Quiz 1 A1) IGP (IS-IS, OSPF) BGP A2) Stub Transit. because it is adverting AS2’s routes to AS1 and vice versa. A3) Traffic discarded.
Computer Networking Lecture 10: Inter-Domain Routing
More on BGP Check out the links on politics: ICANN and net neutrality To read for next time Path selection big example Scaling of BGP.
Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.
Lightwave Communications Research Laboratory Princeton University SoBGP vs SBGP Sharon Goldberg Princeton Routing Security Seminar June 27, 2006 and July.
Shivkumar Kalyanaraman Rensselaer Polytechnic Institute 1 Exterior Gateway Protocols: EGP, BGP-4, CIDR Shivkumar Kalyanaraman Rensselaer Polytechnic Institute.
Inter-domain Routing security Problems Solutions.
© 2009 Cisco Systems, Inc. All rights reserved.ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network Configuring and Verifying Basic BGP Operations.
PKI To The Masses IPCCC 2004 Dan Massey USC/ISI. 1 March PKI Is Necessary l My PKI related actions since arriving at IPCCC n Used an.
Lecture Week 3 Introduction to Dynamic Routing Protocol Routing Protocols and Concepts.
1 Securing BGP Large scale trust to build an Internet again Lutz Donnerhacke db089309: 1c1c 6311 ef09 d819 e029 65be bfb6 c9cb.
R OUTING IN THE INTERNET. A UTONOMOUS SYSTEM ( AS ) Collections of routers that has the same protocol, administative and technical control Intra-AS routing.
The Resource Public Key Infrastructure Geoff Huston APNIC.
Computer Networks Layering and Routing Dina Katabi
APNIC eLearning: Intro to RPKI 10 December :30 PM AEST Brisbane (UTC+10)
Information-Centric Networks04a-1 Week 4 / Paper 1 Open issues in Interdomain Routing: a survey –Marcelo Yannuzzi, Xavier Masip-Bruin, Olivier Bonaventure.
9/15/2015CS622 - MIRO Presentation1 Wen Xu and Jennifer Rexford Department of Computer Science Princeton University Chuck Short CS622 Dr. C. Edward Chow.
CS 3700 Networks and Distributed Systems Inter Domain Routing (It’s all about the Money) Revised 8/20/15.
How Secure are Secure Inter- Domain Routing Protocols? SIGCOMM 2010 Presenter: kcir.
Lecture 4: BGP Presentations Lab information H/W update.
Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks BGP.
Routing Security and the Border Gateway Protocol Dr. Stephen Kent Chief Scientist - Information Security.
BGP Man in the Middle Attack Jason Froehlich December 10, 2008.
© 2001, Cisco Systems, Inc. A_BGP_Confed BGP Confederations.
BGP4 - Border Gateway Protocol. Autonomous Systems Routers under a single administrative control are grouped into autonomous systems Identified by a 16.
Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.
A Firewall for Routers: Protecting Against Routing Misbehavior1 June 26, A Firewall for Routers: Protecting Against Routing Misbehavior Jia Wang.
More on Internet Routing A large portion of this lecture material comes from BGP tutorial given by Philip Smith from Cisco (ftp://ftp- eng.cisco.com/pfs/seminars/APRICOT2004.
Detecting Selective Dropping Attacks in BGP Mooi Chuah Kun Huang November 2006.
1 APNIC Trial of Certification of IP Addresses and ASes RIPE October 2005 Geoff Huston.
Status Report SIDR and Origination Validation Geoff Huston SIDR WG, IETF 71 March 2008.
1 Auto-Detecting Hijacked Prefixes? Routing SIG 7 Sep 2005 APNIC20, Hanoi, Vietnam Geoff Huston.
© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network Lab 6-2 Debrief.
Internet Routing Verification John “JI” Ioannidis AT&T Labs – Research Copyright © 2002 by John Ioannidis. All Rights Reserved.
Text BGP Basics. Document Name CONFIDENTIAL Border Gateway Protocol (BGP) Introduction to BGP BGP Neighbor Establishment Process BGP Message Types BGP.
Michael Schapira, Princeton University Fall 2010 (TTh 1:30-2:50 in COS 302) COS 561: Advanced Computer Networks
Border Gateway Protocol BGP-4 BGP environment How BGP works BGP information BGP administration.
BGP Validation Russ White Rule11.us.
Connecting an Enterprise Network to an ISP Network
Boarder Gateway Protocol (BGP)
Goals of soBGP Verify the origin of advertisements
COS 561: Advanced Computer Networks
Some Thoughts on Integrity in Routing
APNIC Trial of Certification of IP Addresses and ASes
COS 561: Advanced Computer Networks
CS 3700 Networks and Distributed Systems
COS 561: Advanced Computer Networks
COS 561: Advanced Computer Networks
COMP/ELEC 429/556 Introduction to Computer Networks
BGP Security Jennifer Rexford Fall 2018 (TTh 1:30-2:50 in Friend 006)
Fixing the Internet: Think Locally, Impact Globally
BGP Instability Jennifer Rexford
Computer Networks Protocols
Design Expectations vs. Deployment Reality in Protocol Development
Presentation transcript:

Secure Origin BGP: What is (and isn't) in a name? Dan Wendlandt Princeton Routing Security Reading Group

History Created by Cisco engineers as a light-weight (computation and PKI) alternative to s-bgp. Originally only secured “origin” of routes, but topology information added later for additional security. Goal: A more real-world and usable system

Certificate Types Entity Cert: Organization -> ASN, Public Key Policy Cert: ASN -> Neighbors, Security Parameters Authorization Cert: ASN -> Network Prefixes, meta-data

Changes to BGP New “Security” Message (ie: updates are not used for security data). Ability to “ask” neighbor for security certificates. Authorization, Entity Certificate and Path Database

“Web of Trust” for Public Keys Root of Entity Cert trust hierarchy is not necessarily ICANN, but instead a group of “well- known entities”. It could also be private entity like Verisign, or a collection of tier-1 ISPs. Ambiguity with respect to Auth Certs (need ICANN hierarchy or not?)

Origin Auth + Path “Plausibility” Originating AS's are validated much like s-BGP AS-Path's are checked plausibility against topology database, not attested with cryptography Path Check bits in Policy Cert. Security Preference allows for “fuzzy” match.

Processing Updates Find Auth Cert for this prefix in local database. If route is originated by an ASN in the cert, continue, else discard If path-check bit is set, check that each hop in the AS-PATH exists in both directions in the path database (alternately, just check 1 st hop). Set “security preference” and install in RIB.

Other Benefits Policy Flexibility (let's you split an update, advertising some prefixes, but not others) Less verification load vs path attestation (still need crypto hardware though?). Robustness to gaps in deployment? Ability to “outsource” certificate validation to servers, provide routers with databases. Include policy information in certificates (AS X may not transit this route, etc)

Dirty “Little” Issues Peer links advertised (confidentiality)? Aggregation Determining extent of trust propagation within web-of-trust. Difference between path plausibility and path attestation? Where is database stored? Memory Issues in keeping AS-level topology? Incremental Deployment needs multi-hop BGP sessions to participants.

References ftp://ftp-eng.cisco.com/sobgp/index.html Extensions to BGP to Support Secure Origin BGP: draft-ng-sobpg-bgp-extensions-01.txt soBGP Architecture & Deployment: draft-white- sobgp-architecture-01.txt

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.