1. Lightwave Communications Research Laboratory Princeton University SoBGP vs SBGP Sharon Goldberg Princeton Routing Security Seminar June 27, 2006 and July 11, 2006

2. Princeton University sBGP Review A purist approach to secure the control plane using a centralized security approach Origin Authentication –Origin Authentication Public Key Infrastructure (PKI) –Signed “Address Attestations” Path Authentication –Autonomous System (AS) PKI –Nested Signatures in UPDATE Messages (Route Attestations)

3. Princeton University Subscriber Organizations Delegate Allocate Subscriber Organizations Regional Registries DSPs ISPs ICANN Subscriber Organizations Origin Authentication – PKI Delegation Heirarchy TypeSubjectAddressesSignature RootICANNAllBy ICANN RegistryARIN (US+Canada Region) 10.0.0.0/8By ICANN ISP/DSPBell Canada10.10.0.0/16By ARIN SubscriberBank of Montreal10.10.10.0/24By Bell Canada Type`SubjectSigner RootICANN RegistryRegional RegICANN ISP/DSP Reg/ICANN Subscriber ISP/Reg/ICANN A Canadian Example

4. Princeton University SBGP – Origin Authentication Given a Address Attestation [AS #848, 128.12.50.0/24] Private Key of Bank of Montreal Verify Using the Origin Authentication PKI –First check for the next level certificate [Public Key of BMO, 128.12.50.0/22] Private Key of Bell Canada –And then the next level certificate [Public Key of Bell Canada, 128.12.0.0/16] Private Key of ARIN –And then the next level certificate [Public Key of ARIN, 128.0.0.0/8] Private Key of ICANN –And then everyone knows the Public Key of ICANN

5. Princeton University AS # and Router Association PKI Subscriber Organizations Regional Registries DSPsISPs ICANN Type`SubjectExtentionsSigner RootICANNAll AS #’sICANN RegistryRegional RegAS #’s owned by SubjectICANN AS OwnerISP/DSP or Subscriber AS #’s owned by SubjectReg/ICANN ASAS NumberAS # (only 1) of subjectISP/DSP or Subscriber BGP Speaker AS #, Router ID of subjectISP/DSP or Subscriber AS#34 AS#23 BGP SPEAKER Bgp-spker-23-342

6. Princeton University SBGP – Path Authentication Given a Route Attestation (a secure update message) For the network below: [1]----[2]------[3]------[4] [1] Sends to [2]: {1,2}_1 (i.e. (a path from 1 to 2) signed by 1) [2] Sends to [3]: {1,2}_1, {2,3}_2 [3] Sends to [4]: {1,2}_1, {2,3}_2, {3,4}_3 Verify Each Signature using the Router Association PKI –First check for the next level certificate [Public Key PrincetonU - AS #1 - BGP Speaker #rtr_pton1_no4] PrincetonU –And then the next level certificate [Public Key PrincetonU, AS #1, AS#1001] ARIN –And then the next level certificate [Public Key ARIN, AS #1, AS #2, …, AS#1001,.., AS#4678] ICANN –And then everyone knows the Public Key of ICANN Owned by PrincetonU

7. Princeton University SoBGP vs SBGP SoBGPSBGP Web of Trust Fuzzy Security Level New SECURITY Message No crypto per UPDATE msg Path Plausibility (Static) PKI Fixed Security Level Signed UPDATE Messages Crypto required per UPDATE msg Path Authentication ( Dynamic ) The similarities: –Both secure only the control plane –Both do origin authentication –Both cannot defend against colluding adversaries (using wormhole in sBGP, using two lying PolicyCerts in SoBGP) –Both are only “fuzzily” effective if incrementally deployed

8. Princeton University Nomenclature and So On… Origin Authentication: –SoBGP AuthCert = sBGP Address Attestation = [AS#, IP prefix] Private Key of Signer –sBGP also has an OA PKI but SoBGP doesn’t b/c of Web of Trust Path Authentication / Plausibiltiy: –SoBGP PolicyCerts (an AS lists the connections it has) –sBGP Route Attestation (a nested, signed AS path in each UPDATE msg) –SoBGP also has EntityCerts (a Web of Trust to bind PK’s to AS#’s) –sBGP also has an RA PKI

9. Princeton University Path Plausibility vs Path Authentication Is Path Authentication stronger than Path Plausibility? “Since each AS in sBGP is authentication a relationship between itself and its predecessor and successor ASes, the set of acceptable AS paths in sBGP is a subset of the set paths acceptable under SoBGP” –Path Lengthening attack can be done in P Plausibility but not PA –What about a Path Shortening attack ? (assuming no colluding adversaries and full deployment) In SoBGP path shortening violates topology database In SBGP it violates the structure of the RA chain (next slide)

10. Princeton University A neat aside: Nested vs Pairwise Route Attestations With nested RA’s the following path shortening attack works: But, if we use pairwise RA’s, the attack fails: 4 321 (2,1) 2 (3,(2,1 ) 2 ) 3 (4,(3,(2,1 ) 2 ) 3 ) 4 (4,(2,1 ) 2 ) 4 4 321 (2,1) 1 (3,2) 2 (2,1) 1 (4,3) 3 (3,2) 2 (2,1) 1 (4,3) 3 (2,1) 1

11. Princeton University Another Neat Aside: SBGP does not bind OA to PA Recall that SBGP transmitts: –RA’s (e.g. (4,3) 3 (3,2) 2 (2,1) 1 ) in the UPDATE message. –AA (e.g. [AS #848, 128.12.50.0/24] Private Key of Bank of Montreal ) out of band –Routing Certs and Origin Authentication Certs out of band Therefore, SBGP does not bind an prefix to a path! eg. Suppose what should have been sent was – 10.10.10.0/24 (4,3) 4 (3,2) 3 (2,1) 2 –45.45.45.0/24 (4,30) 4 (30,2) 30 (2,1) 2 And instead, malicious 2 sent: – 10.10.10.0/24 (4,3) 4 (3,2) 3 (2,1) 2 –45.45.45.0/24 (4,3) 4 (3,2) 3 (2,1) 2 4 321 Prefix 10.10.10.0/24 30 Prefix 45.45.45.0/24

12. Princeton University SoBGP vs SBGP: Discussion An now for Dan’s comments on performance… How does Aggregation impact Origin Authentication? With Web of Trust you can do anything!!! Not so good with a centralized PKI. SBGP vs SoBGP incremental deployment ? Is WoT easier to deploy than PKI? Benefits of partial deployment? SoBGP has a new SECURITY message that could cause problems Other thoughts?