Efficient BGP Security
Meiyuan Zhao, Sean Smith (Dartmouth College); David Nicol (University of Illinois, Urbana-Champaign)


1 Efficient BGP Security
Meiyuan Zhao, Sean Smith, Dartmouth College
David Nicol, University of Illinois, Urbana-Champaign

2 Motivation
08/01/2005, 63rd IETF - Paris, FRANCE
- BGP — central routing for the Internet
- BGP lacks security
  - Black holes
  - Disconnected networks
  - Suboptimal routes
  - …
- Secure BGP
- Deployment difficulties
  - Processing overheads
  - Storage demands
  - PKIs
- Goal
  - Efficient AND practical security

3 Outline
- Overview
  - BGP
  - S-BGP
- Path authentication
- PKI and origin authentication
- Discussion
- Conclusions

4 Border Gateway Protocol (BGP)
- Inter-domain routing protocol
- Mainly between autonomous systems (ASes)
- Updates are in the form of route announcements (AS_PATH, prefix)
  - A sequence of AS numbers, e.g., "500 300 100"
  - A range of IP addresses (prefix), e.g., 129.170.0.0/16
[Figure: ASes 1 to 5; prefix p is announced onward as {1}, p; then {2, 1}, p; then {3, 2, 1}, p]

5 Secure BGP (S-BGP)
- Attestations
  - Route Attestations — authenticate AS path
  - Address Attestations — authorization of IP address ownerships
- Public key infrastructures
  - Certificates for routers
  - Certificates for address ownership
[Figure labels: AS path, Prefix; Route Attestations (RAs), Address Attestations (AAs); Public Key Infrastructures (PKIs)]

6 Outline
- Overview
- Path authentication
  - S-BGP RAs
  - Aggregated Path Authentication
  - Performance evaluation
- PKI and origin authentication
- Discussion
- Conclusions

7 S-BGP Route Attestations (RAs)
- Router signs (AS path, prefix, next_hop)
- Sends all previous signatures
- Verify AS path {1, 2, 3}
  - Needs 3 signatures
- Sign AS path {1, 2, 3}
  - Creates n signatures
- Signature Algorithm — DSA
- Caching optimization
[Figure: ASes 1 to 4; the update for p with AS path {3, 2, 1} carries the signed tuples (1, p, 2), (2, 1, p, 3) and (3, 2, 1, p, 4)]

8 Performance Problems
- Time
  - Processing latency 230% longer
- Space
  - Message size: 800% longer
  - Memory cost: > 10 times more
- For Attestations & Certificate database
- Current routers: 128MB or 256MB RAM

9 Signature Amortization (S-A)
- Fast signature verification — RSA
- Fewer signature signings — amortized cost
  - Bit vectors (indicating recipients)
  - Merkle hash trees
- Auxiliary values for each signature
[Figure: router output buffers B_1, B_2, …, B_k holding messages m_1, m_2, …, m_k; grouped messages; aggregated hash]
Reference: Nicol, Smith, and Zhao. "Evaluation of efficient security for BGP route announcements using parallel simulation". Simulation Modelling Practice and Theory Journal, Vol. 12, Issue 3-4, 2004
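Added example (not from the slides or the authors' simulator): the Merkle hash tree form of signature amortization, where the router signs one aggregated hash for all buffered messages and each recipient gets its message plus auxiliary sibling hashes. SHA-256, the leaf/node tags, the update encoding and all function names are assumptions of this sketch; the single RSA signature over the root is left out.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()  # SHA-256 is this example's choice

def build_tree(messages):
    """Hash tree levels: levels[0] holds leaf hashes, levels[-1] == [root]."""
    level = [h(b"\x00" + m) for m in messages]         # 0x00 tags a leaf
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:                             # odd level: repeat last node
            level = level + [level[-1]]
            levels[-1] = level
        level = [h(b"\x01" + level[i] + level[i + 1])  # 0x01 tags an inner node
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def aux_values(levels, index):
    """Sibling hashes a recipient needs to rebuild the root for one message."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))  # (hash, sibling on left?)
        index //= 2
    return path

def root_from(message, path):
    """Recipient side: recompute the aggregated hash from message + aux values."""
    node = h(b"\x00" + message)
    for sibling, on_left in path:
        node = h(b"\x01" + (sibling + node if on_left else node + sibling))
    return node

# Constructed sample: five updates waiting in a router's output buffers.
UPDATES = [f"to=AS{peer}|path=3 2 1|prefix=129.170.0.0/16".encode()
           for peer in (4, 5, 6, 7, 8)]

if __name__ == "__main__":
    levels = build_tree(UPDATES)
    root = levels[-1][0]      # the one value the router signs for all five updates
    for i, msg in enumerate(UPDATES):
        aux = aux_values(levels, i)
        print(i, len(aux), root_from(msg, aux) == root)
    forged = b"to=AS4|path=9 1|prefix=129.170.0.0/16"
    print("forged accepted:", root_from(forged, aux_values(levels, 0)) == root)
```

A recipient accepts an update only if the recomputed root matches the signed one, so verification costs one signature check plus about log2(k) hashes, and each message grows by that many auxiliary values.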

10 Aggregate Signatures
- k signers {s_1, s_2, …, s_k}, k messages {m_1, m_2, …, m_k}, one aggregate signature σ
- One aggregate signature for entire AS path
[Figure: signed tuples (1, p, 2), (2, 1, p, 3), (3, 2, 1, p, 4)]
Reference: Boneh et al. "A Survey of Two Signature Aggregation Techniques". RSA CryptoBytes 2003

11 Aggregate Signature Variants
- General aggregate signature (GAS)
  - Based on BLS short signature on
  - Anyone can aggregate in any ordering
  - Takes k+1 pairing calculation for verifying
- Sequential aggregate signature (SAS)
  - Based on homomorphic trapdoor permutation
  - AggrSign by signers only
  - Must be in sequence
  - Takes k layers of verification
- Advantage—save space!

12 Aggregated Path Authentication
- Aggregated Path Authentication
  - Signature Amortization + Aggregate Signature
- Efficient on time AND space

Aggregate Signature Schemes    S-A option: Bit Vectors    S-A option: Trees
GAS                            GAS-V                      GAS-T
SAS                            SAS-V                      SAS-T

13 Aggregated Path Authentication
- Vector-based
- Tree-based (GAS-T and SAS-T)
[Figure: routers R_1, R_2, R_3 with messages m_1, m_2, m_3; message contents 1, p, "1110"; 2, 1, p, "1011"; 3, 2, 1, p, "1101". SAS-V: AggrSign(0, h(m_1)), then AggrSign(previous aggregate, h(m_2)), then AggrSign(previous aggregate, h(m_3)). GAS-V: the individual signatures s_i are combined into one aggregate.]

14 Outline
- Overview
- Path authentication
  - S-BGP RAs
  - Aggregated Path Authentication
  - Performance evaluation
    - Methodology
    - Performance
- PKI and origin authentication
- Discussion
- Conclusions

15 Evaluation Methodology
- AS-level network simulation — 110 ASes
- BGP router under stress — router reboot
- Metrics
  - Speed — BGP convergence time
  - Signature memory overheads
  - Message size
- SSFNet simulator
- Benchmarks
  - OpenSSL
  - Algorithm decomposition for GAS and SAS

16 Benchmarks

          SHA-1 hash    MD5 hash    Attestations    Certificates    Identifier
Length    20 bytes      16 bytes    110 bytes       600 bytes       4 bytes

                            RSA     DSA     SAS        GAS on GF
Sign (ms)                   50.0    25.5    50.0       11.0
Verify (ms)                 2.5     31.0    2.5        43.0 × 2
SW Aggregate Verify (ms)    --      --      2.5 × k    43.0 × (k+1)
HW Aggregate Verify (ms)    --      --      --         1.3 × (k+1)
Signature length (bytes)    128     40      128        20

Tate pairing calculation                    Running Time (1GHz)
Miller's Algorithm on GF(3^97) (2002)       24.0 ms
BKLS on GF(3^97) (2003)                     23.6 ms
Refined Duursma-Lee on GF(3^97) (2004)      16.8 ms
Modified Duursma-Lee on GF(3^97) (2004)     8.6 ms
Hardware implementation (2005)              1.3 ms

17 Number of Signing Operations
- S-BGP: 22,072/11,521 signings
- Decreases 98.5%
[Chart: number of signing operations; series labelled (SW) and (HW)]

18 Path Authentication Convergence
[Chart: convergence time in seconds; series labelled (SW) and (HW); labelled values 3.4%, 230.2%, 46%]

19 Path Authentication Message Size
- GAS-V — 66% shorter messages!
- Tree construction — inefficient
[Chart: message size in bytes; Average and Maximum]

20 Path Auth Performance — Memory
- GAS-V — saves 73% memory for signatures!
[Chart: signature memory in kilobytes]

21 Performance Competition
- Winner: GAS-V
  - Fast convergence, decreasing 32% / 69%
  - Short Update messages, decreasing 66%
  - Economic on signature memory, decreasing 72%

22 Outline
- Overview
- Path authentication
- PKI and origin authentication
  - Design
  - Performance
- Discussion
- Conclusions

23 Secure BGP (S-BGP)
Address Attestations (AAs), for the prefix:
- IP address owners create AAs
- X.509 Certificates for IP address allocation
  - (prefix_1, …, prefix_k, org_y) address assignment
Route Attestations (RAs), for the AS path:
- Routers create RAs
- X.509 Certificates for AS# and Routers
  - (AS, AS#, PK) binding
  - (RtrID, AS#, PK) binding

24 S-BGP PKIs
- Match existing infrastructures
[Figure, IP Address Allocation: ICANN; APNIC, ARIN, RIPE, AT&T, …; ISP / DSP / Subscribers; Subscribers; label: IP address blocks]
[Figure, AS number assignment & Binding a Router to an AS: ICANN; APNIC, ARIN, RIPE, LACNIC; Organizations (AS_k, ASNs); (RtrID, ASN); labels: AS numbers, RtrID]

25 S-BGP Address Attestations (AAs)
- Authorize ASes to originate routes
- CAs prepare and distribute AAs
- Long-lived, need revocation
[Figure: ICANN; APNIC, ARIN, RIPE, AT&T, …; ISP / DSP / Subscribers; Subscribers; label: IP address blocks; attestation {prefix list, ASN} org_x]

26 Evaluate PKI
- PKI model
  - ASes, Routers, Organizations, CAs, Directories, and OCSP responders
  - Routers trust the roots, and OCSP responders; may trust other CAs as well
  - Check certificate revocation status
- OCSP — sequential or parallel requests
- CRLs (fetch fresh copies)
Table (columns: OCSP request, CRL fetching): Operation latency (second): 0.5 - 1.0

27 AA Performance — OCSP requests
- ≈ 68,000 OCSP requests
[Chart: Convergence Time of OCSP Requests, in seconds]

28 AA Performance — CRLs fetching
[Chart: Convergence Time of CRL Fetching]

29 PA PKI Performance — OCSP Requests
- ≈ 88,000 OCSP requests
[Chart: Convergence Time of OCSP Requests, in seconds]

30 PA PKI Performance — CRLs Fetching
[Chart: Convergence Time of CRL Fetching]

31 Real-world Deployment
- Certificate database 75 - 85 MB [Kent:CMS03]
- RouteViews table dump (209MB)
  - 162,237 prefixes
  - 2,011,005 routes, avg. path length 4.1
  - S-BGP signatures: 393MB
  - GAS-V cache: 108MB
  - Decreases 72% signature memory cost
- Overall memory decrease: 60%
- S-BGP RAs: 30 - 35MB per peer [Kent:CMS03]
  - Problem for routers at Internet exchange > 1GB
Reference: Kent. "Securing the Border Gateway Protocol: A Status Update". IFIP TC-6 TC-11, 2003

32 ECDSA
- S-BGP uses ECDSA
- Shorter key size
- Same signature length
- Faster signing
- Slower verification

Table columns, in order: RSA (1024-bit); BLS; DSA (1024-bit); ECDSA secp192r1; ECDSA sect163k1; ECDSA sect163r2
Key Size (bytes): 135, 100, 408, 180, 139, 155
Signature (bytes): 128, 20, 40
Sign (ms): 7.8, 2.2, 3.5, 1.0, 3.1
Verify (ms): 0.4, 8.6, 4.5, 4.4, 8.2, 8.7

33 Conclusions
- Efficient path authentication
  - Aggregated Path Authentication
  - Efficient on time and space
- PKI performance impact
  - OCSP vs. CRLs
- Practical issues
  - Certificate database
  - Memory demands
  - ECDSA

34 Thank you!
Email: zhaom@cs.dartmouth.edu
Homepage: http://www.cs.dartmouth.edu/~zhaom
- Sun Microsystems
- Mellon Foundation
- Cisco Systems
- Intel Corporation
- NSF
- DoJ/DHS

36 Related Work
- S-BGP [Kent:NDSS00, Kent:CMS03]
- OASim [Aiello:CCS03]
- psBGP [Wan:NDSS05]
- Listen and Whisper [Subramanian:NSDI04]
- Symmetric cryptography
  - Potentially more efficient
  - Key distribution [Goodrich00]
  - Time synchronization [Hu:SIGCOMM04]

37 General Aggregate Signatures
- Bilinear map
  - Bilinear: for all and
  - Non-degenerate:
- Key pair
- Sign
- Verify
- Aggregation
- Aggregate Verify
- Implementation
  - Tate pairing
  - Weil pairing
Reference: Boneh et al. "Aggregate and Verifiably Encrypted Signatures from Bilinear Maps". Eurocrypt 2003

38 Performance Competition
- Winner: GAS-V
  - Fast convergence, decreasing 32% / 69%
  - Short Update messages, decreasing 66%
  - Economic on signature memory, decreasing 72%
- Further improvements?
  - Hardware accelerator
  - Parallelization
  - AS path length: 3.7/11

39 Origin Authentication (OA)
- Variants
  - OA-Simple: {(p, org)}_K
  - OA-List: {(p_1, org_1), (p_2, org_2), …, (p_i, org_i)}_K
  - OA-AS-List: {(p_1, p_2, …, p_k, org)}_K
  - OA-Tree: Merkle hash tree, leaves: (p_i, org_i)
- Short-lived attestations
- Possible in-band transmission for address delegation paths
[Figure: IANA; APNIC, ARIN, RIPE, AT&T, …; ISP / DSP / Subscribers; AS1, AS2, …, ASk; label: IP address blocks]
Reference: Aiello, Ioannidis, and McDaniel. "Origin Authentication in Interdomain Routing". CCS03

40 OA Signature Performance — Storage

Attestation Constructions    Memory for Attestations (KB)    Message Size (Bytes)
OA-Simple                    42.80                           496.97
OA-List                      666.27                          36293.37
OA-AS-List                   13.23                           575.35
OA-Tree                      30.22                           1029.24

- Different costs on memory and message size
- OA-AS-List is most efficient
- Possible in-band transmission

41 OA Signature Performance — Convergence
- Slightly slows down convergence time
[Chart: convergence time in seconds]

42 Certificate Distribution
- Scale
  - 197,709 active prefixes
  - 19,357 unique ASes
  - >50,000 organizations
- BGP Update message MTU: 4KB
- S-BGP X.509 Certificates: 600 bytes
- Store certificates/CRLs locally
  - >200MB

43 Aggregate Signatures
- k signers {s_1, s_2, …, s_k}, k messages {m_1, m_2, …, m_k}, one aggregate signature σ
- One aggregate signature for entire AS path
[Figure: signed tuples (1, p, 2), (2, p, 3), (3, p, 4)]
Reference: Lysyanskaya et al. "Sequential Aggregate Signatures from Trapdoor Permutations". Eurocrypt 2004

