Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Origin BGP: What is (and isn't) in a name? Dan Wendlandt Princeton Routing Security Reading Group.

Published byElaine Flowers Modified over 9 years ago

Similar presentations

Presentation on theme: "Secure Origin BGP: What is (and isn't) in a name? Dan Wendlandt Princeton Routing Security Reading Group."— Presentation transcript:

1 Secure Origin BGP: What is (and isn't) in a name? Dan Wendlandt Princeton Routing Security Reading Group

2 History Created by Cisco engineers as a light-weight (computation and PKI) alternative to s-bgp. Originally only secured “origin” of routes, but topology information added later for additional security. Goal: A more real-world and usable system

3 Certificate Types Entity Cert: Organization -> ASN, Public Key Policy Cert: ASN -> Neighbors, Security Parameters Authorization Cert: ASN -> Network Prefixes, meta-data

4 Changes to BGP New “Security” Message (ie: updates are not used for security data). Ability to “ask” neighbor for security certificates. Authorization, Entity Certificate and Path Database

5 “Web of Trust” for Public Keys Root of Entity Cert trust hierarchy is not necessarily ICANN, but instead a group of “well- known entities”. It could also be private entity like Verisign, or a collection of tier-1 ISPs. Ambiguity with respect to Auth Certs (need ICANN hierarchy or not?)

6 Origin Auth + Path “Plausibility” Originating AS's are validated much like s-BGP AS-Path's are checked plausibility against topology database, not attested with cryptography Path Check bits in Policy Cert. Security Preference allows for “fuzzy” match.

7 Processing Updates Find Auth Cert for this prefix in local database. If route is originated by an ASN in the cert, continue, else discard If path-check bit is set, check that each hop in the AS-PATH exists in both directions in the path database (alternately, just check 1 st hop). Set “security preference” and install in RIB.

8 Other Benefits Policy Flexibility (let's you split an update, advertising some prefixes, but not others) Less verification load vs path attestation (still need crypto hardware though?). Robustness to gaps in deployment? Ability to “outsource” certificate validation to servers, provide routers with databases. Include policy information in certificates (AS X may not transit this route, etc)

9 Dirty “Little” Issues Peer links advertised (confidentiality)? Aggregation Determining extent of trust propagation within web-of-trust. Difference between path plausibility and path attestation? Where is database stored? Memory Issues in keeping AS-level topology? Incremental Deployment needs multi-hop BGP sessions to participants.

10 References ftp://ftp-eng.cisco.com/sobgp/index.html Extensions to BGP to Support Secure Origin BGP: draft-ng-sobpg-bgp-extensions-01.txt soBGP Architecture & Deployment: draft-white- sobgp-architecture-01.txt

Download ppt "Secure Origin BGP: What is (and isn't) in a name? Dan Wendlandt Princeton Routing Security Reading Group."

Similar presentations

SCION: Scalability, Control and Isolation On Next-Generation Networks

SCION: Scalability, Control and Isolation On Next-Generation Networks
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
1 Copyright  1999, Cisco Systems, Inc. Module10.ppt10/7/1999 8:27 AM BGP — Border Gateway Protocol Routing Protocol used between AS’s Currently Version.

1 Copyright  1999, Cisco Systems, Inc. Module10.ppt10/7/1999 8:27 AM BGP — Border Gateway Protocol Routing Protocol used between AS’s Currently Version.
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.

Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
A Quick and Dirty Guide to BGP attacks Or “How to 0wn the Backbone in your Spare Time”

A Quick and Dirty Guide to BGP attacks Or “How to 0wn the Backbone in your Spare Time”
Network Layer: Internet-Wide Routing & BGP Dina Katabi & Sam Madden.

Network Layer: Internet-Wide Routing & BGP Dina Katabi & Sam Madden.
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.

Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
Securing BGP Geoff Huston November 2007. Agenda An Introduction to BGP BGP Security Questions Current Work Research Questions.

Securing BGP Geoff Huston November Agenda An Introduction to BGP BGP Security Questions Current Work Research Questions.
Securing the Border Gateway Protocol Using S-BGP Dr. Stephen Kent Chief Scientist - Information Security APNIC Open Policy Meeting Routing.

Securing the Border Gateway Protocol Using S-BGP Dr. Stephen Kent Chief Scientist - Information Security APNIC Open Policy Meeting Routing.
1 Towards Secure Interdomain Routing For Dr. Aggarwal 60-592 Win 2004.

1 Towards Secure Interdomain Routing For Dr. Aggarwal Win 2004.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.

Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.
Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.

Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background – Detection of Invalid Routing Announcement in the Internet –Open Discussions Thursday.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
CS 672 1 Summer 2003 Lecture 3. CS 672 2 Summer 2003 What is a BGP Path Attribute? BGP uses a set of parameters known as path attributes to characterize.

CS Summer 2003 Lecture 3. CS Summer 2003 What is a BGP Path Attribute? BGP uses a set of parameters known as path attributes to characterize.
CS 672 1 Summer 2003 Quiz 1 A1) IGP (IS-IS, OSPF) BGP A2) Stub Transit. because it is adverting AS2’s routes to AS1 and vice versa. A3) Traffic discarded.

CS Summer 2003 Quiz 1 A1) IGP (IS-IS, OSPF) BGP A2) Stub Transit. because it is adverting AS2’s routes to AS1 and vice versa. A3) Traffic discarded.
Computer Networking Lecture 10: Inter-Domain Routing

Computer Networking Lecture 10: Inter-Domain Routing
More on BGP Check out the links on politics: ICANN and net neutrality To read for next time Path selection big example Scaling of BGP.

More on BGP Check out the links on politics: ICANN and net neutrality To read for next time Path selection big example Scaling of BGP.
Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.

Interdomain Routing Security Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays.
Lightwave Communications Research Laboratory Princeton University SoBGP vs SBGP Sharon Goldberg Princeton Routing Security Seminar June 27, 2006 and July.

Lightwave Communications Research Laboratory Princeton University SoBGP vs SBGP Sharon Goldberg Princeton Routing Security Seminar June 27, 2006 and July.
Shivkumar Kalyanaraman Rensselaer Polytechnic Institute 1 Exterior Gateway Protocols: EGP, BGP-4, CIDR Shivkumar Kalyanaraman Rensselaer Polytechnic Institute.

Shivkumar Kalyanaraman Rensselaer Polytechnic Institute 1 Exterior Gateway Protocols: EGP, BGP-4, CIDR Shivkumar Kalyanaraman Rensselaer Polytechnic Institute.

Similar presentations

Ads by Google