ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
SPV: secure path vector routing for securing BGP
Full text PdfPdf (237 KB)
Source Applications, Technologies, Architectures, and Protocols for Computer Communication archive
Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications table of contents
Portland, Oregon, USA
SESSION: Secure networks table of contents
Pages: 179 - 192  
Year of Publication: 2004
ISBN:1-58113-862-8
Also published in ...
Authors
Yih-Chun Hu  UC Berkeley
Adrian Perrig  Carnegie Mellon University
Marvin Sirbu  Carnegie Mellon University
Sponsors
ACM: Association for Computing Machinery
SIGCOMM: ACM Special Interest Group on Data Communication
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 10,   Downloads (12 Months): 91,   Citation Count: 24
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1015467.1015488
What is a DOI?

ABSTRACT

As our economy and critical infrastructure increasingly relies on the Internet, the insecurity of the underlying border gateway routing protocol (BGP) stands out as the Achilles heel. Recent misconfigurations and attacks have demonstrated the brittleness of BGP. Securing BGP has become a priority.In this paper, we focus on a viable deployment path to secure BGP. We analyze security requirements, and consider tradeoffs of mechanisms that achieve the requirements. In particular, we study how to secure BGP update messages against attacks. We design an efficient cryptographic mechanism that relies only on symmetric cryptographic primitives to guard an ASPATH from alteration, and propose the Secure Path Vector (SPV) protocol. In contrast to the previously proposed S-BGP protocol, SPV is around 22 times faster. With the current effort to secure BGP, we anticipate that SPV will contribute several alternative mechanisms to secure BGP, especially for the case of incremental deployments.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
F. Baker and R. Atkinson. RIP-2 MD5 Authentication. Internet Request for Comment RFC 2082, Internet Engineering Task Force, January 1997.
 
2
A. Barbir, S. Murphy, and Y. Yang. Generic Threats to Routing Protocols. Internet-Draft draft-ietf-rpsec-routing-threats-06, April 2004.
 
3
Mihir Bellare , Anand Desai , Eron Jokipii , Phillip Rogaway, A Concrete Security Treatment of Symmetric Encryption, Proceedings of the 38th Annual Symposium on Foundations of Computer Science (FOCS '97), p.394, October 19-22, 1997
4
S. M. Bellovin, Security problems in the TCP/IP protocol suite, ACM SIGCOMM Computer Communication Review, v.19 n.2, p.32-48, April 1, 1989  [doi>10.1145/378444.378449]
 
5
John Black , Phillip Rogaway , Thomas Shrimpton, Black-Box Analysis of the Block-Cipher-Based Hash-Function Constructions from PGV, Proceedings of the 22nd Annual International Cryptology Conference on Advances in Cryptology, p.320-335, August 18-22, 2002
 
6
Dan Boneh , Matthew K. Franklin, Identity-Based Encryption from the Weil Pairing, Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology, p.213-229, August 19-23, 2001
 
7
K. A. Bradley, S. Cheung, N. Puketza, B. Mukherjee, and R. A. Olsson. Detecting Disruptive Routers: A Distributed Network Monitoring Approach. In Proceedings of the IEEE Symposium on Research in Security and Privacy, pages 115--124, May 1998.
8
John W. Byers , Michael Luby , Michael Mitzenmacher , Ashutosh Rege, A digital fountain approach to reliable distribution of bulk data, Proceedings of the ACM SIGCOMM '98 conference on Applications, technologies, architectures, and protocols for computer communication, p.56-67, August 31-September 04, 1998, Vancouver, British Columbia, Canada
 
9
S. Cheung, An efficient message authentication scheme for link state routing, Proceedings of the 13th Annual Computer Security Applications Conference, p.90, December 08-12, 1997
10
Steven Cheung , Karl N. Levitt, Protecting routing infrastructures from denial of service using cooperative intrusion detection, Proceedings of the 1997 workshop on New security paradigms, p.94-106, September 23-26, 1997, Langdale, Cumbria, United Kingdom  [doi>10.1145/283699.283744]
 
11
S. Convery, D. Cook, and M. Franz. An Attack Tree for the Border Gateway Protocol. Internet-Draft draft-ietf-rpsec-bgpattack-00, February 2004.
 
12
S. Crosby and D. Wallach. Denial of Service via Algorithmic Complexity Attacks. In Proceedings of the 11th USENIX Security Symposium, pages 29--44, August 2003.
 
13
Security of E-commerce threatened by 512-bit number factorization. http://www.cwi.nl/~kik/persb-UK.html, August 1999. CWI press release.
 
14
J. Daemen and V. Rijmen. AES Proposal: Rijndael, March 1999.
15
Alan Daly , William Marnane, Efficient architectures for implementing montgomery modular multiplication and RSA modular exponentiation on reconfigurable logic, Proceedings of the 2002 ACM/SIGDA tenth international symposium on Field-programmable gate arrays, February 24-26, 2002, Monterey, California, USA  [doi>10.1145/503048.503055]
 
16
Shimon Even , Oded Goldreich , Silvio Micali, On-line/off-line digital signatures, Proceedings on Advances in cryptology, p.263-275, July 1989, Santa Barbara, California, United States
 
17
N. Feamster and H. Balakrishnan. Verifying the Correctness of Wide-Area Internet Routing. Technical Report MIT-LCS-TR-948, MIT, May 2004.
18
Oded Goldreich , Shafi Goldwasser , Silvio Micali, How to construct random functions, Journal of the ACM (JACM), v.33 n.4, p.792-807, Oct. 1986  [doi>10.1145/6490.6503]
 
19
G. Goodell, W. Aiello, T. Griffin, J. Ioannidis, P. McDaniel, and A. Rubin. Working around BGP: An Incremental Approach to Improving Security and Accuracy in Interdomain Routing. In Proceedings of NDSS 2003, February 2003.
 
20
R. Hauser , T. Przygienda , G. Tsudik, Reducing The Cost Of Security In Link-State Routing, Proceedings of the 1997 Symposium on Network and Distributed System Security, p.93, February 10-11, 1997
 
21
A. Heffernan. Protection of BGP Sessions via the TCP MD5 Signature Option. RFC 2385, August 1998.
 
22
Y.-C. Hu, D. B. Johnson, and A. Perrig. SEAD: Secure Efficient Distance Vector Routing for Mobile Wireless Ad Hoc Networks. Ad Hoc Networks, 1(1):175--192, 2003.
 
23
Y.-C. Hu, A. Perrig, and D. B. Johnson. Efficient Security Mechanisms for Routing Protocols. In Proceedings of NDSS 2003, February 2003.
 
24
Y.-C. Hu, A. Perrig, and D. B. Johnson. Packet Leashes: A Defense against Wormhole Attacks in Wireless Ad Hoc Networks. In Proceedings of the Twenty-Second Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM 2003), April 2003.
 
25
S. Kent and R. Atkinson. IP Encapsulating Security Payload (ESP). Internet Request for Comment RFC 2406, Internet Engineering Task Force, November 1998.
 
26
S. Kent and R. Atkinson. Security Architecture for the Internet Protocol. Internet Request for Comment RFC 2401, Internet Engineering Task Force, November 1998.
 
27
S. Kent, C. Lynn, J. Mikkelson, and K. Seo. Secure Border Gateway Protocol (S-BGP) -- Real World Performance and Deployment Issues. In Proceedings of NDSS 2000, pages 103--116, February 2000.
 
28
S. Kent, C. Lynn, and K. Seo. Secure Border Gateway Protocol (S-BGP). IEEE Journal on Selected Areas in Communications, 18(4):582--592, April 2000.
 
29
C. Kruegel, D. Mutz, W. Robertson, and F. Valeur. Topology-based Detection of Anomalous BGP Messages. In Proceedings of the Symposium on Recent Advances in Intrusion Detection (RAID), September 2003.
30
Brijesh Kumar, Integration of security in network routing protocols, ACM SIGSAC Review, v.11 n.2, p.18-25, Spring 1993  [doi>10.1145/153949.153953]
31
Brijesh Kumar , Jon Crowcroft, Integrating security in inter-domain routing protocols, ACM SIGCOMM Computer Communication Review, v.23 n.5, p.36-51, Oct. 1993  [doi>10.1145/165611.165615]
 
32
L. Lamport. Constructing Digital Signatures from a One-Way Function. Technical Report SRI-CSL-98, SRI International Computer Science Laboratory, October 1979.
 
33
A. Lenstra and E. Verheul. Selecting Cryptographic Key Sizes. Journal of Cryptology, 14(4):255--293, 2001.
34
Ratul Mahajan , David Wetherall , Tom Anderson, Understanding BGP misconfiguration, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA
 
35
G. Malkin. RIP Version 2. Internet Request for Comment RFC 2453, Internet Engineering Task Force, November 1998.
 
36
S. Matyas, C. Meyer, and J. Oseas. Generating Strong One-Way Functions with Cryptographic Algorithm. IBM Technical Disclosure Bulletin, 27:5658--5659, 1985.
 
37
Alfred J. Menezes , Scott A. Vanstone , Paul C. Van Oorschot, Handbook of Applied Cryptography, CRC Press, Inc., Boca Raton, FL, 1996
 
38
R. Merkle. Protocols for Public Key Cryptosystems. In 1980 IEEE Symposium on Security and Privacy, 1980.
 
39
Ralph C. Merkle, A Digital Signature Based on a Conventional Encryption Function, A Conference on the Theory and Applications of Cryptographic Techniques on Advances in Cryptology, p.369-378, August 16-20, 1987
 
40
D. Meyer. Route Views Project Page. http://www.routeviews.org.
 
41
S. A. Misel. Wow, AS7007! NANOG mail archives, http://www.merit.edu/mail.archives/nanog/1997-04/msg00340. html, 1997.
 
42
S. Murphy. BGP Security Protections. Internet-Draft draft-murphy-bgp-protect-01, October 2002.
43
Ola Nordström , Constantinos Dovrolis, Beware of BGP attacks, ACM SIGCOMM Computer Communication Review, v.34 n.2, April 2004  [doi>10.1145/997150.997152]
 
44
D. Pei, D. Massey, and L. Zhang. A Framework for Resilient Internet Routing Protocols. IEEE Network, 18(2):5--12, April 2004.
 
45
Radia Perlman, Interconnections: bridges and routers, Addison Wesley Longman Publishing Co., Inc., Redwood City, CA, 1992
 
46
Y. Rekhter and T. Li. A Border Gateway Protocol 4 (BGP-4). RFC 1771, March 1995.
 
47
Leonid Reyzin , Natan Reyzin, Better than BiBa: Short One-Time Signatures with Fast Signing and Verifying, Proceedings of the 7th Australian Conference on Information Security and Privacy, p.144-153, July 03-05, 2002
 
48
R. L. Rivest. The MD5 Message-Digest Algorithm. RFC 1321, April 1992.
49
R. L. Rivest , A. Shamir , L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, v.21 n.2, p.120-126, Feb. 1978  [doi>10.1145/359340.359342]
50
Pankaj Rohatgi, A compact and fast hybrid signature scheme for multicast packet authentication, Proceedings of the 6th ACM conference on Computer and communications security, p.93-100, November 01-04, 1999, Kent Ridge Digital Labs, Singapore  [doi>10.1145/319709.319722]
 
51
Routing Protocol Security Requirements (rpsec). IETF working group, http://www.ietf.org/html.charters/rpsec-charter.html, 2004.
 
52
B. R. Smith and J.J. Garcia-Luna-Aceves. Securing the Border Gateway Routing Protocol. In Global Internet'96, pages 81--85, November 1996.
 
53
Bradley R. Smith , Shree Murthy , J. J. Garcia-Luna-Aceves, Securing Distance-Vector Routing Protocols, Proceedings of the 1997 Symposium on Network and Distributed System Security, p.85, February 10-11, 1997
 
54
John W. Stewart, III, BGP4: Inter-Domain Routing in the Internet, Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 1998
 
55
L. Subramanian, V. Roth, I. Stoica, S. Shenker, and R. Katz. Listen and Whisper: Security Mechanisms for BGP. In Proceedings of First Symposium on Networked Systems Design and Implementation (NSDI 2004), March 2004.
 
56
Nicholas Croyle Weaver , John Wawrzynek, The sfra: a fixed frequency fpga architecture, 2003
 
57
R. White. Deployment Considerations for Secure Origin BGP (soBGP), draft-white-sobgp-bgp-deployment-01.txt. Draft, Internet Engineering Task Force, June 2003. Available at http://www.watersprings.org/pub/id/draft-white-sobgp-bgp-deployment-01.txt.
 
58
A. Yaar, A. Perrig, and D. Song. SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks. In Proceedings of the IEEE Symposium on Security and Privacy, May 2004.
 
59
K. Zhang. Efficient Protocols for Signing Routing Messages. In Proceedings of NDSS '98, March 1998.

CITED BY  24
Lakshminarayanan Subramanian , Matthew Caesar , Cheng Tien Ee , Mark Handley , Morley Mao , Scott Shenker , Ion Stoica, HLP: a next generation inter-domain routing protocol, ACM SIGCOMM Computer Communication Review, v.35 n.4, October 2005
Meiyuan Zhao , Sean W. Smith , David M. Nicol, Aggregated path authentication for efficient BGP security, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA
E-yong Kim , Klara Nahrstedt , Li Xiao , Kunsoo Park, Identity-based registry for secure interdomain routing, Proceedings of the 2006 ACM Symposium on Information, computer and communications security, March 21-24, 2006, Taipei, Taiwan
Kevin Butler , Patrick McDaniel , William Aiello, Optimizing BGP security by exploiting path stability, Proceedings of the 13th ACM conference on Computer and communications security, October 30-November 03, 2006, Alexandria, Virginia, USA
Haowen Chan , Debabrata Dash , Adrian Perrig , Hui Zhang, Modeling adoptability of secure BGP protocols, ACM SIGMETRICS Performance Evaluation Review, v.34 n.1, June 2006
Patrick McDaniel , William Aiello , Kevin Butler , John Ioannidis, Origin authentication in interdomain routing, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.50 n.16, p.2953-2980, 14 November 2006
Hitesh Ballani , Paul Francis , Xinyang Zhang, A study of prefix hijacking and interception in the internet, ACM SIGCOMM Computer Communication Review, v.37 n.4, October 2007
Haowen Chan , Debabrata Dash , Adrian Perrig , Hui Zhang, Modeling adoptability of secure BGP protocol, ACM SIGCOMM Computer Communication Review, v.36 n.4, October 2006
Raj Kumar Rajendran , Vishal Misra , Dan Rubenstein, Theoretical bounds on control-plane self-monitoring in routing protocols, ACM SIGMETRICS Performance Evaluation Review, v.35 n.1, June 2007
Barath Raghavan , Saurabh Panjwani , Anton Mityagin, Analysis of the SPV secure routing protocol: weaknesses and lessons, ACM SIGCOMM Computer Communication Review, v.37 n.2, April 2007
P.C. van Oorschot , Tao Wan , Evangelos Kranakis, On interdomain routing security and pretty secure BGP (psBGP), ACM Transactions on Information and System Security (TISSEC), v.10 n.3, p.11-es, July 2007
Zheng Zhang , Ying Zhang , Y. Charlie Hu , Z. Morley Mao, Practical defenses against BGP prefix hijacking, Proceedings of the 2007 ACM CoNEXT conference, December 10-13, 2007, New York, New York
Karthik Lakshminarayanan , Matthew Caesar , Murali Rangan , Tom Anderson , Scott Shenker , Ion Stoica, Achieving convergence-free routing using failure-carrying packets, ACM SIGCOMM Computer Communication Review, v.37 n.4, October 2007
Jing Dong , Kurt E. Ackermann , Brett Bavar , Cristina Nita-Rotaru, Mitigating attacks against virtual coordinate based routing in wireless sensor networks, Proceedings of the first ACM conference on Wireless network security, March 31-April 02, 2008, Alexandria, VA, USA
John P. John , Ethan Katz-Bassett , Arvind Krishnamurthy , Thomas Anderson , Arun Venkataramani, Consensus routing: the internet as a distributed system, Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, p.351-364, April 16-18, 2008, San Francisco, California
Karthik Lakshminarayanan , Daniel Adkins , Adrian Perrig , Ion Stoica, Securing user-controlled routing infrastructures, IEEE/ACM Transactions on Networking (TON), v.16 n.3, p.549-561, June 2008
Liang Xie , Sencun Zhu, Message Dropping Attacks in Overlay Networks: Attack Detection and Attacker Identification, ACM Transactions on Information and System Security (TISSEC), v.11 n.3, p.1-30, March 2008
Craig A. Shue , Minaxi Gupta , Matthew P. Davy, Packet forwarding with source verification, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.52 n.8, p.1567-1582, June, 2008
Changxi Zheng , Lusheng Ji , Dan Pei , Jia Wang , Paul Francis, A light-weight distributed scheme for detecting ip prefix hijacks in real-time, ACM SIGCOMM Computer Communication Review, v.37 n.4, October 2007
Alexandra Boldyreva , Craig Gentry , Adam O'Neill , Dae Hyun Yum, Ordered multisignatures and identity-based sequential aggregate signatures, with applications to secure routing, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
Zheng Zhang , Ying Zhang , Y. Charlie Hu , Z. Morley Mao , Randy Bush, Ispy: detecting ip prefix hijacking on my own, ACM SIGCOMM Computer Communication Review, v.38 n.4, October 2008
Xia Zhao , Fang Fang , Andrew B. Whinston, An economic mechanism for better Internet security, Decision Support Systems, v.45 n.4, p.811-821, November, 2008
Chi-Kin Chau , Jon Crowcroft , Kang-Won Lee , Starsky H.Y. Wong, Inter-domain routing for mobile ad hoc networks, Proceedings of the 3rd international workshop on Mobility in the evolving internet architecture, August 22-22, 2008, Seattle, WA, USA
Andreas Haeberlen , Ioannis Avramopoulos , Jennifer Rexford , Peter Druschel, NetReview: detecting when interdomain routing goes wrong, Proceedings of the 6th USENIX symposium on Networked systems design and implementation, p.437-452, April 22-24, 2009, Boston, Massachusetts

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS

Additional Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.2 Network Protocols
          Subjects: Routing protocols


General Terms:
Performance, Security


Keywords:
BGP, Border Gateway Protocol, interdomain routing, routing, security

Collaborative Colleagues:
Yih-Chun Hu: colleagues
Adrian Perrig: colleagues
Marvin Sirbu: colleagues
This Article has also been published in:

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player