DOI: 10.5555/2372336.2372340

Towards a framework for evaluating BGP security

Published: 06 August 2012

Abstract

Security and performance evaluation of Internet protocols can be greatly aided by emulation in realistic deployment scenarios. We describe our implementation of such methods, which uses high-level abstractions to bring simplicity to a virtualized test-lab.
We argue that current test-labs have not adequately captured those challenges, partly because their design is too static. To achieve more flexibility and to allow the experimenter to easily deploy many alternative scenarios, we need abstractions that allow auto-configuration and auto-deployment of real router and server code in a multi-AS infrastructure. We need to be able to generate scenarios for multi-party players in a fully isolated emulated test-lab and deploy the network using virtualized routers, switches, and servers.
In this paper, our abstractions are specifically designed to evaluate the BGP security framework currently being documented by the IETF SIDR working group. We capture the relevant aspects of the SIDR security proposals, and allow experimenters to evaluate the technology in topologies of real router and server code. We believe such methods are also useful for teaching newcomers and operators, as they allow them to gain experience in a sandbox before deployment. They allow security experts to set up controlled experiments at various levels of complexity and to concentrate on discovering weaknesses, instead of having to spend time on tedious configuration tasks. Finally, they allow router vendors and implementers to test their code and to perform scalability evaluation.

Published In

CSET'12: Proceedings of the 5th USENIX conference on Cyber Security Experimentation and Test
August 2012
12 pages
Program Chairs: Sean Peisert, Stephen Schwab

Publisher

USENIX Association, United States
