DOI: 10.1145/1966913.1966927
research-article

Enhancing the trust of internet routing with lightweight route attestation

Published: 22 March 2011

Abstract

The weak trust model in Border Gateway Protocol (BGP) introduces severe vulnerabilities for Internet routing, including active malicious attacks and unintended misconfigurations. Although various secure BGP solutions have been proposed, they share similar weaknesses such as high complexity of security enforcement and incapability of data-plane attack prevention. We propose TBGP, a trusted BGP scheme aiming to achieve high authenticity of Internet routing with a simple and lightweight attestation mechanism. TBGP introduces a set of route update and withdrawal rules that, if correctly enforced by each router, can guarantee the authenticity and integrity of route information that is announced to other routers in the Internet. Through this, TBGP builds a transitive trust relationship among all routers on a routing path. We implement a prototype of TBGP to investigate its practicality. In our implementation, we use identity-based signature (IBS) and trusted computing (TC) techniques to further reduce the complexity of security operations. The performance study shows that TBGP can achieve significantly better convergence performance and lower computation overhead than existing secure BGP solutions.

Cited By

  • (2015) A survey on the recent efforts of the Internet Standardization Body for securing inter-domain routing. Computer Networks: The International Journal of Computer and Telecommunications Networking, 80:C (1-26). DOI: 10.1016/j.comnet.2015.01.017. Online publication date: 7-Apr-2015
  • (2014) Diagnosis of route leaks among autonomous systems in the Internet. 2014 International Conference on Smart Communications in Network Technologies (SaCoNeT) (1-6). DOI: 10.1109/SaCoNeT.2014.6867765. Online publication date: Jun-2014
  • (2012) Relieve Internet Routing Security of Public Key Infrastructure. 2012 21st International Conference on Computer Communications and Networks (ICCCN) (1-9). DOI: 10.1109/ICCCN.2012.6289235. Online publication date: Jul-2012

    Published In

    ASIACCS '11: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
    March 2011
    527 pages
    ISBN:9781450305648
    DOI:10.1145/1966913

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. BGP
    2. hijacking
    3. prevention
    4. routing
    5. secure BGP

    Qualifiers

    • Research-article

    Conference

    ASIA CCS '11

    Acceptance Rates

    ASIACCS '11 Paper Acceptance Rate 35 of 217 submissions, 16%;
    Overall Acceptance Rate 418 of 2,322 submissions, 18%

    Article Metrics

    • Downloads (last 12 months): 9
    • Downloads (last 6 weeks): 0
    Reflects downloads up to 01 Mar 2025
