Kyoungha Kim
ABSTRACT
The Internet consists of a large number of interconnected Autonomous Systems (ASes) which exchange their routes using Border Gateway Protocol (BGP). However, it was originally designed to operate in a trusted environment, and there are no internal mechanisms to protect the information it carries. We have implemented RTR-BIRD, which is an enhancement of BIRD software router to interact with RTRPKI which is another implementation of us to allow RTR-BIRD to support origin validation using Resource Public Key Infrastructure (RPKI). In contrast to QuaggaSRx that is the only one RPKI-capable software router implementation at this time, our implementation enables users to access an empirical cache rather than a virtual cache which is implemented by National Institute of Standards and Technology (NIST) and resides in a local. Subsequently, RTR-BIRD can be exploited for practical testing in software-based routing environment against QuaggaSRx. Our main contribution here is that we have developed the originator which not only makes a software router (BIRD) interact with RPKI but also shares a validated cache as well as Route Origin Authorizations (ROAs) of the cache with the other software routers. We also expect that RTR-BIRD is faster than QuaggaSRx as much as the difference in performance between the deployed and latest version of BIRD and that of Quagga. It's because an algorithm theoretically shows the same performance in a same situation, and each origin validation scheme of RTR-BIRD and QuaggaSRx, each of which is implemented based on the same standard defined by IETF, is equivalent to each other.
- A. Barbir. RFC 4593: Generic Threats to Routing Protocols. http://tools.ietf.org/html/rfc4593, October 2006.Google Scholar
- R. Barrett. Routing snafu causes Internet Outage. Interactive Week Magazine. 1997.Google Scholar
- I. Beijnum. BGP: Building Reliable Networks with the Border Gateway Protocol. O' Reilly, Border Gateway Protocol, 2002. Google ScholarDigital Library
- S. Bellovin. IETF Internet Draft: Security Requirements for BGP Path Validation. http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-reqs-01, October 2011.Google Scholar
- V. J. Bono. NANOG Email: 7007 Explanation and Apology. http://www.merit.edu/mail.archives/nanog/1997-04/msg00444.html, April 1997.Google Scholar
- R. Bush. RFC 6810: The Resource Public Key Infrastructure (RPKI) to Router Protocol. https://datatracker.ietf.org/doc/rfc6810/, January 2013.Google Scholar
- K. Butler, T. R. Farley, and P. McDaniel. A Survey of BGP Security Issues and Solutions. In In Proceedings of the IEEE, pages 100--122. IEEE, January 2010.Google ScholarCross Ref
- M. Caesar and J. Rexford. BGP routing policies in ISP networks. IEEE Network, 19(6):5--11, November 2005. Google ScholarDigital Library
- CZ.NIC Labs. Bird internet routing daemon. http://bird.network.cz/.Google Scholar
- Department of Homeland Security (DHS). The National Strategy to Secure Cyberspace. http://www.us-cert.gov/sites/default/files/publications/cyberspace_strategy.pdf, 2003.Google Scholar
- O. Filip. BIRD Internet Routing Daemon. http://www.nanog.org/meetings/nanog48/presentations/Monday/Filip_BIRD_final_N48.pdf, 2010.Google Scholar
- T. Griffin, F. Shepherd, and G. Wilfong. The stable paths problem and interdomain routing. IEEE/ACM Transactions on Networking (TON), 10(2):232--243, April 2002. Google ScholarDigital Library
- J. Hawkinson and T. Bates. RFC 1930: Guidelines for Creation, Selection, and Registration of an Autonomous System (AS). http://datatracker.ietf.org/doc/rfc1930/, March 1996. Google ScholarDigital Library
- X. Hu and Z. Mao. Accurate Real-time Identification of IP Prefix Hijacking. In In Proceedings of the 2007 IEEE Symposium on Security and Privacy, pages 3--17. IEEE Computer Society, May 2007. Google ScholarDigital Library
- G. Huston. RFC 6483: Validation of Route Origination using the Resource Certificate Public Key Infrastructure (PKI) and Route Origin Authorizations (ROAs). http://tools.ietf.org/html/rfc6483, November 2010.Google Scholar
- G. Huston, M. Rossi, and G. Armitage. Securing BGP - A Literature Survey. IEEE Communications Surveys and Tutorials, 13(2):199--222, May 2010.Google ScholarCross Ref
- INET research group at the Hamburg University of Applied Sciences and the CST research group at Freie University Berlin. RTRlib. http://rpki.realmv6.org/.Google Scholar
- S. Kent, C. Lynn, and J. Mikkelson. Secure Border Gateway Protocol (S-BGP). IEEE Journal on Selected Areas in Communications, 18(4):582--592, August 2002. Google ScholarDigital Library
- E. Kranakis, P. Oorschot, and T. Wan. On inter-domain routing security and pretty secure BGP (ps-BGP). ACM Transactions on Information and System Security (TISSEC), 10(3):1--41, July 2007. Google ScholarDigital Library
- M. Lepinski. RFC 6482: A Profile for Route Origin Authorizations (ROAs). http://tools.ietf.org/html/rfc6482, February 2010.Google Scholar
- M. Lepinski. IETF Internet Draft: An Overview of BGPSEC. http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-overview-03, July 2013.Google Scholar
- C. Lynn. IETF Internet Draft: Secure BGP (S-BGP). http://tools.ietf.org/html/draft-clynn-s-bgp-protocol-01, 2003.Google Scholar
- C. Lynn. RFC 3779: X.509 Extensions for IP Addresses and AS Identifiers. http://tools.ietf.org/html/rfc3779, June 2004.Google Scholar
- R. Mahajan, D. Wetherall, and T. Anderson. Understanding BGP Misconfiguration. In In Proceedings of the 2002 SIGCOMM conference, pages 3--16. ACM Press, October 2002. Google ScholarDigital Library
- D. Meyer. Routeviews. http://www.routeviews.org/, January 2005.Google Scholar
- D. Montgomery and S. Murphy. Toward Secure Routing Infrastructures. IEEE Security and Privacy, 4(5):84--87, September 2006. Google ScholarDigital Library
- S. Murphy. RFC 4272: BGP Security Vulnerabilities Analysis. http://datatracker.ietf.org/doc/rfc4272/, January 2006.Google Scholar
- NIST. Bgp secure routing extension (bgp-srx). http://www-x.antd.nist.gov/bgpsrx/.Google Scholar
- North American Network Operators Group (NANOG). http://www.nanog.org, 1994.Google Scholar
- T. Paseka. Cloudflare Blog: Why Google went offline today and a bit about how the Internet works. http://blog.cloudflare.com/why-google-went-offline-today-and-a-bit-about, November 2012.Google Scholar
- B. Quotin, C. Pelsser, and O. Bonaventure. A performance evaluation of BGP-based traffic engineering. International Journal of Network Management, 15(3):177--191, May 2005. Google ScholarDigital Library
- Y. Rekhter, T. Li, and S. Hares. RFC 4271: A Border Gateway Protocol 4 (BGP-4). http://datatracker.ietf.org/doc/rfc4271/, January 2006.Google Scholar
- RIPE NCC. Resource Certification. http://ripe.net/certification/.Google Scholar
- RIPENCC. RPKI Validator. http://195.13.63.18:8080/trust-anchors/.Google Scholar
- RIPE NCC. RIPE NCC News: YouTube Hijacking: A RIPE NCC RIS case study. http://www.ripe.net/internet-coordination/news/industry-developments/youtube-hijacking-a-ripe-ncc-ris-case-study, March 2008.Google Scholar
- Savannah Project team. Quagga Routing Suite. http://www.nongnu.org/quagga/.Google Scholar
- Secure Inter-Domain Routing (SIDR) Working Group. http://www.ietf.org/html.charters/sidr-charter.html, 2006.Google Scholar
- T. Underwood. Rensys Blog: Con-Ed Steals the 'Net occurred on Jan 22nd. http://www.renesys.com/2006/01/coned-steals-the-net/, January 2006.Google Scholar
- D. Vieira. A Survey of BGP Session Maintenance Issues and Solutions. Network Protocols and Algorithms, 2(1):132, March 2010.Google ScholarCross Ref
- Vyatta. Vyatta virtual router. http://www.vyatta.com/.Google Scholar
- T. Wan and V. Oorschot. Analysis of BGP Prefix Origins during Google's May 2005 Outage. In Proceedings of the 20th International Parallel and Distributed Processing Symposium (IPDPS) on Security in Systems and Networks, April 2006. Google ScholarDigital Library
- F. Wang. On inferring and characterizing internet routing policies. IEEE Journal of Communications and Networks, 9(4): 350--355, December 2007.Google ScholarCross Ref
- R. White. Securing BGP through secure origin BGP (soBGP). Internet Protocol Journal, 6:15--22, May 2003.Google Scholar
- Y. Xiang, Z. Wang, and J. Wu. Sign what you really care about - Secure BGP AS-paths efficiently. Elsevier Computer Networks, 57(10):2250--2265, July 2013. Google ScholarDigital Library
- XORPteam. Xorp. http://www.xorp.org/.Google Scholar
- M. Yannuzzi, X. Masip-Bruin, and O. Bonaventure. Open Issues in Interdomain Routing: A Survey. IEEE Network, 19(6):49--56, November 2005. Google ScholarDigital Library
- M. Zhao, S. Smith, and D. Nicol. The Performance Impact of BGP Security. IEEE Netowrk, 19(6):42--48, November 2005. Google ScholarDigital Library
- P. Zhu, H. Cao, and L. T. Yang. AS Alliance based security enhancement for inter-domain routing protocol. Elsevier Mathematical and Computer Modelling, 55(1-2):241--255, January 2012.Google ScholarCross Ref
Index Terms
- The security appliance to BIRD software router
Recommendations
Evaluating the performance impact of RTR-BIRD in origin validation
RACS '14: Proceedings of the 2014 Conference on Research in Adaptive and Convergent SystemsRTR-BIRD we previously developed is the only software router that is not only capable of the resource public key infrastructure (RPKI) but able to access the route origin authorizations (ROAs) in the practical validated cache. Although RTR-BIRD ...
Inter-domain collaborative routing (IDCR): Server selection for optimal client performance
Communication between institutions, or domains, residing in the Internet requires a route to be created between the routing domains. Each of these domains is controlled by a single administrative authority, and is referred to as an autonomous system (AS)...
BGP convergence delay after multiple simultaneous router failures: Characterization and solutions
Border Gateway Protocol (BGP) is the default routing protocol between various autonomous systems (AS) in the Internet. In the event of a failure, BGP may repeatedly withdraw routes to some destinations and advertise new ones until a stable state is ...
Comments