Moreover, the design and ubiquity of BGP has frustrated past efforts at securing intermediation routing. This paper considers the vulnerabilities currently existing within intermediation routing and surveys works relating to BGP security. The limitations and advantages of proposed solutions are explored, and the systemic and operational implications of their designs considered. We note that no current solution has yet found an adequate balance between comprehensive security and deployment cost.
This work calls not only for the application of ideas described within this paper, but also tort further investigation into the problems and solutions to BGP security. Index Terms authentication, authorization, BGP, border gateway protocol, integrity, intermediation routing, network security, networks, routing l. I INTRODUCTION The Internet is a global, decentralized network comprised of many smaller interconnected networks Networks are largely comprised of end systems, referred to as hosts, and intermediate systems, called routers.
Information travels through a network on one of many paths, which are selected through a routing process. Routing protocols communicate respectability information (how to locate Other hosts and routers) and ultimately perform path selection. A network under the administrative control of a single organization is called an autonomous system (AS) The process Of routing Within an AS is called antinomian routing, and routing benzene Asses is called intermediation routing.
The dominant interdiction routing protocol on the Internet is the Border Gateway Protocol (BGP) [21. BGP has been deployed since the centralization of the Internet, and version 4 of the protocol has been in wide use for over a decade. BGP generally works well in practice, and its simplicity and resilience have enabled it to play a fundamental role within the global Internet [3], despite roving no performance or security guarantees. Unfortunately, the limited guarantees provided by BGP sometimes contribute to serious instability and outages. While many routing failures have limited impact and scope, others may lead to significant and widespread damage. One such tailored occurred on 25 April 1 997, when a misconstrued router maintained by a small service provider in Florida injected incorrect routing information into the global Internet and claimed to have optimal connectivity to all Internet destinations.
Because such statements were not validated in any way, they were widely accepted. As a August 7, 2008 DRAFT result, most Internet traffic was routed to this small ISP. The traffic overwhelmed the misconstrued and intermediate routers, and effectively crippled the Internet for almost two hours Several similar incidents have taken place in recent years [51, including a major outage caused by Coned (61 and an outage for the popular Youth site (http://www. Youth. Com/) caused by Pakistan Telecoms 171. In addition, "spammed” (i. E. People sending spam e-mail) sometimes introduce false information into ESP. to enable them to exchange e-mail with mail rivers using unallocated IP addresses that are hard to trace Introducing false information into BGP is also an effective way for an attacker to snoop on traffic en route to a legitimate destination, impersonate a Wee site (e. G. , to perform identity theft), or block access to certain sites [9]. These attacks and misconstructions can Gauge anything from an inconsequential annoyance to a devastating communications failure.
For example, critical applications such as online banking, stock trading, and telekinetic run over the Internet. Significant harm may arise if communication is lost at a crucial time. As the number of radical applications on the Internet grows, so will the reliance on the underlying network infrastructure to provide reliable and secure services. Consequently, there is great interest in increasing the security of BGP, as it is essentially the glue that holds the disparate parts of the Internet together.
For example, the United States government cites BGP security as part of the national strategy to secure cyberspace [1[10]In addition, the Internet Engineering Task Force (IETF) has working groups focusing on Routing Protocol Security Requirements [I[I I]nd Secure Intermediation Routing [1[121 to investigate these security issues and fine practical solutions. BGP security is also a prominent topic at network operator meetings and mailing lists, such as the North American Network Operators Group (MANGO) [13]/p>
Current research on BGP focuses on exposing and resolving both operational and security concerns. Operational concerns relating to BGP, such as scalability, convergence delay (i. E. , the time required for all routers to have a consistent view of the network), routing stability, and performance, have been the subject of much effort. Similarly, much of the contemporary security research has focused on the integrity, confidentiality, authentication, authorization, and validation of BGP messages.
These two fields of operational issues and security research are inherently connected. Successes and tailored in each domain are interactive to both communities. This paper explores operational practice, standards activity, and ongoing research in intermediation routing security, exposing the similarities and differences in the proposed approaches to building a more secure Internet infrastructure. The next section provides a brief overview of intermediation routing and BGP.
Subsequent sections examine today’s security practices and longer-term solutions for secure immoderation routing. II. B ORDER G TIDEWAY P ROTATOR The Internet consists of tens of thousands of Autonomous Systems (Asses) that use the Border Gateway Protocol (BGP) to exchange information about how to reach blocks of destination IP addresses (called IP prefixes). BGP is an incremental protocol-?a BGP-speaking router sends an announcement message even a new route is available, and a withdrawal message When a route no longer exists.
BGP is also a path-vector protocol, where each AS adds its AS number to the beginning of the AS path before advertising the route to the next AS. Each router selects a single best BGP route for each destination prefix and may apply complex policies for selecting a route and deciding August 7, 2008 DRAFT ICANN 12. 0-0. 0/8 202. C. o. On AT 120. 0-0/8 202. 12. 128. 0/18 211. 120. 0. 0/12 SAAB’S 202. 12. 128. 0/18 ASSESS TALLEST JOPLIN 211. 120. 132. 0/22 SONY 211. 120. 132. 0/22 ASSESS PANIC 210. 0. 0. 0’7 An example of address delegation from the root (IANA) to regional and national registries. Whether to advertise the route to a neighboring router in another AS, In this section, we present an overview of intermediation routing in the Internet and scribe how most of Bag’s security problems stem from (i) uncertainty about the relationship between IP prefixes and the AS numbers of the Asses vivo manage them, (ii) the use of the Transmission Control Protocol (TCP) as the underlying transport protocol, and (iii) the potential to tamper with route announcements in order to subvert BGP routing policy.
A. IP Prefixes and AS Numbers An IP address is a 32-bit number, typically represented in dotted- decimal notation With a separate integer for each Of the four octets. Addresses are assigned to institutions in blocks of contiguous addresses, represented by he first address and a mask length. For example, the prefix 1920. 20/24 contains all addresses where the first three octets are 192, O, and 2-?the 256 addresses 192. 0-2. 0 to 1920. 2255.
Allocating addresses in blocks leads to smaller routing tables and fewer route advertisements, as most routers need only know how to direct traffic toward the block of addresses, rather than storing separate routing information for every IP address, Since prefixes have variable length, one IP prefix may be completely contained within another. For example, a router may have routing information for two prefixes 211. 120. 0/12 and where the first prefix completely covers the second one.
To decide how to forward a data packet, an IP router identifies the longest prefix that matches the destination IP address. For example, a packet with destination IP address would match 211 , 1 20, 1320/22, since this prefix is more specific than 211. 12000/12. Initially, institutions received address assignments directly from the Internet Assigned Numbers Authority (IANA), and later from the Internet Corporation for Assigned Names and Numbers (ICANN). More recently, ICANN began to delegate this responsibility to address registries responsible for efferent parts of the world.
For example, the American Registry for Internet Numbers (ARIN) manages the IP address assignments for North America, whereas the R ; Essex IP Europe en’s (RIPE) assigns much of the address space for Europe, the Middle East, and North e E Africa; the Asia-Pacific Network Information Center (PANIC) assigns IP addresses in Asia and the Pacific Rim, the Latin American and Caribbean Internet Address Registry (LACTIC) distributes address space through the Latin August 7, 2008 DRAFT 12. 34-0. 0/16: AS AS 3 AS 4 AS 3 12,34. 0. /16: AS AS 4 AS 2 AS 7 AS 5 AS 2 AS 5 AS 7 12. 4. 0. 0/16: AS 6 12. 34. 0. 0/16: AS AS 1 ASS 12,34. 0. 0/16: AS 1 AS 6 (a) Regular advertisement from AS 6, (b) Malicious advertisement from AS l. Pig. 2. Announcement of prefix originating from the valid AS 6 and from a malicious AS 1. AS 2 and 3 will prefer the malicious advertisement from AS I because the path length will be shorter than the valid advertisements from AS American and Caribbean regions, and the African Internet Numbers Registry (African) serves the African region.
These regional registries can assign IP addresses directly to organizations or other registries, including national strategies and Internet Service Providers that may, in turn, assign smaller portions of the address block to other institutions. Figure 1 shows an example of address delegation. Here, ICANN delegates the large address block 210. 0-0. 0/7 to PANIC, which delegates 21 1. 120. 0. 0/12 to the Japan Network Information Center OPINION), which in turn assigns 211. 120. 132. 0/22 to Sony.
Sony can then perform further delegation based on its organizational setup. Autonomous Systems are assigned AS numbers (Sans) in a similar manner, with ICANN serving as the ultimate authority for delegating numbers. AS numbers from 1 to 6451 1 are public and have Internet-wide scope, requiring each number to correspond to a single AS. For example, Sony has been assigned AS number 2527. In contrast, some companies have multiple Asses. For example, AS 701 corresponds to Minuet’s North American backbone, whereas AS 702 corresponds to Minuet’s European backbone.
Public AS numbers can appear in the AS-path attribute of BGP advertisements, However, many institutions do not need a unique AS number. For example, an Autonomous System may connect to a single upstream network that bears sole responsibility for providing connectivity to the rest of the Internet. The customer AS may be assigned a private AS number in the range 64512-65535 for communicating via BGP faith its provider The provider’s routers would then advertise the BGP routes on behalf of this customer, without including the private AS number in the path.