Lack of security mechanisms expose the Border Gateway Protocol (BGP) to a wide range of threats that are constantly undermining security of the Internet. Most prominent attacks include prefix hijacking and announcement of false routes to maliciously attract or divert traffic. A number of cryptographic solutions to prevent both attacks have been proposed but have not been adopted due to involved operations and considerable overhead. Most of them rely on digital signatures to authorize Autonomous Systems to propagate route announcements. Surprisingly, the scientific community has devoted only little interest to the problem of revocation in BGP. In particular, BGP systems based on Public Key Infrastructure allow to revoke an Autonomous System by revoking its public key certificate. However, there seem to be no solution for selective revocation of AS-path announcements. This paper introduces reBGP, an enhanced version of BGP that leverages Identity Based Cryptography to secure BGP with minimal overhead. reBGP prevents prefix hijacking and false route announcement through Aggregate Identity Based Signatures and provides an effective revocation means to invalidate AS-path announcements. reBGP enjoys a constant overhead to verify authenticity of routes and does not require a Public Key Infrastructure. Extensive testing of our implementation, show that our proposal represents a practical solution to secure BG
Relieve internet routing security of public key infrastructure / Mancini, Luigi Vincenzo; Spognardi, Angelo; Claudio, Soriente; Villani, Antonio; Vitali, Domenico. - STAMPA. - (2012), pp. 1-9. (Intervento presentato al convegno 21st IEEE International Conference on Computer Communications and Networks tenutosi a Munich, Germany nel July 2012) [10.1109/ICCCN.2012.6289235].
Relieve internet routing security of public key infrastructure
MANCINI, Luigi Vincenzo;SPOGNARDI, Angelo;VILLANI, Antonio;VITALI, Domenico
2012
Abstract
Lack of security mechanisms expose the Border Gateway Protocol (BGP) to a wide range of threats that are constantly undermining security of the Internet. Most prominent attacks include prefix hijacking and announcement of false routes to maliciously attract or divert traffic. A number of cryptographic solutions to prevent both attacks have been proposed but have not been adopted due to involved operations and considerable overhead. Most of them rely on digital signatures to authorize Autonomous Systems to propagate route announcements. Surprisingly, the scientific community has devoted only little interest to the problem of revocation in BGP. In particular, BGP systems based on Public Key Infrastructure allow to revoke an Autonomous System by revoking its public key certificate. However, there seem to be no solution for selective revocation of AS-path announcements. This paper introduces reBGP, an enhanced version of BGP that leverages Identity Based Cryptography to secure BGP with minimal overhead. reBGP prevents prefix hijacking and false route announcement through Aggregate Identity Based Signatures and provides an effective revocation means to invalidate AS-path announcements. reBGP enjoys a constant overhead to verify authenticity of routes and does not require a Public Key Infrastructure. Extensive testing of our implementation, show that our proposal represents a practical solution to secure BGI documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.