
SECURE ORIGIN BGP (soBGP) draft-ng-sobgp-bgp-extensions-00 Editor: James Ng (jamng@cisco.com)

Presentation Transcript


  1. SECURE ORIGIN BGP (soBGP) • draft-ng-sobgp-bgp-extensions-00 • Editor: James Ng (jamng@cisco.com)

  2. Goals of soBGP

  3. Design Constraints • Signaling mechanism to provide security information should be as flexible as possible • Must be incrementally deployable • Should provide security benefit without the participation of every AS

  4. Design Constraints • Should not rely on routing to secure routing (No external database connection on system initialization is required) • Flexibility should be provided to allow operators to configure the level of security vs. overhead and convergence speed • Minimize impact to current optimizations in the implementation of the BGP protocol

  5. soBGP Doesn’t Protect • Inter-AS (peer to peer) Connections • BGP Attribute authentication • The full validity of the AS_PATH; while an AS_PATH can be checked for correctness, soBGP does not verify that the AS_PATH of any given route has not been modified in transit

  6. Topology Map (diagram: AS1, AS2, AS3, AS4) • If AS3 cuts AS2 out of the path, this would be caught by the proposed construction of a topology map • The topology map is verified using a two way connectivity check • Gaps in the topology map also limit the ability to validate/sanity check the AS_PATH

  7. The Security Message • New BGP message type 7 • Used to carry security information within the protocol (security info can also be transported outside of BGP) • Transmits 3 types of certificates and a request • Negotiated at session startup

  8. Certificate Types • Entity Certificate (Entitycert) • Policy Certificate (Policycert) • Authorization Certificate (Authcert)

  9. Entity Certificate (Entitycert function) • Distributes the public keys • Used to authenticate other security messages • Provides a way to change keys/authentication info without causing routing disruption

  10. Who Signs the Entity Certificates • Authority which issued the AS number • Commercial authority • Any universally known and trusted party in the Internet domain • Web of trust model • Private keys are never transmitted inside or outside the AS

  11. Policy Certificate (Policycert function) • Specifies security options • Communicates level of security requested by Originating AS (Allows Flexibility) • Lists attached AS’ for AS_PATH sanity checking • Also provides a non-disruptive way to invalidate old security information

  12. Authentication Certificate (Authcert function) • Used to authorize an AS to advertise a prefix block • Information is used to build a database the BGP speaker can use to verify the origin of a prefix

  13. soBGP Operation (diagram label: Manually Entered Entity Certificate (Entitycert)) • Begin with a small set of manually configured Entitycerts for well-known parties

  14. soBGP Operation (diagram labels: Manually Entered Entity Certificate (Entitycert); "verifies"; Entity Certificate (Entitycert)) • Entitycerts transmitted in BGP are signed using the private key of a third party AS and are authenticated using the manually configured Entitycerts, or previously authenticated Entitycerts

  15. soBGP Operation (diagram labels: Manually Entered Entity Certificate (Entitycert); Entity Certificate (Entitycert); Policy Certificate (Policycert); Authentication Certificate (Authcert); arrows labelled "verifies") • Public key inside Entitycerts then verifies Policycerts and Authcerts

  16. soBGP Operation (diagram labels: Authorization Certificate (Authcert); Prefix Block – A, B, C) • Authcert contains a list of AS’ authorized to originate an address block • Each prefix is then checked against the Authcert database to verify the correct origin AS

  17. soBGP Operation (diagram labels: Policy Certificate (Policycert); A attached to (X, Y, Z)) • Policycert contains a list of attached AS’ and security policy options • Each AS_PATH can then be sanity checked against the Policycert database • Placing policies in a certificate allows us to expand and change policy options in the future

  18. Certificate Advertisement • Advertisement of certificates is not restricted to the Originating AS • Once an AS generates a certificate, it may be advertised by another AS or third party

  19. Request • Security messages may be filtered for various reasons • The Request message provides the ability to readvertise all security information or just a subset

  20. Aggregation • Aggregation is a problem for any mechanism that uses the AS_PATH to authenticate information • The problem can be avoided by restricting AS’ to only aggregate for prefixes that they are authorized to originate

  21. Next Steps • Modify the WG charter to include BGP Security as a work item. • Wait for requirements document from RPsec. • Possibly form a subgroup to look at BGP security solutions (?).

  22. For Further Discussion • ftp://ftp-eng.cisco.com/sobgp/index.html • Mailing List: sobgp@external.cisco.com • Send request sobgp-approval@cisco.com
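
The origin check from slide 16 and the AS_PATH sanity check from slides 6 and 17, sketched as an added example that is not code from the presentation or the soBGP draft. The dictionary layout, function names, AS numbers, prefixes and the `valid`/`invalid`/`unknown` result labels are assumptions made for illustration, and the databases are assumed to hold only certificates whose signatures were already verified through Entitycerts (slides 13 to 15).

```python
import ipaddress

# Constructed sample databases (hypothetical layout), assumed to be built from
# Authcerts and Policycerts already authenticated with Entitycert public keys.
AUTHCERT_DB = {  # address block -> ASes authorized to originate it
    ipaddress.ip_network("192.0.2.0/24"): {65001},
    ipaddress.ip_network("198.51.100.0/24"): {65004},
}
POLICYCERT_DB = {  # AS -> attached ASes listed in its Policycert
    65001: {65002},
    65002: {65001, 65003},
    65003: {65002, 65004},
    65004: {65003},
}

def check_origin(prefix, as_path, authdb=AUTHCERT_DB):
    """Check the origin AS (last AS_PATH element) against the Authcert database."""
    net = ipaddress.ip_network(prefix)
    covering = [b for b in authdb if b.version == net.version and net.subnet_of(b)]
    if not covering:
        return "unknown"            # no Authcert covers this prefix
    origin = as_path[-1]
    return "valid" if any(origin in authdb[b] for b in covering) else "invalid"

def check_path(as_path, policydb=POLICYCERT_DB):
    """Sanity check every AS_PATH hop with a two-way connectivity check."""
    result = "valid"
    for a, b in zip(as_path, as_path[1:]):
        if a == b:
            continue                # AS prepending, not a hop
        if a not in policydb or b not in policydb:
            result = "unknown"      # gap in the topology map: hop cannot be checked
            continue
        if b not in policydb[a] or a not in policydb[b]:
            return "invalid"        # the two ASes do not both list each other
    return result

def validate(prefix, as_path):
    """Run both checks on one received route."""
    return {"origin": check_origin(prefix, as_path), "path": check_path(as_path)}

if __name__ == "__main__":
    print(validate("192.0.2.0/24", [65004, 65003, 65002, 65001]))  # intact path
    print(validate("192.0.2.0/24", [65004, 65003, 65001]))         # 65002 cut out
    print(validate("192.0.2.0/24", [65004, 65003, 65002]))         # wrong origin
```

As slide 5 states, a path that passes these checks is only plausible: nothing here shows that the AS_PATH was not modified in transit.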
