Efficient BGP Security

Presentation Transcript


  1. Efficient BGP Security • Meiyuan Zhao, Sean Smith (Dartmouth College) • David Nicol (University of Illinois, Urbana-Champaign)

  2. Motivation • BGP—central routing for the Internet • BGP lacks security • Black holes • Disconnected networks • Suboptimal routes • … • Secure BGP • Deployment difficulties • Processing overheads • Storage demands • PKIs • Goal • Efficient AND practical security 63rd IETF - Paris, FRANCE

  3. Outline • Overview • BGP • S-BGP • Path authentication • PKI and origin authentication • Discussion • Conclusions

  4. Border Gateway Protocol (BGP) • Inter-domain routing protocol • Mainly between autonomous systems (ASes) • Updates are in the form of route announcements (AS_PATH, prefix) • AS_PATH: a sequence of AS numbers, e.g., “500 300 100” • prefix: a range of IP addresses, e.g., 129.170.0.0/16 [Figure: ASes 1 to 5; announcements for prefix p labelled {1}, p; {2, 1}, p; and {3, 2, 1}, p (shown twice)]

  5. Secure BGP (S-BGP) • Attestations • Route Attestations—authenticate AS path • Address Attestations—authorization of IP address ownership • Public key infrastructures • Certificates for routers • Certificates for address ownership [Figure labels: AS path, Prefix, Route Attestations (RAs), Address Attestations (AAs), Public Key Infrastructures (PKIs)]

  6. Outline • Overview • Path authentication • S-BGP RAs • Aggregated Path Authentication • Performance evaluation • PKI and origin authentication • Discussion • Conclusions

  7. S-BGP Route Attestations (RAs) • Router signs (AS path, prefix, next_hop) • Sends all previous signatures • Verify AS path {1, 2, 3} • Needs 3 signatures • Sign AS path {1, 2, 3} • Creates n signatures • Signature Algorithm—DSA • Caching optimization [Figure: routers 1, 2, 3, 4 in a chain; the update carries the signed tuple (1, p, 2), then (1, p, 2) and (2, 1, p, 3), then (1, p, 2), (2, 1, p, 3) and (3, 2, 1, p, 4); resulting route p, {3, 2, 1}]

  8. Performance Problems • Time • Processing latency 230% longer • Space • Message size: 800% longer • Memory cost: > 10 times more • For Attestations & Certificate database • Current routers: 128MB or 256MB RAM

  9. Signature Amortization (S-A) • Fast signature verification—RSA • Fewer signature signings—amortized cost • Bit vectors (indicating recipients) • Merkle hash trees • Auxiliary values for each signature [Figure labels: router output buffers; grouped messages m1 B1, m2 B2, mk Bk; aggregated hash] Reference: Nicol, Smith, and Zhao. “Evaluation of efficient security for BGP route announcements using parallel simulation”. Simulation Modelling Practice and Theory Journal, Vol. 12, Issue 3—4, 2004

  10. Aggregate Signatures • k signers {s1, s2, …, sk}, k messages {m1, m2, …, mk}, one aggregate signature s • One aggregate signature for entire AS path [Figure: tuples (1, p, 2), (2, 1, p, 3) and (3, 2, 1, p, 4) under one aggregate signature s] Reference: Boneh et al. “A Survey of Two Signature Aggregation Techniques”. RSA CryptoBytes 2003

  11. Aggregate Signature Variants • General aggregate signature (GAS) • Based on BLS short signature on • Anyone can aggregate • in any ordering • Takes k+1 pairing calculations for verifying • Sequential aggregate signature (SAS) • Based on homomorphic trapdoor permutation • AggrSign by signers only • Must be in sequence • Takes k layers of verification • Advantage—save space!

  12. Aggregated Path Authentication • Aggregated Path Authentication • Signature Amortization + Aggregate Signature • Efficient on time AND space

  13. Aggregated Path Authentication • Vector-based • SAS-V: s1 ← AggrSign(0, h(m1)); s2 ← AggrSign(s1, h(m2)); s3 ← AggrSign(s2, h(m3)) • GAS-V: s3 = si = s1s2s3 = s1s2s3 = s2s3 • Tree-based (GAS-T and SAS-T) [Figure: routers R1, R2, R3 with messages m1 = (1, p, “1110”), m2 = (2, 1, p, “1011”), m3 = (3, 2, 1, p, “1101”); signatures s1, s2, s3 and aggregate s]

  14. Outline • Overview • Path authentication • S-BGP RAs • Aggregated Path Authentication • Performance evaluation • Methodology • Performance • PKI and origin authentication • Discussion • Conclusions

  15. Evaluation Methodology • AS-level network simulation—110 ASes • BGP router under stress—router reboot • Metrics • Speed—BGP convergence time • Signature memory overheads • Message size • SSFNet simulator • Benchmarks • OpenSSL • Algorithm decomposition for GAS and SAS

  16. Benchmarks

  17. Number of Signing Operations • S-BGP: 22,072/11,521 signings • Decreases 98.5% [Chart: number of signing operations; series labels (SW), (SW), (HW), (HW)]

  18. Path Authentication Convergence [Chart: convergence time in seconds; annotations 230.2%, 3.4%, 46%; series labels (SW), (SW), (HW), (HW)]

  19. Path Authentication Message Size • GAS-V—66% shorter messages! • Tree construction—inefficient [Chart: average and maximum message size in bytes]

  20. Path Auth Performance—Memory • GAS-V—saves 73% memory for signatures! [Chart: signature memory in kilobytes]

  21. Performance Competition • Winner: GAS-V • Fast convergence, decreasing 32% / 69% • Short Update messages, decreasing 66% • Economic on signature memory, decreasing 72%

  22. Outline • Overview • Path authentication • PKI and origin authentication • Design • Performance • Discussion • Conclusions

  23. Secure BGP (S-BGP) • IP address owners create AAs • X.509 Certificates for IP address allocation • (prefix1, …, prefixk, orgy) address assignment • Routers create RAs • X.509 Certificates for AS# and Routers • (AS, AS#, PK) binding • (RtrID, AS#, PK) binding [Figure labels: AS path, Prefix, Route Attestations (RAs), Address Attestations (AAs)]

  24. S-BGP PKIs • Match existing infrastructures [Figure: two hierarchies. IP Address Allocation: ICANN; APNIC, ARIN, RIPE, …; AT&T, …; ISP / DSP / Subscribers; Subscribers (IP address blocks). AS number assignment & Binding a Router to an AS: ICANN; APNIC, ARIN, RIPE, LACNIC; Organizations (AS numbers); AS numbers and RtrID, with (ASk, ASNs) and (RtrID, ASN)]

  25. S-BGP Address Attestations (AAs) • {prefix list, ASN} orgx • Authorize ASes to originate routes • CAs prepare and distribute AAs • Long-lived, need revocation [Figure: IP address block hierarchy: ICANN; APNIC, ARIN, RIPE, …; AT&T, …; ISP / DSP / Subscribers; Subscribers]

  26. Evaluate PKI • PKI model • ASes, Routers, Organizations, CAs, Directories, and OCSP responders • Routers trust the roots, and OCSP responders; may trust other CAs as well • Check certificate revocation status • OCSP—sequential or parallel requests • CRLs (fetch fresh copies)

  27. AA Performance—OCSP requests • ≈ 68,000 OCSP requests [Chart: Convergence Time of OCSP Requests, in seconds]

  28. AA Performance—CRLs fetching [Chart: Convergence Time of CRL Fetching]

  29. PA PKI Performance—OCSP Requests • ≈ 88,000 OCSP requests [Chart: Convergence Time of OCSP Requests, in seconds]

  30. PA PKI Performance—CRLs Fetching [Chart: Convergence Time of CRL Fetching]

  31. Real-world Deployment • Certificate database: 75—85 MB [Kent:CMS03] • RouteViews table dump (209MB) • 162,237 prefixes • 2,011,005 routes, avg. path length 4.1 • S-BGP signatures: 393MB • GAS-V cache: 108MB • Decreases 72% signature memory cost • Overall memory decrease: 60% • S-BGP RAs: 30—35MB per peer [Kent:CMS03] • Problem for routers at Internet exchange > 1GB Reference: Kent. “Securing the Border Gateway Protocol: A Status Update”. IFIP TC-6 TC-11, 2003

  32. ECDSA • S-BGP uses ECDSA • Shorter key size • Same signature length • Faster signing • Slower verification

  33. Conclusions • Efficient path authentication • Aggregated Path Authentication • Efficient on time and space • PKI performance impact • OCSP vs. CRLs • Practical issues • Certificate database • Memory demands • ECDSA

  34. Thank you! Email zhaom@cs.dartmouth.edu Homepage http://www.cs.dartmouth.edu/~zhaom • Sun Microsystems • Mellon Foundation • Cisco Systems • Intel Corporation • NSF • DoJ/DHS

  36. Related Work • S-BGP [Kent:NDSS00, Kent:CMS03] • OASim [Aiello:CCS03] • psBGP [Wan:NDSS05] • Listen and Whisper [Subramanian:NSDI04] • Symmetric cryptography • Potentially more efficient • Key distribution [Goodrich00] • Time synchronization [Hu:SIGCOMM04]

  37. General Aggregate Signatures • Bilinear map • Bilinear: for all and • Non-degenerate: • Key pair • Sign • Verify • Aggregation • Aggregate Verify • Implementation: Tate pairing, Weil pairing Reference: Boneh et al. “Aggregate and Verifiably Encrypted Signatures from Bilinear Maps”. Eurocrypt 2003

  38. Performance Competition • Winner: GAS-V • Fast convergence, decreasing 32% / 69% • Short Update messages, decreasing 66% • Economic on signature memory, decreasing 72% • Further improvements? • Hardware accelerator • Parallelization [Annotation: AS path length: 3.7/11]

  39. Origin Authentication (OA) • Short-lived attestations • Possible in-band transmission for address delegation paths • Variants • OA-Simple {(p, org)}K • OA-List {(p1, org1), (p2, org2), …, (pi, orgi)}K • OA-AS-List {(p1, p2, …, pk, org)}K • OA-Tree Merkle hash tree, leaves: (pi, orgi) [Figure: IP address block hierarchy: IANA; APNIC, ARIN, RIPE, …; AT&T, …; ISP / DSP / Subscribers; AS1, AS2, …, ASk] Reference: Aiello, Ioannidis, and McDaniel. “Origin Authentication in Interdomain Routing”. CCS03

  40. OA Signature Performance—Storage • Different costs on memory and message size • OA-AS-List is most efficient • Possible in-band transmission

  41. OA Signature Performance—Convergence • Slightly slows down convergence time [Chart: convergence time in seconds]

  42. Certificate Distribution • Scale • 197,709 active prefixes • 19,357 unique ASes • >50,000 organizations • BGP Update message MTU: 4KB • S-BGP X.509 Certificates: 600 bytes • Store certificates/CRLs locally • >200MB

  43. Aggregate Signatures • k signers {s1, s2, …, sk}, k messages {m1, m2, …, mk}, one aggregate signature s • One aggregate signature for entire AS path [Figure: tuples (1, p, 2), (2, p, 3) and (3, p, 4) under one aggregate signature s] Reference: Lysyanskaya et al. “Sequential Aggregate Signatures from Trapdoor Permutations”. Eurocrypt 2004
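
The signature amortization idea from slide 9 (one signature over a Merkle hash tree of the queued messages, plus auxiliary values per message), sketched as an added example that is not code from the presentation. The function names, the sample updates and the use of HMAC-SHA256 as a stand-in for the router's RSA signature are assumptions made so the block runs with the standard library only.

```python
import hashlib
import hmac

PAD = hashlib.sha256(b"\x02pad").digest()   # filler node for odd-sized levels

def h(data):
    return hashlib.sha256(data).digest()

def build_levels(messages):
    """Merkle tree as a list of levels, leaf hashes first, root last."""
    level = [h(b"\x00" + m) for m in messages]          # 0x00 = leaf domain tag
    levels = []
    while True:
        if len(level) > 1 and len(level) % 2:
            level = level + [PAD]
        levels.append(level)
        if len(level) == 1:
            return levels
        level = [h(b"\x01" + level[i] + level[i + 1])   # 0x01 = inner-node tag
                 for i in range(0, len(level), 2)]

def aux_values(levels, index):
    """Sibling hashes from leaf to root: the per-message auxiliary values."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        path.append((level[sibling], sibling < index))  # (hash, sibling is on the left)
        index //= 2
    return path

def root_from(message, path):
    node = h(b"\x00" + message)
    for sibling, is_left in path:
        node = h(b"\x01" + (sibling + node if is_left else node + sibling))
    return node

def amortize(messages, key):
    """One signing operation covers every message waiting in the output buffers."""
    levels = build_levels(messages)
    # HMAC is a stand-in for the router's RSA signature over the root (assumption).
    signature = hmac.new(key, levels[-1][0], hashlib.sha256).digest()
    return signature, [aux_values(levels, i) for i in range(len(messages))]

def verify(message, path, signature, key):
    expected = hmac.new(key, root_from(message, path), hashlib.sha256).digest()
    return hmac.compare_digest(signature, expected)

# Constructed sample: five updates queued for different peers.
UPDATES = [b"1, p%d, peer%d" % (i, i) for i in range(5)]
KEY = b"constructed-demo-key"
SIG, AUX = amortize(UPDATES, KEY)
```

Each receiver gets its own message, the shared signature and about log2(k) auxiliary hashes, so the signer's cost drops from k signatures to one at the price of slightly larger messages.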
