
SPV: Secure Path Vector Routing for Securing BGP Leonel Ocsa Sáchez


Presentation Transcript


  1. SPV: Secure Path Vector Routing for Securing BGP Leonel Ocsa Sáchez leonel.ocsa.sanchez@hotmail.com School of Computer Science

  2. Introduction: Economy and Critical Infrastructure, Internet, BGP, Security. SPV: Secure Path Vector Routing for Securing BGP. Presented by: Leonel Ocsa Sáchez

  3. Introduction. Border Gateway Routing Protocol (BGP): Internet packet routing. • Trusted environment • Minimal security against attacks

  4. Introduction. S-BGP: Secure BGP routing protocol. Requires computational efficiency. Authenticating of messages. Internet routers receive a high volume of messages (burst).

  5. Introduction. It is necessary that public keys and private keys be minimized for authenticating.

  6. BGP Security Threats. Secure Path Vector (SPV): strong attacker model. It considers active attackers that actively inject malicious traffic and compromise routers in the network. • There are two main attack classes: • Denial of Service (DoS) • Falsification attacks

  7. BGP Security Threats - Denial of Service (DoS). The classic DoS attack is a resource exhaustion attack. The attacker fabricates inputs to evoke the worst-case running time. The attacker can inject malicious TCP packets (TCP poisoning). The attacker could simply flood TCP 179 to starve out the TCP connection between the two routers.

  8. BGP Security Threats – Falsification Attacks The attacker has caused a routing loop

  9. Closely Related Work – Hop by Hop Authentication. To prevent attacks against eBGP TCP: hop-by-hop authentication. However, the disadvantage is that the falsification of access route cannot be addressed.

  10. Closely Related Work – Securing BGP Updates. S-BGP: an address space PKI; an AS's ownership certificates. ASPATH: it is a sequence of intermediate ASes between source and destination routers that form a direct route for packets to travel. The main goal of S-BGP is to protect the ASPATH and prevent unauthorized advertisements of an IP prefix.

  11. Securing BGP: SPV. Removes the need for routers to perform computationally expensive public-key cryptographic operations and to store asymmetric private keys. Develops an ASPATH protector. Routers need only store the short-lived primary keys.

  12. Securing BGP – Efficient Prefix Ownership Certificates • It works with the smaller blocks of service providers. • Service providers often delegate blocks to their customers. • At each step in the delegation, the recipient of the address block generates an asymmetric prefix primary key to represent the block. • The address issuer uses its prefix private key to sign the prefix.

  13. Securing BGP – Cryptographic Mechanisms. This system uses Merkle hash trees. For this it's possible to use a hash function like MD5. One-way hash chains: this makes it impossible for an attacker to derive values. The main property of the values of a one-way chain is that once the receiver trusts that a value v_i is authentic, it can derive all following values of the chain, so an adversary cannot derive later values.

  14. Securing BGP – Cryptographic Mechanisms • SPV uses hash trees for three purposes: • To authenticate the values of the single-ASN private key. • To authenticate several single-ASN public keys. • To authenticate the epoch public keys.

  15. Securing BGP – Basic ASPATH Protector

  16. Securing BGP – Basic ASPATH Protector

  17. Securing BGP – Advanced ASPATH Protector

  18. Evaluation - SPV Security against Attacks. We compute the security against signature forgery, and use these results to derive the parameters: n (number of private values per one-time signature) and m (number of private values disclosed per one-time signature). This graphic shows the probability of a number of attacks being successful. In particular, the attacker will not have a certificate for the correct prefix. The attacker is also generally unable to truncate arbitrary ASPATHs.

  19. Evaluation - Comparison to S-BGP. S-BGP: • Ensuring that an S-BGP AS cannot be falsely added to the ASPATH. • In S-BGP, threshold cryptography could be used, wherein peers together generate a key for the non-deploying AS, and use a separate protocol to sign UPDATEs for each other. • S-BGP ensures that each AS on the ASPATH has been transited by the UPDATE, and that ASNs cannot be dropped from the ASPATH. SPV: • SPV does not achieve any properties in this case. • In SPV, a single entity computes the private keys, and signs each peer's ASN into every UPDATE that would be protected by that private key. • In SPV, an attacker controlling two ASes can insert bogus ASNs between its two ASNs. In addition, as an AS receives several UPDATEs from a single prefix, this increases the probability of truncation.

  20. Evaluation - Comparison to S-BGP

  21. Evaluation – Performance Evaluation. Computational Overhead: When an AS connects to many peers, the UPDATEs received over one second often take BGP over 100 seconds to process in software.

  22. Conclusions • Secure BGP software implementations enjoy at least a 20-fold speedup over digital signatures. • SPV is a protocol leveraging symmetric-key cryptography for securing against the truncation and modification attacks. SPV is configurable to allow tradeoffs between security and CPU usage. • SPV introduces three novel concepts to the design space of secure routing protocols: first, it includes private keys within the UPDATEs themselves; second, it does not authenticate the AS that inserts itself onto the path and finally, it provides security not by requiring overwhelming computational complexity • SPV is much faster than S-BGP, so SPV would perform better in periods of high BGP traffic. • When replay attacks are considered a threat, SPV allows for shorter timeouts than does S-BGP, and therefore can more effectively secure against replay attacks.

  23. SPV: Secure Path Vector Routing for Securing BGP Leonel Ocsa Sáchez leonel.ocsa.sanchez@hotmail.com School of Computer Science
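
Slides 13 and 14 name one-way hash chains and Merkle hash trees as the building blocks, and slide 18 refers to n private values of which m are disclosed. The following is an added example, not code from the presentation or from the SPV authors: it shows both primitives on constructed data, checking a chain value against a trusted anchor and checking one disclosed private value against a tree root. SHA-256 is substituted for the MD5 the slide mentions, and all function names, the seed strings and n = 8 are assumptions of this example.

```python
import hashlib

def H(data: bytes) -> bytes:
    # SHA-256 is this example's choice; the slides mention MD5 as a possible hash.
    return hashlib.sha256(data).digest()

def hash_chain(seed: bytes, length: int) -> list:
    """Return [v_0, ..., v_length] with v_0 = seed and v_{i+1} = H(v_i)."""
    chain = [seed]
    for _ in range(length):
        chain.append(H(chain[-1]))
    return chain

def steps_to_anchor(candidate: bytes, anchor: bytes, max_steps: int) -> int:
    """Hash candidate forward; return the number of steps that reaches the
    trusted anchor, or -1 if it is not reached within max_steps."""
    value = candidate
    for steps in range(max_steps + 1):
        if value == anchor:
            return steps
        value = H(value)
    return -1

def merkle_levels(leaves: list) -> list:
    """Build every tree level, leaf hashes first; len(leaves) must be a power of two."""
    assert leaves and len(leaves) & (len(leaves) - 1) == 0
    level = [H(b"\x00" + leaf) for leaf in leaves]  # 0x00/0x01 keep leaf and node hashes apart
    levels = [level]
    while len(level) > 1:
        level = [H(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def auth_path(levels: list, index: int) -> list:
    """Sibling hashes from leaf `index` up to (not including) the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path

def verify_leaf(root: bytes, leaf: bytes, index: int, path: list) -> bool:
    """Recompute the root from one disclosed leaf and its authentication path."""
    node = H(b"\x00" + leaf)
    for sibling in path:
        pair = node + sibling if index % 2 == 0 else sibling + node
        node = H(b"\x01" + pair)
        index //= 2
    return node == root

# Constructed sample data: n = 8 private values committed to by one Merkle root.
PRIVATE_VALUES = [H(b"constructed-seed" + bytes([i])) for i in range(8)]
LEVELS = merkle_levels(PRIVATE_VALUES)
ROOT = LEVELS[-1][0]
```

A verifier that trusts only `ROOT` can check any disclosed value with `verify_leaf(ROOT, PRIVATE_VALUES[i], i, auth_path(LEVELS, i))`; the path has log2(n) = 3 hashes here.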
