Jumpstarting BGP Security Yossi Gilad Joint work with: Avichai - - PowerPoint PPT Presentation

jumpstarting bgp security
SMART_READER_LITE
LIVE PREVIEW

Jumpstarting BGP Security Yossi Gilad Joint work with: Avichai - - PowerPoint PPT Presentation

Jun 28, 2023 623 likes •887 views

Jumpstarting BGP Security Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira Prefix hijacking prefers shorter route Victim 168.122/16 168.122/16 Path: X-111 AS X Path: 666 AS 666 168.122/16 AS Path: 111

slide-1
SLIDE 1

Jumpstarting BGP Security

Yossi Gilad Joint work with: Avichai Cohen, Amir Herzberg, and Michael Schapira

slide-2
SLIDE 2

Prefix hijacking

Victim AS X AS 111 AS 666 168.122/16 Path: 111 168.122/16 Path: X-111 168.122/16 Path: 666

BGP Ad. Data flow prefers shorter route

2

Boston University

slide-3
SLIDE 3

RPKI

Resource Public Key Infrastructure (RPKI)

  • Origin Authentication

–Protects against hijacks –Slowly gaining traction (6% of prefixes covered)

Verify signature BGP Routers local cache

Autonomous System ROA: AS 111 168.122/16

168.122/16: AS 111 168.122/16: AS 111

slide-4
SLIDE 4

RPKI prevents prefix hijacks

Victim AS Y AS X AS 111 AS 666 168.122/16 Path: Y-X-111 168.122/16 Path: 666

BGP Ad. Data flow

ROA: AS 111 168.122/16 RPKI

slide-5
SLIDE 5

ROA: AS 111 168.122/16 RPKI

Forged origin circumvents RPKI

Victim AS Y AS X AS 111 168.122/16 Path: Y-X-111 168.122/16 Path: 666-111

BGP Ad. Data flow False link

AS 666

slide-6
SLIDE 6

Current paradigm: a two step solution

  • First, RPKI against prefix-hijacking
  • Then, add BGPsec

–Protects against false paths (e.g., next-AS attacks) –Deployment challenge: •Real-time signature and validation

  • Different message format

AS 111 168.122/16 AS X Prefix: 168.122/16 Secure-Path: X-111 AS Y Prefix: 168.122/16 Secure-Path: Y-X-111

Matches RPKI policy? 168.122/16: AS 111 Path signature OK?

Add signature, then relay

Matches RPKI policy? Path signatures valid?

slide-7
SLIDE 7

BGPsec in partial adoption? Meager benefits [Lychev et al., SIGCOMM’13]

Victim AS Y AS X AS 666 AS 111 BGP BGPsec ROA: AS 111 168.122/16 RPKI

168.122/16 Sec Path: X-111

168.122/16 Path: 666-111

slide-8
SLIDE 8

BGPsec in partial adoption? Meager benefits [Lychev et al., SIGCOMM’13]

Victim AS Y AS X AS 666 168.122/16 Path: Y-X-111 AS 111 BGP BGPsec ROA: AS 111 168.122/16 RPKI “Breaks” BGPsec 168.122/16 Path: 666-111

slide-9
SLIDE 9

Our Goals

Security:

  • Protect against ``false links’’ in BGP advertisements
  • Significant benefits in partial deployment

– In contrast to BGPsec

Deployment:

  • Minimal computation overhead

– Signatures and verifications: only offline, off-router

  • No changes to BGP messages
  • Similar to RPKI
slide-10
SLIDE 10

Path-end validation

Victim AS Y AS X AS 111 AS 666 168.122/16 Path: Y-X-111 168.122/16 Path: 666-111

BGP Ad. Data flow False link

ROA: AS 111 168.122/16 RPKI RPKI path end Edge auth: AS 111 AS X Covers all edges

slide-11
SLIDE 11

Inter domain routing security: Mechanism comparison

5 10 15 20 25 30 35 40 45 50

Attacker success rate (%) Protocol

BGP (no auth.) RPKI RPKI + Path-end validation RPKI + BGPsec, BGP still allowed This talk

slide-12
SLIDE 12

path-end validation

Path-end validation

  • Path-end validation extends RPKI to authenticate

the “last hop”

  • Key insight: Securing path-suffixes provides

significant benefits

d v a

Prefix

RPKI Did d approve reaching it via v?

slide-13
SLIDE 13

Path-end validation

4 4.5 3.5

slide-14
SLIDE 14

Deployment

  • Similar to RPKI

Verify signatures BGP Routers RPKI Local cache 168.122/16: AS 111 AS 111  AS X 168.122/16: AS 111 AS 111  AS X

ROA: 168.122/16 -> AS 111

Path End

RPKI Edge auth: AS 111 -> AS X Autonomous System

slide-15
SLIDE 15

Deployment

  • Use existing Access List interface
  • Validated suffix extends automatically with adoption

ip as-path access-list as1 deny _[^X]_111_

slide-16
SLIDE 16

Security in partial adoption: Simulation framework

B D H J E I G K L F C A

  • Pick victim & attacker
  • Victim’s prefix has a ROA+EA
  • Pick set of filtering ASes
  • Evaluate which ASes send

traffic to the attacker Empirically-derived AS-level network from CAIDA Including inferred peering links [Giotsas et al., SIGCOMM’13]

ROA: 1.2.0.0/16  AS A Path End

RPKI

Edge auth: AS A  AS D

slide-17
SLIDE 17

Simulation results

slide-18
SLIDE 18

Simulation results

slide-19
SLIDE 19

Simulation results

slide-20
SLIDE 20

Local deployment & local benefits

slide-21
SLIDE 21

Impact of authenticating hops

BGP (no authentication) Origin authentication (RPKI) Path-end validation 2-hop validation

slide-22
SLIDE 22

More results

  • Large content providers are better protected
  • Path-end validation mitigates high profile incidents
  • Security monotone

–BGPsec is not [Lychev et al., SIGCOMM’13]

slide-23
SLIDE 23

Conclusion

  • Path-end validation

–Can significantly improve inter-domain routing security while avoiding BGPsec’s deployment hurdles

  • We advocate

–Extending RPKI to support path-end validation –Regulatory/financial efforts on gathering critical mass of adopters

slide-24
SLIDE 24

Thank You