Secure Border Gateway Protocol (S-BGP): Real World Performance - - PowerPoint PPT Presentation



SLIDE 1

Secure Border Gateway Protocol (S-BGP): Real World Performance & Deployment Issues

Stephen Kent, Charles Lynn, Joanne Mikkelson, and Karen Seo

BBN Technologies

A Part of

SLIDE 2

Outline

• BGP Model
• BGP security concerns & requirements
• S-BGP design
• S-BGP performance & scaling
• Conclusions

SLIDE 3

Basic BGP Model

[Figure: basic BGP topology with ISP-1 to ISP-4, DSP-A to DSP-C, Org-X to Org-Z and a NAP; the legend distinguishes BGP routers from non-BGP routers]

• path vector inter-domain routing protocol
• UPDATEs generated in response to loss of connectivity or receipt of an UPDATE from a peer router, that results in a Loc-RIB change

SLIDE 4

The BGP Security Problem

• BGP is the critical infrastructure for Internet inter-domain routing
• Benign configuration errors have wreaked havoc for portions of the Internet address space
• The current system is highly vulnerable to human errors, as well as a wide range of attacks
• At best, BGP uses a point-to-point keyed MAC, with no automated key management
• Most published BGP security proposals have been pedagogic, not detailed, not deployable
• Solutions must take into account Internet topology, size, update rates, ...

SLIDE 5

Attack Model

• BGP can be attacked in various ways
  • active or passive wiretapping of communications links between routers
  • tampering with BGP speaker software
  • tampering with router management data en route
  • tampering with router management workstations/servers
  (the last three can result in Byzantine failures)
• Addition of the proposed countermeasures introduces a new concern
  • compromise of secret/private keying material in the routers or in the management infrastructure

SLIDE 6

BGP Security Requirements

• Verification of address space “ownership”
• Authentication of Autonomous Systems (AS)
• Router authentication and authorization (relative to an AS)
• Route and address advertisement authorization
• Route withdrawal authorization
• Integrity and authenticity of all BGP traffic on the wire
• Timeliness of BGP traffic

SLIDE 7

S-BGP Design Overview

• IPsec: authenticity and integrity of peer-to-peer communication, automated key management
• Public Key Infrastructures (PKIs): secure identification of BGP speakers and of owners of AS’s and of address blocks
• Attestations: authorization of the subject (by the issuer) to advertise specified address blocks
• Validation of UPDATEs based on a new path attribute, using certificates and attestations
• Distribution of countermeasure data: certificates, CRLs, attestations

SLIDE 8

S-BGP Residual Vulnerabilities

• Failure to advertise route withdrawal
• Premature re-advertisement of withdrawn routes
• Erroneous application of local policy
• Erroneous traffic forwarding, bogus traffic generation, etc. (not really a BGP issue)

SLIDE 9

Internet Address Space Ownership

[Figure: Internet address space ownership hierarchy: ICANN/IANA at the root, ARIN/RIPE/APNIC below, then ISP-1 and ISP-2, DSP-A to DSP-D, and the organizations ORG-X, ORG-XX, ORG-Y, ORG-YY, ORG-Z and ORG-ZZ at the leaves]

SLIDE 10

Simplified PKI for Address Blocks

[Figure: simplified PKI for address blocks: ICANN (all address blocks) certifies APNIC, ARIN and RIPE for their address blocks; the registries certify ISPs (GTE-I, AT&T, MCI, ISP 2, ISP 4) and DSPs (DSP 1, DSP 3) for their address block(s); ISPs and DSPs in turn certify Subscriber A and Subscriber B for their address block(s)]

• Only networks that execute BGP need certificates
• All ISPs are BGP users, but only about 10% of DSPs, maybe 5% of subscribers, are BGP users

SLIDE 11

PKI for Speaker ID & AS Assignment

[Figure: PKI for speaker ID and AS assignment: ICANN (all AS numbers) certifies APNIC, ARIN and RIPE for AS numbers; the registries certify ISPs (GTE-I, AT&T, MCI, ISP 2, ISP 4) for their AS numbers and DSPs for single AS numbers (DSP 1: AS# W, DSP 3: AS# Y); each AS (AS# X, AS# Y, AS# Z) then certifies the routers in that AS, each router certificate naming the AS number and the router's BGP ID]

SLIDE 12

Securing UPDATE messages

• A secure UPDATE consists of an UPDATE message with a new, optional, transitive path attribute for route authorization
• This attribute consists of a signed sequence of route attestations, nominally terminating in an address space attestation
• This attribute is structured to support both route aggregation and AS sets
• Validation of the attribute verifies that the route was authorized by each AS along the path and by the ultimate address space owner

SLIDE 13

An UPDATE with Attestations

[Figure: structure of an UPDATE with attestations, recovered from the diagram labels]
UPDATE Message: BGP Header; Addr Blks of Rtes Being Withdrawn; BGP Path Attributes; Dest Addr Blks (NLRI)
Path Attribute for Attestations: Attribute Header; Route Attestations
Route Attestation: Attestation Header; Issuer Certificate ID; Algorithm ID & Signature; Signed Info
Signed Information: Validity Dates; Subject; AS Path Info; Other Protected Path Attributes; NLRI Info

SLIDE 14

Simplified Attribute Format

[Figure: simplified attribute format, recovered from the diagram labels]
BGP Hdr: Withdrawn NLRI, Path Attributes, Dest. NLRI
RA: Issuer, Cert ID, Validity, Subject, Path, NLRI, SIG
RA: Issuer, Cert ID, Validity, Subject, Path, NLRI, SIG
RA: Issuer, Cert ID, Validity, Subject, Path, NLRI, SIG
AA: Owning Org, NLRI, first Hop AS, SIG (usually omitted)
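The chain of attestations described on slides 12 and 14, as an added example that is not code from the slides or from BBN's S-BGP implementation: each AS on the path issues a route attestation (RA) naming the next AS as subject and covering the path so far and the NLRI, and the address-block owner's address attestation (AA) authorizes the origin AS. The validator walks the path from the origin outwards and checks issuer, subject, protected path, NLRI, validity date and signature of every RA. Everything here is constructed: HMAC keys in a dictionary stand in for the per-AS and per-owner public keys that a real speaker would take from the certificates on slides 10 and 11, and the prefix, organisation name and AS numbers are made up.

```python
"""Toy model of S-BGP route attestations and their validation.
Added example, not code from the slides or from BBN's S-BGP implementation.
Assumptions (all constructed): HMAC keys stand in for the per-AS and per-owner
signing keys that a real speaker would take from PKI certificates; the AS
numbers, prefix and organisation name are made up."""
import hashlib
import hmac
import json

# Stand-in for the two PKIs on slides 10 and 11: who signs with which key.
KEYS = {"ORG-X": b"key-org-x", "AS64501": b"key-1", "AS64502": b"key-2", "AS64503": b"key-3"}
# Stand-in for the address-block PKI: which organisation owns which prefix.
OWNERS = {"ORG-X": {"192.0.2.0/24"}}


def _sign(signer, body):
    """Deterministic 'signature' over a canonical encoding of the body."""
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(KEYS[signer], msg, hashlib.sha256).hexdigest()


def _verify(signed, signer):
    body = {k: v for k, v in signed.items() if k != "sig"}
    if signer not in KEYS:          # no certificate for this party
        return False
    return hmac.compare_digest(signed["sig"], _sign(signer, body))


def address_attestation(owner, nlri, first_hop_as):
    """AA: the address-block owner authorizes first_hop_as to originate nlri."""
    body = {"owner": owner, "nlri": nlri, "first_hop": first_hop_as}
    return {**body, "sig": _sign(owner, body)}


def route_attestation(issuer, subject, path, nlri, valid_to):
    """RA: issuer AS authorizes subject AS to advertise nlri along path."""
    body = {"issuer": issuer, "subject": subject, "path": path,
            "nlri": nlri, "valid_to": valid_to}
    return {**body, "sig": _sign(issuer, body)}


def build_update(receiver_as="AS64510"):
    """Constructed UPDATE: ORG-X's block originated by AS64501, relayed via
    AS64502 and AS64503 to the receiving speaker in receiver_as."""
    nlri = "192.0.2.0/24"
    hops = ["AS64501", "AS64502", "AS64503"]          # origin first
    aa = address_attestation("ORG-X", nlri, hops[0])
    ras = []
    for i, asn in enumerate(hops):
        nxt = hops[i + 1] if i + 1 < len(hops) else receiver_as
        ras.append(route_attestation(asn, nxt, hops[:i + 1], nlri, "2099-12-31"))
    as_path = list(reversed(hops))                     # BGP order: last hop first
    return nlri, as_path, aa, ras


def validate_update(nlri, as_path, aa, ras, receiver_as, today):
    """Return (ok, reason). Checks the AA against the origin AS and then one
    RA per AS in the path, each issued by that AS for the next AS."""
    origin = as_path[-1]
    if nlri not in OWNERS.get(aa["owner"], ()):
        return False, "AA issuer does not own the NLRI"
    if aa["nlri"] != nlri or aa["first_hop"] != origin or not _verify(aa, aa["owner"]):
        return False, "address attestation does not authorize the origin AS"
    hops = list(reversed(as_path))
    if len(ras) != len(hops):
        return False, "attestation count does not match AS path length"
    for i, (asn, ra) in enumerate(zip(hops, ras)):
        expected_subject = hops[i + 1] if i + 1 < len(hops) else receiver_as
        if ra["issuer"] != asn or ra["subject"] != expected_subject:
            return False, f"RA {i}: issuer/subject do not match the path"
        if ra["path"] != hops[:i + 1] or ra["nlri"] != nlri:
            return False, f"RA {i}: protected path or NLRI mismatch"
        if ra["valid_to"] < today:                     # ISO dates compare as strings
            return False, f"RA {i}: expired"
        if not _verify(ra, asn):
            return False, f"RA {i}: bad signature"
    return True, "ok"


if __name__ == "__main__":
    args = build_update()
    print(validate_update(*args, "AS64510", "2024-01-01"))
```

The receiving speaker's own AS number must be the subject of the last RA, which is what stops a neighbour from replaying an attribute it was never authorized to propagate; the AA check is what ties the whole chain to the address-block owner, matching the slide-12 statement that validation covers every AS on the path and the ultimate owner.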

SLIDE 15

Distributing Certificates, CRLs, & AAs

• Putting certificates & CRLs in UPDATEs would be redundant and make UPDATEs too big
• Same is true for address attestations
• Solution: use servers for these data items
  • replicate for redundancy & scalability
  • locate at NAPs for direct (non-routed) access
  • download options:
    – whole certificate/AA/CRL databases
    – queries for specific certificates/AAs/CRLs
• To minimize processing & storage overhead, NOCs should validate certificates & AAs, and send processed extracts to routers

SLIDE 16

Distributing Route Attestations

• Distributed with BGP UPDATEs as path attributes
• RAs have an implicit encoding option to reduce size and avoid exceeding the UPDATE size limit (4096 bytes)
• Cache with associated routes in ADJ-RIBs to reduce validation overhead
• Expiration date present, but no revocation mechanism chosen yet

SLIDE 17

BGP Statistics

• ~1,800 organizations own AS numbers
• ~44,000 own address prefixes (NLRI)
• ~7,500 BGP speakers
• ~75,000 routes in an ISP BGP database
• Few AS sets (~100), little address aggregation
• Average path length (NAP perspective) is 2.6 hops; 50% of routes ≤ 2 hops, 96% ≤ 4 hops
• ~43,000 UPDATEs received each day at a BGP speaker at a NAP (30 peers)

SLIDE 18

S-BGP Storage Statistics

• ~58,000 certificates in database (~550 bytes each)
• Certificate & CRL database ~35 MB
• Address attestation database ~4 MB
• Extracted certificate & AA database (with data structure overhead in GateD) ~42 MB
• Route attestations occupy ~16 MB per ADJ-RIB: about 64 MB (4 peers) to 480 MB (at a NAP)
• ADJ-RIB caching for received UPDATEs increases storage requirements by about 50%, and yields about 58% validation savings

SLIDE 19

Route Attestation Overhead

• Transmission
  • RAs add ~450 bytes to a typical (3.6 ASes in path) UPDATE
  • on a base UPDATE of 63 bytes, that is 700% overhead!
  • But UPDATEs represent a very small portion of all traffic, so steady state bandwidth for RA transmission is only ~1.4 Kb/s
• Processing
  • Average of 3.6 signature validations per received UPDATE and 1 generation per emitted UPDATE
  • Peak rates ~18/s validation and ~5/s generation w/o caching (peak estimated as ten times average)
  • UPDATE caching reduces validation rate by ~50%
  • Start-up transient would overwhelm a speaker, thus some form of non-volatile (NV) storage or heuristic is required
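The capacity arithmetic behind slides 17 to 19, as an added example rather than anything from the slides or BBN's code: it derives the peak signature rates and the per-ADJ-RIB storage totals from the slide-17 statistics, so the inputs behind "~18/s validation", "~5/s generation" and "64 MB to 480 MB" are explicit and can be re-run with other numbers. The input defaults are the slides' own figures and the "peak is ten times average" rule is the slides' stated estimate; the assumption that a speaker emits about as many UPDATEs as it receives is mine, introduced to reproduce the ~5/s generation figure, and is exposed as a parameter.

```python
"""Capacity model behind the S-BGP overhead figures on slides 17-19.
Added example, not from the slides or BBN's code. Defaults are the slides'
statistics; the 10x peak rule is the slides' estimate; the assumption that
emitted UPDATEs roughly equal received ones (emitted_per_received=1.0) is
mine and is only needed to reproduce the ~5/s generation figure."""
SECONDS_PER_DAY = 86_400


def ra_overhead_percent(ra_bytes=450, base_update_bytes=63):
    """Size of the attestation attribute relative to the bare UPDATE."""
    return 100.0 * ra_bytes / base_update_bytes          # ~714% on the slides' numbers


def signature_rates(updates_per_day=43_000, sigs_per_update=3.6,
                    peak_factor=10, cache_savings=0.0, emitted_per_received=1.0):
    """Average and peak signature validations/generations per second.
    cache_savings is the fraction of validations the ADJ-RIB cache avoids
    (slide 18 measured ~58%, slide 19 rounds it to ~50%)."""
    avg_val = updates_per_day * sigs_per_update / SECONDS_PER_DAY * (1 - cache_savings)
    # one signature generation per emitted UPDATE
    avg_gen = updates_per_day * emitted_per_received / SECONDS_PER_DAY
    return {
        "avg_validations_per_s": avg_val,
        "peak_validations_per_s": avg_val * peak_factor,
        "avg_generations_per_s": avg_gen,
        "peak_generations_per_s": avg_gen * peak_factor,
    }


def ra_storage_mb(peers, mb_per_adj_rib=16, cache_overhead=0.0):
    """Route-attestation storage across all ADJ-RIBs; cache_overhead is the
    extra fraction that ADJ-RIB caching of received UPDATEs adds (slide 18: ~50%)."""
    return peers * mb_per_adj_rib * (1 + cache_overhead)


if __name__ == "__main__":
    r = signature_rates()
    print(f"RA overhead: {ra_overhead_percent():.0f}% of a bare UPDATE")
    print(f"peak validations ~{r['peak_validations_per_s']:.0f}/s, "
          f"peak generations ~{r['peak_generations_per_s']:.0f}/s")
    print(f"RA storage: {ra_storage_mb(4):.0f} MB (4 peers), "
          f"{ra_storage_mb(30):.0f} MB (NAP, 30 peers)")
```

Running it with `cache_savings=0.5` shows the peak validation load the slide-19 caching bullet implies (about 9/s), and `ra_storage_mb(30, cache_overhead=0.5)` gives the NAP storage figure once the 50% caching overhead from slide 18 is included (720 MB).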

SLIDE 20

Conclusions

• The transmission and processing costs of S-BGP are not significant
• The proposed distribution mechanisms for certificates, CRLs, and AAs are viable
• Storage overhead exceeds the capacity of existing routers, but adding adequate storage is feasible, especially for ISP BGP speakers
• Testing and deployment issues
  • Cisco handling of optional, transitive path attributes
  • Intra-domain distribution of the S-BGP attribute
• But deployment poses a chicken-and-egg problem!