Rostom Zouaghi (2008) Interdomain Routing Security (BGP-4).
Full text access: Open
The Border Gateway Protocol (BGP) is the most important protocol for the interconnectivity of the Internet. Although it has shown acceptable performance, there are many concerns about its ability to keep up with the scale of the Internet's growth, mainly because of the security issues that surround interdomain routing. The Internet is important to many organisations in various contexts, so a highly secure protocol is required to maintain its normal operation. BGP suffers from many security issues. In this dissertation, we cover those issues and provide the security requirements for this protocol. We enumerate the numerous attacks that can be conducted against BGP. The aim of this study is to examine two widely discussed protocols: Secure-BGP (S-BGP) and secure origin BGP (soBGP), which have brought a revolutionary view of interdomain routing since they endeavour to provide security mechanisms at the protocol level. The objective is extended to comparing these two solutions by examining their contribution to the Border Gateway Protocol in terms of security. Moreover, we study their interoperability, efficiency, performance, and the residual vulnerabilities that each solution failed to resolve. Our findings have revealed that ultimately, the solution chosen will depend on the desired level of security and deployability. As is often the case with security, a compromise between security and feasibility is a major concern, and cost-effectiveness is the main driver behind deployment.
This is a Published version. This version's date is: 05/09/2008. This item is peer reviewed.
https://repository.royalholloway.ac.uk/items/33ae688c-ee87-866a-2f88-ae93dc011ccf/1/
Deposited on 23-Jun-2010 in Royal Holloway Research Online. Last modified on 15-Dec-2010.