WANG Bin,AN Jin-liang,WU Chun-ming,LAN Ju-long

DOI: https://doi.org/10.3969/j.issn.1000-436x.2012.05.012

2012-01-01

Journal of Communications

Abstract:A new approach was studied for BGP security:SE-BGP.By analyzing the security of SE-BGP,was found it had some secure leaks which couldnt resist active attack.To solve these secure problems of SE-BGP,an AS-alliance-based secure BGP scheme :SA-BGP was proposed,which used the aggregate signatures algorithm based on RSA.The SA-BGP has strong ability of security that can effectively verify the propriety of IP prefix origination and verifies the validity of an AS to announce network layer reachability information (NLRI).SA-BGP can large-scale reduced the number of the used certificates.Performance evaluation results that SA-BGP can be implemented efficiently and the incurred overhead,in terms of time and space,ptable in practice.

Xiaoliang Wang,Zhuotao Liu,Qi Li,Yangfei Guo,Sitong Ling,Jiangou Zhan,Yi Xu,Ke Xu,Jianping Wu

2023-11-09

Abstract:The Internet inter-domain routing system is vulnerable. On the control plane, the de facto Border Gateway Protocol (BGP) does not have built-in mechanisms to authenticate routing announcements, so an adversary can announce virtually arbitrary paths to hijack network traffic; on the data plane, it is difficult to ensure that actual forwarding path complies with the control plane decisions. The community has proposed significant research to secure the routing system. Yet, existing secure BGP protocols (e.g., BGPsec) are not incrementally deployable, and existing path authorization protocols are not compatible with the current Internet routing infrastructure. In this paper, we propose FC-BGP, the first secure Internet inter-domain routing system that can simultaneously authenticate BGP announcements and validate data plane forwarding in an efficient and incrementally-deployable manner. FC-BGP is built upon a novel primitive, name Forwarding Commitment, to certify an AS's routing intent on its directly connected hops. We analyze the security benefits of FC-BGP in the Internet at different deployment rates. Further, we implement a prototype of FC-BGP and extensively evaluate it over a large-scale overlay network with 100 virtual machines deployed globally. The results demonstrate that FC-BGP saves roughly 55% of the overhead required to validate BGP announcements compared with BGPsec, and meanwhile FC-BGP introduces a small overhead for building a globally-consistent view on the desirable forwarding paths.

Networking and Internet Architecture

Jaber Daneshamooz,Melody Yu,Sucheer Maddury

2024-02-14

Abstract:The current routing protocol used in the internet backbone is based on manual configuration, making it susceptible to errors. To mitigate these configuration-related issues, it becomes imperative to validate the accuracy and convergence of the algorithm, ensuring a seamless operation devoid of problems. However, the process of network verification faces challenges related to privacy and scalability. This paper addresses these challenges by introducing a novel approach: leveraging privacy-preserving computation, specifically multiparty computation (MPC), to verify the correctness of configurations in the internet backbone, governed by the BGP protocol. Not only does our proposed solution effectively address scalability concerns, but it also establishes a robust privacy framework. Through rigorous analysis, we demonstrate that our approach maintains privacy by not disclosing any information beyond the query result, thus providing a comprehensive and secure solution to the intricacies associated with routing protocol verification in large-scale networks.

Cryptography and Security,Networking and Internet Architecture

Qi Li,Mingwei Xu,Jianping Wu,Xinwen Zhang,Patrick P. C. Lee,Ke Xu

DOI: https://doi.org/10.1109/tifs.2011.2177822

IF: 7.231

2011-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The weak trust model in Border Gateway Protocol (BGP) introduces severe vulnerabilities for Internet routing including active malicious attacks and unintended misconfigurations. Although various secure BGP solutions have been proposed, the complexity of security enforcement and data-plane attacks still remain open problems. We propose TBGP, a trusted BGP scheme aiming to achieve high authenticity of Internet routing with a simple and lightweight attestation mechanism. TBGP introduces a set of route update and withdrawal rules that, if correctly enforced by each router, can guarantee the authenticity and integrity of route information that is announced to other routers in the Internet. To verify this enforcement, an attestation service running on each router provides interfaces for a neighboring router to challenge the integrity of its routing stack, enforced rules, and the attestation service itself. If this attestation succeeds, the neighboring router updates its routing table or announces the route to its neighbors, following the same rules. Thus, a router on a routing path only needs to verify one neighbor's routing status to ensure that the route information is valid. Through this, TBGP builds a transitive trust relationship among all routers on a routing path. We implement a prototype of TBGP to investigate its practicality. In our implementation, we use identity-based signature and trusted computing techniques to further reduce the complexity of security operations. Our security analysis and performance study shows that TBGP can achieve the security goals of BGP with significantly better convergence performance and lower computation overhead than existing secure BGP solutions.

Yang Xiang,Xingang Shi,Jianping Wu,Zhiliang Wang,Xia Yin

DOI: https://doi.org/10.1016/j.comnet.2012.11.019

2012-01-01

Abstract:The inter-domain routing protocol, Border Gateway Protocol (BGP), plays a critical role in the reliability of the Internet routing system, but forged routes generated by malicious attacks or mis-configurations may devastate the system. The security problem of BGP has attracted considerable attention, and although several solutions have been proposed, none of them have been widely deployed due to weaknesses such as high computational cost or potential security compromise. This paper proposes Fast Secure BGP (FS-BGP), an efficient mechanism for securing AS paths and preventing prefix hijacking by signing critical AS path segments. We prove that FS-BGP can achieve a similar level of security as S-BGP, but with much higher efficiency. Our experiments use BGP UPDATE data collected from real backbone routers. Compared with S-BGP, FS-BGP only requires a very small cache, and can reduce the cost of signing and verification by orders of magnitude. Indeed, the signing and verification can be accomplished as fast as the most bursty BGP UPDATE arrivals, which implies that FS-BGP will hardly delay the propagation of routing information.

Jiang Li,Mingwei Xu,Zhuotao Liu,Zili Meng,Yuan Yang,Qi Li,Yangyang Wang

DOI: https://doi.org/10.2139/ssrn.4199288

2022-01-01

SSRN Electronic Journal

Abstract:The Internet has been evolving for decades with rapidly increasing parties, from thousands of Autonomous Systems (ASes) to hundreds of thousands of ASes nowadays.Unfortunately, the inter domain routing protocol, specifically the Border Gateway Protocol (BGP), is not designed to provide a reliable routing service for hundreds of thousands of ASes.In BGP, a minor misbehavior of AS operators (e.g., intentional attack or unintentional misconfiguration) will cause routing anomaly (e.g., prefix hijack and path manipulation) in a large scale. However, existing solutions to enhance BGP security face the trade-off between robustness against failures and effectiveness in providing real-time and accurate detection.To break the trade-off, we propose HyperBGP, which exploits the decentralization and trustworthiness features of blockchain. We design a blockchain to validate the integrity of a routing path from its upstream ASes, so that BGP will operate functionally as long as more than a half of ASes are functional.To make HyperBGP deployable in practice, we introduce several design blocks to improve the scalability, facilitate deployment and reduce resource consumption of HyperBGP.We implement the prototype and evaluate its security and performance. Our results demonstrate that HyperBGP is robust and effective at securing inter-domain routing against route anomaly and incurs negligible cost in performance.

Pang-Wei Tsai,Aris Cahyadi Risdianto,Meng Hui Choi,Satis Kumar Permal,Teck Chaw Ling

DOI: https://doi.org/10.3390/fi13070171

2021-06-30

Future Internet

Abstract:In global networks, Border Gateway Protocol (BGP) is widely used in exchanging routing information. While the original design of BGP did not focus on security protection against deliberate or accidental errors regarding to routing disruption, one of fundamental vulnerabilities in BGP is a lack of insurance in validating authority for announcing network layer reachability. Therefore, a distributed repository system known as Resource Public Key Infrastructure (RPKI) has been utilized to mitigate this issue. However, such a validation requires further deployment steps for Autonomous System (AS), and it might cause performance and compatibility problems in legacy network infrastructure. Nevertheless, with recent advancements in network innovation, some traditional networks are planning to be restructured with Software-Defined Networking (SDN) technology for gaining more benefits. By using SDN, Internet eXchange Point (IXP) is able to enhance its capability of management by applying softwarized control methods, acting as a Software-Defined eXchange (SDX) center to handle numerous advertisement adaptively. To use the SDN method to strengthen routing security of IXP, this paper proposed an alternative SDX development, SD-BROV, an SDX-based BGP Route Origin Validation mechanism that establishes a flexible route exchange scenario with RPKI validation. The validating application built in the SDN controller is capable of investigating received routing information. It aims to support hybrid SDN environments and help non-SDN BGP neighbors to get trusted routes and drop suspicious ones in transition. To verify proposed idea with emulated environment, the proof-of-concept development is deployed on an SDN testbed running over Research and Education Networks (RENs). During BGP hijacking experiment, the results show that developed SD-BROV is able to detect and stop legitimate traffic to be redirected by attacker, making approach to secure traffic forwarding on BGP routers.

Henry Birge-Lee,Joel Wanner,Grace Cimaszewski,Jonghoon Kwon,Liang Wang,Francois Wirz,Prateek Mittal,Adrian Perrig,Yixin Sun

DOI: https://doi.org/10.48550/arXiv.2206.06879

2022-06-14

Networking and Internet Architecture

Abstract:Adversaries can exploit inter-domain routing vulnerabilities to intercept communication and compromise the security of critical Internet applications. Meanwhile the deployment of secure routing solutions such as Border Gateway Protocol Security (BGPsec) and Scalability, Control and Isolation On Next-generation networks (SCION) are still limited. How can we leverage emerging secure routing backbones and extend their security properties to the broader Internet? We design and deploy an architecture to bootstrap secure routing. Our key insight is to abstract the secure routing backbone as a virtual Autonomous System (AS), called Secure Backbone AS (SBAS). While SBAS appears as one AS to the Internet, it is a federated network where routes are exchanged between participants using a secure backbone. SBAS makes BGP announcements for its customers' IP prefixes at multiple locations (referred to as Points of Presence or PoPs) allowing traffic from non-participating hosts to be routed to a nearby SBAS PoP (where it is then routed over the secure backbone to the true prefix owner). In this manner, we are the first to integrate a federated secure non-BGP routing backbone with the BGP-speaking Internet. We present a real-world deployment of our architecture that uses SCIONLab to emulate the secure backbone and the PEERING framework to make BGP announcements to the Internet. A combination of real-world attacks and Internet-scale simulations shows that SBAS substantially reduces the threat of routing attacks. Finally, we survey network operators to better understand optimal governance and incentive models.

Congcong Miao,Yunming Xiao,Marco Canini,Ruiqiang Dai,Shengli Zheng,Jilong Wang,Jiwu Bu,Aleksandar Kuzmanovic,Yachen Wang

DOI: https://doi.org/10.1145/3603269.3604852

2023-01-01

Abstract:As the solitary inter-domain protocol, BGP plays an important role in today's Internet. Its failures threaten network stability and will usually result in large-scale packet losses. Thus, the non-stop routing (NSR) capability that protects inter-domain connectivity from being disrupted by various failures, is critical to any Autonomous System (AS) operator. Replicating the BGP and underlying TCP connection status is key to realizing NSR. But existing NSR solutions, which heavily rely on OS kernel modifications, have become impractical due to providers' adoption of virtualized network gateways for better scalability and manageability. In this paper, we tackle this problem by proposing TENSOR, which incorporates a novel kernel-modification-free replication design and lightweight architecture. More concretely, the kernel-modification-free replication design mitigates the reliance on OS kernel modification and hence allows the virtualization of the network gateway. Meanwhile, lightweight virtualization provides strong performance guarantees and improves system reliability. Moreover, TENSOR provides a solution to the split-brain problem that affects NSR solutions. Through extensive experiments, we show that TENSOR realizes NSR while bearing little overhead compared to open-source BGP implementations. Further, our two-year operational experience on a fleet of 400 servers controlling over 31,000 BGP peering connections demonstrates that TENSOR reduces the development, deployment, and maintenance costs significantly - at least by factors of 20, 5, and 10, respectively, while retaining the same SLA with the NSR-enabled routers.

Yan Yang,Xingang Shi,Qiang Ma,Yahui Li,Xia Yin,Zhiliang Wang

DOI: https://doi.org/10.1016/j.comnet.2022.108762

IF: 5.493

2022-01-01

Computer Networks

Abstract:Border Gateway Protocol (BGP), as the current de-facto routing protocol connecting various cooperating domains on the Internet, did not consider security when it was originally designed. With the expansion of the Internet, security is increasingly valued and many BGP enhancement mechanisms are proposed and experimented. Some of them like BGPsec have been standardized and promoted by the IETF. However, the deployment of these inter-domain secure routing mechanisms is subject to many economic and political restrictions. Consequently, there will be a long period of partial deployment, during which instability of BGP can be observed. Specifically, when some networks start deploying secure BGP mechanisms, they may be involved in some temporary or persistent route oscillations. In this paper, we systematically study the stability problem induced by partially deployed secure BGP mechanisms. We analyze the characteristics of topology and routing strategies when BGP oscillations will be introduced. In particular, we propose dispute chain, a derived structure of dispute wheel proposed in Griffin et al. (2002), to formally analyze this problem. Based on dispute chain, we analyze how different security adoption strategies can cause BGP oscillations under the general Gao–Rexford model. Our analysis shows that, even in a situation when there is no dispute wheel, dispute chains may widely appear, indicating that BGP oscillation problems will be introduced when security mechanisms are casually deployed, affecting the security and quality of inter-domain communications. To avoid possible oscillations, we also propose some deployment guidelines from different perspectives of the operator and the Internet, so that a wider deployment of security mechanisms will not blindly disrupt the Internet.

李琦,吴建平,徐明伟,徐恪,张新文

DOI: https://doi.org/10.3724/sp.j.1016.2009.00506

2009-01-01

Chinese Journal of Computers

Abstract:Inter-domain routing(BGP) directly influences availability of Internet routing which may be disrupted by misconfigured or malicious BGP updates.Although several secure solutions have been proposed to resolve the BGP security problem,they have many design drawbacks(e.g.,large router resource consumption).Considered the design and performance of secure BGP,this paper proposes a Good-Enough-Security BGP(GesBGP).Identity-based signature(IBS) algorithm presented in GesBGP guarantees the authenticity of BGP routes in the help of Trusted Computing(TC) technology.The presented IBS can effectively eliminate the centralized public key infrastructure(PKI) and resolve the problem of public key certificate distribution and restoration.Furthermore,GesBGP does not only rely on cryptography functions provided by IBS.BGP attestation service integrated in GesBGP prevents router from malicious change radically and thus builds strong trust relationship between different routers.In the optimized GesBGP,BGP security rules are enforced and the cumulated signature in original GesBGP is eliminated.The security analysis and performance study show that the optimized GesBGP improves the performance of GesBGP while achieving the goal of BGP security at the same time.

Qi Li,Jiajia Liu,Yih-Chun Hu,Mingwei Xu,Jianping Wu

DOI: https://doi.org/10.1109/mnet.2018.1800171

IF: 10.294

2019-01-01

IEEE Network

Abstract:The BGP suffers from numerous security vulnerabilities, for example, fake routing updates incurring traffic hijacking and interception. The BGPsec protocol is supposed to fix these vulnerabilities by attesting routing updates. Although the BGP security problem has been extensively studied, the security of BGP with BGPsec is not well studied yet. We argue that even secured with BGPsec, BGP still has inherent security vulnerabilities. In particular, traffic can still be hijacked. In this article, we systematically study the vulnerabilities of BGP with BGPsec. We find that the protocol still cannot achieve the desired security guarantee of inter-domain routing. In particular, it is unable to ensure correct packet delivery on the Internet. We measure the impacts of the vulnerabilities by using a real data trace, and discuss enhancements to the design and the implementation of the secure BGP protocol, which allows BGP to achieve strong secure inter-domain routing.

Mingui Zhang,Bin Liu,Beichuan Zhang

DOI: https://doi.org/10.1109/infcom.2010.5462200

2010-01-01

Abstract:False routing announcements are a serious security problem, which can lead to widespread service disruptions in the Internet. A number of detection systems have been proposed and implemented recently, however, it takes time to detect attacks, notify operators, and stop false announcements. Thus detection systems should be complemented by a mitigation scheme that can protect data delivery before the attack is resolved. We propose such a mitigation scheme, QBGP, which decouples the propagation of a path and the adoption of a path for data forwarding. QBGP does not use suspicious paths to forward data traffic, but still propagates them in the routing system to facilitate attack detection. It can protect data delivery from routing announcements of false sub-prefixes, false origins, false nodes and false links. QBGP incurs overhead only when there are suspicious paths, which happen infrequently in real BGP traces. Results from large scale simulations and BGP trace analysis show that QBGP is light-weight yet effective, and it converges faster and incurs less overhead than Pretty Good BGP.

Meng Meng,Ruijuan Zheng,Mingchuan Zhang,Junlong Zhu,Qingtao Wu

DOI: https://doi.org/10.1007/978-3-030-38961-1_12

2019-01-01

Abstract:The Border Gateway Protocol (BGP) is a vital protocol on the Internet. However, the BGP is susceptible against the prefix interception attack, how to seek a secure route against prefix interception attacks is an important problem. For this reason, we propose a novel and effective router selection method on the Internet. First, we evaluate resilience of autonomous systems against prefix interception attacks. Second, we evaluate security risk of next-hop routers and we also obtain the historical performance of next-hop routers via online learning. Finally, we compromise the two performance metrics of routers' resilience and historical performance to choose a secure route. Our method is verified by network simulations. The results show that the proposed method has more resilience against prefix interception attacks.

Yaping Liu,Shuo Zhang,Haojin Zhu,Peng-Jun Wan,Lixin Gao,Yaoxue Zhang,Zhihong Tian

DOI: https://doi.org/10.1016/j.jpdc.2020.04.005

IF: 4.542

2020-08-01

Journal of Parallel and Distributed Computing

Abstract:<p>In recent years, with the continuous expansion of metropolitan area networks, the routing security problem has become more and more serious. In particular, promise-violating attack to inter-domain routing protocol is one of the most difficult attacks to defend, which always leads to serious consequences, such as maliciously attracting traffic and disrupting the network. To deal with such attack, current research generally adopts routing verification. However, it can only detect attacks violating a specific routing policy triggered by one malicious node, and no research has yet solved the problem caused by multiple collusion nodes. In this paper, we propose BRVM, a blockchain-based routing verification model, to address the issue that violating the shortest AS Path policy. The main idea of BRVM is to construct a route proof chain to verify whether a route violates the policy with the help of the blockchain technology. The precondition that avoiding the collusion attack is that the proportion of the malicious verification nodes is lower than the fault tolerance rate of the consensus algorithm. Then, we prove the correctness of BRVM in theory, and implement a prototype based on Quagga and Hyperledger Fabric. Some experiments on this prototype show that BRVM can indeed solve the promise-violating problem caused by multiple collusion nodes, and about 15.5% faster in performance compared with SPIDeR.</p>

computer science, theory & methods

Chen Zhao,Hanbing Yan,Wang Tang

DOI: https://doi.org/10.1007/978-81-322-2580-5_106

2015-01-01

Abstract:The inter-domain routing system faces serious security threats for lack of effective security mechanisms. Although many security solutions have addressed anomaly forwarding of Border Gateway Protocol (BGP) routes, the research is short of nonfeasance behavior. Based on AS relationships between two-hop distance neighbors, a security mechanism called TwoReply is designed for detecting nonfeasance through introducing feedback approach into the process of BGP route announcements. Furthermore, combined of BGP route selection, TwoReply offers an efficient penalty algorithm to select secure path. Security and performance analysis demonstrate that this mechanism can detect nonfeasance behavior effectively with few route resource consumption. It improves the overall security of inter-domain routing system and has good scalability.

Xuezhi Jiang,Mingwei Xu,Qi Li

DOI: https://doi.org/10.1109/IPDPS.2011.302

2011-01-01

Abstract:Nowadays Internet routers are overwhelmed by a large quantity of BGP (Border Gateway Protocol) updates triggered by route changes. The fast growth of the Internet size further aggravates router workloads and exacerbates routing convergence performance. Scalable routers, such as cluster routers and ForCES, are proposed to exploit distributed control plane (DCP) with multiple control elements (CEs) to scale route processing capacity. Previous studies show that most route updates are duplicated in the Internet. Traditional parallel computation schemes only consider calculating route in parallel but most routes are computed in vain since they will not be finally selected. This paper proposes a simple and novel idea of compact route computation (CRC) to reduce BGP route processing load and improve routing convergence performance. Our scheme partitions Adj-RIBs-in among multiple CEs in the granularity of prefixes, which makes non-consecutive updates for a prefix queued adjacently in distributed control plane. Route computations triggered by a prefix's consecutive updates are compacted into one. We evaluate our scheme by simulations with real BGP update data, and results show that our scheme is very effective to reduce route computation workloads. For example, for a scalable router with 4 CEs and the updates received from 24 neighbors, our scheme reduces 60% route computation load. It can distinctly reduce route computation load with more CEs.

Qi Li,Yih-Chun Hu,Xinwen Zhang

DOI: https://doi.org/10.14722/sent.2014.23001

2014-01-01

Abstract:The Border Gateway Protocol (BGP) suffers from numerous security vulnerabilities, which the BGPsec protocol is supposed to fix. In this paper, we argue that fundamental properties of BGP have inherent security vulnerabilities, and that a complete re-design of BGP is needed to achieve strong security guarantees.

Qi Li,Xinwen Zhang,Xin Zhang,Purui Su

DOI: https://doi.org/10.1109/tdsc.2014.2345381

2015-01-01

Abstract:Border Gateway Protocol (BGP) is vulnerable to routing attacks because of the lack of inherent verification mechanism. Several secure BGP schemes have been proposed to prevent routing attacks by leveraging cryptographic verification of BGP routing updates. In this paper, we present a new type of attacks, called TIGER, which aims to invalidate the “proven” security of these secure BGP schemes and allow ASes to announce forged routes even under full deployment of any existing secure BGP proposal. By launching TIGER attacks, malicious ASes can easily generate and announce forged routes which can be successfully verified by the existing secure BGP schemes. Furthermore, TIGER attacks can evade existing routing anomaly detection schemes by guaranteeing routing data-plane availability and consistency of control- and data-plane. Toward a new securing BGP scheme, we propose Anti-TIGER to detect and defend against TIGER attacks. Anti-TIGER enables robust TIGER detection by collaborations between ASes. In particular, we leverage Spread Spectrum Communication technique to watermark certain special probing packets, which manifest the existence of TIGER attacks. Anti-TIGER does not require any modifications in routing data-plane, therefore it is easy to deploy and incrementally deployable. We evaluate the effectiveness of TIGER and Anti-TIGER by experiments with real AS topologies of the Internet. Our experiment results show that TIGER attacks can successfully hijack a considerable number of prefixes. In the meanwhile, Anti-TIGER can achieve 100 percent detection ratio of TIGER attacks.

Lancheng Qin,Li Chen,Dan Li,Honglin Ye,Yutian Wang

DOI: https://doi.org/10.14722/ndss.2024.24214

2024-01-01

Abstract:BGP hijacking is one of the most important threats to routing security.To improve the reliability and availability of inter-domain routing, a lot of work has been done to defend against BGP hijacking, and Route Origin Validation (ROV) has become the best current practice.However, although the Mutually Agreed Norms for Routing Security (MANRS) has been encouraging network operators to at least validate announcements of their customers, recent research indicates that a large number of networks still do not fully deploy ROV or propagate illegitimate announcements of their customers.To understand ROV deployment in the real world and why network operators are not following the action proposed by MANRS, we make a long-term measurement for ROV deployment and further find that many non-compliant networks may deploy ROV only at part of customer interfaces, or at provider or peer interfaces.Then, we present the first notification experiment to investigate the impact of notifications on ROV remediation.However, our analysis indicates that none of the notification treatments has a significant effect.After that, we conduct a survey among network operators and find that economical and technical problems are the two major classes of reasons for non-compliance.Seeking a realistic ROV deployment strategy, we perform large-scale simulations, and, to our surprise, find that not following MANRS Action 1 can lead to better defence of prefix hijacking.Finally, with all our findings, we provide practical recommendations and outline future directions to help promote ROV deployment.