A Survey of BGP SecurityKEVIN BUTLERSystems and Internet Infrastructure LabratoryPennsylvania State UniversityTONI FARLEYArizona State UniversityPATRICK MCDANIELSystems and Internet Infrastructure LabratoryPennsylvania State UniversityandJENNIFER REXFORDPrinceton UniversityThe Border Gateway Protocol (BGP) is the de facto interdomain routing protocol of the Internet.Although the performance BGP has been historically acceptable, there are mounting concernsabout its ability to meet the needs of the rapidly evolving Internet. A central limitation of BGPis its failure to adequately address security. Recent outages and security analyses clearly indicatethat the Internet routing infrastructure is highly vulnerable. Moreover, the design and ubiquityof BGP ha s frustrated pa st efforts at securing interdomain routing. This paper considers thevulnerabilities of existing interdomain routing and surveys works relating to BGP security. Thelimitations and advantages of proposed solutions are explore d, and the systemic and operationalimplications of their design considered. We centrally note that no current solution has yet foundan adequate balance between comprehensive security and deployment cost. This work calls notonly for the application of ideas described within this pape r, but also for further introspection onthe problems and solutions of BGP security.Categories and Subject Descriptors: C.2.0 [Computer-Communication Networks]: General—Security and Protection; C.2.2 [Computer-Communication Networks]: Network Protocols—Routing protocols; C.2.5 [Computer-Communication Networks]: Local and Wide-Area Net-works—InternetGeneral Terms: SecurityAdditional Key Words and Phrases: authentication, authorization, BGP, border gateway protocol,integrity, interdomain routing, network secu rity, networks, routingThis work was performed while Farley and Butler were interns at AT&T Labs.Authors’ addresses: T. Farley, Information an d Systems Assura nce Laboratory, Arizona StateUniversity, 1711 S. Rural Road, Goldwater Center, Tempe, AZ 85287, USA; email: [email protected]. Butler and P. McDaniel, Systems and Internet Infrastructure Laboratory, Pennsylvania StateUniversity, 344 Information Sciences and Technology Building, University Park, PA 16802, USA;email: {butler, mcdaniel}@cse.psu.edu.Permission to make digital/hard copy of all or part of this material without fee for personalor classroom use provided that the copies are not made or distributed for profit or commercialadvantage, the ACM copyright/server notice, the title of the publication, and its date appear, andnotice is given that copying is by permission of the ACM, Inc. To copy otherwise, to republish,to post on servers, or to redistribute to lists requires prior specific permission and/or a fee.c! 2005 ACM 0000-0000/2005/0000-0001 $5.00DRAFT VERSION, Vol. V, No. N, April 2005, Pages 1–35.2 · Kevin Butler et al.1. INTRODUCTIONThe Internet is a global, decentralized network comprised of many smaller inter-connected networks. Networks are largely comprise d of end systems, referred toas hosts, and intermediate systems, called routers. Information travels through anetwork on one of many paths, which are selected through a routing process. Rout-ing protocols communicate reachability information (how to locate other hosts androuters) and ultimately perform path selection. A network under the administrativecontrol of a single organization is called an autonomous system (AS) [Hawkinsonand Bates 1996]. The process of routing within an AS is called intradomain routing,and routing between ASes is called interdomain routing. The dominant interdomainrouting protocol on the Internet is the Border Gateway Protocol (BGP) [Rekhterand Li 1995]. BGP has been deployed since the comme rc ialization of the Inter-net, and version 4 of the protocol has been in wide use for over a decade. BGPworks well in practice, and its simplicity and resilience have enabled it to play afundamental role within the global Internet [Stewart 1999]. However, BGP hashistorically provided few performance or security guarantees.The limited guarantees provided by BGP often contribute to global instabilityand outage s. While many routing failures have limited impact and scope, otherslead to significant and widespread damage. One such failure occurred on 25 April1997, when a misconfigured router maintained by a small service provider in Vir-ginia injected incorrect routing information into the global Internet and claimedto have optimal connectivity to all Internet destinations. Because such statementswere not validated in any way, they were widely accepted. As a result, most In-ternet traffic was routed to this small ISP. The traffic overwhelmed the misconfig-ured and intermediate routers, and effectively crippled the Internet for almost twohours [Barrett et al. 1997].Loss of connectivity on the Internet can be manifested as anything from aninconsequential annoyance to a devastating communications failure. For example,today’s Internet is home to an increasing number of critical business applications,such as online banking and stock trading. Significant financial harm to an individualor institution can arise if communication is lost at a critical time (such as duringa time-sensitive trading session). As the number of critical applications on theInternet grows, so will the reliance on it to provide reliable and secure services.Because of the increased importance of the Internet, there is much more interestin increasing the security of its underlying infrastructure, including BGP. Suchassertions are not novel: the United States government cites BGP security as partof the national strategy for securing the Internet [Department of Homeland Security2003].Current research on BGP focuses on exposing and resolving operational andsecurity concerns. Operational concerns relating to BGP, such as scalability, con-vergence time (the time required for all routers to have a consistent view of thenetwork), route stability, and performance, have been the subject of much effort.Similarly, much of the contemporary security research has focused on the integrity,authentication, confidentiality, authorization, and validation of BGP data. Thesetwo fields of operational issues and security research are inherently connected. Suc-cesses and failures in each domain are informative to both communities.DRAFT VERSION, Vol. V, No. N, April 2005.A Survey of BGP Security · 3This paper explores current research
View Full Document
Unlocking...