How Secure are Secure Interdomain Routing Protocols Flashcards

1
Q

the four major extensions to BGP, ordered from weakest to strongest

A

0) (unmodified) BGP
1) origin authentication
2) soBGP
3) S-BGP
4) data-plane verification

2
Q

Stub ASes

A

ASes without customers

3
Q

the manipulator’s goal is to attract traffic, i.e., to convince the maximum number of ASes in the graph to forward traffic that is destined to the victim IP prefix via the manipulator’s own network.

A

an attraction attack

4
Q

the manipulator has the additional goal of ensuring that he has an available path to the victim. This is in contrast to an attraction attack, where the manipulator is allowed, but not required, to create a blackhole where he has no working path to the victim IP prefix.

A

interception attacks.

5
Q

uses a trusted database to guarantee that an AS cannot falsely claim to be the rightful owner for an IP prefix. However, the manipulator can still get away with announcing any path that ends at the AS that rightfully owns the victim IP prefix.

A

Origin Authentication.

6
Q

provides origin authentication as well as a trusted database that guarantees that any announced path physically exists in the AS-level topology of the internetwork. However, a manipulator can still get away with announcing a path that exists but is not actually available.

A

soBGP

7
Q

In addition to origin authentication, Secure BGP also uses cryptographically-signed routing announcements to provide a property called path verification. Path verification guarantees that every AS ‘a’ can only announce a path abP to its neighbors if it has a neighbor b that announced the path bP to ‘a’. Thus, it effectively limits a single manipulator to announcing available paths.

A

S-BGP

8
Q

prevents an AS from announcing one path, while forwarding on another.

A

Data-plane verification.

9
Q

polices the BGP announcements made by stubs. A stub is an AS with no customers

A

Defensive Filtering

10
Q

does not include mechanisms for validating information in routing announcements. Thus, the manipulator can get away with announcing any path he wants, including (falsely) claiming that he is the owner of the victim’s IP prefix.

A

(unmodified) BGP

11
Q

Thus, we suggest that secure routing protocols (e.g., soBGP and S-BGP) should be deployed in combination with mechanisms that police export policies (e.g., defensive filtering). We believe both are needed; defensive filtering to eliminate attacks by stub ASes, and secure routing protocols to blunt attacks launched by larger ASes (especially since we found that large ASes can launch the most damaging attacks).

A

export policies are a very effective attack vector that these protocols do not address.

12
Q

It was found that a manipulator can still attract traffic by cleverly manipulating…

A

… his export policies. Indeed, we found that announcing a short path is often less important than exporting that path to the right set of neighbors.
