design and analysis of the secure border gateway protocol (s-bgp) dr. stephen kent chief scientist -...
TRANSCRIPT
Design and Analysis of the Secure Border Gateway Protocol
(S-BGP)
Dr. Stephen Kent
Chief Scientist - Information Security
BBN TechnologiesA Part of
BBN TechnologiesA Part of
Outline BGP Model BGP security concerns & requirements S-BGP design S-BGP performance & scaling Related work What’s next
BBN TechnologiesA Part of
Basic BGP Model
DSP-AISP-2
DSP-B
Org-X
Org-Z
ISP-3 ISP-4
ISP-1
Org-Y
DSP-C
non-BGP RouterBGP Router
- path vector inter-domain routing protocol
- UPDATEs generated in response to loss of connectivity or receipt of an UPDATE from a peer router, that results in a LOCRIB change
NAP
BBN TechnologiesA Part of
The BGP Security Problem
BGP is the critical infrastructure for Internet, inter-domain routing
Benign configuration errors have wreaked havoc for portions of the Internet address space
The current system is highly vulnerable to human errors, as well as a wide range of attacks
At best, BGP uses point-to-point keyed MAC (a poor algorithm) & no automated key management
Solutions must take into account the realities of Internet topology, size, update rates, ...
BBN TechnologiesA Part of
Attack Model
BGP can be attacked in various ways• active or passive wiretapping of communications links
between routers• tampering with BGP speaker software• tampering with router management data en route• tampering with router management workstations/servers
(the last three can result in Byzantine failures) Addition of the proposed countermeasures
introduces a new concern• compromise of secret/private keying material in the routers or
in the management infrastructure
BBN TechnologiesA Part of
BGP Security Requirements Address space “ownership” verification Autonomous System (AS) authentication Router authentication and authorization
(relative to an AS) Route and address advertisement authorization Route withdrawal authorization Integrity and authenticity of all BGP traffic on
the wire Timeliness of BGP traffic*
BBN TechnologiesA Part of
S-BGP Design Overview IPsec: authenticity and integrity of peer-to-peer
communication, automated key management Public Key Infrastructures (PKIs): secure
identification of BGP speakers and of owners of AS’s and of address blocks
Attestations --> authorization of the subject (by the issuer) to advertise specified address blocks
Validation of UPDATEs based on a new path attribute, using certificates and attestations
Distribution of countermeasure data: certificates, CRLs, attestations
BBN TechnologiesA Part of
S-BGP Residual Vulnerabilities Failure to advertise route withdrawal Premature re-advertisement of withdrawn routes Erroneous application of local policy Erroneous traffic forwarding, bogus traffic
generation, etc. (not really a BGP issue, since BGP deals with routing, but not traffic forwarding)
BBN TechnologiesA Part of
Internet Address Space Ownership
DSP-AORG-X
ORG-ZISP-2
DSP-D
DSP-B
ORG-XX
ISP-1
DSP-C
ORG-YY
ICANN/IANA
ARIN/RIPE/APNIC
ORG-Y
ORG-ZZ
BBN TechnologiesA Part of
Certificates and Address Space Attestations ICANN issues certificates for address space
ownership to regional authorities and to entities that have direct address allocations (from IANA)
Each of these certificates contains an extension specifying the address space being delegated, so that certificate validation is address-constrained
Holders of address space certificates can create an address attestation, authorizing an AS (or a router) to advertise the specified address space
Only networks that execute BGP need certificates All ISPs are BGP users, but only about ~10% of
DSPs, maybe 5% of subscribers, are BGP users
BBN TechnologiesA Part of
Simplified PKI for Address BlocksICANN
All Addr blocks
APNICAddr blocks
ARINAddr blocks
GTE-IAddr block(s)
RIPEAddr blocks
AT&TAddr block(s)
DSP 1Addr block(s)
ISP 2Addr block(s)
MCIAddr block(s)
DSP 3Addr block(s)
Subscriber AAddr block(s)
Subscriber BAddr block(s)
ISP 4Addr block(s)
• • •
• •• • • •• • • •• •• •• •
• • • • • • • • •
• • •
ICANNAll Addr blocks
APNICAddr blocks
ARINAddr blocks
GTE-IAddr block(s)
RIPEAddr blocks
AT&TAddr block(s)
DSP 1Addr block(s)
ISP 2Addr block(s)
MCIAddr block(s)
DSP 3Addr block(s)
Subscriber AAddr block(s)
Subscriber BAddr block(s)
ISP 4Addr block(s)
• • •• • •
• •• • • •• • • •• • • •• • • •• • • •• •• •• • • •• •
• • •• • • • • •• • • • • •• • •
• • •• • •
BBN TechnologiesA Part of
Certificates and Route Attestations ICANN issues certificates for AS ownership to
ISPs, DSPs, and organizations that run BGP AS operators issue certificates to routers, as AS
representatives Holders of AS (or router) certificates generate
route attestations, authorizing advertisement of a route by a specified next hop AS
Route attestations are used to express a secure route as a sequence of AS hops
BBN TechnologiesA Part of
PKI for Speaker ID & AS Assignment
ICANNAll AS Numbers
APNICAS Numbers
ARINAS Numbers
GTE-IAS Numbers
RIPEAS Numbers
AT&TAS Numbers
DSP 1AS# W
ISP 2AS Numbers
MCIAS Numbers
AS# XDSP 3AS# Y
Routers in AS# XAS# X, Router BGP ID
ISP 4AS# Z
• • •
• •• • • •• •
• • •
AS# Y Routers in AS# YAS# Y, Router BGP ID
AS# Z Routers in AS# ZAS# Z, Router BGP ID
• • • • • •
ICANNAll AS Numbers
APNICAS Numbers
ARINAS Numbers
GTE-IAS Numbers
RIPEAS Numbers
AT&TAS Numbers
DSP 1AS# W
ISP 2AS Numbers
MCIAS Numbers
AS# XDSP 3AS# Y
Routers in AS# XAS# X, Router BGP I
ISP 4AS# Z
• • •• • •
• •• • • •• • • •• • • •• •
• • •• • •
AS# Y Routers in AS# YAS# Y, Router BGP I
AS# Z Routers in AS# ZAS# Z, Router BGP I
• • • • • •
BBN TechnologiesA Part of
Securing UPDATE messages A secure UPDATE consists of an UPDATE
message with a new, optional, transitive path attribute for route authorization
This attribute consists of a signed sequence of route attestations, nominally terminating in an address space attestation
This attribute is structured to support both route aggregation and AS sets
Validation of the attribute verifies that the route was authorized by each AS along the path and by the ultimate address space owner
BBN TechnologiesA Part of
An UPDATE with Attestations
BGPHeader
Addr Blks of Rtes Being Withdrawn
BGP PathAttributes
Dest AddrBlks (NLRI)
AttributeHeader
Route Attestations
AttestationHeader
IssuerCertificate
IDAlgorithm ID& Signature
SignedInfo
ValidityDates
SubjectAS Path
InfoOther ProtectedPath Attributes
NLRIInfoSigned Information
Route Attestation
Path Attribute for Attestations
UPDATE Message
BBN TechnologiesA Part of
Simplified Attribute Format
AA: Owning Org, NLRI, first Hop AS, SIG
RA: Issuer, Cert ID, Validity, Subject, Path, NLRI, SIG
BGP Hdr: Withdrawn NLRI, Path Attributes, Dest. NLRI
RA: Issuer, Cert ID, Validity, Subject, Path, NLRI, SIG
RA: Issuer, Cert ID, Validity, Subject, Path, NLRI, SIG
(usually omitted)
BBN TechnologiesA Part of
Distributing Certificates, CRLs, & AAs
Putting certificates & CRLs in UPDATEs would be redundant and make UPDATEs too big
Same is true for address attestations Solution: use servers for these data items
• replicate for redundancy & scalability • locate at NAPs for direct (non-routed) access • download options:
– whole certificate/AA/CRL databases
– queries for specific certificates/AAs/CRLs
To minimize processing & storage overhead, NOCs should validate certificates & AAs, and send processed extracts to routers
BBN TechnologiesA Part of
Distributing Route Attestations Distributed with BGP UPDATEs as path attributes RAs have implicit encoding option to reduce size,
avoid exceeding UPDATE size limit (4096b) Cache with associated routes in ADJ-RIBs to
reduce validation overhead Expiration date present, but no revocation
mechanism chosen yet
BBN TechnologiesA Part of
BGP Statistics (from Merit) ~ 1,800 organizations own AS numbers ~ 44,000 own address prefixes (NLRI) ~ 7,500 BGP speakers ~ 75,000 routes in an ISP BGP database Few AS sets (~100), little address aggregation Average path length (NAP perspective) is 2.6
hops; 50% of routes ≤ 2 hops, 96% ≤4 hops ~ 43,000 UPDATEs received each day at a BGP
speaker at a NAP (30 peers)
BBN TechnologiesA Part of
S-BGP Storage Statistics ~ 58,000 certificates in database (~550b each) Certificate & CRL database ~35Mb Address attestation database ~4 Mbytes Extracted certificate & AA database (with data
structure overhead in GateD) ~ 42Mb Route attestations occupy ~16 Mb per ADJ-RIB:
about 64 Mb (4 peers) to 480 Mb (at NAP) ADJ-RIB caching for received UPDATEs
increases storage requirements by about 50%, and yields about 53% validation savings
BBN TechnologiesA Part of
Route Attestation Overhead Transmission
• RAs add ~450 bytes to a typical (3.6 ASes in path) UPDATE of 63 bytes, 700% overhead!
• But UPDATEs represent a very small portion of all traffic, so steady state bandwidth for RA transmission is only ~ 1.4Kb/s
Processing• Average of 3.6 signature validations per received UPDATE
and 1 generation per emitted UPDATE• Peak rates ~ 18/s validation and ~5/s generation w/o caching
(peak estimated as ten times average)• UPDATE caching should reduce validation value by ~50%• Start up transient would overwhelm a speaker, thus NV
storage or heuristics are required
BBN TechnologiesA Part of
Auxiliary S-BGP Device Option No changes required to router hardware or
software, just re-configuration Use PC to provide CPU, memory, and NV storage
needed to handle BGP routing and S-BGP Collocated with current border routers
• auxiliary boxes peer with each other (boxes in same AS and boxes collocated with neighbor routers) and the border router
• border router peers only with auxiliary box and internal BGP routers (in the same AS)
Downside: requires extra rack space, uses a router port, & increases the managed device count
BBN TechnologiesA Part of
Related Work Link state (e.g., OSPF) security mechanisms Distance vector routing security proposals
• Some clever schemes developed, but not applicable to BGP, a path vector protocol (e.g., due to local policy processing)
• Many designs assume signature processing, not memory, is the biggest performance problem to be solved
Routing Policy Specification Language (RPSL)• Product of IETF RPSL WG• Requires ISPs/DSPs to publish (local) policy info• Secures distribution of policy info, but relies on ISP/DSP staff
to retrieve, interpret, and employ policy info for enforcement
BBN TechnologiesA Part of
What’s Next? Tech transfer
• Distribute S-BGP software to all interested parties• Work with ISPs and router vendors to develop
implementations and operational experience• Work with ICANN, ARIN, etc. to establish PKIs and to deploy
certificate/CRL/AA servers (other uses for parts of this PKI) Testing and deployment issues
• CAIRN test bed is small and tests were too short• ISP feed was not a good test for NAP router scenario,
though probably representative of a feed to a DSP• Intra-domain distribution of S-BGP attribute options