working group 6: secure bgp deployment december 16, 2011 andy ogielski, renesys jennifer rexford,...
TRANSCRIPT
Working Group 6: Secure BGP Deployment
December 16, 2011
Andy Ogielski, RenesysJennifer Rexford, Princeton U.WG 6 Co-Chairs
2
Working Group 6: Secure BGP Deployment
Short Description: The Border Gateway Protocol (BGP) controls inter-domain packet traffic routing on the entire global Internet. BGP relies on trust among operators of gateway routers to ensure the integrity of the Internet routing infrastructure. Over the years, this trust has been compromised on a number of occasions, revealing fundamental weaknesses of this critical infrastructure.
This Working Group will recommend the framework for industry regarding incremental adoption of secure routing procedures and protocols based on existing work in industry and research. The framework will include specific technical procedures and protocols. The framework will be proposed in a way suitable for opt-in by large Internet Service Providers (ISPs) in order to create incentives for a wider scale, incremental ISP deployment of secure BGP protocols and practices in a market-driven, cost-effective manner.
Duration: August 2011 – March 2013
Working Group 6 – Participants
Participant list updated 2011/09/30
Jennifer Rexford, Princeton, Co-ChairAndy Ogielski, Renesys, Co-Chair
Shane Amante, Level 3 Eric Lent, Comcast
Daniel Awduche, Verizon Danny McPherson, Verisign
Ron Bonica, Juniper Doug Maughan, DHS S&T
Jay Borkenhagen, AT&T Doug Montgomery, NIST
Martin Dolly, ATIS/AT&T Christopher Morrow, Google
Andy Ellis, Akamai Sandra Murphy, SPARTA
Sharon Goldberg, Boston U. Mary Retka, Century Link
Adam Golodner, Cisco Isil Sebuktekin, Telcordia
Kyle Hambright, Las Vegas Metro Police Greg Sharp, Internet Identity
Lars Harvey, Internet Identity Tony Tauber, Comcast
Michael Kelsen, Time Warner Cable David Ward, Juniper
Ed Kern, Cisco William Wells, TeleCommunication Systems
Working Group 6 - Work Completed
Documenting known threats Real BGP security incidents, and known vulnerabilities
Identifying suite of BGP security solutions Current best common practices (i.e., local filters) Anomaly detection to flag and avoid suspicious routes Global database of certified origins, with conventional configuration Cache-to-router origin certification protocol to push filters Cryptographic validation of the entire route (e.g., S-BGP)
Identifying dimensions for comparing solutions Technical maturity, and cost to deploy and operate Security benefits, and new attack surfaces Feasibility of incremental deployment Impact on autonomy of networks and nations
4
Working Group 6 – Ongoing Work Activity
Comparing the BGP security solutions Analyzing each solution across all dimensions Comparing with the other proposed solutions Identifying ways to encourage incremental deployment
Identifying important usage scenarios Number of BGP-speaking routers Structure within and between networks Frequency of BGP routing changes
Designing experimental methodology Measurement infrastructure (e.g., RouteViews, Renesys) Quantifying extent/scope of security incidents Quantifying effectiveness of partial deployments Safe active experiments with participating networks
5
Working Group 6 - Project Timeline
WG regular meetings
1st and 3rd Tuesdays of each month
Soon, smaller groups on major sub-topics
WG Final Recommendations: March 2013
Intermediate Milestones (Preliminary): Secure Routing Implementation Practices – March 8, 2012
Secure Routing Performance Metrics – September 12, 2012
Secure Routing Performance Metrics – December 5, 2012
6