Securing the Border Gateway Protocol SBGP - PowerPoint PPT Presentation

1 / 17
About This Presentation
Title:

Securing the Border Gateway Protocol SBGP

Description:

Repositories for distribution of certificates, CRLs, and address ... Other certificates are used for management of repository access control, IPsec (IKE), etc. ... – PowerPoint PPT presentation

Number of Views:74
Avg rating:3.0/5.0
Slides: 18
Provided by: irB7
Category:

less

Transcript and Presenter's Notes

Title: Securing the Border Gateway Protocol SBGP


1
Securing the Border Gateway Protocol (S-BGP)
  • Dr. Stephen Kent
  • Chief Scientist - Information Security

2
Outline
  • BGP security problems requirements
  • Making S-BGP a reality
  • Securing BGP UPDATE messages
  • PKI design
  • Repository design
  • Program history
  • Program status

3
BGP Security Problems
  • BGP is the critical infrastructure for Internet,
    the basis for all inter-ISP routing
  • Configuration errors affect about 1 of all
    routing table entries at any time
  • The current system is highly vulnerable to human
    errors, and a wide range of malicious attacks
  • At best, BGP routers use a point-to-point keyed
    MAC (with no automated key management) for
    point-to-point communication security
  • Solutions must account for the operational
    realities of Internet topology, size, update
    rates, ...

4
BGP Security Requirements
  • Address space ownership verification
  • Autonomous System (AS) authentication
  • Router authentication and authorization (relative
    to an AS)
  • Route and address advertisement authorization
  • Route withdrawal authorization
  • Integrity and authenticity of all BGP traffic on
    the wire
  • Timeliness of BGP traffic

5
S-BGP Design Overview
  • IPsec secure point-to-point (router) comms
  • Public Key Infrastructure an authorization
    framework for all S-BGP entities
  • Attestations digitally-signed authorizations to
    advertise specified address blocks
  • Validation of UPDATEs based on a new path
    attribute, using PKI certificates and
    attestations
  • Repositories for distribution of certificates,
    CRLs, and address attestations
  • Tools for ISPs to manage address attestations,
    process certificates CRLs, etc.

6
Who Needs to Do What for S-BGP to Become a
Reality?
  • S-BGP PKI
  • Regional Registries and ISPs need to act as
    Certification Authorities, issuing certificates
    to the organizations to whom they have delegated
    portions of IP address space
  • Repositories must be deployed for S-BGP PKI data
  • S-BGP protocol implementation
  • Router vendors need to offer S-BGP software in
    router products (with enough memory and
    non-volatile storage)
  • OR an ancillary device that implements S-BGP and
    connects to existing BGP routers needs to be
    offered
  • ISPs need to acquire, deploy, and manage S-BGP
    products

7
Securing UPDATE messages
  • A secure UPDATE consists of an UPDATE message
    with a new, optional, transitive path attribute
    for route authorization
  • This attribute contains a signed sequence of
    route attestations
  • This attribute is structured to support both
    route aggregation and AS sets (BGP function
    details)
  • Validation of the attribute verifies that the
    route was authorized by each AS along the path
    and by the address space owner

8
An UPDATE with Attestations
BGP
Addr Blks
of Rtes
BGP Path
Dest Addr
UPDATE Message
Header
Being Withdrawn
Attributes
Blks
(NLRI)
Attribute
Path Attribute
Route Attestations
Header
for Attestations
Attestation
Certificate
Algorithm ID
Signed
Issuer
Route Attestation
Header
ID
Signature
Info
9
A PKI for S-BGP
  • Certificates identify owners of AS numbers and
    address blocks
  • Address block data is used as an input to UPDATE
    message processing
  • Other certificates are used for management of
    repository access control, IPsec (IKE), etc.
  • PKI design uses a multi-rooted tree, rooted at
    regional registries, with delegation to national
    registries, ISPs, DSPs, subscribers

10
Address Delegation and Allocation
ICANN
IANA (historical)
Regional Registries
Subscriber Organizations
ISPs/DSPs
Subscriber Organizations
ISPs
DSPs
DSPs
Subscriber Organizations
Subscriber Organizations
Subscriber Organizations
Subscriber Organizations
Subscriber Organizations
11
AS Number Delegation Hierarchy
ICANN
Delegate
Regional Registries
Subscriber Organizations
DSPs
ISPs
12
S-BGP PKI Top Tiers
13
S-BGP PKI Registry Branch
14
S-BGP PKI Repositories
  • Putting certificates, CRLs, or address
    attestations in UPDATEs would be redundant and
    make UPDATEs too big
  • Solution use servers
  • replicate for reliability scaling, loose synch
  • locate at high availability, non-routed access
    points
  • ISPs and dual-homed subscribers upload
    certificates, CRLs, and AAs that they generate
  • every ISP and multi-homed subscriber downloads
    the whole certificate/AA/CRL database
  • Access controlled based on PKI structure, to
    mitigate denial of service attacks against the
    repositories

15
S-BGP NOC Software
  • Software to help ISPs manage data required by
    S-BGP
  • Mini-RA facility for managing organization,
    router, and operator certificates, generating
    address attestations
  • Software for uploading downloading
    certificates, CRLs, and address attestations
    to/from repositories
  • Software for validating certificates and address
    attestations and producing extract for download
    to routers
  • Policy management
  • Software to configure S-BGP routers to know which
    ASs implement S-BGP

16
Program Status
  • Good news
  • NOC tools repository almost complete
  • Reference S-BGP software available in Spring 02
  • Registrar CA technology available in June 02
  • Not so good news
  • Not much router vendor interest recently
  • Minimal recent ISP interest (except Genuity
    DISA)
  • Registry Interactions
  • Initial interactions with ARIN, awaiting updated
    database
  • APNIC expressing interest in the PKI

17
Any More Questions?
http//www.ir.bbn.com/projects/s-bgp
Write a Comment
User Comments (0)
About PowerShow.com