Literature Review

The Border Gateway Protocol (BGP) has been studied from many angles by various researchers, including its functionality, operations, mechanisms, attacks and security. A thorough initial review of this work has been carried out to identify the problem definition.

Smith B., J. Garcia-Luna-Aceves, 1996.

In this paper the authors analyze the security of the BGP routing protocol and identify a number of vulnerabilities in its design and the corresponding threats. They present a set of proposed modifications to the protocol (RFC 1771) which minimize or eliminate the most significant threats. They introduce the protection of the second-to-last information contained in the AS-PATH attributes by digital signatures, and the use of techniques developed for detecting loops in path-finding protocols to verify the selected route's path information. They identify threats such as deception, disruption, and disclosure of routing message traffic, and propose countermeasures that eliminate or minimize most of these threats. They show that it is possible to effectively and efficiently secure the BGP routing protocol.

Kent S., Lynn C., and K. Seo, 2000.

Secure Border Gateway Protocol (S-BGP) is the first major solution to secure BGP and is renowned worldwide. The authors start their paper by addressing the vulnerabilities associated with BGP, which is a critical component of the Internet's routing infrastructure. The S-BGP countermeasures use IPsec and Public Key Infrastructure (PKI) to ensure the authenticity and integrity of BGP communication on a point-to-point basis, and they also cover validation of BGP routing UPDATEs on a source-to-destination basis. The authors argue that these enhancements will allow Internet Service Providers (ISPs) and their customers to verify the authenticity of the reachability information they receive and also the authorization of an organization to claim ownership of a block of IP addresses. They further elaborate on assuring the authorization of an originating AS and on whether these ASes are compromised.

Mahajan R., Wetherall D., and T. Anderson, 2002.

In this paper the authors present a systematic study of BGP configuration errors that propagate across the Internet. Their study focuses on two kinds of misconfiguration: the accidental insertion of routes into the BGP tables and the accidental propagation of routes that should have been filtered, which they name origin misconfiguration and export misconfiguration respectively. They took input from RouteViews over a period of 21 days and showed how to find misconfigurations in the stream of BGP updates. They observed misconfigurations amounting to around 0.2-1% of the global table size each day. They also analyzed the impact of misconfigurations on Internet connectivity by actively probing faulty paths. To validate their results they surveyed by email the operators involved in the incidents. The paper ends by discussing how human errors can be minimized in large distributed systems, suggesting some changes in router and protocol design.

Goodell G., Aiello W., T. Griffin, J. Ioannidis, P. McDaniel, and A. Rubin, 2003.

The authors claim that current implementations of BGP provide little security. Emerging standards attempt to address this limitation by augmenting the existing protocol with security infrastructure, but such infrastructure frequently assumes universal deployment, which requires significant computational overhead. The authors introduce the Interdomain Routing Validation (IRV) system, which is used in conjunction with BGP. IRV provides interfaces through which BGP data can be validated and additional routing information can be acquired. They provide a common interface, as IRV is a receiver-driven architecture that gives the users of routing announcements a role in obtaining the information they need to function correctly. They report that the routing facilities supported by an AS are specific to its administration, and that IRV is therefore a necessary and natural progression of interdomain routing.

White R, 2003.

This article discusses another BGP security solution, Secure Origin BGP (soBGP), proposed by a group mostly within Cisco Systems. The author believes soBGP to be a deployable mechanism for validating the correctness and authorization of the data carried within BGP, and also for preventing the sorts of attacks that result from misconfiguration or intentional insertion of bad data into the Internet routing system. Through this survey of soBGP, the author shows it to be a flexible, moderately lightweight, yet strong system for validating the information carried through BGP in a large internetwork. The article argues that this solution has low processing overhead and very flexible deployment options compared to the previously proposed solutions in this field.

Hu Y.-C., Perrig A., and M. Sirbu, 2004.

This paper proposes a BGP security solution that ensures secure path vector routing. The authors use purely symmetric cryptographic primitives to secure BGP. They develop the SPV protocol, which uses symmetric-key cryptography to secure against truncation and modification attacks. SPV is configurable to allow tradeoffs between security and CPU usage. SPV introduces three novel concepts to the design space of secure routing protocols: first, it includes private keys within the UPDATEs themselves; second, it does not authenticate the AS that inserts itself onto the path; and finally, it provides security not by requiring overwhelming computational complexity but instead by limiting the number of options an attacker has for modifying critical routing information. The authors claim SPV is much faster than S-BGP, so SPV would perform better in periods of high BGP traffic.

Subramanian L., Roth V., I. Stoica, S. Shenker, and R. H. Katz, 2004.

The authors report that the assumption that the routing information propagated by authenticated routers is correct makes the current infrastructure vulnerable to both accidental misconfigurations and deliberate attacks. To reduce this vulnerability, they present a combination of two mechanisms: Listen and Whisper. Listen passively probes the data plane and checks whether the underlying routes to different destinations work. Whisper uses cryptographic functions along with routing redundancy to detect bogus route advertisements in the control plane. The combination of Listen and Whisper can detect and contain isolated adversaries that propagate even a few invalid route announcements. They demonstrate the utility of Listen and Whisper through real-world deployment, measurements and empirical analysis. In particular, they show that Listen can detect unreachable prefixes with a low probability of false negatives, and that Whisper can limit the percentage of nodes affected by a randomly placed isolated adversary to less than 1%. Listen is incrementally deployable and does not require any changes to BGP, while Whisper can be integrated with BGP without changing the packet format. These mechanisms do not rely on public key infrastructure.

White Paper, 2004.

This white paper discusses the functionality and operation of BGP and develops various test beds to test BGP performance. Given the complexity of BGP, it also addresses the need for testing and validation of applications, hardware and related services. BGP standards and implementations change continuously in response to the needs of industries and markets, so the paper suggests periodic critical performance and conformance testing for real-time deployability of BGP. Different test beds are developed for BGP conformance testing. In these test beds the authors verified the Device Under Test's (DUT's) compliance with the capabilities defined in various BGP specifications such as RFC 1771 and RFC 1772. In the BGP route capacity test they determined the number of routes that a BGP-enabled DUT can sustain at a single time. Similar tests are carried out on route convergence and BGP damping.

Zhang K., Zhao X., F. Wu, 2004.

In this paper the authors address an attack called the selective dropping attack, which had been left unexamined in the previous literature. A selective dropping attack occurs when a malicious router intentionally drops incoming and outgoing UPDATE messages, which results in data traffic being black-holed or trapped in a loop. They conduct a thorough analysis of this type of attack and advocate the development of new security countermeasures to detect and prevent it. They demonstrate that this particular kind of BGP routing attack, the malicious dropping attack, may cause severe routing problems. They prove via formal analysis and experiments that this attack can lead to traffic blackholes and persistent routing loops. They claim that previous security solutions are not sufficient to address this attack, which may call for novel approaches to detect and prevent such attacks.

Nordstrom O., and Dovrolis C., 2004.

In this paper the authors raise awareness of various BGP attacks which were ignored in the previous literature. They discuss the security of the interdomain routing infrastructure and identify several attack objectives and mechanisms, assuming that BGP routers have been compromised. They also review the available countermeasures, including S-BGP, route filtering, etc. They propose to work on routing paths and forwarding behavior. They explain that a BGP speaker can install a null route for a set of prefixes and drop all the traffic destined to those networks. A BGP router can also choose to deny forwarding routing updates containing certain prefixes or ASNs, or simply withdraw those routes. In the end they raise some questions related to securing the path of BGP and propose that there should be a tradeoff between the resilience and the security of a routing protocol.

Mizrak A.T., Cheng Yu-Chung, Keith Marzullo and Stefan Savage, 2005.

In this paper the authors report that by manipulating, diverting or dropping packets arriving at a compromised router, an attacker can mount denial-of-service or man-in-the-middle attacks on end host systems. They specify the problem of detecting routers with incorrect packet forwarding behavior and explore the design space of protocols that implement a detector. They further present a protocol for practical implementation at scale. Their approach is to separate the problem into three parts: first, efficiently characterizing traffic to detect deviations; second, synchronizing routers to collect and distribute these traffic characterizations; and lastly, taking countermeasures when significant traffic deviations are detected.

Wendlandt D., Avramopoulos I., D. Andersen, and J. Rexford, 2006.

This paper addresses the question of whether it is more efficient to secure the routing protocol or to secure data delivery. The authors propose Availability Centric Routing (ACR), which is based on three principles: end systems learn multiple paths to a destination; end systems monitor end-to-end integrity and path performance to determine whether a path is working; and end systems can change paths to find one that works. ACR demonstrates that communication security can be achieved without securing the routing protocols. Since confidentiality and integrity can be, and often already are, provided end-to-end by applications requiring strong security, the paper argues that availability is the only property that the routing system must provide. ACR presents a compelling point in the routing security design space. ACR demonstrates that robust routing and forwarding are in fact achievable given building blocks already common on the Internet today, and that the adoption of these mechanisms can occur in an incremental way.

Karlin J., Forrest S., and J. Rexford, 2006.

In this paper the authors report that BGP is vulnerable to bogus routes because the contents of route announcements cannot be easily verified. They introduce an incrementally deployable modification to the BGP decision process, called PGBGP, which can mitigate BGP's most critical vulnerabilities. The basic principle behind PGBGP is that routers should be cautious about adopting a route with new information, such as an unfamiliar origin AS. By avoiding new routes when possible, many attacks can be blocked for long enough to be corrected before they cause widespread damage. They evaluated the performance of PGBGP against prefix and sub-prefix hijack attacks and showed its effectiveness at blocking the spread of hijacked routes. According to their results, PGBGP can protect 97% of ASes from malicious prefix routes and 85% from bogus sub-prefix routes when deployed only on the 62 core ASes in their study network.
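The cautious decision process summarized above can be sketched as follows. This is an added example, not the PGBGP authors' code: the history table, the 24-hour QUARANTINE window, the Route and CautiousRouter names and the rule that address space with no history is accepted are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

QUARANTINE = 24 * 3600  # assumed: seconds an unfamiliar origin stays suspicious


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple  # origin AS is the last element

    @property
    def origin(self):
        return self.as_path[-1]


class CautiousRouter:
    def __init__(self, history):
        # history: prefix -> origin ASes seen in normal operation (assumed input)
        self.history = {ipaddress.ip_network(p): set(o) for p, o in history.items()}
        self.first_seen = {}  # (prefix, origin) -> when the unfamiliar pair appeared

    def suspicious(self, route, now):
        net = ipaddress.ip_network(route.prefix)
        familiar = set()  # origins known for this prefix or a covering prefix
        for known, origins in self.history.items():
            if known.version == net.version and net.subnet_of(known):
                familiar |= origins
        if not familiar or route.origin in familiar:
            return False  # assumed: address space with no history is accepted
        seen = self.first_seen.setdefault((net, route.origin), now)
        if now - seen >= QUARANTINE:
            self.history.setdefault(net, set()).add(route.origin)  # now familiar
            return False
        return True

    def best_route(self, routes, dest, now):
        """Route used to reach dest, avoiding suspicious routes when possible."""
        addr = ipaddress.ip_address(dest)
        covering = [r for r in routes if addr in ipaddress.ip_network(r.prefix)]
        trusted = [r for r in covering if not self.suspicious(r, now)]
        pool = trusted or covering  # use a suspicious route only as a last resort
        # Longest prefix wins, then the shortest AS path.
        return max(pool, default=None, key=lambda r: (
            ipaddress.ip_network(r.prefix).prefixlen, -len(r.as_path)))


# Constructed sample: documentation prefix and documentation AS numbers.
HISTORY = {"203.0.113.0/24": {64496}}
LEGIT = Route("203.0.113.0/24", (64500, 64501, 64496))
SAME_PREFIX_HIJACK = Route("203.0.113.0/24", (64511,))
SUB_PREFIX_HIJACK = Route("203.0.113.0/25", (64511,))
```

With the sample routes, a plain longest-prefix and shortest-path choice would pick one of the two routes originated by AS 64511, while the cautious router keeps forwarding on LEGIT until the quarantine window has passed.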

Lad M., Massey D., D. Pei, Y. Wu, B. Zhang, and L. Zhang, 2006.

Prefix hijacking events have been widely reported and are a serious problem in the Internet. This paper presents a new Prefix Hijack Alert System (PHAS). PHAS is a real-time notification system that alerts prefix owners when their BGP origin changes. In addition to protecting against false BGP origins, the PHAS concept can be extended to detect prefix hijacking events that involve announcing more specific prefixes or modifying the last hop in the path. PHAS aims at providing timely notification of origin AS changes to the owners of individual prefixes in a reliable way. The prefix owners can then easily identify real hijack alerts and filter out normal origin changes. By avoiding complex data processing at BGP data collectors, PHAS can be quickly implemented and run with little overhead at the data collectors. PHAS leverages the existing routing logs for data input and the universally available email system for notification delivery. PHAS is light on authentication of users because its information is derived from publicly available data, and is light on data filtering because it simply provides information to users for hijack detection.
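The notification idea described above, including the extension to more specific prefixes and the owner-side filtering step, can be illustrated with a short replay over a constructed update stream. This is an added example and not the PHAS implementation: the update tuple layout, the OWNERS registration table, the alert fields and the function names are assumptions.

```python
import ipaddress
from collections import defaultdict


def phas_alerts(updates, owners):
    """Replay BGP updates and return origin-set change alerts for registered prefixes.

    updates: iterable of (time, peer, kind, prefix, as_path); kind is "A" or "W".
    owners:  registered prefix -> contact address (hypothetical registration table).
    """
    registered = {ipaddress.ip_network(p): c for p, c in owners.items()}
    per_peer = defaultdict(dict)  # prefix -> {peer: origin AS currently announced}
    alerts = []
    for time, peer, kind, prefix, as_path in updates:
        net = ipaddress.ip_network(prefix)
        # Find the registered prefix that equals or covers the announced one.
        cover = next((r for r in registered
                      if r.version == net.version and net.subnet_of(r)), None)
        if cover is None:
            continue  # nobody asked to be notified about this address space
        before = frozenset(per_peer[net].values())
        if kind == "A":
            per_peer[net][peer] = as_path[-1]  # origin AS is the last hop
        else:
            per_peer[net].pop(peer, None)
        after = frozenset(per_peer[net].values())
        if after != before:
            alerts.append({
                "time": time, "to": registered[cover], "prefix": str(net),
                "kind": "origin-change" if net == cover else "more-specific",
                "old": sorted(before), "new": sorted(after)})
    return alerts


def owner_filter(alerts, legitimate):
    """Owner-side step: keep only alerts whose new origin set has an unexpected AS."""
    return [a for a in alerts if set(a["new"]) - set(legitimate)]


# Constructed sample stream (documentation prefixes and AS numbers, not real data).
SAMPLE = [
    (0, "peerA", "A", "198.51.100.0/24", (64500, 64496)),
    (5, "peerB", "A", "198.51.100.0/24", (64501, 64496)),     # same origin: no alert
    (60, "peerB", "A", "198.51.100.0/24", (64501, 64511)),    # new origin appears
    (90, "peerA", "A", "198.51.100.128/25", (64500, 64511)),  # more-specific prefix
    (120, "peerB", "A", "198.51.100.0/24", (64501, 64496)),   # origin set shrinks back
    (130, "peerA", "A", "192.0.2.0/24", (64500, 64499)),      # unregistered: ignored
]
OWNERS = {"198.51.100.0/24": "noc@example.net"}
```

The collector side only reports that the origin set changed; deciding which changes are hijacks is left to the owner, who knows the legitimate origins.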

Rekhter Y, Li T., and S. Hares, 2006.

This RFC specifies the Border Gateway Protocol (BGP) and obsoletes the old RFC 1771 introduced in 1995. BGP has provided interdomain routing services for the Internet's disparate component networks. BGP's underlying distributed distance vector computations rely heavily on informal trust models associated with information propagation to produce reliable and correct results. It can be viewed as a system in which information is flooded across a network as a series of point-to-point exchanges, with the information being incrementally modified each time it is exchanged between BGP speakers. The design of BGP was undertaken in the relatively homogeneous and mutually trusting environment of the early Internet. It is quite reasonable to characterize today's Internet environment as one where both customers and service providers are potentially hostile actors, and where trust must be explicitly negotiated rather than assumed by default. This environment is no longer consistent with the inter-domain trust framework assumed by BGP, and BGP's operational assumptions relating to trust are entirely inappropriate today.

Oorschot P.V, Wan T., and E. Kranakis, 2007.

This is another major security solution for BGP, after S-BGP, soBGP and IRV, which uses a cryptographic approach. The authors of this paper concentrate more on securing the AS PATH. Since BGP is a policy-driven routing protocol, each AS can individually decide whether or not a received route advertisement should be further propagated to a neighboring AS. Such route-exporting policies are mainly defined based on the business relationship with a neighboring AS. Without such verification, a misconfigured BGP speaker may be able to readvertise routes which are prohibited by its route-exporting policies. They believe that psBGP adopts the best features of earlier solutions, while differing fundamentally through a novel approach to verifying IP prefix assignments and AS PATH integrity. The authors believe that the decentralized approach taken by psBGP provides a more feasible means of increasing confidence in correct prefix origin.

Zhang Z., Zhang Y., Y. C. Hu, Z. M. Mao, and R. Bush, 2008.

In the authors' view, current hijack detection schemes are unable to satisfy all the critical requirements of a truly effective system: real-time, accurate, light-weight, and easily and incrementally deployable. In this paper they present an approach that fulfills all these goals by monitoring network reachability from key external transit networks to one's own network through lightweight prefix-owner-based active probing. ISPY can differentiate between IP prefix hijacking and network failures based on the observation that hijacking is likely to result in topologically more diverse polluted networks and unreachability. It continuously monitors network reachability from external transit networks to its own network through light-weight probing and scans for the hijacking signature as the trigger for hijacking alarms. Through detailed simulations of Internet routing and experiments with hijacking events, they demonstrate that ISPY is accurate, with a false negative ratio below 0.45% and a false positive ratio below 0.17%.

Nicholes M., and Mukherjee B., 2009.

This work surveys various techniques to secure BGP in the following categories: cryptographic, database, penalty, and data-plane testing. The techniques are reviewed in a tutorial format, and their shortcomings are summarized as well. This survey provides a basis for evaluating the techniques to understand the coverage of published works as well as to determine the best avenues for future research. The authors explain that although the use of PKI and databases has been present for the last ten to twenty years, recent works have started to explore new directions, such as non-database group protocols and data-plane testing techniques. Understanding the techniques that have been published and the minority that are in production routers can assist researchers in choosing research directions.