1 / 17

Securing the Border Gateway Protocol (S-BGP)

Securing the Border Gateway Protocol (S-BGP). Dr. Stephen Kent Chief Scientist - Information Security. Outline. BGP security problems & requirements Making S-BGP a reality Securing BGP UPDATE messages PKI design Repository design Program history Program status. BGP Security Problems.

finola
Download Presentation

Securing the Border Gateway Protocol (S-BGP)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security

  2. Outline • BGP security problems & requirements • Making S-BGP a reality • Securing BGP UPDATE messages • PKI design • Repository design • Program history • Program status

  3. BGP Security Problems • BGP is the critical infrastructure for Internet, the basis for all inter-ISP routing • Configuration errors affect about 1% of all routing table entries at any time • The current system is highly vulnerable to human errors, and a wide range of malicious attacks • At best, BGP routers use a point-to-point keyed MAC (with no automated key management) for point-to-point communication security • Solutions must account for the operational realities of Internet topology, size, update rates, ...

  4. BGP Security Requirements • Address space “ownership” verification • Autonomous System (AS) authentication • Router authentication and authorization (relative to an AS) • Route and address advertisement authorization • Route withdrawal authorization • Integrity and authenticity of all BGP traffic on the wire • Timeliness of BGP traffic*

  5. S-BGP Design Overview • IPsec: secure point-to-point (router) comms • Public Key Infrastructure: an authorization framework for all S-BGP entities • Attestations: digitally-signed authorizations to advertise specified address blocks • Validation of UPDATEs based on a new path attribute, using PKI certificates and attestations • Repositories for distribution of certificates, CRLs, and address attestations • Tools for ISPs to manage address attestations, process certificates & CRLs, etc.

  6. Who Needs to Do What for S-BGP to Become a Reality? • S-BGP PKI • Regional Registries and ISPs need to act as Certification Authorities, issuing certificates to the organizations to whom they have delegated portions of IP address space • Repositories must be deployed for S-BGP PKI data • S-BGP protocol implementation • Router vendors need to offer S-BGP software in router products (with enough memory and non-volatile storage) • OR an ancillary device that implements S-BGP and connects to existing BGP routers needs to be offered • ISPs need to acquire, deploy, and manage S-BGP products

  7. Securing UPDATE messages • A secure UPDATE consists of an UPDATE message with a new, optional, transitive path attribute for route authorization • This attribute contains a signed sequence of route attestations • This attribute is structured to support both route aggregation and AS sets (BGP function details) • Validation of the attribute verifies that the route was authorized by each AS along the path and by the address space owner

  8. An UPDATE with Attestations BGP Addr Blks of Rtes BGP Path Dest Addr UPDATE Message Header Being Withdrawn Attributes Blks (NLRI) Attribute Path Attribute Route Attestations Header for Attestations Attestation Certificate Algorithm ID Signed Route Attestation Issuer Header ID & Signature Info

  9. A PKI for S-BGP • Certificates identify owners of AS numbers and address blocks • Address block data is used as an input to UPDATE message processing • Other certificates are used for management of repository access control, IPsec (IKE), etc. • PKI design uses a multi-rooted tree, rooted at regional registries, with delegation to national registries, ISPs, DSPs, subscribers

  10. Address Delegation and Allocation Delegate Allocate ICANN IANA (historical) Regional Registries ISPs/DSPs Subscriber Organizations Subscriber Organizations ISPs DSPs DSPs Subscriber Organizations Subscriber Organizations Subscriber Organizations Subscriber Organizations Subscriber Organizations

  11. AS Number Delegation Hierarchy ICANN Delegate Regional Registries Subscriber Organizations ISPs DSPs

  12. S-BGP PKI: Top Tiers Registry Root CA (ARIN) [1] Registry Root CA (RIPE) [1] Registry Root CA (APNIC) [1] Repository CA [2] Registry CA (ARIN) [5] Repository CA [2] Registry CA (RIPE) [5] Repository CA [2] Registry CA (APNIC) [5] certification cross-certification

  13. S-BGP PKI: Registry “Branch” CA (Certification Authority) EE (End Entity) Repository CA (1 per Repository) [2] Registry CA (1 per Registry) [5] Repository Admin EE (1 per Repository Admin) [3] Repository EE (1 per Repository) [4] ISP/Org CA (1 per ISP or Org) [5] Grandfather CA (1 per Registry) [5] Generic CA (1 per ISP or Org) [5] DSP/Org CA (1 per DSP or Org) [5] Used for initialization phase only Generic EE (1 per ISP or Org) [6] Network EE (1/ISP or Org) [6] Operator EE (1/Operator) [7] Router EE (1/Router) [8] AS # EE (1/AS#) [9] IPsec EE (1/router) [10] Org that owns IP addresses Org that is running S-BGP

  14. S-BGP PKI Repositories • Putting certificates, CRLs, or address attestations in UPDATEs would be redundant and make UPDATEs too big • Solution: use servers • replicate for reliability & scaling, loose synch • locate at high availability, non-routed access points • ISPs and dual-homed subscribers upload certificates, CRLs, and AAs that they generate • every ISP and multi-homed subscriber downloads the whole certificate/AA/CRL database • Access controlled based on PKI structure, to mitigate denial of service attacks against the repositories

  15. S-BGP NOC Software • Software to help ISPs manage data required by S-BGP • Mini-RA facility for managing organization, router, and operator certificates, generating address attestations • Software for uploading & downloading certificates, CRLs, and address attestations to/from repositories • Software for validating certificates and address attestations and producing extract for download to routers • Policy management • Software to configure S-BGP routers to know which AS’s implement S-BGP

  16. Program Status • Good news • NOC tools & repository almost complete • Reference S-BGP software available in Spring 02 • Registrar CA technology available in June 02 • Not so good news • Not much router vendor interest recently • Minimal recent ISP interest (except Genuity & DISA) • Registry Interactions • Initial interactions with ARIN, awaiting updated database • APNIC expressing interest in the PKI

  17. Any More Questions? http://www.ir.bbn.com/projects/s-bgp

More Related