430 likes | 584 Views
Efficient BGP Security. Meiyuan Zhao, Sean Smith Dartmouth College David Nicol University of Illinois, Urbana-Champaign. Motivation. BGP — central routing for the Internet BGP lacks security Black holes Disconnected networks Suboptimal routes … Secure BGP Deployment difficulties
E N D
Efficient BGP Security Meiyuan Zhao, Sean Smith Dartmouth College David Nicol University of Illinois, Urbana-Champaign
Motivation • BGP—central routing for the Internet • BGP lacks security • Black holes • Disconnected networks • Suboptimal routes • … • Secure BGP • Deployment difficulties • Processing overheads • Storage demands • PKIs • Goal • Efficient AND practical security 63rd IETF - Paris, FRANCE
Outline • Overview • BGP • S-BGP • Path authentication • PKI and origin authentication • Discussion • Conclusions 63rd IETF - Paris, FRANCE
(AS_PATH, prefix) A range of IP addresses (prefix) e.g., 129.170.0.0/16 A sequence of AS numbers e.g., “500 300 100” Border Gateway Protocol (BGP) • Inter-domain routing protocol • Mainly between autonomous systems (ASes) • Updates are in form of route announcements p 4 {3, 2, 1}, p {1}, p {2, 1}, p 5 1 2 3 {3, 2, 1}, p 63rd IETF - Paris, FRANCE
Secure BGP (S-BGP) • Attestations • Route Attestations—authenticate AS path • Address Attestations—authorization of IP address ownerships • Public key infrastructures • Certificates for routers • Certificates for address ownership AS path Prefix Route Attestations (RAs) Address Attestations (AAs) Public Key Infrastructures (PKIs) 63rd IETF - Paris, FRANCE
Outline • Overview • Path authentication • S-BGP RAs • Aggregated Path Authentication • Performance evaluation • PKI and origin authentication • Discussion • Conclusions 63rd IETF - Paris, FRANCE
1, p, 2 1, p, 2 2, 1, p, 3 1, p, 2 2, 1, p, 3 3, 2, 1, p, 4 1 2 3 4 P, {3, 2, 1} S-BGP Route Attestations (RAs) • Router signs (AS path, prefix, next_hop) • Sends all previous signatures • Verify AS path {1, 2, 3} • Needs 3 signatures • Sign AS path {1, 2, 3} • Creates n signatures • Signature Algorithm—DSA • Caching optimization 63rd IETF - Paris, FRANCE
Performance Problems • Time • Processing latency 230% longer • Space • Message size: 800% longer • Memory cost: > 10 times more • For Attestations & Certificate database • Current routers: 128MB or 256MB RAM 63rd IETF - Paris, FRANCE
m1 B1 m2 B2 mk Bk Signature Amortization (S-A) • Fast signature verification—RSA • Fewer signature signings—amortized cost • Bit vectors (indicating recipients) • Merkle hash trees • Auxiliary values for each signature Aggregated hash Router output buffers Grouped messages “Evaluation of efficient security for BGP route announcements using parallel simulation” Nicol, Smith, and Zhao. Simulation Modelling Practice and Theory Journal, Vol. 12, Issue 3—4, 2004
Aggregate Signatures • k signers {s1, s2, …, sk} k messages {m1, m2, …, mk} one aggregate signature s • One aggregate signature for entire AS path 1, p, 2 2, 1, p, 3 s 3, 2, 1, p, 4 Boneh et al. “A Survey of Two Signature Aggregation Techniques”. RSA CryptoBytes 2003
Aggregate Signature Variants • General aggregate signature (GAS) • Based on BLS short signature on • Anyone can aggregate • in any ordering • Takes k+1 pairing calculation for verifying • Sequential aggregate signature (SAS) • Based on homomorphic trapdoor permutation • AggrSign by signers only • Must be in sequence • Takes k layers of verification • Advantage—save space! 63rd IETF - Paris, FRANCE
Aggregated Path Authentication • Aggregated Path Authentication • Signature Amortization + Aggregate Signature • Efficient on time ANDspace 63rd IETF - Paris, FRANCE
SAS-V s1 AggrSign(0, h(m1)) s2 AggrSign(s1, h(m2)) s3AggrSign(s2, h(m3)) s1 s2 s3 GAS-Vs3 = si =s1s2s3 = s1s2s3 = s2s3 Aggregated Path Authentication • Vector-based • Tree-based (GAS-T and SAS-T) m1 1, p, “1110” m2 2, 1, p, “1011” m3 3, 2, 1, p, “1101” s R1 R2 R3 63rd IETF - Paris, FRANCE
Outline • Overview • Path authentication • S-BGP RAs • Aggregated Path Authentication • Performance evaluation • Methodology • Performance • PKI and origin authentication • Discussion • Conclusions 63rd IETF - Paris, FRANCE
Evaluation Methodology • AS-level network simulation—110 ASes • BGP router under stress—router reboot • Metrics • Speed—BGP convergence time • Signature memory overheads • Message size • SSFNet simulator • Benchmarks • OpenSSL • Algorithm decomposition for GAS and SAS 63rd IETF - Paris, FRANCE
Benchmarks 63rd IETF - Paris, FRANCE
Number of Signing Operations • S-BGP: 22,072/11,521 signings • Decreases 98.5% (SW) (SW) (HW) (HW) 63rd IETF - Paris, FRANCE
Path Authentication Convergence 230.2% 3.4% 46% seconds (SW) (SW) (HW) (HW) 63rd IETF - Paris, FRANCE
Path Authentication Message Size • GAS-V —66% shorter messages! • Tree construction — inefficient Average Maximum bytes 63rd IETF - Paris, FRANCE
Path Auth Performance—Memory • GAS-V — saves 73% memory for signatures! kilobytes 63rd IETF - Paris, FRANCE
Performance Competition • Winner: GAS-V • Fast convergence, decreasing 32% / 69% • Short Update messages, decreasing 66% • Economic on signature memory, decreasing 72% 63rd IETF - Paris, FRANCE
Outline • Overview • Path authentication • PKI and origin authentication • Design • Performance • Discussion • Conclusions 63rd IETF - Paris, FRANCE
Secure BGP (S-BGP) • IP address owners create AAs • X.509 Certificates for IP address allocation • (prefix1, …, prefixk, orgy) address assignment AS path Prefix Route Attestations (RAs) Address Attestations (AAs) • Routers create RAs • X.509 Certificates for AS# and Routers • (AS, AS#, PK) binding • (RtrID, AS#, PK) binding 63rd IETF - Paris, FRANCE
S-BGP PKIs • Match existing infrastructures AS number assignment & Binding a Router to an AS IP Address Allocation ICANN ICANN … APNIC ARIN RIPE LACNIC APNIC ARIN RIPE AT&T AS numbers IP address blocks … Organizations ISP / DSP / Subscribers … AS numbers RtrID … (ASk, ASNs) (RtrID, ASN) Subscribers 63rd IETF - Paris, FRANCE
ICANN … APNIC ARIN RIPE AT&T IP address blocks … ISP / DSP / Subscribers … Subscribers S-BGP Address Attestations (AAs) {prefix list, ASN} orgx • Authorize ASes to originate routes • CAs prepare and distribute AAs • Long-lived, need revocation 63rd IETF - Paris, FRANCE
Evaluate PKI • PKI model • ASes, Routers, Organizations, CAs, Directories, and OCSP responders • Routers trust the roots, and OCSP responders; may trust other CAs as well • Check certificate revocation status • OCSP—sequential or parallel requests • CRLs (fetch fresh copies) 63rd IETF - Paris, FRANCE
AA Performance—OCSP requests • ≈ 68,000 OCSP requests Convergence Time of OCSP Requests seconds 63rd IETF - Paris, FRANCE
AA Performance—CRLs fetching Convergence Time of CRL Fetching 63rd IETF - Paris, FRANCE
PA PKI Performance—OCSP Requests • ≈ 88,000 OCSP requests Convergence Time of OCSP Requests seconds 63rd IETF - Paris, FRANCE
PA PKI Performance—CRLs Fetching Convergence Time of CRL fecthing 63rd IETF - Paris, FRANCE
Real-world Deployment • Certificate database75—85 MB[Kent:CMS03] • RouteViews table dump (209MB) • 162,237 prefixes • 2,011,005 routes, avg. path length 4.1 • S-BGP signatures: 393MB • GAS-V cache: 108MB • Decreases 72% signature memory cost • Overall memory decrease: 60% • S-BGP RAs: 30—35MB per peer [Kent:CMS03] • Problem for routers at Internet exchange > 1GB Kent. “Securing the Border Gateway Protocol: A Status Update”. IFIP TC-6 TC-11, 2003
ECDSA • S-BGP uses ECDSA • Shorter key size • Same signature length • Faster signing • Slower verification 63rd IETF - Paris, FRANCE
Conclusions • Efficient path authentication • Aggregated Path Authentication • Efficient on time and space • PKI performance impact • OCSP vs. CRLs • Practical issues • Certificate database • Memory demands • ECDSA 63rd IETF - Paris, FRANCE
Thank you! Email zhaom@cs.dartmouth.edu Homepage http://www.cs.dartmouth.edu/~zhaom • Sun Microsystems • Mellon Foundation • Cisco Systems • Intel Corporation • NSF • DoJ/DHS 63rd IETF - Paris, FRANCE
Related Work • S-BGP [Kent:NDSS00, Kent:CMS03] • OASim [Aiello:CCS03] • psBGP [Wan:NDSS05] • Listen and Whisper [Subramanian:NSDI04] • Symmetric cryptography • Potentially more efficient • Key distribution [Goodrich00] • Time synchronization [Hu:SIGCOMM04] 63rd IETF - Paris, FRANCE
Implementation Tate pairing Weil pairing General Aggregate Signatures • Bilinear map • Bilinear: for all and • Non-degenerate: • Key pair • Sign • Verify • Aggregation • Aggregate Verify Boneh et al. “Aggregate and Verifiably Encrypted Signatures from Bilinear Maps”. Eurocrypt 2003 63rd IETF - Paris, FRANCE
Performance Competition • Winner: GAS-V • Fast convergence, decreasing 32% / 69% • Short Update messages, decreasing 66% • Economic on signature memory, decreasing 72% • Further improvements? • Hardware accelerator • Parallelization AS path length: 3.7/11 63rd IETF - Paris, FRANCE
Origin Authentication (OA) • Short-lived attestations • Possible in-band transmission for address delegation paths • Variants • OA-Simple {(p, org)}K • OA-List {(p1, org1), (p2, org2), …, (pi, orgi)}K • OA-AS-List {(p1, p2, …, pk, org)}K • OA-Tree Merkle hash tree, leaves:(pi, orgi) IANA … APNIC ARIN RIPE AT&T … IP address blocks ISP / DSP / Subscribers … AS2 AS1 ASk Aiello, Ioannidis, and McDaniel. “Origin Authentication in Interdomain Routing”. CCS03 63rd IETF - Paris, FRANCE
OA Signature Performance—Storage • Different costs on memory and message size • OA-AS-List is most efficient • Possible in-band transmission 63rd IETF - Paris, FRANCE
OA Signature Performance—Convergence • Slight slow down convergence time seconds 63rd IETF - Paris, FRANCE
Certificate Distribution • Scale • 197,709 active prefixes • 19,357 unique ASes • >50,000 organizations • BGP Update message MTU: 4KB • S-BGP X.509 Certificates: 600 bytes • Store certificates/CRLs locally • >200MB 63rd IETF - Paris, FRANCE
Aggregate Signatures • k signers {s1, s2, …, sk} k messages {m1, m2, …, mk} one aggregate signature s • One aggregate signature for entire AS path 1, p, 2 2, p, 3 s 3, p, 4 Lysyanskava et al. “Sequential Aggregate Signatures from Trapdoor Permutations”. Eurocrypt2004 63rd IETF - Paris, FRANCE