secure border gateway
play

Secure Border Gateway Protocol (S-BGP): Real World Performance - PowerPoint PPT Presentation

Feb 18, 2023 •322 likes •528 views

Secure Border Gateway Protocol (S-BGP): Real World Performance & Deployment Issues Stephen Kent, Charles Lynn, Joanne Mikkelson, and Karen Seo BBN Technologies A Part of Outline BGP Model BGP security concerns & requirements

  1. Secure Border Gateway Protocol (S-BGP): Real World Performance & Deployment Issues Stephen Kent, Charles Lynn, Joanne Mikkelson, and Karen Seo BBN Technologies A Part of

  2. Outline  BGP Model  BGP security concerns & requirements  S-BGP design  S-BGP performance & scaling  Conclusions BBN Technologies A Part of

  3. Basic BGP Model Org-X ISP-2 ISP-1 DSP-A NAP Org-Z ISP-4 ISP-3 DSP-B DSP-C BGP Router non-BGP Router - path vector inter-domain routing protocol Org-Y - UPDATEs generated in response to loss of connectivity or receipt of an UPDATE from a peer router, that results in a LOCRIB change BBN Technologies A Part of

  4. The BGP Security Problem  BGP is the critical infrastructure for Internet, inter-domain routing  Benign configuration errors have wreaked havoc for portions of the Internet address space  The current system is highly vulnerable to human errors, as well as a wide range of attacks  At best, BGP uses point-to-point keyed MAC, with no automated key management  Most published BGP security proposals have been pedagogic, not detailed, not deployable  Solutions must take into account Internet topology, size, update rates, ... BBN Technologies A Part of

  5. Attack Model  BGP can be attacked in various ways • active or passive wiretapping of communications links between routers • tampering with BGP speaker software • tampering with router management data en route • tampering with router management workstations/servers (the last three can result in Byzantine failures)  Addition of the proposed countermeasures introduces a new concern • compromise of secret/private keying material in the routers or in the management infrastructure BBN Technologies A Part of

  6. BGP Security Requirements  Verification of address space “ownership”  Authentication of Autonomous Systems (AS)  Router authentication and authorization (relative to an AS)  Route and address advertisement authorization  Route withdrawal authorization  Integrity and authenticity of all BGP traffic on the wire  Timeliness of BGP traffic BBN Technologies A Part of

  7. S-BGP Design Overview  IPsec: authenticity and integrity of peer-to-peer communication, automated key management  Public Key Infrastructures (PKIs): secure identification of BGP speakers and of owners of AS’s and of address blocks  Attestations --> authorization of the subject (by the issuer) to advertise specified address blocks  Validation of UPDATEs based on a new path attribute, using certificates and attestations  Distribution of countermeasure data: certificates, CRLs, attestations BBN Technologies A Part of

  8. S-BGP Residual Vulnerabilities  Failure to advertise route withdrawal  Premature re-advertisement of withdrawn routes  Erroneous application of local policy  Erroneous traffic forwarding, bogus traffic generation, etc. (not really a BGP issue) BBN Technologies A Part of

  9. Internet Address Space Ownership ICANN/IANA ARIN/RIPE/APNIC DSP-A ISP-1 ORG-X ISP-2 ORG-Y DSP-B ORG-Z DSP-C DSP-D ORG-XX ORG-YY ORG-ZZ BBN Technologies A Part of

  10. Simplified PKI for Address Blocks ICANN ICANN All Addr blocks All Addr blocks APNIC APNIC ARIN ARIN RIPE RIPE Addr blocks Addr blocks Addr blocks Addr blocks Addr blocks Addr blocks Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ AT&T AT&T DSP 1 DSP 1 GTE-I GTE-I ISP 2 ISP 2 MCI MCI Addr block(s) Addr block(s) Addr block(s) Addr block(s) Addr block(s) Addr block(s) Addr block(s) Addr block(s) Addr block(s) Addr block(s) Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Ґ Subscriber A Subscriber A DSP 3 DSP 3 Subscriber B Subscriber B ISP 4 ISP 4 Addr block(s) Addr block(s) Addr block(s) Addr block(s) Addr block(s) Addr block(s) Addr block(s) Addr block(s) Ґ ҐҐ Ґ ҐҐ Ґ ҐҐ ҐҐ Ґ ҐҐ Ґ ҐҐ Ґ ҐҐҐ ҐҐҐ ҐҐҐ - Only networks that execute BGP need certificates BBN Technologies - All ISPs are BGP users, but only about ~10% of DSPs, A Part of maybe 5% of subscribers, are BGP users

  11. PKI for Speaker ID & AS Assignment ICANN ICANN All AS Numbers All AS Numbers APNIC APNIC ARIN ARIN RIPE RIPE AS Numbers AS Numbers AS Numbers AS Numbers AS Numbers AS Numbers • • • • • • • • • • • • • • • • • • AT&T AT&T DSP 1 DSP 1 GTE-I GTE-I ISP 2 ISP 2 MCI MCI AS Numbers AS Numbers AS# W AS# W AS Numbers AS Numbers AS Numbers AS Numbers AS Numbers AS Numbers • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • • DSP 3 DSP 3 AS# X AS# X Routers in AS# X Routers in AS# X ISP 4 ISP 4 AS# Y AS# Y AS# X, Router BGP ID AS# X, Router BGP I AS# Z AS# Z AS# Y AS# Y Routers in AS# Y Routers in AS# Y AS# Z AS# Z Routers in AS# Z Routers in AS# Z AS# Y, Router BGP ID AS# Y, Router BGP I AS# Z, Router BGP ID AS# Z, Router BGP I BBN Technologies A Part of

  12. Securing UPDATE messages  A secure UPDATE consists of an UPDATE message with a new, optional, transitive path attribute for route authorization  This attribute consists of a signed sequence of route attestations, nominally terminating in an address space attestation  This attribute is structured to support both route aggregation and AS sets  Validation of the attribute verifies that the route was authorized by each AS along the path and by the ultimate address space owner BBN Technologies A Part of

  13. An UPDATE with Attestations BGP Addr Blks of Rtes BGP Path Dest Addr UPDATE Message Header Being Withdrawn Attributes Blks (NLRI) Attribute Path Attribute Route Attestations Header for Attestations Attestation Issuer Certificate Algorithm ID Signed Route Attestation Header ID & Signature Info Validity AS Path Other Protected NLRI Subject Signed Information Dates Info Path Attributes Info BBN Technologies A Part of

  14. Simplified Attribute Format BGP Hdr: Withdrawn NLRI, Path Attributes, Dest. NLRI RA: Issuer, Cert ID, Validity, Subject, Path, NLRI, SIG RA: Issuer, Cert ID, Validity, Subject, Path, NLRI, SIG RA: Issuer, Cert ID, Validity, Subject, Path, NLRI, SIG AA: Owning Org, NLRI, first Hop AS, SIG (usually omitted) BBN Technologies A Part of

  15. Distributing Certificates, CRLs, & AAs  Putting certificates & CRLs in UPDATEs would be redundant and make UPDATEs too big  Same is true for address attestations  Solution: use servers for these data items • replicate for redundancy & scalability • locate at NAPs for direct (non-routed) access • download options: – whole certificate/AA/CRL databases – queries for specific certificates/AAs/CRLs  To minimize processing & storage overhead, NOCs should validate certificates & AAs, and send processed extracts to routers BBN Technologies A Part of

  16. Distributing Route Attestations  Distributed with BGP UPDATEs as path attributes  RAs have implicit encoding option to reduce size, avoid exceeding UPDATE size limit (4096b)  Cache with associated routes in ADJ-RIBs to reduce validation overhead  Expiration date present, but no revocation mechanism chosen yet BBN Technologies A Part of

  17. BGP Statistics  ~ 1,800 organizations own AS numbers  ~ 44,000 own address prefixes (NLRI)  ~ 7,500 BGP speakers  ~ 75,000 routes in an ISP BGP database  Few AS sets (~100), little address aggregation  Average path length (NAP perspective) is 2.6 hops; 50% of routes ≤ 2 hops, 96% ≤4 hops  ~ 43,000 UPDATEs received each day at a BGP speaker at a NAP (30 peers) BBN Technologies A Part of

  18. S-BGP Storage Statistics  ~ 58,000 certificates in database (~550b each)  Certificate & CRL database ~35Mb  Address attestation database ~4 Mbytes  Extracted certificate & AA database (with data structure overhead in GateD) ~ 42Mb  Route attestations occupy ~16 Mb per ADJ-RIB: about 64 Mb (4 peers) to 480 Mb (at NAP)  ADJ-RIB caching for received UPDATEs increases storage requirements by about 50%, and yields about 58% validation savings BBN Technologies A Part of

  19. Route Attestation Overhead  Transmission • RAs add ~450 bytes to a typical (3.6 ASes in path) UPDATE of 63 bytes, 700% overhead! • But UPDATEs represent a very small portion of all traffic, so steady state bandwidth for RA transmission is only ~ 1.4Kb/s  Processing • Average of 3.6 signature validations per received UPDATE and 1 generation per emitted UPDATE • Peak rates ~ 18/s validation and ~5/s generation w/o caching (peak estimated as ten times average) • UPDATE caching reduces validation rate by ~50% • Start up transient would overwhelm a speaker, thus some form of NV storage or heuristic is required BBN Technologies A Part of

  20. Conclusions  The transmission and processing costs of S-BGP are not significant  The proposed distribution mechanisms for certificates, CRLs, and AAs is viable  Storage overhead exceeds the capacity of existing routers, but adding adequate storage is feasible, especially for ISP BGP speakers  Testing and deployment issues • Cisco handling of optional, transitive path attributes • Intra-domain distribution of S-BGP attribute  But deployment poses a chicken and egg problem! BBN Technologies A Part of

Recommend

Formal Semantics and Automated Verification for the Border Gateway Protocol Konstantin Doug

Formal Semantics and Automated Verification for the Border Gateway Protocol Konstantin Doug

Formal Semantics and Automated Verification for the Border Gateway Protocol Konstantin Doug Emina Michael Arvind Zachary Weitz Woos Torlak D. Ernst Krishnamurthy Tatlock The Border Gateway Protocol The Border Gateway Protocol AS AS

645 views • 29 slides
CS 356: Computer Network Architectures Lecture 13: Border Gateway Protocol and switching

CS 356: Computer Network Architectures Lecture 13: Border Gateway Protocol and switching

CS 356: Computer Network Architectures Lecture 13: Border Gateway Protocol and switching hardware [PD] chapter 4.1.2 Xiaowei Yang xwy@cs.duke.edu Today Border Gateway Protocol (BGP) Lab 2 The Internet The Internet: Zooming In 2x

932 views • 50 slides
Lab Course RouterLab BGP - Border Gateway Protocol (RFC 4271) Some of the slides come

Lab Course RouterLab BGP - Border Gateway Protocol (RFC 4271) Some of the slides come

Lab Course RouterLab BGP - Border Gateway Protocol (RFC 4271) Some of the slides come from: http://www.ietf.org/proceedings/07dec/slides/IDRTut-0.pdf 1 Miscellaneous Anything that needs discussion? BGP 2 Miscellaneous Anything

859 views • 38 slides
BGP Introduction and Basic Procedures 2005/03/11 (C) Herbert Haas Border Gateway Protocol

BGP Introduction and Basic Procedures 2005/03/11 (C) Herbert Haas Border Gateway Protocol

BGP Introduction and Basic Procedures 2005/03/11 (C) Herbert Haas Border Gateway Protocol (BGP) BGP-3 Was classful Central AS needed (didn't scale well) Not further discussed here! RFC 1267 BGP-4 Classless Meshed

472 views • 15 slides
Border Gateway Protocol: The Good, Bad, and Ugly of Internet Routing Jim Cowie, Chief Scientist

Border Gateway Protocol: The Good, Bad, and Ugly of Internet Routing Jim Cowie, Chief Scientist

Border Gateway Protocol: The Good, Bad, and Ugly of Internet Routing Jim Cowie, Chief Scientist @jimcowie / @DynResearch Stanford EE Computer Systems Colloquium 11 February 2015 On the menu today The Core Problem: Attribution and Belief on

1.68k views • 84 slides
CS 356: Computer Network Architectures Lecture 13: Border Gateway Protocol and switching

CS 356: Computer Network Architectures Lecture 13: Border Gateway Protocol and switching

CS 356: Computer Network Architectures Lecture 13: Border Gateway Protocol and switching hardware [PD] chapter 4.1.2 Xiaowei Yang xwy@cs.duke.edu The Internet The Internet: Zooming In 2x AT&T Abilene Comcast BGP Duke Cogent All

815 views • 47 slides
LinuxCon Tokyo, Japan 2016 Secure IoT Gateway Jim Gallagher Senior Technical Marketing Lead,

LinuxCon Tokyo, Japan 2016 Secure IoT Gateway Jim Gallagher Senior Technical Marketing Lead,

LinuxCon Tokyo, Japan 2016 Secure IoT Gateway Jim Gallagher Senior Technical Marketing Lead, MontaVista Software Setting the Stage This presentation will Applications focus on developing Secure Gateways (Edge Computing &

520 views • 23 slides
How the Internet works? The Border Gateway Protocol (BGP) Edwin Cordeiro iLab2 Lecture SS 2017

How the Internet works? The Border Gateway Protocol (BGP) Edwin Cordeiro iLab2 Lecture SS 2017

Chair of Network Architectures and Services - Prof. Carle Department of Computer Science Technical University of Munich How the Internet works? The Border Gateway Protocol (BGP) Edwin Cordeiro iLab2 Lecture SS 2017 Technical University of

687 views • 67 slides
Lab Course RouterLab Border Gateway Protocol (BGP) Internet: Network of Networks AS

Lab Course RouterLab Border Gateway Protocol (BGP) Internet: Network of Networks AS

Lab Course RouterLab Border Gateway Protocol (BGP) Internet: Network of Networks AS 2 AS 1 AS 5 AS 3 AS 4 Internet: Structure and Routing Structure : > 20,000 autonomous systems (ASs) Examples for ASs? Routing

374 views • 20 slides
Project Things A secure gateway to connect your things to Internet February 2, 2019

Project Things A secure gateway to connect your things to Internet February 2, 2019

Project Things A secure gateway to connect your things to Internet February 2, 2019 <https://fosdem.org/2019/schedule/event/project_things> Speakers Dipesh Monga @ Mozilla Techspeakers Philippe Coval @ Samsung OpenSource 2 The hidden

558 views • 28 slides
Secure Gateway 3.0 for Presentation Server Troubleshooters Guide Author Jay Tomlin Department

Secure Gateway 3.0 for Presentation Server Troubleshooters Guide Author Jay Tomlin Department

Secure Gateway 3.0 for Presentation Server Troubleshooters Guide Author Jay Tomlin Department Technical Support Revision 2.0 Distribution Public Table of Contents About this document

1.11k views • 34 slides
Border Gateway Protocol (BGP) Structure of the Internet Networks (ISPs, CDNs, etc.) group with

Border Gateway Protocol (BGP) Structure of the Internet Networks (ISPs, CDNs, etc.) group with

Border Gateway Protocol (BGP) Structure of the Internet Networks (ISPs, CDNs, etc.) group with IP prefixes Networks are richly interconnected, often using IXPs Prefix B1 Prefix D1 Prefix C1 ISP B CDN D IXP CDN C IXP Prefix E1

669 views • 27 slides
Border Gateway Protocol (BGP) Structure of the Internet Networks (ISPs, CDNs, etc.) group with

Border Gateway Protocol (BGP) Structure of the Internet Networks (ISPs, CDNs, etc.) group with

Border Gateway Protocol (BGP) Structure of the Internet Networks (ISPs, CDNs, etc.) group with IP prefixes Networks are richly interconnected, often using IXPs Prefix B1 Prefix D1 Prefix C1 ISP B CDN D IXP CDN C IXP Prefix E1

641 views • 33 slides
SECURE HOME GATEWAY PROJECT ICANN63 BARCELONA OCTOBER 22, 2018 Jacques Latour, CTO, CIRA Labs

SECURE HOME GATEWAY PROJECT ICANN63 BARCELONA OCTOBER 22, 2018 Jacques Latour, CTO, CIRA Labs

SECURE HOME GATEWAY PROJECT ICANN63 BARCELONA OCTOBER 22, 2018 Jacques Latour, CTO, CIRA Labs Canadian Internet Registration Authority Jacques.Latour [@] cira.ca Today's home network and IoT products and solutions lack secure testing and

696 views • 24 slides
Gateway A SHORT INTRODUCTION A brief overview on the Dog gateway, starting from the design

Gateway A SHORT INTRODUCTION A brief overview on the Dog gateway, starting from the design

T he Dog Gateway A SHORT INTRODUCTION A brief overview on the Dog gateway, starting from the design principles and going deep into the gateway architecture and modules, with some application sample http://dog-gateway.github.io/ WIRELESS

576 views • 30 slides
The Southern Gateway The Southern Gateway Metropolitan Memphis A vital gateway for moving

The Southern Gateway The Southern Gateway Metropolitan Memphis A vital gateway for moving

The Southern Gateway The Southern Gateway Metropolitan Memphis A vital gateway for moving people and freight Home to critical transportation infrastructure Railroads, Airport, Inland Port, Interstates Four Mississippi River Bridge

405 views • 19 slides
API Gateway API Gateway Gateway ESB At present tooling for API

API Gateway API Gateway Gateway ESB At present tooling for API

API Gateway API Gateway Gateway ESB At present tooling for API gateways is achingly immature and so while defining applications with API gateways is possible its most definitely not for the

416 views • 22 slides
R T L INVESTING IN THE GATEWAY TO THE CONSUMER I N D E X WHY RTL INDEX? GATEWAY TO THE

R T L INVESTING IN THE GATEWAY TO THE CONSUMER I N D E X WHY RTL INDEX? GATEWAY TO THE

R T L INVESTING IN THE GATEWAY TO THE CONSUMER I N D E X WHY RTL INDEX? GATEWAY TO THE CONSUMER The storefront is the gateway to the consumer with commercial real estate serving as an ideal medium for connecting with established shoppers and

447 views • 18 slides
from Sarp Border Crossing which constitutes the border between CIS and Republic of Georgia. ROAD

from Sarp Border Crossing which constitutes the border between CIS and Republic of Georgia. ROAD

PARK DENZCLK VE HOPA LMANI LETMELER A DESCRIPTION AND HISTORY HopaPort is located at the eastern border of Eastern Black Sea, and 15 kilometers from Sarp Border Crossing which constitutes the border between CIS and Republic of

470 views • 31 slides
Campus Gateway Project Spring 2017 Planning Studio May 10th, 2017 Identified Potential Gateway

Campus Gateway Project Spring 2017 Planning Studio May 10th, 2017 Identified Potential Gateway

Campus Gateway Project Spring 2017 Planning Studio May 10th, 2017 Identified Potential Gateway Sites Impact Threshold Likelihood of remaining a gateway VCU Campus IDENTITY Gateway Project Implement gateway elements that expand the

725 views • 44 slides
BGP HIJACKING OS3: Bram ter Borch & Jeroen Schutrup National Cyber Security Center BORDER

BGP HIJACKING OS3: Bram ter Borch & Jeroen Schutrup National Cyber Security Center BORDER

BGP HIJACKING OS3: Bram ter Borch & Jeroen Schutrup National Cyber Security Center BORDER GATEWAY PROTOCOL (BGP) Internets main routing protocol RFC 4271 - original from 1989 Connects Autonomous Systems (AS) BGP hijack WHAT

422 views • 30 slides
CARER GATEWAY PRESENTATION 2020 carergateway.gov.au Carer Gateway is the national service

CARER GATEWAY PRESENTATION 2020 carergateway.gov.au Carer Gateway is the national service

CARER GATEWAY PRESENTATION 2020 carergateway.gov.au Carer Gateway is the national service Carers, funded by the Australian Government. It includes: Carer A website with information and advice Phone or online services Gateway

488 views • 14 slides
Distribution of Federal Funds to the Texas Border Presented to the House Committee on Border and

Distribution of Federal Funds to the Texas Border Presented to the House Committee on Border and

Distribution of Federal Funds to the Texas Border Presented to the House Committee on Border and International Affairs March 5, 2003 Legislative Budget Board Texas Border Definitions El Paso Hudspeth Culberson Reeves Crockett Pecos Jeff

315 views • 28 slides
CV Border Wait- -Time Time CV Border Wait Measurement Project Measurement Project Border

CV Border Wait- -Time Time CV Border Wait Measurement Project Measurement Project Border

TC/Ontario: CV Border Wait Time Measurement Project CV Border Wait- -Time Time CV Border Wait Measurement Project Measurement Project Border Challenges & Regional Solutions: The 2010 Olympics & The Pacific Northwest Experience

300 views • 6 slides

More recommend