Internet routing is based on a distributed system composed of many routers, grouped into management domains called Autonomous Systems (ASes). Routing information is exchanged between ASes in Border Gateway Protocol (BGP) UPDATE messages. BGP is a critical component of the Internet's routing infrastructure. However, it is highly vulnerable to a variety of attacks due to the lack of a scalable means of verifying the authenticity and authorization of BGP control traffic. Secure BGP (S-BGP) addresses these vulnerabilities. The S-BGP architecture employs three security mechanisms. First, a Public Key Infrastructure (PKI) is used to support the authentication of ownership of IP address blocks, ownership of Autonomous System (AS) numbers, an AS's identity, and a BGP router's identity and its authorization to represent an AS. This PKI parallels the IP address and AS number assignment system and takes advantage of the existing infrastructure (Internet registries, etc.) Second, a new, optional, BGP transitive path attribute is employed to carry digital signatures (in "attestations") covering the routing information in a BGP UPDATE. These signatures along with certificates from the S-BGP PKI enable the receiver of a BGP routing UPDATE to verify the address prefixes and path information that it contains. Third, IPsec is used to provide data and partial sequence integrity, and to enable BGP routers to authenticate each other for exchanges of BGP control traffic. Under a previous contract with DARPA, a proof-of-concept prototype of S-BGP was developed and used to demonstrate the effectiveness and feasibility of deploying S-BGP. However, a major obstacle to the deployment of S-BGP is that it requires the participation of several distinct organizations -- the Internet registries, router vendors, and Internet service providers (ISPs). Because there will be no security benefits unless a few of each type of the organizations participate, each organization cannot justify the expense of investing in this new technology unless the others have also done so -- a classic chicken-and-egg problem. The goal of this project is to overcome these obstacles and promote deployment of S-BGP into the Internet. Deploying S-BGP will require working with the Internet registries and ISPs to set up the PKI; working with router vendors to implement the S-BGP enhancements (new path attribute, IPsec, etc.) on COTS routers; and convincing ISPs to buy and use these routers.
(source: www.ir.bbn.com)
0 comments:
Post a Comment