Security in Interdomain Routing

The Internet is a collection of many disparate networks, or autonomous systems (ASes), connected together. To reach hosts outside the local AS, the Border Gateway Protocol (BGP) is required; it is responsible for routing packets to their destination throughout the Internet. BGP is essential to the Internet's operation, yet it offers few security guarantees, and its weaknesses have global ramifications. Central to BGP's security problems are the lack of origin authentication and of path authentication: respectively, the inability to attest to the source of a route advertisement and to the correct path to a destination.

We have devised cryptographic constructions that allow for real-time origin authentication, previously thought to be untenable. Additionally, our cryptographic structures for path authentication (shown above) reduce the number of signature validations -- the most costly cryptographic operation associated with the authentication operation -- by up to 95 per cent over currently accepted solutions.

Related Publications

Kevin Butler, William Aiello, and Patrick McDaniel. Optimizing BGP Security by Exploiting Path Stability. Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS'06), November 2006.

Patrick McDaniel, William Aiello, Kevin Butler, and John Ioannidis. Origin Authentication in Interdomain Routing. Computer Networks, accepted for publication, 2006.

Kevin Butler, Toni Farley, Patrick McDaniel, and Jennifer Rexford. A Survey of BGP Security Issues and Solutions. Technical Report TD-5UGJ33, AT&T Labs - Research, Florham Park, NJ, February 2004. (revised June 2004).

William Aiello, John Ioannidis, and Patrick McDaniel. Origin Authentication in Interdomain Routing. Proceedings of 10th ACM Conference on Computer and Communications Security, pages 165-178, October 2003. Washington, D.C.

Geoff Goodell, William Aiello, Tim Griffin, John Ioannidis, Patrick McDaniel, and Avi Rubin. Working Around BGP: An Incremental Approach to Improving Security and Accuracy of Interdomain Routing. Proceedings of Network and Distributed Systems Security 2003 (NDSS), Internet Society, pages 75-85, February 2003. San Diego, CA.