TY - GEN
T1 - DISCO
T2 - 27th Annual Network and Distributed System Security Symposium, NDSS 2020
AU - Hlavacek, Tomas
AU - Cunha, Italo
AU - Gilad, Yossi
AU - Herzberg, Amir
AU - Katz-Bassett, Ethan
AU - Schapira, Michael
AU - Shulman, Haya
N1 - Publisher Copyright: © 2020 27th Annual Network and Distributed System Security Symposium, NDSS 2020. All Rights Reserved.
PY - 2020
Y1 - 2020
N2 - BGP is a gaping security hole in today's Internet, as evidenced by numerous Internet outages and blackouts, repeated traffic hijacking, and surveillance incidents. To protect against prefix hijacking, the Resource Public Key Infrastructure (RPKI) has been standardized. Yet, despite Herculean efforts, ubiquitous deployment of the RPKI remains distant, due to RPKI's manual and error-prone certification process. We argue that deploying origin authentication at scale requires substituting the standard requirement of certifying legal ownership of IP address blocks with the goal of certifying de facto ownership. We show that settling for de facto ownership is sufficient for protecting against hazardous prefix hijacking and can be accomplished without requiring any changes to today's routing infrastructure. We present DISCO, a readily deployable system that automatically certifies de facto ownership and generates the appropriate BGP-path-filtering rules at routers. We evaluate DISCO's security and deployability via live experiments on the Internet using a prototype implementation of DISCO and through simulations on empirically-derived datasets. To facilitate the reproducibility of our results, we open source our prototype, simulator, and measurement analysis code [30].
AB - BGP is a gaping security hole in today's Internet, as evidenced by numerous Internet outages and blackouts, repeated traffic hijacking, and surveillance incidents. To protect against prefix hijacking, the Resource Public Key Infrastructure (RPKI) has been standardized. Yet, despite Herculean efforts, ubiquitous deployment of the RPKI remains distant, due to RPKI's manual and error-prone certification process. We argue that deploying origin authentication at scale requires substituting the standard requirement of certifying legal ownership of IP address blocks with the goal of certifying de facto ownership. We show that settling for de facto ownership is sufficient for protecting against hazardous prefix hijacking and can be accomplished without requiring any changes to today's routing infrastructure. We present DISCO, a readily deployable system that automatically certifies de facto ownership and generates the appropriate BGP-path-filtering rules at routers. We evaluate DISCO's security and deployability via live experiments on the Internet using a prototype implementation of DISCO and through simulations on empirically-derived datasets. To facilitate the reproducibility of our results, we open source our prototype, simulator, and measurement analysis code [30].
UR - http://www.scopus.com/inward/record.url?scp=85124429577&partnerID=8YFLogxK
U2 - 10.14722/ndss.2020.24355
DO - 10.14722/ndss.2020.24355
M3 - منشور من مؤتمر
T3 - 27th Annual Network and Distributed System Security Symposium, NDSS 2020
BT - 27th Annual Network and Distributed System Security Symposium, NDSS 2020
PB - The Internet Society
Y2 - 23 February 2020 through 26 February 2020
ER -