Jumpstarting BGP security with path-end validation

Avichai Cohen; Yossi Gilad; Amir Herzberg; Michael Schapira

doi:10.1145/2934872.2934883

Jumpstarting BGP security with path-end validation

Avichai Cohen, Yossi Gilad, Amir Herzberg, Michael Schapira

Bar-Ilan University, The Hebrew University of Jerusalem

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Extensive standardization and R&D efforts are dedicated to establishing secure interdomain routing. These efforts focus on two mechanisms: origin authentication with RPKI, and path validation with BGPsec. However, while RPKI is finally gaining traction, the adoption of BGPsec seems not even on the horizon due to inherent, possibly insurmountable, obstacles, including the need to replace today's routing infrastructure and meagre benefits in partial deployment. Consequently, secure interdomain routing remains a distant dream. We propose an easily deployable, modest extension to RPKI, called "path-end validation", which does not entail replacing/upgrading today's BGP routers. We show, through rigorous security analyses and extensive simulations on empirically derived datasets, that path-end validation yields significant benefits even in very limited partial adoption. We present an open-source, readily deployable prototype implementation of path-end validation.

Original language	English
Title of host publication	SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication
Pages	342-355
Number of pages	14
ISBN (Electronic)	9781450341936
DOIs	https://doi.org/10.1145/2934872.2934883
State	Published - 22 Aug 2016
Event	2016 ACM Conference on Special Interest Group on Data Communication, SIGCOMM 2016 - Florianopolis, Brazil Duration: 22 Aug 2016 → 26 Aug 2016

Publication series

Name	SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication

Conference

Conference	2016 ACM Conference on Special Interest Group on Data Communication, SIGCOMM 2016
Country/Territory	Brazil
City	Florianopolis
Period	22/08/16 → 26/08/16

Keywords

BGP security
RPKI
Routing security

All Science Journal Classification (ASJC) codes

Electrical and Electronic Engineering
Communication
Computer Networks and Communications
Signal Processing

Access to Document

10.1145/2934872.2934883

Cite this

Cohen, A., Gilad, Y., Herzberg, A., & Schapira, M. (2016). Jumpstarting BGP security with path-end validation. In SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication (pp. 342-355). Article 2934883 (SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication). https://doi.org/10.1145/2934872.2934883

@inproceedings{294b23a53ef6497e9fcc7bb219a28a44,

title = "Jumpstarting BGP security with path-end validation",

abstract = "Extensive standardization and R\&D efforts are dedicated to establishing secure interdomain routing. These efforts focus on two mechanisms: origin authentication with RPKI, and path validation with BGPsec. However, while RPKI is finally gaining traction, the adoption of BGPsec seems not even on the horizon due to inherent, possibly insurmountable, obstacles, including the need to replace today's routing infrastructure and meagre benefits in partial deployment. Consequently, secure interdomain routing remains a distant dream. We propose an easily deployable, modest extension to RPKI, called {"}path-end validation{"}, which does not entail replacing/upgrading today's BGP routers. We show, through rigorous security analyses and extensive simulations on empirically derived datasets, that path-end validation yields significant benefits even in very limited partial adoption. We present an open-source, readily deployable prototype implementation of path-end validation.",

keywords = "BGP security, RPKI, Routing security",

author = "Avichai Cohen and Yossi Gilad and Amir Herzberg and Michael Schapira",

note = "Publisher Copyright: {\textcopyright} 2016 ACM.; 2016 ACM Conference on Special Interest Group on Data Communication, SIGCOMM 2016 ; Conference date: 22-08-2016 Through 26-08-2016",

year = "2016",

month = aug,

day = "22",

doi = "10.1145/2934872.2934883",

language = "الإنجليزيّة",

series = "SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication",

pages = "342--355",

booktitle = "SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication",

}

Cohen, A, Gilad, Y, Herzberg, A & Schapira, M 2016, Jumpstarting BGP security with path-end validation. in SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication., 2934883, SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication, pp. 342-355, 2016 ACM Conference on Special Interest Group on Data Communication, SIGCOMM 2016, Florianopolis, Brazil, 22/08/16. https://doi.org/10.1145/2934872.2934883

Jumpstarting BGP security with path-end validation. / Cohen, Avichai; Gilad, Yossi; Herzberg, Amir et al.
SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication. 2016. p. 342-355 2934883 (SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Jumpstarting BGP security with path-end validation

AU - Cohen, Avichai

AU - Gilad, Yossi

AU - Herzberg, Amir

AU - Schapira, Michael

PY - 2016/8/22

Y1 - 2016/8/22

N2 - Extensive standardization and R&D efforts are dedicated to establishing secure interdomain routing. These efforts focus on two mechanisms: origin authentication with RPKI, and path validation with BGPsec. However, while RPKI is finally gaining traction, the adoption of BGPsec seems not even on the horizon due to inherent, possibly insurmountable, obstacles, including the need to replace today's routing infrastructure and meagre benefits in partial deployment. Consequently, secure interdomain routing remains a distant dream. We propose an easily deployable, modest extension to RPKI, called "path-end validation", which does not entail replacing/upgrading today's BGP routers. We show, through rigorous security analyses and extensive simulations on empirically derived datasets, that path-end validation yields significant benefits even in very limited partial adoption. We present an open-source, readily deployable prototype implementation of path-end validation.

AB - Extensive standardization and R&D efforts are dedicated to establishing secure interdomain routing. These efforts focus on two mechanisms: origin authentication with RPKI, and path validation with BGPsec. However, while RPKI is finally gaining traction, the adoption of BGPsec seems not even on the horizon due to inherent, possibly insurmountable, obstacles, including the need to replace today's routing infrastructure and meagre benefits in partial deployment. Consequently, secure interdomain routing remains a distant dream. We propose an easily deployable, modest extension to RPKI, called "path-end validation", which does not entail replacing/upgrading today's BGP routers. We show, through rigorous security analyses and extensive simulations on empirically derived datasets, that path-end validation yields significant benefits even in very limited partial adoption. We present an open-source, readily deployable prototype implementation of path-end validation.

KW - BGP security

KW - RPKI

KW - Routing security

UR - http://www.scopus.com/inward/record.url?scp=84986576686&partnerID=8YFLogxK

U2 - 10.1145/2934872.2934883

DO - 10.1145/2934872.2934883

M3 - منشور من مؤتمر

T3 - SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication

SP - 342

EP - 355

BT - SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication

T2 - 2016 ACM Conference on Special Interest Group on Data Communication, SIGCOMM 2016

Y2 - 22 August 2016 through 26 August 2016

ER -

Jumpstarting BGP security with path-end validation

Abstract

Publication series

Conference

Keywords

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this