
Comparing ingress and egress detection to secure interdomain routing: An experimental analysis

Published: 12 December 2011

Abstract

The global economy and society increasingly depend on computer networks linked together by the Internet. The importance of computer networks reaches far beyond the telecommunications sector, since they have become a critical factor for many other crucial infrastructures and markets. With threats mounting and security incidents becoming more frequent, concerns about network security grow.

It is an acknowledged fact that some of the most fundamental network protocols that make the Internet work are exposed to serious threats. One of them is the Border Gateway Protocol (BGP), which determines how Internet traffic is routed through the topology of administratively independent networks that make up the Internet. Despite the existence of a steadily growing number of BGP security proposals, to date none of them has been adopted.

Using a precise definition of BGP robustness, we experimentally show that the degree of robustness is distributed unequally across the administrative domains of the Internet, the so-called Autonomous Systems (ASes). The experiments confirm the intuition that the contribution ASes are able to make towards securing the correct working of the inter-domain routing infrastructure by deploying countermeasures against routing attacks differs depending on their position in the AS topology. We also show that the degree of this asymmetry can be controlled by the choice of the security strategy. We compare the strengths and weaknesses of two fundamentally different approaches to increasing BGP's robustness, which we termed ingress and egress detection of false route advertisements, and indicate their implications. Our quantitative results have important implications for Internet security policy, in particular with respect to the crucial question of where to start the deployment of which type of security scheme in order to maximize the Internet's robustness to routing attacks.


    • Published in

      ACM Transactions on Internet Technology  Volume 11, Issue 2
      December 2011
      130 pages
      ISSN:1533-5399
      EISSN:1557-6051
      DOI:10.1145/2049656

      Copyright © 2011 ACM

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      • Published: 12 December 2011
      • Accepted: 1 January 2011
      • Revised: 1 May 2009
      • Received: 1 February 2008

      Qualifiers

      • research-article
      • Research
      • Refereed