Secure BGP Project (S-BGP)

Introduction

Internet routing is based on a distributed system composed of many routers, grouped into management domains called Autonomous Systems (ASes). Routing information is exchanged between ASes in Border Gateway Protocol (BGP) UPDATE messages. BGP is a critical component of the Internet's routing infrastructure. However, it is highly vulnerable to a variety of attacks due to the lack of a scalable means of verifying the authenticity and authorization of BGP control traffic. Secure BGP (S-BGP) addresses these vulnerabilities.
Bull Frog
Esmerelda
"Finding and eliminating bugs
in S-BGP is my #1 job!"
Click here for a smile

The S-BGP architecture employs three security mechanisms. First, a Public Key Infrastructure (PKI) is used to support the authentication of ownership of IP address blocks, ownership of Autonomous System (AS) numbers, an AS's identity, and a BGP router's identity and its authorization to represent an AS. This PKI parallels the IP address and AS number assignment system and takes advantage of the existing infrastructure (Internet registries, etc.) Second, a new, optional, BGP transitive path attribute is employed to carry digital signatures (in "attestations") covering the routing information in a BGP UPDATE. These signatures along with certificates from the S-BGP PKI enable the receiver of a BGP routing UPDATE to verify the address prefixes and path information that it contains. Third, IPsec is used to provide data and partial sequence integrity, and to enable BGP routers to authenticate each other for exchanges of BGP control traffic.

Under a previous contract with DARPA, a proof-of-concept prototype of S-BGP was developed and used to demonstrate the effectiveness and feasibility of deploying S-BGP. However, a major obstacle to the deployment of S-BGP is that it requires the participation of several distinct organizations -- the Internet registries, router vendors, and Internet service providers (ISPs). Because there will be no security benefits unless a few of each type of the organizations participate, each organization cannot justify the expense of investing in this new technology unless the others have also done so -- a classic chicken-and-egg problem. The goal of this project is to overcome these obstacles and promote deployment of S-BGP into the Internet.

Approach

Deploying S-BGP will require working with the Internet registries and ISPs to set up the PKI; working with router vendors to implement the S-BGP enhancements (new path attribute, IPsec, etc.) on COTS routers; and convincing ISPs to buy and use these routers. To do this, BBN intends to take the following steps:

Setting up the Public Key Infrastructure
BBN will modify an existing certificate management system to support the X.509 v3 certificate extensions that S-BGP uses as a basis for authorization and to enforce the S-BGP hierarchical address and AS number delegation constraints before signing a subordinate certificate. Policies and Procedures will be written for the operation of the S-BGP Certification Authority. Additional tools/systems will be developed for the distribution of the resulting certificates. A Certification Authority (CA) will be set up at an Internet Registry. This will include installation of the CA system, training for operations staff, creation of an initial set of certificates and attestations to cover the existing address and AS number allocations, and setting up the certificate and attestation distribution system.

COTS implementation of S-BGP
BBN will enhance the prototype S-BGP software to be more robust and to support features that were not needed in the proof-of-concept testing, e.g., multi-protocol support (IPv6) and communities. The availability of working code (a reference implementation) will reduce the cost of integrating S-BGP into routers. BBN will also enhance the current S-BGP protocol specification to reflect "lessons learned" from implementation efforts, experience with ISPs, etc. As needed, BBN will provide guidance to router vendors on their implementation efforts and will develop a test suite to assess interoperability.

ISP adoption of S-BGP
BBN will use the existing S-BGP proof of concept prototype to create a test system, e.g., on a PC, that can be run in parallel with a real BGP speaker without interfering with the operational networks. BBN will then work with ISPs to run "outboard" experiments that involve using these test systems with real world networks to demonstrate the effectiveness of the S-BGP enhancements and verify that the performance impact is acceptable. In addition, tools, policies and procedures will be developed to support the NOC operations that will be needed for S-BGP, e.g., downloading and validation of certificates and creation of certificate extracts to be pushed to the ISP's S-BGP routers.


Further Information about Secure BGP

Note that the design and details of S-BGP have evolved in response to implementation and other feedback. The older materials have not been updated to reflect these changes.

  Papers

Date Source Size Title/Description
Feb 00 PostScript 940300 "Secure Border Gateway Protocol (S-BGP) -- Real World Performance and Deployment Issues"
Apr 00 html 95638 IEEE JSAC Issue on Network Security article on "Secure Border Gateway Protocol (S-BGP)" architecture
Jun 01 Word 162304 DARPA Information Survivability Conference and Exposition paper "Public-Key Infrastructure for the Secure Border Gateway Protocol (S-BGP)"
Oct 03 PDF 32933 Seventh IFIP TC-6 TC-11 Conference on Communications and Multimedia Security, "Securing the Border Gateway Protocol: A Status Update"

  Presentations

Date Source Size Title/Description
Aug 98 PowerPoint 141312 IDR Working Group at IETF 42
Dec 98 PowerPoint 133632 IDR Working Group at IETF 43
Feb 99 html 231936 "Securing the Internet's Exterior Routing Protocol" at NDSS'99
Mar 99 PowerPoint 77824 IDR Working Group at IETF 44
Feb 00 PowerPoint 224256 "Secure Border Gateway Protocol (S-BGP) -- Real World Performance and Deployment Issues" at NDSS'00
Jun 00 PowerPoint 233984 "Secure BGP" at Forum on Technology Transition for Internet Infrastructure Security
Jan 02 PowerPoint 402432 "Securing the Border Gateway Protocol (S-BGP)"
a briefing for Richard Clarke's ISP and Router Vendor Workshop
Oct 02 Text 51643 Oregon Workshop Meeting Notes
Jan 03 PowerPoint 255488 DC Workshop Slides illustrating S-BGP router demonstration and NOC Tools

  Internet Drafts

Date Source Size Title/Description
Oct 99 Text 33795 (old) S-BGP X.509 Certificate Extensions
Jul 03 Text 200025 S-BGP Protocol Specification
Sep 03 Text 63147 X.509 Extensions for IP Addresses and AS Identifiers 02

Source Code

Prototype S-BGP source code based on MRT and supporting infrastructure components -- NOC Tools to manage certificates, CRLs, and Address Attestations; Open Source CMS Certification Authority; and S-BGP Repository -- is available.

Source code for the old proof-of-concept implementation of S-BGP in GateD 4.0.2, as well as some tools used for experiements is also available.


[HOME] Internetworking Research Dept.