IntroductionInternet routing is based on a distributed system composed of many routers, grouped into management domains called Autonomous Systems (ASes). Routing information is exchanged between ASes in Border Gateway Protocol (BGP) UPDATE messages. BGP is a critical component of the Internet's routing infrastructure. However, it is highly vulnerable to a variety of attacks due to the lack of a scalable means of verifying the authenticity and authorization of BGP control traffic. Secure BGP (S-BGP) addresses these vulnerabilities.
"Finding and eliminating bugs
in S-BGP is my #1 job!"
Click here for a smile
The S-BGP architecture employs three security mechanisms. First, a Public Key Infrastructure (PKI) is used to support the authentication of ownership of IP address blocks, ownership of Autonomous System (AS) numbers, an AS's identity, and a BGP router's identity and its authorization to represent an AS. This PKI parallels the IP address and AS number assignment system and takes advantage of the existing infrastructure (Internet registries, etc.) Second, a new, optional, BGP transitive path attribute is employed to carry digital signatures (in "attestations") covering the routing information in a BGP UPDATE. These signatures along with certificates from the S-BGP PKI enable the receiver of a BGP routing UPDATE to verify the address prefixes and path information that it contains. Third, IPsec is used to provide data and partial sequence integrity, and to enable BGP routers to authenticate each other for exchanges of BGP control traffic.
Under a previous contract with DARPA, a proof-of-concept prototype of S-BGP was developed and used to demonstrate the effectiveness and feasibility of deploying S-BGP. However, a major obstacle to the deployment of S-BGP is that it requires the participation of several distinct organizations -- the Internet registries, router vendors, and Internet service providers (ISPs). Because there will be no security benefits unless a few of each type of the organizations participate, each organization cannot justify the expense of investing in this new technology unless the others have also done so -- a classic chicken-and-egg problem. The goal of this project is to overcome these obstacles and promote deployment of S-BGP into the Internet.
Deploying S-BGP will require working with the Internet registries and ISPs to set up the PKI; working with router vendors to implement the S-BGP enhancements (new path attribute, IPsec, etc.) on COTS routers; and convincing ISPs to buy and use these routers. To do this, BBN intends to take the following steps:
Note that the design and details of S-BGP have evolved in response to implementation and other feedback. The older materials have not been updated to reflect these changes.
|Feb 00||PostScript||940300||"Secure Border Gateway Protocol (S-BGP) -- Real World Performance and Deployment Issues"|
|Apr 00||html||95638||IEEE JSAC Issue on Network Security article on "Secure Border Gateway Protocol (S-BGP)" architecture|
|Jun 01||Word||162304||DARPA Information Survivability Conference and Exposition paper "Public-Key Infrastructure for the Secure Border Gateway Protocol (S-BGP)"|
|Oct 03||32933||Seventh IFIP TC-6 TC-11 Conference on Communications and Multimedia Security, "Securing the Border Gateway Protocol: A Status Update"|
|Aug 98||PowerPoint||141312||IDR Working Group at IETF 42|
|Dec 98||PowerPoint||133632||IDR Working Group at IETF 43|
|Feb 99||html||231936||"Securing the Internet's Exterior Routing Protocol" at NDSS'99|
|Mar 99||PowerPoint||77824||IDR Working Group at IETF 44|
|Feb 00||PowerPoint||224256||"Secure Border Gateway Protocol (S-BGP) -- Real World Performance and Deployment Issues" at NDSS'00|
|Jun 00||PowerPoint||233984||"Secure BGP" at Forum on Technology Transition for Internet Infrastructure Security|
"Securing the Border Gateway Protocol (S-BGP)"
a briefing for Richard Clarke's ISP and Router Vendor Workshop
|Oct 02||Text||51643||Oregon Workshop Meeting Notes|
|Jan 03||PowerPoint||255488||DC Workshop Slides illustrating S-BGP router demonstration and NOC Tools|
|Oct 99||Text||33795||(old) S-BGP X.509 Certificate Extensions|
|Jul 03||Text||200025||S-BGP Protocol Specification|
|Sep 03||Text||63147||X.509 Extensions for IP Addresses and AS Identifiers 02|
Source code for the old proof-of-concept implementation of S-BGP in GateD 4.0.2, as well as some tools used for experiements is also available.
Internetworking Research Dept.