Jumpstarting BGP security with path-end validation

Avichai Cohen; Yossi Gilad; Amir Herzberg; Michael Schapira

doi:10.1145/2934872.2934883

Jumpstarting BGP security with path-end validation

Avichai Cohen, Yossi Gilad, Amir Herzberg, Michael Schapira

Department of Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

51 Scopus citations

Abstract

Extensive standardization and R&D efforts are dedicated to establishing secure interdomain routing. These efforts focus on two mechanisms: origin authentication with RPKI, and path validation with BGPsec. However, while RPKI is finally gaining traction, the adoption of BGPsec seems not even on the horizon due to inherent, possibly insurmountable, obstacles, including the need to replace today's routing infrastructure and meagre benefits in partial deployment. Consequently, secure interdomain routing remains a distant dream. We propose an easily deployable, modest extension to RPKI, called "path-end validation", which does not entail replacing/upgrading today's BGP routers. We show, through rigorous security analyses and extensive simulations on empirically derived datasets, that path-end validation yields significant benefits even in very limited partial adoption. We present an open-source, readily deployable prototype implementation of path-end validation.

Original language	English
Title of host publication	SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication
Publisher	Association for Computing Machinery, Inc
Pages	342-355
Number of pages	14
ISBN (Electronic)	9781450341936
DOIs	https://doi.org/10.1145/2934872.2934883
State	Published - 22 Aug 2016
Event	2016 ACM Conference on Special Interest Group on Data Communication, SIGCOMM 2016 - Florianopolis, Brazil Duration: 22 Aug 2016 → 26 Aug 2016

Publication series

Name	SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication

Conference

Conference	2016 ACM Conference on Special Interest Group on Data Communication, SIGCOMM 2016
Country/Territory	Brazil
City	Florianopolis
Period	22/08/16 → 26/08/16

Bibliographical note

Publisher Copyright:
© 2016 ACM.

Funding

This work was supported by ISF grants 420/12 and 1354/11, Israel Ministry of Science grants 3-9772 and 3-10884, the Israeli Center for Research Excellence in Algorithms, and an ERC Starting Grant. We thank Aditya Akella, Steve Bellovin, Randy Bush, Sharon Goldberg, Joel Halpern, Hezi Moriel, and Alvaro Retana for their helpful comments and suggestions.

Funders	Funder number
Israel Ministry of Science	3-10884, 3-9772
Israeli Center for Research Excellence in Algorithms
Horizon 2020 Framework Programme	678921
European Commission
Israel Science Foundation	1354/11, 420/12

Keywords

BGP security
RPKI
Routing security

Access to Document

10.1145/2934872.2934883

Cite this

Cohen, A., Gilad, Y., Herzberg, A., & Schapira, M. (2016). Jumpstarting BGP security with path-end validation. In SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication (pp. 342-355). Article 2934883 (SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication). Association for Computing Machinery, Inc. https://doi.org/10.1145/2934872.2934883

Cohen, Avichai ; Gilad, Yossi ; Herzberg, Amir et al. / Jumpstarting BGP security with path-end validation. SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication. Association for Computing Machinery, Inc, 2016. pp. 342-355 (SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication).

@inproceedings{8c4ff7aa5a464b969cec74ed8a94a6b0,

title = "Jumpstarting BGP security with path-end validation",

abstract = "Extensive standardization and R&D efforts are dedicated to establishing secure interdomain routing. These efforts focus on two mechanisms: origin authentication with RPKI, and path validation with BGPsec. However, while RPKI is finally gaining traction, the adoption of BGPsec seems not even on the horizon due to inherent, possibly insurmountable, obstacles, including the need to replace today's routing infrastructure and meagre benefits in partial deployment. Consequently, secure interdomain routing remains a distant dream. We propose an easily deployable, modest extension to RPKI, called {"}path-end validation{"}, which does not entail replacing/upgrading today's BGP routers. We show, through rigorous security analyses and extensive simulations on empirically derived datasets, that path-end validation yields significant benefits even in very limited partial adoption. We present an open-source, readily deployable prototype implementation of path-end validation.",

keywords = "BGP security, RPKI, Routing security",

author = "Avichai Cohen and Yossi Gilad and Amir Herzberg and Michael Schapira",

note = "Publisher Copyright: {\textcopyright} 2016 ACM.; 2016 ACM Conference on Special Interest Group on Data Communication, SIGCOMM 2016 ; Conference date: 22-08-2016 Through 26-08-2016",

year = "2016",

month = aug,

day = "22",

doi = "10.1145/2934872.2934883",

language = "אנגלית",

series = "SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication",

publisher = "Association for Computing Machinery, Inc",

pages = "342--355",

booktitle = "SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication",

}

Cohen, A, Gilad, Y, Herzberg, A & Schapira, M 2016, Jumpstarting BGP security with path-end validation. in SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication., 2934883, SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication, Association for Computing Machinery, Inc, pp. 342-355, 2016 ACM Conference on Special Interest Group on Data Communication, SIGCOMM 2016, Florianopolis, Brazil, 22/08/16. https://doi.org/10.1145/2934872.2934883

Jumpstarting BGP security with path-end validation. / Cohen, Avichai; Gilad, Yossi; Herzberg, Amir et al.
SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication. Association for Computing Machinery, Inc, 2016. p. 342-355 2934883 (SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Jumpstarting BGP security with path-end validation

AU - Cohen, Avichai

AU - Gilad, Yossi

AU - Herzberg, Amir

AU - Schapira, Michael

PY - 2016/8/22

Y1 - 2016/8/22

N2 - Extensive standardization and R&D efforts are dedicated to establishing secure interdomain routing. These efforts focus on two mechanisms: origin authentication with RPKI, and path validation with BGPsec. However, while RPKI is finally gaining traction, the adoption of BGPsec seems not even on the horizon due to inherent, possibly insurmountable, obstacles, including the need to replace today's routing infrastructure and meagre benefits in partial deployment. Consequently, secure interdomain routing remains a distant dream. We propose an easily deployable, modest extension to RPKI, called "path-end validation", which does not entail replacing/upgrading today's BGP routers. We show, through rigorous security analyses and extensive simulations on empirically derived datasets, that path-end validation yields significant benefits even in very limited partial adoption. We present an open-source, readily deployable prototype implementation of path-end validation.

AB - Extensive standardization and R&D efforts are dedicated to establishing secure interdomain routing. These efforts focus on two mechanisms: origin authentication with RPKI, and path validation with BGPsec. However, while RPKI is finally gaining traction, the adoption of BGPsec seems not even on the horizon due to inherent, possibly insurmountable, obstacles, including the need to replace today's routing infrastructure and meagre benefits in partial deployment. Consequently, secure interdomain routing remains a distant dream. We propose an easily deployable, modest extension to RPKI, called "path-end validation", which does not entail replacing/upgrading today's BGP routers. We show, through rigorous security analyses and extensive simulations on empirically derived datasets, that path-end validation yields significant benefits even in very limited partial adoption. We present an open-source, readily deployable prototype implementation of path-end validation.

KW - BGP security

KW - RPKI

KW - Routing security

UR - http://www.scopus.com/inward/record.url?scp=84986576686&partnerID=8YFLogxK

U2 - 10.1145/2934872.2934883

DO - 10.1145/2934872.2934883

M3 - ???researchoutput.researchoutputtypes.contributiontobookanthology.conference???

AN - SCOPUS:84986576686

T3 - SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication

SP - 342

EP - 355

BT - SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication

PB - Association for Computing Machinery, Inc

T2 - 2016 ACM Conference on Special Interest Group on Data Communication, SIGCOMM 2016

Y2 - 22 August 2016 through 26 August 2016

ER -

Cohen A, Gilad Y, Herzberg A, Schapira M. Jumpstarting BGP security with path-end validation. In SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication. Association for Computing Machinery, Inc. 2016. p. 342-355. 2934883. (SIGCOMM 2016 - Proceedings of the 2016 ACM Conference on Special Interest Group on Data Communication). doi: 10.1145/2934872.2934883

Jumpstarting BGP security with path-end validation

Abstract

Publication series

Conference

Bibliographical note

Funding

Keywords

Access to Document

Other files and links

Fingerprint

Cite this