Efficient BGP Security - PowerPoint PPT Presentation

Provided by: ietfOrgpr
Learn more at: https://www.ietf.org
Transcript and Presenter's Notes

1
Efficient BGP Security
  • Meiyuan Zhao, Sean Smith
  • Dartmouth College
  • David Nicol
  • University of Illinois, Urbana-Champaign

2
Motivation
  • BGP: central routing for the Internet
  • BGP lacks security
  • Black holes
  • Disconnected networks
  • Suboptimal routes
  • Secure BGP
  • Deployment difficulties
  • Processing overheads
  • Storage demands
  • PKIs
  • Goal
  • Efficient AND practical security

3
Outline
  • Overview
  • BGP
  • S-BGP
  • Path authentication
  • PKI and origin authentication
  • Discussion
  • Conclusions

4
Border Gateway Protocol (BGP)
  • Inter-domain routing protocol
  • Mainly between autonomous systems (ASes)
  • Updates are in the form of route announcements

[Figure: ASes 1 to 5; a route announcement for prefix p propagates with AS paths "1, p", "2, 1, p" and "3, 2, 1, p"]
5
Secure BGP (S-BGP)
[Figure labels: AS path; Prefix; Route Attestations (RAs); Address Attestations (AAs); Public Key Infrastructures (PKIs)]
  • Attestations
  • Route Attestations: authenticate AS path
  • Address Attestations: authorization of IP address ownerships
  • Public key infrastructures
  • Certificates for routers
  • Certificates for address ownership

6
Outline
  • Overview
  • Path authentication
  • S-BGP RAs
  • Aggregated Path Authentication
  • Performance evaluation
  • PKI and origin authentication
  • Discussion
  • Conclusions

7
S-BGP Route Attestations (RAs)
  • Router signs (AS path, prefix, next_hop)
  • Sends all previous signatures
  • Verify AS path 1, 2, 3
  • Needs 3 signatures
  • Sign AS path 1, 2, 3
  • Creates n signatures
  • Signature algorithm: DSA
  • Caching optimization

8
Performance Problems
  • Time
  • Processing latency: 230% longer
  • Space
  • Message size: 800% longer
  • Memory cost: > 10 times more
  • For attestations and certificate database
  • Current routers: 128MB or 256MB RAM

9
Signature Amortization (S-A)
  • Fast signature verification: RSA
  • Fewer signature signings: amortized cost
  • Bit vectors (indicating recipients)
  • Merkle hash trees
  • Auxiliary values for each signature

[Figure labels: Aggregated hash; Router output buffers; Grouped messages]
Nicol, Smith, and Zhao. Evaluation of efficient security for BGP route announcements using parallel simulation. Simulation Modelling Practice and Theory Journal, Vol. 12, Issue 3–4, 2004
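Added example (not from the slides or the authors' code): the Merkle hash tree form of signature amortization listed on this slide. The router signs only the tree root once, and each buffered message carries its auxiliary values (sibling hashes) so a recipient can recompute that root. SHA-256, the leaf/node tags, the sample announcements and all function names are assumptions; the single RSA signature over the root is left out.

```python
import hashlib

# Constructed sample: announcements waiting in one router's output buffer.
BUFFERED = [b"192.0.2.0/24 path 1", b"198.51.100.0/24 path 2,1",
            b"203.0.113.0/24 path 3,2,1", b"192.0.2.128/25 path 1",
            b"198.51.100.64/26 path 2,1"]

def _h(tag, data):
    # Tag leaves (0x00) and interior nodes (0x01) differently so an
    # interior node can never be presented as a leaf.
    return hashlib.sha256(tag + data).digest()

def build_levels(messages):
    """Return every tree level, leaves first; the last level holds the root."""
    level = [_h(b"\x00", m) for m in messages]
    levels = [level]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(_h(b"\x01", level[i] + level[i + 1]))
            else:
                nxt.append(level[i])  # odd node is promoted, not duplicated
        level = nxt
        levels.append(level)
    return levels

def aux_values(levels, index):
    """Auxiliary values for one message: (side, sibling hash) per level."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            path.append(("L" if sib < index else "R", level[sib]))
        index //= 2
    return path

def root_from(message, path):
    """Recipient side: recompute the root from one message and its path."""
    node = _h(b"\x00", message)
    for side, sib in path:
        node = _h(b"\x01", sib + node if side == "L" else node + sib)
    return node

if __name__ == "__main__":
    levels = build_levels(BUFFERED)
    root = levels[-1][0]  # the only value the router would sign
    for i, msg in enumerate(BUFFERED):
        path = aux_values(levels, i)
        print(i, len(path), root_from(msg, path) == root)
```

The auxiliary values grow with the tree depth and travel with every message, which is the message-size cost of the tree-based variants.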
10
Aggregate Signatures
  • k signers s1, s2, ..., sk
  • k messages m1, m2, ..., mk
  • one aggregate signature s
  • One aggregate signature for entire AS path

[Figure: messages "1, p, 2", "2, 1, p, 3" and "3, 2, 1, p, 4" covered by one aggregate signature s]
Boneh et al. A Survey of Two Signature Aggregation Techniques. RSA CryptoBytes, 2003
11
Aggregate Signature Variants
  • General aggregate signature (GAS)
  • Based on BLS short signature on
  • Anyone can aggregate
  • in any ordering
  • Takes k+1 pairing calculations for verifying
  • Sequential aggregate signature (SAS)
  • Based on homomorphic trapdoor permutation
  • AggrSign by signers only
  • Must be in sequence
  • Takes k layers of verification
  • Advantage: save space!

12
Aggregated Path Authentication
  • Aggregated Path Authentication
  • Signature Amortization + Aggregate Signature
  • Efficient on time AND space

Aggregate Signature Scheme | S-A option: Bit Vectors | S-A option: Trees
GAS | GAS-V | GAS-T
SAS | SAS-V | SAS-T
13
Aggregated Path Authentication
  • Vector-based
  • Tree-based (GAS-T and SAS-T)

[Figure: routers R1, R2, R3; messages m1 = (1, p, 1110), m2 = (2, 1, p, 1011), m3 = (3, 2, 1, p, 1101); aggregate signature s]
14
Outline
  • Overview
  • Path authentication
  • S-BGP RAs
  • Aggregated Path Authentication
  • Performance evaluation
  • Methodology
  • Performance
  • PKI and origin authentication
  • Discussion
  • Conclusions

15
Evaluation Methodology
  • AS-level network simulation: 110 ASes
  • BGP router under stress: router reboot
  • Metrics
  • Speed: BGP convergence time
  • Signature memory overheads
  • Message size
  • SSFNet simulator
  • Benchmarks
  • OpenSSL
  • Algorithm decomposition for GAS and SAS

16
Benchmarks
Tate pairing calculation | Running Time (1GHz)
Miller's Algorithm on GF(3^97) (2002) | 24.0 ms
BKLS on GF(3^97) (2003) | 23.6 ms
Refined Duursma-Lee on GF(3^97) (2004) | 16.8 ms
Modified Duursma-Lee on GF(3^97) (2004) | 8.6 ms
Hardware implementation (2005) | 1.3 ms

Operation | RSA | DSA | SAS | GAS on GF(3^97)
Sign (ms) | 50.0 | 25.5 | 50.0 | 11.0
Verify (ms) | 2.5 | 31.0 | 2.5 | 43.0 × 2
SW Aggregate Verify (ms) | -- | -- | 2.5 × k | 43.0 × (k+1)
HW Aggregate Verify (ms) | -- | -- | -- | 1.3 × (k+1)
Signature length (bytes) | 128 | 40 | 128 | 20

Item | SHA-1 hash | MD5 hash | Attestations | Certificates | Identifier
Length | 20 bytes | 16 bytes | 110 bytes | 600 bytes | 4 bytes
17
Number of Signing Operations
  • S-BGP: 22,072/11,521 signings
  • Decreases 98.5%

[Chart with series labelled (SW) and (HW)]
18
Path Authentication Convergence
[Chart: convergence time in seconds; data labels 230.2, 3.4, 46; series labelled (SW) and (HW)]
19
Path Authentication Message Size
  • GAS-V: 66% shorter messages!
  • Tree construction inefficient

[Chart: average and maximum message size, in bytes]
20
Path Auth Performance: Memory
  • GAS-V saves 73% memory for signatures!

[Chart: signature memory, in kilobytes]
21
Performance Competition
  • Winner: GAS-V
  • Fast convergence, decreasing 32% / 69%
  • Short Update messages, decreasing 66%
  • Economic on signature memory, decreasing 72%

22
Outline
  • Overview
  • Path authentication
  • PKI and origin authentication
  • Design
  • Performance
  • Discussion
  • Conclusions

23
Secure BGP (S-BGP)
[Figure labels: AS path; Prefix; Route Attestations (RAs); Address Attestations (AAs)]
  • Routers create RAs
  • X.509 Certificates for AS and Routers
  • (AS, AS, PK) binding
  • (RtrID, AS, PK) binding
  • IP address owners create AAs
  • X.509 Certificates for IP address allocation
  • (prefix1, ..., prefixk, org_y) address assignment

24
S-BGP PKIs
  • Match existing infrastructures

[Figure: PKI hierarchies for IP Address Allocation, AS number assignment, and Binding a Router to an AS. Node labels: ICANN; APNIC, ARIN, RIPE, LACNIC, ATT; Organizations; ISP / DSP / Subscribers; AS numbers; IP address blocks; RtrID; (ASk, ASNs); (RtrID, ASN)]
25
S-BGP Address Attestations (AAs)
  • Authorize ASes to originate routes
  • CAs prepare and distribute AAs
  • Long-lived, need revocation
  • prefix list, ASN org_x

26
Evaluate PKI
  • PKI model
  • ASes, Routers, Organizations, CAs, Directories,
    and OCSP responders
  • Routers trust the roots, and OCSP responders may
    trust other CAs as well
  • Check certificate revocation status
  • OCSP: sequential or parallel requests
  • CRLs (fetch fresh copies)

Operation | OCSP request | CRL fetching
Operation latency (second) | 0.5–1.0 | 0.5–1.0
27
AA Performance: OCSP requests
  • 68,000 OCSP requests

[Chart: Convergence Time of OCSP Requests, in seconds]
28
AA Performance: CRL fetching
[Chart: Convergence Time of CRL Fetching]
29
PA PKI Performance: OCSP Requests
  • 88,000 OCSP requests

[Chart: Convergence Time of OCSP Requests, in seconds]
30
PA PKI Performance: CRL Fetching
[Chart: Convergence Time of CRL Fetching]
31
Real-world Deployment
  • Certificate database: 75–85 MB [KentCMS03]
  • RouteViews table dump (209MB)
  • 162,237 prefixes
  • 2,011,005 routes, avg. path length 4.1
  • S-BGP signatures: 393MB
  • GAS-V cache: 108MB
  • Decreases signature memory cost by 72%
  • Overall memory decrease: 60%
  • S-BGP RAs: 30–35MB per peer [KentCMS03]
  • Problem for routers at Internet exchange: > 1GB

Kent. Securing the Border Gateway Protocol: A Status Update. IFIP TC-6 TC-11, 2003
32
ECDSA
  • S-BGP uses ECDSA
  • Shorter key size
  • Same signature length
  • Faster signing
  • Slower verification

Scheme | RSA (1024-bit) | BLS | DSA (1024-bit) | ECDSA secp192r1 | ECDSA sect163k1 | ECDSA sect163r2
Key Size (bytes) | 135 | 100 | 408 | 180 | 139 | 155
Signature (bytes) | 128 | 20 | 40 | 40 | 40 | 40
Sign (ms) | 7.8 | 2.2 | 3.5 | 1.0 | 3.1 | 3.1
Verify (ms) | 0.4 | 8.6 | 4.5 | 4.4 | 8.2 | 8.7
33
Conclusions
  • Efficient path authentication
  • Aggregated Path Authentication
  • Efficient on time and space
  • PKI performance impact
  • OCSP vs. CRLs
  • Practical issues
  • Certificate database
  • Memory demands
  • ECDSA

34
Thank you!
  • Sun Microsystems
  • Mellon Foundation
  • Cisco Systems
  • Intel Corporation
  • NSF
  • DoJ/DHS
  • Email: zhaom_at_cs.dartmouth.edu
  • Homepage: http://www.cs.dartmouth.edu/zhaom

35
(No Transcript)
36
Related Work
  • S-BGP [KentNDSS00, KentCMS03]
  • OASim [AielloCCS03]
  • psBGP [WanNDSS05]
  • Listen and Whisper [SubramanianNSDI04]
  • Symmetric cryptography
  • Potentially more efficient
  • Key distribution [Goodrich00]
  • Time synchronization [HuSIGCOMM04]

37
General Aggregate Signatures
  • Bilinear map
  • Bilinear for all and
  • Non-degenerate
  • Key pair
  • Sign
  • Verify
  • Aggregation
  • Aggregate Verify

Boneh et al. Aggregate and Verifiably Encrypted Signatures from Bilinear Maps. Eurocrypt 2003
38
Performance Competition
  • Winner: GAS-V
  • Fast convergence, decreasing 32% / 69%
  • Short Update messages, decreasing 66%
  • Economic on signature memory, decreasing 72%
  • Further improvements?
  • Hardware accelerator
  • Parallelization
  • AS path length: 3.7/11

39
Origin Authentication (OA)
  • Short-lived attestations
  • Possible in-band transmission for address
    delegation paths

[Figure: address delegation hierarchy. Node labels: IANA; APNIC, ARIN, RIPE, ATT; IP address blocks; ISP / DSP / Subscribers; AS1, AS2, ASk]
  • Variants
  • OA-Simple: (p, org)K
  • OA-List: (p1, org1), (p2, org2), ..., (pi, orgi)K
  • OA-AS-List: (p1, p2, ..., pk, org)K
  • OA-Tree: Merkle hash tree, leaves (pi, orgi)

Aiello, Ioannidis, and McDaniel. Origin Authentication in Interdomain Routing. CCS03
40
OA Signature Performance: Storage
  • Different costs on memory and message size
  • OA-AS-List is most efficient
  • Possible in-band transmission

Attestation Constructions | Memory for Attestations (KB) | Message Size (Bytes)
OA-Simple | 42.80 | 496.97
OA-List | 666.27 | 36293.37
OA-AS-List | 13.23 | 575.35
OA-Tree | 30.22 | 1029.24
41
OA Signature Performance: Convergence
  • Slightly slows down convergence time

[Chart: convergence time, in seconds]
42
Certificate Distribution
  • Scale
  • 197,709 active prefixes
  • 19,357 unique ASes
  • >50,000 organizations
  • BGP Update message MTU: 4KB
  • S-BGP X.509 Certificates: 600 bytes
  • Store certificates/CRLs locally
  • >200MB

43
Aggregate Signatures
  • k signers s1, s2, ..., sk
  • k messages m1, m2, ..., mk
  • one aggregate signature s
  • One aggregate signature for entire AS path

[Figure: messages "1, p, 2", "2, p, 3" and "3, p, 4" covered by one aggregate signature s]
Lysyanskaya et al. Sequential Aggregate Signatures from Trapdoor Permutations. Eurocrypt 2004