Symmetric Key Approaches to Securing BGP— A Little Bit Trust Is Enough

摘要

The Border Gateway Protocol (BGP) is the de facto inter-domain routing protocol that connects autonomous systems (ASes). De-spite its importance for the Internet infrastructure, BGP is vulnerableto a variety of attacks due to lack of security mechanisms in place. ManyBGP security mechanisms have been proposed, however, none of themhas been deployed because of either high cost or high complexity. Theright trade-off between efficiency and security has been ever challenging.In this paper, we attempt to trade-off between efficiency and secu-rity by giving a little dose of trust to BGP routers. We present a newflexible threat model that assumes for any path of length h, at leastone BGP router is trustworthy, where h is a parameter that can betuned according to security requirements. Based on this threat model,we present two new symmetric key approaches to securing BGP: the cen-tralized key distribution approach and the distributed key distributionapproach. Comparing our approaches to the previous SBGP scheme, ourcentralized approach has a 98% improvement in signature verification.Our distributed approach has equivalent signature generation cost as inSBGP and an improvement of 98% in signature verification. Comparingour approaches to the previous SPV scheme, our centralized approachhas a 42% improvement in signature generation and a 96% improvementin signature verification. Our distributed approach has a 90% improve-ment on signature generation cost and a 95% improvement in signatureverification cost. By combining our approaches with previous public keyapproaches, it is possible to simultaneously provide an increased level ofsecurity and reduced computation cost.