Keychain-based signatures for securing BGP

Authors:
Heng Yin;Bo Sheng;Haining Wang;Jianping Pan
Affiliations:
Department of Electrical Engineering and Computer Science, Syracuse University, Syracuse, New York;Department of Computer Science, University of Massachusetts Boston, Boston, MA;Department of Computer Science, College of William and Mary, Williamsburg, VA;Department of Computer Science, University of Victoria, BC, Canada
Venue:
IEEE Journal on Selected Areas in Communications - Special issue title on scaling the internet routing system: an interim report
Year:
2010

Citing 11
Cited 0

Towards capturing representative AS-level Internet topologies

SIGMETRICS '02 Proceedings of the 2002 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Better than BiBa: Short One-Time Signatures with Fast Signing and Verifying

ACISP '02 Proceedings of the 7th Australian Conference on Information Security and Privacy
Origin authentication in interdomain routing

Proceedings of the 10th ACM conference on Computer and communications security
SPV: secure path vector routing for securing BGP

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Aggregated path authentication for efficient BGP security

Proceedings of the 12th ACM conference on Computer and communications security
Identity-based registry for secure interdomain routing

ASIACCS '06 Proceedings of the 2006 ACM Symposium on Information, computer and communications security
Optimizing BGP security by exploiting path stability

Proceedings of the 13th ACM conference on Computer and communications security
Listen and whisper: security mechanisms for BGP

NSDI'04 Proceedings of the 1st conference on Symposium on Networked Systems Design and Implementation - Volume 1
Pretty Good BGP: Improving BGP by Cautiously Adopting Routes

ICNP '06 Proceedings of the Proceedings of the 2006 IEEE International Conference on Network Protocols
A survey of security techniques for the border gateway protocol (BGP)

IEEE Communications Surveys & Tutorials
Secure Border Gateway Protocol (S-BGP)

IEEE Journal on Selected Areas in Communications

Quantified Score

Hi-index	0.01

Visualization

Abstract

As a major component of Internet routing infrastructure, the Border Gateway Protocol (BGP) is vulnerable to malicious attacks. While Secure BGP (S-BGP) provides a comprehensive framework to secure BGP, its high computational cost and low incremental deployment benefits seriously impede its wide usage in practice. Using a lightweight symmetric signature scheme, SPV is much faster than S-BGP. However, the speed boost comes at the price of prohibitively large signatures. Aggregated path authentication reduces the overhead of securing BGP in terms of both time and space, but the speed improvement is still limited by public key computation. In this paper, we propose a keychain-based signature scheme called KC-x. It has low CPU and memory overheads and provides strong incentive for incremental deployment on the Internet. As a generic framework, KC-x has the flexibility of using different signature algorithms, which can even co-exist in a hybrid deployment. We investigate two implementations of KC-x: KC-RSA based on RSA and KCMT based on Merkle hash tree. Using real BGP workloads, our experimental results show that KC-RSA is as efficient as SAS-V (the most efficient software approach for aggregated path authentication), and KC-MT is even three times faster than SPV with 40% smaller signatures. Through the hybrid deployment of KC-MT and KC-RSA, KC-x can achieve both small signature and high processing rate for BGP speakers.