BGP security in partial deployment: is the juice worth the squeeze?

  • Authors:
  • Robert Lychev;Sharon Goldberg;Michael Schapira

  • Affiliations:
  • Georgia Tech, Atlanta, GA, USA;Boston University, Boston, MA, USA;Hebrew University of Jerusalem, Jerusalem, Israel

  • Venue:
  • Proceedings of the ACM SIGCOMM 2013 conference on SIGCOMM
  • Year:
  • 2013

Quantified Score

Hi-index 0.00

Visualization

Abstract

As the rollout of secure route origin authentication with the RPKI slowly gains traction among network operators, there is a push to standardize secure path validation for BGP (i.e., S*BGP: S-BGP, soBGP, BGPSEC, etc.). Origin authentication already does much to improve routing security. Moreover, the transition to S*BGP is expected to be long and slow, with S*BGP coexisting in "partial deployment" alongside BGP for a long time. We therefore use theoretical and experimental approach to study the security benefits provided by partially-deployed S*BGP, vis-a-vis those already provided by origin authentication. Because routing policies have a profound impact on routing security, we use a survey of 100 network operators to find the policies that are likely to be most popular during partial S*BGP deployment. We find that S*BGP provides only meagre benefits over origin authentication when these popular policies are used. We also study the security benefits of other routing policies, provide prescriptive guidelines for partially-deployed S*BGP, and show how interactions between S*BGP and BGP can introduce new vulnerabilities into the routing system.