SPV: Secure Path Vector Routing for Securing BGP. Leonel Ocsa Sánchez, School of Computer Science.


1 SPV: Secure Path Vector Routing for Securing BGP. Leonel Ocsa Sánchez, leonel.ocsa.sanchez@hotmail.com, School of Computer Science

2 Introduction: Economy and critical infrastructure; Internet; BGP security. SPV: Secure Path Vector Routing for Securing BGP. Presented by: Leonel Ocsa Sánchez

3 Introduction: Internet packet routing. BGP (Border Gateway Routing Protocol): trusted environment; minimal security against attacks.

4 Introduction: S-BGP (Secure BGP Routing Protocol): authentication of messages. Internet routers: require computational efficiency; receive a high volume of messages; bursts.

5 Introduction: It's necessary: public keys and private keys should be minimized for authenticating.

6 BGP Security Threats: SPV (Secure Path Vector): active attackers that actively inject malicious traffic are considered. Strong attacker model: compromises routers in the network. There are two main attack classes: Denial of Service (DoS) and falsification attacks.

7 BGP Security Threats - Denial of Service (DoS): The classic DoS attack is a resource exhaustion attack. The attacker fabricates inputs to evoke the worst-case running time. The attacker can inject malicious TCP packets (TCP poisoning). The attacker could simply flood TCP port 179 to starve out the TCP connection between the two routers.

8 BGP Security Threats – Falsification Attacks: The attacker has caused a routing loop.

9 Closely Related Work – Hop-by-Hop Authentication: Hop-by-hop authentication serves to prevent attacks against eBGP TCP. However, the disadvantage is that the falsification of access route cannot be addressed.

10 Closely Related Work – Securing BGP Updates: S-BGP certificates: an address space PKI; AS ownership. The main goal of S-BGP is to protect the ASPATH and prevent unauthorized advertisements of an IP prefix. ASPATH: a sequence of intermediate ASes between source and destination routers that form a direct route for packets to travel.

11 Securing BGP: SPV removes the need for routers to perform computationally expensive public-key cryptographic operations and to store asymmetric private keys. It develops an ASPATH protector. Routers need only store the short-lived primary keys.

12 Securing BGP – Efficient Prefix Ownership Certificates: It works with the smaller blocks of service providers. Service providers often delegate blocks to their customers. At each step in the delegation, the recipient of the address block an asymmetric prefix primary key to represent the block. The address issuer uses its prefix private key to sign the prefix.

13 Securing BGP – Cryptographic Mechanisms: This system uses Merkle hash trees. For this it's possible to use a hash function like MD5. One-way hash chains: this makes it impossible for an attacker to derive values. The main property of the values of a one-way chain is that once the receiver trusts that a value v_i is authentic, it can derive all following values of the chain, so an adversary cannot derive later values.

14 Securing BGP – Cryptographic Mechanisms: SPV uses hash trees for three purposes: to authenticate the values of the single-ASN private key; to authenticate several single-ASN public keys; to authenticate the epoch public keys.
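
An added example (not part of the original slides and not the SPV authors' code) of the two primitives named on slides 13 and 14: a one-way hash chain, and a Merkle hash tree whose root authenticates individual values through an authentication path. It uses SHA-256 in place of the MD5 the slide mentions. The function names, the 0x00/0x01 domain-separation prefixes and the sample values are assumptions of this example, and the layout is not SPV's actual key structure.

```python
import hashlib

def H(data):
    # SHA-256 stands in for the MD5 named on the slide (assumption of this example)
    return hashlib.sha256(data).digest()

def hash_chain(seed, length):
    """Return [v_0, ..., v_length] with v_0 = seed and v_i = H(v_{i-1})."""
    chain = [seed]
    for _ in range(length):
        chain.append(H(chain[-1]))
    return chain

def merkle_levels(leaves):
    """All tree levels, hashed leaves first, root last (leaf count: power of two)."""
    if not leaves or (len(leaves) & (len(leaves) - 1)) != 0:
        raise ValueError("leaf count must be a power of two")
    levels = [[H(b"\x00" + leaf) for leaf in leaves]]  # 0x00 prefix marks a leaf
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([H(b"\x01" + prev[i] + prev[i + 1])  # 0x01 marks an inner node
                       for i in range(0, len(prev), 2)])
    return levels

def auth_path(levels, index):
    """Sibling hashes from leaf `index` up to (not including) the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path

def verify_leaf(root, leaf, index, path):
    """Recompute the root from one disclosed leaf and its authentication path."""
    node = H(b"\x00" + leaf)
    for sibling in path:
        node = H(b"\x01" + (sibling + node if index & 1 else node + sibling))
        index >>= 1
    return node == root

def demo():
    chain = hash_chain(b"constructed-seed", 5)            # constructed sample input
    secrets = [H(b"constructed-secret" + bytes([i])) for i in range(8)]
    levels = merkle_levels(secrets)
    root, path = levels[-1][0], auth_path(levels, 5)
    return (hash_chain(chain[2], 3)[-1] == chain[5],       # holder of v_2 derives v_5
            verify_leaf(root, secrets[5], 5, path),        # genuine value accepted
            verify_leaf(root, b"forged value", 5, path))   # forged value rejected
```

With 8 leaves the verifier needs only the root plus 3 sibling hashes per disclosed value, which is why a single authenticated root can stand in for many values.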

15 Securing BGP – Basic ASPATH Protector

16 Securing BGP – Basic ASPATH Protector

17 Securing BGP – Advanced ASPATH Protector

18 Evaluation - SPV Security against Attacks: Compute the security against signature forgery, and use these results to derive the parameters: n (number of private values per one-time signature) and m (number of private values disclosed per one-time signature). This graphic shows the probability of a number of attacks being successful. In particular, the attacker will not have a certificate for the correct prefix. The attacker is also generally unable to truncate arbitrary ASPATHs.

19 Evaluation - Comparison to S-BGP. S-BGP: Ensuring that an S-BGP AS cannot be falsely added to the ASPATH. In S-BGP, threshold cryptography could be used, wherein peers together generate a key for the non-deploying AS, and use a separate protocol to sign UPDATEs for each other. S-BGP ensures that each AS on the ASPATH has been transited by the UPDATE, and that ASNs cannot be dropped from the ASPATH. SPV: SPV does not achieve any properties in this case. In SPV, a single entity computes the private keys, and signs each peer's ASN into every UPDATE that would be protected by that private key. In SPV, an attacker controlling two ASes can insert bogus ASNs between its two ASNs. In addition, as an AS receives several UPDATEs from a single prefix, this increases the probability of truncation.

20 Evaluation - Comparison to S-BGP

21 Evaluation – Performance Evaluation: Computational overhead: When an AS connects to many peers, the UPDATEs received over one second often take BGP over 100 seconds to process in software.

22 Conclusions: Secure BGP software implementations enjoy at least a 20-fold speedup over digital signatures. SPV is a protocol leveraging symmetric-key cryptography for securing against the truncation and modification attacks. SPV is configurable to allow tradeoffs between security and CPU usage. SPV introduces three novel concepts to the design space of secure routing protocols: first, it includes private keys within the UPDATEs themselves; second, it does not authenticate the AS that inserts itself onto the path; and finally, it provides security not by requiring overwhelming computational complexity. SPV is much faster than S-BGP, so SPV would perform better in periods of high BGP traffic. When replay attacks are considered a threat, SPV allows for shorter timeouts than does S-BGP, and therefore can more effectively secure against replay attacks.
