Comparative analysis on the signature algorithms to validate AS paths in BGPsec

Abstract

Because of the lack of security in Border Gateway Protocol (BGP) and its world-wide coverage, BGP is categorized into one of the most vulnerable network protocols. As the Internet grows all around, BGP, which lays the groundwork for all network protocols by connecting all of them together, is being updated by protocol designers in security. The most noticeable topic to secure BGP is to validate paths in BGP. At this point, the most plausible solution to protect BGP paths is BGPsec. However, validating paths in BGPsec gives much more pressure to BGP in routing performance than validating the origin of a BGP message. In order to maximize the path-validating performance, BGPsec currently uses Elliptic Curve Digital Signature Algorithm (ECDSA), which is well known as one of best asymmetric cryptographic algorithms in performance. However, is ECDSA really better than the signature algorithms (i.e., DSA or RSA) originally used in BGP? In this paper, we found that RSA is better than ECDSA in BGPsec due to its outstanding verification speed. Among the signature algorithms (i.e., DSA, RSA, and ECDSA) that are utilized for RPKI and BGPsec, we argue that RSA is the best one in performance to validate paths in BGP Update messages.