Effective border gateway protocol protection that does not require universal adoption of a public key infrastructure

Abstract

Although it is fundamental to inter-domain routing in the Internet, the border gateway protocol (BGP) is susceptible to both misconfiguration and malicious attacks. Prefix-hijacking problems arise when an Internet service provider incorrectly advertises a route to one or more prefixes, and path hijacking problems arise when an advertisement contains an incorrect path. Several proposals have been made for ways to avoid or at least ameliorate catastrophic outcomes (such as black holes and man-in-the-middle attacks) that can occur as the result of a hijack. The techniques can be divided into two broad categories: those that use an external authority to validate incoming BGP information and those that validate incoming BGP messages against a historical record of past BGP advertisements. The study begins by defining terms, reviewing the existing methods, and explaining approaches used for external validation. It considers the effectiveness of each mechanism. The study then proposes a hybrid scheme that combines the use of an external authority and historical validation to improve effectiveness. It discusses the difference between our approach and validation using certificates plus a public key infrastructure. We show that it is possible to construct a hybrid hijack deterrent scheme that does not depend on a public key infrastructure and yet remains as effective as schemes that rely on the resource public key infrastructure and certificates to validate path origins. We present measurements that show the cost of maintaining a local cache of registry information and a local cache of historical data as well as the effectiveness of our approach.