Path stability in partially deployed secure BGP routing

Abstract

Border Gateway Protocol (BGP), as the current de-facto routing protocol connecting various cooperating domains on the Internet, did not consider security when it was originally designed. With the expansion of the Internet, security is increasingly valued and many BGP enhancement mechanisms are proposed and experimented. Some of them like BGPsec have been standardized and promoted by the IETF. However, the deployment of these inter-domain secure routing mechanisms is subject to many economic and political restrictions. Consequently, there will be a long period of partial deployment, during which instability of BGP can be observed. Specifically, when some networks start deploying secure BGP mechanisms, they may be involved in some temporary or persistent route oscillations. In this paper, we systematically study the stability problem induced by partially deployed secure BGP mechanisms. We analyze the characteristics of topology and routing strategies when BGP oscillations will be introduced. In particular, we propose dispute chain, a derived structure of dispute wheel proposed in Griffin et al. (2002), to formally analyze this problem. Based on dispute chain, we analyze how different security adoption strategies can cause BGP oscillations under the general Gao–Rexford model. Our analysis shows that, even in a situation when there is no dispute wheel, dispute chains may widely appear, indicating that BGP oscillation problems will be introduced when security mechanisms are casually deployed, affecting the security and quality of inter-domain communications. To avoid possible oscillations, we also propose some deployment guidelines from different perspectives of the operator and the Internet, so that a wider deployment of security mechanisms will not blindly disrupt the Internet.