Abstract

In global networks, Border Gateway Protocol (BGP) is widely used to exchange routing information. The original design of BGP did not focus on security protection against deliberate or accidental errors that disrupt routing, and one of the fundamental vulnerabilities in BGP is the lack of assurance in validating the authority for announcing network layer reachability. Therefore, a distributed repository system known as Resource Public Key Infrastructure (RPKI) has been used to mitigate this issue. However, such validation requires further deployment steps for each Autonomous System (AS), and it may cause performance and compatibility problems in legacy network infrastructure. Meanwhile, with recent advances in network innovation, some traditional networks are planned to be restructured with Software-Defined Networking (SDN) technology to gain more benefits. By using SDN, an Internet eXchange Point (IXP) is able to enhance its management capability by applying softwarized control methods, acting as a Software-Defined eXchange (SDX) center to handle numerous advertisements adaptively. To use the SDN method to strengthen the routing security of an IXP, this paper proposes an alternative SDX development, SD-BROV, an SDX-based BGP Route Origin Validation mechanism that establishes a flexible route exchange scenario with RPKI validation. The validating application built into the SDN controller is capable of inspecting received routing information. It aims to support hybrid SDN environments and to help non-SDN BGP neighbors obtain trusted routes and drop suspicious ones during the transition. To verify the proposed idea in an emulated environment, the proof-of-concept development is deployed on an SDN testbed running over Research and Education Networks (RENs). During the BGP hijacking experiment, the results show that the developed SD-BROV is able to detect and stop legitimate traffic from being redirected by the attacker, offering an approach to secure traffic forwarding on BGP routers.

Highlights

  • One of the common vulnerabilities [1] in Border Gateway Protocol (BGP) is accidental announcement—IP prefixes are misdirected to an inaccurate Autonomous System (AS) due to misconfiguration or other intentional purposes

  • Software-Defined Networking (SDN)-IP controller application is used to communicate with Resource Public Key Infrastructure (RPKI) validator server, which is responsible for validating all the BGP routes exchanged in the Software-Defined eXchange (SDX)

  • To strengthen the security of BGP route exchange, this paper proposes SD-BROV—an idea that provides BGP route validation with flexibility and alternation in SDX


Summary

Introduction

One of the common vulnerabilities [1] in Border Gateway Protocol (BGP) is accidental announcement—IP prefixes are misdirected to an inaccurate Autonomous System (AS). To mitigate route exchange vulnerabilities in BGP with the SDN method, this paper proposes an alternative SDX development that aims to establish a flexible validation scenario with RPKI validation. By integrating ROV with RPKI, the SDX is able to provide its members with security protection against deliberate or accidental routing events. This implementation aims to reduce the time needed to stop a poisoned router from spreading unauthorized routes and to prevent it from hijacking traffic from legitimate routers. The paper presents the evaluation results of SD-BROV, which is tested in an overlay network testbed based on Research and Education Networks (RENs).
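As an added example (not code from the paper or its SD-BROV implementation), the RFC 6811 route origin validation decision that the abstract and introduction describe the controller applying to received routes, run over a constructed ROA set with a legitimate announcement, a wrong-origin announcement and an over-long more-specific; the ROA record shape, the sample prefixes/ASNs and the accept-by-default policy for NOT_FOUND routes are assumptions.

```python
import ipaddress
from collections import namedtuple

# RFC 6811 validation states for a (prefix, origin AS) pair
VALID, INVALID, NOT_FOUND = "valid", "invalid", "not-found"

# One ROA as an RPKI validator would hand it over the RTR session (assumed shape)
ROA = namedtuple("ROA", "prefix max_length origin_as")

def load_roas(records):
    """records: iterable of (prefix_str, max_length_or_None, origin_asn)."""
    roas = []
    for prefix, max_len, asn in records:
        net = ipaddress.ip_network(prefix, strict=False)
        roas.append(ROA(net, net.prefixlen if max_len is None else max_len, asn))
    return roas

def validate_origin(roas, prefix, origin_as):
    """Return VALID / INVALID / NOT_FOUND for one announced prefix and origin AS."""
    net = ipaddress.ip_network(prefix, strict=False)
    # A ROA covers the route when the ROA prefix contains the announced prefix.
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return NOT_FOUND  # no ROA says anything about this address space
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return VALID  # origin authorised and length within maxLength
    return INVALID  # covered, but no ROA authorises this origin/length pair

def filter_updates(roas, updates, accept_not_found=True):
    """Split (prefix, origin_as) announcements into (accepted, dropped) lists.
    VALID routes are kept and INVALID ones dropped; NOT_FOUND routes are kept by
    default so unsigned address space still reaches non-SDN neighbours."""
    accepted, dropped = [], []
    for prefix, asn in updates:
        state = validate_origin(roas, prefix, asn)
        keep = state == VALID or (state == NOT_FOUND and accept_not_found)
        (accepted if keep else dropped).append((prefix, asn, state))
    return accepted, dropped

# Constructed sample data: RFC 5737 documentation prefixes, RFC 5398 example ASNs.
SAMPLE_ROAS = load_roas([("192.0.2.0/24", 24, 64496)])
SAMPLE_UPDATES = [("192.0.2.0/24", 64496),     # legitimate origin
                  ("192.0.2.0/24", 64497),     # wrong origin AS: detected as INVALID
                  ("192.0.2.128/25", 64496),   # more-specific beyond maxLength
                  ("198.51.100.0/24", 64497)]  # no ROA covers it
```

Calling `filter_updates(SAMPLE_ROAS, SAMPLE_UPDATES)` keeps the first and last announcement and drops the two INVALID ones, which is the decision the controller would push as a flow rule or as a filtered BGP update to its peers.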

Background and Related Work
BGP Hijacking and Route Poisoning
Route Validation with RPKI
Limitation and Motivation to Improve Current BGP Route Validation
Building Concepts
Layer 2 Versus Layer 3 IXP
RPKI-RTR Route Validation
From IXP to SD-BROV
Functionality of SDX-Based Route Validation
Enabling SD-BROV over Multi-Site REN Testbed
BGP Hijacking Protection Evaluation
Peering Members in SDX
Experiment
Conclusions