• DocumentCode
    1386773
  • Title

    Enhancing the Trust of Internet Routing With Lightweight Route Attestation

  • Author

    Li, Qi ; Xu, Mingwei ; Wu, Jianping ; Zhang, Xinwen ; Lee, Patrick P C ; Xu, Ke

  • Author_Institution
    Dept. of Comput. Sci., Tsinghua Univ., Beijing, China
  • Volume
    7
  • Issue
    2
  • fYear
    2012
  • fDate
    4/1/2012 12:00:00 AM
  • Firstpage
    691
  • Lastpage
    703
  • Abstract
    The weak trust model in Border Gateway Protocol (BGP) introduces severe vulnerabilities for Internet routing including active malicious attacks and unintended misconfigurations. Although various secure BGP solutions have been proposed, the complexity of security enforcement and data-plane attacks still remain open problems. We propose TBGP, a trusted BGP scheme aiming to achieve high authenticity of Internet routing with a simple and lightweight attestation mechanism. TBGP introduces a set of route update and withdrawal rules that, if correctly enforced by each router, can guarantee the authenticity and integrity of route information that is announced to other routers in the Internet. To verify this enforcement, an attestation service running on each router provides interfaces for a neighboring router to challenge the integrity of its routing stack, enforced rules, and the attestation service itself. If this attestation succeeds, the neighboring router updates its routing table or announces the route to its neighbors, following the same rules. Thus, a router on a routing path only needs to verify one neighbor´s routing status to ensure that the route information is valid. Through this, TBGP builds a transitive trust relationship among all routers on a routing path. We implement a prototype of TBGP to investigate its practicality. In our implementation, we use identity-based signature and trusted computing techniques to further reduce the complexity of security operations. Our security analysis and performance study shows that TBGP can achieve the security goals of BGP with significantly better convergence performance and lower computation overhead than existing secure BGP solutions.
  • Keywords
    Internet; computer network security; digital signatures; routing protocols; trusted computing; Internet routing trust enhancement; Internet routing vulnerability; TBGP; active malicious attacks; attestation service; border gateway protocol; computation overhead; convergence performance; data-plane attacks; identity-based signature; interdomain routing protocol; lightweight route attestation; route information authenticity; route information integrity; route update rules; route withdrawal rules; secure BGP solutions; security analysis; security enforcement complexity; security operation complexity reduction; transitive trust relationship; trusted BGP scheme; trusted computing techniques; unintended misconfigurations; weak trust model; Authentication; Cryptography; Internet; Prototypes; Routing; Routing protocols; Border gateway protocol (BGP); hijacking; prevention; routing; secure BGP;
  • fLanguage
    English
  • Journal_Title
    Information Forensics and Security, IEEE Transactions on
  • Publisher
    ieee
  • ISSN
    1556-6013
  • Type

    jour

  • DOI
    10.1109/TIFS.2011.2177822
  • Filename
    6093959