Efficient BGP Security
Transcript of Efficient BGP Security
Meiyuan Zhao, Sean Smith (Dartmouth College)
David Nicol (University of Illinois, Urbana-Champaign)
08/01/2005 63rd IETF - Paris, FRANCE
Motivation
BGP is the central routing protocol of the Internet, and BGP lacks security: black holes, disconnected networks, suboptimal routes, ...
Secure BGP (S-BGP) has deployment difficulties: processing overheads, storage demands, PKIs.
Goal: efficient AND practical security.
Outline
Overview: BGP, S-BGP
Path authentication
PKI and origin authentication
Discussion
Conclusions
Border Gateway Protocol (BGP)
Inter-domain routing protocol, mainly between autonomous systems (ASes). Updates are in the form of route announcements: (AS_PATH, prefix).
AS_PATH: a sequence of AS numbers, e.g., "500 300 100"
prefix: a range of IP addresses, e.g., 129.170.0.0/16
Figure: AS 1 originates prefix p and announces ({1}, p) to AS 2; AS 2 announces ({2, 1}, p) to AS 3; AS 3 announces ({3, 2, 1}, p) to both AS 4 and AS 5.
Secure BGP (S-BGP)
Attestations: Route Attestations (RAs) authenticate the AS path; Address Attestations (AAs) authorize IP address (prefix) ownership.
Public key infrastructures (PKIs): certificates for routers, certificates for address ownership.
Outline
Overview
Path authentication: S-BGP RAs, Aggregated Path Authentication, performance evaluation
PKI and origin authentication
Discussion
Conclusions
S-BGP Route Attestations (RAs)
Each router signs (AS path, prefix, next_hop) and sends along all previous signatures.
Verifying AS path {1, 2, 3} needs 3 signature verifications. Signing AS path {1, 2, 3} for n peers creates n signatures, because next_hop is part of the signed data and differs per peer.
Signature algorithm: DSA. Caching optimization.
Figure: AS 1 sends (1, p, 2) signed to AS 2; AS 2 adds its signature over (2, 1, p, 3) and forwards both to AS 3; AS 3 adds (3, 2, 1, p, 4) and forwards all three to AS 4, which verifies path {3, 2, 1} for prefix p.
Performance Problems
Time: processing latency 230% longer.
Space: message size 800% longer; memory cost more than 10 times higher for the attestation and certificate database. Current routers have 128MB or 256MB of RAM.
Signature Amortization (S-A)
Fast signature verification: RSA.
Fewer signings: the cost of one signing is amortized over many messages, using bit vectors (indicating recipients) or Merkle hash trees, with auxiliary values carried alongside each signature.
Figure: router output buffers hold grouped messages m1, m2, ..., mk with recipient bit vectors B1, B2, ..., Bk; one aggregated hash is signed.
"Evaluation of efficient security for BGP route announcements using parallel simulation". Nicol, Smith, and Zhao. Simulation Modelling Practice and Theory Journal, Vol. 12, Issue 3-4, 2004.
Aggregate Signatures
k signers {s1, s2, ..., sk} with k messages {m1, m2, ..., mk} produce one aggregate signature: one aggregate signature for the entire AS path.
Figure: (1, p, 2), (2, 1, p, 3), (3, 2, 1, p, 4), signed by AS 1, AS 2 and AS 3 respectively and aggregated into a single signature.
Boneh et al. "A Survey of Two Signature Aggregation Techniques". RSA CryptoBytes 2003.
Aggregate Signature Variants
General aggregate signature (GAS): based on the BLS short signature; anyone can aggregate, in any ordering; verification takes k+1 pairing calculations.
Sequential aggregate signature (SAS): based on homomorphic trapdoor permutations; AggrSign by the signers only, and in sequence; verification takes k layers.
Advantage: save space!
Aggregated Path Authentication
Signature Amortization + Aggregate Signature: efficient on time AND space.
S-A options (bit vectors, trees) combined with the aggregate signature schemes (GAS, SAS) give four variants:
GAS: GAS-V (bit vectors), GAS-T (trees)
SAS: SAS-V (bit vectors), SAS-T (trees)
Aggregated Path Authentication: vector-based (GAS-V and SAS-V) and tree-based (GAS-T and SAS-T)
Figure (vector-based): routers R1, R2, R3 sign m1 = (1, p, "1110"), m2 = (2, 1, p, "1011"), m3 = (3, 2, 1, p, "1101"), where the bit vector names the recipients of each message.
SAS-V: $\sigma_1 = \mathrm{AggrSign}(0, h(m_1))$, $\sigma_2 = \mathrm{AggrSign}(\sigma_1, h(m_2))$, $\sigma_3 = \mathrm{AggrSign}(\sigma_2, h(m_3))$
GAS-V: $\sigma_i = h(m_i)^{x_i}$, $\sigma = \sigma_1 \sigma_2 \sigma_3$
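Added example (not part of the presentation): toy Python versions of the two building blocks behind the Signature Amortization slide and the SAS-V chain above. One RSA signing over the Merkle root of a buffer of k updates, each carrying its recipient bit vector and its authentication path, serves every update and every recipient; and a sequential aggregate signature along the path 1 -> 2 -> 3 -> 4 gives the whole path one constant-size signature that the receiver checks by peeling k layers. The signature primitive is textbook RSA on hard-coded 27-bit moduli chosen strictly increasing (the sequential construction needs sigma_{i-1} < n_i), the per-layer combination uses modular addition rather than the exact LMRS encoding, and the message encoding and function names are mine; all of it is insecure toy cryptography meant only to show the structure.

```python
"""Toy signature amortization (S-A) and sequential aggregate signatures (SAS).
Added example, not the presentation's code; 27-bit RSA moduli, insecure."""
import hashlib

# Primes giving strictly increasing moduli n_1 < n_2 < n_3 (toy sizes only).
PRIMES = [(10007, 10009), (10037, 10039), (10061, 10067)]
E = 65537

def keygen(i):
    """Return (pub, priv) = ((n, e), (n, d)) for toy signer i."""
    p, q = PRIMES[i]
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def h_mod(data, n):
    """SHA-256 of data reduced into Z_n (stand-in for full-domain hashing)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def encode(as_path, prefix, tail):
    """Update payload: AS path, prefix, and a recipient bit vector or next hop."""
    return f"{' '.join(map(str, as_path))}|{prefix}|{tail}".encode()

# ---- Signature amortization: one signing over the Merkle root of k updates ----
def merkle(leaves):
    """Return (root, paths); paths[i] lists (sibling_hash, sibling_is_right)."""
    level = [hashlib.sha256(leaf).digest() for leaf in leaves]
    paths = [[] for _ in leaves]
    pos = list(range(len(leaves)))       # position of leaf i in the current level
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])      # duplicate the odd node out
        for i, p in enumerate(pos):
            paths[i].append((level[p ^ 1], p % 2 == 0))
        level = [hashlib.sha256(level[j] + level[j + 1]).digest()
                 for j in range(0, len(level), 2)]
        pos = [p // 2 for p in pos]
    return level[0], paths

def root_from_path(leaf, path):
    node = hashlib.sha256(leaf).digest()
    for sibling, sibling_is_right in path:
        node = hashlib.sha256(node + sibling if sibling_is_right else sibling + node).digest()
    return node

def amortized_sign(priv, updates):
    """k buffered updates, ONE RSA signing: sign the Merkle root."""
    n, d = priv
    root, paths = merkle([encode(*u) for u in updates])
    return pow(h_mod(root, n), d, n), paths

def amortized_verify(pub, update, path, sig, recipient):
    """Recipient rebuilds the root from its auxiliary path, checks the signature,
    and checks that its own bit is set in the update's recipient vector."""
    n, e = pub
    root = root_from_path(encode(*update), path)
    return pow(sig, e, n) == h_mod(root, n) and update[2][recipient] == "1"

# ---- Sequential aggregate signature along the AS path (simplified LMRS) ----
def sas_context(pubs, msgs, i):
    """Layer i hashes every message and public key up to and including i."""
    return b"|".join(msgs[: i + 1]) + repr(pubs[: i + 1]).encode()

def sas_sign(priv, pubs, msgs, i, prev_sig):
    """Signer i folds the aggregate so far into its own trapdoor inversion."""
    n, d = priv
    assert prev_sig < n                  # guaranteed by the increasing moduli
    return pow((h_mod(sas_context(pubs, msgs, i), n) + prev_sig) % n, d, n)

def sas_verify(pubs, msgs, sig):
    """Peel the k layers in reverse order; the innermost value must be 0."""
    for i in range(len(pubs) - 1, -1, -1):
        n, e = pubs[i]
        if sig >= n:
            return False
        sig = (pow(sig, e, n) - h_mod(sas_context(pubs, msgs, i), n)) % n
    return sig == 0

def demo():
    keys = [keygen(i) for i in range(3)]
    # AS 1 buffers three updates for four peers; bit j set means peer j gets it.
    updates = [([1], "10.0.0.0/8", "1110"), ([1], "10.1.0.0/16", "1011"),
               ([1], "192.0.2.0/24", "1101")]
    sig, paths = amortized_sign(keys[0][1], updates)
    ok = amortized_verify(keys[0][0], updates[0], paths[0], sig, recipient=0)
    wrong_peer = amortized_verify(keys[0][0], updates[0], paths[0], sig, recipient=3)
    forged = amortized_verify(keys[0][0], ([1], "10.0.0.0/7", "1110"), paths[0], sig, 0)
    # Path 1 -> 2 -> 3 -> 4: each AS extends the path and the single aggregate.
    pubs = [k[0] for k in keys]
    msgs = [encode([1], "p", 2), encode([2, 1], "p", 3), encode([3, 2, 1], "p", 4)]
    agg = 0
    for i in range(3):
        agg = sas_sign(keys[i][1], pubs, msgs, i, agg)
    path_ok = sas_verify(pubs, msgs, agg)
    tampered = sas_verify(pubs, [msgs[0], encode([2, 1], "p", 9), msgs[2]], agg)
    return {"ok": ok, "wrong_peer": wrong_peer, "forged": forged,
            "path_ok": path_ok, "tampered": tampered}

if __name__ == "__main__":
    print(demo())
```

Running it shows three updates to four peers costing one signing instead of the twelve per-update, per-next-hop signings of plain S-BGP RAs, a peer whose bit is clear rejecting the update, and a single altered hop breaking the aggregate. The strictly increasing moduli are what let each layer be peeled off exactly; a real deployment would use full-size RSA and the LMRS encoding rather than this toy.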
Outline
Overview
Path authentication: S-BGP RAs, Aggregated Path Authentication, performance evaluation (methodology, performance)
PKI and origin authentication
Discussion
Conclusions
Evaluation Methodology
AS-level network simulation with 110 ASes; a BGP router under stress (router reboot).
Metrics: speed (BGP convergence time), signature memory overheads, message size.
SSFNet simulator. Benchmarks: OpenSSL; algorithm decomposition for GAS and SAS.
Benchmarks
Lengths: SHA-1 hash 20 bytes; MD5 hash 16 bytes; attestations 110 bytes; certificates 600 bytes; identifier 4 bytes.

Signature schemes (k = number of signatures aggregated):
                            RSA     DSA     SAS       GAS on GF(3^97)
Sign (ms)                   50.0    25.5    50.0      11.0
Verify (ms)                 2.5     31.0    2.5       43.0 x 2
SW aggregate verify (ms)    --      --      2.5 k     43.0 (k+1)
HW aggregate verify (ms)    --      --      --        1.3 (k+1)
Signature length (bytes)    128     40      128       20

Tate pairing calculation, running time at 1GHz:
Miller's algorithm on GF(3^97) (2002): 24.0 ms
BKLS on GF(3^97) (2003): 23.6 ms
Refined Duursma-Lee on GF(3^97) (2004): 16.8 ms
Modified Duursma-Lee on GF(3^97) (2004): 8.6 ms
Hardware implementation (2005): 1.3 ms
Number of Signing Operations
Chart: signing operations for S-A, GAS-V (SW), GAS-T (SW), GAS-V (HW), GAS-T (HW), SAS-V, SAS-T; bar values as extracted: 413.9, 756.1, 358.4, 349.8, 338, 333.3, 353.4.
S-BGP: 22,072 / 11,521 signings. Decreases 98.5%.
Path Authentication Convergence
Chart (seconds): BGP 153.7; S-BGP 507.5 (230.2% longer); S-BGP (cp) 224.4 (46% longer); S-A, GAS-V (SW), GAS-T (SW), GAS-V (HW), GAS-T (HW), SAS-V and SAS-T with values as extracted 407.8, 168.5, 345.7, 158.9, 160.2, 177.4, 170.5. The best aggregated variant is only 3.4% longer than plain BGP (158.9 s).
Path Authentication Message Size
GAS-V: 66% shorter messages! Tree construction: inefficient.
Chart (bytes, average and maximum) for BGP, S-BGP, S-A, GAS-V, GAS-T, SAS-V, SAS-T; values as extracted: 1107.1, 318.6, 108.5, 378.5, 324.7, 630, 36.1. Consistent with the 66% figure, S-BGP averages 318.6 bytes per message and GAS-V 108.5 bytes.
Path Auth Performance: Memory
GAS-V saves 73% memory for signatures!
Chart (kilobytes) for BGP, S-BGP, S-A (V), GAS-V, SAS-V; values as extracted: 9, 118, 112, 314, 31.
Performance Competition
Winner: GAS-V
Fast convergence: decreasing 32% / 69%
Short Update messages: decreasing 66%
Economical on signature memory: decreasing 72%
Outline
Overview
Path authentication
PKI and origin authentication: design, performance
Discussion
Conclusions
Secure BGP (S-BGP): attestations and certificates
Address Attestations (AAs): IP address owners create AAs. X.509 certificates for IP address allocation bind (prefix1, ..., prefixk) to an organization org_y (address assignment).
Route Attestations (RAs): routers create RAs. X.509 certificates for AS numbers and routers carry the (AS, AS#, PK) binding and the (RtrID, AS#, PK) binding.
S-BGP PKIs
IP address allocation: ICANN -> APNIC, ARIN, RIPE, AT&T, ... -> ISP / DSP / subscribers -> subscribers -> ... (IP address blocks).
AS number assignment and binding a router to an AS: ICANN -> APNIC, ARIN, RIPE, LACNIC -> organizations, which hold (AS_k, ASNs) and (RtrID, ASN) bindings.
Match existing infrastructures.
S-BGP Address Attestations (AAs)
An AA is {prefix list, ASN} signed by org_x.
Delegation chain: ICANN -> APNIC, ARIN, RIPE, AT&T, ... -> ISP / DSP / subscribers -> subscribers -> ... (IP address blocks).
AAs authorize ASes to originate routes. CAs prepare and distribute AAs. AAs are long-lived and need revocation.
Evaluate PKI
PKI model: ASes, routers, organizations, CAs, directories, and OCSP responders. Routers trust the roots and the OCSP responders; they may trust other CAs as well.
Check certificate revocation status: OCSP (sequential or parallel requests) or CRLs (fetch fresh copies).
Operation latency (seconds): OCSP request 0.5 to 1.0; CRL fetching 0.5 to 1.0.
AA Performance: OCSP requests
Chart, convergence time of OCSP requests (seconds): BGP 153.7; S-BGP 155.1; parallel OCSP 938.7; sequential OCSP 2420.9. Approximately 68,000 OCSP requests.
AA Performance: CRL fetching
Chart: convergence time of CRL fetching.
PA PKI Performance: OCSP Requests
Chart, convergence time of OCSP requests (seconds): BGP 153.7; S-BGP (cp) 224.3; parallel OCSP 334.3; sequential OCSP 2720.4. Approximately 88,000 OCSP requests.
PA PKI Performance: CRL Fetching
Chart: convergence time of CRL fetching.
Real-world Deployment
Certificate database: 75 to 85 MB [Kent:CMS03].
RouteViews table dump (209MB): 162,237 prefixes; 2,011,005 routes; average path length 4.1.
S-BGP signatures: 393MB. GAS-V cache: 108MB, a 72% decrease in signature memory cost. Overall memory decrease: 60%.
S-BGP RAs: 30 to 35MB per peer [Kent:CMS03]. Problem for routers at Internet exchanges: > 1GB.
Kent. "Securing the Border Gateway Protocol: A Status Update". IFIP TC-6 TC-11, 2003.
ECDSA
S-BGP uses DSA. Relative to DSA, ECDSA has a shorter key size, the same signature length, faster signing and slower verification:

                    RSA (1024-bit)  BLS   DSA (1024-bit)  ECDSA secp192r1  ECDSA sect163k1  ECDSA sect163r2
Key size (bytes)    135             100   408             180              139              155
Signature (bytes)   128             20    40              40               40               40
Sign (ms)           7.8             2.2   3.5             1.0              3.1              3.1
Verify (ms)         0.4             8.6   4.5             4.4              8.2              8.7
Conclusions
Efficient path authentication: Aggregated Path Authentication is efficient on time and space.
PKI performance impact: OCSP vs. CRLs.
Practical issues: certificate database, memory demands, ECDSA.
Thank you!
Email: [email protected]   http://www.cs.dartmouth.edu/~zhaom
Sun Microsystems, Mellon Foundation, Cisco Systems, Intel Corporation, NSF, DoJ/DHS
Related Work
S-BGP [Kent:NDSS00, Kent:CMS03]; OASim [Aiello:CCS03]; psBGP [Wan:NDSS05]; Listen and Whisper [Subramanian:NSDI04].
Symmetric cryptography: potentially more efficient; key distribution [Goodrich00]; time synchronization [Hu:SIGCOMM04].
General Aggregate Signatures
Bilinear map $e: G_1 \times G_2 \to G_T$, where $G_1$, $G_2$, $G_T$ are groups.
Bilinear: for all $u \in G_1$, $v \in G_2$ and $a, b \in \mathbb{Z}$, $e(u^a, v^b) = e(u, v)^{ab}$.
Non-degenerate: $e(g_1, g_2) \neq 1$.
Key pair: $x$, $v \leftarrow g_1^x$.
Sign: $h \leftarrow H(M) \in G_2$, $\sigma \leftarrow h^x$.
Verify: $e(g_1, \sigma) = e(v, h)$.
Aggregation: $\sigma \leftarrow \prod_{i=1}^{k} \sigma_i$.
Aggregate verify: $e(g_1, \sigma) = \prod_{i=1}^{k} e(v_i, h_i)$.
Implementation: Tate pairing, Weil pairing.
Boneh et al. "Aggregate and Verifiably Encrypted Signatures from Bilinear Maps". Eurocrypt 2003.
Performance Competition
Winner: GAS-V
Fast convergence, decreasing 32% / 69%. Short Update messages, decreasing 66%. Economical on signature memory, decreasing 72%.
Further improvements? Hardware accelerator; parallelization of the k pairings in the aggregate verification $e(g_1, \sigma) = \prod_{i=1}^{k} e(v_i, h_i)$.
AS path length: 3.7/11.
Origin Authentication (OA)
Variants: OA-Simple $\{(p, org)\}_K$; OA-List $\{(p_1, org_1), (p_2, org_2), \ldots, (p_i, org_i)\}_K$; OA-AS-List $\{(p_1, p_2, \ldots, p_k, org)\}_K$; OA-Tree, a Merkle hash tree with leaves $(p_i, org_i)$.
Delegation figure: IANA -> APNIC, ARIN, RIPE, AT&T, ... -> ISP / DSP / subscribers -> ... (IP address blocks) -> AS1, AS2, ..., ASk.
Aiello, Ioannidis, and McDaniel. "Origin Authentication in Interdomain Routing". CCS03.
Short-lived attestations.
Possible in-band transmission for address delegation paths.
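Added example (not the presentation's code) of the check that the Address Attestations slide and the OA variants above exist to enable at a verifying router: given a delegation chain in which each step must lie inside the parent's block, and OA-AS-List / AA style attestations {prefix list, ASN} signed by an organization, classify an announced (prefix, origin AS) as valid, invalid (attested to another origin) or unknown (no legitimate holder attests it). Signature verification of the attestations is assumed to have happened already; only the authorization logic is shown. The organizations, blocks, ASNs and function names are constructed sample data of mine, using documentation prefixes.

```python
"""Origin authorization against address attestations over a delegation chain.
Added example, not the presentation's code; attestation signatures are assumed
verified already, only the authorization logic is shown."""
import ipaddress

ROOT = "IANA"

# Constructed sample data.  A delegation is (parent org, child org, block).
DELEGATIONS = [
    ("IANA", "ARIN", "192.0.0.0/8"),
    ("IANA", "RIPE", "193.0.0.0/8"),
    ("ARIN", "ISP-A", "192.0.2.0/24"),
    ("ISP-A", "Cust-X", "192.0.2.128/25"),
    ("RIPE", "ISP-B", "193.5.0.0/16"),
    ("ISP-B", "Bogus", "203.0.113.0/24"),   # outside ISP-B's block: invalid step
]
# OA-AS-List / AA style attestations: (signing org, prefix list, origin ASN).
ATTESTATIONS = [
    ("ISP-A", ["192.0.2.0/25"], 64500),
    ("Cust-X", ["192.0.2.128/25"], 64501),
    ("ISP-B", ["193.5.0.0/16"], 64502),
    ("Bogus", ["203.0.113.0/24"], 64666),   # attested by an org holding nothing
]


def within(a, b):
    """True if network a lies inside network b (same IP version)."""
    return a.version == b.version and a.subnet_of(b)


def holdings(org, delegations, seen=frozenset()):
    """Blocks org legitimately holds: each delegated block must lie inside a
    block its parent holds, checked recursively up to ROOT (which holds all)."""
    if org == ROOT:
        return [ipaddress.ip_network("0.0.0.0/0")]
    if org in seen:                      # guard against cyclic delegations
        return []
    held = []
    for parent, child, block in delegations:
        if child == org:
            net = ipaddress.ip_network(block)
            parents = holdings(parent, delegations, seen | {org})
            if any(within(net, pb) for pb in parents):
                held.append(net)
    return held


def authorized_origin(prefix, origin_asn, attestations=ATTESTATIONS,
                      delegations=DELEGATIONS):
    """Classify an announced (prefix, origin AS) as valid, invalid or unknown."""
    net = ipaddress.ip_network(prefix)
    covering = []                        # (org, asn) of attestations covering net
    for org, prefixes, asn in attestations:
        held = holdings(org, delegations)
        for p in prefixes:
            att = ipaddress.ip_network(p)
            if not any(within(att, h) for h in held):
                continue                 # org attests space it does not hold
            if within(net, att):
                covering.append((org, asn))
    if not covering:
        return "unknown", "no valid attestation covers the prefix"
    if any(asn == origin_asn for _, asn in covering):
        return "valid", "origin matches an attestation by a legitimate holder"
    return "invalid", "attested to a different origin: " + ", ".join(
        f"{org} -> AS{asn}" for org, asn in covering)


if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/25", 64500), ("192.0.2.0/26", 64500),
                        ("192.0.2.0/25", 64501), ("192.0.2.128/26", 64500),
                        ("203.0.113.0/24", 64666), ("198.51.100.0/24", 64500)]:
        print(prefix, asn, *authorized_origin(prefix, asn))
```

The example accepts any announced prefix contained in an attested block, so a more-specific inside the holder's own block passes while a more-specific that falls into a customer's sub-delegation is flagged against the customer's origin; whether a holder may originate arbitrary more-specifics is a policy decision the attestation format would have to encode. The delegation walk is what stops an organization from attesting space it was never delegated: the Bogus attestation is ignored, so the announcement is reported as unknown rather than valid.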
OA Signature Performance: Storage
Attestation construction   Memory for attestations (KB)   Message size (bytes)
OA-Simple                  42.80                          496.97
OA-List                    666.27                         36293.37
OA-AS-List                 13.23                          575.35
OA-Tree                    30.22                          1029.24
Different costs on memory and message size; OA-AS-List is the most efficient. Possible in-band transmission.
OA Signature Performance: Convergence
Slight slowdown in convergence time.
Chart (seconds) for BGP, OA-Simple, OA-List, OA-AS-List, OA-Tree: BGP 153.7; remaining values as extracted: 166, 155.1, 156.2, 181.3.
Certificate Distribution
Scale: 197,709 active prefixes; 19,357 unique ASes; > 50,000 organizations.
BGP Update message MTU: 4KB. S-BGP X.509 certificates: 600 bytes. Storing certificates/CRLs locally: > 200MB.
Aggregate Signatures
k signers {s1, s2, ..., sk} with k messages {m1, m2, ..., mk} produce one aggregate signature: one aggregate signature for the entire AS path.
Figure: (1, p, 2), (2, p, 3), (3, p, 4).
Lysyanskaya et al. "Sequential Aggregate Signatures from Trapdoor Permutations". Eurocrypt 2004.