Efficient BGP Security


Page 1: Efficient BGP Security

Efficient BGP Security

Meiyuan Zhao, Sean Smith
Dartmouth College

David Nicol
University of Illinois, Urbana-Champaign

Page 2: Efficient BGP Security

08/01/2005 63rd IETF - Paris, FRANCE

Motivation
BGP—central routing for the Internet
BGP lacks security
  Black holes
  Disconnected networks
  Suboptimal routes
  …
Secure BGP
  Deployment difficulties
    Processing overheads
    Storage demands
    PKIs
Goal
  Efficient AND practical security

Page 3: Efficient BGP Security

Outline
Overview
  BGP
  S-BGP
Path authentication
PKI and origin authentication
Discussion
Conclusions

Page 4: Efficient BGP Security

Border Gateway Protocol (BGP)
Inter-domain routing protocol
Mainly between autonomous systems (ASes)
Updates are in the form of route announcements
  (AS_PATH, prefix)
  A sequence of AS numbers, e.g., “500 300 100”
  A range of IP addresses (prefix), e.g., 129.170.0.0/16

[Diagram: ASes 1 to 5; announcements {1}, p; {2, 1}, p; {3, 2, 1}, p; {3, 2, 1}, p]

Page 5: Efficient BGP Security

Secure BGP (S-BGP)
Attestations
  Route Attestations—authenticate AS path
  Address Attestations—authorization of IP address ownerships
Public key infrastructures
  Certificates for routers
  Certificates for address ownership

[Diagram labels: AS path, Prefix; Route Attestations (RAs), Address Attestations (AAs); Public Key Infrastructures (PKIs)]

Page 6: Efficient BGP Security

Outline
Overview
Path authentication
  S-BGP RAs
  Aggregated Path Authentication
  Performance evaluation
PKI and origin authentication
Discussion
Conclusions

Page 7: Efficient BGP Security

S-BGP Route Attestations (RAs)
Router signs (AS path, prefix, next_hop)
Sends all previous signatures
Verify AS path {1, 2, 3}
  Needs 3 signatures
Sign AS path {1, 2, 3}
  Creates n signatures
Signature Algorithm—DSA
Caching optimization

[Diagram: ASes 1, 2, 3, 4; update P, {3, 2, 1}; signed tuples (1, p, 2), (2, 1, p, 3), (3, 2, 1, p, 4), each sent along with the earlier ones]
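The route attestation chain on this slide, as an added example that is not code from the presentation or from S-BGP. It assumes constructed per-AS keys, uses HMAC-SHA256 as a stand-in for each router's DSA signature so it runs on the standard library, and the function names are hypothetical.

```python
import hashlib
import hmac

# Constructed per-AS keys. HMAC-SHA256 is a stand-in for each router's DSA
# signature so the example runs on the standard library alone.
KEYS = {asn: f"demo-key-AS{asn}".encode() for asn in (1, 2, 3, 4)}


def _sign(asn, path, prefix, next_hop):
    # An RA covers (AS path so far, prefix, next hop), as on the slide.
    msg = f"{' '.join(map(str, path))}|{prefix}|{next_hop}".encode()
    return hmac.new(KEYS[asn], msg, hashlib.sha256).digest()


def originate(asn, prefix, next_hop):
    """Origin AS announces the prefix to next_hop with one RA."""
    return {"prefix": prefix, "path": [asn],
            "ras": [(asn, next_hop, _sign(asn, [asn], prefix, next_hop))]}


def propagate(update, asn, next_hop):
    """AS prepends itself, signs the new path, and forwards all earlier RAs."""
    path = [asn] + update["path"]
    ra = (asn, next_hop, _sign(asn, path, update["prefix"], next_hop))
    return {"prefix": update["prefix"], "path": path,
            "ras": update["ras"] + [ra]}


def verify(update, receiver):
    """Return the number of RAs checked, or None if the path is not attested."""
    path, ras = update["path"], update["ras"]
    if len(ras) != len(path):
        return None
    for i, (signer, next_hop, sig) in enumerate(ras):
        start = len(path) - 1 - i
        sub_path = path[start:]                   # path as signer i saw it
        expected_next = path[start - 1] if start > 0 else receiver
        if signer != sub_path[0] or next_hop != expected_next:
            return None
        good = _sign(signer, sub_path, update["prefix"], next_hop)
        if not hmac.compare_digest(sig, good):
            return None
    return len(ras)
```

Because every RA names its next hop, an update whose path has had an AS removed fails verification even when each remaining signature is individually valid.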

Page 8: Efficient BGP Security

Performance Problems
Time
  Processing latency 230% longer
Space
  Message size: 800% longer
  Memory cost: > 10 times more
    For Attestations & Certificate database
    Current routers: 128MB or 256MB RAM

Page 9: Efficient BGP Security

Signature Amortization (S-A)
Fast signature verification—RSA
Fewer signature signings—amortized cost
  Bit vectors (indicating recipients)
  Merkle hash trees
    Auxiliary values for each signature

[Diagram: router output buffers holding messages m1, m2, …, mk with bit vectors B1, B2, …, Bk; grouped messages; aggregated hash]

“Evaluation of efficient security for BGP route announcements using parallel simulation”. Nicol, Smith, and Zhao. Simulation Modelling Practice and Theory Journal, Vol. 12, Issue 3—4, 2004
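The Merkle hash tree variant of signature amortization, as an added example that is not code from the presentation or the cited paper. It assumes a constructed router key, uses HMAC-SHA256 as a stand-in for the RSA signature and SHA-256 for the tree, and the function names are hypothetical.

```python
import hashlib
import hmac

ROUTER_KEY = b"demo-router-key"  # constructed; HMAC stands in for RSA


def _h(data):
    return hashlib.sha256(data).digest()


def build_tree(messages):
    """Return every tree level, leaves first."""
    level = [_h(b"\x00" + m) for m in messages]
    levels = [level]
    while len(level) > 1:
        nxt = [_h(b"\x01" + level[i] + level[i + 1])
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])       # odd node is promoted unchanged
        level = nxt
        levels.append(level)
    return levels


def aux_values(levels, index):
    """Sibling hashes from leaf to root for the message at position index."""
    aux = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            aux.append((index & 1, level[sibling]))
        index //= 2
    return aux


def sign_batch(messages):
    """One signing operation covers every message in the output buffer."""
    levels = build_tree(messages)
    root_sig = hmac.new(ROUTER_KEY, levels[-1][0], hashlib.sha256).digest()
    return [(m, aux_values(levels, i), root_sig) for i, m in enumerate(messages)]


def verify_one(message, aux, root_sig):
    """Rebuild the root from one message plus its auxiliary values."""
    node = _h(b"\x00" + message)
    for is_right, sibling in aux:
        node = _h(b"\x01" + (sibling + node if is_right else node + sibling))
    good = hmac.new(ROUTER_KEY, node, hashlib.sha256).digest()
    return hmac.compare_digest(root_sig, good)
```

Each outgoing message carries the shared signature plus at most about log2(k) sibling hashes, which is the per-message size cost of trading k signings for one.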

Page 10: Efficient BGP Security

Aggregate Signatures
k signers {s1, s2, …, sk}
k messages {m1, m2, …, mk}
one aggregate signature
One aggregate signature for entire AS path

[Diagram: 1, p, 2; 2, 1, p, 3; 3, 2, 1, p, 4]

Boneh et al. “A Survey of Two Signature Aggregation Techniques”. RSA CryptoBytes 2003

Page 11: Efficient BGP Security

Aggregate Signature Variants
General aggregate signature (GAS)
  Based on BLS short signature on $E/\mathbb{F}_{3^l}$
  Anyone can aggregate in any ordering
  Takes k+1 pairing calculation for verifying
Sequential aggregate signature (SAS)
  Based on homomorphic trapdoor permutation
  AggrSign by signers only
  Must be in sequence
  Takes k layers of verification
Advantage—save space!

Page 12: Efficient BGP Security

Aggregated Path Authentication
Signature Amortization + Aggregate Signature
Efficient on time AND space

Aggregate Signature Schemes    S-A options
                               Bit Vectors    Trees
GAS                            GAS-V          GAS-T
SAS                            SAS-V          SAS-T

Page 13: Efficient BGP Security

Aggregated Path Authentication
Vector-based
Tree-based (GAS-T and SAS-T)

[Diagram: routers R1, R2, R3 with messages m1, m2, m3: 1, p, “1110”; 2, 1, p, “1011”; 3, 2, 1, p, “1101”]

SAS-V: AggrSign(0, h(m1)), AggrSign(, h(m2)), AggrSign(, h(m3))
GAS-V si = ss sss s sss

Page 14: Efficient BGP Security

Outline
Overview
Path authentication
  S-BGP RAs
  Aggregated Path Authentication
  Performance evaluation
    Methodology
    Performance
PKI and origin authentication
Discussion
Conclusions

Page 15: Efficient BGP Security

Evaluation Methodology
AS-level network simulation—110 ASes
BGP router under stress—router reboot
Metrics
  Speed—BGP convergence time
  Signature memory overheads
  Message size
SSFNet simulator
Benchmarks
  OpenSSL
  Algorithm decomposition for GAS and SAS

Page 16: Efficient BGP Security

Benchmarks

                Length
SHA-1 hash      20 bytes
MD5 hash        16 bytes
Attestations    110 bytes
Certificates    600 bytes
Identifier      4 bytes

                            RSA     DSA     SAS        GAS on GF(3^97)
Sign (ms)                   50.0    25.5    50.0       11.0
Verify (ms)                 2.5     31.0    2.5        43.0 × 2
SW Aggregate Verify (ms)    --      --      2.5 × k    43.0 × (k+1)
HW Aggregate Verify (ms)    --      --      --         1.3 × (k+1)
Signature length (bytes)    128     40      128        20

Tate pairing calculation                     Running Time (1GHz)
Miller’s Algorithm on GF(3^97) (2002)        24.0 ms
BKLS on GF(3^97) (2003)                      23.6 ms
Refined Duursma-Lee on GF(3^97) (2004)       16.8 ms
Modified Duursma-Lee on GF(3^97) (2004)      8.6 ms
Hardware implementation (2005)               1.3 ms

Page 17: Efficient BGP Security

Number of Signing Operations

[Bar chart. Categories: S-A, GAS-V, GAS-T, GAS-V, GAS-T, SAS-V, SAS-T, with tags (SW) (SW) (HW) (HW). Data labels as extracted: 413.9, 756.1, 358.4, 349.8, 338, 333.3, 353.4]

S-BGP: 22,072/11,521 signings
Decreases 98.5%

Page 18: Efficient BGP Security

Path Authentication Convergence

[Bar chart, y-axis: seconds. Categories: BGP, S-BGP, S-BGP(cp), S-A, GAS-V, GAS-T, GAS-V, GAS-T, SAS-V, SAS-T, with tags (SW) (SW) (HW) (HW). Data labels as extracted: 507.5, 224.4, 407.8, 153.7, 168.5, 345.7, 158.9, 160.2, 177.4, 170.5. Annotations: 3.4%, 230.2%, 46%]

Page 19: Efficient BGP Security

Path Authentication Message Size
GAS-V — 66% shorter messages!
Tree construction — inefficient

[Bar chart, y-axis: bytes; series: Average, Maximum. Categories: BGP, S-BGP, S-A, GAS-V, GAS-T, SAS-V, SAS-T. Data labels as extracted: 1107.1, 318.6, 108.5, 378.5, 324.7, 630, 36.1]

Page 20: Efficient BGP Security

Path Auth Performance—Memory

[Bar chart, y-axis: kilobytes. Categories: BGP, S-BGP, S-A(V), GAS-V, SAS-V. Data labels as extracted: 9, 118, 112, 314, 31]

GAS-V — saves 73% memory for signatures!

Page 21: Efficient BGP Security

Performance Competition
Winner: GAS-V
  Fast convergence, decreasing 32% / 69%
  Short Update messages, decreasing 66%
  Economic on signature memory, decreasing 72%

Page 22: Efficient BGP Security

Outline
Overview
Path authentication
PKI and origin authentication
  Design
  Performance
Discussion
Conclusions

Page 23: Efficient BGP Security

Secure BGP (S-BGP)

[Diagram labels: AS path, Prefix; Route Attestations (RAs), Address Attestations (AAs)]

Address Attestations (AAs)
  IP address owners create AAs
  X.509 Certificates for IP address allocation
    (prefix_1, …, prefix_k, org_y) address assignment
Route Attestations (RAs)
  Routers create RAs
  X.509 Certificates for AS# and Routers
    (AS, AS#, PK) binding
    (RtrID, AS#, PK) binding

Page 24: Efficient BGP Security

S-BGP PKIs

[Diagram, IP Address Allocation: ICANN; APNIC, ARIN, RIPE, AT&T…; ISP / DSP / Subscribers; Subscribers; IP address blocks]

[Diagram, AS number assignment & Binding a Router to an AS: ICANN; APNIC, ARIN, RIPE, LACNIC, …; Organizations; AS numbers; (ASk, ASNs); (RtrID, ASN); RtrID]

Match existing infrastructures

Page 25: Efficient BGP Security

S-BGP Address Attestations (AAs)
{prefix list, ASN} org_x

[Diagram: ICANN; APNIC, ARIN, RIPE, AT&T…; ISP / DSP / Subscribers; Subscribers; IP address blocks]

Authorize ASes to originate routes
CAs prepare and distribute AAs
Long-lived, need revocation

Page 26: Efficient BGP Security

Evaluate PKI
PKI model
  ASes, Routers, Organizations, CAs, Directories, and OCSP responders
  Routers trust the roots, and OCSP responders; may trust other CAs as well
Check certificate revocation status
  OCSP—sequential or parallel requests
  CRLs (fetch fresh copies)

                 Operation latency (second)
OCSP request     0.5—1.0
CRL fetching     0.5—1.0

Page 27: Efficient BGP Security

AA Performance—OCSP requests

[Bar chart: Convergence Time of OCSP Requests, y-axis: seconds. Categories: BGP, S-BGP, Sequential OCSP, Parallel OCSP. Data labels as extracted: 153.7, 938.7, 155.1, 2420.9]

≈ 68,000 OCSP requests

Page 28: Efficient BGP Security

AA Performance—CRLs fetching

[Chart: Convergence Time of CRL Fetching]

Page 29: Efficient BGP Security

PA PKI Performance—OCSP Requests

[Bar chart: Convergence Time of OCSP Requests, y-axis: seconds. Categories: BGP, S-BGP(cp), Sequential OCSP, Parallel OCSP. Data labels as extracted: 153.7, 334.3, 224.3, 2720.4]

≈ 88,000 OCSP requests

Page 30: Efficient BGP Security

PA PKI Performance—CRLs Fetching

[Chart: Convergence Time of CRL fetching]

Page 31: Efficient BGP Security

Real-world Deployment
Certificate database 75—85 MB [Kent:CMS03]
RouteViews table dump (209MB)
  162,237 prefixes
  2,011,005 routes, avg. path length 4.1
  S-BGP signatures: 393MB
  GAS-V cache: 108MB
  Decreases 72% signature memory cost
Overall memory decrease: 60%
S-BGP RAs: 30—35MB per peer [Kent:CMS03]
  Problem for routers at Internet exchange > 1GB

Kent. “Securing the Border Gateway Protocol: A Status Update”. IFIP TC-6 TC-11, 2003

Page 32: Efficient BGP Security

ECDSA
S-BGP uses ECDSA
  Shorter key size
  Same signature length
  Faster signing
  Slower verification

                     RSA           BLS    DSA           ECDSA        ECDSA        ECDSA
                     (1024-bit)           (1024-bit)    secp192r1    sect163k1    sect163r2
Key Size (bytes)     135           100    408           180          139          155
Signature (bytes)    128           20     40            40           40           40
Sign (ms)            7.8           2.2    3.5           1.0          3.1          3.1
Verify (ms)          0.4           8.6    4.5           4.4          8.2          8.7

Page 33: Efficient BGP Security

Conclusions
Efficient path authentication
  Aggregated Path Authentication
  Efficient on time and space
PKI performance impact
  OCSP vs. CRLs
Practical issues
  Certificate database
  Memory demands
  ECDSA

Page 34: Efficient BGP Security

Thank you!

Email [email protected]
http://www.cs.dartmouth.edu/~zhaom

Sun Microsystems, Mellon Foundation, Cisco Systems, Intel Corporation, NSF, DoJ/DHS

Page 35: Efficient BGP Security


Page 36: Efficient BGP Security

Related Work
S-BGP [Kent:NDSS00, Kent:CMS03]
OASim [Aiello:CCS03]
psBGP [Wan:NDSS05]
Listen and Whisper [Subramanian:NSDI04]
Symmetric cryptography
  Potentially more efficient
  Key distribution [Goodrich00]
  Time synchronization [Hu:SIGCOMM04]

Page 37: Efficient BGP Security

General Aggregate Signatures
Bilinear map $e: G_1 \times G_2 \to G_T$, where $|G_1| = |G_2| = |G_T|$
  Bilinear: for all $u \in G_1$, $v \in G_2$ and $a, b \in \mathbb{Z}$, $e(u^a, v^b) = e(u, v)^{ab}$
  Non-degenerate: $e(g_1, g_2) \neq 1$
Key pair: $(x, v = g_1^x)$
Sign: $h = h(M)$, $\sigma = h^x \in G_2$
Verify: $e(g_1, \sigma) = e(v, h)$
Aggregation: $\sigma = \prod_{i=1}^{k} \sigma_i$
Aggregate Verify: $e(g_1, \sigma) = \prod_{i=1}^{k} e(v_i, h_i)$
Implementation
  Tate pairing
  Weil pairing

Boneh et al. “Aggregate and Verifiably Encrypted Signatures from Bilinear Maps”. Eurocrypt 2003

Page 38: Efficient BGP Security

Performance Competition
Winner: GAS-V
  Fast convergence, decreasing 32% / 69%
  Short Update messages, decreasing 66%
  Economic on signature memory, decreasing 72%
Further improvements?
  Hardware accelerator
  Parallelization
    AS path length: 3.7/11
    $e(g_1, \sigma) = \prod_{i=1}^{k} e(v_i, h_i)$

Page 39: Efficient BGP Security

Origin Authentication (OA)
Variants
  OA-Simple: {(p, org)}K
  OA-List: {(p1, org1), (p2, org2), …, (pi, orgi)}K
  OA-AS-List: {(p1, p2, …, pk, org)}K
  OA-Tree: Merkle hash tree, leaves: (pi, orgi)
Short-lived attestations
Possible in-band transmission for address delegation paths

[Diagram: IANA; APNIC, ARIN, RIPE, AT&T…; ISP / DSP / Subscribers; IP address blocks; AS1, AS2, …, ASk]

Aiello, Ioannidis, and McDaniel. “Origin Authentication in Interdomain Routing”. CCS03

Page 40: Efficient BGP Security

OA Signature Performance—Storage

Attestation Constructions    Memory for Attestations (KB)    Message Size (Bytes)
OA-Simple                    42.80                           496.97
OA-List                      666.27                          36293.37
OA-AS-List                   13.23                           575.35
OA-Tree                      30.22                           1029.24

Different costs on memory and message size
OA-AS-List is most efficient
Possible in-band transmission

Page 41: Efficient BGP Security

OA Signature Performance—Convergence
Slight slowdown in convergence time

[Bar chart, y-axis: seconds. Categories: BGP, OA-Simple, OA-List, OA-AS-List, OA-Tree. Data labels as extracted: 153.7, 166, 155.1, 156.2, 181.3]

Page 42: Efficient BGP Security

Certificate Distribution
Scale
  197,709 active prefixes
  19,357 unique ASes
  >50,000 organizations
BGP Update message MTU: 4KB
S-BGP X.509 Certificates: 600 bytes
Store certificates/CRLs locally
  >200MB

Page 43: Efficient BGP Security

Aggregate Signatures
k signers {s1, s2, …, sk}
k messages {m1, m2, …, mk}
one aggregate signature
One aggregate signature for entire AS path

[Diagram: 1, p, 2; 2, p, 3; 3, p, 4]

Lysyanskaya et al. “Sequential Aggregate Signatures from Trapdoor Permutations”. Eurocrypt 2004