23-01-2013, 02:38 PM
Enhancing the Trust of Internet Routing With Lightweight Route Attestation
Abstract:
The Border Gateway Protocol (BGP) is the interdomain routing protocol that connects autonomous systems (ASes). Despite its importance for the network infrastructure, BGP is vulnerable to a variety of attacks due to the lack of security mechanisms in place. Although many BGP security mechanisms have been proposed, the complexity of security enforcement and data-plane attacks remain open problems. We propose TBGP, a trusted BGP scheme aiming to achieve high authenticity of Internet routing with a simple and lightweight attestation mechanism.
Designing infrastructures that give untrusted third parties (such as end-hosts) control over routing is a promising research direction for achieving flexible and efficient communication. However, serious concerns remain over the deployment of such infrastructures, particularly the new security vulnerabilities they introduce. The flexible control plane of these infrastructures can be exploited to launch many types of powerful attacks with little effort. In this paper, we make several contributions towards studying security issues in forwarding infrastructures (FIs). We present a general model for an FI, analyze potential security vulnerabilities, and present techniques to address these vulnerabilities. The main technique that we introduce in this paper is the use of simple lightweight cryptographic constraints on forwarding entries. We show that it is possible to prevent a large class of attacks on end-hosts and bound the flooding attacks that can be launched on the infrastructure nodes to a small constant value. Our mechanisms are general and apply to a variety of earlier proposals such as Data Router and Network Pointers. We also describe practical techniques for increasing the long-term security and collusion resistance of our key distribution protocols without increasing the signature generation and verification costs.
Existing System:
o Several recent proposals have argued for giving third parties and end-users control over routing in the network infrastructure.
o Some examples of such routing architectures include TRIAD, NIRA, Data Router, and Network Pointers.
o While exposing control over routing to third-parties departs from conventional network architecture, these proposals have shown that such control significantly increases the flexibility and extensibility of these networks.
Proposed System:
We improve the security of flexible communication infrastructures that provide a diverse set of operations (such as packet replication). Our main goal in this paper is to show that FIs are no more vulnerable than traditional communication networks (such as IP networks) that do not export control on forwarding.
o The Forwarding Infrastructure (FI) achieves certain specific security properties, along with the essential features and efficiency, for Network Path and Data Router.
o Our main defense technique, which is based on lightweight cryptographic constraints on forwarding entries, prevents several attacks including eavesdropping, loops, and traffic amplification.
o TBGP, a trusted BGP scheme aiming to achieve high authenticity of Internet routing with a simple and lightweight attestation mechanism.
o From earlier work, we leverage some techniques, such as challenge-responses and erasure-coding, to defend against other attacks.
o ASymmetric to construct a consistent view of the network topology to secure the Network Path.