Carleton University
Technical Report TR-04-07
September 2004

Pretty Secure BGP (psBGP)

David Whyte, Evangelos Kranakis, P.C. Van Oorschot

Abstract

The Border Gateway Protocol (BGP) is the de facto standard inter-domain routing protocol on the Internet. However, it is well known that BGP is vulnerable to a variety of types of attacks, and that a single misconfigured or malicious BGP speaker could result in large-scale service disruption. We first summarize a set of security goals for BGP, and then propose Pretty Secure BGP (psBGP) as a new security protocol achieving these goals. psBGP makes use of a centralized trust model for authenticating Autonomous System (AS) numbers, and a decentralized trust model for verifying the propriety of IP prefix origination. We compare psBGP with S-BGP and soBGP, the two leading security proposals for BGP. Our analysis suggests that psBGP provides a better balance between security and practicality than either S-BGP or soBGP: it significantly reduces the complexity of prefix ownership verification in S-BGP and soBGP, although in theory offering somewhat less security; and psBGP offers more security than soBGP in terms of AS number authentication and AS_PATH verification, albeit requiring expensive digital signature operations. Our performance analysis using real-world BGP data suggests that psBGP is practical with respect to the number of certificates to be stored and to be updated per AS. We also raise a number of issues of independent interest about the design of S-BGP and soBGP.
