Jumpstarting BGP Security with Path-End Validation
Speaker/Bio
Yossi Gilad joined BUsec as a postdoctoral researcher in 2015. His research focuses on the security aspects of networks and protocols.
Prior to joining Boston University he was a researcher at IBM and a postdoctoral researcher at the Hebrew University where his host was Dr. Michael Schapira.
Yossi holds a Ph.D. in Computer Science from Bar-Ilan University, Israel, where he was advised by Prof. Amir Herzberg.
Abstract
Extensive standardization and R&D efforts are dedicated to establishing secure interdomain routing.
These efforts focus on two mechanisms: origin authentication with RPKI, and path validation with BGPsec.
However, while RPKI is finally gaining traction, the adoption of BGPsec seems not even on the horizon due to inherent,
possibly insurmountable, obstacles, including the need to replace today's routing infrastructure and meagre benefits in partial deployment.
Consequently, secure interdomain routing remains a distant dream.
We propose an easily deployable, modest extension to RPKI, called “path-end validation”, which does not entail replacing/upgrading today's BGP routers.
We show, through rigorous security analyses and extensive simulations on empirically derived datasets,
that path-end validation yields significant benefits even in very limited partial adoption.
We present an open-source, readily deployable prototype implementation of path-end validation.
Joint work with Avichai Cohen, Amir Herzberg, and Michael Schapira.