IDR

Inter-Domain Routing

Attacks on Routing Protocols are a major problem for the Internet. If an attacker is able to corrupt or modify routing tables as he chooses, he has a great amount of power to mount further attacks or simply to create massive DoS attacks. The IETF has been seriously concerned about these threats and has started a set of working items to deal with them.

The current proposal for the Border Gateway Protocol (Version 4, BGP-4) is described in [158]. The BGP Security Vulnerabilities are analyzed in [125].

Two main solutions for securing BGP have emerged: Protocol S-BGP (29), Secure BGP, ([111]) and Protocol soBGP (30), Secure Origin BGP, ([133]).

S-BGP addresses seven security goals:

1. Each update received by a BGP speaker from a peer was sent by the indicated peer and was not modified en-route from the peer.

2. Each update contains routing information no less recent than the routing information previously received for the indicated prefixes from that peer.

3. The update was intended for receipt by the peer that received it.

4. The peer that sent the update was authorized to advertise the routing information contained within the update.

5. The entity with the right to use an address space corresponding to a reachable prefix advertised in an update was given custodianship of that address space by a higher-level/parent entity.

6. The originating Domain was authorized, by the entity(s) with the right to use address space corresponding to the set of reachable prefixes, to advertise those prefixes.

7. If the update indicates a withdrawn route, then the peer withdrawing the route was a legitimate advertiser for that route, prior to its withdrawal.

soBGP addresses two security goals:

1. Is the Domain originating the destination authorized to advertise it? In other words, if a router receives an advertisement for the dest network originating in advertiser, is there any way to verify that advertiser is supposed to be advertising dest?

2. Does the Domain advertising the destination actually have a path to the destination? In other words, if a router is receiving an advertisement from advertiser that it can reach dest, is there any way to verify that advertiser actually has a path to the Domain dest?

To achieve those goals, Authentication is also necessary.

In summary, both Protocol S-BGP and Protocol soBGP should provide Authentication, 3P-Authorization, and a property that may be expressed as a Temporal Formula (G1,2,6,12,20).