Search for: All records

Withdrawal suppression has been a known weakness of BGP for over a decade. It has a significant detrimental impact on both the reliability and security of inter-domain routing on the Internet. This paper presents Route Status Transparency (RoST), the first design that efficiently and securely thwarts withdrawal suppression misconfigurations and attacks. RoST allows ASes to efficiently verify whether a route has been withdrawn; it is compatible with BGP as well as with BGP security enhancements. We use simulations on the Internet’s AS-level topology to evaluate the benefits from adopting RoST. We use an extensive real-world BGP announcements dataset to show that it is efficient in terms of storage, bandwidth, and computational requirements. 

We present BGP-iSec, an enhancement of the BGPsec protocol for securing BGP, the Internet’s inter-domain routing protocol. BGP-iSec ensures additional and stronger security properties, compared to BGPsec, without significant extra overhead. The main improvements are: (i) Security for partial adoption: BGP-iSec provides significant security benefits for early adopters, in contrast to BGPsec, which requires universal adoption. (ii) Defense against route leakage: BGP-iSec defends against route leakage, a common cause of misrouting that is not prevented by BGPsec. (iii) Integrity of attributes: BGP-iSec ensures the integrity of integrity-protected attributes, thereby preventing announcement manipulation attacks not prevented by BGPsec. We argue that BGP-iSec achieves these goals using extensive simulations as well as security analysis. The BGP-iSec design conforms, where possible, with the BGPsec design, modifying it only where necessary to improve security or ease deployment. By providing stronger security guarantees, especially for partial adoption, we hope BGP-iSec will be a step towards finally protecting interdomain routing, which remains, for many years, a vulnerability of the Internet’s infrastructure. 

The security of Border Gateway Protocol (BGP), and inter-domain routing in general, remains a challenge, in spite of its well-known importance, repeated attacks and incidents, and extensive efforts and research over decades. We present BGPy, an open-source, extensible, robust, easy-to-use and efficient BGP security simulator, to be used for research and education. BGPy allows realistic simulations of a large variety of BGP attacks and defenses. It is provided as a Python package, and can be further customized and extended, e.g., to investigate new attacks and new defense mechanisms. We describe how BGPy is currently used by multiple BGP security projects.