| ¡¡ | Chinese Journal of Computers Full Text |
| Title | GesBGP: A Good-Enough-Security BGP |
| Authors | LI Qi1) WU Jian-Ping1) XU Ming-Wei1) XU Ke1) ZHANG Xin-Wen2) |
| Address | 1)(Department of Computer Science and Technology, Tsinghua University, Beijing 100084) 2)(Samsung Information Systems America, San Jose, CA, USA) |
| Year | 2009 |
| Issue | No.3(506¡ª515) |
| Abstract & Background | Abstract Inter-domain routing (BGP) directly influences availability of Internet routing which may be disrupted by misconfigured or malicious BGP updates. Although several secure solutions have been proposed to resolve the BGP security problem, they have many design drawbacks (e.g., large router resource consumption). Considered the design and performance of secure BGP, this paper proposes a Good-Enough-Security BGP (GesBGP). Identity-based signature (IBS) algorithm presented in GesBGP guarantees the authenticity of BGP routes in the help of Trusted Computing (TC) technology. The presented IBS can effectively eliminate the centralized public key infrastructure (PKI) and resolve the problem of public key certificate distribution and restoration. Furthermore, GesBGP does not only rely on cryptography functions provided by IBS. BGP attestation service integrated in GesBGP prevents router from malicious change radically and thus builds strong trust relationship between different routers. In the optimized GesBGP, BGP security rules are enforced and the cumulated signature in original GesBGP is eliminated. The security analysis and performance study show that the optimized GesBGP improves the performance of GesBGP while achieving the goal of BGP security at the same time. Keywords inter-domain routing£» BGP£» secure BGP£» GesBGP Background This critical Internet infrastructure has significant security vulnerabilities that are well studied but have been unresolved for many years. Prefix hijack and AS path spoofing attacks on BGP directly influence availability of Internet routing. Although several improved BGP security proposals have been proposed to mitigate or partly solve the problem, these proposals are unable to deploy in real networks because of their complexity or security weaknesses. In this paper, the authors propose a trusted routing attestation service which is used to verify and validate routes with the help of the identity-based signature(IBS) algorithm. IBS eliminates central PKI deployment and certificate distribution. Furthermore, optimized GesBGP fully utilizes the internal features of BGP route selection with the help of trusted computing to improve GesBGP performance. The security analysis and performance study show that optimized GesBGP greatly improves the secure BGP performance without sacrificing BGP security. The GesBGP proposals and the built trust model cast light on design and development of secure Inter-domain routing in next generation Internet. This research is supported in part by the National Natural Science Foundation (NSFC) of China under grant No.90604024, the National High Technology Research and Development Program(863 Program) of China under grant No.2007AA01Z2A2, the Key Project of Chinese Ministry of Education under grant No.106012. |