CSE Colloquium: Dr. Amir Herzberg

Title: Securing Internet Routing

Abstract:

Routing is the basic infrastructure connecting the Internet together; yet, it remains woefully insecure, in spite of extensive standardization and R&D efforts over decades. In the recent years, most efforts focus on two mechanisms: the Border Gateway Protocol security enhancements (BGPsec), and the Routing Public Key Infrastructure (RPKI).  for origin authentication, and BGPsec for path validation. 

RPKI is easier to deploy, and also a pre-requisite to BGPsec. Properly deployed, RPKI will prevent devastating, common attacks such as IP prefix hijacking; indeed, there are extensive efforts to encourage deployment. However, we show measurements indicating that RPKI deployment is slow – and, worse, there are many deployment errors. We study the impact and causes of this slow, partial adoption, and explore ways to improve deployment. 

Adoption of BGPsec, on the other hand, struggles with inherent, possibly insurmountable, obstacles, including the need to upgrade today’s routing infrastructure and meager benefits in partial deployment. Therefore, we propose an easily-deployable alternative: {\em path-end validation}. Extensive simulations on empirically-derived datasets show that path-end validation yields significant benefits – even in limited, partial adoption – much improving compared to BGPsec. 

Finally, we discuss the inherent security limitations of the current routing protocols, and ongoing works toward an alternative routing infrastructure, which will ensure connectivity even under extreme Denial-of-Service attacks.