Technical Report 1130009

Title: TASRS: Towards a Secure Routing System Through Internet Number Resource Certification
Version (s): < 1 >
Authors: Eric Osterweil
Danny McPherson
Date: 2013-02-03
Paper: Download here
Abstract: The Border Gateway Protocol (BGP) is the Internet's core routing protocol. Today, any BGP speaker can attest to be the origin for any IP prefix, and this results in the implicit assertion that this ASN is the rightful resource holder for that IP prefix. Unfortunately, any BGP speaker can lie about this. Such lies have allowed BGP speakers to "leak routes" and "hijack" each others prefixes. There has never been a programmatic way to securely disambiguate who the rightful resource holder actually is for any given IP prefix, or any Autonomous System Number (ASN). This leaves a very pronounced need for an Internet number resource certification framework. BGP, for example, currently propagates unverified announcements from origin ASNs to their neighbors, who selectively re-announce them to their neighbors in a form of gossip. Meanwhile, none of these parties have any way to properly assure the veracity of the announcements they are working from. We assert that the Internet needs Internet number resource certification and that routing stability suggests that a proactive approach is paramount. For that, we propose the Towards A Secure Routing System (TASRS) architecture, so named because it enables the security of the tried an true operational practice used for origin-based assurances in BGP. The TASRS architecture is evolved from the simple observation that securing the route computation can be done by learning an ASÂ’ resources and corresponding routed resource policies, and then proactively verifying the set of allowed states at each BGP peer. Moreover, this proactive practice already exists today, in service providers that maintain a trusted list of clients and policies that are known to be genuine and accurate. With a secure Internet number resource certification framework, routing policy semantics can be securely discovered and used to effectuate verifiable intent of operators in inter-domain routing.
SHA256
fingerprint
866c034ed275151667af2886a44dec7a58e6dbca7e8a8261fbdcbf75c5f20b6b
BibTeX:
@TECHREPORT{verisignlabs-tr-1130009-1,
                author = {Eric Osterweil and Danny McPherson},
                title = {TASRS: Towards a Secure Routing System Through Internet Number Resource Certification},
                booktitle = {Verisign Labs Technical Reports},
                number = {1130009 version 1},
                year = {2013},
}

          

[Home]