TY - GEN
T1 - Securing BGP through keychain-based signatures
AU - Heng, Yin
AU - Bo, Sheng
AU - Haining, Wang
AU - Jianping, Pan
PY - 2007
Y1 - 2007
N2 - As the major component of Internet routing infrastructure, the Border Gateway Protocol (BGP) is vulnerable to malicious attacks. While Secure BGP (S-BGP) provides a comprehensive framework to secure BGP, its high computational cost and low incremental deployment benefits seriously impede its wide usage in practice. Using a lightweight symmetric signature scheme, SPV is much faster than S-BGP. However, the speed boost comes at the price of prohibitively large signatures. Aggregated path authentication reduces the overhead of securing BGP in terms of both time and space, but the speed improvement is still limited by public key computation. In this paper, we propose a simple keychain-based signature scheme called KC-x, which has low CPU and memory overheads and provides a strong incentive for incremental deployment over the Internet. As a generic framework, KC-x has the flexibility of using different signature algorithms. We implement two realizations of KC-x. One, called KC-RSA, is based on RSA, and the other, called KC-MT, is based on a Merkle hash tree. After characterizing the overheads of KC-RSA and KC-MT, we evaluate their performance with real BGP workloads. Our experimental results show that KC-RSA is as efficient as SAS-V, and KC-MT is even 3-fold faster than SPV with a 40% smaller signature. Through the hybrid deployment of KC-MT and KC-RSA, KC-x can achieve both a small signature and a high processing rate for BGP speakers.
AB - As the major component of Internet routing infrastructure, the Border Gateway Protocol (BGP) is vulnerable to malicious attacks. While Secure BGP (S-BGP) provides a comprehensive framework to secure BGP, its high computational cost and low incremental deployment benefits seriously impede its wide usage in practice. Using a lightweight symmetric signature scheme, SPV is much faster than S-BGP. However, the speed boost comes at the price of prohibitively large signatures. Aggregated path authentication reduces the overhead of securing BGP in terms of both time and space, but the speed improvement is still limited by public key computation. In this paper, we propose a simple keychain-based signature scheme called KC-x, which has low CPU and memory overheads and provides a strong incentive for incremental deployment over the Internet. As a generic framework, KC-x has the flexibility of using different signature algorithms. We implement two realizations of KC-x. One, called KC-RSA, is based on RSA, and the other, called KC-MT, is based on a Merkle hash tree. After characterizing the overheads of KC-RSA and KC-MT, we evaluate their performance with real BGP workloads. Our experimental results show that KC-RSA is as efficient as SAS-V, and KC-MT is even 3-fold faster than SPV with a 40% smaller signature. Through the hybrid deployment of KC-MT and KC-RSA, KC-x can achieve both a small signature and a high processing rate for BGP speakers.
UR - http://www.scopus.com/inward/record.url?scp=34748884882&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=34748884882&partnerID=8YFLogxK
U2 - 10.1109/IWQOS.2007.376562
DO - 10.1109/IWQOS.2007.376562
M3 - Conference contribution
AN - SCOPUS:34748884882
SN - 1424411858
SN - 9781424411856
T3 - IEEE International Workshop on Quality of Service, IWQoS
SP - 154
EP - 163
BT - 2007 Fifteenth IEEE International Workshop on Quality of Service, IWQoS 2007
T2 - 2007 Fifteenth IEEE International Workshop on Quality of Service, IWQoS 2007
Y2 - 21 June 2007 through 22 June 2007
ER -