Design of Lightweight Alternatives to Secure Border Gateway Protocol and Mitigate against Control and Data Plane Attacks

Abstract

Border Gateway Protocol (BGP) is the backbone of routing infrastructure in the Internet. In its current form, it is an insecure protocol with potential for propagation of bogus routing information. There have been several high-profiles Internet outages linked to BGP in recent times. Several BGP security proposals have been presented in the literature; however, none has been adopted so far and, as a result, securing BGP remains an unsolved problem to this day. Among existing BGP security proposals, Secure BGP (S-BGP) is considered most comprehensive. However, it presents significant challenges in terms of number of signature verifications and deployment considerations. For it to provide comprehensive security guarantees, it requires that all Autonomous Systems (ASes) in the Internet to adopt the scheme and participate in signature additions and verifications in BGP messages. Among others, these challenges have prevented S-BGP from being deployed today. In this thesis, we present two novel lightweight security protocols, called Credible BGP (C-BGP) and Hybrid Cryptosystem BGP (HC-BGP), which rely on security mechanisms in S-BGP but are designed to address signature verification overhead and deployment challenges associated with S-BGP. We develop original and detailed analytical and simulation models to study performance of our proposals and demonstrate that the proposed schemes promise significant savings in terms of computational overhead and security performance in presence of malicious ASes in the network. We also study the impact of IP prefix hijacking on control plane as well as data plane. Specifically, we analyze the impact of bogus routing information on Inter-Domain Packet Filters and propose novel and simple extensions to existing BGP route selection algorithm to combat bogus routing information.