The Ins and Outs of Inter-Domain Routing Security

Abstract

Security of the Internet routing infrastructure, that is, the packet routing between networks (inter-domain), is a long-standing subject of research. Academic work has been published to identify the inter-domain routing security risk, the requirements of the solution space, and strategies and methods to mitigate the security risks.

This presentation will go into the (more academic) background of the complexity of inter-domain routing security, and the inherent trust model built into the Border Gateway Protocol (BGP), the current default inter-domain routing protocol. In the past decade, most commonly security measures were session authentication (on TCP-IP level) and IP prefix, IP path, and max prefix filtering. All with its own merits and weaknesses. To improve on this, approaches from academic to more practical signature have been proposed by researchers and the engineering community.

Recently, work in the IETF Secure Inter-domain Routing (SIDR) working group is initiated to design a stopgap for the longstanding weakness in inter-domain routing, namely the ability to validate the authenticity of the IP prefix origin and the network (routing) paths that are forwarded by the routing fabric. With route origin validation and path validation, network operators can protect their networks from IP hijacks, spoofing, and man-in-the-middle attacks (from traffic deviation---eavesdropping, revenue generating, or impersonation---to black-holing traffic as denial-of-service attack).

Biography

Benno Overeinder is a senior research engineer at NLnet Labs, with interests in inter-domain (Internet) routing, routing security, IPv6 transition and deployment, and modeling and simulation. He is active in the IETF and RIPE community, and publishes scientific and technical papers and reports. Before working at NLnet Labs, Overeinder obtained his MSc and PhD at the University of Amsterdam, and worked as a researcher on parallel and distributed computing runtime systems and middleware. At the VU University, Overeinder fulfilled the position of assistant professor and worked on distributed middleware, distributed/grid resource management, and self-managing systems (autonomic computing).