Exploring the Benefit of Path Plausibility Algorithms in BGP

Nils Miro Rodday; Gabi Dreo Rodosek; Aiko Pras; Roland Martijn van Rijswijk - Deij

doi:10.1109/NOMS59830.2024.10575088

Exploring the Benefit of Path Plausibility Algorithms in BGP

Nils Miro Rodday, Gabi Dreo Rodosek, Aiko Pras, Roland Martijn van Rijswijk - Deij

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

1 Citation (Scopus)

336 Downloads (Pure)

Abstract

The Border Gateway Protocol (BGP) is known to have several security weaknesses. Two major threats are BGP prefix hijacking and BGP route leaks. A hijack refers to the illegitimate announcement of another Autonomous System’s (AS) IP prefix space while a route leak is the accidental forwarding of a route to a peer that should not have received such an announcement. The Resource Public Key Infrastructure (RPKI) provides origin validation and is able to mitigate a subset of prefix hijacking attacks. Route leaks and forged-origin prefix hijacks are not yet properly addressed. Autonomous System Provider Authorization (ASPA) and AS-Cones are two path plausibility algorithms proposed within the Internet Engineering Task Force (IETF) to mitigate these issues. This work implements ASPA and AS-Cones in a simulation testbed. We compare deployment strategies and recommend to start deploying both algorithms in a top-down manner, starting with the AS with the highest connectivity. While AS-Cones requires less ASes to participate it shows similar benefits in route leak mitigation. Only ASPA can mitigate the forged-origin prefix hijack and results heavily depend on the victim AS to participate in ASPA object creation.

Original language	English
Title of host publication	Proceedings of the 2024 Network Operations and Management Symposium (NOMS 2024)
Place of Publication	Seoul, Korea
Publisher	IFIP
ISBN (Electronic)	979-8-3503-2793-9
DOIs	https://doi.org/10.1109/NOMS59830.2024.10575088
Publication status	Published - 2 Jul 2024
Event	IEEE/IFIP Network Operations and Management Symposium, NOMS 2024 - Seoul, Korea, Republic of Duration: 6 May 2024 → 10 May 2024 https://noms2024.ieee-noms.org

Conference

Conference	IEEE/IFIP Network Operations and Management Symposium, NOMS 2024
Abbreviated title	NOMS 2024
Country/Territory	Korea, Republic of
City	Seoul
Period	6/05/24 → 10/05/24
Internet address	https://noms2024.ieee-noms.org

Access to Document

10.1109/NOMS59830.2024.10575088

1093_Camera-ready_manuscriptAccepted author version, 1.6 MB

Best Paper Award NOMS 2024
Rodday, N. M. (Recipient), Dreo Rodosek, G. (Recipient), Pras, A. (Recipient) & van Rijswijk - Deij, R. M. (Recipient), 9 May 2024
Prize

Cite this

@inproceedings{43686cd4e99643c1827d1fb63986ec7c,

title = "Exploring the Benefit of Path Plausibility Algorithms in BGP",

abstract = "The Border Gateway Protocol (BGP) is known to have several security weaknesses. Two major threats are BGP prefix hijacking and BGP route leaks. A hijack refers to the illegitimate announcement of another Autonomous System{\textquoteright}s (AS) IP prefix space while a route leak is the accidental forwarding of a route to a peer that should not have received such an announcement. The Resource Public Key Infrastructure (RPKI) provides origin validation and is able to mitigate a subset of prefix hijacking attacks. Route leaks and forged-origin prefix hijacks are not yet properly addressed. Autonomous System Provider Authorization (ASPA) and AS-Cones are two path plausibility algorithms proposed within the Internet Engineering Task Force (IETF) to mitigate these issues. This work implements ASPA and AS-Cones in a simulation testbed. We compare deployment strategies and recommend to start deploying both algorithms in a top-down manner, starting with the AS with the highest connectivity. While AS-Cones requires less ASes to participate it shows similar benefits in route leak mitigation. Only ASPA can mitigate the forged-origin prefix hijack and results heavily depend on the victim AS to participate in ASPA object creation.",

author = "Rodday, {Nils Miro} and {Dreo Rodosek}, Gabi and Aiko Pras and {van Rijswijk - Deij}, {Roland Martijn}",

year = "2024",

month = jul,

day = "2",

doi = "10.1109/NOMS59830.2024.10575088",

language = "English",

booktitle = "Proceedings of the 2024 Network Operations and Management Symposium (NOMS 2024)",

publisher = "IFIP",

note = "IEEE/IFIP Network Operations and Management Symposium, NOMS 2024, NOMS 2024 ; Conference date: 06-05-2024 Through 10-05-2024",

url = "https://noms2024.ieee-noms.org",

}

Rodday, NM, Dreo Rodosek, G, Pras, A & van Rijswijk - Deij, RM 2024, Exploring the Benefit of Path Plausibility Algorithms in BGP. in Proceedings of the 2024 Network Operations and Management Symposium (NOMS 2024). IFIP, Seoul, Korea, IEEE/IFIP Network Operations and Management Symposium, NOMS 2024, Seoul, Korea, Republic of, 6/05/24. https://doi.org/10.1109/NOMS59830.2024.10575088

TY - GEN

T1 - Exploring the Benefit of Path Plausibility Algorithms in BGP

AU - Rodday, Nils Miro

AU - Dreo Rodosek, Gabi

AU - Pras, Aiko

AU - van Rijswijk - Deij, Roland Martijn

PY - 2024/7/2

Y1 - 2024/7/2

N2 - The Border Gateway Protocol (BGP) is known to have several security weaknesses. Two major threats are BGP prefix hijacking and BGP route leaks. A hijack refers to the illegitimate announcement of another Autonomous System’s (AS) IP prefix space while a route leak is the accidental forwarding of a route to a peer that should not have received such an announcement. The Resource Public Key Infrastructure (RPKI) provides origin validation and is able to mitigate a subset of prefix hijacking attacks. Route leaks and forged-origin prefix hijacks are not yet properly addressed. Autonomous System Provider Authorization (ASPA) and AS-Cones are two path plausibility algorithms proposed within the Internet Engineering Task Force (IETF) to mitigate these issues. This work implements ASPA and AS-Cones in a simulation testbed. We compare deployment strategies and recommend to start deploying both algorithms in a top-down manner, starting with the AS with the highest connectivity. While AS-Cones requires less ASes to participate it shows similar benefits in route leak mitigation. Only ASPA can mitigate the forged-origin prefix hijack and results heavily depend on the victim AS to participate in ASPA object creation.

AB - The Border Gateway Protocol (BGP) is known to have several security weaknesses. Two major threats are BGP prefix hijacking and BGP route leaks. A hijack refers to the illegitimate announcement of another Autonomous System’s (AS) IP prefix space while a route leak is the accidental forwarding of a route to a peer that should not have received such an announcement. The Resource Public Key Infrastructure (RPKI) provides origin validation and is able to mitigate a subset of prefix hijacking attacks. Route leaks and forged-origin prefix hijacks are not yet properly addressed. Autonomous System Provider Authorization (ASPA) and AS-Cones are two path plausibility algorithms proposed within the Internet Engineering Task Force (IETF) to mitigate these issues. This work implements ASPA and AS-Cones in a simulation testbed. We compare deployment strategies and recommend to start deploying both algorithms in a top-down manner, starting with the AS with the highest connectivity. While AS-Cones requires less ASes to participate it shows similar benefits in route leak mitigation. Only ASPA can mitigate the forged-origin prefix hijack and results heavily depend on the victim AS to participate in ASPA object creation.

U2 - 10.1109/NOMS59830.2024.10575088

DO - 10.1109/NOMS59830.2024.10575088

M3 - Conference contribution

BT - Proceedings of the 2024 Network Operations and Management Symposium (NOMS 2024)

PB - IFIP

CY - Seoul, Korea

T2 - IEEE/IFIP Network Operations and Management Symposium, NOMS 2024

Y2 - 6 May 2024 through 10 May 2024

ER -

Exploring the Benefit of Path Plausibility Algorithms in BGP

Abstract

Conference

Access to Document

Fingerprint

Prizes

Best Paper Award NOMS 2024

Cite this