Wednesday, October 28, 2009

ROUTING SECURITY

BGP runs over TCP on port 179. Two routers (peers) open a session and exchange reachability information: which IP prefixes each can reach and the sequence of autonomous systems (the AS path) a route passes through. Because the best paths between ASs change continuously, the session stays open and the peers keep sending incremental updates.
BGPSec
The Directorate for Science & Technology is developing BGPSec and expects to finish within a few years. The technology would add digital signatures and a PKI to the BGP process, so that a router can verify that a routing update really came from the router that claims to have sent it.
The technical details of BGPsec haven't been worked out yet.
A PKI supports public-key cryptography, in which each party holds a key pair: a public key that can be published freely and a private key that only its owner knows. A message encrypted with a router's public key can be decrypted only with that router's private key, so nobody but the intended router can read it.
For routing security the same key pair is used the other way round: the sending router signs an update with its private key, and any router holding the public key can check that the signature is genuine and that the signed data has not been altered in transit. Encryption hides data; a signature proves who produced it, and it is the signature that BGPSec and the projects below rely on.
How does a router know that the public key it holds really belongs to the router it is talking to? This is the role of a trusted third party, the certificate authority, which issues a certificate attesting that the public key belongs to its claimed owner.
An important issue is that signing and verifying updates adds cryptographic overhead to router functionality. This can slow down the infrastructure or require hardware and software upgrades, which may hinder adoption.
RPKI
The Internet Engineering Task Force (IETF)'s Secure Inter-Domain Routing (SIDR) working group is working on RPKI (Resource Public Key Infrastructure), a PKI built specifically for routing authentication.
The goal is a system that verifies that the organizations using particular IP address blocks and AS numbers were actually allocated them. The body that made the allocation, such as an ISP, a regional registry or IANA, issues a certificate attesting to it.
During Internet communication, a router that receives routing data can check that the sending router's organization holds the IP addresses and AS numbers it is announcing, and can then treat the announcement as legitimate. Note what this does and does not cover: it verifies that the AS originating a prefix is entitled to it, not that the rest of the AS path in the update is genuine, so it stops misoriginations but not forged paths.
In RPKI, the organizations that allocate IP addresses would act as certificate authorities.
Two other projects which add authentication to routing process are also underway.
S-BGP
BBN has developed Secure BGP (S-BGP), which lays out a specific plan for using a PKI and digital certificates so that routers can validate that other routers, and blocks of address space, belong to a particular organization. The PKI lets each organization issue certificates to its routers certifying that those routers speak for it.
The PKI also lets routers verify the owner of one or more address blocks, by binding the owner's addresses to one of its public keys.

S-BGP changes the structure of BGP update messages by adding address-ownership attestations, together with route attestations signed by each AS along the path. Routers must therefore run updated software to generate and check them.
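The following is an added example written for this page, not code from BBN's S-BGP or the BGPSec effort. It models, with Go's standard crypto library, what the PKI paragraphs above and the S-BGP attestations describe: a registry key plays the certificate authority, certifies each AS's ECDSA public key (the certificate is reduced to a bare signature over the ASN and key) and signs an address attestation binding a prefix to its origin AS; each AS then signs the path so far plus the neighbour it forwards to; the receiver trusts only the registry's public key. The message formats, the AS numbers (private-range 64500 to 64666) and prefix 192.0.2.0/24, and all function names are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// ASKey: one AS's key pair plus the registry's attestation (a bare signature
// standing in for an X.509 certificate) that the public key belongs to ASN.
// A receiving router only ever sees the public key and Cert, never Priv.
type ASKey struct{ ASN uint32; Priv *ecdsa.PrivateKey; Cert []byte }

// Hop: Signer attests it forwarded the route to Next. The signature also covers
// the prefix and every earlier hop, so the path cannot be edited afterwards.
type Hop struct{ Signer, Next uint32; Sig []byte }

// Route: the registry's attestation that Prefix belongs to Origin, plus one Hop
// per AS that has handled the update so far.
type Route struct{ Prefix string; Origin uint32; AddrAtt []byte; Hops []Hop }

func must(b []byte, err error) []byte { if err != nil { panic(err) }; return b }
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}
func sign(k *ecdsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	return must(ecdsa.SignASN1(rand.Reader, k, h[:]))
}
func verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// The exact bytes each party signs (formats are this example's own); the tags
// keep a certificate, an address attestation and a route attestation distinct.
func certMsg(asn uint32, pub *ecdsa.PublicKey) []byte {
	return append([]byte(fmt.Sprintf("cert:%d:", asn)), must(x509.MarshalPKIXPublicKey(pub))...)
}
func addrMsg(prefix string, origin uint32) []byte { return []byte(fmt.Sprintf("addr:%s:%d", prefix, origin)) }
func hopMsg(prefix string, path []uint32, next uint32) []byte {
	return []byte(fmt.Sprintf("route:%s:%v->%d", prefix, path, next))
}

// IssueAS: the registry, acting as certificate authority, binds an AS number to a fresh key pair.
func IssueAS(reg *ecdsa.PrivateKey, asn uint32) *ASKey {
	k := newKey()
	return &ASKey{ASN: asn, Priv: k, Cert: sign(reg, certMsg(asn, &k.PublicKey))}
}

// Forward: AS as signs the path so far plus the neighbour it hands the route to.
func Forward(r Route, as *ASKey, next uint32) Route {
	path := []uint32{r.Origin}
	for _, h := range r.Hops { path = append(path, h.Next) }
	sig := sign(as.Priv, hopMsg(r.Prefix, path, next))
	r.Hops = append(append([]Hop(nil), r.Hops...), Hop{Signer: as.ASN, Next: next, Sig: sig})
	return r
}

// Verify trusts only the registry's public key. It checks that the registry attested
// Origin holds Prefix, that every signer's key is certified by the registry, that each hop
// was signed by the AS the previous hop named, and that the last hop was addressed to me.
func Verify(regPub *ecdsa.PublicKey, keys map[uint32]*ASKey, r Route, me uint32) bool {
	if !verify(regPub, addrMsg(r.Prefix, r.Origin), r.AddrAtt) { return false }
	path := []uint32{r.Origin}
	for _, h := range r.Hops {
		k, ok := keys[h.Signer]
		if !ok || h.Signer != path[len(path)-1] { return false }
		pub := &k.Priv.PublicKey // a real router would hold only the public half
		if !verify(regPub, certMsg(k.ASN, pub), k.Cert) { return false }
		if !verify(pub, hopMsg(r.Prefix, path, h.Next), h.Sig) { return false }
		path = append(path, h.Next)
	}
	return len(r.Hops) > 0 && path[len(path)-1] == me
}

// Demo builds the path 64500 -> 64501 -> 64502 (constructed private ASNs) and reports
// whether the genuine route verifies at 64502 and whether two forgeries by AS 64666
// (certified, but not the prefix holder) are rejected.
func Demo() (genuine, forgedOrigin, truncated bool) {
	reg := newKey()
	keys := map[uint32]*ASKey{}
	for _, asn := range []uint32{64500, 64501, 64502, 64666} { keys[asn] = IssueAS(reg, asn) }
	r := Route{Prefix: "192.0.2.0/24", Origin: 64500, AddrAtt: sign(reg, addrMsg("192.0.2.0/24", 64500))}
	r = Forward(Forward(r, keys[64500], 64501), keys[64501], 64502)
	genuine = Verify(&reg.PublicKey, keys, r, 64502)
	// 64666 replays the real address attestation and signs as if it were the origin.
	bad := Route{Prefix: r.Prefix, Origin: r.Origin, AddrAtt: r.AddrAtt}
	forgedOrigin = Verify(&reg.PublicKey, keys, Forward(bad, keys[64666], 64502), 64502)
	// 64666 drops 64501's hop and splices itself in after the origin's signature.
	cut := Route{Prefix: r.Prefix, Origin: r.Origin, AddrAtt: r.AddrAtt, Hops: r.Hops[:1]}
	truncated = Verify(&reg.PublicKey, keys, Forward(cut, keys[64666], 64502), 64502)
	return
}

func main() { fmt.Println(Demo()) } // prints: true false false
```

Two points the prose glosses over show up in the code: the receiver needs nothing but the registry's public key as trust anchor, because every other key arrives with a certificate it can check; and because each hop's signature covers the hops before it and names the next AS, an attacker with a perfectly valid certificate still cannot insert, remove or reorder hops. The cost is the overhead the BGPSec paragraph warns about: one signature to generate and a chain of verifications on every update.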
SoBGP
SoBGP (Secure Origin BGP), developed by Cisco Systems, takes a decentralized approach rather than the single centralized PKI hierarchy that S-BGP uses.
Each AS would operate its own routing authentication system with a database of keys and certificates it trusts. Over time, as more routing data arrives, the database grows.
The system tries to match the stored keys and certificates against arriving routing data to authenticate it. If incoming routing information doesn't match any key or certificate in the database, the sender needs a digital certificate from a trusted third party to authenticate itself.
VARIOUS TYPES OF ROUTING ATTACKS
SPOOFING

Spoofing occurs when a device assumes the identity of another router by providing information about itself that actually belongs to another routing domain.
FALSIFICATION

Falsification is sending false routing data that causes a router to pass bad information on to its peers. Attackers can use it to spread false information about the best routes to and from various points on the Internet. A BGP peer adds the best-route information it receives to its routing table and advertises it to its other peers, so the incorrect information propagates into the Internet's global routing tables.
PREFIX HIJACKING

Attackers advertise false best routes throughout the Internet and thereby have large amounts of traffic sent through networks they control.
This can result in usurpation, in which an attacker redirects traffic through rogue routers and thereby hijacks a session, gaining control over the related routing functions.
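The origin check that RPKI (see the RPKI section above) is meant to support, run against hijack announcements of the kind just described, as an added example written for this page rather than code from any of the projects named. It assumes the ROA form (prefix, maximum length, origin AS) that the RPKI standards later settled on (RFC 6482 and RFC 6811), and the ROA table, AS numbers (private-range 64500, 64501, 64666) and prefixes are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
)

// ROA (Route Origin Authorization): the holder of Prefix authorises OriginAS to
// originate it, and any more-specific prefix no longer than MaxLen bits.
type ROA struct {
	Prefix   *net.IPNet
	MaxLen   int
	OriginAS uint32
}

type State string

const (
	Valid    State = "valid"
	Invalid  State = "invalid"
	NotFound State = "not-found"
)

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// covers reports whether roa contains the whole announced prefix ann.
func covers(roa, ann *net.IPNet) bool {
	roaLen, _ := roa.Mask.Size()
	annLen, _ := ann.Mask.Size()
	return annLen >= roaLen && roa.Contains(ann.IP)
}

// Validate applies the RFC 6811 decision to an announcement whose origin AS is the
// last AS in its AS_PATH: Valid if some covering ROA names that origin and the
// announced length is within MaxLen; Invalid if ROAs cover the prefix but none
// match; NotFound if no ROA covers it (the holder has not published one).
func Validate(prefix *net.IPNet, asPath []uint32, roas []ROA) State {
	if len(asPath) == 0 {
		return Invalid // no origin at all can never be authorised
	}
	origin := asPath[len(asPath)-1]
	annLen, _ := prefix.Mask.Size()
	covered := false
	for _, r := range roas {
		if !covers(r.Prefix, prefix) {
			continue
		}
		covered = true
		if r.OriginAS == origin && annLen <= r.MaxLen {
			return Valid
		}
	}
	if covered {
		return Invalid
	}
	return NotFound
}

// SampleROAs is a constructed table: AS 64500 holds 192.0.2.0/24 and may also
// announce its two /25s; AS 64501 holds 198.51.100.0/24 and nothing more specific.
func SampleROAs() []ROA {
	return []ROA{
		{Prefix: mustCIDR("192.0.2.0/24"), MaxLen: 25, OriginAS: 64500},
		{Prefix: mustCIDR("198.51.100.0/24"), MaxLen: 24, OriginAS: 64501},
	}
}

// Check validates one announcement (prefix plus AS_PATH) against SampleROAs.
func Check(prefix string, asPath ...uint32) State {
	return Validate(mustCIDR(prefix), asPath, SampleROAs())
}

func main() {
	cases := []struct {
		prefix string
		path   []uint32
	}{
		{"192.0.2.0/24", []uint32{64501, 64500}},  // genuine route heard via 64501
		{"192.0.2.0/25", []uint32{64501, 64500}},  // more specific, still within MaxLen
		{"192.0.2.0/24", []uint32{64666}},         // origin hijack: wrong AS
		{"192.0.2.0/26", []uint32{64666, 64500}},  // too specific, whoever originates it
		{"198.51.100.0/25", []uint32{64666}},      // more-specific hijack; no ROA permits a /25
		{"203.0.113.0/24", []uint32{64666}},       // no ROA at all: origin validation cannot help
		{"192.0.2.0/24", []uint32{64666, 64500}},  // 64666 forges a path ending in the real origin
	}
	for _, c := range cases {
		fmt.Printf("%-16s %-14v %s\n", c.prefix, c.path, Check(c.prefix, c.path...))
	}
}
```

The last case is the caveat a practitioner needs: a router that forges an AS path ending in the legitimate origin passes origin validation, because only the prefix and the final AS are checked. That is why S-BGP and BGPSec go further and sign the path itself, and why a prefix with no ROA gets "not-found" rather than "invalid": a network that has not published ROAs is simply outside the system's protection.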
INTERFERENCE

Interference occurs when an attacker disrupts the communication of legitimate routers.
OVERLOAD

Overload takes place when an attacker reroutes large traffic volumes and overwhelms routers.
MAN-IN-THE-MIDDLE ATTACKS

An attacker uses false routing information to impersonate each of two routers to the other and relays messages between them, thereby reading and controlling their communications.