| Name | Description | Size | Format |
|---|---|---|---|
| | | 2.44 MB | Adobe PDF |
Advisor(s)
Abstract(s)
BGP, the Border Gateway Protocol, is the inter-domain routing protocol that glues the
Internet together. Despite its importance, it has well-known security problems. Frequently, the
BGP infrastructure is the target of prefix hijacking and path manipulation attacks. These
attacks disrupt the normal functioning of the Internet by either redirecting the traffic,
potentially allowing eavesdropping, or even preventing it from reaching its destination
altogether, affecting availability.
These problems result from the lack of a fundamental security mechanism: the ability
to validate the information in routing announcements. Specifically, BGP authenticates
neither the prefix origin nor the validity of the announced routes. This means that an
intermediate network that intercepts a BGP announcement can maliciously announce an IP
prefix that it does not own as its own, or insert a bogus path to a prefix with the goal of
intercepting traffic.
Several solutions have been proposed in the past, but they all have limitations, of
which the most severe is arguably the requirement to perform drastic changes on the
existing BGP infrastructure (i.e., requiring the replacement of existing equipment). In
addition, most solutions require their widespread adoption to be effective. Finally, they
typically require secure communication channels between the participant routers, which
entails computationally-intensive cryptographic verification capabilities that are normally
unavailable in this type of equipment.
With these challenges in mind, this thesis proposes to investigate the possibility of
improving BGP security by leveraging the software-defined networking (SDN) technology
that is increasingly common at Internet Exchange Points (IXPs). These interconnection
facilities are single locations that typically connect hundreds to thousands of networks,
working as Internet “middlemen” ideally placed to implement inter-network mechanisms,
such as security, without requiring changes to the network operators’ infrastructure. Our
key idea is to include a secure channel between IXPs that, by running in the SDN server
that controls these modern infrastructures, avoids the cryptographic requirements in the
routers. In our solution, the secure channel for communication implements a distributed
ledger (a blockchain), for decentralized trust and its other inherent guarantees. The
rationale is that by increasing trust and avoiding expensive infrastructure updates, we hope to
create incentives for operators to adhere to these new IXP-enhanced security services.
Description
Master's thesis, Informatics Engineering (Architecture, Systems and Computer Networks), 2022, Universidade de Lisboa, Faculdade de Ciências
Keywords
BGP; IXP; SDN; AS; security; routing protocol; prefix hijacking; path manipulation; blockchain; smart contract; Hyperledger Fabric; Master's theses - 2023
