Secure Inter-domain Routing and Forwarding via Verifiable Forwarding Commitments

The Internet inter-domain routing system is vulnerable. On the control plane, the de facto Border Gateway Protocol (BGP) does not have built-in mechanisms to authenticate routing announcements, so an adversary can announce virtually arbitrary paths to hijack network traffic; on the data plane, it is difficult to ensure that actual forwarding path complies with the control plane decisions. The community has proposed significant research to secure the routing system. Yet, existing secure BGP protocols (e.g., BGPsec) are not incrementally deployable, and existing path authorization protocols are not compatible with the current Internet routing infrastructure. In this paper, we propose FC-BGP, the first secure Internet inter-domain routing system that can simultaneously authenticate BGP announcements and validate data plane forwarding in an efficient and incrementally-deployable manner. FC-BGP is built upon a novel primitive, name Forwarding Commitment, to certify an AS's routing intent on its directly connected hops. We analyze the security benefits of FC-BGP in the Internet at different deployment rates. Further, we implement a prototype of FC-BGP and extensively evaluate it over a large-scale overlay network with 100 virtual machines deployed globally. The results demonstrate that FC-BGP saves roughly 55% of the overhead required to validate BGP announcements compared with BGPsec, and meanwhile FC-BGP introduces a small overhead for building a globally-consistent view on the desirable forwarding paths.Comment: 16 pages, 17 figure

All Pairs Routing Path Enumeration Using Latin Multiplication and Julia

Enumerating all routing paths among Autonomous Systems (ASes) at an Internet-scale is an intractable problem. The Border Gateway Protocol (BGP) is the standard exterior gateway protocol through which ASes exchange reachability information. Building an efficient path enumeration tool for a given network is an essential step toward estimating the resiliency of the network to cyber security attacks, such as routing origin and path hijacking. In our work, we use the matrix Latin multiplication method to compute all possible paths among all pairs of nodes. We parallelize this computation through the domain decomposition for matrix multiplication and implement our solution in the Julia high-performance programming language. We also compare our method with the classical Monte Carlo method. Our results provide positive evidence for the applicability of the method