Autonomous security for autonomous systems

Josh Karlin, Stephanie Forrest, Jennifer Rexford

Research output: Contribution to journal › Article

41 Citations (Scopus)

Abstract

The Internet's interdomain routing protocol, BGP, supports a complex network of Autonomous Systems which is vulnerable to a number of potentially crippling attacks. Several promising cryptography-based solutions have been proposed, but their adoption has been hindered by the need for community consensus, cooperation in a public key infrastructure (PKI), and a common security protocol. Rather than force centralized control in a distributed network, this paper examines distributed security methods that are amenable to incremental deployment. Typically, such methods are less comprehensive and not provably secure. The paper describes a distributed anomaly detection and response system that provides comparable security to cryptographic methods and has a more plausible adoption path. Specifically, the paper makes the following contributions: (1) it describes pretty good BGP (PGBGP), whose security is comparable (but not identical) to secure origin BGP; (2) it gives theoretical proofs on the effectiveness of PGBGP; (3) it reports simulation experiments on a snapshot of the Internet topology annotated with the business relationships between neighboring networks; (4) it quantifies the impact that known exploits could have on the Internet; and (5) it determines the minimum number of ASes that would have to adopt a distributed security solution to provide global protection against these exploits. Taken together these results explore the boundary between what can be achieved with provably secure centralized security mechanisms for BGP and more distributed approaches that respect the autonomous nature of the Internet.

Original language: English (US)
Pages (from-to): 2908-2923
Number of pages: 16
Journal: Computer Networks
Volume: 52
Issue number: 15
DOIs: 10.1016/j.comnet.2008.06.012
State: Published - Oct 23 2008
Externally published: Yes

Fingerprint

Internet
Internet protocols
Complex networks
Routing protocols
Cryptography
Topology
Network protocols
Industry
Experiments

Keywords

  • Anomaly
  • BGP
  • Interdomain
  • Security

ASJC Scopus subject areas

  • Computer Networks and Communications

Cite this

Autonomous security for autonomous systems. / Karlin, Josh; Forrest, Stephanie; Rexford, Jennifer.

In: Computer Networks, Vol. 52, No. 15, 23.10.2008, p. 2908-2923.


Karlin, Josh ; Forrest, Stephanie ; Rexford, Jennifer. / Autonomous security for autonomous systems. In: Computer Networks. 2008 ; Vol. 52, No. 15. pp. 2908-2923.
@article{b8cd23c3533f4b36a005adfb544fb405,
title = "Autonomous security for autonomous systems",
abstract = "The Internet's interdomain routing protocol, BGP, supports a complex network of Autonomous Systems which is vulnerable to a number of potentially crippling attacks. Several promising cryptography-based solutions have been proposed, but their adoption has been hindered by the need for community consensus, cooperation in a public key infrastructure (PKI), and a common security protocol. Rather than force centralized control in a distributed network, this paper examines distributed security methods that are amenable to incremental deployment. Typically, such methods are less comprehensive and not provably secure. The paper describes a distributed anomaly detection and response system that provides comparable security to cryptographic methods and has a more plausible adoption path. Specifically, the paper makes the following contributions: (1) it describes pretty good BGP (PGBGP), whose security is comparable (but not identical) to secure origin BGP; (2) it gives theoretical proofs on the effectiveness of PGBGP; (3) it reports simulation experiments on a snapshot of the Internet topology annotated with the business relationships between neighboring networks; (4) it quantifies the impact that known exploits could have on the Internet; and (5) it determines the minimum number of ASes that would have to adopt a distributed security solution to provide global protection against these exploits. Taken together these results explore the boundary between what can be achieved with provably secure centralized security mechanisms for BGP and more distributed approaches that respect the autonomous nature of the Internet.",
keywords = "Anomaly, BGP, Interdomain, Security",
author = "Josh Karlin and Stephanie Forrest and Jennifer Rexford",
year = "2008",
month = "10",
day = "23",
doi = "10.1016/j.comnet.2008.06.012",
language = "English (US)",
volume = "52",
pages = "2908--2923",
journal = "Computer Networks",
issn = "1389-1286",
publisher = "Elsevier",
number = "15",

}

TY - JOUR

T1 - Autonomous security for autonomous systems

AU - Karlin, Josh

AU - Forrest, Stephanie

AU - Rexford, Jennifer

PY - 2008/10/23

Y1 - 2008/10/23

N2 - The Internet's interdomain routing protocol, BGP, supports a complex network of Autonomous Systems which is vulnerable to a number of potentially crippling attacks. Several promising cryptography-based solutions have been proposed, but their adoption has been hindered by the need for community consensus, cooperation in a public key infrastructure (PKI), and a common security protocol. Rather than force centralized control in a distributed network, this paper examines distributed security methods that are amenable to incremental deployment. Typically, such methods are less comprehensive and not provably secure. The paper describes a distributed anomaly detection and response system that provides comparable security to cryptographic methods and has a more plausible adoption path. Specifically, the paper makes the following contributions: (1) it describes pretty good BGP (PGBGP), whose security is comparable (but not identical) to secure origin BGP; (2) it gives theoretical proofs on the effectiveness of PGBGP; (3) it reports simulation experiments on a snapshot of the Internet topology annotated with the business relationships between neighboring networks; (4) it quantifies the impact that known exploits could have on the Internet; and (5) it determines the minimum number of ASes that would have to adopt a distributed security solution to provide global protection against these exploits. Taken together these results explore the boundary between what can be achieved with provably secure centralized security mechanisms for BGP and more distributed approaches that respect the autonomous nature of the Internet.

AB - The Internet's interdomain routing protocol, BGP, supports a complex network of Autonomous Systems which is vulnerable to a number of potentially crippling attacks. Several promising cryptography-based solutions have been proposed, but their adoption has been hindered by the need for community consensus, cooperation in a public key infrastructure (PKI), and a common security protocol. Rather than force centralized control in a distributed network, this paper examines distributed security methods that are amenable to incremental deployment. Typically, such methods are less comprehensive and not provably secure. The paper describes a distributed anomaly detection and response system that provides comparable security to cryptographic methods and has a more plausible adoption path. Specifically, the paper makes the following contributions: (1) it describes pretty good BGP (PGBGP), whose security is comparable (but not identical) to secure origin BGP; (2) it gives theoretical proofs on the effectiveness of PGBGP; (3) it reports simulation experiments on a snapshot of the Internet topology annotated with the business relationships between neighboring networks; (4) it quantifies the impact that known exploits could have on the Internet; and (5) it determines the minimum number of ASes that would have to adopt a distributed security solution to provide global protection against these exploits. Taken together these results explore the boundary between what can be achieved with provably secure centralized security mechanisms for BGP and more distributed approaches that respect the autonomous nature of the Internet.

KW - Anomaly

KW - BGP

KW - Interdomain

KW - Security

UR - http://www.scopus.com/inward/record.url?scp=52049098470&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=52049098470&partnerID=8YFLogxK

U2 - 10.1016/j.comnet.2008.06.012

DO - 10.1016/j.comnet.2008.06.012

M3 - Article

AN - SCOPUS:52049098470

VL - 52

SP - 2908

EP - 2923

JO - Computer Networks

JF - Computer Networks

SN - 1389-1286

IS - 15

ER -