Securing BGP Communities

Design of a new RPKI object to mitigate BGP Community Attacks

Master thesis (2022)

Authors

R.F. Huisman Electrical Engineering, Mathematics and Computer Science

Contributors

A. Zarras Cyber Security - EEMCS (mentor)
G. Smaragdakis Cyber Security - EEMCS (graduation committee member)
G. Iosifidis Embedded Systems - EEMCS (graduation committee member)
Faculty
Electrical Engineering, Mathematics and Computer Science, Electrical Engineering, Mathematics and Computer Science
Copyright: © 2022 Rick Huisman
More Info
expand_more

Published Date

15-07-2022

Language

English

Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Faculty

Electrical Engineering, Mathematics and Computer Science

Abstract

Research has shown that the Border Gateway Protocol (BGP) is vulnerable to a new attack that exploits the community attribute. These community attacks can influence BGP routing in unintended ways. Currently, there are no effective mitigations against these attacks which do not limit the normal usage of BGP communities or offer cryptographic authorization of community values. In this thesis, we are the first to design and evaluate a new Resource Public Key Infrastructure (RPKI) object that provides these properties, called a Route Community Authorization (RCA). Autonomous Systems (ASes) can sign and upload an RCA that includes which communities are authorized to be used and under which conditions to reduce the attack surface. The approach does not alter BGP itself and ASes that deploy the security solution can verify if route announcements with community values are allowed to use those communities. With the RPKI construction of our solution, cryptographic operations are offloaded from the router to a separate server. This is because most BGP routers deployed on the internet are not capable yet of performing cryptographic operations on every announcement.

We simulate attack scenarios and evaluate the developed solution to see if it is a viable option to be deployed on the internet. The results show that the developed solution can block the community attacks, on the condition that ASes have properly configured the RCA and at least the target, or an AS between the attacker and the target, deploys the solution. If ASes configure the RCAs too broad, then there is still room for an attacker to abuse the community values. We show that the performance of the solution using properly configured RCAs can keep up with the rate of announcements seen on the internet. Since experiments were performed in simulations, additional experiments are needed in the future on hardware routers and by ASes on the internet to see if the results are the same. The biggest issue for the developed solution is the initial adoption by ASes since security benefits are low in the beginning, but increase once more ASes participate.

Once deployed BGP routers can handle cryptographic operations on every announcement, we suggest using BGPsec and extending it to include the community attribute. Using a BGPsec approach will improve security and provide integrity of the community attribute, which RCA does not provide.