Availability-Centric Routing (ACR) makes the case that current proposals to secure interdomain routing (e.g., S-BGP) are simultaneously too much and too little. They are too much in that they require heavyweight control-plane cryptography as well as extensive address-ownership registries and a global PKI. They are too little in that even a secure control plane cannot protect against the many problems that may occur in the data plane (adversaries, packet-filter misconfiguration, even congestion from link DoS). ACR takes the approach that because end hosts can protect communication confidentiality and integrity using end-to-end mechanisms (e.g., SSL or IPSec), the only thing the routing system must support is availability. Because we care only about availability in the control plane, we use an insecure multipath protocol there and rely on the ability to explore many of these paths in order to find a working one. We find that ACR not only protects against data-plane adversaries but also has compelling deployment properties. In particular, ACR provides benefits to stub networks even if most of the Internet has not yet deployed the scheme. Also, a more limited multipath scheme, requiring only tier-1 providers to deploy, provides significant benefits in the face of many attackers.
Most secure routing proposals require the existence of a global public-key infrastructure (PKI) to bind a public/private key-pair to a prefix, in order to authenticate route originations of that prefix. A major difficulty in secure routing deployment is the mutual dependency between the routing protocol and the establishment of a globally trusted PKI for prefixes and ASes: cryptographic mechanisms used to authenticate BGP Update messages require a PKI, but without a secure routing infrastructure in place, Internet registries and ISPs have little motivation to invest in the development and deployment of this PKI. This paper proposes a radically different mechanism to resolve this dilemma: an evolutionary Grassroots-PKI that bootstraps by letting any routing entity announce self-signed certificates to claim their address space. Despite the simple optimistic security of this initial stage, we demonstrate how a Grassroots-PKI provides ASes with strong incentives to evolve the infrastructure into a full top-down hierarchical PKI, as proposed in secure routing protocols like S-BGP. Central to the Grassroots-PKI concept is an attack recovery mechanism that by its very nature moves the system closer to a global PKI. This admittedly controversial proposal offers a rapid and incentive-compatible approach to achieving a global routing PKI.
Please contact me if you have comments on any of this work, or would like to learn more about papers we have in submission, etc. I love to chat/debate/argue :)
You may also be interested in my BGP Routing Security Reference Page.