BGP security and the future

Abstract

The Internet consists of many subnetworks, which are connected to each other. These subnetworks are the autonomous systems (ASes) that make up the Internet: each hosts a part of it. In order to successfully determine routes from one of these ASes to the other, the Border Gateway Protocol (BGP) is used. This protocol has several security flaws however, and exploitation of them has lead to parts of the Internet being temporarily unreachable. In order to combat these flaws, several security solutions have been developed already. However, none of these have been deployed on a wide scale yet. As such, this thesis focuses on the question: why not, and what can be done to protect BGP in the future? This thesis includes an analysis of the BGP threat landscape, to find which threats are most relevant, and to find out whether or not solutions have adapted to the threat landscape. It also includes a comparison of solutions on different practical security aspects. From this comparison, I found that no solution is able to prevent attacks if only one autonomous system deploys it. Due to this, I suggest to shift attention to detective security. This thesis also includes an analysis of some detective security schemes, to see which properties of these schemes can be used for a new scheme. This new scheme is designed to comply with a list of requirements, and it uses properties from three other schemes. Development of this scheme is left as future work. Altogether, this thesis should provide a new direction for the future of BGP security.