Evaluating the Performance Impact of PKI on BGP Security
Meiyuan Zhao, Sean Smith
Dartmouth College
David Nicol
University of Illinois at Urbana-Champaign
Outline
- Overview: BGP; S-BGP's PKIs and attestations
- Improved schemes: OA, S-A, and SAS
- Performance evaluation: simulation methodology; experiment results
- Related work
- Conclusions and future work
Border Gateway Protocol (BGP)
- Inter-domain routing protocol, mainly between autonomous systems (ASes)
- Updates are in the form of route announcements: (AS_PATH, prefix)
  - AS_PATH: a sequence of AS numbers, e.g., "500 300 100"
  - prefix: a range of IP addresses, e.g., 129.170.0.0/16
[Figure: five ASes (1 to 5) in a row; AS1 originates ({1}, p), AS2 forwards ({2, 1}, p), AS3 forwards ({3, 2, 1}, p) onward]
Secure BGP (S-BGP)
- AS path: protected by Route Attestations (RAs)
- Prefix: protected by Address Attestations (AAs)
- IP address owners create AAs; X.509 certificates for IP address allocation bind (prefix1, ..., prefixk, orgy): address assignment
- Routers create RAs; X.509 certificates for AS numbers and routers bind (AS, AS#, PK) and (RtrID, AS#, PK)
S-BGP PKIs
- Match existing infrastructures
- AS number assignment and binding a router to an AS: ICANN -> regional registries (APNIC, ARIN, RIPE, LACNIC) -> organizations (AS numbers) -> routers (RtrID); certificates bind (ASk, ASNs) and (RtrID, ASN)
- IP address allocation: ICANN -> registries (ARIN, RIPE, ...) -> ISPs (e.g., AT&T) / DSPs / subscribers; certificates bind IP address blocks to organizations
[Figure: the two certificate hierarchies drawn side by side]
Certificate Distribution
- Scale: 197,709 active prefixes; 19,357 unique ASes; >50,000 organizations
- BGP Update message MTU: 4KB; S-BGP X.509 certificates: 600 bytes
- Store certificates/CRLs locally: >200MB
S-BGP Address Attestations (AAs)
- Authorize ASes to originate routes
- CAs prepare and distribute AAs
- Long-lived, need revocation
[Figure: IP address allocation hierarchy ICANN -> APNIC / ARIN / RIPE / ... -> AT&T / ... -> ISP / DSP / Subscribers; an AA issued by orgx carries {prefix list, ASN}]
Origin Authentication (OA)
- Short-lived attestations
- Possible in-band transmission for address delegation paths (IANA -> APNIC / ARIN / RIPE / ... -> AT&T -> ISP / DSP / Subscribers -> AS1, AS2, ..., ASk)
- Variants ({...}K denotes a signature under key K):
  - OA-Simple: {(p, org)}K
  - OA-List: {(p1, org1), (p2, org2), ..., (pi, orgi)}K
  - OA-AS-List: {(p1, p2, ..., pk, org)}K
  - OA-Tree: Merkle hash tree with leaves (pi, orgi)
Aiello, Ioannidis, and McDaniel. "Origin Authentication in Interdomain Routing". CCS 2003
Evaluation Methodology
- AS-level network simulation: 110 ASes
- BGP router under stress: router reboot
- PKI model: ASes, routers, organizations, CAs, directories, and OCSP responders
  - Routers trust the roots and OCSP responders; may trust other CAs as well
  - Check certificate revocation status: OCSP (sequential or parallel requests) or CRLs (fetch fresh copies)
- Reduced OA: approximate delegation graph
- Metrics: speed (BGP convergence time), memory, message size
OA Signature Performance—Convergence
- Slight slowdown in convergence time
Convergence time (seconds):
  BGP          153.7
  OA-Simple    181.3
  OA-List      166
  OA-AS-List   155.1
  OA-Tree      156.2
OA Signature Performance—Storage
- Different costs on memory and message size
- OA-AS-List is most efficient
- Possible in-band transmission
Attestation construction   Memory for attestations (KB)   Message size (bytes)
OA-Simple                  42.80                          496.97
OA-List                    666.27                         36293.37
OA-AS-List                 13.23                          575.35
OA-Tree                    30.22                          1029.24
OA Performance—OCSP Requests
- ≈ 68,000 OCSP requests
Convergence time of OCSP requests (seconds):
  BGP               153.7
  OA-AS-List        155.1
  Sequential OCSP   2420.9
  Parallel OCSP     938.7
OA Performance—CRL Fetching
[Figure: convergence time of CRL fetching (seconds, axis 150 to 210) versus number of expired CRLs (0 to 120)]
Secure BGP (S-BGP)
- AS path: Route Attestations (RAs); prefix: Address Attestations (AAs)
- IP address owners create AAs; X.509 certificates for IP address allocation bind (prefix1, ..., prefixk, orgy): address assignment
- Routers create RAs; X.509 certificates for AS numbers and routers bind (AS, AS#, PK) and (RtrID, AS#, PK)
S-BGP Route Attestations (RAs)
- Router signs (new AS number, prefix, next_hop) and sends all previous signatures along with it
- Verifying AS path {1, 2, 3} needs 3 signature verifications
- Signing AS path {1, 2, 3} creates n signatures, one per AS
- Signature algorithm: DSA
[Figure: AS1 signs (1, p, 2) to AS2; AS2 signs (2, p, 3) to AS3; AS3 signs (3, p, 4) to AS4, which receives ({3, 2, 1}, p)]
Signature Amortization (S-A)
- Fast signature verification: RSA
- Few signature signings: aggregate messages using bit vectors or Merkle hash trees, with auxiliary values for each signature
[Figure: router output buffers B1, B2, ..., Bk hold messages m1, m2, ..., mk; the grouped messages are hashed into one aggregated hash, which is signed once]
"Evaluation of efficient security for BGP route announcements using parallel simulation". Nicol, Smith, and Zhao. Simulation Modelling Practice and Theory, Vol. 12, Issues 3-4, 2004
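Added example, not code from the slides or from the S-BGP/S-A authors: a Python sketch of two of the constructions above, using a toy textbook-RSA signature so it runs offline. The first part builds S-BGP-style nested route attestations, where each AS signs over (AS number, prefix, next hop) plus every earlier signature, so a receiver of AS path {1, 2, 3} verifies 3 signatures and a path with a hop removed fails. The second part is Merkle-tree signature amortization: one signature over the tree root covers a whole output buffer, and each message carries only its auxiliary hashes (OA-Tree is the same tree over (prefix, org) leaves). The key (two Mersenne primes), the AS numbers, the buffered messages and all function names are constructed assumptions.

```python
import hashlib

# --- Toy textbook RSA (constructed demo key, no padding) standing in for the
# --- RSA/DSA signatures of the slides so that the example runs offline.
P, Q = (1 << 127) - 1, (1 << 89) - 1      # two Mersenne primes (demo only)
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
SIG_BYTES = (N.bit_length() + 7) // 8     # 27 here; 128 for the RSA in the benchmarks
HASH_BYTES = 32                           # SHA-256 output; the slides use 20-byte SHA-1

def _digest(data: bytes) -> int:
    # 192-bit truncation keeps the value below the 216-bit modulus
    return int.from_bytes(hashlib.sha256(data).digest()[:24], "big")

def sign(data: bytes) -> int:
    return pow(_digest(data), D, N)

def verify(data: bytes, sig: int) -> bool:
    return pow(sig, E, N) == _digest(data)

# --- S-BGP route attestations: one nested signature per hop ------------------
def ra_payload(as_num: int, prefix: str, next_hop: int, prev_sigs: list) -> bytes:
    # An RA covers (signing AS, prefix, next-hop AS) and every earlier signature,
    # so a hop cannot be dropped or reordered without breaking the chain.
    return f"{as_num}|{prefix}|{next_hop}|{','.join(map(str, prev_sigs))}".encode()

def ra_sign_path(aspath: list, prefix: str, dest: int) -> list:
    """Each AS on aspath appends its RA before forwarding: n ASes -> n signatures."""
    hops, sigs = aspath + [dest], []
    for i in range(len(aspath)):
        sigs.append(sign(ra_payload(hops[i], prefix, hops[i + 1], sigs)))
    return sigs

def ra_verify_path(aspath: list, prefix: str, dest: int, sigs: list) -> int:
    """Return the number of signatures verified (len(aspath)), or -1 on failure."""
    hops = aspath + [dest]
    if len(sigs) != len(aspath):
        return -1
    for i in range(len(aspath)):
        if not verify(ra_payload(hops[i], prefix, hops[i + 1], sigs[:i]), sigs[i]):
            return -1
    return len(aspath)

# --- Merkle-tree amortization (S-A over a router's output buffer; OA-Tree
# --- uses the same tree over (prefix, org) leaves) ---------------------------
def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _padded(level: list) -> list:
    # An odd last node is paired with a copy of itself
    return level + [level[-1]] if len(level) % 2 else level

def merkle_levels(leaves: list) -> list:
    """All levels of the tree, leaf hashes first, root last."""
    level = [_h(m) for m in leaves]
    levels = [level]
    while len(level) > 1:
        p = _padded(level)
        level = [_h(p[i] + p[i + 1]) for i in range(0, len(p), 2)]
        levels.append(level)
    return levels

def auth_path(levels: list, index: int) -> list:
    """Auxiliary values for leaf `index`: (is_right, sibling hash) per level."""
    path = []
    for level in levels[:-1]:
        path.append((index & 1, _padded(level)[index ^ 1]))
        index //= 2
    return path

def root_from_path(msg: bytes, path: list) -> bytes:
    node = _h(msg)
    for is_right, sibling in path:
        node = _h(sibling + node) if is_right else _h(node + sibling)
    return node

def sa_sign_buffer(msgs: list) -> tuple:
    """One signature over the root covers every buffered message."""
    levels = merkle_levels(msgs)
    return sign(levels[-1][0]), [auth_path(levels, i) for i in range(len(msgs))]

def sa_verify(msg: bytes, path: list, root_sig: int) -> bool:
    # The receiver rebuilds the root from the message and its auxiliary values
    return verify(root_from_path(msg, path), root_sig)

def sa_overhead(path: list) -> int:
    """Bytes added to one message: the shared signature plus its auxiliary hashes."""
    return SIG_BYTES + HASH_BYTES * len(path)

def demo() -> tuple:
    prefix = "129.170.0.0/16"                      # example prefix from the slides
    sigs = ra_sign_path([1, 2, 3], prefix, 4)      # AS1 -> AS2 -> AS3 -> AS4
    assert ra_verify_path([1, 2, 3], prefix, 4, sigs) == 3
    # Removing AS2 from the path invalidates AS1's attestation of next hop 2
    assert ra_verify_path([1, 3], prefix, 4, [sigs[0], sigs[2]]) == -1
    # S-A: 60 buffered updates (constructed), one signature, six hashes each
    msgs = [f"3|{prefix}|4|update-{i}".encode() for i in range(60)]
    root_sig, paths = sa_sign_buffer(msgs)
    assert all(sa_verify(m, p, root_sig) for m, p in zip(msgs, paths))
    return len(sigs), len(paths[0]), sa_overhead(paths[0])

if __name__ == "__main__":
    print(demo())   # (3, 6, 219)
```

With 60 buffered messages the tree has six levels, so each message ships the one shared signature plus six hashes instead of its own signature; this is the trade the S-A memory and message-size charts measure, since the auxiliary values and buffered state cost memory while signing work drops to one operation per buffer.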
Sequential Aggregate Signature (SAS)
- k signers {s1, s2, ..., sk}, k messages {m1, m2, ..., mk}, one aggregate signature σ
- One aggregate signature for the entire AS path: (1, p, 2), (2, p, 3), (3, p, 4) -> σ
Lysyanskaya et al. "Sequential Aggregate Signatures from Trapdoor Permutations". Eurocrypt 2004
PA Signature Performance—Convergence
- S-A converges fast: aggregates 60 messages
Convergence time (seconds):
  BGP            153.7
  S-BGP          621.1
  S-BGP (c p)    224.4
  S-A            168.5
  SAS            507.5
PA Signature Performance—Message
- SAS: shortest messages; S-A: longest messages
Message size (bytes):
  BGP      36.1
  S-BGP    318.6
  S-A      1107.1
  SAS      184.3
PA Signature Performance—Memory
- S-A is expensive on memory
Memory (kilobytes):
  BGP      9
  S-BGP    112.2
  S-A      314.3
  SAS      122
PA PKI Performance—OCSP Requests
- ≈ 88,000 OCSP requests
Convergence time of OCSP requests (seconds):
  BGP               153.7
  S-BGP             224.3
  Sequential OCSP   2720.4
  Parallel OCSP     334.3
PA PKI Performance—CRL Fetching
[Figure: convergence time of CRL fetching (seconds, axis 220 to 290) versus number of expired CRLs (0 to 120)]
Related Work
- S-BGP [Kent:NDSS00]
- OASim [Aiello:CCS03]
- psBGP [Wan:NDSS05]
- Listen and Whisper [Subramanian:NSDI04]
- Symmetric cryptography: potentially more efficient; key distribution [Goodrich00]; time synchronization [Hu:SIGCOMM04]
Conclusions
- PKI proposed for a REAL problem
- Large-scale network simulation
- Performance trade-offs
  - PKIs: S-BGP certificate out-of-band transmission vs. OA in-band transmission; OCSP timely notification vs. CRLs fast status checking
  - Signature processing: S-A fast speed vs. SAS short messages
Next Steps
- More efficient public key cryptography: combine S-A and SAS
- Certificate-using decisions: revoke routes if a certificate is revoked?
- Comprehensive PKI simulation model: issuing/revoking activity; certification path discovery/validation
Thank you!
Sun Microsystems, Mellon Foundation, Cisco Systems, Intel Corporation, NSF, DoJ/DHS
Email: zhaom@cs.dartmouth.edu
Homepage: http://www.cs.dartmouth.edu/~zhaom
Benchmarks
Lengths: SHA-1 hash 20 bytes; MD5 hash 16 bytes; attestation 110 bytes; certificate 600 bytes; identifier 4 bytes

Algorithm   Verify time (ms)   Sign time (ms)   Signature length (bytes)
RSA         2.5                50.0             128
DSA         31.0               25.5             40
DSA(p)      31.0               0.015            40
SAS         2.5                50.0             128

Operation      Latency (seconds)
OCSP request   0.5-1.0
CRL fetching   0.5-1.0