Creating a Secure Underlay for the Internet

Birge-Lee, Henry; Wanner, Joel; Cimaszewski, Grace; Kwon, Jonghoon; Wang, Liang; Wirz, Francois; Mittal, Prateek; Perrig, Adrian; Sun, Yixin

Creating a Secure Underlay for the Internet

METADATA ONLY

Author / Producer

Birge-Lee, Henry

Wanner, Joel person

Cimaszewski, Grace

Date

2022

Publication Type

Conference Paper

ETH Bibliography

yes

METADATA ONLY

Abstract

Adversaries can exploit inter-domain routing vulnerabilities to intercept communication and compromise the security of critical Internet applications. Meanwhile the deployment of secure routing solutions such as Border Gateway Protocol Security (BGPsec) and Scalability, Control and Isolation On Next-generation networks (SCION) are still limited. How can we leverage emerging secure routing backbones and extend their security properties to the broader Internet? We design and deploy an architecture to bootstrap secure routing. Our key insight is to abstract the secure routing backbone as a virtual Autonomous System (AS), called Secure Backbone AS (SBAS). While SBAS appears as one AS to the Internet, it is a federated network where routes are exchanged between participants using a secure backbone. SBAS makes BGP announcements for its customers' IP prefixes at multiple locations (referred to as Points of Presence or PoPs) allowing traffic from non-participating hosts to be routed to a nearby SBAS PoP (where it is then routed over the secure backbone to the true prefix owner). In this manner, we are the first to integrate a federated secure non-BGP routing backbone with the BGP-speaking Internet. We present a real-world deployment of our architecture that uses SCIONLab to emulate the secure backbone and the PEERING framework to make BGP announcements to the Internet. A combination of real-world attacks and Internet-scale simulations shows that SBAS substantially reduces the threat of routing attacks. Finally, we survey network operators to better understand optimal governance and incentive models.

Permanent link

http://hdl.handle.net/20.500.11850/579336

Publication status

published

External links

https://www.usenix.org/conference/usenixsecurity22/presentation/birge-lee north_east

Book title

Proceedings of the 31st Usenix Security Symposium

Pages / Article No.

2601 - 2618

Publisher

USENIX Association

Event

31st USENIX Security Symposium (USENIX Security 2022)

Organisational unit

03975 - Perrig, Adrian / Perrig, Adrian check_circle

More

Show all metadata

Creating a Secure Underlay for the Internet

Author / Producer

Date

Publication Type

ETH Bibliography

Citations

Altmetric

Data

Rights / License

Abstract

Permanent link

Publication status

External links

Editor

Book title

Journal / series

Volume

Pages / Article No.

Publisher

Event

Edition / version

Methods

Software

Geographic location

Date collected

Date created

Subject

Organisational unit

Notes

Funding

Related publications and datasets

More