Evaluation of efficient security for BGP route announcements using parallel simulation

David M. Nicol, Sean W. Smith, Meiyuan Zhao

Research output: Contribution to journalArticlepeer-review

Abstract

The Border Gateway Protocol (BGP) determines how Internet traffic is routed throughout the entire world; malicious behavior by one or more BGP speakers could create serious security issues. Since the protocol depends on a speaker honestly reporting path information sent by previous speakers and involves a large number of independent speakers, the Secure BGP (S-BGP) approach uses public-key cryptography to ensure that a malicious speaker cannot fabricate this information. However, such public-key cryptography is expensive: S-BGP requires a digital signature operation on each announcement sent to each peer, and a linear (in the length of the path) number of verifications on each receipt. We use simulation of AS models derived from the Internet to evaluate the impact that the processing costs of cryptography have on BGP convergence time. As the size of these models grows, inherent memory requirements grow beyond what is normally available in serial computers, motivating us to use distributed memory cluster computers, just to hold the model state. We find that under heavy load the convergence time using ordinary S-BGP is significantly larger than BGP. We examine the impact of highly aggressive caching and pre-computation optimizations for S-BGP, and find that convergence time is much closer to BGP. However, these optimizations may be unrealistic, and are certainly expensive of memory. We consequently use the structure of BGP processing to design optimizations that reduce cryptographic overhead by amortizing the cost of private-key signatures over many messages. We call this method Signature-Amortization (S-A). We find that S-A provides as good or better convergence times as the highly optimized S-BGP, but without the cost and complications of caching and pre-computation. These experiments - whose memory demands easily exceed 10Gb - are made possible using parallel simulation. They show that it is is possible therefore to minimize the impact route validation has on convergence, by being careful with signatures, rather than consumptive of memory.

Original languageEnglish (US)
Pages (from-to)187-216
Number of pages30
JournalSimulation Modelling Practice and Theory
Volume12
Issue number3-4 SPEC. ISS.
DOIs
StatePublished - Jul 2004

Keywords

  • Inter domain routing
  • Parallel simulation for routing
  • S-BGP

ASJC Scopus subject areas

  • Software
  • Modeling and Simulation
  • Hardware and Architecture

Fingerprint Dive into the research topics of 'Evaluation of efficient security for BGP route announcements using parallel simulation'. Together they form a unique fingerprint.

Cite this