(R)Evolutionary Bootstrapping of a Global PKI for Securing BGP

Yih Chun Hu, David McGrew, Adrian Perrig, Brian Weis, Dan Wendlandt

Research output: Contribution to conference › Paper › peer-review


Most secure routing proposals require the existence of a global public-key infrastructure (PKI) to bind a public/private key-pair to a prefix, in order to authenticate route originations of that prefix. A major difficulty in secure routing deployment is the mutual dependency between the routing protocol and the establishment of a globally trusted PKI for prefixes and ASes: cryptographic mechanisms used to authenticate BGP Update messages require a PKI, but without a secure routing infrastructure in place, Internet registries and ISPs have little motivation to invest in the development and deployment of this PKI. This paper proposes a radically different mechanism to resolve this dilemma: an evolutionary Grassroots-PKI that bootstraps by letting any routing entity announce self-signed certificates to claim their address space. Despite the simple optimistic security of this initial stage, we demonstrate how a Grassroots-PKI provides ASes with strong incentives to evolve the infrastructure into a full top-down hierarchical PKI, as proposed in secure routing protocols like S-BGP. Central to the Grassroots-PKI concept is an attack recovery mechanism that by its very nature moves the system closer to a global PKI. This admittedly controversial proposal offers a rapid and incentive-compatible approach to achieving a global routing PKI.

Original language: English (US)
Number of pages: 6
State: Published - 2006
Externally published: Yes
Event: 5th ACM Workshop on Hot Topics in Networks, HotNets 2006 - Irvine, United States
Duration: Nov 29 2006 → Nov 30 2006


Conference: 5th ACM Workshop on Hot Topics in Networks, HotNets 2006
Country/Territory: United States

ASJC Scopus subject areas

  • Computer Networks and Communications

