While tremendous effort has been devoted in the last years to application-level security and a number of effective new technologies and paradigms have been developed and implemented, there is a lack of research and testing about the network infrastructure-level attacks, particularly pertaining to routing protocol and network devices’ security. Since routing protocols are the main responsible for maintaining network connectivity for all the IP traffic, we can surely say that routing security is an essential issue for the entire network infrastructure. Correct operation of dynamic routing protocols depends upon the integrity, authenticity and timeliness of the control and reachability information they distribute. Because of the lack of a scalable means of verifying the authenticity and legitimacy of the routing control traffic, almost all the existing routing protocols are extremely vulnerable to a variety of malicious attacks and faulty, misconfigured or deliberately malicious sources can disrupt overall Internet behavior by injecting bogus routing information into the distributed routing tables (by modifying, forging, or replaying routing protocol packets). Consequently, it is an accepted fact that control and routing protocols need stronger security than the one that can be reached by simply using packet filtering or providing simple plain-text or hashed password authentication for their sessions. To cope with the above problems we propose a framework for routing security hardening based on three types of public key cryptographic protection schemes: secure neighbor-to-neighbor communication, authentication, and authorization. This framework, capable of supporting all the above protection schemes for the major routing protocols implementing the concept of neighborship, will be based on a scalable, standards-based hierarchical PKI architecture structured according to the complex Internet routing environment to provide efficient key management/distribution and to verify and validate the routing-related identities and authorizations.
[1]
Yakov Rekhter,et al.
A Border Gateway Protocol 4 (BGP-4)
,
1994,
RFC.
[2]
Brian Wellington,et al.
OSPF with Digital Signatures
,
1997,
RFC.
[3]
Russ Housley,et al.
Internet X.509 Public Key Infrastructure Certificate and CRL Profile
,
1999,
RFC.
[4]
Christian Huitema,et al.
Routing in the Internet
,
1995
.
[5]
John Moy,et al.
OSPF Version 2
,
1998,
RFC.
[6]
Radia J. Perlman,et al.
Network layer protocols with Byzantine robustness
,
1988
.
[7]
Stephen T. Kent,et al.
Secure Border Gateway Protocol (S-BGP)
,
2000,
IEEE Journal on Selected Areas in Communications.
[8]
Randall J. Atkinson,et al.
Security Architecture for the Internet Protocol
,
1995,
RFC.