Adversaries can exploit inter-domain routing vulnerabilities to intercept communication and compromise the security of critical Internet applications. Meanwhile the deployment of secure routing solutions such as Border Gateway Protocol Security (BGPsec) and Scalability, Control and Isolation On Next-generation networks (SCION) are still limited. How can we leverage emerging secure routing backbones and extend their security properties to the broader Internet? We design and deploy an architecture to bootstrap secure routing. Our key insight is to abstract the secure routing backbone as a virtual Autonomous System (AS), called Secure Backbone AS (SBAS). While SBAS appears as one AS to the Internet, it is a federated network where routes are exchanged between participants using a secure backbone. SBAS makes BGP announcements for its customers' IP prefixes at multiple locations (referred to as Points of Presence or PoPs) allowing traffic from non-participating hosts to be routed to a nearby SBAS PoP (where it is then routed over the secure backbone to the true prefix owner). In this manner, we are the first to integrate a federated secure non-BGP routing backbone with the BGP-speaking Internet. We present a real-world deployment of our architecture that uses SCIONLab to emulate the secure backbone and the PEERING framework to make BGP announcements to the Internet. A combination of real-world attacks and Internet-scale simulations shows that SBAS substantially reduces the threat of routing attacks. Finally, we survey network operators to better understand optimal governance and incentive models.
翻译:反versaries 能够利用路由安全漏洞拦截通信并损害关键互联网应用的安全性; 同时,部署安全路线解决办法,如边境网关协议安全(BGPsec)和下一代网络的扩缩、控制和隔离(SCION)仍然有限; 我们如何利用新出现的安全路线主干网,并将其安全特性扩展到更广泛的互联网? 我们设计并部署一个架构,以诱导安全路线; 我们的关键见解是将安全路线主干网作为虚拟自动系统(AS),称为安全后骨AS(SBAS)。 虽然SBS是互联网的运行者之一,但它是一个连接网络的网络,参与者使用安全的主干网进行线路交换。 SBSAS在多个地点(称为存在点或POPs)为客户的IP前缀发布BGP公告; 我们设计和部署非参加方主干线主网的交通网路连接到附近的SSAS SEB 网络安全脊椎框架(随后将安全线路连接到真正的前所有者) 。 在这种方式中,我们首先把互联网的互联网安全路线连接网路路路路段的S-BIL 向目前的SL 的网络连接连接连接连接连接连接化。