Author | Hlavacek, Tomas; Cunha, Italo; Gilad, Yossi; Herzberg, Amir; Katz-Bassett, Ethan; Schapira, Michael; Shulman, Haya |
---|
Abstract | BGP is a gaping security hole in todays Internet, as evidenced by numerous Internet outages and blackouts, repeated traffic hijacking, and surveillance incidents. To protect against prefix hijacking, the Resource Public Key Infrastructure (RPKI) has been standardized. Yet, despite Herculean efforts, ubiquitous deployment of the RPKI remains distant, due to RPKIs manual and error-prone certification process. We argue that deploying origin authentication at scale requires substituting the standard requirement of certifying legal ownership of IP address blocks with the goal of certifying de facto ownership. We show that settling for de facto ownership is sufficient for protecting against hazardous prefix hijacking and can be accomplished without requiring any changes to todays r outing infrastructure. We present DISCO, a readily deployable system that automatically certifies de facto ownership and generates the appropriate BGP path-filtering rules at routers. We evaluate DISCOs security and deployability via live experiments on the Internet using a prototype implementation of DISCO and through simulations on empirically-derived datasets. To facilitate the reproducibility of our results, we open source our prototype, simulator, and measurement analysis code [30]. |
---|