Abstract
BGP is a gaping security hole in today's Internet, as evidenced by numerous Internet outages and blackouts, repeated traffic hijacking, and surveillance incidents. To protect against prefix hijacking, the Resource Public Key Infrastructure (RPKI) has been standardized. Yet, despite Herculean efforts, ubiquitous deployment of the RPKI remains distant, due to RPKI's manual and error-prone certification process. We argue that deploying origin authentication at scale requires substituting the standard requirement of certifying legal ownership of IP address blocks with the goal of certifying de facto ownership. We show that settling for de facto ownership is sufficient for protecting against hazardous prefix hijacking and can be accomplished without requiring any changes to today's routing infrastructure. We present DISCO, a readily deployable system that automatically certifies de facto ownership and generates the appropriate BGP-path-filtering rules at routers. We evaluate DISCO's security and deployability via live experiments on the Internet using a prototype implementation of DISCO and through simulations on empirically-derived datasets. To facilitate the reproducibility of our results, we open source our prototype, simulator, and measurement analysis code [30].
Original language | English |
---|---|
Title of host publication | 27th Annual Network and Distributed System Security Symposium, NDSS 2020 |
Publisher | The Internet Society |
ISBN (Electronic) | 1891562614, 9781891562617 |
State | Published - 2020 |
Event | 27th Annual Network and Distributed System Security Symposium, NDSS 2020 - San Diego, United States. Duration: 23 Feb 2020 → 26 Feb 2020 |
Publication series
Name | 27th Annual Network and Distributed System Security Symposium, NDSS 2020 |
---|
Conference
Conference | 27th Annual Network and Distributed System Security Symposium, NDSS 2020 |
---|---|
Country/Territory | United States |
City | San Diego |
Period | 23/02/20 → 26/02/20 |
Bibliographical note
Publisher Copyright: © 2020 27th Annual Network and Distributed System Security Symposium, NDSS 2020. All Rights Reserved.