The Multiple Benefits of a Secure Transport for BGP

Thomas Wirtgen, Nicolas Rybowski, Cristel Pelsser and Olivier Bonaventure


Abstract

BGP distributes prefixes advertised by Autonomous Systems (ASes) and computes the best paths between them. It is the only routing protocol used to exchange interdomain routes on the Internet. Since its original definition in the late 1980s, BGP has run over TCP. To prevent attacks, BGP has been extended with features such as TCP-MD5, TCP-AO, GTSM and data-plane filters. However, these ad hoc solutions were introduced gradually as the Internet grew. In parallel, TLS was standardized to secure end-to-end data-plane communications, and today a large proportion of Internet traffic is secured using TLS. Surprisingly, BGP still does not use TLS, even though TLS provides adequate security features for establishing BGP sessions. In this paper, we make the case for using a secure transport with BGP. This can be achieved with TLS combined with TCP-AO, or by replacing TCP with QUIC. Either option protects the BGP stream using established secure transport protocols. In addition, we show that a secure transport using X.509 certificates enables BGP routers to be securely and automatically configured from these certificates. We extend the open-source BIRD BGP daemon to support TLS with TCP-AO and QUIC and to handle such certificates, and we demonstrate several use cases that benefit from the secure and automated capabilities enabled by our proposal.

Publication Details

Publication Type: Journal Article
Publication Date: November 2024
Published In: Proceedings of the ACM on Networking
Volume & Issue: Vol. 2, No. CoNEXT4
Publisher: Association for Computing Machinery
Location: New York, NY, USA
Digital Object Identifier (DOI): 10.1145/3696406

Suggested citation

Thomas Wirtgen, Nicolas Rybowski, Cristel Pelsser, and Olivier Bonaventure. 2024. The Multiple Benefits of a Secure Transport for BGP. In Proceedings of the ACM on Networking. Association for Computing Machinery, New York, NY, USA. https://doi.org/10.1145/3696406

BibTeX Citation

@article{Wirtgen2024,
	title        = {The Multiple Benefits of a Secure Transport for BGP},
	author       = {Wirtgen, Thomas and Rybowski, Nicolas and Pelsser, Cristel and Bonaventure, Olivier},
	year         = 2024,
	month        = nov,
	journal      = {Proceedings of the ACM on Networking},
	publisher    = {Association for Computing Machinery},
	address      = {New York, NY, USA},
	volume       = 2,
	number       = {CoNEXT4},
	doi          = {10.1145/3696406},
	url          = {https://doi.org/10.1145/3696406},
	abstract     = {BGP distributes prefixes advertised by Autonomous Systems (ASes) and computes the best paths between them. It is the only routing protocol used to exchange interdomain routes on the Internet. Since its original definition in the late 1980s, BGP uses TCP. To prevent attacks, BGP has been extended with features such as TCP-MD5, TCP-AO, GTSM and data-plane filters. However, these ad hoc solutions were introduced gradually as the Internet grew. In parallel, TLS was standardized to secure end-to-end data-plane communications. Today, a large proportion of the Internet traffic is secured using TLS. Surprisingly, BGP still does not use TLS despite its adequate security features to establish BGP sessions. In this paper, we make the case for using a secure transport with BGP. This can be achieved with TLS combined with TCP-AO or by replacing TCP by QUIC. This protects the BGP stream using established secure transport protocols. In addition, we show that a secure transport using X.509 certificates enables BGP routers to be securely and automatically configured from these certificates. We extend the open-source BIRD BGP daemon to support TLS with TCP-AO and QUIC, to handle such certificates and demonstrate several use cases that benefit from the secure and automated capabilities enabled by our proposal.},
	articleno    = 36,
	groups       = {International Journals and Magazines},
	issue_date   = {December 2024},
	keywords     = {bgp, certificates, network automation, quic, tls, x.509 certificates},
	numpages     = 23
}
