January 14, 2020


High Performance BGP Security: Algorithms and Architectures


Talk Title High Performance BGP Security: Algorithms and Architectures
Speakers Mehmet Adalier (Antara Teknik LLC), Kotikalapudi Sriram (National Institute of Standards and Technology)
Conference NANOG69
Location Washington, D.C.
Date Feb 6 2017 - Feb 8 2017

The BGPsec protocol addresses several vulnerabilities associated with BGP. In particular, it provides cryptographic protection against prefix mis-originations and AS path attacks. However, the required cryptographic processing imposes additional workload on the route processor in edge routers. In this talk, we first provide insight into the nature of the computational complexities associated with BGPsec update processing. We then propose and evaluate optimizations for BGPsec update processing, including algorithmic, field-level, and group-level optimizations. We quantify the impact of these optimizations on BGPsec processing at the core cryptographic operations level as well as at the update message processing level. ECDSA signing and verification speeds with the proposed enhancements are compared against the fastest available OpenSSL implementation for the same. Further, we also report results on the speed of BGPsec update processing, including the essential BGPsec functions such as data assembly, packet parsing, sorting AS path segments, fetching public keys, and executing ECDSA P256 signing and verification. Finally, we make use of reasonable projections for IPv4 and IPv6 growth rates, BGPsec adoption rate, and processor speedup, and present a model for BGPsec routing convergence time. This model considers BGPsec processing as incremental to the basic BGP processing, which includes best path selection, route filtering, applying policy filters, etc. A relative comparison is provided for convergence time projections for the BGP-only scenario vs. the mixed (BGP + BGPsec) scenario, which assumes that BGPsec adoption takes about two decades to go from zero to nearly complete global adoption.
