The popularity of the current generation of Internet protocols such as BGP and DNS is not in doubt. However, they were designed during an era when malicious intent was not considered a serious issue to grapple with. Each domain administrator was able to manage and configure the administrative entities in that domain easily.
However, as the scale of the Internet grew rapidly, more so in recent years, such issues have come to the fore. Consider the example of BGP. It was identified that 8% of all BGP routes are erroneous. Similarly, attacks on the Internet have the potential to bring it down for a significant amount of time, resulting in enormous economic loss. Attacks could arise from an incorrect configuration of routers, from malicious intent, or from personal or economic considerations. For example, peer BGP routers could be configured so as to make certain routes preferable or non-preferable. A router can advertise incorrect routing updates, resulting in wrong routing information at other routers. Hence, it is important that security issues be identified in the current generation of Internet protocols.
Security weaknesses in routing protocols need not be solely due to incorrect routing information. An attacker can use the actual packet delivery phase, the data plane, to divert packets along routes that are different from the computed and advertised routes. These are much harder to detect in general.
The project aims to understand the security weaknesses in the currently used Internet protocols such as BGP and DNS and to propose efficient mechanisms to address the identified weaknesses. While there has been a lot of work in recent years in this direction, the practicality of the proposed schemes is a major concern. Many of the existing schemes make use of public-key cryptosystems, such as RSA, that are not as practical as symmetric-key systems. Moreover, the proposed mechanisms should have properties such as being lightweight, provably secure, and incrementally deployable. The proposed mechanisms should be lightweight so that the additional computational or storage burden is kept as small as possible. Incremental deployability is required so that the solution can be deployed even at a few routers and the new mechanism can continue to operate with the existing protocols.