soBGP (Secure Origin BGP)
A proposed specification for adding security to BGP, backed by Cisco and some ISPs as an alternative to BBN's S-BGP.
Under soBGP, ISPs can authenticate route advertisements and implement policy on them. Backers say this is a significant improvement over S-BGP.
"[With S-BGP, the] downstream service provider cannot apply a policy that says, 'I'm going to accept this prefix from you but not that one,'" says Cisco Fellow Fred Baker, former chair of the IETF. "It fundamentally breaks BGP's ability to be used in a policy system where you might redivide the information. S-BGP is the right concept, but it's put together in a way that an ISP can't really effectively use."
But Steve Kent, chief scientist for information security at BBN, which developed S-BGP, counters: "Some of the options offered in soBGP would be disastrous from a security standpoint. There are concerns that soBGP doesn't architecturally nail things down."
From Fortifying BGP: No quick fix, Network World, 10/06/03.
Under soBGP, digital certificates are used to authorize and authenticate packets. It also proposes a new mechanism to relay information about the security of the routing system outside of the routing system itself:
[T]o advertise certificates in much the same way as routing information is propagated today through an interdomain protocol. Currently the soBGP drafts specify a new type of BGP message, the SECURITY message, which can be used to transport the required certificates, the EntityCert, the PrefixPolicyCert, and the ASPolicyCert, throughout an internetwork. Other methods of transporting data such as these certificates throughout an internetwork are currently being pursued by the IETF; if other methods are offered, soBGP could transport certificates across any such distribution mechanism.
From Securing BGP Through Secure Origin BGP
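The certificate roles and the per-prefix policy point above, as an added example that is not from the soBGP drafts or the articles quoted here: a simplified Go model in which EntityCert keys and PrefixPolicyCerts learned through SECURITY messages validate a route's origin, and a separate, uncertified local policy decides which authorized prefixes to accept from each peer. The Ed25519 signatures, the signed message layout, the "covers" rule for more-specifics, and all AS numbers and prefixes are assumptions of this model, not soBGP's actual encoding.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"net/netip"
)

// PrefixPolicyCert (simplified model, not soBGP's wire encoding): the AS's key signs a claim that the AS may originate Prefix.
type PrefixPolicyCert struct {
	Prefix netip.Prefix
	AS     uint32
	Sig    []byte
}
// ppcBytes is the assumed to-be-signed layout of a PrefixPolicyCert.
func ppcBytes(p netip.Prefix, as uint32) []byte {
	return []byte(fmt.Sprintf("PrefixPolicyCert|%s|AS%d", p, as))
}
// SignPrefixPolicy issues a cert with the origin AS's private key.
func SignPrefixPolicy(p netip.Prefix, as uint32, priv ed25519.PrivateKey) PrefixPolicyCert {
	return PrefixPolicyCert{p, as, ed25519.Sign(priv, ppcBytes(p, as))}
}
// Validator holds what a router learned from certs carried in SECURITY messages
// (EntityCert keys, PrefixPolicyCerts) plus its own, uncertified local policy.
type Validator struct {
	Entities  map[uint32]ed25519.PublicKey // AS number -> key, from EntityCerts
	Policies  []PrefixPolicyCert
	PeerAllow map[uint32][]netip.Prefix // prefixes this router agrees to take from each peer
}
func covers(c, p netip.Prefix) bool { return c.Bits() <= p.Bits() && c.Contains(p.Addr()) }
// OriginAuthorized: a PrefixPolicyCert for origin verifies under the origin's EntityCert key and covers the prefix.
func (v *Validator) OriginAuthorized(prefix netip.Prefix, origin uint32) bool {
	key, ok := v.Entities[origin]
	for _, c := range v.Policies {
		if ok && c.AS == origin && covers(c.Prefix, prefix) && ed25519.Verify(key, ppcBytes(c.Prefix, c.AS), c.Sig) {
			return true
		}
	}
	return false
}
// Accept layers local policy over origin validation, so a provider can take one
// authorized prefix from a peer and still refuse another from the same peer.
func (v *Validator) Accept(peer uint32, prefix netip.Prefix, origin uint32) bool {
	for _, p := range v.PeerAllow[peer] {
		if covers(p, prefix) {
			return v.OriginAuthorized(prefix, origin)
		}
	}
	return false
}
```

A cert signed by a key that does not match the origin's EntityCert, or a route from an AS with no EntityCert at all, fails OriginAuthorized regardless of peer policy.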
Additional resources
Latest soBGP drafts and presentations