Don't Secure Routing Protocols, Secure Data Delivery

HotNets(2006)

Abstract
Internet routing and forwarding are vulnerable to attacks and misconfigurations that compromise secure communications between end systems. With networks facing external attempts to compromise their routers [3] and insiders able to commandeer infrastructure, subversion of Internet communication is an ever more serious threat. Much prior work has proposed to improve communication security with secure interdomain routing protocols (e.g., S-BGP [10] and so-BGP [12]). We argue that solving the problem of secure routing is both harder and less effective than directly solving the core problems needed to communicate securely: end-to-end confidentiality, integrity, and availability. Secure routing protocols focus on providing origin authentication and path validity, identified as necessary by the IETF to secure BGP [7]. Unfortunately, these properties are both too little and too much:

Secure routing is too little: As we discuss further in §2, secure routing does not completely address the core problems in secure communication. For example, it cannot prevent adversaries on the communication path from eavesdropping or modifying data traffic. Hosts must still use end-to-end cryptography to defend against these attacks. Similarly, secure routing cannot detect or prevent packet loss due to data-plane bugs, misconfigurations, or attacks.

Secure routing is too much: The mechanisms behind secure routing, both cryptographic and administrative, are painfully heavy-weight. They require router hardware upgrades for cryptographic processing, time-consuming maintenance of address registries, and a new public key infrastructure (PKI).

Recognizing that a secure version of BGP will be difficult to deploy, yet provide only limited protection, we ask: what is the best division of labor between end systems (end hosts, or edge routers acting on behalf of end hosts) and the routing infrastructure to provide secure, robust communication?

The answer, we argue, is that the routing infrastructure must only provide availability, i.e., enable an end system to find a working path to the valid destination as long as such a path exists. End systems can provide confidentiality and integrity as needed. Following this model, we present Availability Centric Routing (ACR), which is based on three principles:

1. End systems learn multiple paths to a destination.