304 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 3, NO. 2, JUNE 2008

Secure Interdomain Routing Registry

E-yong Kim, Li Xiao, Klara Nahrstedt, Fellow, IEEE, and Kunsoo Park

Abstract—The current Internet has no secure way to validate the correctness of routing information. We propose a mechanism that supports secure validation of routing information in the interdomain routing protocol of the Internet. Our mechanism focuses on alleviating obstacles that previously prevented the complete and correct construction of the Internet routing information. In particular, we present a registry with authorized and verifiable search (RAVS) by which routing information can be constructed securely. We give an efficient RAVS scheme and prove its security in the random oracle model. With our scheme, the routing information can be securely stored and tested without revealing the contents of registry entries and search queries. Only legal autonomous systems (ASes) can construct valid registry entries, and a single compromised AS can be detected. Our experiment shows that our RAVS scheme can be implemented efficiently and that the incurred overhead, in terms of time and space, is acceptable in practice.

Index Terms—Authorized search, border gateway protocol (BGP), interdomain routing, provably secure registry, verifiable search.

I. INTRODUCTION

THE Internet routing infrastructure is a large distributed system that is composed of many independently managed networks, called autonomous systems (ASes). To find routes across multiple domains, ASes exchange routing information using an interdomain routing protocol. The de facto standard interdomain routing protocol is the border gateway protocol (BGP) [2], a path vector protocol. BGP routers exchange routing information incrementally using UPDATE messages. A BGP UPDATE message consists of a number of attributes. One notable attribute is AS_PATH, a vector of ASes which is used to forward packets to their destination.
BGP is developed under the assumption that the UPDATE message advertised by peers is correct. However, this assumption is challenged in the current Internet environment. This is because BGP is vulnerable to many kinds of attacks [3]. Even a simple misconfiguration can disrupt significant parts of the Internet [4]. Therefore, it is important to reduce the vulnerability of BGP to make Internet routing more robust. Quite a few proposed solutions exist for addressing the vulnerability of BGP [5]–[15]. Most approaches are difficult to adopt in the Internet due to modifications of existing protocols or routing message formats, the cost of heavy operations, and lack of backward compatibility.

Manuscript received July 19, 2007; revised January 9, 2008. A preliminary version of this paper appeared in Proceedings of the ACM Symposium on Information, Computer and Communications Security, March 2006 [1]. The associate editor coordinating the review of this manuscript and approving it for publication was Prof. Mohan S. Kankanhalli.
E. Kim is with Samsung Electronics, Suwon-si, Gyeonggi-do 443-742, Korea (e-mail: eyong.kim@samsung.com).
L. Xiao is with Google, Inc., Mountain View, CA 94043 USA (e-mail: lixiao@google.com).
K. Nahrstedt is with the Department of Computer Science, University of Illinois at Urbana-Champaign, Urbana, IL 61801 USA (e-mail: klara@cs.uiuc.edu).
K. Park is with the School of Computer Science and Engineering, Seoul National University, Seoul 151-744, Korea (e-mail: kpark@theory.snu.ac.kr).
Digital Object Identifier 10.1109/TIFS.2008.922050

Fig. 1. Simple illustration of the IRR in operation. Each AS submits its routing information to the IRR. For instance, AS2 registers its neighbor information AS2-AS1 and AS2-AS3 to the IRR. AS5 can issue a query to the IRR about the existence of routing information between AS2 and AS1 in the received UPDATE message with AS_PATH [AS4 AS3 AS2 AS1]. The IRR responds “yes” because it has that routing information.
Presently, route filtering [16], [17] is an effective way to address BGP vulnerabilities by removing incorrect or malicious BGP UPDATE messages and is widely deployed in the current Internet. In order to build correct filters, ASes should have the knowledge about the policies of the global Internet. Generally, this knowledge is provided by the Internet Routing Registry (IRR) [18], the set of more than 50 databases of routing policy information. The IRR records routing policies and topological information for all ASes, which can be used by ASes to validate the BGP UPDATE messages. For example, in Fig. 1, all ASes submit their peering relationships to the IRR. If AS5 receives a route in an UPDATE message from AS4 that claims it has a direct path to AS1, AS5 can identify that AS4 is misbehaving by checking with the topology information in the IRR and reject the route.

In order to make this process dependable, it is crucial to have the information in the IRR be complete and correct. However, the IRR information is not well maintained or updated in reality. The reason is that ASes consider their business relationships, policies, and topology information to be confidential. Presently, there is no authorization of database queries to the IRR and this sensitive information in the IRR is not protected. Moreover, the information in the IRR can be forged by an adversary. Therefore, making IRR secure is required to address the vulnerabilities in BGP routing. However, the security of the IRR is not well studied.

The aim of this paper is to build a routing information registry that supports both authorized and verifiable search. With the devised registry, we can protect the sensitive information in the registry from various security attacks. Thus, ASes have incentives to contribute their routing information and to make the registry complete.
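
The Fig. 1 check described above, written out as an added example (not code from the paper, and a plaintext model of an IRR lookup rather than the RAVS scheme). The registry contents, the chain topology AS1 to AS5, the function names and the `require_both` rule are assumptions of this sketch.

```python
from itertools import groupby

# Constructed registry: each AS lists the neighbors it registered itself,
# as AS2 does in Fig. 1 with AS2-AS1 and AS2-AS3.
# Assumed topology for this sketch: AS1 - AS2 - AS3 - AS4 - AS5.
REGISTRY = {
    1: {2},
    2: {1, 3},
    3: {2, 4},
    4: {3, 5},
    5: {4},
}


def link_registered(registry, a, b, require_both=True):
    """Is the adjacency a-b present in the registry?

    require_both is an assumption of this sketch: the link counts only if
    both endpoints registered it, so one AS cannot vouch for a link alone.
    """
    fwd = b in registry.get(a, set())
    rev = a in registry.get(b, set())
    return (fwd and rev) if require_both else (fwd or rev)


def validate_as_path(registry, local_as, as_path, require_both=True):
    """Check every hop of a received AS_PATH; return (ok, reason)."""
    if not as_path:
        return False, "empty AS_PATH"
    # AS_PATH prepending repeats an AS number consecutively; collapse the
    # repeats so they are not treated as a link from an AS to itself.
    hops = [asn for asn, _ in groupby(as_path)]
    if local_as in hops:
        return False, f"loop: AS{local_as} already in path"
    # Include the link from the receiving AS to the advertising neighbor.
    chain = [local_as] + hops
    for a, b in zip(chain, chain[1:]):
        if not link_registered(registry, a, b, require_both):
            return False, f"unregistered link AS{a}-AS{b}"
    return True, "all links registered"


if __name__ == "__main__":
    print(validate_as_path(REGISTRY, 5, [4, 3, 2, 1]))  # path from Fig. 1
    print(validate_as_path(REGISTRY, 5, [4, 1]))        # AS4 claims AS1 directly
```

With `require_both=False`, a registry in which AS4 alone has registered AS4-AS1 makes the shortened path pass, which is the forged-entry weakness of an unauthenticated IRR that the section describes.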