52 IEEE COMMUNICATIONS SURVEYS & TUTORIALS, VOL. 11, NO. 1, FIRST QUARTER 2009

A Survey of Security Techniques for the Border Gateway Protocol (BGP)

Martin O. Nicholes, Student Member, IEEE, and Biswanath Mukherjee, Fellow, IEEE

Abstract—Web surfing is an example (and popular) Internet application where users desire services provided by servers that exist somewhere in the Internet. To provide the service, data must be routed between the user's system and the server. Local network routing (relative to the user) cannot provide a complete route for the data. In the core Internet, a portion of the network controlled by a single administrative authority, called an Autonomous System (AS), provides local network support and also exchanges routing information with other ASes using the Border Gateway Protocol (BGP). Through the BGP route exchange, a complete route for the data is created. Security at this level in the Internet is challenging due to the lack of a single administration point and because there are numerous ASes which interact with one another using complex peering policies. This work reviews recent techniques to secure BGP. These security techniques are categorized as follows: 1) cryptographic/attestation, 2) database, 3) overlay/group protocols, 4) penalty, and 5) data-plane testing. The techniques are reviewed at a high level in a tutorial format, and shortcomings of the techniques are summarized as well. The depth of coverage for particular published works is intentionally kept minimal, so that the reader can quickly grasp the techniques. This survey provides a basis for evaluation of the techniques to understand coverage of published works as well as to determine the best avenues for future research.

Index Terms—Internet, Border Gateway Protocol (BGP), BGP routing, BGP security, survey.

I. INTRODUCTION

WEB surfing is an example (and popular) Internet application where users click on a web site using a web browser, and they desire network services provided by a server somewhere in the Internet. However, the local routing infrastructure (relative to the user), which provides routing support within a domain, cannot provide a complete routing solution between the user and the target server that may exist in another domain. All the local networks in the Internet exchange high-level routing information in order to create a full path for data flow across the Internet. The routers which provide the interface between domains run a protocol called Border Gateway Protocol (BGP). Figure 1 shows a high-level abstraction of BGP routers connecting domains in the Internet. Each local routing domain is called an Autonomous System (AS). This work provides a survey of security techniques that are useful for the BGP control protocol used between routers serving at the interface between ASes in the Internet. The techniques are used to determine the validity of and provide protection for routing updates sent between these routers. If the BGP protocol is unable to provide valid routing information, then users have no hope of getting a response from the intended server. This work reviews the various techniques, along with their shortcomings at a high level, in order to enable the reader to quickly grasp the techniques. The goal is to illustrate the direction of research, not to dwell on the full details of any approach.

Fig. 1. BGP routers.

Manuscript received September 12, 2007; revised February 20, 2008. M. O. Nicholes is with the Department of Electrical and Computer Engineering, University Of California, Davis, CA, 95616, USA (e-mail: monicholes@ucdavis.edu). B. Mukherjee is with the Department of Computer Science, University Of California, Davis, CA, 95616, USA (e-mail: bmukherjee@ucdavis.edu). Digital Object Identifier 10.1109/SURV.2009.090105.
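The route exchange sketched above, in which each AS re-announces what it has learned to its neighbours and a complete inter-AS path emerges, can be made concrete with a small path-vector simulation. The following is an added illustration written for this survey page; it is not code from the authors, and the AS topology, ASNs, prefix and authorised-origin table are constructed sample data. Each AS prepends its own number to the AS_PATH when it re-announces a prefix, discards any announcement that already carries its own number (BGP's loop detection), and keeps the shortest AS_PATH as its best route. An optional origin table stands in for the kind of "database" check the abstract lists: an AS consults it before accepting an announcement and drops one whose originating AS is not registered for the prefix.

```python
"""Simplified path-vector propagation between Autonomous Systems.

Added example (not from the survey).  LINKS, AUTHORISED_ORIGINS and the
prefix used below are constructed sample data, not real Internet topology.
"""
from collections import deque

# Constructed topology: undirected peering links between ASNs.
LINKS = [(1, 2), (2, 3), (3, 4), (1, 5), (5, 4)]

# Constructed authorised-origin table: prefix -> ASNs registered to originate it.
AUTHORISED_ORIGINS = {"192.0.2.0/24": {4}}


def neighbours(links):
    """Build an adjacency map {asn: set(of peer asns)} from the link list."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def propagate(links, announcements, authorised=None):
    """Flood prefix announcements through the AS graph.

    announcements: list of (origin_asn, prefix) pairs.
    authorised:    optional {prefix: set(asns)} origin table; when given, an AS
                   rejects announcements whose origin (last AS_PATH element)
                   is not registered for the prefix.
    Returns {asn: {prefix: as_path}} where as_path is a tuple in BGP order:
    first element is the neighbour the route was learned from, last element is
    the origin AS.  The origin's own entry is the one-element path (origin,).
    """
    adj = neighbours(links)
    rib = {asn: {} for asn in adj}
    queue = deque()
    for origin, prefix in announcements:
        rib.setdefault(origin, {})[prefix] = (origin,)
        queue.append((origin, prefix, (origin,)))

    while queue:
        sender, prefix, path = queue.popleft()
        for nb in adj.get(sender, ()):
            if nb in path:
                continue  # loop detection: our own ASN is already in AS_PATH
            if authorised is not None and path[-1] not in authorised.get(prefix, set()):
                continue  # origin check: originating AS not registered for prefix
            current = rib[nb].get(prefix)
            if current is None or len(path) < len(current):
                rib[nb][prefix] = path            # install as best route
                queue.append((nb, prefix, (nb,) + path))  # re-announce, prepended
    return rib


def ases_with_route(rib, prefix):
    """Return the set of ASNs that hold any route for prefix."""
    return {asn for asn, table in rib.items() if prefix in table}


if __name__ == "__main__":
    prefix = "192.0.2.0/24"
    print("Legitimate origin AS 4:")
    for asn, table in sorted(propagate(LINKS, [(4, prefix)]).items()):
        print(f"  AS{asn}: AS_PATH {table.get(prefix)}")
    print("Unregistered origin AS 2, with origin table enforced:")
    rib = propagate(LINKS, [(2, prefix)], AUTHORISED_ORIGINS)
    print(f"  ASes holding a route: {sorted(ases_with_route(rib, prefix))}")
```

Run stand-alone, the script first shows every AS learning a route to the prefix via the shortest AS_PATH back to AS 4, then shows that an announcement originated by AS 2, which the table does not register for that prefix, is held only by AS 2 itself because every neighbour rejects it. Without the table the same announcement would be accepted everywhere, which is the gap the survey's database-style techniques aim to close.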
Table I lists many network routing security works and the techniques used in each (these techniques are discussed in more detail in Section II). The works in Table I are listed in chronological order to clarify the temporal progression of research. Table I includes more recent works, in order to update works listed in prior published BGP security reviews. Some of these security works were targeted at local routing protocols, but the ideas can be extended to the BGP routing protocol.

A. Review of Internet Routing

The Internet is organized in a hierarchical fashion, with network endpoints existing in ASes. So, when the user seeks service from a server anywhere in the Internet, a network path is required between ASes, assuming the remote server is hosted inside another AS. The data required from the remote server will flow along this network path. An AS, in addition to hosting a local routing domain, is a portion of the Internet controlled by a single administration, which allows for a standardized routing infrastructure and network policy within the AS. The standardized infrastructure and policy make it possible to tightly control the creation, modification, and operation of the intra-AS routing infrastructure. Intra-AS routing is based on Interior Gateway Protocols (IGPs), such as Open Shortest Path First (OSPF) and Intermediate System to Intermediate System (IS-IS). These protocols

1553-877X/09/$25.00 © 2009 IEEE