Professional Documents
Culture Documents
IEEE/CAA JOURNAL OF AUTOMATICA SINICA, VOL. 8, NO. 12, DECEMBER 2021
Abstract—The border gateway protocol (BGP) has become the routing protocol. The border gateway protocol (BGP) is a
indispensible infrastructure of the Internet as a typical inter- typical inter-domain routing protocol which has become the
domain routing protocol. However, it is vulnerable to
misconfigurations and malicious attacks since BGP does not infrastructure of the Internet nowadays because of its robust
provide enough authentication mechanism to the route and reliable design of the routing function. However, the secu-
advertisement. As a result, it has brought about many security rity is weak and it even does not protect the authenticity to the
incidents with huge economic losses. Exiting solutions to the route advertisement. Therefore, it remains vulnerable to miscon-
routing security problem such as S-BGP, So-BGP, Ps-BGP, and figurations and malicious attacks, which would lead to instabi-
RPKI, are based on the Public Key Infrastructure and face a high
security risk from the centralized structure. In this paper, we
lity in the routing system or severe reachability problems.
propose the decentralized blockchain-based route registration The research by Murphy et al. [1], [2] shows that BGP has
framework-decentralized route registration system based on significant design flaws and security risks in terms of security.
blockchain (DRRS-BC). In DRRS-BC, we produce a global In BGP route propagation process, when a BGP router
transaction ledge by the information of address prefixes and performs route propagation, the AS can only advertise its own
autonomous system numbers between multiple organizations and
ASs, which is maintained by all blockchain nodes and further prefix address block to the outside. The BGP neighbor node
used for authentication. By applying blockchain, DRRS-BC accepts any routing update information sent by the peer by
perfectly solves the problems of identity authentication, behavior default. In other word, the BGP router unconditionally trusts
authentication as well as the promotion and deployment problem the routing advertisement of the peer. Even if an AS
rather than depending on the authentication center. Moreover, it
advertises a forged prefix while not its own, it will be
resists to prefix and subprefix hijacking attacks and meets the
performance and security requirements of route registration. accepted by the peer and the protocol will continue to
propagate. This forged routing information will undoubtedly
Index Terms—Blockchain, decentralized, routing protocol, routing
registration. lead to many security problems. The most typical is the prefix
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:18:56 UTC from IEEE Xplore. Restrictions apply.
LU et al.: DRRS-BC: DECENTRALIZED ROUTING REGISTRATION SYSTEM BASED ON BLOCKCHAIN 1869
prefix and the AS identity. However, it brings about large behavior authentication rather than depending on the
computational cost and prolonged path convergence time [9]. authentication center.
White proposed the secure origin BGP protocol (SoBGP) in In a word, the contributions of this paper can be
2003 [10]. The SoBGP authenticates the prefix and AS summarized as follows.
identity by verifying the correctness and authorizing of the 1) We propose the decentralized blockchain-based route
data from BGP and can resist misconfiguration and prefix registration framework in routing system to protect the origin
hijacking. But the lack of the anchor’s address authorization of IP address prefix and avoid centralized structural risk.
reduces the security of SoBGP and it cannot defend against 2) DRRS-BC establishes a global network resource
prefix-based hijacking attacks bases on routing policies [11]. transaction ledge by the information of address prefixes and
And then, Orschot et al. proposed the pretty secure BGP AS numbers between multiple organizations and ASs, which
protocol (PsBGP) in 2007 [12]. The PsBGP uses the mutual perfectly solves the security problems of identity
authentication between neighbors to prefix source AS authentication and behavior authentication in traditional BGP
authentication. In the PsBGP, each AS creates a public key by introducing blockchain rather than depending on the
certificate of its own BGP router and a prefix assertion list authentication center.
PAL. Where PAL consists of a set of address prefixes owned 3) Security analysis shows that DRRS-BC is secure to
by itself and its neighbor ASs. However, due to the possibility prefix and subprefix hijacking attacks. Experiments also show
of “perjury” between ASs, the feasibility of this scheme is that DRRS-BC system can meet the performance and security
greatly reduced. Hu proposed the security enhanced BGP requirements of route registration.
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:18:56 UTC from IEEE Xplore. Restrictions apply.
1870 IEEE/CAA JOURNAL OF AUTOMATICA SINICA, VOL. 8, NO. 12, DECEMBER 2021
Organization 5 Organization 4
Client Storage Storage
node Client
node
Endorsement
node Core organization of Endorsement
node
the Internet 1
Client Endorsement
node
Block Storage
production node
node
AS6
AS7
Storage Core organization of Core organization of
node Storage
the Internet 2 the Internet 3 node
Organization 8
AS9
Client Storage
node
Storage
Endorsement node
node
unified consensus between all organizations creates like this. The function is to arrange legitimate transactions into a well-
In the process of forming a global network resource defined sequence, and package them into blocks for
transaction ledge, each organization runs a variety of nodes. subsequent distribution. These blocks will become the blocks
Each type of node between organizations constitutes the entire of the blockchain. The block production nodes collect all
blockchain network and the system is permissioned. All nodes legitimate transactions submitted by the client, verify their
that participate in the network have an identity provided by a endorsements, and package the transactions according to the
modular membership service provider. In other words, only block size or time window. Finally, a globally unique block is
registered organizations can participate in this blockchain generated between the block production nodes through the
system for network resource transactions. SBFT consensus protocol and broadcasted to each ledger
There are four main types of nodes in the system. storage node.
Client is an entity that actually creates a transaction and it Ledger storage nodes are run in each organization and
can communicate with all endorsement nodes and block autonomous system. They are the ultimate storage nodes in
production nodes in the network. When an organization wants the network resource transaction blockchain. All BGP routers
to initiate a network resource transaction, the client creates a or ASs in the network can access the ledger storage nodes and
transaction according to a specific transaction structure. The query the ownership of the AS numbers and address prefixes.
transaction structure will be described in detail in Section The ledger storage nodes are responsible for periodically
II-B. Then, the client submits the transaction to each receiving transaction blocks sorted by block production nodes,
endorsement node for endorsement. Finally, the client conducting final checks on these transactions and maintaining
constructs a legitimate transaction request and submits it to the blockchain ledger. Once the transactions are recorded in
each block production node. the blockchain, the ledger can not be changed. They can
Endorsement nodes are run in each organization. They provide tamper proof and traceable proof of ownership of the
verify the transaction submitted by the client and complete the AS numbers and address prefixes.
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:18:56 UTC from IEEE Xplore. Restrictions apply.
LU et al.: DRRS-BC: DECENTRALIZED ROUTING REGISTRATION SYSTEM BASED ON BLOCKCHAIN 1871
Create a (1) Verify (2) Collect (3) Submit legitimat (4) Block Form blockchain (5) Query the
transaction transaction endorsement transaction verification ledger blockchain
Create a transaction
Prefix address
authorization
10.0.0.0/8 (A→B)
Client A signature
(1) (1) (1) Block
...
ve production
Appro ve
(2) Collect Appro
TRANSACTION- e
s Sorting of
ENDORSED Refu
transactions;
(3)
Transaction
package;
Consensus
(4) algorithm (4)
(4) (4)
(4)
(4)
(5)
Client (C) Endorsement Endorsement Endorsement Block production Ledger Ledger Ledger
node 1 node 2 node 3 nodes storage storage storage
node 1 node 2 node 3
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:18:56 UTC from IEEE Xplore. Restrictions apply.
1872 IEEE/CAA JOURNAL OF AUTOMATICA SINICA, VOL. 8, NO. 12, DECEMBER 2021
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:18:56 UTC from IEEE Xplore. Restrictions apply.
LU et al.: DRRS-BC: DECENTRALIZED ROUTING REGISTRATION SYSTEM BASED ON BLOCKCHAIN 1873
D leases [1000000000,
1020000000] to F for 1 year.
Input Output
{1,
[1000000000,
1020000000], 0,
C authorizes [1000000000, {tr34…t4u5, 1, <PubkF>}
1050000000] to D <sigD>,
{2,
<PubkD>}
[1020000000,
1050000000], 0,
{tr34…t4u5, 1430864125000,
<PubkD>}
0,0}
Input Output
{1,
[1000000000, {jkg2…54gb, 1480889725000,
1050000000], 0, 0, 0}
{ersf…de2j, 1, <PubkD>}
<sigC>,
{aasd…dw2d, 1396736125000, {2, Input Output
{ersf…de2j, 1399328125000, <PubkC>}
0,0} [1050000000, {1,
0, 0}
1100000000], 0, [1050000000,
Input Output <PubkC>} 1070000000], 0,
Input Output
{1, <PubkC>}
[1000000000, {2,
1100000000], 0, [1070000000,
{1, {aasd…dw2d, {yhgd…45sh, 1459894525000, {tr34…t4u5, 2,
{sse2…de34, 1, <PubkC>} 1090000000],
[1000000000, 1, 0,12354} <sigC>,
<sigA>, 11323,
1200000000], 0, <sigB>, {2, <PubkC>}
<PubkA>} <PubkG>}
<PubkB>} <PubkB>} [1100000000,
1200000000], 0, Input Output
{3,
<PubkB>}
[1090000000,
1100000000], 0,
A authorizes [1000000000, B authorizes [1000000000, {1, <PubkC>}
1200000000] to B 1100000000] to C {ersf…de2j, 2, [1100000000,
<sigB>, 1200000000], C allocates [1070000000,
<PubkB>} 12354, 1090000000] to AS11323
<PubkE>}
B allocates [1100000000,
1200000000] to AS12354
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:18:56 UTC from IEEE Xplore. Restrictions apply.
1874 IEEE/CAA JOURNAL OF AUTOMATICA SINICA, VOL. 8, NO. 12, DECEMBER 2021
the current transactions, the timestamp, and the block this attack can be considered as double-spending. Therefore,
signature. The block body packs the verified and sorted the prefix update information forged by AS5 will be easily
transactions in the current time period.
identified by DRRS-BC, and AS4 will reject the routing
update information sent by AS5.
III. Security Analysis Subprefix Hijacking: The subprefix hijacking occurs when
In this section, we analyze the security of DRRS-BC in the an attacker announces de-aggregated thus a more specific IP
light of the threat model. The target of the adversaries in our prefix than the actual owner of the prefix. The longest prefix
model is prefix or subprefix hijacking. That means a network match rule prefers more specific route. In this attack, A
operator that has not been authorized to originate a prefix announces more specific prefixes than the ones owned by A.
announces in the BGP route massage that the prefix is bound As such, this behavior cannot be immediately detected as a
to its own AS number (ASN), and this false route origination double-spent transaction since routing table will not have a
is legitimized successfully and accepted by the BGP system. prior transaction linked to V that contains prefixes announced
Hackers can achieve prefix hijacking by forging network layer by A. In this case, AS1 is the legal owner of the prefix
reachability information in BGP update. In the following, we 16.1.0.0/16, and it advertises the route to the segment of the
show how DRRS-BC defends against these attacks. URL. In Fig. 8 , AS5 maliciously forged NLRI and also
Prefix Hijacking: Prefix hijacking means that an AS advertised the route to 16.1.0.0/20. In this way, according to
advertises an unauthorized prefix. The so-called “unauthori- the longest matching principle of BGP, all other ASs will
zed” means that the prefix belongs to other ASs or the address choose the fake path.
space of this segment has not been allocated. The allocation of
Internet addresses follows the authorization level from IANA NLRI: 16.1.0.0/20 AS3 NLRI: 16.1.0.0/20
to regional Internet registries (RIR) to local Internet registries AS_PATH: 3, 4, 5 AS_PATH: 4, 5
(LIR). If the AS violates the authorization to announce illegal
NLRI: 16.1.0.0/16 AS2 AS4 NLRI: 16.1.0.0/20
prefixes, it will directly cause traffic hijacking. In this case,
AS_PATH: 1 AS_PATH: 5
the malicious AS forges the NLRI information in the BGP
Update message and advertises an illegal prefix. As shown in
AS1 AS5
Fig. 7(a), AS1 is the legal owner of the prefix 16.1.0.0/16, and
it advertises the route to this segment of the URL. As shown
Fig. 8. Forged sub-prefixes in NLRI information.
in Fig. 7(b), AS5 maliciously forged NLRI and also advertised
the route to 16.1.0.0/16. In this way, according to the principle In a subprefix hijacking attack, the adversarial AS5
of BGP selecting the shortest AS_PATH path, AS4 will announces a subset of the BGP prefixes belonging to the
preferentially select the path from AS5 to 16.1.0.0/16. victim AS1. The transaction structure of DRRS-BC makes the
output of each transaction come from the input of the previous
transaction, and the attribution of any sub-prefix can be traced
NLRI: 16.1.0.0/16 AS3
NLRI: 16.1.0.0/16
AS_PATH: 2, 1 AS_PATH: 3, 2, 1
back to its prefix set. Therefore, the proposed input and output
transaction structure makes each transaction traceable. Each
output of a particular transaction can only be used as an input
NLRI: 16.1.0.0/16 AS2 AS4
AS_PATH: 1 once in the blockchain. Since AS2, AS3, AS4 all have joined
DRRS-BC and their local blockchain ledgers have been
synchronized, the prefix update information forged by AS5
AS1 AS5
will be easily identified by DRRS-BC, and all AS will reject
(a) AS1 advertises legal 16.1.0.0/16 the routing update information sent by AS5.
Because the global network resource allocation is recorded
NLRI: 16.1.0.0/16 AS3 NLRI: 16.1.0.0/16
in the blockchain, and all synchronized ledgers maintain the
AS_PATH: 2, 1 AS_PATH: 3, 2, 1 consistency of transactions, all inter-domain routers and any
audit program can access it and verify the authenticity of
NLRI: 16.1.0.0/16 AS2 AS4 NLRI: 16.1.0.0/16
routing information. Therefore, based on historical trustworthi-
AS_PATH: 1 AS_PATH: 5 ness, autonomous transaction auditing, and explicit resource
ownership, DRRS-BC can minimize the ability of authorized
AS1 AS5 institutions to eliminate the risk of configuration errors.
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:18:56 UTC from IEEE Xplore. Restrictions apply.
LU et al.: DRRS-BC: DECENTRALIZED ROUTING REGISTRATION SYSTEM BASED ON BLOCKCHAIN 1875
transaction performance of the system, the scalability of the In order to test the impact of block size on the processing
system, and the impact of block size on the processing efficiency of the system, we fill blocks of different sizes with
efficiency of the system. real transactions. Before the block consensus, each production
For system performance evaluation, we tested the system’s node will perform various verifications on the transactions in
processing time for different quantities of transactions by the block, so the size of the block will directly affect the
sending a large number of transactions to the system. Since overall operating efficiency of the system. The more
the construction of each transaction needs to undergo transactions that are included in the block in Table II , the
verification of UTXO status, transaction construction, greater the processing delay of the block.
transaction signature, sending transaction, etc. The throughput
of the system is closely related to the processing efficiency of TABLE II
the transaction. The experimental results (Fig. 9) show that System Operation Efficiency Test Result
each autonomous system can send 39 transactions per second Block size Number of transaction Block processing time
to the network in the DRRS-BC system. This performance is 1M 4594 txs 9.06 s
sufficient for the performance requirements of organizations
2M 9256 txs 17.58 s
and autonomous systems for IP prefix registration.
3M 13821 txs 25.97 s
180 4M 18542 txs 37.48 s
160 157.05
140 5M 23102 txs 45.73 s
Cost of time (s)
120 129.915
100 96.48
80 72.3 82.46 In summary, in order to make the DRRS-BC system meet
59.62
60 60.45
40 26.82
the performance requirements of route registration, we
36.48
20 2.325 actually set up 16 production nodes and 1 M block size system
12.155
0 for deployment. The DRRS-BC is incrementally deployable
100 500 1000 1500 2000 2500 3000 3500 4000 4500 5000
Number of transactions and backwards compatible with the current operations of ASs.
Organizations and autonomous systems can use the DRRS-BC
Fig. 9. Transaction processing efficiency.
as an additional security feature in parallel with existing
For the evaluation of system scalability, we tested the routing policies and do not require the AS to switch from the
impact of different numbers of nodes and block sizes on the old system to the new protocol paradigm.
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:18:56 UTC from IEEE Xplore. Restrictions apply.
1876 IEEE/CAA JOURNAL OF AUTOMATICA SINICA, VOL. 8, NO. 12, DECEMBER 2021
combine blockchain with other technologies such as Internet internet number resource authority and BGP security solution,”
Symmetry, vol. 10, no. 9, p. 408, Sept. 2018.
of Things [22], cloud computing, edge computing [23], and
[19] A. Buzachis, A. Celesti, A. Galletta, M. Fazio, G. Fortino, and M.
sensor network [24] to design a new BGP protocol that is Villari, “ A multi-agent autonomous intersection management (MA-
suitable for practical applications. AIM) system for smart cities leveraging edge-of-things and
blockchain,” Inf. Sci., vol. 522, pp. 148–163, Jun. 2020.
[20] G. Fortino, F. Messina, D. Rosaci, and G. M. L. Sarné, “Using
References blockchain in a reputation-based model for grouping agents in the
[1] S. Murphy, BGP Security Vulnerabilities Analysis, RFC 4272, 2006. internet of things,” IEEE Trans. Eng. Manage. , vol. 67, no. 4,
pp. 1231–1243, Nov. 2020.
[2] O. Nordström and C. Dovrolis, “ Beware of BGP attacks,” ACM
SIGCOMM Comput. Commun. Rev., vol. 34, no. 2, pp. 1–8, Apr. 2004. [21] G. Fortino, F. Messina, D. Rosaci, and G. M. L. Sarne, “ResIoT: An IoT
social framework resilient to malicious activities,” IEEE/CAA J. Autom.
[3] T. Wan and P. C. van Oorschot, “Analysis of BGP prefix origins during Sinica, vol. 7, no. 5, pp. 1263–1278, Sept. 2020.
Google’s May 2005 outage,” in Proc. 20th IEEE Int. Parallel &
[22] R. Casadei, G. Fortino, D. Pianini, W. Russo, C. Savaglio, and M.
Distributed Processing Symp., Rhodes, Greece, 2006.
Viroli, “ Modelling and simulation of opportunistic IoT services with
[4] R. Blog, “ Con-Ed steals the net,” [Online]. Available: aggregate computing,” Future Generat. Comput. Syst. , vol. 91,
http://www.renesys.com/blog/2006/01/coned_steals_the_net.shtml. pp. 252–262, Feb. 2019.
Accessed on: 2006.
[23] G. R. Alam, M. M. Hassan, Z. Uddin, A. Almogren, and G. Fortino,
[5] R. Blog, “ Pakistan hijacks YouTube,” [Online]. Available: “Autonomic computation offloading in mobile edge for IoT
http://www.renesys.Com/blog/2008/02/pakistan_hijiacks_youtube_1.sht applications,” Future Generat. Comput. Syst., vol. 90, pp. 149–157, Jan.
ml. Accessed on: 2008. 2019.
[6] Sohu News, “ Google accidentally hijacked BGP routes,” [Online]. [24] G. Fortino, D. Parisi, V. Pirrone, and G. Di Fatta, “BodyCloud: A SaaS
Available: http://www.sohu.com/a/168006154_257305 . Accessed on: approach for community body sensor networks,” Future Generat.
Aug. 29, 2017. Comput. Syst., vol. 35, pp. 62–79, Jun. 2014.
[7] S. Kent, C. Lynn, and K. Seo, “ Secure border gateway protocol (S-
BGP),” IEEE J. Sel. Areas Commun. , vol. 18, no. 4, pp. 582–592, Apr.
Huimin Lu (SM’ 19) received the B.S. degree in
2000.
electronics information science and technology from
[8] S. T. Kent, “Securing the border gateway protocol: A status update,” in Yangzhou University in 2008. He received the M.S.
Proc. 7th IFIP TC-6 TC-11 Int. Conf. Communications and Multimedia degrees in electrical engineering from Kyushu
Security, Torino, Italy, 2003. Institute of Technology and Yangzhou University in
[9] S. Kent, C. Lynn, J. Mikkelson, and K. Seo, “ Secure border gateway 2011. He received the Ph.D. degree in electrical
protocol (S-BGP)—Real world performance and deployment issues,” in engineering from Kyushu Institute of Technology in
Proc. Network and Distributed System Security Symp., San Diego, USA, 2014. From 2013 to 2016, he was a JSPS Research
2000. Fellow at Kyushu Institute of Technology. Currently,
he is an Associate Professor in Kyushu Institute of
[10] R. White, “ Securing BGP through secure origin BGP (soBGP),” Bus. Technology and an Excellent Young Researcher of MEXT-Japan. His
Commun. Rev., vol. 33, no. 5, pp. 47–53, 2003. research interests include computer vision, robotics, artificial intelligence, and
[11] G. Huston, M. Rossi, and G. Armitage, “ Securing BGP—A literature ocean observing.
survey,” IEEE Commun. Surv. Tut. , vol. 13, no. 2, pp. 199–222, Jan.
2011.
Yu Tang is a Ph.D. candidate of Beijing University
[12] P. C. van Oorschot, T. Wan, and E. Kranakis, “On interdomain routing
of Posts and Telecommunications. He received the
security and pretty secure BGP (psBNGP),” ACM Trans. Inf. Syst.
B.S. degree in electronic information science and
Secur., vol. 10, no. 3, p. 11, Jul. 2007. technology from Xidian University in 2016. His
[13] X. J. Hu, “ Research on inter-domain routing system security,” Ph.D. research interests include blockchain, distributed
dissertation, National Univ. Defense Technology, Changsha, China, system, and network security.
2009.
[14] Y. Gilad, A. Cohen, A. Herzberg, M. Schapira, and H. Shulman, “Are
we there yet? On RPKI’s deployment and security,” in Proc. NDSS
Symp., San Diego, USA, 2017.
[15] D. Cooper, E. Heilman, K. Brogle, L. Reyzin, and S. Goldberg, “On the
risk of misbehaving RPKI authorities,” in Proc. 12th ACM Workshop on Yi Sun (M’20) received the Ph.D. degree from State
Hot Topics in Networks, College Park, USA, 2013, pp. 16. Key Laboratory of Networking and Switching Techno-
[16] E. Heilman, D. Cooper, L. Reyzin, and S. Goldberg, “From the consent logy, Beijing University of Posts and Telecommu-
of the routed: Improving the transparency of the RPKI,” ACM nications in 2015. Currently, she is a Lecturer of
SIGCOMM Comput. Commun. Rev., vol. 44, no. 4, pp. 51–62, Oct. 2014. Beijing University of Posts and Telecommunications.
Her research interests include information security,
[17] H. Birge-Lee, Y. X. Sun, A. Edmundson, J. Rexford, and P. Mittal, privacy-preserving data mining, secure multiparty
“Bamboozling certificate authorities with BGP,” in Proc. 27th USENIX computation, malware detection and blockchain.
Security Symp., Baltimore, USA, 2018, pp. 833–849.
[18] Q. Q. Xing, B. S. Wang, and X. F. Wang, “BGPcoin: Blockchain-based
Authorized licensed use limited to: UNIVERSITY PUTRA MALAYSIA. Downloaded on May 17,2023 at 07:18:56 UTC from IEEE Xplore. Restrictions apply.