How Effective is Multiple-Vantage-Point Domain Control Validation?
Authors:
Grace Cimaszewski,
Henry Birge-Lee,
Liang Wang,
Jennifer Rexford,
Prateek Mittal
Abstract:
Multiple-vantage-point domain control validation (multiVA) is an emerging defense for mitigating BGP hijacking attacks against certificate authorities. While the adoption of multiVA is on the rise, little work has quantified its effectiveness against BGP hijacks in the wild. We bridge the gap by presenting the first analysis framework that measures the security of a multiVA deployment under real-w…
▽ More
Multiple-vantage-point domain control validation (multiVA) is an emerging defense for mitigating BGP hijacking attacks against certificate authorities. While the adoption of multiVA is on the rise, little work has quantified its effectiveness against BGP hijacks in the wild. We bridge the gap by presenting the first analysis framework that measures the security of a multiVA deployment under real-world network configurations (e.g., DNS and RPKI). Our framework accurately models the attack surface of multiVA by 1) considering the attacks on DNS nameservers involved in domain validation, 2) considering deployed practical security techniques such as RPKI, 3) performing fine-grained internet-scale analysis to compute multiVA resilience (i.e., how difficult it is to launch a BGP hijack against a domain and get a bogus certificate under multiVA). We use our framework to perform a rigorous security analysis of the multiVA deployment of Let's Encrypt, using a dataset that consists of about 1 million certificates and 31 billion DNS queries collected over four months. Our analysis shows while DNS does enlarge the attack surface of multiVA, the of Let's Encrypt's multiVA deployment still offers an 88% median resilience against BGP hijacks, a notable improvement over 76% offered by single-vantage-point validation. RPKI, even in its current state of partial deployment, effectively mitigates BGP attacks and improves the security of the deployment by 15% as compared to the case without considering RPKI. Exploring 11,000 different multiVA configurations, we find that Let's Encrypt's deployment can be further enhanced to achieve a resilience of over 99% by using a full quorum policy with only two additional vantage points in different public clouds.
△ Less
Submitted 17 February, 2023; v1 submitted 15 February, 2023;
originally announced February 2023.
Creating a Secure Underlay for the Internet
Authors:
Henry Birge-Lee,
Joel Wanner,
Grace Cimaszewski,
Jonghoon Kwon,
Liang Wang,
Francois Wirz,
Prateek Mittal,
Adrian Perrig,
Yixin Sun
Abstract:
Adversaries can exploit inter-domain routing vulnerabilities to intercept communication and compromise the security of critical Internet applications. Meanwhile the deployment of secure routing solutions such as Border Gateway Protocol Security (BGPsec) and Scalability, Control and Isolation On Next-generation networks (SCION) are still limited. How can we leverage emerging secure routing backbone…
▽ More
Adversaries can exploit inter-domain routing vulnerabilities to intercept communication and compromise the security of critical Internet applications. Meanwhile the deployment of secure routing solutions such as Border Gateway Protocol Security (BGPsec) and Scalability, Control and Isolation On Next-generation networks (SCION) are still limited. How can we leverage emerging secure routing backbones and extend their security properties to the broader Internet?
We design and deploy an architecture to bootstrap secure routing. Our key insight is to abstract the secure routing backbone as a virtual Autonomous System (AS), called Secure Backbone AS (SBAS). While SBAS appears as one AS to the Internet, it is a federated network where routes are exchanged between participants using a secure backbone. SBAS makes BGP announcements for its customers' IP prefixes at multiple locations (referred to as Points of Presence or PoPs) allowing traffic from non-participating hosts to be routed to a nearby SBAS PoP (where it is then routed over the secure backbone to the true prefix owner). In this manner, we are the first to integrate a federated secure non-BGP routing backbone with the BGP-speaking Internet.
We present a real-world deployment of our architecture that uses SCIONLab to emulate the secure backbone and the PEERING framework to make BGP announcements to the Internet. A combination of real-world attacks and Internet-scale simulations shows that SBAS substantially reduces the threat of routing attacks. Finally, we survey network operators to better understand optimal governance and incentive models.
△ Less
Submitted 15 June, 2022; v1 submitted 14 June, 2022;
originally announced June 2022.
