ABSTRACT
Existing security mechanisms for managing Internet infrastructure resources such as IP addresses, AS numbers, BGP advertisements and DNS mappings rely on a Public Key Infrastructure (PKI) that can potentially be compromised by state actors and Advanced Persistent Threats (APTs). Ideally, the Internet infrastructure needs a distributed, tamper-resistant resource management framework that cannot be subverted by any single entity. A secure, distributed ledger enables such a mechanism, and the blockchain is the best-known example of a distributed ledger.
In this paper, we propose a blockchain-based mechanism to secure the Internet's BGP and DNS infrastructure. While the blockchain has scaling issues that must be overcome, the key advantages of this approach include the elimination of any PKI-like root of trust, a verifiable and distributed transaction history log, multi-signature-based authorizations for enhanced security, easy extensibility and scriptable programmability to secure new types of Internet resources, and the potential for a built-in cryptocurrency. A tamper-resistant DNS infrastructure also ensures that the application-level PKI cannot be used to spoof HTTPS traffic.