3S: three-signature path authentication for BGP security.

Because of the lack of mechanism to verify a route's path authorization, border gateway protocol (BGP) has been disrupted by route hijacking for decades. Although several secure inter-domain protocols have been proposed during the past years, such as secure BGP (S-BGP) and BGPsec, they all have serious performance issues in both time and space cost, preventing their further deployment in the practical Internet. Statistical results from the real Internet reveal that multiple Internet protocol prefixes could often been announced along with the same AS path/sub-path to its downstream autonomous systems; hence, the route announcements can be aggregated at the level of prefix. In light of this, we propose a three-signature path authentication ( 3S) scheme to improve the performance of path authentication. We first introduce the concept of 'virtual AS,' to reflect a cluster of prefixes that are announced along a common path/sub-path. Then we aggregate those prefixes into an atom and only need to sign the first route announcement of a virtual AS instead of single prefixes; thus, it can reduce the number of cryptographic operations significantly. We evaluate the performance of 3 S scheme in both theoretical and experimental ways; the results have shown that our proposed scheme is more efficient yet without losing security capabilities as existing methods such as S-BGP and BGPsec. Copyright © 2015 John Wiley & Sons, Ltd. [ABSTRACT FROM AUTHOR]