PACKET DESIGN SOLVES SECURITY, RELIABILITY PROBLEMS OF MAJOR INTERNET ROUTING PROTOCOL, BGP

Addition of New Transport Protocol to Routers/Switches Can Allay BGP Concerns Publicized by National Security Experts

PALO ALTO, Calif., Nov. 4, 2002 - Packet Design has introduced a solution to the well-known security and reliability problems that have long plagued BGP (Border Gateway Protocol), the routing protocol used by virtually all network routers for communication between service provider and large enterprise domains. Packet Design's BGP Scalable Transport (BST) is a new protocol that addresses BGP issues long recognized throughout the industry and recently voiced by White House security experts. By streamlining the communication mechanism used to transport BGP routing information, BST dramatically lowers the cost and overhead associated with implementing security (authentication and encryption) and reliability measures. BST works with, but requires no changes to, any router vendor's existing BGP implementation. Packet Design has applied for several patents on BST.

Judy Estrin, Packet Design CEO, said that, contrary to views that BGP will ultimately have to be replaced altogether to make networks sufficiently secure and reliable, the solution lies in augmenting BGP with a new transport mechanism alongside the one it currently uses, TCP (Transmission Control Protocol).

TCP: The Wrong Transport for the Job

"While TCP worked well as a transport for BGP when the Internet was relatively small, today a full mesh of open TCP connections is highly inefficient even in a moderately sized network of 10 or 20 routers. Security is compromised, both because the routers lack the capacity to do resource-heavy authentication and encryption while managing such large numbers of connections, and because the necessary act of 'peering' exposes routing services and leaves the network routers vulnerable to attacks. Reliability suffers as well, because the failure of even one TCP connection leads to the exchange of large routing tables, causing large-scale ripple effects across the network."

Flooding: Neighbors Talking to Neighbors

Long recognized as the fastest, most reliable way to disseminate information from one source to many destinations, flooding has been used successfully for years by interior gateway protocols to communicate within networks: the link-state protocols OSPF (Open Shortest Path First) and IS-IS (Intermediate System to Intermediate System) flood topology information to every router in an area, and Cisco's EIGRP (Enhanced Interior Gateway Routing Protocol) likewise propagates updates reliably from neighbor to neighbor. BST represents the first time flooding has been used to help an exterior gateway protocol such as BGP address its peering issues (i.e., the method of exchanging routes between autonomous systems).

Addressing BGP's Trouble Spots: Reliability, Security, Configuration, Convergence

Reliability. One-to-one backup, the method used to implement "TCP failover," an approach commonly recommended by router vendors, quickly boosts costs by doubling the number of routers needed. BST's flooding approach and its primary/secondary failover scheme let the user choose any standard reliability model: graceful degradation, hot or cold standby, 1-for-1 or 1-for-n sparing, etc. And, unlike the typical proprietary TCP failover implementation, BST has the flexibility to work in a multi-vendor environment, because a given router need not be backed up by an exact duplicate of itself from the same router vendor.

Security. BGP's vulnerability to message spoofing and tampering - the illicit injection, interception and alteration of routing messages as they move between peers - has become a serious security concern. BST addresses this issue in two ways. First, rather than exposing all router services outside the network during peering - which makes routers easy prey for intruders - BST exposes only the BGP service. Second, BST's linear scalability enables routers to perform compute-intensive authentication and encryption services such as IPsec even in networks with a large number of peers, something not practical with TCP. (Transport-level authentication and encryption protect the session between peers; they do not by themselves validate the routes a peer announces.)

Configuration. Normally, when a new BGP peer is added, every other peer in the network must be reconfigured with the new peer's ID, and the new peer must be configured with the IDs of all existing peers - a tedious, error-prone task that contributes to unreliability. With BST flooding, only the immediate neighbors of the new peer need to be reconfigured.

Convergence. Fast convergence times - the intervals required for routers to agree again on a consistent set of routes after a failure or topology change - are critical for growing applications such as voice over IP. BST significantly speeds up convergence, both by improving reliability (through reduction of peering loss) and by enabling peers to resynchronize faster if a failure does occur.

BST Architecture and Implementation

When BST is added to BGP, all features and capabilities of the existing BGP implementation remain intact and unchanged. Because BST-enhanced routers are fully compatible with routers not running BST, BST can be deployed incrementally as time and cost permit. The new protocol can be used between route processors in a single router, between routers in a point of presence (POP), between POPs in an autonomous system, or between autonomous systems.

Pricing and Availability

About Packet Design

Packet Design is the fourth networking company started by husband-and-wife entrepreneurs Judy Estrin and Bill Carrico, who founded Bridge Communications in 1981, Network Computing Devices in 1988 and Precept Software in 1995. Estrin served as Cisco Systems' chief technology officer from 1998 to 2000, and Carrico as senior vice president of Cisco's small and medium line of business. Estrin, who sits on the boards of directors of The Walt Disney Company, The Federal Express Corporation and Sun Microsystems, has been named three times to Fortune Magazine's list of the 50 most powerful women in American business. Packet Design has raised $29 million in private funding from Foundation Capital, Sun Microsystems and individual investors. For more information, visit http://www.packetdesign.com.
© 2005 Packet Design Inc.