The Internet is subject to attacks due to vulnerabilities in its routing protocols. One proposed approach to attain greater security is to cryptographically protect network reachability announcements exchanged between Border Gateway Protocol (BGP) routers. This study proposes and evaluates the performance and efficiency of various optimization algorithms for validation of digitally signed BGP updates. In particular, this investigation focuses on the BGPSEC (BGP with SECurity extensions) protocol, currently under consideration for standardization in the Internet Engineering Task Force. We analyze three basic BGPSEC update processing algorithms: Unoptimized, Cache Common Segments (CCS) optimization, and Best Path Only (BPO) optimization. We further propose and study cache management schemes to be used in conjunction with the CCS and BPO algorithms. The performance metrics used in the analyses are: (1) routing table convergence time after BGPSEC peering reset or router reboot events and (2) peak-second signature verification workload. Both analytical modeling and detailed trace-driven simulation were performed. Results show that the BPO algorithm is 330% to 628% faster than the unoptimized algorithm for routing table convergence in a typical Internet core-facing provider edge router.

中文翻译：

---

BGP安全协议中用于最小化加密处理的优化算法的设计和分析。

互联网由于其路由协议中的漏洞而受到攻击。一种获得更高安全性的建议方法是用密码保护在边界网关协议（BGP）路由器之间交换的网络可达性公告。这项研究提出并评估了各种优化算法的性能和效率，以验证数字签名的BGP更新。尤其是，此调查的重点是BGPSEC（具有SECurity扩展名的BGP）协议，目前正在Internet工程任务组中对其进行标准化。我们分析了三种基本的BGPSEC更新处理算法：未优化，缓存公共段（CCS）优化和仅最佳路径（BPO）优化。我们进一步提出并研究与CCS和BPO算法结合使用的缓存管理方案。分析中使用的性能指标是：（1）BGPSEC对等重置或路由器重新启动事件后的路由表收敛时间，以及（2）高峰秒签名验证工作量。进行了分析建模和详细的跟踪驱动的仿真。结果表明，在典型的面向Internet核心的提供商边缘路由器中，BPO算法比未优化的路由表收敛算法快330％至628％。