Network routers typically forward data packets based on the destination address of the packet. Routers determine the next hop for forwarding each packet based on routing look-up tables determined by routing protocols. Routers controlled by the same administrative authority are part of an autonomous system (AS) and thereby share common routing strategies, policies and protocols. Interior Gateway Protocols (IGPs) are routing protocols used within an AS to provide local routing information to local routers. This information is communicated in various messages between routers and is used to update the look-up tables. Examples of IGPs include the Routing Information Protocol (RIP), the Open Shortest Path First protocol (OSPF), and the Intermediate System-to-Intermediate System protocol (IS-IS).
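The destination-based forwarding described above can be illustrated with a small look-up table that performs a longest-prefix match and that is populated and modified by routing-protocol messages. The following is an added example written for this page, not code from the original document or from any router implementation; the protocol labels, administrative-distance values and prefixes are constructed sample data. It also shows why the integrity of the protocol messages matters: whatever a routing message installs or withdraws directly determines where packets are sent.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str        # address of the adjacent router that receives the packet next
    protocol: str        # which protocol installed the route (constructed labels)
    admin_distance: int  # preference when several protocols offer the same prefix


class RoutingTable:
    """Destination-based forwarding table with longest-prefix-match lookup."""

    def __init__(self) -> None:
        self._routes: List[Route] = []

    def install(self, prefix: str, next_hop: str, protocol: str, admin_distance: int) -> bool:
        """Install a route learned from a routing message.

        An existing route for the same prefix is replaced only when the new one is
        preferred (lower administrative distance). Returns True if the table changed.
        """
        net = ipaddress.ip_network(prefix, strict=True)
        for i, existing in enumerate(self._routes):
            if existing.prefix == net:
                if admin_distance < existing.admin_distance:
                    self._routes[i] = Route(net, next_hop, protocol, admin_distance)
                    return True
                return False
        self._routes.append(Route(net, next_hop, protocol, admin_distance))
        return True

    def withdraw(self, prefix: str, protocol: str) -> bool:
        """Remove the route for a prefix that a protocol has withdrawn."""
        net = ipaddress.ip_network(prefix, strict=True)
        before = len(self._routes)
        self._routes = [r for r in self._routes
                        if not (r.prefix == net and r.protocol == protocol)]
        return len(self._routes) != before

    def lookup(self, destination: str) -> Optional[Route]:
        """Longest-prefix match: the most specific prefix containing the address wins."""
        dst = ipaddress.ip_address(destination)
        best: Optional[Route] = None
        for r in self._routes:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def next_hop(self, destination: str) -> Optional[str]:
        """Next-hop address for a destination, or None if no route (packet is dropped)."""
        route = self.lookup(destination)
        return route.next_hop if route else None


def build_sample_table() -> RoutingTable:
    """Constructed table: a default route from an EGP plus more specific IGP routes."""
    table = RoutingTable()
    table.install("0.0.0.0/0", "203.0.113.1", "BGP", 20)     # default route to the boundary router
    table.install("10.0.0.0/8", "192.0.2.2", "OSPF", 110)    # aggregate internal prefix
    table.install("10.1.0.0/16", "192.0.2.3", "OSPF", 110)   # more specific internal prefix
    table.install("10.1.2.0/24", "192.0.2.4", "RIP", 120)    # most specific prefix
    return table


if __name__ == "__main__":
    t = build_sample_table()
    for dst in ("10.1.2.3", "10.1.9.9", "10.200.0.1", "8.8.8.8"):
        print(dst, "->", t.next_hop(dst))
    # A withdrawal message removes the /24; traffic falls back to the /16.
    t.withdraw("10.1.2.0/24", "RIP")
    print("after withdraw:", t.next_hop("10.1.2.3"))
```

Because `install` and `withdraw` are driven entirely by received messages, a forged or tampered routing update changes forwarding for every address covered by the affected prefix; that is the reason the text below is concerned with authenticating the messages exchanged between routers.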
Exterior Gateway Protocols (EGPs) are routing protocols that are used for exchanging information about routes between ASes and boundary routers. One type of EGP is the protocol commonly found on the backbone of the Internet, known as the Border Gateway Protocol (BGP). Boundary routers using BGP typically communicate with other routers using UPDATE messages. BGP uses the TCP/IP protocol for communications between routers and includes a number of security features for these communications. For example, it provides for digital signatures on communications between boundary routers.
Conventional systems for using these security features are often inefficient, which can discourage their widespread use. For example, in the context of a Public Key Infrastructure (PKI), secure routing using PKI may involve repeated communications with trusted third parties for key transfer or require multiple encryption/decryption steps. These additional steps are generally inefficient for high-speed routing within the Internet. Another example is use of the Host Identity Protocol (HIP). As with PKI, HIP has not been put into widespread practice for Internet routing because of the changes it requires to the Internet infrastructure.
Other conventional mechanisms for providing security features in the Internet include the Internet Engineering Task Force (IETF) Internet Key Exchange (IKE) protocol and the Internet Protocol Security protocol (IPSec). IPSec permits two endpoints to negotiate and establish a security association (SA) between each other to permit secure transmissions, such as via tunneling. The deployment and adoption of IPSec, however, has been slow, and IPSec requires substantial processing resources. Further, with IPSec, users cannot validate certificates and therefore cannot be sure whether they are communicating with the actual desired endpoint. IKE is used in conjunction with IPSec for key establishment and management; however, it is complicated and has numerous options that make it difficult to use in normal operation.
Without such systems, however, vulnerabilities affecting packets traveling through the Internet are frequently exploited. For example, denial-of-service attacks, worms, and viruses exploit various weaknesses in the Internet infrastructure. Thus, a need exists for efficient mechanisms for managing and distributing keys among network components using the existing infrastructure.