Proof of Concept: Quagga and Bongo
The purpose of Bongo is to illustrate that SDN provides an opportunity to strengthen the entire BGP infrastructure by transparently optimizing and hardening SDN islands. Bongo knows the status and topology of a subset of the network (everything southbound of it) and leverages this knowledge for improved security and performance across that subset. Essentially, Bongo allows BGP updates to be translated into flow rules.
The long-term design of Bongo is to do the following: at all times, costlessly implement ingress and egress filtering of data flows; accept route updates at the control plane; process and update these route updates, given a known SDN state; and update the controller state so that the controller installs the updated rules in the switches.
As a result, attackers have limited ability to leverage devices southbound of Bongo, since traffic that violates BGP policy is denied at ingress.
What are perceived now as the necessary tasks for secure BGP (i.e., S-BGP, route authentication) are handled by Quagga. However, a higher-level trust architecture can be added by Bongo using a trust API, on a logically distinct COTS processor. The demonstrated prototype system shows a simple but previously infeasible analysis of the RIB. The system detects paths distributed with multiple hops within one AS, which is sometimes done for economic reasons. The current instantiation of the reputation system will also identify loops, thus offering the possibility of identifying content hijacking. Even if the only result is identification of current path hijacking, this is a fundamental change from today's practice, where path hijacking is identified by expert examination, because SDN does not give one AS any power to determine the routing of another. Thus, hijacking incidents occur frequently (presumably usually in error) but may persist for months.
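The RIB analysis described above, as an added worked example that is not Bongo's or Quagga's own code: it walks the AS_PATH of each RIB entry, flags ASes that occur as a contiguous run of more than one hop (multiple hops within one AS, i.e., prepending) and ASes that reappear after an intervening AS (a loop), and then translates the routes that pass the loop check into simplified flow rules. The RIB entries, the `RibEntry` type, the `ipv4_dst`/`output` rule shape and the next-hop-to-port mapping are all constructed assumptions for illustration; the policy that a looping path is withheld from the switch (so the default drop applies) is likewise an assumed policy, not one the page specifies.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class RibEntry:
    """One RIB entry: destination prefix, BGP next hop, and the AS_PATH as seen."""
    prefix: str
    next_hop: str
    as_path: Tuple[int, ...]


# Constructed sample RIB (documentation prefixes, private-use ASNs); not real routing data.
SAMPLE_RIB: List[RibEntry] = [
    RibEntry("203.0.113.0/24", "198.51.100.1", (64500, 64501, 64502)),          # clean path
    RibEntry("198.51.100.0/24", "198.51.100.1", (64500, 64500, 64500, 64503)),   # AS 64500 prepended 3x
    RibEntry("192.0.2.0/24", "198.51.100.2", (64510, 64511, 64510, 64512)),      # AS 64510 reappears: loop
]


def as_runs(as_path: Tuple[int, ...]) -> List[Tuple[int, int]]:
    """Collapse the AS_PATH into (asn, run_length) pairs of consecutive identical hops."""
    runs: List[List[int]] = []
    for asn in as_path:
        if runs and runs[-1][0] == asn:
            runs[-1][1] += 1
        else:
            runs.append([asn, 1])
    return [(asn, length) for asn, length in runs]


def prepended_ases(as_path: Tuple[int, ...]) -> Set[int]:
    """ASes that appear as multiple consecutive hops (multiple hops within one AS)."""
    return {asn for asn, length in as_runs(as_path) if length > 1}


def looping_ases(as_path: Tuple[int, ...]) -> Set[int]:
    """ASes that appear in more than one run, i.e. the path left the AS and came back."""
    seen: Dict[int, int] = {}
    for asn, _ in as_runs(as_path):
        seen[asn] = seen.get(asn, 0) + 1
    return {asn for asn, count in seen.items() if count > 1}


def analyse_rib(rib: List[RibEntry]) -> Dict[str, Dict[str, Set[int]]]:
    """Per-prefix findings: which ASes are prepended and which ASes form loops."""
    return {
        entry.prefix: {
            "prepended": prepended_ases(entry.as_path),
            "loops": looping_ases(entry.as_path),
        }
        for entry in rib
    }


def flow_rules(rib: List[RibEntry], port_for_next_hop: Dict[str, int]) -> List[dict]:
    """Translate accepted routes into simplified match/action rules (assumed rule shape).

    Routes whose AS_PATH contains a loop are withheld, so the trailing default-drop rule
    applies to them; prepended paths are legitimate and are installed, only flagged above.
    """
    rules: List[dict] = []
    for entry in rib:
        if looping_ases(entry.as_path):
            continue  # assumed policy: do not program a looping path into the switch
        rules.append({
            "priority": 100,
            "match": {"ipv4_dst": entry.prefix},
            "action": f"output:{port_for_next_hop[entry.next_hop]}",
        })
    # Lowest-priority catch-all: anything not learned via an accepted route is dropped.
    rules.append({"priority": 0, "match": {}, "action": "drop"})
    return rules


if __name__ == "__main__":
    for prefix, findings in analyse_rib(SAMPLE_RIB).items():
        print(prefix, findings)
    for rule in flow_rules(SAMPLE_RIB, {"198.51.100.1": 1, "198.51.100.2": 2}):
        print(rule)
```

Run as a script, it lists the findings for each sample prefix and then the rules that would be handed to the controller; only the two prefixes with non-looping paths receive a forwarding rule, and the default drop comes last.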
The demonstration illustrates, in one case, the economic alignment of security and operations in the merged networks (BGP, SDN). It offers the promise of a more resilient BGP through merging it with islands of SDN.