As the rollout of secure route origin authentication with RPKI slowly gains traction, there is a push to standardize secure path validation for BGP (i.e., S*BGP: "Secure BGP", soBGP, BGPSEC, etc.). The transition to S*BGP is expected to be long and slow, with S*BGP coexisting in "partial deployment" alongside BGP for a long time. We show that, given the routing policies likely to be most popular during partial deployment, S*BGP can provide only meagre improvements to security over route origin authentication with RPKI. We also present new vulnerabilities that can arise from the complex interactions betweenBGP and S*BGP in partial deployment, and guidelines for S*BGP deployment that can alleviate some of these vulnerabilities.
full paper is at http://arxiv.org/abs/1307.2690