DISCO - Decentralized Infrastructure for Security and Certification of Origins

Schapira Michael, HUJI, School of Computer Science and Engineering, Computer Science


The Internet infrastructure was not designed with security in mind, and is consequently alarmingly vulnerable to attacks and configuration errors. Despite the consensus on the urgency of securing BGP routing, replacing BGP with S*BGP is still not on the horizon.

Our Innovation

New paradigm for securing BGP (Border Gateway Protocol) routing and a simple-to-deploy system.

DISCO is intended as a means to “jumpstart” BGP security and is hence engineered to both bypass the obstacles to deployment of RPKI (Resource Public Key Infrastructure) and S*BGP (Secure BGP), and to provide significant security benefits and incentives for adoption even under partial deployment.


Fig.1 DISCO Registration Architecture



DISCO (1) does not involve replacing or modifying legacy BGP routers, and (2) is inherently decentralized and flat in that it allows any AS to adopt the system without having to wait for other ASes to adopt, and does not rely on a single root-of-trust. A combination of security analyses, extensive simulations, and experiments with an open-source prototype implementation of DISCO, shows that it is remarkably effective, even with a modest number of adopting parties, and can significantly improve interdomain routing security. We view DISCO as a practical solution for the (potentially many years long, if not indefinite) interim period before RPKI and S*BGP are fully deployed.



DISCO deploys prefix-DB servers, distributed across national, political, organizational, and geographic boundaries. To adopt DISCO an AS administrator installs its agent on a host machine and registers its IP-prefix in DISCO as described below. Figure 1 illustrates a deployment of DISCO with 5 pre x-DB servers and two adopting ASes, 1 and 2.  The network contains 11 other ASes (with numbers in the range 10 to 300).

To facilitate rapid deployment, installation of DISCO requires minimal effort by the AS administrator. To deploy DISCO, the administrator only has to install the agent, as illustrated for AS 1 and AS 2 in Figure 1. The administrator can configure the agents with the addresses of the AS's BGP routers and administrative credentials to automate network configuration, allowing simple plug-and-play deployment



Contact for more information:

Aviv Shoher
Contact ME: