Border Gateway Protocol (BGP) and BGP Security

Jeff Gribschaw, Sai Thwin

ECE 4112 Final Project, April 28, 2005

ECE 4112 - Internetwork Security

Page 2

Agenda

• BGP Overview
• Security Issues of BGP
• Proposed Security Solutions for BGP
• Introduction to the Lab

Page 3

BGP Overview

• Border Gateway Protocol (BGP)
  – Provides inter-domain routing between Autonomous Systems (ASes)
  – BGP Neighbors exchange Reachability information by using Route Advertisements
  – Uses Path Vector Routing to prevent loops
    – Route Advertisements include the AS-Path
    – BGP routers will not forward a received advertisement if their AS number is in the AS-Path
  – Application layer protocol that relies on TCP to provide reliable transport layer services
  – Supports Policy Based Routing

Page 4

BGP Overview

• Autonomous Systems
  – A set of routers that fall under a single management authority
  – Can use various interior routing systems
  – Develop relationships with other Autonomous Systems
    – Peering Connections and Transit Connections
  – Have at least one BGP router (or BGP Speaker) which serves as the gateway to the internet

Page 5

BGP Overview

Autonomous Systems Tiers and Connections

[Figure: autonomous system tiers (Tier 1, Tier 2, “BIG ISP”) linked by transit connections and a peer connection]

Page 6

BGP Overview

• Exterior Border Gateway Protocol (EBGP)
  – Used between BGP Speakers in separate ASes
  – EBGP Routers exchange reachability information only with neighbor ASes with whom they are willing to carry traffic
• Interior BGP (IBGP)
  – Used between BGP speakers in ASes which have multiple BGP routers (gateways to other ASes)
  – Purpose is to maintain a common view of current reachability information

Page 7

BGP Overview

• BGP Message Types
  – OPEN—sent immediately after a TCP session is initiated
  – UPDATE—used to exchange routing information
    – Route Advertisements
    – Route Withdrawals
  – KEEPALIVE—used to maintain the TCP Connection
  – NOTIFICATION—used to report errors (closes the connection)

Page 8

BGP Overview

• BGP Path Selection Process
  – Supports Policy Based Routing
  – Algorithm includes the following attributes (in relative order)
    1. Weight
    2. Local Preference
    3. Use route originated by current router
    4. Shortest AS_Path
    5. Lowest Origin type (internal, external, incomplete)
    6. Multi-Exit Discriminator
  – Many other BGP Attributes
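The AS-Path loop rule from the earlier overview slide and the ordered comparison listed above, as an added Python sketch (not part of the original slides). The `Route` class, its default values and the candidate routes are constructed for illustration, and MED is compared unconditionally for simplicity.

```python
from dataclasses import dataclass

ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}  # IGP < EGP < incomplete: lower wins


@dataclass(frozen=True)
class Route:
    next_hop: str
    as_path: tuple              # leftmost AS is the neighbor, rightmost the originator
    weight: int = 0             # local to the router; higher wins
    local_pref: int = 100       # higher wins
    locally_originated: bool = False
    origin: str = "i"
    med: int = 0                # lower wins


def preference_key(r):
    """Sort key in the slide's order; the smallest key is the preferred route."""
    return (-r.weight, -r.local_pref, not r.locally_originated,
            len(r.as_path), ORIGIN_RANK[r.origin], r.med)


def best_path(routes, local_as):
    """Drop advertisements that already carry our AS (loop), then rank the rest."""
    usable = [r for r in routes if local_as not in r.as_path]
    return min(usable, key=preference_key) if usable else None


def deciding_step(a, b):
    """Name the first attribute at which two routes differ, or None on a tie."""
    steps = ("weight", "local_pref", "locally_originated",
             "as_path length", "origin", "med")
    for name, x, y in zip(steps, preference_key(a), preference_key(b)):
        if x != y:
            return name
    return None


# Constructed candidates for one prefix, as seen by a router in AS 64515.
LOCAL_AS = 64515
CANDIDATES = [
    Route("199.77.33.2", (64900, 64800, 64700)),                  # longer path
    Route("199.110.254.42", (64700,)),                            # shortest path
    Route("199.77.31.1", (64514, 64600, 64700), local_pref=200),  # policy favourite
    Route("199.77.250.241", (64514, 64515, 64700), weight=500),   # carries our AS
]

if __name__ == "__main__":
    best = best_path(CANDIDATES, LOCAL_AS)
    print("best next hop:", best.next_hop)
    print("decided by:", deciding_step(best, CANDIDATES[1]))
```

The route with the highest weight is never considered because its AS-Path already contains the local AS, and the higher Local Preference then beats the shorter AS-Path.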

Page 9

[Figure: GTISC Mini-Net lab topology. Autonomous systems: “TIER 1 - omega” AS 64514, “TIER 1 - Sigma” AS 64515, “GOOD ISP” AS 64600, “BAD ISP” AS 64700, “ENTERPRISE” AS 64800 and “UNIVERSITY” AS 64900, joined by EBGP and IBGP links, plus a honeynet. Routing protocols shown: RIP, OSPF, BGP. Legend: NETWORK/MASK:VLAN, Autonomous System.]

Page 10

[Figure: GTISC Mini-Net, inter-AS view: routers Omega-rtr, Sigma1-rtr, Sigma2-rtr, Badisp-rtr, Goodisp-rtr, Gateway2-rtr, Edge1-rtr and Edge2-rtr with their EBGP and IBGP links, and the networks of each autonomous system (AS 64514, AS 64515, AS 64600, AS 64700, AS 64800, AS 64900). Legend: NETWORK/MASK:VLAN, Autonomous System.]

Page 11

BGP Overview

[Figure: routers Omega-rtr, Sigma1-rtr, Sigma2-rtr, Badisp-rtr, Goodisp-rtr, Gateway2-rtr and Edge1-rtr, and Root1-dns, with the EBGP and IBGP links between “TIER 1 - omega” AS 64514, “TIER 1 - Sigma” AS 64515, “GOOD ISP” AS 64600, “BAD ISP” AS 64700, “ENTERPRISE” AS 64800 and “UNIVERSITY” AS 64900]

Page 12

BGP Overview

• BGP is the only protocol that provides inter-domain routing for the internet

• It is a critical piece of the Internet’s infrastructure

Page 13

Security Issues of BGP

• Communication between peers is not protected from eavesdropping
  – Modification can be prevented by using TCP MD5 “signatures”
• Subject to all lower layer vulnerabilities
• DOS/DDOS Attacks
  – Can be used to target TCP Port 179 used by BGP
  – Potential to close connections
  – Potential to result in dropped Update messages
• Attacks may come from trusted routers that have been compromised
  – Smaller ISPs with poor security provide good targets
  – Mesh connected design means gaining access to any BGP speaker can have a significant impact on the Internet

Page 14

Security Issues of BGP

• Easy to Inject False Advertisements
  – Bad Configuration (BGP is hard!)
  – Malicious Attacks
    – TCP Spoofing (Can be used to close TCP connection)
    – Hijack TCP Session
    – Can result in a Denial of Service Attack based on flood of BGP Update messages to withdraw routes and then advertise new routes
• No authentication within BGP

Page 15

Proposed Security Solutions for BGP

• Secure-BGP and Secure Origin BGP
  – Both use PKI (public-key cryptography) to verify the source of advertisements
    – Verify that the originating AS has the authority to advertise certain IP networks
    – Limit the effects of a compromise to one AS

Page 16

Proposed Security Solutions for BGP

• Secure-BGP
  – Uses out of band certificates
  – Each AS on the path must go to a certificate site to verify the source of the route
• Secure Origin BGP
  – Uses in band certificates
  – Each AS along the path adds its signature to the update message

Page 17

Proposed Security Solutions for BGP

• Secure-BGP and Secure Origin BGP
  – Both have severe routing overheads
    – May increase routing overhead by 800%
  – For either protocol to be effective, every AS must adopt it
  – No consensus, so neither protocol has experienced widespread adoption

Page 18

Introduction to the Lab

• Introduction to BGP
• Provide opportunity to get hands on BGP
  – Observe BGP traffic
  – Observe BGP configurations
  – Configure a BGP router
  – Conduct 2 Practical Exercises

Page 19

Introduction to the Lab

Page 20

Introduction to the Lab

[Figure: routers Omega-rtr, Sigma1-rtr, Sigma2-rtr, Badisp-rtr, Goodisp-rtr, Gateway2-rtr and Edge1-rtr, and Root1-dns, with the EBGP and IBGP links between “TIER 1 - omega” AS 64514, “TIER 1 - Sigma” AS 64515, “GOOD ISP” AS 64600, “BAD ISP” AS 64700, “ENTERPRISE” AS 64800 and “UNIVERSITY” AS 64900]

Page 21

Screenshot#1

Page 22

Introduction to the Lab

Observe BGP Router Information using the show ip bgp command

BGP table version is 80, local router ID is 199.110.254.41
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 57.35.5.0/24     199.110.254.42           0             0 64700 i
*> 57.35.6.0/24     199.110.254.42           0             0 64700 i
*> 57.35.7.0/24     199.110.254.42           0             0 64700 i
*> 57.35.10.0/24    199.110.254.42           0             0 64700 i
*  62.7.200.32/30   199.77.33.2              0             0 64900 i
*>                  199.77.250.241           0             0 64514 i
* i                 199.77.31.1              0    100      0 64514 i
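An added Python example (not part of the original slides) that parses `show ip bgp` rows like those above and reports routes whose originating AS is not permitted for the prefix, the check the Secure-BGP slides describe as verifying the originating AS. The column spacing of the sample, the `AUTHORISED` allow-list and the last sample row are assumptions constructed for illustration.

```python
import ipaddress
import re

# Rows 1-5 come from the slide's output, re-aligned to fixed columns (the
# spacing is an assumption); the last row is constructed to show a finding.
SAMPLE = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 57.35.5.0/24     199.110.254.42           0             0 64700 i
*> 57.35.10.0/24    199.110.254.42           0             0 64700 i
*  62.7.200.32/30   199.77.33.2              0             0 64900 i
*>                  199.77.250.241           0             0 64514 i
* i                 199.77.31.1              0    100      0 64514 i
*  57.35.6.0/24     199.77.33.2              0             0 64900 64800 i
"""

# Hypothetical allow-list: address block -> ASes permitted to originate it.
AUTHORISED = {
    "57.35.0.0/16": {64700},
    "62.7.200.32/30": {64514, 64900},
}

IPV4 = r"\d+(?:\.\d+){3}"
ROW = re.compile(rf"^(?P<flags>.{{3}})(?P<net>{IPV4}/\d+)?\s+(?P<nh>{IPV4})\s")


def parse_table(text):
    """Parse route rows; Metric/LocPrf may be blank, so Path is cut by column."""
    lines = text.splitlines()
    path_col = lines[0].index("Path")
    routes, prefix = [], None
    for line in lines[1:]:
        m = ROW.match(line)
        if not m:
            continue
        prefix = m["net"] or prefix  # blank Network column: same prefix as above
        *as_path, origin_code = line[path_col:].split()
        routes.append({"prefix": prefix, "next_hop": m["nh"],
                       "best": ">" in m["flags"], "origin_code": origin_code,
                       "as_path": [int(asn) for asn in as_path]})
    return routes


def unauthorised_origins(routes, authorised=AUTHORISED):
    """Return (prefix, origin AS, next hop) for routes whose originating AS
    (rightmost in the AS path) is not allowed for any covering block."""
    findings = []
    for r in routes:
        net = ipaddress.ip_network(r["prefix"])
        allowed = [ases for block, ases in authorised.items()
                   if net.subnet_of(ipaddress.ip_network(block))]
        if r["as_path"] and allowed and not any(r["as_path"][-1] in a for a in allowed):
            findings.append((r["prefix"], r["as_path"][-1], r["next_hop"]))
    return findings


if __name__ == "__main__":
    for finding in unauthorised_origins(parse_table(SAMPLE)):
        print("unexpected origin:", finding)
```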

Page 23

Introduction to the Lab

Observe BGP Neighbor information using the Show BGP Neighbors command

BGP neighbor is 199.77.30.18, remote AS 64515, internal link
  BGP version 4, remote router ID 199.107.254.253
  BGP state = Established, up for 11w2d
  Last read 00:00:14, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Address family IPv4 Unicast: advertised and received
  Received 113822 messages, 0 notifications, 0 in queue
  Sent 113853 messages, 0 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Default minimum time between advertisement runs is 5 seconds

Page 24

Introduction to the Lab

Section 1.5 Scenario

[Figure: the inter-AS lab topology (AS 64514, AS 64515, AS 64600, AS 64700, AS 64800, AS 64900 and their EBGP and IBGP links) with a path labelled “Primary Route”]

Page 25

Introduction to the Lab

Section 3 Scenario

[Figure: the inter-AS lab topology (AS 64514, AS 64515, AS 64600, AS 64700, AS 64800, AS 64900 and their EBGP and IBGP links) with a path labelled “Alternate Route”]

Page 26

Questions?