Border Gateway Protocol (BGP) and BGP Security
Jeff Gribschaw, Sai Thwin
ECE 4112 Final Project, April 28, 2005
ECE 4112 - Internetwork Security 2
Agenda
• BGP Overview
• Security Issues of BGP
• Proposed Security Solutions for BGP
• Introduction to the Lab
BGP Overview
• Border Gateway Protocol (BGP)
  – Provides inter-domain routing between Autonomous Systems (ASes)
  – BGP neighbors exchange reachability information by using Route Advertisements
  – Uses Path Vector Routing to prevent loops
    – Route Advertisements include the AS-Path
    – BGP routers will not forward a received advertisement if their AS number is in the AS-Path
  – Application layer protocol that relies on TCP to provide reliable transport layer services
  – Supports Policy Based Routing
BGP Overview
• Autonomous Systems
  – A set of routers that fall under a single management authority
  – Can use various interior routing systems
  – Develop relationships with other Autonomous Systems
    – Peering Connections and Transit Connections
  – Have at least one BGP router (or BGP Speaker) which serves as the gateway to the Internet
BGP Overview
Autonomous Systems Tiers and Connections
[Figure: Autonomous System tiers and connections. Labels: BIG ISP (Tier 1), Tier 2, two Transit Connections, one Peer Connection.]
BGP Overview
• Exterior Border Gateway Protocol (EBGP)
  – Used between BGP Speakers in separate ASes
  – EBGP routers exchange reachability information only with neighbor ASes with whom they are willing to carry traffic
• Interior BGP (IBGP)
  – Used between BGP speakers in ASes which have multiple BGP routers (gateways to other ASes)
  – Purpose is to maintain a common view of current reachability information
BGP Overview
• BGP Message Types
  – OPEN—sent immediately after a TCP session is initiated
  – UPDATE—used to exchange routing information
    – Route Advertisements
    – Route Withdrawals
  – KEEPALIVE—used to maintain the TCP connection
  – NOTIFICATION—used to report errors (closes the connection)
BGP Overview
• BGP Path Selection Process
  – Supports Policy Based Routing
  – Algorithm includes the following attributes (in relative order)
    1. Weight
    2. Local Preference
    3. Use route originated by current router
    4. Shortest AS_Path
    5. Lowest Origin type (internal, external, incomplete)
    6. Multi-Exit Discriminator
  – Many other BGP Attributes
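The loop rule from slide 3 and the attribute order from slide 8, as an added example in Go (not code from the slides or from any router vendor): a speaker discards any advertisement whose AS-Path already contains its own AS number, then ranks the survivors attribute by attribute, stopping at the first one that differs. The Route type and the numeric Origin encoding are constructed for illustration; the AS numbers used to exercise it are the lab's.

```go
package main

// Route is one candidate path to a prefix; its fields are the attributes slide 8 compares.
type Route struct {
	NextHop   string
	Weight    int      // local to this router, highest wins
	LocalPref int      // highest wins
	Local     bool     // originated by this router
	ASPath    []uint32 // neighbor AS first, origin AS last
	Origin    int      // 0 = IGP (i), 1 = EGP (e), 2 = incomplete (?); lowest wins
	MED       int      // Multi-Exit Discriminator, lowest wins
}

// Better reports whether a is preferred over b, comparing the attributes in
// the order of slide 8 and stopping at the first one that differs.
func Better(a, b Route) bool {
	switch {
	case a.Weight != b.Weight:
		return a.Weight > b.Weight
	case a.LocalPref != b.LocalPref:
		return a.LocalPref > b.LocalPref
	case a.Local != b.Local:
		return a.Local
	case len(a.ASPath) != len(b.ASPath):
		return len(a.ASPath) < len(b.ASPath)
	case a.Origin != b.Origin:
		return a.Origin < b.Origin
	default:
		return a.MED < b.MED
	}
}

// BestPath first applies the path-vector loop rule of slide 3 (an advertisement
// whose AS-Path already contains myAS is discarded, never forwarded) and then
// picks the best surviving candidate; ok is false when none survive.
func BestPath(myAS uint32, candidates []Route) (best Route, ok bool) {
scan:
	for _, r := range candidates {
		for _, as := range r.ASPath {
			if as == myAS {
				continue scan // our own AS number is already on the path: a loop
			}
		}
		if !ok || Better(r, best) {
			best, ok = r, true
		}
	}
	return best, ok
}
```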
[Figure: GTISC Mini-Net topology. Autonomous Systems: "TIER 1 - Sigma" AS 64515, "TIER 1 - omega" AS 64514, "GOOD ISP" AS 64600, "BAD ISP" AS 64700, "ENTERPRISE" AS 64800, "UNIVERSITY" AS 64900. The diagram shows each AS's Cisco routers, the EBGP and IBGP sessions between them, interior OSPF and RIP domains, DNS and web servers, a honeynet, and the NETWORK/MASK:VLAN assignment of every link.]
[Figure: GTISC Mini-Net reduced to the BGP-speaking routers of the six ASes, their EBGP/IBGP sessions, and the prefixes each AS originates.]
BGP Overview
[Figure: the six Mini-Net ASes (AS 64514, 64515, 64600, 64700, 64800, 64900) and the EBGP and IBGP sessions between their border routers.]
BGP Overview
• BGP is the only protocol that provides inter-domain routing for the internet
• It is a critical piece of the Internet’s infrastructure
Security Issues of BGP
• Communication between peers is not protected from eavesdropping
  – Modification can be prevented by using TCP MD5 "signatures"
• Subject to all lower layer vulnerabilities
• DOS/DDOS Attacks
  – Can be used to target TCP Port 179 used by BGP
  – Potential to close connections
  – Potential to result in dropped Update messages
• Attacks may come from trusted routers that have been compromised
  – Smaller ISPs with poor security provide good targets
  – Mesh connected design means gaining access to any BGP speaker can have a significant impact on the Internet
Security Issues of BGP
• Easy to Inject False Advertisements
  – Bad Configuration (BGP is hard!)
  – Malicious Attacks
    – TCP Spoofing (can be used to close the TCP connection)
    – Hijack TCP Session
    – Can result in a Denial of Service attack based on a flood of BGP Update messages to withdraw routes and then advertise new routes
• No authentication within BGP
Proposed Security Solutions for BGP
• Secure-BGP and Secure Origin BGP
  – Both use PKI (public-key cryptography) to verify the source of advertisements
    – Verify that the originating AS has the authority to advertise certain IP networks
    – Limit the effects of a compromise to one AS
Proposed Security Solutions for BGP
• Secure-BGP
  – Uses out of band certificates
  – Each AS on the path must go to a certificate site to verify the source of the route
• Secure Origin BGP
  – Uses in band certificates
  – Each AS along the path adds its signature to the update message
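The idea behind the two proposals on the previous two slides, as an added example in Go (not the S-BGP or soBGP specification and not code from the slides): each AS along the path signs the prefix, the AS-Path through itself and the AS it is forwarding to, and the receiver checks both that the origin is authorized for the prefix and that every hop's signature holds. Ed25519 keys stand in for the certificates and a prefix-to-origin map stands in for the certificate lookup; the AS numbers and prefix used to exercise it are the lab's, but the authorization itself is constructed.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Update is a route advertisement carrying one signature per AS on the path:
// AS Path[i] signed (Prefix, Path[:i+1], next AS) before forwarding it.
type Update struct {
	Prefix string
	Path   []uint32 // AS-Path, origin AS first
	Sigs   [][]byte // Sigs[i] was produced by Path[i]
}

// attest is the byte string an AS signs when forwarding the route to next;
// binding the next AS means a hop cannot be dropped or inserted unnoticed.
func attest(prefix string, path []uint32, next uint32) []byte {
	return []byte(fmt.Sprintf("%s %v %d", prefix, path, next))
}

// Forward is what AS as does before sending u on to AS next: append its
// own number to the path and sign the result with its private key.
func Forward(u Update, as uint32, priv ed25519.PrivateKey, next uint32) Update {
	path := append(append([]uint32{}, u.Path...), as)
	sig := ed25519.Sign(priv, attest(u.Prefix, path, next))
	return Update{u.Prefix, path, append(append([][]byte{}, u.Sigs...), sig)}
}

// Verify is run by the receiving AS me. auth (prefix -> authorized origin
// AS) stands in for the certificate lookup; pub holds each AS's public key.
func Verify(u Update, me uint32, pub map[uint32]ed25519.PublicKey, auth map[string]uint32) error {
	if len(u.Path) == 0 || len(u.Sigs) != len(u.Path) {
		return fmt.Errorf("malformed update for %s", u.Prefix)
	}
	if origin, ok := auth[u.Prefix]; !ok || origin != u.Path[0] {
		return fmt.Errorf("AS %d is not authorized to originate %s", u.Path[0], u.Prefix)
	}
	for i, as := range u.Path {
		next := me // the last signer must have addressed the update to us
		if i+1 < len(u.Path) {
			next = u.Path[i+1]
		}
		pk, ok := pub[as]
		if !ok || !ed25519.Verify(pk, attest(u.Prefix, u.Path[:i+1], next), u.Sigs[i]) {
			return fmt.Errorf("signature from AS %d does not verify", as)
		}
	}
	return nil
}
```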
Proposed Security Solutions for BGP
• Secure-BGP and Secure Origin BGP
  – Both have severe routing overheads
    – May increase routing overhead by 800%
  – For either protocol to be effective, every AS must adopt it
  – No consensus, so neither protocol has experienced widespread adoption
Introduction to the Lab
• Introduction to BGP
• Provide opportunity to get hands on BGP
  – Observe BGP traffic
  – Observe BGP configurations
  – Configure a BGP router
  – Conduct 2 Practical Exercises
Introduction to the Lab
[Figure: the Mini-Net BGP diagram used in the lab: the six ASes (AS 64514, 64515, 64600, 64700, 64800, 64900), their border routers, and the EBGP/IBGP sessions between them.]
[Figure: Screenshot #1]
Introduction to the Lab
Observe BGP router information using the show ip bgp command

    BGP table version is 80, local router ID is 199.110.254.41
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network          Next Hop            Metric LocPrf Weight Path
    *> 57.35.5.0/24     199.110.254.42           0             0 64700 i
    *> 57.35.6.0/24     199.110.254.42           0             0 64700 i
    *> 57.35.7.0/24     199.110.254.42           0             0 64700 i
    *> 57.35.10.0/24    199.110.254.42           0             0 64700 i
    *  62.7.200.32/30   199.77.33.2              0             0 64900 i
    *>                  199.77.250.241           0             0 64514 i
    * i                 199.77.31.1              0    100      0 64514 i
Introduction to the Lab
Observe BGP neighbor information using the show bgp neighbors command

    BGP neighbor is 199.77.30.18, remote AS 64515, internal link
      BGP version 4, remote router ID 199.107.254.253
      BGP state = Established, up for 11w2d
      Last read 00:00:14, hold time is 180, keepalive interval is 60 seconds
      Neighbor capabilities:
        Route refresh: advertised and received(new)
        Address family IPv4 Unicast: advertised and received
      Received 113822 messages, 0 notifications, 0 in queue
      Sent 113853 messages, 0 notifications, 0 in queue
      Route refresh request: received 0, sent 0
      Default minimum time between advertisement runs is 5 seconds
Introduction to the Lab
Section 1.5 Scenario
[Figure: the Mini-Net BGP diagram (AS 64514, 64515, 64600, 64700, 64800, 64900 and their EBGP/IBGP sessions) with the Primary Route highlighted.]
Introduction to the Lab
Section 3 Scenario
[Figure: the same Mini-Net BGP diagram with the Alternate Route highlighted.]
Questions?