Page 1: CNT 5410 - Computer and Network Security: BGP Security
Southeastern Security for Enterprise and Infrastructure (SENSEI) Center
Professor Kevin Butler, Fall 2015


Page 2: Internet inter-AS routing: BGP

• BGP (Border Gateway Protocol): the de facto standard
• BGP provides each AS a means to:
  • eBGP: obtain subnet reachability information from neighboring Autonomous Systems (ASes).
  • iBGP: propagate reachability information to all AS-internal routers.
  • Determine “good” routes to subnets based on reachability information and policy.
• Allows a subnet to advertise its existence to the rest of the Internet: “I am here”

Page 3: BGP basics

• BGP session: two BGP routers (“peers”) exchange BGP messages:
  • advertising paths to different destination network prefixes (“path vector” protocol)
  • exchanged over semi-permanent TCP connections
• When AS3 advertises a prefix to AS1:
  • AS3 promises it will forward datagrams towards that prefix
  • AS3 can aggregate prefixes in its advertisement

[Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (routers 2a, 2b, 2c) and AS3 (routers 3a, 3b); eBGP sessions between the ASes, iBGP sessions inside each AS; links labelled “other networks” lead off the diagram]

Page 4: Prefix?

• How do routers advertise sets of IP addresses?
• Keeping a full list of every address reachable through a router is wasteful: think of the memory usage.
• We instead rely on address aggregation:

[Figure: the addresses 192.168.1.0, 192.168.1.1, …, 192.168.1.255 aggregate into the prefix 192.168.1.0/24, which in turn lies within 192.168.0.0/16]

Page 5: Distributing reachability info

• Using an eBGP session between 3a and 1c, AS3 sends prefix reachability info to AS1.
• 1c can then use iBGP to distribute this new prefix reachability info to all routers in AS1.
• 1b can then re-advertise the new reachability info to AS2 over the 1b-to-2a eBGP session.
• When a router learns of a new prefix, it creates an entry for the prefix in its forwarding table.

[Figure: the same AS1/AS2/AS3 topology as on page 3]

Page 6: Path attributes & BGP routes

• When advertising a prefix, the advertisement includes BGP attributes.
  • prefix + attributes = “route”
• Two important attributes:
  • AS-PATH: contains the ASes through which the prefix advertisement has passed, e.g., AS 67 AS 17
  • NEXT-HOP: indicates the specific internal-AS router to the next-hop AS. (There may be multiple links from the current AS to the next-hop AS.)
• When a gateway router receives a route advertisement, it uses an import policy to accept or decline it.
  • e.g., never route through AS x
  • policy-based routing

Page 7: BGP route selection

• A router may learn about more than one route to some prefix. The router must select a route.
• Elimination rules:
  • Local preference value attribute: policy decision
  • Shortest AS-PATH
  • Closest NEXT-HOP router: hot potato routing
  • Additional criteria
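As an added example (not from the slides), the elimination rules of this slide and the “never route through AS x” import policy of the previous one, written as a small Python decision procedure; the prefix, AS numbers, router names and IGP costs are constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple      # ASes the advertisement passed through, nearest neighbour first
    next_hop: str       # internal router that leads to the next-hop AS
    local_pref: int = 100

# Constructed IGP cost from this router to each internal NEXT-HOP router of AS1
IGP_COST = {"1b": 5, "1c": 20, "1d": 1}

def import_policy(route, never_via=frozenset(), prefer_neighbour=None):
    """Import policy: decline routes through forbidden ASes; raise LOCAL_PREF for a preferred neighbour."""
    if set(never_via) & set(route.as_path):              # "never route through AS x"
        return None
    if prefer_neighbour is not None and route.as_path and route.as_path[0] == prefer_neighbour:
        return replace(route, local_pref=200)
    return route

def select_route(candidates):
    """Elimination rules in order: highest LOCAL_PREF, shortest AS-PATH, closest NEXT-HOP (hot potato)."""
    survivors = [r for r in candidates if r is not None]
    if not survivors:
        return None
    top = max(r.local_pref for r in survivors)
    survivors = [r for r in survivors if r.local_pref == top]
    shortest = min(len(r.as_path) for r in survivors)
    survivors = [r for r in survivors if len(r.as_path) == shortest]
    # Hot potato: hand the packet to the cheapest exit; the router name breaks ties (stand-in for "additional criteria")
    return min(survivors, key=lambda r: (IGP_COST[r.next_hop], r.next_hop))

def best_route(adverts, never_via=frozenset(), prefer_neighbour=None):
    return select_route([import_policy(r, never_via, prefer_neighbour) for r in adverts])

# Constructed advertisements for one prefix as seen by a gateway router in AS1
ADVERTS = [
    Route("10.7.0.0/16", (3, 7), "1c"),       # learned from AS3, two ASes away
    Route("10.7.0.0/16", (2, 5, 7), "1b"),    # learned from AS2, three ASes away
    Route("10.7.0.0/16", (4, 7), "1d"),       # learned from AS4, two ASes away, cheapest exit
]

if __name__ == "__main__":
    print(best_route(ADVERTS))
```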

Page 8: BGP messages

• BGP messages are exchanged using TCP.
• BGP messages:
  • OPEN: opens a TCP connection to the peer and authenticates the sender
  • UPDATE: advertises a new path (or withdraws an old one)
  • KEEPALIVE: keeps the connection alive in the absence of UPDATEs; also ACKs the OPEN request
  • NOTIFICATION: reports errors in the previous message; also used to close the connection

Page 9: BGP routing policy

• A, B, C are provider networks.
• 1, 2, 3 are customers (of the provider networks).
• 2 is multi-homed: attached to two networks.
• 2 does not want to route from B via 2 to C
  • ... so 2 will not advertise to B a route to C

[Figure: provider networks A, B, C and customer networks 1, 2, 3; 2 is attached to both B and C]

Page 10: BGP routing policy (2)

• A advertises to B the path A1
• B advertises to 2 the path BA1
• Should B advertise to C the path BA1?
  • No way! B gets no “revenue” for routing CBA1 since neither 1 nor C is B’s customer
  • B wants to force C to route to 1 via A
  • B wants to route only to/from its customers!

[Figure: the same provider/customer topology as on page 9]
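As an added example (not from the slides), the provider/customer export rule behind pages 9 and 10, coded in Python. The relationships between A, B, C, 1 and 2 follow the slides; treating A, B and C as peers of one another is an assumption, and 3 is left out because the slides do not say where it attaches.

```python
from collections import deque

# Business relationships constructed from the slides: A, B, C are providers, 1 is a
# customer of A, 2 is multi-homed to B and C. A, B and C are modelled as peers of one
# another (assumption; the slides only show them interconnected).
RELATION = {}   # (x, y) -> how x sees y: "customer", "provider" or "peer"

def provider_of(provider, customer):
    RELATION[(provider, customer)] = "customer"
    RELATION[(customer, provider)] = "provider"

def peers(x, y):
    RELATION[(x, y)] = RELATION[(y, x)] = "peer"

provider_of("A", "1"); provider_of("B", "2"); provider_of("C", "2")
peers("A", "B"); peers("B", "C"); peers("A", "C")

def may_export(learned_from, to):
    """Export rule: a route learned from a customer goes to everyone; a route learned from a
    peer or provider goes only to customers, since nobody pays us to carry that traffic."""
    return learned_from == "customer" or to == "customer"

def propagate(origin):
    """Flood the origin's prefix under the export rule; return the AS-path each network ends up with."""
    paths = {origin: (origin,)}
    learned_from = {origin: "customer"}   # a network's own prefix is exported to everyone
    queue = deque([origin])
    while queue:
        x = queue.popleft()
        for (src, dst), how_x_sees_dst in RELATION.items():
            if src != x or dst in paths:
                continue
            if may_export(learned_from[x], how_x_sees_dst):
                paths[dst] = (dst,) + paths[x]
                learned_from[dst] = RELATION[(dst, x)]
                queue.append(dst)
    return paths

if __name__ == "__main__":
    print(propagate("1"))
```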

Page 11: BGP Security

• Core Problem?
• BGP has absolutely no authentication, so…
  • … anyone between two routers can inject traffic
  • … anyone can claim any path
  • … anyone can claim that they are any origin.
• How does this compare to the security issues we just discussed in DNS?

Page 12: BGP Misconfiguration

• There are numerous examples of BGP misconfigurations that have led to widespread traffic outages:
  • AS 7007 (1997)
  • Con Edison (2006)
  • Pakistan Telecom (2008)
• These incidents are all confirmed to have been accidental.

Page 13: BGP Misconfiguration?

[Figure, captioned “November 2013”]

Page 14: Protecting Sessions

• BGP nodes use TCP connections to communicate.
• What sorts of attacks are they susceptible to?
• Solutions:
  • TTL “Security”
  • MD5 Digests
  • IPsec
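As an added example (not from the slides), a receiver-side check combining the first two solutions on this slide: the TTL test of GTSM (RFC 5082) and the TCP MD5 signature option (RFC 2385). Addresses, the key and the segment are constructed; IPsec is not covered here.

```python
import hashlib, hmac, socket, struct

TCP_MD5_OPTION = 19                                   # option kind, RFC 2385
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"            # BGP KEEPALIVE: marker, length 19, type 4

def tcp_md5_digest(src_ip, dst_ip, header, options_len, payload, key):
    """RFC 2385: MD5 over the IPv4 pseudo-header, the 20-byte TCP header with its checksum
    zeroed (options excluded), the segment data, and finally the shared key."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, 20 + options_len + len(payload))
    return hashlib.md5(pseudo + header[:16] + b"\x00\x00" + header[18:] + payload + key).digest()

def find_md5_option(options):
    """Walk the TCP option list; return the 16-byte digest of the MD5 option, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                                 # end of options
            break
        if kind == 1:                                 # NOP padding
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                                     # truncated or malformed option
        length = options[i + 1]
        if kind == TCP_MD5_OPTION and length == 18:
            return options[i + 2:i + 18]
        i += length
    return None

def build_segment(src_ip, dst_ip, payload, key):
    """Constructed sender side: TCP header to port 179 plus a signed MD5 option (18 bytes + 2 NOPs)."""
    header = struct.pack("!HHIIBBHHH", 40000, 179, 1, 1, (40 // 4) << 4, 0x18, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, header, 20, payload, key)
    return header, bytes([TCP_MD5_OPTION, 18]) + digest + b"\x01\x01"

def accept_segment(src_ip, dst_ip, ttl, header, options, payload, key, max_hops=0):
    """Receiver side: GTSM (RFC 5082) rejects packets whose TTL shows they travelled further than
    a peer at most max_hops routers away could have; then the MD5 signature is checked in constant time."""
    if ttl < 255 - max_hops:
        return False, "ttl too low"
    received = find_md5_option(options)
    if received is None:
        return False, "no MD5 signature option"
    expected = tcp_md5_digest(src_ip, dst_ip, header, len(options), payload, key)
    if not hmac.compare_digest(received, expected):
        return False, "bad MD5 signature"
    return True, "ok"
```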

Page 15: IPsec and the IP protocol stack

• IPsec puts its two main protocols in between IP and the other protocols
  ‣ AH - authentication header
  ‣ ESP - encapsulating security payload
• Other functions are provided by external protocols and architectures
  ‣ Key management/authentication
  ‣ Policy
• Tunnel vs. transport?

[Figure: protocol stack with SMTP, FTP and HTTP over TCP and UDP, and AH/ESP placed between IP and the transport protocols]

Page 16: Practical Issues and Limitations

• IPsec implementations
  • Large footprint
    • resource-poor devices are in trouble
  • New standards to simplify (e.g., JFK, IKEv2)
  • Slow to adopt new technologies
• Issues
  • IPsec tries to be “everything for everybody at all times”
    • Massive, complicated, and unwieldy
  • Policy infrastructure has not emerged
  • Large-scale management tools are limited (e.g., Cisco)
  • Often not used securely (common pre-shared keys)

Page 17: Defensive Filtering

• Prevent “bad” routing updates through careful consideration of new advertisements.
  • CIDR report (for “bogons/martians”)
  • Routing Registries
  • Filter small subnets
  • Prefix number limitations
• Limitations? Such filtering can only remove updates that are obviously bad, and will miss subtle issues/attacks.
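As an added example (not from the slides), the four filters on this slide as one inbound check in Python over a constructed bogon list and a constructed registry; the prefixes are documentation space and the AS numbers are private, standing in for real allocations.

```python
import ipaddress

# Constructed bogon/martian list: reserved or unallocated space that should never be announced
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed routing-registry route objects: registered prefix -> origin AS allowed to announce it
# (real bogon lists also cover these documentation prefixes; they are used here only as stand-ins)
REGISTRY = {ipaddress.ip_network("203.0.113.0/24"): 64500,
            ipaddress.ip_network("198.51.100.0/22"): 64501}

def check_update(prefix, as_path, peer_state, max_prefixes=100, longest=24):
    """Apply the slide's filters in order and return "accept" or "reject: <reason>".
    peer_state counts prefixes accepted from this peer so the prefix-number limit can be enforced."""
    net = ipaddress.ip_network(prefix, strict=False)
    if any(net.subnet_of(b) for b in BOGONS):
        return "reject: bogon/martian prefix"
    if net.prefixlen > longest:                       # "filter small subnets"
        return f"reject: prefix longer than /{longest}"
    origin = as_path[-1]                              # the last AS in the path originated the prefix
    covering = [reg for reg in REGISTRY if net.subnet_of(reg)]
    if not covering:
        return "reject: no route object in registry"
    if all(REGISTRY[reg] != origin for reg in covering):
        return f"reject: AS{origin} is not the registered origin"
    if peer_state.get("accepted", 0) >= max_prefixes:  # "prefix number limitations"
        return "reject: prefix limit reached, session would be torn down"
    peer_state["accepted"] = peer_state.get("accepted", 0) + 1
    return "accept"

if __name__ == "__main__":
    state = {}
    for pfx, path in [("203.0.113.0/24", [64510, 64500]), ("10.20.0.0/16", [64510, 64502])]:
        print(pfx, path, check_update(pfx, path, state))
```

The registry check only sees the origin, which is the limitation the slide names: an update whose prefix and origin match the registry passes even when the rest of the AS-PATH is wrong.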

Page 18: S-BGP

• First comprehensive solution specifically targeting BGP.
• Relies on a PKI for distributing certificates to all ASes.
• Origins (address ranges) are signed and distributed out-of-band.
• Routes are attested by each AS signing the BGP UPDATE message.
• Pro: Comprehensive!
• Con: Heavyweight, slow!
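As an added example (not from the slides), the two attestation types of S-BGP simulated in Python: an out-of-band table of signed address origins and a per-hop chain of route attestations on the UPDATE. Keyed HMACs stand in for the public-key signatures and certificates of the real protocol so the example runs on the standard library; keys, prefix and AS numbers are constructed.

```python
import hashlib, hmac

# Stand-in for the S-BGP PKI: one key per AS (constructed). Real S-BGP issues a certificate
# per AS and uses public-key signatures; HMAC is used here only to keep the example self-contained.
AS_KEYS = {64500: b"key-of-origin-as", 64501: b"key-of-transit-as", 64502: b"key-of-next-as"}

# Constructed address attestations, distributed out-of-band: prefix -> AS authorised to originate it
ADDRESS_ATTESTATIONS = {"203.0.113.0/24": 64500}

def route_attestation(asn, prefix, path_so_far, next_as):
    """An AS signs the prefix, the AS-PATH as it leaves this AS, and the AS it is sending the UPDATE to."""
    msg = f"{prefix}|{'-'.join(map(str, path_so_far))}|{next_as}".encode()
    return hmac.new(AS_KEYS[asn], msg, hashlib.sha256).digest()

def originate(prefix, origin_as, next_as):
    return {"prefix": prefix, "as_path": [origin_as],
            "attestations": [route_attestation(origin_as, prefix, [origin_as], next_as)]}

def forward(update, asn, next_as):
    """Append ourselves to the path and add our attestation on top of the existing chain."""
    path = update["as_path"] + [asn]
    return {"prefix": update["prefix"], "as_path": path,
            "attestations": update["attestations"] + [route_attestation(asn, update["prefix"], path, next_as)]}

def validate(update, receiver_as):
    """Receiver checks the origin against the address attestations, then every hop's route attestation."""
    prefix, path, atts = update["prefix"], update["as_path"], update["attestations"]
    if ADDRESS_ATTESTATIONS.get(prefix) != path[0]:
        return False, f"AS{path[0]} is not authorised to originate {prefix}"
    if len(atts) != len(path):
        return False, "attestation chain does not match the AS-PATH"
    for i, asn in enumerate(path):
        next_as = path[i + 1] if i + 1 < len(path) else receiver_as
        if asn not in AS_KEYS:
            return False, f"no certificate for AS{asn}"
        if not hmac.compare_digest(atts[i], route_attestation(asn, prefix, path[:i + 1], next_as)):
            return False, f"bad route attestation from AS{asn}"
    return True, "ok"

if __name__ == "__main__":
    upd = forward(originate("203.0.113.0/24", 64500, 64501), 64501, 64502)
    print(validate(upd, 64502))
```

Because each attestation names the next AS, a receiver that was not the intended recipient, or a path with a hop removed or inserted, fails validation even though every individual signature is genuine.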

Page 19: … and More

• S-BGP is probably too heavyweight to actually deploy.
• So-BGP allows configurable tradeoffs between security and overhead.
• IRV creates a central repository for validating routing updates.
• Others explore techniques such as signature amortization and efficient data structures to solve S-BGP’s deployment problems.
• Current status: no strong BGP security solution is deployed.

Page 20: Detection Mechanisms

• Multiple Origin AS (MOAS) detection looks for origins that are incorrectly advertised by multiple parties.
• Prefix Hijacking Alert System (PHAS) requires a prefix owner to be notified and approve changes.
• Pretty Good BGP (PGBGP) relies on historical data to determine which changes can be considered “normal”.
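As an added example (not from the slides), a replay of a constructed announcement stream that raises an alert for a new origin the way PGBGP's history check would, and for concurrent origins the way MOAS detection would; the history and activity windows are assumptions, and the notify-the-owner step stands in for PHAS.

```python
from collections import defaultdict

def analyse(updates, history_window=10, active_window=1):
    """Replay (day, prefix, origin_as) announcements in order; return alerts as (day, prefix, kind, detail).
    Assumptions: an origin is 'known' for a prefix if seen within history_window days (PGBGP-style
    history) and 'active' if seen within active_window days (two active origins = MOAS conflict)."""
    last_seen = defaultdict(dict)   # prefix -> {origin_as: day it last announced the prefix}
    alerts = []
    for day, prefix, origin in updates:
        known = {o: d for o, d in last_seen[prefix].items() if day - d <= history_window}
        if known and origin not in known:
            alerts.append((day, prefix, "PGBGP",
                           f"AS{origin} is a new origin for a prefix usually announced by {sorted(known)}; "
                           "depreference the route for now and notify the owner (PHAS)"))
        active = {o for o, d in known.items() if day - d <= active_window} | {origin}
        if len(active) > 1:
            alerts.append((day, prefix, "MOAS", f"{sorted(active)} announce this prefix at the same time"))
        last_seen[prefix][origin] = day
    return alerts

# Constructed announcement stream (documentation prefixes, private ASNs)
UPDATES = [
    (1, "203.0.113.0/24", 64500), (2, "203.0.113.0/24", 64500), (3, "198.51.100.0/24", 64501),
    (6, "203.0.113.0/24", 64500), (6, "203.0.113.0/24", 64666),   # day 6: a second origin appears
    (8, "203.0.113.0/24", 64500),                                  # owner keeps announcing: nothing new
    (30, "203.0.113.0/24", 64500),                                 # history expired, lone announcer: no alert
]

if __name__ == "__main__":
    for alert in analyse(UPDATES):
        print(alert)
```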

Page 21: Importance

• Without BGP, the Internet simply does not exist.
  • Networks are simply isolated islands.
• If large-scale routing attacks occur, it may be a VERY long time before traffic becomes routable again.
  • Bellovin argues that the Internet may actually NEVER come back up.
• Deploying some secure inter-domain routing system will be the next great challenge in Internet security.