Transcript Document 7521054

Border Gateway Protocol
Vasant Reddy
Contents
•
•
•
•
•
•
•
•
•
Introduction
Operation
BGP Types
BGP Header
Message & Attributes
BGP Route Processing
Security Issues
Vulnerabilities
Security Solution
Some Terminology…
• Autonomous System (a.k.a Administrative
Domain) is set of networks which share a
common routing polices Ex : UNT,AT&T
• Interior Gateway Protocols are routing
protocols within an Autonomous System
Ex : RIP,OSPF
• Exterior Gateway Protocols are routing
protocols used between Autonomous Systems
EX : BGP
Introduction
• Border Gateway Protocol –
the “exterior” gateway protocol for
IP address families.
• BGP uses a TCP connection to
exchange information between
peers.
• Policy based
• Incremental Updates
BGP v4
• RFC 1771
• The only Inter Domain routing protocol
currently in use.
• All previous versions of BGP are
obsolete and not in use today.
• Utilizes a Path Vector PV protocol.
• Employs CIDR or Classless inter-domain
routing.
BGP vs IGP
RIP
OSPF
BGP peering
R
R
R
R
R
R
R
R
R
R
R
Neither AS needs to know or care about
the IGP used by the neighboring AS.
BGP propagates routes between them.
R
BGP Operation
•
Runs over a reliable transport protocol (TCP)
•
Uses TCP port 179 to establish connections
•
BGP Speaker is router running BGP protocol ,speakers
communicate across TCP and become peers or neighbors.
•
External links: connections between BGP speakers in different
AS.
•
Internal links: connections between BGP speakers in the same
AS.
•
Resolve connection collisions if two BGP peers
Simultaneously try to open connection.
BGP Session Estblishment
•
Connect.req
SYN(179)
Connect.ind
SYN + ACK
CONNECT.conf
Connect.resp
ACK(179)
TCP session established
DATA.req(OPEN)
DATA(BGPopen)
TCP session Established
DATA.req
DATA.req(OPEN)
DATA(BGPopen)
DATA.req(open)
ACK
BGP Session Established
ACK
BGP Session Established
Origin of “Routes” for BGP
• Learned from other BGP routers
 BGP router only propagates the received routes
• Static configuration
 BGP router is configured to advertise some
prefixes
 Drawback : requires manual configuration
 Advantage : Stable set of advertised prefixes
• Learned from an Interior Gateway Protocol
 prefixes received from the IGP are advertised by
the BGP router usually as an aggregate
 Advantage :BGP advertisements follow network
state, prefix is automatically withdrawn by BGP it
is not reachable via IGP
eBGP and iBGP
• eBGP
– BGP running between two different
ASs
• iBGP
– BGP running within the same AS
– An AS has multiple BGP speakers
– Distribute routing info among BGP
routers
– Minor but important difference with
eBGP
BGP Header
•
16
Marker
•
Type
Data
Contains an authentication value that the message receiver can predict.
Indicates the total length of the message in bytes.
Type
–
•
Length
var
Length
–
•
1
Marker
–
•
2
Specifies the message type as one of the following:
• Open
• Update
• Notification
• Keep-alive
Data
–
Contains upper-layer information in this optional field.
BGP Message Types
•
•
•
•
Open
Update
Notification
Keep alive
TCP connection always established
throughout the BGP session
Open Messages
• Establish a peering session
• The first message sent after TCP established
• Each peer identify itself to each other
• Negotiate protocol version/parameters
• Security (optional)
Open Message Format
Version (1 octet)
My Autonomous System (2 octet)
Hold Time (2 octet)
BGP identifier (4 octet)
Optional Parameter
Length (1 octet)
Optional parameters (variable length)
Update Message
• Primary message used in a BGP
• Advertises (announces) a prefix to
BGP neighbors/withdraw a
previously advertised message
• Encourage multiple prefixes in a
single Update
Notification Message
• Used when error(s) happen(s)
• TCP will be closed immediately
after notification is sent
• Indicates to remote system why
BGP was terminated
Keepalive Message
• Confirm the connection is still active
• rate depend on the hold timer
negotiated by open message and
update message frequency
• A common header with no other
data
BGP attributes
•
•
•
•
•
•
AS-path attribute
Origin attribute
BGP Nexthop attribute
Weight Attribute
Local preference attribute
Metric attribute
AS-Path Attribute
• A list of AS numbers that a route
has traversed in order to reach a
destination
• Whenever a route update pass
through a new AS, the AS number
is prepended
• AS numbers are listed in order
• If the AS number is already in the
update, the route is dropped.
Origin Attribute
• Mandatory attribute
• Defines the origin of the path
information
• three typical values
– “i”: IGP, interior to the originating AS
– “e”: EGP, learnt via exterior gateway
protocol
– “?”: incomplete, unknown or via
others
Nexthop Attribute
• The next hop IP address used to
reach destination
• For eBGP, always the directly
connected neighbor’s interface
• For iBGP, the nexthop advertised
by eBGP should be carried through
into iBGP
Weight Attribute
• Cisco implementation
• Assigned locally to indicate a router
to choose best exit path
• Does not propagate through router
updates
• Higher weight is preferred
• Default is 0
Local Preference Attribute
• Indicate which route is preferred
• Exchanged among routers in the
same AS through updates
• Higher value is preferred
• Default value is 100
Metric Attribute
• Also called Multi_exit_discriminator
• Exchanged between AS, but not
carried through
• Low value of a metric is more
preferred
• Default value is 0
• Unless specified, router only
compare metrics for paths from the
same neighbor AS
BGP Policies
• BGP provides capability for enforcing various
policies
• Policies are not part of BGP: they are provided
to BGP as configuration information
• BGP enforces policies by choosing paths from
multiple alternatives and controlling
advertisement to other AS’s
Best Path Selection
• Decision Process
– Highest local preference
– Shortest AS path
– eBGP over iBGP
– Lowest IGP metric
– Lowest router id
BGP Router Model
Decide
exactly ONE
best path
Import policy
Receive routes
for prefixes
from multiple
neighbors
Filter out unwanted
routes, and
manipulate the
attributes of
remaining routes
Decision
Process
Export policy
Manipulate attributes of the
best route, influence
neighbor's choice, or decide
whether to advertise the
route to neighbors
BGP Security Issues
• The BGP architecture makes it highly vulnerable to
human errors and malicious attacks against
– Links between routers
– The routers themselves
– Management stations that control routers
• Most router implementations of BGP are susceptible to
various DoS attacks that can crash the router or
severely degrade performance
• Many ISPs rely on local policy filters to protect them
against configuration errors & some forms of attacks,
but creating and maintaining these filters is difficult, time
consuming, and error prone
Vulnerability Note VU#784540
• Overview:
Multiple implementations of the Border Gateway Protocol
(BGP) contain vulnerabilities related to the processing of UPDATE
and OPEN messages. The impacts of these vulnerabilities appear to
be limited to denial of service
• Impact :
A remote attacker can cause a denial of service in a vulnerable
system. In most cases, the attacker would need to act as a valid BGP
peer. BGP session instability can result in "flapping" and other routing
traffic that may adversely effect internet traffic
• Solution :
 Apply patch given by vendor
 Restrict BGP Access using ACL’s
 Authenticate BGP Messages( use MD5,IPSEC)
Vulnerability Note VU#689326
• Overview:
Cisco device running IOS that is enabled for BGP is vulnerable to
a denial-of-service attack via a malformed BGP packet. The specific
nature of the crafted packets exploiting this vulnerability is not known.
IOS is vulnerable only if the device is set up with the bgp log-neighborchanges command.
• Impact :
By sending a specially crafted BGP packet to an affected device,
a remote attacker could cause the device to reload resulting in a DOS
• Solution :
• Apply patch given by vendor
• Systems Affected
• Cisco Systems, Inc
Vulnerability Note VU#106392
•
Overview:
There is a problem involving BGP updates on Cisco routers with
BGP4 and prefix filtering and inbound route maps enabled. A route
update with an unrecognized transitive attribute may cause
vulnerable routers to crash.
•
Impact :
Attackers that are able to send malformed BGP updates can
cause vulnerable routers to crash causing network outages. Under
certain circumstances the attacker may be able to use BGP
infrastructure to propagate the bad route update to multiple routers
•
Solution :
• Apply patch from vendor
•
Systems Affected :
• Cisco Systems, Inc
Basic BGP Security Requirement
• For every UPDATE it receives, a BGP router should
be able to verify that the “owner” of each prefix
authorized the first (origin) AS to advertise the prefix
and that each subsequent AS in the path has been
authorized by the preceding AS to advertise a route
to the prefix
• This requirement, if achieved, allows a BGP router to
detect and reject unauthorized routes, irrespective of
what sort of attack resulted in the bad routes
• Conversely, if a security approach fails to achieve this
requirement, a BGP router will be vulnerable to attacks
that result in misrouting of traffic in some fashion
Security Solution Requirements
• Security architectures for BGP should not rely on “trust”
among ISPs or subscribes
– On a global scale, some ISPs will never be trusted
– Transitive trust in people or organizations causes
mistakes to propagate
• Security solutions must exhibit the same dynamics as the
aspects of BGP they protect
• Both implementation and architectural security concerns
must be addressed
Secure BGP (S-BGP)
• S-BGP is an architectural solution to the BGP security
problems described earlier
• S-BGP represents an extension of BGP
– It uses a standard BGP facility to carry additional data
about paths in UPDATE messages
– It adds an additional set of checks to the BGP route
selection algorithm
• S-BGP avoids the pitfalls of transitive trust that are
common in today’s routing infrastructure
How does S-BGP do it?
• S-BGP makes use of:
– IPsec to secure point-to-point communication of BGP
control traffic
– Public Key Infrastructure to provide an authorization
framework representing address space and AS
“ownership”
– Attestations (digitally-signed data) to bind authorization
information to UPDATE messages
• S-BGP requires routers to:
– Generate an attestation when generating an UPDATE for
another S-BGP router
– Validate attestations associated with each UPDATE
received from another S-BGP router
QUESTIONS?
Questions
• What is difference between IGP and
EGP?
• When is I-BGP needed?
• How does BGP implements
policies?
• Why is BGP vulnerable?
• How S-BGP overcomes security
problems of BGP?
References
• http://totem.info.ucl.ac.be/BGP/slides/bgp-4.pdf
• www.ida.liu.se/~TDTS02/bgp-slides.pdf
• ws.edu.isoc.org/data/2000/1392568124007367
7d0fb5/bgp.ppt
• www.cisco.com/univercd/cc/td/doc/cisintwk/ito_
doc/bgp.html
• www.freesoft.org/CIE/Topics/88.htm
THANK YOU!