Border Gateway Protocol (BGP) Security, LKNOG 8
0 likes269 views
The document provides an overview of Border Gateway Protocol (BGP), its vulnerabilities, and best practices for securing BGP operations. It discusses various security measures such as Resource Public Key Infrastructure (RPKI), community scrubbing, and bogon filtering, emphasizing the importance of configuration and tools. The content is designed for a technical audience and aims to enhance understanding of BGP security strategies.
![29
29
Prefix Limit
• neighbor <x.x.x.x> maximum-prefix <max> [restart N] [<threshold>] [warning-only]
https://flylib.com/books/en/4.208.1.66/1/](https://image.slidesharecdn.com/7-240830015728-6fc82a13/85/Border-Gateway-Protocol-BGP-Security-LKNOG-8-29-320.jpg)
![38
38
BGP Security Measures
– Bogon Filtering
• Private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598 and unallocated number resources to RIR by the Internet
Assigned Numbers Authority. Bogon Route Server Project by Team Cymru is a very helpful way to handle bogons.
– Prefix Limit
• neighbor <x.x.x.x> maximum-prefix <max> [restart N] [<threshold>] [warning-only]
– AS Path Length Limit
• router bgp X0
• bgp maxas-limit 5
– Customer Route Preference
• Setting high local preference on receiving customer routes
– Transit AS Filter
• Carefully making filters on upstream peers so that prefix leaking doesn’t happen.
– Removing Private ASN
• neighbor <ipv4-ptp> remove-private-as
– BGP Admin Distance Higher than IGP & making external, internal, local same
• distance bgp 200 200 200
– MANRS Actions
• Filtering, Global Validation, Co-ordination, Anti-Spoofing](https://image.slidesharecdn.com/7-240830015728-6fc82a13/85/Border-Gateway-Protocol-BGP-Security-LKNOG-8-38-320.jpg)
Border Gateway Protocol (BGP) Security, LKNOG 8
- 1. 1 Securing BGP: Operational Strategies and Best Practices for Network Defenders
- 2. 2 2 • Network engineer and enthusiast for a long time • Working as a Trainer/Analyst @ APNIC • Have an exposer with multi-vendor multi-platform different technologies • A security minded person • Would love to contribute to the community zobair.khan@apnic.net $ whois MD ZOBAIR KHAN
- 3. 3 3 BGP – Border Gateway Protocol • Routing protocol for different network connection • Path vector protocol • Runs on TCP 179 • Lots of policy implement scope • Majorly used for Internet Networks • AS Number is a must • e-BGP & i-BGP
- 4. 4 4 BGP – A TCP Protocol https://www.geeksforgeeks.org/what-is-transmission-control-protocol-tcp/ https://medium.com/@R00tendo/tcp-connection-hijacking-deep-dive-9bbe03fce9a9
- 5. 5 5 BGP Vulnerabilities TCP SYN Floods Man-in-the-Middle Attacks TCP Sequence Number Prediction TCP Session Hijacking TCP Connection Teardown Attacks TCP ACK Storms Route Hijacking Route Leaks BGP Session Hijacking BGP Session Reset Attacks BGP Attribute Manipulation Resource Exhaustion Attacks
- 8. 8 8 TCP Sequence Number Prediction https://www.kareemccie.com/2018/01/what-is-tcp-session-hijacking.html
- 10. 10 10 TCP Connection Tear Down https://www.google.com/url?sa=i&url=https%3A%2F%2Flearningnetwork.cisco.com%2Fs%2Fquestion%2F0D53i00000KswSeCAJ%2Ftcp-connection-termination-is-the-diagram- correct&psig=AOvVaw31fN48L66D8FzJ1JBapdFr&ust=1716015638995000&source=images&cd=vfe&opi=89978449&ved=0CBQQjhxqGAoTCKChy8aOlIYDFQAAAAAdAAAAABD qBA
- 19. 19 19 RPKI – Resource Public Keying Infrastructure ROAs ROAs VALIDATOR SOFTWARE Verification Validated Cache RPKI-RTR ROUTERS RIR REPOSITORIES • Create ROA for owned resources for RPKI • Implementing Validator relying software for ROV • RIR Repositories send ROA information to Validator software • Software builds a validated cache and feed it to router infrastructure over RTR session • Routers enforces policies based on Validated Cache
- 21. 21 21 Filtering – BCP 194 – RFC 7454 Discard Special Case, Bogons, Prefixes Longer than /24(v4) & /48(v6), Own Prefixes, LAN Prefixes, Default Routes Special-Purpose Prefixes Unallocated Prefixes Prefixes That Are Too Specific Filtering Prefixes Belonging to the Local AS and Downstreams IXP LAN Prefixes The Default Route Filters with Internet Peers Filters with Customers Filters with Upstream Providers Inbound Filtering Outbound Filtering
- 25. 25 25 GTSM • Prevent 3rd party attack on eBGP peers. Works best with MD5 Authentication. Must be configured on both peers. • (neighbor <ipv4-ptp> ttl-security hops 1) https://www.researchgate.net/figure/The-Generalized-TTL- Security-Mechanism-GTSM-in-operation-Routers-set-the-TTL- on-a_fig4_228910855
- 26. 26 26 MD5 Authentication • Must be configured on both peers with same password. (neighbor <ipv4-ptp> password CISCO) https://costiser.ro/uploads/tcp-options- calculating-bgp-md5-digest.png
- 27. 27 27 Community Scrubbing Ingress BGP peering policy applied to transit/public/private and downstream peers should remove all inbound communities with SP’s number in the high- order bits, except for the ones used for signaling (e.g. setting BGP Local Preference) https://bgphelp.com/2017/02/02/bgp-best-practices-or-dissecting-rfc-7454/
- 29. 29 29 Prefix Limit • neighbor <x.x.x.x> maximum-prefix <max> [restart N] [<threshold>] [warning-only] https://flylib.com/books/en/4.208.1.66/1/
- 30. 30 30 AS Path Length https://aboutnetworks.net/bgp-load-sharing/ • router bgp X0 • bgp maxas-limit 5
- 33. 33 33 Removing Private AS https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=k A10g000000ClInCAK • neighbor <ipv4-ptp> remove-private-as
- 34. 34 34 BGP Admin Distance BGP Admin Distance Higher than IGP & making external, internal, local same distance bgp 200 200 200 https://study-ccna.com/floating-static-route/
- 37. 37 37 BGP Security Measures – ROA & RPKI • Trust Anchor, Validator Software like Routinator 3000/Fort/OctoRPKI/RPKI-Client, RTR Session, Drop Invalids – Due Diligence Checking with IRR • Whois query, radb, IRR of RIRs – (whois –h whois.apnic.net –i or AS10075 | grep route:) – Filtering (Prefix & AS) • Discard Special Case, Bogons, Prefixes Longer than /24(v4) & /48(v6), Own Prefixes, LAN Prefixes, Default Routes – Using Tools for Filter Generation (bgpq3, rtconfig etc.) • bgpq3 -4 –l NAME AS10075 – RTBH • Black holing unwanted traffic to null – URPF • Difficult for multihoming networks. Can be used in feasible mode – GTSM • Prevent 3rd party attack on eBGP peers. Works best with MD5 Authentication. Must be configured on both peers. • (neighbor <ipv4-ptp> ttl-security hops 1) – MD5 Authentication • Must be configured on both peers with same password. (neighbor <ipv4-ptp> password CISCO) – Community Scrubbing • AS should scrub communities used internally but forward foreign communities.
- 38. 38 38 BGP Security Measures – Bogon Filtering • Private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598 and unallocated number resources to RIR by the Internet Assigned Numbers Authority. Bogon Route Server Project by Team Cymru is a very helpful way to handle bogons. – Prefix Limit • neighbor <x.x.x.x> maximum-prefix <max> [restart N] [<threshold>] [warning-only] – AS Path Length Limit • router bgp X0 • bgp maxas-limit 5 – Customer Route Preference • Setting high local preference on receiving customer routes – Transit AS Filter • Carefully making filters on upstream peers so that prefix leaking doesn’t happen. – Removing Private ASN • neighbor <ipv4-ptp> remove-private-as – BGP Admin Distance Higher than IGP & making external, internal, local same • distance bgp 200 200 200 – MANRS Actions • Filtering, Global Validation, Co-ordination, Anti-Spoofing
- 39. 39 39 References RFC-7454 (BGP Operations and Security) RFC-2827 (Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing) https://bgp4all.com/pfs/_media/conferences/lknog5-bgp-bcp.pdf https://nsrc.org/activities/agendas/en/riso-5-days/networking/routing-security/en/labs/securing-bgp.html https://wq.apnic.net/static/search.html https://github.com/team-cymru/network-security-templates/tree/master/Secure-Router-Templates https://www.ietf.org/archive/id/draft-gill-btsh-01.txt https://datatracker.ietf.org/doc/html/draft-murphy-bgp-vuln-02#section-2 https://www.manrs.org
- 40. 40 40 https://conference.apnic.net/58 APNIC 58 – Save the Date
- 41. 41 41 Acknowledgement • This material is developed from different R&D, RFCs & APNIC Workshop Slides & Slides developed by APNIC, NSRC, MANRS, Dr. Philip Smith & Barry Greene. • This material is open & free to use as long as it is acknowledged and the notice remains in place • This material is designed considering that the audience will be predominantly technical people