Post on 23-Dec-2015
transcript
Border Gateway Protocol
Vasant Reddy
Contents
• Introduction• Operation• BGP Types• BGP Header• Message & Attributes• BGP Route Processing• Security Issues• Vulnerabilities• Security Solution
Some Terminology…
• Autonomous System (a.k.a Administrative Domain) is set of networks which share a common routing polices Ex : UNT,AT&T
• Interior Gateway Protocols are routing protocols within an Autonomous System
Ex : RIP,OSPF
• Exterior Gateway Protocols are routing protocols used between Autonomous Systems
EX : BGP
Introduction
• Border Gateway Protocol – the “exterior” gateway protocol for IP address families.
• BGP uses a TCP connection to exchange information between peers.
• Policy based
• Incremental Updates
BGP v4
• RFC 1771• The only Inter Domain routing protocol
currently in use. • All previous versions of BGP are
obsolete and not in use today.• Utilizes a Path Vector PV protocol. • Employs CIDR or Classless inter-domain
routing.
BGP vs IGP
R R
R
RR
R R
R
R
R
R
R
Neither AS needs to know or care aboutthe IGP used by the neighboring AS. BGP propagates routes between them.
OSPFRIP BGP peering
BGP Operation
• Runs over a reliable transport protocol (TCP)
• Uses TCP port 179 to establish connections
• BGP Speaker is router running BGP protocol ,speakers communicate across TCP and become peers or neighbors.
• External links: connections between BGP speakers in different AS.
• Internal links: connections between BGP speakers in the same AS.
• Resolve connection collisions if two BGP peers Simultaneously try to open connection.
BGP Session Estblishment
• Connect.req
SYN(179)
SYN + ACK
CONNECT.conf
TCP session established
DATA.req(OPEN)DATA(BGPopen)
DATA.req
TCP session Established
DATA(BGPopen)
ACK(179)
ACK
ACK
DATA.req(OPEN)
BGP Session Established
BGP Session Established
Connect.ind
Connect.resp
DATA.req(open)
Origin of “Routes” for BGP
• Learned from other BGP routers BGP router only propagates the received routes
• Static configuration BGP router is configured to advertise some
prefixes Drawback : requires manual configuration Advantage : Stable set of advertised prefixes
• Learned from an Interior Gateway Protocol prefixes received from the IGP are advertised by
the BGP router usually as an aggregate Advantage :BGP advertisements follow network
state, prefix is automatically withdrawn by BGP it is not reachable via IGP
eBGP and iBGP
• eBGP – BGP running between two different ASs
• iBGP– BGP running within the same AS– An AS has multiple BGP speakers– Distribute routing info among BGP
routers– Minor but important difference with
eBGP
BGP Header
• 16 2 1 var
• Marker– Contains an authentication value that the message receiver can predict.
• Length– Indicates the total length of the message in bytes.
• Type– Specifies the message type as one of the following:
• Open • Update • Notification • Keep-alive
• Data– Contains upper-layer information in this optional field.
Marker Length Type Data
BGP Message Types
• Open
• Update
• Notification
• Keep alive
TCP connection always established throughout the BGP session
Open Messages
• Establish a peering session
• The first message sent after TCP established
• Each peer identify itself to each other
• Negotiate protocol version/parameters
• Security (optional)
Open Message Format
Version (1 octet)
My Autonomous System (2 octet)
Hold Time (2 octet)
BGP identifier (4 octet)
Optional ParameterLength (1 octet)
Optional parameters (variable length)
Update Message
• Primary message used in a BGP
• Advertises (announces) a prefix to BGP neighbors/withdraw a previously advertised message
• Encourage multiple prefixes in a single Update
Notification Message
• Used when error(s) happen(s)
• TCP will be closed immediately after notification is sent
• Indicates to remote system why BGP was terminated
Keepalive Message
• Confirm the connection is still active
• rate depend on the hold timer negotiated by open message and update message frequency
• A common header with no other data
BGP attributes
• AS-path attribute
• Origin attribute
• BGP Nexthop attribute
• Weight Attribute
• Local preference attribute
• Metric attribute
AS-Path Attribute
• A list of AS numbers that a route has traversed in order to reach a destination
• Whenever a route update pass through a new AS, the AS number is prepended
• AS numbers are listed in order• If the AS number is already in the
update, the route is dropped.
Origin Attribute
• Mandatory attribute
• Defines the origin of the path information
• three typical values– “i”: IGP, interior to the originating AS– “e”: EGP, learnt via exterior gateway
protocol– “?”: incomplete, unknown or via
others
Nexthop Attribute
• The next hop IP address used to reach destination
• For eBGP, always the directly connected neighbor’s interface
• For iBGP, the nexthop advertised by eBGP should be carried through into iBGP
Weight Attribute
• Cisco implementation
• Assigned locally to indicate a router to choose best exit path
• Does not propagate through router updates
• Higher weight is preferred
• Default is 0
Local Preference Attribute
• Indicate which route is preferred
• Exchanged among routers in the same AS through updates
• Higher value is preferred
• Default value is 100
Metric Attribute
• Also called Multi_exit_discriminator• Exchanged between AS, but not
carried through• Low value of a metric is more
preferred• Default value is 0• Unless specified, router only
compare metrics for paths from the same neighbor AS
BGP Policies
• BGP provides capability for enforcing various policies
• Policies are not part of BGP: they are provided to BGP as configuration information
• BGP enforces policies by choosing paths from multiple alternatives and controlling advertisement to other AS’s
Best Path Selection
• Decision Process– Highest local preference– Shortest AS path– eBGP over iBGP– Lowest IGP metric– Lowest router id
BGP Router Model
Import policy
DecisionProcess
Export policy
Receive routes for
prefixes from multiple
neighbors
Filter out unwanted routes, and manipulate the attributes of remaining routes
Manipulate attributes of the best route, influence
neighbor's choice, or decide whether to
advertise the route to neighbors
Decide exactly
ONE best path
BGP Security Issues• The BGP architecture makes it highly vulnerable to
human errors and malicious attacks against– Links between routers– The routers themselves– Management stations that control routers
• Most router implementations of BGP are susceptible to various DoS attacks that can crash the router or severely degrade performance
• Many ISPs rely on local policy filters to protect them against configuration errors & some forms of attacks, but creating and maintaining these filters is difficult, time consuming, and error prone
Vulnerability Note VU#784540
• Overview: Multiple implementations of the Border Gateway Protocol
(BGP) contain vulnerabilities related to the processing of UPDATE and OPEN messages. The impacts of these vulnerabilities appear to be limited to denial of service
• Impact :A remote attacker can cause a denial of service in a
vulnerable system. In most cases, the attacker would need to act as a valid BGP peer. BGP session instability can result in "flapping" and other routing traffic that may adversely effect internet traffic
• Solution : Apply patch given by vendor Restrict BGP Access using ACL’s Authenticate BGP Messages( use MD5,IPSEC)
Vulnerability Note VU#689326
• Overview:Cisco device running IOS that is enabled for BGP is
vulnerable to a denial-of-service attack via a malformed BGP packet. The specific nature of the crafted packets exploiting this vulnerability is not known. IOS is vulnerable only if the device is set up with the bgp log-neighbor-changes command.
• Impact :By sending a specially crafted BGP packet to an affected
device, a remote attacker could cause the device to reload resulting in a DOS
• Solution :• Apply patch given by vendor
• Systems Affected• Cisco Systems, Inc
Vulnerability Note VU#106392
• Overview: There is a problem involving BGP updates on Cisco routers
with BGP4 and prefix filtering and inbound route maps enabled. A route update with an unrecognized transitive attribute may cause vulnerable routers to crash.
• Impact : Attackers that are able to send malformed BGP updates can
cause vulnerable routers to crash causing network outages. Under certain circumstances the attacker may be able to use BGP infrastructure to propagate the bad route update to multiple routers
• Solution :• Apply patch from vendor
• Systems Affected :• Cisco Systems, Inc
Basic BGP Security Requirement
• For every UPDATE it receives, a BGP router should be able to verify that the “owner” of each prefix authorized the first (origin) AS to advertise the prefix and that each subsequent AS in the path has been authorized by the preceding AS to advertise a route to the prefix
• This requirement, if achieved, allows a BGP router to detect and reject unauthorized routes, irrespective of what sort of attack resulted in the bad routes
• Conversely, if a security approach fails to achieve this requirement, a BGP router will be vulnerable to attacks that result in misrouting of traffic in some fashion
Security Solution Requirements
• Security architectures for BGP should not rely on “trust” among ISPs or subscribes– On a global scale, some ISPs will never be trusted– Transitive trust in people or organizations causes
mistakes to propagate
• Security solutions must exhibit the same dynamics as the aspects of BGP they protect
• Both implementation and architectural security concerns must be addressed
Secure BGP (S-BGP)
• S-BGP is an architectural solution to the BGP security problems described earlier
• S-BGP represents an extension of BGP– It uses a standard BGP facility to carry additional data
about paths in UPDATE messages– It adds an additional set of checks to the BGP route
selection algorithm
• S-BGP avoids the pitfalls of transitive trust that are common in today’s routing infrastructure
How does S-BGP do it?
• S-BGP makes use of:– IPsec to secure point-to-point communication of BGP
control traffic– Public Key Infrastructure to provide an authorization
framework representing address space and AS “ownership”
– Attestations (digitally-signed data) to bind authorization information to UPDATE messages
• S-BGP requires routers to:– Generate an attestation when generating an UPDATE for
another S-BGP router– Validate attestations associated with each UPDATE
received from another S-BGP router
QUESTIONS?
Questions
• What is difference between IGP and EGP?
• When is I-BGP needed?
• How does BGP implements policies?
• Why is BGP vulnerable?
• How S-BGP overcomes security problems of BGP?
References
• http://totem.info.ucl.ac.be/BGP/slides/bgp-4.pdf
• www.ida.liu.se/~TDTS02/bgp-slides.pdf • ws.edu.isoc.org/data/
2000/13925681240073677d0fb5/bgp.ppt• www.cisco.com/univercd/cc/td/doc/cisintwk/
ito_doc/bgp.html• www.freesoft.org/CIE/Topics/88.htm
THANK YOU!