Date posted: 27-Mar-2015
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential
BGP Prefix Origin Validation
Keyur Patel ([email protected])
May, 2011
Security issues with sourcing of BGP Routes
- Any AS can source/announce incorrect prefixes within BGP
  - Either by mistake (most cases)
  - Or with malicious intent
- In either case, an AS can hijack prefixes owned by another AS
  - Has an impact on end-to-end data forwarding
- BGP prefixes can be hijacked by
  - Sourcing a prefix (with better BGP metrics) that is owned by some other AS
  - Sourcing a more specific of a prefix that is owned by some other AS
Prefix hijacking using same prefix with a shorter AS_PATH
Source: nanog 46 preso
Prefix hijacking using a more specific prefix length
Source: nanog 46 preso
BGP Prefix Origin Validation
- Mechanism within BGP to identify incorrectly sourced prefixes and prevent them from being selected as BGP Bestpaths
- Provides Origin AS Validation for BGP prefixes
- Solution for
  - YouTube accident
  - 7007 accident (MAI) that affected SPRINT, UUNET and others
  - Any kind of accidental announcements due to incorrect sourcing of BGP prefixes (99% of mis-announcements fall under this category)
- Does NOT solve BGP path hijacking related issues
  - Origin validation does not provide assurance of the BGP AS_PATH received in an update message
Router Modifications for BGP Prefix Origin Validation
- Router modifications involve implementing three SIDR drafts
- Draft 1: RPKI Router protocol defined in the IETF draft-sidr-rpki-rtr-protocol12.txt
  - Means of communication between a trusted Cache and BGP routers
  - Helps create and maintain within BGP a new address-family specific digested RPKI database in the form of {IP prefix, Origin AS} tuples
  - Edge routers *do NOT* deal with RPKI complexity; they instead use the digested RPKI information to do Origin validation
- Draft 2: Origin Validation related BGP protocol modifications defined in the IETF draft-ietf-sidr-pfx-validate-01.txt
  - Perform Origin AS validation on the AS_PATHs of received EBGP prefixes
  - Invalidate prefixes with an incorrect origin AS
Router Modifications (Cont’d)
- Draft 3: BGP RPKI origin validation state announcement defined in the IETF draft-ietf-sidr-origin-validation-signaling-00.txt
  - Announce the path validation state within an IBGP network using the new extended community defined in draft-ietf-sidr-origin-validation-signaling-00.txt
  - Alternate approach to using the path validation state community: implementations could translate the path validation state into appropriate IBGP parameters that influence BGP Bestpath processing using route policies
RPKI Origin Validation Architecture
[Architecture diagram: hardware signing module holding the private RPKI keys; RPKI engine issuing IP and ASN resource certificates and Route Origin Attestations (ROAs); IR back end with business key/cert management, repository management, and the Up/Down and Publication protocols; RCynic gatherer feeding a near/in-PoP cache/server that speaks the RPKI-to-Router protocol to the BGP speaker; provisioning GUI]
Large ISP deployment for Trusted Caches
[Diagram: the Global RPKI feeds regional caches (Asia, NoAm, Euro), which feed in-PoP caches serving the customer-facing routers]
BGP RPKI Router Protocol
- Client-Server protocol used between trusted RPKI Caches and BGP Routers having EBGP internet peering
- Has TCP or SSHv2 as its transport
- Announces digested RPKI Prefix Origin information in the form of protocol IPvx PDUs
- Has the ability to:
  - request/announce the entire record table at any time during the lifetime of the session
  - do an incremental re-sync or a full announcement of prefix records on session re-establishment
- Initial Cisco IOS release plans to:
  - Run TCP as the transport on its BGP Routers
  - Implement the client side functionality of the RPKI router protocol
RPKI Router Protocol PDUs
Serial Notify
– Local Cache informs router about new data
Serial Query
– Router requests Cache for updates
Reset Query
– Router requests Cache to send its entire database
Cache Response
– Cache replies to Reset Query by announcing its entire database
End of Data PDU
– Cache signals end of database announcements
RPKI Router Protocol PDU (cont’d)
Cache Reset
– Local Cache informs router about its inability to provide an incremental update for a particular Serial Query
Error Report
– Used to signal errors detected while parsing PDUs
– Internal Errors: memory exhaustion, code assertion failures, etc.
– No Data Available: Cache cannot provide an incremental update to a particular Serial Query
IPv4 Prefix
– Used to announce an IPv4 Prefix
IPv6 Prefix
– Used to announce an IPv6 Prefix
RPKI Router Protocol Typical Exchange
Validator Cache Router
~ ~
| <----- Reset Query -------- | R requests data
| |
| ----- Cache Response -----> | C confirms request
| ------- IPvX Prefix ------> | C sends zero or more
| ------- IPvX Prefix ------> | IPv4 and IPv6 Prefix
| ------- IPvX Prefix ------> | Payload PDUs
| ------ End of Data ------> | C sends End of Data
| | and sends new serial
RPKI Router Protocol Incremental Exchange (cont’d)
Validator Cache Router
~ ~
| -------- Notify ----------> | (optional)
| |
| <----- Serial Query ------- | R requests data
| |
| ----- Cache Response -----> | C confirms request
| ------- IPvX Prefix ------> | C sends zero or more
| ------- IPvX Prefix ------> | IPv4 and IPv6 Prefix
| ------- IPvX Prefix ------> | Payload PDUs
| ------ End of Data ------> | C sends End of Data
| | and sends new serial
~ ~
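An added Python example (not code from the slides or from any Cisco product) that encodes the Cache Response, Prefix and End of Data PDUs of the two exchanges above and parses them on the router side, handling both a full load after a Reset Query and an incremental update with withdrawals after a Serial Query. It assumes the version 0 PDU layout of the RPKI-Router protocol (an 8-byte header of version, type, session id or zero, and total length); the ROA values and session/serial numbers are constructed.

```python
import struct
from ipaddress import ip_address, IPv4Address, IPv6Address

# PDU type codes and the 8-byte header (version, type, session id or zero,
# total length) of the RPKI-Router protocol; version 0 layout is assumed.
CACHE_RESPONSE, IPV4_PREFIX, IPV6_PREFIX, END_OF_DATA = 3, 4, 6, 7
HEADER = struct.Struct("!BBHI")

def build_prefix_pdu(prefix, prefix_len, max_len, asn, announce=True):
    """Cache -> Router Prefix PDU; flags bit 0 is 1 for announce, 0 for withdraw."""
    addr = ip_address(prefix)
    body = struct.pack("!BBBB", 1 if announce else 0, prefix_len, max_len, 0)
    body += addr.packed + struct.pack("!I", asn)
    pdu_type = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    return HEADER.pack(0, pdu_type, 0, HEADER.size + len(body)) + body

def build_cache_response_stream(session_id, serial, roas):
    """Cache Response, zero or more Prefix PDUs, End of Data with the new serial."""
    stream = HEADER.pack(0, CACHE_RESPONSE, session_id, HEADER.size)
    for roa in roas:
        stream += build_prefix_pdu(*roa)
    return stream + HEADER.pack(0, END_OF_DATA, session_id, 12) + struct.pack("!I", serial)

def parse_cache_exchange(data):
    """Router side: return (session id, serial, sorted (prefix, len, maxlen, AS) records)."""
    records, session_id, offset = set(), None, 0
    while offset + HEADER.size <= len(data):
        version, pdu_type, sess, length = HEADER.unpack_from(data, offset)
        if version != 0 or length < HEADER.size or offset + length > len(data):
            raise ValueError("malformed PDU header at offset %d" % offset)
        body = data[offset + HEADER.size:offset + length]
        if pdu_type == CACHE_RESPONSE:
            session_id = sess
        elif pdu_type in (IPV4_PREFIX, IPV6_PREFIX):
            flags, plen, maxlen, _zero = struct.unpack_from("!BBBB", body)
            alen, acls = (4, IPv4Address) if pdu_type == IPV4_PREFIX else (16, IPv6Address)
            (asn,) = struct.unpack_from("!I", body, 4 + alen)
            rec = (str(acls(body[4:4 + alen])), plen, maxlen, asn)
            if flags & 1:
                records.add(rec)       # announcement
            else:
                records.discard(rec)   # withdrawal, used in incremental updates
        elif pdu_type == END_OF_DATA:
            if sess != session_id:
                raise ValueError("End of Data session id differs from Cache Response")
            (serial,) = struct.unpack_from("!I", body)
            return session_id, serial, sorted(records)
        offset += length
    raise ValueError("stream truncated or ended without End of Data")
```

A truncated stream, or an End of Data whose session id differs from the Cache Response, is rejected rather than partially applied, which is the check a router needs before replacing its validation table.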
RPKI Router Protocol and BGP Interaction
[Diagram: an RPKI Validator Cache connected over the RPKI Router protocol (TCP based client) to the BGP Border Router, which holds an AF-specific Prefix Validation database and AF-specific BGP tables; the border router has eBGP peering with an eBGP Neighbor Router and iBGP peering with an iBGP Neighbor Router (e.g. a Route Reflector)]
BGP Border Router
- Receives prefixes from ibgp & ebgp peers
- Does Inline prefix validation
- Does Event-based validation on cache updates
BGP Modifications - High Level Code Flow
1. Process received EBGP update messages
2. Set Validation State for the BGP NLRIs and origin AS received in an update message
3. Apply any inbound policies if configured
   – may use the path validation state computed by Prefix origin validation to set different policies
4. Store the path in Adj-Rib-In
5. Run Modified BGP Bestpath
6. Evaluate the prefix for update generation to ibgp peers
   – outbound policies may use the path validation state to manipulate different BGP attributes
   – Use a well-known extended community to announce the path validation state
Prefix Validation Logic
query key = <BGP prefix, masklen>, data = origin AS
result = BGP_PFXV_STATE_NOT_FOUND
walk prefix validation table to look for the query key
for each matched “entry” node in prefix validation table,
    prefix_exists = TRUE
    walk all records with different maxLength values
    for each “record” within range (query masklen <= maxLength)
        if query origin AS == record origin AS
            result = BGP_PFXV_STATE_VALID
            return (result)
        endif
    endfor
endfor
if prefix_exists == TRUE,
    result = BGP_PFXV_STATE_INVALID
endif
return (result)
BGP Bestpath Selection Modifications
Path Validation States (in order of preference)
– BGP_PFXV_STATE_VALID (Lookup successful)
– BGP_PFXV_STATE_NOT_FOUND (Not in the table)
– BGP_PFXV_STATE_INVALID (Lookup invalid: different origin AS, or masklen not in the range)
BGP Bestpath Modifications
Input: Received Path, Current Bestpath
- If the Received Path is an ibgp learnt path without a path validation state, then skip the Prefix Origination check
- If the Received Path’s Prefix Origination Check state is BGP_PFXV_STATE_INVALID, then prefer the Current Bestpath
- else if the Received Path’s Prefix Origination Check state > Current Bestpath Prefix Origination Check state, then prefer the Current Bestpath
- else (they are equal) proceed to the next Bestpath check step
Rest of the BGP Bestpath Steps
- Normal Bestpath computation follows if the path validation state is converted into BGP parameters as part of a policy change
Policy and Path Validation State
- Route-maps extended to modify policies based on the path validation state
- Effective way of tweaking bestpath selection for ibgp paths based on their path validation state
- Route-map example:
route-map rpki permit 10
match rpki invalid
set local-preference 50
route-map rpki permit 20
match rpki incomplete
set local-preference 100
route-map rpki permit 30
match rpki valid
set local-preference 200
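An added Python example (not code from the slides or from Cisco IOS) that implements the Prefix Validation Logic above over a constructed ROA table in the shape of the rpki-table output, then maps the resulting state to the local-preference values of the route-map example. The table contents are assumptions, as is the reading of the route-map keyword incomplete as the not-found state.

```python
from ipaddress import ip_network

# The three validation states of the slide's pseudocode (BGP_PFXV_STATE_*)
VALID, NOT_FOUND, INVALID = "valid", "not found", "invalid"

# Constructed ROA table in the {Network, Maxlen, Origin-AS} shape of
# "show ip bgp rpki-table"; illustrative values only, not real ROAs.
ROA_TABLE = [
    ("1.1.0.0/16", 24, 1),
    ("4.0.0.0/8", 8, 3),
    ("12.0.0.0/8", 16, 13979),   # two records for one prefix with different
    ("12.0.0.0/8", 8, 7018),     # maxLength and origin AS values
    ("2001:db8::/32", 48, 64496),
]

def validate(prefix, origin_as, roas=ROA_TABLE):
    """Return the validation state of one (prefix, origin AS) query."""
    query = ip_network(prefix, strict=False)
    prefix_exists = False            # becomes True on the first covering ROA
    for roa_prefix, max_len, roa_as in roas:
        # strict=False canonicalises host bits, e.g. "8.2.0.0/8" -> 8.0.0.0/8
        roa_net = ip_network(roa_prefix, strict=False)
        if roa_net.version != query.version:
            continue
        # "matched entry node": the ROA prefix covers the queried prefix
        if roa_net.prefixlen > query.prefixlen or not query.subnet_of(roa_net):
            continue
        prefix_exists = True
        # "record within range" with the same origin AS -> VALID, stop searching
        if query.prefixlen <= max_len and origin_as == roa_as:
            return VALID
    # covered by at least one ROA but never validated -> INVALID; else NOT_FOUND
    return INVALID if prefix_exists else NOT_FOUND

# Local-preference set by the slide's "route-map rpki" example; the route-map
# keyword "incomplete" is taken here to mean the not-found state.
ROUTE_MAP_LOCAL_PREF = {INVALID: 50, NOT_FOUND: 100, VALID: 200}

def local_pref_for(prefix, origin_as, roas=ROA_TABLE):
    """Validation state and the local-preference the example route-map would apply."""
    state = validate(prefix, origin_as, roas)
    return state, ROUTE_MAP_LOCAL_PREF[state]

if __name__ == "__main__":
    for p, asn in [("1.1.0.0/16", 1), ("12.0.0.0/12", 7018), ("9.2.0.0/16", 34000)]:
        print(p, asn, local_pref_for(p, asn))
```

Note how 12.0.0.0/12 from AS 7018 comes out invalid: the prefix is covered by two ROAs, but the one with the matching origin AS stops at maxLength 8, so a more specific from the right AS is still rejected.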
BGP CLI Modifications
- Global CLI to [de-]configure the cache server
- AF specific BGP Bestpath CLI Changes
  – Disable Prefix Validation Globally
  – Allow paths with an invalid rpki state for Bestpath computation
- iBGP Neighbor CLI Changes
  – Announcement of Prefix Validation State using a well-known extended community
- Route-map policy knob to filter on path validation state
IOS Show Commands
uut1# show ip bgp rpki-table
12 BGP sovc network entries using 1056 bytes of memory
13 BGP sovc record entries using 208 bytes of memory
Network Maxlen Origin -AS Color Source
1.1.0.0/16 24 1 0 0
3.0.0.0/24 24 2 0 0
4.0.0.0/24 24 3 0 0
4.0.0.0/8 8 3 0 0
5.0.0.0/24 24 4 0 0
8.0.0.0/4 6 200 0 0
8.2.0.0/8 24 36394 0 0
9.2.0.0/16 24 34000 0 0
10.0.0.0/6 8 100 0 0
11.0.0.0/16 24 100 0 0
12.0.0.0/8 16 13979 0 0
12.0.0.0/8 8 7018 0 0
20.137.0.0/21 21 4237 0 0
IOS Show Commands - Valid IPv4 Prefix
uut1# show ip bgp 1.1.0.0/16
BGP routing table entry for 1.1.0.0/16, version 19
Paths: (1 available, best #1, table default)
Advertised to update-groups:
1 2
1
20.0.101.1 from 20.0.101.1 (20.0.101.1)
Origin IGP, localpref 100, valid, external, best
RPKI State valid
IOS Show Commands - Invalid IPv4 Prefix
uut1#show ip bgp 8.0.0.0/6
BGP routing table entry for 8.0.0.0/6, version 25
Paths: (1 available, no best path)
Not advertised to any peer
100
20.0.101.4 from 20.0.101.4 (20.0.101.4)
Origin IGP, localpref 100, valid, external
RPKI State invalid
IOS Show Commands - Not Found IPv4 Prefix
uut1#show ip bgp 8.0.0.0
BGP routing table entry for 8.0.0.0/8, version 10
Paths: (1 available, best #1, table default)
Advertised to update-groups:
1 2
65000
20.0.101.10 from 20.0.101.10 (20.0.101.10)
Origin IGP, localpref 100, valid, external, best
RPKI State not found
Code Status
Prototype code for BGP Origin Validation available for IOS (7200s) and IOS-XR
IOS Marketing Roadmap has it for RLS12 in 2011. Similar Roadmap for IOS-XR.
Contact Ed Kern ([email protected]) or Bertrand Duvivier ([email protected]) if interested
Remember: Please generate your Certificates and ROAs!