
Border Gateway Protocol Vasant Reddy. Contents Introduction Operation BGP Types BGP Header Message &...

Date post: 23-Dec-2015
Upload: augustus-hunt

Border Gateway Protocol

Vasant Reddy


Contents

• Introduction
• Operation
• BGP Types
• BGP Header
• Message & Attributes
• BGP Route Processing
• Security Issues
• Vulnerabilities
• Security Solution


Some Terminology…

• Autonomous System (a.k.a. Administrative Domain): a set of networks that share a common routing policy. Ex: UNT, AT&T

• Interior Gateway Protocols are routing protocols used within an Autonomous System. Ex: RIP, OSPF

• Exterior Gateway Protocols are routing protocols used between Autonomous Systems. Ex: BGP


Introduction

• Border Gateway Protocol – the “exterior” gateway protocol for IP address families.

• BGP uses a TCP connection to exchange information between peers.

• Policy based

• Incremental Updates


BGP v4

• RFC 1771
• The only inter-domain routing protocol currently in use.
• All previous versions of BGP are obsolete and not in use today.
• Utilizes a Path Vector (PV) protocol.
• Employs CIDR, or Classless Inter-Domain Routing.


BGP vs IGP

[Diagram: routers (R) in two autonomous systems, one labelled OSPF and one labelled RIP, joined by a BGP peering]

Neither AS needs to know or care about the IGP used by the neighboring AS. BGP propagates routes between them.


BGP Operation

• Runs over a reliable transport protocol (TCP)

• Uses TCP port 179 to establish connections

• A BGP speaker is a router running the BGP protocol; speakers communicate across TCP and become peers or neighbors.

• External links: connections between BGP speakers in different ASs.

• Internal links: connections between BGP speakers in the same AS.

• Connection collisions are resolved if two BGP peers simultaneously try to open a connection.


BGP Session Establishment

[Sequence diagram between two BGP peers. TCP handshake on port 179: Connect.req, SYN(179), Connect.ind, Connect.resp, SYN + ACK, CONNECT.conf, ACK; the TCP session is then established on both sides. Each peer then issues DATA.req(OPEN), carried as DATA(BGPopen) and acknowledged with ACK; the BGP session is then established on both sides.]


Origin of “Routes” for BGP

• Learned from other BGP routers
  – A BGP router only propagates the received routes

• Static configuration
  – The BGP router is configured to advertise some prefixes
  – Drawback: requires manual configuration
  – Advantage: stable set of advertised prefixes

• Learned from an Interior Gateway Protocol
  – Prefixes received from the IGP are advertised by the BGP router, usually as an aggregate
  – Advantage: BGP advertisements follow network state; a prefix is automatically withdrawn by BGP if it is not reachable via the IGP


eBGP and iBGP

• eBGP – BGP running between two different ASs

• iBGP – BGP running within the same AS
  – An AS has multiple BGP speakers
  – Distributes routing info among BGP routers
  – Minor but important difference with eBGP


BGP Header

Field layout: Marker (16 octets), Length (2 octets), Type (1 octet), Data (variable)

• Marker – Contains an authentication value that the message receiver can predict.

• Length – Indicates the total length of the message in bytes.

• Type – Specifies the message type as one of the following:
  – Open
  – Update
  – Notification
  – Keep-alive

• Data – Contains upper-layer information in this optional field.


BGP Message Types

• Open

• Update

• Notification

• Keep alive

The TCP connection stays established throughout the BGP session


Open Messages

• Establish a peering session

• The first message sent after the TCP connection is established

• Each peer identifies itself to the other

• Negotiate protocol version/parameters

• Security (optional)


Open Message Format

• Version (1 octet)
• My Autonomous System (2 octets)
• Hold Time (2 octets)
• BGP Identifier (4 octets)
• Optional Parameter Length (1 octet)
• Optional Parameters (variable length)
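A strict receiver-side parser for the header and OPEN layouts on these two slides. This is an added example, not code from the presentation; the function names, the error class and the sample values are assumptions made here, and the marker, length and hold-time checks follow the BGP-4 specification.

```python
import ipaddress
import struct

HEADER_LEN = 19          # Marker (16) + Length (2) + Type (1)
MAX_MESSAGE_LEN = 4096   # largest message BGP-4 allows
MESSAGE_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}


class BGPParseError(ValueError):
    """Raised for any message that fails validation (hypothetical name)."""


def parse_header(buf: bytes):
    """Return (type_name, body) for exactly one BGP message held in buf."""
    if len(buf) < HEADER_LEN:
        raise BGPParseError("shorter than the 19-octet header")
    marker, length, msg_type = struct.unpack("!16sHB", buf[:HEADER_LEN])
    # With no authentication in use, the predictable marker value is all ones.
    if marker != b"\xff" * 16:
        raise BGPParseError("unexpected marker")
    if not HEADER_LEN <= length <= MAX_MESSAGE_LEN:
        raise BGPParseError(f"length {length} out of range")
    if length != len(buf):
        raise BGPParseError("length field does not match bytes received")
    if msg_type not in MESSAGE_TYPES:
        raise BGPParseError(f"unknown type {msg_type}")
    if MESSAGE_TYPES[msg_type] == "KEEPALIVE" and length != HEADER_LEN:
        raise BGPParseError("KEEPALIVE must be the header only")
    return MESSAGE_TYPES[msg_type], buf[HEADER_LEN:]


def parse_open(body: bytes) -> dict:
    """Decode the fixed OPEN fields and check the optional-parameter length."""
    if len(body) < 10:
        raise BGPParseError("OPEN body shorter than its fixed fields")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack("!BHH4sB", body[:10])
    if version != 4:
        raise BGPParseError(f"unsupported version {version}")
    if hold_time in (1, 2):
        raise BGPParseError("hold time must be 0 or at least 3 seconds")
    if opt_len != len(body) - 10:
        raise BGPParseError("optional parameter length disagrees with body")
    return {"version": version, "my_as": my_as, "hold_time": hold_time,
            "bgp_id": str(ipaddress.IPv4Address(bgp_id)),
            "optional_parameters": body[10:]}


def build_open(my_as: int, hold_time: int, bgp_id: str) -> bytes:
    """Construct a sample OPEN with no optional parameters (test input)."""
    body = struct.pack("!BHH4sB", 4, my_as, hold_time,
                       ipaddress.IPv4Address(bgp_id).packed, 0)
    return b"\xff" * 16 + struct.pack("!HB", HEADER_LEN + len(body), 1) + body
```

Every length is checked against the bytes actually received before any field is read, which is the class of check whose absence leads to crashes on malformed OPEN and UPDATE messages.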


Update Message

• Primary message used in BGP

• Advertises (announces) a prefix to BGP neighbors, or withdraws a previous advertisement

• Encourages carrying multiple prefixes in a single Update


Notification Message

• Used when error(s) happen(s)

• TCP will be closed immediately after notification is sent

• Indicates to remote system why BGP was terminated


Keepalive Message

• Confirm the connection is still active

• Rate depends on the hold timer negotiated in the Open message and on Update message frequency

• A common header with no other data


BGP attributes

• AS-path attribute

• Origin attribute

• BGP Nexthop attribute

• Weight Attribute

• Local preference attribute

• Metric attribute


AS-Path Attribute

• A list of AS numbers that a route has traversed in order to reach a destination

• Whenever a route update passes through a new AS, the AS number is prepended

• AS numbers are listed in order

• If the AS number is already in the update, the route is dropped.


Origin Attribute

• Mandatory attribute

• Defines the origin of the path information

• Three typical values
  – “i”: IGP, interior to the originating AS
  – “e”: EGP, learnt via exterior gateway protocol
  – “?”: incomplete, unknown or via others


Nexthop Attribute

• The next hop IP address used to reach destination

• For eBGP, always the directly connected neighbor’s interface

• For iBGP, the nexthop advertised by eBGP should be carried through into iBGP


Weight Attribute

• Cisco implementation

• Assigned locally on a router to indicate the best exit path

• Does not propagate through router updates

• Higher weight is preferred

• Default is 0


Local Preference Attribute

• Indicate which route is preferred

• Exchanged among routers in the same AS through updates

• Higher value is preferred

• Default value is 100


Metric Attribute

• Also called Multi_exit_discriminator
• Exchanged between ASs, but not carried through
• A lower metric value is preferred
• Default value is 0
• Unless specified, a router only compares metrics for paths from the same neighbor AS


BGP Policies

• BGP provides capability for enforcing various policies

• Policies are not part of BGP: they are provided to BGP as configuration information

• BGP enforces policies by choosing paths from multiple alternatives and controlling advertisement to other AS’s


Best Path Selection

• Decision Process
  – Highest local preference
  – Shortest AS path
  – eBGP over iBGP
  – Lowest IGP metric
  – Lowest router id


BGP Router Model

Receive routes for prefixes from multiple neighbors, then:

• Import policy: filter out unwanted routes, and manipulate the attributes of remaining routes

• Decision Process: decide exactly ONE best path

• Export policy: manipulate attributes of the best route, influence neighbor's choice, or decide whether to advertise the route to neighbors
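The import filter and the decision process from the last two slides, written out as an added example that is not part of the original presentation. The `Route` fields, `LOCAL_AS`, the exact-match prefix filter and the sample routes are assumptions made here; only the five comparison steps and the default local preference of 100 come from the slides.

```python
import ipaddress
from dataclasses import dataclass

LOCAL_AS = 64500  # assumed local AS number (private-use range)


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple            # leftmost entry is the most recently prepended AS
    local_pref: int = 100     # default value from the Local Preference slide
    ebgp: bool = True         # learned over an external link
    igp_metric: int = 0       # IGP cost to reach the next hop
    router_id: str = "0.0.0.0"


def import_policy(routes, allowed_prefixes):
    """Drop looped routes and prefixes the local filter does not permit."""
    return [r for r in routes
            if LOCAL_AS not in r.as_path        # own AS in the path: loop
            and r.prefix in allowed_prefixes]   # local prefix filter


def preference_key(r: Route):
    """Sort key in the slide's order; the smallest key is the best path."""
    return (-r.local_pref,                      # highest local preference
            len(r.as_path),                     # shortest AS path
            0 if r.ebgp else 1,                 # eBGP over iBGP
            r.igp_metric,                       # lowest IGP metric
            int(ipaddress.IPv4Address(r.router_id)))  # lowest router id


def best_paths(routes, allowed_prefixes):
    """Return exactly one best route per prefix that survives import policy."""
    best = {}
    for r in import_policy(routes, allowed_prefixes):
        current = best.get(r.prefix)
        if current is None or preference_key(r) < preference_key(current):
            best[r.prefix] = r
    return best


# Constructed sample routes (documentation prefixes, private-use AS numbers).
SAMPLE = [
    Route("203.0.113.0/24", (64510, 64520), router_id="10.0.0.2"),
    Route("203.0.113.0/24", (64530,), router_id="10.0.0.3"),
    Route("203.0.113.0/24", (64540, 64550, 64560), local_pref=200,
          router_id="10.0.0.4"),
    Route("203.0.113.0/24", (64570, LOCAL_AS), local_pref=300,
          router_id="10.0.0.5"),
    Route("198.51.100.0/24", (64530,), router_id="10.0.0.3"),
]
```

With equal local preference the shorter AS path wins, so local preference and the import filter are the only things in this process standing between a router and an unexpectedly short path for a prefix.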


BGP Security Issues

• The BGP architecture makes it highly vulnerable to human errors and malicious attacks against
  – Links between routers
  – The routers themselves
  – Management stations that control routers

• Most router implementations of BGP are susceptible to various DoS attacks that can crash the router or severely degrade performance

• Many ISPs rely on local policy filters to protect them against configuration errors and some forms of attacks, but creating and maintaining these filters is difficult, time consuming, and error prone


Vulnerability Note VU#784540

• Overview: Multiple implementations of the Border Gateway Protocol (BGP) contain vulnerabilities related to the processing of UPDATE and OPEN messages. The impacts of these vulnerabilities appear to be limited to denial of service.

• Impact: A remote attacker can cause a denial of service in a vulnerable system. In most cases, the attacker would need to act as a valid BGP peer. BGP session instability can result in "flapping" and other routing traffic that may adversely affect internet traffic.

• Solution:
  – Apply patch given by vendor
  – Restrict BGP access using ACLs
  – Authenticate BGP messages (use MD5, IPsec)


Vulnerability Note VU#689326

• Overview: A Cisco device running IOS that is enabled for BGP is vulnerable to a denial-of-service attack via a malformed BGP packet. The specific nature of the crafted packets exploiting this vulnerability is not known. IOS is vulnerable only if the device is set up with the bgp log-neighbor-changes command.

• Impact: By sending a specially crafted BGP packet to an affected device, a remote attacker could cause the device to reload, resulting in a DoS.

• Solution:
  – Apply patch given by vendor

• Systems Affected:
  – Cisco Systems, Inc


Vulnerability Note VU#106392

• Overview: There is a problem involving BGP updates on Cisco routers with BGP4 and prefix filtering and inbound route maps enabled. A route update with an unrecognized transitive attribute may cause vulnerable routers to crash.

• Impact: Attackers that are able to send malformed BGP updates can cause vulnerable routers to crash, causing network outages. Under certain circumstances the attacker may be able to use BGP infrastructure to propagate the bad route update to multiple routers.

• Solution:
  – Apply patch from vendor

• Systems Affected:
  – Cisco Systems, Inc


Basic BGP Security Requirement

• For every UPDATE it receives, a BGP router should be able to verify that the “owner” of each prefix authorized the first (origin) AS to advertise the prefix and that each subsequent AS in the path has been authorized by the preceding AS to advertise a route to the prefix

• This requirement, if achieved, allows a BGP router to detect and reject unauthorized routes, irrespective of what sort of attack resulted in the bad routes

• Conversely, if a security approach fails to achieve this requirement, a BGP router will be vulnerable to attacks that result in misrouting of traffic in some fashion


Security Solution Requirements

• Security architectures for BGP should not rely on “trust” among ISPs or subscribers
  – On a global scale, some ISPs will never be trusted
  – Transitive trust in people or organizations causes mistakes to propagate

• Security solutions must exhibit the same dynamics as the aspects of BGP they protect

• Both implementation and architectural security concerns must be addressed


Secure BGP (S-BGP)

• S-BGP is an architectural solution to the BGP security problems described earlier

• S-BGP represents an extension of BGP
  – It uses a standard BGP facility to carry additional data about paths in UPDATE messages
  – It adds an additional set of checks to the BGP route selection algorithm

• S-BGP avoids the pitfalls of transitive trust that are common in today’s routing infrastructure


How does S-BGP do it?

• S-BGP makes use of:
  – IPsec to secure point-to-point communication of BGP control traffic
  – Public Key Infrastructure to provide an authorization framework representing address space and AS “ownership”
  – Attestations (digitally-signed data) to bind authorization information to UPDATE messages

• S-BGP requires routers to:
  – Generate an attestation when generating an UPDATE for another S-BGP router
  – Validate attestations associated with each UPDATE received from another S-BGP router
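The check stated on the "Basic BGP Security Requirement" slide, applied to the attestations listed here: the prefix owner authorizes the origin AS, and each AS authorizes the next one. This is an added sketch, not S-BGP code; HMAC with constructed per-AS keys stands in for the digital signatures and PKI, and all names, keys and the message encoding are assumptions.

```python
import hashlib
import hmac

# Constructed demo keys. HMAC is a stand-in for the public-key signatures of
# S-BGP attestations; a real verifier holds certificates, not shared keys.
KEYS = {"owner": b"k-owner", 64501: b"k-64501", 64502: b"k-64502"}
PREFIX_OWNER = {"203.0.113.0/24": "owner"}   # assumed address-allocation record


def sign(signer, *fields) -> bytes:
    """Stand-in signature by signer over the given fields."""
    msg = "|".join(str(f) for f in fields).encode()
    return hmac.new(KEYS[signer], msg, hashlib.sha256).digest()


def address_attestation(prefix, origin_as) -> bytes:
    """The prefix owner authorizes origin_as to originate the prefix."""
    return sign(PREFIX_OWNER[prefix], "addr", prefix, origin_as)


def route_attestation(signer_as, prefix, path_so_far, next_as) -> bytes:
    """signer_as authorizes next_as to advertise prefix via path_so_far."""
    path = ",".join(str(a) for a in path_so_far)
    return sign(signer_as, "route", prefix, path, next_as)


def validate_update(prefix, as_path, addr_att, route_atts, local_as):
    """Validate an UPDATE; as_path is origin-first here. Returns (ok, reason)."""
    owner = PREFIX_OWNER.get(prefix)
    if owner is None or not as_path or any(a not in KEYS for a in as_path):
        return False, "unknown prefix owner or AS"
    expected = sign(owner, "addr", prefix, as_path[0])
    if not hmac.compare_digest(addr_att, expected):
        return False, "origin AS not authorized by prefix owner"
    if len(route_atts) != len(as_path):
        return False, "attestation count does not match AS path"
    for i, signer in enumerate(as_path):
        # The last AS in the path must have authorized us, the receiver.
        next_as = as_path[i + 1] if i + 1 < len(as_path) else local_as
        expected = route_attestation(signer, prefix, as_path[: i + 1], next_as)
        if not hmac.compare_digest(route_atts[i], expected):
            return False, f"AS {signer} did not authorize AS {next_as}"
    return True, "ok"
```

Because every attestation names the next AS, an UPDATE with a changed origin, a shortened path, or one forwarded to a router it was not issued for fails validation whatever produced it.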


QUESTIONS?


Questions

• What is the difference between IGP and EGP?

• When is I-BGP needed?

• How does BGP implement policies?

• Why is BGP vulnerable?

• How does S-BGP overcome the security problems of BGP?



THANK YOU!

