Peering Security DKNOG, March 14-15, 2019 Susan Forney and Walt Wollny

Peering Security DKNOG, March 14-15, 2019 Susan Forney and Walt Wollny Hurricane Electric AS6939

The Most Peering Exchanges Hurricane Electric - Massive Peering!

Why worry about peering security?
A peering connection is not much safer than the ports you expose to the Internet. A peering port can be a back door into your network. As the Internet as a whole is getting very serious about security, it is probably time to take a very critical look at your peering sessions. Let's start by reviewing the basics.

Defending your network
The basic defenses for an exchange port are:
- Logical port security
- Routing security
- Best practices

Port Security
Your IX port exposes your network to security risks that are inherent to a layer 2 port. Do not connect an interface with a default configuration to an IX port: dozens, sometimes hundreds, of other networks are directly connected to the same LAN. Many IXPs publish their recommended port configuration (HKIX, AMS-IX, etc.). Most IXs allow only unicast traffic; IPv6 neighbor discovery, which uses multicast, is the exception.

Port Security
Configure IPv4 and IPv6 ACLs for your interfaces:
- Permit traffic from the IX subnet to the IX subnet.
- Deny traffic from any other IPs to the IX subnet.
- Permit any any at the end of the ACL.
Many exchanges have suggested port configurations.

Example IX port configuration (Cisco IOS syntax):
interface ethernet 0/1
 ! no discovery protocols chattering toward the other networks on the LAN
 no cdp enable
 no lldp transmit
 no mop enable
 udld port disable
 ! layer 3 hygiene on the exchange LAN
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
 ! do not send router advertisements onto the exchange; the command name varies by IOS release, use whichever of the two the platform accepts
 ipv6 nd suppress-ra
 ipv6 nd ra suppress
 ! no IPv6 multicast routing or MLD router role on the IX port
 no ipv6 mfib forwarding
 no ipv6 mld router
 no ipv6 pim
 no ipv6 redirects
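The three ACL rules above, rendered in IOS syntax and modelled as first-match logic so the ordering can be checked against sample packets. This is an added example, not a configuration from the presentation or from any IXP; the IX subnets are constructed from documentation space and the ACL names are hypothetical.

```python
"""The three IX-port ACL rules rendered in IOS syntax and modelled as first-match logic.

Added example, not a configuration from the presentation or from any IXP. The IX
subnets are constructed from documentation space and the ACL names are hypothetical.
"""
import ipaddress

IX_V4 = ipaddress.ip_network("203.0.113.0/24")      # constructed IX LAN (RFC 5737 space)
IX_V6 = ipaddress.ip_network("2001:db8:ffff::/64")  # constructed IX LAN (RFC 3849 space)


def render_ix_acls(v4, v6):
    """Return (IPv4, IPv6) ACL text: IX->IX permit, anything else->IX deny, then permit any any."""
    wild = str(v4.hostmask)   # IOS extended ACLs take wildcard masks, not prefix lengths
    v4_acl = "\n".join([
        "ip access-list extended IX-IN",
        f" permit ip {v4.network_address} {wild} {v4.network_address} {wild}",
        f" deny ip any {v4.network_address} {wild}",
        " permit ip any any",
    ])
    v6_acl = "\n".join([
        "ipv6 access-list IX6-IN",
        f" permit ipv6 {v6} {v6}",
        f" deny ipv6 any {v6}",
        " permit ipv6 any any",
    ])
    return v4_acl, v6_acl


def acl_decision(src, dst, ix):
    """First-match evaluation of the same three rules for one packet arriving on the IX port."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in ix and d in ix:
        return "permit"   # peer to peer on the exchange LAN: BGP sessions, ARP/ND replies
    if d in ix:
        return "deny"     # outside address aimed at the IX LAN, e.g. a flood against your IX address
    return "permit"       # ordinary transit traffic from peers toward your prefixes


if __name__ == "__main__":
    print("\n".join(render_ix_acls(IX_V4, IX_V6)))
    for src, dst in (("203.0.113.10", "203.0.113.20"), ("198.51.100.7", "203.0.113.20")):
        print(src, "->", dst, acl_decision(src, dst, IX_V4))
```

The permit for IX-to-IX traffic has to come before the deny, otherwise your own BGP sessions are cut off. On IPv6, verify that neighbor discovery sourced from link-local addresses still passes before rolling this out: IOS appends implicit nd-na/nd-ns permits to an IPv6 ACL, but an explicit deny earlier in the list wins.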

Routing Security
Routing security is important in two directions:
- The routes you receive
- The routes you announce
We will start with the routes you receive.

Routing Security
The IXP is responsible for protecting its infrastructure, but only you can prevent route leaks. The IX LAN is not Internet-routed IP space: it should not be advertised by anyone and, least of all, accepted by you.

Routing Security
Take control of the routes you receive:
- Install prefix filters.
- Use AS-path filters to prevent leaks. Not sure which ASNs should never appear behind a peer? Start with the major transit networks.
- Limit each peer to a maximum number of prefixes.

Routing Security
Most networks don't filter their peers. This behavior hurts both the network that doesn't filter and its peers. Every peer should have filters that only allow routes with valid origins and authorized advertisements. You can automate filter generation to make it easier; free tools like bgpq3 can do most of the work for you. When you create a filter, check services like Spamhaus so that you do not accept blocked prefixes.

Routing Security: Why it matters
On 28 December 2018 China Telecom hijacked a US Department of Energy prefix (192.208.19.0/24) and did not correct the problem for 6 days.

Routing Security
The RADB route object covering the hijacked /24:
route:      192.208.18.0/23
descr:      Western Area Power Administration
            Lakewood, CO 80228
origin:     AS36404
notify:     ITNetwork@wapa.gov
notify:     nguyen@wapa.gov
notify:     gdharmon@wapa.gov
mnt-by:     MAINT-AS36404
changed:    nguyen@wapa.gov 20160401  #12:56:20Z
source:     RADB

Routing Security
AS-path filters can help you prevent leaks and other routing issues. In most cases, you should not be accepting routes from your peers that have major ISPs in their paths.

Routing Security
Maximum prefix limits are another tool to help you prevent route leaks into your network. Put them in place. Most of your peers specify their suggested prefix limits on peeringdb.com. If your own prefix limits are not documented on peeringdb.com, today would be a great day to do that.
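The inbound controls described in the last few slides, modelled end to end: a prefix list generated from IRR route objects the way bgpq3 does it, an AS-path filter that rejects paths containing large transit networks, a maximum-prefix limit, and the rule that the IX LAN itself is never accepted. This is an added example, not code from the presentation or from bgpq3. The route objects, peer ASN, IX subnet, prefix limit and neighbor addresses are constructed, and the TRANSIT_FREE set is my own pick of well-known transit-free networks rather than a list from the talk.

```python
"""Inbound policy for one peer: IRR-derived prefix list (the part bgpq3 automates),
AS-path filter, maximum-prefix limit, and never accepting the IX LAN.

Added example; not code from the presentation or from bgpq3. Route objects, peer ASN,
IX subnet, limit and addresses are constructed; TRANSIT_FREE is my own selection."""
import ipaddress
import re

PEER_AS = 64500                                   # constructed peer (private-use ASN)
IX_LAN = ipaddress.ip_network("203.0.113.0/24")   # constructed IX LAN (documentation space)
TRANSIT_FREE = {174, 1299, 2914, 3257, 3356}      # ASNs you should never see behind a peer

# Constructed whois output shaped like `whois -h whois.radb.net -i origin AS64500`.
RADB_OUTPUT = """\
route:      192.0.2.0/24
descr:      Example Peer, block A
origin:     AS64500
source:     RADB

route:      198.51.100.0/24
descr:      Example Peer, block B
origin:     AS64500
source:     RADB

route:      198.51.100.128/25
descr:      stale object registered under a different origin
origin:     AS64499
source:     RADB
"""
# Constructed UPDATEs from the peer: (prefix, AS path as received).
RECEIVED = [
    ("192.0.2.0/24", [64500]),
    ("198.51.100.0/24", [64500]),
    ("198.51.100.128/25", [64500]),           # registered only under AS64499, and longer than /24
    ("203.0.113.0/24", [64500]),              # the exchange LAN itself
    ("172.16.5.0/24", [64500, 3356, 64498]),  # leak: a transit-free network inside the path
    ("192.0.2.0/24", [64501, 64500]),         # path does not start with the peer
]

def _within(net, container):
    return net.version == container.version and net.subnet_of(container)

def parse_route_objects(text):
    """Parse RPSL route objects from whois output into (network, origin ASN) pairs."""
    objs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = dict(re.findall(r"^(\S+):\s*(.*)$", block, re.M))
        if "route" in attrs and "origin" in attrs:
            objs.append((ipaddress.ip_network(attrs["route"]), int(attrs["origin"][2:])))
    return objs

def build_prefix_list(objs, asn, max_len=24):
    """bgpq3-style entries: objects originated by asn, more specifics allowed up to max_len.
    (For a real peer you would expand its AS-SET so its customers are included too.)"""
    entries = [(net, max_len) for net, origin in objs if origin == asn and net.prefixlen <= max_len]
    return sorted(entries, key=lambda e: (int(e[0].network_address), e[0].prefixlen))

def render_prefix_list(entries, name):
    """IOS-style prefix-list lines; anything not listed falls to the implicit deny."""
    return [f"ip prefix-list {name} permit {net}" + ("" if net.prefixlen == le else f" le {le}")
            for net, le in entries]

def render_peer_policy(entries, peer_as, peer_ip, limit):
    """Tie the three controls to the neighbor (hypothetical list names, ASN 64496 and addresses)."""
    regex = "_(" + "|".join(str(a) for a in sorted(TRANSIT_FREE)) + ")_"
    return render_prefix_list(entries, f"AS{peer_as}-IN") + [
        f"ip as-path access-list 10 deny {regex}",
        "ip as-path access-list 10 permit .*",
        "router bgp 64496",
        f" neighbor {peer_ip} remote-as {peer_as}",
        f" neighbor {peer_ip} prefix-list AS{peer_as}-IN in",
        f" neighbor {peer_ip} filter-list 10 in",
        f" neighbor {peer_ip} maximum-prefix {limit}",
    ]

def evaluate_peer(received, entries, peer_as, limit):
    """Apply the policy to (prefix, as_path) pairs in arrival order. Returns per-route
    verdicts and whether accepted routes exceeded the limit (the session would be torn down)."""
    verdicts, accepted = [], 0
    for prefix, path in received:
        net = ipaddress.ip_network(prefix)
        if not path or path[0] != peer_as:
            verdict = "reject: first AS is not the peer"
        elif _within(net, IX_LAN):
            verdict = "reject: IX LAN"
        elif TRANSIT_FREE & set(path):
            verdict = "reject: transit-free ASN in path (leak)"
        elif not any(_within(net, e) and net.prefixlen <= le for e, le in entries):
            verdict = "reject: not in IRR-derived prefix list"
        else:
            accepted += 1
            verdict = "accept"
        verdicts.append((prefix, verdict))
    return verdicts, accepted > limit

if __name__ == "__main__":
    entries = build_prefix_list(parse_route_objects(RADB_OUTPUT), PEER_AS)
    print("\n".join(render_peer_policy(entries, PEER_AS, "203.0.113.50", limit=2)))
    for prefix, verdict in evaluate_peer(RECEIVED, entries, PEER_AS, limit=2)[0]:
        print(f"{prefix:20} {verdict}")
```

Two things to notice: the stale /25 is dropped twice over (its origin is not the peer, and it is longer than the /24 bound), and the maximum-prefix check here counts routes the policy accepted; whether your platform counts before or after inbound policy is worth confirming before you pick a number from peeringdb.com.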

Routing Security
The next task is to secure the routes you announce. Leaks are easy to prevent: create prefix lists or use communities to manage your advertisements. A best practice is to announce only directly learned routes to your peers (your own and your customers' routes, not routes learned from other peers or transit providers). Be sure you are advertising routes with valid IRR records. If you don't know, bgp.he.net is a quick and easy way to check.

Routing Security
Appearances matter. Check your route announcements:
- Do not advertise prefixes more specific than a /24.
- Do not advertise bogons.
- Do not leak your private (RFC 1918) IP space.
- Advertise all of the IP space you are allocated, even if you currently do not use it.
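A pre-announcement audit that applies the checks from this slide and the previous one to a candidate export set: nothing more specific than a /24, no bogons or RFC 1918 space, everything inside your allocations, and every allocation fully covered. This is an added example, not code from the presentation. The allocations and candidate announcements are constructed from documentation space, the /48 bound for IPv6 is my assumption (the talk only states /24 for IPv4), and BOGONS is my own list of the usual private and special-purpose ranges.

```python
"""Audit candidate announcements: prefix length, bogons/RFC 1918, inside our allocations,
and every allocation fully covered.

Added example, not code from the presentation. Allocations and candidates are constructed
from documentation space; the IPv6 /48 bound and the BOGONS list are my assumptions."""
import ipaddress

# RFC 1918 plus the usual special-purpose ranges. The RFC 5737 / RFC 3849 documentation
# blocks are deliberately left out here because this constructed example uses them as
# "our" space; a production list should include them.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
MAX_LEN = {4: 24, 6: 48}   # /24 from the talk; /48 is the conventional IPv6 analogue (assumption)

ALLOCATIONS = [ipaddress.ip_network(n) for n in
               ("192.0.2.0/24", "203.0.113.0/24", "2001:db8:100::/40")]   # constructed
CANDIDATES = [ipaddress.ip_network(n) for n in (                          # constructed export set
    "192.0.2.0/24",        # fine
    "203.0.113.0/25",      # too specific, and it leaves the other half of the /24 unannounced
    "10.20.0.0/16",        # RFC 1918 space leaking out of the IGP
    "198.51.100.0/24",     # not ours
    "2001:db8:100::/48",   # fine on its own, but most of the /40 stays unannounced
)]

def _within(net, container):
    return net.version == container.version and net.subnet_of(container)

def audit_announcements(candidates, allocations):
    """Return [(prefix, [problems])]; an empty problem list means the prefix is clean."""
    report = []
    for ann in candidates:
        problems = []
        if ann.prefixlen > MAX_LEN[ann.version]:
            problems.append(f"longer than /{MAX_LEN[ann.version]}")
        if any(_within(ann, b) for b in BOGONS):
            problems.append("bogon or private space")
        if not any(_within(ann, a) for a in allocations):
            problems.append("not inside our allocations")
        report.append((str(ann), problems))
    return report

def uncovered_space(allocations, candidates):
    """Pieces of each allocation that no candidate announcement covers."""
    gaps = []
    for alloc in allocations:
        leftover = [alloc]
        for ann in candidates:
            if ann.version != alloc.version:
                continue
            carved = []
            for piece in leftover:
                if piece.subnet_of(ann):          # the announcement covers this whole piece
                    continue
                if ann.subnet_of(piece):          # the announcement sits inside the piece
                    carved.extend(piece.address_exclude(ann))
                else:
                    carved.append(piece)
            leftover = carved
        gaps.extend(leftover)
    return gaps

if __name__ == "__main__":
    for prefix, problems in audit_announcements(CANDIDATES, ALLOCATIONS):
        print(f"{prefix:22} {'ok' if not problems else '; '.join(problems)}")
    print("unannounced:", [str(g) for g in uncovered_space(ALLOCATIONS, CANDIDATES)])
```

Run this against the export you are about to enable on a new session; the coverage gaps are the part people forget, and an unannounced piece of your allocation is exactly what a hijacker can claim without anyone noticing a path change.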

Routing Security
Your peering connection is a target for DDoS attacks. Set up your blackhole communities in advance. Applying the best security practices will help keep your network online during attacks.

Routing Security
Validate that your routes are being advertised to your peers as expected. Looking glasses and route servers can give you that visibility. Contact peers when you think there may be an issue. For Hurricane Electric peers, routing.he.net will show you whether your prefixes are being denied.

In the Wild

http://routing.he.net

Routing Security
susan$ whois -h whois.radb.net 66.235.200.0/24
route:      66.235.200.0/24
descr:      CMI  (Customer Route)
origin:     AS38082
mnt-by:     MAINT-AS58453
changed:    qas_support@cmi.chinamobile.com 20180906
source:     RADB

descr:      CMI IP Transit
admin-c:    MAINT-CMI-INT-HK
tech-c:     MAINT-CMI-INT-HK
mnt-by:     MAINT-CMI-INT-HK
source:     NTTCOM

Hurricane Electric Route Filtering Algorithm
Read more here: http://routing.he.net/algorithm.html
Example:
xx.7.224.0/24,rejected,does not strictly match IRR policy or RIR handles
xx.10.254.0/23,accepted,strictly matched IRR policy
xx.17.248.0/24,accepted,strictly matched IRR policy
xx.26.36.0/22,rejected,does not strictly match IRR policy or RIR handles
xx.26.39.0/24,rejected,does not strictly match IRR policy or RIR handles
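A small parser for per-prefix verdicts in the prefix,verdict,reason shape shown above, which turns a long list into the work items that matter: which prefixes were rejected, and whether each rejected prefix is a more-specific of something that was accepted (typically a missing route object for the more-specific, or an announcement that should not be there) or has no accepted cover at all (typically an IRR or RIR handle problem for the block itself). This is an added example, not code from the presentation or from routing.he.net; the sample lines are constructed from documentation space rather than the xx.-masked ones on the slide, and the triage rule is my own heuristic, not part of Hurricane Electric's algorithm.

```python
"""Parse prefix,verdict,reason lines and triage the rejected prefixes.

Added example, not code from the presentation or from routing.he.net. The sample lines
are constructed; the triage rule is my own heuristic, not part of HE's algorithm."""
import csv
import ipaddress
from collections import Counter
from io import StringIO

SAMPLE = """\
192.0.2.0/24,accepted,strictly matched IRR policy
198.51.100.0/23,accepted,strictly matched IRR policy
198.51.100.128/25,rejected,does not strictly match IRR policy or RIR handles
203.0.113.0/24,rejected,does not strictly match IRR policy or RIR handles
"""

def parse_verdicts(text):
    """Return a list of {'prefix', 'verdict', 'reason'} dicts, skipping blank or short lines."""
    rows = []
    for row in csv.reader(StringIO(text)):
        if len(row) < 3:
            continue
        prefix, verdict, reason = (field.strip() for field in row[:3])
        rows.append({"prefix": prefix, "verdict": verdict, "reason": reason})
    return rows

def summarize(rows):
    """Counts per verdict plus the prefixes that need attention, in file order."""
    counts = Counter(r["verdict"] for r in rows)
    needs_fix = [r["prefix"] for r in rows if r["verdict"] != "accepted"]
    return counts, needs_fix

def triage(rows):
    """Classify each rejected prefix by whether an accepted prefix covers it (heuristic)."""
    accepted = [ipaddress.ip_network(r["prefix"]) for r in rows if r["verdict"] == "accepted"]
    result = {}
    for r in rows:
        if r["verdict"] == "accepted":
            continue
        net = ipaddress.ip_network(r["prefix"])
        covered = any(a.version == net.version and net.subnet_of(a) for a in accepted)
        result[r["prefix"]] = ("more-specific of an accepted prefix" if covered
                               else "no accepted covering prefix")
    return result

if __name__ == "__main__":
    rows = parse_verdicts(SAMPLE)
    counts, needs_fix = summarize(rows)
    print(dict(counts))
    for prefix, category in triage(rows).items():
        print(f"{prefix:20} {category}")
```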

Routing Security
Only you can ensure that route registries correctly reflect your network. Please check your IRR records and correct anything that is not valid. If you peer with Hurricane Electric, check your routing here: http://routing.he.net/

Best Practices
External monitors can help you detect leaks or hijacks. They watch how your prefixes are routed and let you know if paths change in a way you were not expecting. An example of a free one is bgpmon.net: you can get monitoring and notification of errors for up to five prefixes per month free.

Basics - Routing Security

Best Practices
Other good security habits that your network can adopt are found in MANRS:
- Coordination
- Global validation, in terms of IRR records and RPKI
- Anti-spoofing
Get it from the source: https://www.manrs.org

Best Practices Lastly, protect what you have worked so hard to achieve. Put processes in place to ensure that all of your deployments are secure. Guard against social engineering.

Thanks!
Susan Forney, Hurricane Electric AS6939, susan@he.net

Resources and Acknowledgements
Links to resources used in this presentation or as source material:
https://www.seattleix.net/faq
https://blogs.cisco.com/security/router_spring_cleaning_-_no_mop_required
https://twitter.com/bgpstream/status/1078584924364595202?lang=en
https://bgp.he.net
https://github.com/snar/bgpq3
https://bgpmon.net/
https://www.manrs.org
DYN
Thanks to Tom Paseka of Cloudflare.