Border Gateway Protocol Vasant Reddy. Contents Introduction Operation BGP Types BGP Header Message & Attributes BGP Route Processing Security Issues Vulnerabilities.


Border Gateway Protocol Vasant Reddy

Contents
- Introduction
- Operation
- BGP Types
- BGP Header, Messages & Attributes
- BGP Route Processing
- Security Issues
- Vulnerabilities
- Security Solution

Some Terminology
- Autonomous System (a.k.a. Administrative Domain): a set of networks that share common routing policies. Ex: UNT, AT&T
- Interior Gateway Protocols: routing protocols used within an Autonomous System. Ex: RIP, OSPF
- Exterior Gateway Protocols: routing protocols used between Autonomous Systems. Ex: BGP

Introduction
- Border Gateway Protocol: the "exterior" gateway protocol for IP address families.
- BGP uses a TCP connection to exchange information between peers.
- Policy based
- Incremental updates

BGP v4 (RFC 1771)
- The only inter-domain routing protocol currently in use.
- All previous versions of BGP are obsolete and not in use today.
- Uses a path vector (PV) protocol.
- Employs CIDR (Classless Inter-Domain Routing).

BGP vs IGP
[Diagram: routers in two neighboring ASs, one running OSPF and one running RIP internally, joined by a BGP peering between their border routers]
- Neither AS needs to know or care about the IGP used by the neighboring AS.
- BGP propagates routes between them.

BGP Operation
- Runs over a reliable transport protocol (TCP).
- Uses TCP port 179 to establish connections.
- A BGP speaker is a router running the BGP protocol; speakers communicate across TCP and become peers (neighbors).
- External links: connections between BGP speakers in different ASs.
- Internal links: connections between BGP speakers in the same AS.
- Connection collisions are resolved if two BGP peers simultaneously try to open a connection.

BGP Session Establishment
[Sequence diagram, reconstructed from its labels; each step is written as initiating speaker -> responding speaker]
- Connect.req: SYN to port 179 -> Connect.ind
- Connect.resp: SYN+ACK -> Connect.conf
- ACK(179): TCP session established on both sides
- DATA.req(OPEN): DATA(BGP OPEN) sent in each direction, each followed by an ACK
- BGP session established

Origin of "Routes" for BGP
- Learned from other BGP routers
  - The BGP router only propagates the received routes.
- Static configuration
  - The BGP router is configured to advertise some prefixes.
  - Drawback: requires manual configuration.
  - Advantage: stable set of advertised prefixes.
- Learned from an Interior Gateway Protocol
  - Prefixes received from the IGP are advertised by the BGP router, usually as an aggregate.
  - Advantage: BGP advertisements follow network state; a prefix is automatically withdrawn by BGP when it is no longer reachable via the IGP.

eBGP and iBGP
- eBGP: BGP running between two different ASs.
- iBGP: BGP running within the same AS.
  - An AS has multiple BGP speakers.
  - Distributes routing information among the AS's BGP routers.
  - Minor but important differences from eBGP.

BGP Header
[Field layout: Marker | Length | Type | Data (variable)]
- Marker: contains an authentication value that the message receiver can predict.
- Length: indicates the total length of the message in bytes.
- Type: specifies the message type as one of Open, Update, Notification, Keepalive.
- Data: contains upper-layer information in this optional field.

BGP Message Types
- Open
- Update
- Notification
- Keepalive
The TCP connection stays established throughout the BGP session.

Open Messages
- Establish a peering session.
- The first message sent after the TCP connection is established.
- Each peer identifies itself to the other.
- Negotiate protocol version and parameters.
- Security (optional).

Open Message Format
- Version (1 octet)
- My Autonomous System (2 octets)
- Hold Time (2 octets)
- BGP Identifier (4 octets)
- Optional Parameter Length (1 octet)
- Optional Parameters (variable length)
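The header and OPEN layouts above are straightforward to parse, but a receiver that trusts the length and parameter fields without checking them is exactly what the denial-of-service notes later in this deck are about. The following is an added example, not code from the slides: it builds and parses a BGP header and an OPEN body with the field sizes listed above (the 16-byte marker, 2-byte length and 1-byte type are the standard header sizes), rejecting malformed input before touching the body. All sample bytes are constructed; the one-third keepalive interval is an assumed convention.

```python
import socket
import struct

MARKER = b"\xff" * 16  # all-ones marker: no marker-based authentication in use
HEADER_LEN = 19
MAX_MSG_LEN = 4096
MSG_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}


def build_message(msg_type: int, body: bytes = b"") -> bytes:
    """Wrap a body in a BGP header: marker, total length, type."""
    return struct.pack("!16sHB", MARKER, HEADER_LEN + len(body), msg_type) + body


def parse_header(data: bytes) -> dict:
    """Validate the fixed header before trusting anything in the body.
    Each check rejects a class of malformed packet instead of letting it
    reach the body parser."""
    if len(data) < HEADER_LEN:
        raise ValueError("short header")
    marker, length, msg_type = struct.unpack("!16sHB", data[:HEADER_LEN])
    if marker != MARKER:
        raise ValueError("bad marker")
    if not HEADER_LEN <= length <= MAX_MSG_LEN:
        raise ValueError(f"bad length {length}")
    if msg_type not in MSG_TYPES:
        raise ValueError(f"unknown type {msg_type}")
    if len(data) < length:
        raise ValueError("truncated message")
    return {"type": MSG_TYPES[msg_type], "length": length, "body": data[HEADER_LEN:length]}


def build_open(my_as: int, hold_time: int, bgp_id: str, params: bytes = b"") -> bytes:
    """Build an OPEN body: version 4, my AS, hold time, identifier, optional params."""
    ident = struct.unpack("!I", socket.inet_aton(bgp_id))[0]
    return struct.pack("!BHHIB", 4, my_as, hold_time, ident, len(params)) + params


def parse_open(body: bytes) -> dict:
    """Parse the OPEN body and return the values the peer proposed."""
    if len(body) < 10:
        raise ValueError("short OPEN")
    version, my_as, hold_time, ident, opt_len = struct.unpack("!BHHIB", body[:10])
    if version != 4:
        raise ValueError(f"unsupported version {version}")
    if hold_time in (1, 2):  # hold time must be 0 (disabled) or at least 3 seconds
        raise ValueError(f"hold time {hold_time} too small")
    if len(body) != 10 + opt_len:
        raise ValueError("optional parameter length mismatch")
    params = []
    pos = 10
    while pos < len(body):  # each parameter is type, length, value
        if pos + 2 > len(body):
            raise ValueError("truncated optional parameter")
        ptype, plen = body[pos], body[pos + 1]
        pos += 2
        if pos + plen > len(body):
            raise ValueError("optional parameter overruns message")
        params.append((ptype, body[pos:pos + plen]))
        pos += plen
    return {
        "version": version,
        "my_as": my_as,
        "hold_time": hold_time,
        # the Keepalive slide ties the send rate to the hold timer; one third is assumed here
        "keepalive_interval": hold_time // 3,
        "bgp_id": socket.inet_ntoa(struct.pack("!I", ident)),
        "params": params,
    }


if __name__ == "__main__":
    msg = build_message(1, build_open(64512, 90, "192.0.2.1"))  # constructed OPEN
    hdr = parse_header(msg)
    print(hdr["type"], hdr["length"], parse_open(hdr["body"]))
```

Run it directly to see a constructed OPEN round-trip; feeding `parse_header` a message whose length field is smaller than 19 or larger than the buffer raises `ValueError` rather than slicing past the data.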

Update Message
- The primary message used in BGP.
- Advertises (announces) a prefix to BGP neighbors, or withdraws a previously advertised prefix.
- Multiple prefixes can be carried in a single Update.

Notification Message
- Used when an error happens.
- The TCP connection is closed immediately after the notification is sent.
- Indicates to the remote system why BGP was terminated.

Keepalive Message
- Confirms the connection is still active.
- The sending rate depends on the hold timer negotiated in the Open message and on the frequency of Update messages.
- A common header with no other data.

BGP Attributes
- AS-path attribute
- Origin attribute
- BGP Nexthop attribute
- Weight attribute
- Local preference attribute
- Metric attribute

AS-Path Attribute
- A list of the AS numbers a route has traversed in order to reach a destination.
- Whenever a route update passes through a new AS, that AS number is prepended.
- AS numbers are listed in order.
- If the receiving router's own AS number already appears in the update, the route is dropped.

Origin Attribute
- Mandatory attribute.
- Defines the origin of the path information.
- Three typical values:
  - "i": IGP, interior to the originating AS
  - "e": EGP, learnt via an exterior gateway protocol
  - "?": incomplete, unknown or learnt via other means

Nexthop Attribute
- The next hop IP address used to reach the destination.
- For eBGP, always the directly connected neighbor's interface.
- For iBGP, the next hop advertised by eBGP should be carried through unchanged into iBGP.

Weight Attribute
- Cisco implementation.
- Assigned locally to tell a router which exit path to choose as best.
- Does not propagate in routing updates.
- Higher weight is preferred.
- Default is 0.

Local Preference Attribute
- Indicates which route is preferred.
- Exchanged among routers in the same AS through updates.
- Higher value is preferred.
- Default value is 100.

Metric Attribute
- Also called Multi_Exit_Discriminator (MED).
- Exchanged between ASs, but not carried through to further ASs.
- Lower value is preferred.
- Default value is 0.
- Unless configured otherwise, a router only compares metrics for paths from the same neighboring AS.

BGP Policies
- BGP provides the capability to enforce various policies.
- Policies are not part of BGP: they are provided to BGP as configuration information.
- BGP enforces policies by choosing paths from multiple alternatives and by controlling advertisement to other ASs.

Best Path Selection
Decision process, in order:
- Highest local preference
- Shortest AS path
- eBGP over iBGP
- Lowest IGP metric
- Lowest router id
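The AS-path loop check and the decision process above are easiest to see as one small routine: drop any update that already carries our AS, then rank the survivors on the attributes in the order the slide lists them. This is an added example, not code from the slides or from any router vendor; the `Route` dataclass, the candidate routes, AS numbers and router ids are all constructed, and the ordered tuple key is the assumed way of applying the decision steps. It also shows the prepend-on-export step from the AS-Path slide.

```python
from dataclasses import dataclass, replace


@dataclass
class Route:
    """One candidate path for a prefix with the attributes the slides describe.
    as_path is in wire order: most recently prepended AS first, origin AS last."""
    prefix: str
    as_path: list
    next_hop: str
    local_pref: int = 100
    learned_via: str = "ebgp"   # "ebgp" or "ibgp"
    igp_metric: int = 0
    router_id: str = "0.0.0.0"  # identifier of the neighbor that sent the route


def accept_update(route: Route, local_as: int):
    """AS-path loop check on receipt: a path that already contains our own AS
    is dropped, which is what keeps an update from circulating forever."""
    if local_as in route.as_path:
        return None
    return route


def export_to_ebgp(route: Route, local_as: int, my_interface: str) -> Route:
    """When propagating to an eBGP neighbor, prepend our AS and set the next
    hop to our own directly connected interface."""
    return replace(route, as_path=[local_as] + route.as_path, next_hop=my_interface)


def _router_id_key(rid: str):
    # compare dotted-quad router ids numerically, octet by octet
    return tuple(int(octet) for octet in rid.split("."))


def select_best(routes):
    """Decision process from the slide: highest local pref, shortest AS path,
    eBGP over iBGP, lowest IGP metric, lowest router id. Tuple comparison
    stops at the first attribute that differs, so the order is preserved."""
    def key(r: Route):
        return (-r.local_pref, len(r.as_path), 0 if r.learned_via == "ebgp" else 1,
                r.igp_metric, _router_id_key(r.router_id))
    return min(routes, key=key)


# Constructed candidates for one prefix as seen by a router in AS 64512.
CANDIDATES = [
    Route("203.0.113.0/24", [65001, 65002], "198.51.100.1",
          local_pref=100, router_id="10.0.0.1"),
    Route("203.0.113.0/24", [65003, 65004, 65005], "198.51.100.2",
          local_pref=200, learned_via="ibgp", router_id="10.0.0.2"),
    Route("203.0.113.0/24", [65006, 65007], "198.51.100.3",
          local_pref=200, learned_via="ibgp", igp_metric=20, router_id="10.0.0.3"),
    # loops back through our own AS: highest local pref, but must be dropped
    Route("203.0.113.0/24", [65008, 64512, 65009], "198.51.100.4",
          local_pref=300, router_id="10.0.0.4"),
]


def best_for(local_as: int, candidates=CANDIDATES) -> Route:
    """Run the loop check, then the decision process; returns the single best route."""
    usable = [r for r in candidates if accept_update(r, local_as) is not None]
    return select_best(usable)


if __name__ == "__main__":
    best = best_for(64512)
    print("best:", best.as_path, "from", best.router_id)
    print("exported:", export_to_ebgp(best, 64512, "192.0.2.1").as_path)
```

With these candidates the route with local preference 300 is discarded by the loop check despite being the most preferred, and of the two remaining routes with local preference 200 the one with the shorter AS path wins before IGP metric or router id are ever compared.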

BGP Router Model
[Diagram: routes received from neighbors -> Import policy -> Decision process -> Export policy -> routes advertised to neighbors]
- Receive routes for prefixes from multiple neighbors.
- Import policy: filter out unwanted routes, and manipulate the attributes of the remaining routes.
- Decision process: decide exactly ONE best path.
- Export policy: manipulate attributes of the best route to influence a neighbor's choice, or decide whether to advertise the route to neighbors at all.

BGP Security Issues
- The BGP architecture makes it highly vulnerable to human errors and to malicious attacks against:
  - Links between routers
  - The routers themselves
  - Management stations that control routers
- Most router implementations of BGP are susceptible to various DoS attacks that can crash the router or severely degrade performance.
- Many ISPs rely on local policy filters to protect them against configuration errors and some forms of attack, but creating and maintaining these filters is difficult, time consuming, and error prone.

Vulnerability Note VU#
- Overview: Multiple implementations of the Border Gateway Protocol (BGP) contain vulnerabilities related to the processing of UPDATE and OPEN messages. The impact of these vulnerabilities appears to be limited to denial of service.
- Impact: A remote attacker can cause a denial of service in a vulnerable system. In most cases, the attacker would need to act as a valid BGP peer. BGP session instability can result in "flapping" and other routing traffic that may adversely affect Internet traffic.
- Solution:
  - Apply the patch given by the vendor
  - Restrict BGP access using ACLs
  - Authenticate BGP messages (use MD5, IPsec)

Vulnerability Note VU#
- Overview: A Cisco device running IOS that is enabled for BGP is vulnerable to a denial-of-service attack via a malformed BGP packet. The specific nature of the crafted packets exploiting this vulnerability is not known. IOS is vulnerable only if the device is set up with the bgp log-neighbor-changes command.
- Impact: By sending a specially crafted BGP packet to an affected device, a remote attacker could cause the device to reload, resulting in a DoS.
- Solution: Apply the patch given by the vendor.
- Systems Affected: Cisco Systems, Inc.

Vulnerability Note VU#
- Overview: There is a problem involving BGP updates on Cisco routers with BGP4 and prefix filtering and inbound route maps enabled. A route update with an unrecognized transitive attribute may cause vulnerable routers to crash.
- Impact: Attackers that are able to send malformed BGP updates can cause vulnerable routers to crash, causing network outages. Under certain circumstances the attacker may be able to use the BGP infrastructure to propagate the bad route update to multiple routers.
- Solution: Apply the patch from the vendor.
- Systems Affected: Cisco Systems, Inc.

Basic BGP Security Requirement
- For every UPDATE it receives, a BGP router should be able to verify that the "owner" of each prefix authorized the first (origin) AS to advertise the prefix, and that each subsequent AS in the path has been authorized by the preceding AS to advertise a route to the prefix.
- This requirement, if achieved, allows a BGP router to detect and reject unauthorized routes, irrespective of what sort of attack resulted in the bad routes.
- Conversely, if a security approach fails to achieve this requirement, a BGP router will be vulnerable to attacks that result in misrouting of traffic in some fashion.

Security Solution Requirements
- Security architectures for BGP should not rely on "trust" among ISPs or subscribers.
  - On a global scale, some ISPs will never be trusted.
  - Transitive trust in people or organizations causes mistakes to propagate.
- Security solutions must exhibit the same dynamics as the aspects of BGP they protect.
- Both implementation and architectural security concerns must be addressed.

Secure BGP (S-BGP)
- S-BGP is an architectural solution to the BGP security problems described earlier.
- S-BGP is an extension of BGP:
  - It uses a standard BGP facility to carry additional data about paths in UPDATE messages.
  - It adds an additional set of checks to the BGP route selection algorithm.
- S-BGP avoids the pitfalls of transitive trust that are common in today's routing infrastructure.

How does S-BGP do it?
- S-BGP makes use of:
  - IPsec to secure point-to-point communication of BGP control traffic.
  - A Public Key Infrastructure to provide an authorization framework representing address space and AS "ownership".
  - Attestations (digitally signed data) to bind authorization information to UPDATE messages.
- S-BGP requires routers to:
  - Generate an attestation when generating an UPDATE for another S-BGP router.
  - Validate the attestations associated with each UPDATE received from another S-BGP router.
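The Basic BGP Security Requirement slide and the S-BGP slide above describe the same check from two sides: the prefix owner must have authorized the origin AS, and each AS in the path must have authorized its successor, with attestations carrying that authorization in the UPDATE. The following is an added example, not S-BGP's actual encoding or any project's code: it builds an address attestation and a chain of route attestations for a constructed path and validates an UPDATE against them. HMAC-SHA256 with constructed per-party secret keys stands in for the PKI certificates and public-key signatures S-BGP really uses, so that the example runs with the standard library; the structure of the check, not the signature algorithm, is the point.

```python
import hashlib
import hmac
import json

# Constructed keys: one for the owner of the address block, one per AS.
# In S-BGP these would be private keys certified through the PKI.
KEYS = {
    "owner:203.0.113.0/24": b"constructed-owner-key",
    "AS:65001": b"constructed-key-65001",
    "AS:65002": b"constructed-key-65002",
    "AS:65003": b"constructed-key-65003",
}


def _sign(signer: str, payload: dict) -> bytes:
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(KEYS[signer], msg, hashlib.sha256).digest()


def _verify(signer: str, payload: dict, sig: bytes) -> bool:
    return signer in KEYS and hmac.compare_digest(_sign(signer, payload), sig)


def address_attestation(prefix: str, origin_as: int):
    """The owner of prefix authorizes origin_as to originate it."""
    payload = {"prefix": prefix, "origin_as": origin_as}
    return payload, _sign(f"owner:{prefix}", payload)


def route_attestation(prefix: str, path: list, signer_as: int, to_as: int):
    """signer_as, holding a route via path (wire order, origin AS last),
    authorizes to_as to advertise that route onward."""
    payload = {"prefix": prefix, "path": list(path), "signer": signer_as, "to": to_as}
    return payload, _sign(f"AS:{signer_as}", payload)


def validate_update(prefix, as_path, addr_att, route_atts, local_as):
    """Check the Basic BGP Security Requirement for one received UPDATE.
    Returns (accepted, reason). route_atts[i] must be signed by as_path[i]
    and name the AS it handed the route to; as_path[0] must have named us."""
    if not as_path:
        return False, "empty AS path"
    origin_as = as_path[-1]
    payload, sig = addr_att
    if payload != {"prefix": prefix, "origin_as": origin_as} or \
            not _verify(f"owner:{prefix}", payload, sig):
        return False, f"owner of {prefix} did not authorize origin AS {origin_as}"
    if len(route_atts) != len(as_path):
        return False, "route attestation count does not match AS path length"
    for i, signer in enumerate(as_path):
        receiver = local_as if i == 0 else as_path[i - 1]
        expected = {"prefix": prefix, "path": as_path[i:], "signer": signer, "to": receiver}
        payload, sig = route_atts[i]
        if payload != expected or not _verify(f"AS:{signer}", payload, sig):
            return False, f"AS {signer} did not authorize AS {receiver} to advertise the route"
    return True, "accepted"


PREFIX = "203.0.113.0/24"


def legitimate_update():
    """Constructed: 65001 originates PREFIX, hands it to 65002, which hands it to us (AS 65003)."""
    as_path = [65002, 65001]
    atts = [route_attestation(PREFIX, [65002, 65001], 65002, 65003),
            route_attestation(PREFIX, [65001], 65001, 65002)]
    return PREFIX, as_path, address_attestation(PREFIX, 65001), atts


def misoriginated_update():
    """Constructed: 65002 claims to originate PREFIX, reusing the owner's attestation for 65001."""
    atts = [route_attestation(PREFIX, [65002], 65002, 65003)]
    return PREFIX, [65002], address_attestation(PREFIX, 65001), atts


def tampered_path_update():
    """Constructed: an AS inserted into the path that no preceding AS authorized."""
    prefix, _, addr, atts = legitimate_update()
    return prefix, [65002, 65009, 65001], addr, atts


if __name__ == "__main__":
    for make in (legitimate_update, misoriginated_update, tampered_path_update):
        print(make.__name__, validate_update(*make(), 65003))
```

The two rejected cases correspond to the two halves of the requirement: an origin the owner never authorized, and a path hop no predecessor signed for. Because each attestation covers the path as it stood when it was signed, an AS cannot be spliced into or out of the path without breaking a signature.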

QUESTIONS?

Questions
- What is the difference between IGP and EGP?
- When is iBGP needed?
- How does BGP implement policies?
- Why is BGP vulnerable?
- How does S-BGP overcome the security problems of BGP?

References ws.edu.isoc.org/data/2000/ d0fb5/bgp.ppt doc/bgp.html

THANK YOU!