SECURING BGP Matthew Nickasch University of Wisconsin-Platteville Dept. of Computer Science & Software Engineering.


BGP – Quick Overview
• External Routing Protocol
  ▫ Interior vs. Exterior Gateway Protocols
  ▫ The Autonomous System (AS)
  ▫ Routing between ISPs
• BGP - Only EGP in use

Functions of BGP
• Shortest path not priority
• Routing policy
• Removal of routing loops
• Broken link removal
• Determine which IPs “go where”
  ▫ Responsibility of address blocks

Basic Operation of BGP
• Connections between border routers peer with neighboring ASes
• TCP port 179
• Manual session creation
  ▫ Complete copies of routing table sent to neighbors
  ▫ Evaluate received routes
  ▫ Better route through neighbor? UPDATE
  ▫ Only update when routes change

Intra/Inter AS Routing
[Diagram: AS 100, AS 200, AS 300, AS 400 and AS 500 connected under peering rules; detail of AS 500 with the labels LAN_COR, BOR_1 and BOR_2]

Routing Policy
• When to send routes?
• Where to send routes?
• Peering Responsibility
  ▫ Accept routes from known peers
  ▫ Don’t accept routes from non-peers
  ▫ Route efficiency hampered by political boundaries
  ▫ Route preference configuration
• ACL (Access Control Lists)
• Error Checking

An ISP’s Use of BGP
• Importance of filtering
• Address block size
  ▫ Prefix “overload” (small networks/subnets)
  ▫ Delegate BGP handling to ISP
• Utilization of peering paths

BGP Looking Glass Demo
• Looking Glass
  ▫ route-views.ab.bb.telus.com
• ARIN AS Whois Lookup
• Prefix / AS Query

Security Considerations
• BGP – Single Point of Failure?
  ▫ Only EGP in use
  ▫ Comparison with IGPs
    ▪ OSPF, RIP, IS-IS, etc.
  ▫ EGP standardization difficult
    ▪ “Big” router vendors
    ▪ Early Cisco stronghold
    ▪ Now Juniper, Nortel, etc.
    ▪ Different vendors want different implementations

Security Considerations
• A “trusting protocol”
  ▫ Very little error checking
    ▪ Route verification requires route lookups
    ▪ 30,000 + ASes! * 120,000 unique routes! = TIME
    ▪ Garbage in, garbage out
• Physical Infrastructure
  ▫ 9/11 “Meet Me Facilities”
  ▫ Peering Points
  ▫ Physical router compromise

Security Considerations
• Human error
  ▫ Human error to human intent (exploit errors)
• Remote router compromise
  ▫ IOS vulnerabilities, etc.
• Social Engineering vulnerabilities
• BGP traffic sniffing
  ▫ Message injection / modification
  ▫ Man-in-the-middle

Security – Assembling the Risk
• SPOF
• Trusting protocol + lack of error checking
• Physical Infrastructure
• Human Error
• Router security flaws
• Social Engineering
• Unencrypted message transport
• DoS / MIM / TCP-style attacks
• Supporting entire Internet routing structure

YouTube Route Hijacking
• Prime example of human ‘error’
  ▫ Illustrates violation of route trust
  ▫ Easily replicated by attacker
  ▫ Proves that attack vectors are in-place
    ▪ Compromised router could cause similar results
    ▪ Relatively simple attack, “invalid route announcement”
    ▪ Potential large worldwide attack against many ASes

YouTube Route Hijacking
• YT always announces /22
• Pakistani Telecom announces /24
• Routes propagate to bordering ASes
  ▫ Traffic destined for network directed to PT
• YT announces /24
• Duplicate announcement entry (shortest path)
• YT announces /25
  ▫ Longest-prefix-match-rule
    ▪ Most specific route
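The sequence on this slide can be replayed against a small routing table to see why the /24 reply only helped some networks while the /25 helped all of them. This is an added example, not part of the original presentation; the prefixes are constructed in private address space, the observer AS paths are hypothetical, and only the prefix lengths and the two AS numbers come from the slides.

```python
import ipaddress

YT, PT = 36561, 17557  # AS numbers from the slides

def best_route(rib, dst):
    """Route used to forward dst: the most specific covering prefix wins;
    the AS-path length only breaks ties between equally specific routes."""
    addr = ipaddress.ip_address(dst)
    covering = [r for r in rib if addr in r["prefix"]]
    if not covering:
        return None
    return min(covering, key=lambda r: (-r["prefix"].prefixlen, len(r["path"])))

def replay(yt_path, pt_path, dst="10.20.153.10"):
    """Feed the four announcements to one observer's table and return the
    origin AS that traffic for dst is sent towards after each of them."""
    # Constructed prefixes in private space; only the lengths are from the slides.
    steps = [
        ("YT /22", "10.20.152.0/22", yt_path),
        ("PT /24", "10.20.153.0/24", pt_path),
        ("YT /24", "10.20.153.0/24", yt_path),
        ("YT /25", "10.20.153.0/25", yt_path),
    ]
    rib, result = [], []
    for label, prefix, path in steps:
        rib.append({"prefix": ipaddress.ip_network(prefix), "path": path})
        result.append((label, best_route(rib, dst)["path"][-1]))
    return result

# Two hypothetical observers (AS numbers from the documentation range):
# one is fewer AS hops from YouTube, the other fewer hops from PT.
NEAR_YT = replay([64500, YT], [64501, 64502, PT])
NEAR_PT = replay([64500, 64503, YT], [64501, PT])

if __name__ == "__main__":
    for name, run in (("near YT", NEAR_YT), ("near PT", NEAR_PT)):
        print(name, run)
```

For the observer closer to PT, the matching /24 loses the shortest-path tie-break and traffic keeps flowing to AS 17557 until the /25 arrives.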

YouTube (AS 36561) Pre-Hijack

Pakistani Tel (AS 17557) Hijack

Detecting Invalid/False Routes
• Response
  ▫ “Firefighter” mentality to BGP problems
  ▫ Symptom-based response too late
  ▫ Cooperation between ASes?
  ▫ Governing ‘body’ for BGP disputes

YouTube – What We’ve Learned
• ISP Routing Policy
• “Routing Registry” – RIPE
• Certificate-based approvals
• BGP not substitute for ACLs!
• Exploitation of protocol “trust”
• Rapid replication
• Extreme vulnerability

Protocol Security
• MD5 & other encryption
  ▫ Hard to standardize between all ASes
  ▫ Vendor agreement issues
• “Reinventing” the protocol
  ▫ Secure BGP
  ▫ PGBGP
  ▫ Revisions to existing BGP

Secure BGP (SBGP)
• Public key infrastructure (PKI)
  ▫ Authentication/ownership of IP address space
  ▫ AS identity verification
  ▫ Encrypting BGP Update messages
• Implementation
  ▫ Vendor support must be unanimous
  ▫ All ASes must agree to adopt SBGP, or any other protocol-level change

Secure BGP (SBGP)
• Doesn’t prevent human error
  ▫ “Encrypting garbage”
• Origins
  ▫ NSA/DoD initial support (1997)
  ▫ DARPA
• Next Steps
  ▫ PKI infrastructure, CA
  ▫ Oversight organization for PKI? Hosting?

Pretty Good BGP (PGBGP)
• Cautiously accepting/updating routes
  ▫ Suspicious updaters
  ▫ Quarantine routes
  ▫ Time-delay updates
• Implementation – Adapt PGBGP logic?
  ▫ Vendor support could vary – depends on route-accepting algorithms
  ▫ Introduce PGBGP logic into existing BGP environment.
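The quarantine and time-delay idea on this slide can be sketched as a small update filter. This is an added example, not the PGBGP authors' code or part of the original presentation: the class name, the 24-hour hold, and the rule that only a new origin inside already-known address space is suspicious are assumptions of this simplified sketch, and the prefixes are constructed.

```python
import ipaddress

HOLD = 24 * 3600  # assumed quarantine period, in seconds

class CautiousFilter:
    """Simplified PGBGP-style update logic: known (prefix, origin) pairs pass,
    a new origin inside known address space is held back for HOLD seconds."""

    def __init__(self, history):
        # history: {prefix: origin AS} observed during normal operation
        self.known = {}
        for prefix, origin in history.items():
            self.known.setdefault(ipaddress.ip_network(prefix), set()).add(origin)
        self.held = {}  # (prefix, origin) -> time the quarantine ends

    def update(self, now, prefix, origin):
        net = ipaddress.ip_network(prefix)
        owners = set()
        for known_net, origins in self.known.items():
            if net.subnet_of(known_net):      # same prefix or a more specific
                owners |= origins
        if not owners or origin in owners:
            self.held.pop((net, origin), None)
            self.known.setdefault(net, set()).add(origin)
            return "accept"
        release = self.held.setdefault((net, origin), now + HOLD)
        if now < release:
            return "quarantine"               # keep using the older route
        del self.held[(net, origin)]
        self.known.setdefault(net, set()).add(origin)
        return "accept"

    def withdraw(self, prefix, origin):
        # A suspicious route withdrawn while held never reaches the table.
        self.held.pop((ipaddress.ip_network(prefix), origin), None)

def demo():
    # Constructed prefixes; AS 36561 and AS 17557 are the ASes on the slides.
    f = CautiousFilter({"10.20.152.0/22": 36561, "10.30.0.0/16": 64500})
    hour = 3600
    return [
        f.update(0, "10.20.153.0/24", 17557),         # new origin, sub-prefix
        f.update(2 * hour, "10.20.153.0/25", 36561),  # owner's more specific
        f.update(3 * hour, "10.30.0.0/16", 64510),    # new origin appears
        f.update(28 * hour, "10.30.0.0/16", 64510),   # still there after HOLD
    ]
```

The hold costs a legitimate origin change a day of delay, which is the slower route replication the later Layered Solution slide mentions.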

Layered Security Analysis
• PHYSICAL SECURITY
• SOCIAL ENGINEERING
• HUMAN ERROR
• INADEQUATE CORP / ORG / ISP POLICY
• AVAILABLE “TCP-STYLE” VECTORS
• SOURCE / SENDER AUTHENTICATION
• BGP PROTOCOL WEAKNESSES
• SINGLE POINT OF FAILURE (INTERNET)

Layered Solution
• Protocol level
  ▫ SBGP (PKI) + PGBGP (update logic) = a more secure solution
  ▫ Limits peer trust, introduces authentication and encryption
  ▫ AS identity verification
  ▫ Slower route change replication throughout the Internet
  ▫ Not the end-all solution!

Layered Solution
• Implement stringent ISP routing policy
• Implement SBGP + PGBGP logic into existing protocol
  ▫ Attain vendor agreement on implementation
• Reduce human error
• Enforce proper-use of BGP (ACL example)
• Router security / minimize vectors
• Physical security, etc.

Q/A ? Matthew Nickasch