Securing BGP Bruce Maggs. BGP Primer AT&T 7018 12/8 Sprint 1239 144.223/16 CMU 9 128.2/16 bmm.pc.cs.cmu.edu 128.2.205.42 Autonomous System Number Prefix.

Presentation transcript:

Securing BGP Bruce Maggs

BGP Primer
[Figure: AT&T (AS 7018, 12/8), Sprint (AS 1239, 144.223/16), CMU (AS 9, 128.2/16) and the host bmm.pc.cs.cmu.edu (128.2.205.42). Labels: Autonomous System Number, Prefix of IP addresses, AS Path.]

BGP Details
- The AS that owns a prefix “originates” an advertisement with only its AS number on the path.
- An AS advertises only its primary path to a prefix (the one it actually uses) to its neighbors.
- The primary path for an IP address must be chosen from the received advertisements with the most specific (longest) prefix containing the address, e.g., for , /24 is preferred over 128.2/16.
- An advertisement contains the entire AS path.

Problems with BGP
- Not secure – susceptible to route “hijacking”.
- Routing policy is determined primarily by economics, not performance.
- Slow to converge (and convergence is not guaranteed).

Who owns a prefix?
- Organizations are granted prefixes of addresses, e.g., 128.2/16, by regional Internet registries: ARIN, RIPE NCC, APNIC, AFRINIC, LACNIC.
- Source: of-apnic/history-of-the-regional-internet-registries
- Organizations also separately register AS numbers, but there is no linkage between AS numbers and prefixes.

Route Hijacking
- Any network can advertise that it knows a path to any prefix!
- There is no way to check if the path is legitimate.
- Highly specific advertisements (e.g., /24) will attract traffic.
- To mitigate risk, network operators manually create filters to limit what sorts of advertisements they will trust from their peers.
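An added example (not from the original slides) of the longest-prefix rule from BGP Details and of why the highly specific advertisements described under Route Hijacking attract traffic, together with a monitor that flags them. 128.2/16 and AS 9, 7018 and 1239 come from the BGP Primer slide; the /24, the documentation ASN 64500 and the function names are constructed for illustration.

```python
import ipaddress

# Routes as (prefix, AS path); the origin AS is the last ASN on the path.
RIB = [
    ("128.2.0.0/16", [7018, 9]),   # CMU's prefix, learned via AT&T
    ("12.0.0.0/8", [7018]),        # AT&T's own prefix
]
# Constructed more-specific advertisement from an unrelated origin.
HIJACK = ("128.2.205.0/24", [1239, 64500])

def best_route(rib, address):
    """Return (prefix, as_path) for the longest prefix containing address."""
    addr = ipaddress.ip_address(address)
    matches = [(ipaddress.ip_network(p), path) for p, path in rib
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    net, path = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), path

def suspicious_announcements(expected, announcements):
    """Flag announcements inside monitored address space that come from a
    different origin AS or are more specific than what the owner announces.

    expected: {prefix: origin_asn} for the prefixes being monitored.
    """
    alerts = []
    for prefix, path in announcements:
        net = ipaddress.ip_network(prefix)
        for exp_prefix, exp_origin in expected.items():
            exp_net = ipaddress.ip_network(exp_prefix)
            if net.version != exp_net.version or not net.subnet_of(exp_net):
                continue  # outside the monitored prefix
            origin = path[-1]
            if origin != exp_origin:
                alerts.append((prefix, origin, "unexpected origin"))
            elif net.prefixlen > exp_net.prefixlen:
                alerts.append((prefix, origin, "unexpected more-specific"))
    return alerts
```

With only RIB loaded, traffic for 128.2.205.42 follows the /16; once HIJACK is added, the /24 wins regardless of AS path length, and the monitor reports it.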

Why Hijack Routes?
- Steal some IP addresses temporarily and send SPAM until the addresses are blacklisted.
- Create a sinkhole to divert traffic away from a Web site, making it unavailable.
- Eavesdrop on traffic but ultimately pass it along.

The AS 7007 Incident
- On April 25, 1997, AS 7007 (MAI Network Services) leaked its entire routing table to AS 1790 (Sprint), with all prefixes broken down to /24 (probably due to a bug) and the original AS paths stripped off.
- After MAI turned off their router, Sprint kept advertising the routes!
- See 04/msg00444.html

Pakistan Telecom v. YouTube
- Pakistan’s government ordered YouTube blocked to prevent viewing of a video showing cartoons about Muhammad.
- On February 24, 2008, Pakistan’s state-owned ISP advertised YouTube’s address space /24.
- The route prefix was more specific than the genuine announcement /22.
- Upstream provider PCCW Global (AS3491) forwarded the announcement to the rest of the Internet.
- Requests for YouTube worldwide were hijacked!

YouTube Availability
[Figure: YouTube availability during the incident.]
Source: offline-and-how-to-make-sure-it-never-happens-again/

China Telecom Incident
- China Telecom AS (a data center) normally originates 40 prefixes.
- On April 8, 2010, it originated ~37,000 prefixes not assigned to it for 15 minutes.
- About 10% of these prefixes propagated outside of the Chinese network.
- Prefixes included cnn.com, dell.com, and many other Web sites.
- Some traffic was diverted to China, passed through, and then went on to its destination!

Impacted Prefixes
[Figure: prefixes impacted by the incident.]
Source: hijacked-10-of-the-internet/

Example Traceroute
[Traceroute output; hop addresses and timings were lost in extraction. Hop sequence: London (3 hops), China Telecom (3 hops), Level (6 hops), Verizon (2 hops), [.. four more Verizon hops..], Verizon (2 hops).]

Secure BGP
- Still under development – not supported by routers yet.
- Aims to prevent:
  - Bogus origin AS
  - Bogus AS_PATH (unauthorized insertions and deletions of ASNs in the path)
- All RIRs (Regional Internet Registries) now offer RPKI (Resource Public Key Infrastructure) services … but there is no single root of trust, so RIRs could (accidentally) conflict.

Secure BGP – How will it work?
- A Route Origin Authorization (ROA) certificate authorizes an AS to originate an advertisement for a prefix.
- Each AS that adds its ASN to an AS PATH signs the resulting PATH before passing it on further.
- Eventually, routers may choose not to accept unsigned advertisements.
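An added example (not from the original slides) of the origin check that ROAs make possible, classifying announcements as valid, invalid or not-found in the style of RFC 6811. It covers origin authorization only, not path signing. The ROA data uses a private prefix and documentation ASNs, with a /22 owner and a /24 more-specific mirroring the YouTube incident; all names and values are constructed.

```python
import ipaddress
from collections import namedtuple

# One validated ROA entry: the prefix, the longest prefix length that may be
# announced within it (the ROA maxLength field), and the authorized origin AS.
ROA = namedtuple("ROA", "prefix max_length asn")

# Constructed data: a private prefix and documentation ASNs, not real ROAs.
ROAS = [ROA("10.10.0.0/22", 22, 64496)]

def validate_origin(roas, prefix, origin_asn):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue                      # this ROA does not cover the route
        covered = True
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"                # a covering ROA authorizes it
    # Covered by some ROA but authorized by none: bogus origin or too specific.
    return "invalid" if covered else "not-found"

def filter_announcements(roas, announcements, drop_not_found=False):
    """Keep the announcements a router applying origin validation would accept.

    announcements: iterable of (prefix, as_path); the origin is the last ASN.
    drop_not_found=True models the stricter policy of refusing routes that
    have no covering ROA at all.
    """
    kept = []
    for prefix, path in announcements:
        state = validate_origin(roas, prefix, path[-1])
        if state == "invalid" or (state == "not-found" and drop_not_found):
            continue
        kept.append((prefix, path, state))
    return kept
```

A more-specific /24 is rejected even when it carries the authorized origin AS, because it exceeds the ROA's maximum length; this is what stops a forged-origin more-specific from passing the check.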

Caveats
- An AS may still choose not to route packets along the primary path that it advertises.
- An AS can still eavesdrop on any traffic that passes through it.