Presentation is loading. Please wait.

Presentation is loading. Please wait.

Border Gateway Protocol Vasant Reddy. Contents Introduction Operation BGP Types BGP Header Message & Attributes BGP Route Processing Security Issues Vulnerabilities.

Published byAugustus Hunt Modified over 9 years ago

Similar presentations

Presentation on theme: "Border Gateway Protocol Vasant Reddy. Contents Introduction Operation BGP Types BGP Header Message & Attributes BGP Route Processing Security Issues Vulnerabilities."— Presentation transcript:

1 Border Gateway Protocol Vasant Reddy

2 Contents Introduction Operation BGP Types BGP Header Message & Attributes BGP Route Processing Security Issues Vulnerabilities Security Solution

3 Some Terminology… Autonomous System (a.k.a Administrative Domain) is set of networks which share a common routing polices Ex : UNT,AT&T Interior Gateway Protocols are routing protocols within an Autonomous System Ex : RIP,OSPF Exterior Gateway Protocols are routing protocols used between Autonomous Systems EX : BGP

4 Introduction Border Gateway Protocol – the “exterior” gateway protocol for IP address families. BGP uses a TCP connection to exchange information between peers. Policy based Incremental Updates

5 BGP v4 RFC 1771 The only Inter Domain routing protocol currently in use. All previous versions of BGP are obsolete and not in use today. Utilizes a Path Vector PV protocol. Employs CIDR or Classless inter-domain routing.

6 BGP vs IGP RR R R R RR R R R R R Neither AS needs to know or care about the IGP used by the neighboring AS. BGP propagates routes between them. OSPF RIP BGP peering

7 BGP Operation Runs over a reliable transport protocol (TCP) Uses TCP port 179 to establish connections BGP Speaker is router running BGP protocol,speakers communicate across TCP and become peers or neighbors. External links: connections between BGP speakers in different AS. Internal links: connections between BGP speakers in the same AS. Resolve connection collisions if two BGP peers Simultaneously try to open connection.

8 BGP Session Estblishment Connect.req SYN(179) SYN + ACK CONNECT.conf TCP session established DATA.req(OPEN) DATA(BGPopen) DATA.req TCP session Established DATA(BGPopen) ACK(179) ACK DATA.req(OPEN) BGP Session Established Connect.ind Connect.resp DATA.req(open)

9 Origin of “Routes” for BGP Learned from other BGP routers  BGP router only propagates the received routes Static configuration  BGP router is configured to advertise some prefixes  Drawback : requires manual configuration  Advantage : Stable set of advertised prefixes Learned from an Interior Gateway Protocol  prefixes received from the IGP are advertised by the BGP router usually as an aggregate  Advantage :BGP advertisements follow network state, prefix is automatically withdrawn by BGP it is not reachable via IGP

10 eBGP and iBGP eBGP –BGP running between two different ASs iBGP –BGP running within the same AS –An AS has multiple BGP speakers –Distribute routing info among BGP routers –Minor but important difference with eBGP

11 BGP Header 16 2 1 var Marker –Contains an authentication value that the message receiver can predict. Length –Indicates the total length of the message in bytes. Type – Specifies the message type as one of the following: Open Update Notification Keep-alive Data –Contains upper-layer information in this optional field. Marker Length Type Data

12 BGP Message Types Open Update Notification Keep alive TCP connection always established throughout the BGP session

13 Open Messages Establish a peering session The first message sent after TCP established Each peer identify itself to each other Negotiate protocol version/parameters Security (optional)

14 Open Message Format Version (1 octet) My Autonomous System (2 octet) Hold Time (2 octet) BGP identifier (4 octet) Optional Parameter Length (1 octet) Optional parameters (variable length)

15 Update Message Primary message used in a BGP Advertises (announces) a prefix to BGP neighbors/withdraw a previously advertised message Encourage multiple prefixes in a single Update

16 Notification Message Used when error(s) happen(s) TCP will be closed immediately after notification is sent Indicates to remote system why BGP was terminated

17 Keepalive Message Confirm the connection is still active rate depend on the hold timer negotiated by open message and update message frequency A common header with no other data

18 BGP attributes AS-path attribute Origin attribute BGP Nexthop attribute Weight Attribute Local preference attribute Metric attribute

19 AS-Path Attribute A list of AS numbers that a route has traversed in order to reach a destination Whenever a route update pass through a new AS, the AS number is prepended AS numbers are listed in order If the AS number is already in the update, the route is dropped.

20 Origin Attribute Mandatory attribute Defines the origin of the path information three typical values –“i”: IGP, interior to the originating AS –“e”: EGP, learnt via exterior gateway protocol –“?”: incomplete, unknown or via others

21 Nexthop Attribute The next hop IP address used to reach destination For eBGP, always the directly connected neighbor’s interface For iBGP, the nexthop advertised by eBGP should be carried through into iBGP

22 Weight Attribute Cisco implementation Assigned locally to indicate a router to choose best exit path Does not propagate through router updates Higher weight is preferred Default is 0

23 Local Preference Attribute Indicate which route is preferred Exchanged among routers in the same AS through updates Higher value is preferred Default value is 100

24 Metric Attribute Also called Multi_exit_discriminator Exchanged between AS, but not carried through Low value of a metric is more preferred Default value is 0 Unless specified, router only compare metrics for paths from the same neighbor AS

25 BGP Policies BGP provides capability for enforcing various policies Policies are not part of BGP: they are provided to BGP as configuration information BGP enforces policies by choosing paths from multiple alternatives and controlling advertisement to other AS’s

26 Best Path Selection Decision Process –Highest local preference –Shortest AS path –eBGP over iBGP –Lowest IGP metric –Lowest router id

27 BGP Router Model Import policy Decision Process Export policy Receive routes for prefixes from multiple neighbors Filter out unwanted routes, and manipulate the attributes of remaining routes Manipulate attributes of the best route, influence neighbor's choice, or decide whether to advertise the route to neighbors Decide exactly ONE best path

28 BGP Security Issues The BGP architecture makes it highly vulnerable to human errors and malicious attacks against –Links between routers –The routers themselves –Management stations that control routers Most router implementations of BGP are susceptible to various DoS attacks that can crash the router or severely degrade performance Many ISPs rely on local policy filters to protect them against configuration errors & some forms of attacks, but creating and maintaining these filters is difficult, time consuming, and error prone

29 Vulnerability Note VU#784540 Overview: Multiple implementations of the Border Gateway Protocol (BGP) contain vulnerabilities related to the processing of UPDATE and OPEN messages. The impacts of these vulnerabilities appear to be limited to denial of service Impact : A remote attacker can cause a denial of service in a vulnerable system. In most cases, the attacker would need to act as a valid BGP peer. BGP session instability can result in "flapping" and other routing traffic that may adversely effect internet traffic Solution :  Apply patch given by vendor  Restrict BGP Access using ACL’s  Authenticate BGP Messages( use MD5,IPSEC)

30 Vulnerability Note VU#689326 Overview: Cisco device running IOS that is enabled for BGP is vulnerable to a denial-of-service attack via a malformed BGP packet. The specific nature of the crafted packets exploiting this vulnerability is not known. IOS is vulnerable only if the device is set up with the bgp log-neighbor- changes command. Impact : By sending a specially crafted BGP packet to an affected device, a remote attacker could cause the device to reload resulting in a DOS Solution : Apply patch given by vendor Systems Affected Cisco Systems, Inc

31 Vulnerability Note VU#106392 Overview: There is a problem involving BGP updates on Cisco routers with BGP4 and prefix filtering and inbound route maps enabled. A route update with an unrecognized transitive attribute may cause vulnerable routers to crash. Impact : Attackers that are able to send malformed BGP updates can cause vulnerable routers to crash causing network outages. Under certain circumstances the attacker may be able to use BGP infrastructure to propagate the bad route update to multiple routers Solution : Apply patch from vendor Systems Affected : Cisco Systems, Inc

32 Basic BGP Security Requirement For every UPDATE it receives, a BGP router should be able to verify that the “owner” of each prefix authorized the first (origin) AS to advertise the prefix and that each subsequent AS in the path has been authorized by the preceding AS to advertise a route to the prefix This requirement, if achieved, allows a BGP router to detect and reject unauthorized routes, irrespective of what sort of attack resulted in the bad routes Conversely, if a security approach fails to achieve this requirement, a BGP router will be vulnerable to attacks that result in misrouting of traffic in some fashion

33 Security Solution Requirements Security architectures for BGP should not rely on “trust” among ISPs or subscribes –On a global scale, some ISPs will never be trusted –Transitive trust in people or organizations causes mistakes to propagate Security solutions must exhibit the same dynamics as the aspects of BGP they protect Both implementation and architectural security concerns must be addressed

34 Secure BGP (S-BGP) S-BGP is an architectural solution to the BGP security problems described earlier S-BGP represents an extension of BGP –It uses a standard BGP facility to carry additional data about paths in UPDATE messages –It adds an additional set of checks to the BGP route selection algorithm S-BGP avoids the pitfalls of transitive trust that are common in today’s routing infrastructure

35 How does S-BGP do it? S-BGP makes use of: –IPsec to secure point-to-point communication of BGP control traffic –Public Key Infrastructure to provide an authorization framework representing address space and AS “ownership” –Attestations (digitally-signed data) to bind authorization information to UPDATE messages S-BGP requires routers to: –Generate an attestation when generating an UPDATE for another S-BGP router –Validate attestations associated with each UPDATE received from another S-BGP router

36 QUESTIONS?

37 Questions What is difference between IGP and EGP? When is I-BGP needed? How does BGP implements policies? Why is BGP vulnerable? How S-BGP overcomes security problems of BGP?

38 References http://totem.info.ucl.ac.be/BGP/slides/bgp-4.pdf www.ida.liu.se/~TDTS02/bgp-slides.pdf ws.edu.isoc.org/data/2000/1392568124007367 7d0fb5/bgp.ppt www.cisco.com/univercd/cc/td/doc/cisintwk/ito_ doc/bgp.html www.freesoft.org/CIE/Topics/88.htm

39 THANK YOU!

Download ppt "Border Gateway Protocol Vasant Reddy. Contents Introduction Operation BGP Types BGP Header Message & Attributes BGP Route Processing Security Issues Vulnerabilities."

Similar presentations

1 Copyright  1999, Cisco Systems, Inc. Module10.ppt10/7/1999 8:27 AM BGP — Border Gateway Protocol Routing Protocol used between AS’s Currently Version.

1 Copyright  1999, Cisco Systems, Inc. Module10.ppt10/7/1999 8:27 AM BGP — Border Gateway Protocol Routing Protocol used between AS’s Currently Version.
BGP.

BGP.
CS 672 1 Summer 2003 CS672: MPLS Architecture, Applications and Fault-Tolerance.

CS Summer 2003 CS672: MPLS Architecture, Applications and Fault-Tolerance.
Border Gateway Protocol Ankit Agarwal Dashang Trivedi Kirti Tiwari.

Border Gateway Protocol Ankit Agarwal Dashang Trivedi Kirti Tiwari.
CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.

CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.
Path Vector Routing NETE0514 Presented by Dr.Apichan Kanjanavapastit.

Path Vector Routing NETE0514 Presented by Dr.Apichan Kanjanavapastit.
Routing: Exterior Gateway Protocols and Autonomous Systems Chapter 15.

Routing: Exterior Gateway Protocols and Autonomous Systems Chapter 15.
© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.

© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.
Border Gateway Protocol Autonomous Systems and Interdomain Routing (Exterior Gateway Protocol EGP)

Border Gateway Protocol Autonomous Systems and Interdomain Routing (Exterior Gateway Protocol EGP)
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.

Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.

1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Introduction to Dynamic Routing Protocol Routing Protocols and Concepts – Chapter.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Introduction to Dynamic Routing Protocol Routing Protocols and Concepts – Chapter.
1 Network Architecture and Design Routing: Exterior Gateway Protocols and Autonomous Systems Border Gateway Protocol (BGP) Reference D. E. Comer, Internetworking.

1 Network Architecture and Design Routing: Exterior Gateway Protocols and Autonomous Systems Border Gateway Protocol (BGP) Reference D. E. Comer, Internetworking.
Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.

Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.
CS 672 1 Summer 2003 Lecture 4. CS 672 2 Summer 2003 Route Aggregation The process of representing a group of prefixes with a single prefix is known as.

CS Summer 2003 Lecture 4. CS Summer 2003 Route Aggregation The process of representing a group of prefixes with a single prefix is known as.
The Border Gateway Protocol (BGP) Sharad Jaiswal.

The Border Gateway Protocol (BGP) Sharad Jaiswal.
Computer Networking Lecture 10: Inter-Domain Routing

Computer Networking Lecture 10: Inter-Domain Routing
Ion Stoica October 2, 2002 (* this presentation is based on Lakshmi Subramanian’s slides) EE 122: Inter-domain routing – Border Gateway Protocol (BGP)

Ion Stoica October 2, 2002 (* this presentation is based on Lakshmi Subramanian’s slides) EE 122: Inter-domain routing – Border Gateway Protocol (BGP)
Routing.

Routing.
© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network Considering the Advantages of Using BGP.

© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network Considering the Advantages of Using BGP.

Similar presentations

Ads by Google