Title: Border Gateway Protocol
1Border Gateway Protocol
2Contents
- Introduction
- Operation
- BGP Types
- BGP Header
- Message Attributes
- BGP Route Processing
- Security Issues
- Vulnerabilities
- Security Solution
3Some Terminology
- Autonomous System (a.k.a Administrative Domain)
is set of networks which share a common routing
polices Ex UNT,ATT - Interior Gateway Protocols are routing protocols
within an Autonomous System - Ex RIP,OSPF
- Exterior Gateway Protocols are routing protocols
used between Autonomous Systems - EX BGP
4Introduction
- Border Gateway Protocol the exterior gateway
protocol for IP address families. - BGP uses a TCP connection to exchange information
between peers. - Policy based
- Incremental Updates
5BGP v4
- RFC 1771
- The only Inter Domain routing protocol currently
in use. - All previous versions of BGP are obsolete and not
in use today. - Utilizes a Path Vector PV protocol.
- Employs CIDR or Classless inter-domain routing.
6BGP vs IGP
OSPF
RIP
BGP peering
R
R
R
R
R
R
R
R
R
R
R
R
Neither AS needs to know or care about the IGP
used by the neighboring AS. BGP propagates
routes between them.
7BGP Operation
- Runs over a reliable transport protocol (TCP)
- Uses TCP port 179 to establish connections
- BGP Speaker is router running BGP protocol
,speakers communicate across TCP and become peers
or neighbors. - External links connections between BGP speakers
in different AS. - Internal links connections between BGP speakers
in the same AS. - Resolve connection collisions if two BGP peers
Simultaneously try to open connection.
8BGP Session Estblishment
SYN(179)
Connect.ind
SYN ACK
CONNECT.conf
Connect.resp
ACK(179)
TCP session established
DATA.req(OPEN)
TCP session Established
DATA(BGPopen)
DATA.req
DATA(BGPopen)
DATA.req(OPEN)
DATA.req(open)
ACK
BGP Session Established
ACK
BGP Session Established
9Origin of Routes for BGP
- Learned from other BGP routers
- BGP router only propagates the received routes
- Static configuration
- BGP router is configured to advertise some
prefixes - Drawback requires manual configuration
- Advantage Stable set of advertised prefixes
- Learned from an Interior Gateway Protocol
- prefixes received from the IGP are advertised by
the BGP router usually as an aggregate - Advantage BGP advertisements follow network
state, prefix is automatically withdrawn by BGP
it is not reachable via IGP
10eBGP and iBGP
- eBGP
- BGP running between two different ASs
- iBGP
- BGP running within the same AS
- An AS has multiple BGP speakers
- Distribute routing info among BGP routers
- Minor but important difference with eBGP
11BGP Header
- 16 2
1 var - Marker
- Contains an authentication value that the message
receiver can predict. - Length
- Indicates the total length of the message in
bytes. - Type
- Specifies the message type as one of the
following - Open
- Update
- Notification
- Keep-alive
- Data
- Contains upper-layer information in this optional
field.
Marker
Length Type Data
12BGP Message Types
- Open
- Update
- Notification
- Keep alive
- TCP connection always established throughout the
BGP session
13Open Messages
- Establish a peering session
- The first message sent after TCP established
- Each peer identify itself to each other
- Negotiate protocol version/parameters
- Security (optional)
14Open Message Format
Version (1 octet)
My Autonomous System (2 octet)
Hold Time (2 octet)
BGP identifier (4 octet)
Optional Parameter Length (1 octet)
Optional parameters (variable length)
15Update Message
- Primary message used in a BGP
- Advertises (announces) a prefix to BGP
neighbors/withdraw a previously advertised
message - Encourage multiple prefixes in a single Update
16Notification Message
- Used when error(s) happen(s)
- TCP will be closed immediately after notification
is sent - Indicates to remote system why BGP was terminated
17Keepalive Message
- Confirm the connection is still active
- rate depend on the hold timer negotiated by open
message and update message frequency - A common header with no other data
18BGP attributes
- AS-path attribute
- Origin attribute
- BGP Nexthop attribute
- Weight Attribute
- Local preference attribute
- Metric attribute
19AS-Path Attribute
- A list of AS numbers that a route has traversed
in order to reach a destination - Whenever a route update pass through a new AS,
the AS number is prepended - AS numbers are listed in order
- If the AS number is already in the update, the
route is dropped.
20Origin Attribute
- Mandatory attribute
- Defines the origin of the path information
- three typical values
- i IGP, interior to the originating AS
- e EGP, learnt via exterior gateway protocol
- ? incomplete, unknown or via others
21Nexthop Attribute
- The next hop IP address used to reach destination
- For eBGP, always the directly connected
neighbors interface - For iBGP, the nexthop advertised by eBGP should
be carried through into iBGP
22Weight Attribute
- Cisco implementation
- Assigned locally to indicate a router to choose
best exit path - Does not propagate through router updates
- Higher weight is preferred
- Default is 0
23Local Preference Attribute
- Indicate which route is preferred
- Exchanged among routers in the same AS through
updates - Higher value is preferred
- Default value is 100
24Metric Attribute
- Also called Multi_exit_discriminator
- Exchanged between AS, but not carried through
- Low value of a metric is more preferred
- Default value is 0
- Unless specified, router only compare metrics for
paths from the same neighbor AS
25BGP Policies
- BGP provides capability for enforcing various
policies - Policies are not part of BGP they are provided
to BGP as configuration information - BGP enforces policies by choosing paths from
multiple alternatives and controlling
advertisement to other ASs
26Best Path Selection
- Decision Process
- Highest local preference
- Shortest AS path
- eBGP over iBGP
- Lowest IGP metric
- Lowest router id
27BGP Router Model
Decide exactly ONE best path
Decision Process
Export policy
Import policy
Filter out unwanted routes, and manipulate the
attributes of remaining routes
Manipulate attributes of the best route,
influence neighbor's choice, or decide whether to
advertise the route to neighbors
Receive routes for prefixes from multiple
neighbors
28BGP Security Issues
- The BGP architecture makes it highly vulnerable
to human errors and malicious attacks against - Links between routers
- The routers themselves
- Management stations that control routers
- Most router implementations of BGP are
susceptible to various DoS attacks that can crash
the router or severely degrade performance - Many ISPs rely on local policy filters to protect
them against configuration errors some forms of
attacks, but creating and maintaining these
filters is difficult, time consuming, and error
prone
29Vulnerability Note VU784540
- Overview
- Multiple implementations of the Border
Gateway Protocol (BGP) contain vulnerabilities
related to the processing of UPDATE and OPEN
messages. The impacts of these vulnerabilities
appear to be limited to denial of service - Impact
- A remote attacker can cause a denial of service
in a vulnerable system. In most cases, the
attacker would need to act as a valid BGP peer.
BGP session instability can result in "flapping"
and other routing traffic that may adversely
effect internet traffic - Solution
- Apply patch given by vendor
- Restrict BGP Access using ACLs
- Authenticate BGP Messages( use MD5,IPSEC)
30Vulnerability Note VU689326
- Overview
- Cisco device running IOS that is enabled for
BGP is vulnerable to a denial-of-service attack
via a malformed BGP packet. The specific nature
of the crafted packets exploiting this
vulnerability is not known. IOS is vulnerable
only if the device is set up with the bgp
log-neighbor-changes command. - Impact
- By sending a specially crafted BGP packet to an
affected device, a remote attacker could cause
the device to reload resulting in a DOS - Solution
- Apply patch given by vendor
- Systems Affected
- Cisco Systems, Inc
-
31Vulnerability Note VU106392
- Overview
- There is a problem involving BGP updates on
Cisco routers with BGP4 and prefix filtering and
inbound route maps enabled. A route update with
an unrecognized transitive attribute may cause
vulnerable routers to crash. - Impact
- Attackers that are able to send malformed BGP
updates can cause vulnerable routers to crash
causing network outages. Under certain
circumstances the attacker may be able to use BGP
infrastructure to propagate the bad route update
to multiple routers - Solution
- Apply patch from vendor
- Systems Affected
- Cisco Systems, Inc
32Basic BGP Security Requirement
- For every UPDATE it receives, a BGP router should
be able to verify that the owner of each prefix
authorized the first (origin) AS to advertise the
prefix and that each subsequent AS in the path
has been authorized by the preceding AS to
advertise a route to the prefix - This requirement, if achieved, allows a BGP
router to detect and reject unauthorized routes,
irrespective of what sort of attack resulted in
the bad routes - Conversely, if a security approach fails to
achieve this requirement, a BGP router will be
vulnerable to attacks that result in misrouting
of traffic in some fashion
33 Security Solution Requirements
- Security architectures for BGP should not rely on
trust among ISPs or subscribes - On a global scale, some ISPs will never be
trusted - Transitive trust in people or organizations
causes mistakes to propagate - Security solutions must exhibit the same dynamics
as the aspects of BGP they protect - Both implementation and architectural security
concerns must be addressed
34Secure BGP (S-BGP)
- S-BGP is an architectural solution to the BGP
security problems described earlier - S-BGP represents an extension of BGP
- It uses a standard BGP facility to carry
additional data about paths in UPDATE messages - It adds an additional set of checks to the BGP
route selection algorithm - S-BGP avoids the pitfalls of transitive trust
that are common in todays routing infrastructure
35How does S-BGP do it?
- S-BGP makes use of
- IPsec to secure point-to-point communication of
BGP control traffic - Public Key Infrastructure to provide an
authorization framework representing address
space and AS ownership - Attestations (digitally-signed data) to bind
authorization information to UPDATE messages - S-BGP requires routers to
- Generate an attestation when generating an UPDATE
for another S-BGP router - Validate attestations associated with each UPDATE
received from another S-BGP router
36QUESTIONS?
37Questions
- What is difference between IGP and EGP?
- When is I-BGP needed?
- How does BGP implements policies?
- Why is BGP vulnerable?
- How S-BGP overcomes security problems of BGP?
38References
- http//totem.info.ucl.ac.be/BGP/slides/bgp-4.pdf
- www.ida.liu.se/TDTS02/bgp-slides.pdf
- ws.edu.isoc.org/data/2000/13925681240073677d0fb5/b
gp.ppt - www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/
bgp.html - www.freesoft.org/CIE/Topics/88.htm
39THANK YOU!