Episode 22 – Securing BGP

In part 3 of our deep dive into BGP operations, Nick Russo and Russ White join us again on Network Collective to talk about securing BGP. In this episode we cover topics like authentication, advertisement filtering, best practices, origin security, path security, and remotely triggered black holes.
We would like to thank Cumulus Networks for sponsoring this episode of Network Collective. Cumulus is offering you, our listeners, a completely free O’Reilly ebook on the topic of BGP in the data center. You can get your copy of this excellent technical resource here: http://cumulusnetworks.com/networkcollectivebgp
Show Notes:

  • Authentication
    1. Classic MD5
    2. Enhanced Authentication extensions (EA). Supported by IOS XR; allows SHA-1 as well, along with key-chain rotation. Does not appear to be commonly used
    3. GTSM, and how it can be better than the previous option in some cases
  • Basic prefix filtering:
    1. From your customers: allow any number of their own AS prepended
    2. From the Internet: block bogons (RFC 1918, class D/E, etc.)
    3. To your peers: only your local space (i.e., your customers)
    4. From your peers: only routes originating from their AS (any # of prepends)
  • BCP38
    1. Techniques for spoofing prevention
    2. Describe with a simple snail mail analogy
    3. Usually uRPF strict or loose, depending
    4. Sometimes ACLs with specific IPs as sources are used too
    5. Best suited for true customer edge, not transit/peering edge (performance)
  • Origin Security
    1. Try to prevent the hijacking of routes
    2. Hijacking is often used by spammers, etc., to source junk
    3. The main idea is — is this AS number really tied to this address block?
    4. The RPKI
      1. Signed x.500 certificates
      2. Carried around through a synchronized database (rsync)
      3. The certificates are rooted in the RIRs
      4. Which means that if you don’t pay your bill, your certificate is withdrawn — you lose the ability to route
    5. MANRS
      1. As your provider, I should know what addresses you plan to source services from
      2. If you try to source something from a space you didn’t tell me about, and I can’t verify, I should block it
      3. To some degree, relies on uRPF
      4. Not always realistic, so deployed on a case by case basis
  • Path Security
    1. BGPsec
      1. Onion signing of all BGP updates
      2. This isn’t ever going to happen according to Russ
      3. Kills performance — packing, per hop public key crypto
      4. Either you have a timer in the update, converting BGP to RIP, or you have permanent replay attacks — there’s no clear solution to this problem
    2. OpenBMP, IRRs
      1. Community and history information
      2. Can be as accurate as the information gathered and stored
    3. First hop, graph overlay
      1. Validate first hop in RPKI or some other system
      2. Removes many of the real world problems, but not all of them
    4. All of these are active research
  • Remotely triggered blackhole (RTBH)
    1. Some router is the trigger
    2. Add a static route with specific community
    3. ASBRs match on this community and set next-hop to some TEST-NET IP
    4. ASBRs have static route to this TEST-NET IP pointing to null → fast path drops
    5. Pair it with uRPF at the ASBR for source-based RTBH too
    6. Remove the static route from the trigger router when the DoS/DDoS attack ends
  • BGP flowspec
    1. QPPB on steroids
    2. More granular than RTBH
    3. QoS and security policy distribution and enforcement over BGP
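The four inbound/outbound rules under "Basic prefix filtering" above, written out as a small policy evaluator. This is an added example, not code from the show or from either guest; the bogon list, AS numbers and prefixes are constructed for the example (documentation ranges and private-use ASNs), and the `Route` class and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass

# Constructed bogon list for the example: "this network", RFC 1918, loopback,
# link-local, class D (multicast) and class E (reserved). A real deployment
# pulls a maintained bogon feed instead of hard-coding one.
BOGONS = (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple  # leftmost = neighbour that sent the route, rightmost = origin AS


def _net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


def covered_by(prefix, allowed):
    """True if `prefix` equals or is more specific than some prefix in `allowed`."""
    net = _net(prefix)
    return any(net.version == a.version and net.subnet_of(a)
               for a in map(_net, allowed))


def is_bogon(prefix):
    return covered_by(prefix, BOGONS)


def originated_only_by(route, asn):
    """Path is the neighbour's own AS repeated any number of times: the same
    check as an as-path regular expression of the form ^(ASN_)+$ on a router."""
    return bool(route.as_path) and all(a == asn for a in route.as_path)


def accept_from_customer(route, customer_asn, customer_prefixes):
    """Inbound from a customer: only the space registered to them, originated
    by them. Prepends of their own AS are allowed; a foreign origin is not."""
    return (covered_by(route.prefix, customer_prefixes)
            and originated_only_by(route, customer_asn))


def accept_from_internet(route):
    """Inbound from transit: block bogons (everything else is accepted here)."""
    return not is_bogon(route.prefix)


def accept_from_peer(route, peer_asn):
    """Inbound from a peer: no bogons, and only routes the peer itself originates."""
    return not is_bogon(route.prefix) and originated_only_by(route, peer_asn)


def announce_to_peer(route, local_prefixes):
    """Outbound to a peer: only our own and our customers' space."""
    return covered_by(route.prefix, local_prefixes)


if __name__ == "__main__":
    # Constructed sample: customer AS 64496 owns 203.0.113.0/24, peer is AS 64510.
    customer_space = ["203.0.113.0/24"]
    samples = [
        ("customer, prepended 3x", accept_from_customer(
            Route("203.0.113.0/24", (64496, 64496, 64496)), 64496, customer_space)),
        ("customer, someone else's space", accept_from_customer(
            Route("198.51.100.0/24", (64496,)), 64496, customer_space)),
        ("internet, RFC 1918 bogon", accept_from_internet(Route("10.0.0.0/8", (64510,)))),
        ("peer, own origin prepended", accept_from_peer(
            Route("198.51.100.0/24", (64510, 64510)), 64510)),
        ("peer, transited route", accept_from_peer(
            Route("198.51.100.0/24", (64510, 64511)), 64510)),
    ]
    for label, accepted in samples:
        print(f"{label:32} {'accept' if accepted else 'reject'}")
```

`covered_by` accepts more-specifics of a registered prefix; whether to cap the prefix length (for example, refusing anything longer than a /24) is a separate policy decision that the rules above do not cover.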
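The RTBH sequence from the "Remotely triggered blackhole" notes above (trigger router, community-tagged /32, next-hop rewrite to a TEST-NET address, static null route, uRPF for the source-based variant), modelled as a small forwarding simulation. This is an added example, not code from the show or its guests. Assumptions: the community is 65535:666 (the BLACKHOLE community from RFC 7999; the notes only say "specific community"), the discard next-hop is 192.0.2.1 from TEST-NET-1, and the interface names, trigger address and attacker/victim addresses are constructed.

```python
import ipaddress

# Constructed values: the notes say only "specific community" and "some TEST-NET IP".
RTBH_COMMUNITY = "65535:666"    # RFC 7999 BLACKHOLE community
DISCARD_NEXT_HOP = "192.0.2.1"  # TEST-NET-1 address, never routable on the Internet
TRIGGER_ADDRESS = "10.0.0.254"  # constructed loopback of the trigger router


class ASBR:
    """Border router: static routes, BGP routes after import policy, loose uRPF."""

    def __init__(self):
        # The static route that makes the technique work: TEST-NET next-hop -> Null0.
        self.static = {f"{DISCARD_NEXT_HOP}/32": "Null0"}
        self.bgp = {}           # prefix -> next-hop as installed after the route-map
        self.urpf_loose = True  # loose uRPF: drop if the source resolves to Null0

    def import_route(self, prefix, next_hop, communities):
        """Inbound route-map: a route tagged with the RTBH community has its
        next-hop rewritten to the discard address; anything else is untouched."""
        if RTBH_COMMUNITY in communities:
            next_hop = DISCARD_NEXT_HOP
        self.bgp[prefix] = next_hop

    def withdraw_route(self, prefix):
        self.bgp.pop(prefix, None)

    def resolve(self, addr, depth=0):
        """Longest-prefix match over static + BGP routes, then recursive next-hop
        resolution: an IP next-hop is looked up again until an interface or Null0."""
        ip = ipaddress.ip_address(addr)
        best = None
        for prefix, nh in {**self.bgp, **self.static}.items():
            net = ipaddress.ip_network(prefix)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        if best is None:
            return "Null0"
        nh = best[1]
        try:
            ipaddress.ip_address(nh)   # IP next-hop: resolve it too
        except ValueError:
            return nh                  # interface name or Null0
        return "Null0" if depth >= 4 else self.resolve(nh, depth + 1)

    def forward(self, src, dst):
        """Decision for one packet: loose uRPF on the source, then destination lookup."""
        if self.urpf_loose and self.resolve(src) == "Null0":
            return "drop:urpf"         # source-based RTBH: source /32 points to Null0
        out = self.resolve(dst)
        return "drop:null" if out == "Null0" else f"forward:{out}"


class TriggerRouter:
    """Injects /32 static routes tagged with the RTBH community into BGP."""

    def __init__(self, asbrs):
        self.asbrs = asbrs

    def blackhole(self, host):
        for asbr in self.asbrs:
            asbr.import_route(f"{host}/32", TRIGGER_ADDRESS, {RTBH_COMMUNITY})

    def release(self, host):
        """Attack over: remove the static route, and the /32 is withdrawn everywhere."""
        for asbr in self.asbrs:
            asbr.withdraw_route(f"{host}/32")


def build_asbr():
    asbr = ASBR()
    asbr.static["203.0.113.0/24"] = "Gi0/1"  # constructed: customer-facing link
    asbr.static["0.0.0.0/0"] = "Gi0/0"       # constructed: upstream transit link
    return asbr


def rtbh_scenario():
    """Destination-based, then source-based RTBH; returns each forwarding decision."""
    asbr = build_asbr()
    trigger = TriggerRouter([asbr])
    victim, attacker, other = "203.0.113.10", "198.51.100.7", "198.51.100.8"
    result = {"before": asbr.forward(attacker, victim)}
    trigger.blackhole(victim)      # victim /32 -> 192.0.2.1 -> Null0: fast-path drop
    result["dst_blackhole"] = asbr.forward(attacker, victim)
    trigger.release(victim)
    result["after_release"] = asbr.forward(attacker, victim)
    trigger.blackhole(attacker)    # attacker /32 -> Null0: loose uRPF drops its packets
    result["src_blackhole_attacker"] = asbr.forward(attacker, victim)
    result["src_blackhole_other"] = asbr.forward(other, victim)
    return result


if __name__ == "__main__":
    for step, decision in rtbh_scenario().items():
        print(f"{step:24} {decision}")
```

The destination-based blackhole drops everything sent to the victim, so it trades the victim's reachability for the rest of the network's; the source-based variant only works when uRPF is enabled on the ASBR, which is why the notes pair the two.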

Guests: Russ White, Nicholas Russo
Co-Hosts: Jordan Martin, Eyvonne Sharp


Outro Music:
Danger Storm Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0 License
http://creativecommons.org/licenses/by/3.0/