BGP Edge Security for Dummies. Layer , 2603, and others

Size: px

Start display at page:

Download "BGP Edge Security for Dummies. Layer , 2603, and others"

Kelly Henderson
5 years ago
Views:

1 BGP Edge Security for Dummies Layer , 2603, and others

4 Step 1 of 9 Question: Am I part of the problem (or the solution)? Answer: Are you currently operating a ASN with atleast one peer? (transit included)

5 Step 1 of 9 Question: Am I part of the problem (or the solution)? Answer: Are you currently operating a ASN with atleast one peer? (transit included) If yes! Then this is for you. Admit you have a problem and that you want to solve it! If no! Then dwell into s/memes ( I can recommend honestnetworker.net)

6 Step 2 of 9 Do the very needful basics. 1. Reject Bogon ASN 2. Reject Bogon Prefix

7 Step 2 of 9 Reject Bogon ASN JUNOS policy-options { as-path-group bogon-asns { /* RFC7607 */ as-path zero ".* 0.*"; /* RFC 4893 AS_TRANS */ as-path as_trans ".* *"; /* RFC 5398 and documentation/example ASNs */ as-path examples1 ".* [ ].*"; as-path examples2 ".* [ ].*"; /* RFC 6996 Private ASNs*/ as-path reserved1 ".* [ ].*"; as-path reserved2 ".* [ ].*"; /* RFC 6996 Last 16 and 32 bit ASNs */ as-path last16 ".* *"; as-path last32 ".* *"; /* RFC IANA reserved ASNs*/ as-path iana-reserved ".* [ ].*"; policy-statement import_from_ebgp { term bogon-asns { from as-path-group bogon-asns; then reject; term...

8 Step 2 of 9 Reject Bogon ASN XR as-path-set bogon-asns # RFC7607 ios-regex '_0_', # 2 to 4 byte ASN migrations passes-through '23456', # RFC5398 passes-through '[ ]', passes-through '[ ]', # RFC6996 passes-through '[ ]', passes-through '[ ]', # RFC7300 passes-through '65535', passes-through ' ', # IANA reserved passes-through '[ ]' end-set route-policy import_from_ebgp if as-path in bogon-asns then drop else... endif end-policy

9 policy-options { prefix-list BOGONS_v4 { /8; /8; /10; /8; /16; /12; /24; /24; /16; /15; /24; /24; /4; /4; policy-statement BGP_FILTER_IN { term IPv4 { from { prefix-list BOGONS_v4; then reject; Step 2 of 9 Reject Bogon Prefix JUNOS policy-statement ipv6-ebgp-relaxed { from { family inet6; route-filter 3ffe::/16 orlonger; route-filter 0000::/8 orlonger; route-filter 2001:db8::/32 orlonger; route-filter 2001::/32 exact next policy; route-filter 2001::/32 longer; route-filter 2002::/16 exact next policy; route-filter 2002::/16 longer; route-filter fe00::/9 orlonger; route-filter ff00::/8 orlonger; route-filter 2000::/3 prefix-length-range /49-/128; route-filter 0::/0 orlonger; then { trace; reject;

10 ipv6 prefix-list ipv6-ebgp-strict deny 3ffe::/16 le 128 ipv6 prefix-list ipv6-ebgp-strict permit 2001:500::/30 ge 48 le 48 ipv6 prefix-list ipv6-ebgp-strict deny 2001:db8::/32 le 128 ipv6 prefix-list ipv6-ebgp-strict permit 2001::/32 ipv6 prefix-list ipv6-ebgp-strict permit 2001::/16 ge 35 le 35 ipv6 prefix-list ipv6-ebgp-strict permit 2001::/16 ge 19 le 32 ipv6 prefix-list ipv6-ebgp-strict permit 2001:0678::/29 le 48 ipv6 prefix-list ipv6-ebgp-strict permit 2001:0c00::/23 ge 48 le 48 ipv6 prefix-list ipv6-ebgp-strict permit 2001:13c7:6000::/36 le 48 ipv6 prefix-list ipv6-ebgp-strict permit 2001:13c7:7000::/36 le 48 ipv6 prefix-list ipv6-ebgp-strict permit 2001:43f8::/29 ge 40 le 48 ipv6 prefix-list ipv6-ebgp-strict permit 2002::/16 ipv6 prefix-list ipv6-ebgp-strict permit 2003::/16 ge 19 le 32 ipv6 prefix-list ipv6-ebgp-strict permit 2400::/12 ge 19 le 32 ipv6 prefix-list ipv6-ebgp-strict permit 2600::/12 ge 19 le 32 ipv6 prefix-list ipv6-ebgp-strict permit 2610::/23 ge 24 le 32 ipv6 prefix-list ipv6-ebgp-strict permit 2620::/23 ge 40 le 48 ipv6 prefix-list ipv6-ebgp-strict permit 2800::/12 ge 19 le 32 ipv6 prefix-list ipv6-ebgp-strict permit 2a00::/12 ge 19 le 32 ipv6 prefix-list ipv6-ebgp-strict permit 2801:0000::/24 le 48 ipv6 prefix-list ipv6-ebgp-strict permit 2c00::/12 ge 19 le 32 ipv6 prefix-list ipv6-ebgp-strict deny 0::/0 le 128 Step 2 of 9 Reject Bogon Prefix XR prefix-set BOGONS_V /8 le 32, /8 le 32, /10 le 32, /8 le 32, /16 le 32, /12 le 32, /24 le 32, /24 le 32, /16 le 32, /15 le 32, /24 le 32, /24 le 32, /4 le 32, /4 le 32 end-set! route-policy BGP_FILTER_IN if destination in BOGONS_V4 then drop endif end-policy

11 Step 3 of 9 Do the very needful basics extended version. 1. Reject small prefixes 2. Reject long AS-paths

12 Step 3 of 9 Do the very needful basics extended version. 1. Reject small prefixes 2. Reject long AS-paths

13 JUNOS Step 3 of 9 Reject Bogon Small Prefix policy-options { policy-statement bgp-import-policy { term reject_too_small_prefixes_v4 { from { route-filter /0 prefix-length-range /25-/32; then { reject; Cisco ip prefix-list peerfilter seq 5 deny /0 ip prefix-list peerfilter seq 10 permit /0 ge 8 le 24 #Use a template peer-policy that you configure for each neighbor like this:! template peer-policy ixe-v4 prefix-list peerfilter in maximum-prefix <number> exit-peer-policy!

14 Step 3 of 9 JUNOS Reject Long AS-paths policy-options { policy-statement bgp-import-policy { term no-long-paths { from as-path too-many-hops; then reject; as-path too-many-hops ".{100,"; Cisco route-policy BGP_FILTER_IN if as-path length ge 100 then drop endif end-policy

Step 4 of 9 1. Use maximum prefix to your advantage neighbor 194.68.123.127 { description "Facebook, Inc.

15 Step 4 of 9 1. Use maximum prefix to your advantage neighbor { description "Facebook, Inc."; import [ netnod-ix-in peering-in facebook-in ]; family inet { unicast { prefix-limit { maximum 114; teardown 80 idle-timeout 60; peer-as 32934;

16 Step 5 of 9 IRR-filtering Killing sessions leaking prefixes over IXPs

17 Step 5 of 9 IRR-filtering 1. Has inherit problems 2. Excessive filtering will most likely affect your routers in a negative way. 3. Still worth it

18 Step 5 of 9 IRR-filtering 1. Has inherit problems Not really authoritative data, many different sources of truth-ish and sometimes there is offending entries in various databases. RADB, RIPE, NTTCOM, AltDB, ARIN is examples of such IRR sources. Solutions is coming. For example having RPKI data drown out stale/conflicting IRR objects, clean out best-effort data with validated data etc. IRRd is getting updated ( to update the support and provide new functions for common IRR-aggregators such as rr.ntt.net and whois.radb.net. Most people adopting IRR-filtering today is using either of the public aggregators above.

19 Step 5 of 9 IRR-filtering 1. Excessive filtering will most likely affect your routers in a negative manner Big configurations is bad for routers (especially Junos with its RPD monolith) Heavy Regexp-operations is Heavy it turns out.

20 Step 5 of 9 IRR-filtering 1. Excessive filtering will most likely affect your routers in a negative manner

21 Step 5 of 9 IRR-filtering 1. Excessive filtering will most likely affect your routers in a negative manner hugge@nl-sar-re1> show configuration count Count: lines Commit time 2-6 minutes on 15.1F6-S10.11

22 Step 5 of 9 Definite must have to filter your customers, based on atleast IRR-Data. BGPQ3 is de-facto tool to generate filters with. hugge>bgpq3 -Jl bredbandskollen-in AS-BBK policy-options { replace: prefix-list bredbandskollen-in { /24; /24; hugge>bgpq3 -l bredbandskollen-in AS-BBK no ip prefix-list bredbandskollen-in ip prefix-list bredbandskollen-in permit /24 ip prefix-list bredbandskollen-in permit /24

23 Step 5 of 9 Definite must have to filter your customers, based on atleast IRR-Data. BGPQ3 is de-facto tool to generate filters with. hugge>bgpq3 -l comhem-in -f AS-COMHEM no ip as-path access-list comhem-in ip as-path access-list comhem-in permit ^39651(_39651)*$ ip as-path access-list comhem-in permit ^39651(_[0-9]+)*_( )$ hugge>bgpq3 -l comhem-in -Jf AS-COMHEM policy-options { replace: as-path-group comhem-in { as-path a0 "^39651(39651)*$"; as-path a1 "^39651(.)*( )$";

24 Step 5 of 9 Filter peers? Yes. Maybe, Hopefully sometimes. Atleast as-path mkay. Its getting better and easier (better methods of handling large controlplaneheavy-configs, multi-threaded processing, more aggregation, better regexpengines). Prefix filters extended Prefix filters non-extended hugge>bgpq3 -A AS-HURRICANE wc -l hugge>bgpq3 -JAE AS-HURRICANE wc -l hugge>bgpq3 AS-HURRICANE wc -l AS-path filters hugge>bgpq3 -l hurricane-in -f 6939 AS-HURRICANE wc -l 2892 hugge>bgpq3 -l hurricane-in -Jf 6939 AS-HURRICANE wc -l 1451

25 Step 5 of 9 Networker Committing a new 6939 peer with prefix-filters

Step 5 of 9 Seems complicated? Farm out the problems to the IXPs! Most IXPs today is doing IRR-filtering on the routeservers, free automation for the lazy. Consult peering.

26 Step 5 of 9 Seems complicated? Farm out the problems to the IXPs! Most IXPs today is doing IRR-filtering on the routeservers, free automation for the lazy. Consult peering.exposed for the latest updates. Some even do RPKI-validation for you. Routeservers has typically gone from a big NAY to a big YAY on global scale in recent years. And nowadays a route-server makes sense for almost anyone that peers with open or selective policys.

27 Step 6 of 9 Bragging time

28 Step 6 of 9 Congratulations Operator, you have at least fulfilled one pillar of the Routingmanifesto / MANRS Framework. Brag about it, put the logo on your website, put it in RFQ-material. Finish the next steps and become a full MANRS-member to join in on the fun to build a better Internet! 1. Prevent propagation of incorrect routing information. 2. Prevent traffic with spoofed source IP addresses. 3. Facilitate global operational communication and coordination between network operators. 4. Facilitate validation of routing information on a global scale.

29 Step 7 of 9 Do step 4 of MANRS concept. 4. Facilitate validation of routing information on a global scale. Make sure your organisation has knowledge, operational paradigms and the technical skills needed to care, update and follow up on the following objects. aut-num IRR Policy documentation route/route6 IRR NLRI/origin as-set IRR Customer cone ROA RPKI NLRI/origin Caring about your ROAs is important, with recent changes in networks with big borders in combination with changes in IRRd a ROA for your prefix is one of the most effective ways of signalling to others what your intention are. If you believe you have an important Internet resource, there is almost no excuses left to not register a ROA for it. Especially since its crazy easy in RIPE-region.

30 Step 8 of 9 Support modern ebgp border operational paradigms such as Graceful Shutdown. route-policy AS64497-ebgp-inbound if community matches-any (65535:0) then set local-preference 0 endif end-policy! router bgp neighbor 2001:db8:1:2::1 remote-as address-family ipv6 unicast send-community-ebgp route-policy AS64497-ebgp-inbound in!! hugge@se-tug-re0> show configuration policy-options policy-statement peering-in term draft-ietf-grow-bgp-gshut from community GRACEFUL_SHUTDOWN; then { local-preference add 0;

31 MODERNIZE YOUR BGP BORDER FUNCTIONS ACQUIRE CURRENCY

32 Step 9 of 9 RPKI

33 Step 9 of 9 Any network with important resources should make sure they have properly sized ROAs signed and published, to help other networks to filter traffic for you and optimise your chances of having your traffic coming to you, and not someone else.

34 Step 9 of 9 1. Validating ROAs from the RIR 2. Transport information to your BGP-border using RTR 3. Implement Origin Validation in your policys and drop invalids

Java NLNET-labs Routinator Up and running in 5 minutes with the packaged containers.

35 Step 9 of 9 Validator software RIPE-NCC RPKI Validator Toolkit Oldie, I have mostly encountered problems. Weird crashes and general hiccups. Java NLNET-labs Routinator Up and running in 5 minutes with the packaged containers. Not a single crash since day0 OpenBSD rpki-client(1) Currently WIP. Will most likely be a strong contender once finalized. (has received good sponsorships from IIS, SUNET, NETNOD)

36 Step 9 of 9 Talk RTR between router and Validator hugge@se-tug-re1> show validation session Session State Flaps Uptime #IPv4/IPv6 records Up 0 15w5d 21:09: /12076 {master hugge@se-tug-re1> show configuration routing-options validation group nordunet-rpki { session { port 8323; {master hugge@se-tug-re1>

37 Step 9 of 9 Implement a filter term rpki-invalids { from { protocol bgp; validation-database invalid; then { validation-state invalid; community add bgp-rpki-invalid; reject; term rpki-valids { from { protocol bgp; validation-database valid; then { validation-state valid; community add bgp-rpki-valid; next policy; term rpki-unknown { from { protocol bgp; validation-database unknown; then { validation-state unknown; community add bgp-rpki-unknown; next policy;

38 Step 9 of 9 RPKI just a fad? Can I just ignore it and it will go away?

39 Step 9 of 9 RPKI just a fad? Can I just ignore it and it will go away?

40 Step 9 of 9

41 Step 9 of 9 State of route-servers AMS-IX YYCIX DE-CIX NETNOD (almost done yes?) IXP-Manager based IXPs (very soon)

42 Step 9 of 9 But RPKI without path validation is it even worth doing it? Short Answer: Yes Long Answer: Meet me at the bar (i assume I am way over time at this point)

43 Step 9 of 9 Good sources!

44 DONE! Questions?

Improving performance through BGP Graceful Shutdown draft-ietf-grow-bgp-gshut

Improving performance through BGP Graceful Shutdown draft-ietf-grow-bgp-gshut Fredrik hugge Korsbäck hugge@nordu.net hugge@sunet.se Netnod Tech Meeting 2017 1 What is BGP Graceful Shutdown? A simple procedure