CNT Computer and Network Security: BGP Security


CNT 5410 - Computer and Network Security: BGP Security
Professor Kevin Butler, Fall 2015

Internet inter-AS routing: BGP
BGP (Border Gateway Protocol) is the de facto standard for inter-AS routing. BGP gives each AS a means to:
eBGP: obtain subnet reachability information from neighboring autonomous systems (ASes).
iBGP: propagate that reachability information to all routers inside the AS.
Determine good routes to subnets based on the reachability information and on policy.
It also allows a subnet to advertise its existence to the rest of the Internet: "I am here."

BGP basics
A BGP session is a pair of BGP routers (peers) exchanging BGP messages over a semi-permanent TCP connection. The messages advertise paths to destination network prefixes, which makes BGP a path-vector protocol.
When AS3 advertises a prefix to AS1, AS3 promises it will forward datagrams towards that prefix. AS3 can aggregate prefixes in its advertisement.
(Figure: AS1 with routers 1a, 1b, 1c, 1d; AS2 with 2a, 2b, 2c; AS3 with 3a, 3b; eBGP sessions 3a-1c and 1b-2a, iBGP sessions inside each AS, "other networks" beyond AS2 and AS3.)

Prefix?
How do routers advertise sets of IP addresses? Carrying a full list of every address reachable through a router would be wasteful (think of the memory usage), so BGP relies on address aggregation into prefixes: 192.168.1.0/24 covers the 256 addresses 192.168.1.0 through 192.168.1.255, and 192.168.0.0/16 covers the 65,536 addresses 192.168.0.0 through 192.168.255.255.

Distributing reachability info
Using the eBGP session between 3a and 1c, AS3 sends prefix reachability information to AS1. 1c then uses iBGP to distribute the new prefix reachability information to all routers in AS1. 1b can then re-advertise the new reachability information to AS2 over the 1b-to-2a eBGP session. When a router learns of a new prefix, it creates an entry for the prefix in its forwarding table.
(Same figure as the previous slide.)

Path attributes & BGP routes
When advertising a prefix, the advertisement includes BGP attributes; prefix + attributes = route. Two important attributes:
AS-PATH: the ASes through which the prefix advertisement has passed, e.g. AS 67, AS 17.
NEXT-HOP: the router interface that begins the AS-PATH, i.e. the specific entry point into the next-hop AS (there may be multiple links from the current AS to the next-hop AS).
When a gateway router receives a route advertisement, it uses an import policy to accept or decline it, e.g. "never route through AS x": policy-based routing.

BGP route selection
A router may learn about more than one route to some prefix and must select one. Elimination rules, applied in order:
1. Local preference value attribute (a policy decision).
2. Shortest AS-PATH.
3. Closest NEXT-HOP router (hot-potato routing).
4. Additional criteria.

BGP messages
BGP messages are exchanged over TCP:
OPEN: sent once the TCP connection to the peer is up; identifies and authenticates the sender.
UPDATE: advertises a new path (or withdraws an old one).
KEEPALIVE: keeps the connection alive in the absence of UPDATEs; also acknowledges the OPEN request.
NOTIFICATION: reports errors in the previous message; also used to close the connection.

BGP routing policy
(Figure: provider networks A, B, C and customer networks 1, 2, 3; 2 is attached to both B and C.)
A, B and C are provider networks; 1, 2 and 3 are customers of the provider networks. 2 is multi-homed: it is attached to two providers, B and C. 2 does not want to carry traffic from B via 2 to C, so 2 will not advertise to B a route to C.

BGP routing policy (2)
A advertises to B the path A1. B advertises to 2 the path BA1. Should B advertise to C the path BA1? No way! B gets no revenue for routing CBA1, since neither C nor 1 is B's customer. B wants to force C to route to 1 via A: B wants to route only to and from its customers.
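The route-selection rules and the customer/provider export policy from the last few slides, as an added example (not from the lecture slides): a minimal model of a BGP speaker that picks a best route by local preference, then AS-PATH length, then hot potato, and then decides which neighbours may hear it. The provider/customer scenario, prefixes, next-hop addresses and IGP costs are constructed for illustration.

```python
"""Added example (not from the slides): BGP route selection and export policy
on constructed routes. 'learned_from' is our business relationship to the
neighbour that sent the route; names A, B, C, 1, 2, 3 follow the slides."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple          # from the advertising neighbour to the origin, e.g. ("B", "A", "1")
    next_hop: str           # NEXT-HOP router address in the neighbouring AS
    learned_from: str       # "customer", "peer" or "provider"
    local_pref: int = 100   # LOCAL_PREF assigned by import policy
    igp_cost: int = 0       # this router's IGP distance to next_hop (hot potato)


def select_best(routes):
    """Slide's elimination rules in order: highest LOCAL_PREF, shortest
    AS-PATH, closest NEXT-HOP (lowest IGP cost). A deterministic tie-break on
    the next-hop address stands in for the 'additional criteria'."""
    if not routes:
        return None
    return min(routes, key=lambda r: (-r.local_pref, len(r.as_path), r.igp_cost, r.next_hop))


def export_allowed(route, neighbor_relationship):
    """Revenue-driven export policy from the slides: routes learned from a
    customer are advertised to everyone; routes learned from a peer or a
    provider are advertised only to customers, so we never give free transit."""
    if route.learned_from == "customer":
        return True
    return neighbor_relationship == "customer"


def demo():
    # Provider B hears A1 from its peer A (constructed prefix/next hop).
    at_b = Route("10.1.0.0/16", ("A", "1"), "192.0.2.1", "peer")
    # Customer 2 hears the same prefix from both of its providers B and C.
    at_2 = [
        Route("10.1.0.0/16", ("B", "A", "1"), "192.0.2.10", "provider", igp_cost=10),
        Route("10.1.0.0/16", ("C", "A", "1"), "192.0.2.20", "provider", igp_cost=5),
    ]
    # Same, but import policy gave the B route a higher LOCAL_PREF.
    preferred = at_2 + [Route("10.1.0.0/16", ("B", "A", "1"), "192.0.2.10",
                              "provider", local_pref=200, igp_cost=10)]
    # A route to customer 3 that 2 learned from its provider C.
    at_2_to_3 = Route("10.3.0.0/16", ("C", "3"), "192.0.2.20", "provider")
    return {
        "B_exports_BA1_to_2": export_allowed(at_b, "customer"),   # 2 is B's customer
        "B_exports_BA1_to_C": export_allowed(at_b, "peer"),       # C is not
        "2_hot_potato_next_hop": select_best(at_2).next_hop,      # cheaper IGP path wins
        "2_local_pref_wins": select_best(preferred).next_hop,     # policy beats hot potato
        "2_exports_C_route_to_B": export_allowed(at_2_to_3, "provider"),  # no free transit
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order of the sort key is the whole decision process: LOCAL_PREF dominates, so a single import-policy knob can override both path length and hot-potato behaviour, which is exactly why policy, not topology, decides what the Internet's forwarding paths look like.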

BGP Security: Core Problem?
BGP itself has no authentication of routing information: anyone between two routers can inject messages into the session, anyone can claim any path, and anyone can claim to be any origin. How does this compare to the security issues we just discussed in DNS?

BGP Misconfiguration
There are numerous examples of BGP misconfigurations that have led to wide-spread traffic outages: AS 7007 (1997), Con Edison (2006), Pakistan Telecom (2008). These incidents are all confirmed to have been accidental.

BGP Misconfiguration?
November 2013

Protecting Sessions
BGP routers use TCP connections to communicate. What sorts of attacks are they susceptible to? Solutions: TTL security (GTSM, RFC 5082), MD5 digests (the TCP MD5 signature option, RFC 2385), IPsec.
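The first two session-protection mechanisms on the slide, as an added example (not from the lecture slides): a GTSM-style TTL check, and the RFC 2385 TCP MD5 signature computed and verified over a constructed TCP segment carrying a BGP KEEPALIVE. The addresses, ports, sequence numbers and shared key are constructed; the pseudo-header/fixed-header/data/key layout follows RFC 2385 section 2, with the checksum field zeroed while hashing.

```python
"""Added example (not from the slides): GTSM TTL check and RFC 2385 TCP MD5
signature on a constructed segment. Real stacks do this in the kernel; the
point here is what is covered by the digest and what a forgery changes."""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
TCP_MD5_KIND = 19
TCP_MD5_LEN = 18          # kind(1) + length(1) + 16-byte MD5 digest
BGP_PORT = 179


def gtsm_accept(ip_ttl, max_hops=1):
    """GTSM: peer sends with TTL 255; accept only if the TTL is consistent with
    a sender at most max_hops away (the usual 'ttl-security hops N' semantic)."""
    return 256 - max_hops <= ip_ttl <= 255


def _pseudo_header(src_ip, dst_ip, segment_len):
    # source IP, destination IP, zero, protocol, full TCP segment length
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, TCP_PROTO, segment_len))


def tcp_md5_digest(src_ip, dst_ip, fixed_hdr, options_len, payload, key):
    """RFC 2385: MD5(pseudo-header || 20-byte TCP header with checksum=0 ||
    data || key). Options are NOT hashed, but the pseudo-header length counts them."""
    hdr_zero_csum = fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:]
    segment_len = len(fixed_hdr) + options_len + len(payload)
    m = hashlib.md5()
    m.update(_pseudo_header(src_ip, dst_ip, segment_len))
    m.update(hdr_zero_csum)
    m.update(payload)
    m.update(key)
    return m.digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, key):
    """20-byte fixed header + 20 bytes of options (MD5 option + 2 bytes EOL
    padding) + payload. The TCP checksum is left at 0 in this example."""
    options_len = 20
    data_offset = (20 + options_len) // 4            # header length in 32-bit words
    flags = 0x18                                     # PSH|ACK
    fixed_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                            data_offset << 4, flags, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed_hdr, options_len, payload, key)
    options = struct.pack("!BB", TCP_MD5_KIND, TCP_MD5_LEN) + digest + b"\x00\x00"
    return fixed_hdr + options + payload


def verify_signed_segment(src_ip, dst_ip, segment, key):
    """Receiver: find option kind 19, recompute the digest, compare in constant time."""
    fixed_hdr = segment[:20]
    data_offset = (fixed_hdr[12] >> 4) * 4
    options = segment[20:data_offset]
    payload = segment[data_offset:]
    received, i = None, 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                                # EOL
            break
        if kind == 1:                                # NOP
            i += 1
            continue
        length = options[i + 1] if i + 1 < len(options) else 0
        if length < 2:
            return False                             # malformed option list
        if kind == TCP_MD5_KIND and length == TCP_MD5_LEN:
            received = options[i + 2:i + TCP_MD5_LEN]
        i += length
    if received is None:
        return False                                 # unsigned segment on a signed session
    expected = tcp_md5_digest(src_ip, dst_ip, fixed_hdr, len(options), payload, key)
    return hmac.compare_digest(received, expected)


def demo():
    key = b"constructed-session-key"                          # constructed shared secret
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)      # BGP KEEPALIVE: marker, length 19, type 4
    src, dst = "192.0.2.1", "192.0.2.2"
    seg = build_signed_segment(src, dst, 40000, BGP_PORT, 1000, 2000, keepalive, key)
    tampered = seg[:-1] + bytes([seg[-1] ^ 0x01])             # attacker flips a payload bit
    return {
        "genuine_ok": verify_signed_segment(src, dst, seg, key),
        "tampered_ok": verify_signed_segment(src, dst, tampered, key),
        "wrong_key_ok": verify_signed_segment(src, dst, seg, b"guess"),
        "spoofed_src_ok": verify_signed_segment("198.51.100.9", dst, seg, key),
        "ttl_adjacent_ok": gtsm_accept(255),
        "ttl_remote_ok": gtsm_accept(250),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind: MD5 is a weak hash and RFC 2385 has no key rollover, which is why RFC 5925 (TCP-AO) was designed to replace it, and GTSM only defends against attackers who are not within the configured hop radius. Neither mechanism says anything about whether the routes carried inside the protected session are correct; that is the job of the mechanisms on the later slides.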

IPsec and the IP protocol stack
IPsec puts its two main protocols between IP and the transport protocols: AH (authentication header) and ESP (encapsulating security payload).
(Figure: HTTP, FTP, SMTP over TCP/UDP, over AH/ESP, over IP.)
Tunnel vs. transport mode? Key management/authentication, policy and other functions are provided by external protocols and architectures.

Practical Issues and Limitations
IPsec implementations have a large footprint, so resource-poor devices are in trouble. Newer standards try to simplify (e.g., JFK, IKEv2), but adoption of new technologies is slow.
Issues: IPsec tries to be everything for everybody at all times, which makes it massive, complicated and unwieldy. A policy infrastructure has not emerged. Large-scale management tools are limited (e.g., Cisco). It is often not used securely (common pre-shared keys).

Defensive Filtering
Prevent bad routing updates through careful consideration of new advertisements: the CIDR report (for bogons/martians), routing registries, filtering small subnets, and limits on the number of prefixes a peer may announce.
Limitations? Such filtering can only remove updates that are obviously bad; it will miss subtle issues and attacks.
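The filtering slide above, as an added example (not from the lecture slides): an eBGP inbound filter that applies the four checks the slide lists (bogon/martian list, routing-registry origin check, maximum prefix length, per-peer prefix limit) to a constructed stream of updates, and then shows the slide's limitation: an update whose prefix and origin AS are both forged to look legitimate passes every check. The bogon list is a short constructed subset, the registry is a constructed stand-in for IRR route objects, and the ASNs and prefixes are constructed.

```python
"""Added example (not from the slides): defensive prefix filtering over
constructed UPDATE records of the form (peer_as, origin_as, prefix)."""
import ipaddress

# Constructed subset of IPv4 bogons/martians (RFC 1918, documentation ranges,
# loopback, link-local, multicast/reserved). A real filter uses a full, current list.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/3",
)]
MAX_PREFIX_LEN = 24          # "filter small subnets": nothing longer than a /24
MAX_PREFIXES_PER_PEER = 3    # deliberately tiny so the example trips it

# Constructed stand-in for routing-registry route objects: network -> authorised origins.
ROUTE_REGISTRY = {ipaddress.ip_network("45.10.0.0/16"): {64500}}


def registry_origins(net):
    """Authorised origin set from the most specific covering route object, or None."""
    covering = [reg for reg in ROUTE_REGISTRY if net.subnet_of(reg)]
    if not covering:
        return None
    return ROUTE_REGISTRY[max(covering, key=lambda r: r.prefixlen)]


def check_update(peer_as, origin_as, prefix, peer_prefix_counts):
    """Return (accepted, reason). peer_prefix_counts is mutated to enforce max-prefix."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    if net.prefixlen == 0:
        return False, "default route not accepted from eBGP peer"
    if any(net.overlaps(b) for b in BOGONS):           # also catches a /7 that swallows 10/8
        return False, "bogon/martian"
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, f"more specific than /{MAX_PREFIX_LEN}"
    allowed = registry_origins(net)
    if allowed is None:
        return False, "no route object in registry"
    if origin_as not in allowed:
        return False, f"origin AS{origin_as} not authorised by registry"
    n = peer_prefix_counts.get(peer_as, 0) + 1
    peer_prefix_counts[peer_as] = n
    if n > MAX_PREFIXES_PER_PEER:
        return False, "max-prefix limit exceeded (session would be reset)"
    return True, "accepted"


def filter_updates(updates):
    counts = {}
    return [(prefix, *check_update(peer, origin, prefix, counts))
            for peer, origin, prefix in updates]


# Constructed sample updates: (peer_as, origin_as, prefix)
SAMPLE_UPDATES = [
    (64500, 64500, "45.10.0.0/16"),   # legitimate
    (64500, 64500, "10.1.2.0/24"),    # RFC 1918 space -> bogon
    (64500, 64500, "45.10.4.0/25"),   # longer than /24
    (64500, 64500, "0.0.0.0/0"),      # default route
    (64500, 64501, "45.10.8.0/22"),   # registry authorises 64500 only
    (64500, 64500, "45.11.0.0/16"),   # no route object at all
    (64500, 64500, "45.10.12.0/22"),  # legitimate (2nd accepted from this peer)
    (64500, 64500, "45.10.16.0/22"),  # legitimate (3rd)
    (64500, 64500, "45.10.20.0/22"),  # 4th -> max-prefix tripped
    (64502, 64500, "45.10.0.0/16"),   # another peer forging origin 64500: passes everything
]

if __name__ == "__main__":
    for prefix, ok, reason in filter_updates(SAMPLE_UPDATES):
        print(f"{prefix:18} {'ACCEPT' if ok else 'REJECT':6} {reason}")
```

The last record is the slide's "limitations" point in one line: a peer that announces the right prefix with the right origin ASN prepended to a fake path is indistinguishable, to a filter, from the real thing. Only cryptographic attestation of origin and path (the S-BGP slides that follow) can tell them apart.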

S-BGP
The first comprehensive solution specifically targeting BGP. It relies on a PKI for distributing certificates to all ASes. Origins (address ranges) are signed and distributed out of band. Routes are attested by each AS signing the BGP UPDATE message.
Pro: comprehensive! Con: heavyweight, slow!
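The S-BGP design on the slide, as an added example (not from the lecture slides or the S-BGP specification): the structure of its two attestation types and the validation walk a receiving AS performs. HMAC-SHA256 under a per-AS key stands in for the public-key signatures, and two key tables stand in for the PKI (AS certificates and address-holder certificates); everything else, including the ASNs and the prefix, is constructed. What the example shows is why each AS signs the path so far together with the neighbour it hands the route to: that is what lets the receiver reject a forged origin, a stripped AS, or an UPDATE replayed to a neighbour it was never sent to.

```python
"""Added example (not from the slides): S-BGP-style address and route
attestations with HMAC as a stand-in for signatures and dicts as a stand-in
for the PKI. Constructed ASNs 64500-64502 (honest) and 64666 (attacker)."""
import hashlib
import hmac
import json

# Stand-in for AS certificates: ASN -> signing key known to the validator.
AS_KEYS = {64500: b"key-AS64500", 64501: b"key-AS64501",
           64502: b"key-AS64502", 64666: b"key-AS64666"}
# Stand-in for address-holder certificates: prefix -> the holder's key.
ADDRESS_HOLDER_KEYS = {"45.10.0.0/16": b"key-holder-of-45.10.0.0-16"}


def _sign(key, obj):
    """Stand-in signature: HMAC-SHA256 over a canonical JSON encoding."""
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def address_attestation(prefix, origin_as, holder_key):
    """Address attestation: the prefix holder authorises origin_as to originate prefix."""
    return {"prefix": prefix, "origin": origin_as,
            "sig": _sign(holder_key, ["AA", prefix, origin_as])}


def route_attestation(signer_as, prefix, path_so_far, next_as):
    """Route attestation: signer vouches for the path so far AND names the
    neighbour it sends the route to, so that neighbour cannot replay it elsewhere."""
    return {"as": signer_as, "sig": _sign(AS_KEYS[signer_as], ["RA", prefix, path_so_far, next_as])}


def originate(prefix, origin_as, holder_key, next_as):
    path = [origin_as]
    return {"prefix": prefix, "path": path,
            "addr_att": address_attestation(prefix, origin_as, holder_key),
            "route_atts": [route_attestation(origin_as, prefix, path, next_as)]}


def forward(update, my_as, next_as):
    """Append ourselves to the path and add our attestation for the next neighbour."""
    path = update["path"] + [my_as]
    return {"prefix": update["prefix"], "path": path, "addr_att": update["addr_att"],
            "route_atts": update["route_atts"]
            + [route_attestation(my_as, update["prefix"], path, next_as)]}


def validate(update, receiver_as):
    prefix, path, atts = update["prefix"], update["path"], update["route_atts"]
    # 1. Origin check against the address attestation.
    holder_key = ADDRESS_HOLDER_KEYS.get(prefix)
    aa = update["addr_att"]
    if (holder_key is None or aa["origin"] != path[0]
            or not hmac.compare_digest(aa["sig"], _sign(holder_key, ["AA", prefix, path[0]]))):
        return False, f"AS{path[0]} is not an authorised origin for {prefix}"
    # 2. One attestation per AS in the path; the i-th covers path[:i+1] and the next hop.
    if len(atts) != len(path):
        return False, "attestation count does not match AS_PATH length"
    for i, (asn, att) in enumerate(zip(path, atts)):
        expected_next = path[i + 1] if i + 1 < len(path) else receiver_as
        key = AS_KEYS.get(asn)
        if att["as"] != asn or key is None:
            return False, f"missing certificate/attestation for AS{asn}"
        if not hmac.compare_digest(att["sig"], _sign(key, ["RA", prefix, path[:i + 1], expected_next])):
            return False, f"attestation from AS{asn} does not cover this path and neighbour"
    return True, "valid"


def demo():
    prefix = "45.10.0.0/16"
    holder = ADDRESS_HOLDER_KEYS[prefix]
    to_501 = originate(prefix, 64500, holder, next_as=64501)      # 64500 -> 64501
    to_666 = originate(prefix, 64500, holder, next_as=64666)      # 64500 -> 64666
    legit = forward(to_501, 64501, next_as=64502)                 # 64501 -> 64502
    # Attack: 64666 claims to originate the prefix, signing the AA with its own key.
    forged_origin = originate(prefix, 64666, AS_KEYS[64666], next_as=64502)
    # Attack: 64666 replays what 64500 sent it to 64502 without adding itself.
    replayed = to_666
    # Attack: 64666 strips 64501 from the legit update to look one hop from the origin.
    shortened = {"prefix": prefix, "path": [64500], "addr_att": legit["addr_att"],
                 "route_atts": legit["route_atts"][:1]}
    return {
        "legit": validate(legit, 64502)[0],
        "forged_origin": validate(forged_origin, 64502)[0],
        "replayed_to_wrong_neighbour": validate(replayed, 64502)[0],
        "path_shortened": validate(shortened, 64502)[0],
        "legit_via_64666": validate(forward(to_666, 64666, next_as=64502), 64502)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The cost the slide calls "heavyweight" is visible in the structure: every UPDATE carries one signature per AS on the path and every validator verifies all of them, and an AS that prepends itself to many paths signs once per neighbour per prefix. The HMAC stand-in hides another cost, certificate distribution and revocation, that a real PKI adds.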

...and more
S-BGP is probably too heavyweight to actually deploy. soBGP allows configurable trade-offs between security and overhead. IRV creates a central repository for validating routing updates. Others explore techniques such as signature amortization and efficient data structures to solve S-BGP's deployment problems.
Current status (as of this 2015 lecture): no strong BGP security solution is deployed.

Detection Mechanisms
Multiple Origin AS (MOAS) detection looks for prefixes that are advertised as originating from more than one AS.
Prefix Hijacking Alert System (PHAS) notifies a prefix owner of changes to its prefix's origin and requires the owner to approve them.
Pretty Good BGP (PGBGP) relies on historical data to determine which changes can be considered normal.
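The MOAS and PGBGP ideas on the slide, as an added example (not from the lecture slides or the PGBGP paper): a monitor that raises a MOAS alert when a prefix is seen with a second origin, and that treats an origin with no recent history as suspicious (to be depreferenced) for a quarantine period instead of rejecting it, so a legitimate renumbering still converges while a hijack does not win immediately. The 10-day history window and 24-hour quarantine are this example's parameters, and the prefix, ASNs and timestamps are constructed.

```python
"""Added example (not from the slides): MOAS detection plus PGBGP-style
quarantine of unfamiliar origins, over a constructed observation stream.
Timestamps are seconds since an arbitrary epoch."""
from collections import defaultdict

DAY = 86400
HISTORY_WINDOW = 10 * DAY   # an origin unseen for this long is forgotten again
QUARANTINE = 24 * 3600      # new origins are "suspicious" (depreferenced) this long


class OriginMonitor:
    def __init__(self):
        self.first_seen = {}                  # (prefix, origin) -> time first observed
        self.last_seen = defaultdict(dict)    # prefix -> {origin: time last observed}
        self.moas_alerts = []                 # (time, prefix, sorted origins)
        self._alerted = set()                 # (prefix, frozenset(origins)) already reported

    def observe(self, t, prefix, origin):
        """Record an origin observation; return 'known' or 'suspicious'.
        A 'suspicious' route should be depreferenced, not dropped: if a
        known-origin route exists it wins, otherwise the suspicious one is used."""
        origins = self.last_seen[prefix]
        # Age out origins that fell outside the history window.
        for o, ts in list(origins.items()):
            if t - ts > HISTORY_WINDOW:
                del origins[o]
                self.first_seen.pop((prefix, o), None)
        # MOAS: more than one origin for the prefix inside the window.
        current = set(origins) | {origin}
        if len(current) > 1 and (prefix, frozenset(current)) not in self._alerted:
            self._alerted.add((prefix, frozenset(current)))
            self.moas_alerts.append((t, prefix, sorted(current)))
        # PGBGP-style: an origin is trusted only once it has survived the quarantine.
        # (Real deployments seed the history before enforcing; the first ever
        # observation here is treated as suspicious for simplicity.)
        first = self.first_seen.setdefault((prefix, origin), t)
        origins[origin] = t
        return "suspicious" if t - first < QUARANTINE else "known"


def demo():
    prefix = "45.10.0.0/16"                     # constructed
    observations = [                            # (time, prefix, origin AS), constructed
        (0 * DAY, prefix, 64500),               # first sighting, no history -> suspicious
        (2 * DAY, prefix, 64500),               # survived quarantine -> known
        (9 * DAY, prefix, 64500),               # known
        (10 * DAY + 3600, prefix, 64666),       # second origin appears -> MOAS alert, suspicious
        (10 * DAY + 7200, prefix, 64666),       # still inside its 24 h quarantine
        (11 * DAY, prefix, 64500),              # legitimate origin remains known (and preferred)
        (12 * DAY, prefix, 64666),              # quarantine over: a persistent hijack now looks normal
    ]
    mon = OriginMonitor()
    statuses = [mon.observe(t, p, o) for t, p, o in observations]
    return statuses, mon.moas_alerts


if __name__ == "__main__":
    statuses, alerts = demo()
    for s in statuses:
        print(s)
    print("MOAS alerts:", alerts)
```

The last observation is the honest caveat of history-based detection: it buys operators a window (here 24 hours) in which a MOAS alert can be investigated while the suspicious route is depreferenced, but an attacker who sustains the announcement past the quarantine becomes part of the "normal" history. Detection tells you something changed; it cannot say who is right, which is what the attestation-based designs on the earlier slides try to answer.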

Importance
Without BGP, the Internet simply does not exist: networks are isolated islands. If large-scale routing attacks occur, it may be a VERY long time before traffic becomes routable again; Bellovin argues that the Internet may actually NEVER come back up. Deploying some secure inter-domain routing system will be the next great challenge in Internet security.