CNT 5410 - Computer and Network Security: BGP Security Professor Kevin Butler Fall 2015
Internet inter-as routing: BGP BGP (Border Gateway Protocol): the de facto standard BGP provides each AS a means to: ebgp: Obtain subnet reachability information from neighboring Autonomous Systems (ASes). ibgp: Propagate reachability information to all AS-internal routers. Determine good routes to subnets based on reachability information and policy. allows subnet to advertise its existence to rest of Internet: I am here 2
BGP basics BGP session: two BGP routers ( peers ) exchange BGP messages: advertising paths to different destination network prefixes ( path vector protocol) exchanged over semi-permanent TCP connections When AS3 advertises a prefix to AS1: AS3 promises it will forward datagrams towards that prefix AS3 can aggregate prefixes in its advertisement other networks 3b 3a AS3 1a AS1 1c 1d ebgp session ibgp session 1b 2a AS2 2c 2b other networks 3
Prefix? How do routers advertise sets of IP addresses? Having a full list of all addresses that can be reached through is wasteful - think of the memory usage? We instead rely on address aggregations: 192.168.1.0 192.168.1.0/24 192.168.1.1 192.168.1.255 192.168.0.0/16 4
Distributing reachability info Using an ebgp session between 3a and 1c, AS3 sends prefix reachability info to AS1. 1c can then use ibgp to distribute this new prefix reach info to all routers in AS1 1b can then re-advertise new reachability info to AS2 over 1bto-2a ebgp session When router learns of new prefix, creates entry for prefix in its forwarding table. other networks 3b 3a AS3 1a AS1 1c 1d ebgp session ibgp session 1b 2a AS2 2c 2b other networks 5
Path attributes & BGP routes When advertising a prefix, advert includes BGP attributes. prefix + attributes = route Two important attributes: AS-PATH: contains ASs through which prefix advertisement has passed: AS 67 AS 17 NEXT-HOP: Indicates specific internal-as router to next-hop AS. (There may be multiple links from current AS to next-hop-as.) When gateway router receives route advertisement, uses import policy to accept/decline. e.g., never route through AS x policy-based routing 6
BGP route selection Router may learn about more than 1 route to some prefix. Router must select route. Elimination rules: Local preference value attribute: policy decision Shortest AS-PATH Closest NEXT-HOP router: hot potato routing Additional criteria 7
BGP messages BGP messages exchanged using TCP. BGP messages: OPEN: opens TCP connection to peer and authenticates sender UPDATE: advertises new path (or withdraws old) KEEPALIVE keeps connection alive in absence of UPDATES; also ACKs OPEN request NOTIFICATION: reports errors in previous msg; also used to close connection 8
BGP routing policy B 1 A 2 C 3 A,B,C are provider networks. 1,2,3 are customer (of provider networks) 2 is multi-homed: attached to two networks 2 does not want to route from B via 2 to C... so 2 will not advertise to B a route to C 9
BGP routing policy (2) B 1 A 2 C 3 A advertises to B the path A1 B advertises to 2 the path BA1 Should B advertise to C the path BA1? No way! 2 gets no revenue for routing 2BA1 since neither 1 nor C are B s customers B wants to force C to route to 1 via A B wants to route only to/from its customers! 10
BGP Security Core Problem? BGP has absolutely no authentication, so anyone between two routers can inject traffic anyone can claim any path anyone can claim that they are any origin. How does this compare to the security issues we just discussed in DNS? 11
BGP Misconfiguration There are numerous examples of BGP misconfigurations that have lead to wide-spread traffic outages: AS 7007 (1997) Con Edison (2006) Pakistan Telecom (2008) These incidents are all confirmed to have been accidental. 12
BGP Misconfiguration? November 2013 13
Protecting Sessions BGP Nodes use TCP connections to communicate. What sorts of attacks are they susceptible to? Solutions: TTL Security MD5 Digests IPsec 14
IPsec and the IP protocol stack IPsec puts the two main protocols in between IP and the other protocols HTTP TCP FTP SMTP UDP AH - authentication header AH ESP ESP - encapsulating security payload IP Tunnel vs. transport? Key management/authentication Policy Other function provided by external protocols and architectures 15
Practical Issues and Limitations IPsec implementations Large footprint resource poor devices are in trouble New standards to simplify (e.g, JFK, IKE2) Slow to adopt new technologies Issues IPsec tries to be everything for everybody at all times Massive, complicated, and unwieldy Policy infrastructure has not emerged Large-scale management tools are limited (e.g., CISCO) Often not used securely (common pre-shared keys) 16
Defensive Filtering Prevent bad routing updates through careful consideration of new advertisements. CIDR report (for bogons/martians ) Routing Registries Filter small subnets Prefix number limitations Limitations? Such filtering can only remove updates that are obviously bad, and will miss subtle issues/attacks 17
S-BGP First comprehensive solution specifically targeting BGP. Relies on a PKI for distributing certificates to all ASes Origins (address ranges) are signed and distributed out-of-band. Routes are attested by each AS signing the BGP UPDATE message Pro: Comprehensive! Con: Heavyweight, slow! 18
and More S-BGP is probably too heavyweight to actually deploy. So-BGP allows configurable tradeoffs between security and overhead. IRV creates a central repository for validating routing updates. Others explore techniques such as signature amortization and efficient data structures to solve S- BGPs deployment problems. Current status: No strong BGP security solution is deployed 19
Detection Mechanisms Multiple Origin AS (MOAS) detection looks for origins that are incorrectly advertised by multiple parties. Prefix Hijacking Alert System (PHAS) requires a prefix owner to be notified and approve changes. Pretty Good BGP (PGBGP) relies on historical data to determine which changes can be considered normal. 20
Importance Without BGP, the Internet simply does not exist. Networks are simply isolated islands. If large-scale routing attacks occur, it may be a VERY long time before traffic becomes routable again. Bellovin argues that the Internet may actually NEVER come back up. Deploying some secure inter-domain routing system will be the next great challenge in Internet security. 21