R&E ROUTING SECURITY BEST PRACTICES. Grover Browning Karl Newell

Similar documents
Chapter 17 BGP4 Commands

BGP Route Reflector Commands

Remember Extension Headers?

Border Gateway Protocol - BGP

BGP Edge Security for Dummies. Layer , 2603, and others

ACI Transit Routing, Route Peering, and EIGRP Support

Configuring Advanced BGP

Operation Manual BGP. Table of Contents

Connecting to a Service Provider Using External BGP

Configuring basic MBGP

IPv4/IPv6 BGP Routing Workshop. Organized by:

Configuring BGP. Cisco s BGP Implementation

Configuring BGP community 43 Configuring a BGP route reflector 44 Configuring a BGP confederation 44 Configuring BGP GR 45 Enabling Guard route

Multihoming Techniques. bdnog8 May 4 8, 2018 Jashore, Bangladesh.

BGP Attributes and Path Selection

An Operational Perspective on BGP Security. Geoff Huston February 2005

BraindumpStudy. BraindumpStudy Exam Dumps, High Pass Rate!

BGP Routing and BGP Policy. BGP Routing. Agenda. BGP Routing Information Base. L47 - BGP Routing. L47 - BGP Routing

Module 6 Implementing BGP

BGP Attributes and Policy Control

Introduction. Keith Barker, CCIE #6783. YouTube - Keith6783.

Protecting an EBGP peer when memory usage reaches level 2 threshold 66 Configuring a large-scale BGP network 67 Configuring BGP community 67

Robust Routing Policy Architecture. Job Snijders NTT Communications

Configuration prerequisites 45 Configuring BGP community 45 Configuring a BGP route reflector 46 Configuring a BGP confederation 46 Configuring BGP

BGP can also be used for carrying routing information for IPv6 prefix over IPv6 networks.

BGP Support for Next-Hop Address Tracking

Multihoming with BGP and NAT

Chapter 13 Configuring BGP4

Configuring a BGP Route Server

Enhanced Feasible-Path Unicast Reverse Path Filtering draft-sriram-opsec-urpf-improvements-01

BGP Attributes and Policy Control

Table of Contents 1 MBGP Configuration 1-1

BGP Attributes and Policy Control

Basic IP Routing. Finding Feature Information. Information About Basic IP Routing. Variable-Length Subnet Masks

IPv6 Module 16 An IPv6 Internet Exchange Point

Junos OS Multiple Instances for Label Distribution Protocol Feature Guide Release 11.4 Published: Copyright 2011, Juniper Networks, Inc.

Module 16 An Internet Exchange Point

2016/01/17 04:05 1/19 Basic BGP Lab

Vendor: Alcatel-Lucent. Exam Code: 4A Exam Name: Alcatel-Lucent Border Gateway Protocol. Version: Demo

LACNIC XIII. Using BGP for Traffic Engineering in an ISP

InterAS Option B. Information About InterAS. InterAS and ASBR

BGP Part-1.

Basic IP Routing. Finding Feature Information. Information About Basic IP Routing. Variable-Length Subnet Masks

Service Provider Multihoming

FiberstoreOS BGP Command Line Reference

APNIC elearning: BGP Basics. 30 September :00 PM AEST Brisbane (UTC+10) Revision: 2.0

Introduction to BGP. ISP Workshops. Last updated 30 October 2013

Connecting to a Service Provider Using External BGP

BGP Commands: M through N

Contents. BGP commands 1

Configuration Commands. Generic Commands. shutdown BGP XRS Routing Protocols Guide Page 731. Syntax [no] shutdown

MPLS VPN--Inter-AS Option AB

Contents. Configuring MSDP 1

Routing and router security in an operator environment

Security in inter-domain routing

IOS Implementation of the ibgp PE CE Feature

BGP Commands. Network Protocols Command Reference, Part 1 P1R-355

BGP and the Internet

BGP made easy. John van Oppen Spectrum Networks / AS11404

Service Provider Multihoming

Configuring BGP on Cisco Routers Volume 1

LARGE SCALE IP ROUTING

BGP101. Howard C. Berkowitz. (703)

BGP Commands. Network Protocols Command Reference, Part 1 P1R-355

MPLS VPN Inter-AS Option AB

An introduction to BGP security

Routing Control at Peering Points. HKNOG 0.1 Raphael Ho

BGP Configuration for a Transit ISP

BGP Event-Based VPN Import

Brocade 5600 vrouter Routing Policies Configuration Guide

Configuring MSDP. Overview. How MSDP operates. MSDP peers

Table of Contents. BGP Configuration 1

Implementing BGP. BGP Functional Overview. Border Gateway Protocol (BGP) is an Exterior Gateway Protocol (EGP) that allows you to create loop-free

Operation Manual IPv4 Routing H3C S3610&S5510 Series Ethernet Switches. Table of Contents

Chapter 21 RIP Configuration Guidelines

I Commands. Send comments to

Brocade Vyatta Network OS Routing Policies Configuration Guide, 5.2R1

Router and ACL ACL Filter traffic ACL: The Three Ps One ACL per protocol One ACL per direction One ACL per interface

Example: Conditionally Generating Static Routes

Preventing Traffic with Spoofed Source IP Addresses in MikroTik

BGP Graceful Shutdown

Table of Contents 1 MSDP Configuration 1-1

RIP Commands. output-delay, page 32 passive-interface (RIP), page 33 poison-reverse, page 35 receive version, page 37 redistribute (RIP), page 39

PART III. Implementing Inter-Network Relationships with BGP

Configuring OSPF with CLI

Lab Guide 2 - BGP Configuration

BGP Protocol & Configuration. Scalable Infrastructure Workshop AfNOG2008

FiberstoreOS IP Routing Configuration Guide

TDC 375 Network Protocols TDC 563 P&T for Data Networks

Table of Contents 1 BGP Configuration 1-1

Router Lab Reference

ibgp Multipath Load Sharing

Keychain Management Commands

Deploy MPLS L3 VPN. APNIC Technical Workshop October 23 to 25, Selangor, Malaysia Hosted by:

Routing Implementation

Chapter 4: outline. Network Layer 4-1

CertifyMe. CertifyMe

BGP Scaling (RR & Peer Group)

Hierarchical Routing. Our routing study thus far - idealization all routers identical network flat not true in practice

Route Policy Language. Set Object

Transcription:

R&E ROUTING SECURITY BEST PRACTICES Grover Browning Karl Newell

RFC 7454 BGP Operations & Security Feb, 2015 https://tools.ietf.org/html/rfc7454 [ 2 ]

Agenda Background / Community Development Overview of the RFC ACL s on BGP Sessions Rate Limiters on BGP MD5/TCP-AO Internal Spoof Blocking GTSM To Dampen or not to Dampen Max-Prefixes AS-PATH Filtering Private AS Rejection First AS Rejection Advertising Private ASN s Next Hop Filters Community Scrubbing In/Out Customer/Peer Filters [ 3 ]

And most importantly Keeping Things Up to Date! [ 4 ]

Community & Internet2 Backoffice and Community [ 5 ]

ACL s on BGP Sessions filter TCP/179 Good Peer Bad Guy Good Peer My Router Bad Guy

ACL s on BGP Sessions JunOS Example Lo0 { unit 0 { family inet { filter { input input-strict-in }}}}!!Don t Forget!! INET6! Routing Instances! term allow-bgp { from { source-prefix-list {BGP-PEERS; } protocol tcp; port 179;} then { accept;} prefix-list BGP-PEERS-ROUTING-INSTANCE { apply-path "protocols bgp group <*> neighbor <*>"; [ 7 ]

ACL s on BGP Sessions Cisco IOS XR ipv4 access-list input-strict-in remark Only permit BGP session for peers permit tcp host 192.0.3.1 eq bgp any permit tcp host 192.0.3.1 any eq bgp deny tcp any eq bgp any deny tcp any any eq bgp deny any any interface type interface-path-id ipv4 access-group input-strict-in ingress [ 8 ]

Rate Limiters for BGP Neighbor Router My Routers RE 20 mbit TCP/179 Raubritter

Rate Limiters for BGP JunOS Example term limit-tcp-syn { from { source-prefix-list { BGP-PEERS; MSDP-PEERS;} protocol tcp; tcp-flags "(syn &!ack) fin rst ;} then { policer 500K-drop; next term;} policer 500K-drop { if-exceeding { bandwidth-limit 500k; burst-size-limit 62k;} then discard;} [ 10 ]

Rate Limiters for BGP Cisco IOS XR lpts pifib hardware police flow bgp-cfg-peer 2000 flow bgp-default 2500 flow bgp-known 1500 [ 11 ]

MD5/TCP-AO Secure Neighbor Router 7deca1987c2a945a a39067d476d2e353 My Router Neighbor Router IXP HEY look at all my routes and communities

MD5/TCP-AO JunOS Example bgp { group ext { type external; peer-as 65530; neighbor 172.16.2.1; authentication-key-chain bgp-auth; authentication-algorithm md5; authentication-key-chains { key-chain bgp-auth { tolerance 30; key 0 { secret "$9$5TJDi.F6A"; ## SECRET-DATA start-time 2011-6-23.20:19:33-0700 ; } key 1 { secret "$9JGDiqW.puh."; ## SECRET-DATA start-time 2012-6-23.20:19:33-0700 ; [ 13 ]

MD5/TCP-AO Cisco IOS XR MD5 router bgp 65500 neighbor 192.0.2.1 remote-as 65555 password encrypted 123abc TCP-AO router bgp 65500 neighbor 192.0.2.1 remote-as 65555 keychain bgp-auth key chain bgp-auth key 0 key-string $9$5TJDi.F6A cryptographic-algorithm [HMAC-MD5 HMAC-SHA1-12] send-lifetime 20:19:33 june 23 2012 infinite accept-lifetime 20:19:33 june 23 2012 infinite [ 14 ]

Spoof Blocking Bad Guy TCP RST Src: 192.0.2.140 My Router 192.0.2.0/24 for ibgp TCP RST Src: 192.0.2.23 Bad Guy

Internal Spoof Blocking filter connector-in { interface-specific; term border-exceptions { from { source-prefix-list { border-subnets;}} then { accept;}} term border-discard { from { source-prefix-list { INTERNAL;}} then { syslog; next term;}} JunOS Example prefix-list border-subnets { apply-path "interfaces <*> unit <*> family inet address <*>";} [ 16 ]

Spoof Blocking Cisco IOS XR ipv4 access-list input-strict-in remark Deny internal ibgp spoofed sources deny ip 192.0.2.0/24 any permit tcp host 192.0.3.1 eq bgp any permit tcp host 192.0.3.1 any eq bgp deny tcp any eq bgp any deny tcp any any eq bgp deny any any interface type interface-path-id ipv4 access-group input-strict-in ingress [ 17 ]

GTSM IP TTL 255 Bad Guy IP TTL 254 Intermediate Router X My Router

GTSM bgp { group toas2 { type external; peer-as 2; ttl 255; neighbor 10.1.2.3; JunOS Example filter ttl-security { term gtsm { from { source-address { 10.1.2.3/32; } protocol tcp; ttl-except 255; port 179; } then { discard; }} term else { then { accept; [ 19 ]

GTSM Cisco IOS XR router bgp 65500 neighbor 192.0.2.1 ttl-security hops 1 [ 20 ]

To Dampen or not to Dampen RFC 7196 Flaky Route I M HERE My Router Flaky Route I M NOT HERE My Router Flaky Route I M HERE My Router Flaky Route I M NOT HERE My Router Flaky Route My Router I ll ignore you for a while

Damping JunOS Example bgp { damping; group ext { type external; import damp; export send-direct; neighbor 10.0.0.1 { peer-as 100; damping aggressive { half-life 15; suppress 6000;} damping timid { half-life 15; suppress 12000;} damping dry { disable; } policy-statement damp { term 1 { from { Route-filter 10.128.0.0/9 exact damping dry; route-filter 0.0.0.0/0 prefix-length-range /0-/8 damping timid; route-filter 0.0.0.0/0 prefix-length-range /17-/32 damping aggressive; [ 22 ]

To Dampen or not to Dampen Cisco IOS XR bgp dampening [ half-life [ reuse suppress max-suppress-time ] ] router bgp 65500 remote-as 65555 address-family ipv4 unicast bgp dampening 15 750 6000 60 [ 23 ]

Max-Prefixes Neighbor Router 18 IPv4 prefixes X My Router Small neighbor that decides to transit for the Internet 628,332 IPv4 prefixes

Max-Prefixes JunOS Example Protocols { bgp { group CONNECTORS6 { type external; metric-out igp; family inet6 { unicast { prefix-limit { maximum 50; teardown 90; [ 25 ]

Max Prefixes Cisco IOS XR maximum prefix maximum [ threshold ] router bgp 65500 neighbor 192.0.2.1 remote-as 65555 address-family ipv4 unicast maximum prefix 1000 90 [ 26 ]

First AS Rejection Destination AS Path AS 65555 192.168.0.0/16 65555 65000 AS 65000 Destination AS Path 192.168.0.0/16 65000 X My Router AS 65222 Destination AS Path 192.168.0.0/16 65000

First AS Rejection JunOS Example set protocols bgp enforce-first-as [ 28 ]

First AS Rejection Cisco IOS XR Cisco supports this by default. It can be disabled. router bgp 65500 bgp enforce-first-as disable [ 29 ]

Advertising Private ASN AS 65500 Destination AS Path 192.0.2.0/24 65500 X My Router AS 209 Destination AS Path 192.0.2.0/24 209 65500 [ 30 ]

Private ASNs policy-statement SANITY-IN { term block-private-asn { from as-path PRIVATE; then reject; JunOS Example!!Don t Forget!! 32bit AS as-path PRIVATE ".* (64512-65535).*"; [ 31 ]

Reject Routes with Private ASNs Cisco IOS XR route-policy check-as-private if as-path passes-through (ios-regex.* (64512-65535).* ) then drop else pass endif end-policy router bgp 65500 neighbor 192.0.2.1 address-family ipv4 unicast route-policy check-as-private in [ 32 ]

Remove Private ASNs Outbound bgp { group ext { type external; neighbor 192.168.20.1 { remove-private; peer-as 200;}}} JunOS Example!!Don t Forget!! 32bit AS

Remove Private ASNs Outbound Cisco IOS XR router bgp 65500 neighbor 192.0.2.1 remove-private-as [ 34 ]

Next Hop Filters Set the Next Hop to that of the peer ignore the advertised Next Hop (unless IXP or Blackhole injector) AS 65500 192.0.2.1 Destination Next Hop AS Path 192.0.2.0/24 192.0.2.222 65500 My Router [ 35 ]

Next Hop Filters Protocols { bgp { neighbor 1.2.3.4 { IMPORT NEXT-HOP-CHECK; JunOS Example policy-statement NEXT-HOP-CHECK { from protocol bgp; then { next-hop 1.2.3.4; [ 36 ]

Next Hop Filters Cisco IOS XR route-policy NEXT-HOP-CHECK ($nexthop) set next-hop $nexthop end-policy router bgp 65500 neighbor 192.0.2.1 address-family ipv4 unicast route-policy NEXT-HOP-CHECK(192.0.2.1) in [ 37 ]

Community Scrubbing AS 65555 Destination AS Path Communities 1192.168.0.0/16 65555 65000 11537:260 1234:200 AS 11537 Destination AS Path Communities 192.168.0.0/16 11537 65555 65000 1234:200 Internet

Community Scrubbing JunOS Example policy-statement REMOVE-COMMS-OUT { term remove { then { community delete DISCARD;} group FEDNET { type external; metric-out igp; export [REMOVE-COMMS-OUT]; community DISCARD members 11537:911; [ 39 ]

Community Scrubbing Cisco IOS XR community-set DISCARD 11537:911 end-set route-policy REMOVE-COMMS-OUT delete community in DISCARD end-policy router bgp 11537 neighbor 192.0.2.1 address-family ipv4 unicast route-policy REMOVE-COMMS-OUT out [ 40 ]

Inbound Customer Filters AS 65500 192.0.2.1 Destination AS Path 192.0.2.0/24 65500 8.8.8.0/24 65500 X My Router

Inbound Customer Filters JunOS Example neighbor 205.233.255.32 { description "[RE] UNY I2-S1234"; import [ SANITY-IN SET-PREF UNY-IN CONNECTOR-IN ]; peer-as 1234; policy-statement UNY { term participant { from { protocol bgp; prefix-list-filter UNY-PARTICIPANT orlonger; } then next policy; } then reject; } } prefix-list UNY-PARTICIPANT { 130.18.0.0/16; 130.74.0.0/16; [ 42 ]

Inbound Customer Filters Cisco IOS XR prefix-set MY-NEIGHBOR 10.0.0.0/8 le 24, 192.168.0.0/16 le 24 end-set route-policy NEIGHBOR-PREFIX ($list) if destination in $list then pass else drop endif end-policy router bgp 65500 neighbor 192.0.2.1 address-family ipv4 unicast route-policy NEIGHBOR-PREFIX(MY-NEIGHBOR) in

In/Out Filtering AS 65500 192.0.2.1 Destination AS Path 192.0.2.0/24 65500 10.0.0.0/8 65500 X My Router

In/out Filtering route-filter 0.0.0.0/0 prefix-length-range /28-/32; policy-statement SANITY-OUT { term block-martians { from { route-filter 0.0.0.0/0 exact; route-filter 10.0.0.0/8 orlonger; route-filter 127.0.0.0/8 orlonger; route-filter 169.254.0.0/16 orlonger; route-filter 172.16.0.0/12 orlonger; route-filter 192.0.2.0/24 orlonger; route-filter 192.88.99.1/32 exact; route-filter 192.168.0.0/16 orlonger; route-filter 198.18.0.0/15 orlonger; route-filter 224.0.0.0/4 orlonger; route-filter 240.0.0.0/4 orlonger; } then reject; } export [ SANITY-OUT etc] JunOS Example [ 45 ]

In/Out Filtering Cisco IOS XR prefix-set BOGONS 0.0.0.0/0, 0.0.0.0/8 le 32, 10.0.0.0/8 le 32, 127.0.0.0/8 le 32, 169.254.0.0/16 le 32, 172.16.0.0/12 le 32, 192.0.0.0/24 le 32, 192.0.2.0/24 le 32, 192.168.0.0/16 le 32, 198.18.0.0/15 le 32, 198.51.100.0/24 le 32, 203.0.113.0/24 le 32, 224.0.0.0/4 le 32 end-set route-policy Deny-Bogons if destination in BOGONS then drop else pass endif end-policy router bgp 65500 neighbor 192.0.2.1 address-family ipv4 unicast route-policy Deny-Bogons [ 46 ]

Keeping Things up to Date You MUST keep the filters up to date! Or else don t do it! [ 47 ]

Recent Updates to BGP https://www.youtube.com/watch?v=v6wsq66-f40&feature=youtu.be https://pc.nanog.org/static/published/meetings/nanog71/1425/20171003_snijders_recent_bgp_i nnovations_v1.pdf RFC 7999 - BLACKHOLE Community, 65535:666 RFC 8212 - Default External BGP (EBGP) Route Propagation Behavior without Policies RFC 8092 - BGP Large Communities Attribute RFC 8203 - BGP Administrative Shutdown Communication [ 48 ]

The Internet2 Process Security did an initial evaluation and prepared a paper. Architecture recommended which to implement Operations interpreted the recommendation & implemented. [ 49 ]

RPKI Resource Public Key Infrastructure https://tools.ietf.org/html/rfc6480 Interactive tutorials - http://www.securerouting.net/ RPKI Session [ 50 ]

Mind your MANRS Mutually Agreed Norms for Routing Security https://www.routingmanifesto.org/ 1. Prevent propagation of incorrect routing information 2. Prevent traffic with spoofed source IP addresses 3. Facilitate global operational communication and coordination between network operators 4. Facilitate validation of routing information on a global scale [ 51 ]

BCP 38 & 84 BCP 38 Network Ingress Filtering https://tools.ietf.org/html/rfc2827 BCP 84 Ingress Filtering for Multihomed Networks https://tools.ietf.org/html/rfc3704 [ 52 ]

urpf unicast Reverse Path Forwarding Strict each incoming packet is tested against the FIB and if the incoming interface is not the best reverse path the packet check will fail Feasible the FIB maintains alternate routes to a given ip address. If the incoming interface matches with any of the routes associated with the ip address, then the packet is forwarded Loose - each incoming packet's source address is tested against the FIB. The packet is dropped only if the source address is not reachable via any interface on that router [ 53 ]

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback