A Survey of BGP Security Review
Network Security
Instructor: Dr. Shishir Nagaraja
Submitted By: Jyoti Leeka
November 16, 2011

1 Introduction to the topic and the reason for the topic being interesting

Border Gateway Protocol (BGP) is a routing protocol used for exchanging routing information among Autonomous Systems. A single organization is responsible for managing its autonomous system. BGP is one of the most widely used protocols. However, security issues have not been sufficiently dealt with in Border Gateway Protocol, which at times leads to serious failures. The topic is interesting because it discusses the security issues pertaining to Border Gateway Protocol, which is critical for the smooth functioning of the internet.

2 Questions that the paper asks and how are those questions interesting

The paper discusses the weaknesses of Border Gateway Protocol and explores the various solutions proposed. The question is interesting because, considering the importance of Border Gateway Protocol for the smooth functioning of the internet, the proposed solutions for providing security must be examined and compared.

3 How does it answer the questions

In order to answer the question, the author first explains the mechanism of interdomain routing. Border Gateway Protocol (BGP) is a routing protocol used for exchanging routing information among Autonomous Systems. Autonomous systems are of three types, namely:

1. Stub Autonomous System: A stub AS is a system which is connected to only one other AS.
2. Multihomed Autonomous System: A multihomed Autonomous System is similar to a stub Autonomous System, but it is connected to many other ASs.
3. Transit Autonomous System: A transit AS allows routing through itself to other ASs.

A router which exchanges routing information with its peer Autonomous Systems using BGP is called a BGP speaker. BGP uses TCP for exchanging this information.
Each AS consists of hosts whose information is exchanged by the routers using UPDATE messages, which contain the prefixes and paths. Since BGP uses the advertised paths to make routing decisions, it is known as a path vector protocol. Autonomous System numbers and IP addresses are assigned to Autonomous Systems by ICANN. Each Autonomous System follows a routing policy used for filtering, based on the quality of service that it intends to provide and its business strategy.

The threat model used in the paper is discussed below:
1. One of the routers exchanging routing information may be malicious. This case is discussed below:
   (a) Let the two communicating routers be Alice and Bob. A passive adversary eavesdrops on the channel over which they are communicating, so the communication between Alice and Bob is no longer confidential.
   (b) Between the two communicating routers, an active adversary may add messages, delete messages, or change the content of the messages. An active adversary may also replay packets in order to confuse the routers.
   (c) The adversary may send malicious messages to either of the communicating routers in order to terminate the session. This may be achieved by sending OPEN or NOTIFICATION messages during an established session.
2. An adversary may carry out an attack which affects routers separated by a huge distance. This kind of attack is discussed below:
   (a) An attacker owning an Autonomous System may attack by prefix hijacking: the attacker advertises that it is responsible for managing the advertised prefixes, and hence routes the packets destined for the honest Autonomous System through itself. If the attacker-owned malicious system absorbs the packets, this is called a black hole. Another method to spread false routing information is known as prefix hijacking. In this, the attacker advertises a longer prefix than the prefix advertised by the honest Autonomous System. In this way it exploits the longest prefix matching property of BGP, which in turn introduces wrong routes into the network.
   (b) Since BGP uses path vectors for routing, a malicious adversary may change the stored path vectors by advertising wrong paths in the UPDATE messages.
   (c) The adversary may also launch a denial of service attack. This can be accomplished by absorbing the packets destined for a particular Autonomous System.
       Also, since BGP uses TCP, it is vulnerable to the denial of service attacks which are caused by vulnerabilities in TCP. An attacker may exploit this by flooding the network with synchronization (SYN) packets, thus causing the attacked router to either run out of state or crash. Once a router crashes and comes back online, it has to configure its routing tables again. This is accomplished by the neighboring routers sending routing information to the crashed router; this traffic, together with the attacker's packets, overloads the router, which may crash again. If this happens again and again, the routes that it manages will keep appearing and disappearing in the routing tables. This is called route flapping. If route flapping occurs again and again, the routes advertised by the router are dropped by the other routers for a particular period of time. This is called route dampening. BGP is also vulnerable to smurf attacks, which are caused by the network being flooded with ICMP echo messages.
   (d) An attacker may also misconfigure a router in order to launch an attack. This may be accomplished in the following ways:
       i. By allowing external routes to be directed to the internal routers, which causes the internal routers to be flooded.
       ii. By advertising a longer prefix, in order to redirect the packets towards itself.

BGP is prone to attack because of the following weaknesses in the BGP protocol:

1. BGP does not check that the message has not been modified, that the receiver has received the recently sent message and not a replay of the message, and that the message has been sent by an honest autonomous system.
2. BGP does not check that the routing information has been sent by an authorized autonomous system.
3. BGP does not check the path attribute in the UPDATE messages.

As a result of the attack, an attacker may successfully absorb the packets destined for a particular Autonomous System, or an attacker may route the packets destined for an honest autonomous system through itself, hence capturing sensitive information like passwords. An attacker may also cripple a major part of the internet for a few hours by launching denial of service attacks.

In order to prevent these attacks, some of the protection mechanisms are described below:

1. Current protection mechanisms employed in BGP: Since BGP uses TCP, a MAC of the BGP data can be used to ensure the authenticity and integrity of the message. The disadvantage of using MACs is the requirement of sharing a secret key between two communicating hosts. Since the complexity required for this is O(n^2), this is not an efficient method. Some of the other methods employed are discussed below:
   (a) In order to prevent the attacks, IPsec may be employed, which encrypts and authenticates the headers and data to provide security. In order to manage keys it employs IPsec Internet Security Association and Key Management, which employs the Diffie-Hellman protocol using RSA.
   (b) In order to prevent the attacks, the Generalized TTL Security Mechanism (GTSM) may be employed. This mechanism makes use of the fact that routing information is primarily exchanged between routers which are located nearby. Hence it sets the TTL field to 255 and checks the TTL field value again at the destination router; if this value comes out to be less than 254, the packet is discarded, as it violates the hypothesis of the protocol.
   (c) The destination router may employ policies to filter out malicious routing information. But filters of this kind are built by learning from previous attacks, hence new attacks may go unnoticed.
   (d) The routers maintain routing repositories containing the routing strategy.
       In order to verify the received routing information, the routers send their route-related questions to the sending router's routing repository. However, since this gives the routers the ability to query the sending router, by repeatedly querying it the other routers may get to know about its configuration, which may be against the routing policies of the sending router.
2. In order to provide security for routers employing BGP, the following proposed architectures may be employed:
   (a) Secure BGP architecture: In the Secure BGP architecture, the routing information is signed with the private key of the sending router, and the receiving router verifies this information by using the public key of the sending router. Secure BGP employs public key infrastructure in the following scenarios:
       i. For verifying the allocated addresses.
       ii. For associating the autonomous systems and routers to a particular organization.
       Since in Secure BGP the routing information is verified between the senders and the receivers, and taking into consideration the number of routers and the data which needs to be transmitted, the complexity of employing this type of technique is high. There are two types of attestations which are used in BGP, they are mentioned below:
       i. Address attestation: When a router advertises its set of prefixes, these prefixes are verified to confirm that they are indeed being advertised by honest autonomous systems.
       ii. Route attestation: In route attestations the path values set in UPDATE messages are verified.
   (b) Secure Origin BGP: In Secure Origin BGP the routing information is signed with the private key of the sending router, and the receiving router verifies this information with the public key of the sending router. Secure Origin BGP uses the following types of certificates:
       i. A certificate associating a public key with the router.
       ii. A certificate containing the routing strategy.
       iii. A certificate for verifying the addresses allocated to a particular router.
       In order to verify the routes contained in the UPDATE messages, the certificate containing the routing strategy is employed. In order to reduce the complexity of verifying the certificates, the routers store the authenticated routing information before starting the BGP session.
   (c) Interdomain Route Validation: In order to verify the received information, the interdomain route validation servers of the sending Autonomous Systems are queried. In order to secure the information which is communicated between the receiving routers and the interdomain route validation servers, secure protocols like IPsec are employed. In order to reduce the time to query the information, caching of the previously received information may be employed.
3. Some of the approaches which can be used to provide security in BGP are mentioned below:
   (a) One of the earlier works on providing security was done by Smith and Garcia-Luna-Aceves. Their approach comprised the following two ideas:
       i. The BGP data is encrypted and a sequence number is given to it.
       ii. The UPDATE messages in the BGP protocol are allocated a sequence number and are digitally signed.
   (b) IDRP Countermeasures: Some of the protection mechanisms which were employed in the previously proposed IDRP protocol can be employed in BGP. These include adding a checksum of the routing information and encrypting it before transmitting it.
   (c) Hop Integrity Protocols: Gouda et al. proposed protocols for ensuring hop integrity. These protocols employ sequence numbers and MACs, where keys are exchanged using the Diffie-Hellman protocol.
   (d) MOAS Detection and Mitigation: In the case of multiple origin Autonomous Systems (MOAS), the set of authorized ASs is attached to the community attribute.
       Now when a prefix is advertised by an Autonomous System, this list can be consulted to verify its validity.
   (e) Origin Authentication: In order to verify that the prefix advertised by a particular Autonomous System is valid, cryptographic validation is employed. Pretty Secure BGP verifies the advertised prefixes using digital certificates, and verifies the certificates with the help of public keys. In this scheme the certificates are verified in a distributed manner by making prefix assertion lists (PALs), containing the neighboring systems and their prefixes. In order to perform authentication, these PALs are consulted.

The author mentions the following ways of assessing BGP security:

1. Providing protection from peer attacks: Since peers attack by changing BGP messages, such an attack can be avoided by performing encryption by employing IPsec. Among the protocols discussed above, IPsec protection is provided by S-BGP, soBGP and IRV. The IPsec authentication header protects against replay of packets, helps prevent denial of service, and also helps preserve the integrity of the message. The protection measure proposed by Smith et al. performs encryption and uses sequence numbers to provide authentication; it also protects integrity and confidentiality and protects from replay of packets, but does not protect from denial of service attacks. The protection provided by GTSM is effective against attackers who are not immediate peers of the current host. However, GTSM's measure is not effective in preserving the integrity and confidentiality of the message, and it also does not offer protection from replay attacks and denial of service attacks.
2. The ways of providing protection from wide-reaching attacks are given below:
   (a) Protection from an attacker who fakes the origin of the message is provided in Secure BGP, as it employs a public key infrastructure to provide address authentication. In order to authenticate the address, the receiving host follows the chain of certificates up to ICANN. An optimized scheme of address attestation for Secure BGP and Secure Origin BGP was given by Aiello et al. Two main features unveiled by this scheme are given below:
       i. 70-90% of the address prefixes were observed to remain stable for six months.
       ii. Only a few organizations are responsible for delegating the address space.
   (b) Since BGP is a path vector protocol, the ways of protecting the path vector field are given below:
       i. The path vector protection offered by Secure Border Gateway Protocol incurs a lot of time and space complexity.
       ii. In order to verify the path vectors from an autonomous system's IRV server, the IRV protocol needs proper network connectivity. This presents problems in case of interruption of service; this problem can be done away with by employing optimistic routing.
       iii. Secure Origin BGP verifies the received routes from the network topology databases.
       iv. The authentication procedure proposed by Hu et al. employs the notion that a malicious autonomous system cannot manipulate the path vectors included by the previous autonomous systems; thus it promises path vector integrity.
3. Assessment of the methods for providing security is given below:
   (a) Assessment of Secure Border Gateway Protocol: Secure Border Gateway Protocol provides an almost complete security solution. Its drawbacks include its increased space and time complexity.
   (b) Secure Origin Border Gateway Protocol verifies the received path vectors from the network topology database; it is more flexible than Secure Border Gateway Protocol. However, Secure Origin Border Gateway Protocol is not robust against manipulations caused by hosts sitting in the middle.
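The origin checks assessed above (address attestation, MOAS lists, origin authentication) and the longer-prefix problem from the threat model can be seen together in a short added example; it is not code from the paper or from any of the surveyed proposals. The attestation table, the announcements and the function names are constructed for illustration, and a plain lookup table stands in for the certificate chain that Secure BGP would verify.

```python
import ipaddress

# Constructed address attestations (prefix -> ASes authorized to originate it).
# Documentation prefixes and reserved AS numbers; not data from the paper.
ATTESTATIONS = {
    "192.0.2.0/24": {64500},
    "198.51.100.0/24": {64501, 64502},  # MOAS: two authorized origins
}

def classify(prefix, as_path):
    """Check the origin AS (last element of the path) against the attestations."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    for attested, origins in ATTESTATIONS.items():
        covering = ipaddress.ip_network(attested)
        if net == covering:
            return "valid" if origin in origins else "origin-mismatch"
        if net.subnet_of(covering):
            return "more-specific"      # longer prefix than anything attested
    return "unattested"

def best_route(dest, routes):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)

def accept(routes):
    """Keep only announcements whose origin is attested for that exact prefix."""
    return [r for r in routes if classify(*r) == "valid"]

# Constructed UPDATE contents: (prefix, AS path as received).
UPDATES = [
    ("192.0.2.0/24", [64510, 64500]),      # legitimate origin
    ("192.0.2.128/25", [64511, 64666]),    # longer prefix from another AS
    ("198.51.100.0/24", [64510, 64502]),   # second authorized MOAS origin
    ("198.51.100.0/24", [64511, 64666]),   # same prefix, unauthorized origin
    ("203.0.113.0/24", [64512]),           # no attestation on file
]

if __name__ == "__main__":
    for prefix, path in UPDATES:
        print(f"{prefix:18} origin AS{path[-1]:<6} {classify(prefix, path)}")
    print("unfiltered:", best_route("192.0.2.200", UPDATES))
    print("filtered:  ", best_route("192.0.2.200", accept(UPDATES)))
```

Without the origin check, traffic for 192.0.2.200 follows the /25 announced by the unattested AS; once announcements are filtered against the attestations, it follows the attested /24 again.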

Expected paths in Border Gateway Protocol security research are given below:

1. The author suggests that selecting the correct implementation method for any protocol is important for its success. For this, Pei et al. suggested a scheme for performing routing within autonomous systems and between autonomous systems. Here routing is performed by first verifying the meaning of the fields and by applying cryptographic protection.
2. Cryptographic techniques like digital signatures can be used to securely perform Border Gateway Protocol routing.
3. It becomes important in routing protocols to identify attacking hosts. The author suggests that the best way is to detect attacks before they can happen.

4 Methodology used to investigate the paper

The author investigates the topic by first listing the vulnerabilities of BGP and then exploring and comparing various BGP security solutions.

5 What I learned from the paper

From this paper I learned the various solutions proposed for providing security in Border Gateway Protocol.

6 How the paper relates to previous work

The paper relates to various BGP security solutions; these solutions have been discussed in the answers section.

7 Strengths of the paper

I liked the following points in the paper: I liked the suggestion of the author that cryptographic techniques like digital signatures should be employed for improving BGP security. As techniques like digital signatures are helpful in authenticating the sender of the message, they greatly aid in improving network security.

8 Weaknesses of the paper

I found the following weaknesses in the paper: In this paper the author merely compares the various BGP security solutions and finds that there is no solution which can perfectly eliminate the vulnerabilities present in BGP. But this conclusion of the author does not provide a solution for BGP security vulnerabilities. I think the author should have focused more on providing a solution to the security need, rather than comparing them.

9 Results

In this paper the author explores and compares various BGP security solutions, and finds that there is no solution which can perfectly eliminate the vulnerabilities present in BGP.