BORDER GATEWAY PROTOCOL - Europa · BORDER GATEWAY PROTOCOL. 3 Chapter 1 BGP has serious security...
7 STEPS TO SHORE UP BGP
BORDER GATEWAY PROTOCOL
Chapter 1
BGP has serious security vulnerabilities
• No authentication or protection of integrity of messages
• No verification of the authority to announce routes
• This allows internet traffic hijacking
BGP hijacks continue to happen
• January 2019 hijack of prefixes of the US energy regulator, by China Telecom
• November 2018 hijack of US domestic internet traffic, via Russia, into China
• April 2018 hijack of Amazon EC2 traffic to steal Ethereum bitcoins
• December 2017 hijack of internet traffic to US websites, into Russia
BGP SECURITY
Survey across the EU telecom sector
64 responses from experts working at providers
ENISA BGP SECURITY SURVEY
In your experience, what is the impact of BGP incidents?
[Chart: response shares 45%, 30%, 25%; categories: major impact, medium impact, small impact]
BASIC, EFFICIENT, EFFECTIVE MEASURES
1. BGP Monitoring and routing anomaly detection
2. BGP coordination:
• Describe and publish your policy using RPSL
• Partake in registers like PeeringDB
3. Prefix filtering
4. BGP AS Path filtering
5. Bogon filtering
6. TTL Security (GTSM)
7. RPKI
RECOMMENDATIONS: 7 STEPS
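An added example (not part of the ENISA slides) showing how measures 3, 5 and 7 combine into one import decision for a received announcement, with RPKI origin validation following RFC 6811. The bogon list is abbreviated, the /24 length limit is an assumed local policy, and the VRPs and announcements are constructed from documentation prefixes and AS numbers.

```python
import ipaddress

# Abbreviated bogon list (assumption); production filters use a full, maintained list.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed VRPs (validated ROA payloads): (prefix, maxLength, origin AS),
# using documentation prefixes and AS numbers.
VRPS = [(ipaddress.ip_network("198.51.100.0/24"), 24, 64496),
        (ipaddress.ip_network("2001:db8::/32"), 32, 64498)]

MAX_V4_LEN = 24  # assumed local policy: no IPv4 prefixes longer than /24


def rpki_state(prefix, origin_as, vrps=VRPS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        if prefix.version == vrp_prefix.version and prefix.subnet_of(vrp_prefix):
            covered = True  # at least one VRP covers this prefix
            if prefix.prefixlen <= max_len and asn == origin_as:
                return "valid"
    return "invalid" if covered else "not-found"


def import_decision(prefix_str, as_path):
    """Bogon filter, then prefix-length filter, then RPKI origin validation."""
    prefix = ipaddress.ip_network(prefix_str)
    if any(prefix.version == b.version and prefix.overlaps(b) for b in BOGONS):
        return ("reject", "bogon")
    if prefix.version == 4 and prefix.prefixlen > MAX_V4_LEN:
        return ("reject", "too-specific")
    state = rpki_state(prefix, as_path[-1])  # origin AS is the last AS in the path
    if state == "invalid":
        return ("reject", "rpki-invalid")
    return ("accept", "rpki-" + state)


if __name__ == "__main__":
    samples = [("198.51.100.0/24", [64500, 64496]),    # matching ROA
               ("198.51.100.0/24", [64500, 64499]),    # covered, wrong origin AS
               ("2001:db8:1::/48", [64500, 64498]),    # right AS, exceeds maxLength
               ("198.51.100.128/25", [64500, 64496]),  # longer than /24
               ("10.1.0.0/16", [64500, 64496]),        # private address space
               ("192.0.2.0/24", [64500, 64497])]       # no covering ROA
    for pfx, path in samples:
        print(pfx, path, import_decision(pfx, path))
```

Accepting "not-found" routes reflects partial ROA coverage; only "invalid" is dropped.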
BGP CHECKLIST FOR NRAS
CHECKLIST
General Information
Provider name | Hint: company name
Contact point | Hint: contact name, email for further questions on this
AS | Hint: Yes, please specify the AS number, or N/A if no AS, in that case skip the rest of this form

BGP Security measure | Implementation status | Explanation
1. BGP Monitoring & Routing Anomaly Detection | Hint: Yes, No, Partially | Hint: pls explain - in case you do not implement, or only partially, which parts, why not, if you plan to implement.
2. BGP Coordination | Hint: Yes, No, Partially | Hint: pls explain - in case you do not implement, or only partially, which parts, why not, if you plan to implement.
3. Prefix Filtering | Hint: Yes, No, Partially | Hint: pls explain - in case you do not implement, or only partially, which parts, why not, if you plan to implement.
4. BGP AS Path Filtering | Hint: Yes, No, Partially | Hint: pls explain - in case you do not implement, or only partially, which parts, why not, if you plan to implement.
5. Bogon Filtering | Hint: Yes, No, Partially | Hint: pls explain - in case you do not implement, or only partially, which parts, why not, if you plan to implement.
6. TTL Security (GTSM) | Hint: Yes, No, Partially | Hint: pls explain - in case you do not implement, or only partially, which parts, why not, if you plan to implement.
7. RPKI | Hint: Yes, No, Partially | Hint: pls explain - in case you do not implement, or only partially, which parts, why not, if you plan to implement.
Annual telecom security incidents report 2018
• https://www.enisa.europa.eu/topics/incident-reporting/for-telcos/visual-tool
• Already contains data over 2018
SS7 cheatsheet
Preparing for the EECC
• New providers, new landscape, new threats, new industry practices
• How does security supervision work?
Power outages and telecoms
ENISA mailing lists for the sector (providers and infra)
ENISA TELECOM SECURITY WORK IN 2019
CONTACT US
+30 28 14 40 9711
www.enisa.europe.eu