CNT 5410 - Computer and Network Security: BGP Security · Southeastern Security for Enterprise and...
Southeastern Security for Enterprise and Infrastructure (SENSEI) Center
CNT 5410 - Computer and Network Security:
BGP Security
Professor Kevin Butler Fall 2015
Internet inter-AS routing: BGP
• BGP (Border Gateway Protocol): the de facto standard inter-AS routing protocol
• BGP provides each AS a means to:
• eBGP: Obtain subnet reachability information from neighboring Autonomous Systems (ASes).
• iBGP: Propagate reachability information to all AS-internal routers.
• Determine “good” routes to subnets based on reachability information and policy.
• allows subnet to advertise its existence to rest of Internet: “I am here”
BGP basics
• BGP session: two BGP routers (“peers”) exchange BGP messages:
• advertising paths to different destination network prefixes (“path vector” protocol)
• exchanged over semi-permanent TCP connections
• When AS3 advertises a prefix to AS1:
• AS3 promises it will forward datagrams towards that prefix
• AS3 can aggregate prefixes in its advertisement
[Figure: three ASes. AS1 contains routers 1a, 1b, 1c, 1d; AS2 contains 2a, 2b, 2c; AS3 contains 3a, 3b. AS2 and AS3 connect onward to other networks. Legend: eBGP session, iBGP session.]
Prefix?
• How do routers advertise sets of IP addresses?
• Advertising a full list of every individual address reachable through a router would be wasteful: think of the memory every forwarding table would need.
• We instead rely on address aggregation:
[Figure: the individual addresses 192.168.1.0, 192.168.1.1, …, 192.168.1.255 are summarised by the single prefix 192.168.1.0/24, which in turn falls inside the larger aggregate 192.168.0.0/16.]
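The two halves of that figure, aggregation and the lookup that consumes it, as an added Python example (not from the slides). The host list, the forwarding table and the AS numbers in it are constructed; `lookup` also shows the consequence that matters for security: because the longest matching prefix wins, whoever announces a more specific prefix captures the traffic.

```python
import ipaddress

# Constructed sample input: the 256 individual hosts 192.168.1.0 .. 192.168.1.255
HOSTS = [f"192.168.1.{i}" for i in range(256)]

def aggregate(addresses):
    """Collapse individual addresses (treated as /32 prefixes) into the fewest
    covering prefixes; this is what a router advertises instead of a host list."""
    nets = [ipaddress.ip_network(a) for a in addresses]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

# Constructed forwarding table: prefix -> next-hop AS, as learned via BGP.
FIB = {
    "0.0.0.0/0":      "AS65000",   # default route
    "192.168.0.0/16": "AS65001",   # aggregate announced by one neighbour
    "192.168.1.0/24": "AS65002",   # more specific announced by another
}

def lookup(dst, fib=FIB):
    """Longest-prefix match: of all prefixes containing dst, the longest wins.
    A more-specific announcement therefore always attracts the traffic, whoever
    announces it, which is the mechanism behind sub-prefix hijacks."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None
```

`aggregate(HOSTS)` returns the single prefix 192.168.1.0/24; `lookup("192.168.1.77")` goes to AS65002 even though AS65001 also covers it with the /16.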
Distributing reachability info
• Using an eBGP session between 3a and 1c, AS3 sends prefix reachability info to AS1.
• 1c can then use iBGP to distribute this new prefix reach info to all routers in AS1
• 1b can then re-advertise new reachability info to AS2 over 1b-to-2a eBGP session
• When router learns of new prefix, creates entry for prefix in its forwarding table.
[Figure: the same AS1/AS2/AS3 topology as above, highlighting the 3a-1c and 1b-2a eBGP sessions and the iBGP sessions inside AS1.]
Path attributes & BGP routes
• When advertising a prefix, the advertisement includes BGP attributes.
• prefix + attributes = “route”
• Two important attributes:
• AS-PATH: contains the ASes through which the prefix advertisement has passed, e.g. AS 67 AS 17
• NEXT-HOP: Indicates specific internal-AS router to next-hop AS. (There may be multiple links from current AS to next-hop-AS.)
• When gateway router receives route advertisement, uses import policy to accept/decline.
• e.g., never route through AS x
• policy-based routing
BGP route selection
• Router may learn about more than one route to some prefix. Router must select a route.
• Elimination rules:
• Local preference value attribute: policy decision
• Shortest AS-PATH
• Closest NEXT-HOP router : hot potato routing
• Additional criteria
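The import policy from the previous slide and the elimination rules from this one, as an added Python example that is not part of the lecture material. The `Route` fields, the AS numbers, next hops and IGP costs are constructed; the decision process is the subset of rules listed on the slide, applied in that order. The tests at the end show why rule 2 matters for security: once LOCAL_PREF ties, the route with the shortest AS-PATH wins, so a forged, shortened path beats the honest one unless local policy says otherwise.

```python
from dataclasses import dataclass

@dataclass
class Route:
    prefix: str
    as_path: tuple               # ASes the advertisement passed through; last = origin
    next_hop: str
    local_pref: int = 100        # set by local import policy; higher is preferred
    learned_via: str = "ebgp"    # "ebgp" or "ibgp"
    igp_cost: int = 0            # IGP distance to next_hop (hot-potato tie-break)
    peer_id: str = "0.0.0.0"     # BGP identifier of the advertising peer

def import_policy(route, banned_ases=frozenset(), prefer_peer=None):
    """Import policy applied before selection: decline any route whose AS-PATH
    transits a banned AS ("never route through AS x") and raise LOCAL_PREF on
    routes from a preferred peer. Returns the (possibly adjusted) route or None."""
    if set(route.as_path) & set(banned_ases):
        return None
    if prefer_peer and route.peer_id == prefer_peer:
        route.local_pref = 200
    return route

def select_route(candidates):
    """BGP decision process (the slide's rules, in order):
    1. highest LOCAL_PREF   2. shortest AS-PATH   3. eBGP-learned over iBGP-learned
    4. lowest IGP cost to NEXT-HOP (hot potato)   5. lowest peer BGP identifier."""
    def rank(r):
        return (-r.local_pref, len(r.as_path), 0 if r.learned_via == "ebgp" else 1,
                r.igp_cost, tuple(int(o) for o in r.peer_id.split(".")))
    return min(candidates, key=rank) if candidates else None

def best_route(candidates, banned_ases=frozenset(), prefer_peer=None):
    """Apply import policy to every candidate, then run the decision process."""
    accepted = [r for r in (import_policy(r, banned_ases, prefer_peer) for r in candidates) if r]
    return select_route(accepted)

# Constructed: three routes to the same prefix learned at one router.
def candidates():
    return [
        Route("10.0.0.0/8", (64501, 64510), "198.51.100.1", igp_cost=5, peer_id="198.51.100.1"),
        Route("10.0.0.0/8", (64502, 64503, 64510), "198.51.100.2", igp_cost=50, peer_id="198.51.100.2"),
        Route("10.0.0.0/8", (64504, 64510), "198.51.100.3", learned_via="ibgp", igp_cost=1,
              peer_id="198.51.100.3"),
    ]
```

With no policy the first route wins (two routes tie on path length; eBGP beats iBGP). Preferring the peer at 198.51.100.2 makes its longer path win outright, and banning AS 64501 removes the first route so the iBGP route with the shorter path is chosen over the longer eBGP one.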
BGP messages
• BGP messages are exchanged over TCP (port 179).
• BGP messages:
• OPEN: first message sent once the TCP connection is up; identifies the sender (AS number, BGP identifier) and negotiates session parameters
• UPDATE: advertises new path (or withdraws old)
• KEEPALIVE keeps connection alive in absence of UPDATES; also ACKs OPEN request
• NOTIFICATION: reports errors in previous msg; also used to close connection
BGP routing policy
• A,B,C are provider networks.
• 1, 2, 3 are customers (of provider networks)
• 2 is multi-homed: attached to two networks
• 2 does not want to route from B via 2 to C
• ... so 2 will not advertise to B a route to C
[Figure: providers A, B, C and customers 1, 2, 3; 1 is attached to A, 2 is attached to both B and C, 3 is attached to C.]
BGP routing policy (2)
• A advertises to B the path A1
• B advertises to 2 the path BA1
• Should B advertise to C the path BA1?
• No way! B gets no “revenue” for routing CBA1 since neither 1 nor C are B’s customers
• B wants to force C to route to 1 via A
• B wants to route only to/from its customers!
[Figure: the same topology as the previous slide: providers A, B, C; customer 1 attached to A, customer 2 attached to B and C, customer 3 attached to C.]
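The export rule behind both policy slides ("route only to/from customers"), as an added Python example that is not part of the lecture. The slides give the provider/customer relationships; the assumptions here are that the providers peer with each other (A-B, B-C and A-C, the last needed so that C can reach 1 via A as the slide implies), that 3 is C's customer, and that 2 buys transit from both B and C. `propagate` floods a prefix through that topology and shows that C never hears BA1 from B, and that 2 never carries traffic between B and C.

```python
from collections import deque

# Topology from the slides: A, B, C are providers; 1, 2, 3 are customers.
# Assumptions (not stated on the slides): providers peer with each other,
# 3 is C's customer, 2 is a customer of both B and C.
PROVIDERS_OF = {"1": {"A"}, "2": {"B", "C"}, "3": {"C"}}
PEERINGS = {frozenset(p) for p in ("AB", "BC", "AC")}

def neighbors():
    """Adjacency built from the relationship tables."""
    adj = {}
    for cust, provs in PROVIDERS_OF.items():
        for p in provs:
            adj.setdefault(cust, set()).add(p)
            adj.setdefault(p, set()).add(cust)
    for pair in PEERINGS:
        a, b = tuple(pair)
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def relationship(me, other):
    """How `other` relates to `me`: 'customer' (pays me), 'provider' (I pay) or 'peer'."""
    if me in PROVIDERS_OF.get(other, set()):
        return "customer"
    if other in PROVIDERS_OF.get(me, set()):
        return "provider"
    if frozenset({me, other}) in PEERINGS:
        return "peer"
    return None

def should_export(me, learned_from, to):
    """Export policy for "route only to/from customers":
    a route learned from a customer is announced to everyone (someone pays);
    a route learned from a provider or peer is announced only to customers,
    because announcing it to a provider or peer would make `me` free transit."""
    if to == learned_from:
        return False
    if relationship(me, learned_from) == "customer":
        return True
    return relationship(me, to) == "customer"

def propagate(origin):
    """Flood `origin`'s prefix across the topology, obeying should_export at every
    AS; each AS keeps the first (shortest) path it hears. Returns AS -> AS-PATH."""
    adj = neighbors()
    paths, learned_from, queue = {origin: (origin,)}, {origin: None}, deque([origin])
    while queue:
        me = queue.popleft()
        for nb in sorted(adj[me]):                # sorted for deterministic output
            if nb in paths:
                continue
            if learned_from[me] is None or should_export(me, learned_from[me], nb):
                paths[nb] = (nb,) + paths[me]
                learned_from[nb] = me
                queue.append(nb)
    return paths
```

`propagate("1")` gives C the path C A 1 and 2 the path 2 B A 1; `should_export("B", "A", "C")` is False, which is exactly the "No way!" on the slide.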
BGP Security
• Core Problem?
• BGP itself authenticates neither its peers nor the routing information they exchange, so…
• … anyone on the path between two routers can inject messages into the session
• … anyone can claim any path
• … anyone can claim to be the origin of any prefix.
• How does this compare to the security issues we just discussed in DNS?
BGP Misconfiguration
• There are numerous examples of BGP misconfigurations that have led to widespread traffic outages:
• AS 7007 (1997)
• Con Edison (2006)
• Pakistan Telecom (2008)
• These incidents are all confirmed to have been accidental.
BGP Misconfiguration?
November 2013
Protecting Sessions
• BGP nodes use TCP connections to communicate.
• What sorts of attacks are they susceptible to?
• Solutions:
• TTL “security” (GTSM, RFC 5082)
• MD5 digests (TCP MD5 signature option, RFC 2385)
• IPsec
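The first two session protections worked through in Python, as an added example that is not part of the slides: the RFC 2385 TCP MD5 signature computed and verified over a constructed BGP KEEPALIVE segment, and the GTSM TTL check. The peer addresses, port, sequence numbers and shared password are all made up for the demo.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
BGP_PORT = 179
TCPOPT_MD5 = 19                                   # RFC 2385 option kind; 18 bytes long
MD5_OPT_HDR = struct.pack("!BB", TCPOPT_MD5, 18)

def rfc2385_digest(src_ip, dst_ip, segment, key):
    """RFC 2385 signature: MD5 over the TCP pseudo-header, the fixed 20-byte TCP
    header with the checksum zeroed, the segment data, and the shared key.
    TCP options are NOT covered; the pseudo-header length covers the whole segment."""
    data_offset = (segment[12] >> 4) * 4          # header length incl. options
    header = bytearray(segment[:20])
    header[16:18] = b"\x00\x00"                   # checksum field assumed zero
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    return hashlib.md5(pseudo + bytes(header) + segment[data_offset:] + key).digest()

def build_segment(src_ip, dst_ip, sport, payload, key, seq=1000, ack=2000):
    """Sender side: TCP header + MD5 option (18 bytes + 2 NOPs) + payload, with the
    digest written into the option at bytes 22..37."""
    options = MD5_OPT_HDR + bytes(16) + b"\x01\x01"
    data_offset = (20 + len(options)) // 4        # 10 words = 40 bytes, top nibble of byte 12
    header = struct.pack("!HHIIBBHHH", sport, BGP_PORT, seq, ack,
                         data_offset << 4, 0x18, 65535, 0, 0)   # flags 0x18 = PSH|ACK
    segment = bytearray(header + options + payload)
    segment[22:38] = rfc2385_digest(src_ip, dst_ip, bytes(segment), key)
    return bytes(segment)

def find_md5_option(segment):
    """Walk the TCP options and return the 16-byte digest, or None if absent."""
    data_offset = (segment[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == 0:                             # end of option list
            break
        if kind == 1:                             # NOP
            i += 1
            continue
        length = segment[i + 1]
        if length < 2:                            # malformed option; stop parsing
            break
        if kind == TCPOPT_MD5 and length == 18:
            return segment[i + 2:i + 18]
        i += length
    return None

def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: recompute and compare in constant time. A segment without the
    option, signed with another key, or with altered header/data is dropped."""
    received = find_md5_option(segment)
    if received is None:
        return False
    return hmac.compare_digest(received, rfc2385_digest(src_ip, dst_ip, segment, key))

def gtsm_accepts(ttl, max_hops=1):
    """RFC 5082 GTSM: the peer sends with TTL 255, so a packet from a neighbour at
    most max_hops away arrives with TTL >= 256 - max_hops. A spoofed packet from
    farther away has been decremented too often and is dropped before BGP sees it."""
    return ttl >= 256 - max_hops

# Constructed sample: a BGP KEEPALIVE (16-byte marker, length 19, type 4) between
# two peers sharing a made-up password.
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
KEY = b"constructed-peer-password"
PEER_A, PEER_B = "192.0.2.1", "192.0.2.2"

def demo():
    seg = build_segment(PEER_A, PEER_B, 40000, KEEPALIVE, KEY)
    genuine = verify_segment(PEER_A, PEER_B, seg, KEY)
    wrong_key = verify_segment(PEER_A, PEER_B, seg, b"guess")
    tampered = bytearray(seg)
    tampered[-1] ^= 0x01                          # flip the BGP type byte: KEEPALIVE -> 5
    altered = verify_segment(PEER_A, PEER_B, bytes(tampered), KEY)
    return genuine, wrong_key, altered
```

`demo()` returns `(True, False, False)`. Two caveats worth keeping in mind: TCP MD5 is a long-lived static key over a weak hash with no rekeying or algorithm agility (TCP-AO, RFC 5925, is its replacement), and both it and GTSM protect only the session against off-path injection; they say nothing about whether the routes carried inside are truthful.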
IPsec and the IP protocol stack
• IPsec inserts its two main protocols between IP and the transport protocols:
‣ AH - authentication header
‣ ESP - encapsulating security payload
• Tunnel vs. transport mode?
• Other functions are provided by external protocols and architectures:
‣ Key management/authentication
‣ Policy
[Figure: protocol stack with application protocols (SMTP, FTP, HTTP) over TCP and UDP, and AH and ESP sitting between the transport layer and IP.]
Practical Issues and Limitations
• IPsec implementations
• Large footprint
• resource-poor devices are in trouble
• New standards to simplify (e.g., JFK, IKEv2)
• Slow to adopt new technologies
• Issues
• IPsec tries to be “everything for everybody at all times”
• Massive, complicated, and unwieldy
• Policy infrastructure has not emerged
• Large-scale management tools are limited (e.g., Cisco)
• Often not used securely (common pre-shared keys)
Defensive Filtering
• Prevent “bad” routing updates through careful consideration of new advertisements.
• CIDR report (for “bogons/martians”)
• Routing Registries
• Filter small subnets
• Prefix number limitations
• Limitations? Such filtering can only remove updates that are obviously bad; it will miss subtle problems and deliberate attacks, for example a forged AS-PATH that ends in the legitimate origin.
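The four filters on this slide applied to a stream of announcements, as an added Python example that is not from the lecture. The bogon list is a subset of the well-known reserved ranges; the "registry" and the announcements (prefixes, AS numbers) are constructed stand-ins for IRR data and a real peer. The last announcement in `UPDATES` is the slide's limitation made concrete: a forged path that ends in the registered origin passes every check.

```python
import ipaddress

# Bogon / martian space a border router should never accept from a peer
# (a subset; production filters are generated from the CIDR report / bogon feeds).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed routing-registry data (prefix -> registered origin AS), standing in
# for what a query to an IRR would return.
REGISTRY = {"198.100.0.0/16": 64500, "203.1.0.0/16": 64501}

MAX_PREFIX_LEN = 24         # "filter small subnets": nothing longer than /24
MAX_PREFIXES_PER_PEER = 3   # "prefix number limitations": tiny limit for the demo

def check_update(prefix, as_path):
    """Static sanity checks on one announcement. as_path lists ASes nearest first,
    so the origin is the last element. Returns 'accept' or a 'reject: ...' reason."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    if any(net.overlaps(b) for b in BOGONS):
        return "reject: bogon/martian"
    if net.prefixlen > MAX_PREFIX_LEN:
        return f"reject: longer than /{MAX_PREFIX_LEN}"
    registered = {o for p, o in REGISTRY.items() if net.subnet_of(ipaddress.ip_network(p))}
    if registered and origin not in registered:
        return f"reject: origin AS{origin} not registered for {prefix}"
    return "accept"

def process_peer_updates(updates):
    """Run a peer's announcements through the filters and enforce the max-prefix
    limit: exceeding it tears the session down (every route from the peer is dropped)."""
    accepted, rejected = [], []
    for prefix, as_path in updates:
        verdict = check_update(prefix, as_path)
        (accepted if verdict == "accept" else rejected).append((prefix, verdict))
        if len(accepted) > MAX_PREFIXES_PER_PEER:
            return {"session": "torn down (max-prefix exceeded)", "accepted": [], "rejected": rejected}
    return {"session": "up", "accepted": accepted, "rejected": rejected}

# Constructed announcements from one peer (AS 64510).
UPDATES = [
    ("198.100.0.0/16", [64510, 64500]),          # registered origin: accepted
    ("10.1.0.0/16",    [64510, 64511]),          # private space: bogon
    ("198.100.4.0/25", [64510, 64500]),          # too specific
    ("203.1.0.0/16",   [64510, 64666]),          # wrong origin for a registered prefix
    ("203.1.0.0/16",   [64510, 64666, 64501]),   # path forged to end in the real origin: passes
]
```

`process_peer_updates(UPDATES)` accepts two announcements, the honest one and the forged one; nothing in the static filters can tell them apart because the origin AS is just a number the attacker appends.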
S-BGP
• First comprehensive solution specifically targeting BGP.
• Relies on a PKI for distributing certificates to all ASes
• Address attestations (which AS may originate which address ranges) are signed and distributed out-of-band.
• Route attestations: each AS along the path signs the BGP UPDATE (prefix plus the path so far) before forwarding it
• Pro: Comprehensive!
• Con: Heavyweight, slow!
… and More
• S-BGP is probably too heavyweight to actually deploy.
• soBGP allows configurable tradeoffs between security and overhead.
• IRV creates a central repository for validating routing updates.
• Others explore techniques such as signature amortization and efficient data structures to solve S-BGP’s deployment problems.
• Current status (as of this lecture, fall 2015): no strong BGP security solution is widely deployed
Detection Mechanisms
• Multiple Origin AS (MOAS) detection looks for prefixes that are originated by more than one AS.
• Prefix Hijacking Alert System (PHAS) notifies the prefix owner of origin changes so the owner can confirm or reject them.
• Pretty Good BGP (PGBGP) relies on historical data to determine which changes can be considered “normal”.
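The three detection ideas combined in one toy monitor, as an added Python example that is not the original MOAS, PHAS or PGBGP code: an origin becomes "normal" for a prefix only after it has been announced for a quarantine period (PGBGP), a second origin for a prefix raises a MOAS alert, a more-specific prefix from an origin that never announced the covering prefix raises a sub-prefix alert, and an owner can explicitly approve an origin (PHAS). The announcement stream, timings and AS numbers are constructed.

```python
import ipaddress

DAY = 86400

class OriginMonitor:
    """Toy origin monitor: history of (prefix, origin) pairs with first/last-seen
    timestamps, a quarantine before a pair is trusted, and owner approvals."""

    def __init__(self, history=10 * DAY, quarantine=DAY):
        self.history, self.quarantine = history, quarantine
        self.first_seen, self.last_seen, self.approved = {}, {}, set()

    def approve(self, prefix, origin):           # PHAS-style: owner confirms a change
        self.approved.add((prefix, origin))

    def trusted_origins(self, prefix, t):
        """Origins announced for `prefix` for at least `quarantine` seconds and
        still seen within the `history` window."""
        return {o for (p, o), first in self.first_seen.items()
                if p == prefix and t - first >= self.quarantine
                and t - self.last_seen[(p, o)] <= self.history}

    def observe(self, t, prefix, origin):
        """Classify one announcement seen at time t. Returns (verdict, detail)."""
        net = ipaddress.ip_network(prefix)
        trusted = self.trusted_origins(prefix, t)
        if origin in trusted or (prefix, origin) in self.approved:
            verdict = ("normal", None)
        elif trusted:
            verdict = ("moas", sorted(trusted))          # second origin for a known prefix
        else:
            covering = {(p, o) for (p, o) in self.first_seen
                        if p != prefix and net.subnet_of(ipaddress.ip_network(p))
                        and o in self.trusted_origins(p, t)}
            if covering and origin not in {o for _, o in covering}:
                verdict = ("subprefix", sorted(covering))   # more specific from a stranger
            else:
                verdict = ("new", None)                     # unseen prefix, or owner de-aggregating
        self.first_seen.setdefault((prefix, origin), t)
        self.last_seen[(prefix, origin)] = t
        return verdict

# Constructed announcement stream: (time in seconds, prefix, origin AS).
EVENTS = [
    (0,              "198.100.0.0/16", 64500),
    (2 * DAY,        "198.100.0.0/16", 64500),   # past quarantine: normal
    (3 * DAY,        "198.100.0.0/16", 64666),   # MOAS
    (3 * DAY + 3600, "198.100.8.0/24", 64666),   # sub-prefix from the stranger
    (3 * DAY + 7200, "198.100.8.0/24", 64500),   # owner's own more-specific: just new
    (5 * DAY,        "198.100.0.0/16", 64666),   # hijack persisted past quarantine
]

def run(events=EVENTS, approvals=()):
    """Feed the stream to a fresh monitor; returns the verdict names in order."""
    mon = OriginMonitor()
    for p, o in approvals:
        mon.approve(p, o)
    return [mon.observe(t, p, o)[0] for t, p, o in events]
```

`run()` yields `new, normal, moas, subprefix, new, normal`. The final `normal` is the weakness of purely historical schemes: an attacker who keeps announcing past the quarantine becomes part of the baseline, which is why PHAS puts the owner in the loop instead of the history.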
Importance
• Without BGP, the Internet simply does not exist: networks are isolated islands.
• If large-scale routing attacks occur, it may be a VERY long time before traffic becomes routable again.
• Bellovin argues that the Internet may actually NEVER come back up.
• Deploying some secure inter-domain routing system will be the next great challenge in Internet security.