SECURING BGP
Matthew Nickasch, [email protected]
University of Wisconsin-Platteville, Dept. of Computer Science & Software Engineering
BGP – Quick Overview
•External Routing Protocol
 ▫Interior vs. Exterior Gateway Protocols
 ▫The Autonomous System (AS)
 ▫Routing between ISPs
•BGP – Only EGP in use
Functions of BGP
•Shortest path not priority
•Routing policy
•Removal of routing loops
•Broken link removal
•Determine which IPs “go where”
 ▫Responsibility of address blocks
Basic Operation of BGP
•Connections between border routers peer with neighboring ASes
•TCP port 179
•Manual session creation
 ▫Complete copies of routing table sent to neighbors
 ▫Evaluate received routes
 ▫Better route through neighbor? UPDATE
 ▫Only update when routes change
Intra/Inter AS Routing
[Diagram: AS 100, AS 200, AS 300, AS 400 and AS 500 exchanging routes under peering rules; inside AS 500, the LAN core and the border routers BOR_1 and BOR_2]
Routing Policy
•When to send routes?
•Where to send routes?
•Peering Responsibility
 ▫Accept routes from known peers
 ▫Don’t accept routes from non-peers
 ▫Route efficiency hampered by political boundaries
 ▫Route preference configuration
•ACL (Access Control Lists)
•Error Checking
An ISP’s Use of BGP
•Importance of filtering
•Address block size
 ▫Prefix “overload” (small networks/subnets)
 ▫Delegate BGP handling to ISP
•Utilization of peering paths
BGP Looking Glass Demo
•Looking Glass
 ▫route-views.ab.bb.telus.com
•ARIN AS Whois Lookup
•Prefix / AS Query
Security Considerations
•BGP – Single Point of Failure?
 ▫Only EGP in use
 ▫Comparison with IGPs: OSPF, RIP, IS-IS, etc.
 ▫EGP standardization difficult: “big” router vendors
   Early Cisco stronghold; now Juniper, Nortel, etc.
   Different vendors want different implementations
Security Considerations
•A “trusting protocol”
 ▫Very little error checking
 ▫Route verification requires route lookups: 30,000+ ASes × 120,000 unique routes = TIME
 ▫Garbage in, garbage out
•Physical Infrastructure
 ▫9/11 “Meet Me Facilities”
 ▫Peering Points
 ▫Physical router compromise
Security Considerations
•Human error
 ▫Human error to human intent (exploit errors)
•Remote router compromise
 ▫IOS vulnerabilities, etc.
•Social Engineering vulnerabilities
•BGP traffic sniffing
 ▫Message injection / modification
 ▫Man-in-the-middle
Security – Assembling the Risk
•SPOF
•Trusting protocol + lack of error checking
•Physical Infrastructure
•Human Error
•Router security flaws
•Social Engineering
•Unencrypted message transport
•DoS / MIM / TCP-style attacks
•Supporting entire Internet routing structure
YouTube Route Hijacking
•Prime example of human ‘error’
 ▫Illustrates violation of route trust
 ▫Easily replicated by attacker
 ▫Proves that attack vectors are in place
   Compromised router could cause similar results
   Relatively simple attack: “invalid route announcement”
   Potential large worldwide attack against many ASes
YouTube Route Hijacking
•YT always announces 208.65.152.0/22
•Pakistani Telecom announces 208.65.153.0/24
•Routes propagate to bordering ASes
 ▫Traffic destined for network directed to PT
•YT announces 208.65.153.0/24
•Duplicate announcement entry (shortest path)
•YT announces 208.65.153.128/25
 ▫Longest-prefix-match rule: most specific route
[Diagram: YouTube (AS 36561) pre-hijack vs. Pakistani Tel (AS 17557) hijack]
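A worked replay of the announcement sequence on this slide, added here as an illustration (it is not part of the original slides): a small Python model of longest-prefix-match selection, with shortest AS path as the tie-breaker, shows which origin AS carries the traffic after each step. The prefixes and the origin ASNs come from the slides; the upstream ASNs (taken from the RFC 5398 documentation range) and the AS-path lengths are assumptions.

```python
import ipaddress

# Constructed view from a third-party AS that receives the announcements
# described on the slide. Upstream ASNs 64496-64499 (documentation range)
# and the AS-path lengths are assumptions; 36561 (YouTube), 17557
# (Pakistan Telecom) and the prefixes are from the slides.
YT, PT = 36561, 17557
VICTIM = "208.65.153.238"   # constructed address inside YouTube's /22


def best_route(rib, dst):
    """BGP-style selection for one destination: the longest matching prefix
    wins; among equally specific prefixes the shortest AS path wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(p), path) for p, path in rib
                  if addr in ipaddress.ip_network(p)]
    if not candidates:
        return None
    net, path = min(candidates, key=lambda c: (-c[0].prefixlen, len(c[1])))
    return str(net), path[-1]            # (winning prefix, origin AS)


def replay_hijack():
    """Replay the four stages of the incident; return who carries VICTIM's
    traffic after each stage as (prefix, origin AS)."""
    stages = []
    rib = [("208.65.152.0/22", [64496, YT])]              # 1: normal operation
    stages.append(best_route(rib, VICTIM))
    rib.append(("208.65.153.0/24", [64497, PT]))           # 2: PT announces a /24
    stages.append(best_route(rib, VICTIM))                 #    more specific: PT wins
    rib.append(("208.65.153.0/24", [64498, 64499, YT]))    # 3: YT announces the same /24
    stages.append(best_route(rib, VICTIM))                 #    same length, PT's path is shorter here
    rib.append(("208.65.153.128/25", [64498, 64499, YT]))  # 4: YT announces a /25
    stages.append(best_route(rib, VICTIM))                 #    most specific again: YT wins back
    return stages


if __name__ == "__main__":
    for i, (prefix, origin) in enumerate(replay_hijack(), 1):
        print(f"stage {i}: {VICTIM} -> {prefix} via AS {origin}")
```

Stage 3 shows why announcing the same /24 was not enough from this vantage point: with equal prefix length the decision falls to AS-path length, which the victim does not control, whereas the /25 in stage 4 wins on prefix length alone.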
Detecting Invalid/False Routes
•Response
 ▫“Firefighter” mentality to BGP problems
 ▫Symptom-based response too late
 ▫Cooperation between ASes?
 ▫Governing ‘body’ for BGP disputes
YouTube – What We’ve Learned
•ISP Routing Policy
•“Routing Registry” – RIPE
•Certificate-based approvals
•BGP not substitute for ACLs!
•Exploitation of protocol “trust”
•Rapid replication
•Extreme vulnerability
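The “importance of filtering”, “accept routes from known peers” and “BGP not substitute for ACLs” points above amount to an inbound prefix filter derived from a routing registry. The following is an added illustration (not code from the original slides) of such a per-peer filter in Python; the peer ASNs, registered prefixes and maximum prefix length are constructed policy values.

```python
import ipaddress

# Constructed per-peer policy in the spirit of an IRR-derived prefix list:
# each peer AS maps to the prefixes it is registered to originate and the
# most specific length we accept from it. ASNs 64496-64498 are from the
# documentation range; the prefixes are documentation prefixes.
PEER_POLICY = {
    64496: {"allowed": ["203.0.113.0/24"], "max_len": 24},
    64497: {"allowed": ["198.51.100.0/22"], "max_len": 24},
}
# Address space that should never be learned from a peer (bogon/martian list,
# abbreviated for the example).
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def filter_update(peer_as, prefix, as_path):
    """Return (accept, reason) for one inbound announcement from peer_as."""
    net = ipaddress.ip_network(prefix, strict=False)
    policy = PEER_POLICY.get(peer_as)
    if policy is None:
        return False, "non-peer"                   # don't accept routes from non-peers
    if not as_path or as_path[0] != peer_as:
        return False, "as-path does not start with peer"   # neighbor must be first hop
    if any(net.subnet_of(m) for m in MARTIANS):
        return False, "martian"
    if net.prefixlen > policy["max_len"]:
        return False, "too specific"               # prefix overload / de-aggregation
    if not any(net.subnet_of(ipaddress.ip_network(a)) for a in policy["allowed"]):
        return False, "not registered to peer"     # e.g. a leaked or hijacked prefix
    return True, "ok"


if __name__ == "__main__":
    # The YouTube /24 arriving from a peer that is not registered for it is
    # dropped at the edge instead of propagating.
    print(filter_update(64496, "208.65.153.0/24", [64496]))
```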
Protocol Security
•MD5 & other encryption
 ▫Hard to standardize between all ASes
 ▫Vendor agreement issues
•“Reinventing” the protocol
 ▫Secure BGP
 ▫PGBGP
 ▫Revisions to existing BGP
Secure BGP (SBGP)
•Public key infrastructure (PKI)
 ▫Authentication/ownership of IP address space
 ▫AS identity verification
 ▫Encrypting BGP Update messages
•Implementation
 ▫Vendor support must be unanimous
 ▫All ASes must agree to adopt SBGP, or any other protocol-level change
Secure BGP (SBGP)
•Doesn’t prevent human error
 ▫“Encrypting garbage”
•Origins
 ▫NSA/DoD initial support (1997)
 ▫DARPA
•Next Steps
 ▫PKI infrastructure, CA
 ▫Oversight organization for PKI? Hosting?
Pretty Good BGP (PGBGP)
•Cautiously accepting/updating routes
 ▫Suspicious updaters
 ▫Quarantine routes
 ▫Time-delay updates
•Implementation – Adapt PGBGP logic?
 ▫Vendor support could vary – depends on route-accepting algorithms
 ▫Introduce PGBGP logic into existing BGP environment
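An added illustration of the PGBGP idea on this slide (suspicious updates, quarantine, time delay), written for this page and not the PGBGP reference implementation: a monitor that keeps a history of which origin AS has announced each prefix, and holds down any announcement of known address space from a new origin. The hold-down length is an assumption; the prefixes and ASNs are the YouTube case from the earlier slides.

```python
import ipaddress

# Added illustration of the PGBGP idea, not PGBGP's own code. The hold-down
# length is an assumption; 208.65.152.0/22, 36561 (YouTube) and 17557
# (Pakistan Telecom) are from the slides.
HOLD_DOWN = 24 * 3600   # seconds a suspicious route stays depreferred


class PGBGPMonitor:
    def __init__(self):
        self.history = {}      # prefix -> set of origin ASes seen in stable history
        self.quarantine = {}   # (prefix, origin) -> time the hold-down expires

    def learn(self, prefix, origin_as):
        """Seed history from the pre-existing, trusted RIB."""
        self.history.setdefault(ipaddress.ip_network(prefix), set()).add(origin_as)

    def classify(self, prefix, origin_as, now):
        """Return 'accept' or 'quarantined' for one inbound announcement.
        A quarantined route is not dropped: PGBGP only depreferences it, so it
        is used only when no trusted route covers the destination."""
        net = ipaddress.ip_network(prefix)
        key = (net, origin_as)
        if key in self.quarantine:                   # seen before: hold-down expired?
            if now < self.quarantine[key]:
                return "quarantined"
            del self.quarantine[key]                 # persisted for HOLD_DOWN: now trusted
            self.history.setdefault(net, set()).add(origin_as)
            return "accept"
        covering = [k for k in self.history if net.subnet_of(k)]
        if any(origin_as in self.history[k] for k in covering):
            self.history.setdefault(net, set()).add(origin_as)   # known origin for this space
            return "accept"
        if covering:                                 # new origin inside known space: suspicious
            self.quarantine[key] = now + HOLD_DOWN
            return "quarantined"
        self.history.setdefault(net, set()).add(origin_as)   # entirely new space: accepted (simplification)
        return "accept"


def replay_youtube():
    """Walk the YouTube case through the monitor; returns the three verdicts."""
    m = PGBGPMonitor()
    m.learn("208.65.152.0/22", 36561)                    # stable history: YT owns the /22
    v1 = m.classify("208.65.153.0/24", 17557, now=100)   # PT's /24: new origin inside YT's space
    v2 = m.classify("208.65.153.0/24", 36561, now=200)   # YT's own /24: origin known for the /22
    v3 = m.classify("208.65.153.0/24", 17557, now=100 + HOLD_DOWN)   # PT persists past the hold-down
    return v1, v2, v3
```

The third verdict is the point of the "time-delay" caveat: a hold-down buys operators time to notice and react, but an announcement that persists beyond it is eventually trusted, which is why the later slides call PGBGP one layer rather than the end-all solution.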
Layered Security Analysis
[Layered diagram with the following layers]
•PHYSICAL SECURITY
•SOCIAL ENGINEERING
•HUMAN ERROR
•INADEQUATE CORP / ORG / ISP POLICY
•AVAILABLE “TCP-STYLE” VECTORS
•SOURCE / SENDER AUTHENTICATION
•BGP PROTOCOL WEAKNESSES
•SINGLE POINT OF FAILURE (INTERNET)
Layered Solution
•Protocol level
 ▫SBGP (PKI) + PGBGP (update logic) = a more secure solution
 ▫Limits peer trust, introduces authentication and encryption
 ▫AS identity verification
 ▫Slower route change replication throughout the Internet
 ▫Not the end-all solution!
Layered Solution
•Implement stringent ISP routing policy
•Implement SBGP + PGBGP logic into existing protocol
 ▫Attain vendor agreement on implementation
•Reduce human error
•Enforce proper use of BGP (ACL example)
•Router security / minimize vectors
•Physical security, etc.
Q/A?
Matthew Nickasch, [email protected]