BGP Prefix Origin Validation

Presentation transcript:

BGP Prefix Origin Validation Keyur Patel (keyupate@cisco.com) May, 2011

Security issues with sourcing of BGP Routes
- Any AS can source/announce incorrect prefixes within BGP
  - Either by mistake (most cases)
  - Or with malicious intent
- In either case, the AS can hijack prefixes owned by another AS
  - Has an impact on end-to-end data forwarding
- BGP prefixes can be hijacked by
  - Sourcing a prefix (with better BGP metrics) that is owned by some other AS
  - Sourcing a more specific for a prefix that is owned by some other AS

The main motivation behind using BGP Prefix Origin Validation is …..

Prefix hijacking using the same prefix with a shorter AS_PATH (figure; source: NANOG 46 presentation)

Prefix hijacking using a more specific prefix length (figure; source: NANOG 46 presentation)

BGP Prefix Origin Validation
- Mechanism within BGP to identify incorrectly sourced prefixes and prevent them from being selected as BGP Bestpaths
- Provides Origin AS Validation for BGP prefixes
- Solution for
  - The YouTube accident
  - The 7007 accident (MAI) that affected SPRINT, UUNET and others
  - Any kind of accidental announcement due to incorrect sourcing of BGP prefixes (99% of mis-announcements fall under this category)
- Does NOT solve BGP path hijacking related issues
  - Origin validation does not provide assurance of the BGP AS_PATH received in an update message

Router Modifications for BGP Prefix Origin Validation
Router modifications involve implementation of 3 SIDR drafts:
- Draft 1: RPKI Router protocol defined in the IETF draft-sidr-rpki-rtr-protocol12.txt
  - Means of communication between a trusted Cache and BGP routers
  - Helps create and maintain within BGP a new address-family specific digested RPKI database in the form of {IP prefix, Origin AS} tuples
  - Edge routers *do NOT* deal with RPKI complexity. They instead use the digested RPKI information to do Origin validation
- Draft 2: Origin Validation related BGP protocol modifications defined in the IETF draft-ietf-sidr-pfx-validate-01.txt
  - Perform Origin AS validation on the AS_PATHs of received EBGP prefixes
  - Invalidate prefixes with an incorrect origin AS

Router Modifications for BGP Prefix Origin Validation Involves *Implementing* RPKI Router Protocol as defined….. First draft involves implementing RPKI Router protocol defined in …. This protocol helps create and maintain within BGP …..

Router Modifications (Cont’d)
- Draft 3: BGP RPKI origin validation state announcement defined in the IETF draft-ietf-sidr-origin-validation-signaling-00.txt
  - Announce path validation state within an IBGP network
  - Using a new extended community defined in draft-ietf-sidr-origin-validation-signaling-00.txt
- Alternate approach to using the path validation state community
  - Implementations could translate path validation state into appropriate IBGP parameters that influence BGP Bestpath processing using route policies

The 3rd draft provides a means to communicate path validation state information within an IBGP network

RPKI Origin Validation Architecture [diagram; recoverable labels: IR Back End (hardware signing module, private keys, ROAs issued, IP resource certs, ASN resource certs, CA data, key/cert management, up/down protocol to downstreams, publication / repo management), rcynic gatherer, near/in-PoP cache/server, RPKI-to-router feed to the BGP speaker, provisioning GUI]

Large ISP deployment for Trusted Caches [diagram; labels: Global RPKI, regional caches (Asia, NoAm, Euro), in-PoP / customer-facing caches]

BGP RPKI Router Protocol
- Client-Server protocol used between trusted RPKI Caches and BGP Routers having EBGP internet peering
- Has TCP or SSHv2 as its transport
- Announces digested RPKI Prefix Origin information in the form of protocol IPvx PDUs
- Has the ability to request/announce the entire record table at any time during the lifetime of the session
- Can do an incremental re-sync or a full announcement of prefix records on session re-establishment
- Initial Cisco IOS release plans to:
  - Run TCP as the transport on its BGP Routers
  - Implement the client-side functionality of the RPKI router protocol

RPKI Router Protocol PDUs
- Serial Notify: Local Cache informs the router about new data
- Serial Query: Router requests updates from the Cache
- Reset Query: Router requests the Cache to send its entire database
- Cache Response: Cache replies to a Reset Query by announcing its entire database
- End of Data PDU: Cache signals the end of database announcements

RPKI Router Protocol PDUs (cont’d)
- Cache Reset: Local Cache informs the router about its inability to provide an incremental update for a particular Serial Query
- Error Report: Used to signal errors detected while parsing PDUs
  - Internal Errors: memory exhaustion, code assertion failures, etc.
  - No Data Available: Cache cannot provide an incremental update for a particular Serial Query
- IPv4 Prefix: Used to announce an IPv4 prefix
- IPv6 Prefix: Used to announce an IPv6 prefix

RPKI Router Protocol Typical Exchange

    Validator Cache                    Router
         ~                               ~
         | <----- Reset Query --------  | R requests data
         |                              |
         | ----- Cache Response ----->  | C confirms request
         | ------- IPvX Prefix ------>  | C sends zero or more
         | ------- IPvX Prefix ------>  |   IPv4 and IPv6 Prefix
         | ------- IPvX Prefix ------>  |   Payload PDUs
         | ------  End of Data  ----->  | C sends End of Data
         |                              |   and sends new serial

RPKI Router Protocol Incremental Exchange (cont’d)

    Validator Cache                    Router
         ~                               ~
         | -------- Notify ---------->  | (optional)
         |                              |
         | <----- Serial Query -------  | R requests data
         | ----- Cache Response ----->  | C confirms request
         | ------- IPvX Prefix ------>  | C sends zero or more
         | ------- IPvX Prefix ------>  |   IPv4 and IPv6 Prefix
         | ------- IPvX Prefix ------>  |   Payload PDUs
         | ------  End of Data  ----->  | C sends End of Data
         |                              |   and sends new serial
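As an added example (not from the slides or from any IOS code), the following Python simulates the Reset Query and Serial Query exchanges above at the message level: PDUs are plain dicts rather than the wire encoding, and the cache's journal and history depth are assumptions of this code.

```python
# Added example: message-level model of the RPKI-Router exchanges on the slides.
# PDUs are dicts, not the on-the-wire format; the cache journal is an assumption.
class Cache:
    def __init__(self, history=3):
        self.serial = 0
        self.records = set()    # (prefix, maxLength, origin AS) tuples
        self.journal = {}       # serial -> [(announce?, record), ...]
        self.history = history  # how many serials of incremental data we keep

    def update(self, announces=(), withdraws=()):
        """New data from the global RPKI: bump the serial and record the delta."""
        self.serial += 1
        self.journal[self.serial] = [(True, r) for r in announces] + [(False, r) for r in withdraws]
        self.records = (self.records | set(announces)) - set(withdraws)
        for old in [s for s in self.journal if s <= self.serial - self.history]:
            del self.journal[old]   # too old: no incremental update possible from there

    def handle(self, query):
        """Answer a Reset Query or Serial Query with the PDU sequence from the slides."""
        if query["type"] == "Reset Query":
            changes = [(True, r) for r in sorted(self.records)]   # entire database
        else:
            since = query["serial"]
            if since < self.serial and since + 1 not in self.journal:
                return [{"type": "Cache Reset"}]   # cannot provide an incremental update
            changes = [c for s in sorted(self.journal) if s > since for c in self.journal[s]]
        prefix_pdus = [{"type": "IPv%d Prefix" % (6 if ":" in r[0] else 4),
                        "announce": a, "record": r} for a, r in changes]
        return [{"type": "Cache Response"}] + prefix_pdus + [{"type": "End of Data", "serial": self.serial}]


class Router:
    def __init__(self):
        self.serial = None      # None: no data yet, so a full Reset Query is needed
        self.table = set()      # digested {prefix, maxLength, origin AS} database

    def sync(self, cache):
        """Incremental re-sync when we hold a serial, full announcement otherwise."""
        query = {"type": "Reset Query"} if self.serial is None else \
                {"type": "Serial Query", "serial": self.serial}
        for pdu in cache.handle(query):
            if pdu["type"] == "Cache Reset":
                self.serial = None
                self.table.clear()
                return self.sync(cache)   # fall back to a Reset Query
            if pdu["type"].endswith("Prefix"):
                (self.table.add if pdu["announce"] else self.table.discard)(pdu["record"])
            elif pdu["type"] == "End of Data":
                self.serial = pdu["serial"]   # adopt the cache's new serial
        return query["type"]
```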

RPKI Router Protocol and BGP Interaction [diagram: a BGP Border Router with eBGP peering to an eBGP Neighbor Router and iBGP peering to an iBGP Neighbor Router (ex. Route Reflector); the border router runs an RPKI Router protocol client (TCP based) towards the RPKI Validator Cache and keeps an AF-specific Prefix Validation database beside its AF-specific BGP tables]
- Receives prefixes from iBGP & eBGP peers
- Does inline prefix validation
- Does event-based validation on cache updates

BGP Modifications - High Level Code Flow
- Process received EBGP update messages
- Set Validation State for the BGP NLRIs and origin AS received in an update message
- Apply any inbound policies if configured
  - may use the path validation state computed by Prefix Origin Validation to set different policies
- Store the path in Adj-RIB-In
- Run Modified BGP Bestpath
- Evaluate the prefix for update generation to iBGP peers
  - outbound policies may use path validation state to manipulate different BGP attributes
  - Use a well-known extended community to announce path validation state

Prefix Validation Logic

    query key = <BGP prefix, masklen>, data = origin AS
    result = BGP_PFXV_STATE_NOT_FOUND
    walk prefix validation table to look for the query key
    for each matched “entry” node in prefix validation table,
        prefix_exists = TRUE
        walk all records with different maxLength values
        for each “record” within range (query masklen <= maxLength)
            if query origin AS == record origin AS
                result = BGP_PFXV_STATE_VALID
                return (result)
            endif
        endfor
    endfor
    if prefix_exists == TRUE,
        result = BGP_PFXV_STATE_INVALID
    endif
    return (result)

BGP Bestpath Selection Modifications
- Path Validation States (in order of preference)
  - BGP_PFXV_STATE_VALID (Lookup successful)
  - BGP_PFXV_STATE_NOT_FOUND (Not in the table)
  - BGP_PFXV_STATE_INVALID (Lookup invalid - different origin AS or masklen not in the range)
- BGP Bestpath Modifications
  - Input: Received Path, Current Bestpath
  - If the Received Path is an iBGP-learnt path without path validation state, then skip the Prefix Origination check
  - If the Received Path’s Prefix Origination Check state is BGP_PFXV_STATE_INVALID, then prefer the Current Bestpath
  - else if the Received Path’s Prefix Origination Check state > Current Bestpath Prefix Origination Check state, then prefer the Current Bestpath
  - else (they are equal) proceed to the next Bestpath check step
- Rest of the BGP Bestpath Steps
  - Normal Bestpath computation follows if the path validation state is converted into BGP parameters as part of a policy change
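As an added example (not code from the slides or from IOS), here are the Prefix Validation Logic and the Bestpath preference from the two preceding slides in Python, run against a constructed record table; only the 1.1.0.0/16 record is taken from the rpki-table slide, and the other records, the string state names and the "received"/"current"/"tie" return values are assumptions.

```python
# Added example: the slides' prefix validation logic and bestpath preference.
from ipaddress import ip_network

# Validation states in the slide's order of preference; lower rank is preferred.
VALID, NOT_FOUND, INVALID = "valid", "not_found", "invalid"
PREFERENCE = {VALID: 0, NOT_FOUND: 1, INVALID: 2}

# Constructed digest of (prefix, maxLength, origin AS). The 1.1.0.0/16 record
# comes from the rpki-table slide; the 12.0.0.0/8 records are assumptions.
VALIDATION_TABLE = [
    ("1.1.0.0/16", 24, 1),
    ("12.0.0.0/8", 16, 13979),
    ("12.0.0.0/8", 16, 7018),   # two records for one network entry
]


def validate(prefix, origin_as, table=VALIDATION_TABLE):
    """Prefix Validation Logic: key = <prefix, masklen>, data = origin AS."""
    route = ip_network(prefix)
    prefix_exists = False
    for rec_prefix, max_len, rec_as in table:
        rec = ip_network(rec_prefix)
        # "matched entry node": a record whose prefix covers the route
        if rec.version != route.version or not route.subnet_of(rec):
            continue
        prefix_exists = True
        # record "within range": query masklen <= maxLength, and same origin AS
        if route.prefixlen <= max_len and origin_as == rec_as:
            return VALID
    # covered by some record but matched by none -> INVALID, else NOT_FOUND
    return INVALID if prefix_exists else NOT_FOUND


def origin_check(received_state, current_state):
    """Bestpath modification: which path wins this step, or "tie" to continue."""
    if received_state is None or current_state is None:
        return "tie"        # path without validation state: skip the check
    if received_state == INVALID:
        return "current"    # an invalid received path never displaces the bestpath
    r, c = PREFERENCE[received_state], PREFERENCE[current_state]
    if r == c:
        return "tie"        # equal states: proceed to the next bestpath step
    return "received" if r < c else "current"
```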

Policy and Path Validation State
- Route-maps extended to modify policies based on path validation state
- Effective way of tweaking bestpath selection for iBGP paths based on their path validation state
- Route-map example:

    route-map rpki permit 10
     match rpki invalid
     set local-preference 50
    route-map rpki permit 20
     match rpki incomplete
     set local-preference 100
    route-map rpki permit 30
     match rpki valid
     set local-preference 200

BGP CLI Modifications
- Global CLI to [de-]configure the cache server
- AF specific BGP Bestpath CLI Changes
  - Disable Prefix Validation globally
  - Allow paths with an invalid RPKI state for Bestpath computation
- iBGP Neighbor CLI Changes
  - Announcement of Prefix Validation State using a well-known extended community
- Route-map policy knob to filter on path validation state

IOS Show commands

    uut1# show ip bgp rpki-table
    12 BGP sovc network entries using 1056 bytes of memory
    13 BGP sovc record entries using 208 bytes of memory

    Network          Maxlen  Origin-AS  Color  Source
    1.1.0.0/16 24 1
    3.0.0.0/24 2
    4.0.0.0/24 3
    4.0.0.0/8 8
    5.0.0.0/24 4
    8.0.0.0/4 6 200
    8.2.0.0/8 36394
    9.2.0.0/16 34000
    10.0.0.0/6 100
    11.0.0.0/16
    12.0.0.0/8 16 13979 7018
    20.137.0.0/21 21 4237

IOS Show Commands - Valid IPv4 Prefix

    uut1# show ip bgp 1.1.0.0/16
    BGP routing table entry for 1.1.0.0/16, version 19
    Paths: (1 available, best #1, table default)
      Advertised to update-groups:
         1          2
      1
        20.0.101.1 from 20.0.101.1 (20.0.101.1)
          Origin IGP, localpref 100, valid, external, best
          RPKI State valid

IOS Show Commands - Invalid IPv4 Prefix

    uut1# show ip bgp 8.0.0.0/6
    BGP routing table entry for 8.0.0.0/6, version 25
    Paths: (1 available, no best path)
      Not advertised to any peer
      100
        20.0.101.4 from 20.0.101.4 (20.0.101.4)
          Origin IGP, localpref 100, valid, external
          RPKI State invalid

IOS Show Commands - Not Found IPv4 Prefix

    uut1# show ip bgp 8.0.0.0
    BGP routing table entry for 8.0.0.0/8, version 10
    Paths: (1 available, best #1, table default)
      Advertised to update-groups:
         1          2
      65000
        20.0.101.10 from 20.0.101.10 (20.0.101.10)
          Origin IGP, localpref 100, valid, external, best
          RPKI State not found

Code Status
Remember: Please generate your Certificates and ROAs!
- Prototype code for BGP Origin Validation is available for IOS (7200s) and IOS-XR
- The IOS Marketing Roadmap has it for RLS12 in 2011. Similar roadmap for IOS-XR.
- Contact Ed Kern (ejk@cisco.com) or Bertrand Duvivier (bduvivie@cisco.com) if interested