Presentation is loading. Please wait.

Presentation is loading. Please wait.

BGP operations and security draft-jdurand-bgp-security-02.txt Jerome Durand Gert Doering Ivan Pepelnjak.

Published byArline Waters Modified over 8 years ago

Similar presentations

Presentation on theme: "BGP operations and security draft-jdurand-bgp-security-02.txt Jerome Durand Gert Doering Ivan Pepelnjak."— Presentation transcript:

1 BGP operations and security draft-jdurand-bgp-security-02.txt Jerome Durand Gert Doering Ivan Pepelnjak

2 Goals Describe BGP security best practices for the Internet Synthesis of many existing pieces available (Cymru, RIPE, many IETF docs, some well known pages…) Help smaller AS’es build secure and stable BGP networks Have consistent recommendations / best practices IP version agnostic (IPv4 and IPv6)

3 What’s covered: the basics Control-plane protection (ACL or CoPP) BGP session protection (TTL, MD5, TCP-AO)

4 What’s covered: prefix filters Default routes Special addresses per RFC 5735 (ex: RFC 1918) and IPv6 registry Unallocated addresses (IANA and RIR-based) RPKI Too specific prefixes (descriptive) IXP subnets (with examples)

5 IXP LAN: don’t accept more specifics More-specific IXP prefixes misdirect traffic and destroy EBGP sessions A router MUST NOT accept more specific prefixes for IXP LAN prefix IXP: A.B.C.0/22 R1R2.1.2.3 X.Z.Y.0 from A.B.C.1 A.B.C.0/24 from A.B.C.2

6 Transit ASLow-MTU AS IXP LAN prefix with pMTUd and uRPF ICMP packet sourced from IXP LAN address uRPF check might drop ICMP packet  IXP LAN prefix SHOULD be advertised Downstream AS might perform strict RIR filter  IXP prefix SHOULD pass RIR filter Solution: IXP AS advertises IXP LAN prefix IXP ICMP PTB 3 rd party AS RX Loose uRPF check

7 What’s covered: prefix use cases Use cases Full routing networks: filters with peers, upstreams and customers Leaf networks Filters described: Inbound and outbound filters Loose or strict filters

8 What’s covered: AOB BGP Route Flap Dampening (don’t) Maximum prefixes per peering/BGP neighbor AS-path filters (including customer-facing filters) Next-hop filters (or next-hop enforcement) BGP community scrubbing

9 BGP next hop filters BGP updates can have 3 rd party next hop Good for optimal traffic flow, bad on IXP LAN – Problem#1 – Traffic redirection – Problem#2 – Blackholing (invalid next hop) Solution: change BGP next-hop to peer’s IP address with inbound policy IXP: A.B.C.0/22 R1R2.1.2.3 Some.net from A.B.C.2 Other.net from A.B.C.42 3 rd party next hopInvalid next hop

10 Changes between -02 and -01 Prefixes were removed from the document and replaced with references to existing registries TCP security section now includes TCP-AO New section on control-plane protection Reworded text about acceptable prefix specificity in former section 4.1.3 to explain this doc does not try to make recommendations Remove any reference to anti-spoofing in former section 4.1.4 Clarification for IXP LAN prefix and pMTUd problem in former section 4.1.5

11 Changes between -02 and -01 Replace RIR database with IRR. A definition of IRR is added in former section 4.1.2.2 6to4 exception described (only more specifics must be filtered) should -> MUST for the prefixes an ISP needs to filter from its customers in former section 4.2.2.1 Added "plus some headroom to permit growth" in maximum prefix per peering section Added new section on Next-Hop filtering Rewording (ex: Ingress/Egress replaced by Inbound/Outbound), fixing typos, updated RFC references, and editing changes

12 Changes between -01 and -00 Add normative reference for RFC5082 in former section 3.2  TTL "Non routable" changed in title of former section 4.1.1  Prefixes that MUST not be routed by definition Correction of typo for IPv4 loopback prefix in former section 4.1.1.1 Added shared transition space 100.64.0.0/10 in former section 4.1.1.1 Clarification that 2002::/16 6to4 prefix can cross network boundaries in former section 4.1.1.2 Rationale of 2000::/3 explained in former section 4.1.1.2  In order to build simplified prefix filters Added 3FFE::/16 prefix forgotten initially in the simplified list of prefixes that MUST not be routed by definition in former section 4.1.1.2 Warn that filters for prefixes not allocated by IANA must only be done if regular refresh is guaranteed, with some words about the IPv4 experience, in former section 4.1.2.1

13 Changes between -01 and -00 Replace RIR database with IRR. A definition of IRR is added in former section 4.1.2.2 Remove any reference to anti-spoofing in former section 4.1.4  Not anti-spoofing as not dataplane! Clarification for IXP LAN prefix and pMTUd problem in former section 4.1.5  Using long discussions outcomes on RIPE ML "Autonomous filters" typo (instead of Autonomous systems) corrected in the former section 4.2 Removal of an example for manual address validation in former section 4.2.2.1 RFC5735 obsoletes RFC3300 Ingress/Egress replaced by Inbound/Outbound in all the document

14 Conclusion Great feedback received so far! – Lot of support and many contributions received – Read, Review & Comment! Read the document @ https://datatracker.ietf.org/doc/draft-jdurand-bgp-security/ Discuss on IETF OPSEC WG mailing list @ https://www.ietf.org/mailman/listinfo/opsec  Time for IETF OPSEC WG adoption (support)  Questions ?

Download ppt "BGP operations and security draft-jdurand-bgp-security-02.txt Jerome Durand Gert Doering Ivan Pepelnjak."

Similar presentations

An Operational Perspective on BGP Security Geoff Huston February 2005.

An Operational Perspective on BGP Security Geoff Huston February 2005.
BGP Unallocated Address Route Server Geoff Huston March 2002.

BGP Unallocated Address Route Server Geoff Huston March 2002.
Design Guidelines for IPv6 Networks draft-matthews-v6ops-design-guidelines-01 Philip Matthews Alcatel-Lucent.

Design Guidelines for IPv6 Networks draft-matthews-v6ops-design-guidelines-01 Philip Matthews Alcatel-Lucent.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Introduction to IPv4 Introduction to Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Introduction to IPv4 Introduction to Networks.
Chapter 22 IPv6 (Based on material from Markus Hidell, KTH)

Chapter 22 IPv6 (Based on material from Markus Hidell, KTH)
Technical Aspects of Peering Session 4. Overview Peering checklist/requirements Peering step by step Peering arrangements and options Exercises.

Technical Aspects of Peering Session 4. Overview Peering checklist/requirements Peering step by step Peering arrangements and options Exercises.
Routing Security Capabilities draft-zhao-opsec-routing-capabilities-02.txt OPSEC WG, IETF #66.

Routing Security Capabilities draft-zhao-opsec-routing-capabilities-02.txt OPSEC WG, IETF #66.
BGP.

BGP.
Border Gateway Protocol Ankit Agarwal Dashang Trivedi Kirti Tiwari.

Border Gateway Protocol Ankit Agarwal Dashang Trivedi Kirti Tiwari.
© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.

© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.
Swinog-7, 22nd october 2003 BGP filtering André Chapuis,

Swinog-7, 22nd october 2003 BGP filtering André Chapuis,
© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—2-1 BGP Transit Autonomous Systems Monitoring and Troubleshooting IBGP in a Transit AS.

© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—2-1 BGP Transit Autonomous Systems Monitoring and Troubleshooting IBGP in a Transit AS.
Www.huawei.com BGP Extensions for BIER draft-xu-idr-bier-extensions-01 Xiaohu Xu (Huawei) Mach Chen (Huawei) Keyur Patel (Cisco) IJsbrand Wijnands (Cisco)

BGP Extensions for BIER draft-xu-idr-bier-extensions-01 Xiaohu Xu (Huawei) Mach Chen (Huawei) Keyur Patel (Cisco) IJsbrand Wijnands (Cisco)
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.

1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 Routing Working at a Small-to-Medium Business or ISP – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 Routing Working at a Small-to-Medium Business or ISP – Chapter 6.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
1 Network Architecture and Design Routing: Exterior Gateway Protocols and Autonomous Systems Border Gateway Protocol (BGP) Reference D. E. Comer, Internetworking.

1 Network Architecture and Design Routing: Exterior Gateway Protocols and Autonomous Systems Border Gateway Protocol (BGP) Reference D. E. Comer, Internetworking.
Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.

Practical and Configuration issues of BGP and Policy routing Cameron Harvey Simon Fraser University.
CSE5803 Advanced Internet Protocols and Applications (7) 1 7.1 Introduction The IP addressing scheme discussed in Chapter 2 are classful and can be summarised.

CSE5803 Advanced Internet Protocols and Applications (7) Introduction The IP addressing scheme discussed in Chapter 2 are classful and can be summarised.
Extending Networks. Three Levels of Extension Physical Layer –Repeaters Link Layer –Bridges –Switches Network –Routers: “Connecting networks”

Extending Networks. Three Levels of Extension Physical Layer –Repeaters Link Layer –Bridges –Switches Network –Routers: “Connecting networks”

Similar presentations

Ads by Google