Border Gateway Protocol (BGP) and BGP Security
Jeff Gribschaw, Sai Thwin
ECE 4112 Final Project, April 28, 2005
ECE 4112 - Internetwork Security

Agenda
BGP Overview
Security Issues of BGP
Proposed Security Solutions for BGP
Introduction to the Lab
BGP Overview: Border Gateway Protocol (BGP)
Provides inter-domain routing between Autonomous Systems (ASes)
BGP neighbors exchange reachability information using route advertisements
Uses path-vector routing to prevent loops
– Each route advertisement carries the AS_PATH, the list of ASes the route has passed through
– A BGP speaker discards a received advertisement whose AS_PATH already contains its own AS number, since that route has already been around the loop once
Application-layer protocol that relies on TCP (port 179) for reliable transport
Supports policy-based routing
BGP Overview: Autonomous Systems
A set of routers under a single management authority
Can run any interior routing protocol (IGP) internally
Develop relationships with other Autonomous Systems
– Peering connections and transit connections
Have at least one BGP router (BGP speaker) that serves as the gateway to the rest of the Internet
BGP Overview: Autonomous Systems, Tiers and Connections
[Diagram: AS tiers and their connections; labels on the slide are BIG ISP, Tier 1, Tier 2, Transit Connection and Peer Connection]
BGP Overview: Exterior and Interior BGP
Exterior BGP (EBGP)
– Used between BGP speakers in separate ASes
– EBGP routers exchange reachability information only with neighbor ASes for which they are willing to carry traffic
Interior BGP (IBGP)
– Used between BGP speakers inside an AS that has multiple BGP routers (gateways to other ASes)
– Its purpose is to maintain a common view of current reachability information across the AS
BGP Overview: BGP Message Types
OPEN: sent immediately after the TCP connection is established; carries the AS number, hold time and router ID that set up the session
UPDATE: used to exchange routing information
– Route advertisements (reachable prefixes plus their path attributes)
– Route withdrawals
KEEPALIVE: sent periodically so that the peer's hold timer does not expire; it keeps the BGP session alive, independently of TCP's own connection handling
NOTIFICATION: used to report errors; the BGP session and its TCP connection are closed immediately afterwards
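As an added example (not code from the slides or the lab), a parser for the BGP message header and an UPDATE body, run over a constructed UPDATE. Go is used because it is the language of GoBGP and similar speakers. The header, prefix and path-attribute encodings follow RFC 4271; the message bytes, the addresses and the AS number are constructed for the example, and 2-byte AS numbers are assumed (no 4-byte AS capability negotiated).

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Update holds the parts of an UPDATE (type 2; OPEN 1, NOTIFICATION 3, KEEPALIVE 4) decoded here.
type Update struct {
	Withdrawn, Announced []string
	Origin               byte
	ASPath               []uint16 // 2-byte AS numbers, as in the original protocol
	NextHop              string
}

// SampleUpdate is constructed, not captured: it withdraws 57.35.10.0/24 and announces
// 57.35.5.0/24 via 199.110.254.42, AS_PATH 64700 (addresses from the lab's show ip bgp output).
var SampleUpdate = []byte{
	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // 16-byte all-ones marker
	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
	0x00, 0x31, 0x02, // length 49, type 2 = UPDATE
	0x00, 0x04, 0x18, 57, 35, 10, // withdrawn routes: 57.35.10.0/24
	0x00, 0x12, // total path attribute length 18
	0x40, 0x01, 0x01, 0x00, // ORIGIN = IGP
	0x40, 0x02, 0x04, 0x02, 0x01, 0xFC, 0xBC, // AS_PATH: AS_SEQUENCE {64700}
	0x40, 0x03, 0x04, 199, 110, 254, 42, // NEXT_HOP
	0x18, 57, 35, 5, // NLRI: 57.35.5.0/24
}

// ParseHeader validates the 19-byte header (16 bytes of 0xFF, length, type) and returns
// the type and body. A real speaker answers either failure with a NOTIFICATION and closes.
func ParseHeader(msg []byte) (byte, []byte, error) {
	if len(msg) < 19 || len(msg) > 4096 || int(binary.BigEndian.Uint16(msg[16:])) != len(msg) {
		return 0, nil, errors.New("bad message length")
	}
	if !bytes.Equal(msg[:16], bytes.Repeat([]byte{0xFF}, 16)) {
		return 0, nil, errors.New("bad marker")
	}
	return msg[18], msg[19:], nil
}

// parsePrefixes decodes the <bit length, truncated prefix> tuples used by both the
// withdrawn-routes field and the NLRI.
func parsePrefixes(b []byte) ([]string, error) {
	var out []string
	for len(b) > 0 {
		bits, n := int(b[0]), (int(b[0])+7)/8
		if bits > 32 || len(b) < 1+n {
			return nil, errors.New("malformed prefix")
		}
		ip := make(net.IP, 4)
		copy(ip, b[1:1+n])
		out, b = append(out, fmt.Sprintf("%s/%d", ip, bits)), b[1+n:]
	}
	return out, nil
}

// ParseUpdate decodes withdrawn routes, ORIGIN, AS_PATH, NEXT_HOP and NLRI, checking
// every length field against the bytes actually present before indexing.
func ParseUpdate(msg []byte) (*Update, error) {
	typ, body, err := ParseHeader(msg)
	if err != nil {
		return nil, err
	}
	if typ != 2 || len(body) < 4 || len(body) < 4+int(binary.BigEndian.Uint16(body)) {
		return nil, fmt.Errorf("not a well-formed UPDATE (type %d)", typ)
	}
	u, wlen := &Update{}, int(binary.BigEndian.Uint16(body))
	if u.Withdrawn, err = parsePrefixes(body[2 : 2+wlen]); err != nil {
		return nil, err
	}
	alen, rest := int(binary.BigEndian.Uint16(body[2+wlen:])), body[4+wlen:]
	if len(rest) < alen {
		return nil, errors.New("path attributes overrun the message")
	}
	attrs, nlri := rest[:alen], rest[alen:]
	for len(attrs) > 0 { // each attribute is <flags, type code, length, value>
		if len(attrs) < 3 || len(attrs) < 3+int(attrs[2]) {
			return nil, errors.New("attribute overruns the message")
		}
		if attrs[0]&0x10 != 0 { // extended-length flag (2-byte length) is not handled here
			return nil, errors.New("extended-length attribute not supported by this example")
		}
		code, l := attrs[1], int(attrs[2])
		val := attrs[3 : 3+l]
		switch {
		case code == 1 && l == 1: // ORIGIN: 0 IGP, 1 EGP, 2 incomplete
			u.Origin = val[0]
		case code == 2: // AS_PATH: segments of <segment type, AS count, 2-byte AS numbers>
			for ; len(val) >= 2; val = val[2+2*int(val[1]):] {
				if len(val) < 2+2*int(val[1]) {
					return nil, errors.New("bad AS_PATH segment")
				}
				for i := 0; i < int(val[1]); i++ {
					u.ASPath = append(u.ASPath, binary.BigEndian.Uint16(val[2+2*i:]))
				}
			}
		case code == 3 && l == 4: // NEXT_HOP: IPv4 address
			u.NextHop = net.IP(val).String()
		case code < 4: // ORIGIN or NEXT_HOP with the wrong length
			return nil, fmt.Errorf("bad length %d for attribute type %d", l, code)
		}
		attrs = attrs[3+l:]
	}
	if u.Announced, err = parsePrefixes(nlri); err != nil {
		return nil, err
	}
	return u, nil
}

func main() { fmt.Println(ParseUpdate(SampleUpdate)) }
```

Every length check in ParseUpdate exists because each of these fields is attacker-controlled once the TCP session is reachable: a length that overruns the message is exactly the kind of malformed UPDATE that should produce a NOTIFICATION rather than a crash or a misread attribute.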
BGP Overview: BGP Path Selection Process
Supports policy-based routing
The selection algorithm compares the following attributes in order and stops at the first one that differs (this is the Cisco IOS order; Weight is a Cisco-local attribute that is never advertised)
1. Highest Weight
2. Highest Local Preference
3. Prefer the route originated by the current router
4. Shortest AS_PATH
5. Lowest Origin type (IGP, then EGP, then incomplete)
6. Lowest Multi-Exit Discriminator (MED), compared only between routes learned from the same neighboring AS
Further tie-breakers and many other BGP attributes follow
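The loop check from the BGP Overview slide and the first six steps of the selection order above, as an added worked example that is not code from the slides or the lab. The Route fields are this example's own, and the AS numbers and next hops in the scenario are constructed, borrowed from the lab's show ip bgp output only for familiarity.

```go
package main

import "fmt"

// Route is one candidate path for a prefix with the attributes the selection steps compare.
// The field names are this example's own, not those of any BGP implementation.
type Route struct {
	Prefix, NextHop string
	Weight          int      // Cisco-local; never sent to a neighbor
	LocalPref       int      // carried only inside the AS (default 100)
	LocalOrigin     bool     // originated by this router
	ASPath          []uint32 // most recent AS first, as on the wire
	Origin          int      // 0 IGP, 1 EGP, 2 incomplete
	MED             int
}

// Receive is the path-vector loop check on a route learned over eBGP: an UPDATE whose
// AS_PATH already contains our own AS number has been round the loop once and is discarded.
func Receive(localAS uint32, r Route) (Route, bool) {
	for _, as := range r.ASPath {
		if as == localAS {
			return Route{}, false
		}
	}
	r.LocalPref = 100 // default local preference for routes learned from a neighbor AS
	return r, true
}

// Advertise is the copy of r an eBGP speaker in localAS sends on: its own AS is prepended
// so every later hop can run the same loop check, and the AS-local attributes are cleared.
func Advertise(localAS uint32, r Route) Route {
	r.ASPath = append([]uint32{localAS}, r.ASPath...)
	r.LocalPref, r.Weight = 0, 0
	return r
}

// better applies the first six selection steps in order and stops at the first that
// differs; true means a wins over b.
func better(a, b Route) bool {
	switch {
	case a.Weight != b.Weight:
		return a.Weight > b.Weight
	case a.LocalPref != b.LocalPref:
		return a.LocalPref > b.LocalPref
	case a.LocalOrigin != b.LocalOrigin:
		return a.LocalOrigin
	case len(a.ASPath) != len(b.ASPath):
		return len(a.ASPath) < len(b.ASPath)
	case a.Origin != b.Origin:
		return a.Origin < b.Origin
	case len(a.ASPath) > 0 && len(b.ASPath) > 0 && a.ASPath[0] == b.ASPath[0]:
		return a.MED < b.MED // MED is only compared between paths from the same neighbor AS
	}
	return false // still tied; a real speaker goes on to the later tie-breakers
}

// BestPath picks the winner among the candidate routes for one prefix.
func BestPath(cands []Route) (Route, bool) {
	if len(cands) == 0 {
		return Route{}, false
	}
	best := cands[0]
	for _, c := range cands[1:] {
		if better(c, best) {
			best = c
		}
	}
	return best, true
}

func main() {
	// Constructed scenario (AS numbers borrowed from the lab output): AS 64515 hears
	// 62.7.200.32/30 directly from AS 64900 and also through AS 64700.
	direct := Route{Prefix: "62.7.200.32/30", NextHop: "199.77.33.2", ASPath: []uint32{64900}}
	via := Route{Prefix: "62.7.200.32/30", NextHop: "199.77.250.241", ASPath: []uint32{64700, 64900}}
	a, _ := Receive(64515, direct)
	b, _ := Receive(64515, via)
	best, _ := BestPath([]Route{a, b})
	fmt.Println("shortest path wins:", best.NextHop)
	b.LocalPref = 200 // local policy: prefer the transit provider whatever the path length
	best, _ = BestPath([]Route{a, b})
	fmt.Println("local preference wins:", best.NextHop)
	_, ok := Receive(64900, Advertise(64515, best)) // 64900 sees itself in the path
	fmt.Println("AS 64900 accepts its own route back:", ok)
}
```

Two points the code makes that the list does not: local preference is a purely local policy knob that overrides path length, which is why a mis-set or maliciously set policy can pull traffic onto a longer path, and the loop check only works because every AS prepends itself honestly, which is exactly what the later slides on false advertisements call into question.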
BGP Overview
BGP is the only protocol that provides inter-domain routing for the Internet
It is a critical piece of the Internet's infrastructure
Security Issues of BGP
Communication between peers is not protected from eavesdropping
– Modification and spoofing of segments can be prevented with the TCP MD5 option (RFC 2385): a keyed hash over each segment computed with a shared secret. It is a MAC rather than a true signature, and it adds no confidentiality
Subject to all lower-layer vulnerabilities
DoS/DDoS attacks
– Can target TCP port 179, the port BGP listens on
– Potential to close sessions
– Potential to result in dropped UPDATE messages
Attacks may come from trusted routers that have been compromised
– Smaller ISPs with poor security make good targets
– The mesh-connected design means that gaining access to any BGP speaker can have a significant impact on the Internet
Security Issues of BGP
Easy to inject false advertisements
– Bad configuration (BGP is hard!)
– Malicious attacks
Attacks on the TCP session
– TCP spoofing (a forged RST can close the TCP connection, and the BGP session with it)
– TCP session hijacking
– Either can result in a denial of service based on a flood of BGP UPDATE messages that withdraw routes and then advertise new ones
No authentication within BGP itself: nothing in the protocol verifies that an AS is entitled to originate a prefix or that the AS_PATH is genuine
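The TCP MD5 option from the previous slide and the spoofed-RST attack from this one, as an added example that is not part of the slides or the lab. The digest computation follows RFC 2385; the addresses, ports, sequence numbers and the shared key are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"net"
)

// Segment carries the fields of an IPv4 TCP segment that enter the RFC 2385 digest.
type Segment struct {
	Src, Dst         net.IP
	SrcPort, DstPort uint16
	Seq, Ack         uint32
	DataOffset       uint8 // header length in 32-bit words, options included
	Flags            uint8 // 0x02 SYN, 0x04 RST, 0x10 ACK, 0x18 PSH|ACK
	Window, Urgent   uint16
	Data             []byte
}

// TCPMD5 computes the 16-byte value carried in TCP option 19 (RFC 2385): MD5 over the IPv4
// pseudo-header, the fixed 20-byte TCP header with the checksum zeroed (options excluded),
// the payload and, last, the shared key. It is a keyed hash, not a signature: anyone on the
// path can still read the segment, but only a key holder can produce a digest that verifies.
func TCPMD5(s Segment, key []byte) [16]byte {
	pseudo := make([]byte, 12) // source, destination, zero, protocol, TCP length
	copy(pseudo[0:], s.Src.To4())
	copy(pseudo[4:], s.Dst.To4())
	pseudo[9] = 6
	binary.BigEndian.PutUint16(pseudo[10:], uint16(int(s.DataOffset)*4+len(s.Data)))
	hdr := make([]byte, 20)
	binary.BigEndian.PutUint16(hdr[0:], s.SrcPort)
	binary.BigEndian.PutUint16(hdr[2:], s.DstPort)
	binary.BigEndian.PutUint32(hdr[4:], s.Seq)
	binary.BigEndian.PutUint32(hdr[8:], s.Ack)
	hdr[12], hdr[13] = s.DataOffset<<4, s.Flags
	binary.BigEndian.PutUint16(hdr[14:], s.Window)
	binary.BigEndian.PutUint16(hdr[18:], s.Urgent) // bytes 16 and 17, the checksum, stay zero
	h := md5.New()
	for _, part := range [][]byte{pseudo, hdr, s.Data, key} {
		h.Write(part)
	}
	var out [16]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Verify is what the receiving speaker does with an inbound segment: recompute the digest
// with its own copy of the key and compare in constant time. A segment with a missing or
// wrong digest is dropped before TCP acts on it, so a forged RST never reaches the session.
func Verify(s Segment, key []byte, got [16]byte) bool {
	want := TCPMD5(s, key)
	return subtle.ConstantTimeCompare(want[:], got[:]) == 1
}

// KeepaliveSegment is a constructed segment between the two lab addresses carrying a
// 19-byte BGP KEEPALIVE (marker, length 19, type 4). A data offset of 10 words leaves room
// for the 18-byte MD5 option plus two bytes of padding.
func KeepaliveSegment() Segment {
	return Segment{
		Src: net.ParseIP("199.110.254.42"), Dst: net.ParseIP("199.110.254.41"),
		SrcPort: 179, DstPort: 41237, Seq: 0x1A2B3C4D, Ack: 0x5E6F7081,
		DataOffset: 10, Flags: 0x18, Window: 16384,
		Data: append(bytes.Repeat([]byte{0xFF}, 16), 0x00, 0x13, 0x04),
	}
}

func main() {
	key := []byte("lab-peer-secret") // assumed shared secret configured on both speakers
	seg := KeepaliveSegment()
	digest := TCPMD5(seg, key)
	fmt.Println("genuine KEEPALIVE verifies:", Verify(seg, key, digest))

	// An attacker who sniffed the segment forges a RST to tear the session down and copies
	// the digest it saw; changing the flags alone already invalidates it.
	rst := seg
	rst.Flags, rst.Data = 0x14, nil
	fmt.Println("spoofed RST with replayed digest verifies:", Verify(rst, key, digest))

	// Without the key the attacker cannot compute a fresh digest either.
	fmt.Println("RST digested under a guessed key verifies:", Verify(rst, key, TCPMD5(rst, []byte("guess"))))
}
```

The sequence and acknowledgement numbers are inside the digested header, so even a correctly guessed in-window RST fails the check. What the option does not do is hide anything: the KEEPALIVE bytes travel in the clear, which is the eavesdropping gap the slide points out. RFC 2385 has since been obsoleted by TCP-AO (RFC 5925), which replaces MD5 with stronger MACs and adds key rollover, but the shape of the check is the same.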
Proposed Security Solutions for BGP: Secure-BGP and Secure Origin BGP
Both use a PKI (public-key cryptography) to verify the source of advertisements
– Verify that the originating AS has the authority to advertise a given IP prefix
– Limit the effects of a compromise to one AS
Proposed Security Solutions for BGP
Secure-BGP (S-BGP)
– Certificates are distributed out of band, through repositories that each AS must consult to validate the keys behind a route
– Each AS along the path adds its signature (a route attestation) to the UPDATE, so the receiver can check every hop of the AS_PATH
Secure Origin BGP (soBGP)
– Certificates are distributed in band, in a new BGP message type
– Verifies that the origin AS is authorized for the prefix and checks the AS_PATH for plausibility against a topology built from the certificates, rather than signing each hop
Proposed Security Solutions for BGP: Secure-BGP and Secure Origin BGP
Both have severe routing overheads
– May increase routing overhead by as much as 800%
For either protocol to be effective, every AS must adopt it
No consensus, so neither protocol has seen widespread adoption
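The attestation model the two previous slides describe, as an added example that is not code from either project: an authority signs which AS may originate a prefix (the address attestation), each AS on the path signs the route as it passes (the S-BGP-style route attestation), and the receiver validates both before installing the route. Ed25519 stands in for the X.509 certificates and RSA signatures of the real designs; the authority, the AS numbers, the prefix and the Lab type that holds private keys are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// PKI is this example's out-of-band certificate store: the public key of an address
// authority that attests prefix ownership, plus one public key per AS.
type PKI struct{ Authority ed25519.PublicKey; ASKeys map[uint32]ed25519.PublicKey }

// AddressAttestation is the authority's signature over (prefix, origin AS).
type AddressAttestation struct{ Prefix string; Origin uint32; Sig []byte }

// RouteAttestation is one AS's signature over the prefix, the AS_PATH up to and including
// itself, and the neighbor it hands the route to; naming the recipient is what stops a third
// AS from replaying the attestation on a path that never passed through it.
type RouteAttestation struct{ Signer, Target uint32; Sig []byte }

// Lab holds the private keys, which a real AS would never share.
type Lab struct{ PKI PKI; authPriv ed25519.PrivateKey; asPriv map[uint32]ed25519.PrivateKey }

// signed serialises what a signature covers; path is origin-first here (the wire AS_PATH is
// most-recent-first; either order works as long as signer and verifier agree).
func signed(prefix string, path []uint32, target uint32) []byte {
	b := append([]byte(prefix), 0)
	for _, as := range append(append([]uint32{}, path...), target) {
		var w [4]byte
		binary.BigEndian.PutUint32(w[:], as)
		b = append(b, w[:]...)
	}
	return b
}

// next is the AS that position i of path hands the route to: path[i+1], or the receiver.
func next(path []uint32, i int, receiver uint32) uint32 {
	if i+1 < len(path) {
		return path[i+1]
	}
	return receiver
}

// BuildLab generates fresh keys for the authority and each listed AS.
func BuildLab(ases ...uint32) (*Lab, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	l := &Lab{PKI{pub, map[uint32]ed25519.PublicKey{}}, priv, map[uint32]ed25519.PrivateKey{}}
	for i := 0; err == nil && i < len(ases); i++ {
		l.PKI.ASKeys[ases[i]], l.asPriv[ases[i]], err = ed25519.GenerateKey(rand.Reader)
	}
	return l, err
}

// Authorize is the authority attesting that origin may announce prefix.
func (l *Lab) Authorize(prefix string, origin uint32) AddressAttestation {
	return AddressAttestation{prefix, origin, ed25519.Sign(l.authPriv, signed(prefix, []uint32{origin}, 0))}
}

// Forge is all a hijacking AS can do on its own: sign an address attestation with its own key.
func (l *Lab) Forge(prefix string, as uint32) AddressAttestation {
	return AddressAttestation{prefix, as, ed25519.Sign(l.asPriv[as], signed(prefix, []uint32{as}, 0))}
}

// Propagate signs the route hop by hop as it travels from the origin towards receiver.
func (l *Lab) Propagate(prefix string, path []uint32, receiver uint32) []RouteAttestation {
	var ras []RouteAttestation
	for i, as := range path {
		t := next(path, i, receiver)
		ras = append(ras, RouteAttestation{as, t, ed25519.Sign(l.asPriv[as], signed(prefix, path[:i+1], t))})
	}
	return ras
}

// VerifyRoute is what receiver runs on an UPDATE: the origin must hold an address attestation
// from the authority, and every hop must carry a signature from the AS at that position that
// also names the next hop, so nobody can insert, drop or reorder ASes or replay the route.
func VerifyRoute(p PKI, receiver uint32, prefix string, path []uint32, aa AddressAttestation, ras []RouteAttestation) error {
	if len(path) == 0 || len(ras) != len(path) {
		return errors.New("attestation count does not match AS_PATH length")
	}
	if aa.Prefix != prefix || aa.Origin != path[0] || !ed25519.Verify(p.Authority, signed(prefix, []uint32{aa.Origin}, 0), aa.Sig) {
		return fmt.Errorf("AS %d is not authorized to originate %s", path[0], prefix)
	}
	for i, ra := range ras {
		pub, ok := p.ASKeys[path[i]]
		if t := next(path, i, receiver); !ok || ra.Signer != path[i] || ra.Target != t || !ed25519.Verify(pub, signed(prefix, path[:i+1], t), ra.Sig) {
			return fmt.Errorf("route attestation for hop AS %d is invalid", path[i])
		}
	}
	return nil
}

func main() {
	lab, _ := BuildLab(64700, 64900, 64515) // constructed; AS numbers borrowed from the lab output
	prefix, path := "57.35.5.0/24", []uint32{64700, 64900}
	fmt.Println("genuine route:", VerifyRoute(lab.PKI, 64515, prefix, path, lab.Authorize(prefix, 64700), lab.Propagate(prefix, path, 64515)))
	hijack := []uint32{64900} // AS 64900 claims to originate the prefix itself
	fmt.Println("hijack:", VerifyRoute(lab.PKI, 64515, prefix, hijack, lab.Forge(prefix, 64900), lab.Propagate(prefix, hijack, 64515)))
}
```

The cost the following slide quotes is visible here: every UPDATE now carries one signature per AS hop and the receiver performs one signature verification per hop plus one for the origin, and none of it helps unless every AS on the path participates, because an unsigned hop cannot be distinguished from a forged one.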
Introduction to the Lab
Introduction to BGP
Provides an opportunity to get hands-on with BGP
– Observe BGP traffic
– Observe BGP configurations
– Configure a BGP router
Conduct two practical exercises
Introduction to the Lab: observe BGP router information with the show ip bgp command

BGP table version is 80, local router ID is 199.110.254.41
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop         Metric LocPrf Weight Path
*> 57.35.5.0/24     199.110.254.42        0             0 64700 i
*> 57.35.6.0/24     199.110.254.42        0             0 64700 i
*> 57.35.7.0/24     199.110.254.42        0             0 64700 i
*> 57.35.10.0/24    199.110.254.42        0             0 64700 i
*  62.7.200.32/30   199.77.33.2           0             0 64900 i
*>                  199.77.250.241        0             0 64514 i
* i                 199.77.31.1           0    100      0 64514 i

The last three rows are three candidate paths for 62.7.200.32/30: only the one marked > is installed, and the row marked i was learned over IBGP and shows the default local preference of 100.
Introduction to the Lab: observe BGP neighbor information with the show ip bgp neighbors command

BGP neighbor is 199.77.30.18, remote AS 64515, internal link
  BGP version 4, remote router ID 199.107.254.253
  BGP state = Established, up for 11w2d
  Last read 00:00:14, hold time is 180, keepalive interval is 60 seconds
  Neighbor capabilities:
    Route refresh: advertised and received(new)
    Address family IPv4 Unicast: advertised and received
  Received 113822 messages, 0 notifications, 0 in queue
  Sent 113853 messages, 0 notifications, 0 in queue
  Route refresh request: received 0, sent 0
  Default minimum time between advertisement runs is 5 seconds

"internal link" marks this as an IBGP neighbor in the same AS. The hold time of 180 seconds and keepalive interval of 60 seconds are the timers behind the KEEPALIVE message: three missed keepalives end the session.
Introduction to the Lab: Section 1.5 Scenario
[Diagram of the Section 1.5 scenario]
Introduction to the Lab: Section 3 Scenario
[Diagram of the Section 3 scenario]
Questions?