34
BGP Security Update Is the Sky Falling?

BGP Security Update

  • Upload
    others

  • View
    9

  • Download
    0

Embed Size (px)

Citation preview

Page 1: BGP Security Update

BGP Security Update

Is the Sky Falling?

Page 2: BGP Security Update

Is the Sky is Falling

n Post 9/11 – lots or people looking at “critical infrastructure”

n Lots of people see the Internet as “critical infrastructure”

n What’s critical to the operations of the Internet:n BGPn DNSn Caffeine

n Is there a security problem with BGP?n There is S-BGP, hence there must be a problem.

Page 3: BGP Security Update

Background

n Perception that we have a big BGP security problem.

n Comparison of CERT, FIRST, and Cisco PSIRT data was not demonstrating the evidence.

n US Government Pressure – Secure BGP (not the same as S-BGP)

n Answer – lets do some work and really evaluate the risk.

Page 4: BGP Security Update

The Good News

n Our Luck still hold outs.n BGP Security is a by-product from our hard

learned operational lessons:n CIDRn Dampeningn Ingress/Egress Filtering

n BCP Principles for how you configure BGP in an ISP builds a lot of resistance into the Network.

Page 5: BGP Security Update

Guarded Trust

n ISP A trust ISP B to send X prefixes from the Global Internet Route Table.

n ISP B Creates a egress filter to insure only X prefixes are sent to ISP A.

n ISP A creates a mirror image ingress filter to insure ISP B only sends X prefixes.

n ISP A’s ingress filter reinforces ISP B’s egress filter.

ISP A ISP B

Prefixes

Prefixes

Ingress FilterEgress Filter

Page 6: BGP Security Update

What are we trying to achieve?

n Walk through the perceived risk.n Remind people what we should be doing

(BCPs).n Encourage participate in the “what’s next”

efforts.

Page 7: BGP Security Update

Spoofing Risk

n “It is really easy to send a TCP RST and drop the BGP session.”

n Harder than you think.n Successful Spoof may require:

n Match source addressn Match source portn Match destination portn Match TTLn Match Sequence Number

Page 8: BGP Security Update

Spoofing Risk

n Multiple items need to be spoofed. Take time, takes some crafting, and may need direct access to the L1/L2 medium.

n Still can be done, but it is not something you will find in a script kiddy tool.

n And then there is MD5 – adding more resistance.

Page 9: BGP Security Update

Hijacking Risk

n “Hey, I can spoof and insert a BGP update into the router.”

n Successful spoof is required.n Update has to match the ISP’s ingress policy (if

iBGP)n If successful, some interesting things might

happen.n See work by Sandra Murphy in the references section.

Page 10: BGP Security Update

Route Flapping Risk

n Route Flapping is an operational risk that could be turned into a security risk ….. If you ignore the BCPs.

n RIPE-229 - RIPE Routing-WG Recommendations for Coordinated Route-flap Damping Parameters

Page 11: BGP Security Update

De-Aggregation Risk

n AS 7007 incident used as an attack. n Multihomed CPE router is violated and

used to “de-aggregate” large blocks of the Internet.

n Evidence collected by several CERTs that hundreds of CPEs are violated.

Page 12: BGP Security Update

Garbage in – Garbage Out: What is it?

AS 200

AS 400

DD

CC

EE

BBAS 100

AS 300

AS XYZ

AS 500

NN

XX

AA

Lets advertise the entire Internet with /24 more

specifics

I accept the entire Internet with /24 more

specifics and sent them on.

I accept the entire Internet with /24 more specifics and sent them on.

Page 13: BGP Security Update

Garbage in – Garbage Out: Results

UnstableUnstable

UnstableUnstable

DURESSDURESS

DURESSDURESS

DURESSDURESS

The rest of the

Internet

The rest of the

InternetDD

CC

EE

BBAS 100

AS 300

AS XYZ

AS 500

NN

XX

AA

Lets advertise the entire

Internet with /24 more specifics

Page 14: BGP Security Update

Garbage in – Garbage Out: Impactn Garbage in – Garbage

out does happen on the Net

n AS 7007 Incident (1997) was the most visible case of this problem.

n Key damage are to those ISPs who pass on the garbage.

n Disruption, Duress, and Instability has been an Internet wide effect of Garbage in – Garbage out.

UnstableUnstable

UnstableUnstable

DURESSDURESS

DURESSDURESS

DURESSDURESS

The rest of the

Internet

The rest of the

InternetDD

CC

EE

BBAS 100

AS 300

AS XYZ

AS 500

NN

XX

AA

Lets advertise the entire

Internet with /24 more specifics

Page 15: BGP Security Update

Garbage in – Garbage Out: What to do?

n Take care of your own Network.n Filter your customersn Filter you

advertisements

n Net Police Filteringn Mitigate the impact

when it happens

n Prefix Filtering and Max Prefix Limits

UnstableUnstable

UnstableUnstable

DURESSDURESS

DURESSDURESS

DURESSDURESS

The rest of the

Internet

The rest of the

InternetDD

CC

EE

BBAS 100

AS 300

AS XYZ

AS 500

NN

XX

AA

Lets advertise the entire

Internet with /24 more specifics

Page 16: BGP Security Update

Ideal Customer Ingress/Egress Route Filtering ….

n Ingress Customer – Allow only what their allocated

n Egress Customer – Allow only what you are allocated

ISP

Customer

Customer

Customer

IXP

Peer

Upstream

Allow only the specific prefix allocated to the

customer

Allow only the specific prefix allocated to the ISP

+ specific exceptions

Advertisements

Page 17: BGP Security Update

DUSA Route Injection

n Documenting Special Use Addresses (DUSA)n IANA has reserved several blocks of IPv4 address

for special use. n http://www.iana.org/assignments/ipv4-address-space

n These blocks of IPv4 addresses should never be advertised into the global Internet Route Table.

n Filters should be applied on the AS border for all inbound and outbound advertisements.

Page 18: BGP Security Update

Documenting Special Use Addresses (DUSA)

n Details are highlighted in a IETF Internet Draft:n http://www.ietf.org/internet-drafts/draft-

manning-dsua-07.txtn http://search.ietf.org/internet-drafts/draft-iana-

special-ipv4-03.txt

n Short cut – Rob Thomas’s Templates:n http://www.cymru.com/Documents/

Page 19: BGP Security Update

Un-Authorized Route Injection

n “What would happen if I advertised a more specific prefix for content provider abc.com?”

n This has and will happen.n Might turn into a double DOS – more

specific shuts down traffic to “target prime” while it also sucks in traffic to the CPE.

Page 20: BGP Security Update

Un-Authorized Route Injection

n Ingress Customer – Allow only what their allocated

n Egress Customer – Allow only what you are allocated

ISP

Customer

Customer

Customer

IXP

Peer

Upstream

Allow only the specific prefixes allocated to the ISP + specific exceptions

Allow only the specific prefixes allocated to

the customer

Advertisements

Page 21: BGP Security Update

Un-Allocated (Bogon) Route Injection Risk

n “What will happen if I advertise a big block of bogons?”

n One big Backscatter Collector!n Put bogon filtering into your

ingress/egress prefix filtering scheme.

Page 22: BGP Security Update

Direct DOS/DDOS Against the Router

n “Lets syn flood a router on port 179.” n Not really a “BGP” attack. Really a resource

saturation attack.n Saturating input queues will have a side effect of

knocking off the routing protocols.n Most common form of “BGP Attack.”n Every network vendor should now be putting

mitigation techniques all the way into the forwarding/feature ASIC.

Page 23: BGP Security Update

Risk related to ISP’s Architecture

n Summer of 2001 - ISP Routers advertising default became Code Red and Nimda magnets.

n ISP architecture does effect security.n Plan where you drop the garbage, so

when the garbage piles up it doesn’t bury your network.

Page 24: BGP Security Update

Risk related to BGP Bugs

n BGP Bugs have caused operation issues on the Net, but are caught and fixed before they can be used as a security exploit.

n Some vendor interaction bugs have been scary.

n Providers need to push inter-vendor compatibility/interaction testing.

Page 25: BGP Security Update

BGP Community Attribute Risk

n “What would happen if I started poking around with all those community attributes?”

n Un-explored exploit vector.n Community filtering equivalent to prefix

filtering. n Not perceived to be a problem, but

something to think about.

Page 26: BGP Security Update

What’s Next?

n BGP over IPSECn S-BGPn Ptomainen RPSECn Router Security Requirements

Page 27: BGP Security Update

BGP over IPSEC

n “If I put BGP over IPSEC, I’ll be secure.” n Why?n Remember the difficulty spoofing BGP –

especially with MD5.n Wait – if most ISPs do not turn on MD5,

how will IPSEC get turned on?n Think about the problem your trying to

solve.

Page 28: BGP Security Update

S-BGP

n Time to re-visit S-BGPn Everyone one should read (or re-read) the

work:n http://www.net-tech.bbn.com/sbgp/

n As a minimum, it covers in detail problems we have with prefix authentication.

Page 29: BGP Security Update

Ptomaine

n Ptomaine and BGP Security?n Yep – it is all about prefix filtering techniques.

We know effective prefix filtering techniques help the BGP Security.

n Prefix Taxonomy Ongoing Measurement & Inter Network Experiment (Ptomaine)n General Discussion:[email protected] n To Subscribe: [email protected] n In Body: subscribe ptomaine n Archive: http://www.shrubbery.net/ptomaine

Page 30: BGP Security Update

RPSEC

n Routing Protocol Security Requirements Working Group (rpsec)

n Mailing Lists:n General Discussion: [email protected]

n To Subscribe: [email protected]

Page 31: BGP Security Update

Router Security Requirements

n Network Security Requirements for Devices Implementing Internet Protocol by George Jones ([email protected])

n Work from UUNET that supplements RFC 1918. n Preliminary work that will be taken to IETF

(informational RFC or WG – not sure yet).n Objective – RFC to whack Vendors with. n Active Participation welcome:

n General Discussion: [email protected] To Subscribe: [email protected]

Page 32: BGP Security Update

Acknowledgements

n Rob Thomas [[email protected]]n Daniel P (Dan) Koller [[email protected]]n Stephen Kent [[email protected]]n Ross Callon [[email protected]]n Russ White [[email protected]]n Alvaro Retana [[email protected]]n John G. Scudder [[email protected]]n Barry Friedman [[email protected]]n Anantha Ramaiah [[email protected]]n Satish Mynam [[email protected]]n Chris M. Lonvick [[email protected]]n Paul Donner [[email protected]]

Page 33: BGP Security Update

References

n Secure BGP Template Version 2.1 n http://www.cymru.com/Documents/secure-bgp-

template.html

n Bogon List v1.0 04 June 2002n http://www.cymru.com/Documents/bogon-list.html

n BGP Security Protectionsn draft-murphy-bgp-protect-00.txt

n BGP Security Vulnerabilities Analysisn draft-murphy-bgp-vuln-00.txt

n Cisco ISP Essentialsn http://www.ciscopress.comn http://www.ispbook.com

Page 34: BGP Security Update

Updates

n Check for updates at:n http://www.cisco.com/public/cons/isp/security/n http://www.ispbook.com