Southeastern Security for Enterprise and Infrastructure (SENSEI) Center
CNT 5410 - Computer and Network Security:
BGP Security
Professor Kevin Butler Fall 2015
Internet inter-AS routing: BGP
• BGP (Border Gateway Protocol): the de facto standard
• BGP provides each AS a means to:
• eBGP: Obtain subnet reachability information from neighboring Autonomous Systems (ASes).
• iBGP: Propagate reachability information to all AS-internal routers.
• Determine “good” routes to subnets based on reachability information and policy.
• allows subnet to advertise its existence to rest of Internet: “I am here”
BGP basics
• BGP session: two BGP routers (“peers”) exchange BGP messages:
• advertising paths to different destination network prefixes (“path vector” protocol)
• exchanged over semi-permanent TCP connections
• When AS3 advertises a prefix to AS1:
• AS3 promises it will forward datagrams towards that prefix
• AS3 can aggregate prefixes in its advertisement
[Figure: AS1 (routers 1a, 1b, 1c, 1d), AS2 (2a, 2b, 2c) and AS3 (3a, 3b), each also attached to other networks; eBGP sessions run between ASes, iBGP sessions run inside an AS]
Prefix?
• How do routers advertise sets of IP addresses?
• Keeping a full list of every address reachable through a router is wasteful: think of the memory usage.
• We instead rely on address aggregations:
[Figure: the 256 addresses 192.168.1.0, 192.168.1.1, … 192.168.1.255 aggregated into 192.168.1.0/24, which in turn lies within 192.168.0.0/16]
Distributing reachability info
• Using an eBGP session between 3a and 1c, AS3 sends prefix reachability info to AS1.
• 1c can then use iBGP to distribute this new prefix reach info to all routers in AS1
• 1b can then re-advertise new reachability info to AS2 over 1b-to-2a eBGP session
• When router learns of new prefix, creates entry for prefix in its forwarding table.
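The two slides above (address aggregation, and the forwarding-table entry a router creates when it learns a prefix) as an added Python example; it is not code from the lecture. The router names 3a and 2a come from the slide diagram, the host list and the second, more specific advertisement from AS2 are constructed, and longest-prefix match is the forwarding rule assumed when two entries cover the same address.

```python
import ipaddress

# Constructed sample input: the 256 host addresses 192.168.1.0 .. 192.168.1.255 from the slide
HOSTS = [ipaddress.ip_network(f"192.168.1.{i}/32") for i in range(256)]
# Constructed: all 256 /24 subnets under 192.168.0.0
SUBNETS = [ipaddress.ip_network(f"192.168.{i}.0/24") for i in range(256)]


def aggregate(networks):
    """Collapse a list of networks into the smallest set of covering prefixes;
    this is the aggregate a router advertises instead of a list of hosts."""
    return [str(n) for n in ipaddress.collapse_addresses(networks)]


class ForwardingTable:
    """Prefix -> next-hop table filled from BGP reachability announcements."""

    def __init__(self):
        self.entries = {}

    def learn(self, prefix, next_hop):
        """A newly advertised prefix creates an entry for it."""
        self.entries[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        """A withdrawn prefix loses its entry; any covering aggregate stays."""
        self.entries.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, address):
        """Longest-prefix match: the most specific covering entry wins."""
        addr = ipaddress.ip_address(address)
        best = None
        for prefix, next_hop in self.entries.items():
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, next_hop)
        return None if best is None else best[1]


def demo():
    """AS3 advertises the /16 aggregate over the 3a-1c session; AS2 (constructed) advertises
    one more specific /24 over the 2a-1b session. Returns the next hop chosen per address."""
    table = ForwardingTable()
    table.learn("192.168.0.0/16", "3a")
    table.learn("192.168.1.0/24", "2a")
    return {
        "192.168.1.7": table.lookup("192.168.1.7"),   # the /24 is more specific -> 2a
        "192.168.5.1": table.lookup("192.168.5.1"),   # only the /16 covers it -> 3a
        "10.0.0.1": table.lookup("10.0.0.1"),         # no entry at all
    }
```

`aggregate(HOSTS)` collapses the slide's 256 hosts to `192.168.1.0/24`, and the 256 /24s collapse to `192.168.0.0/16`; `demo()` shows why a more specific announcement captures traffic even when an aggregate already exists, which is the mechanism behind the sub-prefix hijacks discussed later in the lecture.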
[Figure: the same AS1/AS2/AS3 topology as above, showing the 3a–1c eBGP session, iBGP sessions inside AS1 and the 1b–2a eBGP session]
Path attributes & BGP routes
• When advertising a prefix, advert includes BGP attributes.
• prefix + attributes = “route”
• Two important attributes:
• AS-PATH: contains the ASes through which the prefix advertisement has passed, e.g. AS 67, AS 17
• NEXT-HOP: Indicates specific internal-AS router to next-hop AS. (There may be multiple links from current AS to next-hop-AS.)
• When gateway router receives route advertisement, uses import policy to accept/decline.
• e.g., never route through AS x
• policy-based routing
BGP route selection
• Router may learn about more than one route to some prefix. Router must select a route.
• Elimination rules:
• Local preference value attribute: policy decision
• Shortest AS-PATH
• Closest NEXT-HOP router: hot potato routing
• Additional criteria
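The import policy from the previous slide and the elimination rules from this one, as an added Python example (not code from the lecture). The AS numbers, the banned AS, the "prefer our customer" local-preference rule and the final tie-break on NEXT-HOP address are all constructed assumptions; the rule order (local preference, then AS-PATH length, then IGP distance to the NEXT-HOP) is the slide's.

```python
from dataclasses import dataclass

MY_AS = 64500                  # constructed: the AS this router belongs to
CUSTOMER_AS = 64501            # constructed: a directly attached customer AS
BANNED_ASES = {64511}          # constructed import policy: "never route through AS x"


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple             # ASes the advertisement passed through, origin last
    next_hop: str              # border router through which the prefix is reached
    igp_cost: int              # our internal distance to that NEXT-HOP
    local_pref: int = 100      # set by import policy; higher is better


def import_policy(route):
    """Accept or decline an advertisement; returns the re-valued route or None."""
    if MY_AS in route.as_path:                 # the path already passed through us: a loop
        return None
    if BANNED_ASES & set(route.as_path):       # policy: never route through a banned AS
        return None
    pref = 200 if route.as_path and route.as_path[0] == CUSTOMER_AS else 100
    return Route(route.prefix, route.as_path, route.next_hop, route.igp_cost, pref)


def select_route(candidates):
    """Elimination rules in order: highest LOCAL_PREF, shortest AS-PATH, closest NEXT-HOP
    (hot potato). A deterministic tie-break on NEXT-HOP address stands in for the
    'additional criteria' real routers apply after these."""
    remaining = [r for r in (import_policy(c) for c in candidates) if r is not None]
    if not remaining:
        return None
    for key in (lambda r: -r.local_pref,       # higher local preference wins
                lambda r: len(r.as_path),      # shorter AS-PATH wins
                lambda r: r.igp_cost):         # nearer NEXT-HOP wins
        best = min(key(r) for r in remaining)
        remaining = [r for r in remaining if key(r) == best]
        if len(remaining) == 1:
            return remaining[0]
    return min(remaining, key=lambda r: r.next_hop)


# Constructed candidate routes for one prefix, as they might arrive from different neighbours
P = "203.0.113.0/24"
VIA_CUSTOMER = Route(P, (64501, 64504, 64502), "10.0.0.1", 50)   # longer, but from our customer
SHORT_FAR = Route(P, (64503, 64502), "10.0.0.2", 30)
BANNED = Route(P, (64511, 64502), "10.0.0.3", 1)
LOOPED = Route(P, (64505, 64500, 64502), "10.0.0.4", 1)
SHORT_NEAR = Route(P, (64506, 64502), "10.0.0.5", 10)
```

Note that `select_route([VIA_CUSTOMER, SHORT_FAR, BANNED, LOOPED, SHORT_NEAR])` picks the customer route despite its longer AS-PATH, because local preference is applied first; without it the two two-hop routes tie and the cheaper NEXT-HOP wins.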
BGP messages
• BGP messages exchanged using TCP.
• BGP messages:
• OPEN: opens TCP connection to peer and authenticates sender
• UPDATE: advertises new path (or withdraws old)
• KEEPALIVE: keeps connection alive in absence of UPDATES; also ACKs OPEN request
• NOTIFICATION: reports errors in previous msg; also used to close connection
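A parser for the message format just listed, as an added Python example (not code from the lecture). It follows the RFC 4271 layout: a 16-byte all-ones marker, a 2-byte length (19 to 4096) and a 1-byte type, followed by the OPEN, NOTIFICATION or KEEPALIVE body; UPDATE bodies are returned raw. Because BGP runs over a TCP byte stream, the parser also handles partial and back-to-back messages. The sample AS number and router identifier are constructed.

```python
import socket
import struct

MARKER = b"\xff" * 16            # RFC 4271 marker: all ones
TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
MIN_LEN, MAX_LEN = 19, 4096


class BGPFormatError(ValueError):
    """Input a real peer would answer with a NOTIFICATION (header or OPEN error)."""


def parse_message(buf):
    """Parse one message from the front of a byte stream.
    Returns (message, remaining_bytes), or (None, buf) if a whole message is not yet there."""
    if len(buf) < MIN_LEN:
        return None, buf
    marker, length, mtype = struct.unpack("!16sHB", buf[:MIN_LEN])
    if marker != MARKER:
        raise BGPFormatError("connection not synchronized: bad marker")
    if not MIN_LEN <= length <= MAX_LEN:
        raise BGPFormatError(f"bad message length {length}")
    if mtype not in TYPES:
        raise BGPFormatError(f"bad message type {mtype}")
    if len(buf) < length:
        return None, buf                        # wait for the rest of the segment
    body = buf[MIN_LEN:length]
    msg = {"type": TYPES[mtype]}
    if mtype == 1:                              # OPEN
        if len(body) < 10:
            raise BGPFormatError("short OPEN")
        version, my_as, hold_time, ident, opt_len = struct.unpack("!BHHIB", body[:10])
        if version != 4:
            raise BGPFormatError("unsupported version number")
        if hold_time in (1, 2):                 # RFC 4271 allows 0 or at least 3 seconds
            raise BGPFormatError("unacceptable hold time")
        if opt_len != len(body) - 10:
            raise BGPFormatError("bad optional parameter length")
        msg.update(version=version, my_as=my_as, hold_time=hold_time,
                   bgp_id=socket.inet_ntoa(struct.pack("!I", ident)), opt_params=body[10:])
    elif mtype == 3:                            # NOTIFICATION
        if len(body) < 2:
            raise BGPFormatError("short NOTIFICATION")
        msg.update(error_code=body[0], error_subcode=body[1], data=body[2:])
    elif mtype == 4:                            # KEEPALIVE is the header only
        if body:
            raise BGPFormatError("KEEPALIVE must be header only")
    else:                                       # UPDATE: left for an attribute parser
        msg["body"] = body
    return msg, buf[length:]


def parse_stream(buf):
    """Split a buffer of back-to-back messages; returns (messages, unparsed tail)."""
    messages = []
    while True:
        msg, buf = parse_message(buf)
        if msg is None:
            return messages, buf
        messages.append(msg)


def validate(buf):
    """Return the error text a malformed message triggers, or None if it parses."""
    try:
        parse_message(buf)
    except BGPFormatError as err:
        return str(err)
    return None


def build_open(my_as, hold_time, bgp_id, opt_params=b""):
    ident = struct.unpack("!I", socket.inet_aton(bgp_id))[0]
    body = struct.pack("!BHHIB", 4, my_as, hold_time, ident, len(opt_params)) + opt_params
    return MARKER + struct.pack("!HB", MIN_LEN + len(body), 1) + body


def build_keepalive():
    return MARKER + struct.pack("!HB", MIN_LEN, 4)
```

The marker check is the only "authentication" a plain BGP speaker performs on a message, which is the point the BGP Security slide makes later: anyone who can write into the TCP stream can produce a perfectly well-formed UPDATE.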
BGP routing policy
• A,B,C are provider networks.
• 1, 2, 3 are customers (of the provider networks)
• 2 is multi-homed: attached to two networks
• 2 does not want to route from B via 2 to C
• ... so 2 will not advertise to B a route to C
[Figure: provider networks A, B and C interconnected; customer 1 attached to A, customer 2 attached to both B and C, customer 3 attached to C]
BGP routing policy (2)
• A advertises to B the path A1
• B advertises to 2 the path BA1
• Should B advertise to C the path BA1?
• No way! B gets no “revenue” for routing CBA1 since neither 1 nor C are B’s customers
• B wants to force C to route to 1 via A
• B wants to route only to/from its customers!
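The export rule behind both routing-policy slides, as an added Python example (not code from the lecture): a route learned from a customer is advertised to everyone, a route learned from a provider or peer is advertised only to customers. The topology is the slides' (providers A, B, C; customers 1, 2, 3; 2 multi-homed to B and C); treating the provider-to-provider links as settlement-free peerings is an assumption, since the slides show the links but do not label them.

```python
from collections import deque

# Constructed model of the slide topology. Each entry says how the first AS sees the second;
# the reverse direction is derived (customer <-> provider, peer <-> peer).
RELATION = {
    ("A", "1"): "customer", ("B", "2"): "customer", ("C", "2"): "customer", ("C", "3"): "customer",
    ("A", "B"): "peer", ("B", "C"): "peer", ("A", "C"): "peer",   # assumed peerings
}


def relation(asn, neighbor):
    """How `asn` sees `neighbor`: 'customer', 'provider' or 'peer'."""
    if (asn, neighbor) in RELATION:
        return RELATION[(asn, neighbor)]
    if (neighbor, asn) in RELATION:
        return "provider" if RELATION[(neighbor, asn)] == "customer" else "peer"
    raise KeyError(f"{asn} and {neighbor} are not adjacent")


def should_export(asn, learned_from, to):
    """Revenue rule: customer routes go to everyone; provider/peer routes go only to customers."""
    if relation(asn, learned_from) == "customer":
        return True
    return relation(asn, to) == "customer"


def neighbors(asn):
    return sorted({b for a, b in RELATION if a == asn} | {a for a, b in RELATION if b == asn})


def propagate(origin):
    """Flood the origin's prefix through the graph under the export rule and return the
    AS-path each AS ends up with (the first announcement heard wins; no tie-breaking)."""
    paths = {origin: (origin,)}
    queue = deque([origin])
    while queue:
        asn = queue.popleft()
        learned_from = paths[asn][1] if len(paths[asn]) > 1 else None
        for nbr in neighbors(asn):
            if nbr in paths:
                continue
            if learned_from is not None and not should_export(asn, learned_from, nbr):
                continue
            paths[nbr] = (nbr,) + paths[asn]
            queue.append(nbr)
    return paths
```

`propagate("1")` reproduces the slide: A hands A1 to B and C (1 is A's customer), B hands BA1 down to 2 but not across to C, and C therefore reaches 1 via A. `should_export("2", "C", "B")` is false for the same reason: 2 will not carry traffic between its two providers.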
[Figure: the same provider/customer topology as above]
BGP Security
• Core Problem?
• BGP has absolutely no authentication, so…
• … anyone between two routers can inject traffic
• … anyone can claim any path
• … anyone can claim that they are any origin.
• How does this compare to the security issues we just discussed in DNS?
BGP Misconfiguration
• There are numerous examples of BGP misconfigurations that have led to widespread traffic outages:
• AS 7007 (1997)
• Con Edison (2006)
• Pakistan Telecom (2008)
• These incidents are all confirmed to have been accidental.
BGP Misconfiguration?
November 2013
Protecting Sessions
• BGP Nodes use TCP connections to communicate.
• What sorts of attacks are they susceptible to?
• Solutions:
• TTL “Security”
• MD5 Digests
• IPsec
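The first two session protections on this slide, as an added Python example (not code from the lecture). The digest follows RFC 2385 (MD5 over the TCP pseudo-header, the 20-byte TCP header with a zero checksum, the data and the shared key), and the TTL check is the directly-connected case of GTSM (RFC 5082): a peer sends TTL 255, so anything that crossed a router arrives lower and is dropped before the digest is even computed. The addresses, ports, key and KEEPALIVE payload are constructed.

```python
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
BGP_PORT = 179
SHARED_KEY = b"constructed-shared-secret"   # constructed; configured on both peers out of band


def build_tcp_header(src_port, dst_port, seq, ack, flags=0x18, window=65535):
    """20-byte TCP header with a zero checksum (0x18 = PSH|ACK); options omitted."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack, 5 << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, header, payload, key):
    """RFC 2385 signature: MD5 over pseudo-header (src, dst, zero, protocol, segment length),
    the fixed TCP header with its checksum zeroed (options excluded), the data, then the key."""
    segment_len = len(header) + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, segment_len))
    fixed = header[:16] + b"\x00\x00" + header[18:20]
    return hashlib.md5(pseudo + fixed + payload + key).digest()


def accept_segment(src_ip, dst_ip, header, payload, received_digest, ttl, key=SHARED_KEY):
    """Inbound checks for a directly connected eBGP peer: GTSM first, then the digest."""
    if ttl != 255:
        return False, "ttl"
    expected = tcp_md5_digest(src_ip, dst_ip, header, payload, key)
    if not hmac.compare_digest(expected, received_digest):
        return False, "digest"
    return True, "ok"


# Constructed sample: a BGP KEEPALIVE (16-byte marker, length 19, type 4) from the peer to us
PEER, ME = "192.0.2.1", "192.0.2.2"
KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"
HEADER = build_tcp_header(BGP_PORT, 40000, seq=1000, ack=2000)


def demo():
    """Genuine segment, wrong key, tampered payload, and a segment that crossed a router."""
    good = tcp_md5_digest(PEER, ME, HEADER, KEEPALIVE, SHARED_KEY)
    forged = tcp_md5_digest(PEER, ME, HEADER, KEEPALIVE, b"guessed-key")
    return {
        "genuine": accept_segment(PEER, ME, HEADER, KEEPALIVE, good, ttl=255),
        "wrong key": accept_segment(PEER, ME, HEADER, KEEPALIVE, forged, ttl=255),
        "tampered": accept_segment(PEER, ME, HEADER, KEEPALIVE + b"\x00", good, ttl=255),
        "remote": accept_segment(PEER, ME, HEADER, KEEPALIVE, good, ttl=254),
    }
```

The digest binds addresses, ports, sequence numbers and data, so a spoofed RST or injected UPDATE without the key fails the check; the TTL test costs nothing and discards remote traffic before any MD5 work is done.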
IPsec and the IP protocol stack
• IPsec puts the two main protocols in between IP and the other protocols
‣ AH - authentication header
‣ ESP - encapsulating security payload
• Tunnel vs. transport?
‣ Key management/authentication
‣ Policy
• Other functions are provided by external protocols and architectures
[Figure: IPsec in the IP protocol stack: SMTP, FTP and HTTP over TCP and UDP, with AH and ESP sitting between IP and the transport protocols]
Practical Issues and Limitations
• IPsec implementations
• Large footprint
• resource-poor devices are in trouble
• New standards to simplify (e.g., JFK, IKEv2)
• Slow to adopt new technologies
• Issues
• IPsec tries to be “everything for everybody at all times”
• Massive, complicated, and unwieldy
• Policy infrastructure has not emerged
• Large-scale management tools are limited (e.g., Cisco)
• Often not used securely (common pre-shared keys)
Defensive Filtering
• Prevent “bad” routing updates through careful consideration of new advertisements.
• CIDR report (for “bogons/martians”)
• Routing Registries
• Filter small subnets
• Prefix number limitations
• Limitations? Such filtering can only remove updates that are obviously bad, and will miss subtle issues/attacks
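The four filters listed on this slide applied to a batch of announcements, as an added Python example (not code from the lecture). The martian list is a constructed subset of the well-known reserved ranges, the registry is a constructed stand-in for a routing-registry lookup, the per-peer prefix limit is deliberately tiny so the behaviour shows, and the sample announcements are constructed; the checks are the slide's. The last sample illustrates the slide's limitation: every accepted route is "obviously fine", yet a registered origin announcing over an unusual path passes untouched.

```python
import ipaddress

# Partial bogon/martian list (constructed subset of well-known reserved ranges). The documentation
# ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are deliberately left out so they can
# stand in for public customer prefixes in the sample below.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed stand-in for a routing registry: prefix -> origin ASes allowed to announce it
REGISTRY = {
    ipaddress.ip_network("203.0.113.0/24"): {64496},
    ipaddress.ip_network("198.51.100.0/24"): {64498},
    ipaddress.ip_network("192.0.2.0/24"): {64498},
}
MAX_PREFIX_LEN = 24          # "filter small subnets": nothing more specific than a /24
MAX_PREFIXES_PER_PEER = 2    # constructed, deliberately tiny, to show the limit being hit


def check_update(update, peer_counts):
    """Judge one announcement {"peer", "prefix", "as_path"}; returns (accepted, reason).
    peer_counts tracks accepted prefixes per peer for the max-prefix rule."""
    prefix = ipaddress.ip_network(update["prefix"], strict=False)
    if any(prefix.subnet_of(m) for m in MARTIANS):
        return False, "martian/bogon prefix"
    if prefix.prefixlen > MAX_PREFIX_LEN:
        return False, f"more specific than /{MAX_PREFIX_LEN}"
    origin = update["as_path"][-1]
    covering = [p for p in REGISTRY if prefix.subnet_of(p)]
    if not covering:
        return False, "prefix not in routing registry"
    if not any(origin in REGISTRY[p] for p in covering):
        return False, f"origin AS{origin} not registered for {prefix}"
    peer = update["peer"]
    if peer_counts.get(peer, 0) >= MAX_PREFIXES_PER_PEER:
        return False, "max-prefix limit reached"
    peer_counts[peer] = peer_counts.get(peer, 0) + 1
    return True, "accepted"


def filter_updates(updates):
    """Run the checks over a batch from one session; returns [(prefix, accepted, reason)]."""
    counts = {}
    return [(u["prefix"],) + check_update(u, counts) for u in updates]


SAMPLE_UPDATES = [  # constructed announcements received from peer router 2a
    {"peer": "2a", "prefix": "203.0.113.0/24", "as_path": (64497, 64496)},
    {"peer": "2a", "prefix": "10.1.0.0/16", "as_path": (64497, 64496)},
    {"peer": "2a", "prefix": "203.0.113.128/25", "as_path": (64497, 64496)},
    {"peer": "2a", "prefix": "198.51.100.0/24", "as_path": (64497, 64499)},
    {"peer": "2a", "prefix": "192.0.2.0/23", "as_path": (64497, 64498)},
    {"peer": "2a", "prefix": "192.0.2.0/24", "as_path": (64497, 64498)},
    {"peer": "2a", "prefix": "198.51.100.0/24", "as_path": (64497, 64498)},
]
```

Running `filter_updates(SAMPLE_UPDATES)` accepts the first and sixth announcements and rejects the rest, each with the rule that caught it; the max-prefix rule fires on the last one only because the limit here is two, which is how a real limit protects against a peer leaking a full table.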
S-BGP
• First comprehensive solution specifically targeting BGP.
• Relies on a PKI for distributing certificates to all ASes
• Origins (address ranges) are signed and distributed out-of-band.
• Routes are attested by each AS signing the BGP UPDATE message
• Pro: Comprehensive!
• Con: Heavyweight, slow!
… and More
• S-BGP is probably too heavyweight to actually deploy.
• So-BGP allows configurable tradeoffs between security and overhead.
• IRV creates a central repository for validating routing updates.
• Others explore techniques such as signature amortization and efficient data structures to solve S-BGP's deployment problems.
• Current status: No strong BGP security solution is deployed
Detection Mechanisms
• Multiple Origin AS (MOAS) detection looks for origins that are incorrectly advertised by multiple parties.
• Prefix Hijacking Alert System (PHAS) requires a prefix owner to be notified and approve changes.
• Pretty Good BGP (PGBGP) relies on historical data to determine which changes can be considered “normal”.
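MOAS detection and the history-based judgement of PGBGP, as an added Python example (not code from the lecture or from either project). A monitor records which origin AS announced each prefix and when; an origin that conflicts with the recently seen ones is flagged as a MOAS, a previously unseen more-specific of a known prefix is flagged as a sub-prefix anomaly, and either kind is held in a low-preference quarantine for a day, after which history treats it as normal. The window lengths, AS numbers and the observation stream are constructed.

```python
import ipaddress
from collections import defaultdict

HISTORY_WINDOW = 10 * 86400     # seconds an origin stays "known" after it was last seen
SUSPICIOUS_PERIOD = 24 * 3600   # seconds a novel origin is held at low preference (PGBGP-style)


class OriginMonitor:
    def __init__(self):
        self.last_seen = defaultdict(dict)   # prefix -> {origin AS: time last seen}
        self.quarantine = {}                  # (prefix text, origin) -> time the quarantine ends
        self.alerts = []                      # (time, kind, detail) for a human or PHAS-style notification

    def is_quarantined(self, now, prefix, origin):
        return self.quarantine.get((str(prefix), origin), -1) > now

    def _known_origins(self, now, prefix):
        """Origins seen recently enough to count as normal, excluding quarantined ones."""
        return {o for o, t in self.last_seen.get(prefix, {}).items()
                if now - t <= HISTORY_WINDOW and not self.is_quarantined(now, prefix, o)}

    def observe(self, now, prefix, origin):
        """Process one (prefix, origin) sighting; returns (kind, detail)."""
        prefix = ipaddress.ip_network(prefix)
        kind, detail = "normal", ""
        known = self._known_origins(now, prefix)
        if known and origin not in known:
            kind, detail = "moas", f"{prefix} already originated by {sorted(known)}"
        elif not known:
            # brand-new prefix: is it a more specific of something someone else originates?
            for parent in self.last_seen:
                parent_origins = self._known_origins(now, parent)
                if (parent != prefix and prefix.subnet_of(parent)
                        and parent_origins and origin not in parent_origins):
                    kind = "subprefix"
                    detail = f"{prefix} is a more specific of {parent} ({sorted(parent_origins)})"
                    break
        if kind != "normal" and not self.is_quarantined(now, prefix, origin):
            self.quarantine[(str(prefix), origin)] = now + SUSPICIOUS_PERIOD
            self.alerts.append((now, kind, detail))
        self.last_seen[prefix][origin] = now
        return kind, detail


# Constructed observation stream: (time in seconds, prefix, origin AS)
STREAM = [
    (0, "203.0.113.0/24", 64496),
    (3600, "203.0.113.0/24", 64496),
    (7200, "203.0.113.0/24", 64511),        # second origin appears: MOAS
    (10000, "203.0.113.128/25", 64510),     # new more-specific from a third party
    (20000, "198.51.100.0/24", 64498),      # unrelated new prefix, nothing to compare against
    (93601, "203.0.113.0/24", 64511),       # a day later: history now calls this normal
]


def run_stream(stream):
    """Feed the stream through one monitor; returns (list of kinds, monitor)."""
    mon = OriginMonitor()
    return [mon.observe(t, p, o)[0] for t, p, o in stream], mon
```

The last observation is the PGBGP trade-off in one line: a hijack that persists long enough becomes "normal", so the alerts list, not the verdict alone, is what an operator (or a PHAS-style owner notification) has to act on during the suspicious period.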
Importance
• Without BGP, the Internet simply does not exist.
• Networks are simply isolated islands.
• If large-scale routing attacks occur, it may be a VERY long time before traffic becomes routable again.
• Bellovin argues that the Internet may actually NEVER come back up.
• Deploying some secure inter-domain routing system will be the next great challenge in Internet security.