Securing Routing Infrastructure: Challenges and Solutions in BGP Operations
This presentation by Sandra Murphy from Sparta, Inc. explores the intricacies of securing routing infrastructure, particularly focusing on BGP operations within Internet2. It highlights historical misconfigurations and the resulting consequences, such as the infamous AS7007 incident, which led to widespread routing anomalies. Murphy outlines various protection mechanisms including peer-to-peer connection security, prefix and AS-path filtering, and origination protection. The discussion emphasizes the need for more than just local operational efficiency to maintain robust connectivity across the internet.
Presentation Transcript

Securing the Routing Infrastructure
Sandra Murphy
Sparta, Inc
sandy@tislabs.com, sandy@sparta.com
Internet2

BGP Operation
[Diagram: Net 12/8 originated by AS 10 and propagated through AS 20 to AS 30 and AS 22. Update labels: ASPATH=10, NLRI=12/8; ASPATH=20,10, NLRI=12/8; ASPATH=30,20,10, NLRI=12/8; ASPATH=22,20,10, NLRI=12/8]

BGP Operation – More specific prefixes
[Diagram: same topology as the previous slide, with Net 12.12/16 added at AS 22. Update labels: ASPATH=10, NLRI=12/8; ASPATH=20,10, NLRI=12/8; ASPATH=30,20,10, NLRI=12/8; ASPATH=22,20,10, NLRI=12/8; ASPATH=22, NLRI=12.12/16]

Misconfiguration (we hope) Attacks
• Apr 1997 AS7007 announces classful addresses for the whole world
• Feb/Apr/Aug 2001 Abovenet/Quest/Digex announces routes with private AS numbers in them
• Typical consequences:
• Dec 1999 a mis-origination by a downstream takes out ATT’s dial-up net – WSJ notices
• Apr/May 2003 Trafalgar House/LA County space hijacked by registry spoof
• Side effect on operation
  • Covad does not aggregate their prefix announcements because they tried it and someone announced more specific prefixes

Think we’re past all that?
• Dec 24, 2004 – AS9121 (TTNet) announced 100K+ routes for 1hr20min (shorter event later)
• According to May 2005 NANOG presentation, 1/3 of Renesys’s 100 peers saw the bad routes within 3 min
• The bad routes spread far and wide
• Affected networks included (from NANOG slide):
  • Blue Cross Blue Shield of Iowa
  • Thomson Financial Services
  • Citicorp Global Information Network
  • MetLife Capital Corp
  • Pitney Bowes Credit Corporation
  • Brown Brothers Harriman & Company
  • LaSalle Partners
  • Kuwait Fund for Arab Economic Development

And recently…
• Sep 9, 9:29-10:47, 26210, a Bolivian ISP, announced 12/8, 64/8 and 65/8.
  • 12/8, 3549 1239 12956 26210
  • GX-Sprint-Telefonica-AES Comm (Bolivia)
• On Sep 10, another anomaly
  • 12/8, 3549 1299 12676 (GX-TeliaNet-NCORE)
  • “FYI, happened again this morning for (at least) 12/8 duration approx 30 minutes starting at 5:45 AM PDT. Notice that AT&T is no longer taking chances, and is announcing 2 /9s.”

Consequences
• Note to NANOG Sep 9: “And wouldn't you know it, we have an application that needs to reach servers in 12/8 and 65/8, and someone just came over to me asking for help in figuring out why that application isn't working. I guess I should have checked my NANOG mail before I told them I had no idea what was going on. :)”

Moral of the Story
• Your network operation may be an inspiration to us all, but:
• The other parts of the Internet hold your fate:
  • Your users may not be able to reach the sites they want to reach
  • Your users’ remote users may not be able to reach your users
• Need more than effective local operation

A Sequence of Solutions
Increasingly stringent – increasing cost:
• Peer-peer Connection Protection
• Filters – prefix filters and AS-path filters
• Origination Protection
• Origination and AS_PATH Adjacency Protection
• Origination and AS_PATH Route Protection
• Origination, Transit and Policy Protection
• “Freshness”

In Common Use
• Peer-Peer protection methods
  • TCP MD5, IPSEC, TLS, GTSM, (BTNS?)
  • For crypto techniques, management the biggest problem
  • Managing keys for many, many peers, key rollover, hash algorithm rollover
  • Performance scale comes up frequently as well

In Common Use (2)
• Filters – prefix filters and AS-PATH filters
• Requires transitive trust
  • “Transitively trusting all peers’ on-net customers: fundamentally unsafe” (NANOG Renesys presentation)
• Management hard (particularly at large AS’s) – keeping filter lists current
• Manual configuration
• Authority based
• Team Cymru Bogon Route Server Project for VIP, bogon and martians; IRR based filter generators
• OTOH: Mar 2003 - 69/8 allocated; Jan 2004 – 83/8 and 84/8 allocated – installed filters did not keep up
• For large ISP’s – filter lists stress hardware
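
An added example, not part of the original slides: a minimal prefix filter plus AS-path filter in Python, showing both the stale-list problem noted for 69/8 and what such filters cannot see. The filter list contents and the function name filter_update are assumptions made for illustration; the AS_PATH in the last case is the Sep 9 path quoted earlier.

```python
import ipaddress

# Private-use AS number ranges (RFC 6996), 16-bit and 32-bit.
PRIVATE_ASNS = [range(64512, 65535), range(4200000000, 4294967295)]

# Constructed static filter list, as it might have been installed while 69/8
# was still unallocated. Entries are illustrative, not a real bogon feed.
STATIC_BOGONS = [ipaddress.ip_network(p)
                 for p in ("10.0.0.0/8", "192.168.0.0/16", "69.0.0.0/8")]


def filter_update(prefix, as_path, bogons=STATIC_BOGONS):
    """Apply the AS-path filter, then the prefix filter; return (accepted, reason)."""
    net = ipaddress.ip_network(prefix)
    for asn in as_path:
        if any(asn in r for r in PRIVATE_ASNS):
            return False, f"private AS {asn} in AS_PATH"
    for block in bogons:
        if net.overlaps(block):
            return False, f"prefix overlaps filtered block {block}"
    return True, "accepted"


if __name__ == "__main__":
    refreshed = STATIC_BOGONS[:2]            # list after 69/8 is removed
    cases = [
        ("12.0.0.0/8", [20, 64600, 10], STATIC_BOGONS),   # private AS leaked
        ("69.1.0.0/16", [20, 10], STATIC_BOGONS),         # stale list drops it
        ("69.1.0.0/16", [20, 10], refreshed),             # current list accepts
        ("12.0.0.0/8", [3549, 1239, 12956, 26210], STATIC_BOGONS),
    ]
    for prefix, path, bogons in cases:
        print(prefix, path, filter_update(prefix, path, bogons))
```

The last case is accepted: the path contains only public AS numbers and 12/8 is not a bogon, so these filters alone cannot tell that the origin is wrong.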

Requirements for Authorities
• Must scale to Internet size and routing dynamics
• Design issues:
  • Non-hierarchical, singly rooted, multiply rooted?
  • Centralized, replicated, or distributed?
  • Client/server vs peer-peer?
  • Query/response vs wholesale download?
  • Event based vs periodic download?
• ISP distaste for relying on external info for configuration of their routing; chicken and egg

Origination Protection
• Authorization only (AS is authorized address)
• Authorization and Authentication (AS is also currently announcing address) protects that “17%” unannounced but allocated
• Need authority (not necessarily central) that:
  • Stores info completely, accurately and securely
  • Accepts changes securely – model for authorization
• Need architecture and mechanisms for communication with “authority”
• Need procedures and tools for putting info into use

Origination and AS_PATH Adjacency Protection
• Checks that adjacent AS’s in AS_PATH have peering
• SoBGP, Garcia-Luna-Aceves/Smith
• Need way to securely transmit adjacency – inline or query/download from database
• Processing demands (crypto stuff)
• Residual vulnerabilities
  • existence of peering adjacency gives no assurance AS’s will transit traffic
  • does not assure loop freedom
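
An added example, not part of the original slides: the origination check from the Origination Protection slide and the adjacency check from this slide, written as plain table lookups in Python with no cryptography. The authorization and peering tables are constructed for illustration, reusing the AS numbers from the BGP Operation diagram and the Sep 9 AS_PATH; the function names are assumptions.

```python
import ipaddress

# Constructed authorization data. AS 10/20/22/30 come from the slides' diagram
# and 3549/1239/12956/26210 from the Sep 9 AS_PATH; the table contents
# themselves are assumptions made for this example.
ORIGIN_AUTH = {                      # prefix -> ASes authorized to originate it
    "12.0.0.0/8": {10},
    "12.12.0.0/16": {22},
}
PEERINGS = {frozenset(p) for p in [  # registered AS adjacencies
    (10, 20), (20, 30), (20, 22),
    (3549, 1239), (1239, 12956), (12956, 26210),
]}


def check_origin(prefix, as_path):
    """Classify the origin AS (last in AS_PATH) as valid, invalid or unknown."""
    net = ipaddress.ip_network(prefix)
    covering = [origins for auth, origins in ORIGIN_AUTH.items()
                if net.subnet_of(ipaddress.ip_network(auth))]
    if not covering:
        return "unknown"             # nobody registered this address space
    return "valid" if any(as_path[-1] in o for o in covering) else "invalid"


def check_adjacency(as_path):
    """Return adjacent AS pairs in the path that have no registered peering."""
    return [(a, b) for a, b in zip(as_path, as_path[1:])
            if a != b and frozenset((a, b)) not in PEERINGS]  # a == b: prepending


if __name__ == "__main__":
    updates = [
        ("12.0.0.0/8", [30, 20, 10]),                 # legitimate route
        ("12.0.0.0/8", [3549, 1239, 12956, 26210]),   # Sep 9 announcement
        ("12.1.0.0/16", [26210]),                     # more-specific of 12/8
        ("12.0.0.0/8", [12956, 26210, 10]),           # forged origin appended
    ]
    for prefix, path in updates:
        print(prefix, path, check_origin(prefix, path), check_adjacency(path))
```

The fourth update passes the origination check because the authorized origin was appended to the path, and only the adjacency check flags the unregistered 26210-10 link. A path forged entirely from registered adjacencies would pass both, which is the gap the route protection slide addresses.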

Origination and AS_PATH Route Protection
• Protection to show update propagating through AS’s AS_PATH
  • indicates each AS in path has willingness and capability to forward traffic toward the stated route
• SBGP; SPV
• Protection may or may not be passed inline
• Processing demands – crypto and storage
• Residual vulnerabilities
  • Freshness; policy compliance

Origination, Route and Policy Protection
• Policy protection – e.g., AS A has a peering relationship with B, not transit – B should not announce A’s addresses
• Need to express and communicate policy
  • That means expose policy – anathema to many
• Policy is specific to one AS
  • But may target remote AS
• No current mechanisms to express, communicate or ensure policies (caveat: SoBGP)

Freshness
• Receive replacement route, send replacement route – then send original route again
• BGP has no features that would facilitate discerning maintenance of update ordering

Current Activity
• Concerned community working on this
  • ISP’s, Registry, Security, Router Vendor folk
• Consensus is that the most pressing need is:
  • Registration database integrity improved
  • Authenticated list of AS-prefix origination authorizations
• Useful in many ways:
  • Operational debugging
  • Customer care
  • Security protection
• Fundamental basis for ANY security solution

Query
• Anyone interested in participating in discussion?
• In putting this to a trial?
• Start with AS->prefix mapping for Internet2
• See how difficult it is to include in operational procedures
• Sponsor - DHS S&T, SPRI program (Secure Protocols for the Routing Infrastructure)