The [Real] State of BGP Security Alexander Azimov Artyom Gavrichenkov 

Who is mr. BGP? 

•  Administra*ve en*ty •  Owners of address space •  BGP – de-facto standard rou*ng protocol between AS Autonomous systems 

Internet was born in… 

Tier-1 operators 

Regional Networks 

Tier-3+ networks 

Internet Exchange (IX) 

Protocol of business relaLonships IX TierN+1 TierN+1 TierN+1 TierN-1 +$$$ -$ 0$ IAMOPERATOR 

•  Link-state rou*ng protocols •  Distance vector rou*ng protocols •  Money vector protocol! What is the type of BGP rouLng protocol? 

BGP Decision process •  Local Preference (random digit) •  AS Path length (a sequence of AS Numbers, may be random) •  Origin •  MED •  EBGP > iBGP •  Router Id 

BGP Traffic Control Local_pref – priority for incoming traffic Prepend – DE priori*za*on of incoming traffic Communi*es – vector of announces Local_pref 50 Community: p2c Local Pref 150 Community c2p Local Pref 100 Customers Providers Peers Prepend +N Announce only customers Announce only customers Announce ALL 

BGP Traffic Control Local_pref – priority for incoming traffic Prepend – DE priori*za*on of incoming traffic Communi*es – vector of announces Local_pref 50 Community: p2c Local Pref 150 Community c2p Local Pref 100 Customers Providers Peers Prepend AS Path +N Announce only customers Announce only customers Announce ALL 

BGP Traffic Control Local_pref – priority for incoming traffic Prepend – DE priori*za*on of incoming traffic Communi*es – vector of announces Local_pref 50 Community: p2c Local Pref 150 Community c2p Local Pref 100 Customers Providers Peers Prepend AS Path +N Announce only customers Announce only customers Announce ALL 

BGP Flexibility 

PROBLEMS OFFICER? 

PROBLEMS OFFICER? 1) Hijacking Hijacked Route: A route which has been originated by a party other than the owner of the prefix. This could be via a forged ASN, or from another ASN. 

PROBLEMS OFFICER? 1) Hijacking Hijacked Route: A route which has been originated by a party other than the owner of the prefix. This could be via a forged ASN, or from another ASN. 

PROBLEMS OFFICER? 1) Hijacking Hijacked Route: A route which has been originated by a party other than the owner of the prefix. This could be via a forged ASN, or from another ASN. • L3 Denial of service 

PROBLEMS OFFICER? 1) Hijacking Hijacked Route: A route which has been originated by a party other than the owner of the prefix. This could be via a forged ASN, or from another ASN. • L3 Denial of service: improbable 

PROBLEMS OFFICER? 1) Hijacking Hijacked Route: A route which has been originated by a party other than the owner of the prefix. This could be via a forged ASN, or from another ASN. • L3 Denial of service: improbable • L3 Repudiation 

PROBLEMS OFFICER? 1) Hijacking Hijacked Route: A route which has been originated by a party other than the owner of the prefix. This could be via a forged ASN, or from another ASN. • L3 Denial of service: improbable • L3 Repudiation: easy 

PROBLEMS OFFICER? 1) Hijacking Hijacked Route: A route which has been originated by a party other than the owner of the prefix. This could be via a forged ASN, or from another ASN. • L3 Denial of service: improbable • L3 Repudiation: easy The trick is to topologically isolate a hijacked route 

Example 1: Certificate Authority Hijacking •  How to obtain a TLS certificate: 1.  An account is created at the CA website 2.  A CSR is created and uploaded 3.  Options to verify domain ownership: •  WHOIS records •  A specific HTML page under a specific URL •  Custom token in DNS TXT Record •  … 4.  Ownership is verified => TLS certificate is signed 

Example 1: Certificate Authority Hijacking •  How to obtain a TLS certificate: 1.  An account is created at the CA website 2.  A CSR is created and uploaded 3.  Options to verify domain ownership: •  WHOIS records •  A specific HTML page under a specific URL •  Custom token in DNS TXT Record •  … 4.  Ownership is verified => TLS certificate is signed 

Example 1: Certificate Authority Hijacking •  How to obtain a TLS certificate: 1.  An account is created at the CA website 2.  A CSR is created and uploaded 3.  Options to verify domain ownership: •  WHOIS records •  A specific HTML page under a specific URL •  Custom token in DNS TXT Record •  … 4.  Ownership is verified => TLS certificate is signed ⇒  Heavily relies on trusted routing 

Example 2: Spoofing TCP source •  Antispam block lists •  Access control via whitelists •  IP reputation 

Example 2: Spoofing TCP source •  Antispam block lists •  Access control via whitelists •  IP reputation ⇒  Heavily relies on trusted routing 

Example 2: Spoofing TCP source •  Antispam block lists •  Access control via whitelists •  IP reputation ⇒  Heavily relies on trusted routing Already in the wild 

PROBLEMS OFFICER? 1) Hijacking Hijacked Route: A route which has been originated by a party other than the owner of the prefix. This could be via a forged ASN, or from another ASN. 

PROBLEMS OFFICER? 2) Route Leaking Path: Also known as AS_PATH (or optionally AS4_PATH), the sequence of ASNs through which a route has passed from Originator to recipient. Link Classification: The "intent" of a given BGP peering session, which addresses only the categories of route announced and accepted, and which is further modified by Local Policy. A Link may be classified as: •  Customer: The Customer sends us only their own (locally originated) Routes, and the Customer's Customer's Routes (and Customer^Nth Routes). The Customer relationship is transitive. •  Transit: The Transit provider sends all Routes. This include the Transit Provider's Customers, the Transit Provider's Peers, and if there are any, the Transit Provider's Transit Provider's Routes. The Transit Provider relationship is also transitive. •  Peer: a Link over which the two parties send ONLY their respective Customer Routes (and their Customer's Routes, and so on). A Link which is classified as a Peer, will see us as a Peer Classification as well. The relationship is symmetric in nature. •  Special (which includes Mutual Transit, Sibling, and other non-trivial arrangements) Route Leak: any Route where, somewhere in the Path, a Non-Customer Route was received over a Peer or Customer Link. It should be observed that a route which is not a route leak, has an as-path that matches the following pattern: {C|S}*P?{T|S}* Where C is Customer, T is Transit, P is Peer, and S is Special, and "{ | }" denotes either/or, "*" means zero or more occurrences of, and "?" means zero or one occurrences of. 

PROBLEMS OFFICER? 2) Route Leaking Path: Also known as AS_PATH (or optionally AS4_PATH), the sequence of ASNs through which a route has passed from Originator to recipient. Link Classification: The "intent" of a given BGP peering session, which addresses only the categories of route announced and accepted, and which is further modified by Local Policy. A Link may be classified as: •  Customer: The Customer sends us only their own (locally originated) Routes, and the Customer's Customer's Routes (and Customer^Nth Routes). The Customer relationship is transitive. •  Transit: The Transit provider sends all Routes. This include the Transit Provider's Customers, the Transit Provider's Peers, and if there are any, the Transit Provider's Transit Provider's Routes. The Transit Provider relationship is also transitive. •  Peer: a Link over which the two parties send ONLY their respective Customer Routes (and their Customer's Routes, and so on). A Link which is classified as a Peer, will see us as a Peer Classification as well. The relationship is symmetric in nature. •  Special (which includes Mutual Transit, Sibling, and other non-trivial arrangements) Route Leak: any Route where, somewhere in the Path, a Non-Customer Route was received over a Peer or Customer Link. It should be observed that a route which is not a route leak, has an as-path that matches the following pattern: {C|S}*P?{T|S}* Where C is Customer, T is Transit, P is Peer, and S is Special, and "{ | }" denotes either/or, "*" means zero or more occurrences of, and "?" means zero or one occurrences of. 

PROBLEMS OFFICER? 2) Route Leaking Path: Also known as AS_PATH (or optionally AS4_PATH), the sequence of ASNs through which a route has passed from Originator to recipient. Link Classification: The "intent" of a given BGP peering session, which addresses only the categories of route announced and accepted, and which is further modified by Local Policy. A Link may be classified as: •  Customer: The Customer sends us only their own (locally originated) Routes, and the Customer's Customer's Routes (and Customer^Nth Routes). The Customer relationship is transitive. •  Transit: The Transit provider sends all Routes. This include the Transit Provider's Customers, the Transit Provider's Peers, and if there are any, the Transit Provider's Transit Provider's Routes. The Transit Provider relationship is also transitive. •  Peer: a Link over which the two parties send ONLY their respective Customer Routes (and their Customer's Routes, and so on). A Link which is classified as a Peer, will see us as a Peer Classification as well. The relationship is symmetric in nature. •  Special (which includes Mutual Transit, Sibling, and other non-trivial arrangements) Route Leak: any Route where, somewhere in the Path, a Non-Customer Route was received over a Peer or Customer Link. It should be observed that a route which is not a route leak, has an as-path that matches the following pattern: {C|S}*P?{T|S}* Where C is Customer, T is Transit, P is Peer, and S is Special, and "{ | }" denotes either/or, "*" means zero or more occurrences of, and "?" means zero or one occurrences of. 

Example 3: The Day the Earth Stood Still AS 3549 AS 32934 AS 4788 

Example 3: The Day the Earth Stood Still AS 3549 AS 32934 AS 4788 

Example 3: The Day the Earth Stood Still AS 3549 AS 32934 AS 4788 

No content

Cost of a human error: Leaks’2015 per month 0 100000 200000 300000 400000 500000 600000 August September October November* 

BGP Security Problems •  Origin valida*on •  Announce vector valida*on 

Origin ValidaLon: Route Objects % Informa*on related to '178.248.232.0/23AS197068' route: 178.248.232.0/23 descr: "HLL" LLC origin: AS197068 mnt-by: MNT-QRATOR created: 2012-11-22T21:07:45Z last-modified: 2012-11-22T21:07:45Z source: RIPE # Filtered 

Origin ValidaLon: Route Objects Local_pref – priority for incoming traffic Prepend – DE priori*za*on of incoming traffic Communi*es – vector of announces Route Objects for Origin valida*on Local_pref 50 Community: p2c Local Pref 150 Community c2p Check if prefix has appropriate origin Local Pref 100 Customers Providers Peers Prepend +N Announce only customers Announce only customers Announce ALL 

Different IRRs – different rules and objects No unique objects! No cross-IRR authoriza*on 

Origin ValidaLon: RPKI 

BGP Flexibility wins! 

BGP Decision process •  Local Preference (random digit) •  AS Path length (a sequence of AS Numbers, may be random) •  Origin •  MED •  EBGP > iBGP •  Route Id Prepend with valid origin! Makes RPKI useless. 

BGP Security Problems •  Origin valida*on •  AS Path Valida*on •  Announce vector valida*on 

AS Path validaLon: BGPSec 

SLll dra\… Last update 06.07.2015; v13! hpps://datatracker.ieq.org/doc/drar-ieq-sidr-bgpsec-protocol/ 

BGP Security Problems •  Origin valida*on •  AS Path Valida*on (BGPSec… someday) •  Announce vector valida*on 

Announce vector validaLon: CommuniLes Local_pref – priority for incoming traffic Prepend – DE priori*za*on of incoming traffic Communi*es – vector of announces Local_pref 50 Community: p2c Local Pref 150 Community c2p Local Pref 100 Customers Providers Peers Prepend +N Announce only customers Announce only customers Announce ALL 

Announce vector validaLon: CommuniLes It works! RFC Standard since 1996 hpps://tools.ieq.org/html/rfc1997 

BGP Flexibility wins! 

Announce vector validaLon 4 Roles: customer, provider, peer, internal Op*onal non-transit apribute – Role Marker Role Import Marker Internal Session No role marker change Role Export Filter 

Idle state: No role set 

NoLficaLon: The Wrong Role OPEN with customer role OPEN with peer role Capabili*es No*fica*on No*fica*on 3 pairs of non-conflict roles: 1.  Peer <---> Peer 2.  Customer <---> Provider 3.  Internal <---> Internal 

Strict Mode OPEN with no role OPEN with peer role No*fica*on No5fica5on if the role is not set in OPEN from the neighbor 

A Simple Config protocol bgp IAMOPERATOR { local as MY_AS; neighbor X.X.X.X as AS_PROVIDER; role provider } 

Benefits Backward compa*bility •  Unknown op*onal non-transit apributes are just ignored •  Unknown capabili*es should be just ignored! Route leak ex*nc*on: •  No mistake leaks •  Opportunity to control neighbor configura*on 

Useful Links Overview of protocol change: radar.qrator.net/tools/simple-bgp/ Fork of BIRD routing daemon: github.com/QratorLabs/bird/ 

Questions? Contact us: Alexander Azimov Artyom Gavrichenkov