
The [Real] State of BGP Security


The Border Gateway Protocol is the thing that makes the world go round. It provides all the tools necessary to manage the connections between networks and to make those networks reachable and accessible from all over the world. Unfortunately there are plenty of problems in the core architecture of BGP that affect everyone in the global network, from Internet service providers to the end-users.

During the talk, the most important anomalies at the BGP layer, prefix hijacking and route leaking, are covered, and the current threat level is discussed along with the proposed countermeasures.

Artyom "Töma" Gavrichenkov

November 26, 2015

Transcript

  1. Autonomous systems
     •  Administrative entity
     •  Owners of address space
     •  BGP: de-facto standard routing protocol between ASes
  2. What is the type of BGP routing protocol?
     •  Link-state routing protocols
     •  Distance vector routing protocols
     •  Money vector protocol!
  3. BGP Decision process
     •  Local Preference (random digit)
     •  AS Path length (a sequence of AS Numbers, may be random)
     •  Origin
     •  MED
     •  eBGP > iBGP
     •  Router Id
  4-6. BGP Traffic Control
     •  Local_pref: priority for incoming traffic
     •  Prepend (AS Path +N): deprioritization of incoming traffic
     •  Communities: vector of announces
     (Diagram: import and export policy per neighbour type)
     Neighbour    Import local_pref   Community   Export
     Customers    150                 c2p         Announce ALL
     Peers        100                             Announce only customers
     Providers    50                  p2c         Announce only customers
  7-13. PROBLEMS OFFICER? 1) Hijacking
     Hijacked Route: A route which has been originated by a party other than the owner of the prefix. This could be via a forged ASN, or from another ASN.
     •  L3 Denial of service: improbable
     •  L3 Repudiation: easy
     The trick is to topologically isolate a hijacked route
  14-16. Example 1: Certificate Authority Hijacking
     •  How to obtain a TLS certificate:
        1.  An account is created at the CA website
        2.  A CSR is created and uploaded
        3.  Options to verify domain ownership:
            •  WHOIS records
            •  A specific HTML page under a specific URL
            •  Custom token in a DNS TXT record
            •  …
        4.  Ownership is verified => TLS certificate is signed
     ⇒  Heavily relies on trusted routing
  17-19. Example 2: Spoofing TCP source
     •  Antispam block lists
     •  Access control via whitelists
     •  IP reputation
     ⇒  Heavily relies on trusted routing
     Already in the wild
  21-23. PROBLEMS OFFICER? 2) Route Leaking
     Path: Also known as AS_PATH (or optionally AS4_PATH), the sequence of ASNs through which a route has passed from Originator to recipient.
     Link Classification: The "intent" of a given BGP peering session, which addresses only the categories of route announced and accepted, and which is further modified by Local Policy. A Link may be classified as:
     •  Customer: The Customer sends us only their own (locally originated) Routes, and the Customer's Customer's Routes (and Customer^Nth Routes). The Customer relationship is transitive.
     •  Transit: The Transit provider sends all Routes. This includes the Transit Provider's Customers, the Transit Provider's Peers, and if there are any, the Transit Provider's Transit Provider's Routes. The Transit Provider relationship is also transitive.
     •  Peer: a Link over which the two parties send ONLY their respective Customer Routes (and their Customer's Routes, and so on). A Link which is classified as a Peer will see us as a Peer Classification as well. The relationship is symmetric in nature.
     •  Special (which includes Mutual Transit, Sibling, and other non-trivial arrangements)
     Route Leak: any Route where, somewhere in the Path, a Non-Customer Route was received over a Peer or Customer Link.
     It should be observed that a route which is not a route leak has an AS path that matches the following pattern:
         {C|S}*P?{T|S}*
     where C is Customer, T is Transit, P is Peer, and S is Special, "{ | }" denotes either/or, "*" means zero or more occurrences of, and "?" means zero or one occurrences of.
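The pattern above can be checked mechanically once every link along the path is classified from the point of view of the AS that received the route over it. The following is an added example, not code from the talk: it builds such a classification table for a hypothetical topology (RFC 5398 documentation ASNs, relationships made up for the demonstration), turns an AS_PATH into the link sequence from originator to recipient, and matches it against `{C|S}*P?{T|S}*`. In practice a router only knows the classification of its own links, which is why the rest of the talk moves to signalling roles per session.

```python
# Added example: route-leak detection with the {C|S}*P?{T|S}* pattern.
# Topology and relationship table are hypothetical (RFC 5398 documentation ASNs).
import re

# A route that is NOT a leak has, from originator to recipient, zero or more
# Customer/Special links, at most one Peer link, then zero or more Transit/Special links.
NOT_A_LEAK = re.compile(r"^[CS]*P?[TS]*$")


def build_relationships(providers_of, peers):
    """rel[(receiver, sender)] = how `receiver` classifies the link over which it
    receives routes from `sender`: C(ustomer), T(ransit) or P(eer)."""
    rel = {}
    for customer, providers in providers_of.items():
        for provider in providers:
            rel[(customer, provider)] = "T"   # customer receives transit routes
            rel[(provider, customer)] = "C"   # provider receives customer routes
    for a, b in peers:
        rel[(a, b)] = rel[(b, a)] = "P"       # symmetric
    return rel


def link_sequence(recipient, as_path, rel):
    """AS_PATH in wire order (nearest AS first, originator last) -> string of link
    classes ordered from originator to recipient. Prepended repeats collapse."""
    chain = [recipient]
    for asn in as_path:
        if asn != chain[-1]:
            chain.append(asn)
    links = []
    for receiver, sender in zip(chain, chain[1:]):
        if (receiver, sender) not in rel:
            # Do not guess: an unclassified link cannot be declared leak-free.
            raise ValueError("no classification for link %d <- %d" % (receiver, sender))
        links.append(rel[(receiver, sender)])
    return "".join(reversed(links))


def is_route_leak(recipient, as_path, rel):
    return NOT_A_LEAK.match(link_sequence(recipient, as_path, rel)) is None


# Hypothetical topology: AS64496 and AS64502 are stub customers, AS64498 buys transit
# from AS64501, AS64500 is multihomed to AS64499 and AS64501, and AS64499 peers with
# AS64497 and AS64498.
REL = build_relationships(
    providers_of={64496: [64497, 64498], 64502: [64501],
                  64498: [64501], 64500: [64499, 64501]},
    peers=[(64497, 64499), (64498, 64499)],
)


def demo():
    """Paths as seen by AS64500 (via its provider AS64499) and by AS64501."""
    return {
        # customer -> peer -> transit: fine
        "normal": is_route_leak(64500, [64499, 64497, 64496], REL),
        # same path with AS64497 prepending itself: still fine
        "prepended": is_route_leak(64500, [64499, 64497, 64497, 64497, 64496], REL),
        # AS64498 passed a route from its provider AS64501 on to its peer AS64499
        "provider_to_peer": is_route_leak(64500, [64499, 64498, 64501, 64502], REL),
        # AS64496 passed a route from provider AS64497 on to its other provider AS64498
        "provider_to_provider": is_route_leak(64501, [64498, 64496, 64497], REL),
    }


if __name__ == "__main__":
    for name, leaked in demo().items():
        print("%-22s %s" % (name, "LEAK" if leaked else "ok"))
```

The link letters are the ones the definition uses, so `link_sequence` output can be compared directly with the pattern on the slide; an unclassified link raises instead of being treated as leak-free.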
  24. Cost of a human error: Leaks'2015 per month
     (Bar chart: route leaks per month, y-axis 0 to 600,000; months August, September, October, November*. November is marked * on the slide; the talk was given on 26 November.)
  25. Origin Validation: Route Objects
     % Information related to '178.248.232.0/23AS197068'
     route:          178.248.232.0/23
     descr:          "HLL" LLC
     origin:         AS197068
     mnt-by:         MNT-QRATOR
     created:        2012-11-22T21:07:45Z
     last-modified:  2012-11-22T21:07:45Z
     source:         RIPE # Filtered
  26. Origin Validation: Route Objects
     •  Local_pref: priority for incoming traffic
     •  Prepend (AS Path +N): deprioritization of incoming traffic
     •  Communities: vector of announces
     •  Route Objects for Origin validation: check if the prefix has the appropriate origin
     (Diagram: the traffic-control policy of slides 4-6, local_pref 150 / 100 / 50 and communities c2p / p2c for customers / peers / providers, announce only customer routes to providers and peers, announce ALL to customers, with the origin check added on import)
  27. BGP Decision process
     •  Local Preference (random digit)
     •  AS Path length (a sequence of AS Numbers, may be random)
     •  Origin
     •  MED
     •  eBGP > iBGP
     •  Router Id
     Announce the prefix with the valid origin AS at the end of a forged AS path! Origin validation checks only the origin, so RPKI alone is useless against this.
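The point of the slide, worked through as an added example that is not part of the talk: a ROA is assumed to mirror the RIPE route object shown above, a hijacker (documentation AS64496, a direct peer) is checked against it once with a forged origin and once with the real origin appended to its path, and the survivors go through the decision process in the order of the slide. The transit ASNs and router IDs are made up.

```python
# Added example: origin validation against a ROA, then the BGP decision process.
# AS64496-64498 are RFC 5398 documentation ASNs; the ROA and router IDs are assumed.
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    origin_as: int


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple          # wire order: nearest AS first, origin AS last
    local_pref: int = 100
    origin: int = 0         # 0 = IGP, 1 = EGP, 2 = INCOMPLETE (lower wins)
    med: int = 0
    ebgp: bool = True
    router_id: str = "0.0.0.0"


def roa_validate(prefix, origin_as, roas):
    """RFC 6811-style origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ip_network(roa.prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def decision_key(route):
    """Sort key in the order of the 'BGP Decision process' slide; min() wins.
    (MED is compared across all neighbours here, a simplification.)"""
    return (-route.local_pref, len(route.as_path), route.origin, route.med,
            0 if route.ebgp else 1,
            tuple(int(o) for o in route.router_id.split(".")))


def best_path(routes, roas):
    """Drop ROA-invalid routes, then run the decision process on the rest."""
    accepted = [r for r in routes
                if roa_validate(r.prefix, r.as_path[-1], roas) != "invalid"]
    return min(accepted, key=decision_key) if accepted else None


# ROA assumed to mirror the route object on the previous slides.
ROAS = [ROA("178.248.232.0/23", 23, 197068)]

# Legitimate route, two hops away via transit AS64497 and AS64498.
LEGIT = Route("178.248.232.0/23", (64497, 64498, 197068), router_id="192.0.2.1")
# Hijacker AS64496 (a direct peer) announcing itself as origin.
HIJACK_FORGED_ORIGIN = Route("178.248.232.0/23", (64496,), router_id="192.0.2.2")
# Same hijacker with the real origin appended to its forged path.
HIJACK_WITH_VALID_ORIGIN = Route("178.248.232.0/23", (64496, 197068), router_id="192.0.2.2")


def demo():
    naive = best_path([LEGIT, HIJACK_FORGED_ORIGIN], roas=[])     # no ROA: shorter forged path wins
    with_roa = best_path([LEGIT, HIJACK_FORGED_ORIGIN], ROAS)     # ROA drops the forged origin
    evaded = best_path([LEGIT, HIJACK_WITH_VALID_ORIGIN], ROAS)   # ROA passes it; shorter path wins
    return naive, with_roa, evaded


if __name__ == "__main__":
    for label, winner in zip(("no ROA", "ROA, forged origin", "ROA, valid origin"), demo()):
        print("%-20s -> %s" % (label, winner.as_path))
```

The third case is the slide's point: both announcements are ROA-valid, equal on local preference, and the hijacker's two-hop path beats the legitimate three-hop one. Only path validation (the next slide's "someday") or policy outside the decision process changes that.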
  28. BGP Security Problems
     •  Origin validation
     •  AS Path validation (BGPSec… someday)
     •  Announce vector validation
  29. Announce vector validation: Communities
     (Diagram: the traffic-control policy of slides 4-6, local_pref 150 / 100 / 50 and communities c2p / p2c for routes from customers / peers / providers; announce only customer routes to providers and peers, announce ALL to customers, prepend AS Path +N to deprioritize incoming traffic)
  30. Announce vector validation
     •  4 roles: customer, provider, peer, internal
     •  Optional non-transitive attribute: Role Marker
     •  Import: set the Role Marker
     •  Internal session: no Role Marker change
     •  Export: Role filter
  31. Notification: The Wrong Role
     OPEN with customer role <-> OPEN with peer role: capabilities conflict => Notification
     3 pairs of non-conflicting roles:
     1.  Peer <---> Peer
     2.  Customer <---> Provider
     3.  Internal <---> Internal
  32. Strict Mode
     OPEN with no role <-> OPEN with peer role => Notification
     Notification if the role is not set in OPEN from the neighbor
  33. A Simple Config
     protocol bgp IAMOPERATOR {
         local as MY_AS;
         neighbor X.X.X.X as AS_PROVIDER;
         role provider;
     }
  34. Benefits
     Backward compatibility:
     •  Unknown optional non-transitive attributes are just ignored
     •  Unknown capabilities should be just ignored!
     Route leak extinction:
     •  No mistake leaks
     •  Opportunity to control neighbor configuration