Practical BGP Security

The vulnerabilities in the Border Gateway Protocol (BGP) have been widely known for many years now. The threats range from attacks on the TCP port 179 sessions between peers and the injection of false information into the global routing table, to creating a Denial of Service (DoS) condition or rerouting traffic to perform a Man-in-the-Middle (MITM) attack.

If you saw the cover of the January 19th issue of Network World, then you saw the story about the U.S. government working toward securing its BGP connections. The Department of Homeland Security (DHS) recognizes these threats and what their consequences would mean for the U.S. government. It is looking toward BGPSEC to help solve the problem.

Unfortunately, BGP suffers from the same problem as IPv6 adoption: you can’t change the routed protocol or the routing protocol of the Internet overnight. There must be flexible transition mechanisms, and there will not be any “flag day” on which the migration is accomplished. With constrained budgets, there also needs to be a strong ROI to justify the substantial effort required to change BGP. That is equally true for any adjustment to BGP, such as moving to 4-byte AS numbers; to learn more about BGP’s new 4-byte ASN, check out Jeff Doyle’s Cisco Subnet blog. So if you are going to make a change to BGP, you basically have one shot at it, and it had better be right the first time – no do-overs.

Unfortunately, it will take substantial time to do it correctly on the first attempt, and it will also take time to develop and implement BGPSEC in all the network equipment you use. The IETF has been working on the problem of BGP security since about 2002. The IETF Inter-Domain Routing (IDR) working group and the Routing Protocol Security (RPSEC) working group have been working on the vulnerabilities, requirements and changes to BGP, but no RFC has been finalized. Once the RFC is finalized, it will take time for manufacturers to implement the standard. Therefore, the earliest we will see BGPSEC is several years from now.

While you wait for the slow-moving big wheels of the Internet to turn, you need some way of protecting yourself from the current set of threats. Fortunately, in the meantime there are many things you can do to secure your BGP connections. Below is a list of best practices for configuring BGP on Cisco routers for maximum security and stability.

A BGP password enables MD5 authentication of the TCP session between peers, so that segments not signed with the shared secret are rejected and the information exchanged cannot be spoofed or injected by a third party.

neighbor <peer-address> password P@ssw0rd

TTL security (GTSM, also known as the TTL hack) checks the TTL of incoming BGP packets so that the router only accepts sessions from directly connected neighbors; packets that have crossed additional hops are dropped.

neighbor <peer-address> ttl-security hops 1

ACLs for filtering BGP traffic on external interfaces. Use the external interface ACL to permit BGP (TCP port 179) only from the directly connected ISP router, and then in the next ACL entries deny all other BGP packets on the outside interface.

! <peer-address> stands for the ISP router and <local-address> for this router's interface address
interface Serial 1/0
 description Connection to external BGP peer
 ip address <local-address> <mask>
 ip access-group 110 in
!
access-list 110 …
access-list 110 permit tcp host <peer-address> host <local-address> eq bgp
access-list 110 permit tcp host <peer-address> eq bgp host <local-address>
access-list 110 deny tcp any any eq bgp
access-list 110 deny tcp any eq bgp any
access-list 110 …

Prevent long AS paths from causing problems for your routers. Use this command to restrict the maximum length of the AS paths accepted.

bgp maxas-limit 50

Limit the number of prefixes received from an Internet neighbor to prevent overload conditions.

neighbor <peer-address> maximum-prefix 350000

Prevent updates from containing private AS numbers (64512 to 65535).

neighbor <peer-address> remove-private-as

Enable BGP graceful restart.

bgp graceful-restart

Disable BGP route flap dampening. Sometimes it causes more problems than it prevents.

no bgp dampening

Enable BGP soft reconfiguration.

bgp soft-reconfig-backup
neighbor <peer-address> soft-reconfiguration inbound

Log BGP neighbor state changes so you can track down any problems you encounter.

bgp log-neighbor-changes
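As an added check that is not part of the original article, the following Python script reads a Cisco IOS running-config excerpt and reports which of the controls listed above are missing at the BGP process level and for each neighbor. The sample configuration, its AS numbers and its peer addresses are constructed for the example.

```python
import re
# Constructed IOS "router bgp" excerpt for demonstration (not from the article);
# 192.0.2.1 and 198.51.100.9 are documentation addresses standing in for ISP peers.
SAMPLE_CONFIG = """\
router bgp 64496
 bgp log-neighbor-changes
 bgp maxas-limit 50
 no bgp dampening
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 password P@ssw0rd
 neighbor 192.0.2.1 maximum-prefix 350000
 neighbor 192.0.2.1 soft-reconfiguration inbound
 neighbor 198.51.100.9 remote-as 64501
 neighbor 198.51.100.9 ttl-security hops 1
 neighbor 198.51.100.9 remove-private-as
"""
# Process-level controls from the checklist and the line that satisfies each.
GLOBAL_REQUIRED = {
    "log-neighbor-changes": re.compile(r"^ bgp log-neighbor-changes\s*$"),
    "maxas-limit": re.compile(r"^ bgp maxas-limit \d+\s*$"),
    "graceful-restart": re.compile(r"^ bgp graceful-restart\s*$"),
}
DAMPENING = re.compile(r"^ bgp dampening\b")  # "no bgp dampening" does not match
NEIGHBOR = re.compile(r"^ neighbor (\S+) (.+?)\s*$")
# Per-neighbor controls, matched against the text after the neighbor address.
NEIGHBOR_REQUIRED = {
    "md5 password": re.compile(r"^password\b"),
    "ttl-security": re.compile(r"^ttl-security hops \d+$"),
    "maximum-prefix": re.compile(r"^maximum-prefix \d+"),
    "remove-private-as": re.compile(r"^remove-private-as\b"),
    "soft-reconfiguration inbound": re.compile(r"^soft-reconfiguration inbound$"),
}

def audit_bgp(config):
    """Return missing controls as {'global': [...], 'neighbors': {addr: [...]}}."""
    in_bgp, dampening, global_found, neighbors = False, False, set(), {}
    for line in config.splitlines():
        # Stay inside "router bgp" while lines are indented; an unindented line ends it.
        in_bgp = line.startswith("router bgp ") or (in_bgp and line.startswith(" "))
        if not in_bgp:
            continue
        global_found.update(n for n, p in GLOBAL_REQUIRED.items() if p.match(line))
        dampening = dampening or bool(DAMPENING.match(line))
        m = NEIGHBOR.match(line)
        if m:  # accumulate the controls seen for this neighbor address
            found = neighbors.setdefault(m.group(1), set())
            found.update(n for n, p in NEIGHBOR_REQUIRED.items() if p.match(m.group(2)))
    missing = sorted(set(GLOBAL_REQUIRED) - global_found) + (["dampening enabled"] if dampening else [])
    return {"global": missing,
            "neighbors": {a: sorted(set(NEIGHBOR_REQUIRED) - s) for a, s in neighbors.items()}}
```

Running audit_bgp(SAMPLE_CONFIG) flags the missing graceful restart globally, the missing TTL security and private-AS removal on 192.0.2.1, and the missing password, prefix limit and soft reconfiguration on 198.51.100.9.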

These techniques, in addition to all the typical Internet router hardening techniques, can be used to help keep your Internet routers strong while we wait for BGPSEC.



Copyright © 2009 IDG Communications, Inc.