Securing BGP Sessions
The Border Gateway Protocol version 4 (BGP4) protocol has been in existence since 1994 and has been updated several times over the past 15 years. BGP4, defined in RFC 4271, is the routing protocol used between autonomous systems that make up the Internet. External BGP (EBGP) is used between autonomous systems, and Internal BGP (IBGP) is used within an autonomous system. BGP is a path-vector routing protocol, where the paths are the list of autonomous systems that must be traversed to reach the destination prefix. Through the years, BGP has been extended to carry different types of routing information. RFC 4760, "Multiprotocol Extensions for BGP-4," allows BGP to operate over IPv4 or IPv6 and carry either type of routing information.
BGP is the central nervous system with which virtually all service providers are wired. Because BGP is the critical routing protocol of the Internet, it is a target of attacks. Attackers know that if they can find a weakness in BGP and exploit it, they could potentially destabilize the entire Internet. RFC 4272, "BGP Security Vulnerabilities Analysis," showed the weaknesses in BGP that service providers should try to prevent. Therefore, it is important that you work to secure BGP by focusing on the following areas:
- Authentication: Who are you talking to?
- Confidentiality: How do we communicate?
- Integrity: What is being said?
- Availability: Are you there?
Conventionally there are several approaches to securing BGP sessions, including the following:
- Explicitly configured BGP peers
- Using BGP session shared secrets
- Leveraging an IPsec tunnel
- Using loopback addresses on BGP peers
- Controlling the Time-to-Live (TTL) on BGP packets
- Filtering on the peering interface
- Using link-local peering
- Preventing long AS paths
- Limiting the number of prefixes received
- Preventing BGP updates that contain private AS numbers
- Maximizing BGP peer availability
- Logging BGP neighbor activity
- Securing IGP
- Extreme measures for securing communications between BGP peers
The following sections briefly describe each of these methods. More extreme measures that are not frequently used are also briefly mentioned later in this chapter.
Explicitly Configured BGP Peers
One technique for securing BGP sessions is the concept that BGP sessions must be configured on each peering router. Peering is done explicitly by both BGP speakers. Therefore, a router will not form a peering session with another router that it has not been configured to peer with, and both peers mutually agree upon the BGP settings. A BGP peering session is not established if only one router is configured. There must be complementary configurations on each side for communications to take place. BGP communications take place over TCP, so the protocol must rely on a properly configured IP-layer foundation. BGP uses TCP port 179, so it has some inherent security in the fact that it is a connection-oriented protocol. TCP session state is maintained between the two peers.
The fact that BGP is a stateful transport layer routing protocol would normally provide some level of security, but it is also one of BGP's weaknesses. Attackers can spoof BGP packets and send them toward one of the BGP routers, or they could attack the TCP peering session between two BGP routers. Threats against long-lived TCP sessions involve TCP session hijacking using sequence number predication to reset one of the peers. One solution to this problem is to have BGP implementations use strong sequence number randomization. Therefore guessing the next sequence number or acknowledgment (ACK) number would be difficult and improbable.
Using BGP Session Shared Secrets
One of the most widely used methods of securing BGP communications is to use a shared secret (password). RFC 2385, "Protection of BGP Sessions via the TCP MD5 Signature Option," defines how a simple password can be used with a message digest algorithm 5 (MD5) digest inserted into the BGP packets. This digest adds authentication to BGP and helps prevent an attacker from spoofing a BGP peer.
Even though it is a best practice to use a different password for every peering session, this can be difficult to maintain. Regardless, it is unwise to use the same secret password for all peering sessions. As they say, it is not a secret if you tell a bunch of people. RFC 3562, "Key Management Considerations for the TCP MD5 Signature Option," defines how a centralized system can maintain the security of the keys for all organizations. On a Cisco router, the password is assigned at the time that the neighbor is configured. Following is the router configuration command to enable MD5 authentication for a BGP peer:
neighbor neighbor-ipv6-address password P@ssw0rd
Leveraging an IPsec Tunnel
Another technique for securing BGP communications is to leverage the security of an IPsec tunnel. IPsec is a strong way to secure BGP peers, protect the integrity of updates, and assist in preventing DoS attacks that target BGP peers. Using IPsec is better than MD5 because it keeps the keys refreshed over time. Because BGP is a TCP protocol, it can use IPsec with no modification. However, an IPsec connection must be created for the peering to form. This can add significant overhead to the routers, so it might be prohibitive in terms of CPU resources. Configuring and troubleshooting the IPsec tunnel can add significant burden to maintaining a service provider network. Furthermore, the IPsec tunnel that is used for sending routing information is thus used to forward traffic. The added packet-size overhead that IPsec adds would negatively impact throughput performance. Even though using IPsec is a secure method, it is not widely used.
Even still, an attacker who knows that a router is using authentication can simply create a large number of spoofed packets with fake authentication parameters and send them toward that router. This would cause the router to process these fake packets (even if they are quickly rejected) and artificially consume router resources. The CPU spike on the target router could delay legitimate routing traffic, thus accomplishing the attacker's goal of disrupting a network. Attackers could launch many authentication failures at the BGP router to potentially crash it. Therefore, authentication cannot be the only method of securing BGP communications.
Other methods of preventing unwanted traffic coming toward a router from causing problems involves filtering with access control lists (ACL). Control Plane Policing (CoPP) or Control Plane Protection (CPPr) can filter packets on the control plane of the router. Infrastructure ACLs (iACL) and receive ACLs can prevent the undesirable packets from reaching the router in the first place. Both of these concepts are covered fully in Chapter 6, "Hardening IPv6 Network Devices."
Using Loopback Addresses on BGP Peers
By using loopback addresses to peer BGP routers, it is more difficult for an attacker to know the source address of the TCP 179 peering session if the IP address could not be determined through the use of traceroute. Because loopbacks are logical interfaces, peering with loopbacks makes the BGP peers less physically connected and requires an Interior Gateway Protocol (IGP). Loopback interfaces are always up and operational, so they are very stable interfaces for the router to source many types of communications such as authentication, authorization, and accounting (AAA) or management traffic. Peering between loopback addresses is more popular on IBGP peers than EBGP peers because IBGP connections rely on an IGP. EBGP peers typically use the directly connected IP addresses on each end of the physical link, but these addresses can be easily discovered by attackers. Regardless, having a loopback IPv4 address as the router ID (RID) for the BGP process is a best practice.
Controlling the Time-to-Live (TTL) on BGP Packets
Another technique involves controlling the TTL value that is set in the IP header on the TCP port 179 packets. EBGP routers send updates with a TTL typically set to 255, and EBGP routers typically accept packets that have a TTL set to 0 or greater. The problem is that an EBGP router can accept BGP packets that could have surreptitiously come from a network many hops away. If the TTL is constrained so that the TCP packets cannot travel beyond the direct physical connection between two peers, some security is gained. IBGP routers typically peer over many physical hops, so this technique is not necessarily applicable in all situations.
To secure EBGP peers and create a better TTL algorithm, the Internet Engineering Task Force (IETF) devised BGP TTL Security Hack (BTSH), which is also known as the Generalized TTL-based Security Mechanism (GTSM) (RFC 3682). This technique makes the EBGP router send TCP 179 packets to its peer with the TTL set to 255. The remote peer receives the BGP packet, and the router decrements the TTL to 254. That remote EBGP peer can then only accept BGP packets that have a TTL set to 254 or higher. This enforces the rule that EBGP peers only accept BGP packets from the directly connected peers that are only one hop away. If a spoofed BGP peer sending BGP packets comes from two hops away, the targeted router receives a TTL of 253. Because this TTL value of the forged packet is not greater than 254, that packet fails the test and is silently discarded. Therefore, packets with TTL values lower than 254 have originated more than one hop away. The TTL settings need to be configured on both peers to be effective. BTSH was first available in Cisco IOS Releases 12.0(27)S, 12.3(7)T, and 12.2(25)S. This technique is also affectionately referred to as the TTL-Hack. Following is the command that is used on each neighbor:
neighbor neighbor-ipv6-address ttl-security hops 1
BTSH helps with attacks against BGP, but it is not a complete solution within itself. For example, BTSH is not available to use on IBGP sessions. In addition to several other combinations, the TTL-Hack is a stronger strategy. It should also be mentioned that MD5 passwords and the TTL checking are both handled by the router CPU. These might be stronger techniques if routers start to support these security measures in hardware.
You can configure a reasonably secure IPv6 EBGP router with several of these techniques configured together. Figure 3-3 shows an example of two ISP routers that are peering with each other. Both ISPs have customer connections and their own backbone connections. The routers peer with both IPv4 and IPv6.
Figure 3-3 IPv6 EBGP Peering Session
Example 3-5 shows the configuration of ISP1's R1 in this scenario. Router R1 peers with R2 over its Serial 1/0 interface. Each BGP speaker expects the TTL value in the IPv6 header to be 254. The multiprotocol BGP configuration uses the TTL-Hack and uses different passwords for the IPv4 peer and the IPv6 peer. R1 connects to the Customer 1 router over its Serial 1/1 interface. R1 uses prefix filters to limit what it learns from the customer network and what it sends and receives from the other ISP. The goal of the customer prefix list is to only allow the customer to advertise its own /48. The ISP prefix lists restrict routes more specific than a /48 and permits Teredo and 6to4 routes. Teredo and 6to4 are IPv6 transition mechanisms that are covered in more detail in Chapter 10, "Securing the Transition Mechanisms."
Example 3-5. Sample EBGP Router Configuration
hostname R1 ! interface Loopback0 ip address 220.127.116.11 255.255.255.255 ipv6 address 2001:DB8::1:1:1:1/128 ! interface FastEthernet0/0 ip address 18.104.22.168 255.255.255.0 ipv6 address 2001:DB8:100::1/64 ! interface Serial1/0 description ISP interconnect ip address 192.168.12.1 255.255.255.0 ip access-group 100 in ipv6 address 2001:DB8:12::1/64 ipv6 traffic-filter ALLOWBGP in ! interface Serial1/1 description Customer 1 ip address 22.214.171.124 255.255.255.0 ipv6 address 2001:DB8:1:1::1/64 ! router bgp 100 bgp router-id 126.96.36.199 no bgp fast-external-fallover bgp log-neighbor-changes bgp graceful-restart restart-time 120 bgp graceful-restart stalepath-time 360 bgp graceful-restart bgp maxas-limit 50 neighbor 188.8.131.52 remote-as 1000 neighbor 184.108.40.206 ttl-security hops 1 neighbor 220.127.116.11 password cisco321 neighbor 2001:DB8:1:1::11 remote-as 1000 neighbor 2001:DB8:1:1::11 ttl-security hops 1 neighbor 2001:DB8:1:1::11 password cisco123 neighbor 2001:DB8:12::2 remote-as 200 neighbor 2001:DB8:12::2 ttl-security hops 1 neighbor 2001:DB8:12::2 password cisco123 neighbor 192.168.12.2 remote-as 200 neighbor 192.168.12.2 ttl-security hops 1 neighbor 192.168.12.2 password cisco321 ! address-family ipv4 neighbor 18.104.22.168 activate neighbor 22.214.171.124 maximum-prefix 250000 no neighbor 2001:DB8:1:1::11 activate no neighbor 2001:DB8:12::2 activate neighbor 192.168.12.2 activate neighbor 192.168.12.2 maximum-prefix 250000 no auto-summary no synchronization network 126.96.36.199 mask 255.255.255.0 exit-address-family ! address-family ipv6 neighbor 2001:DB8:1:1::11 activate neighbor 2001:DB8:1:1::11 remove-private-as neighbor 2001:DB8:1:1::11 prefix-list FILTERV6CUSTIN in neighbor 2001:DB8:1:1::11 maximum-prefix 250000 neighbor 2001:DB8:12::2 activate neighbor 2001:DB8:12::2 remove-private-as neighbor 2001:DB8:12::2 prefix-list FILTERV6ISPIN in neighbor 2001:DB8:12::2 prefix-list FILTERV6ISPOUT out neighbor 2001:DB8:12::2 maximum-prefix 250000 network 2001:DB8:1::/48 network 2001:DB8:1:1::/64 no synchronization exit-address-family ! access-list 100 permit tcp host 192.168.12.2 host 192.168.12.1 eq bgp access-list 100 deny tcp any any eq bgp access-list 100 permit ip any any ! ipv6 route 2001:DB8:1::/48 Null0 ! ipv6 prefix-list FILTERV6CUSTIN seq 10 permit 2001:DB8:11::/48 ipv6 prefix-list FILTERV6CUSTIN seq 20 deny ::/0 le 128 ! ipv6 prefix-list FILTERV6ISPIN seq 10 deny 2001:DB8:1::/48 ipv6 prefix-list FILTERV6ISPIN seq 20 permit 2001:DB8::/32 le 64 ipv6 prefix-list FILTERV6ISPIN seq 30 permit 2002::/16 ipv6 prefix-list FILTERV6ISPIN seq 40 permit 2001::/32 ipv6 prefix-list FILTERV6ISPIN seq 50 deny ::/0 le 128 ! ipv6 prefix-list FILTERV6ISPOUT seq 10 deny 2001:DB8::/32 ge 49 ipv6 prefix-list FILTERV6ISPOUT seq 20 permit ::/0 le 128 ! ipv6 access-list ALLOWBGP permit tcp host 2001:DB8:12::2 host 2001:DB8:12::1 eq bgp deny tcp any any eq bgp permit ipv6 any any
Filtering on the Peering Interface
It is a best practice to perform filtering on the interface that is used to form a BGP peering relationship. In addition to permitting transit IPv6 traffic, you should permit the BGP (TCP port 179) packets that are sourced from the directly connected BGP neighbor's address. As shown earlier in Example 3-5, both routers use ACLs to permit TCP port 179 peers from only those addresses desired. The Serial 1/0 interface has an IPv4 access list and IPv6 traffic filter that permit only BGP communications with the peer R2.
Using Link-Local Peering
You have already seen a secure BGP peering configuration using unicast addresses in Example 3-5. You can also configure BGP peers to use link-local addresses, but there are both benefits and drawbacks. The concept of link-local peering involves using the link-local address of the directly connected neighbor router as the IPv6 address configured for the BGP neighbor. The concept is that if link-local addresses are used, there would be no way for any other attacker to try to create a peering session with the routers. The attacker could not communicate with either peer in the first place. Furthermore, the attacker would not know the IPv6 addresses of either peer and, as shown in Chapter 2, the reconnaissance of these addresses would not be feasible. Because many organizations might question whether to use global addresses or link-local addresses for BGP peering, it is important to cover this in more detail. The following sections review the positive and negative aspects of using link-local addresses instead of global addresses.
When using link-local addresses for BGP peers, you must explicitly configure the link-local address of the neighbor. Because DNS is not used for link-local addresses, you must manually enter these addresses. As a result, you could easily make a mistake that might take some time to troubleshoot.
Also be aware that the link-local address of a router can be shared among multiple interfaces. Therefore, you must configure the router for the neighbor's link-local address and specify the interface that is being used for the directly connected addresses. There are two ways of doing this. In earlier software versions, you would specify the interface identifier following the link-local address (for example, FE80::C800:17FF:FE88:0%Serial1/0). Another newer technique uses the update-source neighbor parameter to specify the interface. Example 3-6 shows how this configuration can appear.
Example 3-6. BGP Peering Using Link-Local Addresses
hostname R1 ! interface Serial1/0 description ISP interconnect ipv6 address 2001:DB8:12::1/64 ipv6 traffic-filter ALLOWBGP in ! router bgp 100 bgp router-id 188.8.131.52 neighbor FE80::C801:15FF:FE44:0 remote-as 200 neighbor FE80::C801:15FF:FE44:0 ttl-security hops 1 neighbor FE80::C801:15FF:FE44:0 password cisco123 neighbor FE80::C801:15FF:FE44:0 update-source Serial1/0 ! address-family ipv4 no neighbor FE80::C801:15FF:FE44:0 activate exit-address-family ! address-family ipv6 neighbor FE80::C801:15FF:FE44:0 activate neighbor FE80::C801:15FF:FE44:0 prefix-list FILTERV6ISPIN in neighbor FE80::C801:15FF:FE44:0 prefix-list FILTERV6ISPOUT out neighbor FE80::C801:15FF:FE44:0 route-map SETNEXTHOP out neighbor FE80::C801:15FF:FE44:0 maximum-prefix 250000 network 2001:DB8:1::/48 network 2001:DB8:1:1::/64 no synchronization exit-address-family ! route-map SETNEXTHOP permit 10 set ipv6 next-hop 2001:DB8:12::1 ! ipv6 access-list ALLOWBGP permit tcp host FE80::C801:15FF:FE44:0 host FE80::C800:15FF:FE44:0 eq bgp deny tcp any any eq bgp permit ipv6 any any
In Example 3-6, the EBGP neighbor is configured using the link-local address of the peer. The traffic filter ALLOWBGP permits communication between the peers. The interface name/number is required to be added to link-local neighbor commands because the link-local addresses are not necessarily unique to each router interface. This example uses the update-source method of configuring the interface for the peering session. The interface that is used is the physical serial interface that the two routers share. You should not use the loopback's link-local address as the update source when using link-local peering. This can cause confusion when troubleshooting because many of a router's interfaces share the same link-local address.
Link-Local Addresses and the BGP Next-Hop Address
Another consideration is how BGP routers use the link-local addresses as the next hop address. A good description of how this is done is contained in the RFC 2545, "Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing." Section 3 of this RFC states that a global IPv6 address should be used as the next-hop address even though the peer can be configured to use a link-local address. This is important to consider because link-local addresses could be used on any interface and are not deterministic on which interface should be used for the communications. Because link-local addresses are local only to that subnet, they can be used across multiple interfaces without issue. However, for BGP routing, there needs to be a valid global IPv6 address that can be used for the BGP next-hop verification process.
There are situations where the next-hop attribute (MP_REACH_NLRI) can contain a single global IPv6 address or both a global address and a link-local address. The latter occurs when the two BGP peers share a common subnet, which is typically the case in EBGP. However, for IBGP, peers that might not share interfaces on a common subnet should use a global IPv6 address for their next-hop attribute.
For these reasons, a route map is required to set the next-hop address as a global address so that other routers can reach the next hop and keep this route valid. If the route map is not configured, the router will advertise one of its own global addresses as the next-hop address. If this is not reachable by the peer, the routes will be invalid and will be dropped. Most ISPs set the next hop manually to help speed convergence, so this should be an easy practice to maintain. Example 3-6 shows the configuration of the route map to explicitly set the next address.
Example 3-7 shows what the routes look like on the other EBGP router R2. The IPv6 routing table shows the route learned from R1 and the interface that the route came across on. You can also see the next-hop address in the BGP IPv6 unicast table. When you look explicitly at the route, you see the peer router's global and link-local addresses.
Example 3-7. Next-Hop Address for Link-Local Peers
R2# show ipv6 route IPv6 Routing Table - 12 entries Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP U - Per-user Static route, M - MIPv6 I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 D - EIGRP, EX - EIGRP external LC 2001:DB8::2:2:2:2/128 [0/0] via ::, Loopback0 B 2001:DB8:1::/48 [20/0] via FE80::C800:15FF:FE44:0, Serial1/0 S 2001:DB8:2::/48 [1/0] via ::, Null0 C 2001:DB8:2:2::/64 [0/0] via ::, Serial1/1 L 2001:DB8:2:2::1/128 [0/0] via ::, Serial1/1 B 2001:DB8:11::/48 [20/0] via FE80::C800:15FF:FE44:0, Serial1/0 C 2001:DB8:12::/64 [0/0] via ::, Serial1/0 L 2001:DB8:12::2/128 [0/0] via ::, Serial1/0 B 2001:DB8:22::/48 [20/0] via 2001:DB8:2:2::22 C 2001:DB8:100::/64 [0/0] via ::, FastEthernet0/0 L 2001:DB8:100::2/128 [0/0] via ::, FastEthernet0/0 L FF00::/8 [0/0] via ::, Null0 R2# show bgp ipv6 unicast BGP table version is 6, local router ID is 184.108.40.206 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> 2001:DB8:1::/48 2001:DB8:12::1 0 0 100 i *> 2001:DB8:2::/48 :: 0 32768 i *> 2001:DB8:2:2::/64 :: 0 32768 i *> 2001:DB8:11::/48 2001:DB8:12::1 0 100 1000 i *> 2001:DB8:22::/48 2001:DB8:2:2::22 0 0 2000 i R2# show bgp ipv6 unicast 2001:db8:11::/48 BGP routing table entry for 2001:DB8:11::/48, version 2 Paths: (1 available, best #1, table Global-IPv6-Table) Advertised to update-groups: 2 100 1000 2001:DB8:12::1 (FE80::C800:15FF:FE44:0) from FE80::C800:15FF:FE44:0 (220.127.116.11 ) Origin IGP, localpref 100, valid, external, best R2#
Drawbacks of Using Link-Local Addresses
As you can see, there are several security benefits of using link-local addresses for BGP peering. However, there are also some drawbacks. It is important to have identical configurations on both BGP peers, and if a change is made on one peer, the peering session can fail, causing routes to flap. If the global address changes on the interface of the EBGP peer, the BGP configuration of the EBGP peer also needs to change. As mentioned previously, BGP can carry both the link-local and global addresses in updates, so if two BGP peers share a common subnet, the MP_REACH_NLRI attribute contains both the link-local and global address. The global address is used to readvertise to other peers so that the next-hop test passes.
If the hardware changes on either BGP peer router, the corresponding addresses used in the configuration must change. The MAC address of the router's interface would be different, and the link-local address is derived partly from the MAC address. This could be a latent problem that could be difficult to troubleshoot, and it would take a small amount of effort to correct. Ironing out the details of exactly what IPv6 addresses are to be used for the BGP peer should be performed during the turn-up and provisioning procedures and also as part of the procedures for hardware replacement because of an upgrade or a failure.
It can be common practice to filter link-local addresses at the network's perimeter because link-local addresses should not be used as either the source or destination address for Internet traffic. However, filtering these packets could adversely affect EBGP, depending on how it is configured. Because there are plenty of global addresses, there is no need for peering using link-local addresses to conserve addresses.
The use of global addresses for peering keeps the configuration pretty simple. The next-hop address is simplified and global addresses are required for IBGP and EBGP multihop. There is a consistency of configuration if global addresses are used. Access lists should be used to filter BGP speakers, BTSH (TTL Hack) should be used to check the TTL value in the IP header, and the TCP MD5 signature option should be enabled. These techniques will mitigate the risk of spoofed BGP packets affecting the peering session. Therefore, these techniques can achieve the same security that using link-local addresses for peering provides.
For many, the use of link-local addresses can be overly complex. Therefore, many organizations might prefer to use global unicast addresses for EBGP peering rather than link-local addresses. Depending on your preferences, the additional work to use link-local addresses might not yield sufficient security to make it worthwhile.
Preventing Long AS Paths
Another technique that an attacker might use against BGP is to create updates that contain unusually long AS paths. These falsified updates could put a burden on the router receiving such an update. It is not typical to have an AS path that is longer than a specific size. To prevent these paths, you can use the following BGP configuration command to limit the number of AS path hops:
bgp maxas-limit number-of-AS-Hops
This command limits the number of autonomous system (AS) numbers listed in the path of a BGP message. Typically the length of the AS path should not be more than 50 hops.
On IOS XR, you can use a configuration like the one shown in Example 3-8 to limit the number of ASNs in the path.
Example 3-8. IOS XR BGP Policy to Limit the AS Path Length
(config)# route-policy STOPLONGPATHS (config-rpl)# if as-path length ge 50 then (config-rpl-if)# drop (config-rpl-if)# endif (config-rpl)# exit (config)# router bgp 100 (config-bgp)# neighbor 2001:db8:100:100::1 (config-bgp-nbr)# address-family ipv6 unicast (config-bgp-nbr-af)# route-policy STOPLONGPATHS in
Limiting the Number of Prefixes Received
A similar type of attack would involve sending an extremely large number of prefixes to a peer in an effort to consume excessive amounts of memory and cause the BGP router harm. Thankfully, there are options that allow you to prevent this from happening. The following command limits the number of prefixes learned from a neighbor. This command would not only restrict the number of prefixes received from a peer, but it would also shut down the BGP peering session as a defensive mechanism if the peer sends more than 250,000 prefixes. This command was also used in Example 3-5, earlier in this chapter.
neighbor neighbor-ipv6-address maximum-prefix 250000
Preventing BGP Updates Containing Private AS Numbers
The AS numbers in the range of 64512 to 65534 have been set aside by the IANA for private use. Therefore, these private AS numbers should not be used on the Internet or within any Internet BGP update. Therefore, you should filter any bogus paths that contain a private AS number. This is difficult to achieve using the ip as-path access-list commands. The following command helps make the configuration simpler and works to prevent BGP updates containing private AS numbers:
neighbor neighbor-ipv6-address remove-private-as
This command can be used on EBGP peers. This command causes the BGP router to filter out any update that has only private AS numbers. However, if the update has a mix of both private and public AS numbers, the update is allowed. Furthermore, if the update contains a list of confederated AS numbers, the private AS numbers that appear after the confederation part of the AS path list will be removed.
Maximizing BGP Peer Availability
BGP is used as the foundation routing protocol for the Internet. Because so many organizations worldwide rely on the stability of Internet routes, attackers would want to destabilize BGP routing if possible. BGP has several techniques to help provide stability for the Internet and help prevent attacks. However, attackers might want to get around these or even use these BGP techniques against the routers themselves to cause a DoS condition. Therefore, you should maximize the availability of your BGP peers by using these techniques.
Disabling Route-Flap Dampening
There are attacks that target the BGP connections between peers. Even if an attacker cannot falsely inject updates, he could cause a disruption between two peers. BGP route-flap dampening was defined in IETF RFC 2439 as a way to disconnect routers from the Internet if they flapped too many times over a given period. If a router had faulty hardware, it could cause many Internet routers to add/remove routes and consume resources. An attacker can use the fact that a router is using BGP route-flap dampening against itself. Even just a few flaps could cause a neighbor to be dampened and cause an even larger outage. Some organizations can elect to not use route-flap dampening because of the DoS risks. Therefore, if you are going to use route-flap dampening, you should use the recommended parameters (RFC 2439 and RIPE-229). If you want to disable route-flap dampening, use the no bgp dampening BGP configuration command to turn it off.
Disabling Fast External Fallover
One BGP optimization technique involves resetting the peer if the physical link used for that peering session failed. This is an attempt to prevent the peer from remaining up if there is an alternate path that would allow the TCP port 179 connection to remain active. Even though this feature is enabled by default, the command used to enable this feature is bgp fast-external-fallover. Many feel that this technique is too harsh and could cause more damage than it prevents during BGP attacks. An attack could affect the directly connected link between two peers and cause the session to fail if those routers did not have another path for communicating BGP. Therefore, you might want to disable this feature with the no bgp fast-external-fallover command. Disabling fast fallover means that the peer waits for the hold timer to expire before resetting the peer. You can also disable this feature on an interface basis with the ip bgp fast-external-fallover command. By disabling this feature, the routers are more forgiving of small outages because of an attack to prevent the BGP peering session from failing and causing a reconvergence event.
Enabling Graceful Restart and Route Refresh or Soft Reconfiguration
If the peer does fail, you should have BGP Graceful Restart configured to speed the recovery of the peer. Graceful Restart capabilities are exchanged between peers during the OPEN message exchange. If both routers support Graceful Restart and one router comes under a short-duration attack, the other router does not discard all the routes associated with the peer but waits for the peer to recover. If the peering session is reestablished quickly, no packets are lost during the failure event. Therefore BGP Graceful Restart has security and performance benefits, but both sides of the BGP peering session must support this feature. To enable this feature, you can enter the following command within the BGP configuration block:
BGP Connection Resets
If the BGP peering session fails between two routers, the routes each router has for the neighbor are eliminated. BGP peering connection resets can occur as part of standard configuration maintenance or as a result of a hardware failure or even a targeted BGP attack. You should understand the ways that the BGP routers recover from a failure.
There are two types of failures that can occur between BGP peers:
- A hard reset is when there is a complete failure, the entire TCP session is taken down, and all the routes are removed for that peer.
- A soft reset is gentler, and the peer stores prefix information until the peer is restored.
RFC 2918, "Route Refresh Capability for BGP-4," adds a route refresh capability that is exchanged when the peer is formed. Routes can be dynamically updated without having to store the updates. If you are performing normal BGP maintenance and need to reset a peer, it is better to do it with a soft reset to aid in recovery. You can see whether the BGP neighbor supports the route refresh capability by looking at the output of the show bgp ipv6 unicast neighbor command. Example 3-9 shows the route refresh status and the Graceful Restart capability.
Example 3-9. Viewing the BGP Peer Status
R1# show bgp ipv6 unicast neighbor BGP neighbor is 2001:DB8:12::2, remote AS 200, external link BGP version 4, remote router ID 18.104.22.168 BGP state = Established, up for 00:02:11 Last read 00:00:11, last write 00:00:11, hold time is 180, keepalive interval is 60 seconds Neighbor capabilities: Route refresh: advertised and received(old & new) Address family IPv6 Unicast: advertised and received Graceful Restart Capability: advertised and received Remote Restart timer is 120 seconds Address families preserved by peer: none ...
If the route refresh capability is not available on either peer, you can configure soft reconfiguration. This can be done with the following two commands:
bgp soft-reconfig-backup neighbor neighbor-ipv6-address soft-reconfiguration [inbound]
Logging BGP Neighbor Activity
It is also a best practice to log all BGP neighbor activity. If an attacker is targeting your BGP routers, you should log all BGP neighbor changes. This is a good practice for typical operational reasons besides the security-monitoring aspects. Following is the command that needs to be configured under the router bgp stanza:
Because BGP is a TCP layer routing protocol, it relies on a stable IP foundation. In fact, BGP oftentimes relies on a stable IGP to be able to reach the next hop or a distant IBGP peer. Therefore, the security of the IGP routing protocol is important. Chapter 6 shows several configurations on how to secure various IGPs. If you are using Intermediate System–to–Intermediate System (IS-IS) as your IGP, be sure to use the optional password-protected checksums defined in RFC 3358. Within the service provider's network, use Open Shortest Path First version 3 (OSPFv3) with IPsec instead of just MD5 authentication. These practices can help prevent attackers from making your BGP architecture fail.
Extreme Measures for Securing Communications Between BGP Peers
Other techniques for securing communications between BGP peers are outside the configuration of BGP but can help support the security of the BGP communications. Drastic measures for securing peering can include turning off the Neighbor Discovery Protocols (NDP). Because of the IPv6 risks on LANs that are similar to the risks found in IPv4 Address Resolution Protocol (ARP), you can elect to statically define the IPv6 addresses on the interfaces.
If there are no hosts on the Ethernet interface between the two BGP routers, there is little use for NDP to operate. Disabling NDP would be synonymous with using static ARP entries in an IPv4 LAN for Ethernet peering. On IPv6 networks, this means configuring static MAC addresses and binding them manually to link-local addresses, thereby creating static neighbor cache entries. This would take the guesswork out of configuration of the neighbor, and the NDP would not be required for normal operations. Furthermore, you could consider using static content-addressable memory (CAM) entries in any Ethernet switches between the BGP peers. These techniques are only for the extremely paranoid and for those network administrators with lots of time on their hands. These techniques could have additional side effects that require more configuration commands, additional troubleshooting, and higher operational costs that do not justify a small gain in additional security.