What security mechanisms are used in BGP and why do they fail?
A word on BGP
BGP is the routing protocol that makes the internet work. The current revision is BGP v4, and has been in use since 1995. Internet Service Providers (ISPs) are in control of one or many networks, and they use BGP to advertise their networks to their peers by exchanging routing information (internet routes) about the network they control. Those networks are independent routing domains called Autonomous Systems (AS). Each AS is attributed a unique identifier (AS Number, or ASN), and there are about 40'000 ASN allocated today. The process of routing between those ASes is called interdomain routing, and BGP is the protocol used to achieve this.
Each BGP router contains a Routing Information Base (RIB) which stores the routing information. When a router decides to update its RIB, it will subsequently propagate this information to all of the other neighboring BGP routers to which it is connected by saying "Hey, I can route to network 1.2.3.0/12 via AS numbers X,Y,Z". They will in turn decide whether to update their own tables and propagate the information further.
Note that there is no automatic peers discovery in BGP, instead peers have to be manually configured to exchange routing information.
BGP exposure to attacks
The BGP protocol itself doesn't provide many security mechanisms.
BGP design did not include specific protections against attacks or deliberate errors coming from peers or outsiders that could cause disruptions of routing behavior. Examples of such attacks include:
- As stated in BGP-VULN (RFC4272), there are no mechanisms internal to BGP that protect against attacks that modify, delete, forge, or replay data, any of which has the potential to disrupt overall network routing behavior. As a TCP/IP protocol, BGP is subject to all TCP/IP attacks, e.g., IP spoofing, session stealing, etc. Any outsider can inject believable BGP messages into the communication between BGP peers, and thereby inject bogus routing information;
- When a router advertise new routing information, BGP does not ensure that it uses the AS number it has been allocated, which means a BGP router can advertise routes with any AS number;
- An AS can advertise a prefix from address space unassigned by or belonging to another AS. This is called prefix hijacking and it can be used to perform man-in-the-middle attack which was initially demonstrated at DefCon 16 by Alex Pilosov and Anton "Tony" Kapela;
- BGP does not provide a shared, global view of correct routing information that would make it much easier to detect invalid or malicious routes.
In short, BGP is highly exposed to false route advertisements and there is no plan today to remediate this situation.
BGP Security protections
So it looks pretty bad on a security standpoint. But on the other hand, there are also some positive security aspects in BGP:
- BGP peering associations tend to be long-lived and static. This means that those associations between peers and route advertisment can be monitored efficiently, and allows for a quick reaction from the various stakeholders in case of an internet hijacking. There are a lot of services providing BGP monitoring (some free and open-source and commercial products);
- BGP routers can implement route filtering, which allows to perform inbound announcement selection, although there is no largely deployed standard for that and this is up to each ISP to decide if and how they want to implement it;
- BGP implements a TCP MD5 signature option (a MAC, as defined in RFC 2385) to protect BGP sessions against TCP Reset (RST) Dos attacks. It is currently supported by most router manufacturers (e.g. Cisco) and open-source OSes (e.g. FreeBSD). But this protection only cover a limited number of attacks, and relies on weak technologies;
- The lack of cumbersome security protection measures also allows quick reactions against DDoS and malware spreading via sinkholes and blackhole routing.
Future improvements
Recent efforts within the standards bodies and in the research community have attempted to provide new architectures for BGP security. This includes:
- Using Public Key Infrastructure to share public cryptographic keys between peers and allow routers to establish the integrity of BGP announcements on a global scale, as well as attesting that an entity is authorized to advertise a particular resource;
- Using IPsec to secure the BGP session and messages passed between peers;
- Establishing an independent authority for validating interdomain route information. This third-party authority would be used by BGP routers to verify the announcements they receive.
A major update to BGP would be required to remediate those issues and offer an adequate level of protection against sophisticated BGP attacks. RFC 4278, a maturity study of BGP security mechanisms, considers the marginal benefit of such schemes in this situation would be low, and not worth the transition effort.
Additional resources you might find interesting:
Implementing the TCP authentication option TCP-AO and The TCP Authentication Option RFC
What is the purpose of BGP TTL security?
BGP Looking Glass: As per their website:
BGP Looking Glass servers are servers on Internet which can be accessed remotely for the purpose of viewing routing info. Essentially, the server acts as a limited, read-only portal to routers of whatever organization is running the Looking Glass server. Typically, publicly accessible looking glass servers are run by ISPs or NOCs.
I think the article "A Survey of BGP Security Issues and Solutions" is very useful to answer your question.
BGP is especially vulnerable to routing-related attacks especially when ISPs misconfigure their route advertisement. Notable incidents which are not of malicious intents include Pakistan Telecom blocks YouTube, Malaysian ISP blocks Yahoo or Turkish ISP takes over the Internet, etc. Such incidents could potentially crippled the entire Internet and may be used by attackers to cause harm.
Therefore, the security guys are well aware of BGP's vulnerabilites and are working of a solution. For example, according to the survey, the United States government cites BGP security as part of the national strategy to secure cyberspace. In addition, the Internet Engineering Task Force (IETF) are working on a new draft for securing BGP.
In BGP, a router (or BGP speaker) sends an route advertisement when a new route is available, and a withdrawal message when the route no longer exists. Each Autonomous System (AS) adds its AS number to the beginning of the AS path before advertising the route to the next AS. In other words, BGP is a path-vector protocol which advertises the possible routes to reach certain destinations.
To decide the forwarding path, each IP router will give priority to the longest (and more specific) prefix that matches the destination IP address. For example, a route advertisement of 211.120.132.0/22 is more specific than 211.120.0.0/12. Hence, if I want traffic to pass through my router for some reasons then I can advertise hundreds of more specific routes. Filtering of such suspicious BGP announcements is one simple way to prevent such routing attacks. ISPs may filter routes from customers for prefixes that the customer does not own, limit the number of prefixes that each neighboring router can announce or bogons etc. But filtering alone is insufficient as not all ISPs will apply "best common practices" for filtering routes. So, you can still receive false routes from other ISPs which unknowingly forward them.
Secure BGP (S-BGP) is one of the notable solutions to the current routing problems but it is not widely deployed due to its heavy cryptographic computation overheads and cooperation of the internet registries. In S-BGP, PKI and certificates are used to authenticate the ownership of the specified prefixes and path information. This essentially prevents an ISP from spoofing a route advertisement that it does not owns. Therefore, more incentives should be given to promote the deployment of S-BGP into the Internet.
I have only focused on routing related attacks. However, there still exist other attacks against confidentiality, message integrity or DoS which can be found in the survey.
There are two potential security issues with BGP: you may be talking to the wrong device, or the right device may be saying the wrong thing.
Talking BGP to the wrong device can be as dramatic as someone rerouting the cable towards your BGP neighbor towards a different router, and then having that router impersonate your BGP neighbor. The more mundane risk consists of TCP reset attacks. TCP sessions can remain active indefinitely, and can also be idle for long periods of time. So it’s far from inconceivable that when systems A and B have a TCP session and system A reboots, A receives TCP packets from B after the reboot. Obviously, A then no longer has an active TCP session. So it sends B a “TCP reset” packet, which prompts B to tear down the session.
As TCP has no strong security features, a third party can send a spoofed TCP reset to A that seems to come from B. A will then tear down its TCP session and thus the BGP session running over that TCP session, interrupting the traffic flow between A and B until a new session can be set up. The attacker needs to send a packet with the right IP addresses, port numbers and TCP sequence number. The IP addresses are usually not too hard to find out and one port number is 179 (the BGP port number). So the attacker simply sends packets with all possible remaining port and sequence numbers, and within a minute or so they’ll hit the right combination and you can say goodbye to that BGP session.
There are three security mechanisms that can protect against this: the BGP TCP MD5 password, BGPsec and the Generalized TTL Security Mechanism (GTSM).
The BGP TCP MD5 password system is described in RFC 2385, published in 1998. At only six pages, it’s a very short RFC, so if you have never read an RFC before, 2385 is a good one to start with.