BGP 4 security

BGP is the inter-domain routing protocol, so it is a critical service of the Internet infrastructure. Securing BGP, and in particular making sure that only valid routes are advertised and accepted, is therefore a major concern: the protocol itself does not validate routing information, so a BGP speaker is exposed both to human errors (mistyped or leaked prefixes) and to a wide range of deliberate attacks.

Filtering of the advertised and received prefixes is the most widely used protection. Complementary features can be added on top of it: in particular, MD5 authentication of the BGP session can be used to restrict which routers are able to exchange BGP routing information, as described for RIP and OSPF.

BGP 4 filtering

Two types of BGP-4 filtering exist:

Distribute-list
Filters on a prefix basis.
AS-PATH access-list
Filters networks according to the ASNs present in their AS path.

Configuring a BGP-4 distribute list

  1. Configure the IPv4 access-list

    router{conf:myconfig-rtg}ip access-list ACCESS-LIST-NAME {permit|deny} A.B.C.D/M
    
  2. Apply this access-list to a neighbor:

    router{conf:myconfig-rtg-bgp}neighbor A.B.C.D distribute-list ACCESS-LIST-NAME {in|out}
    

Note

The IPv4 prefix-lists described below should be preferred to IPv4 access-lists for prefix filtering.

Distribute-list configuration example

You can give a description to your access list with the command

router{conf:myconfig-rtg}ip access-list remark description

Consider two BGP peers, rt1 (AS 65510) and rt2 (AS 65520).

rt1 advertises two networks, 10.1.1.0/28 and 192.168.1.0/24.

  1. Filter the advertisement of 192.168.1.0/24 on the rt1 router:

    rt1{myconfig-rtg}display
      ip access-list MY-LIST deny 192.168.1.0/24
      ip access-list MY-LIST permit any
    #
    router bgp 65510
      neighbor 10.1.1.2 remote-as 65520
      neighbor 10.1.1.2 distribute-list MY-LIST out
      network 10.1.1.0/28
      network 192.168.1.0/24
    
  2. Check the BGP table on rt2 router:

    rt2{}show routing ip bgp
    BGP table version is 0, local router ID is 192.168.2.1
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
    Origin codes: i -IGP, e - EGP, ? - incomplete
    
       Network      Next Hop  Metric  LocPrf  Weight  Path
    *> 10.1.1.0/28  10.1.1.1       0               0  65510 i
    
    Total number of prefixes 1
    

    rt2 does not see the 192.168.1.0/24 prefix because rt1 filters it on the way out.

Introduction to the IPv4 prefix-lists

A prefix-list filter is more powerful than an access-list filter for processing network prefixes.

Compared to access-lists, prefix-lists have the following advantages:

  • They can match a range of prefix lengths (ge/le) instead of a single prefix
  • Better lookup performance on large lists
  • More flexibility: entries are numbered (seq), so they can be inserted or removed individually

Prefix List Rules

Filtering by prefix list follows these rules:

  • An empty prefix list permits all prefixes.
  • A prefix that matches no entry of the prefix list is denied (implicit deny at the end of the list).
  • The lookup starts at the top of the list, with the lowest sequence number; as soon as an entry matches, the rest of the list is not examined. When several entries could match a prefix, the one with the lowest sequence number therefore decides, so the most specific entry must be placed first.

The syntax to define a prefix filter is:

router{conf:myconfig-rtg}ip prefix-list BGP-FILTER-NAME seq N {permit|deny} PREFIX/M [ge A] [le B]
N
Sequence number of the entry in the prefix list named BGP-FILTER-NAME.
PREFIX/M
Network prefix, M being the length of the mask.
A and B

Optional integers up to 32 that turn the entry into a block of prefixes: A is the minimum and B the maximum prefix length accepted. A, B and M must satisfy:

M < A

M < B

A ≤ B

that is, M < A ≤ B ≤ 32 when both are given. Without ge and le, an entry matches only prefixes of length exactly M; with ge alone it matches lengths A to 32; with le alone, lengths M to B.

Example

Let P1/m be a network prefix contained in PREFIX/M. For example PREFIX/M could be 192.168.0.0/16 and P1/m 192.168.10.0/24.

If A and B are defined, P1/m matches the entry when its length m is greater than or equal to A and less than or equal to B (A ≤ m ≤ B). For example, with the two entries below, 192.168.10.0/24 matches entry 5 (17 ≤ 24 ≤ 25) but does not match entry 10, which accepts lengths 16 to 23 only.

rt2{myconfig-rtg}ip prefix-list PREFIX-FILTER-NAME seq 5 permit 192.168.0.0/16 ge 17 le 25
rt2{myconfig-rtg}ip prefix-list PREFIX-FILTER-NAME seq 10 permit 192.168.0.0/16 le 23

The IPv4 prefix lists can be used in many places:

neighbor configuration:
         neighbor A.B.C.D prefix-list FILTER-NAME {in|out}
route-map:
         match ip address prefix-list FILTER-NAME
display bgp (with filters):
         show ip bgp filter-list FILTER-NAME

Note

  • The last command will be fully operational with the support of BGP 4 VPN and BGMP.
  • The command ‘match ip address’ can also be used with an access-list, but note that the syntax differs: match ip address prefix-list FILTER-NAME vs. match ip address ACCESS-LIST-NAME

Configuring a BGP-4 prefix list

  1. Define the prefix-list rule.

  2. Apply the prefix list rule to a neighbor:

    router{conf:myconfig-rtg-bgp}neighbor A.B.C.D prefix-list PREFIX-LIST-NAME {in|out}
    

Prefix-list configuration example

In this example we configure prefix-lists to accept an aggregate route while blocking its more specific routes, and vice versa, i.e. to accept the more specific routes and block the aggregate.

rt2 aggregates four /24 prefixes into 192.168.0.0/22. As the aggregate is configured without the summary-only flag, the more specific prefixes are not suppressed and rt2 advertises both the aggregate and the four /24.

Figure: aggregation with suppressed prefixes, without the flag summary-only

Router rt2 announces the prefixes 192.168.0.0/24, 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 together with the aggregate 192.168.0.0/22. Router rt1 is first configured to receive only the aggregated prefix 192.168.0.0/22.

rt2

router bgp 65520
  neighbor 10.1.1.1 remote-as 65510
  aggregate-address 192.168.0.0/22
  network 10.1.1.0/28
  network 192.168.0.0/24
  network 192.168.1.0/24
  network 192.168.2.0/24
  network 192.168.3.0/24

We configure router rt1 to accept only the aggregate prefix:

rt1

rt1{myconfig-rtg}display
ip prefix-list aggregate seq 5 permit 192.168.0.0/22
router bgp 65510
  neighbor 10.1.1.2 remote-as 65520
  neighbor 10.1.1.2 prefix-list aggregate in

If we look at the rt1 BGP table, only the aggregate network 192.168.0.0/22 is present; the four /24 have been filtered.

rt1{}show routing ip bgp
BGP table version is 0, local router ID is 192.168.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i -IGP, e - EGP, ? - incomplete

    Network         Next Hop  Metric  LocPrf  Weight  Path
*>  192.168.0.0/22  10.1.1.2                       0  65520 i

Total number of prefixes 1

We can also check on rt1 that the prefix list called aggregate is applied to incoming updates:

rt1{}show routing ip bgp neighbor

....output omitted

Incoming update prefix filter list is *aggregate
  1 accepted prefixes
...

Suppose now that rt1 must instead block the aggregate prefix and accept the more specific ones. The prefix list to configure (applied to the neighbor with neighbor 10.1.1.2 prefix-list specific in, in place of the previous one) is:

rt1{myconfig-rtg}display
[...]
ip prefix-list specific seq 5 permit 192.168.0.0/22 ge 23

We can check that only the specific routes are accepted:

rt1{}show routing ip bgp
BGP table version is 0, local router ID is 192.168.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i -IGP, e - EGP, ? - incomplete

    Network      Next Hop  Metric  LocPrf  Weight  Path
*>  192.168.0.0  10.1.1.2       0               0 65520 i
*>  192.168.1.0  10.1.1.2       0               0 65520 i
*>  192.168.2.0  10.1.1.2       0               0 65520 i
*>  192.168.3.0  10.1.1.2       0               0 65520 i

Total number of prefixes 4
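To make the prefix-list rules and the two rt1 filters above concrete, here is an added Python model of the matching logic (it mimics the router's behaviour, it is not the router's or the vendor's code). It implements the rules stated on this page: exact-length match without ge/le, the A..B length window, evaluation in sequence order with the first match deciding, empty list permits all, implicit deny. It is run against the rule 5/rule 10 example, against a prefix-list equivalent of the distribute-list example (deny 192.168.1.0/24, permit everything else) and against rt1's aggregate and specific filters. The list of prefixes announced by rt2 is constructed from its configuration above.

```python
"""Python model of IPv4 prefix-list matching as described on this page.
Added example: it mimics the router's behaviour, it is not the router's code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PrefixRule:
    """One entry: ip prefix-list NAME seq N {permit|deny} PREFIX/M [ge A] [le B]."""
    seq: int
    action: str                 # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None    # A
    le: Optional[int] = None    # B

    def __post_init__(self):
        self.prefix = ipaddress.IPv4Network(self.prefix)   # accepts "192.168.0.0/22"
        m = self.prefix.prefixlen
        if self.action not in ("permit", "deny"):
            raise ValueError(f"seq {self.seq}: action must be permit or deny")
        # The page's constraint: M < A <= B <= 32 for whichever of A and B is given.
        if self.ge is not None and not (m < self.ge <= 32):
            raise ValueError(f"seq {self.seq}: need M < ge <= 32")
        if self.le is not None and not (m < self.le <= 32):
            raise ValueError(f"seq {self.seq}: need M < le <= 32")
        if self.ge is not None and self.le is not None and self.ge > self.le:
            raise ValueError(f"seq {self.seq}: need ge <= le")

    def length_window(self) -> Tuple[int, int]:
        """Prefix lengths this entry accepts: exactly M by default, A..B with ge/le,
        A..32 with ge alone, M..B with le alone."""
        m = self.prefix.prefixlen
        lo = self.ge if self.ge is not None else m
        hi = self.le if self.le is not None else (32 if self.ge is not None else m)
        return lo, hi

    def matches(self, net: ipaddress.IPv4Network) -> bool:
        if not net.subnet_of(self.prefix):        # P1/m must lie inside PREFIX/M
            return False
        lo, hi = self.length_window()
        return lo <= net.prefixlen <= hi          # and its length m must be in the window


class PrefixList:
    def __init__(self, name: str, rules: List[PrefixRule] = ()):
        self.name = name
        self.rules = sorted(rules, key=lambda r: r.seq)   # lookup order = sequence order

    def lookup(self, net) -> Tuple[str, Optional[int]]:
        """Return (decision, seq of the entry that decided, or None)."""
        net = ipaddress.IPv4Network(net)
        if not self.rules:
            return ("permit", None)               # an empty prefix list permits everything
        for rule in self.rules:
            if rule.matches(net):
                return (rule.action, rule.seq)    # first match wins, the rest is not examined
        return ("deny", None)                     # implicit deny

    def permits(self, net) -> bool:
        return self.lookup(net)[0] == "permit"

    def filter_updates(self, nets: List[str]) -> List[str]:
        """Prefixes of an UPDATE that survive 'neighbor X prefix-list NAME in'."""
        return [n for n in nets if self.permits(n)]


def rule_is_valid(seq, action, prefix, ge=None, le=None) -> bool:
    """True when the router would accept the entry (M < ge <= le <= 32)."""
    try:
        PrefixRule(seq, action, prefix, ge, le)
        return True
    except ValueError:
        return False


# The page's rule 5 / rule 10 example.
EXAMPLE = PrefixList("PREFIX-FILTER-NAME", [
    PrefixRule(5, "permit", "192.168.0.0/16", ge=17, le=25),
    PrefixRule(10, "permit", "192.168.0.0/16", le=23),
])
# Prefix-list equivalent of the distribute-list example: drop 192.168.1.0/24, let the rest through.
OUTBOUND = PrefixList("MY-LIST", [
    PrefixRule(5, "deny", "192.168.1.0/24"),
    PrefixRule(10, "permit", "0.0.0.0/0", le=32),
])
# rt1's two inbound filters from the aggregation example.
AGGREGATE = PrefixList("aggregate", [PrefixRule(5, "permit", "192.168.0.0/22")])
SPECIFIC = PrefixList("specific", [PrefixRule(5, "permit", "192.168.0.0/22", ge=23)])
# Constructed from rt2's configuration: the aggregate plus the four /24 it does not suppress.
RT2_ANNOUNCES = ["10.1.1.0/28", "192.168.0.0/22", "192.168.0.0/24",
                 "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]

if __name__ == "__main__":
    print(EXAMPLE.lookup("192.168.10.0/24"))        # ('permit', 5)
    print(OUTBOUND.filter_updates(["10.1.1.0/28", "192.168.1.0/24"]))
    print(AGGREGATE.filter_updates(RT2_ANNOUNCES))   # ['192.168.0.0/22']
    print(SPECIFIC.filter_updates(RT2_ANNOUNCES))    # the four /24 only
```

Note that 10.1.1.0/28, which rt2 also announces, is dropped by both inbound lists through the implicit deny, which is why it does not appear in either rt1 table above; a filter that is meant to let it through needs an explicit entry for it.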

Introduction to the communities filters

The community attribute allows destinations to be grouped into communities and routing decisions to be applied to the whole group. It is an optional transitive attribute carrying one or more 32-bit values. Based on the communities carried by a route, you can control how routing information is propagated. BGP defines some well-known communities:

no-export
The routes of this community must not be advertised to external peers (outside the local AS, or outside the confederation if there is one).
no-advertise
The routes must not be advertised to any peer.
internet
The routes may be advertised to any peer.
local-as
Used in a confederation: the routes must not be advertised outside the local member AS, not even to other member ASes of the confederation.

Note

To set a community attribute it is recommended to use route-maps. In general a BGP community is written AS:NN, where AS is the autonomous system number that defines the community and NN a number chosen by that AS; each half occupies 16 bits of the 32-bit value.

The community attribute is sent to neighbors by default with the option both (standard and extended community):

router{conf:myconfig-rtg-bgp}neighbor A.B.C.D send-community {both|extended|standard}
A.B.C.D
IP address of the remote BGP peer.
both
Send Standard and Extended Community attributes.
extended
Send Extended Community attributes only.
standard
Send Standard Community attributes only.
  • Check the community parameters:

    router{conf:myconfig-rtg-bgp}neighbor 10.23.7.207 send-community
    router{}show routing ip bgp neighbors
      BGP neighbor is 10.23.7.207, remote AS 2, local AS 1, external link
      BGP version 4, remote router ID 2.2.2.2
      BGP state = Established, up for 00:00:09
      Last read 00:00:09, hold time is 180, keepalive interval is 60 seconds
      Neighbor capabilities:
        Route refresh: advertised and received(old & new)
        Address family IPv4 Unicast: advertised and received
      Message statistics:
        Inq depth is 0
        Outq depth is 0
                             Sent       Rcvd
        Opens:                  1          0
        Notifications:          0          0
        Updates:                1          0
        Keepalives:             2          1
        Route Refresh:          0          0
        Capability:             0          0
        Total:                  4          1
      Minimum time between advertisement runs is 30 seconds
    
    For address family: IPv4 Unicast
     Community attribute sent to this neighbor(both) <====="send-community both"
     0 accepted prefixes
    
  • Delete the community parameters:

    router{conf:myconfig-rtg-bgp}delete neighbor A.B.C.D send-community {both|extended|standard}
    

Community list

A community list is an ordered set of rules that match routes according to the communities they carry; it is used to filter routes or to set attributes on them.

A community list is used in a match clause of a route map.

The syntax of community list is:

router{conf:myconfig-rtg}ip community-list community-list-number {permit|deny} community-number
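The following Python block is an added example (a model of the behaviour described in this section, not the router's code) that shows the AS:NN encoding, the RFC 1997 values behind the four well-known communities listed above and the export decision they imply for each kind of peer, plus a community list evaluated as a sequence of permit/deny entries. The peers (an iBGP peer in AS 65510, a peer in member AS 65511 of the same confederation, an eBGP peer in AS 65520) and the community values 65510:100 and 65510:666 are constructed for the example.

```python
"""Well-known BGP communities, AS:NN encoding and a community-list filter.
Added example (Python model of the router's behaviour, not vendor code)."""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Well-known community values from RFC 1997, with the names used on this page.
NO_EXPORT = 0xFFFFFF01            # no-export
NO_ADVERTISE = 0xFFFFFF02         # no-advertise
NO_EXPORT_SUBCONFED = 0xFFFFFF03  # local-as
INTERNET = 0x00000000             # internet

WELL_KNOWN = {
    "no-export": NO_EXPORT,
    "no-advertise": NO_ADVERTISE,
    "local-as": NO_EXPORT_SUBCONFED,
    "internet": INTERNET,
}


def parse_community(text: str) -> int:
    """'AS:NN' or a well-known name -> 32-bit value (AS in the high 16 bits)."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    asn_s, nn_s = text.split(":")
    asn, nn = int(asn_s), int(nn_s)
    if not (0 <= asn <= 0xFFFF and 0 <= nn <= 0xFFFF):
        raise ValueError(f"{text}: AS and NN must each fit in 16 bits")
    return (asn << 16) | nn


def parse_communities(text: str) -> Set[int]:
    """Space-separated list, as typed in 'set community 65510:100 no-export'."""
    return {parse_community(tok) for tok in text.split()}


def format_community(value: int) -> str:
    for name, v in WELL_KNOWN.items():
        if v == value:
            return name
    return f"{value >> 16}:{value & 0xFFFF}"


@dataclass
class Peer:
    name: str
    asn: int                     # remote AS
    confed_member: bool = False  # another member AS of our own confederation


def advertise_to(route_communities: Set[int], peer: Peer, local_asn: int) -> bool:
    """Export decision implied by the well-known communities (RFC 1997 semantics)."""
    if NO_ADVERTISE in route_communities:
        return False                      # to no peer at all, not even iBGP
    external = peer.asn != local_asn
    if NO_EXPORT_SUBCONFED in route_communities and external:
        return False                      # local-as: stays inside the local member AS
    if NO_EXPORT in route_communities and external and not peer.confed_member:
        return False                      # no-export: may cross member-AS borders, not the confederation border
    return True                           # internet / ordinary communities: no restriction


@dataclass
class CommunityList:
    """Ordered 'ip community-list N {permit|deny} COMMUNITY ...' entries.
    An entry matches when the route carries every community it lists; the first
    matching entry decides and a route matching no entry is denied."""
    entries: List[Tuple[str, Set[int]]]

    def permits(self, route_communities: Set[int]) -> bool:
        for action, wanted in self.entries:
            if wanted <= route_communities:
                return action == "permit"
        return False


# Constructed scenario: we are AS 65510 (rt1 on this page) with three peers.
LOCAL_ASN = 65510
PEERS = [
    Peer("ibgp", 65510),
    Peer("confed", 65511, confed_member=True),
    Peer("ebgp", 65520),
]


def peers_receiving(community_text: str) -> List[str]:
    """Names of the peers to which a route tagged with these communities is advertised."""
    comms = parse_communities(community_text)
    return [p.name for p in PEERS if advertise_to(comms, p, LOCAL_ASN)]


# Constructed policy: drop customer routes tagged 65510:666, accept those tagged 65510:100.
CUSTOMER_IN = CommunityList([
    ("deny", {parse_community("65510:666")}),
    ("permit", {parse_community("65510:100")}),
])

if __name__ == "__main__":
    for tag in ["65510:100", "65510:100 no-export", "no-advertise", "local-as"]:
        print(f"{tag:22s} -> {peers_receiving(tag)}")
```

The order of the two entries in CUSTOMER_IN matters: with the permit entry first, a route carrying both 65510:100 and 65510:666 would be accepted, because the first matching entry decides.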

BGP 4 Authentication

BGP 4 authentication uses MD5: every TCP segment of the BGP session carries an MD5 digest computed over the segment and a secret shared by the two peers, as specified in RFC 2385 (TCP MD5 signature option). This feature relies on the operating system's support for the option, which is enabled on the BGP socket through the BSD-like configuration API. Note what it protects: a peer that does not know the secret cannot open the session, inject segments into it or reset it, but the digest says nothing about the validity of the routes exchanged, so prefix filtering remains necessary even with authenticated peers.

The command format for BGP 4 MD5 is as follows:

router{conf:myconfig-rtg-bgp}neighbor A.B.C.D remote-as ASN
router{conf:myconfig-rtg-bgp}neighbor A.B.C.D password my-secret
A.B.C.D
IPv4 address of the remote BGP router.
ASN
ASN of the remote BGP router.
my-secret
Password shared with the remote BGP router.

For information, when analyzing the BGP packets with the tethereal sniffer, it is possible to verify that the option is present in every segment of the session:

Host# tethereal -r bgpmd5.pcap -V
(...)
Transmission Control Protocol, Src Port: 32770 (32770), Dst Port: bgp
(179), Seq: 4043121790, Ack: 1396620414, Len: 19
                Source port: 32770 (32770)
                Destination port: bgp (179)
                Sequence number: 4043121790
                Next sequence number: 4043121809
                Acknowledgement number: 1396620414
                Header length: 52 bytes
                Flags: 0x0018 (PSH, ACK)
                    0... .... = Congestion Window Reduced (CWR): Not set
                    .0.. .... = ECN-Echo: Not set
                    ..0. .... = Urgent: Not set
                    ...1 .... = Acknowledgment: Set
                    .... 1... = Push: Set
                    .... .0.. = Reset: Not set
                    .... ..0. = Syn: Not set
                    .... ...0 = Fin: Not set
                Window size: 1460
                Checksum: 0x2cbe (correct)
                Options: (32 bytes)
                NOP
                NOP
                Time stamp: tsval 77100, tsecr 70634
                NOP
                NOP
                TCP MD5 signature
                Border Gateway Protocol
                KEEPALIVE Message
                Marker: 16 bytes
                Length: 19 bytes
                Type: KEEPALIVE Message (4)
                (...)
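To show what the TCP MD5 signature option seen in the capture actually covers, here is an added Python example (not the router's or the kernel's code) that computes the RFC 2385 digest over a constructed KEEPALIVE segment using the ports, sequence numbers, flags, window and 32-byte option layout of the capture above, and then verifies it the way the receiving side does. The peer addresses 10.1.1.1 and 10.1.1.2 and the key my-secret are assumptions; the TCP checksum field is left at zero, since the digest is computed with it zeroed anyway.

```python
"""RFC 2385 TCP MD5 signature over a BGP KEEPALIVE segment.
Added example (pure Python model, not the router's or the kernel's code)."""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
OPT_NOP = 1
OPT_TIMESTAMP = 8
OPT_MD5SIG = 19          # option kind 19, length 18: 16-byte digest
BGP_PORT = 179
OPTIONS_LEN = 32         # NOP NOP timestamp(10) NOP NOP MD5(18), as in the capture

# A BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4 (the 19-byte payload of the capture).
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def tcp_md5_digest(src_ip: str, dst_ip: str, fixed_header: bytes, options_len: int,
                   payload: bytes, key: bytes) -> bytes:
    """MD5 over, in this order (RFC 2385 section 2):
    1. the TCP pseudo-header: source IP, destination IP, zero byte, protocol 6, segment length;
    2. the 20-byte TCP header with the checksum field set to zero, options excluded;
    3. the segment data;
    4. the shared key."""
    seg_len = len(fixed_header) + options_len + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    hdr = bytearray(fixed_header)
    hdr[16:18] = b"\x00\x00"             # checksum zeroed for the digest
    h = hashlib.md5()
    h.update(pseudo)
    h.update(bytes(hdr))
    h.update(payload)
    h.update(key)
    return h.digest()


def build_options(tsval: int, tsecr: int, digest: bytes) -> bytes:
    """Same option layout as the capture: NOP NOP timestamp NOP NOP MD5 signature."""
    return (bytes([OPT_NOP, OPT_NOP]) + struct.pack("!BBII", OPT_TIMESTAMP, 10, tsval, tsecr)
            + bytes([OPT_NOP, OPT_NOP]) + bytes([OPT_MD5SIG, 18]) + digest)


def sign_keepalive(src_ip: str, dst_ip: str, key: bytes, sport: int = 32770,
                   seq: int = 4043121790, ack: int = 1396620414,
                   tsval: int = 77100, tsecr: int = 70634) -> bytes:
    """Sender side: build the signed TCP segment (header + options + KEEPALIVE)."""
    data_offset = (20 + OPTIONS_LEN) // 4          # 13 words = the 52-byte header of the capture
    # Flags 0x18 = PSH|ACK, window 1460, checksum 0 (the IP stack fills it; not part of the digest), urgent 0.
    fixed = struct.pack("!HHIIBBHHH", sport, BGP_PORT, seq, ack, data_offset << 4, 0x18, 1460, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed, OPTIONS_LEN, BGP_KEEPALIVE, key)
    return fixed + build_options(tsval, tsecr, digest) + BGP_KEEPALIVE


def extract_md5_option(options: bytes):
    """Walk the TCP options and return the 16-byte digest, or None if absent/malformed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                                  # end of option list
            return None
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return None
        length = options[i + 1]
        if kind == OPT_MD5SIG and length == 18:
            return bytes(options[i + 2:i + 18])
        i += length
    return None


def verify_segment(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bool:
    """Receiver side: recompute the digest and compare it with the one in the option."""
    if len(segment) < 20:
        return False
    data_offset = (segment[12] >> 4) * 4
    fixed, options, payload = segment[:20], segment[20:data_offset], segment[data_offset:]
    received = extract_md5_option(options)
    if received is None:
        return False                                   # unsigned segment on a signed session: drop it
    expected = tcp_md5_digest(src_ip, dst_ip, fixed, len(options), payload, key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    seg = sign_keepalive("10.1.1.1", "10.1.1.2", b"my-secret")
    print(len(seg), "bytes, digest", extract_md5_option(seg[20:52]).hex())
    print("good key:", verify_segment("10.1.1.1", "10.1.1.2", seg, b"my-secret"))
    print("wrong key:", verify_segment("10.1.1.1", "10.1.1.2", seg, b"wrong"))
```

Because the pseudo-header is part of the digest, a segment replayed from a spoofed source address fails verification just like one whose payload or sequence number was altered, which is what stops forged RSTs and injected updates. MD5 itself is no longer considered strong and RFC 2385 has no key rollover mechanism; it was obsoleted by TCP-AO (RFC 5925), so the secret should be long, per-peer and rotated through a maintenance window.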