Border Gateway Protocol (BGP)
BGP, an important piece of the larger Internet’s architecture, is a protocol that enables the setting up of routing and exchange of reachability information between large networks (Autonomous Systems). It’s the protocol used to develop routes between these Autonomous Systems (ASes), routing to destinations via IP prefixes. BGP makes announcements that the ASes use to discover routes to these IP prefixes.
BGP is important to the business of the Internet, advertising routes, routing based on business relationships. ASes usually make sure that it’s in their “best” interest before routing traffic and there is a rule-of-thumb that seems to be generally followed:
An AS will advertise a route to a neighboring AS if:
- The neighbor is a customer, or
- The route is for a prefix originated by the advertising AS, or
- The route is through a customer of the advertising AS
BGP was originally introduced, like many of the protocols in use in the Internet, in the early days, when the Internet was more innocent. So, issues with security persist surrounding the protocol.
BGP Security Risks
Hijacks
BGP doesn’t have in place any mechanism to properly authenticate allocations of IP prefixes to ASes, so as a result entire IP prefix blocks can be hijacked fairly easily, either accidently or purposefully. There are two main types of hijacks: Prefix and subprefix.
Prefix:
The hijacker AS originates and announces the exact same prefix as a legitimate AS that has the IP allocation. The announcement gets propogated through the system and other ASes begin chosing their routes for that IP prefix and some will chose to go through the bogus AS, others won’t, given route length.
Subprefix:
The hijacker AS can potentially intercept 100% of the network traffic. Here the hijacker originates a prefix that is covered by the victim IP prefix. BGP uses longest-prefix match (LPM), so if a hijacker were to advertise a prefix that was LPM, then traffic would redirect to the hijacker AS.
Route Leaks
This isn’t a bogus route, but instead the leaker announces a legitimate route, but does it to too many of its neighbors. So, then the leaker is overwhelmed by traffic from its neighbors that are now utilizing the leaked route. This can be disastrous if the leaker is not designed to handle high levels of traffic.
Path-Shortening Attack
An attacker announces a short bogus path to a prefix that terminates at an authorized origin AS.
Protocol downgrade attack
ASes that have, for instance, deployed BGPSEC can be convinced by an attacker to select a bogus path instead of the secured route because it’s cheaper.
Incident Impact
Blackhole:
Network traffic stops at the perpetrator AS and goes no further.
Interception:
Perpetrator AS invisibly intercepts traffic and the traffic also continues onto it’s intended destination.
BGP Defense Mechanisms
Prefix filtering
A whitelisting technique used to filter out bad BGP announcements. It works by using the AS rule-of-thumb and keeping a prefix list of IP prefixes of customers and ignoring any announcement from a customer not on the list. This defense has been used since the 1990s.
Upsides:
- It is simple and effective mechanism and if all ASes deployed it, a large portion of routing leaks and hijacks would be prevented.
Downsides:
- The downside is that it only works on customer leaks.
- ASes also aren’t necessarily incentivized to deploy this filtering outside of good Internet citzenship.
RPKI
Resource Public Key Infrastructure (RPKI) is another defense method that provides a trusted mapping from allocated IP prefixes to BGP authorized ASes for origination. It creates a cryptographic hierarchy of authorities, which is rooted at the regional Internet registries (i.e. ARIN, RIPE, AfriNIC, etc.). The holder of the certificate for a prefix can then sign an authorization allowing a prefix to be originated via BGP.
Upsides:
- Does not require any modification to current BGP message formats
- Cryptography can be performed offline
- As opposed to Prefix Filtering, it doesn’t tie itself to potential political/business conflict of interests as it can be used to filter BGP announcements made by any neighbor.
Downsides:
- Potential for abuse of the RPKI, i.e. RPKI being attacked, misconfigured, or abused in some other way in which trust is lost in the protocol.
- Cannot prevent route leaking attacks as it’s purpose is to prevent unauthorized messages, whereas route leaks come from authorized origins.
- Cannot prevent path-shortening attack as the origin is legitimate and shortest path takes precedence.
BGPSEC
BGPSEC, currently in standardization process by the IETF, builds on RPKI, adding crypto signatures to BCP messages. Each AS must sign a BGP message upon announcement. The signature includes the prefix and AS-level path, the AS number of the AS receiving the message, and all the previous signed messages received from previous ASes on the path.
Upsides:
- No path-shortening attacks are possible because a shortened path would not pass the signature checks required as the origin would be checked against neighbor signatures.
Downsides:
- Unlike RPKI, BGPSEC is online crypto as routers sign and verify the BGP messages. This has a higher computational load, requiring the routers to be designed and built with that in mind.
- To gain the full benefits of BGPSEC, every AS needs to deploy it. This requires that the already decentralized ASes, who have their own political and business objectives, to agree to use this protocol.
- To remedy this, one way is to gain traction via early adoption by some of the ASes
- ASes tend to prioritize economic demands over those of security demands and given that BGPSEC only provides some small benefits over RPKI, ASes are not as incentivized.
- Suffers from protocol downgrade attacks.
[1] Goldberg, 2014. Why is it taking so long to secure internet routing