Why would you need security in BGP?
To protect yourself against man-in-the-middle attacks and to prevent illicit routes from being artificially inserted into your routing tables for nefarious purposes. By using several security features added to BGP, you can greatly reduce BGP's exposure to attack.
- Challenge-Handshake Authentication Protocol
This is your last alternative. Use Message Digest 5 if you can, and combine that with effective route policies. CHAP uses a pre-arranged value on both routers to authenticate the sender and receiver when establishing a connection. However, CHAP is sent in cleartext. It won't stop a man-in-the-middle attack because the attacker can see the CHAP exchange.
- Message Digest v5
Configuring a Message Digest key on neighboring routers enables you to authenticate the BGP messages as coming from a valid source. An MD5 hash key is difficult to break and nearly impossible to forge in real time with current technology. Enable MD5 on your BGP route announcements. Routers must be pre-configured with the correct hash and key values; however, this makes a network far safer against malicious route insertion, as the keys are never passed over the network.
- Establish an Effective Route Policy
Establishing a route policy goes a long way towards defeating external threats, in addition to preventing congestion, routing loops and other network anomalies.
- Build good ingress and egress filters (especially if you are an ISP)
- Block non-routable addresses (Loopback and private addresses)
- Block the 'special/experimental use' IP addresses
- Block certain known troublemakers
- Block any packets sourcing your IP addresses from outside your network
- Residential dial-up, cable and DSL modem addresses
- Some foreign addresses in certain countries
- Configure null routes within your network that dump traffic bound for unreachable destinations into the bit bucket.
Best Option
Your best option to protect your BGP session is to:
- Configure an effective Route Policy (e.g.: Cisco route maps)
- Sane inbound and outbound prefix lists and route filters
- Set a limit on the maximum number of BGP prefixes accepted from each peer
- Use MD5 keys
- Enable route dampening properly
- Set a limit on the maximum number of prefixes accepted from each peer.
- Place null routes in strategically distributed locations so that bad traffic is dumped as soon as it enters the network.
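The inbound filtering rules and the per-peer prefix limit listed above, modelled in Python as an added example (not code from the original page or from any router vendor). The bogon list, the local block 198.51.100.0/24, the limit of 3 and the sample announcements are constructed assumptions, and the model is IPv4 only.

```python
import ipaddress

# Constructed policy data. Documentation ranges stand in for real public
# prefixes in the samples, so they are deliberately left out of BOGONS.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",   # loopback, link-local, private
    "224.0.0.0/4", "240.0.0.0/4")]       # multicast, reserved/experimental
OWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]  # hypothetical local block
MAX_PREFIXES = 3  # hypothetical per-peer limit, kept small for the demo


def classify(prefix):
    """Return 'accept' or the reason an announced prefix is filtered."""
    net = ipaddress.ip_network(prefix)
    # Match the range itself and anything more specific inside it.
    if any(net.subnet_of(b) for b in BOGONS):
        return "bogon"
    # A peer must never announce our own address space back to us.
    if any(net.subnet_of(o) for o in OWN_PREFIXES):
        return "own-prefix"
    return "accept"


def process_session(announcements):
    """Apply the inbound filter, then the max-prefix limit, to one peer."""
    accepted, rejected = [], []
    for prefix in announcements:
        verdict = classify(prefix)
        if verdict != "accept":
            rejected.append((prefix, verdict))
            continue
        if len(accepted) >= MAX_PREFIXES:
            # Limit exceeded: drop the session instead of growing the table.
            return {"state": "torn-down", "accepted": accepted,
                    "rejected": rejected}
        accepted.append(prefix)
    return {"state": "established", "accepted": accepted, "rejected": rejected}


# Constructed announcements from one peer.
NORMAL = ["203.0.113.0/24", "10.1.0.0/16", "198.51.100.128/25",
          "192.0.2.0/24", "127.0.0.0/8"]
FLOOD = ["192.0.2.0/26", "192.0.2.64/26", "192.0.2.128/26", "192.0.2.192/26"]

if __name__ == "__main__":
    print(process_session(NORMAL))
    print(process_session(FLOOD))
```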