• 02/26/2015
    8:00 AM

BGP Security: No Quick Fix

The routing protocol is plagued by multiple security vulnerabilities, which attackers are exploiting. However, securing BGP is no small feat.

How SDN can help

Software-defined networking (SDN) can help by making routing configuration changes automatically in near-real time, reducing the need for maintenance windows. This addresses a shortcoming of RPSL: routing policy changes constantly.

For example, when an enterprise changes its service provider, some service providers may only accept routes from the old one until their routers are reconfigured. In an SDN world, a controller can read and revalidate these policies as fast as changes happen and configure routers in real time without causing an operational hardship.

In addition, support for NETCONF/YANG in routers and controllers can simplify configuring these policies, which is why it's good to see NETCONF/YANG support in the OpenDaylight controller.

Route analytics

Route analytics can help with the two cases of route hijacking that need detecting: when an organization’s routes are being hijacked, and when an operator is unwittingly the carrier of hijacked routes.

When an organization’s routes are being hijacked, the data needed for detection is typically unavailable in that organization’s own BGP routers. Because of the way the BGP AS_PATH attribute works, the hijacked routes will contain the organization’s autonomous system (AS) number and therefore -- to avoid loops -- BGP will not pass them back to the organization’s routers. However, with access to external BGP sessions or to the BGP data typically found in the Route Views or RIPE/RIS projects, it's possible to monitor an organization’s own routes and be alerted when suspicious deviations are found.

When an organization is being passed hijacked routes, data from its routers can be used to detect it in two ways. The first technique is BGP route baselining. This tracks which routes are typically received and detects when these routes are missing or when new non-baselined routes pop up. Organizations can baseline BGP routes with respect to their origin AS, the neighbor AS, the BGP next hop router, the border router, and various BGP route targets.
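The baselining check described above can be sketched as follows. This is an added example, not code from the article: the route tuple layout (prefix, AS path with the neighbor AS first and the origin AS last, next hop) is an assumption, the sample routes are constructed from documentation prefixes and AS numbers, and the more-specific-prefix check goes slightly beyond what the text lists.

```python
import ipaddress
from collections import defaultdict

def build_baseline(routes):
    """Map each prefix to the set of (origin AS, neighbor AS, next hop) seen."""
    table = defaultdict(set)
    for prefix, as_path, next_hop in routes:
        table[ipaddress.ip_network(prefix)].add((as_path[-1], as_path[0], next_hop))
    return dict(table)

def compare(baseline, current_routes):
    """Return sorted (kind, prefix, detail) deviations from the baseline."""
    current = build_baseline(current_routes)
    # Baselined prefixes that are no longer received at all.
    alerts = [("missing", str(p), "") for p in baseline.keys() - current.keys()]
    for prefix, seen in current.items():
        known = baseline.get(prefix)
        for origin, neighbor, hop in seen - (known or set()):
            if known is None:
                # A new prefix inside a baselined one is the more suspicious case.
                covered = any(b.version == prefix.version and prefix.subnet_of(b)
                              for b in baseline)
                kind = "new-more-specific" if covered else "new-prefix"
            elif origin not in {a[0] for a in known}:
                kind = "origin-change"
            elif neighbor not in {a[1] for a in known}:
                kind = "neighbor-change"
            else:
                kind = "next-hop-change"
            detail = f"origin AS{origin} via AS{neighbor}, next hop {hop}"
            alerts.append((kind, str(prefix), detail))
    return sorted(alerts)

# Constructed sample data: (prefix, AS path as received, BGP next hop).
BASELINE_ROUTES = [
    ("192.0.2.0/24", [64500, 64501, 64496], "10.0.0.1"),
    ("198.51.100.0/24", [64500, 64497], "10.0.0.1"),
    ("203.0.113.0/24", [64502, 64498], "10.0.0.2"),
]
CURRENT_ROUTES = [
    ("192.0.2.0/24", [64500, 64501, 64511], "10.0.0.1"),  # different origin AS
    ("198.51.100.0/25", [64502, 64511], "10.0.0.2"),      # new, inside a baselined /24
    ("203.0.113.0/24", [64502, 64498], "10.0.0.2"),       # unchanged
]

if __name__ == "__main__":
    for kind, prefix, detail in compare(build_baseline(BASELINE_ROUTES), CURRENT_ROUTES):
        print(f"{kind:18} {prefix:18} {detail}")
```

A deviation from the baseline is a prompt for investigation rather than proof of a hijack, since legitimate provider changes produce the same signals.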

The second technique is BGP route visualization. For a given BGP prefix, or a set of prefixes specified using a filter, BGP route visualization can draw a picture of the route’s traversal across the Internet. This includes the border router in the organization’s AS, the next hop router in the next AS, and the neighbor, transit, and origin AS. It can also draw a comparative picture that contrasts the route at two different times, and animate the changes over that time period.

Ultimately, we need a permanent solution to secure BGP. Whether it is RPSL or SIDR, we must act with urgency to secure BGP and protect networks from malicious attacks. Both solutions require registration of policy objects. Until this is done on a broad scale, we need to closely monitor BGP for evidence of route hijacking as well as explore new technologies such as SDN that can help.
