BGP Security: No Quick Fix: Page 2 of 2
How SDN can help
Software-defined networking (SDN) can help by making routing configuration changes automatically and in near-real time, reducing the need for maintenance windows. This addresses one shortcoming of RPSL: routing policy changes constantly, faster than it is re-registered and pushed to routers by hand.
For example, when an enterprise changes its service provider, some service providers may continue to accept its routes only from the old provider until their routers are reconfigured. In an SDN world, a controller can read and revalidate these policies as fast as changes happen and configure routers in real time without causing operational hardship.
In addition, support for NETCONF/YANG in routers and controllers can simplify the configuration of these policies, which is why it is good to see NETCONF/YANG support in the OpenDaylight controller.
Route analytics can help with the two cases of route hijacking that need detecting: when an organization's own routes are being hijacked, and when an operator is unwittingly carrying hijacked routes.
When an organization's routes are being hijacked, the data needed for detection is typically unavailable in that organization's own BGP routers. Because of the way the BGP AS_PATH attribute works, these routes contain the organization's autonomous system (AS) number, and BGP therefore will not pass them back to the organization's routers, in order to avoid loops. However, with access to external BGP sessions, or to the BGP data collected by projects such as Route Views or RIPE RIS, it is possible to monitor an organization's own routes and be alerted when suspicious deviations are found.
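The two halves of that paragraph, as an added example that is not from the original article: the loop-prevention rule that keeps an organization's own routes out of its own routers, and a check that runs over routes seen from an external vantage point (Route Views or RIS style data) to flag a more-specific announced by another AS, a foreign origin, or a path that ends at the organization's ASN through an AS it does not actually peer with. The ASN, prefixes, upstream set and collector rows are constructed for the example, not real observations.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Constructed example data: private-range ASNs and documentation (TEST-NET)
# prefixes, not observations from any real collector.
LOCAL_ASN = 65000
OWN_PREFIXES = ("203.0.113.0/24", "198.51.100.0/24")
EXPECTED_UPSTREAMS = {64497, 64499}  # assumption: the ASes we really peer with


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]  # left to right as received; the origin AS is last


def accepted_by_local_router(route: Route, local_asn: int) -> bool:
    """BGP loop prevention: a router rejects any route whose AS_PATH already
    contains its own ASN. This is why the Internet's view of our own prefixes
    never appears in our own routers' BGP tables."""
    return local_asn not in route.as_path


def routes_visible_locally(routes: Iterable[Route], local_asn: int) -> List[Route]:
    return [r for r in routes if accepted_by_local_router(r, local_asn)]


def check_own_prefixes(collector_routes: Iterable[Route], own_prefixes: Iterable[str],
                       local_asn: int, expected_upstreams: Set[int]) -> List[Tuple[str, int, str]]:
    """Compare what an external vantage point sees for our address space with
    what we expect to be announced. Returns (prefix, asn, kind) alerts."""
    owned = [ipaddress.ip_network(p) for p in own_prefixes]
    alerts = []
    for r in collector_routes:
        net = ipaddress.ip_network(r.prefix)
        # subnet_of() includes equality; the version guard avoids mixing v4/v6
        covering = [o for o in owned if o.version == net.version and net.subnet_of(o)]
        if not covering:
            continue  # not our address space, nothing to check
        origin = r.as_path[-1]
        if origin != local_asn:
            exact = any(net == o for o in covering)
            alerts.append((r.prefix, origin, "ORIGIN_MISMATCH" if exact else "MORE_SPECIFIC"))
        elif len(r.as_path) >= 2 and r.as_path[-2] not in expected_upstreams:
            # Origin is ours, but the AS adjacent to us is not a provider of
            # ours: a path can keep our ASN as origin and still be wrong.
            alerts.append((r.prefix, r.as_path[-2], "UNEXPECTED_UPSTREAM"))
    return alerts


# Constructed collector rows: what the outside world reports for these prefixes.
COLLECTOR_VIEW = [
    Route("203.0.113.0/24", (64496, 64497, 65000)),    # legitimate announcement
    Route("203.0.113.128/25", (64496, 64498, 64510)),  # more-specific from another AS
    Route("198.51.100.0/24", (64496, 64511, 65000)),   # our origin, unknown upstream
    Route("192.0.2.0/24", (64496, 64500)),             # someone else's prefix
]

# Constructed eBGP feed as received by one of our own border routers.
LOCAL_FEED = [
    Route("192.0.2.0/24", (64497, 64500)),
    Route("203.0.113.0/24", (64497, 64498, 65000)),  # our own prefix reflected back: dropped
]


def run_checks() -> Tuple[List[Route], List[Tuple[str, int, str]]]:
    visible = routes_visible_locally(LOCAL_FEED, LOCAL_ASN)
    alerts = check_own_prefixes(COLLECTOR_VIEW, OWN_PREFIXES, LOCAL_ASN, EXPECTED_UPSTREAMS)
    return visible, alerts


if __name__ == "__main__":
    visible, alerts = run_checks()
    print("routes our router keeps:", [r.prefix for r in visible])
    for prefix, asn, kind in alerts:
        print(f"ALERT {kind}: {prefix} via AS{asn}")
```

The local feed shows the problem: the copy of 203.0.113.0/24 that comes back with AS65000 in its path is dropped before it reaches any table the organization could inspect, so the alerts can only come from the collector view.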
When an organization is being passed hijacked routes, data from its own routers can detect it in two ways. The first technique is BGP route baselining: it tracks which routes are typically received and detects when those routes go missing or when new, non-baselined routes appear. Organizations can baseline BGP routes with respect to origin AS, neighbor AS, BGP next-hop router, border router, and various BGP route targets.
The second technique is BGP route visualization. For a given BGP prefix, or a set of prefixes selected by a filter, route visualization draws a picture of the route's traversal across the Internet: the border router in the organization's AS, the next-hop router in the adjacent AS, and the neighbor, transit and origin ASes. It can draw a comparative picture contrasting two points in time, as well as animate the changes over that period.
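A minimal route-baselining check along the lines of the first technique, added here as an example rather than taken from the article or any product it mentions. It learns, per received prefix, the set of origin AS, neighbor AS, next hop and border router values seen in a known-good snapshot, then reports prefixes that have gone missing, prefixes that were never baselined, and baselined prefixes that now arrive with a value not seen before. Both snapshots are constructed for the example; a real deployment would feed it RIB dumps or BMP data from the border routers.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class ReceivedRoute:
    prefix: str
    origin_as: int
    neighbor_as: int     # eBGP peer that sent us the route
    next_hop: str        # BGP NEXT_HOP attribute
    border_router: str   # our router that received the route


# Attributes the baseline is keyed on, in the order the article lists them.
BASELINE_FIELDS = ("origin_as", "neighbor_as", "next_hop", "border_router")

# prefix -> field name -> set of values observed for that prefix
Baseline = Dict[str, Dict[str, Set[object]]]


def build_baseline(routes: Iterable[ReceivedRoute]) -> Baseline:
    """Record every value of each baselined attribute seen per prefix."""
    baseline: Baseline = {}
    for r in routes:
        per_field = baseline.setdefault(r.prefix, {f: set() for f in BASELINE_FIELDS})
        for f in BASELINE_FIELDS:
            per_field[f].add(getattr(r, f))
    return baseline


def compare_to_baseline(baseline: Baseline,
                        current: Iterable[ReceivedRoute]) -> List[Tuple[str, str, str]]:
    """Return sorted (kind, prefix, detail) findings for the current snapshot."""
    now = build_baseline(current)
    findings: List[Tuple[str, str, str]] = []
    for prefix in baseline.keys() - now.keys():
        findings.append(("MISSING", prefix, ""))
    for prefix in now.keys() - baseline.keys():
        origins = ",".join(str(o) for o in sorted(now[prefix]["origin_as"]))
        findings.append(("NEW_PREFIX", prefix, "origin_as=" + origins))
    for prefix in baseline.keys() & now.keys():
        for f in BASELINE_FIELDS:
            # A value never seen for this prefix before, e.g. a new origin AS
            # on an otherwise familiar path, is the classic hijack signature.
            for value in sorted(now[prefix][f] - baseline[prefix][f], key=str):
                findings.append(("NEW_" + f.upper(), prefix, f"{f}={value}"))
    return sorted(findings)


# Constructed known-good snapshot (documentation prefixes, private ASNs).
BASELINE_SNAPSHOT = [
    ReceivedRoute("192.0.2.0/24", 64500, 64496, "10.0.0.1", "edge1"),
    ReceivedRoute("198.51.100.0/24", 64501, 64496, "10.0.0.1", "edge1"),
    ReceivedRoute("198.51.100.0/24", 64501, 64497, "10.0.1.1", "edge2"),
    ReceivedRoute("203.0.113.0/24", 64502, 64497, "10.0.1.1", "edge2"),
]

# Constructed later snapshot: one origin change, one missing prefix,
# one new more-specific that was never baselined.
CURRENT_SNAPSHOT = [
    ReceivedRoute("192.0.2.0/24", 64510, 64496, "10.0.0.1", "edge1"),
    ReceivedRoute("198.51.100.0/24", 64501, 64496, "10.0.0.1", "edge1"),
    ReceivedRoute("203.0.113.0/25", 64520, 64496, "10.0.0.1", "edge1"),
]


def run_comparison() -> List[Tuple[str, str, str]]:
    return compare_to_baseline(build_baseline(BASELINE_SNAPSHOT), CURRENT_SNAPSHOT)


if __name__ == "__main__":
    for kind, prefix, detail in run_comparison():
        print(f"{kind:14} {prefix:18} {detail}")
```

Note what the check deliberately does not flag: 198.51.100.0/24 is still present with a baselined origin even though one of its two baselined paths has disappeared, so it produces no finding; only whole prefixes going missing and values never seen before are reported, which keeps the alert volume close to what an operator can actually review.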
Ultimately, we need a permanent solution to secure BGP. Whether it is RPSL or SIDR, we must act with urgency to secure BGP and protect networks from malicious attacks. Both solutions require registration of policy objects. Until this is done on a broad scale, we need to closely monitor BGP for evidence of route hijacking as well as explore new technologies such as SDN that can help.