What's BGP got to do with Internet security?

by Marcia J. Wilson, CCSP Staff Writer
March 30, 2004

"Reprinted from April 23, 2K3" The Internet wasn't built with security in mind; it was built with communication in mind. In the same way Tina Turner wailed that love is nothing but "a secondhand emotion," security is an Internet afterthought.

The issues with the Border Gateway Protocol (BGP) are a case in point.



BGP is the interdomain routing protocol of the Internet. Its primary purpose is to route Internet traffic, not to ensure the secure delivery of thattraffic. Accidental misconfigurations of BGP can interrupt Internet connectivity and create havoc. It's conceivable that BGP could become the target of attacks that could disrupt Internet services on a large scale. Think globally in terms of bank databases, telephone networks, defense systems and the like. Once you understand how BGP works, you can begin to understand the security issues, what can be done and what experts are proposing as possible solutions. Let's take a closer look.

A primer

BGP is a path-vector routing protocol than runs between autonomous systems on the Internet. Instead of keeping track of the Internet's entire topology, BGP routers receive information (known as reachability information) from neighbor routers and then choose the route with the shortest path for inclusion in the routing table. Each router will then announce the path to other neighbors if its routing policy permits that.

The path is a list of every autonomous system (AS) between the router and the destination. BGP groups networks together within autonomous systems so they may be seen as single entities. It doesn't matter whether there is a single BGP-speaking router within the AS or hundreds of BGP-speaking and non-BGP-speaking routers within the AS. An AS is sometimes described as a "single administrative domain," which makes one think that each business entity on the Internet has its own administrative domain. That isn't correct. An AS can and does include more than one organization.

As a business connected to the Internet, you pay for the services of an Internet service provider and therefore become part of the ISP's administrative domain. Basically, your organization's Internet-bound traffic routes through its ISP, which in turn routes traffic through its upstream ISP and so on.

Without getting into too much technical detail, understand that routing policies take precedence over reachability information for the simple reason that transit services aren't free. An ISP will receive routes from its upstream ISPs and announce all routes to its customers. Announcing a route is an invitation to route through the announcer, so the basic rule of thumb is "send routes only to paying customers." If a customer has two or more ISPs, it gets a little trickier -- but that's another conversation altogether. I won't get into peering and exchange points here. The point is that systems grouped together can be targeted together.

Security issues

Here's the basic issue with the current BGP setup: BGP routers trust one another. There aren't any true authentication mechanisms built in, and there's no such thing as a BGP digital signature. Cryptographic authentication isn't mandated.

There are basically two ways someone can harm a BGP session. The first is to masquerade as a peer router, taking over the IP address of that peer. The attacker can then propagate bad information into the routing tables unless filters are strict or, conversely, the attacker can garner information. The attacker might even route some of your address space to himself and appear to the world as you. That's a little scary.

The other form of attack is to force a reset of your BGP session, which is more than annoyingly disruptive. BGP is subject to the same kinds of attacks at TCP/IP: IP spoofing, session stealing, denial of service and the like. When we talk about routing, we are talking about the path that data takes. An attacker can reroute traffic down a path that will enable him to view the data along that path, or he can send the data into a black hole. In any case, there is too much risk with the current setup to not pay attention to what needs to happen next to solve the problems. For a complete description of the security vulnerabilities of BGP, read the Internet Engineering Task Force's Network Working Group's Internet draft on the subject.

Can we get to the solution?

The scientific Internet community has long been working on solutions for securing BGP. Many ideas and possible solutions have been offered. Everyone agrees that the idea of trusted systems has to go. This implies the use of cryptographic authentication of some kind. As we know, encryption carries with it high demands in terms of hardware and bandwidth.

The segue is Secure-Border Gateway Protocol, or S-BGP. S-BGP makes use of IPsec encryption to secure transmissions, PKI to take care of the authorization requirements, and attestations -- a big word for digitally signed data. The problem isn't that we don't know what to do. We do. It's deployment that's the issue. Here are some of the challenges:

• We need router software that implements IPsec, public-key infrastructure and digital signatures.
  
  
• We need router hardware that can handle the load.
  
  
• Regional registries have to assume certificate authority responsibilities for address prefixes and AS number assignment/location.
  
  
• ISPs and subscribers have to upgrade routers, act as certificate authorities and handle the PKI exchanges with repositories.
  
  
• Deployment has to be handled carefully and incrementally.

In this economy, no one is going to support a technology refresh of this kind across the entire global Internet. So, there you have it. It's not that it can't be done -- it's a huge task with global implications, not only in terms of cost, but also in terms of global cooperation, and we don't have much of that going around lately.

What can be done?

Often, little things are overlooked when big things get in the way. Here's a list of router management do's and don'ts:

• Use secure passwords.
  
  
• Set up local admin accounts with appropriate access rights.
  
  
• Change passwords often, and don't use centralized authorization -- as tempting as it is to do so.
  
  
• Put someone in charge of passwords.
  
  
• Use Secure Shell to access your routers, not Telnet, which transmits passwords in clear text.
  
  
• Use stable releases of router software. Bleeding edge is just that: bleeding.
  
  
• Implement MD5. MD5 is a cryptographic checksum mechanism that replaces the usual TCP checksum in BGP packets. It's good for link integrity, but not much more.

The critical idea to take away is that BGP, which drives the Internet, isn't inherently secure. Here is a link to a secure BGP template, last updated April 8, 2003. There are things you can do to better secure your implementation of BGP. It's better to do something than nothing at all.

---

*Note: Some links to stories may no longer function or now require you to register to view.





by Marcia J. Wilson ComputerCops Staff Writer

Marcia J. Wilson holds the CISSP designation and is the founder and CEO of Wilson Secure LLC , a company focused on providing independent network security auditing and risk analysis. She can be reached at .