BGP Security
1 v1.2
BGP Authentication
• BGP relies on the transport layer (TCP) for session authentication.
– MD5 authentication using TCP option 19 (option kind 19)
• RFC2385: Protection of BGP Sessions via the TCP MD5 Signature Option
• TCP option 19 carries a 16-byte MD5 digest in every segment of the session
• Purpose: reject spoofed segments (forged RSTs, injected UPDATEs) from anyone who does not hold the shared key; the session is not encrypted
• RFC2385 has been obsoleted by TCP-AO (RFC5925), but the MD5 option remains the mechanism most routers support
How BGP Authentication Works
• Every segment sent on the session carries a 16-byte MD5 digest in TCP option 19.
– Produced by applying MD5 algorithm to:
• TCP pseudo-header in the order:
1. Source IP address
2. Destination IP address
3. Zero-padded protocol number
4. Segment length
• TCP header, excluding options, and assuming a checksum of zero
• TCP segment data (if any)
• Independently-specified key or password
NOTE: Header and pseudo-header are in network byte order
• The receiver validates every incoming segment.
– Calculates its own MD5 digest over the same inputs (pseudo-header, TCP header with the checksum field zeroed, segment data, key)
– Compares its own digest against the received MD5 digest
– Silently drops the segment if they differ: no RST and no ICMP error is sent, although logging the failure is advisable
– A segment that lacks the option on a session configured for MD5 is likewise dropped
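The two procedures above (signing on the sender, recomputing and comparing on the receiver) as an added example; this is not code from the slides or from any vendor. The addresses and key are the deck's example values, the BGP KEEPALIVE payload and port numbers are constructed here, and the whole segment is built in user space so the digest inputs can be seen in the order the slides list them:

```python
"""RFC 2385 TCP MD5 signature option: sign on the sender, verify on the receiver.
Added example (not from the slides). Addresses and key are the deck's values;
the BGP KEEPALIVE payload is constructed here."""
import hashlib
import hmac
import socket
import struct

TCP_PROTO = 6
OPT_EOL, OPT_NOP, OPT_MD5 = 0, 1, 19
OPT_MD5_LEN = 18            # kind (1) + length (1) + digest (16)
TCP_FIXED_HDR = 20          # TCP header length without options


def tcp_md5_digest(src_ip, dst_ip, tcp_header, payload, key):
    """MD5 over pseudo-header, fixed TCP header (checksum zeroed), data, key."""
    seg_len = len(tcp_header) + len(payload)          # whole segment, options included
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    fixed = bytearray(tcp_header[:TCP_FIXED_HDR])     # options are not covered
    fixed[16:18] = b"\x00\x00"                        # checksum assumed zero
    m = hashlib.md5()
    for part in (pseudo, bytes(fixed), payload, key):
        m.update(part)
    return m.digest()


def tcp_checksum(src_ip, dst_ip, segment):
    """Ordinary TCP checksum (pseudo-header + segment with checksum field zeroed)."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    data = pseudo + segment[:16] + b"\x00\x00" + segment[18:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key):
    """Sender: fixed header + option 19 (padded with NOP, EOL to 20 bytes) + data."""
    data_offset = (TCP_FIXED_HDR + 20) // 4           # 40-byte header = 10 words
    fixed = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                        (data_offset << 12) | flags, 65535, 0, 0)
    pad = bytes([OPT_NOP, OPT_EOL])
    # The digest does not cover the options, so a zeroed placeholder only
    # needs the right length to make seg_len correct.
    placeholder = bytes([OPT_MD5, OPT_MD5_LEN]) + bytes(16) + pad
    digest = tcp_md5_digest(src_ip, dst_ip, fixed + placeholder, payload, key)
    segment = bytearray(fixed + bytes([OPT_MD5, OPT_MD5_LEN]) + digest + pad + payload)
    struct.pack_into("!H", segment, 16, tcp_checksum(src_ip, dst_ip, bytes(segment)))
    return bytes(segment)


def extract_md5_option(tcp_header):
    """Walk the TCP option list; return the 16-byte digest or None if absent."""
    i = TCP_FIXED_HDR
    while i < len(tcp_header):
        kind = tcp_header[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(tcp_header) or tcp_header[i + 1] < 2:
            break                                     # malformed option list
        length = tcp_header[i + 1]
        if kind == OPT_MD5 and length == OPT_MD5_LEN:
            return tcp_header[i + 2:i + OPT_MD5_LEN]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver: recompute and compare. False means 'silently drop'."""
    hdr_len = (segment[12] >> 4) * 4
    if hdr_len < TCP_FIXED_HDR or hdr_len > len(segment):
        return False
    header, payload = segment[:hdr_len], segment[hdr_len:]
    received = extract_md5_option(header)
    if received is None:                              # unsigned segment on a signed session
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, header, payload, key)
    return hmac.compare_digest(received, expected)    # constant-time compare


# Constructed sample: R1 (172.20.0.2) sends a BGP KEEPALIVE to R101 (172.20.0.1).
KEY = b"IW0ntTe11U!!"
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)  # marker, length 19, type KEEPALIVE
R1, R101 = "172.20.0.2", "172.20.0.1"
SEGMENT = build_signed_segment(R1, R101, 40000, 179, 1000, 2000, 0x10, KEEPALIVE, KEY)

if __name__ == "__main__":
    tampered = SEGMENT[:-1] + bytes([SEGMENT[-1] ^ 0x01])
    print("correct key :", verify_segment(R1, R101, SEGMENT, KEY))        # True
    print("wrong key   :", verify_segment(R1, R101, SEGMENT, b"guess"))   # False
    print("tampered    :", verify_segment(R1, R101, tampered, KEY))       # False
```

Two details worth noticing: the segment length in the pseudo-header counts the options, while the hashed header stops at byte 20, which is why the option bytes can be filled in after the digest is computed; and the comparison uses a constant-time compare, since a digest check is exactly the place where a timing side channel would matter.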
Configuring BGP Authentication
• BGP Authentication is enabled by configuring a password (the MD5 key) for:
– An individual BGP peer
– A group of BGP peers (peer group / peer template)
• Both sides must use the identical key; with a mismatch, or a key on one side only, every segment is dropped and the session never establishes
Example: BGP Authentication (Cisco IOS)
Topology: R1 (AS64512: 172.20.0.2, 2406:6400:4::1) -- EBGP -- R101 (AS65000: 172.20.0.1, 2406:6400:4::0); links 172.20.0.0/30 and 2406:6400:4::/127
Cisco IOS R1's configuration
router bgp 64512
! Enable BGP Authentication and set the TCP MD5 key for the IPv4 peer group
! (encryption type 0 = key entered in clear text)
neighbor EBGP-AS65000-IPV4 password 0 IW0ntTe11U!!
! Same key for the IPv6 peer group
neighbor EBGP-AS65000-IPV6 password 0 IW0ntTe11U!!
Cisco IOS R101's configuration
router bgp 65000
! Enable BGP Authentication and set the TCP MD5 key for the IPv4 peer group
! (encryption type 0 = key entered in clear text)
neighbor EBGP-AS64512-IPV4 password 0 IW0ntTe11U!!
! Same key for the IPv6 peer group
neighbor EBGP-AS64512-IPV6 password 0 IW0ntTe11U!!
• Verification commands:
– Showing BGP peers
• show bgp ipv4 unicast summary
• show bgp ipv6 unicast summary
– Showing detail information of a specific peer
• show bgp ipv4 unicast neighbors [peer-address]
• show bgp ipv6 unicast neighbors [peer-address]
– A key mismatch shows up in the log as %TCP-6-BADAUTH: Invalid MD5 digest from [peer-address](179) to ...
Example: BGP Authentication (Juniper Junos OS)
Topology: R1 (AS64512: 172.20.0.2, 2406:6400:4::1) -- EBGP -- R101 (AS65000: 172.20.0.1, 2406:6400:4::0); links 172.20.0.0/30 and 2406:6400:4::/127
Juniper Junos OS R1's configuration
# Enable BGP Authentication and set the TCP MD5 key on the IPv4 group
# (Junos stores the key obfuscated as $9$... in the configuration)
top set protocols bgp group EBGP-AS65000-IPV4 authentication-key IW0ntTe11U!!
# Repeat for the IPv6 group (EBGP-AS65000-IPV6); R101 configures the same key on its EBGP-AS64512-* groups
• Verification commands:
– Showing BGP peers
• show bgp summary
– Showing detail information of specific peer
• show bgp neighbor [peer-address]
Example: BGP Authentication (MikroTik RouterOS)
Topology: R1 (AS64512: 172.20.0.2, 2406:6400:4::2) -- EBGP -- R101 (AS65000: 172.20.0.1, 2406:6400:4::1); links 172.20.0.0/30 and 2406:6400:4::/126
MikroTik RouterOS R1’s configuration
# Enable BGP Authentication and set TCP MD5 Key
/routing bgp peer set EBGP-AS65000-IPV4 tcp-md5-key=IW0ntTe11U!!
• Verification commands:
– Showing BGP peers
• /routing bgp peer print status
Generalized TTL Security Mechanism (GTSM)
• Protects the router's IP-based control plane (here the BGP process) from remote spoofed-packet and CPU-exhaustion attacks by checking the IP TTL / IPv6 Hop Limit of received packets.
– RFC3682: The Generalized TTL Security Mechanism (GTSM), obsoleted by RFC5082
• GTSM implementation:
– Both peers set TTL (or IPv6 Hop Limit) to 255 on outbound packets
– Expected minimum TTL on inbound packets:
• Directly connected peers: 255
• Multi-hop peers: (255 – number of acceptable hops)
– Silently discards packets with a lower TTL
• Why it works: every router on the path decrements the TTL and no host can send with more than 255, so a packet from an attacker N routers away arrives with at most 255 – N and is dropped
• Recommended on EBGP sessions. The default EBGP TTL of 1 must be changed on both sides, and GTSM complements (does not replace) TCP MD5 authentication.
Configuring GTSM
• GTSM configuration for directly connected peers:
– Cisco IOS
• Enable “TTL Security” feature and set hop count to 1
– BGP outbound TTL will be automatically set to 255
– Inbound BGP packets with TTL < (255 – 1) will be discarded
– Juniper Junos OS
• Set BGP outbound TTL to 255
• Use Firewall Filter to discard inbound BGP packets with TTL other than 255
– MikroTik RouterOS
• Set BGP outbound TTL to 255
• Use Firewall Filter to discard inbound BGP packets with TTL other than 255
• GTSM configuration for multi-hop peers:
– Cisco IOS
• Enable "TTL Security" and set the hop count to the number of acceptable hops (ttl-security hops N takes the place of ebgp-multihop N; IOS does not accept both on the same neighbor)
– BGP outbound TTL will be automatically set to 255
– Inbound BGP packets with TTL < (255 – hop count) will be discarded
– Juniper Junos OS
• Set BGP outbound TTL to 255
• Use a Firewall Filter to discard inbound BGP packets with TTL < (255 – number of acceptable hops)
– MikroTik RouterOS
• Set BGP outbound TTL to 255
• Use a Firewall Filter to discard inbound BGP packets with TTL < (255 – number of acceptable hops)
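The receive-side check that the Cisco, Junos and RouterOS configurations above implement, as an added example (not from the slides and not vendor code). It parses raw IPv4 and IPv6 headers, applies the GTSM rule for a directly connected and a multi-hop peer, and simulates an attacker a few routers away spoofing the peer's address. The packets are constructed here on the deck's topology; the IPv4 header checksum is left at zero and IPv6 extension headers are assumed absent:

```python
"""GTSM receive-side check (RFC 3682 / RFC 5082) over raw IPv4 and IPv6 headers.
Added example, not from the slides. Packets are constructed test data."""
import socket
import struct

TCP_PROTO = 6
BGP_PORT = 179


def bgp_ttl(pkt):
    """Return the TTL / Hop Limit if pkt is TCP to or from port 179, else None."""
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        ttl, proto, l4 = pkt[8], pkt[9], pkt[ihl:]
    elif version == 6:
        proto, ttl, l4 = pkt[6], pkt[7], pkt[40:]   # next header, hop limit; no extension headers
    else:
        return None
    if proto != TCP_PROTO or len(l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return ttl if BGP_PORT in (sport, dport) else None


def gtsm_verdict(pkt, hops=0):
    """'accept' / 'drop' for BGP packets, 'not-bgp' otherwise.

    hops = routers allowed between the peers (0 = directly connected), so the
    expected minimum TTL is 255 - hops. Cisco's `ttl-security hops N` accepts
    TTL >= 255 - N, i.e. N counts one more than the routers in between.
    """
    ttl = bgp_ttl(pkt)
    if ttl is None:
        return "not-bgp"
    return "accept" if ttl >= 255 - hops else "drop"


def ipv4_tcp(src, dst, ttl, sport, dport):
    """Minimal IPv4 + TCP SYN (header checksum 0; constructed test data)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl, TCP_PROTO, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def ipv6_tcp(src, dst, hop_limit, sport, dport):
    """Minimal IPv6 + TCP SYN (constructed test data)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x02, 65535, 0, 0)
    ip = struct.pack("!IHBB16s16s", 6 << 28, len(tcp), TCP_PROTO, hop_limit,
                     socket.inet_pton(socket.AF_INET6, src),
                     socket.inet_pton(socket.AF_INET6, dst))
    return ip + tcp


def forward(pkt, routers):
    """Simulate transit: every router on the path decrements TTL / Hop Limit by one."""
    b = bytearray(pkt)
    idx = 8 if b[0] >> 4 == 4 else 7
    b[idx] = max(0, b[idx] - routers)
    return bytes(b)


# Constructed packets on the deck's topology: R101 (172.20.0.1) -> R1 (172.20.0.2).
PEER_V4 = ipv4_tcp("172.20.0.1", "172.20.0.2", 255, 40000, BGP_PORT)
PEER_V6 = ipv6_tcp("2406:6400:4::", "2406:6400:4::1", 255, 40000, BGP_PORT)
LEGACY_V4 = ipv4_tcp("172.20.0.1", "172.20.0.2", 1, 40000, BGP_PORT)   # peer still on default TTL
SSH_V4 = ipv4_tcp("172.20.0.1", "172.20.0.2", 255, 40000, 22)

if __name__ == "__main__":
    # An attacker three routers away spoofs R101's address and sends with TTL 255.
    spoofed = forward(PEER_V4, 3)
    print("direct peer, hops 0 :", gtsm_verdict(PEER_V4, 0))     # accept
    print("spoofed, 3 away     :", gtsm_verdict(spoofed, 0))     # drop
    print("same pkt, hops 3    :", gtsm_verdict(spoofed, 3))     # accept (multi-hop config)
    print("peer on TTL 1       :", gtsm_verdict(LEGACY_V4, 0))   # drop: both sides must send 255
    print("IPv6 direct peer    :", gtsm_verdict(PEER_V6, 0))     # accept
    print("non-BGP traffic     :", gtsm_verdict(SSH_V4, 0))      # not-bgp
```

The LEGACY_V4 case is the operational gotcha: enabling the TTL check on one router before the neighbour sets its outbound TTL to 255 drops every legitimate packet, so the two sides must be changed together.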
Example: Implementing GTSM (Cisco IOS)
Topology: R1 (AS64512: 172.20.0.2, 2406:6400:4::1) -- EBGP -- R101 (AS65000: 172.20.0.1, 2406:6400:4::0); links 172.20.0.0/30 and 2406:6400:4::/127
Cisco IOS R1's configuration
router bgp 64512
! Enable TTL Security with hop count 1: outbound TTL 255, inbound accepted only if TTL >= 255 - 1 = 254
neighbor EBGP-AS65000-IPV4 ttl-security hops 1
! Same for the IPv6 peer group
neighbor EBGP-AS65000-IPV6 ttl-security hops 1
Cisco IOS R101's configuration
router bgp 65000
! Enable TTL Security with hop count 1: outbound TTL 255, inbound accepted only if TTL >= 255 - 1 = 254
neighbor EBGP-AS64512-IPV4 ttl-security hops 1
! Same for the IPv6 peer group
neighbor EBGP-AS64512-IPV6 ttl-security hops 1
• Verification commands:
– Showing BGP peers
• show bgp ipv4 unicast summary
• show bgp ipv6 unicast summary
– Showing detail information of a specific peer (the TCP section of the output reports the minimum incoming TTL and the outgoing TTL)
• show bgp ipv4 unicast neighbors [peer-address]
• show bgp ipv6 unicast neighbors [peer-address]
Example: Implementing GTSM (Juniper Junos OS)
Topology: R1 (AS64512: 172.20.0.2, 2406:6400:4::1) -- EBGP -- R101 (AS65000: 172.20.0.1, 2406:6400:4::0); links 172.20.0.0/30 and 2406:6400:4::/127
Juniper Junos OS R1's configuration
# Set BGP outbound TTL to 255 (the Junos default for EBGP is 1)
top set protocols bgp group EBGP-AS65000-IPV4 ttl 255
# Create an IPv4 Firewall Filter implementing GTSM on inbound BGP packets
top edit firewall family inet filter BGP-GTSM-IPV4
# Match TCP, the BGP port (source or destination), and TTL other than 255
set term 10 from protocol tcp port bgp ttl-except 255
# Silently discard the matched packets
set term 10 then discard
# Accept everything else (a filter ends with an implicit discard)
set term 1000 then accept
# Apply the filter as IPv4 input filter on the interface facing the peer
top set interfaces ge-0/0/5.0 family inet filter input-list BGP-GTSM-IPV4
Juniper Junos OS R1's configuration (IPv6)
# Set BGP outbound Hop Limit to 255
top set protocols bgp group EBGP-AS65000-IPV6 ttl 255
# Create an IPv6 Firewall Filter implementing GTSM on inbound BGP packets
top edit firewall family inet6 filter BGP-GTSM-IPV6
# Match TCP, the BGP port (source or destination), and Hop Limit other than 255
set term 10 from next-header tcp port bgp hop-limit-except 255
# Silently discard the matched packets
set term 10 then discard
# Accept everything else (a filter ends with an implicit discard)
set term 1000 then accept
# Apply the filter as IPv6 input filter on the interface facing the peer
top set interfaces ge-0/0/5.0 family inet6 filter input-list BGP-GTSM-IPV6
Juniper Junos OS R101's configuration
# Set BGP outbound TTL to 255 (the Junos default for EBGP is 1)
top set protocols bgp group EBGP-AS64512-IPV4 ttl 255
# Create an IPv4 Firewall Filter implementing GTSM on inbound BGP packets
top edit firewall family inet filter BGP-GTSM-IPV4
# Match TCP, the BGP port (source or destination), and TTL other than 255
set term 10 from protocol tcp port bgp ttl-except 255
# Silently discard the matched packets
set term 10 then discard
# Accept everything else (a filter ends with an implicit discard)
set term 1000 then accept
# Apply the filter as IPv4 input filter on the interface facing the peer
top set interfaces ge-0/0/5.0 family inet filter input-list BGP-GTSM-IPV4
Juniper Junos OS R101's configuration (IPv6)
# Set BGP outbound Hop Limit to 255
top set protocols bgp group EBGP-AS64512-IPV6 ttl 255
# Create an IPv6 Firewall Filter implementing GTSM on inbound BGP packets
top edit firewall family inet6 filter BGP-GTSM-IPV6
# Match TCP, the BGP port (source or destination), and Hop Limit other than 255
set term 10 from next-header tcp port bgp hop-limit-except 255
# Silently discard the matched packets
set term 10 then discard
# Accept everything else (a filter ends with an implicit discard)
set term 1000 then accept
# Apply the filter as IPv6 input filter on the interface facing the peer
top set interfaces ge-0/0/5.0 family inet6 filter input-list BGP-GTSM-IPV6
• Verification commands:
– Showing BGP peers
• show bgp summary
– Showing detail information of a specific peer
• show bgp neighbor [peer-address]
– Monitoring BGP traffic (confirm that packets from the peer arrive with TTL / Hop Limit 255)
• monitor traffic detail interface [interface-name] no-resolve no-timestamp matching ip count [packet-count]
• monitor traffic detail interface [interface-name] no-resolve no-timestamp matching ip6 count [packet-count]
Example: Implementing GTSM (MikroTik RouterOS)
Topology: R1 (AS64512: 172.20.0.2, 2406:6400:4::2) -- EBGP -- R101 (AS65000: 172.20.0.1, 2406:6400:4::1); links 172.20.0.0/30 and 2406:6400:4::/126
MikroTik RouterOS R1's configuration
# Set BGP outbound TTL to 255 (the IPv6 peer needs ttl=255 as well)
/routing bgp peer set EBGP-AS65000-IPV4 ttl=255
# IPv4 firewall filter implementing GTSM on inbound BGP packets:
# match TCP, the BGP port (source or destination), and TTL other than 255,
# silently discard the matched packets
/ip firewall filter add \
chain=input in-interface=ether6 \
protocol=tcp port=179 ttl=not-equal:255 \
action=drop
# IPv6 firewall filter implementing GTSM on inbound BGP packets:
# match TCP, the BGP port, and Hop Limit other than 255,
# silently discard the matched packets
/ipv6 firewall filter add \
chain=input in-interface=ether6 \
protocol=tcp port=179 hop-limit=not-equal:255 \
action=drop
# Note: "add" appends to the end of the chain. If an earlier input rule already
# accepts established/related or BGP traffic, move this rule above it
# (place-before=), otherwise the TTL check is never reached.
MikroTik RouterOS R101's configuration
# Set BGP outbound TTL to 255 (the IPv6 peer needs ttl=255 as well)
/routing bgp peer set EBGP-AS64512-IPV4 ttl=255
# IPv4 firewall filter implementing GTSM on inbound BGP packets:
# match TCP, the BGP port (source or destination), and TTL other than 255,
# silently discard the matched packets
/ip firewall filter add \
chain=input in-interface=ether6 \
protocol=tcp port=179 ttl=not-equal:255 \
action=drop
# IPv6 firewall filter implementing GTSM on inbound BGP packets:
# match TCP, the BGP port, and Hop Limit other than 255,
# silently discard the matched packets
/ipv6 firewall filter add \
chain=input in-interface=ether6 \
protocol=tcp port=179 hop-limit=not-equal:255 \
action=drop
# Note: as on R1, place these rules before any rule that accepts the traffic.
• Verification commands:
– Showing BGP peers
• /routing bgp peer print status
– Monitoring BGP traffic
• /tool sniffer set filter-interface=[interface-name] filter-ip-protocol=tcp filter-port=bgp
• /tool sniffer start
• /tool sniffer stop
• /tool sniffer packet print detail where protocol=ip
• /tool sniffer packet print detail where protocol=ipv6
Maximum Prefix Limit
• Prevents exhaustion of control plane resources (RIB memory, CPU) when a peer leaks a full table or a flood of more-specific prefixes.
• Limits the number of prefixes accepted from a peer.
– Logs a warning message when the received count reaches a configured threshold (a percentage of the limit)
– Tears down the BGP session when the count exceeds the limit; the session stays Idle until a restart timer expires or the operator clears it
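The threshold / teardown / restart behaviour just described, as an added example that is not from the slides and not any vendor's implementation. It uses the deck's policy (limit 5, warning at 60%, restart after 30 minutes) and feeds in six constructed prefixes, so the point at which the warning fires, the point at which the session drops, and when it comes back can be read off the returned actions:

```python
"""Maximum-prefix limit semantics: warn at a threshold, tear down when the
limit is exceeded, re-establish after a restart interval.
Added example, not from the slides. Prefixes fed in are constructed."""
import math
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PrefixLimit:
    maximum: int                            # prefixes accepted from the peer
    threshold_pct: int = 75                 # warn when received >= this % of maximum
    restart_minutes: Optional[int] = None   # None: stay Idle until the operator clears the peer
    received: int = 0
    established: bool = True
    restart_at: Optional[int] = None
    log: List[str] = field(default_factory=list)

    @property
    def warn_at(self) -> int:
        """Prefix count at which the warning is logged (5 * 60% = 3)."""
        return math.ceil(self.maximum * self.threshold_pct / 100)

    def on_prefix(self, prefix: str, now: int) -> str:
        """One more prefix received at time `now` (minutes). Returns the action taken."""
        if not self.established:
            return "ignored"                # session is down, nothing is received
        self.received += 1
        if self.received > self.maximum:
            self.established = False
            if self.restart_minutes is not None:
                self.restart_at = now + self.restart_minutes
            self.log.append(f"t={now:03d} ERROR {self.received} prefixes exceed limit "
                            f"{self.maximum} ({prefix}); session torn down")
            return "teardown"
        if self.received >= self.warn_at:
            self.log.append(f"t={now:03d} WARN  {self.received}/{self.maximum} prefixes "
                            f"({self.threshold_pct}% threshold reached)")
            return "warning"
        return "accepted"

    def tick(self, now: int) -> bool:
        """Timer: re-establish once the restart interval has elapsed."""
        if self.established or self.restart_at is None or now < self.restart_at:
            return False
        self.established, self.received, self.restart_at = True, 0, None
        self.log.append(f"t={now:03d} INFO  restart interval elapsed; session re-established")
        return True


def run_demo():
    """Six constructed prefixes against the deck's 5 / 60% / 30 min policy."""
    lim = PrefixLimit(maximum=5, threshold_pct=60, restart_minutes=30)
    actions = [lim.on_prefix(f"10.0.{i}.0/24", now=0) for i in range(1, 7)]
    restarted_early = lim.tick(now=10)       # still inside the 30 min idle period
    restarted = lim.tick(now=30)
    return actions, restarted_early, restarted, lim.log


if __name__ == "__main__":
    actions, early, later, log = run_demo()
    print(actions)       # ['accepted', 'accepted', 'warning', 'warning', 'warning', 'teardown']
    print(early, later)  # False True
    print("\n".join(log))
```

Without a restart interval the session stays down until someone clears it, which is the safer default for an unexpected leak but turns a transient mistake into an outage that needs a human; the vendor examples below all choose an automatic 30 minute restart.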
Example: Maximum Prefix Limit (Cisco IOS)
Topology: R1 (AS64512: 172.20.0.2, 2406:6400:4::1) -- EBGP -- R101 (AS65000: 172.20.0.1, 2406:6400:4::0); links 172.20.0.0/30 and 2406:6400:4::/127
• Set a Maximum Prefix Limit for both the IPv4 and the IPv6 EBGP session between AS64512 (R1) and AS65000 (R101).
– Maximum Prefix Limit: 5
– Warning Threshold: 60% (a warning is logged at 3 prefixes)
– Clear the BGP session when the limit is exceeded
– Restart Interval: 30 minutes (without the restart keyword the neighbor stays down until cleared manually)
Cisco IOS R1's configuration
router bgp 64512
address-family ipv4 unicast
! Set maximum prefix limit to 5,
! log a warning when 60% of the limit (3 prefixes) is reached,
! clear the BGP session when the limit is exceeded,
! re-establish the session automatically 30 minutes after it was cleared
neighbor EBGP-AS65000-IPV4 maximum-prefix 5 60 restart 30
exit-address-family
!
address-family ipv6 unicast
! Same limits for the IPv6 peer group
neighbor EBGP-AS65000-IPV6 maximum-prefix 5 60 restart 30
exit-address-family
Cisco IOS R101’s configuration
router bgp 65000
address-family ipv4 unicast
! Set maximum prefix limit to 5,
! log a warning when 60% of the limit (3 prefixes) is reached,
! clear the BGP session when the limit is exceeded,
! re-establish the session automatically 30 minutes after it was cleared
neighbor EBGP-AS64512-IPV4 maximum-prefix 5 60 restart 30
exit-address-family
!
address-family ipv6 unicast
! Same limits for the IPv6 peer group
neighbor EBGP-AS64512-IPV6 maximum-prefix 5 60 restart 30
exit-address-family
• Verification commands:
– Showing BGP peers
• show bgp ipv4 unicast summary
• show bgp ipv6 unicast summary
– Showing detail information of a specific peer
• show bgp ipv4 unicast neighbors [peer-address]
• show bgp ipv6 unicast neighbors [peer-address]
– Log messages: %BGP-4-MAXPFX when the threshold is reached, %BGP-3-MAXPFXEXCEED when the limit is exceeded and the session is cleared
Example: Maximum Prefix Limit (Juniper Junos OS)
Topology: R1 (AS64512: 172.20.0.2, 2406:6400:4::1) -- EBGP -- R101 (AS65000: 172.20.0.1, 2406:6400:4::0); links 172.20.0.0/30 and 2406:6400:4::/127
• Set a Maximum Prefix Limit for both the IPv4 and the IPv6 EBGP session between AS64512 (R1) and AS65000 (R101).
– Maximum Prefix Limit: 5
– Warning Threshold: 60%
– Clear the BGP session when the limit is exceeded
– Idle Timeout: 30 minutes
Juniper Junos OS R1's configuration
# Move to the prefix-limit sub-hierarchy of the IPv4 group's inet unicast family
top edit protocols bgp group EBGP-AS65000-IPV4 family inet unicast prefix-limit
# Set maximum prefix limit to 5
set maximum 5
# Tear the BGP session down when the limit is exceeded,
# log a warning once 60% of the limit is reached,
# re-establish the session 30 minutes after teardown
# (idle-timeout forever keeps it down until the operator clears it)
set teardown 60 idle-timeout 30
# Repeat under family inet6 unicast of the EBGP-AS65000-IPV6 group
Juniper Junos OS R101's configuration
# Move to the prefix-limit sub-hierarchy of the IPv4 group's inet unicast family
top edit protocols bgp group EBGP-AS64512-IPV4 family inet unicast prefix-limit
# Set maximum prefix limit to 5
set maximum 5
# Tear the BGP session down when the limit is exceeded,
# log a warning once 60% of the limit is reached,
# re-establish the session 30 minutes after teardown
set teardown 60 idle-timeout 30
# Repeat under family inet6 unicast of the EBGP-AS64512-IPV6 group
• Verification commands:
– Showing BGP peers
• show bgp summary
– Showing detail information of specific peer
• show bgp neighbor [peer-address]
– Monitoring system log or trace file
• monitor start [file-name]
• monitor stop [file-name]
Example: Maximum Prefix Limit (MikroTik RouterOS)
Topology: R1 (AS64512: 172.20.0.2, 2406:6400:4::2) -- EBGP -- R101 (AS65000: 172.20.0.1, 2406:6400:4::1); links 172.20.0.0/30 and 2406:6400:4::/126
• Set a Maximum Prefix Limit for both the IPv4 and the IPv6 EBGP session between AS64512 (R1) and AS65000 (R101).
– Maximum Prefix Limit: 5
– Clear the BGP session when the limit is exceeded (RouterOS has no separate warning threshold)
– Restart Time: 30 minutes
MikroTik RouterOS R1’s configuration
# Set maximum prefix limit to 5,
# clear BGP session when the limit is reached,
# re-establish BGP session 30 minutes after cleared
/routing bgp peer set EBGP-AS65000-IPV4 max-prefix-limit=5 max-prefix-restart-time=30m
• Verification commands:
– Showing BGP peers
• /routing bgp peer print status
– Showing BGP error logs
• /log print where topics ~ "bgp" and topics ~ "error"