
Border Gateway Protocol (BGP)

BGP Security

1 v1.2
BGP Security

BGP Authentication

2 v1.2
BGP Authentication
• BGP supports authentication.
– MD5 authentication using TCP option 19
• RFC2385: Protection of BGP Sessions via the TCP MD5 Signature Option
• TCP option 19 is a TCP extension for carrying an MD5 digest in a TCP segment

• A shared password (also known as the “TCP MD5 Key”) must be configured at both ends of the BGP session.
• Each peer calculates its own MD5 digest and compares it against the received MD5 digest.
– No password is sent over the link
• Recommended to authenticate all EBGP peers.

3 v1.2
How BGP Authentication Works
• Every segment sent contains a 16-byte MD5 digest.
– Produced by applying the MD5 algorithm to:
• TCP pseudo-header in the order:
1. Source IP address
2. Destination IP address
3. Zero-padded protocol number
4. Segment length
• TCP header, excluding options, and assuming a checksum of zero
• TCP segment data (if any)
• Independently-specified key or password
NOTE: Header and pseudo-header are in network byte order

4 v1.2
How BGP Authentication Works
• BGP validates every incoming segment.
– Calculates its own MD5 digest from the same data:
• TCP pseudo-header in the order:
1. Source IP address
2. Destination IP address
3. Zero-padded protocol number
4. Segment length
• TCP header, excluding options, and assuming a checksum of zero
• TCP segment data (if any)
• Independently-specified key or password
NOTE: Header and pseudo-header are in network byte order
– Compares its own MD5 digest against the received MD5 digest
– Silently drops the segment if the comparison fails
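The two slides above describe one computation from the sender's and the receiver's side. The Python program below is an added example, not part of the original deck and not any vendor's code: it builds a TCP segment carrying option 19 around a constructed BGP KEEPALIVE, computes the RFC 2385 digest over the pseudo-header, the fixed TCP header with a zero checksum, the payload and the shared key, and then verifies the segment as the receiving peer would. The key is the deck's TCP MD5 Key and the addresses are the deck's R1/R101 link addresses; the ports, sequence numbers and the IPv6 pseudo-header layout (RFC 8200 order) are assumptions made for the example.

```python
"""RFC 2385 TCP MD5 option: compute, attach and verify the digest on a segment (added example)."""
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
MD5_OPT_KIND = 19     # TCP option 19 (RFC 2385)
MD5_OPT_LEN = 18      # kind(1) + length(1) + 16-byte digest
BGP_PORT = 179


def _pseudo_header(src_ip, dst_ip, segment_len):
    """Pseudo-header in RFC 2385 order: source, destination, zero-padded protocol, length."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination address families differ")
    if src.version == 4:
        return src.packed + dst.packed + struct.pack("!BBH", 0, TCP_PROTO, segment_len)
    # Assumption: IPv6 sessions use the RFC 8200 pseudo-header layout (length, zero pad, next header)
    return src.packed + dst.packed + struct.pack("!IBBBB", segment_len, 0, 0, 0, TCP_PROTO)


def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """MD5 over pseudo-header, fixed TCP header (checksum zeroed, options excluded),
    TCP payload, and finally the shared key. `segment` is the whole TCP segment."""
    data_offset = (segment[12] >> 4) * 4          # header length including options
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad TCP data offset")
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"                    # checksum field assumed zero
    h = hashlib.md5()
    h.update(_pseudo_header(src_ip, dst_ip, len(segment)))   # network byte order throughout
    h.update(bytes(fixed))
    h.update(segment[data_offset:])               # TCP data, if any
    h.update(key)                                 # the key itself never goes on the wire
    return h.digest()


def received_md5_option(segment):
    """Walk the TCP options and return the 16-byte digest from option 19, or None."""
    data_offset = (segment[12] >> 4) * 4
    opts, i = segment[20:data_offset], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                             # end of option list
            break
        if kind == 1:                             # NOP
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                                 # malformed option: treat as absent
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return bytes(opts[i + 2:i + MD5_OPT_LEN])
        i += length
    return None


def build_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, payload, key):
    """Sender side: build a TCP segment with option 19 and fill in its digest."""
    options = bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + bytes(16) + b"\x01\x01"  # two NOPs pad to 20 bytes
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         data_offset << 4, 0x18, 65535, 0, 0)           # PSH|ACK, checksum 0
    segment = bytearray(header + options + payload)
    segment[22:22 + 16] = tcp_md5_digest(src_ip, dst_ip, bytes(segment), key)
    return bytes(segment)


def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: recompute the digest and compare; False means 'silently drop'."""
    received = received_md5_option(segment)
    if received is None:
        return False                              # a signed session does not accept unsigned segments
    expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return hmac.compare_digest(received, expected)


# Constructed sample: a BGP KEEPALIVE (16-byte marker, length 19, type 4) sent from R1 to R101
KEY = b"IW0ntTe11U!!"
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
SAMPLE = build_segment("172.20.0.2", "172.20.0.1", 50000, BGP_PORT, 1000, 2000, KEEPALIVE, KEY)

if __name__ == "__main__":
    print("valid with shared key:", verify_segment("172.20.0.2", "172.20.0.1", SAMPLE, KEY))
    print("valid with wrong key: ", verify_segment("172.20.0.2", "172.20.0.1", SAMPLE, b"wrong"))
```

Two details worth noticing: the digest is stored inside the options, which are excluded from the hash, so the receiver can recompute it in place without first blanking it; and RFC 2385 simply appends the key to the hashed data rather than using an HMAC, which is why a mismatch in the key, either address, or any payload byte changes the whole digest and the segment is dropped.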
5 v1.2
Configuring BGP Authentication
• BGP Authentication can be enabled by configuring a
password for:
– Individual BGP peer
– A group of BGP peers

6 v1.2
Example: BGP Authentication (Cisco IOS)

Topology (figure): R1 (AS64512) --- EBGP --- R101 (AS65000); IPv4 link 172.20.0.0/30 with R1 = .2 and R101 = .1; IPv6 link 2406:6400:4::/127 with R1 = ::1 and R101 = ::0

• Configure BGP Authentication for both IPv4 and IPv6 EBGP sessions between AS64512 (R1) and AS65000 (R101).
– TCP MD5 Key: IW0ntTe11U!!

7 v1.2
Example: BGP Authentication (Cisco IOS)
Cisco IOS R1’s configuration
router bgp 64512
! Enable BGP Authentication and set TCP MD5 Key
neighbor EBGP-AS65000-IPV4 password 0 IW0ntTe11U!!
! Enable BGP Authentication and set TCP MD5 Key
neighbor EBGP-AS65000-IPV6 password 0 IW0ntTe11U!!
-- OR --

router bgp 64512
! Enable BGP Authentication and set TCP MD5 Key
neighbor 172.20.0.1 password 0 IW0ntTe11U!!
! Enable BGP Authentication and set TCP MD5 Key
neighbor 2406:6400:4:: password 0 IW0ntTe11U!!

8 v1.2
Example: BGP Authentication (Cisco IOS)
Cisco IOS R101’s configuration
router bgp 65000
! Enable BGP Authentication and set TCP MD5 Key
neighbor EBGP-AS64512-IPV4 password 0 IW0ntTe11U!!
! Enable BGP Authentication and set TCP MD5 Key
neighbor EBGP-AS64512-IPV6 password 0 IW0ntTe11U!!
-- OR --

router bgp 65000
! Enable BGP Authentication and set TCP MD5 Key
neighbor 172.20.0.2 password 0 IW0ntTe11U!!
! Enable BGP Authentication and set TCP MD5 Key
neighbor 2406:6400:4::1 password 0 IW0ntTe11U!!

9 v1.2
Example: BGP Authentication (Cisco IOS)
• Verification commands:
– Showing BGP peers
• show bgp ipv4 unicast summary
• show bgp ipv6 unicast summary
– Showing detailed information for a specific peer
• show bgp ipv4 unicast neighbors [peer-address]
• show bgp ipv6 unicast neighbors [peer-address]

10 v1.2
Example: BGP Authentication (Juniper Junos OS)

Topology (figure): R1 (AS64512) --- EBGP --- R101 (AS65000); IPv4 link 172.20.0.0/30 with R1 = .2 and R101 = .1; IPv6 link 2406:6400:4::/127 with R1 = ::1 and R101 = ::0

• Configure BGP Authentication for both IPv4 and IPv6 EBGP sessions between AS64512 (R1) and AS65000 (R101).
– TCP MD5 Key: IW0ntTe11U!!

11 v1.2
Example: BGP Authentication (Juniper Junos OS)
Juniper Junos OS R1’s configuration
# Enable BGP Authentication and set TCP MD5 Key
top set protocols bgp group EBGP-AS65000-IPV4 authentication-key IW0ntTe11U!!

# Enable BGP Authentication and set TCP MD5 Key
top set protocols bgp group EBGP-AS65000-IPV6 authentication-key IW0ntTe11U!!

Juniper Junos OS R101’s configuration
# Enable BGP Authentication and set TCP MD5 Key
top set protocols bgp group EBGP-AS64512-IPV4 authentication-key IW0ntTe11U!!

# Enable BGP Authentication and set TCP MD5 Key
top set protocols bgp group EBGP-AS64512-IPV6 authentication-key IW0ntTe11U!!

12 v1.2
Example: BGP Authentication (Juniper Junos OS)
• Verification commands:
– Showing BGP peers
• show bgp summary
– Showing detailed information for a specific peer
• show bgp neighbor [peer-address]

13 v1.2
Example: BGP Authentication (MikroTik RouterOS)

Topology (figure): R1 (AS64512) --- EBGP --- R101 (AS65000); IPv4 link 172.20.0.0/30 with R1 = .2 and R101 = .1; IPv6 link 2406:6400:4::/126 with R1 = ::2 and R101 = ::1

• Configure BGP Authentication for both IPv4 and IPv6 EBGP sessions between AS64512 (R1) and AS65000 (R101).
– TCP MD5 Key: IW0ntTe11U!!

14 v1.2
Example: BGP Authentication (MikroTik RouterOS)
MikroTik RouterOS R1’s configuration
# Enable BGP Authentication and set TCP MD5 Key
/routing bgp peer set EBGP-AS65000-IPV4 tcp-md5-key=IW0ntTe11U!!

# Enable BGP Authentication and set TCP MD5 Key
/routing bgp peer set EBGP-AS65000-IPV6 tcp-md5-key=IW0ntTe11U!!

MikroTik RouterOS R101’s configuration
# Enable BGP Authentication and set TCP MD5 Key
/routing bgp peer set EBGP-AS64512-IPV4 tcp-md5-key=IW0ntTe11U!!

# Enable BGP Authentication and set TCP MD5 Key
/routing bgp peer set EBGP-AS64512-IPV6 tcp-md5-key=IW0ntTe11U!!

15 v1.2
Example: BGP Authentication (MikroTik RouterOS)
• Verification commands:
– Showing BGP peers
• /routing bgp peer print status

16 v1.2
BGP Security

Generalized TTL Security Mechanism (GTSM)

17 v1.2
Generalized TTL Security Mechanism (GTSM)
• A data-plane security method designed to protect the IP-based control plane from CPU-exhaustion attacks.
– RFC3682: The Generalized TTL Security Mechanism (GTSM)

• GTSM Implementation:
– Sets TTL (or IPv6 Hop Limit) to 255 on outbound packets
– Expected minimum TTL on inbound packets:
• Directly connected peers: 255
• Multi-hop peers: (255 – range of acceptable hops)
– Silently discards packets with lower TTL
• Recommended to implement GTSM on EBGP sessions.
18 v1.2
Configuring GTSM
• GTSM configuration for directly connected peers:
– Cisco IOS
• Enable “TTL Security” feature and set hop count to 1
– BGP outbound TTL will be automatically set to 255
– Inbound BGP packets with TTL < (255 – 1) will be discarded

– Juniper Junos OS
• Set BGP outbound TTL to 255
• Use Firewall Filter to discard inbound BGP packets with TTL other than 255
– MikroTik RouterOS
• Set BGP outbound TTL to 255
• Use Firewall Filter to discard inbound BGP packets with TTL other than 255

19 v1.2
Configuring GTSM
• GTSM configuration for multi-hop peers:
– Cisco IOS
• Enable “TTL Security” feature and set hop count to range of acceptable hops
– BGP outbound TTL will be automatically set to 255
– Inbound BGP packets with TTL < (255 – range of acceptable hops) will be discarded
– Juniper Junos OS
• Set BGP outbound TTL to 255
• Use Firewall Filter to discard inbound BGP packets with TTL < (255 - range of acceptable hops)
– MikroTik RouterOS
• Set BGP outbound TTL to 255
• Use Firewall Filter to discard inbound BGP packets with TTL < (255 - range of acceptable hops)
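The vendor-specific steps above all implement one inbound rule: a TCP packet to or from port 179 is dropped unless its TTL (IPv6 hop limit) is at least 255 minus the accepted hop range. The Python below is an added example, not from the deck and not any vendor's filter code; it models that rule over constructed IPv4 and IPv6 packets so the two thresholds on this page can be compared side by side: hop_range=0 reproduces the Junos and RouterOS filters (only 255 is accepted), hop_range=1 reproduces Cisco's "hops 1" (254 and 255 accepted), and larger values are the multi-hop case. The link addresses are the deck's; the ports, TTL values, and the assumption that there are no IPv4 options or IPv6 extension headers are made for the example.

```python
"""GTSM inbound filter modelled over constructed packets (added example, not router code)."""
import ipaddress
import struct

TCP_PROTO = 6
BGP_PORT = 179


def parse_ip_header(packet):
    """Return (src, dst, ttl_or_hop_limit, l4_protocol, l4_offset) for an IPv4 or IPv6 packet."""
    version = packet[0] >> 4
    if version == 4:
        ihl = (packet[0] & 0x0F) * 4
        if ihl < 20 or len(packet) < ihl:
            raise ValueError("truncated IPv4 header")
        return (ipaddress.IPv4Address(packet[12:16]), ipaddress.IPv4Address(packet[16:20]),
                packet[8], packet[9], ihl)              # TTL at byte 8, protocol at byte 9
    if version == 6:
        if len(packet) < 40:
            raise ValueError("truncated IPv6 header")
        # Assumption: no extension headers, so Next Header is the transport protocol
        return (ipaddress.IPv6Address(packet[8:24]), ipaddress.IPv6Address(packet[24:40]),
                packet[7], packet[6], 40)               # hop limit at byte 7, next header at 6
    raise ValueError("not an IP packet")


def gtsm_verdict(packet, hop_range=0):
    """'drop' when the packet is BGP over TCP and its TTL/hop limit is below 255 - hop_range.

    hop_range=0: directly connected peer as the Junos/RouterOS filters express it (255 only).
    hop_range=N: Cisco 'ttl-security hops N', so hops 1 also accepts 254.
    """
    _, _, ttl, proto, l4 = parse_ip_header(packet)
    if proto != TCP_PROTO or len(packet) < l4 + 4:
        return "accept"                                  # BGP term does not match; fall through
    src_port, dst_port = struct.unpack("!HH", packet[l4:l4 + 4])
    if BGP_PORT not in (src_port, dst_port):
        return "accept"
    return "accept" if ttl >= 255 - hop_range else "drop"


def make_ipv4_tcp(src, dst, ttl, src_port, dst_port):
    """Constructed IPv4+TCP packet (no IP options, checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, TCP_PROTO, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x10, 65535, 0, 0)
    return ip + tcp


def make_ipv6_tcp(src, dst, hop_limit, src_port, dst_port):
    """Constructed IPv6+TCP packet (no extension headers, checksums left zero)."""
    ip = struct.pack("!IHBB16s16s", 0x60000000, 20, TCP_PROTO, hop_limit,
                     ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x10, 65535, 0, 0)
    return ip + tcp


# Constructed inbound samples as seen at R1 (172.20.0.2 / 2406:6400:4::1)
SAMPLES = {
    "direct peer, ttl 255":      make_ipv4_tcp("172.20.0.1", "172.20.0.2", 255, 179, 50000),
    "one hop away, ttl 254":     make_ipv4_tcp("172.20.0.1", "172.20.0.2", 254, 179, 50000),
    "far away source, ttl 243":  make_ipv4_tcp("172.20.0.1", "172.20.0.2", 243, 50001, 179),
    "v6 peer, hop limit 255":    make_ipv6_tcp("2406:6400:4::", "2406:6400:4::1", 255, 179, 50002),
    "v6 far away, hop limit 60": make_ipv6_tcp("2406:6400:4::", "2406:6400:4::1", 60, 50003, 179),
    "ssh, ttl 64 (not bgp)":     make_ipv4_tcp("172.20.0.1", "172.20.0.2", 64, 50004, 22),
}


def run_filter(hop_range=0):
    """Apply the filter to every sample; returns {label: verdict}."""
    return {label: gtsm_verdict(pkt, hop_range) for label, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in run_filter().items():
        print(f"{verdict:6} {label}")
```

Packets that are not BGP-over-TCP fall through to accept exactly as the "term 1000 then accept" in the Junos filter does, which is why GTSM never interferes with other traffic on the interface; the only thing the rule inspects on matching packets is the hop count the sender could not have raised above 255.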
20 v1.2
Example: Implementing GTSM (Cisco IOS)

Topology (figure): R1 (AS64512) --- EBGP --- R101 (AS65000); IPv4 link 172.20.0.0/30 with R1 = .2 and R101 = .1; IPv6 link 2406:6400:4::/127 with R1 = ::1 and R101 = ::0

• Implement GTSM for both IPv4 and IPv6 EBGP sessions between AS64512 (R1) and AS65000 (R101).
– Directly connected peers
– Hop Count: 1
• Outbound TTL will be 255
• Minimum Inbound TTL will be 255 - 1

21 v1.2
Example: Implementing GTSM (Cisco IOS)
Cisco IOS R1’s configuration
router bgp 64512
! Enable TTL Security and set hop count to 1 (Out TTL: 255, Minimum In TTL: 255 - 1)
neighbor EBGP-AS65000-IPV4 ttl-security hops 1
! Enable TTL Security and set hop count to 1 (Out TTL: 255, Minimum In TTL: 255 - 1)
neighbor EBGP-AS65000-IPV6 ttl-security hops 1
-- OR --

router bgp 64512
! Enable TTL Security and set hop count to 1 (Out TTL: 255, Minimum In TTL: 255 - 1)
neighbor 172.20.0.1 ttl-security hops 1
! Enable TTL Security and set hop count to 1 (Out TTL: 255, Minimum In TTL: 255 - 1)
neighbor 2406:6400:4:: ttl-security hops 1

22 v1.2
Example: Implementing GTSM (Cisco IOS)
Cisco IOS R101’s configuration
router bgp 65000
! Enable TTL Security and set hop count to 1 (Out TTL: 255, Minimum In TTL: 255 - 1)
neighbor EBGP-AS64512-IPV4 ttl-security hops 1
! Enable TTL Security and set hop count to 1 (Out TTL: 255, Minimum In TTL: 255 - 1)
neighbor EBGP-AS64512-IPV6 ttl-security hops 1
-- OR --

router bgp 65000
! Enable TTL Security and set hop count to 1 (Out TTL: 255, Minimum In TTL: 255 - 1)
neighbor 172.20.0.2 ttl-security hops 1
! Enable TTL Security and set hop count to 1 (Out TTL: 255, Minimum In TTL: 255 - 1)
neighbor 2406:6400:4::1 ttl-security hops 1

23 v1.2
Example: Implementing GTSM (Cisco IOS)
• Verification commands:
– Showing BGP peers
• show bgp ipv4 unicast summary
• show bgp ipv6 unicast summary
– Showing detailed information for a specific peer
• show bgp ipv4 unicast neighbors [peer-address]
• show bgp ipv6 unicast neighbors [peer-address]

24 v1.2
Example: Implementing GTSM (Juniper Junos OS)

Topology (figure): R1 (AS64512) --- EBGP --- R101 (AS65000); IPv4 link 172.20.0.0/30 with R1 = .2 and R101 = .1; IPv6 link 2406:6400:4::/127 with R1 = ::1 and R101 = ::0

• Implement GTSM for both IPv4 and IPv6 EBGP sessions between AS64512 (R1) and AS65000 (R101).
– Directly connected peers
– Outbound TTL: 255
– Minimum Inbound TTL: 255

25 v1.2
Example: Implementing GTSM (Juniper Junos OS)
Juniper Junos OS R1’s configuration
# Set BGP outbound TTL to 255
top set protocols bgp group EBGP-AS65000-IPV4 ttl 255

# Create IPv4 Firewall Filter for implementing GTSM on inbound BGP packets
top edit firewall family inet filter BGP-GTSM-IPV4
# Match TCP protocol, BGP port, and TTL other than 255
set term 10 from protocol tcp port bgp ttl-except 255
# Silently discard the matched packets
set term 10 then discard
# Accept other packets
set term 1000 then accept

# Apply Firewall Filter as IPv4 inbound filter on the interface facing the peer
top set interfaces ge-0/0/5.0 family inet filter input-list BGP-GTSM-IPV4

26 v1.2
Example: Implementing GTSM (Juniper Junos OS)
Juniper Junos OS R1’s configuration
# Set BGP outbound TTL to 255
top set protocols bgp group EBGP-AS65000-IPV6 ttl 255

# Create IPv6 Firewall Filter for implementing GTSM on inbound BGP packets
top edit firewall family inet6 filter BGP-GTSM-IPV6
# Match TCP protocol, BGP port, and hop limit other than 255
set term 10 from next-header tcp port bgp hop-limit-except 255
# Silently discard the matched packets
set term 10 then discard
# Accept other packets
set term 1000 then accept

# Apply Firewall Filter as IPv6 inbound filter on the interface facing the peer
top set interfaces ge-0/0/5.0 family inet6 filter input-list BGP-GTSM-IPV6

27 v1.2
Example: Implementing GTSM (Juniper Junos OS)
Juniper Junos OS R101’s configuration
# Set BGP outbound TTL to 255
top set protocols bgp group EBGP-AS64512-IPV4 ttl 255

# Create IPv4 Firewall Filter for implementing GTSM on inbound BGP packets
top edit firewall family inet filter BGP-GTSM-IPV4
# Match TCP protocol, BGP port, and TTL other than 255
set term 10 from protocol tcp port bgp ttl-except 255
# Silently discard the matched packets
set term 10 then discard
# Accept other packets
set term 1000 then accept

# Apply Firewall Filter as IPv4 inbound filter on the interface facing the peer
top set interfaces ge-0/0/5.0 family inet filter input-list BGP-GTSM-IPV4

28 v1.2
Example: Implementing GTSM (Juniper Junos OS)
Juniper Junos OS R101’s configuration
# Set BGP outbound TTL to 255
top set protocols bgp group EBGP-AS64512-IPV6 ttl 255

# Create IPv6 Firewall Filter for implementing GTSM on inbound BGP packets
top edit firewall family inet6 filter BGP-GTSM-IPV6
# Match TCP protocol, BGP port, and hop limit other than 255
set term 10 from next-header tcp port bgp hop-limit-except 255
# Silently discard the matched packets
set term 10 then discard
# Accept other packets
set term 1000 then accept

# Apply Firewall Filter as IPv6 inbound filter on the interface facing the peer
top set interfaces ge-0/0/5.0 family inet6 filter input-list BGP-GTSM-IPV6

29 v1.2
Example: Implementing GTSM (Juniper Junos OS)
• Verification commands:
– Showing BGP peers
• show bgp summary
– Showing detailed information for a specific peer
• show bgp neighbor [peer-address]
– Monitoring BGP traffic
• monitor traffic detail interface [interface-name] no-resolve no-timestamp matching ip count [packet-count]
• monitor traffic detail interface [interface-name] no-resolve no-timestamp matching ip6 count [packet-count]

30 v1.2
Example: Implementing GTSM (MikroTik RouterOS)

Topology (figure): R1 (AS64512) --- EBGP --- R101 (AS65000); IPv4 link 172.20.0.0/30 with R1 = .2 and R101 = .1; IPv6 link 2406:6400:4::/126 with R1 = ::2 and R101 = ::1

• Implement GTSM for both IPv4 and IPv6 EBGP sessions between AS64512 (R1) and AS65000 (R101).
– Directly connected peers
– Outbound TTL: 255
– Minimum Inbound TTL: 255

31 v1.2
Example: Implementing GTSM (MikroTik RouterOS)
MikroTik RouterOS R1’s configuration
# Set BGP outbound TTL to 255
/routing bgp peer set EBGP-AS65000-IPV4 ttl=255

# Create IPv4 Firewall Filter for implementing GTSM on inbound BGP packets,
# match TCP protocol, BGP port, and TTL other than 255,
# silently discard the matched packets
/ip firewall filter add \
chain=input in-interface=ether6 \
protocol=tcp port=179 ipv4-options=any ttl=not-equal:255 \
action=drop

# Set BGP outbound TTL to 255
/routing bgp peer set EBGP-AS65000-IPV6 ttl=255

# Create IPv6 Firewall Filter for implementing GTSM on inbound BGP packets,
# match TCP protocol, BGP port, and hop limit other than 255,
# silently discard the matched packets
/ipv6 firewall filter add \
chain=input in-interface=ether6 \
protocol=tcp port=179 hop-limit=not-equal:255 \
action=drop

32 v1.2
Example: Implementing GTSM (MikroTik RouterOS)
MikroTik RouterOS R101’s configuration
# Set BGP outbound TTL to 255
/routing bgp peer set EBGP-AS64512-IPV4 ttl=255

# Create IPv4 Firewall Filter for implementing GTSM on inbound BGP packets,
# match TCP protocol, BGP port, and TTL other than 255,
# silently discard the matched packets
/ip firewall filter add \
chain=input in-interface=ether6 \
protocol=tcp port=179 ipv4-options=any ttl=not-equal:255 \
action=drop

# Set BGP outbound TTL to 255
/routing bgp peer set EBGP-AS64512-IPV6 ttl=255

# Create IPv6 Firewall Filter for implementing GTSM on inbound BGP packets,
# match TCP protocol, BGP port, and hop limit other than 255,
# silently discard the matched packets
/ipv6 firewall filter add \
chain=input in-interface=ether6 \
protocol=tcp port=179 hop-limit=not-equal:255 \
action=drop

33 v1.2
Example: Implementing GTSM (MikroTik RouterOS)
• Verification commands:
– Showing BGP peers
• /routing bgp peer print status
– Monitoring BGP traffic
• /tool sniffer set filter-interface=[interface-name] filter-ip-protocol=tcp filter-port=bgp
• /tool sniffer start
• /tool sniffer stop
• /tool sniffer packet print detail where protocol=ip
• /tool sniffer packet print detail where protocol=ipv6

34 v1.2
BGP Security

Maximum Prefix Limit

35 v1.2
Maximum Prefix Limit
• Prevents exhaustion of control plane resource.
• Limits maximum number of prefixes to be received from peer.
– Logs warning messages on a configured threshold
– Clears BGP session when prefixes exceeded the limit

• Defined based on:
– Internet Routing Registry (IRR)
– Peering information (PeeringDB)
– Negotiation with peer
• Regular monitoring and adjustment may be required.


36 v1.2
Configuring Maximum Prefix Limit
• Configurable per Address Family of a peer or group of peers.
– Maximum Prefix Limit
• Maximum number of prefixes expected to be received
• Option to clear the BGP session when the maximum limit is reached
– Warning Threshold
• Threshold = a certain percentage of the maximum limit
• Logs warning messages when the prefix count exceeds this threshold
– Restart Interval / Idle Timeout / Restart Time
• Time to wait before BGP session re-establishment if the session was cleared due to exceeding the maximum limit
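As an added illustration (not vendor code and not from the original deck), the Python model below walks the three parameters above through one session: the warning fires when the received count reaches the threshold percentage, teardown clears the session once the count exceeds the maximum, and the restart interval re-establishes it on a simulated clock. Limit 5, threshold 60% and restart 30 minutes follow the deck's examples; the prefixes, the timing and the wording of the log lines are constructed, and the exact message text and rounding of the threshold differ between vendors.

```python
"""Maximum-prefix limit state machine on a simulated clock (added model, not vendor code)."""
import math
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class PrefixLimit:
    maximum: int                          # prefixes allowed from the peer
    warning_percent: int = 75             # warning threshold as a percentage of maximum
    teardown: bool = True                 # clear the session when the limit is exceeded
    restart_minutes: Optional[int] = None # None: stay idle until an operator clears the peer


@dataclass
class PeerSession:
    prefixes: Set[str] = field(default_factory=set)
    established: bool = True
    idle_until: Optional[int] = None      # simulated clock, in minutes
    warned: bool = False
    log: List[str] = field(default_factory=list)


def receive_prefix(session, limit, prefix, now):
    """Account one received prefix; returns the log line the event produced, or None."""
    if not session.established:
        return None                       # nothing is accepted from an idle session
    session.prefixes.add(prefix)
    count = len(session.prefixes)
    threshold = math.ceil(limit.maximum * limit.warning_percent / 100)
    if count > limit.maximum:
        msg = f"prefix count {count} exceeds limit {limit.maximum}"
        if limit.teardown:
            session.established = False
            session.prefixes.clear()
            session.idle_until = None if limit.restart_minutes is None else now + limit.restart_minutes
            msg += "; session cleared"
        session.log.append(msg)
        return msg
    if count >= threshold and not session.warned:
        session.warned = True             # warn once per session lifetime
        msg = f"warning: prefix count {count} reached {limit.warning_percent}% of limit {limit.maximum}"
        session.log.append(msg)
        return msg
    return None


def tick(session, now):
    """Advance the clock; re-establish the session once the restart interval has passed."""
    if not session.established and session.idle_until is not None and now >= session.idle_until:
        session.established = True
        session.idle_until = None
        session.warned = False
        session.log.append(f"session re-established at t={now}")
        return True
    return False


def simulate(limit, updates):
    """Feed (minute, prefix) pairs through the state machine; returns the session for inspection."""
    session = PeerSession()
    for now, prefix in updates:
        tick(session, now)
        receive_prefix(session, limit, prefix, now)
    return session


# Constructed feed: the deck's settings and a peer that announces more prefixes than agreed
LIMIT = PrefixLimit(maximum=5, warning_percent=60, teardown=True, restart_minutes=30)
FEED = [(0, "10.0.0.0/24"), (0, "10.0.1.0/24"), (0, "10.0.2.0/24"),
        (1, "10.0.3.0/24"), (1, "10.0.4.0/24"), (1, "10.0.5.0/24"),
        (15, "10.0.6.0/24"), (31, "10.0.0.0/24")]

if __name__ == "__main__":
    for line in simulate(LIMIT, FEED).log:
        print(line)
```

With the deck's values the third prefix trips the 60% warning, the sixth clears the session at minute 1, the announcement at minute 15 is ignored because the session is idle, and the session comes back at minute 31. Without a restart interval it stays idle until cleared by hand, and with teardown disabled the session keeps logging while accepting everything, which is the configuration to avoid on an EBGP session.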

37 v1.2
Example: Maximum Prefix Limit (Cisco IOS)

Topology (figure): R1 (AS64512) --- EBGP --- R101 (AS65000); IPv4 link 172.20.0.0/30 with R1 = .2 and R101 = .1; IPv6 link 2406:6400:4::/127 with R1 = ::1 and R101 = ::0

• Set Maximum Prefix Limit for both IPv4 and IPv6 EBGP sessions between AS64512 (R1) and AS65000 (R101).
– Maximum Prefix Limit: 5
– Warning Threshold: 60%
– Clear BGP session when limit is reached
– Restart Interval: 30 minutes

38 v1.2
Example: Maximum Prefix Limit (Cisco IOS)
Cisco IOS R1’s configuration
router bgp 64512
address-family ipv4 unicast
! Set maximum prefix limit to 5,
! clear BGP session when the limit is reached,
! log warning message when exceeded 60% threshold,
! re-establish BGP session 30 minutes after cleared
neighbor EBGP-AS65000-IPV4 maximum-prefix 5 60 restart 30
exit-address-family
!
address-family ipv6 unicast
! Set maximum prefix limit to 5,
! clear BGP session when the limit is reached,
! log warning message when exceeded 60% threshold,
! re-establish BGP session 30 minutes after cleared
neighbor EBGP-AS65000-IPV6 maximum-prefix 5 60 restart 30
exit-address-family

-- OR --
-- (To be continued) --

39 v1.2
Example: Maximum Prefix Limit (Cisco IOS)
Cisco IOS R1’s configuration
-- (Continued) --

router bgp 64512
address-family ipv4 unicast
! Set maximum prefix limit to 5,
! clear BGP session when the limit is reached,
! log warning message when exceeded 60% threshold,
! re-establish BGP session 30 minutes after cleared
neighbor 172.20.0.1 maximum-prefix 5 60 restart 30
exit-address-family
!
address-family ipv6 unicast
! Set maximum prefix limit to 5,
! clear BGP session when the limit is reached,
! log warning message when exceeded 60% threshold,
! re-establish BGP session 30 minutes after cleared
neighbor 2406:6400:4:: maximum-prefix 5 60 restart 30
exit-address-family

40 v1.2
Example: Maximum Prefix Limit (Cisco IOS)
Cisco IOS R101’s configuration
router bgp 65000
address-family ipv4 unicast
! Set maximum prefix limit to 5,
! clear BGP session when the limit is reached,
! log warning message when exceeded 60% threshold,
! re-establish BGP session 30 minutes after cleared
neighbor EBGP-AS64512-IPV4 maximum-prefix 5 60 restart 30
exit-address-family
!
address-family ipv6 unicast
! Set maximum prefix limit to 5,
! clear BGP session when the limit is reached,
! log warning message when exceeded 60% threshold,
! re-establish BGP session 30 minutes after cleared
neighbor EBGP-AS64512-IPV6 maximum-prefix 5 60 restart 30
exit-address-family

-- OR --
-- (To be continued) --

41 v1.2
Example: Maximum Prefix Limit (Cisco IOS)
Cisco IOS R101’s configuration
-- (Continued) --

router bgp 65000
address-family ipv4 unicast
! Set maximum prefix limit to 5,
! clear BGP session when the limit is reached,
! log warning message when exceeded 60% threshold,
! re-establish BGP session 30 minutes after cleared
neighbor 172.20.0.2 maximum-prefix 5 60 restart 30
exit-address-family
!
address-family ipv6 unicast
! Set maximum prefix limit to 5,
! clear BGP session when the limit is reached,
! log warning message when exceeded 60% threshold,
! re-establish BGP session 30 minutes after cleared
neighbor 2406:6400:4::1 maximum-prefix 5 60 restart 30
exit-address-family

42 v1.2
Example: Maximum Prefix Limit (Cisco IOS)
• Verification commands:
– Showing BGP peers
• show bgp ipv4 unicast summary
• show bgp ipv6 unicast summary
– Showing detailed information for a specific peer
• show bgp ipv4 unicast neighbors [peer-address]
• show bgp ipv6 unicast neighbors [peer-address]

43 v1.2
Example: Maximum Prefix Limit (Juniper Junos OS)

Topology (figure): R1 (AS64512) --- EBGP --- R101 (AS65000); IPv4 link 172.20.0.0/30 with R1 = .2 and R101 = .1; IPv6 link 2406:6400:4::/127 with R1 = ::1 and R101 = ::0

• Set Maximum Prefix Limit for both IPv4 and IPv6 EBGP sessions between AS64512 (R1) and AS65000 (R101).
– Maximum Prefix Limit: 5
– Warning Threshold: 60%
– Clear BGP session when limit is reached
– Idle Timeout: 30 minutes

44 v1.2
Example: Maximum Prefix Limit (Juniper Junos OS)
Juniper Junos OS R1’s configuration
# Move to BGP group IPv4 Unicast prefix limit configuration sub-element
top edit protocols bgp group EBGP-AS65000-IPV4 family inet unicast prefix-limit
# Set maximum prefix limit to 5
set maximum 5
# Clear BGP session when the limit is reached,
# log warning message when exceeded 60% threshold,
# re-establish BGP session 30 minutes after cleared
set teardown 60 idle-timeout 30

# Move to BGP group IPv6 Unicast prefix limit configuration sub-element
top edit protocols bgp group EBGP-AS65000-IPV6 family inet6 unicast prefix-limit
# Set maximum prefix limit to 5
set maximum 5
# Clear BGP session when the limit is reached,
# log warning message when exceeded 60% threshold,
# re-establish BGP session 30 minutes after cleared
set teardown 60 idle-timeout 30

45 v1.2
Example: Maximum Prefix Limit (Juniper Junos OS)
Juniper Junos OS R101’s configuration
# Move to BGP group IPv4 Unicast prefix limit configuration sub-element
top edit protocols bgp group EBGP-AS64512-IPV4 family inet unicast prefix-limit
# Set maximum prefix limit to 5
set maximum 5
# Clear BGP session when the limit is reached,
# log warning message when exceeded 60% threshold,
# re-establish BGP session 30 minutes after cleared
set teardown 60 idle-timeout 30

# Move to BGP group IPv6 Unicast prefix limit configuration sub-element
top edit protocols bgp group EBGP-AS64512-IPV6 family inet6 unicast prefix-limit
# Set maximum prefix limit to 5
set maximum 5
# Clear BGP session when the limit is reached,
# log warning message when exceeded 60% threshold,
# re-establish BGP session 30 minutes after cleared
set teardown 60 idle-timeout 30

46 v1.2
Example: Maximum Prefix Limit (Juniper Junos OS)
• Verification commands:
– Showing BGP peers
• show bgp summary
– Showing detailed information for a specific peer
• show bgp neighbor [peer-address]
– Monitoring system log or trace file
• monitor start [file-name]
• monitor stop [file-name]

47 v1.2
Example: Maximum Prefix Limit (MikroTik RouterOS)

Topology (figure): R1 (AS64512) --- EBGP --- R101 (AS65000); IPv4 link 172.20.0.0/30 with R1 = .2 and R101 = .1; IPv6 link 2406:6400:4::/126 with R1 = ::2 and R101 = ::1

• Set Maximum Prefix Limit for both IPv4 and IPv6 EBGP sessions between AS64512 (R1) and AS65000 (R101).
– Maximum Prefix Limit: 5
– Clear BGP session when limit is reached
– Restart Time: 30 minutes

48 v1.2
Example: Maximum Prefix Limit (MikroTik RouterOS)
MikroTik RouterOS R1’s configuration
# Set maximum prefix limit to 5,
# clear BGP session when the limit is reached,
# re-establish BGP session 30 minutes after cleared
/routing bgp peer set EBGP-AS65000-IPV4 max-prefix-limit=5 max-prefix-restart-time=30m

# Set maximum prefix limit to 5,
# clear BGP session when the limit is reached,
# re-establish BGP session 30 minutes after cleared
/routing bgp peer set EBGP-AS65000-IPV6 max-prefix-limit=5 max-prefix-restart-time=30m

MikroTik RouterOS R101’s configuration
# Set maximum prefix limit to 5,
# clear BGP session when the limit is reached,
# re-establish BGP session 30 minutes after cleared
/routing bgp peer set EBGP-AS64512-IPV4 max-prefix-limit=5 max-prefix-restart-time=30m

# Set maximum prefix limit to 5,
# clear BGP session when the limit is reached,
# re-establish BGP session 30 minutes after cleared
/routing bgp peer set EBGP-AS64512-IPV6 max-prefix-limit=5 max-prefix-restart-time=30m

49 v1.2
Example: Maximum Prefix Limit (MikroTik RouterOS)
• Verification commands:
– Showing BGP peers
• /routing bgp peer print status
– Showing BGP error logs
• /log print where topics ~ "bgp" and topics ~ "error"

50 v1.2
