Wednesday, July 6, 2011

BGP Security

BGP Security




Etibar Taghiyev
Betreuer: Dr. Ali Fessi
Seminar Innovative Internet Technologien und Mobilkommunikation SS2010
Lehrstuhl Netzarchitekturen und Netzdienste
Fakultät für Informatik, Technische Universität München                                                                                                    
Email: etibar_taghiyev@hotmail.com





ABSTRACT
        The inter-domain routing protocol BGP was created when the Internet environment had not yet reached the present, contentious state. Consequently, the BGP design did not include protections against deliberate or accidental errors that could cause disruptions of routing behavior.
        In this paper, we describe interdomain routing protocol – BGP, its properties, working mechanism and vulnerabilities. Moreover, we will look at several problems which sourced misconfiguration of routing protocols and attacks, which is trying to manage the  traffic. And, several security mechanisms and protocols that, targeted to prevent the network from such kind of attacks.
Keywords
Network, interdomain routing, intradomain routing, Autonomous Systems(AS), BGP, soBGP, S-BGP, RIP, OSPF, IS-IS, IGRP, vulnerability, security issue, security protocols, attack, integrity, confidentiality, authentication, authorization, validation, cryptography.

1.     INTRODUCTION

        The Internet is a network of networks. A network, which is controlled by a single organization, is called Autonomous Systems (AS).  The information travels from one point to another by a routing process, that is done by routing protocols. Routing protocols are responsible to find short paths.
                There are two types of routing in the Internet:
1.        Intradomain routing which is the routing within an AS. Also known as Interior Gateway Protocol(IGR). Most common Intra-AS routing protocols are:
o   RIP – Routing Information Protocols
o   OSPF – Open Shortest Path Firs
o   IS-IS – Intermediate system to Intermediate system
o   IGRP – Interior Gateway Routing Procols
2.     Interdomain routing which is routing between ASs.
o   BGP – Border Gateway Protocol
    This paper explores BGP – AS interdomain routing procotol (BGP), its work principles, vulnerabilities and security issues and solving methods.
        Border Gateway Protocol (BGP) is the de facto interdomain routing protocol. With its operational simplicity and resilience functions, it has a fundamental role within the global Internet. However, this protocol is poor to provide performance and security guarantees.
        These weak sides of the protocol sometimes cause serious problems. There are four kinds of sources for causing a problem:
1.        Design – does what it is supposed to do
2.         Implementation – bug based on coding error
3.         Misconfiguration – weak passwords, failure to use security features, block admin ports, etc.
4.        Attacks
        One of the big problem of misconfigured router had lived in 1998. Such as, Pakistan Telecom, in response to the government order to block access to YouTube. It advertised a route for 208.65.153.0/24 to its provider. For this misconfiguration of BGP, the most routers in the Internet choose to send traffic to Pakistan Telecom. And it caused a black hole in the Internet for a couple of hours.  However, there are a lot of smarter attacks against the interdomain routing in respect to their damage than, this misconfiguration problem.
        Nowadays most applications run over the Internet. Online banking, trading and telemedicine have critical priority. These two main problems, namely misconfiguration and attack can cause a big problem. That is why, most great establishments, US Government, IETF, NANOG work on the security of BGP. The research focuses on two issues:
-          - Operational concern: scalability, convergence delay, routing stability and performance
-          - Security concern:  integrity, confidentiality, authentication, authorization and validation

2.     INTERDOMAIN ROUTING - BGP

There are thousands of AS in the Internet. Not every networks connected to each others. As said in the previous section, these ASs exchange information with the help of BGP. BGP is a path-vector protocol and works with IP prefixes. According the path-vector protocol, each AS adds its AS number to the beginning of the AS path before advertising the route to the next AS.
        We said that, routers work with IP prefixes (e.g. 154.0.2.0/24), rather than with IP addresses. IP prefixes are blocks of the IP addresses. In the network router need to know how to direct traffic toward the block of addresses, rather than storing separate routing information for every IP address.
        Each Autonomous System has AS numbers (ASN) which assigned by IANA. The numbers from 1 to 64511 are assigned to the public and from 64511 to 65535 for private AS. These AS numbers can be written to the AS-path attribute of BGP advertisements.
        In the global routing system, an AS can advertise some AS’s prefix to its neighbors. Such kind of AS called originating AS. In the figure 1, we can see that, AS 1 originates 156.26.32.0/24 prefix to its neighbors: to AS 2 and AS 5. In this case, AS_PATH = 1. It means that, 156.26.32.0/24 prefix can be reachable via AS 1. When, AS 2 and AS 5 received this advertisement, then, they can also advertise this prefix to their neighbors. In our example, both ASes have advertised it. Finally, AS 4 obtained these announcements, which can reach the 156.26.32.0/24 prefix in two ways:
1st AS_PATH = 5 1 -> via AS 5 via AS 1
2nd AS_PATH = 3 2 1 -> via AS 3 via AS 2 via AS 1




Figure1. Prefix advertisement

        However, a BGP-speaking router of an AS, does not know if the other side router really originated this prefix or not. Because, the router can be configured that, it advertises the prefixes, which are not originated. This is one the big vulnerabilities of the interdomain routing and makes it attractive for attackers. This is called prefix hijacking.

3.     VULNERABILITIES AND ATTACKS

There are three main vulnerabilities which make risks for BGP:

1.        BGP has no internal mechanism that provides strong protection of the integrity, freshness, and peer entity authenticity of the messages in peer-peer BGP communications.

2.        No mechanism has been specified within BGP to validate the authority of an AS to announce NLRI information.

3.        No mechanism has been specified within BGP to ensure the authenticity of the path attributes announced by an AS.

 

3.1     Attack strategy

This is the set of routing announcements and forwarding choices that deviates from the normal routing policies. Some of them are:

o    Announcing an unavailable or non-existent path
o    Announcing an legitimate available path that is different from the normal path
o    Exporting a path to a neighbor to which no path should be announced to according the normal export policies.

3.2     TCP and DoS attack

        BGP routers speak to each other with the TCP protocol for announcement or withdrawal message. Because, TCP provides an ordered stream of bytes and reliable delivery. However, it brings also some vulnerability. Namely, attacker can gain access to the channel between BGP-speaking routers.
      TCP does not provide confidentiality, data integrity and protection from DoS attack. In this case, third parties can access the channel between BGP-speaking routers and easily eavesdrop, insert forged messages and modify, replay or delete message. Deleting a message could cause teardown the BGP connection between them. Because, these routers send keep-alive messages to each other periodically. If these messages does not come the routers think that communication has broken.
        TCP uses three way handshake for establishing connection and finish FIN message. Attacker  can use SYN flooding attack and could cause the resource limitation or it can be send FIN finish message can finish the connection which should not be finish.

3.3     Attraction Attack

        The main purpose of the attacker it to attract as much as possible traffics. He does it by announcing non-real shortest path to its neighbors as shown Figure 2. Namely, he convinces the maximum number of ASes in the graph to forward traffic that is destined to the victim via the manipulator’s own network. While secure routing protocols can blunt traffic attraction attacks, however, export policies are very effective attack vectors.


Figure 2: BGP Peer Hijack

3.4     Interception Attack

Thes malicious AS can read, change the information before the sending to the destination. This attack against the privacy and called interception attack. The manipulator can creates a black hole by drop the packets also here.

3.5     The result of attacks

These attacks could be causes these kinds of damages:
-          Blackhole: Large amounts of traffic are directed to be forwarded through one router that cannot handle the increased level of traffic and drop many/most/all packets.
-          Delay: Data traffic destined for a node is forwarded along a path that is in some way inferior to the path it would otherwise take.
-          looping: Data traffic is forwarded along a path that loops, so  that the data is never delivered.
-          eavesdrop: Data traffic is forwarded through some router or network that would otherwise not see the traffic, affording an opportunity to see the data.
-          partition: Some portion of the network believes that it is partitioned from the rest of the network, when, in fact, it is  not.
-          cut: Some portion of the network believes that it has no route to  some network to which it is, in fact, connected.
-          churn: The forwarding in the network changes at a rapid pace, resulting in large variations in the data delivery patterns (and adversely affecting congestion control techniques).
-          instability: BGP becomes unstable in such a way that convergence  on a global forwarding state is not achieved.
-          overload: The BGP messages themselves become a significant portion  of the traffic the network carries.
-          resource exhaustion: The BGP messages themselves cause exhaustion  of critical router resources, such as table space.
-          address-spoofing: Data traffic is forwarded through some router or network that is spoofing the legitimate address, thus enabling an  active attack by affording the opportunity to modify the data.

4.     BGP SECURITY MECHANISMS AND SECURITY PROTOCOLS


4.1     Cryptographic Techniques

There are several cryptographic techniques for providing BGP security. Each one has own advantages for providing security mechanism and disadvantages for implementing to real systems. These are:
o    Pairwise Keying: based on shared key between peers. Used for message authentication code. Difficult to implement between many peers.
o    Cryptographic Hash Functions: it calculates hash value from an input text and this value used for MAC and digital signature. Most common used hash functions are MD5 (128 bit length) and SHA1 (160 bit length). According the cryptography 160 bit length could be break for 2 power 80 steps. However, in 2009 the SHA1 broke for 2 power 52 steps.
o    Message Authentication Codes (MAC): provides message integrity and peer authentication. It based on secret key. So, if third party knows this secret key, he also can produce MAC value. Therefore, we can use HMAC which we used cryptographic hash function for generation of MAC value.
o    Diffie-Helman Key Negotiation: This is public key cryptography, used for secure sharing the key. This is shared using a public channel (e.g. Internet). It has two disadvantages: works slowly than has function and use more resource. The reason is that, it uses big key value than cryptographic hash functions.
o    Public Key Infrastructure (PKI): based on public key cryptography. Each AS has a public key, which is know by other ASs in the Internet and a private key which is know just by owner AS. This key distributed in a hierarchical manner.

                                  

Figure 2: PKI Hierarchy

        As shown in Figure 2, IANA as root of hierarchy tree. APNIC can retrieve public key of LACNIC from the IANA. This is a good solution for providing BGP Security. However, such infrastructure does not exist yet.
o    IPSec: for protection of BGP session. It can provide data authentication, integrity, replay protection and confidentiality. Moreover, it has also key management properties for providing long term sessions. It can also protect BGP Session from DoS attacks. The problematic side of IPSec is a difficult to implement and high cost.

4.2     BGP Security Protocols

          Four most comprehensive BGP security approaches: Origin Authentication, S-BGP, soBGP, IRV.
1.        Origin Authentication: uses trusted database to guarantee that an AS cannot falsely claim to be the rightful owner for an IP prefix.
2.        S-BGP (Secure BGP): notions come from PKI. It uses digital signature and public key certificate for Update message exchange between ASs. This Update message used for validating path attributes. PKI used to authenticate address allocations. Organizations AS number is bound to the a public key via certificate and AS signs statements by using its own private key. Namely, all information exchanged in S-BGP is validated using the certificates in the PKI. However, this validation is costly.
        It provides full origin and path authentications. However, it has deployment issues. Moreover, it uses more hardware recourse. For this reasons, this service has not been used more in the Internet as a BGP security solutions.
        In addition to origin authentication, Secure BGP also uses cryptographically-signed routing announcements to provide a property called path verification.
        S-BGP does not prevent shortest path attack. Namely, S-BGP is not much more effective in preventing “Shortest-Path Export-All” attack strategies than so-BGP.
               
3.        soBGP (Secure Origin BGP): Also uses PKI for authentication and authorizing entities and organizations. It has 3 certificate types:
-          ­1st certificate: binds a public key to soBGP-speaking router.
-          2nd certificate: defines policy – protocol parameters, network topology
-          3rd certificate: used for address attestations.
        soBGP uses SECURITY message for exchanging security information. It guarantees that, any announced path physically exists. However, manipulator can still announce a path which exists, but unavailable.

S-BGP vs. soBGP: S-BGP route attestations are dynamic. They are sent with every BGP UPDATE message. By contrast, soBGP is static. Namely, topology will change when new policy certificate is issued. One of the disadvantages of S-BGP is a computational overhead of validating signature. soBGP tries to avoid it with long-term authentication. Authenticated data is signed, validated and stored and this can be used for multiple BGP session. The deployment of soBGP is much easier than S-BGP. But its certificate is non-standard.

4.        Interdomain Route Validaiton (IRV): This is the most decentralized solution.
                                
Figure 3: Interdomain Route Validation

        In this solution, each AS has own IRV server. When BGP speaker router in the AS receives UPDATE message, it can check its correctness by this IRV server. This IRV server check it directly querying the relevant AS’s IRV server.
        With caching previous queries we can obtain some performance and with the storing it, we can use it for debugging and failure detection.
        For security communication of the IRV servers, we can use IPSec or TLS technologies.

4.3     Defensive Filtering

Orthogonal security mechanism. In this mechanism, BGP announcements made by stubs, which does not have a customer. Each provider keeps a prefix list of the IP prefixes owned by its direct customers that are stubs. This is one of the best solution methods for BGP security.
        According to the simulative test that, defensive filtering is a crucial part of any Internet security solution.
       

Figure: 4 With and without Defensive filtering

        We can see several security protocols in Figure 3. As seen from this figure, in the network which there is not defensive filtering, attacker is much more successful. This defensive filtering also useful for applying some security protocols together:  defensive filtering to eliminate attacks by stub ASes, and secure routing protocols such as so-BGP, S-BGP to blunt attacks launched by larger ASes.
        While defensive filtering is considered a best common practice on the Internet, its implementation is far from perfect. First its implementation is unbalanced. Namely, provider just cares about itself and its customer. It does not care about the
security of the Internet. Moreover, there is no known way for an AS to validate that another AS has implemented defensive filtering properly.

5.      CONCLUSION

        As we see that, BGP has a crucial role for reliable, useful Internet. And it’s security one of the most important challenge nowadays. We also saw that, there are several solution methods for providing secure BGP. According the simulative test, if the attacker uses   simple method for bogus path announcement, such as announcing short path, it is surprisingly effective, even if we use advanced security solutions. However, with more clever attack, attacker could cause much more damage of the inter domain routing. Although, these security solutions for BGP protections are limited in their effectiveness, their adoption is difficult and have not been implemented yet in practice but these are also good progress.

6.     REFERENCES

[1]     Kevin Butler, Toni R. Farley, Patrick McDaniel and Jennifer Rexford. 2009
A Survey of BGP Security Issues and Solutions, 0018-9219
        http://www.cs.princeton.edu/~jrex/papers/pieee09.pdf
[2]     Sharon Goldberg, Michael Schapira, Peter Hummon and Jennifer Rexford 2010
How Secure are Secure Interdomain Routing Protocols?

[3]      Network Working Group – RFC 4272

BGP Security Vulnerabilities Analysis , January 2006


[4]     Sean Convery and Matthew Franz – Cisco Systems
BGP Vulnerability Testing: Separating Fact from FUD v1.1





Sunday, February 20, 2011

To Study M.Sc Informatics at TU Munchen


     According to the World Raking of Top Universities , TU Munchen is placed on 36th in the World and 1st place in Germany for the Informatics.
If you want to study Master Program of Informatics at TUM, you need to choose one of specialize area as a major subject. This areas are:
- Software engineering
- Databases and information systems
- Artificial intelligence and robotics
- Computer graphics and image processing
- Computer architecture
- Distributed systems and computer network *
- Formal methods and their applications
- Algorithms and scientific computing

Each area is belongs to one Chair. And each Chairs has a responsible professor, which is every research project is done under the control of this person. Moreover, this each chairs also divided into several sub researching area. For example: 
Networking Chair:
- Routing
- Switching
- Network Security
- Nat
- Network Measurement
- P2P
...

The program is a 2 years. But actually this is min. time. However, average time is 5 semester :). Because, it is difficult to finish this program in 4 semester.
There is Master Thesis for a last semester. And you can take your favorite area as a researching thesis.

For more info:  www.in.tum.de