ECE4112 Lab X
Border Gateway Protocol (BGP) and BGP Security
Group Number: _________
Member Names: ___________________
_______________________
Date Assigned: XX XX, XX
Date Due: XX XX, XX
Last Edited: XX XX, XX
Lab Authored by: Jeff Gribschaw and Sai Thwin
Please read the entire lab and any extra materials carefully before starting. Be sure to start early
enough so that you will have time to complete the lab. Answer ALL questions in the Answer
Sheet and be sure you turn in ALL materials listed in the Turn-in Checklist on or before the
Date Due.
Goal: This lab will introduce you to the Border Gateway Protocol (BGP) version 4, which is
the current standard for inter-domain routing in the Internet. It will also introduce you to the
security issues associated with BGPv4.
Summary: This lab consists of four sections. The background and theory will provide
an introduction to BGPv4. In Section 1 you will observe BGP traffic, examine the information
maintained in BGP routers, and configure a BGP router to enforce policy. Section 2 will
introduce you to the security issues of BGPv4. In Section 3, you will make a change in the BGP
router configuration to demonstrate one potentially malicious option available to someone who
can gain access to a BGP router. Finally, Section 4 will introduce you to the proposed solutions
to improve the security of BGPv4.
Equipment Required for the Lab:
You will use your hard drive (RedHat 8.0) and one of your virtual machines (RedHat 7.2).
You will need your ECE account to access the digiconsole to configure the BGP router.
Lab Station set up by TAs (will include machine with 3 network cards and machine with ECE
access.)
Background and Theory:
Recommended Reading:
• “Using the Border Gateway Protocol for Interdomain Routing” (Cisco whitepaper
available at: http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/icsbgp4.htm ) [1]
• “Introduction to the Border Gateway Protocol (BGP)” (website:
http://www.academ.com/nanog/feb1997/BGPTutorial/index.htm ) [2]
Overview of BGP:
BGP version 4 (BGPv4) is the current protocol governing routing between Autonomous Systems
in the internet. It is defined in RFC 1771 [3].
The following introduction to BGP is from “Using the Border Gateway Protocol for Interdomain
Routing” which is a Cisco whitepaper available at:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/icsbgp4.htm . (You are highly encouraged
to read the rest of the whitepaper; this excerpt will provide the minimum information required to
complete the lab.)
Do not execute the commands from this excerpt—we will provide the specific commands to use
for this lab in Sections 1-3.
--Cisco Excerpt 1-----------------------------------------------------------------------------------------------
Using the Border Gateway Protocol for Interdomain Routing
The Border Gateway Protocol (BGP), defined in RFC 1771, provides loop-free interdomain
routing between autonomous systems. (An autonomous system [AS] is a set of routers that
operate under the same administration.) BGP is often run among the networks of Internet service
providers (ISPs). This case study examines how BGP works and how you can use it to
participate in routing with other networks that run BGP. The following topics are covered:
• BGP Fundamentals
• BGP Decision Algorithm
• Controlling the Flow of BGP Updates
• Practical Design Example
Note The version of BGP described in this case study is BGP Version 4.
BGP Fundamentals
This section presents fundamental information about BGP, including the following topics:
• Internal BGP
• External BGP
• BGP and Route Maps
• Advertising Networks
Routers that belong to the same AS and exchange BGP updates are said to be running internal
BGP (IBGP), and routers that belong to different ASs and exchange BGP updates are said to be
running external BGP (EBGP). With the exception of the neighbor ebgp-multihop router
configuration command (described in the section " External BGP" later in this chapter), the
commands for configuring EBGP and IBGP are the same. This case study uses the terms EBGP
and IBGP as a reminder that, for any particular context, routing updates are being exchanged
between ASs (EBGP) or within an AS (IBGP).
Figure 12-1 shows a network that demonstrates the difference between EBGP and IBGP.
Figure 12-1 EBGP, IBGP, and Multiple ASs
Before it exchanges information with an external AS, BGP ensures that networks within the AS
are reachable. This is done by a combination of internal BGP peering among routers within the
AS and by redistributing BGP routing information to Interior Gateway Protocols (IGPs) that run
within the AS, such as Interior Gateway Routing Protocol (IGRP), Intermediate System-to-Intermediate
System (IS-IS), Routing Information Protocol (RIP), and Open Shortest Path First (OSPF).
BGP uses the Transmission Control Protocol (TCP) as its transport protocol (specifically port
179). Any two routers that have opened a TCP connection to each other for the purpose of
exchanging routing information are known as peers or neighbors. In Figure 12-1, Routers A and B are BGP
peers, as are Routers B and C, and Routers C and D. The routing information consists of a series
of AS numbers that describe the full path to the destination network. BGP uses this information
to construct a loop-free map of ASs. Note that within an AS, BGP peers do not have to be
directly connected.
BGP peers initially exchange their full BGP routing tables. Thereafter, BGP peers send
incremental updates only. BGP peers also exchange keepalive messages (to ensure that the
connection is up) and notification messages (in response to errors or special conditions).
In Figure 12-1, the following commands configure BGP on Router A:
router bgp 100
neighbor 129.213.1.1 remote-as 200
The following commands configure BGP on Router B:
router bgp 200
neighbor 129.213.1.2 remote-as 100
neighbor 175.220.1.2 remote-as 200
The following commands configure BGP on Router C:
router bgp 200
neighbor 175.220.212.1 remote-as 200
neighbor 192.208.10.1 remote-as 300
The following commands configure BGP on Router D:
router bgp 300
neighbor 192.208.10.2 remote-as 200
The router bgp global configuration command enables a BGP routing process and assigns to it
an AS number.
The neighbor remote-as router configuration command adds an entry to the BGP neighbor table
specifying that the peer identified by a particular IP address belongs to the specified AS. For
routers that run EBGP, neighbors are usually directly connected, and the IP address is usually the
IP address of the interface at the other end of the connection. (For the exception to this rule, see
the section " EBGP Multihop," later in this chapter.) For routers that run IBGP, the IP address
can be the IP address of any of the router's interfaces.
Note the following about the ASs shown in Figure 12-1:
• Routers A and B are running EBGP, and Routers B and C are running IBGP. Note that the
EBGP peers are directly connected and that the IBGP peers are not. As long as there is an IGP
running that allows the two neighbors to reach one another, IBGP peers do not have to be
directly connected.
• All BGP speakers within an AS must establish a peer relationship with each other. That is,
the BGP speakers within an AS must be fully meshed logically. BGP4 provides two techniques
that alleviate the requirement for a logical full mesh: confederations and route reflectors. For
information about these techniques, see the sections " Confederations" and " Route Reflectors,"
later in this chapter.
• AS 200 is a transit AS for AS 100 and AS 300—that is, AS 200 is used to transfer packets
between AS 100 and AS 300.
To verify that BGP peers are up, use the show ip bgp neighbors EXEC command. Following is
the output of this command on Router A:
RouterA# show ip bgp neighbors
BGP neighbor is 129.213.1.1, remote AS 200, external link
BGP version 4, remote router ID 175.220.212.1
BGP state = established, table version = 3, up for 0:10:59
Last read 0:00:29, hold time is 180, keepalive interval is 60 seconds
Minimum time between advertisement runs is 30 seconds
Received 2828 messages, 0 notifications, 0 in queue
Sent 2826 messages, 0 notifications, 0 in queue
Connections established 11; dropped 10
Anything other than state = established indicates that the peers are not up. The remote router ID
is the highest IP address on that router (or the highest loopback interface, if there is one). Notice
the table version number: each time the table is updated by new incoming information, the table
version number increments. A table version number that continually increments is an indication
that a route is flapping, thereby causing routes to be updated continually.
Note When you make a configuration change with respect to a neighbor for which a peer
relationship has been established, be sure to reset the BGP session with that neighbor. To reset
the session, at the system prompt, issue the clear ip bgp EXEC command specifying the IP
address of that neighbor.
--End Cisco Excerpt 1-----------------------------------------------------------------------------------------
This lab will not focus on Internal BGP (IBGP). All you need to know about IBGP is that it is
used between BGP routers within the same AS to ensure they have the same view of their routing
options outside of their AS (and inside of their AS). Note on the diagram that “Tier 1 –Sigma
(UUNE)” has two BGP routers that communicate using IBGP.
The following excerpt defines BGP Attributes and then describes how paths are selected by
BGP. [We have removed extra verbiage, including useful examples, to minimize the size of this
document and the length of the overall lab—for more detailed information, view the entire
document on the web.]
--Cisco Excerpt 2-----------------------------------------------------------------------------------------------
BGP Decision Algorithm
When a BGP speaker receives updates from multiple ASs that describe different paths to the
same destination, it must choose the single best path for reaching that destination. Once chosen,
BGP propagates the best path to its neighbors. The decision is based on the value of attributes
(such as next hop, administrative weights, local preference, the origin of the route, and path
length) that the update contains and other BGP-configurable factors. This section describes the
following attributes and factors that BGP uses in the decision-making process:
• AS_path Attribute
• Origin Attribute
• Next Hop Attribute
• Weight Attribute
• Local Preference Attribute
• Multi-Exit Discriminator Attribute
• Community Attribute
AS_path Attribute
Whenever an update passes through an AS, BGP prepends its AS number to the update. The
AS_path attribute is the list of AS numbers that an update has traversed in order to reach a
destination. An AS-SET is a mathematical set of all the ASs that have been traversed.
[Example Removed]
Origin Attribute
The origin attribute provides information about the origin of the route. The origin of a route can
be one of three values:
• IGP—The route is interior to the originating AS. This value is set when the network router
configuration command is used to inject the route into BGP. The IGP origin type is represented
by the letter i in the output of the show ip bgp EXEC command.
• EGP—The route is learned via the Exterior Gateway Protocol (EGP). The EGP origin type is
represented by the letter e in the output of the show ip bgp EXEC command.
• Incomplete—The origin of the route is unknown or learned in some other way. An origin of
Incomplete occurs when a route is redistributed into BGP. The Incomplete origin type is
represented by the ? symbol in the output of the show ip bgp EXEC command.
[Example Removed]
Next Hop Attribute
The BGP next hop attribute is the IP address of the next hop that is going to be used to reach a
certain destination.
[Example and other material Removed]
Weight Attribute
The weight attribute is a special Cisco attribute that is used in the path selection process when
there is more than one route to the same destination. The weight attribute is local to the router on
which it is assigned, and it is not propagated in routing updates. By default, the weight attribute
is 32768 for paths that the router originates and zero for other paths. Routes with a higher weight
are preferred when there are multiple routes to the same destination.
[Example and methods for setting the weight attribute Removed]
Local Preference Attribute
When there are multiple paths to the same destination, the local preference attribute indicates the
preferred path. The path with the higher preference is preferred (the default value of the local
preference attribute is 100). Unlike the weight attribute, which is only relevant to the local router,
the local preference attribute is part of the routing update and is exchanged among routers in the
same AS.
[Example and methods for setting the local preference attribute Removed]
Multi-Exit Discriminator Attribute
The multi-exit discriminator (MED) attribute is a hint to external neighbors about the preferred
path into an AS when there are multiple entry points into the AS. A lower MED value is
preferred over a higher MED value. The default value of the MED attribute is 0.
Note In BGP Version 3, MED is known as Inter-AS_Metric.
Unlike local preference, the MED attribute is exchanged between ASs, but a MED attribute that
comes into an AS does not leave the AS. When an update enters the AS with a certain MED
value, that value is used for decision making within the AS. When BGP sends that update to
another AS, the MED is reset to 0.
Unless otherwise specified, the router compares MED attributes for paths from external
neighbors that are in the same AS. If you want MED attributes from neighbors in other ASs to be
compared, you must configure the bgp always-compare-med command.
[Example Removed]
Community Attribute
The community attribute provides a way of grouping destinations (called communities) to which
routing decisions (such as acceptance, preference, and redistribution) can be applied.
[Example and other description material Removed—we will not use the community attribute.]
Summary of the BGP Path Selection Process
BGP selects only one path as the best path. When the path is selected, BGP puts the selected path
in its routing table and propagates the path to its neighbors. BGP uses the following criteria, in
the order presented, to select a path for a destination:
1. If the path specifies a next hop that is inaccessible, drop the update.
2. Prefer the path with the largest weight.
3. If the weights are the same, prefer the path with the largest local preference.
4. If the local preferences are the same, prefer the path that was originated by BGP running on
this router.
5. If no route was originated, prefer the route that has the shortest AS_path.
6. If all paths have the same AS_path length, prefer the path with the lowest origin type (where
IGP is lower than EGP, and EGP is lower than Incomplete).
7. If the origin codes are the same, prefer the path with the lowest MED attribute.
8. If the paths have the same MED, prefer the external path over the internal path.
9. If the paths are still the same, prefer the path through the closest IGP neighbor.
10. Prefer the path with the lowest IP address, as specified by the BGP router ID.
--End Cisco Excerpt 2------------------------------------------------------------------------------------------
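The selection order above as an added example (not from the lab or the Cisco whitepaper): a Python model of the ten-step decision process, run over constructed candidate paths whose addresses and AS numbers are made up rather than taken from the lab network. It shows the shortest AS_path winning by default, a per-neighbor weight (as set with `neighbor ... weight` in Section 1.5) overriding that, and a locally originated route's weight of 32768 winning outright; MED is compared across all paths here, i.e. the always-compare-med behaviour rather than the default.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Origin codes as printed by "show ip bgp": i (IGP) < e (EGP) < ? (Incomplete)
ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}


@dataclass(frozen=True)
class Path:
    """One candidate path to a prefix, as a BGP speaker would hold it."""
    next_hop: str
    as_path: tuple            # AS numbers, nearest AS first
    origin: str = "i"
    weight: int = 0           # Cisco-local; 32768 for routes this router originates
    local_pref: int = 100
    med: int = 0
    external: bool = True     # learned via EBGP (False = IBGP)
    igp_cost: int = 0         # IGP distance to the next hop
    router_id: str = "0.0.0.0"
    reachable: bool = True    # is the next hop in the routing table?

    @property
    def locally_originated(self) -> bool:
        return self.next_hop == "0.0.0.0"


def _ip_key(ip: str) -> tuple:
    return tuple(int(octet) for octet in ip.split("."))


def rank(p: Path) -> tuple:
    """Sort key: the smallest tuple is the best path (steps 2-10 of the summary)."""
    return (
        -p.weight,                           # 2: largest weight
        -p.local_pref,                       # 3: largest local preference
        0 if p.locally_originated else 1,    # 4: originated on this router
        len(p.as_path),                      # 5: shortest AS_path
        ORIGIN_RANK[p.origin],               # 6: lowest origin type
        p.med,                               # 7: lowest MED (compared for every path here)
        0 if p.external else 1,              # 8: external over internal
        p.igp_cost,                          # 9: closest IGP neighbor
        _ip_key(p.router_id),                # 10: lowest BGP router ID
    )


def select_best(paths: List[Path]) -> Optional[Path]:
    """Return the single best path, or None if no next hop is reachable (step 1)."""
    usable = [p for p in paths if p.reachable]
    return min(usable, key=rank) if usable else None


def set_neighbor_weight(paths: List[Path], neighbor: str, weight: int) -> List[Path]:
    """Model of 'neighbor <ip> weight <n>': re-tag every path learned from that neighbor."""
    return [replace(p, weight=weight) if p.next_hop == neighbor else p for p in paths]


# Constructed candidate paths for one prefix (addresses/ASNs are made up).
SHORT = Path(next_hop="192.0.2.2", as_path=(65002, 65003), router_id="192.0.2.2")
LONG = Path(next_hop="192.0.2.1", as_path=(65001, 65002, 65003), router_id="192.0.2.1")
LOCAL = Path(next_hop="0.0.0.0", as_path=(), weight=32768, external=False)


def demo() -> dict:
    """Several scenarios; each value is the next hop that select_best picks."""
    default = select_best([SHORT, LONG])
    # Policy like Section 1.5: prefer the neighbor behind the longer path anyway.
    weighted = select_best(set_neighbor_weight([SHORT, LONG], "192.0.2.1", 200))
    originated = select_best([SHORT, LONG, LOCAL])
    unreachable = select_best([replace(SHORT, reachable=False), LONG])
    # Equal AS_path length: origin i (IGP) beats ? (Incomplete), step 6.
    incomplete = replace(LONG, next_hop="192.0.2.3", origin="?", router_id="192.0.2.3")
    origin_pick = select_best([LONG, incomplete])
    return {
        "default": default.next_hop,        # shortest AS_path wins
        "weighted": weighted.next_hop,      # weight 200 overrides AS_path length
        "originated": originated.next_hop,  # weight 32768 beats everything
        "unreachable": unreachable.next_hop,
        "origin": origin_pick.next_hop,
    }


if __name__ == "__main__":
    for name, hop in demo().items():
        print(f"{name:>11}: best next hop {hop}")
```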
Prelab Questions:
Q.P.1: Why is an inter-domain routing protocol required? (In other words, why can’t we
use RIP or OSPF for inter-domain routing?)
Q.P.2. How does BGP interact with local routing protocols?
Section 1
Goal: Configure a BGP router and test the configuration.
1.1 Setup of your hard drive for the lab.
In this section, you will configure a BGP router and test the configuration.
The first step is to configure your hard drive.
Figure 1—Lab Setup
Set up your three Ethernet connections:
Go to the RedHat Icon → System Tools → Network Device Control
This will open a new window.
If you do not see four devices, you will have to add a new device.
To add a new device:
RedHat Icon → System Tools → Internet Configuration
This will open a new window.
Select the device type as “Ethernet Connection” and click on “Forward”
You will see four devices listed, but not all of them will be labeled with “(ethx)” where x is the
number of the interface
Single Click on one listing (without an interface assigned) and click “forward”
In the hostname block, enter “ethx” where x is the number of the interface
Deselect the automatic DNS option
Select “Statically Set IP Address”.
Enter the IP addresses, subnet masks and gateways listed in the table below.
Click Forward.
Click Apply.
Click Finished.
Switch #  Switch Interface (port)  Interface  IP Address     Subnet Mask    Default Gateway
*         *                        eth0       57.35.6.X+0    255.255.255.0  57.35.6.1
4         FastEthernet0/1          eth1       57.35.6.X+2    255.255.255.0  57.35.6.1
4         FastEthernet0/2          eth2       57.35.6.X+3    255.255.255.0  57.35.6.1
* the eth0 interface will be connected to the mini-net as has been done for all other labs.
Do this for all three interfaces listed in the table.
Note: Make sure you configure and activate the network card in order (eth0, eth1, eth2).
If you already have an interface listed under Network Device Control:
Choose one and select “Configure”
A new window will open
In this window, under the device tab, choose one of the cards and click “Edit”
Enter the Nickname as “ethx” if not already present
Deselect the automatic IP option
Select “Statically Set IP Address”.
Enter the IP addresses, subnet masks and gateways listed in the table above.
Click OK.
Click Apply.
Click Close
If prompted to save your changes, click “Yes.”
Click “Close” for the Network Device Control” window.
To make sure eth0 is used for the default gateway, type “route” at the shell prompt.
If your default gateway does not use eth0 as its interface, try the following commands.
#ifconfig eth0 down
#ifconfig eth1 down
#ifconfig eth2 down
#ifconfig eth0 up
#ifconfig eth1 up
#ifconfig eth2 up
#route add default gw 57.35.6.1
If you don’t have your default gateway set up, then do the following:
#route del default
#route add default gw 57.35.6.1
You have now set up your hard drive.
1.2. Monitor Traffic Between BGP Routers
Open Ethereal. Select Capture menu and then Start.
Choose “any” from the ‘Interface’ dropdown window in the Capture Options window.
Select update list of packets in real time.
Do not select automatic scrolling in live capture.
Click OK to start the capture.
(Capturing data from “any” interface is critical for you to be able to observe the backbone
traffic between BGP routers. The GTISC Mini-Net lab is set up using Virtual Local Area
Networks (VLANs). There are five Cisco 3550 switches in the lab; all of these switches are
connected using a ‘trunk’ which allows each switch to communicate with any other switch. The
network (as pictured in Appendix A) is created using many VLANs. To allow you to observe
the BGP backbone traffic, we have used the SPAN switch command to forward all traffic from
specific VLANs and from a specific interface (the main trunk connecting all five switches) to the
eth1 and eth2 interfaces on your machine. These packets are not specifically forwarded to your
machine; each packet associated with a SPAN monitoring session is copied, and the copied
packet is sent out an interface (port) on the switch. The copied packets are simply placed on the
Ethernet cable—your computer is not configured to receive any of this traffic, but by using
“any,” you can capture these packets for later analysis. Because we have one SPAN session
running on the main trunk, you will be able to observe almost all (not quite, as we’ll explain
later) traffic on every subnet in the lab (regardless of AS). If you would like more detailed
information about the Cisco 3550 switches and their SPAN, VLAN, etc. capabilities, the manual
for the 3550s is located at:
http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_book09186a008011591c.html ) [4]
One side note: if there is too much traffic on the network interfaces Ethereal is monitoring (as
there may be if several groups are in the lab generating traffic), Ethereal will monitor packets on
the local broadcast network only. [5] This means you will not see the trunk traffic, so you most
likely will not be able to see the BGP traffic. If this is the case while you are conducting the lab,
select Interface “eth1.” This will allow you to observe most of the pertinent BGP traffic.
Capture 3-5 minutes of network traffic. While you are capturing traffic, set up a filter in Ethereal
to remove most of the extraneous traffic using the following steps:
Click on “Filter” in the lower left-hand corner of Ethereal—the Filter dialogue box will open.
Give your filter a name in the appropriate box (e.g. Filter out junk)
Enter the following in the Filter String Box:
!llc.pid && !(ospf.msg.hello) && !(ipxrip) && !(ipxsap) && !(udp) && !(nbns) &&
!(ospf.msg.lsack) && !(stp)
Click “new.” Click “save.” Click “Apply.”
You can begin to observe the captured packets while you wait to collect 3-5 minutes of data.
Once you have enough data, Go to the capture window and Click “Stop.”
Save your file at this point (you may want to review it for a later question).
Because of the way the monitoring sessions have been set up, there is some BGP traffic you can
not observe, and there is some traffic you will see double packets for. The diagram below
annotates the paths you can observe with a green arrow in that direction. (These arrows are
shaded and smaller than the BGP arrows). A line with arrows on both ends means you can see
traffic in both directions. A one-way arrow means you can only observe ½ of the connection (in
the direction specified). We do not indicate which sections you will see double copies of each
packet on because it varies based on the source address; double packets are created when each of
the monitoring sessions creates a copy; one sends the copy to eth1 and the other sends it to eth2.
Figure 2—BGP Monitoring Capabilities for ‘any’ interface.
Figure 3—BGP Monitoring Capabilities for ‘eth1’ interface.
Q.1.2.1. What port does BGP use?
Q.1.2.2. What type of traffic do you see between BGP speakers?
Q.1.2.3. How often do you see the traffic between a given set of BGP routers?
Follow the TCP stream between 199.77.33.1 and 199.77.33.2. Observe the Hex dump of the
TCP stream. Close the TCP stream window. You can now observe the packets that are part of
the TCP stream between these two BGP routers.
Screenshot #1: Take a screenshot of this TCP stream with a KEEPALIVE message
highlighted and the BGP Field fully expanded in the lower screen.
Q.1.2.4. What do you notice about the sequence numbers between the KEEPALIVE
messages? (Hint: What is the length of the KEEPALIVE message?)
Q.1.2.5. What is the purpose of this traffic (KEEPALIVE messages)?
1.3. BGP Update Messages and Route Convergence.
We will now log into a router and reset a session between BGP routers. This will allow us to
observe the dynamic updating of BGP routers.
To log into the digiconsole:
Log into your ece account
ssh to firewall@digiconsole.ece_int.gatech.edu
When prompted, enter the password: secure_class
At the prompt, type
#telnet digi
Login# firewall
Password# secure_class
The digiconsole port menu will be displayed
To select port 4, type 4 and then hit enter twice
Enter privileged EXEC mode by typing
Tier1-swch>enable
[note: you can use ‘en’ for short]
Password: THE TA WILL NEED TO UPDATE THIS BEFORE PASSING OUT
THE LAB.
Start a new Capture session in Ethereal, once again ensuring you have selected the option for
“any” interface.
At the prompt, enter:
Tier1-swch#clear ip bgp 199.77.33.2
Examine the capture log—allow this log to run long enough to answer Q.1.3.2.
Q.1.3.1. What does this command do? (Hint: use [6]
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017d027.html#wp1037037 )
Q.1.3.2. How long does it take for the system to become stable again (after resetting only
one session between two BGP neighbors)?
Start a new Ethereal Capture session (or continue to monitor your current session).
Enter the following command:
Tier1-swch#clear ip bgp *
Q.1.3.3. How long does it take for the system to become stable again (after resetting two
sessions between BGP neighbors)?
1.4. Information maintained in BGP Routers.
We will start this subsection by analyzing the show ip bgp output from the University Gateway2-rtr
displayed below. (We are using this table first because it only has EBGP data.)
University-swch>show ip bgp
BGP table version is 66, local router ID is 199.77.33.2
Status codes: s suppressed, d damped, h history, * valid, > best, i internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network
Next Hop
* 57.35.0.0/30
62.7.200.33
64700 i
*>
199.77.33.1
* 57.35.0.16/30
62.7.200.33
64700 i
*>
199.77.33.1
* 57.35.0.128/30
62.7.200.33
64700 i
*>
199.77.33.1
* 57.35.1.0/24
62.7.200.33
64700 i
*>
199.77.33.1
* 57.35.2.0/24
62.7.200.33
64700 i
*>
199.77.33.1
* 57.35.3.0/24
62.7.200.33
64700 i
*>
199.77.33.1
* 57.35.4.0/24
62.7.200.33
64700 i
*>
199.77.33.1
* 57.35.5.0/24
62.7.200.33
64700 i
*>
199.77.33.1
* 57.35.6.0/24
62.7.200.33
64700 i
*>
199.77.33.1
* 57.35.7.0/24
62.7.200.33
64700 i
Network
Next Hop
*>
199.77.33.1
* 57.35.10.0/24
62.7.200.33
64700 i
*>
199.77.33.1
* 62.7.200.32/30
62.7.200.33
*
199.77.33.1
*>
0.0.0.0
*> 62.7.245.252/30 62.7.200.33
*
199.77.33.1
*> 138.210.0.0
0.0.0.0
* 199.77.30.16/30 62.7.200.33
*>
199.77.33.1
* 199.77.31.0/30
62.7.200.33
*>
199.77.33.1
* 199.77.33.0/30
62.7.200.33
*
199.77.33.1
*>
0.0.0.0
* 199.77.250.240/30
62.7.200.33
*>
199.77.33.1
Metric LocPrf Weight Path
0 64514 64515
0 64515 64700 i
0 64514 64515
0 64515 64700 i
0 64514 64515
0 64515 64700 i
0 64514 64515
0 64515 64700 i
0 64514 64515
0 64515 64700 i
0 64514 64515
0 64515 64700 i
0 64514 64515
0 64515 64700 i
0 64514 64515
0 64515 64700 i
0 64514 64515
0 64515 64700 i
0 64514 64515
Metric LocPrf Weight Path
0 64515 64700 i
0 64514 64515
0
0
0
0
0
0
0
0
0
0
0
0
0
32768
0
0
32768
0
0
0
0
0
0
32768
64515
64514
64515
i
64514
64515
?
64514
64515
64514
64515
64514
64515
i
64700 i
i
64514 i
i
64514 i
64515 i
i
i
i
64515 i
i
0 64514 i
0 64515 i
* 199.107.12.0
62.7.200.33
*>
199.77.33.1
* 199.107.254.252/30
Network
Next Hop
62.7.200.33
*>
199.77.33.1
* 199.110.254.40/30
62.7.200.33
*>
199.77.33.1
*> 212.43.0.0
62.7.200.33
*
199.77.33.1
64800 i
0 64514 64515 i
0 64515 i
Metric LocPrf Weight Path
0 64514 64515 i
0 64515 i
0
0
0
0
0
64514
64515
64514
64515
64515 i
i
64800 i
64514
Use the output listed above for the University Gateway2-rtr to answer the following questions:
Q.1.4.1. For the first network listed in the table (57.35.0.0/30), why is the next hop
199.77.33.1 considered the best (annotated by ‘>’)? (Hint: look at the BGP Path Selection
Process presented in the background and theory section.)
Q.1.4.2. For the 199.77.33.0/30 network, why is the next hop 0.0.0.0 considered the best?
Q.1.4.3. What is the significance of the weight value 32768 for this AS Path?
Q.1.4.4. Why does the weight value have a higher priority than AS-Path length in the BGP
Path Selection Process?
We will now use the digiconsole to explore some of the information maintained by each BGP
router. You should still be in the Tier1-swch privileged EXEC mode. Since we don’t need to be in
privileged EXEC mode for these commands, enter
Tier1-swch#exit
To get the following prompt:
Tier1-swch>
Now, enter the following commands:
Tier1-swch>show ip bgp
Tier1-swch>show ip bgp neighbors
Attachment#1: Copy the output from these commands and paste it into a text
editor of your choice. Save the file and transfer it to a computer (using
email, flash drive, etc) and print the output. Turn in this output as
Attachment #1.
Q.1.4.5. How many neighbors does Sigma2-rtr (Tier1-swch) have?
Q.1.4.6. What is the keepalive interval for this router’s BGP neighbors? How does this
compare to your answer in Question 1.2.3?
1.5. Configure BGP to enforce policy
Before we configure the BGP router, let’s use traceroute to determine how packets are sent from
our RH8.0 in AS 64700 to a webserver in AS 64900 (that provides the Georgia Tech home page).
[root@group37-4112-191 root]# traceroute 138.210.240.151
Screenshot#2:
Take a screenshot of this output and turn it in with your lab.
We will now configure our BGP router to enforce a specific policy. Consider the following
scenario:
You work for the Tier-1 Company Sigma and are responsible for maintaining the BGP routers.
Your company has a peering agreement (worked out by the thousands of lawyers your company
can afford to maintain) with Tier-1 Provider Omega. Omega will transport your traffic for a very
minimal charge (and Sigma does the same for Omega). Your company has established an
alternate provider relationship with “University” AS 64900. Because your company (Sigma) is
going to charge “University” five times as much as Omega charges them, your company has
agreed to provide credit to the University for any traffic you send to them directly.
In order to help the company get more money from the University, your boss tells you to
configure the gateway to always use the “Omega” connection if it is available. You can’t totally
remove the University connection, because you don’t want to lose access to the University if
something happens to your Omega connection. BGP allows you to implement policy-based
routing to handle this issue. We will use the weight attribute to configure the router, but there
are many other methods you can use in BGP to enforce policy-based routing.
Figure 4—Diagram for Section 1.5
You should still have access to the sigma2-rtr (Tier1-swch). If you do not, follow the
instructions in Section 1.3 to get access.
Tier1-swch>enable
Password: [same as above]
Tier1-swch#config term
Enter configuration commands, one per line. End with CNTL/Z.
Tier1-swch(config)#router bgp 64515
Tier1-swch(config-router)#neighbor 199.77.250.241 weight 200
Tier1-swch(config-router)#end
Tier1-swch#clear ip bgp 199.77.250.241
Tier1-swch#show ip bgp
Attachment #2: Print this output and submit it with your Lab as Attachment #2.
Q.1.5.1. What are the changes to the routing table caused by this configuration?
Network | Old Best Next Hop | New Best Next Hop
Q.1.5.3. What other attribute can you use to implement the policy-based routing for this
scenario?
Now that we have changed the configuration of our router, let’s use traceroute to determine how
packets are sent from our RH8.0 in AS 64700 to a webserver in AS 64900 (that provides the
Georgia Tech home page).
[root@group37-4112-191 root]# traceroute 138.210.240.151
Screenshot#3:
Take a screenshot of this output and turn it in with your lab.
Section 2
Goal: Provide an introduction to the security issues of BGPv4.
The following excerpt is from “The Evolution of Inter-Domain Routing” by J. Gribschaw, E.
Paradise, J. Soria, and R. Wilson which is a report written for CS7260: Internetworking
Architecture and Protocols, Spring 2004. [7]
---------------------------------------------------------------------------------------------------
Current Issues with Border Gateway Protocol version 4 (BGPv4)
BGPv4 has become the standard protocol for inter-domain routing today. By 1997, the Internet
was comprised of over 20 million hosts (1 million domains) and it became evident that it was
infeasible to replace BGP. Even more so when by 2001, there existed over 100 million hosts.
BGP is so ensconced that any conversion to another protocol for inter-domain routing would
require global changes to routers, ISP management and all applications integrated with BGP.
Such an undertaking is not possible with the size of the Internet today.
But is it necessary to replace BGP? Not really. The main issues facing BGP are occurring as
newer hardware and physical layer technologies emerge and as needs for such things as
streaming, QoS, and security arise. Some problems with BGP are:
1. Routing is based primarily on policy (and route availability) and not on network load.
2. Congestion - because the Internet is so large, it can take a long time to converge to stable
routes when a change occurs. There also is no method to mark routing updates as critical,
so when there is a lot of congestion, routing updates can be dropped. This causes it to
take even longer to converge to stable routes.
3. There still is a requirement for a large amount of manual configuration with BGPv4.
4. BGPv4 also has no way to prevent false or malicious advertisements whether caused by
configuration mistakes or intentionally induced.
Security Issues BGPv4
BGPv4’s widespread use has rendered it a critical service of the Internet. Without it, interdomain routing could not occur. However, BGP is very lacking in security mechanisms to
protect it from malicious attacks or bad configurations.
BGP uses TCP as its transport layer to obtain a reliable transport medium. However, the layers
underneath BGP (i.e. TCP, IP) are subject to fabrication attacks, replay attacks, and modification
attacks. It is relatively trivial for an attacker to spoof an IP packet. It is less trivial to spoof a TCP
packet. However, a recently released (April 20, 2004) vulnerability shows that spoofing a TCP
packet to close a TCP connection is much easier than previously thought [8]. This particular
attack can result in a denial of service in BGP and without BGP, inter-domain routing in portions
of the Internet may fail. In recognition of this and similar attacks, a proposal was made to add an
option to TCP to authenticate the sender of a particular packet using an MD5 signature. Such an
option requires two parties communicating via TCP to share a secret. While such a proposal
could be used with any arbitrary TCP connection on the Internet, the authors proposed this
security mechanism as an effort to protect BGP connections (whose TCP connections remain up
for long periods of time). Actively using such a signature mechanism ensures that a given
packet does indeed come from the alleged source thus mitigating the previously mentioned
vulnerability and other similar attacks [9].
Although a BGP connection can now be protected from attack, the data (routing advertisements)
are still unprotected. Because of the way BGP is structured, it is easy to inject false
advertisements, either by accident, through configuration error (BGP is difficult to configure), or
with malicious intent. BGP provides no means by which to detect such false advertisements and
will thus believe them blindly. BGP-4 also provides no way to ensure that a trusted BGP speaker
has not become compromised [10].
--End of Excerpt from [7]--------------------------------------------------------------------------------------
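The TCP MD5 signature option the excerpt refers to can be worked through in code. The following is an added example, not part of the lab or of [7]: it computes the RFC 2385 digest over the TCP pseudo-header, the 20-byte TCP header with a zero checksum, the segment data and the shared key, carries it as TCP option kind 19, and verifies it on receipt. The peer addresses, ports, sequence numbers and key are constructed; the assumption that the pseudo-header segment length counts the options (as it does for the TCP checksum) is this example's own; the KEEPALIVE used as payload is built from the 16-byte marker, length and type fields of a BGP message.

```python
import hashlib
import hmac
import socket
import struct

# RFC 2385: the TCP MD5 signature option has kind 19 and a fixed length of 18 bytes
# (kind, length, then the 16-byte digest).
TCPOPT_MD5SIG = 19
TCPOLEN_MD5SIG = 18

# Constructed BGP KEEPALIVE message: 16-byte marker of 0xff, length 19, type 4.
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def md5_signature(src_ip, dst_ip, header, payload, key):
    """RFC 2385 digest: TCP pseudo-header, the 20-byte TCP header with the checksum
    field zeroed (options excluded), the segment data, then the shared key.
    Assumption of this example: the pseudo-header segment length counts the options,
    as the TCP checksum pseudo-header does."""
    seg_len = len(header) + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    fixed = bytearray(header[:20])
    fixed[16:18] = b"\x00\x00"            # checksum assumed zero
    return hashlib.md5(pseudo + bytes(fixed) + payload + key).digest()


def build_signed_segment(src_ip, dst_ip, sport, dport, seq, ack, payload, key):
    """Build a TCP segment (checksum left at zero; a real stack fills it in) carrying
    NOP, NOP, MD5SIG in its options, followed by the payload."""
    opt_len = 2 + TCPOLEN_MD5SIG                       # 20 bytes keeps 32-bit alignment
    data_offset = (20 + opt_len) // 4                  # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, 0x18, 16384, 0, 0)   # flags PSH|ACK
    placeholder = b"\x01\x01" + bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + b"\x00" * 16
    digest = md5_signature(src_ip, dst_ip, header + placeholder, payload, key)
    options = b"\x01\x01" + bytes([TCPOPT_MD5SIG, TCPOLEN_MD5SIG]) + digest
    return header + options + payload


def verify_signed_segment(src_ip, dst_ip, segment, key):
    """Recompute the digest for a received segment and compare it with the carried one;
    False if the option is missing, the key differs, or any signed byte was altered."""
    data_offset = (segment[12] >> 4) * 4
    header, payload = segment[:data_offset], segment[data_offset:]
    carried = None
    i = 20
    while i < data_offset:                             # walk the TCP options list
        kind = header[i]
        if kind == 0:                                  # end of options
            break
        if kind == 1:                                  # NOP
            i += 1
            continue
        if i + 1 >= data_offset:
            return False                               # truncated option
        length = header[i + 1]
        if length < 2:
            return False                               # malformed option
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            carried = header[i + 2:i + length]
        i += length
    if carried is None:
        return False
    expected = md5_signature(src_ip, dst_ip, header, payload, key)
    return hmac.compare_digest(carried, expected)


def demo():
    """Constructed peers 199.77.33.2 -> 199.77.33.1 exchanging a signed KEEPALIVE."""
    key = b"constructed-shared-secret"
    seg = build_signed_segment("199.77.33.2", "199.77.33.1", 179, 41000,
                               0x1000, 0x2000, KEEPALIVE, key)
    tampered = seg[:-1] + bytes([seg[-1] ^ 0x01])       # one bit of the data flipped
    wrong_key = build_signed_segment("199.77.33.2", "199.77.33.1", 179, 41000,
                                     0x1000, 0x2000, KEEPALIVE, b"guessed-key")
    return (verify_signed_segment("199.77.33.2", "199.77.33.1", seg, key),
            verify_signed_segment("199.77.33.2", "199.77.33.1", tampered, key),
            verify_signed_segment("199.77.33.2", "199.77.33.1", wrong_key, key))
```

A receiver that verifies the option discards any segment whose digest does not match, which is what makes a segment built by a party without the key ineffective against the session, whatever flags it carries. Because the digest covers the source and destination addresses, the ports and the sequence and acknowledgement numbers, matching those fields is not enough without the key.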
Border Gateway Protocol version 4 (BGPv4) was created in the early days of the Internet, when the
security risks were not as intense. As the threats in today's Internet increase, BGP needs to be
refined with added security features. Security features are added to BGP as fixes to perceived
vulnerabilities or through operational experience. However, some BGP deployments are still open to
malicious attacks, since not all BGP routers are equipped with enough security features.
Moreover, there are some possible security holes in BGP implementations.
The following overviews of some security threats to BGPv4 are extracted from BGPv4
Security Essentials Version 5, published by Cisco. The original white paper is located at
ftp://ftp-eng.cisco.com/cons/isp/security/BGP-Risk-Assesment-v.pdf. [11]
---Begin Excerpts from Cisco Whitepaper ---------------------------------------------------------------
Spoofing
BGP spoofing attacks are the TCP based spoofing targeting the BGP port of the router or
spoofed BGP packets. BGP spoofing attacks are not as easy as people think; however, an experienced
attacker can accomplish these attacks. In order to successfully spoof a TCP session supporting
BGP peers:
1. Source IP address must be spoofed,
2. Source Port must be spoofed,
3. TCP Sequence Number must match, and
4. IP’s TTL must match during the initial TCP session start.
A TCP Reset (RST) attack is an attack profile frequently referenced for an attacker who has no
direct access to the link. The TCP RST is a packet that will reset the TCP session supporting
BGP. Tearing down the TCP session also tears down the BGP session, flushing the routes for
that peer.
Hijacking
BGP Hijacking requires a successful BGP Spoof. These attacks masquerade BGP status packets as
coming from the neighbor. The packets would look legitimate, but would carry malicious BGP
status updates. The updates could be tearing down the BGP session, inserting routing
information, or withdrawing valid routing information. While sounding dangerous, effective
BGP Hijacking requires additional knowledge of the current BGP interaction between the peers.
For example, if a BGP Update message is sent attempting to inject a new prefix into the BGP
Table, specific knowledge of the peering connection is required. Next-hop, BGP communities,
prefix filters, and other details on how the peering is configured add to the difficulty of a
successful BGP Hijack.
Route Injection
Advertisement of routes in which the network does not have allocation authority pulls traffic
away from the authorized network. This causes a DOS on the network who allocated the block of
addresses and may cause a DOS on the network in which it re-advertised. The opportunity of
malicious abuse presents itself when you combine the industry trends of multiple links to the
Internet (referred to as multihomed customers) combined with inadequate security practices in
these networks. The address spaces of these multihomed customers are frequently scanned and
the routers potentially violated. These violated multihomed routers speaking BGP with their
upstream ISP are now potential platforms for BGP attacks. The easiest attack vector being
advertisement of someone else’s IP address block.
Most ISPs do not filter Bogons – the term used to describe the IANA reserved address space. A
malicious attack might use a violated BGP speaking router to start advertising large ranges of
Bogon space – with the objective of overloading BGP and forwarding tables in routers.
Bogon advertisement could feasibly turn the advertising router into an Internet Sink Hole. Many
spoof DOS/DDOS attacks use the unallocated addresses as their source addresses. When these
DOS/DDOS attacks hit a target, the target normally responds with ICMP Unreachable messages
back to the source address. These ICMP Unreachable messages echoing from a target are called
the backscatter of an attack.
Direct DOS/DDOS Attacks
DOS/DDOS Attacks directly against the BGP protocol port (port 179) are perceived to be an
easily executable attack vector. These attacks (like a TCP syn flood against port 179) attempt to
flood the application port. In reality, they end up flooding a resource like the input queue, forcing
the router’s processors to work over time with queue maintenance.
At times, queue and processor resources can reach the point where control plane packets are
dropped. When control plane traffic is dropped, the routing protocol sessions drop resulting in a
router flap.
Risk Related to an ISP’s Routing Architecture
The way the network is designed affects how it responds to attack. As seen with the 2001 Code
Red and Nimda incidents, ISPs who advertise a default route on one or more of their routers turn
those routers into magnets for malicious traffic with no path in the forwarding table. Routers under
direct attack, which flap under an attack, do not stop the attack. The traffic of the attack still has
to go somewhere, which means another router can be affected by the attack. Security is an
essential part of ISP network design. Those ISPs who do not know about these security
architecture principles tend to have networks that experience more attack stress than is necessary.
---End Cisco Whitepaper -------------------------------------------------------------------------------------
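The filtering the whitepaper says most ISPs neglect can be expressed as an inbound policy check on each UPDATE. The following is an added example rather than Cisco's or the lab's own code: it rejects bogon prefixes, default routes, prefixes a neighbor is not authorized to originate and prefixes more specific than permitted, and it applies a maximum-prefix limit so that a flood of announcements from a compromised multihomed peer is refused rather than loaded into the BGP and forwarding tables. The neighbor addresses reuse the lab's mini-net, but the per-neighbor authorized ranges, the limits and the bogon list are constructed for the example.

```python
import ipaddress

# Bogon list: IANA reserved and special-use IPv4 space. Constructed for the example;
# a production filter keeps this current from an authoritative bogon feed.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed per-neighbor policy, in the spirit of an inbound prefix-list plus a
# maximum-prefix limit: (aggregate the peer may originate, longest prefix length allowed).
NEIGHBOR_POLICY = {
    "199.77.33.2":    {"allowed": [("57.35.0.0/16", 30)], "max_prefixes": 100},
    "199.77.250.241": {"allowed": [("138.210.0.0/16", 24)], "max_prefixes": 100},
}


def classify_prefix(neighbor, prefix_str):
    """Return None if the prefix is acceptable from this neighbor, else the reason to drop it."""
    try:
        net = ipaddress.ip_network(prefix_str, strict=True)
    except ValueError:
        return "malformed prefix"
    if net.version != 4:
        return "not IPv4"
    if net.prefixlen == 0:
        return "default route"                  # never accept a default from a customer
    if any(net.subnet_of(bogon) for bogon in BOGONS):
        return "bogon"
    policy = NEIGHBOR_POLICY.get(neighbor)
    if policy is None:
        return "unknown neighbor"
    for aggregate, max_len in policy["allowed"]:
        if net.subnet_of(ipaddress.ip_network(aggregate)):
            if net.prefixlen > max_len:
                return "more specific than permitted"
            return None
    return "not authorized for neighbor"


def filter_update(neighbor, prefixes):
    """Apply the policy to the NLRI of one UPDATE; returns (accepted, rejected) where
    rejected holds (prefix, reason) pairs."""
    accepted, rejected = [], []
    for prefix in prefixes:
        reason = classify_prefix(neighbor, prefix)
        if reason is None:
            accepted.append(prefix)
        else:
            rejected.append((prefix, reason))
    limit = NEIGHBOR_POLICY.get(neighbor, {}).get("max_prefixes", 0)
    if len(accepted) > limit:
        # Mirrors maximum-prefix handling: a flood from the peer is refused outright
        # instead of being installed, which is what protects the tables the text mentions.
        rejected += [(prefix, "over maximum-prefix limit") for prefix in accepted]
        accepted = []
    return accepted, rejected
```

The two checks answer different parts of the excerpt: the bogon and authorization tests stop a violated customer router from advertising reserved space or someone else's block, while the prefix limit bounds how much table state one peer can create before its announcements are refused.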
Section 3
Goal: Demonstrate one potential malicious configuration of a BGP router.
In this section, you will make a change in the BGP router configuration to demonstrate one
potentially malicious option available to someone who can gain access to a BGP router. We will
assume that you have already gained access to the router; specifically, we assume that the
malicious configuration is made by a person (you) who is authorized to access the BGP
router. It is also possible (although unlikely if proper security measures are in place) for an
attacker to gain access to a BGP router.
We will therefore assume that you have gained access to a BGP router and want to make a
subtle change that won't crash the system but will have a negative impact. Let's revisit our
scenario from Section 1.5:
Your boss told you to configure the BGP router to send all traffic to Omega AS to help the
company get more money out of the University. You are a disgruntled employee, and are about
ready to drop your 2 week notice. You know the company just paid the monthly bill to the
University AS, and now have the perfect opportunity to take one last stab at Sigma. What are the
chances that anyone realizes you made a mistake before you are gone…they probably won’t
realize anything is wrong until the next bill and you’ll be long gone by then; and even if they do
realize it, you’ll just say that it was an honest mistake.
Use the commands below to configure your router to send its traffic to the University AS instead
of the Omega AS based on the weight attribute.
Figure 5—Diagram for Section 3
Log into the digiconsole on port #4 in EXEC privilege mode (if you are not already there). Enter
the command:
Tier1-swch#config term
Enter configuration commands, one per line. End with CNTL/Z.
Tier1-swch(config)#router bgp 64515
Tier1-swch(config-router)#neighbor 199.77.33.2 weight 201
Tier1-swch(config-router)#end
Tier1-swch#clear ip bgp 199.77.33.2
Tier1-swch#show ip bgp
Attachment #3: Print this output and submit it with your Lab as Attachment #3.
Q.3.1. What are the changes to the routing table caused by this configuration?
Network            Old Best Next Hop            New Best Next Hop
Q.3.2. How would an administrator identify that the weight value has been changed?
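One way to answer Q.3.1 and Q.3.2 systematically is to compare a saved `show ip bgp` listing taken before the change with one taken afterwards. The following is an added example, not part of the lab: it parses the IOS table using the column positions of the header line, lists the prefixes whose best next hop changed (the rows of the Q.3.1 table), lists every (prefix, next hop) pair whose weight differs between the two snapshots, and flags any weight that is not one of the defaults. The two listings embedded in the code are constructed to match the Section 1.5 and Section 3 configurations (weight 200 on 199.77.250.241, then weight 201 on 199.77.33.2); the intermediate AS numbers 64800 and 64600 are placeholders.

```python
# Constructed 'show ip bgp' output before the Section 3 change (weight 200 already set
# on 199.77.250.241 in Section 1.5). Column layout follows the IOS header line.
BEFORE_SECTION_3 = """\
BGP table version is 7, local router ID is 199.77.33.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 138.210.240.0/24 199.77.250.241                       200 64800 64900 i
*                   199.77.33.2                            0 64600 64900 i
*> 199.77.33.0/30   0.0.0.0                  0         32768 i
"""

# Constructed output after 'neighbor 199.77.33.2 weight 201' and the session clear.
AFTER_SECTION_3 = """\
BGP table version is 9, local router ID is 199.77.33.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  138.210.240.0/24 199.77.250.241                       200 64800 64900 i
*>                  199.77.33.2                          201 64600 64900 i
*> 199.77.33.0/30   0.0.0.0                  0         32768 i
"""


def parse_show_ip_bgp(output):
    """Parse IOS 'show ip bgp' text into {prefix: [path, ...]}. Numeric columns are
    right-aligned under their header words, so slicing uses the header's positions;
    a row with an empty Network column is another path for the previous prefix."""
    lines = output.splitlines()
    hdr_idx = next(i for i, l in enumerate(lines) if "Network" in l and "Next Hop" in l)
    hdr = lines[hdr_idx]
    net_col, nh_col = hdr.index("Network"), hdr.index("Next Hop")
    metric_end = hdr.index("Metric") + len("Metric")
    path_col = hdr.index("Path")

    table, current = {}, None
    for line in lines[hdr_idx + 1:]:
        if not line.strip():
            continue
        network = line[net_col:nh_col].strip()
        if network:
            current = network
            table.setdefault(current, [])
        nh_fields = line[nh_col:metric_end].split()      # next hop, then metric if shown
        lp_w = line[metric_end:path_col].split()         # LocPrf (if shown) and Weight
        path_tokens = line[path_col:].split()            # AS numbers then origin code
        table[current].append({
            "best": ">" in line[:net_col],
            "next_hop": nh_fields[0],
            "metric": int(nh_fields[1]) if len(nh_fields) > 1 else None,
            "local_pref": int(lp_w[0]) if len(lp_w) == 2 else None,
            "weight": int(lp_w[-1]),
            "as_path": [int(a) for a in path_tokens[:-1]],
            "origin": path_tokens[-1],
        })
    return table


def best_next_hop(paths):
    return next((p["next_hop"] for p in paths if p["best"]), None)


def best_path_changes(old_output, new_output):
    """Rows for the Q.3.1 table: (network, old best next hop, new best next hop)."""
    old, new = parse_show_ip_bgp(old_output), parse_show_ip_bgp(new_output)
    rows = []
    for prefix in sorted(set(old) | set(new)):
        before = best_next_hop(old.get(prefix, []))
        after = best_next_hop(new.get(prefix, []))
        if before != after:
            rows.append((prefix, before, after))
    return rows


def weight_changes(old_output, new_output):
    """(prefix, next hop, old weight, new weight) for every path whose weight moved."""
    old, new = parse_show_ip_bgp(old_output), parse_show_ip_bgp(new_output)
    changes = []
    for prefix in sorted(set(old) | set(new)):
        before = {p["next_hop"]: p["weight"] for p in old.get(prefix, [])}
        after = {p["next_hop"]: p["weight"] for p in new.get(prefix, [])}
        for nh in sorted(set(before) | set(after)):
            if before.get(nh) != after.get(nh):
                changes.append((prefix, nh, before.get(nh), after.get(nh)))
    return changes


def non_default_weights(output):
    """Paths whose weight is neither 0 (learned route) nor 32768 (locally originated)."""
    return [(prefix, p["next_hop"], p["weight"])
            for prefix, paths in parse_show_ip_bgp(output).items()
            for p in paths if p["weight"] not in (0, 32768)]
```

Weight is local to the router and is never sent to peers, so neighboring ASes cannot see the change; the router's own running configuration (for example `show running-config | include weight`) and before/after snapshots like these are where an administrator would look, which is why periodic saved copies of `show ip bgp` and the configuration are worth keeping.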
One of the concepts worth highlighting here is that BGP is very complicated. We have only
scratched the surface of possible configurations, and we have not addressed peering versus transit
connections. Problems with BGP can be caused by well-intentioned people making
configuration mistakes, in addition to attackers working to gain access and exploit the
vulnerabilities of BGP.
To exit from any port on the digiconsole:
1. Type exit at the EXEC privilege prompt (#exit).
2. Press CNTL-Z. Your screen will clear and you will have three options.
3. Select 'x' to close the current port. You will now be back in the digiconsole.
4. Press any key other than a number and press enter. You have closed the digiconsole.
Section 4
Goal: Provide an introduction to the current proposals to improve the security of BGPv4.
The following excerpt is also from [7].
---------------------------------------------------------------------------------------------------
Two solutions currently exist to address [the] vulnerabilities in [BGPv4]: Secure-BGP (S-BGP)
and Secure Origin BGP (soBGP). Both proposals accomplish virtually the same end (verifying
advertisements) through different means. These solutions rely on the existence of a public-key
infrastructure that can supply certificates to Autonomous Systems verifying which IP address
ranges they are responsible for. This ties a particular IP address through a digital certificate to a
given Autonomous System. When an AS advertises a route for its own networks, it signs the
advertisement with its private key allowing other autonomous systems to verify that it indeed can
reach those networks [10]. In addition, both proposals provide for means of verifying that the
entire AS path in a message is indeed a valid path to reach the advertised network [12].
A BGP speaker, when it receives a secured advertisement, must have a means of obtaining the
certificates used to sign the advertisement so it can verify the authenticity of the advertisement.
S-BGP and soBGP use different means to accomplish this. S-BGP assumes that each BGP
speaker will retain a large directory of all the certificates for every Autonomous System that gets
updated often from a central site (Kent, 2003). Secure Origin BGP provides a new BGP message
(a SECURITY message) to send certificates alongside of advertisements [12].
While these protocols have some obvious advantages in correcting the security deficiencies of BGP,
there are several reasons these solutions have not experienced widespread adoption.
Both proposals have severe routing overheads--an encrypted signature must be added
for every AS in the path of an advertisement. This could increase routing overhead by 800%.
Deployment of these protocols is also problematic: it requires either complex configurations or
contiguous groups of users of a given protocol [10]. In addition, the two protocols are
incompatible with each other and will require that a standard method be settled upon. Because
BGP provides such a critical service to the Internet today, security is clearly an area that must be
addressed in the future.
Another security solution for a company split between two locations is to create a Virtual Private
Network (VPN) using Multi-protocol Label Switching (MPLS). MPLS establishes a virtual
switched circuit or a label switched path. Once established, packets are routed based on labels
only (instead of IP addresses). The only way to trace the packet to the source or destination from
within the network is using labels. This provides a private network within a larger one (of course
for better security, you would also need to encrypt the packets). MPLS can also be used to help
achieve quality of service (QoS), but it does not provide QoS on its own. BGP provides the
ability to use multi-protocol extensions that can be used to advertise MPLS routes. Policies
would be established to publish the label switching route information only to the appropriate
neighbors using the communities attribute.
--End of Excerpt from [7]---------------------------------------------------------------------
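The signed-advertisement idea behind S-BGP and soBGP can be traced in code. The following is an added example, not part of the lab, of [7], or of either proposal: it models the PKI as a table binding each AS to a public key and each prefix to its owning AS, has the origin and each transit AS sign a route attestation covering the prefix, the AS path so far and the neighbor the advertisement is sent to, and has the receiver validate the whole chain. Lamport one-time signatures are used as a standard-library stand-in for the certificate-based signatures the proposals rely on (so each key signs exactly one message here); the AS numbers, prefix and keys are constructed.

```python
import hashlib
import json
import os


def sha256(data):
    return hashlib.sha256(data).digest()


# Lamport one-time signatures: a stand-in for the certificate-bound keys of S-BGP/soBGP
# that needs only a hash function. Each key pair must sign exactly one message.
def lamport_keygen():
    secret = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    public = [(sha256(a), sha256(b)) for a, b in secret]
    return secret, public


def _bits(msg):
    h = sha256(msg)
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(secret, msg):
    return [secret[i][bit] for i, bit in enumerate(_bits(msg))]


def lamport_verify(public, msg, sig):
    return len(sig) == 256 and all(
        sha256(sig[i]) == public[i][bit] for i, bit in enumerate(_bits(msg)))


def route_attestation_bytes(prefix, path, next_as):
    """Canonical encoding of what an AS attests: the prefix, the AS path up to and
    including itself, and the neighbor it is sending the advertisement to."""
    return json.dumps({"prefix": prefix, "path": path, "next": next_as},
                      sort_keys=True).encode()


def originate(keys, asn, prefix, next_as):
    """The origin AS creates the advertisement and signs the first route attestation."""
    path = [asn]
    sig = lamport_sign(keys[asn], route_attestation_bytes(prefix, path, next_as))
    return {"prefix": prefix, "path": path, "attestations": [sig]}


def forward(keys, ann, asn, next_as):
    """Each transit AS appends itself to the path and adds its own attestation."""
    path = ann["path"] + [asn]
    sig = lamport_sign(keys[asn], route_attestation_bytes(ann["prefix"], path, next_as))
    return {"prefix": ann["prefix"], "path": path, "attestations": ann["attestations"] + [sig]}


def validate(pki, ann, receiver_as):
    """Receiver checks the address attestation (origin owns the prefix) and every route
    attestation along the path in order; any break rejects the advertisement."""
    prefix, path, sigs = ann["prefix"], ann["path"], ann["attestations"]
    if pki["prefix_owner"].get(prefix) != path[0]:
        return False                              # origin not authorized for this prefix
    if len(sigs) != len(path):
        return False                              # an AS was dropped or inserted
    for i, asn in enumerate(path):
        next_as = path[i + 1] if i + 1 < len(path) else receiver_as
        msg = route_attestation_bytes(prefix, path[:i + 1], next_as)
        if asn not in pki["as_key"] or not lamport_verify(pki["as_key"][asn], msg, sigs[i]):
            return False
    return True


def build_scenario():
    """Constructed PKI: AS 64900 owns 138.210.240.0/24; 64800 is transit, 64515 receives."""
    keys, pki = {}, {"prefix_owner": {"138.210.240.0/24": 64900}, "as_key": {}}
    for asn in (64900, 64800, 64515):
        keys[asn], pki["as_key"][asn] = lamport_keygen()
    return keys, pki


def demo():
    keys, pki = build_scenario()
    ann = forward(keys, originate(keys, 64900, "138.210.240.0/24", 64800), 64800, 64515)
    genuine = validate(pki, ann, 64515)
    shortened = dict(ann, path=[64900])           # transit AS removed from the path
    replayed = validate(pki, ann, 64700)          # same advertisement handed to the wrong peer
    keys2, pki2 = build_scenario()                # fresh one-time keys for a second scenario
    unauthorized = originate(keys2, 64800, "138.210.240.0/24", 64515)  # 64800 claims the prefix
    return genuine, validate(pki, shortened, 64515), replayed, validate(pki2, unauthorized, 64515)
```

The validation rejects an advertisement whose origin is not the prefix's registered owner, one from which a transit AS has been removed, and one replayed to a neighbor other than the one it was signed for. It also shows where the overhead the excerpt mentions comes from: one attestation per AS on the path, each of which the receiver has to verify against a certificate it must first obtain.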
Summary:
In this lab you have been introduced to the Border Gateway Protocol version
4 (BGPv4), which supports inter-domain routing in the Internet. You have been introduced to the
complications involved in configuring BGP, and you have conducted a practical exercise to
highlight the capabilities available to a malicious person who can gain access to a BGP router.
You have learned that BGPv4 is a critical portion of the Internet’s infrastructure and that any
significant disruption to the services provided by BGPv4 will severely affect the network
performance. You have also been introduced to the issues and proposed solutions for securing
BGPv4.
References:
[1] “Using the Border Gateway Protocol for Interdomain Routing.” Cisco whitepaper.
Retrieved from: http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/icsbgp4.htm
[2] “Introduction to the Border Gateway Protocol (BGP).” Retrieved from:
http://www.academ.com/nanog/feb1997/BGPTutorial/index.htm
[3] (RFC 1771) Rekhter, Y., Li, T. (1995, March). Border Gateway Protocol 4 (BGP-4).
[4] Cisco 3550 Multilayer Switch Software Configuration Guide, 12.1(12c)EA1. Retrieved from:
http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_book09186a008011591c.html
[5] Ethereal Home Page. Retrieved from: www.ethereal.com
[6] Cisco IOS IP Command Reference, Volume 2 of 4: Routing Protocols, Release 12.3. Retrieved from:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017d02f.html#wp1011064
[7] J. Gribschaw, E. Paradise, J. Soria, and R. Wilson. “The Evolution of Inter-Domain
Routing.” Report written for CS7260: Internetworking Architecture and Protocols, Spring 2004.
[8] Roberts, P. (2004). Experts warn of TCP vulnerability. IDG News Service. Retrieved from:
http://www.infoworld.com/article/04/04/20/HNtcpwarning_1.html
[9] (RFC 2285) Heffernan, A. (1998, August). Protection of BGP Sessions via the TCP MD5
Signature Option.
[10] Kent, S.T. (2003). Securing the Border Gateway Protocol. The Internet Protocol Journal.
[11] “BGPv4 Security Essentials Version 5” Cisco white paper. Retrieved from:
ftp://ftp-eng.cisco.com/cons/isp/security/BGP-Risk-Assesment-v.pdf.
[12] White, R. (2003). Securing BGP Through Secure Origin BGP. The Internet Protocol
Journal.
Other RFCs that relate to BGP:
(RFC 1772) Rekhter, Y., Gross, P. (1995, March). Application of the Border Gateway Protocol
in the Internet. T.J. Watson Research Center, IBM Corp., MCI.
(RFC 1773) Traina, P. (1995, March). Experience with the BGP-4 Protocol.
(RFC 1774) Traina, P. (1995, March). BGP-4 Protocol Analysis.
(RFC 2285) Heffernan, A. (1998, August). Protection of BGP Sessions via the TCP MD5
Signature Option.
Note: Current Requests for Comments (RFCs) can be found at http://www.faqs.org/rfcs/ .
General Questions
How long did it take you to complete this lab? Was it an appropriate length lab?
What corrections and/or improvements do you suggest for this lab? Please be very specific, and if
you add new material, give the exact wording and instructions you would give to future students
in the new lab handout. You may cross out and edit the text of the lab on previous pages to make
corrections/suggestions. Note that part of your lab grade is what improvements you make to this
lab. You may want to search the World Wide Web for other tools/techniques. Are there any
additional tools we should add to this lab that teach something new? You need to be very
specific and provide details. Caution as usual: only extract and use the tools you downloaded in
the safe and approved environment of the network security laboratory.
General suggestions like "add tool xyz to do more capable password cracking" will not be awarded
extra points even if the statement is totally true. Specific text that could be cut and pasted into
this lab, completed exercises, and completed solutions may be awarded additional credit. Thus if
tool xyz adds a capability or an additional or better learning experience for future students, you
may add that tool to the lab by writing new detailed lab instructions on where to get the tool, how
to install it, how to run it, what exactly to do with it in our lab, example outputs, etc.
Turn-in Checklist
1. Filled in Answer sheet.
2. Screenshots 1-3.
3. Attachments 1-3.
4. Laboratory improvements in detail.
Appendix A—GTISC Mini-Net Diagram
Lab # Answer Sheet
BGP and BGP Security
Group Number: _________
Member Names: ___________________
_______________________
Section 1
Q.1.2.1. What port does BGP use?
Q.1.2.2. What type of traffic to you see between BGP speakers?
Q.1.2.3. How often do you see the traffic between a given set of BGP routers?
Q.1.2.4. What do you notice about the sequence numbers between the KEEPALIVE
messages? (Hint: What is the length of the KEEPALIVE message?)
Q1.2.5. What is the purpose of this traffic (KEEPALIVE messages)?
Q.1.3.1. What does this command do? (Hint: use [6]
http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017d027.html#wp1037037 )
Q.1.3.2. How long does it take for the system to become stable again (after resetting only
one session between two BGP neighbors)?
Q.1.3.3. How long does it take for the system to become stable again (after resetting two
sessions between BGP neighbors)?
Q.1.4.1. For the first network listed in the table (57.35.0.0/30), why is the next hop
199.77.33.1 considered the best (annotated by ‘>’)? (Hint: look at the BGP Path Selection
Process presented in the background and theory section.)
Q.1.4.2. For the 199.77.33.0/30 network, why is the next hop 0.0.0.0 considered the best?
Q.1.4.3. What is the significance of the weight value 32768 for this AS Path?
Q.1.4.4. Why does the weight value have a higher priority than AS-Path length in the BGP
Path Selection Process?
Q.1.4.5. How many neighbors does Sigma2-rtr (Tier1-swch) have?
Q.1.4.6. What is the keepalive interval for this router’s bgp neighbors? How does this
compare to your answer in Question 1.2.3?
Q.1.5.1. What are the changes to the routing table caused by this configuration?
Network            Old Best Next Hop            New Best Next Hop
Q.1.5.3. What other attribute can you use to implement the policy based routing for this
scenario?
Section 3
Q.3.1. What are the changes to the routing table caused by this configuration?
Network            Old Best Next Hop            New Best Next Hop
Q.3.2. How would an administrator identify that the weight value has been changed?
General Questions
How long did it take you to complete this lab? Was it an appropriate length lab?
What corrections and/or improvements do you suggest for this lab? Please be very specific, and if
you add new material, give the exact wording and instructions you would give to future students
in the new lab handout. You may cross out and edit the text of the lab on previous pages to make
corrections/suggestions. Note that part of your lab grade is what improvements you make to this
lab. You may want to search the World Wide Web for other tools/techniques. Are there any
additional tools we should add to this lab that teach something new? You need to be very
specific and provide details. Caution as usual: only extract and use the tools you downloaded in
the safe and approved environment of the network security laboratory.
General suggestions like "add tool xyz to do more capable password cracking" will not be awarded
extra points even if the statement is totally true. Specific text that could be cut and pasted into
this lab, completed exercises, and completed solutions may be awarded additional credit. Thus if
tool xyz adds a capability or an additional or better learning experience for future students, you
may add that tool to the lab by writing new detailed lab instructions on where to get the tool, how
to install it, how to run it, what exactly to do with it in our lab, example outputs, etc.
Turn-in Checklist
Filled in Answer sheet.
Screenshots 1-3.
Attachments 1-3.
Laboratory improvements in detail.