The Internet’s Border Gateway Protocol (BGP) is one of the most critical components of today’s Internet. It’s the engine that ensures that when your application passes a packet into the network, the network is able to pass it onward to its intended destination. This routing protocol is the glue that binds a large collection of packet switches into a coherent system that functions as the Internet. However, it does not just work all by itself, and within each network the configuration and operation of the routing system are of critical importance.
The BGP routing domain is an example of a distributed system, where there is no overarching control, but instead a diverse collection of routing elements, each of which relies on the correct operation of all the other elements in order to function. To complicate this is the consideration that the Internet can be a hostile place, and vulnerabilities are exploited in various ways. Corrupting the operation of routing is one of the more insidious forms of attack. The edge device and its applications may be operating exactly as intended, but with a corrupted routing environment your packets may be sent to unintended places, where your communications may be examined, or even altered. So how can we secure this routing system, and make a system that is resilient to various forms of attack?
In managing the routing system, each network administrator should configure their local routing environment according to two tenets: “say no evil” and “hear no evil”. It’s necessary to configure the routing system to take care in what routes a BGP speaker passes to its adjacent BGP-speaking peers, to ensure accuracy and to align policy intent with the content of the stream of routing advertisements that are propagated into the Internet. It’s also necessary to be adequately dubious about what a BGP speaker is told by its neighbours, and care and attention must be exercised in examining what a BGP peer passes to the local BGP speaker. Obviously this is not a process of manually inspecting every routing update before accepting it, and the network manager must configure the local routing environment and the associated routing support systems to perform this task automatically.
But to do so is not simple, and working through the published material on what constitutes good routing security practice can be a confusing task with a myriad of sources and often conflicting items of advice. In the IETF there is a publication series of documents that are classified as “Best Current Practice” (BCP). These documents are not technical standards per se, but at the same time they are not just random snippets of potentially useful items of data. These BCP documents are intended to carefully document our current understanding of what it entails to perform a task in the best possible manner. So when the IETF publishes a BCP on BGP Operations and Security, network administrators, and in particular routing managers, should use this as a useful opportunity to check their own network’s setup to ensure that they are up to date with what we understand as best current operational practices.
The publication process for this document is in its final phases, but you can read the final draft of this BCP document at draft-ietf-opsec-bgp-security.
The document contains some useful items about the management of IP addresses and routing, including prefix filtering through the use of Internet Route Registries (IRRs), and the use of digitally signed route origination attestations (ROAs) to protect the integrity of originating address reachability advertisements in routing.
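To make the “hear no evil” side of this concrete, here is an added example (not code from the BCP document or from APNIC) that checks received BGP announcements against a set of ROAs, classifying each as valid, invalid or not-found in the manner of RFC 6811 route origin validation, and then applies an import policy that drops invalid routes. The ROA fields, the sample ROAs and the sample announcements are constructed for illustration, using documentation prefixes and AS numbers.

```python
# Added example: ROA-based origin validation of BGP announcements,
# plus a "hear no evil" import policy that drops invalid routes.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # address block covered by the ROA, e.g. "192.0.2.0/24"
    max_length: int  # longest prefix length the origin AS may announce within it
    origin_as: int   # AS number authorised to originate (0 means "nobody")


def _covers(roa, announced):
    """A ROA covers an announcement when its prefix contains the announced one."""
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == announced.version and announced.subnet_of(roa_net)


def validate_origin(prefix, origin_as, roas):
    """Return 'valid', 'invalid' or 'not-found' for one (prefix, origin AS) pair."""
    announced = ipaddress.ip_network(prefix)
    covering = [r for r in roas if _covers(r, announced)]
    if not covering:
        return "not-found"  # no ROA says anything about this address space
    for r in covering:
        # An AS0 ROA never matches, so every route it covers is invalid.
        if r.origin_as != 0 and r.origin_as == origin_as and announced.prefixlen <= r.max_length:
            return "valid"
    return "invalid"  # covered by a ROA, but wrong origin AS or too specific


def filter_updates(updates, roas, reject_not_found=False):
    """Import policy: keep valid routes, drop invalid ones, and optionally
    drop routes that no ROA covers. Returns (accepted, rejected) lists."""
    accepted, rejected = [], []
    for prefix, origin_as in updates:
        state = validate_origin(prefix, origin_as, roas)
        if state == "invalid" or (state == "not-found" and reject_not_found):
            rejected.append((prefix, origin_as, state))
        else:
            accepted.append((prefix, origin_as, state))
    return accepted, rejected


# Constructed sample data (documentation prefixes and AS numbers).
SAMPLE_ROAS = [ROA("192.0.2.0/24", 24, 64496), ROA("2001:db8::/32", 48, 64497),
               ROA("203.0.113.0/24", 24, 0)]  # AS0: block must not be routed
SAMPLE_UPDATES = [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                  ("192.0.2.0/24", 64500), ("2001:db8:1::/48", 64497),
                  ("203.0.113.0/24", 64498), ("198.51.100.0/24", 64499)]
```

Running `filter_updates(SAMPLE_UPDATES, SAMPLE_ROAS)` accepts the two valid routes and the not-found one, and rejects the too-specific /25, the wrong-origin /24 and the AS0-covered block; passing `reject_not_found=True` also drops the uncovered prefix.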
At APNIC we are supporting this ongoing effort to secure our common routing infrastructure through the operation of a routing registry and the more recent addition of resource certification services and training programs in routing and security.