Securing routing: challenges and solutions in BGP

Posted date 23/11/2023
Author
INCIBE (INCIBE)

The Border Gateway Protocol (BGP) has been fundamental in the expansion of the Internet due to its flexibility and scalability since it was born in the 90s to connect autonomous systems (AS), that is, a large network or group of networks managed by a single organization.

It is a dynamic routing protocol, which allows routes between nodes to be effectively computed and adapted on demand, unlike link-state protocols, which require prior and complete knowledge of the network topology. This means that BGP can efficiently respond to changes in the network topology, adapting routes, as needed, to ensure connectivity. 

BGP operates in two distinct modalities: on one hand, External BGP (eBGP) handles the exchange of routing information between different autonomous systems; on the other hand, Internal BGP (iBGP) handles the exchange of that information between the BGP routers within the same autonomous system. In fact, iBGP can be integrated with OSPF and MPLS to deploy advanced network solutions, such as BGP-signaled VPLS (Virtual Private LAN Service) tunnels and VRF (Virtual Routing and Forwarding), quickly within enterprise networks. This duality allows BGP to manage routing information more effectively, ensuring smoother and more secure communication between the different nodes in the network.

- Scenario of iBGP and eBGP uses. -

In addition, its design focuses on identifying only the shortest path, without taking into consideration the internal structure of individual networks. This means that BGP does not care about the intrinsic details or the configuration of the individual networks through which the information passes; its main goal is to find the most efficient path between two autonomous systems.

Because of these characteristics, BGP has ideal properties for handling large networks, as it can handle an enormous number of routes and adapt to the diverse and extensive topology of the global Internet network, enabling effective communication and data transfer between a vast variety of interconnected networks around the world.

Despite its critical importance and pervasiveness in global network operations, BGP was conceived at a time when security was not a priority concern, so it has weaknesses susceptible to several types of attacks, including route leaks or hijacking, which can lead to service disruptions, data loss or man-in-the-middle attacks.
 

The threat of route Hijacking

The main weakness of BGP is that it is based on the principle of absolute trust, assuming that routers in interconnected networks never lie when advertising the IP address pools they own. This makes it possible for cybercriminals to compromise a legitimate BGP router and make fake route announcements, which can lead to Internet traffic being diverted along sub-optimal and possibly malicious routes.

For example, let us imagine that AS1 has the legitimate authorization to originate the prefix 207.50.100.0/22, and in parallel, AS3 – without authorization – maliciously announces the same prefix. Neighboring autonomous systems, such as AS2, would receive both routes and should select one of them, based on their BGP route tables and routing policies. If an autonomous system decides that the route through AS3 is the best, then traffic destined for the prefix 207.50.100.0/22 would be diverted to AS3, instead of its rightful destination, AS1. 

- Scenario of BGP route hijacking by AS3. -

Not only could this diversion increase latency and degrade the user experience, but it also allows attackers to monitor, intercept, or manipulate data traffic passing through the compromised paths. In addition, they can direct users to malicious websites or intercept and disrupt communication between the user and legitimate websites. The attacker, in order to avoid detection, may choose to hijack IP prefixes that are not in use, as these can go unnoticed for a longer time.

Detecting these hijacks is complicated, but constantly monitoring traffic paths for significant increases in latency or unexpected changes in routes can reveal indications of this malicious activity, allowing organizations to take action to mitigate the risks.
 

Towards secure addressing

Understanding and countering BGP threats is a considerable challenge, requiring permanent alertness and collaboration between multiple actors in cyberspace. MANRS (Mutually Agreed Standards for Routing Security) is an open, global initiative supported by the Internet Society that ASs can join, which seeks to implement vital measures to minimize the most prevalent routing threats. Some of the best practices it promotes to strengthen routing security include:

  • Filtering: This involves making sure that routing advertisements are correct, stopping false route advertisements that can distort the routing structure of the Internet. By implementing effective filtering policies, the propagation of incorrect routing information can be prevented.
  • Anti-spoofing: Source address validation is enabled to prevent packets with spoofed IP addresses from entering or leaving a network. This helps reduce the amount of malicious traffic and spoofing on the Internet.
  • Coordination: Refers to keeping contact information globally accessible and proactively responding to routing security incidents. Cooperation and effective communication between network operators are vital to quickly resolve potential security issues.
  • Routing information: Network operators and owners of Internet resources must publish their routing policies and the prefixes they intend to advertise, allowing such information to be validated by third parties.

In addition to these best practices, there are additional mechanisms that contribute to the security of Internet routing and protection against possible attacks:

  • Resource Public Key Infrastructure (RPKI) is a layer of security that works to ensure that only authorized autonomous systems (ASs) have the ability to advertise specific routes. This reinforces the authenticity and validity of advertised routes, restricting the ability of unauthorized entities to advertise illegitimate routes.
  • Route Origin Authorizations (ROAs) are part of the RPKI system and allow IP address holders to specify which autonomous systems are authorized to originate their network prefixes, and up to which prefix length. In this way, they facilitate the validation of routes by other network operators, allowing greater control and security in the announcement of routes on the network.
  • The Internet Routing Registry (IRR): Provides databases containing correct and secure routing information, acting as a trusted reference for network operators in configuring routing policies and making forwarding decisions.

In addition, BGPsec, a security extension of BGP that adds an extra layer of protection, allows eBGP routers to digitally sign their route update announcements, significantly complicating the task of rogue systems trying to improperly advertise illegitimate routes to other ASs, as forged advertisements can be easily identified and dismissed. The global rollout of BGPsec is underway; however, its global adoption will be a gradual process due to the extensive number and variety of ASs in the world.

Finally, and regardless of the previous approaches, it is always good practice for AS administrators to take a more conscious and restrictive approach to IP prefix declarations. Limiting the declaration of IP prefixes to specific networks and accepting advertisements only from trusted networks will help minimize exposure to malicious actors and strengthen the security of routes, thus contributing to the overall integrity and stability of the Internet.

Conclusion

Ensuring the security of routing protocols on the Internet is crucial to maintaining and strengthening the trust of users and businesses in the digital services that make use of the global network. Given the ever-increasing threats and vulnerabilities, the development and implementation of robust security mechanisms, such as BGPsec, RPKI, IRR, and ROA, is imperative to building and preserving a secure and trustworthy online environment.

While implementing and enforcing these security mechanisms present significant and often complex challenges, from technical adaptation to financial investment, these obstacles should not prevent their adoption. It is crucial to overcome them in order to strengthen the security and resilience of the Internet against intentional attacks and human error, which can compromise the integrity and availability of online services.

Investment in such security measures should not be seen as an unnecessary expense or operational burden, but rather as  a shared responsibility among all actors involved (internet service providers, enterprises, governments, and end-users) to ensure a resilient and secure digital future for all. Proactively adopting these measures will help create an Internet ecosystem where trust and security are the norm.