Understanding BGP and How it Works for Security

BGP is the optimized postal service of the Internet, ensuring data packets find their way from your device to its destination. However, router misconfigurations, malicious actors attempting to divert traffic, and other events can cause traffic to follow incorrect paths, leading to degraded performance, higher-than-necessary latency, or traffic being intercepted or dropped along the way.

Path Selection

How does BGP work? BGP speakers in different networks establish peering sessions (over TCP, port 179) and exchange routing information across them. Each network shares only what its policy allows, which keeps the global routing system manageable at Internet scale and makes BGP a core technology for today's large enterprises, ISPs, and other network operators. A network must have an autonomous system number (ASN) to participate: the ASN identifies the network in every AS_PATH carried in the global routing table. ASNs are assigned by the Internet Assigned Numbers Authority (IANA) to the regional Internet registries, which in turn allocate them to ISPs and other network operators. Once a network has an ASN, its routers exchange routes with each other over iBGP and with neighboring networks over eBGP. Each router considers the routes received from its peers and selects one per prefix to install in its routing table, comparing candidates in a fixed order: highest local preference, shortest AS_PATH, lowest origin type (IGP before EGP before INCOMPLETE), lowest MED, eBGP-learned over iBGP-learned, lowest IGP cost to the next hop, and finally lowest router ID as a tie-breaker. Local preference is the operator's main policy knob; it is set locally and is never sent to eBGP neighbors.

Because routing tables change continuously as links fail and routers come up, a route is sometimes withdrawn and re-announced many times in quick succession, which is known as route flapping. Every flap forces every router that knows the route to re-run path selection, and the churn can spread instability across the network. The mitigation for flapping is route flap dampening, covered in its own section below. Resource Public Key Infrastructure (RPKI) addresses a different problem: it publishes cryptographically signed records (Route Origin Authorizations, or ROAs) stating which AS may originate a prefix and up to what prefix length, so a router can classify each announcement as valid, invalid, or not found and reject or deprioritize announcements from an unauthorized origin. That defeats the simplest form of prefix hijacking, but it says nothing about the rest of the path, so it is a complement to filtering, not a replacement for it.
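The two mechanisms described above, as an added example that is not part of the original article: route origin validation against a ROA set (RFC 6811 semantics), followed by the best-path comparison in the order listed. The ROA, prefixes, and AS numbers are constructed samples; the candidate with origin AS 64666 stands in for a hijack that our policy happens to prefer on local preference, which is exactly the case where dropping RPKI-invalid routes before path selection matters.

```python
"""Origin validation (RFC 6811) followed by BGP best-path selection.
Added illustration; the ROA, prefixes and ASNs are constructed samples."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # authorized prefix, e.g. "203.0.113.0/24"
    max_length: int  # longest prefix length the origin may announce
    asn: int         # AS authorized to originate it


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    as_path: tuple           # leftmost = neighbor that sent it, rightmost = origin AS
    local_pref: int = 100    # set locally, never carried to eBGP neighbors
    origin: int = 0          # 0 = IGP, 1 = EGP, 2 = INCOMPLETE; lower wins
    med: int = 0
    from_ebgp: bool = True
    igp_cost: int = 0        # IGP metric to reach next_hop
    router_id: str = "0.0.0.0"


def rov_state(route, roas):
    """Return 'valid', 'invalid' or 'notfound' for the route's origin AS."""
    net = ipaddress.ip_network(route.prefix)
    origin_as = route.as_path[-1]
    covering = [r for r in roas
                if ipaddress.ip_network(r.prefix).version == net.version
                and ipaddress.ip_network(r.prefix).supernet_of(net)]
    if not covering:
        return "notfound"      # no ROA covers the prefix: nothing to check against
    for r in covering:
        if r.asn == origin_as and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"           # covered by a ROA, but wrong origin or too specific


def best_path(candidates, roas, drop_invalid=True):
    """Pick one route per prefix the way a BGP speaker does.

    Simplifications: the Cisco-only 'weight' step is omitted, and MED is
    compared across all neighbors (like 'bgp always-compare-med') rather
    than only between routes from the same neighbor AS.
    """
    usable = [c for c in candidates
              if not (drop_invalid and rov_state(c, roas) == "invalid")]
    if not usable:
        return None

    def rank(r):
        return (-r.local_pref,                           # higher local preference wins
                len(r.as_path),                          # shorter AS_PATH wins
                r.origin,                                # IGP < EGP < INCOMPLETE
                r.med,                                   # lower MED wins
                0 if r.from_ebgp else 1,                 # eBGP-learned over iBGP-learned
                r.igp_cost,                              # closer next hop wins
                int(ipaddress.ip_address(r.router_id)))  # lowest router ID as tie-break

    return min(usable, key=rank)


# Constructed sample: one ROA says only AS 64496 may originate 203.0.113.0/24.
ROAS = [ROA("203.0.113.0/24", 24, 64496)]

CANDIDATES = [
    Route("203.0.113.0/24", "192.0.2.1", (64500, 64496)),
    # Hijack attempt: AS 64666 originates the prefix itself, and our policy
    # happens to give that neighbor a high local preference.
    Route("203.0.113.0/24", "192.0.2.2", (64666,), local_pref=200),
    Route("203.0.113.0/24", "192.0.2.3", (64501, 64502, 64496)),
]


def demo():
    """Return (best path with ROV enforced, best path without it) for the sample."""
    return (best_path(CANDIDATES, ROAS),
            best_path(CANDIDATES, ROAS, drop_invalid=False))


if __name__ == "__main__":
    with_rov, without_rov = demo()
    print("with ROV:   ", with_rov.as_path)
    print("without ROV:", without_rov.as_path)
```

With ROV enforced the legitimate two-hop path through AS 64500 wins on AS_PATH length; without it the hijacker's single-hop announcement wins on local preference, which is why invalid routes must be dropped (or at least deprioritized) before the comparison runs, not after.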

Border Gateway Protocol

Path Leakage

The Internet is not run by one company; it comprises tens of thousands of smaller networks, known in networking-speak as autonomous systems. Each autonomous system shares routing information with its neighbors via BGP messages. As the Internet grows, so does this routing data, and every prefix in the table is state that each router must store, compare, and re-evaluate whenever something changes, so a bad announcement has more opportunity to spread and more routers to disrupt. A route leak (RFC 7908) is the propagation of a routing announcement beyond its intended scope. The classic case is a customer that learns routes from one provider and re-advertises them to another, so the second provider's traffic is pulled through the customer's network. Most leaks are misconfigurations, but an attacker who controls a BGP speaker can cause the same effect deliberately to redirect traffic to a point where it can be inspected or dropped. If BGP sessions are not filtered and monitored, the damage is limited only by how far the leaked routes propagate. To prevent this, network administrators configure every BGP session with explicit import and export policy, and the two sides of a session should agree on what will be exchanged. Prefix-lists and AS-path filters restrict what a neighbor may send and receive, maximum-prefix limits shut a session down if a neighbor suddenly announces far more than expected, and BGP communities tag routes on the way in (for example, "learned from a customer" or "learned from a peer") so that export policy can act on the tag on the way out. The standard rule is that routes learned from a provider or a peer are exported only to customers; routes learned from a customer may go to everyone. Received routes go into the router's routing information base (RIB): the Adj-RIB-In holds what each neighbor sent, the Loc-RIB holds the selected best paths, and the Adj-RIB-Out holds what the router advertises to each neighbor after export policy has been applied. Convergence is the process by which the RIBs settle after a significant connectivity change: new routes are installed, superseded ones are withdrawn, and path selection is re-run until no router has pending updates.
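The export rule above, turned into a leak detector as an added example (not code from the original article): given a received AS_PATH and a table of provider/customer and peer relationships, replay the announcement from the origin towards us and flag the first AS that exported a route it should not have. The AS numbers and relationships are constructed; a real deployment would take them from its own peering database or from inferred relationship data.

```python
"""Route-leak detection with the valley-free rule and the export policy that
prevents leaks. Added illustration; AS numbers and relationships are constructed."""

MY_AS = 64500

# Constructed business relationships as (provider, customer) pairs, plus
# unordered peer pairs. AS 64501 buys transit from both us and AS 64502.
PROVIDER_OF = {
    (64500, 64501),  # we are 64501's provider
    (64502, 64501),  # 64502 is also 64501's provider
    (64503, 64502),  # 64503 is 64502's provider
    (64501, 64510),  # 64510 is 64501's customer
    (64540, 64520),  # 64540 is the provider of our peer 64520
}
PEERS = {frozenset((64500, 64520))}


def relationship(exporter, importer):
    """Direction a route moves when `exporter` announces it to `importer`."""
    if (importer, exporter) in PROVIDER_OF:
        return "up"        # customer announcing to its provider
    if (exporter, importer) in PROVIDER_OF:
        return "down"      # provider announcing to its customer
    if frozenset((exporter, importer)) in PEERS:
        return "peer"
    return "unknown"


def should_export(learned_via, export_via):
    """Routes learned from a provider or peer go only to customers;
    routes learned from a customer may go to everyone."""
    if learned_via == "up":          # learned from a customer
        return True
    return export_via == "down"      # otherwise only downhill, to customers


def check_path(as_path, my_as=MY_AS):
    """Classify a received AS_PATH (leftmost = neighbor, rightmost = origin).

    Replays the announcement from the origin towards us and returns
    ("ok", None), ("leak", leaking_as) or ("unknown", as_without_known_relation).
    """
    hops = list(reversed(as_path)) + [my_as]
    learned_via = "up"   # an origin AS may export its own prefix to anyone
    for exporter, importer in zip(hops, hops[1:]):
        export_via = relationship(exporter, importer)
        if export_via == "unknown":
            return "unknown", exporter
        if not should_export(learned_via, export_via):
            return "leak", exporter
        learned_via = export_via
    return "ok", None


if __name__ == "__main__":
    # Legitimate: 64510 announces to its provider 64501, which announces to us.
    print(check_path((64501, 64510)))
    # Leak: 64501 learned the route from its provider 64502 and re-exported it
    # to its other provider (us): the hairpin case from RFC 7908.
    print(check_path((64501, 64502, 64503)))
    # Leak: our peer 64520 passes us a route it learned from its provider.
    print(check_path((64520, 64540)))
```

The "unknown" result is deliberate: when the relationship for a hop is not known the checker refuses to call the path clean, which is the conservative answer for a detector, although a production filter would usually fall back to prefix-lists and maximum-prefix limits rather than reject on that basis alone.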

Route Injection

BGP routers exchange route information, sharing details about network paths and reachability among autonomous systems (AS) on the Internet. Note that BGP chooses paths by policy and AS-path length, not by measured speed: the "best" path is the one the operator's configuration prefers, which is not necessarily the fastest. The most significant security issue with BGP is that it relies on trust. Because routers trust that their peers will not lie about route information, they do not check that a route is legitimate before accepting it and advertising it onward. This means that if a peer advertises a prefix it has no right to announce, its neighbors will accept it and forward traffic along that path. When this happens through misconfiguration it is a route leak; when an attacker deliberately originates someone else's prefix, or a more-specific slice of it (which wins because forwarding always prefers the longest matching prefix), it is a prefix hijack. Either way the remedy on the receiving side is the same: filter what each neighbor is allowed to send. On Cisco IOS that means `neighbor ... prefix-list ... in` to accept only a customer's registered prefixes, `neighbor ... filter-list ... in` for AS-path filtering, and `neighbor ... maximum-prefix` as a circuit breaker. A common inbound rule is to reject any announcement that equals or is more specific than your own prefixes, since no neighbor should ever be the path to your own address space.

Cisco's `bgp inject-map` and `exist-map` features are sometimes described as leak-mitigation tools, but they do something different. `bgp inject-map INJECT exist-map EXIST` tells the router to add the more-specific prefixes listed in the inject route-map to its BGP table only while the aggregate named in the exist route-map is present and was learned from the expected source. That is the reverse of suppression: `aggregate-address ... summary-only` advertises only the summary and suppresses the individual subnets, and conditional route injection puts selected subnets back, typically for traffic engineering on a router that only received the aggregate. Neither feature stops a neighbor from leaking. A more-specific you inject is one more announcement you are responsible for keeping inside your own address space, so it should be covered by the same outbound prefix-list as everything else you originate.
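The inbound checks described above, as an added example that is not part of the original article and not any vendor's implementation: an inbound filter for one neighbor session that rejects malformed prefixes, the default route, anything longer than /24, bogons, anything overlapping our own space, anything outside the neighbor's registered allow-list, and that trips a maximum-prefix circuit breaker. All prefixes, the bogon list, and the allow-list are constructed; RFC 5737 documentation ranges are left out of the bogon list on purpose so they can stand in for public address space in the samples.

```python
"""Inbound prefix filtering for one BGP neighbor. Added illustration, not a
vendor implementation; prefixes and the neighbor's allow-list are constructed."""
import ipaddress

# Constructed bogon list: space that must never appear in the global table.
# RFC 5737 documentation ranges are deliberately omitted so they can stand in
# for public address space in the samples below.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Our own address space: a neighbor is never a valid path to it.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# What this neighbor is registered to announce (a customer session). For a
# transit-provider session this would be empty and the allow-list check skipped.
NEIGHBOR_ALLOWED = ["198.51.100.0/24"]

MAX_PREFIX_LENGTH = 24   # nothing longer than /24 is accepted from a neighbor
MAX_PREFIXES = 4         # circuit breaker: more accepted than this and the session drops


def covered_by(net, nets):
    """True if `net` equals or lies inside any network in `nets`."""
    return any(n.version == net.version and n.supernet_of(net) for n in nets)


def filter_announcements(announcements, allowed=None):
    """Return (accepted, rejected); rejected maps each prefix to its reason.

    accepted is None if the maximum-prefix limit was hit, meaning the session
    should be torn down rather than partially accepted. The limit counts
    accepted prefixes only, a simplification of what vendors actually count.
    """
    allow = [ipaddress.ip_network(p) for p in
             (NEIGHBOR_ALLOWED if allowed is None else allowed)]
    accepted, rejected = [], {}
    for raw in announcements:
        try:
            net = ipaddress.ip_network(raw, strict=True)   # host bits set => reject
        except ValueError:
            rejected[raw] = "unparseable prefix"
            continue
        if net.prefixlen == 0:
            rejected[raw] = "default route"
        elif net.prefixlen > MAX_PREFIX_LENGTH:
            rejected[raw] = "more specific than /%d" % MAX_PREFIX_LENGTH
        elif covered_by(net, BOGONS):
            rejected[raw] = "bogon"
        elif covered_by(net, OUR_PREFIXES):
            rejected[raw] = "overlaps our own prefix"
        elif allow and not covered_by(net, allow):
            rejected[raw] = "not in neighbor's allow-list"
        else:
            accepted.append(net)
        if len(accepted) > MAX_PREFIXES:
            return None, {"*": "maximum-prefix %d exceeded, session dropped" % MAX_PREFIXES}
    return accepted, rejected


# Constructed announcements from the neighbor, one per rule.
SAMPLE = [
    "198.51.100.0/24",    # registered customer prefix: accepted
    "198.51.100.0/25",    # too specific for the global table
    "203.0.113.0/24",     # our own space: never accept it from a neighbor
    "10.0.0.0/8",         # bogon
    "192.0.2.0/24",       # public-looking, but not in this neighbor's allow-list
    "0.0.0.0/0",          # default route
    "198.51.100.1/24",    # host bits set: malformed
]

if __name__ == "__main__":
    accepted, rejected = filter_announcements(SAMPLE)
    print("accepted:", [str(n) for n in accepted])
    for prefix, reason in rejected.items():
        print("rejected %-18s %s" % (prefix, reason))
```

The order of the checks matters only for the reason reported; every rejected prefix would fail regardless. The maximum-prefix behaviour is the important edge case: a neighbor that suddenly announces a full table (a common symptom of a leak) should lose the session, not have its first few thousand routes accepted.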

Route Flapping

As noted above, the Internet is a graph of thousands of autonomous systems, and BGP is the protocol that lets them exchange routing information and route packets from one network to another. Unfortunately, BGP itself has no way to verify that an announcement is legitimate: TCP MD5 or TCP-AO can authenticate the session between two neighbors, but nothing in the protocol checks that a neighbor is entitled to announce what it sends. That leaves it to each autonomous system to filter the announcements it accepts and propagates, and where that filtering is missing the result is route leaks or outright hijacking, where routers publish incorrect routing information and traffic is sent along the wrong paths.

This can slow down the Internet or redirect traffic to malicious networks that can eavesdrop on it or drop it. Route flap dampening is a separate mechanism aimed at instability rather than malice: it reduces the impact of flapping routes and keeps them from spreading churn throughout a network. Each router keeps a penalty per route that grows with every flap and decays exponentially with a configured half-life; when the penalty exceeds the suppress threshold the route is withheld from path selection and from neighbors, and it is reused only once the penalty has decayed below the reuse threshold. The classic defaults (a penalty of 1000 per flap, a 15-minute half-life, suppress at 2000, reuse at 750, and at most 60 minutes of suppression) proved so aggressive that a handful of legitimate updates could take a prefix out of service for an hour, so RFC 7196 recommends raising the suppress threshold to about 6000 so that only genuinely unstable routes are damped.
