After 20 years, BGP still lacks security foundation

After 20 years, it's time for a BGP makeover to provide security validation capabilities to prevent the next hijack.

It's time for the Border Gateway Protocol (BGP), the foundational protocol of the Internet, to be rethought and recrafted.

Everyone recognizes the key role BGP plays. It allows autonomous networks to communicate, and it also permits those networks to find the best paths for data to travel based on routes exchanged and reachability information. It is the underlying protocol that underpins today's Internet.

Yet the current version, BGP 4, is celebrating its 20th birthday this year and despite enhancements, the protocol still lacks a viable and scalable security foundation.

There is, for example, no validation mechanism for exchanged data and it's largely dependent on filtering best practices that are, in many surprisingly high-profile cases, either unknown, unimplemented or just flatly ignored.

Because the nature of BGP is largely based on the honor system, there is a large, easily exercised window for foul play.

And plugging BGP's vulnerabilities is easier said than done. It is difficult to gain experience in large-scale production BGP implementation. Although documentation is vast, the protocol is fairly simple to implement, and it is easy to forget about due to its stability and unique function. This dichotomy makes engineers and operators complacent about the very real need to provide it care and feeding. It also creates a knowledge gap in those charged with maintaining the policies involved with running it: Because the nature of BGP is largely based on the honor system, there is a large, easily exercised window for foul play.

BGP exploits and vulnerabilities reflect need for checks and balances

In fact, there have been a number of large-scale and high-visibility instances of BGP route hijacking in the last few years. A prime example is what occurred last month, when Indonesian telecommunications company Indosat originated roughly 400,000 prefixes that weren't allocated to it.

In 2008, Pakistan Telecommunication Co. Ltd. blackholed YouTube in an attempt to restrict local access. A misconfiguration error, however, led to an inadvertent denial of service (DoS), preventing other peer ISP customers from accessing YouTube's resources. This maintenance window gone awry could have been easily avoided if upstream providers appropriately filtered accepted routes.

The real issue, though, is not DoS. That's only the low-hanging fruit and a side effect of a mechanism in need of checks and balances. The rerouting of information via a route injection or a bad actor originating network routes it has no authority over; these are the wolves in sheeps' clothing. The resulting behavior is the moving and diverting of traffic paths via false BGP advertisements. These attacks were able to exploit the soft underbelly of BGP configuration -- the lack of appropriate filtering.

And that is the real thorn of BGP. What does it mean to average users? Their connection to their banking site, for example, could be potentially funneled into a third party for inspection.

BGP an artifact of a simpler networking time

Imagine your banking transactions being rerouted through a third party -- perhaps one based in a foreign country -- which then intercepts the credentials. Secure sockets layer (SSL) protection can help, but with the recent Heartbleed exploit, even the trust that SSL provides can be called into question. SSL fears notwithstanding, how often do regular users just click through SSL warnings? The average user will likely simply click through certificate pop-ups.

Worse yet, perhaps your transactions or other communications are not encrypted at all. Financial data could be potentially harvested -- and at an extremely high rate -- if enough resources were provided by the bad actors. This scenario is just the tip of the iceberg; there are so many applications for controlling the IPv4 or IPv6 address space that the possibilities for damage are pretty limitless.

BGP is an artifact of a more simple time, when the notions of personal and financial data on the network and a connection in every home were still well down the road. There are projects attempting to make headway and change the way the routing exchanges are being built. BGP Resource Public Key Infrastructure (RPKI) is arguably the most important of them. BGP RPKI uses well-understood and widely deployed public key infrastructure (PKI) to sign and validate routes. Using cryptographic digital certificates, PKI enables secure communication over insecure networks and permits the reliable verification of users and resources. The notion of BGP RPKI is important and it has real merit. Unfortunately, like so many undertakings that are actually needed (IPv6, domain name system security extensions), it requires both a critical mass and a desire to do it.

Network architects, engineers and operators need a way to programmatically validate and distinguish a valid route announcement from a non-authorized route announcement. In an ideal world this would already be the case, but as it stands today, we're just waiting for the next hijack.

About the author:
Nick Buraglio is a network engineer for a nationwide research network and has more than 16 years of networking experience. Read more of Buraglio's opinions here.

This was last published in May 2014

Dig Deeper on Network Security Monitoring and Analysis

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

What is your greatest fear about the BGP?