BGP. Border Gateway Protocol. The de-facto standard routing protocol of the Internet. The nervous system of the Internet. I don’t think I can overstate the importance, the criticality of BGP to the operation of the modern Internet. BGP is the glue that holds the Internet together at its core. And like so many integral pieces of the Internet, it, too, is designed and built on the principle of trust. That trust has largely been justified. The folks who operate the individual networks that make up the Internet are generally interested in keeping the Internet operating, in keeping the packets flowing. And they do a great job, for the most part.
However, as the scope, scale, and importance of the Internet have grown, so has the risk. Accidents happen, and there are nefarious people out there.
Luckily the industry has taken note in recent years. Ongoing work in the IETF’s Secure InterDomain Routing (SIDR) working group is creating solutions. Specifically, the group is focused on ensuring proper route origination through the development of a Resource Public Key Infrastructure (RPKI) and on ensuring AS path validity through the development of the BGPSEC protocol.
We need to pause here for a moment though. These newer efforts to secure BGP, and with it the core of the Internet, are absolutely laudable, and much good will come from them. But there are some other, perhaps simpler, perhaps older techniques to secure BGP that are too often overlooked by network operators today. Things like prefix filters, max-prefix limits, and setting a TTL with your peer. A fairly recent IETF Internet-Draft on BGP operations and security describes these:
…measures to protect the BGP sessions itself (like TTL, MD5, control plane filtering) and to better control the flow of routing information, using prefix filtering and automatization of prefix filters, max-prefix filtering, AS path filtering, route flap dampening and BGP community scrubbing.
Of course, if every network engineer knew how to deploy all of the available mechanisms for securing BGP, the core of the Internet would be a much safer, more secure and resilient place. That’s where Deploy360’s newest topic “Securing BGP” comes in!
The Internet Society Deploy360 Programme is designed to put practical information grounded in real-world experiences and case studies into the hands of network operators who need to deploy key Internet technologies. Because we believe that securing its core is key to the future of a free and open Internet, we’ve launched a new topic on Securing BGP:
This section of our site on “Securing BGP” is focused on providing the information that network operators need to understand in order to secure their routers and ensure that they are doing their part for the security and resiliency of the overall Internet routing infrastructure. We are not focused here on a specific approach but rather outlining the different approaches and tools that are available to help secure your routing systems.
The new Securing BGP topic will collect, curate, and create documentation to help network operators deploy the full range of BGP security mechanisms. From adding MD5 to your peering sessions, to proper prefix filtering, and on to RPKI and BGPSEC when the time is right.
You can help!
We need your help Securing BGP! As was noted in the topic launch announcement, there are several ways for you to get involved:
1. Read through our pages and content roadmap – Please take a look through our “Securing BPG” set of pages, and also please take a look at our content roadmap for [Securing] BGP. Are the current resources listed helpful? Is the way we have structured the information helpful? Will the resources we list on our roadmap help you make your routers more secure?
2. Send us suggestions – If you know of a report, whitepaper, tutorial, video, case study, site or other resource we should consider adding to the site, please let us know. We have a list of many resources that we are considering, but we are always looking for more.
3. Volunteer – If you are very interested in this topic and would like to actively help us on an ongoing basis, please fill out our volunteer form and we’ll get you connected to what we are doing.
4. Help us spread the word – As we publish resources and blog posts relating to securing BGP, please help us spread those links through social networks so that more people can learn about the topic.
What are you waiting for? Let’s secure BGP together!
This post originally appeared on CircleID.
[…] Securing the Core is a post from don't panic – One Network Technologist's View of Life, the Internet, and Everything. […]