Introducing RFC 7454: BGP Operations and Security
Today I’m re-reading an IETF RFC that was published just this month. RFC 7454 is titled “BGP Operations and Security” and that’s exactly what it’s about. The documents’ abstract does a great job of summarizing the content:
This document describes measures to protect the BGP sessions itself such as Time to Live (TTL), the TCP Authentication Option (TCP-AO), and control-plane filtering. It also describes measures to better control the flow of routing information, using prefix filtering and automation of prefix filters, max-prefix filtering, Autonomous System (AS) path filtering, route flap dampening, and BGP community scrubbing.
We often get excited about shiny new technologies or protocols. Sometimes it’s better to be well grounded in the fundamentals. This RFC is one great example of that.
As you’ve probably heard, the IETF’s Secure InterDomain Routing (SIDR) working group is engaged in increasing the security of BGP. Specifically, the group is focused on ensuring proper route origination through the development of a Resource Public Key Infrastructure (RPKI) and on ensuring AS path validity through the development of the BGPSEC protocol. These newer efforts to secure BGP, and with it the core of the Internet, are absolutely laudable, and much good will come from them. But there are some other, perhaps simpler, perhaps older techniques to secure BGP that are too often overlooked by network operators today. Things like prefix filters, max-prefix limits, and setting a TTL with your peer. Things exactly like what’s covered in RFC 7454.
If you haven’t yet taken the time, I highly recommend that you give RFC 7454 a read. Once you have, we could use your help spreading this knowledge.
As I mentioned when I first wrote about this document; there are several ways that you can help us secure the core of the Internet:
1. Read through our pages and content roadmap – Please take a look through our “Securing BPG” set of pages, and also please take a look at our content roadmap for BGP. Are the current resources listed helpful? Is the way we have structured the information helpful? Will the resources we list on our roadmap help you make your routers more secure?
2. Send us suggestions – If you know of a report, whitepaper, tutorial, video, case study, site or other resource we should consider adding to the site, please let us know. We have a list of many resources that we are considering, but we are always looking for more.
3. Volunteer – If you are very interested in this topic and would like to actively help us on an ongoing basis, please fill out our volunteer form and we’ll get you connected to what we are doing.
4. Help us spread the word – As we publish resources and blog posts relating to securing BGP, please help us spread those links through social networks so that more people can learn about the topic.
This post also appears on the Deploy360 blog.