Border Gateway Protocol (BGP) is one of many dynamic routing protocols, and routing on the Internet is built on it. It is designed to exchange routing and reachability information between autonomous systems (AS) on the Internet. BGP can also carry information about diverse routed protocols (IPv4, IPv6, L2VPN, VPNv4).

Full trust between BGP peers is one of the weaknesses of the protocol.

See the following case, in which a BGP misconfiguration by a network engineer in Indonesia led to the giant Google going down for 30 minutes:

http://arstechnica.com/information-technology/2012/11/how-an-indonesian-isp-took-down-the-mighty-google-for-30-minutes/

Or take a look at this case, in which a hacker redirected traffic from 19 Internet providers to steal $83,000 in bitcoins:

http://www.zdnet.com/article/hacker-hijacks-isps-steals-83000-from-bitcoin-mining-pools/

There are still many more cases described as Internet disasters that were caused by the BGP routing protocol. Service providers use BGP routers to announce which Internet Protocol addresses they can easily deliver traffic to, so that other providers know which traffic to send them. Networks continuously update and broadcast these announcements, but the accuracy of the information provided by BGP routers is taken on trust, which means anyone who can gain access to one can redirect some part of online traffic.

What Can We Do to Secure BGP Peering?

  • Advertise your prefixes only
  • Don’t accept your own prefixes
  • Don’t accept RFC 1918 (private IP address) and other reserved ones (RFC 5735)
  • Don’t accept default route (unless you need it)
  • Don’t accept prefixes longer than /24
  • Don’t accept bogon prefixes
  • Limit your max prefix
  • Limit AS_PATH
  • Detect route flapping
  • Use remotely triggered blackhole (RTBH)
  • RPKI implementation

All of the methods above have to be configured manually on our BGP router. But one of them has become a new hope in BGP technology: RPKI (Resource Public Key Infrastructure). What are the facts about RPKI, and can we implement it in RouterOS?

  • RPKI is a first step toward securing BGP
  • It allows certifying (and verifying) that a prefix is advertised by its original AS (in other words, that an IP points to its legitimate owner)
  • Not yet supported by MikroTik RouterOS 6
  • Will it be included in RouterOS v7?
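
The origin check that RPKI makes possible can be sketched as follows. This is an added example, not code from the original post or from RouterOS: it follows the route origin validation rules of RFC 6811, and the VRP table, the AS numbers and the function names `validate_origin` and `accept` are constructed for illustration.

```python
import ipaddress

# Constructed VRPs (validated ROA payloads): prefix, maxLength, origin AS.
# Prefixes and AS numbers are taken from the documentation ranges.
VRPS = [
    ("198.51.100.0/24", 24, 64500),
    ("2001:db8::/32", 48, 64501),
    ("203.0.113.0/24", 24, 0),  # AS0 ROA: the holder asks that this never be routed
]


def validate_origin(prefix, origin_as, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement (RFC 6811)."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        vrp = ipaddress.ip_network(vrp_prefix)
        # A VRP covers the route when the route equals or lies inside its prefix.
        if route.version != vrp.version or not route.subnet_of(vrp):
            continue
        covered = True
        # Match: announced length within maxLength and the same origin AS.
        # AS 0 never matches; origin_as is None when the path ends in an AS_SET.
        if route.prefixlen <= max_len and vrp_as != 0 and origin_as == vrp_as:
            return "valid"
    # Covered by at least one VRP but matched by none: wrong origin or too specific.
    return "invalid" if covered else "not-found"


def accept(prefix, origin_as):
    """Policy assumed here: drop only 'invalid'; 'not-found' is still accepted."""
    return validate_origin(prefix, origin_as) != "invalid"


if __name__ == "__main__":
    announcements = [  # constructed announcements: (prefix, origin AS)
        ("198.51.100.0/24", 64500),    # matches its ROA
        ("198.51.100.0/24", 64511),    # right prefix, wrong origin AS
        ("198.51.100.128/25", 64500),  # more specific than maxLength allows
        ("192.0.2.0/24", 64500),       # no ROA covers it
        ("203.0.113.0/24", 64502),     # covered only by an AS0 ROA
    ]
    for prefix, asn in announcements:
        print(f"{prefix:20} AS{asn:<6} {validate_origin(prefix, asn)}")
```

The more-specific /25 is rejected even though its origin AS is correct, which is why the maxLength field of a ROA matters as much as the AS number.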

Author: admin
