Overview
ABSTRACT
The Border Gateway Protocol (BGP) is the only protocol interconnecting all the IP networks that make up the Internet. Hence Internet interconnection security and robustness depend exclusively on the security of BGP. This article presents some weaknesses of this protocol, such as the ability to spoof a BGP peer, global incidents due to malformed messages or human errors, BGP route injection and traffic hijacking. After discussing the risks, this article presents all the countermeasures available to operators, such as inherent security mechanisms and operational best practices, that aim to build a more reliable and resilient Internet.
AUTHOR
Sarah NATAF: Network Architect, Orange, Paris, France
INTRODUCTION
The Internet is a network made up of tens of thousands of IP networks interconnected in pairs. These interconnections are based on a single communications protocol: BGP, or Border Gateway Protocol, which dynamically calculates and propagates the best paths to a destination. Version 4 of this protocol appeared in the mid-1990s (1995 to be exact), at a time when the number of Internet operators and players was limited, as was the number of IP address blocks advertised on the network. Since then, through the Internet bubble of the 2000s, the explosion in the size of the routing table, the introduction of a new version of IP and the arrival of a large number of new participants in the global network, the architecture of the protocol itself has changed only slightly: BGP has undergone only minor changes to date, and its structuring principles remain unchanged.
Yet the Internet's entire reliability and resilience to outages depend on this BGP technology. The first major incident on the Internet took place in the late 1990s, when an operator inadvertently propagated incorrect routes across the entire network, causing it to collapse (this event is analyzed in the course of the article, along with a number of others). With the emergence of services that are an integral part of the daily lives of millions of people, network robustness has become a major issue: people and services need to be connected and reachable without interruption. On the other hand, while data security is always paramount, more and more attention is being paid to the way in which it is routed between sender and destination; the risks of interception for eavesdropping are growing, and particular attention is being paid to the paths taken by this data.
Traffic detours, unreachable destinations, spoofing, fault propagation, isolation of all or part of the network: in this article, we list the various security risks applicable to network interconnections. We then explain the countermeasures available, both at the protocol level and in the operational practices to be implemented by the various network operators and players. Finally, we detail the new mechanisms available to operators to improve Internet security and combat threats such as announcement spoofing and packet hijacking.
KEYWORDS
IP | network security | internet | telecommunications | security | BGP
This article is included in
Networks and Telecommunications
BGP and IP interconnection security on the Internet