Don’t Break the Internet:
BGP Security Best Practices that Matter
Sheryl (Shane) Hermoso
July 2025
v1.1
BGP in a nutshell

Interconnect Networks or ASes
[Diagram: AS100, AS200 and AS300 interconnected]
Autonomous System (AS)
Definition: A network (or group of networks) under a single administrative control with uniform routing policies.
[Diagram: iBGP runs between routers of the same ASN (AS100 to AS100); eBGP runs between different ASNs (AS100 to AS200)]
Border Gateway Protocol (BGP)
• An Exterior Gateway Protocol (EGP).
• Designed for exchanging routing information between different Autonomous Systems.
[Diagram: AS65000 and AS65001 exchanging routes over BGP, an Exterior Gateway Protocol]
BGP Security Best Practices

Why BGP Best Practices Matter
• Misconfigurations or attacks can cause large-scale disruptions.
• Prefix hijacking, route leaks, lack of filters and BGP session hijacking are some of the ways to break the Internet.
• BGP security practices:
  o Prevent service outages
  o Enhance global routing security
  o Protect your network … and OTHERS too
  o Ensure routing stability and trust
BGP Built-in Problem
• Routing works by RUMOUR
  o It is only based on trust, no built-in security
• Assumes everyone is correct (and honest)
  o No verification of the correctness of prefixes or AS paths
• No protection for message integrity or authenticity
• No validation of AS authority to announce routes
• No verification of path attribute authenticity
BCP to address Vulnerabilities
According to RFC 7454 and supporting best practices:
• Protect BGP Speakers
  - Apply data-plane filters (e.g., uRPF) to block spoofed packets
  - Use control-plane ACLs to block unauthorized access to TCP port 179
• Secure BGP Sessions
  - Use MD5 (RFC 2385) or TCP-AO (RFC 5925) for peer authentication
  - Prefer TCP-AO over MD5 for stronger algorithms (e.g., HMAC-SHA1) and key rotation without session disruption
BCP to address Vulnerabilities (continued)
• Route Filtering
  - Implement prefix/AS-path filters (deny bogon routes)
  - Set max-prefix limits to prevent route floods
• IRR Registration
  - Maintain accurate routing data in IRR databases to support automated filtering (aut-num)
• RPKI Validation
  - Register routes in RPKI (ROA) to validate origin authenticity
  - Deploy ROV (Route Origin Validation) to reject invalid routes
#1 BGP Session Security
• Use MD5 or TTL security to protect BGP sessions.
• Prevents spoofing or session hijacking.
• Configure MD5 authentication or TTL hop limits.
Config Example – Block Spoofing (uRPF)
Strict Mode (for single-homed interfaces):
Cisco
  interface GigabitEthernet0/0
   ip verify unicast source reachable-via rx
Juniper
  set interfaces ge-0/0/0 unit 0 family inet rpf-check
Loose Mode (for multi-homed interfaces):
Cisco
  interface GigabitEthernet0/0
   ip verify unicast source reachable-via any
Juniper
  set interfaces ge-0/0/0 unit 0 family inet rpf-check mode loose
Config Example – Protect TCP-179
Cisco
  ! In CoPP the ACL selects traffic for a class, so the trusted peer is
  ! denied here (not matched, so not dropped) and every other packet to
  ! TCP/179 is permitted (matched, so dropped by the policy below).
  ip access-list extended BGP-UNAUTHORIZED
   deny   tcp host 10.10.10.2 host 192.168.1.1 eq 179
   permit tcp any any eq 179
  !
  class-map match-all BGP-UNAUTHORIZED
   match access-group name BGP-UNAUTHORIZED
  !
  policy-map CoPP
   class BGP-UNAUTHORIZED
    drop
  !
  ! Apply the policy to the control plane
  control-plane
   service-policy input CoPP
Juniper
  firewall {
      family inet {
          filter BGP-CONTROL-PLANE {
              term ALLOW-BGP-PEERS {
                  from {
                      source-address {
                          10.10.10.2/32;   # Trusted peer
                      }
                      protocol tcp;
                      destination-port bgp;
                  }
                  then accept;
              }
              term BLOCK-OTHER-BGP {
                  from {
                      protocol tcp;
                      destination-port bgp;
                  }
                  then discard;
              }
              # Needed because a filter ends with an implicit discard; without it
              # all other traffic to the Routing Engine (SSH, OSPF, ICMP) is dropped
              term ALLOW-EVERYTHING-ELSE {
                  then accept;
              }
          }
      }
  }
  # Apply to lo0, which filters traffic destined to the Routing Engine
  set interfaces lo0 unit 0 family inet filter input BGP-CONTROL-PLANE
Config Example – TCP-AO
Cisco
  key chain BGP-TCPAO tcp
   key 1
    send-id 10
    recv-id 20
    cryptographic-algorithm aes-128-cmac
    key-string encrypted 066A0D020D1C470B1E
    send-lifetime 12:00:00 Mar 18 2025 infinite
  !
  router bgp 65001
   neighbor 203.0.113.2
    remote-as 65002
    ao BGP-TCPAO include-tcp-options
    address-family ipv4 unicast
  !
Juniper
  security {
      authentication-key-chains {
          key-chain BGP-TCPAO {
              key 1 {
                  secret "$9$Hsd4QbvfhT6m";   # AES-128-CMAC-96, stored encrypted
                  start-time "2025-03-18.12:00:00 +0000";
                  algorithm ao;
                  ao-attribute {
                      send-id 20;              # Matches Cisco's recv-id
                      recv-id 10;              # Matches Cisco's send-id
                      tcp-ao-option enabled;
                      cryptographic-algorithm aes-128-cmac-96;
                  }
              }
          }
      }
  }
  protocols {
      bgp {
          group EBGP {
              neighbor 203.0.113.1 {
                  authentication-algorithm ao;
                  authentication-key-chain BGP-TCPAO;
              }
          }
      }
  }
* If TCP-AO is not supported, use MD5 *
#2 Prefix and AS-Path Filtering
• Route filtering policies control which prefixes are advertised to or received from BGP peers.
• RFC 2827/BCP 38: Ingress Packet Filtering.
• Prefix filters only allow known, legitimate prefixes from peers/customers.
  o This helps prevent route hijacks and leaks.
• AS-path filters restrict route advertisement using AS-PATH and BGP communities.
  o This helps avoid route leaks and policy violations.
Config Example – Filtering
Drop bogons when receiving and advertising IPv4 & IPv6.
Bogon IPv4 Prefixes:
  0.0.0.0/8 (This network)
  10.0.0.0/8 (Private-use networks)
  100.64.0.0/10 (Carrier-grade NAT)
  127.0.0.0/8 (Loopback)
  169.254.0.0/16 (Link-local)
  172.16.0.0/12 (Private-use networks)
  192.0.0.0/24 (IETF Protocol Assignments)
  192.0.2.0/24 (TEST-NET-1)
  192.168.0.0/16 (Private-use networks)
  198.18.0.0/15 (Benchmarking)
  198.51.100.0/24 (TEST-NET-2)
  203.0.113.0/24 (TEST-NET-3)
  224.0.0.0/4 (Multicast)
  240.0.0.0/4 (Reserved for future use)
  255.255.255.255/32 (Limited broadcast)
Additional considerations:
• Filter prefixes longer than /24 (0.0.0.0/0 ge 25)
• Include your own network ranges
• Regularly update this list as allocations change
Config Example – Prefix Filters
Cisco
  ! Create inbound prefix list for IPv4 Unicast EBGP with AS65000
  ip prefix-list AS65000-IN seq 10 permit 0.0.0.0/0 le 24
  ip prefix-list AS65000-IN seq 1000 deny 0.0.0.0/0 le 32
  ! Create outbound prefix list for IPv4 Unicast EBGP with AS65000
  ip prefix-list AS65000-OUT seq 10 permit 10.0.0.0/8
  ip prefix-list AS65000-OUT seq 1000 deny 0.0.0.0/0 le 32
  ! Apply prefix filters to respective BGP peer
  router bgp 64512
   address-family ipv4 unicast
    ! Keep a copy of original received prefixes
    neighbor EBGP-AS65000-IPV4 soft-reconfiguration inbound
    neighbor EBGP-AS65000-IPV4 prefix-list AS65000-IN in
    neighbor EBGP-AS65000-IPV4 prefix-list AS65000-OUT out
   exit-address-family
Juniper
  # Create inbound policy for IPv4 Unicast EBGP with AS65000
  top edit policy-options policy-statement EBGP-AS65000-IPV4-IN
  set term 10 from route-filter 0.0.0.0/0 upto /24
  set term 10 then accept
  set term 1000 then reject
  # Re-create outbound policy for IPv4 Unicast EBGP with AS65000
  top delete policy-options policy-statement EBGP-AS65000-IPV4-OUT
  top edit policy-options policy-statement EBGP-AS65000-IPV4-OUT
  set term 10 from route-filter 10.0.0.0/8 exact
  set term 10 then accept
  set term 1000 then reject
  # Apply routing policies to respective BGP peer
  top edit protocols bgp
  set group EBGP-AS65000-IPV4 import EBGP-AS65000-IPV4-IN
  set group EBGP-AS65000-IPV4 export EBGP-AS65000-IPV4-OUT
Config Example – AS-Path Filters
Cisco
  ! Create inbound AS Path filter for IPv4 Unicast EBGP with AS65001
  ip as-path access-list 101 permit ^65001(_65001)*$
  ip as-path access-list 101 deny .*
  ! Create outbound AS Path filter for IPv4 Unicast EBGP with AS65001
  ip as-path access-list 102 permit ^$
  ip as-path access-list 102 permit ^64512(_64512)*$
  ip as-path access-list 102 deny .*
  ! Apply AS Path filters to respective BGP peer
  router bgp 65000
   address-family ipv4 unicast
    ! Keep a copy of original received prefixes
    neighbor EBGP-AS65001-IPV4 soft-reconfiguration inbound
    neighbor EBGP-AS65001-IPV4 filter-list 101 in
    neighbor EBGP-AS65001-IPV4 filter-list 102 out
   exit-address-family
Juniper
  # Create AS Path group for AS65001’s IPv4 Unicast paths
  top edit policy-options as-path-group AS65001-IPV4
  set as-path 10 "^65001(65001)*$"
  # Create AS Path group for locally originated IPv4 Unicast paths
  top edit policy-options as-path-group LOCAL-IPV4
  set as-path 10 "^$"
  # Create AS Path group for customer’s IPv4 Unicast paths
  top edit policy-options as-path-group CUSTOMER-IPV4
  set as-path 10 "^64512(64512)*$"
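The prefix-list and filter-list logic of the two config examples above, applied to a handful of received UPDATEs in plain Python. This is an added illustration, not code from the deck; the bogon list, the /24 limit and the Cisco regex `^65001(_65001)*$` are the slides' own, while the sample prefixes, the "own range" 45.20.0.0/16 and the update dictionaries are constructed for the demonstration.

```python
import ipaddress
import re

# Bogon prefixes from the slide (IPv4; extend with your own ranges and keep it current).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4", "255.255.255.255/32",
)]
MAX_PREFIX_LEN = 24  # the slide's "0.0.0.0/0 ge 25" deny rule


def cisco_aspath_regex(pattern):
    """Compile a Cisco-style AS-path regex for use on a space-joined path string.
    In IOS '_' matches an AS boundary (space, start or end of path); '^', '$', '*'
    and parentheses keep their usual meaning, so only '_' needs translating."""
    return re.compile(pattern.replace("_", r"(?:^|\s|$)"))


def check_prefix(prefix, own_prefixes=()):
    """Inbound prefix-list logic from the slides: deny bogons, deny our own ranges,
    deny anything more specific than /24, permit the rest. Returns (permit, reason)."""
    net = ipaddress.ip_network(prefix, strict=False)
    for bogon in BOGONS:
        if net.version == bogon.version and net.subnet_of(bogon):
            return False, f"bogon {bogon}"
    for own in own_prefixes:
        own_net = ipaddress.ip_network(own)
        if net.version == own_net.version and net.subnet_of(own_net):
            return False, f"our own range {own_net}"
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, f"longer than /{MAX_PREFIX_LEN}"
    return True, "permitted"


def check_as_path(as_path, permit_patterns):
    """filter-list logic: permit if any compiled pattern matches the path; the
    implicit trailing 'deny .*' rejects everything else."""
    path = " ".join(str(asn) for asn in as_path)
    return any(rx.search(path) for rx in permit_patterns)


def evaluate(update, permit_patterns, own_prefixes=()):
    """Run one UPDATE through the prefix-list, then the AS-path filter; return (action, reason)."""
    permit, reason = check_prefix(update["prefix"], own_prefixes)
    if not permit:
        return "deny", reason
    if not check_as_path(update["as_path"], permit_patterns):
        return "deny", "AS path not permitted by filter-list"
    return "accept", reason


# Constructed sample UPDATEs received from customer AS65001 (not real announcements).
SAMPLE_UPDATES = [
    {"prefix": "45.10.0.0/22", "as_path": [65001]},           # clean customer route
    {"prefix": "45.10.4.0/22", "as_path": [65001, 65001]},    # prepended, still theirs
    {"prefix": "45.10.8.0/25", "as_path": [65001]},           # too specific
    {"prefix": "203.0.113.0/24", "as_path": [65001]},         # TEST-NET-3 bogon
    {"prefix": "45.20.1.0/24", "as_path": [65001]},           # our own space announced back to us
    {"prefix": "45.30.0.0/22", "as_path": [65001, 65010]},    # leaked route of AS65010
]
INBOUND_AS65001 = [cisco_aspath_regex("^65001(_65001)*$")]   # ip as-path access-list 101
OUR_PREFIXES = ("45.20.0.0/16",)                               # constructed own allocation

if __name__ == "__main__":
    for upd in SAMPLE_UPDATES:
        action, reason = evaluate(upd, INBOUND_AS65001, OUR_PREFIXES)
        print(f"{action:6} {upd['prefix']:18} path {upd['as_path']}: {reason}")
```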
#3 Max Prefixes on a Peering
• Set limits on the number of accepted prefixes per peer.
  o Logs warning messages at a configured threshold
  o Clears the BGP session when the number of prefixes exceeds the limit
• This helps prevent router overload from misconfigurations.
• Regular monitoring and adjustment may be required.
Config Example – Maximum-Prefix
Cisco
  router bgp 65001
   neighbor 192.0.2.1 remote-as 65002
   ! Warn at 80% of 1000 prefixes, tear the session down above 1000, retry after 60 minutes
   neighbor 192.0.2.1 maximum-prefix 1000 80 restart 60
Juniper
  # Three alternatives for the same group. Without 'teardown' Junos only logs a
  # warning when the maximum is exceeded (warning-only); the session stays up.
  set protocols bgp group bgp-peer-in family inet unicast prefix-limit maximum 1000
  set protocols bgp group bgp-peer-in family inet unicast prefix-limit maximum 2000
  # Warn at 80% of 5000 prefixes, tear down above 5000, re-establish after 5 minutes
  set protocols bgp group bgp-peer-in family inet unicast prefix-limit maximum 5000 teardown 80 idle-timeout 5
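A small simulation of the maximum-prefix behaviour described on the previous slide (warn at the threshold, tear down above the limit, re-establish after the restart interval, or never tear down in warning-only mode). Added here for illustration; it is not vendor code, the `PeerSession`/`MaxPrefixPolicy` names are the example's own, and the clock is a constructed counter in minutes.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class MaxPrefixPolicy:
    """One peer's limit, as in 'neighbor 192.0.2.1 maximum-prefix 1000 80 restart 60':
    warn at threshold_pct of maximum, tear the session down once maximum is exceeded,
    and re-establish after restart_min minutes (None = stay down until cleared by hand)."""
    maximum: int
    threshold_pct: int = 75          # IOS default threshold
    restart_min: Optional[int] = None
    warning_only: bool = False       # log only, never tear down


@dataclass
class PeerSession:
    policy: MaxPrefixPolicy
    state: str = "Established"
    accepted: int = 0
    restart_at: Optional[int] = None  # simulated clock, in minutes
    log: List[str] = field(default_factory=list)


def on_prefix_count(peer, count, now):
    """Apply the policy after the peer's Adj-RIB-In holds `count` prefixes at time `now`.
    Returns the action taken: 'ok', 'warn', 'teardown' or 'ignored' (session not up)."""
    if peer.state != "Established":
        return "ignored"
    pol = peer.policy
    peer.accepted = count
    if count > pol.maximum:
        if pol.warning_only:
            peer.log.append(f"t={now}: {count} > {pol.maximum} prefixes from peer (warning-only)")
            return "warn"
        peer.state = "Idle (PfxCt)"
        peer.accepted = 0             # resetting the session drops all of its prefixes
        peer.restart_at = None if pol.restart_min is None else now + pol.restart_min
        when = "manual clear needed" if peer.restart_at is None else f"retry at t={peer.restart_at}"
        peer.log.append(f"t={now}: {count} > {pol.maximum} prefixes, session torn down; {when}")
        return "teardown"
    if count * 100 >= pol.threshold_pct * pol.maximum:
        peer.log.append(f"t={now}: {count} prefixes, {pol.threshold_pct}% of {pol.maximum} reached")
        return "warn"
    return "ok"


def tick(peer, now):
    """Re-establish a torn-down session once its restart interval has elapsed."""
    if peer.state == "Established" or peer.restart_at is None or now < peer.restart_at:
        return False
    peer.state, peer.restart_at = "Established", None
    peer.log.append(f"t={now}: restart interval elapsed, session re-established")
    return True


if __name__ == "__main__":
    # Constructed walk-through: a customer that suddenly leaks a full table at t=3.
    peer = PeerSession(MaxPrefixPolicy(maximum=1000, threshold_pct=80, restart_min=60))
    for t, n in ((0, 500), (1, 800), (2, 950), (3, 1001), (4, 1200)):
        print(t, n, on_prefix_count(peer, n, t))
    print(30, tick(peer, 30), peer.state)
    print(60, tick(peer, 60), peer.state)
    print("\n".join(peer.log))
```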
#4 Internet Routing Registry (IRR)
• IRR is a globally distributed routing information database.
• Policies are stored using the Routing Policy Specification Language (RPSL).
• Filter out route advertisements not described in the registry.

aut-num:        AS17821
as-name:        APNICTRAINING-ISP
descr:          ASN for APNICTRAINING LAB ISP
country:        AU
mp-import:      afi ipv6.unicast from AS65001 2406:6400:10::2 at 2406:6400:10::1
                action community.append(17821:65001); pref=200;
                accept <^AS65001+$> AND RS-APNICTRAINING:AS65001
mp-import:      afi ipv6.unicast from AS65002 2406:6400:14::2 at 2406:6400:14::1
                action community.append(17821:65002); pref=200;
                accept <^AS65002+$> AND RS-APNICTRAINING:AS65002
mp-export:      afi ipv6.unicast to AS65001 2406:6400:10::2 at 2406:6400:10::1
                action aspath.prepend(AS17821,AS17821);
                announce ANY AND NOT FLTR-MARTIAN-V6
mp-export:      afi ipv6.unicast to AS65002 2406:6400:14::2 at 2406:6400:14::1
                announce ANY AND NOT FLTR-MARTIAN-V6
org:            ORG-ATU1-AP
admin-c:        AT480-AP
tech-c:         AT480-AP
abuse-c:        AA2310-AP
mnt-lower:      MAINT-AU-APNICTRAINING
mnt-lower:      MAINT-AU-APNICTRAINING
mnt-routes:     MAINT-AU-APNICTRAINING
mnt-by:         APNIC-HM
mnt-irt:        IRT-APNICTRAINING-AU
mnt-irt:        IRT-APNICTRAINING-AU
last-modified:  2021-01-26T23:58:34Z
source:         APNIC

The mp-import/mp-export attributes contain the inbound/outbound IPv4 or IPv6 routing policy of the AS.
Tools – bgpq4
https://github.com/bgp/bgpq4
• BGP filter generator
• Can generate configurations such as prefix-lists, extended access-lists, policy-statement terms and as-path lists based on IRR data
Cisco
  # bgpq4 -l APNIC-IN AS4608
  no ip prefix-list APNIC-IN
  ip prefix-list APNIC-IN permit 103.0.0.0/16
  ip prefix-list APNIC-IN permit 103.246.136.0/22
  ip prefix-list APNIC-IN permit 110.76.136.0/22
  ip prefix-list APNIC-IN permit 202.12.29.0/24
  ip prefix-list APNIC-IN permit 203.30.127.0/24
  ip prefix-list APNIC-IN permit 203.119.76.0/23
  ip prefix-list APNIC-IN permit 203.119.92.0/23
Juniper
  # bgpq4 -Jl APNIC-IN AS4608
  policy-options {
  replace:
      prefix-list APNIC-IN {
          103.0.0.0/16;
          103.246.136.0/22;
          110.76.136.0/22;
          202.12.29.0/24;
          203.30.127.0/24;
          203.119.76.0/23;
          203.119.92.0/23;
      }
  }
Tools – Regex101
https://regex101.com/
• The ultimate regular expression tester
#5 Route Origin Validation (ROV) Filtering
• Validate that routes come from the authorized ASN.
• This helps prevent prefix hijacking.
RPKI: a robust security framework for verifying the association between resource holders and their Internet number resources.
Phase 1: ROA (Signing origin). Resource holders must create their ROA objects, which get published to the RPKI repository.
Phase 2: ROV (Validating origin). Routers validate route entries against the RPKI cache.
Route Origin Validation (ROV)
[Diagram: a validator fetches the ROA "2406:6400::/32-48, origin AS17821" from the global RPKI repository and feeds it to the router over RPKI-to-Router (RTR). The route 2406:6400::/48 with path 65551 65550 17821 (origin AS17821) is Valid; the route 2406:6400::/48 with path 65553 65552 (origin AS65552) is Invalid.]
Apply rules based on the validation state.
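The validation the diagram illustrates, written out as the RFC 6811 algorithm: a route is Valid when at least one covering ROA names its origin AS and its prefix length is within the ROA's maxLength, Invalid when ROAs cover the prefix but none matches, and NotFound when no ROA covers it. This is an added example, not the deck's or any vendor's code; the ROA and the first two routes are the slide's, the /56 and 2001:db8::/32 routes and the local-preference policy in `apply_rov_policy` are constructed assumptions.

```python
import ipaddress
from typing import Any, NamedTuple


class ROA(NamedTuple):
    prefix: Any        # an ipaddress network object
    max_length: int
    origin_as: int


# Validated ROA payload as the router would receive it over RTR; this is the ROA
# from the slide: 2406:6400::/32 with maxLength 48, authorised origin AS17821.
RTR_CACHE = [ROA(ipaddress.ip_network("2406:6400::/32"), 48, 17821)]


def origin_as(as_path, local_as):
    """RFC 6811: the origin is the rightmost AS; an empty path means we originated it.
    A path ending in an AS_SET (modelled here as a tuple/set) has no single origin,
    so it can never match a ROA and validates as Invalid when a covering ROA exists."""
    if not as_path:
        return local_as
    last = as_path[-1]
    return None if isinstance(last, (tuple, set, frozenset)) else last


def rov_state(cache, prefix, as_path, local_as=64512):
    """Return 'valid', 'invalid' or 'notfound' for (prefix, AS path) against the cache."""
    net = ipaddress.ip_network(prefix)
    origin = origin_as(as_path, local_as)
    covering = [r for r in cache
                if r.prefix.version == net.version
                and r.prefix.prefixlen <= net.prefixlen
                and net.subnet_of(r.prefix)]
    if not covering:
        return "notfound"                     # no ROA speaks for this prefix at all
    for roa in covering:
        if roa.origin_as == origin and net.prefixlen <= roa.max_length:
            return "valid"                    # one ROA matches both origin and length
    return "invalid"                          # covered, but no ROA authorises this origin/length


def apply_rov_policy(state, local_pref=100):
    """'Apply rules based on the validation state' (assumed operator policy, not from the
    slides): reject Invalid, keep Valid at normal preference, accept NotFound at a lower one.
    Returns the local-preference to install, or None to reject the route."""
    if state == "invalid":
        return None
    return local_pref if state == "valid" else local_pref - 10


if __name__ == "__main__":
    # The two announcements drawn on the slide plus two constructed edge cases.
    routes = [
        ("2406:6400::/48", [65551, 65550, 17821]),  # origin AS17821: Valid
        ("2406:6400::/48", [65553, 65552]),          # origin AS65552: Invalid (hijack)
        ("2406:6400::/56", [65550, 17821]),          # right origin, longer than maxLength 48
        ("2001:db8::/32", [65550, 65001]),           # no covering ROA: NotFound
    ]
    for prefix, path in routes:
        st = rov_state(RTR_CACHE, prefix, path)
        print(f"{prefix:16} path {path}: {st:8} -> local-pref {apply_rov_policy(st)}")
```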
Secure your BGP now!
• Filter! Filter! Filter!
• Review your prefix and AS-path filters.
• Set max-prefix limits.
• Deploy RPKI validation.
• Secure your BGP sessions.
• Monitor BGP announcements.

BGP Security Best Practices that Matter, presented at PHNOG 2025
