BORDER GATEWAY PROTOCOL SECURITY
Table of Contents
1. Introduction
1.1 Authority
1.2 Document Scope and Purpose
1.3 Audience and Assumptions
1.4 Document Organization
2. Border Gateway Protocol Overview
2.1 Review of Router Operation
2.2 Review of IP Addressing Notation
2.3 How BGP Works
2.3.1 Path Attributes
2.3.2 Finding Paths – the BGP Decision Algorithm
2.4 BGP Standards
3. BGP Risks and Threats
3.1 Generic Attacks
3.2 Potential Attacks on BGP
3.2.1 Peer Spoofing and TCP Resets
3.2.2 TCP Resets Using ICMP
3.2.3 Session Hijacking
3.2.4 Route Flapping
3.2.5 Route Deaggregation
3.2.6 Malicious Route Injection
3.2.7 Unallocated Route Injection
3.2.8 Denial of Service via Resource Exhaustion
3.2.9 Link Cutting Attack
4. Countermeasures and Security Mechanisms
4.1 The Secure BGP Template
4.2 Prefix Filtering
4.2.1 Special Use Addresses
4.2.2 “Bogon” Addresses
4.2.3 IPv4 Filtering Guidelines
4.2.4 Access Control Lists
4.2.5 Peripheral Traffic Filtering
4.2.6 Reverse Path Source Address Validation
4.3 Sequence Number Randomization
4.4 Generalized TTL Security Mechanism (TTL Hack)
4.5 MD5 Signature Option
4.6 IPsec
4.7 BGP Protocol Variations and Configuration
4.8 Router Protection and Physical Security
5. Recovery and Restart
5.1 Graceful Restart Mechanism for BGP
5.2 Virtual Router Redundancy Protocol