BGP operational security best practices
Jérôme Durand – Consulting Systems Engineer
BRKRST-2045
Agenda
• Why?
• Protect your router and sessions
• Basic policies
• IXP specifics
• IRR lockdown
• RPKI and route origin validation
• BGPsec
Usual best practices, for IPv4 and IPv6
Focus of this session
There is an RFC now
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
IPv4 address exhaustion
Datacenter
IPv6
Cloud and IXP
Protect your routers and TCP sessions
• TTL Security (GTSM)
  • TTL 1 by default for EBGP – Send with TTL 255 and deny anything with TTL < 254
• MD5 peer authentication
• Infrastructure ACL
  • Control traffic to your own infrastructure
• CoPP / LPTS
  • Police traffic reaching your control plane
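The TTL rule on this slide, modelled as an added example that is not part of the original deck: the receiver accepts a packet only if it arrives with a TTL of at least 255 minus the configured hop count, which generalizes the slide's threshold of 254. The `Packet` class, the function names and the sample packets are constructed for illustration.

```python
# Added example: model of the GTSM receive check; all names are illustrative.
from dataclasses import dataclass

MAX_TTL = 255  # largest value the 8-bit IPv4 TTL / IPv6 Hop Limit field can hold


@dataclass(frozen=True)
class Packet:
    label: str
    sent_ttl: int         # TTL written by the sender
    routers_crossed: int  # routers that forwarded (and decremented) the packet

    def arrival_ttl(self) -> int:
        """TTL seen by the receiving router; 0 means it expired in transit."""
        return max(self.sent_ttl - self.routers_crossed, 0)


def gtsm_min_ttl(hops: int = 1) -> int:
    """Lowest TTL accepted for a peer configured as at most `hops` away."""
    if not 1 <= hops <= 254:
        raise ValueError("hops must be between 1 and 254")
    return MAX_TTL - hops


def accepted(pkt: Packet, gtsm_hops=None) -> bool:
    """TTL verdict only; gtsm_hops=None models a receiver with no TTL check."""
    ttl = pkt.arrival_ttl()
    if ttl == 0:
        return False
    return True if gtsm_hops is None else ttl >= gtsm_min_ttl(gtsm_hops)


# Constructed sample packets (not captured traffic).
SAMPLES = [
    Packet("direct peer, GTSM sender", sent_ttl=255, routers_crossed=0),
    Packet("direct peer, default EBGP sender", sent_ttl=1, routers_crossed=0),
    Packet("remote host, maximum TTL", sent_ttl=255, routers_crossed=6),
    Packet("remote host, TTL 64", sent_ttl=64, routers_crossed=6),
]


def verdicts(gtsm_hops=None):
    """Map each sample label to its accept/deny verdict for the given mode."""
    return {p.label: accepted(p, gtsm_hops) for p in SAMPLES}


if __name__ == "__main__":
    for mode in (None, 1):
        print("GTSM hops =", mode, verdicts(mode))
```

The second sample shows that a peer still sending TTL 1 is rejected once the check is enabled, so both ends of a session have to be configured together.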
Basic policies
• Martians
• Maximum prefixes limit
• Prefix length
• First AS in AS-Path
• Route Flap Dampening
IPv6 specifics
• What is the same
  • IPv6 is IP – same kind of procedures
• What is different
  • Different address types
  • Registries
Closer look at IXPs
• The IXP LAN prefix
• pMTUd and uRPF
• Next-hop enforcement
• Deal with BGP route servers
IRR lockdown
• Tie rules to IRR objects
  • AS-SET → AUT-NUM → ROUTE(6) → INETNUM(6)
• IRR accuracy
  • IRRexplorer
• Demo
RPKI / ROA and BGPsec
• RPKI / ROA principles
  • Validators
  • RTR protocol
  • Policy definitions
• Demo
• Future work: BGPsec
Thank You