]> BGP Operations and Security Max-Planck-Institut fuer Informatik
Campus E14 Saarbruecken 66123 Germany +49 681 9325 3527 tfiebig@mpi-inf.mpg.de
Internet Neutral Exchange Association
4027 Kingswood Road Citywest, Dublin D24 AX96 Ireland +353 1 433 205 2 nick@inex.ie
ops Global Routing Operations The Border Gateway Protocol (BGP) is a critical component in the Internet to exchange routing information between network domains. Due to this central nature, it is important to understand the security and reliability requirements that can and should be met to prevent accidental or intentional routing disturbances. Previously, security considerations for BGP have been described in RFC7454 / BCP194. Since the publications of RFC7454, several developments and changes in operational practice took place that warrant an update of these best current practices. This document obsoletes RFC7454, focusing on the overall goals, and providing a less implementation centric set of best practices. This document describes security requirements and goals when operating BGP for exchanging routing information with other networks, and explicitly does not focus on specific technical implementations and requirements.
Introduction The Border Gateway Protocol (BGP), specified in , is the protocol used in the Internet to exchange routing information between network domains. BGP does not directly include mechanisms that control whether the routes exchanged conform to the various guidelines defined by the Internet community. Furthermore, the BGP protocol itself, by its design, does not have any direct way to protect itself against threats to confidentiality, integrity, and availability. This document summarizes security properties and requirements when operating BGP for securing the infrastructure as well as for security considerations regarding the exchanged routing information. The document explicitly does not focus on specific technical implementations and requirements. Operators are advised to consult documentation and contemporary informational documents concerning methods to ensure that these properties are sufficiently ensured in their network.
Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
Scope of the Document The guidelines defined in this document are intended for BGP when used to exchange generic Internet routing information within the Default-Free Zone (DFZ). It specifically does not cover other uses of BGP, e.g., when using BGP for NLRI exchange in a data-center context, or other use-cases when using BGP without globally unique identifiers between networks. This document does not specify how the outlined requirements and properties can be technically realized at a specific point in time. Instead, operators are advised to consult applicable documentation and contemporary informational documents describing implementation specifics (e.g., and ).
Protection of the BGP Speaker and Session The BGP speaker, i.e., the node running BGP to exchange routing information, needs to be protected from external attempts to taint integrity or availability of the BGP session and node alike.
BGP Session Protection To protect a BGP speaker on the network layer, an operator MUST ensure the following properties using technical or organizational measures:
  • Prevent off-path attackers from injecting BGP messages into existing sessions.
  • Prevent off-path attackers from interrupting existing sessions.
  • Prevent off-path attackers from preventing the establishment of new sessions.
  • Prevent remote systems from overwhelming the BGP speaker by sending large volumes of unsolicited packets or BGP messages.
  • Ensure that unstable sessions do not threaten the availability of BGP speakers within the network.
Example technologies to accomplish this include GTSM/TTL-security , BGP-MD5 / TCP-AO , limiting traffic to the control plane via Control Plane Policing (CoPP), and setting maximum prefix limits for the number of prefixes a neighbor may send. Please note, though, that limiting the number of permissible prefixes a neighbor may send may also introduce stability issues, if that number is set too low for the corresponding neighbor.
BGP Speaker Management Interface Protection In addition to the control plane / exchange of BGP protocol messages, the management plane of BGP speakers must be appropriately secured. Hence, operators MUST ensure that:
  • No unauthorized third-parties can obtain access or connect to the management interface of a BGP speaker in a way that allows tainting confidentiality, integrity, or availability.
  • External activity towards the management interface does not interfere with the integrity or availability of BGP sessions.
NLRI Filtering The purpose of BGP is exchanging routing information, i.e., NLRI. Importing or exporting incorrect or malicious NLRI is a security risk for networks themselves, but may also form a threat for connected and/or remote networks. As such, operators MUST ensure the following properties when importing or exporting routing information from their neighbors.
Importing NLRI When importing NLRI from a neighbor, an operator MUST ensure that all imported NLRI conform to the following properties by implementing technical or organizational measures:
  • The AS originating NLRI for a prefix MUST be globally authorized to originate that prefix. Operators MAY deviate from this for default routes (::/0 and 0.0.0.0/0), if they granted the specific neighbor permission to announce default routes towards them. Operaters are cautioned to evaluate carefully how accepting a default route affects their network, as this occludes limitations in forwarding coverage by the upstream from which the default route was received.
  • For received NLRI with an AS_PATH = {AS1, AS2, ..., ASn}, where AS1 is the neighbor that sent the UPDATE and ASn is the originator, for each k in 1..n−1, AS(k+1) MUST be authorized to export the NLRI to ASk according to their bilateral routing policy (e.g., provider–customer, peer, or lateral-peer).
  • The AS_PATH MUST NOT contain AS numbers reserved for private or special-use cases, except for those AS numbers explicitly dedicated to a special-use that requires their presence in the global routing table .
  • The AS_PATH for a received NLRI MUST NOT exceed the maximum length supported by the local router.
  • The number of transitive BGP attributes, e.g., BGP communities , extended BGP communities , or Large BGP communities attached to a received NLRI MUST NOT exceed the maximum supported by the local router.
  • The number of NLRI received from a neighbor MUST NOT exceed the resources of the local router.
Originating and Redistributing NLRI When originating NLRI or redistributing NLRI received from a neighbor, an operator MUST ensure that all NLRI they export conform to the following properties by implementing technical or organizational measures:
  • The redistributing AS MUST be authorized to redistribute NLRI for the specific prefix when received from the AS directly to its right in the AS_PATH. Additionally, each AS in the AS_PATH not originating the prefix MUST be authorized to redistribute the prefix when receiving it from the next AS to its right.
  • The AS originating NLRI for a prefix MUST be globally authorized to originate that prefix. Operators MAY deviate from this for default routes (::/0 and 0.0.0.0/0), if they originate the default route and the specific neighbor granted them permission to announce default routes towards them.
  • The AS_PATH MUST NOT contain AS numbers reserved for private or special-use cases, except for those AS numbers explicitly dedicated to a special-use that requires their presence in the global routing table .
Altering NLRI When processing NLRI, an operator MUST ensure that basic properties of these NLRI are not altered:
  • An operator SHOULD NOT change or remove immutable transitive BGP attributes, e.g., ORIGIN as per . In selected cases, if a specific attribute is known to be malicious, an operator MAY either temporarily remove that specific attribute from NLRI when importing them or filter NLRI carrying the attribute. If an attribute is unknown to the operator it MUST be considered immutable.
  • NLRI carried on BGP MUST NOT be enriched with transitive attributes subject to change independent of the underlying NLRI, e.g., encoding RPKI validation state in transitive attributes .
IANA Considerations This document does not require any IANA actions.
Security Considerations This document is entirely about BGP operational security. It lists requirements and properties operators MUST ensure using technical or organizational measures when operating BGP routers in the DFZ.
References Normative References Special-Purpose Autonomous System (AS) Numbers IANA Informative References Current Options for Securing Global Routing Max-Planck-Institut fuer Informatik Currently Used Terminology in Global Routing Operations Max-Planck-Institut fuer Informatik Guidance to Avoid Carrying RPKI Validation States in Transitive BGP Path Attributes Fastly MPI-INF AS58280.net
Acknowledgements This document has been originally based on and we thank the original authors for their work. We thank the following people for reviewing this draft and suggesting changes:
  • Gert Doerring
  • Jeff Haas
  • Geng Nan
  • Martin Pels
  • Job Snijders
  • Berislav Todorovic
  • Linda Dunbar
  • Wolfgang Tremmel
  • Florian Obser
  • Ben Maddison
  • Mohamed Boucadair