
BGP - Security

Created: Oct 5, 2021 19:57:35 | Latest reply: Oct 6, 2021 10:19:59
  Rewarded HiCoins: 0 (problem resolved)

Hello fellows,

Recently we have observed outages in major websites/apps. As network engineers, what precautionary measures can we take to secure BGP communication?

Featured Answers
zaheernew
MVE Author Created Oct 6, 2021 07:14:24

Hi @BAZ

This is really a very good practical question and my solution is given below.


The Border Gateway Protocol is the default routing protocol used by routers to communicate with other routers about the best way to reach Internet domains. Organizations publish information about the fastest—most efficient—route to take to reach their network, and routers use BGP to find this information. If something goes wrong along that route, the router can publish alternate information so that traffic flow is not disrupted.


BGP was written under the assumption that no one would lie about the routes, so there’s no process for verifying the published announcements. If someone publishes incorrect route information, routers move traffic along that route. Users don’t know they are being sent to the wrong server, or that their information passed through hostile networks (or countries) that can eavesdrop on their activities.


BGP is fairly noisy, and configuration mistakes happen pretty regularly, with the correct information published within minutes. This makes it difficult to tell when announcements are malicious and when they aren’t.


For users, just the fact that they used an affected DNS resolver would have exposed them to this attack. One good thing is that the increased use of HTTPS and the fact that browsers now warn users when a certificate is signed by an unknown authority or if one is missing means users may be able to avoid becoming victims even if they get rerouted to suspicious sites.


If you were using HTTPS, the fake website would display a TLS certificate signed by an unknown authority (the domain listed in the certificate was correct but it was self-signed). The only way for this attack to work would be to continue and accept the wrong certificate. From that point on, everything you send would be encrypted but the attacker had the keys.


Furthermore, anyone who paid attention to the browser alert would have known something weird was happening and would have been able to back out. This attack highlights why it is so important to train users to heed the certificate warnings. Too many times, users are told to ignore warnings because the certificate expired or because it was a self-signed cert.


I hope my answer will help you.

Thanks



zaheernew Created Oct 11, 2021 17:20:36
Thank you.  

Recommended answer

umaryaqub
MVE Created Oct 6, 2021 07:36:14

Hi,

Normally what we suggest is a 2-stage authentication when it comes to any configuration changes. With Huawei iMaster - Fabric Insight you can check the configuration before actually committing, so it will intelligently check what issues can arise by implementing these changes. So, if you have to revert later, you can do that too.

The second method is: when an SE commits any changes, these changes go to their superior officer to verify. After verifying, the manager approves the changes. So, in this way, even if a rogue user tries to sabotage a network, there is at least one level that is stopping them from doing so.

All Answers
The issue was due to a “faulty configuration change”. So in that case, such changes should be verified before implementation.
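An added example, not part of the original thread or of any of the answers above: the gap zaheernew's answer describes (BGP itself never checks whether an announcement is legitimate) is what RPKI route origin validation, RFC 6811, closes at the receiving router, and the "verify such changes before implementation" point in the comment above can reuse the same check on the prefixes a planned configuration would announce. The Go program below was written for this page. The ROAs, prefixes and ASNs are constructed from documentation ranges (192.0.2.0/24, 2001:db8::/32, 203.0.113.0/24, AS64496, AS64500), not real registry data; a production deployment would load ROAs from a validator over RTR rather than from a literal.

```go
package main

import (
	"fmt"
	"net/netip"
)

// ROA is a Route Origin Authorization: ASN may originate Prefix and any
// more-specific of it up to MaxLen bits. ASN 0 means "nobody may originate".
type ROA struct {
	Prefix netip.Prefix
	MaxLen int
	ASN    uint32
}

// Announcement is a received (or planned) BGP route reduced to what origin
// validation looks at: the NLRI and the rightmost ASN of AS_PATH.
type Announcement struct {
	Prefix    netip.Prefix
	OriginASN uint32
}

// Validity follows RFC 6811 section 2.
type Validity int

const (
	NotFound Validity = iota // no ROA covers the prefix
	Valid                    // a covering ROA matches origin and length
	Invalid                  // covering ROAs exist, none matches
)

func (v Validity) String() string {
	switch v {
	case Valid:
		return "Valid"
	case Invalid:
		return "Invalid"
	}
	return "NotFound"
}

// covers reports whether the ROA's prefix contains p (same address family,
// equal or shorter length).
func covers(r ROA, p netip.Prefix) bool {
	if r.Prefix.Addr().Is4() != p.Addr().Is4() {
		return false
	}
	return r.Prefix.Bits() <= p.Bits() && r.Prefix.Contains(p.Addr())
}

// Validate is the RFC 6811 decision for one announcement against a ROA set.
// Note that it only judges the origin; a forged AS_PATH with the right
// origin at the end still validates, which is what path validation is for.
func Validate(roas []ROA, a Announcement) Validity {
	p := a.Prefix.Masked()
	covered := false
	for _, r := range roas {
		if !covers(r, p) {
			continue
		}
		covered = true
		if r.ASN != 0 && r.ASN == a.OriginASN && p.Bits() <= r.MaxLen {
			return Valid
		}
	}
	if covered {
		return Invalid
	}
	return NotFound
}

// PreCommitCheck is the "verify before you commit" side: given the prefixes a
// planned configuration would announce, return a reason for each one that
// would not validate, so a reviewer can refuse the change before it is pushed.
func PreCommitCheck(roas []ROA, planned []Announcement) []string {
	var problems []string
	for _, a := range planned {
		if v := Validate(roas, a); v != Valid {
			problems = append(problems, fmt.Sprintf("%s from AS%d: %s", a.Prefix, a.OriginASN, v))
		}
	}
	return problems
}

// DemoROAs is a constructed ROA set using documentation prefixes and ASNs.
func DemoROAs() []ROA {
	return []ROA{
		{Prefix: netip.MustParsePrefix("192.0.2.0/24"), MaxLen: 24, ASN: 64496},
		{Prefix: netip.MustParsePrefix("2001:db8::/32"), MaxLen: 48, ASN: 64496},
		{Prefix: netip.MustParsePrefix("203.0.113.0/24"), MaxLen: 24, ASN: 0}, // AS0: must never appear
	}
}

func main() {
	anns := []Announcement{
		{netip.MustParsePrefix("192.0.2.0/24"), 64496},    // Valid
		{netip.MustParsePrefix("192.0.2.0/25"), 64496},    // Invalid: longer than MaxLen
		{netip.MustParsePrefix("192.0.2.0/24"), 64500},    // Invalid: wrong origin (classic hijack)
		{netip.MustParsePrefix("2001:db8:1::/48"), 64496}, // Valid
		{netip.MustParsePrefix("203.0.113.0/24"), 64500},  // Invalid: AS0 ROA
		{netip.MustParsePrefix("198.51.100.0/24"), 64500}, // NotFound: no ROA at all
	}
	for _, a := range anns {
		fmt.Printf("%-18s AS%d -> %s\n", a.Prefix, a.OriginASN, Validate(DemoROAs(), a))
	}
	fmt.Println("pre-commit problems:", PreCommitCheck(DemoROAs(), anns))
}
```

The second case is the one to remember: a more-specific announced by the legitimate origin still comes back Invalid when the ROA's MaxLen does not allow it, so MaxLen has to match what you actually announce or your own routes get dropped. Routers normally reject Invalid and still accept NotFound, which is why a prefix with no ROA at all gains nothing from the check.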

With the deployment of Secure Border Gateway Protocol (S-BGP), it is crucial that S-BGP be scalable and incrementally deployable.

• Scalability – The impact of S-BGP on a router's CPU and storage utilization, and on network bandwidth, must be within acceptable limits.

• Deployability – For successful deployment of S-BGP, two major issues need to be addressed. First, S-BGP countermeasure information must be forwarded between S-BGP routers in the same AS.
Also, since S-BGP introduces a new BGP path attribute, one must provide backward compatibility between S-BGP and BGP-4 so that it is possible to incrementally deploy these countermeasures.

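An added example, not from the thread and not from any S-BGP implementation: the new path attribute the answer above refers to carries S-BGP's route attestations, where each AS signs the AS path so far together with the AS it is sending the UPDATE to, and the receiver checks the whole chain with keys from a PKI. The Go program below models that with Ed25519 signatures so the reader can see what the signature has to cover and why. Everything in it is constructed for this page: the ASNs are documentation numbers, the keys are generated fresh on each run, the prefix-to-origin map stands in for S-BGP's address attestations, and the byte layout of the signed tuple is this example's own, not the protocol's wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Hop is one AS on the path plus that AS's route attestation: a signature over
// (prefix, path up to and including this AS, the AS the UPDATE is sent to).
// Binding the next AS is what stops a downstream AS from deleting hops or
// replaying an attestation towards a neighbour it was never sent to.
type Hop struct {
	ASN uint32
	Sig []byte
}

// SignedRoute is a BGP UPDATE reduced to the parts S-BGP attests to.
type SignedRoute struct {
	Prefix string // kept as text here, e.g. "192.0.2.0/24"
	Hops   []Hop  // in propagation order, origin first
}

func appendU32(b []byte, v uint32) []byte {
	var tmp [4]byte
	binary.BigEndian.PutUint32(tmp[:], v)
	return append(b, tmp[:]...)
}

// attestation is the byte string each AS signs (example layout: every field is
// length- or count-prefixed so one tuple cannot be read as another).
func attestation(prefix string, path []uint32, next uint32) []byte {
	b := appendU32(nil, uint32(len(prefix)))
	b = append(b, prefix...)
	b = appendU32(b, uint32(len(path)))
	for _, asn := range path {
		b = appendU32(b, asn)
	}
	return appendU32(b, next)
}

func pathASNs(hops []Hop) []uint32 {
	path := make([]uint32, 0, len(hops))
	for _, h := range hops {
		path = append(path, h.ASN)
	}
	return path
}

// Propagate is what AS asn does before sending r to neighbour next: append
// itself to the path and sign the resulting attestation. Originating a route
// is the same operation on a route that has no hops yet.
func Propagate(r SignedRoute, asn uint32, priv ed25519.PrivateKey, next uint32) SignedRoute {
	path := append(pathASNs(r.Hops), asn)
	sig := ed25519.Sign(priv, attestation(r.Prefix, path, next))
	hops := append(append([]Hop(nil), r.Hops...), Hop{ASN: asn, Sig: sig})
	return SignedRoute{Prefix: r.Prefix, Hops: hops}
}

// Verify is what the receiving AS runs. pubs is the ASN-to-key map an S-BGP
// PKI would supply; origins stands in for address attestations. Each hop's
// signature must cover the path up to that hop with "next" being the following
// hop, or the receiver itself for the last hop.
func Verify(r SignedRoute, pubs map[uint32]ed25519.PublicKey, origins map[string]uint32, receiver uint32) error {
	if len(r.Hops) == 0 {
		return fmt.Errorf("empty AS path")
	}
	if want, ok := origins[r.Prefix]; !ok || want != r.Hops[0].ASN {
		return fmt.Errorf("AS%d is not authorised to originate %s", r.Hops[0].ASN, r.Prefix)
	}
	path := pathASNs(r.Hops)
	for i, h := range r.Hops {
		next := receiver
		if i+1 < len(r.Hops) {
			next = r.Hops[i+1].ASN
		}
		pub, ok := pubs[h.ASN]
		if !ok {
			return fmt.Errorf("no certified key for AS%d", h.ASN)
		}
		if !ed25519.Verify(pub, attestation(r.Prefix, path[:i+1], next), h.Sig) {
			return fmt.Errorf("attestation by AS%d does not cover path %v towards AS%d", h.ASN, path[:i+1], next)
		}
	}
	return nil
}

// RunScenarios plays three cases with demo keys: AS64496 is the legitimate
// origin, AS64498 the verifying receiver, AS64500 the attacker.
func RunScenarios() (honest, shortened, forgedOrigin error) {
	priv := map[uint32]ed25519.PrivateKey{}
	pubs := map[uint32]ed25519.PublicKey{}
	for _, asn := range []uint32{64496, 64497, 64498, 64500} {
		pub, pk, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		pubs[asn], priv[asn] = pub, pk
	}
	origins := map[string]uint32{"192.0.2.0/24": 64496}
	empty := SignedRoute{Prefix: "192.0.2.0/24"}

	// Honest propagation: 64496 -> 64497 -> 64498.
	r := Propagate(empty, 64496, priv[64496], 64497)
	r = Propagate(r, 64497, priv[64497], 64498)
	honest = Verify(r, pubs, origins, 64498)

	// Path shortening: 64500 has the origin's hop (signed towards 64497), drops
	// 64497 and re-announces as if adjacent to the origin. Fails on hop 0.
	cut := SignedRoute{Prefix: r.Prefix, Hops: []Hop{r.Hops[0]}}
	shortened = Verify(Propagate(cut, 64500, priv[64500], 64498), pubs, origins, 64498)

	// Origin forgery: 64500 originates the prefix with its own valid key; the
	// signatures are fine, the address attestation check is what catches it.
	f := Propagate(empty, 64500, priv[64500], 64497)
	f = Propagate(f, 64497, priv[64497], 64498)
	forgedOrigin = Verify(f, pubs, origins, 64498)
	return honest, shortened, forgedOrigin
}

func main() {
	h, s, f := RunScenarios()
	fmt.Println("honest path:   ", h)
	fmt.Println("shortened path:", s)
	fmt.Println("forged origin: ", f)
}
```

The scalability point in the answer is visible in Verify: the receiver performs one signature verification per AS in the path for every UPDATE, and has to hold a key for every AS it may see, which is exactly the CPU and storage cost the answer says must stay within limits.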