Methods of securing (BGP) Border Gateway Protocol

Written by CCIE9277

Thursday, 09 February 2006
Page 2 of 2

- Setting a maximum prefix amount: Carrying today's Internet routing table takes a lot of CPU and memory, and depending on the situation route summarization can be used to cut down on those hardware requirements. The flip side is that a peer, or an attacker who controls or spoofs one, can inject a large number of valid-looking more specific routes and exhaust the router's memory and CPU until it slows down or crashes outright. If you already know roughly how many routes your upstream neighbor should be sending you via BGP, the maximum-prefix option on the neighbor statement caps that count and thwarts this type of attack. In this example we limit the neighboring peer to 3000 prefixes. Choose a limit with some headroom above the expected count, because on Cisco IOS the session is torn down once the limit is exceeded; the command also takes an optional threshold percentage at which a warning is logged first (75% by default), a warning-only keyword that logs instead of tearing the session down, and a restart interval in minutes after which a torn-down session is re-established automatically. Note that the more usual way to bind a prefix list to a neighbor is neighbor ... prefix-list netpolicefilter in; the distribute-list form below is what the original configuration uses.

Example:

router bgp 510
 neighbor 132.45.78.3 remote-as 320
 neighbor 132.45.78.3 password SecureMyBGP123
 neighbor 132.45.78.3 version 4
 neighbor 132.45.78.3 distribute-list netpolicefilter in
 neighbor 132.45.78.3 log-neighbor-changes
 neighbor 132.45.78.3 maximum-prefix 3000
!
!
ip prefix-list netpolicefilter seq 10 permit 0.0.0.0/0 ge 8 le 16
!
!
ip route 131.50.24.0 255.255.255.0 null 0
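The ge/le matching of the prefix list above and the maximum-prefix check are easier to reason about with a small model. The following Python is an added example written for this page, not Cisco's implementation or the author's code. Everything in it is constructed: the NETPOLICEFILTER entries mirror the page's prefix list, LOOSE_FILTER is a hypothetical permissive list for comparison, and the "flood" is one aggregate deaggregated into its /24s, the kind of more-specific injection the text warns about. It applies the limit to prefixes that survive the inbound filter; confirm on your own platform whether the count is taken before or after inbound filtering.

```python
import ipaddress

# Constructed prefix list mirroring the page's
#   ip prefix-list netpolicefilter seq 10 permit 0.0.0.0/0 ge 8 le 16
# Each entry: (action, covering prefix, ge, le); None means "keyword not given".
NETPOLICEFILTER = [("permit", "0.0.0.0/0", 8, 16)]

# Hypothetical looser list (lets /24s through), used only for comparison.
LOOSE_FILTER = [("permit", "0.0.0.0/0", 8, 24)]


def prefix_list_permits(route, entries):
    """Evaluate a route against Cisco-style prefix-list entries; first match wins.

    A route matches an entry when it lies inside the entry's covering prefix and
    its length is in the allowed range: exactly the covering length when neither
    ge nor le is given, ge..max when only ge is given, covering-length..le when
    only le is given, ge..le when both are given. No match hits the implicit deny.
    """
    net = ipaddress.ip_network(route, strict=False)
    for action, covering, ge, le in entries:
        base = ipaddress.ip_network(covering, strict=False)
        lo = ge if ge is not None else base.prefixlen
        if le is not None:
            hi = le
        else:
            hi = net.max_prefixlen if ge is not None else base.prefixlen
        if net.subnet_of(base) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False


def max_prefix_action(accepted, maximum, threshold_pct=75, warning_only=False):
    """Model 'neighbor ... maximum-prefix <max> [threshold] [warning-only]'.

    IOS logs a warning once the count reaches threshold_pct of the maximum
    (75% by default) and, unless warning-only is configured, tears the
    session down when the maximum is exceeded.
    """
    if accepted > maximum:
        return "warning-only" if warning_only else "teardown"
    if accepted * 100 >= maximum * threshold_pct:
        return "threshold-warning"
    return "ok"


def deaggregate(aggregate, new_len):
    """Split an aggregate into all of its more-specifics of length new_len.
    This is constructed attack input: a peer pumping deaggregated routes."""
    net = ipaddress.ip_network(aggregate)
    return [str(s) for s in net.subnets(new_prefix=new_len)]


def process_inbound(received, entries, maximum=3000, **kw):
    """Apply the inbound prefix list, then the maximum-prefix check, to a batch
    of received prefixes. Returns (accepted list, action). Modeling assumption:
    the limit counts prefixes that survived the filter."""
    accepted = [p for p in received if prefix_list_permits(p, entries)]
    return accepted, max_prefix_action(len(accepted), maximum, **kw)


if __name__ == "__main__":
    flood = deaggregate("172.16.0.0/12", 24)        # 4096 more-specifics
    acc, act = process_inbound(flood, NETPOLICEFILTER)
    print(len(flood), "received;", len(acc), "pass netpolicefilter ->", act)
    acc, act = process_inbound(flood, LOOSE_FILTER)
    print(len(flood), "received;", len(acc), "pass the loose filter ->", act)
    acc, act = process_inbound(flood, LOOSE_FILTER, warning_only=True)
    print("same, with warning-only ->", act)
```

With the page's filter the 4096 /24s never reach the BGP table, so the limit is not even approached; with the loose filter they all get in and the maximum-prefix check is what saves the router. The two controls are complementary: the prefix list enforces policy on what is acceptable, the limit is the backstop for whatever the policy lets through.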
- BGP route dampening: Route flapping can severely degrade network convergence times, especially on heavily loaded routers. A DoS attack on a neighboring network (or simply an unstable link there) can cause its routes to flap. Route dampening limits the spread of that instability through your network by suppressing routes that flap repeatedly: every flap adds a penalty to the route, the penalty decays exponentially over time, and while it is above the suppress threshold the route is withheld from advertisement until it decays below the reuse threshold. Dampening can be enabled with the default values, with explicitly specified values, or selectively through a route map. Be aware that the default thresholds are widely regarded as too aggressive for the modern Internet and can keep legitimately reconverging prefixes unreachable for an hour; the RIPE routing working group recommended against using flap damping with these defaults (RIPE-378) and later recommended a much higher suppress threshold if it is used at all (RIPE-580). Below are the options of the bgp dampening command and a simple example of turning it on with the default settings:

bgp dampening [half-life-time reuse-value suppress-value maximum-suppress-time] [route-map map-name]

The four numeric values are supplied together, all at once, not as alternatives; to apply different values to different prefixes use a route map with a set dampening clause.

- [map-name] Name of a route map that controls which routes are subject to dampening. Default: disabled.
- [half-life-time] Time in minutes after which the accumulated penalty is halved. Valid values on Cisco IOS are 1 - 45 minutes. Default: 15 minutes.
- [reuse-value] Penalty value below which a suppressed route is re-advertised. Valid values are 1 - 20000. Default: 750.
- [suppress-value] Penalty value above which a route is suppressed. Valid values are 1 - 20000. Default: 2000.
- [maximum-suppress-time] Maximum time in minutes that a route can be suppressed. Valid values are 1 - 255. Default: 4 times the half-life, which is 60 minutes with the default half-life. This value also caps the penalty: the ceiling is reuse-value times 2 raised to (maximum-suppress-time / half-life-time), 12000 with the defaults, so a suppress-value above that ceiling can never be reached and the policy dampens nothing.
Example:

router bgp 510
 neighbor 132.45.78.3 remote-as 320
 neighbor 132.45.78.3 password SecureMyBGP123
 neighbor 132.45.78.3 version 4
 neighbor 132.45.78.3 distribute-list netpolicefilter in
 neighbor 132.45.78.3 log-neighbor-changes
 neighbor 132.45.78.3 maximum-prefix 3000
 bgp dampening
!
!
ip prefix-list netpolicefilter seq 10 permit 0.0.0.0/0 ge 8 le 16
!
!
ip route 131.50.24.0 255.255.255.0 null 0
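How the four dampening parameters interact is clearer with numbers. The following Python simulation is an added example for this page, not code from the author or from Cisco. It uses the IOS convention of 1000 penalty points per flap, the default values listed above, and models the penalty decay continuously rather than in the 5-second steps IOS actually uses; the flap times it replays are constructed. It also carries out the sanity check a practitioner should run on any non-default policy: whether the suppress threshold is reachable at all under the penalty ceiling.

```python
import math

PENALTY_PER_FLAP = 1000  # IOS adds 1000 to a route's penalty on each flap


class Dampening:
    """The four numeric parameters of 'bgp dampening', defaults as on the page."""

    def __init__(self, half_life=15, reuse=750, suppress=2000, max_suppress=60):
        self.half_life = half_life          # minutes for the penalty to halve
        self.reuse = reuse                  # re-advertise once penalty drops below this
        self.suppress = suppress            # suppress once penalty rises above this
        self.max_suppress = max_suppress    # longest a route may stay suppressed
        # The penalty is capped so that it always decays from the cap down to
        # 'reuse' within max_suppress minutes; this is the ceiling IOS enforces.
        self.max_penalty = reuse * 2 ** (max_suppress / half_life)

    def is_usable(self):
        """A suppress threshold above the penalty ceiling can never be reached,
        so such a policy silently dampens nothing. Check this before deploying."""
        return self.max_penalty >= self.suppress

    def decay(self, penalty, minutes):
        """Exponential decay with the configured half-life (continuous model)."""
        return penalty * 2 ** (-minutes / self.half_life)

    def minutes_until_reuse(self, penalty):
        """How long a penalty takes to decay below the reuse threshold."""
        if penalty <= self.reuse:
            return 0.0
        return self.half_life * math.log2(penalty / self.reuse)


def simulate(policy, flap_times):
    """Event-driven replay of one prefix flapping at the given times (minutes).

    Returns (history, release_time): history holds (time, penalty, suppressed)
    after each flap; release_time is when a suppressed route is re-advertised,
    or None if it is not suppressed after the last flap.
    """
    penalty, last_t, suppressed, history = 0.0, 0.0, False, []
    for t in flap_times:
        penalty = policy.decay(penalty, t - last_t)
        if suppressed and penalty < policy.reuse:
            suppressed = False   # it decayed past reuse before this flap arrived
        penalty = min(penalty + PENALTY_PER_FLAP, policy.max_penalty)
        if penalty > policy.suppress:
            suppressed = True    # stays set until the penalty drops below reuse
        history.append((t, round(penalty), suppressed))
        last_t = t
    release = last_t + policy.minutes_until_reuse(penalty) if suppressed else None
    return history, release


if __name__ == "__main__":
    default = Dampening()
    print("penalty ceiling with defaults:", default.max_penalty)
    # Three flaps one minute apart: the second flap alone does not suppress,
    # because the first penalty has already decayed a little.
    hist, release = simulate(default, [0, 1, 2])
    for row in hist:
        print("t=%3d min  penalty=%5d  suppressed=%s" % row)
    print("re-advertised at about %.1f min" % release)
    # A burst of flaps hits the ceiling, so suppression lasts exactly max_suppress.
    _, release = simulate(default, [0] * 20)
    print("after 20 rapid flaps, re-advertised at %.1f min" % release)
    # A badly chosen policy: the ceiling (about 1191) is below suppress (2000).
    bad = Dampening(half_life=15, reuse=750, suppress=2000, max_suppress=10)
    print("suppress 2000 reachable with max-suppress 10?", bad.is_usable())
```

Three flaps in quick succession cost a prefix about half an hour of reachability under the defaults, and a burst costs the full 60 minutes, which is why the caveat about default thresholds above matters. The is_usable check is worth keeping in any config-review tooling: a policy whose suppress value exceeds reuse-value times 2^(max-suppress/half-life) looks configured but never fires.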
Note: Any of these methods can be right for one network and wrong for another. Never implement a security enhancement without first having a good understanding of how the protocol operates.
Note: All addresses and autonomous system numbers used in this document have no relevance to the subject and are used purely as examples.