The Intra Autonomous System Routing Information Technology Essay

Published: November 30, 2015 Words: 2684

The BGP protocol is developed and maintained by the Inter-Domain Routing (IDR) Working Group of the Internet Engineering Task Force. The Border Gateway Protocol routes traffic between autonomous systems. An autonomous system is a network or group of networks under common administration and with common routing policies. BGP exchanges routing information for the Internet and is the protocol used between ISPs. Customer networks, such as universities and corporations, usually employ an Interior Gateway Protocol (IGP) like RIP or OSPF to exchange routing information within their networks. Customers connect to ISPs, and ISPs use BGP to exchange customer and ISP routes. When BGP is used between autonomous systems, the protocol is referred to as External BGP (eBGP). If a service provider is using BGP to exchange routes within an autonomous system, the protocol is referred to as Internal BGP (iBGP).

BGP is a very robust and scalable routing protocol, as evidenced by the fact that it is the routing protocol employed on the Internet. To achieve scalability at this level, BGP uses many route parameters, called attributes, to define routing policies and maintain a stable routing environment. BGP neighbors exchange full routing information when the TCP connection between neighbors is first established. When changes to the routing table are detected, the BGP routers send to their neighbors only those routes that have changed. BGP routers do not send periodic routing updates, and a BGP routing update advertises only the best path the sender has selected for a destination network.

How BGP works. When a BGP router first comes up on the Internet, either for the first time or after being turned off, it establishes TCP connections with the BGP routers it is configured to peer with and exchanges its full routing table with them. BGP is a path vector protocol: each router computes its own routing table from the paths it receives from its direct neighbors, and every path carries the list of autonomous systems it has already traversed. After the initial exchange it only sends much shorter incremental update messages to its neighbors.

BGP routers send and receive update messages to indicate a change in the preferred path to reach a given destination prefix. If the router decides to update its own routing table because the new path is better, it subsequently propagates this information to all of the other neighboring BGP routers to which it is connected, and they in turn decide whether to update their own tables and propagate the information further.

BGP runs over TCP on port 179. The base protocol has no message authentication of its own: RFC 1771 reserved the 16-byte marker field at the start of every message for an authentication mechanism that was never standardized, and RFC 4271 now requires the marker to be all ones. In practice a session is protected hop by hop with the TCP MD5 signature option (RFC 2385) or its successor TCP-AO (RFC 5925); these authenticate the TCP segments exchanged between two peers but say nothing about whether the routing information inside them is true. Each BGP router contains a Routing Information Base (RIB) that holds the routing information maintained by that router. The RIB contains three types of information:

Adj-RIBs-In. The unedited routing information sent by neighboring routers.

Loc-RIB. The actual routing information the router uses, developed from Adj-RIBs-In.

Adj-RIBs-Out. The information the router chooses to send to neighboring routers.

Figure 1: How BGP works

BGP OPERATION

Interautonomous system routing

Occurs between two or more BGP routers in different autonomous systems. Peer routers in these systems use BGP to maintain a consistent view of the internetwork topology. BGP neighbors in different autonomous systems are normally directly connected over a shared link; eBGP multihop relaxes this requirement at the cost of an explicitly configured TTL. The Internet serves as an example of an entity that uses this type of routing because it is composed of autonomous systems or administrative domains. Many of these domains represent the various institutions, corporations, and entities that make up the Internet. BGP is frequently used to provide path determination and optimal routing within the Internet.

Intra-autonomous system routing

Occurs between two or more BGP routers located within the same autonomous system. Peer routers within the same autonomous system use BGP to maintain a consistent view of the system topology. BGP also is used to determine which router will serve as the connection point for specific external autonomous systems. The Internet again provides examples of intra-autonomous system routing: an organization, such as a university, could make use of BGP to provide optimal routing within its own administrative domain or autonomous system. The BGP protocol can provide both inter- and intra-autonomous system routing services.

Pass-through autonomous system routing

Occurs between two or more BGP peer routers that exchange traffic across an autonomous system that does not run BGP. In a pass-through autonomous system environment, the BGP traffic does not originate within the autonomous system in question and is not destined for a node in that autonomous system. BGP must interact with whatever intra-autonomous system routing protocol is being used to successfully transport BGP traffic through that autonomous system.

BGP ALGORITHM

The BGP algorithm is run after a BGP router receives an update message from a neighboring router, and consists of the following three steps, performed for each prefix contained in the update:

Update

If the path information for a prefix in the update message differs from the information previously received from that router, then the Adj-RIBs-In database is updated with the newest information. A path that already contains the receiving router's own AS number is discarded at this point, because accepting it would create a routing loop.

Decision

If the information is new, a decision process is run to select, among all the paths for that prefix currently recorded in the Adj-RIBs-In, the one the router will use. RFC 4271 fixes the overall shape of this process, but its first step, assigning a degree of preference to each path, is local policy. Operators typically prefer the highest LOCAL_PREF, then the shortest AS_PATH, then the lowest ORIGIN, then the lowest MED, then the path with the lowest IGP cost to the next hop, with the neighbor's router ID as the final tie-break. If the path chosen as a result of this decision process differs from the one currently recorded in the Loc-RIB database, the database is updated.

Propagation

If the decision process found a better path, then the Adj-RIBs-Out database is updated as well, and the router sends update messages to all of its neighboring BGP routers to tell them about the better path (except the neighbor the path was learned from, which is never sent its own route back). Each neighboring router then runs its own BGP algorithm in turn, decides whether or not to update its routing databases, and propagates any new and improved paths to its own neighbors.

One of the other important functions performed by the BGP algorithm is to eliminate loops from routing information. For example, a routing loop would occur when router A thinks that router B has the best path to some destination, B thinks the best path is through C, but C thinks the best path is back through A. If such routing loops were allowed to form, any packet to that destination that passed through routers A, B, or C would circulate among them until its TTL expired, never being delivered and consuming increasing amounts of network resources. BGP prevents this with the AS_PATH attribute: every AS that forwards an update prepends its own number to the path, and a router discards any path in which its own AS number already appears.
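The three RIBs described above and the update/decision/propagation algorithm, as an added worked example that is not part of the original essay. It models a handful of eBGP speakers in Python: the AS numbers, router IDs and prefix in build_demo() are constructed, the preference order in preference_key() is the common vendor order reduced to LOCAL_PREF, AS_PATH length and ORIGIN, and the AS_PATH loop check sits in receive_update() exactly where the Update step discards looped paths.

```python
"""Model of one BGP speaker: Adj-RIBs-In, Loc-RIB, Adj-RIBs-Out, the
update/decision/propagation algorithm and AS_PATH loop detection.
Added example for this essay; topology and numbers are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple          # leftmost AS is the one that last forwarded it
    next_hop: str
    local_pref: int = 100
    origin: int = 0         # 0 = IGP, 1 = EGP, 2 = INCOMPLETE


def preference_key(route, peer_id):
    # Highest LOCAL_PREF, shortest AS_PATH, lowest ORIGIN, then the lowest
    # peer router ID as a deterministic tie-break (lower key wins).
    return (-route.local_pref, len(route.as_path), route.origin, peer_id)


class Speaker:
    def __init__(self, asn, router_id):
        self.asn, self.router_id = asn, router_id
        self.peers = {}        # router_id -> Speaker (all peers are eBGP here)
        self.adj_rib_in = {}   # router_id -> {prefix: Route}, unedited input
        self.loc_rib = {}      # prefix -> (Route, router_id it was learned from)
        self.adj_rib_out = {}  # router_id -> {prefix: Route}, what we last sent

    def add_peer(self, peer):
        self.peers[peer.router_id] = peer
        self.adj_rib_in[peer.router_id] = {}
        self.adj_rib_out[peer.router_id] = {}

    def receive_update(self, peer_id, advertised=(), withdrawn=()):
        """Step 1, Update: refresh the Adj-RIB-In kept for this peer."""
        rib_in, changed = self.adj_rib_in[peer_id], set()
        for prefix in withdrawn:
            if rib_in.pop(prefix, None) is not None:
                changed.add(prefix)
        for route in advertised:
            if self.asn in route.as_path:
                continue        # loop: our own AS already appears in the path
            if rib_in.get(route.prefix) != route:
                rib_in[route.prefix] = route
                changed.add(route.prefix)
        for prefix in changed:
            self.run_decision(prefix)

    def run_decision(self, prefix):
        """Step 2, Decision: best path across all Adj-RIBs-In into the Loc-RIB."""
        candidates = []
        for peer_id, rib_in in self.adj_rib_in.items():
            route = rib_in.get(prefix)
            if route is not None:
                candidates.append((preference_key(route, peer_id), route, peer_id))
        best = None
        if candidates:
            _, route, peer_id = min(candidates, key=lambda c: c[0])
            best = (route, peer_id)
        if self.loc_rib.get(prefix) == best:
            return False        # nothing changed, so nothing to propagate
        if best is None:
            del self.loc_rib[prefix]
        else:
            self.loc_rib[prefix] = best
        self.propagate(prefix)
        return True

    def propagate(self, prefix):
        """Step 3, Propagation: recompute Adj-RIB-Out and send only the deltas."""
        entry = self.loc_rib.get(prefix)
        for peer_id, peer in self.peers.items():
            out = None
            if entry is not None and entry[1] != peer_id:   # never echo a route back
                route = entry[0]                             # eBGP: prepend our AS and
                out = Route(prefix, (self.asn,) + route.as_path,  # become the next hop
                            self.router_id, origin=route.origin)
            if out == self.adj_rib_out[peer_id].get(prefix):
                continue
            if out is None:
                del self.adj_rib_out[peer_id][prefix]
                peer.receive_update(self.router_id, withdrawn=[prefix])
            else:
                self.adj_rib_out[peer_id][prefix] = out
                peer.receive_update(self.router_id, advertised=[out])


def best_path(speaker, prefix):
    entry = speaker.loc_rib.get(prefix)
    return None if entry is None else entry[0].as_path


def build_demo():
    """Constructed topology: AS65001 originates 203.0.113.0/24 and peers with
    AS65002 and AS65003, which also peer with each other; AS65004 sits behind AS65003."""
    a, b, c, d = (Speaker(65001, "10.0.0.1"), Speaker(65002, "10.0.0.2"),
                  Speaker(65003, "10.0.0.3"), Speaker(65004, "10.0.0.4"))
    for x, y in [(a, b), (a, c), (b, c), (c, d)]:
        x.add_peer(y)
        y.add_peer(x)
    origin = Route("203.0.113.0/24", (), "10.0.0.1")   # locally originated, empty path
    a.loc_rib[origin.prefix] = (origin, None)
    a.propagate(origin.prefix)
    return {"A": a, "B": b, "C": c, "D": d}


def withdraw_origin(speaker, prefix):
    speaker.loc_rib.pop(prefix)
    speaker.propagate(prefix)


if __name__ == "__main__":
    net = build_demo()
    print({name: best_path(s, "203.0.113.0/24") for name, s in net.items()})
    withdraw_origin(net["A"], "203.0.113.0/24")
    print({name: best_path(s, "203.0.113.0/24") for name, s in net.items()})
```

Running it shows AS65003 first learning the prefix through AS65002, then replacing that path with the shorter one direct from AS65001 and re-advertising the improvement to AS65004; the longer paths that would pass back through AS65001 are dropped at the loop check, and a single withdrawal at the origin empties every Loc-RIB.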

BGP MESSAGE TYPES

Four BGP message types are specified in RFC 1771 (since obsoleted by RFC 4271, which keeps the same four types):

Open message

Opens a BGP communications session between peers and is the first message sent by each side after a transport-protocol connection is established. An Open message is confirmed by a Keep-alive message from the peer, and must be confirmed before updates, notifications, and further keep-alives can be exchanged.

Update message

Used to provide routing updates to other BGP systems, allowing routers to construct a consistent view of the network topology. Updates are sent using the Transmission Control Protocol (TCP) to ensure reliable delivery. A single Update message can withdraw one or more unfeasible routes from the routing table and simultaneously advertise a route while withdrawing others.

Notification message

Sent when an error condition is detected. Notifications are used to close an active session and to inform any connected routers of why the session is being closed.

Keep-alive message

Notifies BGP peers that a device is active. Keep-alives are sent often enough to keep the session's hold timer from expiring; RFC 4271 suggests one keep-alive every third of the negotiated hold time.
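The message formats described above, as an added example that is not part of the original essay: a Python encoder and validating decoder for the fixed-format messages of RFC 4271 (the 19-byte header, OPEN, KEEPALIVE and NOTIFICATION), plus one side of the Open exchange in which a valid OPEN is confirmed with a KEEPALIVE and the smaller of the two offered hold times wins. The error codes are the ones RFC 4271 assigns; UPDATE bodies are carried through undecoded, and the AS numbers, hold times and router IDs used in the usage are constructed.

```python
"""Encoder and validating decoder for the fixed-format BGP messages of
RFC 4271 section 4, plus one side of the OPEN exchange. Added example for
this essay, not code from it; sample values are constructed."""
import socket
import struct

MARKER = b"\xff" * 16   # RFC 4271: all ones (RFC 1771 reserved it for authentication)
HEADER_LEN, MAX_LEN = 19, 4096
OPEN, UPDATE, NOTIFICATION, KEEPALIVE = 1, 2, 3, 4
MIN_LEN = {OPEN: 29, UPDATE: 23, NOTIFICATION: 21, KEEPALIVE: 19}

# NOTIFICATION error codes and subcodes used below (RFC 4271 section 4.5)
HDR_ERR, OPEN_ERR, FSM_ERR = 1, 2, 5
HDR_NOT_SYNC, HDR_BAD_LEN, HDR_BAD_TYPE = 1, 2, 3
OPEN_BAD_VERSION, OPEN_BAD_HOLD_TIME = 1, 6


class BGPError(Exception):
    def __init__(self, code, subcode, text):
        super().__init__(text)
        self.code, self.subcode = code, subcode


def encode(msg_type, body=b""):
    total = HEADER_LEN + len(body)
    if total > MAX_LEN:
        raise ValueError("BGP message exceeds 4096 octets")
    return MARKER + struct.pack("!HB", total, msg_type) + body


def encode_open(my_as, hold_time, router_id, opt_params=b""):
    body = struct.pack("!BHH4sB", 4, my_as, hold_time,
                       socket.inet_aton(router_id), len(opt_params))
    return encode(OPEN, body + opt_params)


def encode_keepalive():
    return encode(KEEPALIVE)


def encode_notification(code, subcode, data=b""):
    return encode(NOTIFICATION, struct.pack("!BB", code, subcode) + data)


def decode(buf):
    """Parse one message at the start of buf. Returns (message, octets used);
    (None, 0) means wait for more TCP data. Raises BGPError for anything the
    receiver must answer with a NOTIFICATION and a session close."""
    if len(buf) < HEADER_LEN:
        return None, 0
    if buf[:16] != MARKER:
        raise BGPError(HDR_ERR, HDR_NOT_SYNC, "connection not synchronized")
    length, msg_type = struct.unpack("!HB", buf[16:19])
    if msg_type not in MIN_LEN:
        raise BGPError(HDR_ERR, HDR_BAD_TYPE, "bad message type")
    if not MIN_LEN[msg_type] <= length <= MAX_LEN or (msg_type == KEEPALIVE and length != 19):
        raise BGPError(HDR_ERR, HDR_BAD_LEN, "bad message length")
    if len(buf) < length:
        return None, 0
    body = buf[HEADER_LEN:length]
    if msg_type == KEEPALIVE:
        return {"type": "KEEPALIVE"}, length
    if msg_type == OPEN:
        version, my_as, hold, rid, opt_len = struct.unpack("!BHH4sB", body[:10])
        if version != 4:
            raise BGPError(OPEN_ERR, OPEN_BAD_VERSION, "unsupported version")
        if hold in (1, 2):          # RFC 4271: hold time must be 0 or at least 3 s
            raise BGPError(OPEN_ERR, OPEN_BAD_HOLD_TIME, "unacceptable hold time")
        if 10 + opt_len != len(body):
            raise BGPError(HDR_ERR, HDR_BAD_LEN, "optional parameters overrun")
        return {"type": "OPEN", "my_as": my_as, "hold_time": hold,
                "bgp_id": socket.inet_ntoa(rid), "opt_params": body[10:]}, length
    if msg_type == NOTIFICATION:
        code, subcode = struct.unpack("!BB", body[:2])
        return {"type": "NOTIFICATION", "code": code, "subcode": subcode,
                "data": body[2:]}, length
    return {"type": "UPDATE", "body": body}, length


def try_decode(buf):
    """decode() for callers that want a status tuple instead of an exception."""
    try:
        msg, _ = decode(buf)
    except BGPError as e:
        return "error", (e.code, e.subcode)
    return ("need_more", None) if msg is None else ("ok", msg)


def handle_open(local_hold_time, peer_bytes):
    """One side's handling of the first bytes after the TCP connect: a valid
    OPEN is answered with a KEEPALIVE and the hold time becomes the smaller
    of the two offers; anything else is answered with a NOTIFICATION."""
    status, result = try_decode(peer_bytes)
    if status == "error":
        return {"state": "Idle", "reply": encode_notification(*result)}
    if status == "need_more":
        return {"state": "OpenSent", "reply": b""}
    if result["type"] != "OPEN":
        return {"state": "Idle", "reply": encode_notification(FSM_ERR, 0)}
    return {"state": "OpenConfirm", "peer_as": result["my_as"],
            "hold_time": min(local_hold_time, result["hold_time"]),
            "reply": encode_keepalive()}


if __name__ == "__main__":
    peer_open = encode_open(65001, 90, "10.0.0.1")        # constructed peer
    print(handle_open(180, peer_open))
    print(try_decode(b"\x00" * 16 + peer_open[16:]))     # bad marker
```

The length and marker checks run before any field is interpreted, which is the order a receiver must follow: a message that fails them is answered with a Message Header Error and the session is closed, so a peer (or someone injecting into the TCP stream) cannot make the decoder read past the buffer.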

POSSIBLE SECURITY ATTACK

The communication channel between two BGP-speaking routers is vulnerable to attacks. To simplify the discussion of possible attacks, we consider two BGP-speaking routers Alice and Bob, and a malicious third-party, who we call Charlie.

Attacks against confidentiality

Two routers communicating over a channel may be assumed to have a modicum of confidentiality; that is, they may expect that messages they send to each other would not be seen by any other party. However, Charlie could eavesdrop on the message stream between Alice and Bob, in an attempt to learn policy and routing information from the two parties. While this information is not necessarily sensitive, many service providers have business relationships that can be inferred from the BGP data. Allowing Charlie to infer these business relationships may be highly undesirable to Alice and Bob. These passive attacks are not unique to BGP, as they apply to any protocol that uses TCP for the underlying transport of messages without any additional security infrastructure.

Attacks against message integrity

Charlie can become a man in the middle between Alice and Bob, and tamper with the BGP messages. For example, BGP speakers exchange periodic keep-alive messages to test that they can still communicate; deleting these messages would cause Alice and/or Bob to think the connection is broken, causing them to tear down the BGP session. Charlie could also modify the messages between Alice and Bob, leading them to have inconsistent views of the routing information. Finally, Charlie can launch a replay attack, where he records messages between Alice and Bob and resends them at a later time. This allows Charlie to re-assert withdrawn routes or withdraw valid ones and force traffic to routes he defines.

Denial-of-service attack

The TCP connection between Alice and Bob may itself be the object of a denial-of-service attack, even from a remote adversary that does not have direct access to the link(s) between Alice and Bob. Denial-of-service attacks may also be carried out against the physical infrastructure on which the network runs, and such attacks can successfully cause changes in BGP routing. In addition, the ability of Charlie to force a BGP session reset can drive the configuration of Alice or Bob into a stable but undesired forwarding state. If these undesired states occur, manual intervention by network operators becomes necessary to change the state. This may require the co-operation of network operators across several ASes, as it is often the case that no single group of operators has a sufficiently global view of the network to implement a correct solution.

BGP SECURITY SOLUTIONS

BGP Security Architectures

Each architecture provides an explicit threat model and a suite of security services. The three most comprehensive approaches to BGP security, in order of the increasing flexibility they afford the operator, are S-BGP, soBGP, and IRV. All three remained research proposals; the part of this work that reached wide deployment is RPKI-based route origin validation (RFC 6480, RFC 6811), which standardizes the address-attestation idea but does not sign the AS path.

S-BGP: The S-BGP architecture employs three security mechanisms. First, a Public Key Infrastructure (PKI) is used to support the authentication of ownership of IP address blocks, ownership of Autonomous System (AS) numbers, an AS's identity, and a BGP router's identity and its authorization to represent an AS. This PKI parallels the IP address and AS number assignment system and takes advantage of the existing infrastructure. Second, a new, optional, BGP transitive path attribute is employed to carry digital signatures covering the routing information in a BGP UPDATE. These signatures along with certificates from the S-BGP PKI enable the receiver of a BGP routing UPDATE to verify the address prefixes and path information that it contains. Third, IPsec is used to provide data and partial sequence integrity, and to enable BGP routers to authenticate each other for exchanges of BGP control traffic.

Secure Origin BGP: Secure origin BGP (soBGP) seeks flexibility by allowing administrators to trade off security and protocol overhead, depending on how it is configured. In a similar manner to S-BGP, soBGP defines a PKI for authenticating and authorizing entities and organizations. The PKI manages three types of certificates. The first certificate type binds a public key to each soBGP-speaking router. A second certificate type provides details on policy, including the configured protocol parameters and local network topology. This information is stored by the soBGP router receiving the certificate, which uses the information to construct a topology database reflecting the router's view of the network. A third certificate is similar to S-BGP's address attestations in that it embodies address ownership or delegation.

Interdomain Routing Validation: Unlike the previous protocols, IRV operates independently of the routing protocol. The key idea of IRV is that each data item can be validated by directly querying the AS from which it came. Every AS in IRV runs an IRV server that can be directly queried by other ASes' IRV servers in order to verify data. Since an AS can verify information by directly communicating with any other AS, IRV trivially enables both route verification and topology validation. The fact that IRV is independent of the routing protocol has the advantage of making its incremental deployment in the Internet possible (unlike S-BGP and soBGP, which require ASes to switch to a somewhat different routing protocol).

ADVANTAGES OF BGP

The scenarios where BGP is the best match for network requirements:

Increasing network stability

A sound BGP design relies on a faster-converging routing protocol (OSPF, EIGRP or IS-IS) to provide core routing in the network, with BGP responsible for the edge/customer routing. With the separation of core and edge routing into two routing protocols, the network core becomes more stable, as edge problems cannot disrupt the core. This design has been used very successfully in large enterprise networks with haphazard addressing schemes that defied attempts at route summarization, and it should be used in almost all service provider environments.

Automatic response to denial-of-service attacks

BGP can specify any IP address as the next hop for an IP prefix. This property is most often used to ensure optimum routing across a BGP autonomous system, but it can also be used to implement network-wide sinkholes and remotely triggered blackholes that quickly stop worms and denial-of-service traffic on your network.

To implement remote blackholes it is enough to run BGP at strategic points in the network and peer them with a central trigger router through which the operator injects the IP addresses to block. Each edge router additionally needs a static route that sends the chosen blackhole next hop to a discard interface, and the trigger route is tagged with the no-export community so that it never leaves the autonomous system.
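The remotely triggered blackhole mechanism described above, as an added example that is not part of the original essay. It models the data plane of two edge routers in Python: the trigger router pushes victim/32 with next hop 192.0.2.1 to both (the address, interface names and prefixes are constructed), and the edge that carries the static route 192.0.2.1/32 to Null0 drops the victim's traffic, while an edge missing that route resolves the same next hop through its default route and forwards the attack traffic upstream instead. The check_discard_anchor() pre-flight check catches that misconfiguration before an incident. A sinkhole is the same mechanism with the anchor pointing at an analysis host instead of a discard interface.

```python
"""Remotely triggered blackhole (RTBH) as seen on the data plane of the
edge routers. Added example for this essay, not code from it; the
blackhole next hop, interfaces and prefixes are constructed."""
import ipaddress

BLACKHOLE_NH = "192.0.2.1"   # constructed: address every edge must map to Null0
DISCARD = "Null0"


def _is_address(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


class EdgeRouter:
    """One edge router's forwarding table: prefix -> next-hop address or egress interface."""

    def __init__(self, name):
        self.name = name
        self.routes = {}

    def add_route(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def remove_route(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, address):
        """Longest-prefix match; returns the matching route's next hop or None."""
        addr = ipaddress.ip_address(address)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]

    def resolve(self, address, max_depth=8):
        """Recursive resolution: follow next-hop addresses until an egress
        interface is reached, as a router does for the BGP NEXT_HOP attribute."""
        hop = self.lookup(address)
        for _ in range(max_depth):
            if hop is None or not _is_address(hop):
                return hop
            hop = self.lookup(hop)
        return None

    def install_bgp(self, prefix, next_hop):
        """A BGP route is installed only if its next hop resolves; True if installed."""
        if self.resolve(next_hop) is None:
            return False
        self.add_route(prefix, next_hop)
        return True


def trigger_blackhole(edges, victim):
    """Trigger-router action as seen by the edges: push victim/32 via the
    blackhole next hop, then report where each edge now sends the victim's traffic."""
    for edge in edges:
        edge.install_bgp(f"{victim}/32", BLACKHOLE_NH)
    return {edge.name: edge.resolve(victim) for edge in edges}


def release_blackhole(edges, victim):
    for edge in edges:
        edge.remove_route(f"{victim}/32")
    return {edge.name: edge.resolve(victim) for edge in edges}


def check_discard_anchor(edges):
    """Pre-flight check: an edge whose blackhole next hop does not resolve to
    the discard interface will forward the victim's traffic somewhere else."""
    return {edge.name: edge.resolve(BLACKHOLE_NH) == DISCARD for edge in edges}


def build_demo():
    good = EdgeRouter("edge1")
    good.add_route("0.0.0.0/0", "eth0")              # upstream transit
    good.add_route("203.0.113.0/24", "eth1")         # customer prefix
    good.add_route(f"{BLACKHOLE_NH}/32", DISCARD)    # the RTBH anchor
    bad = EdgeRouter("edge2")                        # same, minus the anchor
    bad.add_route("0.0.0.0/0", "eth0")
    bad.add_route("203.0.113.0/24", "eth1")
    return [good, bad]


if __name__ == "__main__":
    edges = build_demo()
    print("anchor ok:", check_discard_anchor(edges))
    print("after trigger:", trigger_blackhole(edges, "203.0.113.7"))
    print("after release:", release_blackhole(edges, "203.0.113.7"))
```

Only the single /32 is affected: the rest of the customer's /24 keeps its normal egress, which is what makes RTBH usable during an attack without taking the customer offline.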

Large-scale QOS or web caching deployment

BGP lets an operator attach extra information to every route it advertises, in the form of BGP communities, which are opaque to BGP itself but propagated throughout the network. Quality-of-Service Policy Propagation with BGP (QPPB) sets QoS bits for specific BGP destinations based on BGP communities and other BGP attributes, and Web Cache Communication Protocol (WCCP)-based web caching policy can likewise be controlled from BGP.

LIMITATIONS OF BGP

BGP does not protect the integrity, freshness and origin authentication of messages. Integrity ensures that a message has not been tampered with, freshness ensures that the recipient has actually received a new message, not one that has been replayed, and origin authentication refers to the verification that the originator of the update message is not fraudulent.

BGP does not validate an AS's authority to announce reachability information. This is related to path subversion, as an AS can currently announce that it has the shortest path to a destination by forging the path vector, even if it is not part of the destination path at all. BGP does not ensure the authenticity of the path attributes announced by an AS. Altering the path attributes is another way that a malicious AS can impair or manipulate the routing infrastructure.

CONCLUSION

BGP has been quite successful in providing stable interdomain routing, and is surprisingly robust. It was originally thought in many circles that the ISO's Interdomain Routing Protocol (IDRP) would be the successor to BGP, but because of diminishing interest in network protocols other than IP, BGP is the only interdomain routing protocol in wide use. Moreover, because of its huge installed base, BGP will continue to play a crucial role in Internet routing. As such, BGP will adapt to the changing needs of its constituency. In the end, a methodology for securing BGP may be one of the best ways to ensure that the Internet remains a reliable and useful vehicle for private and public communication. The BGP protocol provides a high degree of control and flexibility for interdomain routing while enforcing policy and performance constraints and avoiding routing loops.