Reducing the BGP Hijacking risk reduction is a layered solution. Organizations cannot jump into RPKI BGP Security if they have not established the basics for BGP Security. It must be remembered that projecting against BGP Hijacks is not a “one tool” approach. All the BGP Security techniques work together. Organizations should view this as a layered approach. Start with the essentials. Then move to tighter peering agreements. Once those tighter peering arrangements are set up, you move to a Peerlock model. This builds an island or resiliency around your ASN. Once all of that is done, the organization would be ready to move to BGPSEC.
Layer 1 – The BGP Peering Essentials
Many of the most critical BGP Route Hijack issues are minimized through BGP Peering Essentials. These essentials are provided by the router vendors and provide a guideline of what needs to be filtered where. Much of the BGP Security risk can be reduced if Telcos, ISPs, and other large networks just deploy this first layer. The problem is that as of Sept 2018, most do not deploy these basics.
There is no point pushing for BGPSEC RPKI Route Validation deployments when the basics are not deployed. The good news is the vast library of materials to help organizations deploy these essentials. The reference guide BGP Route Hijack – What can be done Today? Is a place to start, but a search for “BGP Security BCPs” will point out a range of materials can organizations can tap into.
Layer 2 – Mutually Agreed Norms for Routing Security (MANRS)
The second layer is the core principles outlined in Mutually Agreed Norms on Routing Security (MANRS). MANRS is a collection of best practices agreed to by major Operators around the world. MANRS is a commitment to each other that a signatory will deploy core security essentials which include BGP Routing Security. While the first layer would also include BGP security principles, MANRS take the practice several steps further – including Source Address Validation, Human Coordination, and Global Validation.
“Are you a MANRS Signatory?” “Why are you not a MANRS Signatory?” “If you have committed MANRS, can you walk through how you are protecting my organization from BGP Hijacks?
These are all questions all organization should be asking their Internet and Telecom providers.
For those interested, the Internet Society has provided everyone on the Internet a MANRS online tutorial. https://www.internetsociety.org/tutorials/manrs/
Layer 3 – Build a BGP Island of Resilience with Peer-Lock
Job Snijders <email@example.com> is leading the Internet community to deploy BGP Security resiliency with the tools available today. BPG Peer-Lock is an evolution of how we set up a BGP Peering session. We use BGP Peer-Lock to lock down “known” peering relationships from all of your peers. For example, we know PCCW is not upstream Operator for AT&T. We also know AT&T is not upstream Operator for PCCW. In other words, AT&T and PCCW are Tier 1 peers who will never provide transit to each other. That means when we see this AS_Path in a BGP prefix advertisement AS_PATH 2914_3491_7018 we would not it is garbage! (NTT_PCCW_AT&T).
BGP Peer-Lock requires people to take more time with their peers and transit operators. With that time, you can build an island of BGP Security Resiliency by more robust AS Path Filters which Whitelist KNOWN GOOD BEHAVIOR.
Layer 4 – RPKI Route Origin Validation
Resource Public Key Infrastructure (RPKI) is a public security key infrastructure that we use to validate who is authorized to advertise which routes from where. It has taken decades of work on the BGPSEC architecture, but as of mid-2018, we have our first production deployments of ASNs who have RPKI Route Origin Validation turned on. That means Layers 1 – 3 are critical to preparing for the key objective, large-scale deployment of RPKI Route Origin Validation.
Looking for details on RPKI deployment?
We have a Resource Public Key Infrastructure (RPKI) community FAQ. This is a community GITHUB project where multiple experts are collaborating together to list out the why and how for RPKI deployment. You can find out more as well as contribute here: https://github.com/NLnetLabs/rpki-faq/blob/master/faq.rst#why-do-i-need-rsync-on-my-system-to-use-a-validator
Remember – All BGP Security Layers!
Remember, BGP Hijacking Risk Reduction is a Layered Solution! There are cases with routing mistakes where RPKI would not have prevented the problem. There are cases where BGP Peerlock would not prevent the problem. There are many cases where the deployment of BGP peering basics would have prevented major mistakes. Simple things like a written organizational policy on BGP with a review process for all changes help mitigate innocent human error.
Back to the main guide BGP Route Hijacks & Routing Mistakes – What can be done Today?
These BGP security materials are provided to help people around the Internet understand how do their part to deploy a more resilient BGP infrastructure. Seek out more information on www.senki.org via the Operators Security Toolkit. You can also subscribe to the Senki update mailing list here: Stay Connected with Senki’s Updates