BGP I

Top PDF BGP I:

It bends but would it break?:topological analysis of BGP infrastructures in Europe

It bends but would it break?:topological analysis of BGP infrastructures in Europe

Abstract—The Internet is often thought to be a model of re- silience, due to a decentralised, organically-grown architecture. This paper puts this perception into perspective through the results of a security analysis of the Border Gateway Protocol (BGP) routing infrastructure. BGP is a fundamental Internet protocol and its intrinsic fragilities have been highlighted extensively in the literature. A seldom studied aspect is how robust the BGP infrastructure actually is as a result of nearly three decades of perpetual growth. Although global black-outs seem unlikely, local security events raise growing concerns on the robustness of the backbone. In order to better protect this critical infrastructure, it is crucial to understand its topology in the context of the weaknesses of BGP and to identify possible security scenarios. Firstly, we establish a comprehensive threat model that classifies main attack vec- tors, including but non limited to BGP vulnerabilities. We then construct maps of the European BGP backbone based on publicly available routing data. We analyse the topology of the backbone and establish several disruption scenarios that highlight the possible consequences of different types of attacks, for different attack capabilities. We also discuss existing mitigation and recovery strategies, and we propose improvements to enhance the robustness and resilience of the backbone. To our knowledge, this study is the first to combine a comprehensive threat analysis of BGP infrastructures with advanced network topology considerations. We find that the BGP infrastructure is at higher risk than already understood, due to topologies that remain vulnerable to certain targeted attacks as a result of organic deployment over the years. Significant parts of the system are still uncharted territory, which warrants further investigation in this direction.
Show more

16 Read more

BGP Intro

BGP Intro

BGP is considered a “Path Vector” routing protocol. BGP was not built to route within an Autonomous System (AS), but rather to route between AS’s. BGP maintains a separate routing table based on shortest AS Path and various other attributes, as opposed to IGP metrics like distance or cost.

30 Read more

Approaches to Avoid Routing Disruptions with BGP in Autonomous System

Approaches to Avoid Routing Disruptions with BGP in Autonomous System

The Internet, initially developed as an interconnection of small number of networks has become essential in globe with advancements like Broadcast services, faster communication, IPTV etc. Routers the backbone components in the Internet works based on the different Routing protocols which guarantee communication between different networks [1]. A routing table is the memory of router that keeps track of the routing information. The techniques which are using in the routing process are compared with the help of convergence comparison [2]. BGP is the protocol which is used to interconnect different autonomous systems is the key in Internet world. The importance of BGP is clear and operates in robust state and many of its behaviors are essential in Internet connectivity [3]. IPv4 address allocation of BGP on the routers for their identification on Internet will affects the BGP table growth, and the address policies have better controlled with BGP table growth [4]. The routers which are directly connected in BGP for the traffic transmission between autonomous systems are peer routers. The optimal path selection between routers which are peers is with the help of optimal path selection [5]. There will be link failures between routers which are caused by the disruptions in networks like Looping, link failures occur [6]. The disruptions will be eliminated by the technique of the full mesh connectivity, this cause scalability increases different type of failures [7]. This link failure problems increases poor convergence behaviour problems cause end-to-end packet loss in Internet paths [8]. In this paper we proposed two methods as alternatives to full mesh connectivity, and also compare the performances of two methods.
Show more

6 Read more

— BGP, IGRP, EGP, HSRP, GLBP, GNS3,

— BGP, IGRP, EGP, HSRP, GLBP, GNS3,

Since each protocol has a unique set of features, it’s very important to choose an ideal combination of protocols for a reliable, fast and secure network communication. The right choice in the selection of routing protocols depends on the network parameters and requirements. Related works [2] has shown EIGRP to be a better choice when dealing with real time applications within the network like instant-messaging and video-conferencing; whereas OSPF and IS-IS are better suited for scalable and service provider networks. In the following [3] paper combination of multiple protocols was suggested to achieve a fast, convergence and secure communication platform. EGP was used to interconnect different autonomous systems in treelike topologies [4]. Later on, Border Gateway Protocol (BGP) was introduced as a successor to EGP, which allows fully decentralized management of the network. Unlike the IGPs, BGP is a path vector protocol; it selects the best path through the Internet by choosing the route that has to traverse the fewest number of AS.
Show more

6 Read more

Loop-freeness in multipath BGP through propagating the longest path

Loop-freeness in multipath BGP through propagating the longest path

(eBGP) sessions are configured between routers located at each side of the border between two ASes, while BGP routers within an AS communicate through iBGP sessions. BGP is much like a distance vector routing protocol, but rather than using a simple hop count or cost metric, it uses a list of the AS numbers of all the ASes between the local AS and a destination (stored in the AS_PATH attribute) to suppress loops. Potentially, for every possible destination, a router learns a path to that destination from several neighbouring BGP routers. The BGP protocol then selects a best path by computing a degree of preference for all paths to a given destination received from BGP speakers in neighbouring routing domains, and then selects the path with the highest degree of preference (expressed in the LOCAL_PREF attribute). BGP specifically employs seven tie breaking rules to end up with a single path towards each destination when there are multiple paths with a same LOCAL_PREF value.
Show more

6 Read more

Source Address Validation Implementation by Using BGP

Source Address Validation Implementation by Using BGP

Assistant Professor, Department of Computer Science and Engineering, SRM University, Ramapuram Campus, Chennai, India Abstract: The persistent evolution of the Internet continues to transform the way individuals, as well as businesses, educational institutions, and government organizations access, share, and communicate information. Convergence of digital voice, video, and data, is further consolidating the Internet as a critical infrastructure. One of the main routing protocols in the Internet and current de facto standard is the Border Gateway Protocol (BGP). Presently ubiquitous, BGP is a critical component of the exponentially growing network of routers that constitutes our contemporary Internet. Carrier networks, as well as most large enterprise organizations with multiple links to one or more service providers use BGP. The Distributed Denial-of-Service (DDoS) attack is a serious threat to the legitimate use of the Internet. Prevention mechanisms are thwarted by the ability of attackers to forge or spoof the source addresses in IP packets. By employing IP spoofing, attackers can evade detection and put a substantial burden on the destination network for policing attack packets. In this paper, we propose Source Address Validation Implementation (SAVI) that can mitigate the level of IP spoofing on the Internet. A key feature of our scheme is that it does not require global routing information. SAVIs are constructed from the information implicit in Border Gateway Protocol (BGP) route updates and are deployed in network border routers. We establish the conditions under which the SAVI correctly works in that it does not discard packets with valid source addresses. Based on extensive simulation studies, we show that, even with partial deployment on the Internet, SAVIs can proactively limit the spoofing capability of attackers. In addition, they can help localize the origin of an attack packet to a small number of candidate networks.
Show more

7 Read more

Assigned BGP extended communities

Assigned BGP extended communities

implementations. New communities can be registered in the IANA "BGP Well-known Communities" registry but it can’t be assumed anymore that they will be known by all BGP implementations. Implementations or BGP policies which recognize them will behave as specified in the IANA registry. Implementations which do not recognize those new IANA assigned communities will propagate them from BGP neighbor to BGP neighbor and from AS to AS with an unlimited scope.

6 Read more

Graceful BGP session shutdown

Graceful BGP session shutdown

On the g-shut initiator, upon maintenance time, it is required to: o apply an outbound BGP route policy on the maintained eBGP session to tag the paths propagated over the session with the g-shut community. This will trigger the BGP implementation to re- advertise all active routes previously advertised, and tag them with the g-shut community.

12 Read more

BGP Anomaly Detection using Decision Tree Based Machine Learning Classifiers

BGP Anomaly Detection using Decision Tree Based Machine Learning Classifiers

Abstract: Border Gateway Protocol (BGP) is utilized to send and receive data packets over the internet. Over the years, this protocol has suffered from some massive hits, caused by worms, such as Nimda, Slammer, Code Red etc., hardware failures, and/or prefix hijacking. This caused obstruction of services to many. However, Identification of anomalous messages traversing over BGP allows discovering of such attacks in time. In this paper, a Machine Learning approach has been applied to identify such BGP messages. Principal Component Analysis technique was applied for reducing dimensionality up to 2 components, followed by generation of Decision Tree, Random Forest, AdaBoost and GradientBoosting classifiers. On fine tuning the parameters, the random forest classifier generated an accuracy of 97.84%, the decision tree classifier followed closely with an accuracy of 97.38%. The GradientBoosting Classifier gave an accuracy of 95.41% and the AdaBoost Classifier gave an accuracy of 94.43%. Keywords: Anomalies, Border Gateway Protocol (BGP), Decision Trees, Machine Learning (ML)
Show more

6 Read more

Assigned BGP extended communities

Assigned BGP extended communities

implementations. New communities can be registered in the IANA "BGP Well-known Communities" registry but it can’t be assumed anymore that they will be known by all BGP implementations. Implementations or BGP policies which recognize them will behave as specified in the IANA registry. Implementations which do not recognize those new IANA assigned communities will propagate them from BGP neighbor to BGP neighbor and from AS to AS with an unlimited scope.

7 Read more

Securing Routing Protocol BGP

Securing Routing Protocol BGP

Secure Border Gateway Protocol (S-BGP) is the initial platform to secure BGP. Due to significant use of asymmetric cryptography and certificates, S-BGP becomes more expensive in storage, computation and time taken for key generation and verification. S-BGP also has higher cost for storing the detailed topology information [1]. Pretty Secure BGP (psBGP) signifies a new alternative for prefix authentication through the decentralized authentication system. Every autonomous system keeps a new prefix assertion list (PAL), which include the address ownership declaration in the local autonomous systems and its neighbors. Prefix information is verified by checking regularity of prefix assertion list around its source [4].
Show more

7 Read more

Structural analysis of the biliary glycoprotein (BGP) binding site

Structural analysis of the biliary glycoprotein (BGP) binding site

The existence of several BGP isoform s, including one consisting of only the N -term inal dom ain followed by the transm em brane an d cytoplasmic dom ains, BGPx and BGPx' for the short cytoplasm ic tail, (Barnett et al. 1993) lead to the idea that it m ight be possible to test the possibility of a N -N interaction for the BGP hom ophilic adhesion. C onstruction of a BGPx' splice variant equivalent w as achieved by using a tw o step PCR based procedure. The resulting cDNA com prises the Leader sequence, N -term inal dom ain, 9 base pairs of the A l dom ain (thought to code for the am ino acids in the hinge betw een th e N an d A l dom ains), the transm em brane and the cytoplasm ic coding sequences. The predicted cDNA w as confirm ed by sequencing w ith no am ino acid substitutions th at m ig h t resu lt from nucleotide m isin co rp o ratio n d u rin g the PCR process being detected. F urtherm ore u p o n electroporation into CHO cells a recognisable protein was being expressed on the CHO cytoplasmic m em brane. A ntibody staining confirm ed th at the protein obtained seem ed to have the correct three dim ensional folding and th at the A l, B1 and A2 dom ains w ere no longer there. A ntibodies know n to react w ith the BGP N -term inal dom ain (C hapter III, Table 3.1) still stained the chim eric p ro tein w hile antibodies against the other BGP extracellular dom ains w ere now negative (Fig.4.4). W estern blot analysis show ed a significant decrease in size for the BGPx' w hen com pared to the BGPc isoform , confirm ing th at the BGPx' isoform was a m uch sm aller protein w ith a m olecular w eight (less than 30 kDa) consistent w ith the deletion of the three IgC2-like constant dom ains present on the BGPa and c isoforms. Confocal analysis of the staining of the new CHO-BGPx' cell line show ed a rem arkable sim ilarity to the patern obtained for the CHO-BGPc cell line w ith the BGPx' m olecule concentrating m ostly on the cell surface and particularly on the sites of cell to cell contact.
Show more

256 Read more

Inferring BGP blackholing activity in the Internet

Inferring BGP blackholing activity in the Internet

Public BGP Data: We analyze widely-used public datasets from the route collectors of the (i) RIPE Routing Information Service (RIS) [60], (ii) Route Views (RV) [69], and (iii) Packet Clearing House (PCH) [55]. All of these platforms consist of several routers that col- lect default-free BGP routing information from a multitude of BGP peers. Some BGP peers send full routing tables, others partial views, and even others only their customer routes. The platforms then pub- licly offer full BGP routing updates. Many IXPs offer route servers as a free value-added service to simplify BGP session management for their members. Route servers collect routing information at the IXP in a centralized manner and redistribute them to connected member routers. As such, they offer BGP routing information for most of the IXP members [58]. PCH maintains route collectors at 111 different IXPs (March 2017) [56] and makes the data available. Private BGP Data: While the above datasets cover a significant part of the Internet, their scope is biased by where the collectors are placed, which networks participate, e.g., RIS and RV are biased to what is announced by large transit providers in the core of In- ternet [62], and if a direct peering feed via BGP is available. To overcome some of these limitations we augment the publicly avail- able datasets with BGP updates from a large CDN which receives BGP feeds from about 3,350 BGP peers in about 1,300 networks. The CDN BGP dataset is unique because the CDN collectors also receive customer-specific and internal BGP announcements as the CDN deploys network equipment within many ISPs. This unique view of the CDN is the reason why it receives multiple times more unique prefixes than the collectors of the public datasets. Note that the CDN itself does not offer a BGP blackholing service.
Show more

14 Read more

A System for the Detection of Limited Visibility in BGP

A System for the Detection of Limited Visibility in BGP

Traffic engineering with BGP is performed through a series of methods which allows for a better control on the traffic flow both inside and outside a network [], providing operators with the means to optimize the use of their networks. Within the traffic engineering toolbox, the injection of artificially deaggregated prefixes through BGP offers a fine- grained method to control the interdomain ingress traffic. When combined with routing policies in the form of selective advertisements [69], prefix deaggregation enables operators to control how the traffic enters their network, which is one of the most challenging task to be achieved in traffic engineering with BGP. Prefix deaggregation is recognized as a steady long-lived phenomenon at the interdomain level, despite the negative overtone surrounding this approach [11,25]. The most important negative side-effect of the widespread adoption of this technique is the artificial inflation of the BGP routing table, which can affect the scalability of the global routing system. This issue has become an important concern of the entire Internet community over the past years [10]. From this perspective, this type of behaviour is considered to be harmful, as it heavily impacts the global routing table and it acts counter to the goals of the Classless Inter Domain Routing (CIDR) architecture, which encourages aggressive address aggregation.
Show more

120 Read more

Best Practices for Advertisement of Multiple Paths in BGP

Best Practices for Advertisement of Multiple Paths in BGP

Another solution is for a router to advertise a maximum of N paths to iBGP peers. Here, the computational cost is the selection of the N paths. Indeed, there must be a ranking of the paths in order to advertise the most interesting ones. A way for a router to select N paths is to run N times its decision process. At each iteration of the process only those paths not selected during a previous iteration and those with a different NEXT_HOP and BGP Identifier (or Originator ID) combination from previously-selected paths are eligible for

24 Read more

OmniSwitch 6800 Series OmniSwitch 6850 Series OmniSwitch 9000 Series Advanced Routing Configuration Guide

OmniSwitch 6800 Series OmniSwitch 6850 Series OmniSwitch 9000 Series Advanced Routing Configuration Guide

BGP is a distance vector protocol, like the Routing Information Protocol (RIP). It does not require peri- odic refresh of its entire routing table, but messages are sent between BGP peers to ensure a connection is active. A BGP speaker must retain the current routing table of its peers during the life of a connection. Hosts using BGP communicate using the Transmission Control Protocol (TCP) on port 179. On connec- tion start, BGP peers exchange complete copies of their routing tables, which can be quite large. However, only changes are exchanged after startup, which makes long running BGP sessions more efficient than shorter ones. BGP-4 lets administrators configure cost metrics based on policy statements.
Show more

296 Read more

Detecting peering infrastructure outages in the wild

Detecting peering infrastructure outages in the wild

Dictionary Statistics: As of December 2016, our community dic- tionary includes 5,284 communities by 468 ASes and 48 route servers, and covers 288 cities in 72 countries, 172 IXPs, and 103 facilities. While 468 ASes is a small fraction of the ASes, it includes all but two Tier-1 ASes and most major peering ASes. Note that for the two Tier-1 ASes (XO Communications and Verizon) missing from our dictionary we observed less than 20 different community values in the public BGP data, which indicates that they either do not use communities to annotate their PoPs, or they do not prop- agate such communities outside their domain and do not provide publicly accessible community documentations. Figure 5 shows the geographical coverage of locations we extract from the com- munities. The majority of the communities (66%) tag a location in Europe, followed by North America (24.5%), while only 2% of the communities cover locations in Africa and South America. Al- though the interconnection ecosystem in these regions is indeed relatively underdeveloped [55, 71], the difference in coverage can be also explained by biases in the underlay documentation sources, such as the completeness of the different Internet Routing Reg- istries [6], and the fact that our natural language parser works only with English text. As we elaborate in Section 5.2, location BGP Communities included in our dictionary are present in about half of all BGP IPv4 updates. To ensure freshness we recompute our dictionary every two weeks and always use the dictionary from the corresponding time period for route processing. To validate the correctness of our automatically-generated community dictionary, we compared it against a manually-constructed dictionary. Due to the overhead of manually parsing community documentations, we limited the validation to the 25 ASes in our dictionary with the highest number of BGP paths annotated. We did neither find a false positive nor a false negative.
Show more

14 Read more

Cost efficient overflow routing for outbound ISP traffic

Cost efficient overflow routing for outbound ISP traffic

(BGP) [2] is the de facto inter-domain routing standard on the Internet. In BGP jargon, domains are called Au- tonomous Systems (ASs). BGP is a path vector protocol that propagates reachability information of networks and distributes paths to all reachable ASs. Due to the massive growth of the Internet, BGP faces a number of known prob- lems: Route instabilities, convergence, scalability and rout- ing inefficiencies. These issues are well known by the re- search community and are not the immediate focus of this work. However, in this paper, it is assumed that gateway routers use BGP.
Show more

7 Read more

The Strategic Justification for BGP

The Strategic Justification for BGP

ASes are self-interested and might be willing to manipulate BGP for their benefit. In this paper we present the strategic justification for using BGP for interdomain routing in today’s Internet: We show that, in the realistic Gao-Rexford setting, BGP is immune to almost all forms of rational manipulation by single ASes, and can easily be made immune to all such manipulations. The Gao-Rexford setting is said to accurately depict the current commercial relations between ASes in the Internet. Formally, we model interdomain routing as a game and prove that a slight modification of BGP is incentive-compatible in ex- post Nash equilibrium. Moreover, we show that, if a certain reasonable condition holds, then this slightly modified BGP is also collusion-proof in ex-post Nash – i.e., immune to rational manipulations even by coalitions of any size. Unlike most previous works on achieving incentive-compatibility in interdomain routing, our results do not require any monetary transfer between ASes (as is the case in practice). Our results help explain why BGP is, in practice, resilient to rational manipulation (even without changes).
Show more

17 Read more

B. BGP Threats

B. BGP Threats

Abstract—The Border Gateway Protocol (BGP) is the critical routing protocol in the Internet infrastructure. However, there is no security concern in the original design of BGP, which suffers from various kinds of threats for attacks. To secure the BGP operation, this paper proposes an algorithm called consistent check. The algorithm is to verify the correctness of AS path in an incoming BGP update message by consulting the knowledge of other autonomous systems in the network. Unlike existing solution, this proposed algorithm does not require the need of cryptography calculation.
Show more

5 Read more

Show all 10000 documents...