
BGP/BGP4+

Overview

The main BGP/BGP4+ security hardening policies are as follows:

  • BGP/BGP4+ MD5 authentication

    BGP/BGP4+ uses TCP as its transport layer protocol and accepts a TCP packet as long as its source and destination IP addresses, source and destination port numbers, and TCP sequence number are correct. However, an attacker can obtain most of these parameters relatively easily and forge packets that pass this check. To protect BGP/BGP4+ from such attacks, configure TCP MD5 authentication for BGP/BGP4+ peers, so that a packet is accepted only if it also carries a valid MD5 signature computed with the shared password. For security purposes, change the MD5 passwords configured for BGP/BGP4+ peers periodically.

    Because MD5 is cryptographically weak, keychain authentication, which supports key rotation, is recommended instead.

  • Keychain authentication

    A keychain consists of multiple authentication keys, each of which contains an ID and a password. Each key in a keychain has a lifecycle, based on which keys are dynamically selected. After a keychain with the same rules is configured on the two ends of a BGP/BGP4+ session, authentication keys are dynamically selected to enhance BGP/BGP4+ attack defense.

  • CPCAR

    For enabled services and protocols, a device can limit the rate at which packets are sent to the CPU. This helps protect the CPU from attacks and ensures the network operates as expected.

  • Route threshold-crossing control

    A BGP/BGP4+ routing table usually contains a large number of routes, and a device that receives too many routes from a single peer can exhaust its system resources. To prevent this, set the maximum number of routes that the local BGP/BGP4+ device accepts from each peer.

    You can also use the BGP/BGP4+ PAF file to limit the maximum number of routes that the device accepts from all BGP peers. This prevents the device from consuming excessive memory resources to process a large number of received routes, which would otherwise cause the device to restart.

  • Limitation on the number of AS numbers that can be contained in the AS_Path attribute

    When a BGP/BGP4+ device receives a route, it checks whether the number of AS numbers in the AS_Path attribute exceeds a specified threshold and discards the route if it does. The device performs the same check before advertising a route and does not advertise a route that exceeds the threshold. This prevents attacks that use maliciously constructed messages carrying an extra-long AS_Path attribute.

Common attack methods are as follows:

  • Denial of service (DoS) attacks

    Attackers can flood a device with packets of various types. If the packets are anycast protocol packets, or their destination IP address is the address of an interface (including a loopback interface) on the device, the device sends them to the CPU for processing. This consumes CPU and system resources and results in DoS. To address this problem, configure the whitelist function. When it is enabled, the system delivers a whitelist after a BGP/BGP4+ session is created: protocol packets that match the whitelist (those belonging to the established session) are sent to the CPU by the application-layer association module at a high bandwidth and rate, while packets that do not match are sent at the default bandwidth and rate, so unsolicited packets cannot crowd out the traffic of established sessions. You can also limit the rate at which BGP/BGP4+ messages are sent to the CPU by configuring CPCAR on interfaces. Both measures help protect the CPU from attacks and keep the network operating as expected.

  • Injection of numerous BGP/BGP4+ routes

    BGP/BGP4+ runs on many types of devices, and the number of BGP/BGP4+ routes a device can hold depends on its CPU and memory resources. If a device receives more routes than it supports, memory exhaustion makes it operate abnormally and fail to process services. To prevent this, set a PAF-based route limit for the device, or set the maximum number of BGP/BGP4+ routes that the device accepts from a single peer. The device then discards routes that exceed the limit, so an attacker who injects large numbers of routes cannot exhaust its resources.

  • Construction of error BGP/BGP4+ messages

    Attackers may attack a device by constructing malformed messages, such as messages with extra-long AS_Path attributes, incorrect headers, incorrect lengths, or invalid next hops. To defend against such attacks, BGP/BGP4+ applies an easy-in, difficult-out policy: a device discards the malformed messages it receives without tearing down the peer relationship, so service continues. In addition, you can set the maximum number of AS numbers allowed in the AS_Path attribute of a message, so that the device neither accepts nor advertises a route whose AS_Path attribute contains more than this number of AS numbers.

  • Network packet attacks

    It is relatively easy for attackers to obtain the majority of parameters in the 5-tuple of a packet. To protect BGP/BGP4+ from network packet attacks, take the following measures:

    • Use TCP MD5 authentication between BGP/BGP4+ peers to reduce the possibility of attacks.

    • Configure keychain authentication for BGP/BGP4+ sessions to enhance BGP/BGP4+ attack defense.
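The check that both of these measures rely on, shown end to end as an added example (this is not Huawei code or the device's implementation): the sender computes the RFC 2385 TCP MD5 signature over the segment and a shared key, and the receiver recomputes it, so a spoofed segment with the correct 5-tuple and sequence number but without the key is dropped. The Keychain class models the lifecycle-based key selection described above using the same MD5 digest for every key; the device's keychain feature supports other algorithms. The IP addresses, ports, keys and time windows are constructed for the example.

```python
"""RFC 2385 TCP MD5 signature check with keychain-style key rotation.
Added example, not Huawei code; addresses, ports, keys and times are
constructed. The keychain reuses the MD5 digest for every key."""
import hashlib, hmac, socket, struct
from dataclasses import dataclass
from typing import List, Optional

TCPOPT_MD5SIG, TCPOLEN_MD5SIG = 19, 18   # option kind; kind + length + 16-byte digest
BGP_PORT = 179

@dataclass
class Segment:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int                  # 0x04 = RST, 0x18 = PSH|ACK
    payload: bytes = b""
    data_offset: int = 10       # header words: 20-byte base + 18-byte option + 2 NOPs = 40 bytes

def md5sig_digest(seg: Segment, key: bytes) -> bytes:
    """RFC 2385 section 2: MD5 over the pseudo-header, the TCP header without
    options (checksum zeroed), the segment data, and finally the key."""
    tcp_len = seg.data_offset * 4 + len(seg.payload)
    pseudo = (socket.inet_aton(seg.src_ip) + socket.inet_aton(seg.dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))
    header = struct.pack("!HHIIHHHH", seg.src_port, seg.dst_port, seg.seq, seg.ack,
                         (seg.data_offset << 12) | (seg.flags & 0x1FF),
                         65535, 0, 0)   # window (fixed for the example), checksum = 0, urgent = 0
    return hashlib.md5(pseudo + header + seg.payload + key).digest()

def md5sig_option(seg: Segment, key: bytes) -> bytes:
    """Option bytes the sender places in the TCP header, NOP-padded to 20 bytes."""
    return struct.pack("!BB", TCPOPT_MD5SIG, TCPOLEN_MD5SIG) + md5sig_digest(seg, key) + b"\x01\x01"

def extract_md5sig(options: bytes) -> Optional[bytes]:
    """Walk the TCP option list; return the 16-byte digest, or None if absent/malformed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            return None
        if kind == 1:                       # NOP
            i += 1
            continue
        length = options[i + 1] if i + 1 < len(options) else 0
        if length < 2 or i + length > len(options):
            return None                     # malformed option: treat the segment as unsigned
        if kind == TCPOPT_MD5SIG and length == TCPOLEN_MD5SIG:
            return options[i + 2:i + length]
        i += length
    return None

def verify_segment(seg: Segment, options: bytes, keys: List[bytes]) -> bool:
    """Accept only a signed segment whose digest matches a key currently valid
    for reception; the comparison is constant-time."""
    received = extract_md5sig(options)
    if received is None:
        return False                        # unsigned segment on a signed connection is dropped
    return any(hmac.compare_digest(received, md5sig_digest(seg, k)) for k in keys)

@dataclass
class Key:
    key_id: int
    secret: bytes
    send_start: int; send_end: int      # send window (epoch seconds)
    recv_start: int; recv_end: int      # receive window; overlaps its neighbour to tolerate skew

class Keychain:
    """The sender uses the key whose send window contains now; the receiver accepts
    any key whose receive window contains now. Both ends must share these rules."""
    def __init__(self, keys: List[Key]):
        self.keys = keys
    def send_key(self, now: int) -> bytes:
        active = [k.secret for k in self.keys if k.send_start <= now < k.send_end]
        if not active:
            raise LookupError("no active send key")
        return active[0]
    def receive_keys(self, now: int) -> List[bytes]:
        return [k.secret for k in self.keys if k.recv_start <= now < k.recv_end]

def demo():
    chain = Keychain([Key(1, b"bgp-key-a", 0, 1000, 0, 1100),
                      Key(2, b"bgp-key-b", 1000, 2000, 900, 2100)])
    keepalive = b"\xff" * 16 + b"\x00\x13\x04"   # BGP KEEPALIVE: marker, length 19, type 4
    legit = Segment("192.0.2.1", "192.0.2.2", 40000, BGP_PORT, 1000, 5000, 0x18, keepalive)
    # 1. the genuine peer signs at t=500 with key 1; the receiver checks at t=520
    ok_legit = verify_segment(legit, md5sig_option(legit, chain.send_key(500)), chain.receive_keys(520))
    # 2. an attacker who knows the 5-tuple and an in-window seq forges a RST without the key
    rst = Segment("192.0.2.1", "192.0.2.2", 40000, BGP_PORT, 1000, 5000, 0x04)
    ok_forged = verify_segment(rst, md5sig_option(rst, b"guess"), chain.receive_keys(520))
    ok_unsigned = verify_segment(rst, b"", chain.receive_keys(520))
    # 3. rotation: at t=1050 the sender has moved to key 2; both receive windows are still open
    ok_rotated = verify_segment(legit, md5sig_option(legit, chain.send_key(1050)), chain.receive_keys(1050))
    # 4. peers whose keychains differ never verify each other, so no session can form
    other = Keychain([Key(1, b"different", 0, 2000, 0, 2000)])
    ok_mismatch = verify_segment(legit, md5sig_option(legit, chain.send_key(500)), other.receive_keys(520))
    return ok_legit, ok_forged, ok_unsigned, ok_rotated, ok_mismatch
```

demo() returns (True, False, False, True, False): the genuine and the rotated segment pass, while the forged RST, the unsigned RST and a peer with a different keychain are all rejected. The overlapping receive windows are what let the key change without dropping the session; if the two ends do not share the same windows and secrets, verification fails exactly as the keychain procedure below warns.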

Impact on the System

None

Procedure

  • Configure MD5 authentication.

    You can set an MD5 authentication password for a TCP connection so that TCP implements MD5 authentication for BGP/BGP4+. If authentication fails, no TCP connection can be established.

    1. Enter the system view.

      system-view

    2. Enter the BGP view.

      bgp { as-number-plain | as-number-dot }

    3. Configure an MD5 authentication password.

      peer { ipv4-address | ipv6-address | group-name } password { cipher cipher-password | simple simple-password }

      An MD5 authentication password can be set in either ciphertext or cleartext:

      • cipher cipher-password indicates that a password is set using a ciphertext string.

      • simple simple-password indicates that a password is set using a cleartext string.

      • For security purposes, you are advised to specify the ciphertext mode and change the password periodically.

      • If MD5 authentication is configured in the BGP view, the configuration also takes effect in the BGP-VPNv4 address family view because they use the same TCP connection.

      • BGP/BGP4+ MD5 authentication and BGP/BGP4+ keychain authentication are mutually exclusive.

  • Configure keychain authentication.
    1. Enter the system view.

      system-view

    2. Enter the BGP view.

      bgp { as-number-plain | as-number-dot }

    3. Configure keychain authentication.

      peer { ipv4-address | ipv6-address | group-name } keychain keychain-name

      Keychain authentication must be configured for TCP-based applications on both BGP/BGP4+ peers, and the encryption algorithms and passwords used by keychain authentication on both peers must be the same; otherwise, a TCP connection cannot be set up between BGP/BGP4+ peers and BGP/BGP4+ messages cannot be exchanged.

      The keychain specified by keychain-name must exist; otherwise, the TCP connection cannot be established.

      • If keychain authentication is configured in the BGP view, the configuration also takes effect in the BGP-VPNv4 address family view because they use the same TCP connection.

      • BGP/BGP4+ MD5 authentication and BGP/BGP4+ keychain authentication are mutually exclusive.

  • Configure the maximum number of AS numbers in the AS_Path attribute.
    1. Enter the system view.

      system-view

    2. Enter the BGP view.

      bgp { as-number-plain | as-number-dot }

    3. Configure the maximum number of AS numbers in the AS_Path attribute.

      as-path-limit as-path-limit-num
      • By default, the maximum number of AS numbers in the AS_Path attribute is 255.

      • After the as-path-limit command is configured, the router checks whether the number of AS numbers in the AS_Path attribute of each received route exceeds the configured maximum and discards the route if it does. If the maximum is set too small, legitimate routes with long AS_Path attributes are discarded, so choose a value above the longest path expected in your network.

  • Limit the number of routes received by a peer.
    1. Enter the system view.

      system-view

    2. Enter the BGP view.

      bgp { as-number-plain | as-number-dot }

    3. Configure the number of routes received by a peer or peer group.

      peer { group-name | ipv4-address } route-limit limit [ percentage ] [ alert-only | idle-forever | idle-timeout times ]

      If the number of routes already received from the peer exceeds the upper limit when the peer route-limit command is configured for the first time, the local router and its peer re-establish the peer relationship, regardless of whether alert-only is set.
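The inbound behaviour of the last two procedures (the AS_Path length check, including the outbound side described in the overview, and the per-peer route limit with its alert-only and idle actions), modelled as an added example that is not Huawei code. AS_PATH decoding follows RFC 4271 with 4-octet AS numbers (RFC 6793); the alarm percentage default, how AS_SET members are counted, the idle-timeout reconnect handling and the behaviour of alert-only beyond the limit are assumptions, and all peers, paths and limits are constructed.

```python
"""Inbound UPDATE checks modelling as-path-limit and peer route-limit.
Added example, not Huawei code. AS_PATH decoding follows RFC 4271/RFC 6793
(4-octet ASNs); the alarm percentage default and the idle-timeout handling
are assumptions; all peers, paths and limits are constructed."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

AS_SET, AS_SEQUENCE = 1, 2

def parse_as_path(attr: bytes) -> List[int]:
    """Decode an AS_PATH attribute value into a flat list of AS numbers.
    Raises ValueError on a malformed segment (the 'error message' case)."""
    asns, i = [], 0
    while i < len(attr):
        if i + 2 > len(attr):
            raise ValueError("truncated segment header")
        seg_type, count = attr[i], attr[i + 1]
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError("bad segment type %d" % seg_type)
        i += 2
        if i + 4 * count > len(attr):
            raise ValueError("segment length exceeds attribute")
        asns.extend(struct.unpack("!%dI" % count, attr[i:i + 4 * count]))
        i += 4 * count
    return asns

def encode_as_path(asns: List[int]) -> bytes:
    """Encode as AS_SEQUENCE segments; one segment holds at most 255 ASNs."""
    out = b""
    for start in range(0, len(asns), 255):
        chunk = asns[start:start + 255]
        out += struct.pack("!BB%dI" % len(chunk), AS_SEQUENCE, len(chunk), *chunk)
    return out

@dataclass
class RouteLimit:
    """peer X route-limit limit [percentage] [alert-only | idle-forever | idle-timeout minutes]."""
    limit: int
    percentage: int = 75                 # alarm threshold; the default value is an assumption
    action: str = "idle-forever"         # or "alert-only" / "idle-timeout"
    idle_timeout: int = 0                # minutes, used by idle-timeout only

@dataclass
class PeerState:
    accepted: int = 0
    state: str = "Established"
    alarms: List[str] = field(default_factory=list)
    retry_after: Optional[int] = None    # minutes until reconnect, idle-timeout only

class InboundPolicy:
    def __init__(self, local_as: int, as_path_limit: int = 255):
        self.local_as, self.as_path_limit = local_as, as_path_limit

    def configure_limit(self, ps: PeerState, rl: RouteLimit) -> str:
        """Applying a route-limit to a peer that already exceeds it resets the
        session even with alert-only, as the procedure note states."""
        if ps.accepted > rl.limit:
            ps.state = "Idle"
            return "session-reset"
        return "ok"

    def accept_update(self, ps: PeerState, rl: RouteLimit, as_path_attr: bytes) -> str:
        if ps.state != "Established":
            return "dropped:session-idle"
        try:
            path = parse_as_path(as_path_attr)
        except ValueError as err:
            return "discarded:malformed-as-path:" + str(err)   # discard, keep the session up
        if len(path) > self.as_path_limit:
            return "discarded:as-path-limit"
        if ps.accepted >= rl.limit:
            if rl.action == "alert-only":
                ps.alarms.append("limit-exceeded")
                return "discarded:route-limit"
            ps.state = "Idle"
            ps.retry_after = rl.idle_timeout if rl.action == "idle-timeout" else None
            return "session-reset"
        ps.accepted += 1
        if ps.accepted * 100 >= rl.limit * rl.percentage and "threshold" not in ps.alarms:
            ps.alarms.append("threshold")   # warning before the hard limit is reached
        return "accepted"

    def can_advertise(self, path: List[int]) -> bool:
        """Outbound check: after prepending the local AS the path must still fit."""
        return len([self.local_as] + path) <= self.as_path_limit

def demo():
    pol = InboundPolicy(local_as=64500, as_path_limit=10)
    rl = RouteLimit(limit=3, percentage=50)
    ps = PeerState()
    results = [
        pol.accept_update(ps, rl, encode_as_path([64501, 64502])),            # accepted
        pol.accept_update(ps, rl, encode_as_path(list(range(65001, 65012)))),  # 11 ASNs > 10
        pol.accept_update(ps, rl, b"\x02\x05" + struct.pack("!2I", 1, 2)),     # claims 5, carries 2
        pol.accept_update(ps, rl, encode_as_path([64503])),                   # 2nd route, 67% >= 50%
        pol.accept_update(ps, rl, encode_as_path([64504])),                   # 3rd route, at limit
        pol.accept_update(ps, rl, encode_as_path([64505])),                   # 4th: idle-forever
        pol.accept_update(ps, rl, encode_as_path([64506])),                   # session is down
    ]
    return results, ps
```

The malformed and over-long AS_PATH cases are discarded while the session stays up, which is the easy-in behaviour from the overview; only the route limit tears the session down, and with alert-only it would instead keep the session and discard the excess. The percentage alarm fires at the second route here, which is the signal to watch in monitoring before a peer hits the hard limit.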

Checking the Security Hardening Result

Run the display bgp peer [ { group-name | ipv4-address } log-info | [ ipv4-address ] verbose ] command to check BGP/BGP4+ peer authentication information.

Copyright © Huawei Technologies Co., Ltd.