Doubts raised about security of BGP

Security personnel have raised questions over the vulnerabilities of the border gateway protocol (BGP) and the speed with which vendors and regulatory bodies are pushing through specifications for Secure BGP.

By Zoe Moleshead. Published March 26, 2003

With BGP estimated to be in use on some 12,000 routers, which in turn serve 130,000 networks, any vulnerability or poorly configured router can cause major problems on the internet, including misdirected traffic or forgery.

“The BGP is the control plane that involves the communication of routing information between all the different ISPs, service providers and other entities that are involved in providing the internet infrastructure in the world today,” says Stefan Olofsson, consulting engineer, Cisco Systems, Middle East.

“The major vulnerability in BGP involves sending bogus or spoof routing information into an enterprise, or a service provider to either misdirect traffic into a black hole or redirect traffic through your network so it could be sniffed,” he adds.

Many of these problems arise because routers implicitly trust their neighbours, or peers, and therefore do not check the integrity of traffic and information. As such, a number of initiatives are under way to create digital signatures that would enable routers to identify exactly where a piece of information has come from, and to add encryption in the transport layer to prevent people from sniffing traffic.

The projects are being led by a number of bodies including two internet communities, SBGP (Secure Border Gateway Protocol) and SOBGP (Secure Origin Border Gateway Protocol), as well as the IETF (Internet Engineering Task Force).

“These projects... are trying to implement a system where upon receiving routing information from a peer you will immediately be able to confirm that this particular element or piece of information is coming from the origin that has been assigned to manage this particular address space,” says Olofsson.

“They are trying to address secure transport by adding encryption elements to BGP so that people won’t actually be able to hijack information in transit between point A and point B,” he adds.
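The origin check Olofsson describes can be modelled in a few lines. The following is an added example, not code from S-BGP, soBGP or any vendor: it assumes a hypothetical table of already signature-verified authorizations (prefix, authorized origin AS, maximum prefix length), built from documentation prefixes and AS numbers, and classifies a received announcement against it.

```python
import ipaddress

# Constructed sample data (assumption): each entry says which AS may originate
# a prefix and the longest more-specific it may announce. The signatures on
# these authorizations are assumed to have been verified before this point.
AUTHORIZATIONS = [
    ("192.0.2.0/24", 64500, 24),
    ("198.51.100.0/24", 64501, 25),
]


def check_origin(prefix, as_path, authorizations=AUTHORIZATIONS):
    """Classify an announcement as 'valid', 'invalid' or 'unknown'.

    prefix  -- announced prefix, e.g. "192.0.2.0/24"
    as_path -- AS numbers as received; the last entry is the origin AS
    """
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covered = False
    for auth_prefix, auth_as, max_len in authorizations:
        auth_net = ipaddress.ip_network(auth_prefix)
        # Only authorizations that cover the announced prefix are relevant.
        if net.version != auth_net.version or not net.subnet_of(auth_net):
            continue
        covered = True
        # Right origin AND not more specific than the holder allowed.
        if origin == auth_as and net.prefixlen <= max_len:
            return "valid"
    # Covered but no match: wrong origin or an unauthorized more-specific.
    # Not covered at all: nothing is known, so the route cannot be judged.
    return "invalid" if covered else "unknown"


if __name__ == "__main__":
    # Constructed announcements: (prefix, AS path as seen by the receiver).
    samples = [
        ("192.0.2.0/24", [64510, 64500]),    # legitimate origin
        ("192.0.2.0/24", [64510, 64511]),    # bogus origin for the prefix
        ("192.0.2.128/25", [64510, 64500]),  # more-specific than authorized
        ("203.0.113.0/24", [64510, 64500]),  # no authorization on file
    ]
    for prefix, path in samples:
        print(prefix, path, check_origin(prefix, path))
```

A receiving router that rejects "invalid" routes drops both the spoofed origin and the unauthorized more-specific prefix, the two announcement types that would otherwise pull traffic away from the legitimate holder.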

Some of these functions are already included in the existing BGP implementation: for example, packets can be assigned signatures, and routers contain policy functions that users can configure to improve security. However, some sources suggest that improvements to BGP have been slowed by the potential costs involved in using digital signatures and upgrading hardware, which in turn raises the cost of the internet.

Cisco’s Olofsson, however, contends that Secure BGP is a priority for the IETF and its member parties, but that awareness further down the chain is still limited. “In an enterprise BGP only serves a very specific purpose and that is managing the routing connection between the enterprise and the internet. IT staff are probably not aware of what it is, how it works and what precautions to take to secure the vulnerabilities,” he says.
