
Peering Security

DKNOG, March 14-15, 2019

Susan Forney and Walt Wollny


Hurricane Electric AS6939
The Most Peering Exchanges

Hurricane Electric - Massive Peering!


Why worry about peering security?

• A peering connection is no safer than the ports you expose to the Internet.
• A peering port can be a back door into your network.
• The Internet as a whole is getting serious about security, so it is time to take a critical look at your peering sessions.
• Let's start by reviewing the basics.



Defending your network

The basic defenses for an exchange port are:

• Logical port security
• Routing security
• Best practices



Port Security

Your IX port exposes your network to the security risks inherent in any layer 2 port.

• Don't connect an interface with a default configuration to an IX port. Dozens, sometimes hundreds, of other networks are directly connected to the same LAN.
• Many IXPs publish their recommended port configuration (HKIX, AMS-IX, etc.).
• Most IXs allow only unicast traffic. The exceptions are ARP (broadcast) and IPv6 neighbor discovery (multicast), which the sessions themselves need.



Port Security

Configure IPv4 and IPv6 ACLs for your IX-facing interfaces:

• Permit traffic from the IX subnet to the IX subnet.
• Deny traffic from any other source to the IX subnet.
• Permit any any at the end of the ACL.

Many exchanges publish suggested port configurations.



Example IX port configuration (Cisco IOS syntax):

interface ethernet 0/1
 ! no discovery protocols toward hundreds of strangers
 no cdp enable
 no lldp transmit
 ! MOP and UDLD are link-local protocols with no business on an IX port
 no mop enable
 udld port disable
 ! never forward directed broadcasts, and do not answer or redirect on behalf of peers
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
 ! do not send router advertisements; the keyword differs between IOS releases,
 ! so use whichever of the two your platform accepts
 ipv6 nd suppress-ra
 ipv6 nd ra suppress
 ! no IPv6 multicast forwarding, MLD or PIM on the exchange LAN
 no ipv6 mfib forwarding
 no ipv6 mld router
 no ipv6 pim
 no ipv6 redirects
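The following is an added example, not from the slides, that turns the three ACL rules on the previous slide into Cisco IOS configuration and applies them to the same interface. The IX subnets 203.0.113.0/24 and 2001:db8:1::/64 are documentation ranges standing in for the real exchange LAN; substitute your IX's prefixes.

```cisco
! Added example (not from the slides). IX LAN assumed: 203.0.113.0/24 and 2001:db8:1::/64.
! Rule 1: only IX participants may talk to IX addresses (BGP sessions, pings between peers).
! Rule 2: nobody outside the IX LAN may reach IX addresses through this port
!         (spoofed or leaked traffic aimed at your router's IX address).
! Rule 3: everything else is transit traffic for your network and goes to the routing table.
ip access-list extended IX-PORT-IN
 permit ip 203.0.113.0 0.0.0.255 203.0.113.0 0.0.0.255
 deny   ip any 203.0.113.0 0.0.0.255
 permit ip any any
!
ipv6 access-list IX-PORT-IN-V6
 ! BGP and ICMPv6 between IX addresses
 permit ipv6 2001:db8:1::/64 2001:db8:1::/64
 ! neighbor discovery uses link-local sources and multicast or link-local destinations,
 ! so it does not match the deny below and falls through to the final permit
 deny   ipv6 any 2001:db8:1::/64
 permit ipv6 any any
!
interface ethernet 0/1
 ip access-group IX-PORT-IN in
 ipv6 traffic-filter IX-PORT-IN-V6 in
```

The deny line is deliberately not logged: a busy exchange port can generate enough hits to make logging itself a problem.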



Routing Security

Routing security matters in two directions:

• The routes you receive
• The routes you announce

We will start with the routes you receive.



Routing Security

The IXP is responsible for protecting the exchange infrastructure, but only you can prevent route leaks.

The IX LAN is not Internet-routed IP space. Nobody should advertise it, and least of all should you accept it.

Routing Security

Take control of the routes you receive:

• Install prefix filters
• Use AS-path filters to prevent leaks. Not sure who an AS is? Look it up on bgp.he.net.
• Limit each peer to a maximum number of prefixes


Routing Security

Most networks don't filter their peers. This hurts both the network that doesn't filter and its peers.

Every peer should have filters that only allow routes with valid origins and authorized advertisements.

You can automate filter generation to make it easier. Free tools like bgpq3 can do most of the work for you.

When you create a filter, check services like Spamhaus so that you do not accept prefixes that are blocked.
Routing Security: Why it matters

On 28 December 2018 China Telecom hijacked a US Department of Energy prefix (192.208.19.0/24) and did not correct the problem for 6 days.



Routing Security

The IRR route object covering that space:

route: 192.208.18.0/23
descr: Western Area Power Administration
Lakewood, CO 80228
origin: AS36404
notify: ITNetwork@wapa.gov
notify: nguyen@wapa.gov
notify: gdharmon@wapa.gov
mnt-by: MAINT-AS36404
changed: nguyen@wapa.gov 20160401 #12:56:20Z
source: RADB

A prefix filter built from this object permits only 192.208.18.0/23 from origin AS36404; a /24 announced from a different origin matches neither the prefix nor the origin and would have been rejected.



Routing Security

AS-path filters can help you prevent leaks and other routing issues.

In most cases, you should not accept routes from your peers that have major ISPs in their paths.
Routing Security

Maximum prefix limits are another tool to help you prevent route leaks into your network. Put them in place.

• Most of your peers specify their suggested prefix limits on peeringdb.com.
• If your own prefix limits are not documented on peeringdb.com, today would be a great day to do that.
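The following Cisco IOS configuration is an added example, not from the slides, that puts the three inbound controls from the preceding slides together for one peer: a prefix filter generated from the peer's IRR AS-SET with bgpq3, an AS-path filter rejecting paths that contain large transit networks, a maximum-prefix limit taken from the peer's PeeringDB entry, and a deny clause for the IX LAN and other prefixes that should never be accepted. The AS numbers (64496 for you, 64497 for the peer, 64510 and 64511 standing in for transit ASNs), the prefixes, the AS-SET name and the prefix limit are all assumed documentation values.

```cisco
! Added example (not from the slides). Our AS 64496, IX peer AS 64497 at 203.0.113.97.
!
! 1. Prefix filter. Generate it from the peer's IRR AS-SET instead of typing it:
!      bgpq3 -4 -A -l AS64497-IN AS64497:AS-ALL
!    (-A aggregates adjacent prefixes, -l names the list). bgpq3 emits lines like the
!    ones below; the prefixes here are constructed for illustration.
no ip prefix-list AS64497-IN
ip prefix-list AS64497-IN seq 5 permit 192.0.2.0/24
ip prefix-list AS64497-IN seq 10 permit 198.51.100.0/23 le 24
! anything not listed is denied implicitly
!
! Prefixes that must never be accepted from any peer: the IX LAN itself, RFC 1918,
! other martians, and anything more specific than a /24. (The RFC 5737 documentation
! ranges belong here too; they are omitted only because this example uses them as
! stand-ins for real address space.)
ip prefix-list NEVER-ACCEPT seq 5 permit 203.0.113.0/24 le 32
ip prefix-list NEVER-ACCEPT seq 10 permit 0.0.0.0/8 le 32
ip prefix-list NEVER-ACCEPT seq 15 permit 10.0.0.0/8 le 32
ip prefix-list NEVER-ACCEPT seq 20 permit 100.64.0.0/10 le 32
ip prefix-list NEVER-ACCEPT seq 25 permit 127.0.0.0/8 le 32
ip prefix-list NEVER-ACCEPT seq 30 permit 169.254.0.0/16 le 32
ip prefix-list NEVER-ACCEPT seq 35 permit 172.16.0.0/12 le 32
ip prefix-list NEVER-ACCEPT seq 40 permit 192.168.0.0/16 le 32
ip prefix-list NEVER-ACCEPT seq 45 permit 224.0.0.0/3 le 32
ip prefix-list NEVER-ACCEPT seq 50 permit 0.0.0.0/0 ge 25
!
! 2. AS-path filter. A peer should never hand you a path through a large transit
!    network; if it does, it is leaking. 64510 and 64511 stand in for the transit
!    ASNs you choose to block.
ip as-path access-list 10 deny _64510_
ip as-path access-list 10 deny _64511_
ip as-path access-list 10 permit .*
!
route-map AS64497-IN deny 5
 match ip address prefix-list NEVER-ACCEPT
route-map AS64497-IN permit 10
 ! both match statements must hold: the prefix is registered AND the path is clean
 match ip address prefix-list AS64497-IN
 match as-path 10
!
router bgp 64496
 neighbor 203.0.113.97 remote-as 64497
 neighbor 203.0.113.97 description IX peer AS64497, limit from peeringdb.com
 address-family ipv4 unicast
  neighbor 203.0.113.97 activate
  neighbor 203.0.113.97 route-map AS64497-IN in
  ! 3. Maximum-prefix: warn at 90% of 500, tear the session down above 500,
  !    and try to re-establish it after 30 minutes.
  neighbor 203.0.113.97 maximum-prefix 500 90 restart 30
```

Repeat the same structure with `bgpq3 -6` and an `ipv6 prefix-list` for the IPv6 session, and regenerate the prefix lists on a schedule so that they track the peer's IRR changes.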



Routing Security

The next task is to secure the routes you announce.

• Leaks are easy to prevent. Create prefix lists or use communities to manage your advertisements.
• A best practice is to announce only directly learned routes to your peers, never routes learned from transit providers or other peers.
• Be sure you are advertising routes with valid IRR records. If you don't know, bgp.he.net is a quick and easy way to check.

Routing Security

Appearances matter. Check your route announcements.

• Do not advertise prefixes more specific than a /24.
• Do not advertise bogons.
• Do not leak your private (RFC 1918) IP space.
• Advertise all of the IP space you are allocated, even if you don't currently use it.


Routing Security

Your peering connection is a target for DDoS attacks.

• Set your blackhole communities up in advance.
• Applying the best security practices will help keep your network online during attacks.
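An added Cisco IOS example, not from the slides, for the announce side covered by the last three slides: the outbound prefix list is generated from your own AS-SET so that you announce exactly what the IRR says you may, routes only leave if they carry an export community set at origin or on customer sessions, and a /32 blackhole for a host under attack is let through only when it carries the blackhole community. Our AS 64496, the peer AS 64497, the community values, the AS-SET name and the prefixes are assumed documentation values; check which blackhole community your peer or IX actually honors.

```cisco
! Added example (not from the slides). Our AS 64496, IX peer AS 64497 at 203.0.113.97.
ip bgp-community new-format
!
! What we may announce: our own and our customers' registered space, generated with
!   bgpq3 -4 -A -l OUR-SPACE-OUT AS64496:AS-CUSTOMERS
! (constructed output below). Exact /24 entries mean a /25 is never announced.
no ip prefix-list OUR-SPACE-OUT
ip prefix-list OUR-SPACE-OUT seq 5 permit 198.51.100.0/24
!
! Host routes inside our own space, used only for blackholing.
ip prefix-list OUR-HOSTS seq 5 permit 198.51.100.0/24 ge 32
!
! Communities (assumed values): 64496:100 marks routes learned directly (our own or from
! customers) and eligible for export to peers; 65535:666 is the RFC 7999 BLACKHOLE community.
ip community-list standard EXPORT-TO-PEERS permit 64496:100
ip community-list standard BLACKHOLE permit 65535:666
!
! Originate our aggregate with the export community, backed by a null route so that
! all of our allocated space is always announced, used or not.
ip route 198.51.100.0 255.255.255.0 Null0 250
route-map TAG-OWN permit 10
 set community 64496:100
!
! Originate a blackhole: a static to Null0 whose tag the redistribute route-map turns
! into the BLACKHOLE community. 198.51.100.77 is the host under attack (constructed).
ip route 198.51.100.77 255.255.255.255 Null0 tag 666
route-map STATIC-TO-BGP permit 10
 match tag 666
 set community 65535:666 64496:100
!
route-map AS64497-OUT permit 10
 ! blackholes: only /32s from our own space, only when tagged; add the peer's own
 ! blackhole community (64497:666 assumed) in case it does not act on 65535:666
 match ip address prefix-list OUR-HOSTS
 match community BLACKHOLE
 set community 64497:666 additive
route-map AS64497-OUT permit 20
 ! normal announcements: registered space AND marked as directly learned.
 ! Transit routes, other peers' routes, RFC 1918 and bogons match neither clause and stay home.
 match ip address prefix-list OUR-SPACE-OUT
 match community EXPORT-TO-PEERS
!
router bgp 64496
 address-family ipv4 unicast
  network 198.51.100.0 mask 255.255.255.0 route-map TAG-OWN
  redistribute static route-map STATIC-TO-BGP
  neighbor 203.0.113.97 send-community
  neighbor 203.0.113.97 route-map AS64497-OUT out
```

Because clause 10 matches on both the host prefix list and the BLACKHOLE community, an untagged /32 (a leak from an internal static, for instance) matches neither clause and is never announced; removing the tagged null route withdraws the blackhole once the attack ends.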



Routing Security

Validate that your routes are being advertised to your peers as expected.

• Looking glasses and route servers can give you visibility.
• Contact peers when you think there may be an issue.
• For Hurricane Electric peers, routing.he.net will show you if your prefixes are being denied, and why.



In the Wild

http://routing.he.net

Routing Security
susan$ whois -h whois.radb.net 66.235.200.0/24
route: 66.235.200.0/24
descr: CMI (Customer Route)
origin: AS38082
mnt-by: MAINT-AS58453
changed: qas_support@cmi.chinamobile.com 20180906
source: RADB

route: 66.235.200.0/24
descr: CMI IP Transit
origin: AS38082
admin-c: MAINT-CMI-INT-HK
tech-c: MAINT-CMI-INT-HK
mnt-by: MAINT-CMI-INT-HK
changed: qas_support@cmi.chinamobile.com 20180906
source: NTTCOM
Hurricane Electric Route Filtering Algorithm

• Read more here: http://routing.he.net/algorithm.html

Example output:
xx.7.224.0/24,rejected,does not strictly match IRR policy or RIR handles
xx.10.254.0/23,accepted,strictly matched IRR policy
xx.17.248.0/24,accepted,strictly matched IRR policy
xx.26.36.0/22,rejected,does not strictly match IRR policy or RIR handles
xx.26.39.0/24,rejected,does not strictly match IRR policy or RIR handles


Routing Security

Only you can ensure that route registries correctly reflect your network.

• Please check your IRR records and correct anything that is not valid.
• If you peer with Hurricane Electric, check your routing here: http://routing.he.net/


Best Practices

External monitors can help you detect leaks or hijacks. They watch how your prefixes are routed and let you know if paths change in a way you were not expecting.

An example of a free one is bgpmon.net. You can get monitoring and notification of errors for up to five prefixes per month at no charge.


Basics - Routing Security



Best Practices

Other good security habits that your network can adopt are found in MANRS:

• Coordination
• Global validation, in terms of IRR records and RPKI
• Anti-spoofing
• Get it from the source: https://www.manrs.org

Best Practices

Lastly, protect what you have worked so hard to achieve.

• Put processes in place to ensure that all of your deployments are secure.
• Guard against social engineering.
Thanks!

Susan Forney
Hurricane Electric AS6939
susan@he.net
Resources and Acknowledgements

Links to resources used in this presentation or as source material:

• https://www.seattleix.net/faq
• https://blogs.cisco.com/security/router_spring_cleaning_-_no_mop_required
• https://twitter.com/bgpstream/status/1078584924364595202?lang=en
• https://bgp.he.net
• https://github.com/snar/bgpq3
• https://bgpmon.net/
• https://www.manrs.org
• DYN

Thanks to Tom Paseka of Cloudflare.