Deploy360 25 February 2015

Introducing RFC 7454: BGP Operations and Security

By Chris Grundemann, Guest Author

Today I’m re-reading an IETF RFC that was published just this month. RFC 7454 is titled “BGP Operations and Security” and that’s exactly what it’s about. The document’s abstract does a great job of summarizing the content:

This document describes measures to protect the BGP sessions itself such as Time to Live (TTL), the TCP Authentication Option (TCP-AO), and control-plane filtering. It also describes measures to better control the flow of routing information, using prefix filtering and automation of prefix filters, max-prefix filtering, Autonomous System (AS) path filtering, route flap dampening, and BGP community scrubbing.

We often get excited about shiny new technologies or protocols. Sometimes it’s better to be well grounded in the fundamentals. This RFC is one great example of that.

As you’ve probably heard, the IETF’s Secure InterDomain Routing (SIDR) working group is engaged in increasing the security of BGP. Specifically, the group is focused on ensuring proper route origination through the development of a Resource Public Key Infrastructure (RPKI) and on ensuring AS path validity through the development of the BGPSEC protocol. These newer efforts to secure BGP, and with it the core of the Internet, are absolutely laudable, and much good will come from them. But there are some other, perhaps simpler, perhaps older techniques to secure BGP that are too often overlooked by network operators today. Things like prefix filters, max-prefix limits, and setting a TTL with your peer. Things exactly like what’s covered in RFC 7454.

If you haven’t yet taken the time, I highly recommend that you give RFC 7454 a read. Once you have, we could use your help spreading this knowledge.

Securing BGP

As I mentioned when I first wrote about this document, there are several ways that you can help us secure the core of the Internet:

1. Read through our pages and content roadmap – Please take a look through our “Securing BGP” set of pages, and also please take a look at our content roadmap for BGP.  Are the current resources listed helpful?  Is the way we have structured the information helpful?  Will the resources we list on our roadmap help you make your routers more secure?

2. Send us suggestions – If you know of a report, whitepaper, tutorial, video, case study, site or other resource we should consider adding to the site, please let us know. We have a list of many resources that we are considering, but we are always looking for more.

3. Volunteer – If you are very interested in this topic and would like to actively help us on an ongoing basis, please fill out our volunteer form and we’ll get you connected to what we are doing.

4. Help us spread the word – As we publish resources and blog posts relating to securing BGP, please help us spread those links through social networks so that more people can learn about the topic.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
