Life in the Control Plane: Mitigating BGP Security Risks

Packet Design’s use by many of the world’s largest service providers and network operators gives us the opportunity to see how they operate. We get to witness the sort of issues they deal with during their everyday operations. We thought we would share some of these stories periodically through Life in the Control Plane blog series. After all, life in the control plane is never dull!

The following use case, shared by our sales engineering team, is about a network provider whose very large financial services customers demanded 100% uptime and bulletproof network security. In particular, they were concerned about risks from BGP route leaks and the potential for malicious attacks.

Mitigating BGP Security Risks for a European Mobile Operator

One of Europe’s largest mobile network operators owns multiple AS’s and each has operating units that cater to different customers. The operator was concerned about BGP security, since any site could announce a prefix belonging to another and divert customer traffic to the wrong site.

This type of incident can be the result of unintentional configuration errors that lead to route leaks. It could also be triggered by malicious DoS or man in the middle attacks via BGP route hijacking. The security issues concerning BGP are well known and cannot be fixed, and thus the operator had to consider workarounds. Route hijacking or unintentional leaks both can result in serious consequences such as SLA penalties, damage to reputation, or even loss of business.

The operator did use route filters, but considering the huge number of IP blocks they had and the updates they dealt with every day, there was a high risk of error and shutting out their own customers. Remember, we are talking about a network operator covering all of Europe. The operator also considered other solutions such as digitally signing route updates, or using only a set of known routes, both of which were eliminated because they were not scalable. During a BGP hijack, they also could not check their own BGP router’s routing table. This is because, to avoid routing loops, BGP would not add routes set with the local AS in the AS_Path attribute back to that same router.

The network operator required a solution that could alert them in real time to possible BGP security incidents without adding network overhead. They implemented Packet Design Route Explorer. Its BGP baselining capability keeps track of the normal/expected BGP routes and alerts the operator immediately when a route goes missing or a new route appears. This baselining is done for all the BGP border routers. Thus, when an AS announces a new prefix, the operator is alerted and can verify if the prefix change is genuine or a possible attack.

With Route Explorer in place to monitor IGP as well as BGP, the operator is able to quickly respond to route hijacks, leaks and various BGP issues, helping solve routing issues even before their customers start complaining. The service provider also uses route analytics to make informed decisions about optimizing their routing and peering.

Stay tuned for other use cases. Meanwhile, please tell us about your own network challenges and troubles.