North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

2006.06.05 NANOG-NOTES Pretty Good BGP Josh Karlin

  • From: Matthew Petach
  • Date: Tue Jun 06 05:49:41 2006
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta;; h=received:message-id:date:from:sender:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition:x-google-sender-auth; b=daNpr173yTXRqExW3NE2NwRVhcUAujy8MOPde0oM/M4jznZ5iI45GyCwlQ8jeuurg9iaLbowSrxZyHTQV2+d07L/7wGYsj48zleG9eDTmDCPmyJrib5Qt0LvWDluzd0GAko78P1BBqhQI1CvqB1a3vP4AO2dUASpHjZr1dySEh4=

2006.06.05 Pretty Good BGP
Josh Karlin, Stephanie Forrest, Jennifer Rexford
slides are at:

Main idea: delay suspicious routes
lower the preference of suspicious routes for 24 hrs
network has a chance to stop the attack before it
accidental short-term routes do no harm
no loss of reachability

monitor BGP update messages
treat origin AS for prefix seen in past few days as normal
new origin AS treated with suspicion for 24 hours.
treat new sub-prefixes as suspicious for 24 hours.
suspicious prefixes given low localpref, not used or
suspicious sub-prefixes are temporarily ignored

Example prefix hijack (without PGBGP)
same specificity

Example sub-prefix hijack (without PGBGP)
two /9's cut from a /8

In these examples, AS 5 acted in its own self interest,
but it helped protect the rest of the net beyond it.

Simulations of two deployment strategies
Random, and core+random.
Random, with 0 deployed, half the network will
be affected, better solution as higher fraction
of ASes deploying it.
If core of network deploys
(core ASes have at least 15 peer-to-peer links)
only 62 out of the 20,000 ASes.
All but 2% of network protected with that.

Sub-prefix hijack suppression a bit tougher,
but still good results as core implements it.

hijacks in the wild
1997, AS 7007 sub-prefix hijacked most of the internet
for over 2 hours
Dec 2005 26-95 hijackings during month
jan 2006, panix's /16 stolen by conEd
Feb 26, 2006, sprint and verio carried TTNET
as origin AS for 4/8, 8/8, and 12/8

IAR: internet alert registry
IAR verifies hijack attempts
a near realtime database of suspicious routes
email alerts are sent to those who opt-in for
the ASes they choose to recieve alerts for
 operators recieve alerts only when their AS has
 caused the hijack or is the victim
Tier1 ASs receive one hijack alert per day typically
working prototype

Solutions with guarantees (and lots of overhead)
Anomaly dectors
MOAS lists
Geographic based
Good Practice
proper route filters

Route filters protect the internet from you and
your customers, not vice versa.

Why pretty good BGP?
maintains autonomy
incrementally deployable
no flag day
no change to the BGP protocol
Effective with a small deployment
only requires a software upgrade or change in config
Most important, requires minimum operator intervention

Q: (someone)? from UCLA--if you delay the route for
24 hours, if the original AS withdraws it, what happens?
A: you'll still end up using the new route, as it just
has a lower localpref, so moves will still work.

Q: Danny McPherson -- what if origin AS is spoofed
to match the origin AS by the hijacker--does this
stop it?
A: No, that's a man-in-the-middle, or at
least it looks like it, and this can't handle
that, so it's only pretty good; that would be
a later phase.
Q: He also notes if your prefix is hijacked,
your email alert is likely to get jacked
as well.
A: True--subscribe from multiple prefixes/domains
to be safe!

Q: Phil Rosenthal, ISPrime.  What happens when a
small ISP in south america leaks the internet
to an upstream that doesn't filter them?
A: Yes, those leaks suck up a lot of memory; this
doesn't help because the origin AS is still
correct, but the intervening paths are bogus.
If the route for a sub-prefix is seen with the
origin AS along the path, not seen as a hijack.

Q: Jared Mauch, NTT america; follow-on point, you
just have a strange AS along the path, but the
rest of the origin is correct.
A: No, they don't look at the whole path yet;
maybe in the future

Q: Sandy Murphy, Sparta--thinking of statement at
the end, it handles backup routes ok.
it works best where operational changes of the
origin happen at a human-paced interval.
There are some prefixes which seem to oscillate
at a much more rapid pace.  What about studying
prefix behaviour over a longer period of time?
Is it locked into 24 hours, or can be adjusted
to match better frequency?
A: Not locked at 24 hours, could be adjusted to
different 'sensitivity' as needed.

Q: Randy Bush, IIJ: The internet is not static, those
things which relay on viewing it as static like
route flap dampening can bite us.  We need to enable
more and more dynamic behaviour, not less, and Randy
thinks this is going the wrong direction.
A: That's nice, but presenter disagrees and thinks this
is a helpful step in the right direction.