2006.06.05 NANOG-NOTES Pretty Good BGP Josh Karlin

Matthew Petach mpetach at netflight.com
Tue Jun 6 09:47:39 UTC 2006


2006.06.05 Pretty Good BGP
Josh Karlin, Stephanie Forrest, Jennifer Rexford
slides are at:
http://www.nanog.org/mtg-0606/pdf/josh-karlin.pdf

Main idea: delay suspicious routes
 lower the preference of suspicious routes for 24 hrs
Benefits:
 network has a chance to stop the attack before it
  spreads
 accidental short-term routes do no harm
 no loss of reachability
 adaptive
 simple

Algorithm
Detection:
 monitor BGP update messages
 treat an origin AS seen for a prefix in the past few days as normal
 a new origin AS for a known prefix is treated with suspicion for 24 hours
 new sub-prefixes are treated as suspicious for 24 hours
Response:
 suspicious prefixes given low localpref, not used or
  propagated
 suspicious sub-prefixes are temporarily ignored


Example prefix hijack (without PGBGP)
same specificity

Example sub-prefix hijack (without PGBGP)
two /9's cut from a /8

In these examples, AS 5 acted in its own self-interest,
but it helped protect the rest of the net beyond it.

Simulations of two deployment strategies
Random, and core+random.
Random: with 0 deployed, half the network will
be affected; the result improves as a higher fraction
of ASes deploy it.
If the core of the network deploys it
(core ASes have at least 15 peer-to-peer links),
that's only 62 out of the 20,000 ASes,
and all but 2% of the network is protected.

Sub-prefix hijack suppression a bit tougher,
but still good results as core implements it.

hijacks in the wild
1997: AS 7007 sub-prefix hijacked most of the internet
 for over 2 hours
Dec 2005: 26-95 hijackings during the month
Jan 2006: Panix's /16 stolen by ConEd
Feb 26, 2006: Sprint and Verio carried TTNET
 as origin AS for 4/8, 8/8, and 12/8

IAR: internet alert registry
IAR verifies hijack attempts
 a near realtime database of suspicious routes
 email alerts are sent to those who opt in for
 the ASes they choose to receive alerts for
  operators receive alerts only when their AS has
  caused the hijack or is the victim
Tier 1 ASes typically receive one hijack alert per day
working prototype

Solutions with guarantees (and lots of overhead)
 sBGP
 soBGP
 psBGP
Anomaly detectors
 Whisper
 MOAS lists
 Geographic based
Good Practice
 proper route filters

Route filters protect the internet from you and
 your customers, not vice versa.

Why pretty good BGP?
maintains autonomy
incrementally deployable
 no flag day
 no change to the BGP protocol
 Effective with a small deployment
 only requires a software upgrade or change in config generation.
Most important, requires minimum operator intervention

http://cs.unm.edu/~karlinjf/pgbgp/

Q: (someone)? from UCLA--if you delay the route for
24 hours and the original AS withdraws its route, what happens?
A: you'll still end up using the new route, as it just
has a lower localpref, so moves will still work.

Q: Danny McPherson -- what if origin AS is spoofed
to match the origin AS by the hijacker--does this
stop it?
A: No, that's a man-in-the-middle, or at
least it looks like it, and this can't handle
that, so it's only pretty good; that would be
a later phase.
Q: He also notes that if your prefix is hijacked,
your email alert is likely to get jacked
as well.
A: True--subscribe from multiple prefixes/domains
to be safe!

Q: Phil Rosenthal, ISPrime.  What happens when a
small ISP in south america leaks the internet
to an upstream that doesn't filter them?
A: Yes, those leaks suck up a lot of memory; this
doesn't help because the origin AS is still
correct, but the intervening paths are bogus.
If the route for a sub-prefix is seen with the
origin AS along the path, not seen as a hijack.

Q: Jared Mauch, NTT America; follow-on point: you
just have a strange AS along the path, but the
origin is still correct.
A: No, they don't look at the whole path yet;
maybe in the future

Q: Sandy Murphy, Sparta--thinking of the statement at
the end that it handles backup routes OK:
it works best where operational changes of the
origin happen at a human-paced interval.
There are some prefixes which seem to oscillate
at a much more rapid pace.  What about studying
prefix behaviour over a longer period of time?
Is it locked into 24 hours, or can be adjusted
to match better frequency?
A: Not locked at 24 hours, could be adjusted to
different 'sensitivity' as needed.

Q: Randy Bush, IIJ: The internet is not static; those
things which rely on viewing it as static, like
route flap dampening, can bite us.  We need to enable
more and more dynamic behaviour, not less, and Randy
thinks this is going the wrong direction.
A: That's nice, but the presenter disagrees and thinks this
is a helpful step in the right direction.
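The detection and response rules from the Algorithm section above, together with the cases raised in the Q&A (the normal route being withdrawn while the suspicious one is still present, a hijacker that keeps the real origin AS at the end of the path, a sub-prefix whose path carries the covering prefix's origin, and an adjustable suspicion window), as a small Python model. This is an added example, not the authors' PGBGP code or the IAR; the prefixes, AS numbers, peer names, localpref values, the three-day history window, and the choice to accept a wholly new prefix that no known prefix covers are all assumptions made for the example.

```python
"""Toy model of the PGBGP rules in the notes (not the authors' code).  Prefixes, AS numbers,
peer names, localpref values and the 3-day history window are all constructed."""
import ipaddress
from typing import NamedTuple

HOUR, DAY = 3600, 86400
NORMAL_LOCALPREF, SUSPICIOUS_LOCALPREF = 100, 1   # "low localpref": assumed value


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    as_path: tuple            # leftmost = neighbour that sent it, rightmost = origin AS
    peer: str                 # BGP session the update arrived on

    @property
    def origin(self):
        return self.as_path[-1]


class PGBGP:
    def __init__(self, history_window=3 * DAY, suspicion_window=DAY):
        self.history_window = history_window      # "seen in the past few days" (assumed 3)
        self.suspicion_window = suspicion_window  # "24 hours" in the talk, adjustable
        self.last_normal = {}   # (prefix, origin AS) -> last time it was accepted as normal
        self.quarantine = {}    # (prefix, origin AS) -> (verdict, expiry time)
        self.rib = {}           # prefix -> {peer: (Route, localpref)}

    def _known_origins(self, prefix, now):
        return {o for (p, o), t in self.last_normal.items()
                if p == prefix and now - t <= self.history_window}

    def _covering_prefix(self, prefix, now):   # most specific known prefix containing it
        cands = [p for (p, _), t in self.last_normal.items()
                 if p != prefix and prefix.subnet_of(p) and now - t <= self.history_window]
        return max(cands, key=lambda p: p.prefixlen) if cands else None

    def classify(self, route, now):
        """Return 'normal', 'suspicious_origin' or 'suspicious_subprefix'."""
        key = (route.prefix, route.origin)
        if route.origin in self._known_origins(route.prefix, now):
            return "normal"                      # origin seen for this prefix recently
        if key in self.quarantine:               # inside the window: keep the verdict;
            kind, expiry = self.quarantine[key]  # past it: nobody stopped it, so it graduates
            return kind if now < expiry else "normal"
        if self._known_origins(route.prefix, now):
            kind = "suspicious_origin"           # known prefix, new origin AS
        else:
            covering = self._covering_prefix(route.prefix, now)
            if covering is None:
                return "normal"                  # nothing to compare against (assumption)
            if any(o in route.as_path for o in self._known_origins(covering, now)):
                return "normal"                  # covering prefix's origin is on the path
            kind = "suspicious_subprefix"
        self.quarantine[key] = (kind, now + self.suspicion_window)
        return kind

    def update(self, route, now):
        kind = self.classify(route, now)
        if kind == "suspicious_subprefix":
            return kind                          # temporarily ignored: never installed
        if kind == "normal":
            self.last_normal[(route.prefix, route.origin)] = now
            self.quarantine.pop((route.prefix, route.origin), None)
        localpref = NORMAL_LOCALPREF if kind == "normal" else SUSPICIOUS_LOCALPREF
        self.rib.setdefault(route.prefix, {})[route.peer] = (route, localpref)
        return kind

    def withdraw(self, prefix, peer):
        self.rib.get(prefix, {}).pop(peer, None)

    def best(self, prefix):   # highest localpref, then shortest AS path (abridged BGP)
        cands = list(self.rib.get(prefix, {}).values())
        return max(cands, key=lambda rl: (rl[1], -len(rl[0].as_path)))[0] if cands else None

    def lookup(self, address):   # longest-prefix match over installed routes
        addr = ipaddress.ip_address(address)
        hits = [p for p in self.rib if addr in p and self.best(p) is not None]
        return self.best(max(hits, key=lambda p: p.prefixlen)) if hits else None


def run_scenario(suspicion_window=DAY):
    """Replay the talk's two hijack examples and the Q&A cases; return each step's result."""
    pg, net, out = PGBGP(suspicion_window=suspicion_window), ipaddress.ip_network, {}
    T1 = 2 * DAY
    out["legit"] = pg.update(Route(net("10.0.0.0/8"), (2, 5), "p1"), 0)   # 1. AS 5 originates
    # 2. Same-specificity hijack: AS 666 originates the /8 two days later; AS 5 stays best.
    out["hijack_same_prefix"] = pg.update(Route(net("10.0.0.0/8"), (3, 666), "p2"), T1)
    out["best_after_hijack"] = pg.best(net("10.0.0.0/8")).origin
    # 3. Sub-prefix hijack, "two /9's cut from a /8": ignored, traffic keeps following the /8.
    out["hijack_subprefix"] = [pg.update(Route(net(p), (3, 666), "p2"), T1 + HOUR)
                               for p in ("10.0.0.0/9", "10.128.0.0/9")]
    out["lookup_during_subprefix_hijack"] = pg.lookup("10.1.2.3").origin
    # 4. Customer AS 7 announces a /10 through AS 5: the /8's origin is on the path, not flagged.
    out["customer_via_origin"] = pg.update(Route(net("10.192.0.0/10"), (2, 5, 7), "p1"), T1 + HOUR)
    # 5. UCLA question: normal route withdrawn, the low-localpref route takes over.
    pg.withdraw(net("10.0.0.0/8"), "p1")
    out["best_after_withdraw"] = pg.best(net("10.0.0.0/8")).origin
    # 6. McPherson question: hijacker keeps the real origin at the end of the path: not caught.
    out["spoofed_origin"] = pg.update(Route(net("10.0.0.0/8"), (3, 666, 5), "p3"), T1 + 3 * HOUR)
    # 7. The same hijack still present after the window expires graduates to normal.
    out["after_window"] = pg.update(Route(net("10.0.0.0/8"), (3, 666), "p2"), T1 + suspicion_window + HOUR)
    return out
```

With the default 24-hour window, run_scenario() keeps the same-specificity hijack at the low localpref (AS 5 remains best until its route is withdrawn, after which the suspicious route carries traffic rather than blackholing it) and never installs the two /9s, so lookups keep following the /8. Passing a shorter suspicion_window only moves the point at which a persistent route graduates into the history, which is the sensitivity knob Sandy Murphy asked about. The spoofed-origin case comes back "normal", matching the answer to Danny McPherson: only the origin AS and, for sub-prefixes, the presence of the covering prefix's origin on the path are examined, never the rest of the path.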


