7 STEPS TO SHORE UP BGP
BORDER GATEWAY PROTOCOL
Chapter 1
BGP has serious security vulnerabilities
• No authentication or protection of integrity of messages
• No verification of the authority to announce routes
• This allows internet traffic hijacking
BGP hijacks continue to happen
• January 2019 hijack of prefixes of the US energy regulator, by China Telecom
• November 2018 hijack of US domestic internet traffic, via Russia, into China
• April 2018 hijack of Amazon EC2 traffic to steal Ethereum bitcoins
• December 2017 hijack of internet traffic to US websites, into Russia
BGP SECURITY
Survey across the EU telecom sector
64 responses from experts working at providers
ENISA BGP SECURITY SURVEY
In your experience, what is the impact of BGP incidents?
[Chart: response categories major impact, medium impact, small impact; shares shown 45%, 30%, 25%]
BASIC, EFFICIENT, EFFECTIVE MEASURES
1. BGP Monitoring and routing anomaly detection
2. BGP coordination:
• Describe and publish your policy using RPSL
• Partake in registers like PeeringDB
3. Prefix filtering
4. BGP AS Path filtering
5. Bogon filtering
6. TTL Security (GTSM)
7. RPKI
RECOMMENDATIONS: 7 STEPS
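An added example, not part of the ENISA slides: a sketch of how steps 5 (bogon filtering) and 7 (RPKI) combine into one import decision, with RPKI origin validation following the valid / invalid / notfound states of RFC 6811. The bogon list, the ROAs, the AS numbers and the function names are constructed for illustration.

```python
import ipaddress

# Constructed bogon list: a few special-purpose IPv4 blocks that must
# never be accepted from a peer.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed ROAs: (prefix, max length, authorised origin AS).
ROAS = [
    (ipaddress.ip_network("198.51.100.0/24"), 24, 64500),
    (ipaddress.ip_network("203.0.113.0/24"), 24, 64501),
]

def is_bogon(prefix):
    """True if the announced prefix lies inside a bogon block."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(b) for b in BOGONS)

def rov_state(prefix, origin_as):
    """RFC 6811 route origin validation: 'valid', 'invalid' or 'notfound'."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa_net, max_len, roa_as in ROAS:
        if net.subnet_of(roa_net):          # a ROA covers this route
            covered = True
            if net.prefixlen <= max_len and origin_as == roa_as:
                return "valid"
    # Covered but no ROA matched: wrong origin or too specific a prefix.
    return "invalid" if covered else "notfound"

def import_decision(prefix, as_path):
    """Bogon filter first, then drop RPKI-invalid routes."""
    if is_bogon(prefix):
        return "reject: bogon"
    state = rov_state(prefix, as_path[-1])  # origin AS is last in the path
    if state == "invalid":
        return "reject: rpki-invalid"
    return f"accept: rpki-{state}"

# Constructed announcements: (prefix, AS path as received from the peer).
ANNOUNCEMENTS = [
    ("198.51.100.0/24", [64510, 64500]),    # matches its ROA
    ("198.51.100.0/24", [64510, 64666]),    # wrong origin AS
    ("198.51.100.128/25", [64510, 64500]),  # more specific than max length
    ("10.1.0.0/16", [64510, 64502]),        # private address space
    ("192.0.2.0/24", [64510, 64502]),       # no covering ROA
]

if __name__ == "__main__":
    for prefix, path in ANNOUNCEMENTS:
        print(f"{prefix:20} {path} -> {import_decision(prefix, path)}")
```

The third announcement shows why the max length in a ROA matters: the origin AS is the authorised one, but the more specific /25 is still rejected.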
BGP CHECKLIST FOR NRAS
CHECKLIST
General Information
Provider name | Hint: company name
Contact point | Hint: contact name, email for further questions on this
AS | Hint: Yes, please specify the AS number, or N/A if no AS; in that case skip the rest of this form
BGP Security measure | Implementation status | Explanation
1. BGP Monitoring & Routing Anomaly Detection | Hint: Yes, No, Partially | Hint: please explain - in case you do not implement, or only partially, which parts, why not, if you plan to implement.
2. BGP Coordination | Hint: Yes, No, Partially | Hint: please explain - in case you do not implement, or only partially, which parts, why not, if you plan to implement.
3. Prefix Filtering | Hint: Yes, No, Partially | Hint: please explain - in case you do not implement, or only partially, which parts, why not, if you plan to implement.
4. BGP AS Path Filtering | Hint: Yes, No, Partially | Hint: please explain - in case you do not implement, or only partially, which parts, why not, if you plan to implement.
5. Bogon Filtering | Hint: Yes, No, Partially | Hint: please explain - in case you do not implement, or only partially, which parts, why not, if you plan to implement.
6. TTL Security (GTSM) | Hint: Yes, No, Partially | Hint: please explain - in case you do not implement, or only partially, which parts, why not, if you plan to implement.
7. RPKI | Hint: Yes, No, Partially | Hint: please explain - in case you do not implement, or only partially, which parts, why not, if you plan to implement.
Annual telecom security incidents report 2018
• https://www.enisa.europa.eu/topics/incident-reporting/for-telcos/visual-tool
• Already contains data for 2018
SS7 cheatsheet
Preparing for the EECC
• New providers, new landscape, new threats, new industry practices
• How does security supervision work?
Power outages and telecoms
ENISA mailing lists for the sector (providers and infra)
ENISA TELECOM SECURITY WORK IN 2019
CONTACT US
+30 28 14 40 9711
www.enisa.europe.eu