SlideShare a Scribd company logo

Secure BGP and Operational Report of Bangladesh

Bangladesh Network Operators Group
Bangladesh Network Operators Group

Secure BGP and Operational Report of Bangladesh

Internet
1 of 16
Download to read offline
www.internetsociety.org Secure BGP and Operational Report of Bangladesh ION Bangladesh and bdNOG 5 Md. Jahangir Hossain Vice Chair, ISOC Bangladesh Chapter EC member, bdNOG
The Internet Society Key Areas  Prefix Filtering  Next-Hop Filtering  BGP TTL security (GTSM)  AS-path filtering  BGP community scrubbing  BGP route flap dampening  Control Plan Protection  Remotely-Triggered Black Hole (RTBH)  Go with ROA in Resource Public Key Infrastructure (RPKI)  RPKI development status in Bangladesh
The Internet Society Prefix Filtering  Filters with customers  Filters with Internet peers  Filters with upstream providers  Bogon prefix ---defined as Martians
The Internet Society Next-Hop Filtering = If we peering on a shared network, like an IXP, BGP can advertise prefixes with a 3rd-party next-hop, thus directing packets not to the peer announcing the prefix but somewhere else. = In direct peerings between ISPs, this is undesirable, as one of the peers could trick the other one to send packets into a black hole (unreachable next-hop) or to an unsuspecting 3rd party who would then have to carry the traffic. = Especially for black-holing, the root cause of the problem is hard to see without inspecting BGP prefixes at the receiving router at the IXP. Therefore, an inbound route policy SHOULD be applied on IXP peerings in order to set the next-hop for accepted prefixes to the BGP peer IP address (belonging to the IXP LAN) that sent the prefix (which is what "next-hop-self" would enforce on the sending side).
The Internet Society BGP TTL security (GTSM) = BGP sessions can be made harder to spoof with the Generalized TTL Security Mechanisms (GTSM, aka TTL security), defined in . Instead of sending TCP packets with TTL value of 1, the BGP speakers send the TCP packets with TTL value of 255 and the receiver checks that the TTL value equals 255. = Since it's impossible to send an IP packet with TTL of 255 to a non-directly- connected IP host, BGP TTL security effectively prevents all spoofing attacks coming from third parties not directly connected to the same subnet as the BGP speaking routers. = Network administrators SHOULD implement TTL security on directly connected BGP peerings. = GTSM could also be applied to multi-hop BGP peering as well.
The Internet Society AS-path filtering = Network administrators SHOULD NOT advertise prefixes with non- empty AS- path unless they intend to be transit for these prefixes. = Network administrators SHOULD NOT accept prefixes with private AS numbers in the AS-path except from customers. Exception: an upstream offering some particular service like black-hole origination based on a private AS number. = Customers should be informed by their upstream in order to put in place ad-hoc policy to use such services. = Network administrators SHOULD NOT accept prefixes when the first AS number in the AS-path is not the one of the peer unless the peering is done toward a BGP route-server (for example on an IXP) with transparent AS path handling. In that case this verification needs to be de-activated as the first AS number will be the one of an IXP member whereas the peer AS number will be the one of the BGP route-server.
The Internet Society BGP community scrubbing = Network administrators SHOULD scrub inbound communities with their number in the high-order bits, and allow only those communities that customers/peers can use as a signaling mechanism. = Networks administrators SHOULD NOT remove other communities applied on received routes (communities not removed after application of previous statement). In particular they SHOULD keep original communities when they apply a community. Customers might need them to communicate with upstream providers. In particular network administrators SHOULD NOT (generally) remove the no-export community as it is usually announced by their peer for a certain purpose.
The Internet Society BGP route flap dampening = The BGP route flap dampening mechanism makes it possible to give penalties to routes each time they change in the BGP routing table. Initially this mechanism was created to protect the entire Internet from multiple events impacting a single network.  Studies have shown that implementations of BGP route flap dampening could cause more harm than they solve problems and therefore RIPE community has in the past recommended not using BGP route flap dampening .  Studies have then been conducted to propose new route flap dampening thresholds in order to make the solution "usable", see RFC 7196
The Internet Society Protection of the BGP Speaker by Control Panel filtering Help to minimize DDOS attack
The Internet Society Remote Triggered Black Hole (RTBH) Remotely-Triggered Black Hole (RTBH) routing is an interesting application of BGP as a security tool within service provider networks. One common use is mitigation of distributed denial of service (DDoS) attacks. http://tools.ietf.org/html/rfc5635
The Internet Society SIDR - Secure Inter-Domain Routing An infrastructure called SIDR (Secure Inter-Domain Routing),has been designed to secure Internet advertisements. = Origin validation, described in seeks to make sure that attributes associated with routes are correct. = Path validation provided by BGPsec seeks to make sure that no one announces fake/wrong BGP paths that would attract traffic for a given destination. Implementing SIDR mechanisms is expected to solve many of the BGP routing security problems in the long term, but it may take time for deployments to be made and objects to become signed. Also, note that the SIDR infrastructure is complementing (not replacing) the security best practices .
The Internet Society Go with ROA ! A ROA or Route Origin Authorization is an attestation of a BGP route announcement. It attests that the origin AS number is authorized to announce the prefix(es). The attestation can be verified cryptographically using RPKI. • Verify whether an AS is authorized to announce a specific IP prefix • Minimize common routing errors • Prevent most accidental hijacks http://www.apnic.net/roa
The Internet Society ROA Example
The Internet Society RPKI Adoption rate in BD
The Internet Society Special Thanks to BCP: 194 J. Durand ,Cisco Systems, Inc. G. Doering ,SpaceNet https://tools.ietf.org/html/bcp194 Jac Kloots SURFnetJac Kloots ,SURFnet http://rpki.surfnet.nl/index.html Internet Society Deploy360 Programme Team http://www.internetsociety.org/deploy360/securing-bgp/ Fakrul Alam APNIC https://www.apnic.net/
www.internetsociety.org Join us today ! Global membership is FREE http://www.internetsociety.org/deploy360/ http://www.isoc.org.bd/dhaka/

Recommended

Application of local Internet content
Application of local Internet content Application of local Internet content
Application of local Internet content Bangladesh Network Operators Group
 
BDIX BOF
BDIX BOFBDIX BOF
BDIX BOFBangladesh Network Operators Group
 
Community tools to fight against DDoS
Community tools to fight against DDoSCommunity tools to fight against DDoS
Community tools to fight against DDoSFakrul Alam
 
Software Defined Networking: Primer
Software Defined Networking: Primer Software Defined Networking: Primer
Software Defined Networking: Primer Bangladesh Network Operators Group
 
MyIX Updates
MyIX UpdatesMyIX Updates
MyIX UpdatesMyNOG
 
DPI BOX: deep packet inspection for ISP traffic management
DPI BOX: deep packet inspection for ISP traffic managementDPI BOX: deep packet inspection for ISP traffic management
DPI BOX: deep packet inspection for ISP traffic managementIlya Mikov
 
Traffic Insight Using Netflow and Deepfield Systems
Traffic Insight Using Netflow and Deepfield SystemsTraffic Insight Using Netflow and Deepfield Systems
Traffic Insight Using Netflow and Deepfield SystemsMyNOG
 
Social CDN Business : Paid or Free - bdNOG12 Panel Discussion
Social CDN Business : Paid or Free - bdNOG12 Panel DiscussionSocial CDN Business : Paid or Free - bdNOG12 Panel Discussion
Social CDN Business : Paid or Free - bdNOG12 Panel DiscussionBangladesh Network Operators Group
 

Recommended

Application of local Internet content
Application of local Internet content Application of local Internet content
Application of local Internet content Bangladesh Network Operators Group
 
BDIX BOF
BDIX BOFBDIX BOF
BDIX BOFBangladesh Network Operators Group
 
Community tools to fight against DDoS
Community tools to fight against DDoSCommunity tools to fight against DDoS
Community tools to fight against DDoSFakrul Alam
 
Software Defined Networking: Primer
Software Defined Networking: Primer Software Defined Networking: Primer
Software Defined Networking: Primer Bangladesh Network Operators Group
 
MyIX Updates
MyIX UpdatesMyIX Updates
MyIX UpdatesMyNOG
 
DPI BOX: deep packet inspection for ISP traffic management
DPI BOX: deep packet inspection for ISP traffic managementDPI BOX: deep packet inspection for ISP traffic management
DPI BOX: deep packet inspection for ISP traffic managementIlya Mikov
 
Traffic Insight Using Netflow and Deepfield Systems
Traffic Insight Using Netflow and Deepfield SystemsTraffic Insight Using Netflow and Deepfield Systems
Traffic Insight Using Netflow and Deepfield SystemsMyNOG
 
Social CDN Business : Paid or Free - bdNOG12 Panel Discussion
Social CDN Business : Paid or Free - bdNOG12 Panel DiscussionSocial CDN Business : Paid or Free - bdNOG12 Panel Discussion
Social CDN Business : Paid or Free - bdNOG12 Panel DiscussionBangladesh Network Operators Group
 
Deep Packet Inspection technology evolution
Deep Packet Inspection technology evolutionDeep Packet Inspection technology evolution
Deep Packet Inspection technology evolutionDaniel Vinyar
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27APNIC
 
Introduction to sandvine dpi
Introduction to sandvine dpiIntroduction to sandvine dpi
Introduction to sandvine dpiMohammed Abdallah
 
Protocols for IoT
Protocols for IoTProtocols for IoT
Protocols for IoTAravindhan G K
 
IoT Communication Protocols
IoT Communication ProtocolsIoT Communication Protocols
IoT Communication ProtocolsPradeep Kumar TS
 
Next Gen Monitoring with INT
Next Gen Monitoring with INTNext Gen Monitoring with INT
Next Gen Monitoring with INTMyNOG
 
Netflow slides
Netflow slidesNetflow slides
Netflow slidesJose Manuel Vega Monroy
 
Secured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRRSecured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRRBangladesh Network Operators Group
 
Introduction to BRAS
Introduction to BRASIntroduction to BRAS
Introduction to BRASKHNOG
 
BKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSAPNIC
 
Next-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAMNext-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAMOpen Networking Summit
 
Low Sost Secure VPN SSTP - MUM ID 2012
Low Sost Secure VPN SSTP - MUM ID 2012Low Sost Secure VPN SSTP - MUM ID 2012
Low Sost Secure VPN SSTP - MUM ID 2012Faisal Reza
 
Protocols for internet of things
Protocols for internet of thingsProtocols for internet of things
Protocols for internet of thingsCharles Gibbons
 
Introduction to wireless application protocol (wap)ogi
Introduction to wireless application protocol (wap)ogiIntroduction to wireless application protocol (wap)ogi
Introduction to wireless application protocol (wap)ogiSenthil Kanth
 
PLNOG16: Public IX is the tip of the Internet Iceberg. The 9:1 PNI rule, Mart...
PLNOG16: Public IX is the tip of the Internet Iceberg. The 9:1 PNI rule, Mart...PLNOG16: Public IX is the tip of the Internet Iceberg. The 9:1 PNI rule, Mart...
PLNOG16: Public IX is the tip of the Internet Iceberg. The 9:1 PNI rule, Mart...PROIDEA
 
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...SolarWinds
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec APNIC
 
Wireless Application Protocol ppt
Wireless Application Protocol pptWireless Application Protocol ppt
Wireless Application Protocol pptgo2project
 
Network State Awareness & Troubleshooting
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & TroubleshootingAPNIC
 
15.) cloud (opex, capex or hybrid)
15.) cloud (opex, capex or hybrid)15.) cloud (opex, capex or hybrid)
15.) cloud (opex, capex or hybrid)Jeff Green
 
Misused top ASNs
Misused top ASNsMisused top ASNs
Misused top ASNsBangladesh Network Operators Group
 
Local Solution with Global Potential
Local Solution with Global PotentialLocal Solution with Global Potential
Local Solution with Global PotentialBangladesh Network Operators Group
 

More Related Content

What's hot

Deep Packet Inspection technology evolution
Deep Packet Inspection technology evolutionDeep Packet Inspection technology evolution
Deep Packet Inspection technology evolutionDaniel Vinyar
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27APNIC
 
Introduction to sandvine dpi
Introduction to sandvine dpiIntroduction to sandvine dpi
Introduction to sandvine dpiMohammed Abdallah
 
IoT Communication Protocols
IoT Communication ProtocolsIoT Communication Protocols
IoT Communication ProtocolsPradeep Kumar TS
 
Next Gen Monitoring with INT
Next Gen Monitoring with INTNext Gen Monitoring with INT
Next Gen Monitoring with INTMyNOG
 
Introduction to BRAS
Introduction to BRASIntroduction to BRAS
Introduction to BRASKHNOG
 
BKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSAPNIC
 
Next-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAMNext-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAMOpen Networking Summit
 
Low Sost Secure VPN SSTP - MUM ID 2012
Low Sost Secure VPN SSTP - MUM ID 2012Low Sost Secure VPN SSTP - MUM ID 2012
Low Sost Secure VPN SSTP - MUM ID 2012Faisal Reza
 
Protocols for internet of things
Protocols for internet of thingsProtocols for internet of things
Protocols for internet of thingsCharles Gibbons
 
Introduction to wireless application protocol (wap)ogi
Introduction to wireless application protocol (wap)ogiIntroduction to wireless application protocol (wap)ogi
Introduction to wireless application protocol (wap)ogiSenthil Kanth
 
PLNOG16: Public IX is the tip of the Internet Iceberg. The 9:1 PNI rule, Mart...
PLNOG16: Public IX is the tip of the Internet Iceberg. The 9:1 PNI rule, Mart...PLNOG16: Public IX is the tip of the Internet Iceberg. The 9:1 PNI rule, Mart...
PLNOG16: Public IX is the tip of the Internet Iceberg. The 9:1 PNI rule, Mart...PROIDEA
 
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...SolarWinds
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec APNIC
 
Wireless Application Protocol ppt
Wireless Application Protocol pptWireless Application Protocol ppt
Wireless Application Protocol pptgo2project
 
Network State Awareness & Troubleshooting
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & TroubleshootingAPNIC
 
15.) cloud (opex, capex or hybrid)
15.) cloud (opex, capex or hybrid)15.) cloud (opex, capex or hybrid)
15.) cloud (opex, capex or hybrid)Jeff Green
 

What's hot (20)

Deep Packet Inspection technology evolution
Deep Packet Inspection technology evolutionDeep Packet Inspection technology evolution
Deep Packet Inspection technology evolution
 
Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27Community tools to fight against DDoS, SANOG 27
Community tools to fight against DDoS, SANOG 27
 
Introduction to sandvine dpi
Introduction to sandvine dpiIntroduction to sandvine dpi
Introduction to sandvine dpi
 
Protocols for IoT
Protocols for IoTProtocols for IoT
Protocols for IoT
 
IoT Communication Protocols
IoT Communication ProtocolsIoT Communication Protocols
IoT Communication Protocols
 
Next Gen Monitoring with INT
Next Gen Monitoring with INTNext Gen Monitoring with INT
Next Gen Monitoring with INT
 
Netflow slides
Netflow slidesNetflow slides
Netflow slides
 
Secured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRRSecured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRR
 
Introduction to BRAS
Introduction to BRASIntroduction to BRAS
Introduction to BRAS
 
BKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoSBKNIX Peering Forum 2017: Community tools to fight DDoS
BKNIX Peering Forum 2017: Community tools to fight DDoS
 
Next-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAMNext-gen Network Telemetry is Within Your Packets: In-band OAM
Next-gen Network Telemetry is Within Your Packets: In-band OAM
 
Low Sost Secure VPN SSTP - MUM ID 2012
Low Sost Secure VPN SSTP - MUM ID 2012Low Sost Secure VPN SSTP - MUM ID 2012
Low Sost Secure VPN SSTP - MUM ID 2012
 
Protocols for internet of things
Protocols for internet of thingsProtocols for internet of things
Protocols for internet of things
 
Introduction to wireless application protocol (wap)ogi
Introduction to wireless application protocol (wap)ogiIntroduction to wireless application protocol (wap)ogi
Introduction to wireless application protocol (wap)ogi
 
PLNOG16: Public IX is the tip of the Internet Iceberg. The 9:1 PNI rule, Mart...
PLNOG16: Public IX is the tip of the Internet Iceberg. The 9:1 PNI rule, Mart...PLNOG16: Public IX is the tip of the Internet Iceberg. The 9:1 PNI rule, Mart...
PLNOG16: Public IX is the tip of the Internet Iceberg. The 9:1 PNI rule, Mart...
 
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
NetFlow Best Practices - Tips and Tricks to Get the Most Out of Your Network ...
 
DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec DDoS Mitigation using BGP Flowspec
DDoS Mitigation using BGP Flowspec
 
Wireless Application Protocol ppt
Wireless Application Protocol pptWireless Application Protocol ppt
Wireless Application Protocol ppt
 
Network State Awareness & Troubleshooting
Network State Awareness & TroubleshootingNetwork State Awareness & Troubleshooting
Network State Awareness & Troubleshooting
 
15.) cloud (opex, capex or hybrid)
15.) cloud (opex, capex or hybrid)15.) cloud (opex, capex or hybrid)
15.) cloud (opex, capex or hybrid)
 

Viewers also liked

বাংলায় নেটওয়ার্কিং স্বাদ!
বাংলায় নেটওয়ার্কিং স্বাদ!বাংলায় নেটওয়ার্কিং স্বাদ!
বাংলায় নেটওয়ার্কিং স্বাদ!Bangladesh Network Operators Group
 

Viewers also liked (20)

Misused top ASNs
Misused top ASNsMisused top ASNs
Misused top ASNs
 
Local Solution with Global Potential
Local Solution with Global PotentialLocal Solution with Global Potential
Local Solution with Global Potential
 
Responsible Disclosure Program: Why and How
Responsible Disclosure Program: Why and How Responsible Disclosure Program: Why and How
Responsible Disclosure Program: Why and How
 
APNIC Service Improvements 2015
APNIC Service Improvements 2015APNIC Service Improvements 2015
APNIC Service Improvements 2015
 
Case study of Bangladesh IPv6 deployment
Case study of Bangladesh IPv6 deployment Case study of Bangladesh IPv6 deployment
Case study of Bangladesh IPv6 deployment
 
Go with the Flow
Go with the Flow Go with the Flow
Go with the Flow
 
Apnic update
Apnic updateApnic update
Apnic update
 
bdNOG Report
bdNOG ReportbdNOG Report
bdNOG Report
 
VoLTE: New horizon for voice revenue
VoLTE: New horizon for voice revenueVoLTE: New horizon for voice revenue
VoLTE: New horizon for voice revenue
 
RTT matters
RTT mattersRTT matters
RTT matters
 
বাংলায় নেটওয়ার্কিং স্বাদ!
বাংলায় নেটওয়ার্কিং স্বাদ!বাংলায় নেটওয়ার্কিং স্বাদ!
বাংলায় নেটওয়ার্কিং স্বাদ!
 
The Future of SIP in WebRTC
The Future of SIP in WebRTCThe Future of SIP in WebRTC
The Future of SIP in WebRTC
 
ISP status in Bangladesh 2016
ISP status in Bangladesh 2016ISP status in Bangladesh 2016
ISP status in Bangladesh 2016
 
Onboard Automation with EEM
Onboard Automation with EEM Onboard Automation with EEM
Onboard Automation with EEM
 
Mobile Internet Optimization: An effective tool for operators
Mobile Internet Optimization: An effective tool for operatorsMobile Internet Optimization: An effective tool for operators
Mobile Internet Optimization: An effective tool for operators
 
Holistic view of 802.1x integration & optimization
Holistic view of 802.1x integration & optimizationHolistic view of 802.1x integration & optimization
Holistic view of 802.1x integration & optimization
 
PKI Industry growth in Bangladesh
PKI Industry growth in BangladeshPKI Industry growth in Bangladesh
PKI Industry growth in Bangladesh
 
Darknet - Is this the future of Internet?
Darknet - Is this the future of Internet? Darknet - Is this the future of Internet?
Darknet - Is this the future of Internet?
 
History and Evolution of Bangladesh Internet
History and Evolution of Bangladesh Internet History and Evolution of Bangladesh Internet
History and Evolution of Bangladesh Internet
 
Building REN in BD
Building REN in BD Building REN in BD
Building REN in BD
 

Similar to Secure BGP and Operational Report of Bangladesh

BGP Protocol Makes the Internet Work
BGP Protocol Makes the Internet WorkBGP Protocol Makes the Internet Work
BGP Protocol Makes the Internet WorkIT Tech
 
Securing Routing Protocol BGP
Securing Routing Protocol BGPSecuring Routing Protocol BGP
Securing Routing Protocol BGPIRJET Journal
 
T4 Handout3
T4 Handout3T4 Handout3
T4 Handout3gobed
 
Manrs 7_sept__indonesia
Manrs 7_sept__indonesiaManrs 7_sept__indonesia
Manrs 7_sept__indonesiaNaveenLakshman
 
A NOVEL APPROACH FOR SECURE ROUTING THROUGH BGP USING SYMMETRIC KEY
A NOVEL APPROACH FOR SECURE ROUTING THROUGH BGP USING SYMMETRIC KEYA NOVEL APPROACH FOR SECURE ROUTING THROUGH BGP USING SYMMETRIC KEY
A NOVEL APPROACH FOR SECURE ROUTING THROUGH BGP USING SYMMETRIC KEYIJNSA Journal
 
A NOVEL APPROACH FOR SECURE ROUTING THROUGH BGP USING SYMMETRIC KEY
A NOVEL APPROACH FOR SECURE ROUTING THROUGH BGP USING SYMMETRIC KEYA NOVEL APPROACH FOR SECURE ROUTING THROUGH BGP USING SYMMETRIC KEY
A NOVEL APPROACH FOR SECURE ROUTING THROUGH BGP USING SYMMETRIC KEYIJNSA Journal
 
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaLkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaAPNIC
 
LKNOG3-Keynote
LKNOG3-KeynoteLKNOG3-Keynote
LKNOG3-KeynoteLKNOG
 
routing Protocols and Virtual private network
routing Protocols and Virtual private networkrouting Protocols and Virtual private network
routing Protocols and Virtual private networkhayenas
 
Border Gateway Protocol
Border Gateway ProtocolBorder Gateway Protocol
Border Gateway ProtocolKashif Latif
 
Routing Protocols
Routing ProtocolsRouting Protocols
Routing Protocolselgraini
 
The benefit of BGP for every service provider
The benefit of BGP for every service providerThe benefit of BGP for every service provider
The benefit of BGP for every service providerThomas Mangin
 

Similar to Secure BGP and Operational Report of Bangladesh (20)

Part1
Part1Part1
Part1
 
BGP Protocol Makes the Internet Work
BGP Protocol Makes the Internet WorkBGP Protocol Makes the Internet Work
BGP Protocol Makes the Internet Work
 
Securing Routing Protocol BGP
Securing Routing Protocol BGPSecuring Routing Protocol BGP
Securing Routing Protocol BGP
 
MANRS for Network Operators
MANRS for Network OperatorsMANRS for Network Operators
MANRS for Network Operators
 
Bigbgp
BigbgpBigbgp
Bigbgp
 
T4 Handout3
T4 Handout3T4 Handout3
T4 Handout3
 
BGP Overview
BGP OverviewBGP Overview
BGP Overview
 
Presentation1
Presentation1Presentation1
Presentation1
 
Manrs 7_sept__indonesia
Manrs 7_sept__indonesiaManrs 7_sept__indonesia
Manrs 7_sept__indonesia
 
A NOVEL APPROACH FOR SECURE ROUTING THROUGH BGP USING SYMMETRIC KEY
A NOVEL APPROACH FOR SECURE ROUTING THROUGH BGP USING SYMMETRIC KEYA NOVEL APPROACH FOR SECURE ROUTING THROUGH BGP USING SYMMETRIC KEY
A NOVEL APPROACH FOR SECURE ROUTING THROUGH BGP USING SYMMETRIC KEY
 
A NOVEL APPROACH FOR SECURE ROUTING THROUGH BGP USING SYMMETRIC KEY
A NOVEL APPROACH FOR SECURE ROUTING THROUGH BGP USING SYMMETRIC KEYA NOVEL APPROACH FOR SECURE ROUTING THROUGH BGP USING SYMMETRIC KEY
A NOVEL APPROACH FOR SECURE ROUTING THROUGH BGP USING SYMMETRIC KEY
 
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri LankaLkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
LkNOG 3: Strengthening the Internet infrastructure in Sri Lanka
 
LKNOG3-Keynote
LKNOG3-KeynoteLKNOG3-Keynote
LKNOG3-Keynote
 
routing Protocols and Virtual private network
routing Protocols and Virtual private networkrouting Protocols and Virtual private network
routing Protocols and Virtual private network
 
Border Gateway Protocol
Border Gateway ProtocolBorder Gateway Protocol
Border Gateway Protocol
 
bgp protocol
bgp protocol bgp protocol
bgp protocol
 
Routing Protocols
Routing ProtocolsRouting Protocols
Routing Protocols
 
Arun project-Final
Arun project-FinalArun project-Final
Arun project-Final
 
The benefit of BGP for every service provider
The benefit of BGP for every service providerThe benefit of BGP for every service provider
The benefit of BGP for every service provider
 
PACE-IT: Introduction to Routing Protocols - N10 006
PACE-IT: Introduction to Routing Protocols - N10 006PACE-IT: Introduction to Routing Protocols - N10 006
PACE-IT: Introduction to Routing Protocols - N10 006
 

More from Bangladesh Network Operators Group

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephBangladesh Network Operators Group
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceBangladesh Network Operators Group
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaBangladesh Network Operators Group
 

More from Bangladesh Network Operators Group (20)

Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and CephAccelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
Accelerating Hyper-Converged Enterprise Virtualization using Proxmox and Ceph
 
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJRecent IRR changes by Yoshinobu Matsuzaki, IIJ
Recent IRR changes by Yoshinobu Matsuzaki, IIJ
 
Fact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in BangladeshFact Sheets : Network Status in Bangladesh
Fact Sheets : Network Status in Bangladesh
 
AI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the PyramidAI Driven Wi-Fi for the Bottom of the Pyramid
AI Driven Wi-Fi for the Bottom of the Pyramid
 
IPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCTIPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCT
 
Network eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life ProductNetwork eWaste : Community role to manage end of life Product
Network eWaste : Community role to manage end of life Product
 
A plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s DeploymentA plenarily integrated SIEM solution and it’s Deployment
A plenarily integrated SIEM solution and it’s Deployment
 
IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia 2022IPv6 Deployment in South Asia 2022
IPv6 Deployment in South Asia 2022
 
Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)Introduction to Software Defined Networking (SDN)
Introduction to Software Defined Networking (SDN)
 
RPKI Deployment Status in Bangladesh
RPKI Deployment Status in BangladeshRPKI Deployment Status in Bangladesh
RPKI Deployment Status in Bangladesh
 
An Overview about open UDP Services
An Overview about open UDP ServicesAn Overview about open UDP Services
An Overview about open UDP Services
 
12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender12 Years in DNS Security As a Defender
12 Years in DNS Security As a Defender
 
Contents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User ExperienceContents Localization Initiatives to get better User Experience
Contents Localization Initiatives to get better User Experience
 
BdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptxBdNOG-20220625-MT-v6.0.pptx
BdNOG-20220625-MT-v6.0.pptx
 
Route Leak Prevension with BGP Community
Route Leak Prevension with BGP CommunityRoute Leak Prevension with BGP Community
Route Leak Prevension with BGP Community
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
 
Re-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with GrafanaRe-define network visibility for capacity planning & forecasting with Grafana
Re-define network visibility for capacity planning & forecasting with Grafana
 
RPKI ROA updates
RPKI ROA updatesRPKI ROA updates
RPKI ROA updates
 
Blockchain Demystified
Blockchain DemystifiedBlockchain Demystified
Blockchain Demystified
 
Measuring the Internet Economy: How Networks Create Value
Measuring the Internet Economy: How Networks Create ValueMeasuring the Internet Economy: How Networks Create Value
Measuring the Internet Economy: How Networks Create Value
 

Recently uploaded

『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxAndrieCagasanAkio
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxNIMMANAGANTI RAMAKRISHNA
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 

Recently uploaded (11)

『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptx
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptx
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 

Secure BGP and Operational Report of Bangladesh

  • 1. www.internetsociety.org Secure BGP and Operational Report of Bangladesh ION Bangladesh and bdNOG 5 Md. Jahangir Hossain Vice Chair, ISOC Bangladesh Chapter EC member, bdNOG
  • 2. The Internet Society Key Areas  Prefix Filtering  Next-Hop Filtering  BGP TTL security (GTSM)  AS-path filtering  BGP community scrubbing  BGP route flap dampening  Control Plan Protection  Remotely-Triggered Black Hole (RTBH)  Go with ROA in Resource Public Key Infrastructure (RPKI)  RPKI development status in Bangladesh
  • 3. The Internet Society Prefix Filtering  Filters with customers  Filters with Internet peers  Filters with upstream providers  Bogon prefix ---defined as Martians
  • 4. The Internet Society Next-Hop Filtering = If we peering on a shared network, like an IXP, BGP can advertise prefixes with a 3rd-party next-hop, thus directing packets not to the peer announcing the prefix but somewhere else. = In direct peerings between ISPs, this is undesirable, as one of the peers could trick the other one to send packets into a black hole (unreachable next-hop) or to an unsuspecting 3rd party who would then have to carry the traffic. = Especially for black-holing, the root cause of the problem is hard to see without inspecting BGP prefixes at the receiving router at the IXP. Therefore, an inbound route policy SHOULD be applied on IXP peerings in order to set the next-hop for accepted prefixes to the BGP peer IP address (belonging to the IXP LAN) that sent the prefix (which is what "next-hop-self" would enforce on the sending side).
  • 5. The Internet Society BGP TTL security (GTSM) = BGP sessions can be made harder to spoof with the Generalized TTL Security Mechanisms (GTSM, aka TTL security), defined in . Instead of sending TCP packets with TTL value of 1, the BGP speakers send the TCP packets with TTL value of 255 and the receiver checks that the TTL value equals 255. = Since it's impossible to send an IP packet with TTL of 255 to a non-directly- connected IP host, BGP TTL security effectively prevents all spoofing attacks coming from third parties not directly connected to the same subnet as the BGP speaking routers. = Network administrators SHOULD implement TTL security on directly connected BGP peerings. = GTSM could also be applied to multi-hop BGP peering as well.
  • 6. The Internet Society AS-path filtering = Network administrators SHOULD NOT advertise prefixes with non- empty AS- path unless they intend to be transit for these prefixes. = Network administrators SHOULD NOT accept prefixes with private AS numbers in the AS-path except from customers. Exception: an upstream offering some particular service like black-hole origination based on a private AS number. = Customers should be informed by their upstream in order to put in place ad-hoc policy to use such services. = Network administrators SHOULD NOT accept prefixes when the first AS number in the AS-path is not the one of the peer unless the peering is done toward a BGP route-server (for example on an IXP) with transparent AS path handling. In that case this verification needs to be de-activated as the first AS number will be the one of an IXP member whereas the peer AS number will be the one of the BGP route-server.
  • 7. The Internet Society BGP community scrubbing = Network administrators SHOULD scrub inbound communities with their number in the high-order bits, and allow only those communities that customers/peers can use as a signaling mechanism. = Networks administrators SHOULD NOT remove other communities applied on received routes (communities not removed after application of previous statement). In particular they SHOULD keep original communities when they apply a community. Customers might need them to communicate with upstream providers. In particular network administrators SHOULD NOT (generally) remove the no-export community as it is usually announced by their peer for a certain purpose.
  • 8. The Internet Society BGP route flap dampening = The BGP route flap dampening mechanism makes it possible to give penalties to routes each time they change in the BGP routing table. Initially this mechanism was created to protect the entire Internet from multiple events impacting a single network.  Studies have shown that implementations of BGP route flap dampening could cause more harm than they solve problems and therefore RIPE community has in the past recommended not using BGP route flap dampening .  Studies have then been conducted to propose new route flap dampening thresholds in order to make the solution "usable", see RFC 7196
  • 9. The Internet Society Protection of the BGP Speaker by Control Panel filtering Help to minimize DDOS attack
  • 10. The Internet Society Remote Triggered Black Hole (RTBH) Remotely-Triggered Black Hole (RTBH) routing is an interesting application of BGP as a security tool within service provider networks. One common use is mitigation of distributed denial of service (DDoS) attacks. http://tools.ietf.org/html/rfc5635
  • 11. The Internet Society SIDR - Secure Inter-Domain Routing An infrastructure called SIDR (Secure Inter-Domain Routing),has been designed to secure Internet advertisements. = Origin validation, described in seeks to make sure that attributes associated with routes are correct. = Path validation provided by BGPsec seeks to make sure that no one announces fake/wrong BGP paths that would attract traffic for a given destination. Implementing SIDR mechanisms is expected to solve many of the BGP routing security problems in the long term, but it may take time for deployments to be made and objects to become signed. Also, note that the SIDR infrastructure is complementing (not replacing) the security best practices .
  • 12. The Internet Society Go with ROA ! A ROA or Route Origin Authorization is an attestation of a BGP route announcement. It attests that the origin AS number is authorized to announce the prefix(es). The attestation can be verified cryptographically using RPKI. • Verify whether an AS is authorized to announce a specific IP prefix • Minimize common routing errors • Prevent most accidental hijacks http://www.apnic.net/roa
  • 14. The Internet Society RPKI Adoption rate in BD
  • 15. The Internet Society Special Thanks to BCP: 194 J. Durand ,Cisco Systems, Inc. G. Doering ,SpaceNet https://tools.ietf.org/html/bcp194 Jac Kloots SURFnetJac Kloots ,SURFnet http://rpki.surfnet.nl/index.html Internet Society Deploy360 Programme Team http://www.internetsociety.org/deploy360/securing-bgp/ Fakrul Alam APNIC https://www.apnic.net/
  • 16. www.internetsociety.org Join us today ! Global membership is FREE http://www.internetsociety.org/deploy360/ http://www.isoc.org.bd/dhaka/