{"title":"Mitigating BGP Route Leaks With Attributes and Communities: A Stopgap Solution for Path Plausibility","authors":"Nils Höger, Nils Rodday, Gabi Dreo Rodosek","doi":"10.1002/nem.70002","DOIUrl":null,"url":null,"abstract":"<p>The Border Gateway Protocol (BGP) is known to have serious security vulnerabilities. One of these vulnerabilities is BGP route leaks. A BGP route leak describes the propagation of route announcements beyond their intended scope, violating the Gao-Rexford model. Route leaks may lead to traffic misdirection, causing performance issues and potential security risks, often due to mistakes and misconfiguration. Several potential solutions have been published and are currently greatly discussed within the Internet Engineering Task Force (IETF) but have yet to be widely implemented. One approach is the Autonomous System Provider Authorization (ASPA). In addition to these new approaches, there are also efforts to use existing BGP functionalities to detect and prevent route leaks. In this paper, we implement the Down Only (DO) Community and Only to Customer (OTC) Attribute approaches, using them isolated and in conjunction with ASPA. Our research indicates that implementing a DO/OTC deployment strategy focusing on well-interconnected ASes could significantly reduce route leaks. Specifically, we observed mitigation of over 98% of all route leaks when DO and OTC were deployed by the top 5% of the most connected ASes. We show that combining DO/OTC and ASPA can greatly enhance ASPA's route leak prevention capabilities.</p>","PeriodicalId":14154,"journal":{"name":"International Journal of Network Management","volume":"35 2","pages":""},"PeriodicalIF":1.5000,"publicationDate":"2025-01-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://onlinelibrary.wiley.com/doi/epdf/10.1002/nem.70002","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Network Management","FirstCategoryId":"94","ListUrlMain":"https://onlinelibrary.wiley.com/doi/10.1002/nem.70002","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0
Abstract
The Border Gateway Protocol (BGP) is known to have serious security vulnerabilities. One of these vulnerabilities is BGP route leaks. A BGP route leak describes the propagation of route announcements beyond their intended scope, violating the Gao-Rexford model. Route leaks may lead to traffic misdirection, causing performance issues and potential security risks, often due to mistakes and misconfiguration. Several potential solutions have been published and are currently greatly discussed within the Internet Engineering Task Force (IETF) but have yet to be widely implemented. One approach is the Autonomous System Provider Authorization (ASPA). In addition to these new approaches, there are also efforts to use existing BGP functionalities to detect and prevent route leaks. In this paper, we implement the Down Only (DO) Community and Only to Customer (OTC) Attribute approaches, using them isolated and in conjunction with ASPA. Our research indicates that implementing a DO/OTC deployment strategy focusing on well-interconnected ASes could significantly reduce route leaks. Specifically, we observed mitigation of over 98% of all route leaks when DO and OTC were deployed by the top 5% of the most connected ASes. We show that combining DO/OTC and ASPA can greatly enhance ASPA's route leak prevention capabilities.
众所周知,边界网关协议BGP (Border Gateway Protocol)存在严重的安全漏洞。其中一个漏洞是BGP路由泄漏。BGP路由泄漏描述了路由公告超出其预期范围的传播,违反了Gao-Rexford模型。路由泄漏可能导致流量方向错误,从而导致性能问题和潜在的安全风险,通常是由于错误和错误配置造成的。一些潜在的解决方案已经发表,并且目前在互联网工程任务组(IETF)内部进行了大量讨论,但尚未得到广泛实施。一种方法是自治系统提供者授权(ASPA)。除了这些新方法之外,也有人努力使用现有的BGP功能来检测和防止路由泄漏。在本文中,我们实现了Down Only (DO)社区和Only to Customer (OTC)属性方法,将它们与ASPA分离并结合使用。我们的研究表明,实施DO/OTC部署策略,重点关注互连良好的as,可以显著减少路由泄漏。具体来说,我们观察到,当连接最多的前5%的ase部署DO和OTC时,超过98%的路由泄漏得到缓解。研究表明,将DO/OTC与ASPA相结合可以大大提高ASPA的路由泄漏防护能力。
期刊介绍:
Modern computer networks and communication systems are increasing in size, scope, and heterogeneity. The promise of a single end-to-end technology has not been realized and likely never will occur. The decreasing cost of bandwidth is increasing the possible applications of computer networks and communication systems to entirely new domains. Problems in integrating heterogeneous wired and wireless technologies, ensuring security and quality of service, and reliably operating large-scale systems including the inclusion of cloud computing have all emerged as important topics. The one constant is the need for network management. Challenges in network management have never been greater than they are today. The International Journal of Network Management is the forum for researchers, developers, and practitioners in network management to present their work to an international audience. The journal is dedicated to the dissemination of information, which will enable improved management, operation, and maintenance of computer networks and communication systems. The journal is peer reviewed and publishes original papers (both theoretical and experimental) by leading researchers, practitioners, and consultants from universities, research laboratories, and companies around the world. Issues with thematic or guest-edited special topics typically occur several times per year. Topic areas for the journal are largely defined by the taxonomy for network and service management developed by IFIP WG6.6, together with IEEE-CNOM, the IRTF-NMRG and the Emanics Network of Excellence.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
