IPv6 Security

Securing BGP Sessions

Leveraging an IPsec Tunnel

Another technique for securing BGP communications is to leverage the security of an IPsec tunnel. IPsec is a strong way to authenticate BGP peers, protect the integrity of updates, and help prevent DoS attacks that target BGP peers. Using IPsec is better than the TCP MD5 option because IKE refreshes the keys over time instead of relying on a static shared secret. Because BGP runs over TCP, it can use IPsec with no modification. However, the IPsec security association must be established before the peering can form. This adds overhead to the routers, so it might be prohibitive in terms of CPU resources. Configuring and troubleshooting the IPsec tunnel also adds a significant burden to maintaining a service provider network. Furthermore, the IPsec tunnel that carries the routing information ends up carrying forwarded traffic as well, and the per-packet overhead that IPsec adds would negatively impact throughput performance. Even though IPsec is a secure method, it is not widely used for BGP.

Even so, an attacker who knows that a router is using authentication can simply create a large number of spoofed packets with fake authentication parameters and send them toward that router. The router must process each of these fake packets (even if they are quickly rejected), which artificially consumes router resources. The resulting CPU spike on the target router could delay legitimate routing traffic, accomplishing the attacker's goal of disrupting the network. Enough authentication failures directed at the BGP router could potentially crash it. Therefore, authentication cannot be the only method of securing BGP communications.

Other methods of preventing unwanted traffic coming toward a router from causing problems involve filtering with access control lists (ACL). Control Plane Policing (CoPP) or Control Plane Protection (CPPr) can filter packets destined for the control plane of the router. Infrastructure ACLs (iACL) and receive ACLs can prevent the undesirable packets from reaching the router in the first place. Both of these concepts are covered fully in Chapter 6, "Hardening IPv6 Network Devices."

Using Loopback Addresses on BGP Peers

By using loopback addresses to peer BGP routers, it is more difficult for an attacker to learn the source address of the TCP port 179 peering session, because a loopback address is not exposed by traceroute the way the physical link addresses are. Because loopbacks are logical interfaces, peering between loopbacks decouples the BGP session from any single physical link, but it requires an Interior Gateway Protocol (IGP) to provide reachability between the loopbacks. Loopback interfaces are always up and operational, so they are very stable interfaces for the router to source many types of communications, such as authentication, authorization, and accounting (AAA) or management traffic. Peering between loopback addresses is more common for IBGP than for EBGP, because IBGP peers already share an IGP. EBGP peers typically use the directly connected IP addresses on each end of the physical link, but these addresses can be easily discovered by attackers. Regardless, using a loopback IPv4 address as the router ID (RID) for the BGP process is a best practice.
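The following IOS-style configuration is an added example, not taken from the book, that ties the two sections together: an IBGP session sourced from a loopback (with the RID taken from an IPv4 loopback and TCP MD5 still enabled), an infrastructure ACL on the EBGP-facing interface that lets only the directly connected peer reach TCP 179, and a CoPP policy that drops any BGP packet not from a configured peer before it consumes route-processor CPU. All addresses are from the 2001:db8::/32 documentation prefix, and the interface names, AS numbers, ACL and class names, policer rates and the password placeholder are assumptions to be replaced with real values; check the exact command syntax against your platform's release.

```text
! Added example, IOS-style; not from the original page.
! Addresses use the documentation prefix; names, AS numbers, policer rates
! and the MD5 secret placeholder are assumptions.
!
! --- IBGP peering between loopbacks (the IGP must carry both /128s) ---
interface Loopback0
 ipv6 address 2001:db8:ffff::1/128
!
router bgp 65001
 ! RID taken from an IPv4 loopback, as the text recommends
 bgp router-id 192.0.2.1
 neighbor 2001:db8:ffff::2 remote-as 65001
 neighbor 2001:db8:ffff::2 update-source Loopback0
 ! Authentication alone is not enough, but keep it; EXAMPLE-SECRET is a placeholder
 neighbor 2001:db8:ffff::2 password EXAMPLE-SECRET
 !
 address-family ipv6 unicast
  neighbor 2001:db8:ffff::2 activate
 exit-address-family
!
! --- iACL on the external interface: only the directly connected EBGP peer
!     (2001:db8:1::2) may talk BGP to this router's link address, and nothing
!     outside may reach the loopback's BGP port. A production iACL would also
!     deny other traffic aimed at infrastructure addresses; transit traffic
!     must still be permitted, hence the final permit.
ipv6 access-list IACL-EDGE
 permit tcp host 2001:db8:1::2 host 2001:db8:1::1 eq bgp
 permit tcp host 2001:db8:1::2 eq bgp host 2001:db8:1::1
 deny   tcp any host 2001:db8:1::1 eq bgp
 deny   tcp any host 2001:db8:ffff::1 eq bgp
 permit ipv6 any any
!
interface GigabitEthernet0/0
 ipv6 address 2001:db8:1::1/64
 ipv6 traffic-filter IACL-EDGE in
!
! --- CoPP: classify BGP packets that are NOT from a configured peer.
!     In a class-map ACL, "permit" means "match"; the deny lines exempt the
!     legitimate IBGP and EBGP peers so only unauthorized BGP is matched.
ipv6 access-list BGP-UNAUTHORIZED
 deny   tcp host 2001:db8:ffff::2 host 2001:db8:ffff::1 eq bgp
 deny   tcp host 2001:db8:ffff::2 eq bgp host 2001:db8:ffff::1
 deny   tcp host 2001:db8:1::2 host 2001:db8:1::1 eq bgp
 deny   tcp host 2001:db8:1::2 eq bgp host 2001:db8:1::1
 permit tcp any any eq bgp
 permit tcp any eq bgp any
!
class-map match-all CM-BGP-UNAUTHORIZED
 match access-group name BGP-UNAUTHORIZED
!
! Drop the matched class outright; the class-default rate is an assumption
! and must be sized for the platform's legitimate control-plane load.
policy-map PM-COPP
 class CM-BGP-UNAUTHORIZED
  police 8000 conform-action drop exceed-action drop
 class class-default
  police 250000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input PM-COPP
```

The iACL stops spoofed TCP 179 packets at the edge interface, so most of them never reach the route processor; CoPP is the second layer for packets that arrive on other interfaces or are addressed to the loopback, which the iACL on one interface cannot cover. Verify with `show policy-map control-plane` that the CM-BGP-UNAUTHORIZED counters stay at zero during normal operation and climb only under attack, otherwise a legitimate peer has been left out of the exemption list.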
