Chapter 9

Security

While the use of BGP for delivering services within an Autonomous System has increased, it remains the de facto protocol for inter-AS route exchange, and as such BGP must run on routers that are at the extremity of an Autonomous System or administrative domain.

The point where the Autonomous System connects externally is frequently considered the security perimeter. Regardless of whether that external connection is a customer, a peering partner, a content provider, or something else, securing that perimeter against potential threats or attacks is of paramount importance. A number of mechanisms are in use today to implement security measures at the Autonomous System boundary, some simple and some a little more complex. This chapter looks at how BGP can be used both proactively and reactively to help secure the perimeter.

FlowSpec

BGP Flow Specification (FlowSpec) (RFC 5575) allows for encoding of flow specification information into Multi-Protocol BGP NLRI. A flow specification is an n-tuple consisting of several matching criteria such as source prefix, destination prefix, protocol, or ports that can be applied to IP traffic. Coupled with the flow specification information NLRI, Extended Community attributes provide the capability to define traffic filtering rules for the specified flow specification. The intention is to allow for automated creation of IP Filters to prevent intra-AS and inter-AS DDoS attacks, and to allow for redirection of traffic to other routing ...