bgp hints - internet routing news, hints and tips

Posted: 2004-04-20

Category: News

Vulnerability issues in TCP affect BGP

As reported in an earlier article, since BGP uses TCP as its transport protocol, it is vulnerable to the same issues as TCP itself. One such vulnerability is the possibility of resetting a TCP connection by an attacker. In an advisory released today (2004-04-20), this problem is once again brought to the attention. The advisory claims that resetting a TCP session requires far fewer attack packets than previously was assumed, thus making an attack more feasible.

Long lived TCP connections are especially at risk for this vulnerability. Frequent resets of a BGP session will cause route flapping, causing the routing information to be damped. In addition, the ports used by a BGP session can often be determined easily using a looking glass, making the attack even easier.

The previous article also described the most common method operators can employ to protect against this vulnerability: the TCP MD5 signature option (as described in RFC 2385). Other solutions include running BGP over IPsec and the Generalized TTL Security Mechanism (GTSM, described in RFC 3682). These methods are not widely deployed, although the latter method was recently implemented in Cisco IOS. These 3 methods require implementations on both sides of the BGP session and coordinated changeover, something which is not always easy for peering sessions on public exchanges.

Router vendors can do their part by making their TCP implementations more robust. By using a smaller receive window, the range of valid sequence numbers is reduced. Similarly, the local ports used for the BGP sessions could be chosen more randomly, making them harder to guess. Also, internet draft draft-ietf-tcpm-tcpsecure-00 describes a modification to the TCP protocol in which sequence numbers must be checked more strictly. TCP implementations which follow this draft are far less vulnerable because the sequence number must be guessed exactly.

If you have any questions or comments regarding this article, please contact bgp@ruud.org.