summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc7454.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc7454.txt')
-rw-r--r--doc/rfc/rfc7454.txt1459
1 files changed, 1459 insertions, 0 deletions
diff --git a/doc/rfc/rfc7454.txt b/doc/rfc/rfc7454.txt
new file mode 100644
index 0000000..5ed133b
--- /dev/null
+++ b/doc/rfc/rfc7454.txt
@@ -0,0 +1,1459 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) J. Durand
+Request for Comments: 7454 Cisco Systems, Inc.
+BCP: 194 I. Pepelnjak
+Category: Best Current Practice NIL
+ISSN: 2070-1721 G. Doering
+ SpaceNet
+ February 2015
+
+
+ BGP Operations and Security
+
+Abstract
+
+ The Border Gateway Protocol (BGP) is the protocol almost exclusively
+ used in the Internet to exchange routing information between network
+ domains. Due to this central nature, it is important to understand
+ the security measures that can and should be deployed to prevent
+ accidental or intentional routing disturbances.
+
+ This document describes measures to protect the BGP sessions itself
+ such as Time to Live (TTL), the TCP Authentication Option (TCP-AO),
+ and control-plane filtering. It also describes measures to better
+ control the flow of routing information, using prefix filtering and
+ automation of prefix filters, max-prefix filtering, Autonomous System
+ (AS) path filtering, route flap dampening, and BGP community
+ scrubbing.
+
+Status of This Memo
+
+ This memo documents an Internet Best Current Practice.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Further information on
+ BCPs is available in Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc7454.
+
+
+
+
+
+
+
+
+
+
+
+Durand, et al. Best Current Practice [Page 1]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+Copyright Notice
+
+ Copyright (c) 2015 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Durand, et al. Best Current Practice [Page 2]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
+ 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4
+ 2. Scope of the Document . . . . . . . . . . . . . . . . . . . . 4
+ 3. Definitions and Acronyms . . . . . . . . . . . . . . . . . . 4
+ 4. Protection of the BGP Speaker . . . . . . . . . . . . . . . . 5
+ 5. Protection of BGP Sessions . . . . . . . . . . . . . . . . . 6
+ 5.1. Protection of TCP Sessions Used by BGP . . . . . . . . . 6
+ 5.2. BGP TTL Security (GTSM) . . . . . . . . . . . . . . . . . 6
+ 6. Prefix Filtering . . . . . . . . . . . . . . . . . . . . . . 7
+ 6.1. Definition of Prefix Filters . . . . . . . . . . . . . . 7
+ 6.1.1. Special-Purpose Prefixes . . . . . . . . . . . . . . 7
+ 6.1.2. Unallocated Prefixes . . . . . . . . . . . . . . . . 8
+ 6.1.3. Prefixes That Are Too Specific . . . . . . . . . . . 12
+ 6.1.4. Filtering Prefixes Belonging to the Local AS and
+ Downstreams . . . . . . . . . . . . . . . . . . . . . 12
+ 6.1.5. IXP LAN Prefixes . . . . . . . . . . . . . . . . . . 12
+ 6.1.6. The Default Route . . . . . . . . . . . . . . . . . . 13
+ 6.2. Prefix Filtering Recommendations in Full Routing Networks 14
+ 6.2.1. Filters with Internet Peers . . . . . . . . . . . . . 14
+ 6.2.2. Filters with Customers . . . . . . . . . . . . . . . 16
+ 6.2.3. Filters with Upstream Providers . . . . . . . . . . . 16
+ 6.3. Prefix Filtering Recommendations for Leaf Networks . . . 17
+ 6.3.1. Inbound Filtering . . . . . . . . . . . . . . . . . . 17
+ 6.3.2. Outbound Filtering . . . . . . . . . . . . . . . . . 17
+ 7. BGP Route Flap Dampening . . . . . . . . . . . . . . . . . . 17
+ 8. Maximum Prefixes on a Peering . . . . . . . . . . . . . . . . 18
+ 9. AS Path Filtering . . . . . . . . . . . . . . . . . . . . . . 18
+ 10. Next-Hop Filtering . . . . . . . . . . . . . . . . . . . . . 20
+ 11. BGP Community Scrubbing . . . . . . . . . . . . . . . . . . . 21
+ 12. Security Considerations . . . . . . . . . . . . . . . . . . . 21
+ 13. References . . . . . . . . . . . . . . . . . . . . . . . . . 21
+ 13.1. Normative References . . . . . . . . . . . . . . . . . . 21
+ 13.2. Informative References . . . . . . . . . . . . . . . . . 22
+ Appendix A. IXP LAN Prefix Filtering - Example . . . . . . . . . 25
+ Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 25
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26
+
+
+
+
+
+
+
+
+
+
+
+
+
+Durand, et al. Best Current Practice [Page 3]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+1. Introduction
+
+ The Border Gateway Protocol (BGP), specified in RFC 4271 [2], is the
+ protocol used in the Internet to exchange routing information between
+ network domains. BGP does not directly include mechanisms that
+ control whether the routes exchanged conform to the various
+ guidelines defined by the Internet community. This document intends
+ to both summarize common existing guidelines and help network
+ administrators apply coherent BGP policies.
+
+1.1. Requirements Language
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [1].
+
+2. Scope of the Document
+
+ The guidelines defined in this document are intended for generic
+ Internet BGP peerings. The nature of the Internet is such that
+ Autonomous Systems can always agree on exceptions to a common
+ framework for relevant local needs, and therefore configure a BGP
+ session in a manner that may differ from the recommendations provided
+ in this document. While this is perfectly acceptable, every
+ configured exception might have an impact on the entire inter-domain
+ routing environment, and network administrators SHOULD carefully
+ appraise this impact before implementation.
+
+3. Definitions and Acronyms
+
+ o ACL: Access Control List
+
+ o ASN: Autonomous System Number
+
+ o IRR: Internet Routing Registry
+
+ o IXP: Internet Exchange Point
+
+ o LIR: Local Internet Registry
+
+ o PMTUD: Path MTU Discovery
+
+ o RIR: Regional Internet Registry
+
+ o Tier 1 transit provider: an IP transit provider that can reach any
+ network on the Internet without purchasing transit services.
+
+ o uRPF: Unicast Reverse Path Forwarding
+
+
+
+Durand, et al. Best Current Practice [Page 4]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+ In addition to the list above, the following terms are used with a
+ specific meaning.
+
+ o Downstream: any network that is downstream; it can be a provider
+ or a customer network.
+
+ o Upstream: any network that is upstream.
+
+4. Protection of the BGP Speaker
+
+ The BGP speaker needs to be protected from attempts to subvert the
+ BGP session. This protection SHOULD be achieved by an Access Control
+ List (ACL) that would discard all packets directed to TCP port 179 on
+ the local device and sourced from an address not known or permitted
+ to become a BGP neighbor. Experience has shown that the natural
+ protection TCP should offer is not always sufficient, as it is
+ sometimes run in control-plane software. In the absence of ACLs, it
+ is possible to attack a BGP speaker by simply sending a high volume
+ of connection requests to it.
+
+ If supported, an ACL specific to the control plane of the router
+ SHOULD be used (receive-ACL, control-plane policing, etc.), to avoid
+ configuration of data-plane filters for packets transiting through
+ the router (and therefore not reaching the control plane). If the
+ hardware cannot do that, interface ACLs can be used to block packets
+ addressed to the local router.
+
+ Some routers automatically program such an ACL upon BGP
+ configuration. On other devices, this ACL should be configured and
+ maintained manually or using scripts.
+
+ In addition to strict filtering, rate-limiting MAY be configured for
+ accepted BGP traffic. Rate-limiting BGP traffic consists in
+ permitting only a certain quantity of bits per second (or packets per
+ second) of BGP traffic to the control plane. This protects the BGP
+ router control plane in case the amount of BGP traffic surpasses
+ platform capabilities.
+
+ Filtering and rate-limiting of control-plane traffic is a wider topic
+ than "just for BGP". (If a network administrator brings down a
+ router by overloading one of the other protocols remotely, BGP is
+ harmed as well.) For a more detailed recommendation on how to
+ protect the router's control plane, see RFC 6192 [11].
+
+
+
+
+
+
+
+
+Durand, et al. Best Current Practice [Page 5]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+5. Protection of BGP Sessions
+
+ Current security issues of TCP-based protocols (therefore including
+ BGP) have been documented in RFC 6952 [14]. The following
+ subsections list the major points raised in this RFC and give the
+ best practices related to TCP session protection for BGP operation.
+
+5.1. Protection of TCP Sessions Used by BGP
+
+ Attacks on TCP sessions used by BGP (aka BGP sessions), for example,
+ sending spoofed TCP RST packets, could bring down a BGP peering.
+ Following a successful ARP spoofing attack (or other similar man-in-
+ the-middle attack), the attacker might even be able to inject packets
+ into the TCP stream (routing attacks).
+
+ BGP sessions can be secured with a variety of mechanisms. MD5
+ protection of the TCP session header, described in RFC 2385 [7], was
+ the first such mechanism. It has been obsoleted by the TCP
+ Authentication Option (TCP-AO; RFC 5925 [4]), which offers stronger
+ protection. While MD5 is still the most used mechanism due to its
+ availability in vendors' equipment, TCP-AO SHOULD be preferred when
+ implemented.
+
+ IPsec could also be used for session protection. At the time of
+ publication, there is not enough experience of the impact of using
+ IPsec for BGP peerings, and further analysis is required to define
+ guidelines.
+
+ The drawback of TCP session protection is additional configuration
+ and management overhead for the maintenance of authentication
+ information (for example, MD5 passwords). Protection of TCP sessions
+ used by BGP is thus NOT REQUIRED even when peerings are established
+ over shared networks where spoofing can be done (like IXPs), but
+ operators are RECOMMENDED to consider the trade-offs and to apply TCP
+ session protection where appropriate.
+
+ Furthermore, network administrators SHOULD block spoofed packets
+ (packets with a source IP address belonging to their IP address
+ space) at all edges of their network (see RFC 2827 [8] and RFC 3704
+ [9]). This protects the TCP session used by Internal BGP (IBGP) from
+ attackers outside the Autonomous System.
+
+5.2. BGP TTL Security (GTSM)
+
+ BGP sessions can be made harder to spoof with the Generalized TTL
+ Security Mechanisms (GTSM aka TTL security), defined in RFC 5082 [3].
+ Instead of sending TCP packets with TTL value of 1, the BGP speakers
+ send the TCP packets with TTL value of 255, and the receiver checks
+
+
+
+Durand, et al. Best Current Practice [Page 6]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+ that the TTL value equals 255. Since it's impossible to send an IP
+ packet with TTL of 255 to an IP host that is not directly connected,
+ BGP TTL security effectively prevents all spoofing attacks coming
+ from third parties not directly connected to the same subnet as the
+ BGP-speaking routers. Network administrators SHOULD implement TTL
+ security on directly connected BGP peerings.
+
+ GTSM could also be applied to multi-hop BGP peering as well. To
+ achieve this, TTL needs to be configured with a proper value
+ depending on the distance between BGP speakers (using the principle
+ described above). Nevertheless, it is not as effective because
+ anyone inside the TTL diameter could spoof the TTL.
+
+ Like MD5 protection, TTL security has to be configured on both ends
+ of a BGP session.
+
+6. Prefix Filtering
+
+ The main aspect of securing BGP resides in controlling the prefixes
+ that are received and advertised on the BGP peerings. Prefixes
+ exchanged between BGP peers are controlled with inbound and outbound
+ filters that can match on IP prefixes (as described in this section),
+ AS paths (as described in Section 9) or any other attributes of a BGP
+ prefix (for example, BGP communities, as described in Section 11).
+
+6.1. Definition of Prefix Filters
+
+ This section lists the most commonly used prefix filters. The
+ following sections will clarify where these filters should be
+ applied.
+
+6.1.1. Special-Purpose Prefixes
+
+6.1.1.1. IPv4 Special-Purpose Prefixes
+
+ The IANA IPv4 Special-Purpose Address Registry [23] maintains the
+ list of IPv4 special-purpose prefixes and their routing scope, and it
+ SHOULD be used for prefix-filter configuration. Prefixes with value
+ "False" in column "Global" SHOULD be discarded on Internet BGP
+ peerings.
+
+6.1.1.2. IPv6 Special-Purpose Prefixes
+
+ The IANA IPv6 Special-Purpose Address Registry [24] maintains the
+ list of IPv6 special-purpose prefixes and their routing scope, and it
+ SHOULD be used for prefix-filter configuration. Only prefixes with
+ value "False" in column "Global" SHOULD be discarded on Internet BGP
+ peerings.
+
+
+
+Durand, et al. Best Current Practice [Page 7]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+6.1.2. Unallocated Prefixes
+
+ IANA allocates prefixes to RIRs that in turn allocate prefixes to
+ LIRs (Local Internet Registries). It is wise not to accept routing
+ table prefixes that are not allocated by IANA and/or RIRs. This
+ section details the options for building a list of allocated prefixes
+ at every level. It is important to understand that filtering
+ unallocated prefixes requires constant updates, as prefixes are
+ continually allocated. Therefore, automation of such prefix filters
+ is key for the success of this approach. Network administrators
+ SHOULD NOT consider solutions described in this section if they are
+ not capable of maintaining updated prefix filters: the damage would
+ probably be worse than the intended security policy.
+
+6.1.2.1. IANA-Allocated Prefix Filters
+
+ IANA has allocated all the IPv4 available space. Therefore, there is
+ no reason why network administrators would keep checking that
+ prefixes they receive from BGP peers are in the IANA-allocated IPv4
+ address space [25]. No specific filters need to be put in place by
+ administrators who want to make sure that IPv4 prefixes they receive
+ in BGP updates have been allocated by IANA.
+
+ For IPv6, given the size of the address space, it can be seen as wise
+ to accept only prefixes derived from those allocated by IANA.
+ Administrators can dynamically build this list from the IANA-
+ allocated IPv6 space [26]. As IANA keeps allocating prefixes to
+ RIRs, the aforementioned list should be checked regularly against
+ changes, and if they occur, prefix filters should be computed and
+ pushed on network devices. The list could also be pulled directly by
+ routers when they implement such mechanisms. As there is delay
+ between the time a RIR receives a new prefix and the moment it starts
+ allocating portions of it to its LIRs, there is no need for doing
+ this step quickly and frequently. However, network administrators
+ SHOULD ensure that all IPv6 prefix filters are updated within a
+ maximum of one month after any change in the list of IPv6 prefixes
+ allocated by IANA.
+
+ If the process in place (whether manual or automatic) cannot
+ guarantee that the list is updated regularly, then it's better not to
+ configure any filters based on allocated networks. The IPv4
+ experience has shown that many network operators implemented filters
+ for prefixes not allocated by IANA but did not update them on a
+ regular basis. This created problems for the latest allocations, and
+ required extra work for RIRs that had to "de-bogonize" the newly
+ allocated prefixes. (See [18] for information on de-bogonizing.)
+
+
+
+
+
+Durand, et al. Best Current Practice [Page 8]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+6.1.2.2. RIR-Allocated Prefix Filters
+
+ A more precise check can be performed when one would like to make
+ sure that prefixes they receive are being originated or transited by
+ Autonomous Systems (ASes) entitled to do so. It has been observed in
+ the past that an AS could easily advertise someone else's prefix (or
+ more specific prefixes) and create black holes or security threats.
+ To partially mitigate this risk, administrators would need to make
+ sure BGP advertisements correspond to information located in the
+ existing registries. At this stage, two options can be considered:
+ short- and long-term options. They are described in the following
+ subsections.
+
+6.1.2.2.1. Prefix Filters Created from Internet Routing Registries
+ (IRRs)
+
+ An Internet Routing Registry (IRR) is a database containing Internet
+ routing information, described using Routing Policy Specification
+ Language objects as described in RFC 4012 [10]. Network
+ administrators are given privileges to describe routing policies of
+ their own networks in the IRR, and that information is published,
+ usually publicly. A majority of Regional Internet Registries do also
+ operate an IRR and can control whether registered routes conform to
+ the prefixes that are allocated or directly assigned. However, it
+ should be noted that the list of such prefixes is not necessarily a
+ complete list, and as such the list of routes in an IRR is not the
+ same as the set of RIR-allocated prefixes.
+
+ It is possible to use the IRR information to build, for a given
+ neighbor AS, a list of originated or transited prefixes that one may
+ accept. This can be done relatively easily using scripts and
+ existing tools capable of retrieving this information from the
+ registries. This approach is exactly the same for both IPv4 and
+ IPv6.
+
+ The macro-algorithm for the script is as follows. For the peer that
+ is considered, the distant network administrator has provided the AS
+ and may be able to provide an AS-SET object (aka AS-MACRO). An
+ AS-SET is an object that contains AS numbers or other AS-SETs. An
+ operator may create an AS-SET defining all the AS numbers of its
+ customers. A Tier 1 transit provider might create an AS-SET
+ describing the AS-SET of connected operators, which in turn describe
+ the AS numbers of their customers. Using recursion, it is possible
+ to retrieve from an AS-SET the complete list of AS numbers that the
+ peer is likely to announce. For each of these AS numbers, it is also
+ easy to look in the corresponding IRR for all associated prefixes.
+ With these two mechanisms, a script can build, for a given peer, the
+
+
+
+
+Durand, et al. Best Current Practice [Page 9]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+ list of allowed prefixes and the AS number from which they should be
+ originated. One could decide not use the origin information and only
+ build monolithic prefix filters from fetched data.
+
+ As prefixes, AS numbers, and AS-SETs may not all be under the same
+ RIR authority, it is difficult to choose for each object the
+ appropriate IRR to poll. Some IRRs have been created and are not
+ restricted to a given region or authoritative RIR. They allow RIRs
+ to publish information contained in their IRR in a common place.
+ They also make it possible for any subscriber (probably under
+ contract) to publish information too. When doing requests inside
+ such an IRR, it is possible to specify the source of information in
+ order to have the most reliable data. One could check a popular IRR
+ containing many sources (such as RADb [27], the Routing Assets
+ Database) and only select as sources some desired RIRs and trusted
+ major ISPs (Internet Service Providers).
+
+ As objects in IRRs may frequently vary over time, it is important
+ that prefix filters computed using this mechanism are refreshed
+ regularly. Refreshing the filters on a daily basis SHOULD be
+ considered because routing changes must sometimes be done in an
+ emergency and registries may be updated at the very last moment.
+ Note that this approach significantly increases the complexity of the
+ router configurations, as it can quickly add tens of thousands of
+ configuration lines for some important peers. To manage this
+ complexity, network administrators could use, for example, IRRToolSet
+ [30], a set of tools making it possible to simplify the creation of
+ automated filter configuration from policies stored in an IRR.
+
+ Last but not least, network administrators SHOULD publish and
+ maintain their resources properly in the IRR database maintained by
+ their RIR, when available.
+
+6.1.2.2.2. SIDR - Secure Inter-Domain Routing
+
+ An infrastructure called SIDR (Secure Inter-Domain Routing),
+ described in RFC 6480 [12], has been designed to secure Internet
+ advertisements. At the time of writing this document, many documents
+ have been published and a framework with a complete set of protocols
+ is proposed so that advertisements can be checked against signed
+ routing objects in RIRs. There are basically two services that SIDR
+ offers:
+
+ o Origin validation, described in RFC 6811 [5], seeks to make sure
+ that attributes associated with routes are correct. (The major
+ point is the validation of the AS number originating a given
+ route.) Origin validation is now operational (Internet
+
+
+
+
+Durand, et al. Best Current Practice [Page 10]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+ registries, protocols, implementations on some routers), and in
+ theory it can be implemented knowing that the number of signed
+ resources is still low at the time of writing this document.
+
+ o Path validation provided by BGPsec [29] seeks to make sure that no
+ one announces fake/wrong BGP paths that would attract traffic for
+ a given destination; see RFC 7132 [16]. BGPsec is still an
+ ongoing work item at the time of writing this document and
+ therefore cannot be implemented.
+
+ Implementing SIDR mechanisms is expected to solve many of the BGP
+ routing security problems in the long term, but it may take time for
+ deployments to be made and objects to become signed. Also, note that
+ the SIDR infrastructure is complementing (not replacing) the security
+ best practices listed in this document. Therefore, network
+ administrators SHOULD implement any SIDR proposed mechanism (for
+ example, route origin validation) on top of the other existing
+ mechanisms even if they could sometimes appear to be targeting the
+ same goal.
+
+ If route origin validation is implemented, the reader SHOULD refer to
+ the rules described in RFC 7115 [15]. In short, each external route
+ received on a router SHOULD be checked against the Resource Public
+ Key Infrastructure (RPKI) data set:
+
+ o If a corresponding ROA (Route Origin Authorization) is found and
+ is valid, then the prefix SHOULD be accepted.
+
+ o If the ROA is found and is INVALID, then the prefix SHOULD be
+ discarded.
+
+ o If a ROA is not found, then the prefix SHOULD be accepted, but the
+ corresponding route SHOULD be given a low preference.
+
+ In addition to this, network administrators SHOULD sign their routing
+ objects so their routes can be validated by other networks running
+ origin validation.
+
+ One should understand that the RPKI model brings new, interesting
+ challenges. The paper "On the Risk of Misbehaving RPKI Authorities"
+ [31] explains how the RPKI model can impact the Internet if
+ authorities don't behave as they are supposed to. Further analysis
+ is certainly required on RPKI, which carries part of BGP security.
+
+
+
+
+
+
+
+
+Durand, et al. Best Current Practice [Page 11]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+6.1.3. Prefixes That Are Too Specific
+
+ Most ISPs will not accept advertisements beyond a certain level of
+ specificity (and in return, they do not announce prefixes they
+ consider to be too specific). That acceptable specificity is decided
+ for each peering between the two BGP peers. Some ISP communities
+ have tried to document acceptable specificity. This document does
+ not make any judgement on what the best approach is, it just notes
+ that there are existing practices on the Internet and recommends that
+ the reader refer to them. As an example, the RIPE community has
+ documented that, at the time of writing of this document, IPv4
+ prefixes longer than /24 and IPv6 prefixes longer than /48 are
+ generally neither announced nor accepted in the Internet [20] [21].
+ These values may change in the future.
+
+6.1.4. Filtering Prefixes Belonging to the Local AS and Downstreams
+
+ A network SHOULD filter its own prefixes on peerings with all its
+ peers (inbound direction). This prevents local traffic (from a local
+ source to a local destination) from leaking over an external peering,
+ in case someone else is announcing the prefix over the Internet.
+ This also protects the infrastructure that may directly suffer if the
+ backbone's prefix is suddenly preferred over the Internet.
+
+ In some cases, for example, multihoming scenarios, such filters
+ SHOULD NOT be applied, as this would break the desired redundancy.
+
+ To an extent, such filters can also be configured on a network for
+ the prefixes of its downstreams in order to protect them, too. Such
+ filters must be defined with caution as they can break existing
+ redundancy mechanisms. For example, when an operator has a
+ multihomed customer, it should keep accepting the customer prefix
+ from its peers and upstreams. This will make it possible for the
+ customer to keep accessing its operator network (and other customers)
+ via the Internet even if the BGP peering between the customer and the
+ operator is down.
+
+6.1.5. IXP LAN Prefixes
+
+6.1.5.1. Network Security
+
+ When a network is present on an IXP and peers with other IXP members
+ over a common subnet (IXP LAN prefix), it SHOULD NOT accept more-
+ specific prefixes for the IXP LAN prefix from any of its external BGP
+ peers. Accepting these routes may create a black hole for
+ connectivity to the IXP LAN.
+
+
+
+
+
+Durand, et al. Best Current Practice [Page 12]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+ If the IXP LAN prefix is accepted as an "exact match", care needs to
+ be taken to prevent other routers in the network from sending IXP
+ traffic towards the externally learned IXP LAN prefix (recursive
+ route lookup pointing into the wrong direction). This can be
+ achieved by preferring IGP routes over External BGP (EBGP), or by
+ using "BGP next-hop-self" on all routes learned on that IXP.
+
+ If the IXP LAN prefix is accepted at all, it SHOULD only be accepted
+ from the ASes that the IXP authorizes to announce it -- this will
+ usually be automatically achieved by filtering announcements using
+ the IRR database.
+
+6.1.5.2. PMTUD and the Loose uRPF Problem
+
+ In order to have PMTUD working in the presence of loose uRPF, it is
+ necessary that all the networks that may source traffic that could
+ flow through the IXP (i.e., IXP members and their downstreams) have a
+ route for the IXP LAN prefix. This is necessary as "packet too big"
+ ICMP messages sent by IXP members' routers may be sourced using an
+ address of the IXP LAN prefix. In the presence of loose uRPF, this
+ ICMP packet is dropped if there is no route for the IXP LAN prefix or
+ a less specific route covering IXP LAN prefix.
+
+ In that case, any IXP member SHOULD make sure it has a route for the
+ IXP LAN prefix or a less specific prefix on all its routers and that
+ it announces the IXP LAN prefix or the less specific route (up to a
+ default route) to its downstreams. The announcements done for this
+ purpose SHOULD pass IRR-generated filters described in
+ Section 6.1.2.2.1 as well as "prefixes that are too specific" filters
+ described in Section 6.1.3. The easiest way to implement this is for
+ the IXP itself to take care of the origination of its prefix and
+ advertise it to all IXP members through a BGP peering. Most likely,
+ the BGP route servers would be used for this, and the IXP would send
+ its entire prefix, which would be equal to or less specific than the
+ IXP LAN prefix.
+
+ Appendix A gives an example of guidelines regarding IXP LAN prefix.
+
+6.1.6. The Default Route
+
+6.1.6.1. IPv4
+
+ Typically, the 0.0.0.0/0 prefix is not intended to be accepted or
+ advertised except in specific customer/provider configurations;
+ general filtering outside of these is RECOMMENDED.
+
+
+
+
+
+
+Durand, et al. Best Current Practice [Page 13]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+6.1.6.2. IPv6
+
+ Typically, the ::/0 prefix is not intended to be accepted or
+ advertised except in specific customer/provider configurations;
+ general filtering outside of these is RECOMMENDED.
+
+6.2. Prefix Filtering Recommendations in Full Routing Networks
+
+ For networks that have the full Internet BGP table, some policies
+ should be applied on each BGP peer for received and advertised
+ routes. It is RECOMMENDED that each Autonomous System configures
+ rules for advertised and received routes at all its borders, as this
+ will protect the network and its peer even in case of
+ misconfiguration. The most commonly used filtering policy is
+ proposed in this section and uses prefix filters defined in
+ Section 6.1.
+
+6.2.1. Filters with Internet Peers
+
+6.2.1.1. Inbound Filtering
+
+ There are basically two options -- the loose one where no check will
+ be done against RIR allocations and the strict one where it will be
+ verified that announcements strictly conform to what is declared in
+ routing registries.
+
+6.2.1.1.1. Inbound Filtering Loose Option
+
+ In this case, the following prefixes received from a BGP peer will be
+ filtered:
+
+ o prefixes that are not globally routable (Section 6.1.1)
+
+ o prefixes not allocated by IANA (IPv6 only) (Section 6.1.2.1)
+
+ o routes that are too specific (Section 6.1.3)
+
+ o prefixes belonging to the local AS (Section 6.1.4)
+
+ o IXP LAN prefixes (Section 6.1.5)
+
+ o the default route (Section 6.1.6)
+
+6.2.1.1.2. Inbound Filtering Strict Option
+
+ In this case, filters are applied to make sure advertisements
+ strictly conform to what is declared in routing registries
+ (Section 6.1.2.2). Warning is given as registries are not always
+
+
+
+Durand, et al. Best Current Practice [Page 14]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+ accurate (prefixes missing, wrong information, etc.). This varies
+ across the registries and regions of the Internet. Before applying a
+ strict policy, the reader SHOULD check the impact on the filter and
+ make sure the solution is not worse than the problem.
+
+ Also, in case of script failure, each administrator may decide if all
+ routes are accepted or rejected depending on routing policy. While
+ accepting the routes during that time frame could break the BGP
+ routing security, rejecting them might re-route too much traffic on
+ transit peers, and could cause more harm than what a loose policy
+ would have done.
+
+ In addition to this, network administrators could apply the following
+ filters beforehand in case the routing registry that's used as the
+ source of information by the script is not fully trusted:
+
+ o prefixes that are not globally routable (Section 6.1.1)
+
+ o routes that are too specific (Section 6.1.3)
+
+ o prefixes belonging to the local AS (Section 6.1.4)
+
+ o IXP LAN prefixes (Section 6.1.5)
+
+ o the default route (Section 6.1.6)
+
+6.2.1.2. Outbound Filtering
+
+ The configuration should ensure that only appropriate prefixes are
+ sent. These can be, for example, prefixes belonging to both the
+ network in question and its downstreams. This can be achieved by
+ using BGP communities, AS paths, or both. Also, it may be desirable
+ to add the following filters before any policy to avoid unwanted
+ route announcements due to bad configuration:
+
+ o Prefixes that are not globally routable (Section 6.1.1)
+
+ o Routes that are too specific (Section 6.1.3)
+
+ o IXP LAN prefixes (Section 6.1.5)
+
+ o The default route (Section 6.1.6)
+
+ If it is possible to list the prefixes to be advertised, then just
+ configuring the list of allowed prefixes and denying the rest is
+ sufficient.
+
+
+
+
+
+Durand, et al. Best Current Practice [Page 15]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+6.2.2. Filters with Customers
+
+6.2.2.1. Inbound Filtering
+
+ The inbound policy with end customers is pretty straightforward: only
+ customer prefixes SHOULD be accepted, all others SHOULD be discarded.
+ The list of accepted prefixes can be manually specified, after having
+ verified that they are valid. This validation can be done with the
+ appropriate IP address management authorities.
+
+ The same rules apply when the customer is a network connecting other
+ customers (for example, a Tier 1 transit provider connecting service
+ providers). An exception is when the customer network applies strict
+ inbound/outbound prefix filtering, and there are too many prefixes
+ announced by that network to list them in the router configuration.
+ In that case, filters as in Section 6.2.1.1 can be applied.
+
+6.2.2.2. Outbound Filtering
+
+ The outbound policy with customers may vary according to the routes
+ the customer wants to receive. In the simplest possible scenario,
+ the customer may want to receive only the default route; this can be
+ done easily by applying a filter with the default route only.
+
+ In case the customer wants to receive the full routing (if it is
+ multihomed or if it wants to have a view of the Internet table), the
+ following filters can be applied on the BGP peering:
+
+ o prefixes that are not globally routable (Section 6.1.1)
+
+ o routes that are too specific (Section 6.1.3)
+
+ o the default route (Section 6.1.6)
+
+ In some cases, the customer may desire to receive the default route
+ in addition to the full BGP table. This can be done by the provider
+ simply by removing the filter for the default route. As the default
+ route may not be present in the routing table, network administrators
+ may decide to originate it only for peerings where it has to be
+ advertised.
+
+6.2.3. Filters with Upstream Providers
+
+6.2.3.1. Inbound Filtering
+
+ If the full routing table is desired from the upstream, the prefix
+ filtering to apply is the same as the one for peers Section 6.2.1.1
+ with the exception of the default route. Sometimes, the default
+
+
+
+Durand, et al. Best Current Practice [Page 16]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+ route (in addition to the full BGP table) can be desired from an
+ upstream provider. If the upstream provider is supposed to announce
+ only the default route, a simple filter will be applied to accept
+ only the default prefix and nothing else.
+
+6.2.3.2. Outbound Filtering
+
+ The filters to be applied would most likely not differ much from the
+ ones applied for Internet peers (Section 6.2.1.2). However,
+ different policies could be applied if a particular upstream should
+ not provide transit to all the prefixes.
+
+6.3. Prefix Filtering Recommendations for Leaf Networks
+
+6.3.1. Inbound Filtering
+
+ The leaf network will deploy the filters corresponding to the routes
+ it is requesting from its upstream. If a default route is requested,
+ a simple inbound filter can be applied to accept only the default
+ route (Section 6.1.6). If the leaf network is not capable of listing
+ the prefixes because there are too many (for example, if it requires
+ the full Internet routing table), then it should configure the
+ following filters to avoid receiving bad announcements from its
+ upstream:
+
+ o prefixes not routable (Section 6.1.1)
+
+ o routes that are too specific (Section 6.1.3)
+
+ o prefixes belonging to local AS (Section 6.1.4)
+
+ o the default route (Section 6.1.6) depending on whether or not the
+ route is requested
+
+6.3.2. Outbound Filtering
+
+ A leaf network will most likely have a very straightforward policy:
+ it will only announce its local routes. It can also configure the
+ prefix filters described in Section 6.2.1.2 to avoid announcing
+ invalid routes to its upstream provider.
+
+7. BGP Route Flap Dampening
+
+ The BGP route flap dampening mechanism makes it possible to give
+ penalties to routes each time they change in the BGP routing table.
+ Initially, this mechanism was created to protect the entire Internet
+ from multiple events that impact a single network. Studies have
+ shown that implementations of BGP route flap dampening could cause
+
+
+
+Durand, et al. Best Current Practice [Page 17]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+ more harm than benefit; therefore, in the past, the RIPE community
+ has recommended against using BGP route flap dampening [19]. Later,
+ studies were conducted to propose new route flap dampening thresholds
+ in order to make the solution "usable"; see RFC 7196 [6] and [22] (in
+ which RIPE reviewed its recommendations). This document RECOMMENDS
+ following IETF and RIPE recommendations and using BGP route flap
+ dampening with the adjusted configured thresholds.
+
+8. Maximum Prefixes on a Peering
+
+ It is RECOMMENDED to configure a limit on the number of routes to be
+ accepted from a peer. The following rules are generally RECOMMENDED:
+
+ o From peers, it is RECOMMENDED to have a limit lower than the
+ number of routes in the Internet. This will shut down the BGP
+ peering if the peer suddenly advertises the full table. Network
+ administrators can also configure different limits for each peer,
+ according to the number of routes they are supposed to advertise,
+ plus some headroom to permit growth.
+
+ o From upstreams that provide full routing, it is RECOMMENDED to
+ have a limit higher than the number of routes in the Internet. A
+ limit is still useful in order to protect the network (and in
+ particular, the routers' memory) if too many routes are sent by
+ the upstream. The limit should be chosen according to the number
+ of routes that can actually be handled by routers.
+
+ It is important to regularly review the limits that are configured as
+ the Internet can quickly change over time. Some vendors propose
+ mechanisms to have two thresholds: while the higher number specified
+ will shut down the peering, the first threshold will only trigger a
+ log and can be used to passively adjust limits based on observations
+ made on the network.
+
+9. AS Path Filtering
+
+ This section lists the RECOMMENDED practices when processing BGP AS
+ paths.
+
+ o Network administrators SHOULD accept from customers only 2-byte or
+ 4-byte AS paths containing ASNs belonging to (or authorized to
+ transit through) the customer. If network administrators cannot
+ build and generate filtering expressions to implement this, they
+ SHOULD consider accepting only path lengths relevant to the type
+ of customer they have (as in, if these customers are a leaf or
+ have customers of their own) and SHOULD try to discourage
+ excessive prepending in such paths. This loose policy could be
+
+
+
+
+Durand, et al. Best Current Practice [Page 18]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+ combined with filters for specific 2-byte or 4-byte AS paths that
+ must not be accepted if advertised by the customer, such as
+ upstream transit providers or peer ASNs.
+
+ o Network administrators SHOULD NOT accept prefixes with private AS
+ numbers in the AS path unless the prefixes are from customers. An
+ exception could occur when an upstream is offering some particular
+ service like black-hole origination based on a private AS number:
+ in that case, prefixes SHOULD be accepted. Customers should be
+ informed by their upstream in order to put in place ad hoc policy
+ to use such services.
+
+ o Network administrators SHOULD NOT accept prefixes when the first
+ AS number in the AS path is not the one of the peer's unless the
+ peering is done toward a BGP route server [17] (for example, on an
+ IXP) with transparent AS path handling. In that case, this
+ verification needs to be deactivated, as the first AS number will
+ be the one of an IXP member, whereas the peer AS number will be
+ the one of the BGP route server.
+
+ o Network administrators SHOULD NOT advertise prefixes with a
+ nonempty AS path unless they intend to provide transit for these
+ prefixes.
+
+ o Network administrators SHOULD NOT advertise prefixes with upstream
+ AS numbers in the AS path to their peering AS unless they intend
+ to provide transit for these prefixes.
+
+ o Private AS numbers are conventionally used in contexts that are
+ "private" and SHOULD NOT be used in advertisements to BGP peers
+ that are not party to such private arrangements, and they SHOULD
+ be stripped when received from BGP peers that are not party to
+ such private arrangements.
+
+ o Network administrators SHOULD NOT override BGP's default behavior,
+ i.e., they should not accept their own AS number in the AS path.
+ When considering an exception, the impact (which may be severe on
+ routing) should be studied carefully.
+
+ AS path filtering should be further analyzed when ASN renumbering is
+ done. Such an operation is common, and mechanisms exist to allow
+ smooth ASN migration [28]. The usual migration technique, local to a
+ router, consists in modifying the AS path so it is presented to a
+ peer with the previous ASN, as if no renumbering was done. This
+ makes it possible to change the ASN of a router without reconfiguring
+ all EBGP peers at the same time (as that operation would require
+ synchronization with all peers attached to that router). During this
+ renumbering operation, the rules described above may be adjusted.
+
+
+
+Durand, et al. Best Current Practice [Page 19]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+10. Next-Hop Filtering
+
+ If peering on a shared network, like an IXP, BGP can advertise
+ prefixes with a third-party next hop, thus directing packets not to
+ the peer announcing the prefix but somewhere else.
+
+ This is a desirable property for BGP route-server setups [17], where
+ the route server will relay routing information but has neither the
+ capacity nor the desire to receive the actual data packets. So, the
+ BGP route server will announce prefixes with a next-hop setting
+ pointing to the router that originally announced the prefix to the
+ route server.
+
+ In direct peerings between ISPs, this is undesirable, as one of the
+ peers could trick the other one into sending packets into a black
+ hole (unreachable next hop) or to an unsuspecting third party who
+ would then have to carry the traffic. Especially for black-holing,
+ the root cause of the problem is hard to see without inspecting BGP
+ prefixes at the receiving router of the IXP.
+
+ Therefore, an inbound route policy SHOULD be applied on IXP peerings
+ in order to set the next hop for accepted prefixes to the BGP peer IP
+ address (belonging to the IXP LAN) that sent the prefix (which is
+ what "next-hop-self" would enforce on the sending side).
+
+ This policy SHOULD NOT be used on route-server peerings or on
+ peerings where network administrators intentionally permit the other
+ side to send third-party next hops.
+
+ This policy also SHOULD be adjusted if the best practice of Remote
+ Triggered Black Holing (aka RTBH as described in RFC 6666 [13]) is
+ implemented. In that case, network administrators would apply a
+ well-known BGP next hop for routes they want to filter (if an
+ Internet threat is observed from/to this route, for example). This
+ well-known next hop will be statically routed to a null interface.
+ In combination with a unicast RPF check, this will discard traffic
+ from and toward this prefix. Peers can exchange information about
+ black holes using, for example, particular BGP communities. Network
+ administrators could propagate black-hole information to their peers
+ using an agreed-upon BGP community: when receiving a route with that
+ community, a configured policy could change the next hop in order to
+ create the black hole.
+
+
+
+
+
+
+
+
+
+Durand, et al. Best Current Practice [Page 20]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+11. BGP Community Scrubbing
+
+ Optionally, we can consider the following rules on BGP AS paths:
+
+ o Network administrators SHOULD scrub inbound communities with their
+ number in the high-order bits, and allow only those communities
+ that customers/peers can use as a signaling mechanism
+
+ o Networks administrators SHOULD NOT remove other communities
+ applied on received routes (communities not removed after
+ application of the previous statement). In particular, they
+ SHOULD keep original communities when they apply a community.
+ Customers might need them to communicate with upstream providers.
+ In particular, network administrators SHOULD NOT (generally)
+ remove the no-export community, as it is usually announced by
+ their peer for a certain purpose.
+
+12. Security Considerations
+
+ This document is entirely about BGP operational security. It depicts
+ best practices that one should adopt to secure BGP infrastructure:
+ protecting BGP router and BGP sessions, adopting consistent BGP
+ prefix and AS path filters, and configuring other options to secure
+ the BGP network.
+
+ This document does not aim to describe existing BGP implementations,
+ their potential vulnerabilities, or ways they handle errors. It does
+ not detail how protection could be enforced against attack techniques
+ using crafted packets.
+
+13. References
+
+13.1. Normative References
+
+ [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", RFC 2119, March 1997,
+ <http://www.rfc-editor.org/info/rfc2119>.
+
+ [2] Rekhter,, Y., Li,, T., and S. Hares,, "A Border Gateway
+ Protocol 4 (BGP-4)", RFC 4271, January 2006,
+ <http://www.rfc-editor.org/info/rfc4271>.
+
+ [3] Gill, V., Heasley, J., Meyer, D., Savola,, P., and C.
+ Pignataro, "The Generalized TTL Security Mechanism (GTSM)", RFC
+ 5082, October 2007, <http://www.rfc-editor.org/info/rfc5082>.
+
+
+
+
+
+
+Durand, et al. Best Current Practice [Page 21]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+ [4] Touch, J., Mankin, A., and R. Bonica, "The TCP Authentication
+ Option", RFC 5925, June 2010,
+ <http://www.rfc-editor.org/info/rfc5925>.
+
+ [5] Mohapatra, P., Scudder, J., Ward, D., Bush, R., and R.
+ Austein, "BGP Prefix Origin Validation", RFC 6811, January
+ 2013, <http://www.rfc-editor.org/info/rfc6811>.
+
+ [6] Pelsser, C., Bush, R., Patel, K., Mohapatra, P., and O.
+ Maennel, "Making Route Flap Damping Usable", RFC 7196, May
+ 2014, <http://www.rfc-editor.org/info/rfc7196>.
+
+13.2. Informative References
+
+ [7] Heffernan, A., "Protection of BGP Sessions via the TCP MD5
+ Signature Option", RFC 2385, August 1998,
+ <http://www.rfc-editor.org/info/rfc2385>.
+
+ [8] Ferguson, P. and D. Senie, "Network Ingress Filtering:
+ Defeating Denial of Service Attacks which employ IP Source
+ Address Spoofing", RFC 2827, May 2000,
+ <http://www.rfc-editor.org/info/rfc2827>.
+
+ [9] Baker, F. and P. Savola, "Ingress Filtering for Multihomed
+ Networks", RFC 3704, March 2004,
+ <http://www.rfc-editor.org/info/rfc3704>.
+
+ [10] Blunk, L., Damas, J., Parent, F., and A. Robachevsky, "Routing
+ Policy Specification Language next generation (RPSLng)", RFC
+ 4012, March 2005, <http://www.rfc-editor.org/info/rfc4012>.
+
+ [11] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the Router
+ Control Plane", RFC 6192, March 2011,
+ <http://www.rfc-editor.org/info/rfc6192>.
+
+ [12] Lepinski, M. and S. Kent, "An Infrastructure to Support Secure
+ Internet Routing", RFC 6480, February 2012,
+ <http://www.rfc-editor.org/info/rfc6480>.
+
+ [13] Hilliard, N. and D. Freedman, "A Discard Prefix for IPv6", RFC
+ 6666, August 2012, <http://www.rfc-editor.org/info/rfc6666>.
+
+ [14] Jethanandani, M., Patel, K., and L. Zheng, "Analysis of BGP,
+ LDP, PCEP, and MSDP Issues According to the Keying and
+ Authentication for Routing Protocols (KARP) Design Guide", RFC
+ 6952, May 2013, <http://www.rfc-editor.org/info/rfc6952>.
+
+
+
+
+
+Durand, et al. Best Current Practice [Page 22]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+ [15] Bush, R., "Origin Validation Operation Based on the Resource
+ Public Key Infrastructure (RPKI)", RFC 7115, January 2014,
+ <http://www.rfc-editor.org/info/rfc7115>.
+
+ [16] Kent, S. and A. Chi, "Threat Model for BGP Path Security", RFC
+ 7132, February 2014, <http://www.rfc-editor.org/info/rfc7132>.
+
+ [17] Jasinska, E., Hilliard, N., Raszuk, R., and N. Bakker,
+ "Internet Exchange Route Server", Work in Progress,
+ draft-ietf-idr-ix-bgp-route-server-06, December 2014.
+
+ [18] Karrenberg, D., "RIPE-351 - De-Bogonising New Address Blocks",
+ October 2005.
+
+ [19] Smith, P. and C. Panigl, "RIPE-378 - RIPE Routing Working Group
+ Recommendations On Route-flap Damping", May 2006.
+
+ [20] Smith, P., Evans, R., and M. Hughes, "RIPE-399 - RIPE Routing
+ Working Group Recommendations on Route Aggregation", December
+ 2006.
+
+ [21] Smith, P. and R. Evans, "RIPE-532 - RIPE Routing Working Group
+ Recommendations on IPv6 Route Aggregation", November 2011.
+
+ [22] Smith, P., Bush, R., Kuhne, M., Pelsser, C., Maennel, O.,
+ Patel, K., Mohapatra, P., and R. Evans, "RIPE-580 - RIPE
+ Routing Working Group Recommendations On Route-flap Damping",
+ January 2013.
+
+ [23] IANA, "IANA IPv4 Special-Purpose Address Registry",
+ <http://www.iana.org/assignments/iana-ipv4-special-registry>.
+
+ [24] IANA, "IANA IPv6 Special-Purpose Address Registry",
+ <http://www.iana.org/assignments/iana-ipv6-special-registry>.
+
+ [25] IANA, "IANA IPv4 Address Space Registry",
+ <http://www.iana.org/assignments/ipv4-address-space>.
+
+ [26] IANA, "Internet Protocol Version 6 Address Space",
+ <http://www.iana.org/assignments/ipv6-address-space>.
+
+ [27] Merit Network Inc., "Merit RADb", <http://www.radb.net>.
+
+ [28] George, W. and S. Amante, "Autonomous System (AS) Migration
+ Features and Their Effects on the BGP AS_PATH Attribute", Work
+ in Progress, draft-ga-idr-as-migration-03, January 2014.
+
+
+
+
+
+Durand, et al. Best Current Practice [Page 23]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+ [29] Bellovin, S., Bush, R., and D. Ward, "Security Requirements for
+ BGP Path Validation", RFC 7353, August 2014,
+ <http://www.rfc-editor.org/info/rfc7353>.
+
+ [30] "IRRToolSet project page", <http://irrtoolset.isc.org>.
+
+ [31] Cooper, D., Heilman, E., Brogle, K., Reyzin, L., and S.
+ Goldberg, "On the Risk of Misbehaving RPKI Authorities",
+ <http://www.cs.bu.edu/~goldbe/papers/hotRPKI.pdf>.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Durand, et al. Best Current Practice [Page 24]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+Appendix A. IXP LAN Prefix Filtering - Example
+
+ An IXP in the RIPE region is allocated an IPv4 /22 prefix by RIPE NCC
+ (X.Y.0.0/22 in this example) and uses a /23 of this /22 for the IXP
+ LAN (let say X.Y.0.0/23). This IXP LAN prefix is the one used by IXP
+ members to configure EBGP peerings. The IXP could also be allocated
+ an AS number (AS64496 in our example).
+
+ Any IXP member SHOULD make sure it filters prefixes more specific
+ than X.Y.0.0/23 from all its EBGP peers. If it received X.Y.0.0/24
+ or X.Y.1.0/24 this could seriously impact its routing.
+
+ The IXP SHOULD originate X.Y.0.0/22 and advertise it to its members
+ through an EBGP peering (most likely from its BGP route servers,
+ configured with AS64496).
+
+ The IXP members SHOULD accept the IXP prefix only if it passes the
+ IRR generated filters (see Section 6.1.2.2.1)
+
+ IXP members SHOULD then advertise X.Y.0.0/22 prefix to their
+ downstreams. This announce would pass IRR based filters as it is
+ originated by the IXP.
+
+Acknowledgements
+
+ The authors would like to thank the following people for their
+ comments and support: Marc Blanchet, Ron Bonica, Randy Bush, David
+ Freedman, Wesley George, Daniel Ginsburg, David Groves, Mike Hugues,
+ Joel Jaeggli, Tim Kleefass, Warren Kumari, Jacques Latour, Lionel
+ Morand, Jerome Nicolle, Hagen Paul Pfeifer, Thomas Pinaud, Carlos
+ Pignataro, Jean Rebiffe, Donald Smith, Kotikalapudi Sriram, Matjaz
+ Straus, Tony Tauber, Gunter Van de Velde, Sebastian Wiesinger, and
+ Matsuzaki Yoshinobu.
+
+ The authors would like to thank once again Gunter Van de Velde for
+ presenting the document at several IETF meetings in various working
+ groups, indeed helping dissemination of this document and gathering
+ of precious feedback.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Durand, et al. Best Current Practice [Page 25]
+
+RFC 7454 BGP OPSEC February 2015
+
+
+Authors' Addresses
+
+ Jerome Durand
+ Cisco Systems, Inc.
+ 11 rue Camille Desmoulins
+ Issy-les-Moulineaux 92782 CEDEX
+ France
+
+ EMail: jerduran@cisco.com
+
+
+ Ivan Pepelnjak
+ NIL Data Communications
+ Tivolska 48
+ Ljubljana 1000
+ Slovenia
+
+ EMail: ip@ipspace.net
+
+
+ Gert Doering
+ SpaceNet AG
+ Joseph-Dollinger-Bogen 14
+ Muenchen D-80807
+ Germany
+
+ EMail: gert@space.net
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Durand, et al. Best Current Practice [Page 26]
+