Do you filter all the networks that are being announced by your routing protocols? The consequences of not doing so are well known, yet one of them often goes unnoticed: the potential impact that unfiltered peering IP prefixes can have on your other peerings.
In a network lacking proper network security measures, any router within the network, whether due to malicious intent or human error, can disrupt an entire network.
Imagine the following scenario where we have three routers peering with each other using eBGP:
Three routers are peering with each other:
One unsecured router announces a more specific route of a peering subnet:
Now imagine that the RED router announces a more specific route belonging to another peering.
When a router receives a more specific network route, it will prefer it over less specific routes, including connected routes. This preference may cause the router to bring down its existing peering sessions. Subsequently, it will attempt to establish an eBGP peering with the new /32 network that has been received. Even if the establishment of this peering fails (because of the default TTL), the real peer will go down and stay down.
How can this case be secured?
To prevent such cases, it is essential to implement network filtering in BGP peering to protect the infrastructure IP subnet from potential compromise.
Now, imagine a large network with multiple routers peering with each other, but lacking prefix filtering. With just one router, the entire network (at least the “VRF” or Global routing table impacted by this attack/error) may face total disruption as a consequence.
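The filtering described above, as an added example that is not from the original article: a small Python model of longest-prefix match showing how a received /32 displaces the connected route to a peer, and how an inbound filter on the infrastructure range prevents it. The addresses (documentation ranges), the function names and the single dedicated infrastructure block are assumptions made for the illustration.

```python
import ipaddress

# Constructed addressing (assumption): every peering link is numbered from
# one dedicated block, so a single rule protects all of them.
INFRA_RANGES = [ipaddress.ip_network("192.0.2.0/24")]
CONNECTED = ["192.0.2.0/30", "192.0.2.4/30"]   # link to real peer, link to RED
REAL_PEER = "192.0.2.2"
RED = "192.0.2.6"
# Constructed eBGP updates from RED: one legitimate prefix, one /32 that
# covers the address of the real peer on the other link.
RECEIVED = [("198.51.100.0/24", RED), ("192.0.2.2/32", RED)]


def accept_prefix(prefix, infra_ranges=INFRA_RANGES):
    """Inbound filter: drop anything equal to or more specific than
    an infrastructure range; everything else passes."""
    net = ipaddress.ip_network(prefix)
    return not any(net.version == r.version and net.subnet_of(r)
                   for r in infra_ranges)


def build_rib(filtered):
    """Connected routes plus the received routes that survive the filter."""
    rib = [(ipaddress.ip_network(p), "connected") for p in CONNECTED]
    for prefix, neighbor in RECEIVED:
        if filtered and not accept_prefix(prefix):
            continue
        rib.append((ipaddress.ip_network(prefix), f"bgp via {neighbor}"))
    return rib


def best_route(rib, dest):
    """Longest-prefix match: the most specific covering route wins,
    whatever its source."""
    addr = ipaddress.ip_address(dest)
    matches = [(net, src) for net, src in rib if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen, default=(None, None))


def route_to_peer(filtered):
    """Source of the route used to reach the real peer's address."""
    return best_route(build_rib(filtered), REAL_PEER)[1]


if __name__ == "__main__":
    print("unfiltered:", route_to_peer(False))
    print("filtered:  ", route_to_peer(True))
```

Without the filter, the route toward the real peer's address points at RED; with it, the connected route is still the best match and the legitimate prefix from RED is still accepted.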
In conclusion:
- As network engineers, it is our duty to consider routing security to prevent such incidents. Ensure that you filter the prefixes you receive and protect all your IP infrastructure addresses. Ideally, you should have a specific range that will be simple to filter.
- In iBGP, the same principle applies: loopback IP addresses used for peering, generally learned through an IGP, may also be received in eBGP, and the eBGP route can be preferred. This preference is due to the fact that eBGP routes have an Administrative Distance (AD) of 20 by default, which is lower than the AD of OSPF/IS-IS.
- Beyond the scope of peering and interconnection, network filtering is crucial. Accepting all networks without filtering can lead to various impacts and potential attacks such as route hijacking, IP address spoofing, distributed denial-of-service (DDoS) attacks, unauthorized access to sensitive network resources, etc.
While these cases may not have occurred frequently, remember that just one occurrence can have a catastrophic outcome, depending on the sensitivity and criticality of the network. Security in Depth is also vital here. Even if one or more routers are not secure, implementing IP address filtering for the infrastructure can help contain the consequences and prevent global disruption. It’s essential to have a well-designed IP address subnetting scheme in place to mitigate potential risks.