BGP Filtering Best practices for fun and security

Border Gateway Protocol (BGP) filtering is critical for securing and optimizing internet routing. Improper BGP configuration can lead to serious issues like route leaks, hijacks, or suboptimal routing. Here are the most effective best practices for BGP filtering:


1. Prefix Filtering

Objective: Ensure only authorized prefixes are advertised or accepted.

  • Outbound Filtering: Only advertise prefixes your AS owns or is authorized to originate.
    • Use prefix-lists or route-maps. In MikroTik land, use address lists in RouterOS v7.
    • Implement max-prefix limits per neighbor to prevent accidental route leaks.
  • Inbound Filtering: Accept only valid prefixes from your peers or upstream providers.
    • Validate against IRR/RPKI.
    • Reject bogons (e.g., 0.0.0.0/8, 127.0.0.0/8).
    • Limit accepted prefix lengths (e.g., /24 for IPv4, /48 for IPv6).
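As an added example (not code from the original post), the prefix-filter logic from this section in Python using the standard library's ipaddress module, so a prefix set can be checked before it is turned into a router prefix-list. The allow-lists (documentation prefixes), the peer name and the /24 and /48 limits are constructed assumptions; bogon rejection is left out of this block. The same evaluate() function serves both directions: outbound against the prefixes this AS originates, inbound against the set a peer has registered.

```python
# Added example, not from the original post: prefix filtering with the
# standard-library ipaddress module. All prefixes below are constructed
# placeholders (RFC 5737 / RFC 3849 documentation space).
import ipaddress

# Outbound allow-list: what this AS is authorized to originate (constructed).
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8::/32")]

# Inbound allow-list for one customer peer, as registered in the IRR (constructed).
CUSTOMER_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24",)]

# Longest prefix accepted per address family, matching the post's /24 and /48 limits.
MAX_LEN = {4: 24, 6: 48}


def covered(prefix, allow_list):
    """True if prefix equals, or is a more-specific of, an allow-list entry."""
    return any(prefix.version == a.version and prefix.subnet_of(a) for a in allow_list)


def evaluate(prefix_str, allow_list):
    """Decide one prefix against an allow-list; returns (accept, reason).

    Used for both directions: outbound against OUR_PREFIXES, inbound against
    the peer's registered set. strict=True rejects prefixes with host bits
    set (e.g. 198.51.100.1/24), which are malformed announcements.
    """
    try:
        p = ipaddress.ip_network(prefix_str, strict=True)
    except ValueError:
        return False, "malformed prefix"
    if p.prefixlen > MAX_LEN[p.version]:
        return False, f"longer than /{MAX_LEN[p.version]}"
    if not covered(p, allow_list):
        return False, "not in allow-list"
    return True, "ok"


def apply_filter(prefixes, allow_list):
    """Split prefix strings into (accepted, rejected); rejected pairs each prefix with its reason."""
    accepted, rejected = [], []
    for prefix in prefixes:
        ok, reason = evaluate(prefix, allow_list)
        if ok:
            accepted.append(prefix)
        else:
            rejected.append((prefix, reason))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed inbound UPDATE from the customer peer.
    received = ["198.51.100.0/24", "192.0.2.0/24", "198.51.100.0/25", "198.51.100.1/24"]
    print(apply_filter(received, CUSTOMER_PREFIXES))
```

Routers usually express the length limit inside the prefix-list entry itself (`le 24`); keeping it in a separate table here makes it easy to see which rule rejected a prefix when reviewing a peer's announcement.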

2. AS-PATH Filtering

Objective: Prevent propagation of incorrect or malicious AS paths.

  • Reject prefixes with:
    • Your own AS in the path (to avoid loops).
    • Private AS numbers (unless explicitly needed).
    • Excessively long AS paths (e.g., to avoid path poisoning).
  • Use as-path access-lists or regex matching to define rules.
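An added example, not from the original post, of the three AS-path checks listed above in Python, plus a small helper that evaluates a vendor-style AS-path regex (the `_` shorthand used in `ip as-path access-list` entries) against a path. MY_ASN and the path-length limit are constructed assumptions; the private ASN ranges are the standard 16-bit and 32-bit private ranges.

```python
# Added example, not from the original post: AS-path sanity checks for a
# received route. MY_ASN and MAX_PATH_LEN are constructed values.
import re

MY_ASN = 64496          # constructed: documentation ASN
MAX_PATH_LEN = 64       # constructed: generous ceiling, tune for your network

# Private ASN ranges (16-bit and 32-bit) that should not appear in paths from the DFZ.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_asn(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def check_as_path(as_path, my_asn=MY_ASN, allow_private=False):
    """Return the list of reasons to reject a path; an empty list means accept.

    as_path is the AS_PATH as a list of ints, leftmost = the neighbor that
    sent the route.
    """
    reasons = []
    if my_asn in as_path:
        reasons.append("own ASN in path (loop)")
    if not allow_private and any(is_private_asn(a) for a in as_path):
        reasons.append("private ASN in path")
    if len(as_path) > MAX_PATH_LEN:
        reasons.append(f"path longer than {MAX_PATH_LEN}")
    return reasons


def as_path_matches(as_path, vendor_regex):
    """Evaluate a router-style AS-path regex against a path.

    Only the '_' shorthand (start of path, end of path, or a space between
    ASNs) is translated; the rest is ordinary regex syntax. AS_SET braces are
    not modelled, since the path is given as a flat list of ints.
    """
    text = " ".join(str(a) for a in as_path)
    pattern = vendor_regex.replace("_", r"(?:^|\s|$)")
    return re.search(pattern, text) is not None


if __name__ == "__main__":
    print(check_as_path([64500, 65000, 64496]))       # loop and private ASN
    print(as_path_matches([64500, 64501], "^64500_"))  # True: route learned directly from 64500
```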

3. Max-Prefix Limits

Objective: Avoid route table overflow or misconfigurations from neighbors.

  • Set max-prefix limits on both eBGP and iBGP sessions.
  • Include warning-only thresholds and shutdown actions.
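An added example, not code from the original post, that models a per-neighbor max-prefix limit with the warning threshold and the two actions described above (warning-only versus tearing the session down). The neighbor names, limits and percentage are constructed assumptions.

```python
# Added example, not from the original post: a model of max-prefix behaviour
# with a warning threshold and a shutdown or warning-only action.
import logging

log = logging.getLogger("bgp.maxprefix")


class MaxPrefixGuard:
    """Per-neighbor prefix counter modelling a max-prefix limit.

    warn_pct: percentage of the limit at which a warning is logged.
    warning_only: if True, exceeding the limit only logs; otherwise the
    session is torn down, which is the default action on most routers.
    """

    def __init__(self, neighbor, maximum, warn_pct=80, warning_only=False):
        self.neighbor = neighbor
        self.maximum = maximum
        self.warn_at = maximum * warn_pct // 100
        self.warning_only = warning_only
        self.count = 0
        self.state = "established"
        self.warned = False

    def on_prefix(self):
        """Account for one accepted prefix; returns the session state afterwards."""
        if self.state != "established":
            return self.state          # a shut session installs nothing more
        self.count += 1
        if self.count >= self.warn_at and not self.warned:
            log.warning("%s: %d prefixes, warning threshold %d of limit %d reached",
                        self.neighbor, self.count, self.warn_at, self.maximum)
            self.warned = True
        if self.count > self.maximum:
            if self.warning_only:
                log.warning("%s: exceeded max-prefix %d (warning-only, session kept)",
                            self.neighbor, self.maximum)
            else:
                log.error("%s: exceeded max-prefix %d, shutting session",
                          self.neighbor, self.maximum)
                self.state = "shutdown"
        return self.state


def replay(neighbor, maximum, received, **kwargs):
    """Feed a constructed sequence of prefixes through a guard.

    Returns (final session state, number of prefixes installed)."""
    guard = MaxPrefixGuard(neighbor, maximum, **kwargs)
    installed = 0
    for _ in received:
        if guard.on_prefix() == "established":
            installed += 1
    return guard.state, installed


if __name__ == "__main__":
    # Constructed: a peer that normally sends ~10 prefixes leaks 12.
    print(replay("customer-a", 10, range(12)))
    print(replay("customer-a", 10, range(12), warning_only=True))
```

The warning-only variant keeps installing prefixes past the limit, which is why it belongs on sessions where a short leak is cheaper than an outage (a small customer), while the shutdown action belongs on sessions that can push a full table at you.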

4. Use RPKI Validation

Objective: Cryptographically validate route origin.

  • Deploy RPKI (Resource Public Key Infrastructure):
    • Validate Route Origin Authorizations (ROAs).
    • Reject Invalid routes.
    • Prefer Valid over NotFound.
    • Some RPKI resources: https://blog.j2sw.com/?s=rpki
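An added example, not code from the original post, of RFC 6811 route origin validation over a constructed ROA set, with the policy this section recommends applied on top: Invalid is rejected, Valid gets a higher LOCAL_PREF than NotFound. The ROAs, ASNs and the LOCAL_PREF bump are constructed assumptions; in production the ROA set comes from a validating cache over RTR rather than a hard-coded list.

```python
# Added example, not from the original post: RFC 6811 route origin validation
# over a constructed ROA set, plus the post's policy (reject Invalid, prefer
# Valid over NotFound). ASNs and prefixes are documentation values.
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int     # longest more-specific the ROA authorizes
    asn: int            # authorized origin AS (0 means nobody may originate)


def make_roa(prefix, asn, max_length=None):
    net = ipaddress.ip_network(prefix)
    return ROA(net, net.prefixlen if max_length is None else max_length, asn)


# Constructed ROA set, as a validating cache would hand it to the router.
ROAS = [
    make_roa("203.0.113.0/24", 64496),
    make_roa("198.51.100.0/24", 64497, max_length=25),
    make_roa("2001:db8::/32", 64496, max_length=48),
]


def validate(prefix_str, origin_asn, roas=ROAS):
    """Classify one (prefix, origin AS) as Valid, Invalid or NotFound."""
    p = ipaddress.ip_network(prefix_str)
    covering = [r for r in roas if r.prefix.version == p.version and p.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"            # no ROA speaks to this prefix at all
    for r in covering:
        if r.asn == origin_asn and p.prefixlen <= r.max_length:
            return "Valid"           # one matching ROA is enough
    return "Invalid"                 # covered, but wrong origin or too specific


def apply_policy(prefix_str, origin_asn, local_pref=100, roas=ROAS):
    """Return (state, LOCAL_PREF to set), or (state, None) when the route is dropped."""
    state = validate(prefix_str, origin_asn, roas)
    if state == "Invalid":
        return state, None
    if state == "Valid":
        return state, local_pref + 20   # prefer Valid over NotFound
    return state, local_pref


if __name__ == "__main__":
    for prefix, asn in [("203.0.113.0/24", 64496), ("203.0.113.0/25", 64496),
                        ("203.0.113.0/24", 64500), ("192.0.2.0/24", 64496)]:
        print(prefix, asn, apply_policy(prefix, asn))
```

Note that an AS 0 ROA makes every covered announcement Invalid without any special casing: no real origin equals 0, so no candidate ROA ever matches.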

5. Implement BGP Session Security

Objective: Prevent unauthorized BGP session establishment or manipulation.

  • Use TCP MD5 authentication or TTL security (GTSM).
  • Filter inbound TCP connections to port 179.

Not everyone is a fan of MD5 on BGP sessions. I have found several of the CDNs and content companies do not do MD5.


6. Route Flap Damping

Objective: Stabilize the routing table by penalizing flapping prefixes.

  • Be conservative with damping to avoid blackholing valid prefixes; damping that is too aggressive causes more support tickets.
  • Use vendor-recommended or community-tuned settings.
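An added example, not code from the original post, of the RFC 2439 damping model (a per-flap penalty that decays exponentially, a suppress limit and a reuse limit) so the effect of the settings can be seen on a constructed flap history. The default numbers are the usual vendor defaults (half-life 15 min, reuse 750, suppress 2000, max-suppress 60 min, 1000 per flap); the higher suppress limit in the demo is a constructed value in the spirit of the community-tuned recommendations the section points to.

```python
# Added example, not from the original post: RFC 2439 route flap damping
# arithmetic. Defaults are the common vendor defaults; flap times are constructed.


class DampedPrefix:
    """Damping state for one prefix from one peer."""

    def __init__(self, half_life_s=900, reuse=750, suppress=2000,
                 max_suppress_s=3600, flap_penalty=1000):
        self.half_life = half_life_s
        self.reuse = reuse
        self.suppress = suppress
        self.flap_penalty = flap_penalty
        # Ceiling that bounds suppression to max_suppress_s once flapping stops:
        # reuse * 2^(max_suppress / half_life) = 12000 with the defaults above.
        self.ceiling = reuse * 2 ** (max_suppress_s / half_life_s)
        self.penalty = 0.0
        self.last = 0.0          # time of the last penalty update (seconds)
        self.suppressed = False

    def _decay(self, now):
        """Halve the penalty once per half-life elapsed since the last update."""
        self.penalty *= 0.5 ** ((now - self.last) / self.half_life)
        self.last = now

    def flap(self, now):
        """Record one flap (withdraw + re-announce) at time now; returns True if suppressed."""
        self._decay(now)
        self.penalty = min(self.penalty + self.flap_penalty, self.ceiling)
        if self.penalty > self.suppress:
            self.suppressed = True
        return self.suppressed

    def usable(self, now):
        """True if the prefix may be installed and advertised at time now."""
        self._decay(now)
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False
        return not self.suppressed


def simulate(flap_times, check_time, **params):
    """Apply a constructed flap history; returns (suppressed after last flap, usable at check_time)."""
    d = DampedPrefix(**params)
    state = False
    for t in flap_times:
        state = d.flap(t)
    return state, d.usable(check_time)


if __name__ == "__main__":
    flaps = [0, 60, 120]                         # constructed: three flaps in two minutes
    print("vendor defaults:", simulate(flaps, 120), simulate(flaps, 1920))
    print("conservative  :", simulate(flaps, 120, suppress=6000))
```

With the defaults, three flaps in two minutes suppress the prefix for about half an hour; with a suppress limit of 6000 the same prefix stays reachable, which is the trade-off the section describes between stability and blackholing a customer whose link bounced.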

7. Monitoring and Logging

Objective: Maintain situational awareness and facilitate troubleshooting.

  • Use tools like:
    • BGP monitoring tools (e.g., BGPMon, RIPE RIS, RouteViews).
    • Flow analysis tools to verify traffic patterns.
    • Syslog, SNMP, or NetFlow for event tracking.

8. Filter Bogon Prefixes

Objective: Block illegitimate IP address space.

  • Use up-to-date bogon lists (e.g., from Team Cymru).
  • Apply to both egress and ingress filters.

9. Filter Martian and Reserved IPs

Objective: Prevent misuse of special-use IP ranges.

  • Examples:
    • 0.0.0.0/8
    • 127.0.0.0/8
    • 169.254.0.0/16
    • 224.0.0.0/4 (Multicast)
    • ::/128 (IPv6 unspecified)
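As an added example covering both the bogon section and the martian list above (not code from the original post), here is a static special-use filter in Python that can be applied unchanged on ingress and egress. The list is the well-known special-use space; unallocated-space bogons change as registries assign space and should come from a maintained feed such as Team Cymru's rather than a static table. The clean sample prefixes in the demo are constructed.

```python
# Added example, not from the original post: a static martian/bogon filter
# for both directions. Unallocated "fullbogons" are deliberately not listed;
# those belong in a feed that is refreshed automatically.
import ipaddress

MARTIANS = [ipaddress.ip_network(p) for p in (
    # IPv4
    "0.0.0.0/8",          # "this" network
    "10.0.0.0/8",         # private (RFC 1918)
    "100.64.0.0/10",      # shared address space (CGNAT)
    "127.0.0.0/8",        # loopback
    "169.254.0.0/16",     # link-local
    "172.16.0.0/12",      # private (RFC 1918)
    "192.0.0.0/24",       # IETF protocol assignments
    "192.0.2.0/24",       # TEST-NET-1
    "192.168.0.0/16",     # private (RFC 1918)
    "198.18.0.0/15",      # benchmarking
    "198.51.100.0/24",    # TEST-NET-2
    "203.0.113.0/24",     # TEST-NET-3
    "224.0.0.0/4",        # multicast
    "240.0.0.0/4",        # reserved, including broadcast
    # IPv6
    "::/128",             # unspecified
    "::1/128",            # loopback
    "::ffff:0:0/96",      # IPv4-mapped
    "100::/64",           # discard-only
    "2001:db8::/32",      # documentation
    "fc00::/7",           # unique local
    "fe80::/10",          # link-local
    "ff00::/8",           # multicast
)]


def martian_match(prefix_str):
    """Return the martian entry a prefix overlaps, or None if it is clean.

    Overlap (rather than subnet_of) is deliberate: a less-specific that
    covers reserved space, such as 0.0.0.0/0 or 224.0.0.0/3, is just as
    bogus as a more-specific inside it.
    """
    p = ipaddress.ip_network(prefix_str, strict=False)
    for m in MARTIANS:
        if m.version == p.version and p.overlaps(m):
            return str(m)
    return None


def filter_martians(prefixes):
    """Split prefixes into (clean, rejected); rejected pairs each prefix with the entry it hit.

    Run the same function on routes received and on routes about to be sent."""
    clean, rejected = [], []
    for prefix in prefixes:
        hit = martian_match(prefix)
        if hit is None:
            clean.append(prefix)
        else:
            rejected.append((prefix, hit))
    return clean, rejected


if __name__ == "__main__":
    # Constructed UPDATE: two ordinary prefixes mixed with martians.
    print(filter_martians(["192.0.3.0/24", "10.1.0.0/16", "0.0.0.0/0",
                           "2001:db9::/32", "ff02::/16"]))
```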

10. Maintain Clean BGP Communities

Objective: Enable policy control and route tagging.

  • Define and document community policies clearly.
  • Strip or rewrite communities as needed before advertising to peers.

Summary:

  Practice                       Purpose
  -----------------------------  -----------------------------------------
  Prefix Filtering               Avoid leaking or accepting invalid routes
  AS-PATH Filtering              Prevent loops, hijacks, and poisoning
  Max-Prefix Limits              Protect router resources
  RPKI                           Ensure route origin authenticity
  Session Security (MD5, GTSM)   Prevent session hijacking
  Route Flap Damping             Improve stability
  Monitoring & Logging           Improve visibility and auditing
  Bogon/Martian Filtering        Drop invalid or reserved IPs
  Community Management           Policy control and route tagging
