Patent Application
20230396624
The present disclosure is related to network communications, and specifically to various systems and methods for extending BGP flow specification (FlowSpec) origination authorization using path attributes.
Modem Internet Protocol (IP) routers have the capability to forward traffic and to classify, shape, rate limit, filter, or redirect packets based on administratively defined policies.
A first aspect relates to a method performed by a first node/network node of a first/receiving autonomous system (AS) for verifying that a second/sending AS is authorized to issue a BGP FlowSpec. The method includes the first node receiving from a third node of a third AS, a first BGP update message that includes a FlowSpec AS authorization list indicating autonomous systems (ASes) that are authorized to issue a FlowSpec for the prefix of the third AS. The first node receives a second BGP update message from the second node of the second AS. The second BGP update message includes a FlowSpec associated with the prefix of the third AS. The first node determines that the second AS is authorized to issue the FlowSpec when the FlowSpec AS authorization list includes the second AS. The first node determines whether the second AS is a closest neighboring AS to the first AS along a best-match unicast route for a destination prefix. The first node accepts the FlowSpec when the second AS is the closest neighboring AS to the first AS along the best-match unicast route for the destination prefix and the second AS is authorized to issue the FlowSpec. The first node performs a flow traffic action associated with the FlowSpec when the first node receives traffic that matches a set of traffic parameters specified by the FlowSpec.
In a first implementation form of the method according to the first aspect, the first node rejects the FlowSpec when the FlowSpec AS authorization list does not include the second AS.
In a second implementation form of the first aspect as such or any preceding implementation form of the first aspect, the network node rejects the FlowSpec when the second AS is not the closest neighboring AS to the first AS along the best-match unicast route for the destination prefix.
In a third implementation form of the first aspect as such or any preceding implementation form of the first aspect, the FlowSpec AS authorization list is specified in a BGP FlowSpec trust list path attribute included in a path attributes portion of the first BGP update message.
In a fourth implementation form of the first aspect as such or any preceding implementation form of the first aspect, the BGP FlowSpec trust list path attribute is an optional transitive BGP path attribute.
In a fifth implementation form of the first aspect as such or any preceding implementation form of the first aspect, the BGP FlowSpec trust list path attribute is encoded using a Flowspec Trust List Type-Length-Value (TLV) encoding format, and wherein a value field of the Flowspec Trust List TLV specifies a list of autonomous systems (ASes) that are authorized to issue the FlowSpec.
In a sixth implementation form of the first aspect as such or any preceding implementation form of the first aspect, wherein determining that the second AS is the closest neighboring AS to the first AS along the best-match unicast route for the destination prefix includes using a secured AS path list that is part of a routing table of the network node.
In a seventh implementation form of the first aspect as such or any preceding implementation form of the first aspect, the method includes obtaining the secured AS path list using BGP security (BGPsec).
A second aspect relates to a network node of a first AS for verifying that a second AS is authorized to issue a BGP FlowSpec. The network node includes a memory storing instructions; a processor coupled to the memory, the processor configured to execute the instructions to cause the network node to receive a first BGP update message from a third AS. The first BGP update message includes a FlowSpec AS authorization list indicating ASes that are authorized to issue a FlowSpec for the prefix of the third AS. The processor further executes the instructions to cause the network node to receive a second BGP update message from the second AS. The second BGP update message includes a FlowSpec associated with the prefix of the third AS. The processor executes the instructions to determine that the second AS is authorized to issue the FlowSpec when the FlowSpec AS authorization list includes the second AS. The processor executes the instructions to determine whether the second AS is a closest neighboring AS to the first AS along a best-match unicast route for a destination prefix. The processor executes the instructions to accept the FlowSpec when the second AS is the closest neighboring AS to the first AS along the best-match unicast route for the destination prefix and the second AS is authorized to issue the FlowSpec. The processor executes the instructions to perform a flow traffic action associated with the FlowSpec when the network node receives traffic that matches a set of traffic parameters specified by the FlowSpec.
In a first implementation form of the network node according to the second aspect, the processor executes the instructions to reject the FlowSpec when the FlowSpec AS authorization list does not include the second AS.
In a second implementation form of the second aspect as such or any preceding implementation form of the second aspect, the processor executes the instructions to reject the FlowSpec when the second AS is not the closest neighboring AS to the first AS along the best-match unicast route for the destination prefix.
In a third implementation form of the second aspect as such or any preceding implementation form of the second aspect, the FlowSpec AS authorization list is specified in a BGP FlowSpec trust list path attribute included in a path attributes portion of the first BGP update message.
In a fourth implementation form of the second aspect as such or any preceding implementation form of the second aspect, the BGP FlowSpec trust list path attribute is an optional transitive BGP path attribute.
In a fifth implementation form of the second aspect as such or any preceding implementation form of the second aspect, the BGP FlowSpec trust list path attribute is encoded using a Flowspec Trust List TLV encoding format, and wherein a value field of the Flowspec Trust List TLV specifies a list of ASes that are authorized to issue the FlowSpec.
In a sixth implementation form of the second aspect as such or any preceding implementation form of the second aspect, the processor executes the instructions to determine that the second AS is the closest neighboring AS to the first AS along the best-match unicast route for the destination prefix using a secured AS path list that is part of a routing table of the network node.
In a seventh implementation form of the second aspect as such or any preceding implementation form of the second aspect, the processor executes the instructions to obtain the secured AS path list using BGPsec.
A third aspect relates to a method performed by a network node of a first AS for verifying that a second AS is authorized to issue a BGP FlowSpec. The network node receives a first BGP update message from a third AS. The first BGP update message includes a FlowSpec AS authorization list indicating ASes that are authorized to issue a FlowSpec for the prefix of the third AS. The network node receives a second BGP update message from second node of the second AS. The second BGP update message includes a FlowSpec associated with the prefix of the third AS. The network node determines whether the FlowSpec AS authorization list includes the second AS. The network node rejects the FlowSpec when the FlowSpec AS authorization list does not include the second AS.
In a first implementation form according to the third aspect, the FlowSpec AS authorization list is specified in a BGP FlowSpec trust list path attribute included in a path attributes portion of the first BGP update message.
For the purpose of clarity, any one of the foregoing implementation forms may be combined with any one or more of the other foregoing implementations to create a new embodiment within the scope of the present disclosure. These embodiments and other features will be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings and claims.
For a more complete understanding of this disclosure, reference is now made to the following brief description, taken in connection with the accompanying drawings and detailed description, wherein like reference numerals represent like parts.
It should be understood at the outset that although an illustrative implementation of one or more embodiments are provided below, the disclosed systems and/or methods may be implemented using any number of techniques, whether currently known or in existence. The disclosure should in no way be limited to the illustrative implementations, drawings, and techniques illustrated below, including the exemplary designs and implementations illustrated and described herein, but may be modified within the scope of the appended claims along with their full scope of equivalents.
BGP is a standardized exterior gateway protocol designed to exchange routing and reachability information between ASes on the Internet (i.e., an inter-AS routing protocol). The primary function of a BGP speaking system is to exchange Network Layer Reachability Information (NLRI) with other BGP systems. NLRI includes information on the list of ASes that reachability information traverses. BGP FlowSpec is a BGP extension that includes a new NLRI. The new NLRI collects 12 types of Layer 3 and Layer 4 details that are used to define a Flowspec. The Flowspec can be distributed to border or edge routers of a network to filter traffic that matches the criteria specified in the Flowspec (e.g., to prevent or stop a distributed denial-of-service (DDoS) attack). As will described herein, while BGP Flowspec can be used to prevent malicious attacks, BGP Flowspec can also be used to maliciously filter authorized/normal traffic when originated by an unauthorized AS.
The disclosed embodiments provide several technical improvements over existing techniques including extending BGP to include a BGP FlowSpec trust list path attribute that carries a FlowSpec AS authorization list indicating ASes that are authorized to send a Flowspec for a particular prefix. The disclosed embodiments reduce or eliminate the probability of BGP Flowspec being accepted when originated by an unauthorized AS. Thus, the disclosed embodiments increase network security by reducing malicious activities from occurring on the network.
In
Currently, in the absence of explicit configuration, an AS that receives the BGP update message containing a Flowspec NLRI must validate the Flowspec NLRI. The Flowspec NLRI is considered feasible when and only when all of the three following conditions are true: (1) a destination prefix component is embedded in the Flowspec; (2) the originator of the Flowspec matches the originator of the best-match unicast route for the destination prefix embedded in the Flowspec (i.e., the unicast route with the longest possible prefix length covering the destination prefix embedded in the Flowspec), and (3) there are no “more-specific” unicast routes, when compared with the flow destination prefix, that have been received from a different neighboring AS than the best-match unicast route. The underlying concept is that the neighboring AS that advertises the best unicast route for a destination is allowed to advertise Flowspec information that conveys a destination prefix that is more or equally specific. Thus, if there are no “more-specific” unicast routes received from a different neighboring AS, which would be affected by that Flowspec, the Flowspec is validated successfully.
Additionally, the BGP Flowspec implementation must also enforce that the AS in the left-most position of the AS_PATH attribute of a Flowspec route received via the External Border Gateway Protocol (eBGP) matches the AS in the left-most position of the AS_PATH attribute of the best-match unicast route for the destination prefix embedded in the Flowspec NLRI. The AS in the left-most position of the AS_PATH attribute means the AS that was last added to the AS_SEQUENCE. The AS_SEQUENCE is a component of the AS_PATH attribute. The AS_SEQUENCE is an ordered set of ASes indicating a route that the BGP update message has traversed. The above requirement enables the exchange of BGP Flowspec NLRIs at Internet exchanges with BGP route servers while at the same time, for security reasons, prevents an eBGP peer from advertising an inter-domain Flow Specification for a destination prefix that it does not provide reachability information for. Comparing only the last AS added is sufficient for eBGP learned Flowspec NLRIs. Requiring a full AS_PATH match would limit origination of inter-domain Flowspec to the origin AS of the best-match unicast route for the destination prefix embedded in the Flow Specification only. As such, a full AS_PATH validity check may prevent transit ASes from originating inter-domain Flowspecs, which is not desirable.
However, as shown in
To reduce or eliminate the probability of a node in an unauthorized AS originates a BGP Flowspec, the disclosed embodiments provide various systems and methods for extending BGP Flowspec origination authorization using path attributes. Path attributes are characteristics, features, or qualities of a path that are included in a BGP update message. The path attributes can be used to determine a best routing path.
The BGP update message 300 includes an unfeasible routes section that includes a 2-byte withdrawn routes length field 310 and a variable-size withdrawn routes field 320. The BGP update message 300 also include a path attributes section that includes a 2-byte total path attribute length field 330 and a variable-size path attributes field 340. The BGP update message 300 also includes a variable-size network layer reachability information (NLRI) field 350.
The withdrawn routes length field 310 indicates the total length of the withdrawn routes field 320 in bytes. Withdrawn routes are routes that are down or no longer reachable. When there are no withdrawn routes, the withdrawn routes length field 310 is set to zero. The withdrawn routes field 320 contains all the prefixes that should be removed from the BGP routing table.
The total path attribute length field 330 indicates the total length of the path attributes field 340. AS path attributes are used to provide route metrics. Path attributes allow BGP to determine the best path. The path attributes are stored in Type, Length, Value (TLV)-format. Each of the path attributes can also have an attribute flag that informs the BGP router about how to treat the attribute.
The path attributes field 340 indicates the BGP attributes for the prefixes. All BGP path attributes fall into one of four main categories: well-known mandatory path attributes, well-known discretionary path attributes, optional transitive path attributes, and optional non-transitive path attributes. Well-known means that all routers must recognize this path attribute. Optional means that the BGP implementation on the device does not have to recognize that path attribute at all. Mandatory means that the update must contain that attribute. If the attribute does not exist, a notification error message will result, and the peering will be torn down. Discretionary, of course, would mean the attribute does not have to be in the update. Transitive means the BGP routers need to pass that path attribute on toward its next neighbor. Non-transitive means the BGP routers can just ignore that attribute value.
Thus, well-known mandatory path attributes must be recognized by all BGP routers and must be included in every BGP update message. Examples of well-known mandatory path attributes include ORIGIN, AS_PATH, and NEXT_HOP path attributes. Routing information errors occur without these attributes. Well-known discretionary path attributes can be recognized by all BGP routers and can be included in every update message as needed. Examples of well-known discretionary path attributes include LOCAL_PREF and ATOMIC_AGGREGATE path attributes. Optional transitive path attributes are transitive attribute between ASs. A BGP router not supporting this attribute can still receive routes with this attribute and advertise them to other peers. An example of an optional transitive path attributes is the COMMUNITY path attribute. For optional non-transitive path attributes, when a BGP router does not support this attribute, the BGP router will not advertise routes with this attribute. Examples of optional non-transitive path attributes include MULTI_EXIT_DISC (MED), ORIGINATOR_ID, and CLUSTER_LIST path attributes.
The Flowspec Trust List TLV 500 includes a Type field 510, a Length field 520, and a Value field 530. The Type field 510 has a size of a single octet or eight bits. The Type field 510 specifies an attribute type code to indicate that the TLV is a Flowspec Trust List TLV 500. The Internet Assigned Numbers Authority (IANA) will assign the attribute type code (e.g., type 1) for the Type field 510. The Length field 520 has a size of two octets or 16 bits. The Length field 520 indicates the size of the Value field 530 (typically in bytes). The Value field 530 contains zero or more octets specifying the list of allowed ASes, as depicted in
In an embodiment, the Flowspec Trust List TLV 500 is not encrypted (i.e., basic form). Alternatively, in some embodiments the Flowspec Trust List TLV 500 is encrypted with the Resource Public Key Infrastructure (RPKI) private key of the owner AS (i.e., the AS generating the Flowspec Trust List TLV 500).
At step 604, the network node receives a second a BGP update message from second AS or sending AS. The second BGP update message include a Flowspec associated with the prefix of the owner AS. The network node, at step 606, determines whether the Flowspec AS authorization List includes the sending AS. If the Flowspec AS authorization List does not include the sending AS, the network node, at step 620, rejects the BGP Flowspec in the BGP update message (i.e., does not filter traffic according to the received Flowspec).
At step 608, the network node determines whether the second/sending AS is the left-most or closest neighboring AS to the first AS along the best-match unicast route for the destination prefix. In an embodiment, the network node determines whether the sending AS is both in the left-most position of the AS_PATH attribute of a Flowspec route received via the eBGP and in the left-most position of the AS_PATH attribute of the best-match unicast route for the destination prefix embedded in the Flowspec NLRI. As stated above, the AS in the left-most position of the AS_PATH attribute is the AS that was last added to the AS_PATH attribute, which indicates the AS that last transmitted the BGP update message. In an embodiment, the first AS determines whether the second/sending AS is the closest neighboring AS to the first AS along the best-match unicast route for the destination prefix using a secured AS path list that is part of a routing table of the first AS. In an embodiment, each BGP router or node on the secured AS path list is encrypted to ensure the validity of the secured AS path list. For example, in an embodiment, the first node obtains the secured AS path list using BGP Security (BGPsec). BGPsec is an extension to BGP that provides to receivers of valid BGPsec update messages cryptographic verification of the routes they advertise. BGPsec can be used to verify that the second/sending AS is in the path to the prefix received. BGPsec replaces the BGP AS_PATH attribute with a new BGPsec_Path attribute. In an embodiment, the BGPsec_Path attribute is an optional non-transitive BGP path attribute. For example, any AS that supports BGPsec has a private key associated with a RPKI router certificate. An originating AS can generate a signature using the RPKI private key of the originating AS. The signature of the originating AS is then included in the BGPsec_Path attribute of a BGPsec update message advertised by the originating AS. Any BGP router along the path that forwards the BGPsec update message adds its signature using its private key to the BGPsec_Path attribute of the BGPsec update message. An AS that receives the BGPsec update message uses the public keys of the BGP routers to verify the signatures. The digital signatures provide confidence that every AS on the path of ASes listed in the BGPsec update message has explicitly authorized the advertisement of the route. Thus, BGPsec can provide full path validation and protect against the man in the middle attack. In an embodiment, to verify that a receiving BGP router has this security capability, BGP capability can be negotiated between BGP routers prior to sending a FlowSpec AS authorization list. When the second AS is not the closest neighboring AS to the first AS along the best-match unicast route for the destination prefix, the network node, at step 620, rejects the BGP Flowspec in the BGP update message. When the second AS is both the closest neighboring AS to the first AS along the best-match unicast route for the destination prefix and is in the Flowspec AS authorization List, the network node, at step 610, accepts the BGP Flowspec in the BGP update message.
At step 612, the network node receives network traffic. The network node determines, at step 614, whether the network traffic matches the criteria of the Flowspec specified in the BGP update message. At step 616, when the network traffic matches the criteria of the Flowspec, the network node performs the action associated with the Flowspec on network traffic (e.g., drops the packet). In an embodiment, the action associated with the Flowspec is specified in the BGP update message using a BGP Extended Community encoding format. Community information is included as a path attribute in BGP update message.
When the network traffic does not match the criteria of the Flowspec, the network node, at step 618, processes the network traffic as normal (e.g., forwarding the packets to the destination node).
The system 700 includes a memory 760 or data storing means for storing the instructions and various data. The memory 760 can be any type of or combination of memory components capable of storing data and/or instructions. For example, the memory 760 can include volatile and/or non-volatile memory such as read-only memory (ROM), random access memory (RAM), ternary content-addressable memory (TCAM), and/or static random-access memory (SRAM). The memory 760 can also include one or more disks, tape drives, and solid-state drives. In some embodiments, the memory 760 can be used as an over-flow data storage device or buffer to store programs when such programs are selected for execution, and to store instructions and data that are read during program execution.
The system 700 has one or more processors 730 or other processing means to process instructions. In some embodiments, the processor 730 may be a central processing unit (CPU) chip having one or more processing cores, a field-programmable gate array (FPGA), an application specific integrated circuit (ASIC), and/or a digital signal processor (DSP). The processor 730 is communicatively coupled via a system bus with the ingress ports 710, RX 720, TX 740, egress ports 750, and memory 760. The processor 730 can be configured to execute instructions stored in the memory 760. Thus, the processor 730 provides a means for performing any computational, comparison, determination, initiation, or configuration steps, or any other action, corresponding to the claims or disclosure when the appropriate instruction is executed by the processor. In some embodiments, the memory 760 can be memory that is integrated with the processor 730.
In one embodiment, the memory 760 stores an AS Flowspec authorization module 770. The AS Flowspec authorization module 770 includes data and executable instructions for implementing the disclosed embodiments. For instance, the AS Flowspec authorization module 770 can include instructions for implementing the method described in
In some embodiments, the system 700 may include additional modules for performing any one of or combination of steps described in the embodiments. A module may include a particular set of functions, software instructions, or circuitry that is configured to perform a specific task. Further, any of the additional or alternative embodiments or aspects of the method, as shown in any of the figures or recited in any of the claims, are also contemplated to include similar modules.
Certain embodiments may be implemented as a system, an apparatus, a method, and/or a computer program product. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present disclosure. The computer readable storage medium may be a tangible device that can retain and store instructions for use by an instruction execution device.
While several embodiments have been provided in the present disclosure, the disclosed systems and methods might be embodied in many other specific forms without departing from the spirit or scope of the present disclosure. The present examples are to be considered as illustrative and not restrictive, and the intention is not to be limited to the details given herein. For example, the various elements or components may be combined or integrated in another system or certain features may be omitted, or not implemented.
In addition, techniques, systems, subsystems, and methods described and illustrated in the various embodiments as discrete or separate may be combined or integrated with other systems, modules, techniques, or methods without departing from the scope of the present disclosure. Other items shown or discussed as coupled or directly coupled or communicating with each other may be indirectly coupled or communicating through some interface, device, or intermediate component whether electrically, mechanically, or otherwise. Other examples of changes, substitutions, and alterations are ascertainable by one skilled in the art and could be made without departing from the spirit and scope disclosed herein.
This application is a continuation of International Patent Application No. PCT/US2021/038878 filed on Jun. 24, 2021, by Futurewei Technologies, Inc., and titled “Extending Border Gateway Protocol (BGP) Flowspec Origination Authorization Using Path Attributes,” which is hereby incorporated by reference in its entirety.
| Number | Date | Country | |
|---|---|---|---|
| Parent | PCT/US2021/038878 | Jun 2021 | US |
| Child | 18454448 | US |
