BGP Route Security, BGP Route Leak
In the lab setup above, Google has a prefix 192.168.2.0/24. MainOne has a peering relationship with both Google and China Telecom. China has BGP peering with Russia, which has another peering relationship with RANDOM. Google also peers with RANDOM. MainOne is configured to only advertise routes that originate within its own AS, i.e. 192.168.1.0/24.
The configuration on the devices is as shown below:
hostname MAINONE
!
interface FastEthernet0/0
 ip address 10.1.12.1 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 ip address 10.1.13.1 255.255.255.0
 no shutdown
!
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
router bgp 1
 network 192.168.1.0
 neighbor 10.1.12.2 remote-as 2
 neighbor 10.1.12.2 filter-list 1 out
 neighbor 10.1.13.3 remote-as 3
 neighbor 10.1.13.3 filter-list 1 out
 no auto-summary
!
ip as-path access-list 1 permit ^$
!

hostname GOOGLE
!
interface Loopback0
 ip address 192.168.2.2 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.1.12.2 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 ip address 10.1.25.2 255.255.255.0
 no shutdown
!
router bgp 2
 network 192.168.2.0
 neighbor 10.1.12.1 remote-as 1
 neighbor 10.1.25.5 remote-as 5
 no auto-summary
!

hostname CHINA
!
interface FastEthernet0/0
 ip address 10.1.13.3 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 ip address 10.1.34.3 255.255.255.0
 no shutdown
!
router bgp 3
 neighbor 10.1.13.1 remote-as 1
 neighbor 10.1.34.4 remote-as 4
 no auto-summary
!

hostname RUSSIA
!
interface FastEthernet0/0
 ip address 10.1.34.4 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 ip address 10.1.45.4 255.255.255.0
 no shutdown
!
interface FastEthernet1/0
 ip address 192.168.4.4 255.255.255.0
 no shutdown
!
router bgp 4
 network 192.168.4.0
 neighbor 10.1.34.3 remote-as 3
 neighbor 10.1.34.3 weight 100
 neighbor 10.1.45.5 remote-as 5
 no auto-summary
!

hostname RANDOM
!
interface FastEthernet0/0
 ip address 10.1.45.5 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 ip address 10.1.25.5 255.255.255.0
 no shutdown
!
router bgp 5
 neighbor 10.1.25.2 remote-as 2
 neighbor 10.1.45.4 remote-as 4
 no auto-summary
!
BGP table of MainOne:
MainOne sees the Google prefix (192.168.2.0/24) via two paths (directly from Google, and through China > Russia > RANDOM), and it is using the shortest AS path, which is through Google. On the other hand, China will only see the Google prefix from Russia, because we have configured MainOne not to advertise the Google prefix to China.
Looking at Russia, the Google prefix is seen through RANDOM:
Based on this, traffic from VPCS-1 to 192.168.2.2 will flow through MainOne > Google:
On the other hand, traffic from VPCS-2 to 192.168.2.2 will flow through Russia > RANDOM > Google:
Now let's see what happens when there is a configuration error on MainOne and the Google prefix is leaked to China:
Looking at MainOne’s BGP table, things still look relatively okay:
However, if we look at China, things have changed – China now sees that route through MainOne:
Because of the higher weight (100) that Russia assigns to routes learned from China, Russia will now use China to reach the Google prefix (even though the path through RANDOM is shorter):
This means VPCS-2 will now go through Russia > China > MainOne > Google:
Now, what if China is blocking Google services (like it currently does)? The configuration on China to achieve this will be:
ip route 192.168.2.0 255.255.255.0 null0
With this configuration, if VPCS-2 tries to ping 192.168.2.2, it will fail:
BGP Prefix Hijacking
Using the same lab, we can simulate BGP hijacking. Let’s restore the AS path filter on MainOne:
With this, Russia is back to using RANDOM:
Let's assume China wants to hijack some of Google's services. One thing it can do is advertise a more specific route for the 192.168.2.0 network, e.g. a /25:
With this configuration, even though Russia still sees 192.168.2.0/24 via RANDOM, it will also have 192.168.2.0/25 through China:
So if VPCS-2 pings 192.168.2.2, the traffic will actually go to China and not to Google:
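As an added example (not part of the original lab writeup), here is a small Python checker for the two failure modes shown above: an inbound AS-path check that mirrors MainOne's outbound `ip as-path access-list 1 permit ^$` filter and would have caught the leaked `1 2` path at China, and an origin/more-specific check that flags the /25 China announces. The announcements and the expected-origin table are constructed from the lab topology; the expected-origin table stands in for the kind of data an RPKI ROA or IRR route object would hold.

```python
import ipaddress
import re

# Constructed announcements modelled on the lab: (prefix, AS path as received).
# The first AS in each path is the neighbour the route was learned from.
SEEN_BY_RUSSIA = [
    ("192.168.2.0/24", "5 2"),    # Google's /24 via RANDOM: legitimate
    ("192.168.2.0/24", "3 1 2"),  # the same /24 via China > MainOne: the leaked path
    ("192.168.2.0/25", "3"),      # more-specific originated by China: the hijack
    ("192.168.1.0/24", "3 1"),    # MainOne's own prefix via China: fine
]
SEEN_BY_CHINA = [
    ("192.168.1.0/24", "1"),      # MainOne's own prefix: all MainOne should send
    ("192.168.2.0/24", "1 2"),    # Google's prefix via MainOne: the leak
    ("192.168.2.0/24", "4 5 2"),  # Google's prefix via Russia > RANDOM: legitimate
]
# Expected origin AS per prefix (constructed; what an RPKI ROA / IRR object holds).
EXPECTED_ORIGIN = {"192.168.2.0/24": 2, "192.168.1.0/24": 1, "192.168.4.0/24": 4}

def origin_as(path):
    """The last AS in the path is the AS that originated the prefix."""
    return int(path.split()[-1])

def find_hijacks(announcements, expected):
    """Flag a known prefix announced with the wrong origin AS (origin hijack) and
    any more-specific of a known prefix with a foreign origin (sub-prefix hijack)."""
    findings = []
    for prefix, path in announcements:
        net = ipaddress.ip_network(prefix)
        for known, asn in expected.items():
            known_net = ipaddress.ip_network(known)
            if net.subnet_of(known_net) and origin_as(path) != asn:
                kind = "origin hijack" if net == known_net else "sub-prefix hijack"
                findings.append((prefix, path, kind))
    return findings

def leaked_from_neighbor(announcements, neighbor_as, allowed_regex):
    """Inbound counterpart of MainOne's 'ip as-path access-list 1 permit ^$':
    a neighbour that only originates its own routes should only ever hand us
    paths matching ^<its ASN>$. Anything else from that neighbour is a leak."""
    pattern = re.compile(allowed_regex)  # IOS as-path regexes are search-style
    return [(prefix, path) for prefix, path in announcements
            if path.split()[0] == str(neighbor_as) and not pattern.search(path)]

if __name__ == "__main__":
    print(find_hijacks(SEEN_BY_RUSSIA, EXPECTED_ORIGIN))
    print(leaked_from_neighbor(SEEN_BY_CHINA, 1, r"^1$"))
```

Note that the leaked `1 2` path still carries the correct origin AS, so an origin-only check never sees it; the leak is only visible to a check that knows what a given neighbour is allowed to send.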
The solution to this issue is coming soon.
https://bgpmon.net/
This BGP monitoring service lists the most recent BGP hijacks and offers a detailed look at BGP leaks and hijacks.