From: Rob Thomas <robt@cymru.com>
Subject: [Cisco] Security and BGP (Secure BGP Template) (eng)
Secure BGP Template Version 2.3
By Rob Thomas <robt@cymru.com> 07 AUG 2002
Introduction
BGP is the routing protocol that drives the Internet. Proper
configuration of BGP is critical, as mistakes in BGP can result in
disaster for both local and remote networks. Further, without a few
additional steps to increase the security and defense of BGP, it is
possible for miscreants to cause havoc with BGP and, by extension, with
routing tables.
This document includes a template configuration for BGP. As with all
such templates, this one must be modified to fit the specific
requirements of the local network(s). It is not wise to simply cut and
paste without a thorough understanding of each command. Comments are
included with each command. A more thorough understanding of BGP can
be obtained from:
o Internet Routing Architectures
, by Bassam Halabi, published by Cisco Press.
o BGP4, by John W. Stewart III, published by Addison-Wesley.
As an aside, debugging BGP issues can be difficult without an external
view. To see how the rest of the Internet views my prefix
announcements, I use the route servers. Simply telnet to these route
servers and issue commands such as sh ip bgp NETBLOCK or sh ip route
NETBLOCK. Here is a partial list:
It may also be helpful to receive the bgp-stats report, either daily
or weekly. This will help you to size your maximum-prefix statements
and to maintain accurate bogon filters. You may subscribe to
the bgp-stats report by sending a note to majordomo@lists.apnic.net
with the message text of "subscribe bgp-stats".
While I list the bogon ranges on /8 boundaries, you may prefer a
greater level of aggregation. For this I recommend consulting my
Bogon List (http://www.cymru.com/Documents/bogon-list.html).
Barry Greene and Philip Smith, both of Cisco, have recently released a
book entitled Cisco ISP Essentials. This is an excellent collection of
clue. You can learn more about it at http://www.ispbook.com.
Barry also keeps a nice collection of Cisco security documents
here (http://www.cisco.com/public/cons/isp/security).
Credits
My thanks to the following folks for providing input and suggestions!
Roy Arends
Larry Bishop
Oded Comay
Hank Nussbacher
James A. T. Rice
Mike Tancsa
David Wolsefer
As always, the FIRST community http://www.first.org/
Assumptions
* IOS 12.0.X or higher.
* Understanding of BGP and the Cisco IOS.
* This template is used by a non-transit network.
* The local ASN is 111, the remote ASNs are 222 and 333.
* The local netblock is 1.88.0.0/19.
* The router has already been secured. For details on a secure IOS
configuration template, please consult my Secure IOS Template.
http://www.cymru.com/Documents/secure-ios-template.html
* This template was crafted for a network that would be dual-homed
and BGP peered to two Tier One ISPs.
* The IP address of the router used in this template is 172.17.70.1.
Questions, Comments, Suggestions
Feedback is both welcome and encouraged! This document is a
work-in-progress as changes to the Cisco IOS, BGP, or corrections to
this document appear. Please send any questions along to
robt@cymru.com.
Template
In the original, the actual commands are in bold text so that they
stand out from the comment blocks; in this plain-text copy, lines
beginning with ! are comments and every other line is a command.
! Our ASN is 111
router bgp 111
!
! Don't wait for the IGP to catch up.
no synchronization
!
! Be a little more forgiving of an occasional missed keepalive.
no bgp fast-external-fallover
!
! Track and punt, via syslog, all interesting observations about our
! neighbors.
bgp log-neighbor-changes
!
! Enable our dampening parameters. See the route map and prefix-lists
! below.
bgp dampening route-map graded-flap-dampening
!
! Announce our netblock(s) in a manner that does not increase CPU
! utilization. Redistributing from an IGP is dangerous as it increases
! the likelihood of flapping and instability. Redistributing static is
! more stable, but requires the CPU to peruse the routing table at a set
! interval to capture any changes. The network statement, combined with
! a null route, is the least expensive (in terms of CPU utilization) and
! most reliable (in terms of stability) option.
network 1.88.0.0 mask 255.255.224.0
!
! Our first neighbor, 10.10.5.1, is an eBGP peer with the ASN of 333.
neighbor 10.10.5.1 remote-as 333
!
! Store a copy of this neighbor's inbound updates so that a change to our
! inbound policy can be applied with clear ip bgp x.x.x.x soft in, rather
! than a hard reset that tears down the session and withdraws all of our
! announced prefixes. The stored copy costs memory in proportion to the
! number of prefixes the neighbor sends.
neighbor 10.10.5.1 soft-reconfiguration inbound
!
! Type in a description for future reference. Not everyone memorizes
! ASNs. :-)
neighbor 10.10.5.1 description eBGP with ISP333
!
! Enable TCP MD5 authentication (RFC 2385) on the session. The peer must
! be configured with the same password; use a strong one that is unique
! to this peer, since it will appear in the configuration file.
neighbor 10.10.5.1 password bgpwith333
!
! Hard-set for version 4. This disables BGP version negotiation, thus
! bringing the peering session on-line more quickly.
neighbor 10.10.5.1 version 4
!
! Block any inbound announcements that include bogon networks. A prefix
! list is used because it is:
! 1) Easier on the CPU than ACLs, and
! 2) Easier to modify.
! See the actual bogons prefix-list below.
neighbor 10.10.5.1 prefix-list bogons in
!
! Announce only those networks we specifically list. This also prevents
! the network from becoming a transit provider. An added bit of protection
! and good netizenship. See the announce prefix-list below.
neighbor 10.10.5.1 prefix-list announce out
!
! Prevent a mistake or mishap by our peer (or someone with whom our peer
! has a peering agreement) from causing router meltdown by filling the
! routing and BGP tables. This is a hard limit: when the neighbor exceeds
! it, the IOS tears the session down, and it stays down until you clear
! it manually. At 75% of this limit, the IOS will issue log messages
! warning that the neighbor is approaching the limit. All log messages
! should be sent to a remote syslog host. The warning water mark can be
! modified by placing a value after the maximum prefix value, e.g.
! maximum-prefix 125000 50. This will set the IOS to issue warning
! messages when the neighbor reaches 50% of the limit. Size the limit
! from the bgp-stats report with comfortable headroom above the full
! table: a limit set too close to the current table size turns routine
! growth into an outage.
neighbor 10.10.5.1 maximum-prefix 125000
!
! Our next neighbor is 10.10.10.1, an eBGP peer with the ASN of 222.
neighbor 10.10.10.1 remote-as 222
neighbor 10.10.10.1 soft-reconfiguration inbound
neighbor 10.10.10.1 description eBGP with ISP222
neighbor 10.10.10.1 password bgpwith222
neighbor 10.10.10.1 version 4
neighbor 10.10.10.1 prefix-list bogons in
neighbor 10.10.10.1 prefix-list announce out
neighbor 10.10.10.1 maximum-prefix 125000
!
! This is our iBGP peer, 172.17.70.2.
neighbor 172.17.70.2 remote-as 111
!
neighbor 172.17.70.2 soft-reconfiguration inbound
!
! Again, a handy description.
neighbor 172.17.70.2 description iBGP with our other router
!
neighbor 172.17.70.2 password bgpwith111
! Use the loopback interface for iBGP announcements. This increases the
! stability of iBGP.
neighbor 172.17.70.2 update-source Loopback0
neighbor 172.17.70.2 version 4
neighbor 172.17.70.2 next-hop-self
neighbor 172.17.70.2 prefix-list bogons in
neighbor 172.17.70.2 maximum-prefix 125000
!
! Do not automatically summarize our announcements.
no auto-summary
! If we have multiple links on the same router to the same AS, we like to
! put them to good use. Load balance, per destination, with maximum-paths.
! The limit is six. For our example, we will assume two equal size pipes
! to the same AS.
maximum-paths 2
!
! Now add our null route and the loopback/iBGP route. Remember to add
! more specific non-null routes so that the packets travel to their
! intended destination!
ip route 1.88.0.0 255.255.224.0 Null0
ip route 1.88.50.0 255.255.255.0 192.168.50.5
ip route 1.88.55.0 255.255.255.0 192.168.50.8
ip route 1.88.75.128 255.255.255.128 192.168.50.10
ip route 172.17.70.2 255.255.255.255 192.168.50.2
!
! We protect TCP port 179 (BGP port) from miscreants by limiting
! access. Allow our peers to connect and log all other attempts.
! Remember to apply this ACL to the interfaces of the router or
! add it to existing ACLs. Two things to check before doing so: an
! extended ACL ends with an implicit deny, so on its own this list
! blocks everything except BGP and must be merged with the permits
! your other traffic needs; and each permit must name the address the
! session actually uses, which for a directly connected eBGP peer is
! the interface address facing that peer unless update-source and
! ebgp-multihop have been configured.
access-list 185 permit tcp host 10.10.5.1 host 172.17.70.1 eq 179
access-list 185 permit tcp host 10.10.5.1 eq bgp host 172.17.70.1
access-list 185 permit tcp host 10.10.10.1 host 172.17.70.1 eq 179
access-list 185 permit tcp host 10.10.10.1 eq bgp host 172.17.70.1
access-list 185 permit tcp host 172.17.70.2 host 172.17.70.1 eq 179
access-list 185 permit tcp host 172.17.70.2 eq bgp host 172.17.70.1
access-list 185 deny tcp any any eq 179 log-input
!
! The announce prefix list prevents us from announcing anything beyond
! our aggregated netblock(s).
ip prefix-list announce description Our allowed routing announcements
ip prefix-list announce seq 5 permit 1.88.0.0/19
ip prefix-list announce seq 10 deny 0.0.0.0/0 le 32
!
! The bogons prefix list prevents the acceptance of obviously bogus
! routing updates. This can be modified to fit local requirements.
! While aggregation is possible - certainly desirable - IANA tends
! to allocate netblocks on a /8 boundary. For this reason, I have
! listed the bogons largely as /8 netblocks. This will make changes
! to the bogons prefix-list easier to accomplish and less intrusive.
! I have listed more specific netblocks when documentation, such as
! RFC1918, is more granular.
! Please see the IANA IPv4 netblock assignment document at the
! following URL:
! http://www.isi.edu/in-notes/iana/assignments/ipv4-address-space
! Note that the list below is a snapshot of IANA's unallocated space as
! of the date of this document. Most of these /8s have since been
! allocated, so a copy deployed as-is will silently drop legitimate
! routes: regenerate it from a current bogon source and keep a process
! to update it whenever allocations change.
ip prefix-list bogons description Bogon networks we won't accept.
ip prefix-list bogons seq 5 deny 0.0.0.0/8 le 32
ip prefix-list bogons seq 10 deny 1.0.0.0/8 le 32
ip prefix-list bogons seq 15 deny 2.0.0.0/8 le 32
ip prefix-list bogons seq 20 deny 5.0.0.0/8 le 32
ip prefix-list bogons seq 25 deny 7.0.0.0/8 le 32
ip prefix-list bogons seq 30 deny 10.0.0.0/8 le 32
ip prefix-list bogons seq 35 deny 23.0.0.0/8 le 32
ip prefix-list bogons seq 40 deny 27.0.0.0/8 le 32
ip prefix-list bogons seq 45 deny 31.0.0.0/8 le 32
ip prefix-list bogons seq 50 deny 36.0.0.0/8 le 32
ip prefix-list bogons seq 55 deny 37.0.0.0/8 le 32
ip prefix-list bogons seq 60 deny 39.0.0.0/8 le 32
ip prefix-list bogons seq 65 deny 41.0.0.0/8 le 32
ip prefix-list bogons seq 70 deny 42.0.0.0/8 le 32
ip prefix-list bogons seq 75 deny 49.0.0.0/8 le 32
ip prefix-list bogons seq 80 deny 50.0.0.0/8 le 32
ip prefix-list bogons seq 85 deny 58.0.0.0/8 le 32
ip prefix-list bogons seq 90 deny 59.0.0.0/8 le 32
ip prefix-list bogons seq 95 deny 60.0.0.0/8 le 32
ip prefix-list bogons seq 115 deny 70.0.0.0/8 le 32
ip prefix-list bogons seq 120 deny 71.0.0.0/8 le 32
ip prefix-list bogons seq 125 deny 72.0.0.0/8 le 32
ip prefix-list bogons seq 130 deny 73.0.0.0/8 le 32
ip prefix-list bogons seq 135 deny 74.0.0.0/8 le 32
ip prefix-list bogons seq 140 deny 75.0.0.0/8 le 32
ip prefix-list bogons seq 145 deny 76.0.0.0/8 le 32
ip prefix-list bogons seq 150 deny 77.0.0.0/8 le 32
ip prefix-list bogons seq 155 deny 78.0.0.0/8 le 32
ip prefix-list bogons seq 160 deny 79.0.0.0/8 le 32
ip prefix-list bogons seq 165 deny 82.0.0.0/8 le 32
ip prefix-list bogons seq 170 deny 83.0.0.0/8 le 32
ip prefix-list bogons seq 175 deny 84.0.0.0/8 le 32
ip prefix-list bogons seq 180 deny 85.0.0.0/8 le 32
ip prefix-list bogons seq 185 deny 86.0.0.0/8 le 32
ip prefix-list bogons seq 190 deny 87.0.0.0/8 le 32
ip prefix-list bogons seq 195 deny 88.0.0.0/8 le 32
ip prefix-list bogons seq 200 deny 89.0.0.0/8 le 32
ip prefix-list bogons seq 205 deny 90.0.0.0/8 le 32
ip prefix-list bogons seq 210 deny 91.0.0.0/8 le 32
ip prefix-list bogons seq 215 deny 92.0.0.0/8 le 32
ip prefix-list bogons seq 220 deny 93.0.0.0/8 le 32
ip prefix-list bogons seq 225 deny 94.0.0.0/8 le 32
ip prefix-list bogons seq 230 deny 95.0.0.0/8 le 32
ip prefix-list bogons seq 235 deny 96.0.0.0/8 le 32
ip prefix-list bogons seq 240 deny 97.0.0.0/8 le 32
ip prefix-list bogons seq 245 deny 98.0.0.0/8 le 32
ip prefix-list bogons seq 250 deny 99.0.0.0/8 le 32
ip prefix-list bogons seq 255 deny 100.0.0.0/8 le 32
ip prefix-list bogons seq 260 deny 101.0.0.0/8 le 32
ip prefix-list bogons seq 265 deny 102.0.0.0/8 le 32
ip prefix-list bogons seq 270 deny 103.0.0.0/8 le 32
ip prefix-list bogons seq 275 deny 104.0.0.0/8 le 32
ip prefix-list bogons seq 280 deny 105.0.0.0/8 le 32
ip prefix-list bogons seq 285 deny 106.0.0.0/8 le 32
ip prefix-list bogons seq 290 deny 107.0.0.0/8 le 32
ip prefix-list bogons seq 295 deny 108.0.0.0/8 le 32
ip prefix-list bogons seq 300 deny 109.0.0.0/8 le 32
ip prefix-list bogons seq 305 deny 110.0.0.0/8 le 32
ip prefix-list bogons seq 310 deny 111.0.0.0/8 le 32
ip prefix-list bogons seq 315 deny 112.0.0.0/8 le 32
ip prefix-list bogons seq 320 deny 113.0.0.0/8 le 32
ip prefix-list bogons seq 325 deny 114.0.0.0/8 le 32
ip prefix-list bogons seq 330 deny 115.0.0.0/8 le 32
ip prefix-list bogons seq 335 deny 116.0.0.0/8 le 32
ip prefix-list bogons seq 340 deny 117.0.0.0/8 le 32
ip prefix-list bogons seq 345 deny 118.0.0.0/8 le 32
ip prefix-list bogons seq 350 deny 119.0.0.0/8 le 32
ip prefix-list bogons seq 355 deny 120.0.0.0/8 le 32
ip prefix-list bogons seq 360 deny 121.0.0.0/8 le 32
ip prefix-list bogons seq 365 deny 122.0.0.0/8 le 32
ip prefix-list bogons seq 370 deny 123.0.0.0/8 le 32
ip prefix-list bogons seq 375 deny 124.0.0.0/8 le 32
ip prefix-list bogons seq 380 deny 125.0.0.0/8 le 32
ip prefix-list bogons seq 385 deny 126.0.0.0/8 le 32
ip prefix-list bogons seq 390 deny 127.0.0.0/8 le 32
ip prefix-list bogons seq 395 deny 169.254.0.0/16 le 32
ip prefix-list bogons seq 400 deny 172.16.0.0/12 le 32
ip prefix-list bogons seq 405 deny 192.0.2.0/24 le 32
ip prefix-list bogons seq 410 deny 192.168.0.0/16 le 32
ip prefix-list bogons seq 415 deny 197.0.0.0/8 le 32
ip prefix-list bogons seq 420 deny 201.0.0.0/8 le 32
ip prefix-list bogons seq 440 deny 222.0.0.0/8 le 32
ip prefix-list bogons seq 445 deny 223.0.0.0/8 le 32
ip prefix-list bogons seq 450 deny 224.0.0.0/3 le 32
! Allow all prefixes up to /27. Your mileage may vary,
! so adjust this to fit your specific requirements. Note that this
! entry also accepts a default route (0.0.0.0/0 itself); add an
! explicit deny 0.0.0.0/0 ahead of it if your peers should not be
! sending you one.
ip prefix-list bogons seq 455 permit 0.0.0.0/0 le 27
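To check what the announce and bogons lists actually let through, the following evaluator implements IOS prefix-list semantics: entries are tried in sequence order, the first match wins, ge/le bound the prefix length, and an unmatched prefix hits the implicit deny at the end of the list. This is an added example, not part of the template; the announce list is copied verbatim, the bogons list is trimmed to a handful of the page's entries, and the candidate prefixes are constructed.

```python
"""Cisco-style ip prefix-list evaluation: first matching sequence wins, ge/le bound
the length, implicit deny at the end.  Added example, not part of the original
template; the lists are copied from the page (bogons trimmed) and the candidate
prefixes are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                      # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None


def parse_prefix_lists(config: str) -> dict:
    """Parse 'ip prefix-list NAME seq N permit|deny A/m [ge x] [le y]' lines.

    Description lines and anything else are ignored.  Entries are returned per
    list name, sorted by sequence number, which is the order IOS evaluates them.
    """
    lists: dict = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[:2] != ["ip", "prefix-list"] or tok[3] != "seq":
            continue
        name, seq, action = tok[2], int(tok[4]), tok[5]
        net = ipaddress.ip_network(tok[6], strict=False)
        ge = le = None
        rest = tok[7:]
        while len(rest) >= 2:
            key, val, rest = rest[0], int(rest[1]), rest[2:]
            if key == "ge":
                ge = val
            elif key == "le":
                le = val
        lists.setdefault(name, []).append(Entry(seq, action, net, ge, le))
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)
    return lists


def entry_matches(entry: Entry, net: ipaddress.IPv4Network) -> bool:
    """An entry matches when the candidate lies inside A/m and its length n satisfies
    the bounds: exactly m with no ge/le, ge..32 with ge only, m..le with le only."""
    if not net.subnet_of(entry.prefix):
        return False
    lo = entry.ge if entry.ge is not None else entry.prefix.prefixlen
    if entry.le is not None:
        hi = entry.le
    elif entry.ge is not None:
        hi = 32
    else:
        hi = entry.prefix.prefixlen
    return lo <= net.prefixlen <= hi


def evaluate(entries, prefix: str):
    """Return (permitted, matching seq).  No match is the implicit deny: (False, None)."""
    net = ipaddress.ip_network(prefix, strict=False)
    for e in entries:
        if entry_matches(e, net):
            return e.action == "permit", e.seq
    return False, None


# The 'announce' list verbatim and a trimmed 'bogons' list, both from the template.
TEMPLATE = """
ip prefix-list announce description Our allowed routing announcements
ip prefix-list announce seq 5 permit 1.88.0.0/19
ip prefix-list announce seq 10 deny 0.0.0.0/0 le 32
ip prefix-list bogons description Bogon networks we won't accept.
ip prefix-list bogons seq 5 deny 0.0.0.0/8 le 32
ip prefix-list bogons seq 30 deny 10.0.0.0/8 le 32
ip prefix-list bogons seq 390 deny 127.0.0.0/8 le 32
ip prefix-list bogons seq 400 deny 172.16.0.0/12 le 32
ip prefix-list bogons seq 410 deny 192.168.0.0/16 le 32
ip prefix-list bogons seq 450 deny 224.0.0.0/3 le 32
ip prefix-list bogons seq 455 permit 0.0.0.0/0 le 27
"""
LISTS = parse_prefix_lists(TEMPLATE)


def outbound_ok(prefix: str) -> bool:
    """Would 'neighbor ... prefix-list announce out' let this prefix be announced?"""
    return evaluate(LISTS["announce"], prefix)[0]


def inbound_ok(prefix: str) -> bool:
    """Would 'neighbor ... prefix-list bogons in' accept this prefix from a peer?"""
    return evaluate(LISTS["bogons"], prefix)[0]


if __name__ == "__main__":
    # Constructed candidates: our aggregate, one of our more-specifics, RFC1918
    # space, a neighbour of RFC1918 space, a too-long prefix and the default route.
    for p in ("1.88.0.0/19", "1.88.50.0/24", "10.1.0.0/16", "172.32.0.0/16",
              "198.41.0.0/28", "0.0.0.0/0"):
        print(f"{p:16} out={outbound_ok(p)!s:5} in={inbound_ok(p)!s:5}")
```

Two results are worth noticing. Outbound, 1.88.50.0/24 is stopped by the deny at seq 10 even though a static route for it exists, which is what keeps the more-specific internal routes from leaking while the /19 aggregate is announced. Inbound, a /28 falls through to the implicit deny because the final permit stops at le 27, while 0.0.0.0/0 itself matches that permit, so a peer could hand this router a default route unless a deny for it is added.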
!
! Now we configure our prefix lists for our dampening requirements.
! These are configured along the lines of the recommendations made
! by RIPE. The goal is to minimize the effect of dampening on
! the shorter and historically more stable prefixes as well as the
! netblocks that contain DNS root servers. The longer prefixes
! are dampened for longer periods of time, as these have been the
! source of a greater percentage of the instability in the
! global routing table.
! Note that a longer prefix equates to a less-aggregated and smaller
! netblock. Also note that the RIPE routing working group later revised
! this advice: RIPE-378 (2006) recommended against dampening with these
! thresholds, and RIPE-580 (2013) recommends re-enabling it with a much
! higher suppress limit. Treat the values here as the baseline of their
! time and check current guidance before deploying them.
!
! The damplongprefixes list is for prefixes of /24 and longer.
ip prefix-list damplongprefixes description Prefixes of /24 and longer.
ip prefix-list damplongprefixes seq 5 permit 0.0.0.0/0 ge 24
!
! The dampmediumprefixes list is for prefixes of /22 and /23.
ip prefix-list dampmediumprefixes description Prefixes of /22 and /23.
ip prefix-list dampmediumprefixes seq 5 permit 0.0.0.0/0 ge 22 le 23
!
! The dampshortprefixes list is for prefixes of /21 and shorter.
ip prefix-list dampshortprefixes description Prefixes of /21 and shorter.
ip prefix-list dampshortprefixes seq 5 permit 0.0.0.0/0 le 21
!
! The rootservers prefix list is to prevent dampening of
! the root DNS server netblocks.
ip prefix-list rootservers description DNS root server netblocks.
ip prefix-list rootservers seq 5 permit 198.41.0.0/24
ip prefix-list rootservers seq 10 permit 128.9.0.0/16
ip prefix-list rootservers seq 15 permit 192.33.4.0/24
ip prefix-list rootservers seq 20 permit 128.8.0.0/16
ip prefix-list rootservers seq 25 permit 192.203.230.0/24
ip prefix-list rootservers seq 30 permit 192.5.4.0/23
ip prefix-list rootservers seq 35 permit 192.112.36.0/24
ip prefix-list rootservers seq 40 permit 128.63.0.0/16
ip prefix-list rootservers seq 45 permit 192.36.148.0/24
ip prefix-list rootservers seq 50 permit 193.0.14.0/24
ip prefix-list rootservers seq 55 permit 198.32.64.0/24
ip prefix-list rootservers seq 60 permit 202.12.27.0/24
!
! We apply our dampening prefix-lists with our route-map entries. The
! arguments to set dampening are, in order: half-life (minutes), reuse
! limit, suppress limit, and maximum suppress time (minutes).
! Don't dampen the rootservers prefix-list. Its entries carry no ge/le,
! so only the exact prefixes listed are exempt.
route-map graded-flap-dampening deny 10
match ip address prefix-list rootservers
! Dampen the /24 and longer prefixes for a maximum of 60 minutes.
route-map graded-flap-dampening permit 20
match ip address prefix-list damplongprefixes
set dampening 30 750 3000 60
! Dampen the /22 to /23 prefixes for a maximum of 45 minutes.
route-map graded-flap-dampening permit 30
match ip address prefix-list dampmediumprefixes
set dampening 15 750 3000 45
! Dampen the /21 and shorter prefixes for a maximum of 30 minutes.
route-map graded-flap-dampening permit 40
match ip address prefix-list dampshortprefixes
set dampening 10 1500 3000 30
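The four numbers on each set dampening line interact in a way that is easier to see with the arithmetic written out. The following added example (not part of the template) walks the route-map above to pick a parameter set for a prefix and then applies the penalty model documented by Cisco: 1000 penalty per flap, exponential decay with the configured half-life, suppression while the penalty is above the suppress limit, reuse once it decays below the reuse limit, and a penalty ceiling of reuse * 2^(max-suppress/half-life), which is how max-suppress-time is enforced. The parameter sets and root-server prefixes are copied from the page. Whether a penalty sitting exactly at the suppress limit triggers suppression is release-specific and not asserted here; the model counts only penalties above the limit as suppressed, which matters for the /24 set, whose ceiling works out to exactly its suppress limit.

```python
"""Penalty arithmetic behind 'bgp dampening route-map graded-flap-dampening'.

Added example, not from the original template.  Parameter sets, length classes
and the rootservers exemption are copied from the route-map on the page; the
penalty model (1000 per flap, exponential decay, ceiling of
reuse * 2^(max-suppress/half-life)) is Cisco's documented behaviour.  Only a
penalty strictly above the suppress limit is treated as suppressed (assumption).
"""
import ipaddress
import math

# (half-life minutes, reuse limit, suppress limit, max-suppress minutes) from the page
LONG = (30, 750, 3000, 60)      # route-map entry 20: /24 and longer
MEDIUM = (15, 750, 3000, 45)    # route-map entry 30: /22 and /23
SHORT = (10, 1500, 3000, 30)    # route-map entry 40: /21 and shorter
FLAP_PENALTY = 1000             # IOS charges 1000 per withdrawal

ROOTSERVERS = [ipaddress.ip_network(p) for p in (
    "198.41.0.0/24", "128.9.0.0/16", "192.33.4.0/24", "128.8.0.0/16",
    "192.203.230.0/24", "192.5.4.0/23", "192.112.36.0/24", "128.63.0.0/16",
    "192.36.148.0/24", "193.0.14.0/24", "198.32.64.0/24", "202.12.27.0/24")]


def dampening_params(prefix):
    """Walk the route-map: deny 10 exempts the exact rootservers prefixes (the list
    has no ge/le, so 128.9.0.0/24 is still dampened), then classify by length."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net in ROOTSERVERS:
        return None
    if net.prefixlen >= 24:
        return LONG
    if net.prefixlen >= 22:
        return MEDIUM
    return SHORT


def penalty_ceiling(params):
    """Highest penalty IOS lets a route accumulate.  Decaying from here down to the
    reuse limit takes exactly max-suppress-time, which is what makes that a bound."""
    half_life, reuse, _suppress, max_suppress = params
    return reuse * 2 ** (max_suppress / half_life)


def penalty_after_flaps(flaps, params):
    """Penalty after 'flaps' withdrawals in quick succession, capped at the ceiling."""
    return min(flaps * FLAP_PENALTY, penalty_ceiling(params))


def penalty_after_decay(penalty, minutes, params):
    """The penalty halves every half-life."""
    return penalty * 2 ** (-minutes / params[0])


def minutes_suppressed(flaps, params):
    """How long a route that flapped 'flaps' times stays suppressed: zero unless the
    capped penalty exceeds the suppress limit, otherwise the decay time from that
    penalty down to the reuse limit (never more than max-suppress-time)."""
    half_life, reuse, suppress, _max = params
    penalty = penalty_after_flaps(flaps, params)
    if penalty <= suppress:
        return 0.0
    return half_life * math.log2(penalty / reuse)


if __name__ == "__main__":
    for prefix in ("128.9.0.0/16", "128.9.0.0/24", "1.88.0.0/19", "10.20.0.0/22"):
        print(prefix, dampening_params(prefix))
    for name, p in (("LONG", LONG), ("MEDIUM", MEDIUM), ("SHORT", SHORT)):
        print(name, "ceiling", penalty_ceiling(p), "suppress", p[2],
              "4 flaps ->", round(minutes_suppressed(4, p), 1), "min",
              "8 flaps ->", round(minutes_suppressed(8, p), 1), "min")
```

With the /22-/23 set, four flaps in a row give a penalty of 4000 and about 36 minutes of suppression; eight flaps would give 8000, but the ceiling of 6000 caps it, so suppression lasts the configured 45 minutes and no longer. Run the same numbers against your own candidate values before changing a set dampening line: the ceiling must sit above the suppress limit, or the route-map entry will never suppress anything.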
!
! END