Border Gateway Protocol Complexity

What is BGP Protocol in Networking


In the vast interconnected network of the internet, Border Gateway Protocol (BGP) plays a crucial role in ensuring efficient and reliable routing. As the primary protocol for exchanging routing information between internet service providers (ISPs) and networks, BGP serves as the backbone of the internet. In this blog post, we will delve into BGP’s functionalities, benefits, and challenges, shedding light on its significance in today’s digital landscape.

Border Gateway Protocol, commonly known as BGP, is an exterior gateway protocol that facilitates the exchange of routing information between different autonomous systems (AS). An autonomous system represents a collection of networks under a single administrative domain. BGP is responsible for determining the best path for data packets to traverse between ASes, allowing efficient communication across the internet.

 

Highlights: BGP Protocol in Networking

  • Decrease Complexity

When considering what is BGP protocol in networking, we must first highlight a common misconception that Border Gateway Protocol ( BGP ) is used solely for network scalability, replacing an Interior Gateway Protocol ( IGP ) once a specific prefix or router count has been reached. Although BGP does form the base for large networks, an adequately designed IGP can scale to tens of thousands of routers. BGP is not used just for scalability; it is used to decrease the complexity of networking rather than to handle size.

  • Split into smaller pieces.

The key to efficient routing protocol design is to start with business design principles and break failure domains into small pieces. Keeping things simple with BGP is critical to stabilizing large networks. What usually begins as a single network quickly becomes multiple networks as the business grows. It is easier to split networks into small pieces and to “aggregate” the information as much as possible. Aggregating routing information hides parts of the network and speeds up link/node failure convergence.

 

You may find the following posts useful for pre-information:

  1. Port 179
  2. SDN Traffic Optimizations
  3. What does SDN mean? This post uses a BGP SDN approach to networking.
  4. BGP SDN
  5. Segment routing
  6. Merchant Silicon

 


Key What is BGP Discussion Points:


  • Introduction to BGP protocol and what is involved.

  • Highlighting the details on BGP scalability.

  • Critical points on BGP protocol and the use of policy.

  • Technical details on traffic engineering with BGP.

  • A final note on IGPs.

 

Back to basics with BGP

BGP is mature and powers the internet. Many mature implementations of BGP exist, including in the open-source networking world. A considerable benefit of BGP is that it is less chatty than link-state protocols and is multiprotocol (i.e., it supports advertising IPv4, IPv6, Multiprotocol Label Switching (MPLS), and VPNs natively). Remember that BGP has been understood for decades as the protocol that helps internet-connected systems find one another. However, it is helpful within a single data center as well. In addition, BGP is standards-based and supported by many free and open-source software packages.

How does BGP work?

BGP operates on a distributed architecture, where routers exchange routing information using rules and policies. It uses a path-vector algorithm to select the best path based on various attributes, such as the number of AS hops and the quality of the network links. BGP relies on the concept of peering, where routers establish connections with each other to exchange routing updates.

  • A key point: Lab on BGP Dampening

In the following sample, we have two routers with BGP configured. Each BGP peer is in its own AS, and BGP dampening is configured on R2 only. Notice the output of the debug ip bgp dampening on R2 once the loopback on R1 is shut down.

The concept behind BGP dampening is relatively simple. When a router detects a route flapping, it assigns a penalty to that route. The penalty is based on the number of consecutive flaps and the configured dampening parameters. As the penalty accumulates, the route’s desirability decreases, making it less likely to be advertised to other routers.

The purpose of BGP dampening is to discourage the propagation of unstable routes and prevent them from spreading throughout the network. By penalizing flapping routes, BGP dampening helps to stabilize the network by reducing the number of updates sent and minimizing the impact of routing instability.
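The penalty, suppress and reuse logic described above, as an added simulation that is not the lab's debug output: it models one route on R2 as R1's loopback flaps. The parameters default to the commonly cited Cisco IOS defaults (1000 penalty per flap, 15-minute half-life, suppress limit 2000, reuse limit 750, 60-minute maximum suppress time); the prefix and flap timings are constructed.

```python
import math
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class DampeningParams:
    """Route-flap dampening knobs; defaults are the commonly cited Cisco IOS defaults."""
    penalty_per_flap: int = 1000
    half_life_min: float = 15.0     # penalty halves every 15 minutes
    reuse_limit: int = 750          # route re-advertised once penalty decays below this
    suppress_limit: int = 2000      # route suppressed once penalty reaches this
    max_suppress_min: float = 60.0  # longest a route may stay suppressed


@dataclass
class DampenedRoute:
    prefix: str
    params: DampeningParams = field(default_factory=DampeningParams)
    penalty: float = 0.0
    last_update_min: float = 0.0
    suppressed: bool = False
    history: List[Tuple[float, int, bool]] = field(default_factory=list)

    def _decay_to(self, now_min: float) -> None:
        """Apply exponential decay for the time elapsed since the last update."""
        elapsed = now_min - self.last_update_min
        if elapsed > 0:
            self.penalty *= 0.5 ** (elapsed / self.params.half_life_min)
            self.last_update_min = now_min
        # Release a suppressed route once the penalty has decayed below the reuse limit.
        if self.suppressed and self.penalty < self.params.reuse_limit:
            self.suppressed = False

    def flap(self, now_min: float) -> bool:
        """Record one withdraw/re-announce cycle at now_min; return True if now suppressed."""
        self._decay_to(now_min)
        self.penalty += self.params.penalty_per_flap
        # Cap the penalty so a route can never stay suppressed longer than max_suppress:
        # cap = reuse_limit * 2 ** (max_suppress / half_life).
        cap = self.params.reuse_limit * 2 ** (self.params.max_suppress_min / self.params.half_life_min)
        self.penalty = min(self.penalty, cap)
        if self.penalty >= self.params.suppress_limit:
            self.suppressed = True
        self.history.append((now_min, round(self.penalty), self.suppressed))
        return self.suppressed

    def is_suppressed(self, now_min: float) -> bool:
        self._decay_to(now_min)
        return self.suppressed

    def minutes_until_reuse(self) -> float:
        """Time from the last update until the penalty decays to the reuse limit."""
        if self.penalty <= self.params.reuse_limit:
            return 0.0
        return self.params.half_life_min * math.log2(self.penalty / self.params.reuse_limit)


def simulate_flapping_loopback(flap_times_min=(0.0, 1.0, 2.0)) -> DampenedRoute:
    """Constructed scenario matching the lab narrative: R1's loopback prefix
    (placeholder 192.0.2.1/32) flaps three times a minute apart as seen on R2."""
    route = DampenedRoute("192.0.2.1/32")
    for t in flap_times_min:
        route.flap(t)
    return route


if __name__ == "__main__":
    r = simulate_flapping_loopback()
    for t, pen, sup in r.history:
        print(f"t={t:4.0f} min  penalty={pen:5d}  suppressed={sup}")
    print(f"reuse in ~{r.minutes_until_reuse():.1f} min after the last flap")
```

Two flaps a minute apart leave the penalty just under the suppress limit; the third pushes it over, and the route is held back for roughly half an hour even though no further flap occurs.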

Diagram: BGP Dampening

The Significance of BGP:

Scalability: BGP’s hierarchical structure enables it to handle the massive scale of the global internet. By dividing the internet into smaller autonomous systems, BGP efficiently manages routing information, reducing the burden on individual routers and improving scalability.

Path Selection: BGP allows network administrators to define policies for path selection, giving them control over traffic flow. This flexibility enables organizations to optimize network performance, direct traffic through preferred paths, and ensure efficient resource utilization.

Internet Resilience: BGP’s ability to dynamically adapt to changes in network topology is crucial for ensuring internet resilience. If a network or path becomes unavailable, BGP can quickly reroute traffic through alternative paths, minimizing disruptions and maintaining connectivity.

Challenges and Security Concerns:

BGP Hijacking: BGP’s reliance on trust-based peering relationships makes it susceptible to hijacking. Malicious actors can attempt to divert traffic by announcing false routing information, potentially leading to traffic interception or disruption. Initiatives like Resource Public Key Infrastructure (RPKI) aim to mitigate these risks by introducing cryptographic validation mechanisms.

Route Flapping: Unstable network connections or misconfigurations can cause routes to appear and disappear repeatedly, which is known as route flapping. This can lead to increased network congestion, suboptimal routing, and unnecessary router strain. Network administrators need to monitor and address route flapping issues carefully.

 

Policy-oriented control plane reduces network complexity.

BGP is a policy-oriented control plane-routing protocol used to create islands of networks that match business requirements to administrative domains. When multiple business units present unique needs, designing all those special requirements using a single set of routing policies is hard. BGP can decrease policy complexity and divide the complexity into a manageable aggregation of policies.

Diagram: When considering what is BGP protocol in networking

 

Two business units, for example, HR, represented by a router on the left, and the Sales department, represented by a router on the right. The middle networks form a private WAN, used simply as transit. However, the business has decided that these networks should be treated differently and have different traffic paths. For example, HR must pass through the top section of routers, and Sales must pass through the bottom half of routers. With an Interior Gateway Protocol ( IGP ), such as OSPF, traffic engineering can be accomplished by manipulating the cost of the links to influence the traffic path.

However, the metrics on the links must be managed on a per-destination basis. If you have to configure individual links per destination, it becomes almost impossible to do with a link-state IGP. If BGP is used, this logic can be encoded using Local Preference or the Multi-Exit Discriminator ( MED ). Local preference is used for a single-AS design, and MED is used between multiple ASes. Local preference is local to the AS and does not traverse multiple ASes.
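The path-vector selection described earlier and the HR/Sales steering above, as an added example that is not the post's configuration: it runs the standard BGP decision steps (LOCAL_PREF, AS_PATH length, ORIGIN, MED, eBGP over iBGP, router ID) over constructed paths, showing per-destination LOCAL_PREF inside one AS and MED between ASes. Prefix names, preference values, AS numbers and router IDs are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass(frozen=True)
class Path:
    via: str                       # which transit routers carry it ("top" / "bottom")
    local_pref: int = 100          # higher wins; only meaningful inside one AS
    as_path: Tuple[int, ...] = ()  # shorter wins
    origin: str = "igp"            # igp < egp < incomplete
    med: int = 0                   # lower wins, compared only among paths from one neighbour AS
    ebgp: bool = True              # eBGP-learned beats iBGP-learned
    router_id: str = "0.0.0.0"     # lowest advertising router ID is the final tie-break

    @property
    def neighbor_as(self) -> Optional[int]:
        return self.as_path[0] if self.as_path else None


def best_path(paths: List[Path], always_compare_med: bool = False) -> Tuple[Path, str]:
    """Run the decision steps in order; return the winner and the step that decided."""
    steps = [
        ("local_pref", lambda p: -p.local_pref),
        ("as_path_length", lambda p: len(p.as_path)),
        ("origin", lambda p: ORIGIN_RANK[p.origin]),
        ("med", lambda p: p.med),
        ("ebgp_over_ibgp", lambda p: 0 if p.ebgp else 1),
        ("router_id", lambda p: tuple(int(o) for o in p.router_id.split("."))),
    ]
    cands, decided = list(paths), "none"
    for name, key in steps:
        if len(cands) == 1:
            break
        # Simplification: MED is skipped unless every remaining path comes from the
        # same neighbour AS (or the router is configured to always compare MED).
        if name == "med" and not always_compare_med and len({p.neighbor_as for p in cands}) > 1:
            continue
        best = min(key(p) for p in cands)
        narrowed = [p for p in cands if key(p) == best]
        if len(narrowed) < len(cands):
            decided = name
        cands = narrowed
    return cands[0], decided


def hr_and_sales_steering() -> dict:
    """Single-AS design: per-destination LOCAL_PREF sends HR traffic over the top
    routers and Sales traffic over the bottom routers (values constructed)."""
    preferred_exit = {"hr_prefix": "top", "sales_prefix": "bottom"}
    router_ids = {"top": "10.0.0.1", "bottom": "10.0.0.2"}
    results = {}
    for prefix, exit_side in preferred_exit.items():
        paths = [Path(via=side, local_pref=200 if side == exit_side else 100,
                      as_path=(65010,), ebgp=False, router_id=rid)
                 for side, rid in router_ids.items()]
        results[prefix] = best_path(paths)
    return results


def inbound_med_from_neighbor_as() -> Tuple[Path, str]:
    """Multi-AS case: neighbour AS 65020 (constructed) advertises one prefix over
    both links with different MEDs; the lower MED (bottom) wins."""
    return best_path([Path("top", as_path=(65020,), med=50, router_id="10.0.0.3"),
                      Path("bottom", as_path=(65020,), med=10, router_id="10.0.0.4")])


if __name__ == "__main__":
    for prefix, (winner, step) in hr_and_sales_steering().items():
        print(f"{prefix}: via {winner.via} (decided by {step})")
    winner, step = inbound_med_from_neighbor_as()
    print(f"inbound from AS 65020: via {winner.via} (decided by {step})")
```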

 

  • A final note: When considering what is BGP protocol in networking

Networks grow and should be allowed to grow organically. Each business unit may require several different topologies and design patterns. Trying to design all these additional requirements would increase network complexity. In the context of a single IGP, it may add too many layers of complexity. BGP provides a manageable approach to policy abstraction by controlling specific network traffic patterns within and between Autonomous Systems.

 

Conclusion:

Border Gateway Protocol (BGP) plays a vital role in ensuring the smooth functioning of the internet by facilitating efficient routing between autonomous systems. Its scalability, flexibility in path selection, and ability to adapt to network changes contribute to the overall resilience and reliability of the internet. However, challenges such as BGP hijacking and route flapping require ongoing attention and mitigation efforts to maintain the security and stability of BGP-based networks. By understanding the intricacies of BGP, network administrators can effectively manage their networks and contribute to a robust and interconnected internet ecosystem.

 


Technology Insight For Microsegmentation

 

IPv6 Microsegmentation


In today’s digital landscape, cybersecurity has become a critical concern for organizations. With the ever-evolving threat landscape, traditional security measures are no longer sufficient to protect sensitive data and systems. Enter microsegmentation – a cutting-edge security technique that offers granular control and enhanced protection. This blog post will explore microsegmentation and its benefits for modern businesses.

Microsegmentation is a security strategy that divides a network into small, isolated segments, allowing for more refined control over data traffic and access privileges. Unlike traditional network security approaches that rely on perimeter defenses, microsegmentation focuses on securing each segment within a network. By implementing this technique, organizations can establish strict security policies and reduce the risk of lateral movement within their networks.

 

Highlights: Microsegmentation

  • IPv6 Data Center Microsegmentation

When examining a technology insight for microsegmentation, we can consider using IPv6 for data center network microsegmentation. Data center micro-segmentation techniques vary depending on the data center design requirements. However, the result will be more or less the same whichever technique you use. Network microsegmentation is a network security technique that enables security architects to logically divide the data center into distinct security segments down to the individual workload level, then define security controls and deliver services for each segment. In this technology insight for microsegmentation, we will address IPv6 micro-segmentation.

  • Layer-2 Security Issues

When discussing our journey on IPv6 data center network microsegmentation, we must consider that Layer-2 security mechanisms for IPv6 are still as complicated as with IPv4. Nothing has changed. We are still building the foundation of our IPv6 and IPv4 networks on the same forwarding paradigm, relying on old technologies that emulate thick coaxial cable, known as Ethernet. Ethernet should be limited to where Ethernet was designed: the data link layer between adjacent devices. Unfortunately, the IP+Ethernet mentality is deeply ingrained in every engineer’s mind.

 

Before you proceed, you may find the following helpful post for pre-information.

  1. Zero Trust Security Strategy
  2. Zero Trust Networking
  3. IPv6 Attacks
  4. IPv6 RA
  5. IPv6 Host Exposure
  6. Computer Networking
  7. Segment Routing

 


Key Technology Insight For Microsegmentation Discussion Points:


  • Introduction to network microsegmentation and what is involved.

  • Highlighting the details of this type of segmentation and the benefits it offers.

  • Critical points on microsegmentation and IPv6.

  • Technical details on IPv6 security.

  • Technical solutions for IPv6 in the data center with IPv6 micro-segmentation.

 

Back to basics with network security

Securing network access and data center devices has always been a challenging task. The new network security model is Zero Trust (ZT); it is a guiding concept that assumes the network is always hostile and that external and internal threats always exist. As a result, the perimeter has been moved closer to the workload. Zero Trust mandates a “never trust, always verify, enforce least privilege” approach, granting least privilege access based on a dynamic evaluation of the trustworthiness of users and their devices and any transaction risk before they can connect to network resources. A core technology for Zero Trust is the use of microsegmentation.

Enhanced Security

One of the key benefits of microsegmentation is its ability to enhance network security. Organizations can isolate critical data and applications by segmenting the network into smaller parts, limiting their exposure to potential threats. In a security breach, microsegmentation prevents lateral movement, containing the attack and minimizing the potential impact. This fine-grained control significantly reduces the attack surface, making it harder for cybercriminals to infiltrate and compromise sensitive information.

Improved Compliance

Compliance with industry standards and regulations is a top priority for organizations operating in heavily regulated industries. Microsegmentation plays a crucial role in achieving and maintaining compliance. By isolating sensitive data, organizations can ensure that only authorized individuals have access to it, meeting the requirements of various regulations such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA). Microsegmentation provides the necessary controls to enforce compliance policies and protect customer data.

Efficient Resource Utilization

Another advantage of microsegmentation is its ability to optimize resource utilization. Organizations can allocate resources more efficiently based on specific requirements by segmenting the network. For example, critical applications can be assigned dedicated resources, ensuring their availability and performance. Additionally, microsegmentation allows organizations to prioritize network traffic, ensuring mission-critical applications receive the necessary bandwidth while less critical traffic is appropriately managed. This efficient resource allocation leads to improved performance and reduced latency.

Simplified Security Management

Contrary to what one might expect, microsegmentation can actually simplify security management for organizations. With a traditional security approach, managing complex network policies and access controls can be challenging, especially as networks grow in size and complexity. Microsegmentation simplifies this process by breaking the network into smaller, more manageable segments. Security policies can be easily defined and enforced at the segment level, reducing the complexity of managing security across the entire network.

 

Network Microsegmentation

Data Center Micro Segmentation

What is Layer 2? And why do we need it? Layer 2 is the layer that allows adjacent network devices to exchange frames. Every layer 2 technology has at least three components:

  1. Start-of-frame indication.
  2. End-of-frame indication.
  3. Error correction mechanism in case the physical layer cannot guarantee the error-free transmission of zeroes and ones.

Diagram: Starting the journey to data center network micro segmentation.

 

  • A key point: Layer 2 MAC address

You may have realized that I haven’t mentioned the layer 2 MAC address as a required component. MAC addresses are required when more than two devices are attached to the same physical network. MAC addresses are in Ethernet frames because the original Ethernet standard used a coax cable with multiple nodes connected to the same physical medium.

Therefore, layer 2 addressing on point-to-point Fiber Channel networks is not required, while you need layer 2 addressing on shared cable-based Ethernet networks. One of the main reasons for the continuation of MAC addresses in Ethernet frames is backward compatibility. More importantly, no one wants to change device drivers in every host deployed in a data center or Internet.

 

Technology Insight for Microsegmentation and IPv6

 “IPv6 microsegmentation is an approach used to solve security challenges in IPv6.”

Firstly, when discussing data center network microsegmentation, with IPv6 micro-segmentation, we have many layer-2 security challenges. Similar to the IPv4 world, the assumption is one subnet is one security zone. This can be represented as a traditional VLAN with a corresponding VLAN ID or a more recent technology of VXLAN with a corresponding VXLAN ID.

Devices in that domain are in one security domain, and all enjoy the same level of trust, representing several IPv6 security challenges. If intruders break into that segment, they can take advantage of that implicit trust between all devices. The main disadvantage is that intra-subnet communication is not secured, and multiple IPv6 first-hop vulnerabilities ( RA and NA spoofing, DHCPv6 spoofing, DAD DoS attack, and ND DoS attacks) exist.

 

Diagram: IPv6 security.

 

A review of IPv6 security

The attacker can spoof neighbor advertisement messages and poison the ND cache on the host, thus taking over and intercepting traffic sent to other hosts. It can also intercept DHCP requests and pretend to be a DHCP server, redirecting traffic to itself or mounting DoS attacks with incorrect DNS records. The root cause is that everything we operate on today simulates the thick coaxial cable we used for Ethernet. In the early days, Ethernet segments had one coaxial cable segment, and all stations could attach to this segment, resulting in one large security domain. Networks evolved, and new technologies were introduced.

The coaxial cable was later replaced with thin cable and hubs to switches. Unfortunately, we haven’t changed the basic forwarding paradigm we used 40 years ago. We are still emulating thick coaxial cable while relying on the same traditional basic forwarding paradigm. The networking industry is trying to fix the problem without addressing and resolving the actual source of the problem.

The networking industry is retaining the existing forwarding paradigm while implementing a layer-2 security mechanism to overcome its limitations. All these layer-2 security measures ( first-hop security ) lead to complex networks both from design and operational aspects. They are adding more kludges; hence, every technology tries to fix the shortcomings when they should be addressing the actual source of the problem.


In the layer 2 world, everyone tries to retain the existing forwarding paradigm, even with the most recent data center overlay technologies. For example, they are still trying to emulate the thick coaxial cable over the VXLAN segment over IP. VXLAN uses historic flooding behavior. In the IPv6 world, to overcome shortcomings with layer 2, vendors started implementing a list of first-hop layer-2 security mechanisms. These have to be implemented to secure the layer 2 IPv6 domain.

All these features are complicated technologies to implement. They are used solely to fix the broken forwarding paradigm of layer 2. A recent example is MLD ( Multicast Listener Discovery ), which is part of IPv6. MLD can be abused to break into multicast streams on Local Area Networks ( LAN ) and gain control of first-hop router communication, so in the future we will need to implement MLD guard as yet another first-hop security mechanism. The list goes on and on; it is a constant cat-and-mouse game. So, we need to ask ourselves whether we can do better than that. What can we implement or design to overcome these shortcomings? Just get rid of layer 2?

We can remove layer 2 from “some” networks. If the first-hop router is a layer 3 device, we don’t need to implement all the security kludges mentioned above. We would still need Ethernet between the end host and router as end hosts have Ethernet cards. Using a layer 3 device as the first hop, we immediately remove all IPv6 spoofing attacks.

For example, RA Guard is unnecessary as the router will not listen to RA messages. ND spoofing is impossible as you can’t bridge ND across segments. However, DoS attacks are still possible. This type of layer-3-only design is implemented on xDSL and mobile networks, where every host is placed in its own /64 subnet. But now we are back to /64 segments to implement security between segments.

 

  • Is this possible to use in the data center when moving VMs across mobility domains?


IPv6 micro-segmentation for the data center

In data centers, we have issues with live VM migration. We must move VMs between servers while retaining IPv6 addresses to keep all Transmission Control Protocol ( TCP ) sessions intact. Layer 3 solutions exist but are much slower ( as layer 3 routing protocol convergence is slower than layer 2 convergence ) than what we get with simple flooding of MAC addresses via reverse Address Resolution Protocol ( RARP ) and gratuitous ARP.

We usually have some VLAN that spans the domain with an actual VLAN or VXLAN segment. VLANs must span the entire mobility domain, expanding the broadcast domain throughout the network. Expanding the broadcast domain also broadens the scope of layer 2 security attacks. Private VLANs exist, but on a large-scale private VLANs are messy and complex.

You can use one VLAN per VM, which would cause an explosion of VLAN numbers. You still need to terminate layer 3 on the core switches, meaning all traffic between two VMs must traverse the core. Inter-VLAN communication is sent to the core ( layer 3 devices ) even when both VMs sit on the same hypervisor. Not a good design.

Also, if you want mobility across multiple core switches, you can’t aggregate traffic and must pass the IPv6 prefixes to support VM mobility. Now we have loads of /64 prefixes in the IPv6 forwarding table when using one prefix per VM. Vendors like Brocade only support 3k IPv6 prefixes, and Juniper supports up to 1k. In the future, this scale limitation will represent design problems. So, do we need some other type of design? We need to change the forwarding paradigm. In an ideal world, we would use layer-3-only networks with layer-3 devices as first-hop devices, still support VM mobility, and at the same time not generate that many IPv6 prefixes.

 

Intra-subnet ( host route ) layer 3 forwarding

Is it possible to design and build layer-3-only IPv6 networks without assigning a /64 prefix to every host?

Intra-subnet layer 3 forwarding implements /128 for hosts, which is propagated with updates across the network. At a host level, nothing changes. It can use DHCP or other mechanisms to get its address. Now that we are using /128, we don’t need to use the IPv6 forwarding table for this prefix. Instead, we can put the /128 into IPv6 Neighbor Discovery ( ND ) entries.

This is how the ND cache is implemented on hardware-based platforms. There is no difference between ND entries and /128 host routes in the IPv6 routing table. The important point is that you can use ND entries instead of the IPv6 forwarding table, which by default has small table sizes on most platforms.

For example, the Juniper EX series can hold 32k ND entries but only 1k IPv6 entries. This design trick can significantly increase the number of hosts under an IPv6 microsegmentation design.

 

Data center network microsegmentation

Cisco dynamic fabric automation ( DFA )

Virtual Machine microsegmentation with Cisco DFA allows you to implement a VLAN per VM addressing scheme without worrying about VLAN sprawl and all those problems experienced with provisioning. More importantly, all layer 3 traffic is not terminated on the core switch but on the leaf switch. 
