Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation

This guide provides technical guidelines and recommendations for deploying protocols and technologies that improve the security of interdomain traffic exchange. These recommendations reduce the risk of accidental attacks (caused by misconfiguration) and malicious attacks in the routing control plane, and they help detect and prevent IP address spoofing and resulting DoS/DDoS attacks. These recommendations primarily cover protocols and techniques to be used in BGP routers. However, they also extend, in part, to other systems that support reachability on the internet (e.g., RPKI repositories, DNS, and other open internet services).

Technologies recommended in this document for securing interdomain routing control traffic include RPKI, BGP origin validation (BGP-OV), and prefix filtering. Additionally, technologies recommended for mitigating DoS/DDoS attacks include prevention of IP address spoofing using source address validation (SAV) with access control lists (ACLs) and unicast Reverse Path Forwarding (uRPF). Other technologies (including some application plane methods) such as remotely triggered black hole (RTBH) filtering, flow specification (Flowspec), and response rate limiting (RRL) are also recommended as part of the overall security mechanisms.

This document addresses many of the same concerns as highlighted in [CSRIC6-WG3] regarding BGP vulnerabilities and DoS/DDoS attacks but goes into greater technical depth in describing standards-based security mechanisms and providing specific security recommendations.