Routing

Expand all | Collapse all

Configure BGP to only be allowed from specific peers

Jump to Best Answer
  • 1.  Configure BGP to only be allowed from specific peers

     
    Posted 04-16-2018 06:47

    Hi,

     

    Couple of questions:

     

    1: Could someone let me know how I can configure BGP to only allow updates from specified peers please?

    2: Is "Graceful restart" a good option to configure?

     

    Thanks



  • 2.  RE: Configure BGP to only be allowed from specific peers

    Posted 04-16-2018 06:58
    1: Could someone let me know how I can configure BGP to only allow updates from specified peers please?
    Yes, You can apply import-policy and accept update from specific peer only.

    2: Is "Graceful restart" a good option to configure?
    Yes, it helps retains the forwarding plane working while control plane (protocol) restart and sync the previous control plane info from it’s peers.


  • 3.  RE: Configure BGP to only be allowed from specific peers

     
    Posted 04-16-2018 08:28

    So, to help others, I will configure the following:

     

    set firewall family inet filter bgpfilter_179 term 1 from source-address <peer address required>  

    set firewall family inet filter bgpfilter_179 term 1 from source-address <peer address required> - if more than 1 peer

    set firewall family inet filter bgpfilter_179 term 1 from destination-port bgp

    set firewall family inet filter bgpfilter_179 term 1 then accept

    set firewall family inet filter bgpfilter_179 tem 2 then reject

    set interfaces lo0 unit 2 family inet filter input bgpfilter_179

     

    Thanks for the help Kingsman

     



  • 4.  RE: Configure BGP to only be allowed from specific peers

    Posted 04-16-2018 21:43

    Hello,


    @adgwytc wrote:

    So, to help others, I will configure the following:

     

    set firewall family inet filter bgpfilter_179 term 1 from source-address <peer address required>  

    set firewall family inet filter bgpfilter_179 term 1 from source-address <peer address required> - if more than 1 peer

    set firewall family inet filter bgpfilter_179 term 1 from destination-port bgp

    set firewall family inet filter bgpfilter_179 term 1 then accept

    set firewall family inet filter bgpfilter_179 tem 2 then reject

    set protocols bgp group external-peers import bgpfilter_179

     

     

     


    This config won't commit.

    One cannot assign firewall filters to BGP peers, You have to use a policy:

     

    set policy-options policy-statement deny-all then reject
    set protocols bgp group BLAH neighbor 203.0.113.1 import deny-all

    HTH

    Thx
    Alex

     



  • 5.  RE: Configure BGP to only be allowed from specific peers

     
    Posted 04-17-2018 01:44

    Well, that's rather confusing from the Juniper documentation then.

     

    https://www.juniper.net/documentation/en_US/junos/topics/example/firewall-filter-stateless-example-flood-prevention-block-tcp-port-access.html

     

    As a quick question then (given that the firewall option is the documentation I can find) how do I only allow from specified peers and deny all others. The policy you have written seems to deny all... or is the following line saying deny-all except from this peer:

     

    set protocols bgp group BLAH neighbor 203.0.113.1 import deny-all

     

    Apologies if this sounds like a silly question.

     

     



  • 6.  RE: Configure BGP to only be allowed from specific peers

    Posted 04-17-2018 01:59
    You apply the policy to the neighbor.. the policy will reject all the routes received from that particular peer.


  • 7.  RE: Configure BGP to only be allowed from specific peers

     
    Posted 04-17-2018 02:04

    Hi Kingsman,

     

    Sorry, I probably need to reword the question:

     

    I do not know what addresses will be trying to compromise the BGP port 179, so, I need to accept from 1 peer and block all other possible peers. How can I achieve this?

     

    The documentation states to use the firewall filter and apply to the group and the loopback interface, but I am now being informed this will not work. 



  • 8.  RE: Configure BGP to only be allowed from specific peers

    Posted 04-17-2018 02:09

    Here’s the confusion:

    Do you want to receive the update from a specific peer? or want to form a BGP neighborship/peering with a specific peer only?

     

    If you have let's say 3 bgp neighbor ( A,B,C) and want to receive the update from peer A only, you can apply a deny-all import policy to peer B and peer C which will cause BGP to accept routes from A only.

     

    to allow port 179 for specific source/destination, you need to create a firewall filter and apply it on lo0.

     

     



  • 9.  RE: Configure BGP to only be allowed from specific peers

     
    Posted 04-17-2018 02:21

    Hi Kingsman,

     

    We already have the peer relationship as "Established"..... what I need to ensure is that we only receive advertised routes from that particular peer. 

     

    The peer is an upstream PE device from another ISP and is the only "trusted" peer we want to connect to port 179 and send advertisements of the Internet Routing table. We do not want any other, probable compromising device, attempting to connect to port 179 and send rogue routes that could lead to DoS attacks.

     

    Your line that states:

    to allow port 179 for specific source/destination, you need to create a firewall filter and apply it on lo0.

     

    Is what I have written above and then informed it won't work.

     

    Thanks



  • 10.  RE: Configure BGP to only be allowed from specific peers

     
    Posted 04-17-2018 02:32

    Thanks Kingsman and aarseniev for the help. Very much appreciated.....

     

    My apologies aaarseniev, I mis-read your response. You merely stated it would not commit because I wrote the line wrong. I meant to state the loopback but instead stated assigning to the peer group.... my bad.

     

    I'll configure both options and test and see which suits our situation best.

     

     



  • 11.  RE: Configure BGP to only be allowed from specific peers

     
    Posted 08-21-2018 09:10

    Apologies gentlemen.

     

    I am re-opening this because I cannot get anything to work. A scan will still connect from another "fabricated" peer.

     

    Again, to summarise:

     

    I have "one" upstream peer only that I have in an "established state". This is the ONLY peer I want to be able to peer with or appear to peer with. If I do not know addresses of anyone else trying to compromise the peering address how can I stop everyone else from trying to peer?

     

    I have tried Policy and Firewall and neither work (by the way, the peering is with the physical interface and not the loopback as per the upstream peers request).

     

    I understand the advice of "if you have 3 peers and want to block 2 of them".... but this is not the case. I simply want allow bgp peering to "1" address only and block any other possible connection attempts. 

     



  • 12.  RE: Configure BGP to only be allowed from specific peers

    Posted 08-21-2018 13:41

    Hello there,


    @adgwytc wrote:

     

    Again, to summarise:

     

    I have "one" upstream peer only that I have in an "established state". This is the ONLY peer I want to be able to peer with or appear to peer with. If I do not know addresses of anyone else trying to compromise the peering address how can I stop everyone else from trying to peer?

     

     


    If You define only 1 BGP peer then absent the loopback filter all other attempts to connect to tcp/179 will be dropped & logged. Is it not enough for You then?

     

     


    @adgwytc wrote:

     

    I have tried Policy and Firewall and neither work (by the way, the peering is with the physical interface and not the loopback as per the upstream peers request).

     

     


     Please show us then what exactly is not working and how You tested it.

    Generally speaking, Your options are (in order of increased security):

    1/ define only 1 peer without authentication - all connection attempts to tcp/179 will be dropped & logged by RPD EXCEPT for from spoofed src IP == Your peer IP

    2/ define only 1 peer WITH authentication - all connection attempts to tcp/179 will be dropped & logged  by RPD INCLUDING  from spoofed src IP == Your peer IP if that spoofed IP uses wrong password or no password

    3/  define only 1 peer with authentication & adjust loopback filter to allow tcp/179 ONLY from Your peer src ip - all connection attempts to tcp/179 will be dropped & optionally logged by that filter and connection attempts  from spoofed src IP == Your peer IP && wrong password will be logged by RPD. You have to exercise caution with this filter since BGP connection can be initiated from either side unless one side is configured as passive.

    4/ most secure - define only 1 peer with authentication & use GTSM (if Your peer supports it) & adjust loopback filter as above. 

    JUNOS BGP GTSM reading:

    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/ttl-edit-protocols-bgp-mulithop.html

    HTH

    Thx

    Alex



  • 13.  RE: Configure BGP to only be allowed from specific peers

     
    Posted 08-22-2018 01:13

    Thanks Alex. I'll give this a try, but for info here is the configuration and result (IP's Changed):

     

    set firewall family inet filter bgpfilter-179 term 1 from source-address 10.10.10.10/32
    set firewall family inet filter bgpfilter-179 term 1 from destination-address 10.10.10.11/32
    set firewall family inet filter bgpfilter-179 term 1 from destination-port bgp
    set firewall family inet filter bgpfilter-179 term 1 from destination-port 179
    set firewall family inet filter bgpfilter-179 term 1 then accept
    set firewall family inet filter bgpfilter-179 term 2 then discard

    set interfaces xe-1/2/5 unit 0 family inet filter input-list bgpfilter-179

     

    I would expect, with this filter applied to the interface that, for example, the Cymru Bogon peering would drop, but it does not, as is shown below:

     

    Peer: 38.229.6.20+41099 AS 15895 Local: 10.10.10.11+179 AS 111111
      Description: cymru fullbogon bgp feed (ipv4 + 6)
      Group: cymru-bogons          Routing-Instance: master
      Forwarding routing-instance: master
      Type: External    State: Established    Flags: <Sync RSync>

     

    As can be seen, it is still in established. So the firewall filter does not work. 

     

    If I place the "deny-all" policy statement in the group, will that not stop the actual peer too?



  • 14.  RE: Configure BGP to only be allowed from specific peers

    Posted 08-22-2018 01:57

    Hello,


    @adgwytc wrote:

     <skip>

     

    set interfaces xe-1/2/5 unit 0 family inet filter input-list bgpfilter-179

     

    <skip>

     

    I would expect, with this filter applied to the interface that, for example, the Cymru Bogon peering would drop, but it does not, as is shown below:

     

    Peer: 38.229.6.20+41099 AS 15895 Local: 10.10.10.11+179 AS 111111
    <skip>

     

    As can be seen, it is still in established. So the firewall filter does not work. 

     

     


    Are You sure the Team Cymru tcp/179 connection arrives into Your router via interface xe-1/2/5 .0?

    Please share the printout:

     

    monitor traffic interface xe-1/2/5.0 no-resolve size 9999 matching tcp

     

    Also, did You wait long enough after applying the filter? The BGP holdtime is usually 180 secs/3 mins.

    HTH

    Thx

    Alex



  • 15.  RE: Configure BGP to only be allowed from specific peers

     
    Posted 08-22-2018 02:20

    Hi Alex,


    We only have the one outbound connection via upstream ISP and all peers come in on that interface. If they come in anywhere else then some form of "Harry Potter" is occurring 🙂

     

    Here is Cymru Bogon peering still established and still receiving updates:

    Listening on xe-1/2/5.0, capture size 9999 bytes

    09:13:57.004970 In IP 38.229.6.20.41099 > 10.10.10.10: P 3549443539:3549443558(19)

    09:13:57.105476 Out IP 10.10.10.10 > 38.229.6.20.41099: . ack 19 win 16384

     

    The filter is still applied to the interface as follows (we tried different methods and none were successful):

    set firewall family inet filter bgpfilter-179 term 1 from source-address 10.10.10.10/32
    set firewall family inet filter bgpfilter-179 term 1 from destination-address 10.10.10.11/32
    set firewall family inet filter bgpfilter-179 term 1 from destination-port bgp
    set firewall family inet filter bgpfilter-179 term 1 from destination-port 179
    set firewall family inet filter bgpfilter-179 term 1 then accept
    set firewall family inet filter bgpfilter-179 term 2 from source-address 0.0.0.0/0
    set firewall family inet filter bgpfilter-179 term 2 from destination-address 11.11.11.11/32
    set firewall family inet filter bgpfilter-179 term 2 from destination-port bgp
    set firewall family inet filter bgpfilter-179 term 2 from destination-port 179
    set firewall family inet filter bgpfilter-179 term 2 then discard

    set interfaces xe-1/2/5 unit 0 family inet filter input-list bgpfilter-179

     

    Not sure why it is not working



  • 16.  RE: Configure BGP to only be allowed from specific peers
    Best Answer

    Posted 08-22-2018 02:41

    Hello,

    I see You have input-list, are there any other filters there before bgpfilter-179? Please make sure bgpfilter-179 is the leftmost in this input-list.

    If there is only 1 filter in the input-list, then please reconfigure Your filter as follows, re-test and report back:

    set firewall family inet filter bgpfilter-179 term 1 from source-address <your peer IP address>
    set firewall family inet filter bgpfilter-179 term 1 from destination-address <your own peering IP>
    set firewall family inet filter bgpfilter-179 term 1 from protocol tcp
    set firewall family inet filter bgpfilter-179 term 1 from destination-port 179
    set firewall family inet filter bgpfilter-179 term 1 then accept
    set firewall family inet filter bgpfilter-179 term 1 then count peer-pkts
    set firewall family inet filter bgpfilter-179 term 2 from source-address 0.0.0.0/0
    set firewall family inet filter bgpfilter-179 term 2 from destination-address <your own peering IP>
    set firewall family inet filter bgpfilter-179 term 2 from protocol tcp
    set firewall family inet filter bgpfilter-179 term 2 from destination-port 179
    set firewall family inet filter bgpfilter-179 term 2 then discard
    set firewall family inet filter bgpfilter-179 term 2 then log
    set firewall family inet filter bgpfilter-179 term 3 then accept
    set interfaces xe-1/2/5 unit 0 family inet filter input bgpfilter-179

     

    HTH

    Thx
    Alex



  • 17.  RE: Configure BGP to only be allowed from specific peers

     
    Posted 08-22-2018 03:50

    Hi Alex,

     

    I did not know that input-lists for filters were order prevailant. Now I know (this is the first input-list I have needed)... 🙂

     

    I kept the original configuration and changed the order of the filters as per your recommendation and now the scan appears as "Filtered" rather than "open"....  I am happy with this. Thank you.

     

    Unfortunately I could not use your configuration because it allowed the second filter for SSH to suddenly show as "open" on a scan.... possibly because the position was moved within the list. 

     

    I could, theoretically, just create one long filter including both the bgp and the SSH and apply it to the interface, but I think we are happy keeping them separate.

     

    Again, thank you for your help.



  • 18.  RE: Configure BGP to only be allowed from specific peers

    Posted 04-16-2018 07:57

    Hello,


    @adgwytc wrote:

    Hi,

     

     

    2: Is "Graceful restart" a good option to configure?

     

    Thanks


    Yes if You have no better choice (i.e. SRX cluster where NSR is not supported).

    No, if You use BFD - BGP GR is aborted if BFD times out as per RFC 4724 section 4.2

    HTH

    Thx

    Alex