VIET NAM NATIONAL UNIVERSITY, HO CHI MINH CITY
HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY
FACULTY OF COMPUTER SCIENCE & ENGINEERING

THESIS
BUILDING MONITORING TOOL FOR CORE NETWORK USING BGP PROTOCOL

MAJOR: COMPUTER ENGINEERING
INSTRUCTOR: PhD NGUYEN LE DUY LAI
REVIEWER: PhD NGUYEN DUC THAI
STUDENTS: NGUYEN DINH TUAN - 1552411, VO NAM HAI - 1652178

HO CHI MINH City, December 2021

Monitoring tool for BGP Protocol Page HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY

VIETNAM NATIONAL UNIVERSITY, HO CHI MINH CITY
HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY
SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness

GRADUATION THESIS ASSIGNMENT
FACULTY: Computer Science and Engineering
DEPARTMENT: Network Systems
Note: the student must attach this sheet to the first page of the thesis report.
FULL NAME: Võ Nam Hải   STUDENT ID: 1652178   MAJOR: Computer Science   CLASS: _
Thesis title:
(Vietnamese): Xây dựng công cụ giám sát mạng lõi sử dụng giao thức BGP
(English): Building monitoring tool for the core network using BGP protocol
Tasks (requirements on content and data):

Objectives: The BGP protocol has become a fundamental part of the operation and performance of the Internet. As the de facto Internet inter-domain routing protocol, BGP has a number of vulnerabilities and weaknesses. Monitoring BGP is an effective way to improve the security of inter-domain routing. In addition, Software-Defined Networking (SDN) appears with the idea of decoupling the vertically coupled architecture and reconstructing the Internet as a modular structure, and the Border Gateway Protocol (BGP) participates in transitioning existing networks to SDN. Therefore, it is obvious that we should undertake the BGP monitoring process when monitoring applications or services that are offered with the Internet as the basis of their communication.

Tasks:
- Get the background by studying the BGP protocol
- List the main challenges as far as BGP monitoring is concerned
- Raise problems that can be evaluated according to the fundamental processes of the BGP protocol
- Define the monitoring metrics and functionality to monitor BGP routing information on the routing device
- Propose a monitoring platform and build a monitoring tool for the BGP network
- Evaluate the real need for a possible monitoring scheme

Required results: Report and demo of monitoring tool operations.

Thesis assignment date: _/_/_   Completion date: _/_/_
Supervisor: 1) Dr. Nguyễn Lê Duy Lai, supervised content and requirements: 100%
Approved by the Department.
HEAD OF DEPARTMENT (signature, full name)   MAIN SUPERVISOR (signature, full name): Nguyễn Lê Duy Lai
FOR FACULTY AND DEPARTMENT USE: Reviewer (preliminary grading): _   Unit: _   Defense date: _   Final score: _   Thesis archived at: _

The same assignment sheet, with identical title, objectives, tasks, required results and supervisor (listed as 2) Dr. Nguyễn Lê Duy Lai), is issued for the second student: FULL NAME: Nguyễn Đình Tuấn   STUDENT ID: 1552411   MAJOR: Computer Science.

HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY
FACULTY OF COMPUTER SCIENCE AND ENGINEERING
SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness
24 December 2021

THESIS DEFENSE GRADING SHEET (for the supervisor/reviewer)
Students: Võ Nam Hải - student ID 1652178; Nguyễn Đình Tuấn - student ID 1552411
Major:
Topic: BUILDING MONITORING TOOL FOR CORE NETWORK USING BGP PROTOCOL
Supervisor/reviewer: Nguyễn Lê Duy Lai
Overview of the written report: pages: 64; chapters: _; data tables: _; figures: 53; references: 13; computational software: _; artefact (product): _
Overview of drawings: number of drawings: _; A1: _; A2: _; other sizes: _; hand-drawn: _; computer-drawn: _

Strengths of the thesis:
In this dissertation, the thesis has been studying BGP as well as the challenges of BGP monitoring. Some monitoring metrics and functionality to monitor BGP routing information on the routing devices are raised, such as peer_as, peer_ip, as_path and asn. The thesis presented how to design and build a monitoring tool for the BGP network following the Cooperative Information Sharing Model (CoISM). The implementation of the BGP Monitor tool helps in the identification of BGP IP prefix disputes and their categorization as BGP hijacking incidents. BGP Monitor then analyses BGP communications that have been archived in MRT files. This tool is evaluated with the number of prefix counts and the elapsed time for processing file dumps.

Shortcomings of the thesis:
However, the presented topic is still limited, including the inability to support more issues such as BGP route misconfigurations, route flapping, infrastructure failures and DDoS attacks. The tool built based on CoISM missed real-time processing. The thesis needs a more thorough survey of some of the most common BGP monitoring tools that deliver frequent updates, as often as each minute, giving users the most up-to-date information quickly and minimizing the delay needed to identify and respond to issues.

Recommendation: allowed to defend / supplement before defense / not allowed to defend
Questions the students must answer before the committee:
a. Why do BGP problems occur? Give some examples of BGP issues if someone starts to broadcast a duplicate address, or simply one that overlaps with an existing subnet.
b. In which ways can a route hijacking occur, deliberately or by accident?
c. How can a serious hijack case affect the entire Internet? (consequences of route hijacking)
Overall assessment (in words: excellent, good, average): _   Score: 7.5/10
Signature (full name): Nguyễn Lê Duy Lai

HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY
FACULTY OF COMPUTER SCIENCE AND ENGINEERING
SOCIALIST REPUBLIC OF VIETNAM
Independence - Freedom - Happiness

THESIS DEFENSE GRADING SHEET
Students: Nguyễn Đình Tuấn - student ID 1552411; Võ Nam Hải - student ID 1652178
Major: Computer Engineering
Topic: Building Monitoring Tool For Core Network Using BGP Protocol
Reviewer: Nguyễn Đức Thái
Overview of the written report: pages: _; chapters: _; data tables: _; figures: _; references: _; computational software: _; artefact (product): _
Overview of drawings: number of drawings: _; A1: _; A2: _; other sizes: _; hand-drawn: _; computer-drawn: _

Strengths of the thesis:
Students completed a monitoring tool and demonstrated it.

Shortcomings of the thesis:
- Thesis organization: chapter and section numbering problem, spelling problem; section titles not ...
- The Introduction chapter does not contain any aim and objectives.
- Students focused on building a monitoring tool (a software), but did not follow the software development life cycle (requirement analysis, design, development, testing, ...).
- Students did not evaluate the built monitoring tool.

Recommendation: [x] allowed to defend   [ ] supplement before defense   [ ] not allowed to defend
Questions the students must answer before the committee:
a. Briefly describe the BGP protocol, and provide the contribution of your work.
b. Show the functionalities of your software (monitoring tool) and describe them.
c. Prove that your software works properly.
Overall assessment (in words: excellent, good, average): average   Score: 5/10
Signature (full name): Nguyễn Đức Thái

COMMITMENT
The team warrants that everything presented in the report is the work of the team itself, except for the cited reference knowledge as well as the sample source code provided by the manufacturer itself, and is completely not copied from any other
source. If the commitment is contrary to the truth, the group would like to take all responsibility before the Dean of the Faculty and the School Rector.
Nguyen Dinh Tuan, Vo Nam Hai

(List of BGP4MP subtypes, continued from the previous page:)
- BGP4MP_MESSAGE_AS4
- BGP4MP_STATE_CHANGE_AS4
- BGP4MP_MESSAGE_LOCAL
- BGP4MP_MESSAGE_AS4_LOCAL

4.4.1 BGP4MP_STATE_CHANGE Subtype:
The BGP finite state machine (FSM) uses this message to encode changes in state. To identify the prior and current state of the BGP FSM, the Old State and New State fields are encoded. The Peer AS Number may be ambiguous in some circumstances; in those cases this field's value MAY be set to zero. Below is an example of the format:
Figure 18 BGP4MP_STATE_CHANGE Subtype
The Old State and New State values are both encoded as 2-octet numbers. The state values are numerically specified as follows:
1 Idle
2 Connect
3 Active
4 OpenSent
5 OpenConfirm
6 Established
The Interface Index and Address Family fields are likewise included in the BGP4MP_STATE_CHANGE message. The interface number of the peering session is provided via the Interface Index; the index value is OPTIONAL and may be zero if unknown or unsupported. The Address Family identifies the kind of addresses that may be found in the address fields. The following AFI types are currently supported:
1 AFI_IPv4
2 AFI_IPv6

4.4.2 BGP4MP_MESSAGE Subtype:
BGP messages are encoded using this subtype; any type of BGP message can be encoded with it. The complete BGP message, including the 16-octet marker, 2-octet length and 1-octet type fields, is wrapped in the BGP Message field. 4-byte AS numbers are not supported by the BGP4MP_MESSAGE subtype: only 2-byte AS numbers may be used in the AS_PATH of these messages. The BGP4MP_MESSAGE_AS4 subtype adds support for 4-byte AS numbers to the BGP4MP_MESSAGE subtype. The BGP4MP_MESSAGE fields are the following:
Figure 19 BGP4MP_MESSAGE Subtype
The interface number of the peering session is provided via the Interface Index; the index value is OPTIONAL and may be zero if unknown or unsupported. The Address Family specifies the kind of addresses that appear in the following address fields; the supported AFI types are again 1 AFI_IPv4 and 2 AFI_IPv6. Only the IP addresses in the MRT header are affected by the Address Family value: the contents of the actual message, which may carry any acceptable AFI/SAFI values, are otherwise transparent to the BGP4MP_MESSAGE subtype. Exactly one BGP message MUST be encoded in a BGP4MP_MESSAGE record.

4.4.3 BGP4MP_MESSAGE_AS4 Subtype:
This subtype adds support for 4-byte AS numbers to the BGP4MP_MESSAGE subtype and is similar to it in all other respects. The AS_PATH of these messages must only contain 4-byte AS numbers. The BGP4MP_MESSAGE_AS4 fields are the following:
Figure 20 BGP4MP_MESSAGE_AS4 Subtype

4.4.4 BGP4MP_STATE_CHANGE_AS4 Subtype:
This subtype adds support for 4-byte AS numbers to the BGP4MP_STATE_CHANGE subtype. The BGP FSM states are encoded in the Old State and New State fields, just as in BGP4MP_STATE_CHANGE, to denote the prior and current state. The subtype is otherwise identical to BGP4MP_STATE_CHANGE except that the Peer AS Number and Local AS Number fields are four bytes wide. The BGP4MP_STATE_CHANGE_AS4 fields are the following:
Figure 21 BGP4MP_STATE_CHANGE_AS4 Subtype

4.4.5 BGP4MP_MESSAGE_LOCAL Subtype:
In a passive route collector role, MRT implementations have mostly focused on collecting remotely produced BGP messages. However, in active BGP systems, archiving locally generated BGP messages in addition to remote messages might be beneficial. This subtype was added to signify a BGP message that was created locally. The Peer and Local IP and AS fields are the same as in the BGP4MP_MESSAGE subtype: the Peer IP and AS fields correspond to the recipient of the produced BGP messages, while the Local fields refer to the collector's local IP and AS number.

4.4.6 BGP4MP_MESSAGE_AS4_LOCAL Subtype:
This subtype, like BGP4MP_MESSAGE_LOCAL, denotes locally created messages. It has the same fields as the BGP4MP_MESSAGE_AS4 subtype.

4.5 ISIS Type:
The ISIS type does not have a type-specific header, and its subtype code is undefined. The ISIS PDU directly follows the MRT Common Header fields.

4.6 OSPFv3 Type:
For the OSPFv3 protocol, the OSPFv3 type extends the original OSPFv2 type to include IPv6 addresses. The MRT Message field for the OSPFv3 type has the following format:
Figure 22 OSPFv3 Type

IANA Considerations:
Type Codes and Subtype Codes are the two name spaces that have been registered for MRT. Each Type Code and Subtype Code is 16 bits long. MRT is not meant to be a general-purpose protocol information export standard, and no allocations should be made for reasons other than routing protocol information export. The terms "Specification Required," "IETF Consensus," "Experimental Use," and "First Come First Served" are used here with their usual definitions.
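The BGP4MP record layouts described in 4.4.1 to 4.4.4, as an added Python example that is not code from the thesis or from the BGP Monitor tool: it walks a byte string of MRT records, decodes the Peer AS / Local AS / Interface Index / AFI / Peer IP / Local IP header, and then either the Old State / New State pair or the wrapped BGP message, checking the 16-octet marker and that the BGP Length field matches the record. It goes beyond the text by handling both the 2-byte and 4-byte AS subtypes; the type, subtype, state and AFI numbers are those of RFC 6396, while the sample records, the AS numbers 64500/64501 and the 192.0.2.x addresses are constructed.

```python
import struct
from ipaddress import ip_address

# MRT type and BGP4MP subtype codes, FSM state numbers and AFI values are those of RFC 6396.
BGP4MP = 16
SUBTYPES = {0: "BGP4MP_STATE_CHANGE", 1: "BGP4MP_MESSAGE",
            4: "BGP4MP_MESSAGE_AS4", 5: "BGP4MP_STATE_CHANGE_AS4",
            6: "BGP4MP_MESSAGE_LOCAL", 7: "BGP4MP_MESSAGE_AS4_LOCAL"}
FOUR_BYTE_AS = {4, 5, 7}   # subtypes whose Peer AS / Local AS fields are 4 octets wide
STATE_CHANGE = {0, 5}      # subtypes carrying Old State / New State instead of a BGP message
FSM_STATES = {1: "Idle", 2: "Connect", 3: "Active",
              4: "OpenSent", 5: "OpenConfirm", 6: "Established"}
AFI_LEN = {1: 4, 2: 16}    # AFI_IPv4 -> 4-octet addresses, AFI_IPv6 -> 16-octet addresses
BGP_MARKER = b"\xff" * 16
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}

def parse_mrt(data):
    """Return parsed records from bytes holding consecutive MRT records."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError("truncated MRT common header")
        ts, mtype, subtype, length = struct.unpack_from(">IHHI", data, off)
        body = data[off + 12:off + 12 + length]
        if len(body) != length:
            raise ValueError("MRT record body shorter than its Length field")
        off += 12 + length
        if mtype == BGP4MP and subtype in SUBTYPES:
            records.append(parse_bgp4mp(ts, subtype, body))
        else:  # other types (TABLE_DUMP_V2, ISIS, OSPFv3, ...) are kept opaque here
            records.append({"timestamp": ts, "type": mtype, "subtype": subtype, "raw": body})
    return records

def parse_bgp4mp(ts, subtype, body):
    """Decode the BGP4MP type-specific header, then the state change or the wrapped BGP message."""
    as_fmt = ">II" if subtype in FOUR_BYTE_AS else ">HH"
    peer_as, local_as = struct.unpack_from(as_fmt, body, 0)
    pos = struct.calcsize(as_fmt)
    ifindex, afi = struct.unpack_from(">HH", body, pos)
    pos += 4
    alen = AFI_LEN[afi]  # KeyError for an AFI other than IPv4/IPv6
    peer_ip, local_ip = ip_address(body[pos:pos + alen]), ip_address(body[pos + alen:pos + 2 * alen])
    pos += 2 * alen
    rec = {"timestamp": ts, "subtype": SUBTYPES[subtype], "peer_as": peer_as, "local_as": local_as,
           "ifindex": ifindex, "afi": afi, "peer_ip": str(peer_ip), "local_ip": str(local_ip)}
    if subtype in STATE_CHANGE:
        old, new = struct.unpack_from(">HH", body, pos)
        rec["old_state"], rec["new_state"] = FSM_STATES[old], FSM_STATES[new]
    else:
        msg = body[pos:]  # exactly one whole BGP message: 16-octet marker, 2-octet length, 1-octet type
        if msg[:16] != BGP_MARKER:
            raise ValueError("BGP marker missing in BGP4MP message record")
        bgp_len, bgp_type = struct.unpack_from(">HB", msg, 16)
        if bgp_len != len(msg):
            raise ValueError("BGP Length field disagrees with the MRT record length")
        rec["bgp_type"] = BGP_TYPES.get(bgp_type, bgp_type)
        rec["bgp_payload"] = msg[19:]
    return rec

def mrt_record(ts, subtype, body):
    """Constructed helper: prepend the 12-octet MRT common header to a record body."""
    return struct.pack(">IHHI", ts, BGP4MP, subtype, len(body)) + body

# Constructed sample: IPv4 peering, peer AS 64500 at 192.0.2.1, collector AS 64501 at 192.0.2.2.
_IPS = bytes([192, 0, 2, 1]) + bytes([192, 0, 2, 2])
_AS4_HDR = struct.pack(">IIHH", 64500, 64501, 0, 1) + _IPS
_AS2_HDR = struct.pack(">HHHH", 64500, 64501, 0, 1) + _IPS
SAMPLE = (mrt_record(1640304000, 5, _AS4_HDR + struct.pack(">HH", 5, 6))                 # OpenConfirm -> Established
          + mrt_record(1640304001, 4, _AS4_HDR + BGP_MARKER + struct.pack(">HB", 19, 4))  # a 19-octet KEEPALIVE
          + mrt_record(1640304002, 0, _AS2_HDR + struct.pack(">HH", 6, 1)))               # 2-byte-AS state change
```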
Assignments are made up of two parts: a name and a value.

Security Considerations:
The MRT format makes use of a structure for storing routing protocol data. The fields given in the MRT standard are descriptive in nature and provide information that can help with routing data analysis. As a result, the fields described in the MRT standard do not pose any extra security risks, since they are not used to cause the recipient application to behave in a certain way.
Some of the data in an MRT data structure may be deemed confidential or sensitive. A BGP peer sending a message to an MRT-enabled router, for example, would not anticipate the message being shared outside of the AS to which it was delivered. BGP peer IP addresses, BGP Next Hop IP addresses and BGP path attributes are examples of sensitive information; this data might be used to launch attacks on the BGP protocol and routing infrastructure. An organization that wishes to use the MRT structure to export routing information outside of the domain where it is ordinarily available (e.g., publishing MRT dumps for researchers) should check with any peers whose information could be included, and potentially delete sensitive fields. The proposed MRT geolocation extension might expose the whereabouts of MRT router peers.

II Implementation:
BGP Monitor is a tool that aids in the identification of BGP IP prefix disputes and their categorization as BGP hijacking incidents. The phrase prefix hijacking refers to an incident in which an AS, known as the hijacking AS, illegitimately advertises a prefix that is equal to or more specific than a prefix allocated to another AS, known as the hijacked AS. Typically, BGP Monitor analyses BGP communications that have been archived in MRT files. The MRT files used throughout the demonstration are acquired from RIPE RIS, a data archive project that also focuses on BGP data collection. These files are produced periodically, giving the latest data about the BGP traffic the project covers. In order to use this data, an MRT parser must also be installed; some examples are bgpreader, pyBGPdump and the pyRT parser toolkit. BGP Monitor has an MRT parser built in, and also presents the results as JSON tables. Additionally, BGP Monitor converts BGP messages into its own form. Here is the initial interface of BGP Monitor:
(screenshot)

The analyzer has the following additional options:
- log: messages (normally presented in the output area) are written to a log file located at results/results/output.log
- disable: disable the check of the RIS filename format. When this option is selected, the program skips checking whether the file follows the RIS filename format.
- help: display information about the options provided by the program
- jobs: number of jobs that will process the MRT file; this can accelerate the analysis

To start analyzing, first choose (screenshot). Next, choose (screenshot) to complete:
(screenshot)
The jobs will start together to process the file. There will be multiple lines of the same content, implying that multiprocessing is in progress:
(screenshot)

At the bottom of the app, there are three options to show the results:
- Routes: shows the route table information from the BGP collector:
  (screenshot)
  timestamp: when the announce was received (UTC timestamp)
  collector: which BGP collector received the announce
  peer_as and peer_ip: which BGP peer received the announce
  action: status of the BGP peer (A active; W waiting)
  as_path: AS areas that the BGP peer has traversed
  asn: AS number of the BGP peer
- Detected Hijacking: shows the potential conflicts that have been detected by the monitor:
  (screenshot)
  timestamp: when the announce was received (UTC timestamp)
  collector: which BGP collector received the announce
  peer_as and peer_ip: which BGP peer received the announce
  announce: information about the announce
    type: either U if the announce was received from a BGP update, or F if it was from a BGP full view
  conflict_with: information about the RIB entry conflicting with the announce
    valid: route objects or ROA on the couple prefix & asn
- Go to result folder: shows the location of the resulting file:
  (screenshot)

CHAPTER V: CONCLUSION
Contents
I Conclusion 63
II Reference 64

I Conclusion:
In this work, we aim to get a deep understanding of how the BGP protocol works so that we can provide detailed monitoring information. Besides, we have also learned more about BGP monitoring tools. This research has helped us understand the importance of teamwork and improve our thinking ability and coding skills.
During the development of this project, we encountered several drawbacks. We do not have access to a sufficient network system to test our program's performance. Most of our test data comes from the Internet which, after being processed, may not provide very useful information overall. The monitoring tool may also contain bugs that we did not have enough time to test for. Also, because of COVID-19, teamwork efficiency was not as good as we had expected; therefore the program still lacks many features that we had planned. The analyzer also cannot run in real time, as it requires MRT files to operate.
Future updates of the monitor will hopefully alleviate the aforementioned problems, including testing with data from other collectors, performing in semi-real time or real time, a better presentation of the analyzed data using diagrams along with tables, and fixing potential bugs. We also hope to develop the application further to add an automatic blocking feature for bogus BGP routes based on the data being analyzed.
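The prefix-conflict check behind the Detected Hijacking table of the Implementation section (an announce whose prefix equals or is more specific than an existing RIB entry but carries a different origin AS, with a validity flag on each prefix/asn couple), as an added Python example that is not the BGP Monitor tool's own code. The RIB entries, the ROA table, the announce dict layout and the "verdict" classification rule are assumptions; the prefixes are RFC 5737 documentation networks and the AS numbers are documentation/private-use values.

```python
from ipaddress import ip_network

# Constructed RIB (routes the collector already holds) and ROA table. Prefixes are RFC 5737
# documentation networks; ASNs are from the documentation/private-use ranges.
RIB = [
    {"prefix": "198.51.100.0/24", "asn": 64496, "as_path": [64501, 64496]},
    {"prefix": "203.0.113.0/24", "asn": 64497, "as_path": [64501, 64497]},
]
ROA_TABLE = [("198.51.100.0/24", 64496, 24)]   # (prefix, authorised origin ASN, maxLength)

def roa_state(roa_table, prefix, asn):
    """RPKI origin validation of a (prefix, asn) couple: valid, invalid, or unknown if no ROA covers it."""
    net = ip_network(prefix)
    covered = False
    for roa_prefix, roa_asn, maxlen in roa_table:
        roa_net = ip_network(roa_prefix)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covered = True
            if roa_asn == asn and net.prefixlen <= maxlen:
                return "valid"
    return "invalid" if covered else "unknown"

def find_conflicts(rib, announce, roa_table):
    """Report RIB entries whose prefix equals or covers the announced prefix but has a different origin.

    announce carries the fields of the tool's Routes table: timestamp, collector, peer_as, peer_ip,
    prefix, as_path, asn (origin AS) and type (U = from a BGP update, F = from a full view).
    """
    net = ip_network(announce["prefix"])
    results = []
    for entry in rib:
        rnet = ip_network(entry["prefix"])
        if rnet.version != net.version or entry["asn"] == announce["asn"]:
            continue
        if net.subnet_of(rnet):  # equal to, or more specific than, the existing entry
            ann_valid = roa_state(roa_table, announce["prefix"], announce["asn"])
            rib_valid = roa_state(roa_table, entry["prefix"], entry["asn"])
            # Assumed classification rule (not the thesis's): an origin that is ROA-invalid while the
            # existing entry is ROA-valid is reported as a hijack; anything else stays a conflict to review.
            verdict = "hijack" if ann_valid == "invalid" and rib_valid == "valid" else "conflict"
            results.append({
                "timestamp": announce["timestamp"], "collector": announce["collector"],
                "peer_as": announce["peer_as"], "peer_ip": announce["peer_ip"],
                "announce": {"prefix": announce["prefix"], "asn": announce["asn"],
                             "type": announce["type"], "valid": ann_valid},
                "conflict_with": {"prefix": entry["prefix"], "asn": entry["asn"], "valid": rib_valid},
                "verdict": verdict,
            })
    return results

# Constructed announce: AS 64511 originates a /25 inside 198.51.100.0/24, seen via peer AS 64500.
MORE_SPECIFIC = {"timestamp": 1640304000, "collector": "rrc00", "peer_as": 64500,
                 "peer_ip": "192.0.2.1", "prefix": "198.51.100.0/25",
                 "as_path": [64500, 64511], "asn": 64511, "type": "U"}

if __name__ == "__main__":
    for hit in find_conflicts(RIB, MORE_SPECIFIC, ROA_TABLE):
        print(hit)
```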