Operational Security of Internet Exchange Points (IXPs)
Overview
Internet Exchange Points (IXPs) are important elements of the overall Internet operational infrastructure. They are the foundation that allows shortest-path routing, limited network latency and flexible peering in regional areas. An IXP includes a significant number of network components which interact with users who have different levels of trust. Ensuring adequate operational security allows the IXP to provide stable, efficient and secure services to its users.
Core Infrastructure
BGP Operational Security
The Border Gateway Protocol (BGP) is the protocol used to exchange Internet routing information. RFC 7454 (BGP Operations and Security) provides an overview of measures to implement in order to better control the flow of routing information. As BGP is the core protocol used by IXPs and their members, strict application of RFC 7454 is recommended.
In addition, application of RFC 6192 (Protecting the Router Control Plane) is highly recommended for all (unicast and non-unicast) traffic destined to the core routers of the IXP infrastructure.
Network Management
Routers and switches are core components of IXP networks. Their security is also key to maintaining a good level of security within the IXP platform. The following recommendations should be considered:
- Storing and automatically keeping track of configuration changes of the routers and switches (e.g. rancid).
- Ensuring the integrity of firmware (e.g. ROMMON images, router and switch images), especially during the acquisition/procurement process, the download of new images and the upgrade process.
- In-band (and out-of-band) management must be properly filtered and restricted to a bastion host with additional authentication and encryption capabilities at the transport layer (e.g. even if you have SSH access with key authentication, we recommend using a dedicated encrypted tunnel).
- Authentication, Authorization and Accounting (AAA) is critical to your equipment configuration and to how access management is controlled. We strongly recommend having an extensive auditing mechanism that keeps a history of the commands executed on all IXP equipment.
Logging and Auditing
In the network management of an IXP, logging is a critical factor during incidents and debugging. An IXP should have a secure logging infrastructure that securely stores all the logs sent by the various network equipment (routers, switches).
IXP Customer Connectivity
Layer-2 security
Members of an IXP usually have layer-2 access to a switching component in order to reach the IXP service. Layer-2 connectivity introduces some significant security risks that need to be evaluated before connecting members' equipment. A clear separation between the core infrastructure and the layer-2 customer infrastructure can offer an additional layer of segregation.
The traffic in an IXP switched environment is mainly composed of unicast packets that are exchanged between members and some additional elements of the IXP (e.g. BGP route servers).
Adequate filtering on the members' ports and the switching backplane is required in order to allow only the layer-2 traffic required for the unicast packets to be routed according to the peering policies. Everything else should be dropped, including automatic assignment protocols (SLAAC, DHCP), layer-2 routing/topology protocols (STP, VTP, BPDU), network discovery protocols (CDP, EDP) and layer-2 flow control (Ethernet PAUSE frames).
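The drop policy above can be expressed as a frame classifier, for instance to audit a capture taken on a member port. This is an added example, not code from CIRCL or any IXP; the EtherType allow-list (IPv4, ARP, IPv6) and the sample frames are assumptions constructed for illustration.

```python
import struct

# Destination MACs of the layer-2 control protocols the text says to drop.
DROP_DST = {
    bytes.fromhex("0180c2000000"): "STP BPDU",
    bytes.fromhex("0180c2000001"): "Ethernet PAUSE",
    bytes.fromhex("01000ccccccc"): "CDP/VTP",
    bytes.fromhex("00e02b000000"): "EDP",
}
# Assumption: only these EtherTypes are needed for member peering traffic.
ALLOWED = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
DHCP_PORTS = {67, 68, 546, 547}  # DHCPv4 and DHCPv6
SLAAC_ICMP6 = {133, 134}         # Router Solicitation / Advertisement

def classify(frame: bytes):
    """Return (verdict, reason) for one untagged Ethernet frame."""
    if len(frame) < 14:
        return ("drop", "truncated frame")
    dst, etype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    if dst in DROP_DST:
        return ("drop", DROP_DST[dst])
    if etype not in ALLOWED:  # also catches 802.3 length fields and 0x8808
        return ("drop", f"ethertype/length 0x{etype:04x}")
    payload, proto, l4 = frame[14:], None, b""
    if etype == 0x0800 and len(payload) >= 20:
        if not (struct.unpack("!H", payload[6:8])[0] & 0x1FFF):  # first fragment
            proto, l4 = payload[9], payload[(payload[0] & 0x0F) * 4:]
    elif etype == 0x86DD and len(payload) >= 40:
        proto, l4 = payload[6], payload[40:]  # extension headers not walked
    if proto == 17 and len(l4) >= 4 and set(struct.unpack("!HH", l4[:4])) & DHCP_PORTS:
        return ("drop", "DHCP")
    if proto == 58 and l4 and l4[0] in SLAAC_ICMP6:
        return ("drop", "SLAAC router discovery")
    return ("permit", ALLOWED[etype])

# Constructed sample frames (not captured traffic); all addresses are made up.
def eth(dst, etype, payload=b""):
    return bytes.fromhex(dst) + bytes.fromhex("020000000001") + struct.pack("!H", etype) + payload
def ipv4(proto, l4):
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0)
    return hdr + bytes([192, 0, 2, 1, 192, 0, 2, 2]) + l4

SAMPLES = {
    "bgp": eth("020000000002", 0x0800, ipv4(6, struct.pack("!HH", 40000, 179))),
    "dhcp": eth("ffffffffffff", 0x0800, ipv4(17, struct.pack("!HH", 68, 67))),
    "pause": eth("0180c2000001", 0x8808, b"\x00\x01\xff\xff"),
    "stp": eth("0180c2000000", 0x0026),
}
for name, frame in SAMPLES.items():
    print(name, classify(frame))
```

VLAN-tagged frames are dropped as an unlisted EtherType here; an IXP that delivers tagged services would need to parse the 802.1Q header before applying the same checks.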
BGP Route Server and Reflector Security
BGP route servers are usually deployed within an IXP infrastructure to reduce the configuration complexity and operational overhead of maintaining peering agreements. Standard BGP security practices apply to BGP route servers deployed within the IXP infrastructure. Additional recommendations should also be considered, such as those in the Internet-Draft Internet Exchange BGP Route Server and especially its security considerations.
BGP route servers often run on commodity servers with Unix-like operating systems. Standard hardening practices must be strictly applied to those servers, and their management interfaces should be treated as part of the core infrastructure security.
References
- AMS-IX Port Configuration Hints
- Internet Exchange BGP Route Server
- Port security at AMS-IX
- RFC 7454 - BGP Operations and Security
- Spanning Tree Protocol and Ethernet PAUSE Frames DDoS Attacks: Their Efficient Mitigation
Revision
- version 0.1 (DRAFT) - 20160823 - CIRCL Computer Incident Response Center Luxembourg