How to Secure Routing Header for Segment Routing?

Slides:

Advertisements

Similar presentations

RIP V2 W.lilakiatsakun.  RFC 2453 (obsoletes –RFC 1723 /1388)  Extension of RIP v1 (Classful routing protocol)  Classless routing protocol –VLSM is.

Advertisements

Introduction to IPv6 Presented by: Minal Mishra. Agenda IP Network Addressing IP Network Addressing Classful IP addressing Classful IP addressing Techniques.

1 Introduction to Mobile IPv6 IIS5711: Mobile Computing Mobile Computing and Broadband Networking Laboratory CIS, NCTU.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

The Future of TCP/IP Always evolving: –New computer and communication technologies More powerful PCs, portables, PDAs ATM, packet-radio, fiber optic, satellite,

Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.

IP Fragmentation. MTU Maximum Transmission Unit (MTU) –Largest IP packet a network will accept –Arriving IP packet may be larger IP Packet MTU.

Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.

Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.

Chapter 20 Network Layer: Internet Protocol Stephen Kim 20.1.

UNIT-IV Computer Network Network Layer. Network Layer Prepared by - ROHIT KOSHTA In the seven-layer OSI model of computer networking, the network layer.

Lesson 4 The IPv6 Header.

Network Layer Packet Forwarding IS250 Spring 2010

A Study of Mobile IP Kunal Ganguly Wichita State University CS843 – Distributed Computing.

1 Version Traffic Class Flow Label Payload Length Next Header Hop Limit Source Address Destination Address IPv6 Header.

Oct 19, 2004CS573: Network Protocols and Standards1 IP: Datagram and Addressing Network Protocols and Standards Autumn

1Group 07 IPv6 2 1.ET/06/ ET/06/ ET/06/ EE/06/ EE/06/ EE/06/6473 Group 07 IPv6.

Internet Protocol (IP)

TELE202 Lecture 9 Internet Protocols (1) 1 Lecturer Dr Z. Huang Overview ¥Last Lecture »Congestion control »Source: chapter 12 ¥This Lecture »Internet.

ROUTER Routers have the following components: CPU NVRAM RAM ROM (FLASH) IOS Cisco 2800 Series Router.

Unicast Routing Protocols  A routing protocol is a combination of rules and procedures that lets routers in the internet inform each other of changes.

Segment Routing with IPv6 Eric Vyncke Distinguished Engineer – Cisco Systems September, 2014 Leveraging IPv6 extension header for traffic.

© 2009 Pearson Education Inc., Upper Saddle River, NJ. All rights reserved. © The McGraw-Hill Companies, Inc. IP version 6 Asst. Prof. Chaiporn Jaikaeo,

Lecture 4: BGP Presentations Lab information H/W update.

Topic of Presentation IPv6 Presented by: Mahwish Chaudhary Roll No 08TL01.

TCP/IP Protocols Contains Five Layers

Universal, Ubiquitous, Unfettered Internet © ui.com Pte Ltd Mobile Internet Protocol under IPv6 Amlan Saha 3UI.COM Global IPv6 Summit,

CCNP Network Route IPV-6 Part-I IPV6 Addressing: IPV-4 is 32-BIT, IPV-6 is 128-BIT IPV-6 are divided into 8 groups. Each is 4 Hex characters. Each group.

CSC 600 Internetworking with TCP/IP Unit 7: IPv6 (ch. 33) Dr. Cheer-Sun Yang Spring 2001.

Network Layer by peterl. forwarding table routing protocols path selection RIP, OSPF, BGP IP protocol addressing conventions datagram format packet handling.

Encapsulated Security Payload Header ● RFC 2406 ● Services – Confidentiality ● Plus – Connectionless integrity – Data origin authentication – Replay protection.

1 Lecture 13 IPsec Internet Protocol Security CIS CIS 5357 Network Security.

1 Figure 3-13: Internet Protocol (IP) IP Addresses and Security  IP address spoofing: Sending a message with a false IP address (Figure 3-17)  Gives.

Authentication Header ● RFC 2402 ● Services – Connectionless integrity – Data origin authentication – Replay protection – As much header authentication.

Data Communications and Computer Networks Chapter 4 CS 3830 Lecture 19 Omar Meqdadi Department of Computer Science and Software Engineering University.

CSE5803 Advanced Internet Protocols and Applications (13) Introduction Existing IP (v4) was developed in late 1970’s, when computer memory was about.

Segment Routing: An Architecture build with SDN in mind and addressing the evolving network requirements Brian Meaney Cisco SP Consulting Team.

IPv6 Internet Protocol, Version 6 Yen-Cheng Chen NCNU

Understand IPv6 Part 2 LESSON 3.3_B Networking Fundamentals.

IP Fragmentation. MTU Maximum Transmission Unit (MTU) –Largest IP packet a network will accept –Arriving IP packet may be larger IP Packet MTU.

UNIT 7- IP Security 1.IP SEC 2.IP Security Architecture

Chapter 3 TCP and IP Chapter 3 TCP and IP.

Introduction to TCP/IP networking

IP Version 6 (IPv6).

CSE 4905 IPsec.

Encryption and Network Security

IPv6 Outline Background Structure Deployment Fall 2001 CS 640.

100% Exam Passing Guarantee & Money Back Assurance

Next Generation: Internet Protocol, Version 6 (IPv6) RFC 2460

IPv6 / IP Next Generation

IPSec IPSec is communication security provided at the network layer.

Internet Protocol (IP)

Guide to TCP/IP Fourth Edition

IP : Internet Protocol Surasak Sanguanpong

Virtual Private Networks (VPNs)

ISIS extensions for SRv6 draft-bashandy-isis-srv6-extensions-02

ISIS extensions for SRv6 draft-bashandy-isis-srv6-extensions-00

Segment Routing.

Net 323 D: Networks Protocols

Chapter 15. Internet Protocol

Virtual Private Networks (VPNs)

Get Ready for the New Internet: IPv.6

IPv4 Addressing By, Ishivinder Singh( ) Sharan Patil ( )

Session 20 INST 346 Technologies, Infrastructure and Architecture

draft-guichard-sfc-nsh-sr-02

IPv6 Outline Background Structure Deployment CS 640.

Internet Protocol version 6 (IPv6)

Chapter 4: outline 4.1 Overview of Network layer data plane

Presentation transcript:

How to Secure Routing Header for Segment Routing? Eric Vyncke, Distinguished Engineer evyncke@cisco.com Eric.vyncke@ipv6council.be @evyncke

Agenda Special use case Security of Routing Header & RFC 5095 Segment Routing Security Packets with Extension Headers are lost?

Special Use Case

“Extreme Traffic Engineering” from CPE/Set-up Box? What about mobile node away from SP network? I’m a dumb stateless router but not stupid!!!!Let’s check authorization PE3 PE1 A -> B Via .... SR-IPv6 core I’m a dumb stateless router I’m a dumb stateless router A -> B Via .... A -> B Via .... (SDN) controller Image source wikimedia PE4 PE2

Huh??? Source Routing Security? What about RFC 5095?

IPv6 Routing Header Next Header = 43 Routing Header IPv6 Basic Header An extension header, processed by intermediate routers Three types Type 0: similar to IPv4 source routing (multiple intermediate routers) Type 2: used for mobile IPv6 Type 3: RPL (Routing Protocol for Low-Power and Lossy Networks) Next Header = 43 Routing Header IPv6 Basic Header Routing Header Routing Header Next Header Ext Hdr Length RH Type Routing Type Segments Left Routing Header Data

RH0: Amplification Attack What if attacker sends a packet with RH containing A -> B -> A -> B -> A -> B -> A -> B -> A .... Packet will loop multiple time on the link A-B An amplification attack! B A

Deprecation of Type 0 Routing Headers in IPv6 What RFC 5095 Says J. Abley Afilias P. Savola CSC/FUNET G. Neville-Neil Neville-Neil Consulting December 2007 Deprecation of Type 0 Routing Headers in IPv6 RFC 5095 “The severity of this threat is considered to be sufficient to warrant deprecation of RH0 entirely. A side effect is that this also eliminates benign RH0 use- cases; however, such applications may be facilitated by future Routing Header specifications.”

Source: Clipartpanda.com Type 1: NIMROD A 1994 project funded by DARPA Mobility Hierarchy of routing (kind of LISP) Type 1 was deprecated in 2009 not because of security but project was defunct and AFAIK not a single NIMROD packet was sent over IPv6... Source: Clipartpanda.com

IPv6 Type 2 Routing Header: no problem Rebound/amplification attacks impossible Only one intermediate router: the mobile node home address Next Header = 43 Routing Header IPv6 Basic Header Routing Header Routing Header Next Header Ext Hdr Length RH Type= 2 Routing Type Segments Left= 1 Mobile Node Home Address

RH-3 for RPL: no problem Used by Routing Protocol for Low-Power and Lossy Networks But only within a single trusted network (strong authentication of node), never over a public untrusted network Damage is limited to this RPL network If attacker was inside the RPL network, then he/she could do more damage anyway

Segment Routing Security draft-vyncke-6man-segment-routing-security

SRH: identical to RFC 2460 Next Header: 8-bit selector. Identifies the type of header immediately following the SRH Hdr Ext Len: 8-bit unsigned integer. Defines the length of the SRH header in 8-octet units, not including the first 8 octets Routing Type: TBD by IANA (SRH) Segment Left: index, in the Segment List, of the current active segment in the SRH. Decremented at each segment endpoint. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Header | Hdr Ext Len | Routing Type | Segments Left | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | First Segment | Flags | HMAC Key ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Segment List[0] (128 bits ipv6 address) | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ... | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Segment List[n] (128 bits ipv6 address) | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Policy List[0] (128 bits ipv6 address) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | | Policy List[3] (128 bits ipv6 address) | // HMAC // // (256 bits, optional) //

SRH: New 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Header | Hdr Ext Len | Routing Type | Segments Left | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | First Segment | Flags | HMAC Key ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Segment List[0] (128 bits ipv6 address) | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ... | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Segment List[n] (128 bits ipv6 address) | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Policy List[0] (128 bits ipv6 address) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ... | | Policy List[2] (128 bits ipv6 address) | // HMAC // // (256 bits, optional) // First Segment: offset in the SRH, not including the first 8 octets and expressed in 16-octet units, pointing to the last element of the Segment List Flags: bit-0: cleanup bit-1: rerouted packet bits 2 and 3: reserved bits 4 to 15: policy flags Segment List[n]: 128 bit IPv6 addresses representing each segment of the path. The segment list is encoded in the reverse order of the path: the last segment is in the first position of the list and the first segment is in the last position Policy List[n] (optional): to mark ingress/ingress SR address, to remember original source address

SRH: New for Security 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Header | Hdr Ext Len | Routing Type | Segments Left | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | First Segment | Flags | HMAC Key ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Segment List[0] (128 bits ipv6 address) | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ... | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Segment List[n] (128 bits ipv6 address) | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Policy List[0] (128 bits ipv6 address) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ..... | | Policy List[3] (128 bits ipv6 address) | // HMAC // // (256 bits, optional) // HMAC Key-id: identifies the shared secret used by HMAC. If 0, HMAC field is not present HMAC: SRH authentication (optional)

SRH: HMAC Coverage 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Header | Hdr Ext Len | Routing Type | Segments Left | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | First Segment | Flags | HMAC Key ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Segment List[0] (128 bits ipv6 address) | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ... | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Segment List[n] (128 bits ipv6 address) | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Policy List[0] (128 bits ipv6 address) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | .... | | Policy List[3] (128 bits ipv6 address) | // HMAC // // (256 bits, optional) // Source Address (not shown): as it is immutable and to prevent SR service stealing First Segment: offset in the SRH, not including the first 8 octets and expressed in 16-octet units, pointing to the last element of the Segment List Flags: bit-0: cleanup bit-1: rerouted packet bits 2 and 3: reserved bits 4 to 15: policy flags HMAC Key ID: Segment List[n]: all segments

Segment Routing Security Addresses concerns of RFC5095 HMAC field to be used at ingress of a SR domain in order to validate/authorize the SRH Inside SR domain, each node trust its brothers (RPL model) HMAC requires a shared secret (SDN & SR ingress routers) Outside of current discussions Pretty much similar to BGP session security or OSPFv3 security

Lost of Packets with Extension Headers

Issue: Ext Hdr are dropped on the Internet draft-gont-v6ops-ipv6-ehs-in-real-world About 20-40% of packets with Ext Hdr are dropped over the Internet SRH works only within one administrative domain => not an issue as operator set the security/drop policy Test on your own: http://www.vyncke.org/sr.php And let us know !

Another View of Packet Drops Current research by Polytechnique Paris (Mehdi Kouhen) and Cisco (Eric Vyncke) And VM provided by Sander Steffann http://btv6.vyncke.org/exthdr/index.php?ds=bgp&t=rh4 (work in progress!)