SAVI IP Source Guard draft-baker-sava- implementation Fred Baker.

Slides:



Advertisements
Similar presentations
Mitigating Layer 2 Attacks
Advertisements

1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.
IP Forwarding Relates to Lab 3.
RIP V1 W.lilakiatsakun.
Neighbor Discovery for IPv6 Mangesh Kaushikkar. Overview Introduction Terminology Protocol Overview Message Formats Conceptual Model of a Host.
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
1 IPv6. 2 Problem: 32-bit address space will be completely allocated by Solution: Design a new IP with a larger address space, called the IP version.
Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.
Chapter 8b Intro to Routing & Switching.  Upon completion of this chapter, you should be able to:  Describe the structure of an IPv4 address.  Describe.
CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.
Instructor & Todd Lammle
1 Inter-VLAN routing Chapter 6 CCNA Exploration Semester 3 Modified by Profs. Ward and Cappellino.
1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.
Guide to TCP/IP Fourth Edition
© Jörg Liebeherr ECE 1545 Forwarding in IP Networks.
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007.
Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.
1 CMPT 471 Networking II ICMP © Janice Regan, 2012.
1 Chapter06 Mobile IP. 2 Outline What is the problem at the routing layer when Internet hosts move?! Can the problem be solved? What is the standard solution?
Chapter 4: Managing LAN Traffic
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: Implementing VLAN Security Routing And Switching.
Summary of Certification Process (part 1). IPv6 Client IPv6 packets inside IPv4 packets.
– Chapter 5 – Secure LAN Switching
1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.
Cisco – Chapter 11 Routers All You Ever Wanted To Know But Were Afraid to Ask.
Network Security1 – Chapter 5 – Secure LAN Switching Layer 2 security –Port security –IP permit lists –Protocol filtering –Controlling LAN floods (using.
Module 12: Routing Fundamentals. Routing Overview Configuring Routing and Remote Access as a Router Quality of Service.
VLAN V irtual L ocal A rea N etwork VLAN Network performance is a key factor in the productivity of an organization. One of the technologies used to.
Hubs to VLANs Cisco Networking Academy Program © Cisco Systems, Inc From Hubs to VLANs.
A SAVI Solution for DHCP Draf-ietf-savi-dhcp-06 J. Bi, J. Wu, G. Yao, F. Baker IETF79, Beijing Nov. 9, 2010.
Engineering Workshops Purposes of Neighbor Solicitation.
Mobile IP Outline Intro to mobile IP Operation Problems with mobility.
RFC 3964 Security Considerations for 6to4 Speaker: Chungyi Wang Adviser: Quincy Wu Date:
The University of Bolton School of Games Computing & Creative Technologies LCT2516 Network Architecture CCNA Exploration LAN Switching and Wireless Chapter.
ICMPv6 Error Message Types Informational Message Types.
Attacking on IPv6 W.lilakiatsakun Ref: ipv6-attack-defense-33904http://
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: VLANs Routing & Switching.
+ Routing Concepts 1 st semester Objectives  Describe the primary functions and features of a router.  Explain how routers use information.
Interconnecting Cisco Networking Devices Part 1 Pass4sureusa Pass4sure.
Address Resolution Protocol Yasir Jan 20 th March 2008 Future Internet.
IPv6 Security Issues Georgios Koutepas, NTUA IPv6 Technology and Advanced Services Oct.19, 2004.
IPv6 over ’s IPv6 Convergence Sublayer IPv6 over ’s IPv6 Convergence Sublayer draft-madanapalli-ipv6-over ipv6cs-00 Syam Madanapalli.
03 Jun 2011There's no place like ::1 Introduction to IPv6 Protocol part 2 George Kargiotakis oss-unipi: Event #27.
Link Layer 5.1 Introduction and services
CIS 116 IPv6 Fundamentals 2 – Primer Rick Graziani Cabrillo College
Instructor Materials Chapter 5: Ethernet
Syam Madanapalli Basavaraj Patil Erik Nordmark JinHyeock Choi
IPv6 Autoconfiguration Plug & Play Dream or Security Nightmare
IP Forwarding Covers the principles of end-to-end datagram delivery in IP networks.
– Chapter 5 – Secure LAN Switching
Virtual LANs.
Instructor & Todd Lammle
IP Forwarding Relates to Lab 3.
IP Forwarding Relates to Lab 3.
Implement Inter-VLAN Routing
Routing and Switching Essentials v6.0
IP Forwarding Relates to Lab 3.
Chapter 3: Implementing VLAN Security
IP Forwarding Relates to Lab 3.
Implement Inter-VLAN Routing
Implement Inter-VLAN Routing
IP Forwarding Relates to Lab 3.
Implement Inter-VLAN Routing
Networking and Network Protocols (Part2)
Mobile IP Outline Homework #4 Solutions Intro to mobile IP Operation
IP Forwarding Relates to Lab 3.
Mobile IP Outline Intro to mobile IP Operation Problems with mobility.
Mobile IP Outline Intro to mobile IP Operation Problems with mobility.
Presentation transcript:

SAVI IP Source Guard draft-baker-sava- implementation Fred Baker

Cases covered in the draft Draft specifies IPv6, could include IPv4 Network cases: Switched LANs and access networks Protect in switch Non-switched LANs and access networks Protect neighboring host and router from peers Upstream router Traditional ingress filtering

Premises: Addresses assigned using DHCP or SAA Multiple addresses per interface On interfaces with sub-interfaces such as VLANs, the sub-interface is under discussion Host has one interface That said, see draft-baker-6man-multiprefix-default- route Proposes separate default routes/default gateways by source address One could protect more cases with that model

What do I trust? The key is to associate an IP address with a stable lower layer entity or set of entities: –Physical or logical port – radio association –Ethernet MAC Address –Virtual circuit or other tunnel Every link layer has anchors that can be used for network layer address verification

Algorithm for switched LANs Implement in the switch Snoop Neighbor Discovery –DHCP or SAA assignment –ND or SeND negotiation –Yes, that’s a layer violation. Autoconfigure port or port+MAC filter on Solicitation/Response exchange –Discard IP traffic that doesn’t use properly negotiated addresses Routers still can’t be protected PeaceLoveJoy Don’t Ask DHCP optional solicit response

Implement in host/router Use Neighbor Discovery Tables –DHCP or SAA assignment –ND or SeND negotiation Autoconfigure address:anchor filter in hosts/routers on Solicitation/Response exchange –Discard IP traffic that doesn’t use properly negotiated addresses Routers: –Hosts still can’t be protected against routers –Routers can protect themselves from rogue hosts PeaceLoveJoy DHCP optional solicit response Don’t Ask Algorithm for non-switched LANs

Defense in Depth: Upstream Router At administrative boundaries, it is wise to verify address usage to the extent possible BCP 38/RFC 2827 ingress filtering still valuable Essential concept: –If neighbor is legitimately advertising a prefix to you, you might legitimately receive traffic from that prefix –If he’s not, you probably shouldn’t

The snaky case Hosts may have multiple interfaces without routing between them. –Hosts send “from” the IP address of the interface they request on. –Hosts respond “from” the IP address the request was sent to –Host routing may not send data back the way it came Implication: –Hosts with multiple interfaces cannot be protected under these assumptions –But see draft-baker-6man- multiprefix-default-route

Value of source address verification Removes attacks that use spoofed addresses If I have eliminated spoofed addresses, I know that remaining attackers are using their real ones If I then eliminate traffic from/to bots, I free bandwidth for useful traffic My customers are happier. –I may also gain customers if I build a reputation for having few successful attacks.

Security considerations: problem #1 Spoofed addresses generally happen on first packet attacks –SYN attacks, DDOS, etc ND/SeND triggered by first packet - sending datagram to unknown destination New attacks: –First packet attacks on hosts still work in non- switched case –Host generating large number of addresses can fill neighboring host/router/switch tables

Security considerations: solution #1 Any system MAY impose an upper bound on the number of addresses per neighbor it will store –If it does so, it SHOULD release old entries in a LRU fashion as is done with SYN attacks Any system receiving a datagram from a unknown neighbor SHOULD –Initiate ND/SeND to learn of the neighbor –Drop or queue the datagram pending ND/SeND resolution of the address –If queued, only then operate on it

Security considerations: Problem #2 Stateless Address Autoconfiguration enables a “Front-running” attack: –Alice starts Duplicate Address Detection –Bob sees her probe and immediately starts using the address without DAD - for example, sends a LAN broadcast ping “from” that address –Alice is denied the use of the address

Security Considerations: Solution #2 Don’t allow front-running attacks Presume: –Carol does not know of a system using address A –Alice initiates Duplicate Address Detection for the address –Carol receives the probe –Carol subsequently receives a datagram from Bob using the address Carol SHOULD drop Bob’s datagram with prejudice.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.