Presentation is loading. Please wait.

Presentation is loading. Please wait.

– Chapter 4 – Secure Routing

Published byWidya Gunardi Modified over 5 years ago

Similar presentations

Presentation on theme: "– Chapter 4 – Secure Routing"— Presentation transcript:

1 – Chapter 4 – Secure Routing
Build security into the design of routing router authentication route authentication control directed broadcast black hole filtering URPF Path integrity 2 Case studies Network Security

2 Design issues of secure routing
Route filtering When designing a private network, it is important to ensure that ‘route filtering’ is used to filter out any bogus or undesired routes coming into the private net. Examples: special addresses (p.82) It is equally important to ensure that the only networks advertised by the private network are those desired. To ensure that IP address blocks belonging to a private network are not allowed to be advertised back into the network from outside. ‘net police filtering’ (aka. ‘prefix filtering’) – next Network Security

3 Design issues of secure routing
Prefix Filtering No routes with prefixes more specific than /20 (or up to /24) are allowed to come in. To ensure that an attack cannot be staged on a large ISP’s router by increasing the size of its routing tables Routes more specific than /20 are often not needed by large ISPs, so those routes can be filtered out to keep its routing table from getting out of control. Example: p.93 (incoming route filtering in a BGP router), next page Network Security

4 Prefix Filtering Example: incoming route filtering in a BGP router
Router bgp 100 Network Distribute-list prefix max24 in ! Ip prefix-list max24 seq 5 permit /0 ge 8 le 24 ! The route /0 is the default route. See for command details and other examples. Another example: next Network Security

5 Prefix Filtering Example http://www. netkit
Network Security

6 Prefix Filtering Example http://www. netkit
! Configure router 1 in AS 1: router bgp 1 network /24 network /24 neighbor remote-as 2 neighbor description Router 2 of AS2 neighbor prefix-list partialOut out neighbor prefix-list partialIn in ! ! only /24 is announced to neighbor ip prefix-list partialOut permit /24 ! all, with the exception of /24, is accepted from ip prefix-list partialIn deny /24 ip prefix-list partialIn permit any Network Security

7 Design issues of secure routing
network convergence (aka. route convergence) depends on many factors complexity of the net architecture redundancy in the network route calculation algorithms and configuration loops in the network Fast convergence is desirable. Problems with a a slow-converging network can mean a considerable loss of revenue and/or productivity may be subject to DoS attacks, because it takes longer to recover from network-disrupting attacks and thus aggravates problems Network Security

8 Source: http://www.unitest.com/pdf/net_conv.pdf
Network Security

9 Design issues of secure routing
static routes discussed earlier (example 3-1) can be used to hard code information in the routing tables such that this info is unaffected by a network attack or propagated impact from other parts of the network Disadvantage? scalability Network Security

10 Authentication of Router and Routes
Rationale of authenticating routers and routes: As part of an attack, the attacker may configure his machine or router to share incorrect routing information with the attacked router (AR). Impacts? Incorrect routing, disabled router, traffic redirection Flood of routing table e.g., A rogue router may act as a BGP speaker and neighbor, and advertises lots of specific routes into a core router’s routing table. slow or disabled router Network Security

11 Authentication of Router and Routes
Solutions? Router authentication: Routers must authenticate each other before sharing information. Password-based authentication - Drawback? MD5-HMAC - Implications? Route authentication: Integrity of the exchanged routing information must be verified. Hashing-based methods, such as MD5-HMAC, can be used to authenticate routes. Figure 4-1 Examples 4-1, 4-2, 4-3 Network Security

12 Control/disable directed broadcast
‘Directed broadcast’ allows packets to be broadcast to all the machines on the subnet directly attached to a router. May be used by attackers to start attacks e.g., smurf attack A type of DoS attack Figure 21-3 An attacker sends a ping echo request to the broadcast address on a network, causing all the machines in that segment to send echo replies to the attacked router.  impact: packet flood Network Security

13 Black Hole Filtering Purpose: to filter out undesired traffic, by directing specific routes to a null interface An alternative to ACL Advantage: no access list processing  save processing time Disadvantage: Null routing is based on the packets’ destination IP addresses only, while ACL can work on source address, destination address, and layer 4 info as well. A weaker form of route filtering Example 4-5: interface null0 Network Security

14 URPF Unicast Reverse Path Forwarding
Purpose: to thwart attempts to send packets with spoofed source IP addresses A mechanism configured on a router to disable outgoing packets with source IP addresses not in the range belonging to its site Advantage: A more efficient and effective outgoing packets filtering mechanism than ACL Requirement: CEF (Cisco Express Forwarding) must be enabled on that router, because URPF looks at the FIB (forwarding information base) rather than at the routing table. Example: Figure 4-2 Network Security

15 URPF (cont.) Constraint: can not be deployed on a router that has asymmetric routes set up. In asymmetric routing, more than one interface is used (by a router or firewall) to route packets of a private network.  The interface through which the router sends return traffic for a packet may not be the same interface on which the original packet was received. In general, URPF is deployed on the edge of a network.  allowing the anti-spoofing capabilities to be effective to the entire network Example 4-6: ip verify unicast reverse-path Network Security

16 Path Integrity Rule of thumb: Routing should be performed based on the optimum paths calculated by the underlying routing protocols.  However, the routing protocols may be affected by ICMP redirects and IP source routing when making such calculations. ICMP redirects allows a router to inform another router on its local segment not to use certain hop in its path to certain host.  because including the hop will result in paths that’s not optimal ICMP redirects is the default setting on Cisco routers. Should be disabled unless absolutely necessary IP source routing: next Network Security

17 Path Integrity (cont.) IP source routing: an IP feature, allowing a user to set a field in the IP packet to specify the desired path May be used by attackers to subvert the workings of normal routing protocols Example: An attacker can specify a router (A) that is attached to both a private and the public network as an intermediate point in the source path to reach a private address (e.g., ). All intermediate routers, with IP source routing enabled, will forward the packet to router A.  causing DoS attack Advice: disable IP source routing on the router Network Security

18 Case study 1 - Securing the BGP Routing Protocol
11/30/2018 Case study 1 - Securing the BGP Routing Protocol BGP is an exterior gateway protocol Example techniques: Enable BGP peer authentication Filter incoming routes Filter outgoing routes Use the network statement to advertise the network block Disable BGP multihop feature (that is, do not allow peering between routers not directly connected to each other) Control TCP port 179 (the BGP port)  using the firewall or ACLs to do the filtering Disable BGP version negotiation (instead, hard-code the version info) Use police filters and null routes Set up BGP route flap dampening values  to prevent flapping routes Use the maximum-prefix command Logging changes in neighbor status BGP Route Flap Dampening (RFC 2349) : see “When a route is repeatedly advertised and withdrawn, it is considered to be 'flapping'. Flapping routes cause instability in the Internet routing table and Cisco routers running BGP contain an optional mechanism designed to dampen the destabilizing effect of flapping routes. When a Cisco router running BGP detects a flapping route it automatically dampens that route. The route dampening prevents routers from thrashing while trying to re-calculate a large number of route updates. The overall effect is to produce a more stable routing table. BGP routes can remain in the routing table for months.” Network Security

19 Case Study 2 - Securing the OSPF routing protocols
11/30/2018 Case Study 2 - Securing the OSPF routing protocols The Open Shortest Path First protocol is a hierarchical interior gateway protocol (IGP) for routing Example techniques: Router authentication Nonbroadcast neighbor configuration Using stub areas Using loopback interfaces as the router IDs Tweaking SPF timers Route filtering For OSPF areas, see See also for example diagrams. LSA (Link State Advertisement) is a basic communication means of the OSPF routing protocol for IP. It communicates the router's local routing topology to all other local routers in the same OSPF area. ( Network Security

20 Summary Security of routers and routes is critical for the security of the whole network. The net administrator should configure his routers and routes, not only to protect the private network, but also to help to protect the whole Internet. Next: security of LAN switching Network Security

Download ppt "– Chapter 4 – Secure Routing"

Similar presentations

RIP V2 W.lilakiatsakun.  RFC 2453 (obsoletes –RFC 1723 /1388)  Extension of RIP v1 (Classful routing protocol)  Classless routing protocol –VLSM is.

RIP V2 W.lilakiatsakun.  RFC 2453 (obsoletes –RFC 1723 /1388)  Extension of RIP v1 (Classful routing protocol)  Classless routing protocol –VLSM is.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
Chapter 9: Access Control Lists

Chapter 9: Access Control Lists
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—2-1 Label Assignment and Distribution Introducing Typical Label Distribution in Frame-Mode MPLS.

© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—2-1 Label Assignment and Distribution Introducing Typical Label Distribution in Frame-Mode MPLS.
Chapter 5 IP Routing Routing Sending packets through network from one device to another What must routers know? – Destination address – Neighboring routers.

Chapter 5 IP Routing Routing Sending packets through network from one device to another What must routers know? – Destination address – Neighboring routers.
CCNA 2 v3.1 Module 6.

CCNA 2 v3.1 Module 6.
Routing and Routing Protocols

Routing and Routing Protocols
1 Semester 2 Module 6 Routing and Routing Protocols YuDa college of business James Chen

1 Semester 2 Module 6 Routing and Routing Protocols YuDa college of business James Chen
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
– Chapter 4 – Secure Routing

– Chapter 4 – Secure Routing
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 5: Adjust and Troubleshoot Single- Area OSPF Scaling Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 5: Adjust and Troubleshoot Single- Area OSPF Scaling Networks.
Dynamic Routing Protocols  Function(s) of Dynamic Routing Protocols: – Dynamically share information between routers (Discover remote networks). – Automatically.

Dynamic Routing Protocols  Function(s) of Dynamic Routing Protocols: – Dynamically share information between routers (Discover remote networks). – Automatically.
CN2668 Routers and Switches Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN2668 Routers and Switches Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Lecture Week 7 RIPv2 Routing Protocols and Concepts.

Lecture Week 7 RIPv2 Routing Protocols and Concepts.
© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network BGP Attributes and Path Selection Process.

© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network BGP Attributes and Path Selection Process.
Routing and Routing Protocols Routing Protocols Overview.

Routing and Routing Protocols Routing Protocols Overview.
M.Menelaou CCNA2 ROUTING. M.Menelaou ROUTING Routing is the process that a router uses to forward packets toward the destination network. A router makes.

M.Menelaou CCNA2 ROUTING. M.Menelaou ROUTING Routing is the process that a router uses to forward packets toward the destination network. A router makes.
1. 2 Anatomy of an IP Packet IP packets consist of the data from upper layers plus an IP header. The IP header consists of the following:

1. 2 Anatomy of an IP Packet IP packets consist of the data from upper layers plus an IP header. The IP header consists of the following:
Page 110/27/2015 A router ‘knows’ only of networks attached to it directly – unless you configure a static route or use routing protocols Routing protocols.

Page 110/27/2015 A router ‘knows’ only of networks attached to it directly – unless you configure a static route or use routing protocols Routing protocols.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.0 Module 2 Single-Area OSPF.

1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.0 Module 2 Single-Area OSPF.

Similar presentations

Ads by Google