
Routing Security Capabilities draft-zhao-opsec-routing-capabilities-02.txt OPSEC WG, IETF #66.


1 Routing Security Capabilities
draft-zhao-opsec-routing-capabilities-02.txt
miaofy@huawei.com
OPSEC WG, IETF #66

2 Packet Filtering vs. Routing Filtering
Packet filtering
 – Applied to network-layer packets being forwarded
 – Usually based on the IP and transport headers
 – Out of scope of this document
Routing filtering
 – Applied to routing packets being sent or received
 – Based on the routing protocol together with other protocols
 – In scope of this document

3 Filters for External Routing Protocols
Current implementation
 – Applied to both sent and received routing packets on a per-interface basis
 – Outbound Route Filter (ORF): whether ORF is used, and which ORF, on a per-interface basis
 – Limits the scope of route redistribution between different routing protocols
Filtering criteria
 – Specific route prefixes
 – Maximum length of route prefixes
 – Maximum number of route prefixes received
 – AS_PATH
 – BGP community and extended community
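The five filtering criteria on this slide, applied in one inbound policy for an external neighbour. This is an added example written for this page, not code or configuration from the draft; the deny list, the /24 length limit, the maximum-prefix value of 2, the banned ASN 64512, the community 65535:666 and the sample UPDATEs are all constructed for illustration.

```python
import ipaddress
import re

# Constructed inbound policy for a single external (EBGP) neighbour.
# Every value below is illustrative and is not taken from the draft.
DENY_PREFIXES = [ipaddress.ip_network(p) for p in
                 ("0.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16")]
MAX_PREFIX_LEN = 24                               # reject anything more specific than /24
MAX_PREFIXES = 2                                  # maximum-prefix limit for this neighbour
AS_PATH_DENY = re.compile(r"(^|\s)64512(\s|$)")   # an ASN that must not appear in the path
DENY_COMMUNITIES = {"65535:666"}                  # a community we do not honour from this neighbour


def check_route(prefix, as_path, communities):
    """Return None if the route passes, otherwise the name of the rule that rejected it."""
    net = ipaddress.ip_network(prefix, strict=False)
    if any(net.subnet_of(d) for d in DENY_PREFIXES):
        return "prefix-list"
    if net.prefixlen > MAX_PREFIX_LEN:
        return "prefix-length"
    if AS_PATH_DENY.search(" ".join(str(asn) for asn in as_path)):
        return "as-path"
    if DENY_COMMUNITIES & set(communities):
        return "community"
    return None


def filter_routes(routes):
    """Apply check_route() to each received route, then enforce the maximum-prefix limit.

    Returns (accepted_prefixes, [(prefix, reason), ...]).
    """
    accepted, rejected = [], []
    for r in routes:
        reason = check_route(r["prefix"], r["as_path"], r["communities"])
        if reason is not None:
            rejected.append((r["prefix"], reason))
        elif len(accepted) >= MAX_PREFIXES:
            # A real router would tear down the session here; we only drop the route.
            rejected.append((r["prefix"], "maximum-prefix"))
        else:
            accepted.append(r["prefix"])
    return accepted, rejected


# Constructed BGP UPDATEs, in the order the neighbour sends them.
SAMPLE_ROUTES = [
    {"prefix": "203.0.113.0/24",  "as_path": [65001, 65002], "communities": []},
    {"prefix": "10.1.0.0/16",     "as_path": [65001],        "communities": []},
    {"prefix": "198.51.100.0/25", "as_path": [65001],        "communities": []},
    {"prefix": "192.0.2.0/24",    "as_path": [65001, 64512], "communities": []},
    {"prefix": "198.51.100.0/24", "as_path": [65001],        "communities": ["65535:666"]},
    {"prefix": "192.0.2.0/24",    "as_path": [65001],        "communities": []},
    {"prefix": "172.16.0.0/24",   "as_path": [65001],        "communities": []},
]

if __name__ == "__main__":
    ok, bad = filter_routes(SAMPLE_ROUTES)
    print("accepted:", ok)
    for prefix, reason in bad:
        print("rejected:", prefix, "by", reason)
```

The order of checks matters for what the operator sees in the log: a route that is both too long and inside a denied block is reported under the prefix list, and the maximum-prefix limit is counted only over routes that survived the other filters, which is how the per-neighbour limit behaves on real routers.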

4 Filters for IGP Areas
An IGP requires the same view of the topology within an area
 – Routing information must be flooded unchanged
 – Filtering within an area is therefore infeasible
Filtering between IGP areas
 – A router may provide the option to filter routes between IGP areas
 – Caution: such route filtering may leave some addresses unreachable

5 Filters by TTL
Accept routing packets only from the immediate neighbor
 – A TTL cannot be spoofed upward: every router on the path decrements it, so a packet that arrives with TTL 255 can only have come from a directly connected sender (the GTSM idea)
 – Most routing packets originate from an immediate neighbor
 – The TTL is 255 on arrival if the neighbor sends with the default of 255
Note: not applicable to multi-hop IBGP sessions
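The TTL check on this slide, simulated end to end: the sender puts 255 in the packet, each forwarding router decrements it, and the receiver accepts only what could have come from the expected distance. This is an added example written for this page, not code from the draft; the hop counts and the `hop_limit` parameter (which generalises the single-hop case to the multi-hop sessions the note excludes) are constructed for illustration.

```python
MAX_TTL = 255   # the highest value a sender can put in the IP TTL field


def deliver(ttl_at_source, routers_in_path):
    """TTL the receiver sees after the packet crosses `routers_in_path` forwarding
    routers, or None if the packet expired in transit."""
    ttl = ttl_at_source
    for _ in range(routers_in_path):
        ttl -= 1                 # every forwarding router decrements the TTL
        if ttl <= 0:
            return None          # discarded before reaching the receiver
    return ttl


def gtsm_accept(received_ttl, hop_limit=1):
    """Accept only if the packet cannot have travelled more than `hop_limit` links.

    hop_limit=1 is the directly connected case on the slide: received TTL must be 255.
    A larger hop_limit is what a multi-hop session would need (assumed parameter)."""
    if received_ttl is None:
        return False
    return received_ttl >= MAX_TTL + 1 - hop_limit


def session_check(routers_in_path, hop_limit=1, sender_ttl=MAX_TTL):
    """Does a packet sent with `sender_ttl` across `routers_in_path` routers pass the filter?"""
    return gtsm_accept(deliver(sender_ttl, routers_in_path), hop_limit)


if __name__ == "__main__":
    # Constructed cases: a real neighbour, a remote attacker, and a 3-link multi-hop peer.
    print("directly connected neighbour:", session_check(0))
    print("attacker three routers away, TTL forged to 255:", session_check(3))
    print("legitimate peer two routers away, single-hop filter:", session_check(2))
    print("same peer with a 3-link limit:", session_check(2, hop_limit=3))
```

The attacker's best move is to send with TTL 255, which is exactly what the simulation does, and the packet still arrives at 252. The flip side, visible in the third case, is the note on the slide: a legitimate peer that is not directly connected is rejected by the single-hop rule, so the check must be relaxed (or disabled) for multi-hop sessions, and it never protects against a compromised directly connected neighbour, whose packets genuinely arrive with TTL 255.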

6 Route Flap Dampening
Route flaps are bad
 – but is route flap dampening the right answer?
Configurable
 – Timers
 – Could be turned off
 » http://www.ripe.net/ripe/docs/ripe-378.html (RIPE Routing WG recommendations on route-flap damping)
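The mechanism the slide is asking about, reduced to one prefix from one neighbour: each flap adds a penalty, the penalty decays exponentially with a half-life, the route is suppressed above one threshold and released below a lower one, and the whole thing can be switched off. This is an added example written for this page, not code from the draft or from RIPE-378; the class, its parameter values (the commonly quoted defaults, in seconds) and the flap timeline are constructed for illustration.

```python
class FlapDampener:
    """Route flap damping state for one prefix from one neighbour (RFC 2439 style).

    Parameter defaults are constructed for this example, not taken from the draft.
    """

    def __init__(self, half_life=900, suppress_limit=2000, reuse_limit=750,
                 max_suppress=3600, flap_penalty=1000, enabled=True):
        self.half_life = half_life            # seconds for the penalty to halve
        self.suppress_limit = suppress_limit  # penalty above which the route is withheld
        self.reuse_limit = reuse_limit        # penalty below which it is advertised again
        self.flap_penalty = flap_penalty      # penalty added per withdraw/re-announce
        self.enabled = enabled                # "could be turned off" on the slide
        # Cap the penalty so a route is never suppressed longer than max_suppress.
        self.max_penalty = reuse_limit * 2 ** (max_suppress / half_life)
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False

    def _decay(self, now):
        # Exponential decay: the penalty halves every half_life seconds.
        elapsed = now - self.last_update
        self.penalty *= 0.5 ** (elapsed / self.half_life)
        self.last_update = now

    def flap(self, now):
        """Record a flap at time `now` (seconds, non-decreasing) and return the new state."""
        self._decay(now)
        self.penalty = min(self.penalty + self.flap_penalty, self.max_penalty)
        return self.state(now)

    def state(self, now):
        """'advertised' or 'suppressed' at time `now` (seconds, non-decreasing)."""
        if not self.enabled:
            return "advertised"
        self._decay(now)
        if self.suppressed and self.penalty <= self.reuse_limit:
            self.suppressed = False
        elif not self.suppressed and self.penalty > self.suppress_limit:
            self.suppressed = True
        return "suppressed" if self.suppressed else "advertised"


if __name__ == "__main__":
    # Constructed timeline: three flaps one minute apart, then quiet.
    d = FlapDampener()
    for t in (0, 60, 120):
        print("flap at", t, "->", d.flap(t), "penalty %.0f" % d.penalty)
    for t in (1000, 2000, 4000):
        print("state at", t, "->", d.state(t), "penalty %.0f" % d.penalty)
```

Two flaps are not enough to suppress with these numbers, three are, and the route then stays withheld for roughly half an hour after the last flap even though it may have been perfectly stable since. That delay, multiplied across every router that dampens independently, is what the slide's question and the RIPE-378 recommendation against damping with default parameters are about; the cap in `max_penalty` bounds the worst case but does not remove it.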

7 Routing Authentication
 – Keys must be configurable on the router
 – The system transitions from one key to another based on system time
 – Stronger algorithms than MD5 (see the Rescorla-Bellovin analysis)
 – A key distribution/update mechanism is preferable
Note: the authentication currently specified in the standards-track routing protocol specifications is too weak to meet the security requirement
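The first three bullets together: a configurable keychain, a time-based transition from one key to the next, and a MAC stronger than keyed MD5. This is an added example written for this page, not code from the draft or from any router; the keychain, its lifetimes, the choice of HMAC-SHA-256 as the "stronger algorithm" and the sample packet are constructed for illustration. The accept lifetime of each key is deliberately wider than its send lifetime so that two peers whose clocks disagree by a few minutes keep authenticating through the rollover.

```python
import hashlib
import hmac

# Constructed keychain. Times are seconds on the router's clock; each key has a
# send lifetime (when we sign with it) and a longer accept lifetime (when we still
# verify with it). Key 1 rolls over to key 2 at t=1000.
KEYCHAIN = [
    {"id": 1, "secret": b"old-shared-secret", "send": (0, 1000),    "accept": (0, 1300)},
    {"id": 2, "secret": b"new-shared-secret", "send": (1000, 2000), "accept": (700, 2300)},
]


def _in_window(window, now):
    start, end = window
    return start <= now < end


def send_key(chain, now):
    """The key to sign outgoing packets with at time `now`, chosen by send lifetime."""
    for k in chain:
        if _in_window(k["send"], now):
            return k
    raise LookupError("no key has a send lifetime covering t=%r" % now)


def accept_keys(chain, key_id, now):
    """Keys with this id whose accept lifetime covers `now`."""
    return [k for k in chain if k["id"] == key_id and _in_window(k["accept"], now)]


def sign(packet, key):
    """HMAC-SHA-256 over the routing packet: one stronger choice than keyed MD5."""
    return hmac.new(key["secret"], packet, hashlib.sha256).digest()


def legacy_keyed_md5(packet, secret):
    """The construction the slide wants to move away from: MD5(packet || secret), not an HMAC."""
    return hashlib.md5(packet + secret).digest()


def verify(packet, key_id, mac, chain, now):
    """Accept if some key with this id, valid for acceptance at `now`, reproduces the MAC."""
    for k in accept_keys(chain, key_id, now):
        if hmac.compare_digest(sign(packet, k), mac):
            return True
    return False


def exchange(packet, t_send, t_recv, chain=KEYCHAIN):
    """Sender signs on its own clock at t_send; receiver verifies on its clock at t_recv."""
    k = send_key(chain, t_send)
    return verify(packet, k["id"], sign(packet, k), chain, t_recv)


if __name__ == "__main__":
    pkt = b"constructed routing packet body"
    print("both on old key:          ", exchange(pkt, 500, 500))
    print("sender rolled, receiver slow:", exchange(pkt, 1050, 950))
    print("sender slow, receiver rolled:", exchange(pkt, 950, 1050))
    print("old key past accept window:", exchange(pkt, 950, 1400))
```

The key id travels with the packet, so the receiver never tries every key, only the one the sender named, and only if that key's accept window is still open. What this does not provide is the fourth bullet: the secrets in `KEYCHAIN` still have to reach both routers by some out-of-band means, which is exactly the gap the slide calls out.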

8 What is the next step? Adopt it as a working group document?

9 Thanks!

