Presentation is loading. Please wait.

Presentation is loading. Please wait.

SAVI IP Source Guard draft-baker-sava- implementation Fred Baker.

Published byBruce Norton Modified over 9 years ago

Similar presentations

Presentation on theme: "SAVI IP Source Guard draft-baker-sava- implementation Fred Baker."— Presentation transcript:

1 SAVI IP Source Guard draft-baker-sava- implementation Fred Baker

2 Cases covered in the draft Draft specifies IPv6, could include IPv4 Network cases: Switched LANs and access networks Protect in switch Non-switched LANs and access networks Protect neighboring host and router from peers Upstream router Traditional ingress filtering

3 Premises: Addresses assigned using DHCP or SAA Multiple addresses per interface On interfaces with sub-interfaces such as VLANs, the sub-interface is under discussion Host has one interface That said, see draft-baker-6man-multiprefix-default- route Proposes separate default routes/default gateways by source address One could protect more cases with that model

4 What do I trust? The key is to associate an IP address with a stable lower layer entity or set of entities: –Physical or logical port –802.11 radio association –Ethernet MAC Address –Virtual circuit or other tunnel Every link layer has anchors that can be used for network layer address verification

5 Algorithm for switched LANs Implement in the switch Snoop Neighbor Discovery –DHCP or SAA assignment –ND or SeND negotiation –Yes, that’s a layer violation. Autoconfigure port or port+MAC filter on Solicitation/Response exchange –Discard IP traffic that doesn’t use properly negotiated addresses Routers still can’t be protected PeaceLoveJoy Don’t Ask DHCP optional solicit response

6 Implement in host/router Use Neighbor Discovery Tables –DHCP or SAA assignment –ND or SeND negotiation Autoconfigure address:anchor filter in hosts/routers on Solicitation/Response exchange –Discard IP traffic that doesn’t use properly negotiated addresses Routers: –Hosts still can’t be protected against routers –Routers can protect themselves from rogue hosts PeaceLoveJoy DHCP optional solicit response Don’t Ask Algorithm for non-switched LANs

7 Defense in Depth: Upstream Router At administrative boundaries, it is wise to verify address usage to the extent possible BCP 38/RFC 2827 ingress filtering still valuable Essential concept: –If neighbor is legitimately advertising a prefix to you, you might legitimately receive traffic from that prefix –If he’s not, you probably shouldn’t

8 The snaky case Hosts may have multiple interfaces without routing between them. –Hosts send “from” the IP address of the interface they request on. –Hosts respond “from” the IP address the request was sent to –Host routing may not send data back the way it came Implication: –Hosts with multiple interfaces cannot be protected under these assumptions –But see draft-baker-6man- multiprefix-default-route

9 Value of source address verification Removes attacks that use spoofed addresses If I have eliminated spoofed addresses, I know that remaining attackers are using their real ones If I then eliminate traffic from/to bots, I free bandwidth for useful traffic My customers are happier. –I may also gain customers if I build a reputation for having few successful attacks.

10 Security considerations: problem #1 Spoofed addresses generally happen on first packet attacks –SYN attacks, DDOS, etc ND/SeND triggered by first packet - sending datagram to unknown destination New attacks: –First packet attacks on hosts still work in non- switched case –Host generating large number of addresses can fill neighboring host/router/switch tables

11 Security considerations: solution #1 Any system MAY impose an upper bound on the number of addresses per neighbor it will store –If it does so, it SHOULD release old entries in a LRU fashion as is done with SYN attacks Any system receiving a datagram from a unknown neighbor SHOULD –Initiate ND/SeND to learn of the neighbor –Drop or queue the datagram pending ND/SeND resolution of the address –If queued, only then operate on it

12 Security considerations: Problem #2 Stateless Address Autoconfiguration enables a “Front-running” attack: –Alice starts Duplicate Address Detection –Bob sees her probe and immediately starts using the address without DAD - for example, sends a LAN broadcast ping “from” that address –Alice is denied the use of the address

13 Security Considerations: Solution #2 Don’t allow front-running attacks Presume: –Carol does not know of a system using address A –Alice initiates Duplicate Address Detection for the address –Carol receives the probe –Carol subsequently receives a datagram from Bob using the address Carol SHOULD drop Bob’s datagram with prejudice.

Download ppt "SAVI IP Source Guard draft-baker-sava- implementation Fred Baker."

Similar presentations

Mitigating Layer 2 Attacks

Mitigating Layer 2 Attacks
1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.

1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.
IP Forwarding Relates to Lab 3.

IP Forwarding Relates to Lab 3.
RIP V1 W.lilakiatsakun.

RIP V1 W.lilakiatsakun.
Neighbor Discovery for IPv6 Mangesh Kaushikkar. Overview Introduction Terminology Protocol Overview Message Formats Conceptual Model of a Host.

Neighbor Discovery for IPv6 Mangesh Kaushikkar. Overview Introduction Terminology Protocol Overview Message Formats Conceptual Model of a Host.
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
1 IPv6. 2 Problem: 32-bit address space will be completely allocated by 2008. Solution: Design a new IP with a larger address space, called the IP version.

1 IPv6. 2 Problem: 32-bit address space will be completely allocated by Solution: Design a new IP with a larger address space, called the IP version.
Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.

Media Access Control (MAC) addresses in the network access layer ▫ Associated w/ network interface card (NIC) ▫ 48 bits or 64 bits IP addresses for the.
Chapter 8b Intro to Routing & Switching.  Upon completion of this chapter, you should be able to:  Describe the structure of an IPv4 address.  Describe.

Chapter 8b Intro to Routing & Switching.  Upon completion of this chapter, you should be able to:  Describe the structure of an IPv4 address.  Describe.
CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.

CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.
Instructor & Todd Lammle

Instructor & Todd Lammle
1 Inter-VLAN routing Chapter 6 CCNA Exploration Semester 3 Modified by Profs. Ward and Cappellino.

1 Inter-VLAN routing Chapter 6 CCNA Exploration Semester 3 Modified by Profs. Ward and Cappellino.
1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.

1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.
Guide to TCP/IP Fourth Edition

Guide to TCP/IP Fourth Edition
© Jörg Liebeherr ECE 1545 Forwarding in IP Networks.

© Jörg Liebeherr ECE 1545 Forwarding in IP Networks.
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007.

Layer 2 Security – No Longer Ignored Security Possibilities at Layer 2 Allan Alton, BSc CISA CISSP NetAnalyst UBC October 18, 2007.
Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.

Virtual LANs. VLAN introduction VLANs logically segment switched networks based on the functions, project teams, or applications of the organization regardless.
1 CMPT 471 Networking II ICMP © Janice Regan, 2012.

1 CMPT 471 Networking II ICMP © Janice Regan, 2012.
1 Chapter06 Mobile IP. 2 Outline What is the problem at the routing layer when Internet hosts move?! Can the problem be solved? What is the standard solution?

1 Chapter06 Mobile IP. 2 Outline What is the problem at the routing layer when Internet hosts move?! Can the problem be solved? What is the standard solution?

Similar presentations

Ads by Google