Title: – Chapter 4 – Secure Routing
1 Chapter 4 Secure Routing
- Build security into the design of routing
- router authentication
- route authentication
- control directed broadcast
- black hole filtering
- URPF
- Path integrity
- 2 Case studies
2Design issues of secure routing
- Route filtering
- When designing a private network, it is important
to ensure that route filtering is used to
filter out any bogus or undesired routes coming
into the private net. - Examples special addresses (p.82)
- It is equally important to ensure that the only
networks advertised by the private network are
those desired. - To ensure that IP address blocks belonging to a
private network are not allowed to be advertised
back into the network from outside. - net police filtering (aka. prefix filtering)
next
3Design issues of secure routing
- Prefix Filtering
- No routes with prefixes more specific than /20
(or up to /24) are allowed to come in. - To ensure that an attack cannot be staged on a
large ISPs router by increasing the size of its
routing tables - Routes more specific than /20 are often not
needed by large ISPs, so those routes can be
filtered out to keep its routing table from
getting out of control. - Example p.93 (incoming route filtering in a BGP
router) - Another example next
4Prefix Filtering Examplehttp//www.netkit.org/sof
tware/netkit_labs/bgp/lab-bgp-3-prefix-filtering/n
etkit-lab-bgp-3-prefix-filtering.pdf
5Prefix Filtering Examplehttp//www.netkit.org/sof
tware/netkit_labs/bgp/lab-bgp-3-prefix-filtering/n
etkit-lab-bgp-3-prefix-filtering.pdf
- ! only 195.11.14.0/24 is announced to neighbor
193.10.11.2 - ! all, with the exception of 200.1.1.0/24, is
accepted from 193.10.11.2 - router bgp 1
- network 195.11.14.0/24
- network 195.11.15.0/24
- neighbor 193.10.11.2 remote-as 2
- neighbor 193.10.11.2 description Router 2 of AS2
- neighbor 193.10.11.2 prefix-list partialOut out
- neighbor 193.10.11.2 prefix-list partialIn in
- !
- ip prefix-list partialOut permit 195.11.14.0/24
- !
- ip prefix-list partialIn deny 200.1.1.0/24
- ip prefix-list partialIn permit any
6Design issues of secure routing
- network convergence
- depends on many factors
- complexity of the net architecture
- redundancy in the network
- route calculation algorithms and configuration
- loops in the network
- Fast convergence is desirable.
- Problems with a a slow-converging network
- can mean a considerable loss of revenue and/or
productivity - may be subject to DoS attacks, because it takes
longer to recover from network-disrupting attacks
and thus aggravates problems
7Design issues of secure routing
- static routes
- discussed earlier (example 3-1)
- can be used to hard code information in the
routing tables such that this info is unaffected
by a network attack or propagated impact from
other parts of the network - Disadvantage? scalability
8Authentication of Router and Routes
- Rationale of authenticating routers and routes
- As part of an attack, the attacker may configure
his machine or router to share incorrect routing
information with the attacked router (AR). - Impacts?
- Incorrect routing, disabled router, traffic
redirection - Flood of routing talbe
- e.g., A rogue router may act as a BGP speaker
and neighbor, and advertises lots of specific
routes into a core routers routing table. - Impacts?
- slow or disabled router
9Authentication of Router and Routes
- Solutions?
- Router authentication Routers must authenticate
each other before sharing information. - Password-based authentication - Drawback?
- MD5-HMAC - Implications?
- Route authentication Integrity of the exchanged
routing information must be verified. - Hashing-based methods, such as MD5-HMAC, can be
used to authenticate routes. - Figure 4-1
- Examples 4-1, 4-2, 4-3
10Control/disable directed broadcast
- Directed broadcast allows packets to be
broadcast to all the machines on the subnet
directly attached to a router. - May be used by attackers to start attacks
- e.g., smurf attack
- A type of DoS attack
- Figure 21-3
- An attacker sends a ping echo request to the
broadcast address on a network, causing all the
machines in that segment to send echo replies to
the attacked router. ? impact packet flood
11Black Hole Filtering
- Purpose to filter out undesired traffic, by
directing specific routes to a null interface - An alternative to ACL
- Advantage no access list processing ? save
processing time - Disadvantage Null routing is based on the
packets destination IP addresses only, while ACL
can work on source address, destination address,
and layer 4 info as well. - A weaker form of route filtering
- Example 4-5 interface null0
12URPF
- Unicast Reverse Path Forwarding
- Purpose to thwart attempts to send packets with
spoofed source IP addresses - A mechanism configured on a router to disable
outgoing packets with source IP addresses not in
the range belonging to its site - Advantage A more efficient and effective
outgoing packets filtering mechanism than ACL - Requirement CEF (Cisco Express Forwarding) must
be enabled on that router, because URPF looks at
the FIB (forwarding information base) rather than
the the routing table. - Example Figure 4-2
13URPF (cont.)
- Constraint can not be deployed on a router that
has asymmetric routes set up. - In asymmetric routing, more than one interface is
used (by a router or firewall) to route packets
of a private network. ? The interface through
which the router sends return traffic for a
packet may not be the same interface on which the
original packet was received. - In general, URPF is deployed on the edge of a
network. ? allowing the antispoofing capabilities
to be effective to the entire network - Example 4-6 ip verify unicast reverse-path
14Path Integrity
- Rule of thumb Routing should be performed based
on the optimum paths calculated by the underlying
routing protocols. ? However, the routing
protocols may be affected by ICMP redirects and
IP source routing when making such calculations. - ICMP redirects allows a router to inform another
router on its local segment not to use certain
hop in its path to certain host. ? because
including the hop will result in paths thats not
optimal - ICMP redirects is the default setting on Cisco
routers. - Should be disabled unless absolutely necessary
- IP source routing next
15Path Integrity (cont.)
- IP source routing an IP feature allowing a user
to set a field in the IP packet to specify the
desired path - May be used by attackers to subvert the workings
of normal routing protocols - Example An attacker can specify a router (A)
that is attached to both a private and the public
network as an intermediate point in the source
path to reach a private address (e.g., 10.1.1.1).
- All intermediate routers, with IP source routing
enabled, will forward the packet to router A. ?
causing DoS attack - Advice disable IP source routing on the router
16Case study 1Securing the BGP Routing Protocol
- an exterior gateway protocol
- Example techniques
- Enable BGP peer authentication
- Filter incoming routes
- Filter outgoing routes
- Use the network statement to advertise the
network block - Disable BGP multihop feature (that is, do not
allow peering between routers not directly
connected to each other) - Control TCP port 179 ? using the firewall or ACLs
to do the filtering - Disable BGP version negotiation (instead,
hard-code the version info) - Use police filters and null routes
- Set up route dampening values ? to prevent
flapping routes - Use the maximum-prefix command
- Logging changes in neighbor status
17Case Study 2 Securing the OSPF routing protocols
- an interior gateway protocol
- Example techniques
- Router authentication
- Nonbroadcast neighbor configuration
- Using stub areas
- Using loopback interfaces as the router Ids
- Tweaking SPF timers
- Route filtering
18Summary
- Security of routers and routes is critical for
the security of the whole network. - The net administrator should configure his
routers and routes, not only to protect the
private network, but also to help to protect the
whole Internet. - Next security of LAN switching