Secure Routing

flutteringevergreen, Networking and Communications

Oct 29, 2013

Network Security

1



Chapter 4: Secure Routing

1. Build security into the design of routing
   - router authentication
   - route authentication
   - control directed broadcast
   - black hole filtering
   - URPF
   - path integrity
2. Case studies

Design issues of secure routing

Route filtering

- When designing a private network, it is important to ensure that
  ‘route filtering’ is used to filter out any bogus or undesired routes
  coming into the private net.
  - Examples: special addresses (p.82)
- It is equally important to ensure that the only networks advertised
  by the private network are those desired.
- Ensure that IP address blocks belonging to the private network are
  not allowed to be advertised back into the network from outside.
  - ‘net police filtering’ (aka ‘prefix filtering’): next slide

Design issues of secure routing

Prefix Filtering

- No routes with prefixes more specific than /20 (or up to /24) are
  allowed to come in.
  - To ensure that an attack cannot be staged on a large ISP’s router
    by increasing the size of its routing tables.
  - Routes more specific than /20 are often not needed by large ISPs,
    so those routes can be filtered out to keep the routing table from
    getting out of control.
- Example: p.93 (incoming route filtering in a BGP router)
- Another example: next slide

Prefix Filtering Example

http://www.netkit.org/software/netkit_labs/bgp/lab-bgp-3-prefix-filtering/netkit-lab-bgp-3-prefix-filtering.pdf

    ! only 195.11.14.0/24 is announced to neighbor 193.10.11.2
    ! all, with the exception of 200.1.1.0/24, is accepted from 193.10.11.2
    router bgp 1
     network 195.11.14.0/24
     network 195.11.15.0/24
     neighbor 193.10.11.2 remote-as 2
     neighbor 193.10.11.2 description Router 2 of AS2
     neighbor 193.10.11.2 prefix-list partialOut out
     neighbor 193.10.11.2 prefix-list partialIn in
    !
    ! outbound: only the listed prefix matches; 195.11.15.0/24 hits the
    ! implicit deny at the end of the list and is never announced
    ip prefix-list partialOut permit 195.11.14.0/24
    !
    ! inbound: entries are checked in order, first match wins
    ip prefix-list partialIn deny 200.1.1.0/24
    ip prefix-list partialIn permit any
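The filtering rules of the preceding slides (drop special addresses, never accept your own blocks from outside, accept nothing more specific than /24, announce only what you intend), written out as an added Python example of how an IOS/Quagga-style prefix list such as partialIn/partialOut is evaluated. This is not code from the lecture or the netkit lab; the site prefix, the bogon entries and the received announcements are constructed.

```python
import ipaddress

# Added example (not from the lecture or the netkit lab): a minimal evaluator
# for IOS/Quagga-style prefix lists. Entry = (action, prefix, ge, le), evaluated
# in order, first match wins, implicit deny at the end. It applies the lecture's
# inbound rules (drop our own blocks, special addresses, anything longer than /24)
# to a constructed batch of received announcements.

def entry_matches(entry, net):
    """IOS semantics: net must lie inside the entry prefix; without ge/le the
    length must match exactly, 'ge' alone means ge..32, 'le' alone means base..le."""
    _, base, ge, le = entry
    base = ipaddress.ip_network(base)
    if not net.subnet_of(base):
        return False
    lo = ge if ge is not None else base.prefixlen
    hi = le if le is not None else (32 if ge is not None else base.prefixlen)
    return lo <= net.prefixlen <= hi

def evaluate(prefix_list, prefix):
    """Return 'permit' or 'deny' for one announced prefix."""
    net = ipaddress.ip_network(prefix)
    for entry in prefix_list:
        if entry_matches(entry, net):
            return entry[0]
    return "deny"  # implicit deny: anything not explicitly permitted is dropped

def filter_announcements(prefix_list, announcements):
    """Map each received prefix to the verdict of the filter."""
    return {p: evaluate(prefix_list, p) for p in announcements}

# Constructed site: it owns 195.11.14.0/23 (the two /24s of the netkit example).
INBOUND = [
    ("deny",   "195.11.14.0/23", None, 32),   # our own space must never come back in
    ("deny",   "10.0.0.0/8",     None, 32),   # special addresses (RFC 1918 private ranges)
    ("deny",   "172.16.0.0/12",  None, 32),
    ("deny",   "192.168.0.0/16", None, 32),
    ("deny",   "0.0.0.0/0",      25,   32),   # nothing more specific than /24
    ("permit", "0.0.0.0/0",      None, 24),   # everything else, up to /24
]
# Outbound: announce only the block we want the world to see (like partialOut).
OUTBOUND = [("permit", "195.11.14.0/24", None, None)]

RECEIVED = ["200.1.1.0/24", "195.11.14.0/24", "10.1.0.0/16",
            "203.0.113.128/25", "198.51.100.0/22"]

if __name__ == "__main__":
    for prefix, verdict in filter_announcements(INBOUND, RECEIVED).items():
        print(f"{prefix:18} {verdict}")
```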

Design issues of secure routing

1. Network convergence
   - depends on many factors:
     - complexity of the net architecture
     - redundancy in the network
     - route calculation algorithms and configuration
     - loops in the network
   - Fast convergence is desirable.
   - Problems with a slow-converging network:
     - can mean a considerable loss of revenue and/or productivity
     - may be subject to DoS attacks, because it takes longer to
       recover from network-disrupting attacks, and thus aggravates
       problems

Design issues of secure routing

2. Static routes
   - discussed earlier (example 3-1)
   - can be used to hard-code information in the routing tables such
     that this info is unaffected by a network attack or by propagated
     impact from other parts of the network
   - Disadvantage? scalability

Authentication of Router and Routes

Rationale of authenticating routers and routes:

1. As part of an attack, the attacker may configure his machine or
   router to share incorrect routing information with the attacked
   router (AR).
   - Impacts? Incorrect routing, disabled router, traffic redirection
2. Flood of routing table
   - e.g., a rogue router may act as a BGP speaker and neighbor, and
     advertise lots of specific routes into a core router’s routing
     table.
   - Impacts? slow or disabled router

Authentication of Router and Routes

Solutions?

1. Router authentication: routers must authenticate each other before
   sharing information.
   - Password-based authentication
     - Drawback?
   - MD5-HMAC
     - Implications?
2. Route authentication: the integrity of the exchanged routing
   information must be verified.
   - Hashing-based methods, such as MD5-HMAC, can be used to
     authenticate routes.
   - Figure 4-1
   - Examples 4-1, 4-2, 4-3

Control/disable directed broadcast

- ‘Directed broadcast’ allows packets to be broadcast to all the
  machines on the subnet directly attached to a router.
- May be used by attackers to start attacks, e.g., the smurf attack
  - A type of DoS attack (Figure 21-3)
  - An attacker sends a ping echo request to the broadcast address on
    a network, causing all the machines in that segment to send echo
    replies to the attacked router.
  - impact: packet flood

Black Hole Filtering

- Purpose: to filter out undesired traffic, by directing specific
  routes to a null interface
  - An alternative to ACLs
- Advantage: no access-list processing, which saves processing time
- Disadvantage: null routing is based on the packets’ destination IP
  addresses only, while an ACL can work on source address, destination
  address, and layer 4 info as well.
  - A weaker form of route filtering
- Example 4-5: interface null0

URPF

Unicast Reverse Path Forwarding

- Purpose: to thwart attempts to send packets with spoofed source IP
  addresses
  - A mechanism configured on a router to drop outgoing packets with
    source IP addresses not in the range belonging to its site
- Advantage: a more efficient and effective outgoing-packet filtering
  mechanism than an ACL
- Requirement: CEF (Cisco Express Forwarding) must be enabled on that
  router, because URPF looks at the FIB (forwarding information base)
  rather than the routing table.
- Example: Figure 4-2

URPF (cont.)

- Constraint: cannot be deployed on a router that has asymmetric
  routes set up.
  - In asymmetric routing, more than one interface is used (by a
    router or firewall) to route packets of a private network.
  - The interface through which the router sends return traffic for a
    packet may not be the same interface on which the original packet
    was received.
- In general, URPF is deployed on the edge of a network, allowing the
  antispoofing capabilities to be effective for the entire network.
- Example 4-6: ip verify unicast reverse-path
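As an added example that is not from the lecture, the following Python models the check described on these two URPF slides against a small constructed FIB, and also covers the black hole filtering slide: one prefix is routed to the null interface, and a more-specific route learned from a second upstream shows why the strict check fails under asymmetric routing while loose mode still passes. Interface names, prefixes and addresses are assumptions.

```python
import ipaddress

# Added example (not from the lecture): a toy FIB with longest-prefix matching,
# used to show what strict-mode uRPF checks on an arriving packet's source
# address, why a prefix routed to Null0 (black hole filtering) fails both
# modes, and why asymmetric routing breaks strict mode. All values constructed.

FIB = {
    "192.0.2.0/24":    "eth0",   # customer LAN behind eth0
    "198.51.100.0/24": "eth1",   # upstream A
    "203.0.113.0/24":  "eth2",   # upstream B
    "203.0.113.64/26": "eth1",   # more specific, learned via upstream A: asymmetry
    "100.64.0.0/10":   "Null0",  # black-holed prefix (route to the null interface)
    "0.0.0.0/0":       "eth1",   # default route
}

def lookup(fib, address, allow_default=False):
    """Longest-prefix match; the default route only counts when allow_default is set
    (mirrors the allow-default keyword of ip verify unicast source reachable-via)."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best

def urpf_strict(fib, src, ingress):
    """Strict mode: the best route back to src must point out the ingress interface."""
    hit = lookup(fib, src)
    return hit is not None and hit[1] == ingress and hit[1] != "Null0"

def urpf_loose(fib, src):
    """Loose mode: any non-null route to src suffices (usable with asymmetric routing)."""
    hit = lookup(fib, src)
    return hit is not None and hit[1] != "Null0"

def decide(fib, src, dst, ingress, mode="strict"):
    """Forwarding decision for one packet: uRPF on the source, then a destination lookup."""
    ok = urpf_strict(fib, src, ingress) if mode == "strict" else urpf_loose(fib, src)
    if not ok:
        return "drop: uRPF (" + mode + ")"
    hit = lookup(fib, dst, allow_default=True)
    if hit is None or hit[1] == "Null0":  # black hole filtering acts on the destination only
        return "drop: no route" if hit is None else "drop: null route"
    return "forward via " + hit[1]
```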

Path Integrity

- Rule of thumb: routing should be performed based on the optimum
  paths calculated by the underlying routing protocols.
- However, the routing protocols may be affected by ICMP redirects and
  IP source routing when making such calculations.
- ICMP redirects allow a router to inform another router on its local
  segment not to use a certain hop in its path to a certain host,
  because including the hop would result in paths that are not
  optimal.
  - Sending ICMP redirects is the default setting on Cisco routers.
  - Should be disabled unless absolutely necessary
- IP source routing: next slide

Path Integrity (cont.)

- IP source routing: an IP feature allowing a user to set a field in
  the IP packet to specify the desired path
- May be used by attackers to subvert the workings of normal routing
  protocols
  - Example: an attacker can specify a router (A) that is attached to
    both a private and the public network as an intermediate point in
    the source path to reach a private address (e.g., 10.1.1.1).
  - All intermediate routers with IP source routing enabled will
    forward the packet to router A, causing a DoS attack.
- Advice: disable IP source routing on the router
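An added example (not from the lecture) of the detection side of this advice: a parser for the IPv4 options area that flags the LSRR/SSRR options a source-routed packet carries, so such packets can be counted or logged at the edge alongside disabling the feature. The sample headers are constructed; a capture tool would supply real ones.

```python
import socket
import struct

# Added example (not from the lecture): parse the options area of an IPv4 header
# and report whether the packet carries a source route, i.e. the LSRR (type 131)
# or SSRR (type 137) option that "IP source routing" refers to. Real headers would
# come from a capture or firewall log; the packets built below are constructed.

LSRR, SSRR, EOL, NOP = 131, 137, 0, 1

def parse_options(packet):
    """Return [(type, payload)] from the IPv4 options area; raise on malformed input."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    opts, i, out = packet[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed option length")
        out.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return out

def source_route(packet):
    """('LSRR'|'SSRR', [hop addresses]) if the packet is source routed, else None."""
    for kind, payload in parse_options(packet):
        if kind in (LSRR, SSRR):   # payload = pointer byte followed by 4-byte hops
            hops = [socket.inet_ntoa(payload[k:k + 4]) for k in range(1, len(payload) - 3, 4)]
            return ("LSRR" if kind == LSRR else "SSRR", hops)
    return None

def ipv4_header(src, dst, options=b""):
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | (5 + len(options) // 4), 0,
                        20 + len(options), 0, 0, 64, 1, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + options   # constructed header: no payload, checksum left zero

# Constructed samples: a loose source route via "router A" to 10.1.1.1, a plain header, one with Router Alert (148)
SAMPLE_LSRR = ipv4_header("198.51.100.7", "10.1.1.1", bytes([LSRR, 11, 4])
                          + socket.inet_aton("203.0.113.1") + socket.inet_aton("10.1.1.1"))
SAMPLE_PLAIN = ipv4_header("198.51.100.7", "10.1.1.1")
SAMPLE_ALERT = ipv4_header("198.51.100.7", "10.1.1.1", bytes([148, 4, 0, 0]))
```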

Case study 1

Securing the BGP routing protocol (an exterior gateway protocol)

Example techniques:
- Enable BGP peer authentication
- Filter incoming routes
- Filter outgoing routes
- Use the network statement to advertise the network block
- Disable the BGP multihop feature (that is, do not allow peering
  between routers not directly connected to each other)
- Control TCP port 179, using the firewall or ACLs to do the filtering
- Disable BGP version negotiation (instead, hard-code the version info)
- Use police filters and null routes
- Set up route dampening values, to prevent flapping routes
- Use the maximum-prefix command
- Log changes in neighbor status
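An added example (not from the lecture) of what "Enable BGP peer authentication" here, and the MD5-based router authentication on the earlier Authentication slide, amount to on the TCP port 179 session: the TCP MD5 Signature option of RFC 2385, which IOS turns on with the neighbor password command. It is a keyed MD5 digest (the RFC 2385 construction, not an HMAC) over each segment, so the shared key itself never crosses the wire. Addresses, ports, the OPEN message contents and the key are constructed.

```python
import hashlib
import hmac
import socket
import struct

# Added example (not from the lecture): the per-segment digest carried by the
# TCP MD5 Signature option (RFC 2385) on an authenticated BGP session. The
# digest is MD5 over the TCP pseudo-header, the fixed TCP header with the
# checksum zeroed (options excluded), the segment data and the shared key.
# A receiver recomputes it and discards any segment whose digest differs.
# Addresses, ports, the OPEN contents and the key are constructed values.

def tcp_header(sport, dport, seq, ack, flags, window, offset_words):
    """20-byte fixed TCP header; offset_words counts options too, checksum is zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       offset_words << 4, flags, window, 0, 0)

def bgp_open(my_as, hold_time, router_id):
    """Constructed BGP OPEN message: marker, length, type=1, version 4, no options."""
    return struct.pack("!16sHBBHHIB", b"\xff" * 16, 29, 1, 4, my_as, hold_time,
                       int.from_bytes(socket.inet_aton(router_id), "big"), 0)

def tcp_md5_digest(src_ip, dst_ip, header20, data, key):
    """RFC 2385 digest: pseudo-header || fixed TCP header || data || key."""
    seg_len = (header20[12] >> 4) * 4 + len(data)   # header incl. options + data
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, seg_len))  # zero, protocol TCP, length
    return hashlib.md5(pseudo + header20 + data + key).digest()

def verify_segment(src_ip, dst_ip, header20, data, key, received_digest):
    """Receiver side: recompute and compare in constant time; drop on mismatch."""
    expected = tcp_md5_digest(src_ip, dst_ip, header20, data, key)
    return hmac.compare_digest(expected, received_digest)

def demo():
    """Return (genuine_ok, tampered_ok, wrong_key_ok) for a constructed OPEN segment."""
    key = b"constructed-shared-secret"
    src, dst = "192.0.2.1", "192.0.2.2"
    data = bgp_open(65001, 90, "192.0.2.1")
    # PSH|ACK from port 179; 40-byte header = 20 fixed + 18-byte MD5 option + 2 NOPs
    hdr = tcp_header(179, 41000, 1000, 2000, 0x18, 16384, 10)
    sig = tcp_md5_digest(src, dst, hdr, data, key)
    tampered = bytearray(data)
    tampered[22] ^= 0x01                 # flip a bit of the hold time in flight
    return (verify_segment(src, dst, hdr, data, key, sig),
            verify_segment(src, dst, hdr, bytes(tampered), key, sig),
            verify_segment(src, dst, hdr, data, b"wrong-secret", sig))
```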

Case Study 2

Securing the OSPF routing protocol (an interior gateway protocol)

Example techniques:
- Router authentication
- Nonbroadcast neighbor configuration
- Using stub areas
- Using loopback interfaces as the router IDs
- Tweaking SPF timers
- Route filtering

Summary

- Security of routers and routes is critical for the security of the
  whole network.
- The net administrator should configure his routers and routes not
  only to protect the private network, but also to help protect the
  whole Internet.

Next: security of LAN switching