Deck outline (20 slides; the text below covers slides 1 to 14):
1. Chapter 4 – Secure Routing
2. Design issues of secure routing
3. Design issues of secure routing (prefix filtering)
4. Prefix Filtering
5. Prefix Filtering Example
6. Prefix Filtering Example (configuration)
7. Design issues of secure routing (network convergence)
8. Source: http://www.unitest.com/pdf/net_conv.pdf
9. Design issues of secure routing (static routes)
10. Authentication of Router and Routes
11. Authentication of Router and Routes (solutions)
12. Control/disable directed broadcast
13. Black Hole Filtering
14. URPF
15. URPF (cont.)
16. Path Integrity
17. Path Integrity (cont.)
18. Case study 1 - Securing the BGP Routing Protocol
19. Case Study 2 - Securing the OSPF routing protocols
20. Summary

Slide 1: Chapter 4 – Secure Routing
• Build security into the design of routing
  – router authentication
  – route authentication
  – control directed broadcast
  – black hole filtering
  – URPF
  – path integrity
  – 2 case studies

Slide 2: Design issues of secure routing
• Route filtering
  – When designing a private network, it is important to ensure that ‘route filtering’ is used to filter out any bogus or undesired routes coming into the private net.
    • Examples: special addresses (p.82)
  – It is equally important to ensure that the only networks advertised by the private network are those desired.
  – Ensure that IP address blocks belonging to a private network are not allowed to be advertised back into the network from outside.
  – ‘Net police filtering’ (aka ‘prefix filtering’): next slide

Slide 3: Design issues of secure routing
• Prefix filtering
  – No routes with prefixes more specific than /20 (or up to /24) are allowed to come in.
  – Purpose: to ensure that an attack cannot be staged on a large ISP’s router by inflating the size of its routing tables.
  – Routes more specific than /20 are often not needed by large ISPs, so those routes can be filtered out to keep the routing table from getting out of control.
  – Example: p.93 (incoming route filtering in a BGP router), next slide

Slide 4: Prefix Filtering
– Example: incoming route filtering in a BGP router

    router bgp 100
     network 101.20.20.0
     distribute-list prefix max24 in
    !
    ip prefix-list max24 seq 5 permit 0.0.0.0/0 ge 8 le 24
    ! The route 0.0.0.0/0 is the default route.

– See http://www.cisco.com/en/US/docs/ios/12_3t/ip_route/command/reference/ip2_i2gt.html#wp1112138 for command details and other examples.
– Another example: next slide

Slide 5: Prefix Filtering Example
Source: http://www.netkit.org/netkit-labs/netkit-labs_interdomain-routing/netkit-lab_bgp-prefix-filtering/netkit-lab_bgp-prefix-filtering.pdf (topology figure)

Slide 6: Prefix Filtering Example
Source: http://www.netkit.org/netkit-labs/netkit-labs_interdomain-routing/netkit-lab_bgp-prefix-filtering/netkit-lab_bgp-prefix-filtering.pdf

    ! Configure router 1 in AS 1:
    router bgp 1
     network 195.11.14.0/24
     network 195.11.15.0/24
     neighbor 193.10.11.2 remote-as 2
     neighbor 193.10.11.2 description Router 2 of AS2
     neighbor 193.10.11.2 prefix-list partialOut out
     neighbor 193.10.11.2 prefix-list partialIn in
    !
    ! only 195.11.14.0/24 is announced to neighbor 193.10.11.2
    ip prefix-list partialOut permit 195.11.14.0/24
    !
    ! all, with the exception of 200.1.1.0/24, is accepted from 193.10.11.2
    ip prefix-list partialIn deny 200.1.1.0/24
    ip prefix-list partialIn permit any

Slide 7: Design issues of secure routing
1. Network convergence (aka route convergence)
  – depends on many factors:
    • complexity of the network architecture
    • redundancy in the network
    • route calculation algorithms and configuration
    • loops in the network
  – Fast convergence is desirable.
  • Problems with a slow-converging network:
    – can mean a considerable loss of revenue and/or productivity
    – may make the network subject to DoS attacks, because it takes longer to recover from network-disrupting attacks, which aggravates the problem

Slide 8: Source: http://www.unitest.com/pdf/net_conv.pdf (figure only)

Slide 9: Design issues of secure routing
2. Static routes
  – discussed earlier (example 3-1)
  – can be used to hard-code information in the routing tables so that this information is unaffected by a network attack or by propagated impact from other parts of the network
  – Disadvantage? scalability

Slide 10: Authentication of Router and Routes
• Rationale for authenticating routers and routes:
  1. As part of an attack, the attacker may configure his machine or router to share incorrect routing information with the attacked router (AR).
     Impacts? incorrect routing, disabled router, traffic redirection
  2. Flood of the routing table, e.g., a rogue router may act as a BGP speaker and neighbor, and advertise lots of specific routes into a core router’s routing table.
     Impacts? slow or disabled router

Slide 11: Authentication of Router and Routes
• Solutions?
  1. Router authentication: routers must authenticate each other before sharing information.
     • Password-based authentication - drawback?
     • MD5-HMAC - implications?
  2. Route authentication: the integrity of the exchanged routing information must be verified.
     • Hashing-based methods, such as MD5-HMAC, can be used to authenticate routes.
     • Figure 4-1
     • Examples 4-1, 4-2, 4-3

Slide 12: Control/disable directed broadcast
• ‘Directed broadcast’ allows packets to be broadcast to all the machines on the subnet directly attached to a router.
• May be used by attackers to start attacks, e.g., the smurf attack
  – a type of DoS attack
  – Figure 21-3
  – An attacker sends a ping echo request to the broadcast address on a network, causing all the machines in that segment to send echo replies to the attacked router. Impact: packet flood

Slide 13: Black Hole Filtering
• Purpose: to filter out undesired traffic by directing specific routes to a null interface
• An alternative to an ACL
• Advantage: no access-list processing, which saves processing time
• Disadvantage: null routing is based on the packets’ destination IP addresses only, while an ACL can match on source address, destination address and layer-4 information as well.
• A weaker form of route filtering
• Example 4-5: interface null0

Slide 14: URPF
• Unicast Reverse Path Forwarding
• Purpose: to thwart attempts to send packets with spoofed source IP addresses
• A mechanism configured on a router to drop outgoing packets whose source IP addresses are not in the range belonging to its site
• Advantage: a more efficient and effective outgoing-packet filtering mechanism than an ACL
• Requirement: CEF (Cisco Express Forwarding) must be enabled on that router, because URPF looks at the FIB (forwarding information base) rather than at the routing table.
• Example: Figure 4-2
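The prefix-list filters on slides 4 and 6 are easier to reason about with a small evaluator of the IOS "ip prefix-list" match rules (sequence order, first match wins, implicit deny, ge/le length bounds). This is an added example, not code from the slides or from Cisco; the candidate route announcements are constructed, and the last case goes slightly beyond the slide by showing that an exact-match deny does not cover more-specific prefixes.

```python
import ipaddress

# Added example, not from the slides: an evaluator for the Cisco-style
# "ip prefix-list" semantics used on the Prefix Filtering slides. Entries are
# tried in sequence order, the first match wins, and a route matching no
# entry is denied (the implicit deny at the end of every prefix-list).

def entry(action, prefix, ge=None, le=None):
    """One prefix-list line. With no ge/le only the exact length matches;
    'ge N' alone matches lengths N..32; 'le M' alone matches prefixlen..M."""
    net = ipaddress.ip_network(prefix, strict=False)
    lo = net.prefixlen if ge is None else ge
    hi = (net.max_prefixlen if ge is not None else net.prefixlen) if le is None else le
    return {"action": action, "net": net, "lo": lo, "hi": hi}

def evaluate(prefix_list, route):
    """Return 'permit' or 'deny' for one candidate route such as '10.0.0.0/8'."""
    r = ipaddress.ip_network(route, strict=False)
    for e in prefix_list:
        if r.subnet_of(e["net"]) and e["lo"] <= r.prefixlen <= e["hi"]:
            return e["action"]
    return "deny"  # implicit deny at the end of the list

def accepted(prefix_list, routes):
    """Routes that survive the filter, in the order they were offered."""
    return [r for r in routes if evaluate(prefix_list, r) == "permit"]

# Slide 4: ip prefix-list max24 seq 5 permit 0.0.0.0/0 ge 8 le 24
MAX24 = [entry("permit", "0.0.0.0/0", ge=8, le=24)]
# Slide 6: the lists applied to neighbor 193.10.11.2 ("permit any" = 0.0.0.0/0 le 32)
PARTIAL_OUT = [entry("permit", "195.11.14.0/24")]
PARTIAL_IN = [entry("deny", "200.1.1.0/24"), entry("permit", "0.0.0.0/0", le=32)]

if __name__ == "__main__":
    # Constructed candidate announcements pushed through each list.
    print(accepted(MAX24, ["101.20.20.0/24", "10.0.0.0/8", "10.1.2.0/25", "0.0.0.0/0"]))
    print(accepted(PARTIAL_OUT, ["195.11.14.0/24", "195.11.15.0/24"]))
    # Note: the exact-match deny does not cover the more specific 200.1.1.0/25.
    print(accepted(PARTIAL_IN, ["200.1.1.0/24", "200.1.2.0/24", "200.1.1.0/25"]))
```

Note that max24 also rejects the default route itself (length 0 is below ge 8) and that partialIn lets 200.1.1.0/25 through; a deny meant to cover a block and its subnets needs an explicit le bound.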
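The black-hole (slide 13) and URPF (slide 14) controls both key off the FIB, so one toy forwarding-plane model shows them together. This is an added example, not from the slides; the FIB entries, interface names and packets are constructed, and the last packet goes beyond the slide's "destination only" remark by showing that a null route on a source address, combined with uRPF, also drops traffic from that source.

```python
import ipaddress

# Added example, not from the slides: a toy FIB used to show a strict
# unicast-RPF check on the site-facing interface next to a Null0 route for
# black-hole filtering. Entries, interface names and packets are constructed.

FIB = [  # (prefix, egress interface); "Null0" is the black hole
    ("10.1.0.0/16", "Gi0/0"),       # our site, behind Gi0/0
    ("192.0.2.0/24", "Gi0/1"),      # a network reached via Gi0/1
    ("198.51.100.7/32", "Null0"),   # black-holed address (cf. Example 4-5)
    ("0.0.0.0/0", "Gi0/2"),         # default route toward the ISP
]

def lookup(fib, addr):
    """Longest-prefix match on the FIB; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_ok(fib, src, ingress, mode="strict"):
    """Strict uRPF: the FIB's route back to src must exit via the ingress
    interface. Loose (simplified here): any route other than Null0 suffices."""
    iface = lookup(fib, src)
    if iface is None or iface == "Null0":
        return False
    return iface == ingress if mode == "strict" else True

def forward(fib, packet):
    """Egress interface for packet {"src", "dst", "in"}, or a drop reason."""
    if not urpf_ok(fib, packet["src"], packet["in"]):
        return "drop: uRPF fail"        # spoofed or black-holed source
    out = lookup(fib, packet["dst"])    # null routing keys on destination only
    if out is None:
        return "drop: no route"
    if out == "Null0":
        return "drop: black hole"
    return out

if __name__ == "__main__":
    for pkt in [
        {"src": "10.1.5.9", "dst": "192.0.2.10", "in": "Gi0/0"},     # legitimate
        {"src": "203.0.113.5", "dst": "192.0.2.10", "in": "Gi0/0"},  # spoofed source
        {"src": "10.1.5.9", "dst": "198.51.100.7", "in": "Gi0/0"},   # to the black hole
        {"src": "198.51.100.7", "dst": "10.1.5.9", "in": "Gi0/2"},   # from black-holed src
    ]:
        print(pkt["src"], "->", pkt["dst"], "on", pkt["in"], ":", forward(FIB, pkt))
```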


UHCL CSCI 5235 - Secure Routing
