Network Security 1
Secure Routing
Source: Ch. 4 of Malik. Network Security Principles and Practices (CCIE Professional Development). Pearson Education. 2002.
• Build security into the design of routing
– router authentication
– route authentication
– control directed broadcast
– black hole filtering
– URPF
– Path integrity
– 2 Case studies
Network Security 2
Design issues of secure routing
• Route filtering
– When designing a private network, it is important to ensure that ‘route filtering’ is used to filter out any bogus or undesired routes coming into the private net.
• Examples: special addresses
– It is equally important to ensure that the only networks advertised by the private network are those desired.
– To ensure that IP address blocks belonging to a private network are not allowed to be advertised back into the network from outside.
– ‘net police filtering’ (aka. ‘prefix filtering’) – next
Network Security 3
Design issues of secure routing
• Prefix Filtering
– No routes with prefixes more specific than /20 (or up to /24) are allowed to come in.
– To ensure that an attack cannot be staged on a large ISP’s router by increasing the size of its routing tables
– Routes more specific than /20 are often not needed by large ISPs, so those routes can be filtered out to keep its routing table from getting out of control.
– Example: incoming route filtering in a BGP router, next page
Network Security 4
Prefix Filtering
– Example: incoming route filtering in a BGP router

  router bgp 100
   network 101.20.20.0
   distribute-list prefix max24 in
  !
  ip prefix-list max24 seq 5 permit 0.0.0.0/0 ge 8 le 24
  ! The route 0.0.0.0/0 is the default route.
– See http://www.cisco.com/en/US/docs/ios/12_3t/ip_route/command/reference/ip2_i2gt.html#wp1112138 for command details and other examples.
– Another example: next
Network Security 5
Prefix Filtering Example
Source: http://www.netkit.org/netkit-labs/netkit-labs_interdomain-routing/netkit-lab_bgp-prefix-filtering/netkit-lab_bgp-prefix-filtering.pdf

  ! Configure router 1 in AS 1:
  router bgp 1
   network 195.11.14.0/24
   network 195.11.15.0/24
   neighbor 193.10.11.2 remote-as 2
   neighbor 193.10.11.2 description Router 2 of AS2
   neighbor 193.10.11.2 prefix-list partialOut out
   neighbor 193.10.11.2 prefix-list partialIn in
  !
  ! only 195.11.14.0/24 is announced to neighbor 193.10.11.2
  ip prefix-list partialOut permit 195.11.14.0/24
  !
  ! all, with the exception of 200.1.1.0/24, is accepted from 193.10.11.2
  ip prefix-list partialIn deny 200.1.1.0/24
  ip prefix-list partialIn permit any
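The two prefix lists above (max24 on the previous slide, partialIn/partialOut here) are evaluated the same way: entries are tried in order, the first entry whose network bits and length range match the route decides, and a route that matches nothing hits the implicit deny. In that syntax, 0.0.0.0/0 ge 8 le 24 does not refer to the default route itself; it matches any prefix whose length lies between /8 and /24. The following Python is an added illustration, not code from Malik's book or from the Netkit lab, that parses prefix-list lines of this shape and applies them to a constructed set of incoming routes; the configuration text and the route samples are constructed for the example.

```python
import ipaddress

# Constructed sample configuration, modelled on the prefix lists on the slides.
PREFIX_LIST_CONFIG = """
ip prefix-list max24 seq 5 permit 0.0.0.0/0 ge 8 le 24
ip prefix-list partialOut permit 195.11.14.0/24
ip prefix-list partialIn deny 200.1.1.0/24
ip prefix-list partialIn permit any
"""


def parse_prefix_lists(config_text):
    """Parse 'ip prefix-list NAME [seq N] permit|deny PREFIX [ge N] [le N]' lines.

    Returns {name: [(action, network, ge, le), ...]} in configuration order;
    ge/le are None when the keyword is absent.
    """
    lists = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["ip", "prefix-list"]:
            continue  # blank lines, comments, unrelated commands
        name, rest = tokens[2], tokens[3:]
        if rest[0] == "seq":
            rest = rest[2:]  # the sequence number only orders entries; we keep file order
        action, prefix = rest[0], rest[1]
        ge = le = None
        for key, value in zip(rest[2::2], rest[3::2]):
            if key == "ge":
                ge = int(value)
            elif key == "le":
                le = int(value)
        if prefix == "any":
            # 'any' is shorthand for 0.0.0.0/0 le 32: every prefix of every length.
            network, ge, le = ipaddress.ip_network("0.0.0.0/0"), 0, 32
        else:
            network = ipaddress.ip_network(prefix, strict=False)
        lists.setdefault(name, []).append((action, network, ge, le))
    return lists


def entry_matches(entry, route):
    """The route must lie inside the entry's network (its leading bits agree) and
    its prefix length must fall in the range implied by ge/le."""
    _action, network, ge, le = entry
    if not route.subnet_of(network):
        return False
    low = ge if ge is not None else network.prefixlen
    if le is not None:
        high = le
    elif ge is not None:
        high = route.max_prefixlen   # 'ge N' alone means N..32
    else:
        high = network.prefixlen     # no ge/le: exact length only
    return low <= route.prefixlen <= high


def prefix_list_permits(plist, route_str):
    """First matching entry wins; an unmatched route hits the implicit deny."""
    route = ipaddress.ip_network(route_str, strict=False)
    for entry in plist:
        if entry_matches(entry, route):
            return entry[0] == "permit"
    return False


def filter_routes(plist, routes):
    """Return the subset of routes the prefix list lets through."""
    return [r for r in routes if prefix_list_permits(plist, r)]


if __name__ == "__main__":
    lists = parse_prefix_lists(PREFIX_LIST_CONFIG)
    incoming = ["10.0.0.0/8", "192.0.2.0/24", "192.0.2.128/25", "0.0.0.0/0", "8.0.0.0/7"]
    print("max24 accepts:", filter_routes(lists["max24"], incoming))
    for r in ["200.1.1.0/24", "200.1.1.0/25", "195.11.14.0/24"]:
        verdict = "permit" if prefix_list_permits(lists["partialIn"], r) else "deny"
        print("partialIn", r, "->", verdict)
```

Running it shows the /25 and the /7 being rejected by max24 along with the bare default route, and one detail of the Netkit list worth knowing: a deny entry without ge/le matches only the exact length, so partialIn rejects 200.1.1.0/24 but still accepts 200.1.1.0/25 through the permit any that follows.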
Network Security 6
Design issues of secure routing
1. network convergence (aka. route convergence)
– depends on many factors
• complexity of the net architecture
• redundancy in the network
• route calculation algorithms and configuration
• loops in the network
– Fast convergence is desirable.
• Problems with a slow-converging network
– can mean a considerable loss of revenue and/or productivity
– may be subject to DoS attacks, because it takes longer to recover from network-disrupting attacks and thus aggravates problems
Network Security 7
Source: http://www.unitest.com/pdf/net_conv.pdf
Network Security 8
Design issues of secure routing
2. static routes
– can be used to hard code information in the routing tables such that this info is unaffected by a network attack or propagated impact from other parts of the network
– Disadvantage? scalability
Network Security 9
Authentication of Router and Routes
• Rationale of authenticating routers and routes:
1. As part of an attack, the attacker may configure his machine or router to share incorrect routing information with the attacked router (AR).
Impacts? Incorrect routing, disabled router, traffic redirection
2. Flood of routing table
e.g., A rogue router may act as a BGP speaker and neighbor, and advertise lots of specific routes into a core router’s routing table.
Impacts? slow or disabled router
Network Security 10
Authentication of Router and Routes
• Solutions?
1. Router authentication: Routers must authenticate each other before sharing information.
• Password-based authentication - Drawback?
• MD5-HMAC - Implications?
2. Route authentication: Integrity of the exchanged routing information must be verified.
• Hashing-based methods, such as MD5-HMAC, can be used to authenticate routes.
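To make the contrast between the two options concrete, the Python below is an added illustration, not code from Malik's book or from any router vendor: a password-authenticated update carries the password in the clear next to the routing data, whereas an MD5-HMAC tag is computed over the update body with a key that never leaves the routers, so a receiver with the same key detects any change to the body and rejects messages from a sender without the key. The update text, the shared key and the sequence-number field (added here for replay protection, in the spirit of the keyed-MD5 schemes used by RIPv2 and OSPF) are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample: the bytes of a routing update as a router would put them on the wire.
UPDATE = b"update: 10.1.0.0/16 metric 2 via 192.0.2.1"
SHARED_KEY = b"example-key-not-for-production"  # constructed placeholder key


def password_authenticated(update, password):
    """Simple password authentication: the password travels in cleartext with the
    update, so anyone who can capture the segment learns it (the slide's 'Drawback?')."""
    return update + b"|pw=" + password


def hmac_authenticated(update, key, sequence):
    """MD5-HMAC authentication: the key stays on the routers; the tag binds the
    update body together with a sequence number so an old message cannot be replayed."""
    body = update + b"|seq=" + str(sequence).encode()
    tag = hmac.new(key, body, hashlib.md5).digest()
    return body, tag


def verify_hmac(body, tag, key, last_sequence_seen):
    """Accept only if the tag recomputes under our key and the sequence number advances."""
    expected = hmac.new(key, body, hashlib.md5).digest()
    if not hmac.compare_digest(expected, tag):
        return False          # wrong key or modified body
    sequence = int(body.rsplit(b"|seq=", 1)[1])
    return sequence > last_sequence_seen


if __name__ == "__main__":
    # Password scheme: the secret is readable by anyone on the path.
    print(password_authenticated(UPDATE, b"cisco123"))

    # HMAC scheme: genuine message passes, a tampered copy and a replay do not.
    body, tag = hmac_authenticated(UPDATE, SHARED_KEY, sequence=7)
    print("genuine:", verify_hmac(body, tag, SHARED_KEY, last_sequence_seen=6))
    tampered = body.replace(b"metric 2", b"metric 1")
    print("tampered:", verify_hmac(tampered, tag, SHARED_KEY, last_sequence_seen=6))
    print("replayed:", verify_hmac(body, tag, SHARED_KEY, last_sequence_seen=7))
    print("wrong key:", verify_hmac(body, tag, b"other-key", last_sequence_seen=6))
```

The implications the slide asks about follow from the code: every router in the exchange must hold the same key (so key distribution and rotation become an operational task), and each update costs a hash computation on both sides.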
Network Security 11
Control/disable directed broadcast
• ‘Directed broadcast’ allows packets to be broadcast to all the machines on the subnet directly attached to a router.
• May be used by attackers to start attacks
smurf attack
• A type of DoS attack
• An attacker sends a ping echo request to the broadcast address on a network, causing all the machines in that segment to send echo replies to the attacked router.
impact: packet flood
Network Security 12
Black Hole Filtering
• Purpose: to filter out undesired traffic, by directing specific routes to a null interface
• An alternative to ACL
• Advantage: no access list processing, which saves processing time
• Disadvantage: Null routing is based on the packets’ destination IP addresses only, while ACL can work on source address, destination address, and layer 4 info as well.
• A weaker form of route filtering
• Example: interface null0
Network Security 13
URPF
• Unicast Reverse Path Forwarding
• Purpose: to thwart attempts to send packets with spoofed source IP addresses
• A mechanism configured on a router to discard outgoing packets with source IP addresses not in the range belonging to its site
• Advantage: A more efficient and effective outgoing packets filtering mechanism than ACL
• Requirement: CEF (Cisco Express Forwarding) must be enabled on that router, because URPF looks at the FIB (forwarding information base) rather than at the routing table.
Network Security 14
URPF (cont.)
• Constraint: cannot be deployed on a router that has asymmetric routes set up.
– In asymmetric routing, more than one interface is used (by a router or firewall) to route packets of a private network. The interface through which the router sends return traffic for a packet may not be the same interface on which the original packet was received.
• In general, URPF is deployed on the edge of a network, allowing the anti-spoofing capabilities to be effective for the entire network.
• Example: ip verify unicast reverse-path
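The following Python is an added illustration, not code from Malik's book or from Cisco, of the two FIB-based mechanisms on these slides: black hole filtering (a destination prefix routed to Null0) and uRPF (the source address is looked up in the same FIB and the packet is dropped when the route back to that source does not match). It models strict mode (the reverse route must leave via the receiving interface, as with ip verify unicast reverse-path) and loose mode (any non-null route suffices), and it reproduces the asymmetric-routing constraint: a legitimate packet that arrives on a different interface than the one the FIB points back to is dropped in strict mode but passes in loose mode. Interface names, prefixes and addresses are constructed; the rule that the default route does not satisfy uRPF unless explicitly allowed mirrors the IOS allow-default keyword and is a simplifying assumption of this model.

```python
import ipaddress

# Constructed FIB for an edge router: (prefix, outgoing interface).
# "Null0" is the null interface used for black hole filtering.
FIB = [
    ("10.1.0.0/16", "Gi0/1"),    # customer A behind interface Gi0/1
    ("10.2.0.0/16", "Gi0/2"),    # customer B behind interface Gi0/2
    ("192.0.2.0/24", "Null0"),   # black-holed destination block
    ("0.0.0.0/0", "Gi0/0"),      # default route towards the upstream provider
]


def fib_lookup(fib, address, allow_default=True):
    """Longest-prefix match; returns the outgoing interface or None."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        return None
    if best[0].prefixlen == 0 and not allow_default:
        return None  # assumption mirroring IOS: without allow-default the default route is ignored
    return best[1]


def urpf_passes(fib, source, in_iface, mode="strict"):
    """Unicast RPF check on a packet's source address.

    strict: the best route back to the source must leave via the arrival interface.
    loose:  any route back to the source is enough, except a route to Null0.
    """
    back_iface = fib_lookup(fib, source, allow_default=False)
    if back_iface is None or back_iface == "Null0":
        return False
    return back_iface == in_iface if mode == "strict" else True


def forward(fib, source, destination, in_iface, mode="strict"):
    """Apply uRPF, then the destination lookup; report what the router does."""
    if not urpf_passes(fib, source, in_iface, mode):
        return "drop: uRPF (%s) failed for source %s on %s" % (mode, source, in_iface)
    out_iface = fib_lookup(fib, destination)
    if out_iface is None:
        return "drop: no route to %s" % destination
    if out_iface == "Null0":
        return "drop: %s is black-holed via Null0" % destination
    return "forward to %s via %s" % (destination, out_iface)


if __name__ == "__main__":
    cases = [
        ("10.1.5.5", "203.0.113.9", "Gi0/1", "strict"),   # genuine customer traffic
        ("10.1.5.5", "203.0.113.9", "Gi0/0", "strict"),   # internal source arriving from upstream: spoofed
        ("10.2.3.3", "203.0.113.9", "Gi0/1", "strict"),   # asymmetric path: strict mode drops it
        ("10.2.3.3", "203.0.113.9", "Gi0/1", "loose"),    # loose mode tolerates the asymmetry
        ("10.1.5.5", "192.0.2.10", "Gi0/1", "strict"),    # destination is black-holed
        ("192.0.2.10", "10.1.5.5", "Gi0/0", "loose"),     # source lies in the null-routed block
    ]
    for src, dst, iface, mode in cases:
        print(forward(FIB, src, dst, iface, mode))
```

The last case is why black hole routes and uRPF are often combined: once a prefix points to Null0, packets to it are discarded by the destination lookup, and packets claiming to come from it fail the reverse-path check, with no access list evaluated on either side.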
Network Security 15
Path Integrity
• Rule of thumb: Routing should be performed based on the optimum paths calculated by the underlying routing protocols. However, the routing protocols may be affected by ICMP redirects and IP source routing when making such calculations.
• ICMP redirects allow a router to inform another router on its local segment not to use a certain hop in its path to a certain host, because including the hop would result in paths that are not optimal.
– ICMP redirects is the default setting on Cisco routers.
– Should be disabled unless absolutely necessary
• IP source routing: next
Network Security 16
Path Integrity (cont.)
• IP source routing: an IP feature, allowing a user to set a field in the IP packet to specify the desired path
• May be used by attackers to subvert the workings of normal routing protocols
• Example: An attacker can specify a router (A) that is attached to both a private and the public network as an intermediate point in the source path to reach a private address (e.g., 10.1.1.1).
• All intermediate routers with IP source routing enabled will forward the packet to router A, causing a DoS attack.
• Advice: disable IP source routing on the router
Network Security 17
Case study 1 - Securing the BGP Routing Protocol
• BGP is an exterior gateway protocol
• Example techniques:
– Enable BGP peer authentication
– Filter incoming routes
– Filter outgoing routes
– Use the network statement to advertise the network block
– Disable BGP multihop feature (that is, do not allow peering between routers not directly connected to each other)
– Control TCP port 179 (the BGP port) using the firewall or ACLs to do the filtering
– Disable BGP version negotiation (instead, hard-code the version info)
– Use police filters and null routes
– Set up BGP route flap dampening values to prevent flapping routes
– Use the maximum-prefix command
– Log changes in neighbor status
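Of the techniques listed, route flap dampening is the one whose behaviour is easiest to misjudge from the configuration values alone, so here is an added Python model of it (an illustration written for this page, not code from Malik's book or from Cisco). Each flap adds a fixed penalty to the prefix, the penalty decays exponentially with a configured half-life, the route is suppressed when the penalty crosses the suppress limit and reinstated when it decays below the reuse limit, and the penalty is capped so that suppression never exceeds the maximum suppress time. The parameter values used are the common IOS defaults (penalty 1000, half-life 15 min, reuse 750, suppress 2000, max-suppress 60 min); the flap timeline is constructed.

```python
class RouteFlapDampener:
    """Per-prefix BGP route flap dampening state (IOS-style default parameters)."""

    PENALTY = 1000.0        # added to the prefix for each flap
    HALF_LIFE = 15.0        # minutes for the accumulated penalty to halve
    SUPPRESS_LIMIT = 2000.0 # suppress the route when the penalty exceeds this
    REUSE_LIMIT = 750.0     # reinstate the route when the penalty decays below this
    MAX_SUPPRESS = 60.0     # minutes: longest a route may stay suppressed

    def __init__(self):
        self.penalty = 0.0
        self.last_update = 0.0   # minutes; time is passed in explicitly for clarity
        self.suppressed = False

    def _decay_to(self, now):
        """Apply exponential decay for the time elapsed since the last update."""
        elapsed = now - self.last_update
        if elapsed > 0:
            self.penalty *= 0.5 ** (elapsed / self.HALF_LIFE)
            self.last_update = now

    def record_flap(self, now):
        """A withdrawal followed by a re-announcement: add the penalty, maybe suppress.
        Returns True if the route is suppressed afterwards."""
        self._decay_to(now)
        # Cap the penalty so that decay back to REUSE_LIMIT never takes longer than MAX_SUPPRESS.
        ceiling = self.REUSE_LIMIT * 2 ** (self.MAX_SUPPRESS / self.HALF_LIFE)
        self.penalty = min(self.penalty + self.PENALTY, ceiling)
        if self.penalty > self.SUPPRESS_LIMIT:
            self.suppressed = True
        return self.suppressed

    def is_usable(self, now):
        """True if the route may be installed and advertised at time 'now' (minutes)."""
        self._decay_to(now)
        if self.suppressed and self.penalty < self.REUSE_LIMIT:
            self.suppressed = False
        return not self.suppressed


if __name__ == "__main__":
    d = RouteFlapDampener()
    for t in (0, 1, 2):   # three flaps a minute apart
        print("flap at %d min -> suppressed: %s (penalty %.0f)" % (t, d.record_flap(t), d.penalty))
    for t in (12, 32):
        print("at %d min usable: %s (penalty %.0f)" % (t, d.is_usable(t), d.penalty))
```

Two flaps a minute apart leave the penalty just under 2000, so suppression only starts on the third; afterwards the prefix stays unusable for roughly half an hour even though it has stopped flapping, which is the trade-off the slide's "set up dampening values" hides.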
Network Security 18
Case Study 2 - Securing the OSPF routing protocol
• The Open Shortest Path First protocol is a hierarchical interior gateway protocol (IGP) for routing
• Example techniques:
– Router authentication
– Nonbroadcast neighbor configuration
– Using stub areas
– Using loopback interfaces as the router IDs
– Tweaking SPF timers
– Route filtering
– …
Network Security 19
Summary
• Security of routers and routes is critical for the security of the whole network.
• The net administrator should configure his routers and routes, not only to protect the private network, but also to help to protect the whole Internet.
• A checklist for infrastructure security: http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/Baseline_Security/appendxD.html