– Chapter 4 – Secure Routing

1
Chapter 4 Secure Routing

• Build security into the design of routing
• router authentication
• route authentication
• control directed broadcast
• black hole filtering
• URPF
• Path integrity
• 2 Case studies

2
Design issues of secure routing

• Route filtering
• When designing a private network, it is important
  to ensure that route filtering is used to
  filter out any bogus or undesired routes coming
  into the private net.
• Examples special addresses (p.82)
• It is equally important to ensure that the only
  networks advertised by the private network are
  those desired.
• To ensure that IP address blocks belonging to a
  private network are not allowed to be advertised
  back into the network from outside.
• net police filtering (aka. prefix filtering)
  next

3
Design issues of secure routing

• Prefix Filtering
• No routes with prefixes more specific than /20
  (or up to /24) are allowed to come in.
• To ensure that an attack cannot be staged on a
  large ISPs router by increasing the size of its
  routing tables
• Routes more specific than /20 are often not
  needed by large ISPs, so those routes can be
  filtered out to keep its routing table from
  getting out of control.
• Example p.93 (incoming route filtering in a BGP
  router)
• Another example next

4
Prefix Filtering Examplehttp//www.netkit.org/sof
tware/netkit_labs/bgp/lab-bgp-3-prefix-filtering/n
etkit-lab-bgp-3-prefix-filtering.pdf
5
Prefix Filtering Examplehttp//www.netkit.org/sof
tware/netkit_labs/bgp/lab-bgp-3-prefix-filtering/n
etkit-lab-bgp-3-prefix-filtering.pdf

• ! only 195.11.14.0/24 is announced to neighbor
  193.10.11.2
• ! all, with the exception of 200.1.1.0/24, is
  accepted from 193.10.11.2
• router bgp 1
• network 195.11.14.0/24
• network 195.11.15.0/24
• neighbor 193.10.11.2 remote-as 2
• neighbor 193.10.11.2 description Router 2 of AS2
• neighbor 193.10.11.2 prefix-list partialOut out
• neighbor 193.10.11.2 prefix-list partialIn in
• !
• ip prefix-list partialOut permit 195.11.14.0/24
• !
• ip prefix-list partialIn deny 200.1.1.0/24
• ip prefix-list partialIn permit any

6
Design issues of secure routing

• network convergence
• depends on many factors
• complexity of the net architecture
• redundancy in the network
• route calculation algorithms and configuration
• loops in the network
• Fast convergence is desirable.
• Problems with a a slow-converging network
• can mean a considerable loss of revenue and/or
  productivity
• may be subject to DoS attacks, because it takes
  longer to recover from network-disrupting attacks
  and thus aggravates problems

7
Design issues of secure routing

• static routes
• discussed earlier (example 3-1)
• can be used to hard code information in the
  routing tables such that this info is unaffected
  by a network attack or propagated impact from
  other parts of the network
• Disadvantage? scalability

8
Authentication of Router and Routes

• Rationale of authenticating routers and routes
• As part of an attack, the attacker may configure
  his machine or router to share incorrect routing
  information with the attacked router (AR).
• Impacts?
• Incorrect routing, disabled router, traffic
  redirection
• Flood of routing talbe
• e.g., A rogue router may act as a BGP speaker
  and neighbor, and advertises lots of specific
  routes into a core routers routing table.
• Impacts?
• slow or disabled router

9
Authentication of Router and Routes

• Solutions?
• Router authentication Routers must authenticate
  each other before sharing information.
• Password-based authentication - Drawback?
• MD5-HMAC - Implications?
• Route authentication Integrity of the exchanged
  routing information must be verified.
• Hashing-based methods, such as MD5-HMAC, can be
  used to authenticate routes.
• Figure 4-1
• Examples 4-1, 4-2, 4-3

10
Control/disable directed broadcast

• Directed broadcast allows packets to be
  broadcast to all the machines on the subnet
  directly attached to a router.
• May be used by attackers to start attacks
• e.g., smurf attack
• A type of DoS attack
• Figure 21-3
• An attacker sends a ping echo request to the
  broadcast address on a network, causing all the
  machines in that segment to send echo replies to
  the attacked router. ? impact packet flood

11
Black Hole Filtering

• Purpose to filter out undesired traffic, by
  directing specific routes to a null interface
• An alternative to ACL
• Advantage no access list processing ? save
  processing time
• Disadvantage Null routing is based on the
  packets destination IP addresses only, while ACL
  can work on source address, destination address,
  and layer 4 info as well.
• A weaker form of route filtering
• Example 4-5 interface null0

12
URPF

• Unicast Reverse Path Forwarding
• Purpose to thwart attempts to send packets with
  spoofed source IP addresses
• A mechanism configured on a router to disable
  outgoing packets with source IP addresses not in
  the range belonging to its site
• Advantage A more efficient and effective
  outgoing packets filtering mechanism than ACL
• Requirement CEF (Cisco Express Forwarding) must
  be enabled on that router, because URPF looks at
  the FIB (forwarding information base) rather than
  the the routing table.
• Example Figure 4-2

13
URPF (cont.)

• Constraint can not be deployed on a router that
  has asymmetric routes set up.
• In asymmetric routing, more than one interface is
  used (by a router or firewall) to route packets
  of a private network. ? The interface through
  which the router sends return traffic for a
  packet may not be the same interface on which the
  original packet was received.
• In general, URPF is deployed on the edge of a
  network. ? allowing the antispoofing capabilities
  to be effective to the entire network
• Example 4-6 ip verify unicast reverse-path

14
Path Integrity

• Rule of thumb Routing should be performed based
  on the optimum paths calculated by the underlying
  routing protocols. ? However, the routing
  protocols may be affected by ICMP redirects and
  IP source routing when making such calculations.
• ICMP redirects allows a router to inform another
  router on its local segment not to use certain
  hop in its path to certain host. ? because
  including the hop will result in paths thats not
  optimal
• ICMP redirects is the default setting on Cisco
  routers.
• Should be disabled unless absolutely necessary
• IP source routing next

15
Path Integrity (cont.)

• IP source routing an IP feature allowing a user
  to set a field in the IP packet to specify the
  desired path
• May be used by attackers to subvert the workings
  of normal routing protocols
• Example An attacker can specify a router (A)
  that is attached to both a private and the public
  network as an intermediate point in the source
  path to reach a private address (e.g., 10.1.1.1).
  
• All intermediate routers, with IP source routing
  enabled, will forward the packet to router A. ?
  causing DoS attack
• Advice disable IP source routing on the router

16
Case study 1Securing the BGP Routing Protocol

• an exterior gateway protocol
• Example techniques
• Enable BGP peer authentication
• Filter incoming routes
• Filter outgoing routes
• Use the network statement to advertise the
  network block
• Disable BGP multihop feature (that is, do not
  allow peering between routers not directly
  connected to each other)
• Control TCP port 179 ? using the firewall or ACLs
  to do the filtering
• Disable BGP version negotiation (instead,
  hard-code the version info)
• Use police filters and null routes
• Set up route dampening values ? to prevent
  flapping routes
• Use the maximum-prefix command
• Logging changes in neighbor status

17
Case Study 2 Securing the OSPF routing protocols

• an interior gateway protocol
• Example techniques
• Router authentication
• Nonbroadcast neighbor configuration
• Using stub areas
• Using loopback interfaces as the router Ids
• Tweaking SPF timers
• Route filtering

18
Summary

• Security of routers and routes is critical for
  the security of the whole network.
• The net administrator should configure his
  routers and routes, not only to protect the
  private network, but also to help to protect the
  whole Internet.
• Next security of LAN switching