Gateway Protocols-System Security-Lecture Slides, Slides of Cryptography and System Security

This lecture was delivered by Dr. Samarendra Jeethesh at Ankit Institute of Technology and Science for the System Security and Cryptography course. It includes: External, Gateway, Protocol, BGP, Internal, OSPF, ISIS, Netflow, DDoS, DNS, Domain, Name, System

Typology: Slides

2011/2012

Uploaded on 07/17/2012 by pameela
© 2002 Sécurité.Org

Agenda
» Introduction
» External Gateway Protocol : BGP
» Internal Gateway Protocols : OSPF and ISIS
» Netflow based DDoS detection
» MPLS and IPv6
» Conclusion

What « runs » the Internet?
» Key protocols
  > BGPv4 (Border Gateway Protocol)
  > DNS (Domain Name System)
  > A mix of BGP and DNS in all new/recent technologies
    - DNS to store the information in new/extended type of records
    - BGP to distribute the information across the network
» A few large vendors
  > Limited range of ASIC powered devices
  > Some well known software release versions/trains (ie S-train)
» Non-technical stuff : people in the NOCs & coffee :-)

What are the risks, if any? (2)
» Current, new and future type of attacks
  > Misconfiguration is the most common “attack”
  > (D)DoS with spoofed source addresses
    - Kill your network / (IRC) servers
    - Use of routers as reflectors/amplifiers
    - No reliable traceback
  > Short-lived announcements used as source of SPAM/attacks
  > Advanced routing protocols attacks
    - Make your (internal/external) routing protocol unstable
    - Inject new routes/prefixes : MiTM/traffic rerouting attacks
  > Rootkits and Loadable Kernel Modules
    - Take control of a device capable of generating thousands of PPS (packets per second)
    - Control all the routing protocol traffic

BGP : Protocol description
» BGP (Border Gateway Protocol)
  > Current version : 4
  > Listens on port 179/tcp
  > Optional authentication :
    - MD5 : adds an option to TCP (digest based on pseudo-header + header + data + shared password)
  > Point-to-point over directly connected interfaces or multi-hop between (TTL > 1) non adjacent routers
  > Routing information is exchanged in BGP Update message :
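The MD5 option mentioned on this slide is the RFC 2385 TCP MD5 signature. The following Python is an added example (not from the slides): it computes the digest over exactly the fields the slide lists (pseudo-header, TCP header with the checksum zeroed and options excluded, segment data, shared password), carries it in a kind 19 / length 18 option, and verifies it on the receiving side. The BGP KEEPALIVE payload, the 192.0.2.x addresses, ports, sequence numbers and the password are constructed for the demo; `sign_segment`, `verify_segment` and the other names are this example's own, not a real library's API.

```python
import hashlib
import hmac
import ipaddress
import struct

TCP_PROTO = 6
MD5_OPTION_KIND = 19     # TCP option kind assigned by RFC 2385
MD5_OPTION_LEN = 18      # kind (1) + length (1) + digest (16)


def tcp_header(sport, dport, seq, ack, flags, window, data_offset_words):
    """20-byte fixed TCP header; checksum and urgent pointer are zero here."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset_words << 4, flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, header20, payload, password):
    """RFC 2385 digest: pseudo-header + fixed TCP header (checksum = 0, no
    options) + segment data + shared password.  The segment length in the
    pseudo-header covers the header including options plus the data."""
    header_len = (header20[12] >> 4) * 4
    seg_len = header_len + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + b"\x00" + bytes([TCP_PROTO])
              + struct.pack("!H", seg_len))
    zero_cksum_header = header20[:16] + b"\x00\x00" + header20[18:20]
    return hashlib.md5(pseudo + zero_cksum_header + payload + password).digest()


def md5_option(digest):
    """Kind 19 / length 18 option carrying the digest, NOP-padded to 4 bytes."""
    return bytes([MD5_OPTION_KIND, MD5_OPTION_LEN]) + digest + b"\x01\x01"


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                 payload, password):
    """Sender side: fixed header (data offset accounts for the 20 option
    bytes), then the MD5 option, then the payload."""
    header = tcp_header(sport, dport, seq, ack, flags, window, (20 + 20) // 4)
    digest = tcp_md5_digest(src_ip, dst_ip, header, payload, password)
    return header + md5_option(digest) + payload


def verify_segment(src_ip, dst_ip, segment, password):
    """Receiver side: locate the option, recompute the digest over the same
    fields and compare in constant time.  A wrong password or any change to
    the covered header fields or payload makes verification fail."""
    header = segment[:20]
    header_len = (header[12] >> 4) * 4
    options, payload = segment[20:header_len], segment[header_len:]
    received = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return False         # malformed option length
        length = options[i + 1]
        if kind == MD5_OPTION_KIND and length == MD5_OPTION_LEN:
            received = options[i + 2:i + MD5_OPTION_LEN]
        i += length
    if received is None or len(received) != 16:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, header, payload, password)
    return hmac.compare_digest(received, expected)


def demo():
    """Constructed BGP KEEPALIVE (16-byte marker, length 19, type 4) on a
    session between two constructed addresses; returns the three checks."""
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)
    src, dst, secret = "192.0.2.1", "192.0.2.2", b"constructed-shared-secret"
    segment = sign_segment(src, dst, 179, 40000, 1000, 2000, 0x18, 65535,
                           keepalive, secret)
    return (
        verify_segment(src, dst, segment, secret),                 # True
        verify_segment(src, dst, segment, b"wrong-secret"),        # False
        verify_segment(src, dst, segment[:-1] + b"\x00", secret),  # False
    )


if __name__ == "__main__":
    print(demo())
```

Because the digest covers the pseudo-header and the sequence numbers, a segment injected from another address or with a guessed sequence number fails verification even if the password were known; this is why the slides recommend MD5 alongside, not instead of, filtering and a distinct password per peer.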

BGP : Risks
» Where are the risks?
  > Internet Exchanges (“peering points”)
    - All providers are usually connected to the same shared infrastructure (a switch for example)
    - The filtering policy is usually more “relaxed” for peerings
    - Some major ones, no real (geo)diversity anymore
  > Your direct {up,down}stream(s)
  > Route reflectors
  > Multi-hop configurations (Man-in-the-middle attack)
  > Less likely : some backbone router “out there” in the Internet or some hops away
» What is never “verified”
  > Origin-AS/prefix relation, “true” AS_path, source authenticity, etc

BGP : Attacks (1)
» Information gathering
  > Find the eBGP peers :
    - “Forward” and “reverse” traceroute / ICMP Record Route
    - Public route-servers and looking glasses
    - Directly adjacent IPs
    - IPs often used for loopback interfaces (.1+, .254-)
    - SNMP
  > Session parameters may be required :
    - Source/destination ports (ie. which router initiated the connection)
    - Right TTL

BGP : Attacks (3)
» Attacks against the network
  > Attacks playing with BGP parameters (local-pref, MEDs, communities) ?
  > Make your BGP sessions flap : make you or other destinations unreachable
  > Announce “more specific routes” of large blocks to increase the number of prefixes in the global routing table and eat up memory on all routers
  > Announce or “remove” some routes/prefixes or change their attributes
  > Direct all the traffic to a blackhole, direct it to a specific network (DDoS), create loops, etc.

BGP : Sequence number prediction
» ISN problems on Cisco routers
  [figure: ISN distribution, panel “Vulnerable IOS”]
  [figure: ISN distribution, panel “Less” vulnerable IOS]
  > “Fixed” as of 12.0(15) and 12.1(7)
  > ISNs are (still) time dependent
  Source : http://razor.bindview.com/publish/papers/tcpseq.html

BGP : Filtering policy
» Filtering recommendations
  > Don’t accept to have only /24
  > Never accept, announce or redistribute prefixes that are longer than /24 or de-aggregated blocks
  > Use maximum-prefix (ie “full routing table” is currently ~110K-114K routes)
  > Only accept the customer’s allocated prefixes
  > Don’t filter on AS_path only, but also prefixes (customer may announce a more specific route): this is the same as in/egress filtering of IP addresses !
  > Filter bogon and non-allocated networks
  > Should you really accept/announce a default route in BGP ?
  > Have ingress and egress filters to limit the prefixes you receive/send

BGP : Ingress/egress filtering (1)
» What you should never route/see/allow through
  > RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  > 0.0.0.0/x, 127.0.0.0/8
  > 169.254.0.0/16 (auto-configuration when no DHCP)
  > 192.0.2.0/24 (Netname: TEST-NET, like example.com)
  > 192.88.99.0/24 (RFC 3048, used by 6to4 routers)
  > Multicast blocks (D Class) and Martian networks (E+)
  > “Hijacked” space by some vendors (192.0.0.192 for printers)
  > (ARIN) Reserved blocks (bogon networks)
  > Packets to broadcast addresses or where source == destination
» What you should route/let through
  > Your network prefixes (anti-spoofing)
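The two filtering slides above (“Filtering policy” and “Ingress/egress filtering (1)”) describe one ingress policy: reject the default route, anything longer than /24, anything overlapping a bogon block, anything outside the customer's allocation, and tear the session down past a maximum-prefix count. The Python below is an added example of that policy as a model, not code from the slides or from any router vendor. The bogon list is the slide's own 2002 list (D class and E+ written as 224.0.0.0/4 and 240.0.0.0/4); the customer AS 65001, its 198.51.100.0/23 allocation and the limit of 2 are constructed for the demo, and `check_prefix` and `PeerSession` are this example's own names.

```python
import ipaddress

# Blocks from the slide that must never be accepted, announced or routed.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16",
    "224.0.0.0/4",   # multicast ("D class")
    "240.0.0.0/4",   # Martian / reserved ("E+")
)]
MAX_PREFIX_LEN = 24          # never accept anything longer than /24

# Constructed customer allocations, keyed by the customer's AS number.
ALLOCATIONS = {
    65001: [ipaddress.ip_network("198.51.100.0/23")],
}


def check_prefix(prefix, origin_as):
    """Return (accept, reason) for one prefix received from a customer peer."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"
    if net.version != 4:
        return False, "IPv4 policy only"
    if net.prefixlen == 0:
        return False, "default route is not accepted from peers"
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, f"more specific than /{MAX_PREFIX_LEN}"
    for bogon in BOGONS:
        if net.overlaps(bogon):
            return False, f"overlaps bogon {bogon}"
    # Filter on the prefix itself, not only on AS_path: a customer announcing
    # a more specific of someone else's block is still rejected here.
    allowed = ALLOCATIONS.get(origin_as, [])
    if not any(net.subnet_of(alloc) for alloc in allowed):
        return False, f"not allocated to AS{origin_as}"
    return True, "accepted"


class PeerSession:
    """Counts accepted prefixes and enforces a maximum-prefix limit the way
    the slide's 'maximum-prefix' recommendation does: once the limit is
    exceeded the session goes down instead of eating router memory."""

    def __init__(self, origin_as, maximum_prefix):
        self.origin_as = origin_as
        self.maximum_prefix = maximum_prefix
        self.accepted = set()
        self.up = True
        self.log = []            # (prefix, reason) for every announcement seen

    def receive(self, prefix):
        if not self.up:
            return False, "session down"
        ok, reason = check_prefix(prefix, self.origin_as)
        self.log.append((prefix, reason))
        if ok:
            self.accepted.add(prefix)
            if len(self.accepted) > self.maximum_prefix:
                self.up = False
                return False, "maximum-prefix exceeded, session torn down"
        return ok, reason


if __name__ == "__main__":
    session = PeerSession(65001, maximum_prefix=2)
    for p in ("198.51.100.0/24", "10.1.0.0/16", "198.51.100.0/25",
              "0.0.0.0/0", "198.51.101.0/24", "198.51.100.0/23"):
        print(p, session.receive(p))
```

The `log` list is the part a defender keeps: rejected announcements from a customer are the early warning for misconfiguration, which the “risks” slide calls the most common “attack”.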

BGP : Security recommendations (1)
» Security measures
  > Log changes (and think about using IPsec -- CPU and $)
  > Use MD5, but not the same password with all the peers
  > Filter and limit the number of prefixes, filter the AS_path
  > Use a “secondary” or “loopback” IP address for the eBGP session to hide part of the eBGP session details
  > Protect routes towards Root Servers (.{root, gtld}-servers.net) : exclude them from the route dampening
  > Filtering and routing policies are important, but don’t forget:
    - to harden your router configuration
    - to use secure in and out-of-band management and monitoring tools/protocols
    - that physical access to the router gives “full rights” (peering points/data centers)

BGP : Security recommendations (2)
» Security measures

  router bgp 65000
   no bgp dampening
   bgp dampening route-map dampening-list
   bgp log-neighbor-changes
   network x.x.x.x
   neighbor y.y.y.y remote-as 65001
   neighbor y.y.y.y password
   neighbor y.y.y.y version 4
   neighbor y.y.y.y prefix-list theirnetworks in
   neighbor y.y.y.y prefix-list ournetworks out
   neighbor y.y.y.y maximum-prefix 120000
   neighbor y.y.y.y route-map ourASpath out
  ip prefix-list ournetworks seq 5 permit x.x.x.x/y
  ip prefix-list ournetworks seq 10 deny 0.0.0.0/0 le 32
  ip prefix-list theirnetworks seq 5 permit x.x.x.x/y
  ip prefix-list protected-prefixes permit x.x.x.x/y
  ip prefix-list permit x.x.x.x/y
  ip as-path access-list 99 permit ^( )*$
  route-map ourASpath permit 10
   match as-path 99
  route-map dampening-list deny 10
   match ip address prefix-list protected-prefixes
  route-map dampening-list permit 20
   match ip address prefix-list <other prefix-list>
   set dampening <your dampening parameters>

BGP : Future (2)
» Working Groups
  > IETF
    - rpsec (Routing Protocol Security Requirements)
    - ptomaine (Prefix Taxonomy Ongoing Measurement & InterNetwork Experiment)
    - msec (Multicast Security)
  > RIPE : Routing Working Group
  > IRTF : Group Security (GSEC, formerly Secure Multicast Group)
» Don’t forget router “host” security!
» Forensics (who used to announce which prefix)
  > Route information stored inside DBs at large peering points or by large providers

OSPF : Protocol description
» OSPF (Open Shortest Path First)
  > Protocol type 89
  > Multicast traffic : “easy” to inject LSAs (Link State Advertisement)
  > Active adjacencies between all the routers and the (B)DRs (DR/BDR status is based on Router ID and priority)
  > SPF (Shortest Path First) recalculation takes time and CPU

[figure: OSPF topology showing Backbone area (Area 0), Area 1, Area 2, a Designated Router (DR), a Backup Designated Router (BDR), an Area Border Router (ABR), an Autonomous System Border Router (ASBR) and a network running another IGP]
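The slide notes that DR/BDR status is decided by Router ID and priority. As an added example (not from the slides), the Python below models the initial election on one broadcast segment: priority 0 is ineligible, the highest priority wins, and a tie goes to the highest Router ID. It is a simplification of RFC 2328 (the real procedure also keeps an incumbent DR in place and elects the BDR first), written to show why pinning priority on the routers that must hold the DR/BDR roles, and setting priority 0 on everything else, keeps an unexpected neighbour from winning the election. The 10.0.0.x Router IDs and priorities are constructed; `elect_dr_bdr` is this example's own name.

```python
import ipaddress


def elect_dr_bdr(neighbors):
    """Simplified initial election on a segment with no DR/BDR yet.
    neighbors: dict of Router ID (dotted quad) -> priority (0-255).
    Returns (dr, bdr); either is None when too few routers are eligible."""
    eligible = sorted(
        ((prio, int(ipaddress.IPv4Address(rid)), rid)
         for rid, prio in neighbors.items() if prio > 0),
        reverse=True)
    dr = eligible[0][2] if eligible else None
    bdr = eligible[1][2] if len(eligible) > 1 else None
    return dr, bdr


def demo():
    """Constructed segment: three routers at the default priority 1 and one
    with priority 0 (a device that must never become DR/BDR)."""
    segment = {"10.0.0.1": 1, "10.0.0.2": 1, "10.0.0.3": 1, "10.0.0.250": 0}
    baseline = elect_dr_bdr(segment)            # ('10.0.0.3', '10.0.0.2')
    # With every router at the same priority, a neighbour that appears with a
    # higher priority takes the DR role regardless of its Router ID ...
    segment["10.0.0.9"] = 100
    changed = elect_dr_bdr(segment)             # ('10.0.0.9', '10.0.0.3')
    # ... whereas the intended DR/BDR pair keeps its roles once their
    # priorities are pinned above anything else on the segment.
    segment["10.0.0.3"], segment["10.0.0.2"] = 255, 254
    pinned = elect_dr_bdr(segment)              # ('10.0.0.3', '10.0.0.2')
    return baseline, changed, pinned


if __name__ == "__main__":
    print(demo())
```

Each DR change forces every router on the segment to form new adjacencies and re-flood LSAs, which is exactly the SPF recalculation cost the last bullet of the slide warns about.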
