6. Routing

  • Slide note (glossary): Confidentiality: secrecy, confidentiality. Audit: auditing, inspection. Privacy: secrecy, discretion.
  • Transcript

    • 1. Course 3: Network Security, Section 6
      • Pascal Meunier, Ph.D., M.Sc., CISSP
      • May 2004; updated July 30, 2004
      • Developed thanks to the support of Symantec Corporation,
      • NSF SFS Capacity Building Program (Award Number 0113725) and the Purdue e-Enterprise Center
      • Copyright (2004) Purdue Research Foundation. All rights reserved.
    • 2. Course 3 Learning Plan
      • Architecture
      • Physical and link layer
      • Network layer
      • Transport layer
      • Application layer: DNS, RPC, NFS
      • Application layer: Routing
      • Wireless networks
      • More secure protocols: DNSSEC, IPSEC, IPv6
    • 3. Learning objectives
      • Understand how routing works, and its purpose
      • Understand why the IP source routing option is dangerous
      • Understand the algorithms used by the various routing protocols
      • Understand how the algorithms can be attacked
      • Be able to discuss the advantages and disadvantages of the various algorithms
    • 4. Routing Outline
      • Distance vector algorithms
        • RIP
          • Intra-domain routing
      • Path vector protocols
        • BGP
          • Inter-domain routing
      • Link State protocols
        • OSPF
    • 5. Definitions
      • A router connects two or more networks and forwards packets at the network layer (IP)
        • Where to is based on "routes"
        • Routes can be static, or calculated by using a routing protocol
      • Router and gateway are synonyms
      • Autonomous System
        • "A set of routers under a single technical administration, using an interior gateway protocol and common metrics to route packets within the AS, and using an exterior gateway protocol to route packets to other ASs"
        • Encapsulates a set of networks as a single entity, regardless of what happens inside
    • 6. Secure Routing Requirements
      • Routing information must have:
        • Integrity
        • Authenticity
        • Authorization
        • Timeliness
          • Resist replay attacks
    • 7. Source Routing
      • IP option to specify the routes a packet should take
        • In the IP header
          • Data controlled by sender
      • Options:
        • Strict Source Route
          • Exact sequence of routers to use
        • Loose Source Route
          • Specify some routers packets should go through
        • Record Route
          • Figure out which routes a packet takes
      • Return route must be saved and used on all further communications (e.g., TCP segments)
    • 8. Source Routing Attacks
      • An attacker can send a packet specifying the return route
        • The attacker may control one of the "routers" on the return route
        • Attacker needs to send a single valid packet for that new route to be used for the entire TCP connection
          • Initial sequence number just has to be guessed correctly once
            • TCP session sniffing
            • Man-in-the-middle attack
              • On-the-fly packet modification
              • Dropping packets selectively, or all packets
        • TCP IP spoofing
          • Three-way handshake possible because the attacker gets the replies through the specified router
    • 9. Private IP addresses
      • As discussed when presenting the IP protocols, some IP addresses are supposed to be private
        • e.g., 192.168.x.y
      • Source routing could allow contacting hosts on internal networks
        • Even if they are supposedly shielded by NAT devices
    • 10. Exploit Tools
      • "lsrtunnel" allows spoofing the IP address in a TCP session
        • See http://www.synacklabs.net/projects/lsrtunnel/
      • "lsrscan" scans hosts to find out which ones do loose source routing
        • See http://www.synacklabs.net/projects/lsrscan/
    • 11. Defense
      • Most routers now have an option to disregard source routing options
        • Routers decide which route to use
      • Applications can force the overriding of source routing options
        • Good idea for secure programming
        • RFC 1122
      • Windows 98, 2000, XP respond to source route packets by reversing the route by default
        • Will forward packets if it has multiple network interfaces
        • Need to edit registry (possible since Windows NT 4.0, see Microsoft knowledge base article 217336)
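As an added example, not from the slides or any router or OS implementation, a Python check that implements the "disregard source routing" policy on a raw IPv4 header: it walks the IP options with strict length checks, flags Loose (type 131) and Strict (type 137) Source Route options and reports the hop list, so a filter or IDS can drop or log such packets. The header builder, the option bytes and the addresses are constructed test input; option type codes are those of RFC 791.

```python
import socket
import struct

# IPv4 option type codes (RFC 791): loose/strict source route, record route
LSRR, SSRR, RR = 131, 137, 7

def parse_ipv4_options(packet):
    """Return [(type, data)] for every option in the IPv4 header of `packet`.
    Length checks matter: a malformed option must not be able to run the
    parser past the header or into an endless loop."""
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    options, i = [], 20
    while i < ihl:
        kind = packet[i]
        if kind == 0:            # End of Option List
            break
        if kind == 1:            # No-Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option without length byte")
        length = packet[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        options.append((kind, packet[i + 2:i + length]))
        i += length
    return options

def route_hops(data):
    """Hop list of an LSRR/SSRR/RR option: data = pointer byte + 4-byte addresses."""
    addrs = data[1:]
    return [socket.inet_ntoa(addrs[j:j + 4]) for j in range(0, len(addrs) - len(addrs) % 4, 4)]

def check_packet(packet):
    """Policy: drop any packet carrying a source-route option. Returns (verdict, reason)."""
    for kind, data in parse_ipv4_options(packet):
        if kind in (LSRR, SSRR):
            name = "LSRR" if kind == LSRR else "SSRR"
            return "drop", "%s via %s" % (name, route_hops(data))
    return "accept", "no source-route option"

# --- constructed test input (addresses from the documentation ranges) ---
def build_ipv4(src, dst, options=b""):
    """Minimal IPv4 header with no payload; checksum left 0 since nothing sends it."""
    options += b"\x00" * (-len(options) % 4)          # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options),
                         0, 0, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + options

def lsrr_option(hops):
    """Loose Source Route option: type 131, length, pointer (4 = first address), addresses."""
    body = b"".join(socket.inet_aton(h) for h in hops)
    return bytes([LSRR, 3 + len(body), 4]) + body

if __name__ == "__main__":
    print(check_packet(build_ipv4("192.0.2.10", "198.51.100.20")))
    print(check_packet(build_ipv4("192.0.2.10", "198.51.100.20",
                                  lsrr_option(["203.0.113.1", "198.51.100.20"]))))
```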
    • 12. ICMP Router Discovery Protocol
      • Already discussed under ICMP
      • "Trust me, I'm a gateway" messages
        • No form of authentication
        • Enabled by default on DHCP clients running Microsoft
          • Windows 95, 98, 98 SE, 2000 machines
        • By spoofing IRDP Router Advertisements, an attacker can remotely add default route entries to a remote system
          • The default route entry added by the attacker will be preferred over the default route obtained from the DHCP server.
          • Windows 2000 is less vulnerable as it is impossible to give it a route that is preferred over the default route obtained via DHCP
    • 13. ICMP Attacks
      • Hosts trusting ICMP messages are vulnerable to the same kinds of attack enabled by source routing
      • Exploit tool: "rdp" (L0pht)
        • See http://24.237.160.4/files/networking/rdp.txt
        • Download: http://www.zone-h.org/en/download/category=28/
    • 14. Distance Vector Protocols
      • Routers exchange distance information
      • Routers keep the least expensive routes, and share that information
      • Problems:
        • Trust and robustness issue:
          • pre-processed second-hand information is accepted
        • Distance-vector algorithms are not robust vs. unreliable (noisy) or malicious information.
        • Loops
          • See next slide
    • 15. Loops in Distance-Vector Algorithms
      • Imagine Alice, Bob and Charlie connected in a triangle
      • Alice is connected to Dean
        • Bob and Charlie record a cost of two hops to send packets to Dean
      • Alice loses the connection
        • Charlie decides to use the route to Dean through Bob
          • Alice decides to use the route to Dean through Charlie
            • Bob notices the cost to Dean through Alice increased
              • Loop with updated, ever increasing costs
      [Figure: Alice, Bob and Charlie connected in a triangle; Dean attached to Alice]
    • 16. Avoiding Loops
      • Defense: "Counting to infinity" detection
        • Maximum distance value
          • Infinity is 16
      • Split horizon
        • Don't advertise a route back to the router that made the route possible
          • Prevents two-computer loops
            • Previous loop example was with split horizon
      • Other heuristics
        • Poisoned reverse
          • Advertise routes back to the router that made the routes possible, but with infinite (16) cost to speed convergence
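As an added example, not part of the lecture, a small Python simulation of the triangle from the previous slide (Alice, Bob, Charlie, with Dean hanging off Alice) using synchronous distance-vector rounds, a cost of one hop per link and 16 as infinity. It shows that the 16 cap is what finally ends the count, that split horizon with poisoned reverse settles a two-router loop in one round, and that it does not cure the three-router loop. The node names, the synchronous-update model and the comparison chain are assumptions of the example.

```python
INF = 16  # RIP "infinity": a metric of 16 means unreachable

def build_adjacency(edges):
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def run_rounds(adj, dest, table, poison, max_rounds=100):
    """Synchronous distance-vector rounds until no entry changes.
    table maps node -> [metric, next_hop] for `dest`; every link costs 1 hop.
    Returns the number of rounds in which some router changed its route."""
    for rnd in range(1, max_rounds + 1):
        adv = {}
        for node, (metric, next_hop) in table.items():
            for nb in adj[node]:
                # Poisoned reverse: to the neighbor we route through, advertise
                # the destination as unreachable instead of the real metric.
                adv[(node, nb)] = INF if poison and next_hop == nb else metric
        changed = False
        for node in adj:
            if node == dest:
                continue
            best = [INF, None]
            for nb in sorted(adj[node]):
                candidate = min(INF, 1 + adv[(nb, node)])
                if candidate < best[0]:
                    best = [candidate, nb]
            if best != table[node]:
                table[node] = best
                changed = True
        if not changed:
            return rnd - 1
    return max_rounds

def simulate_link_loss(edges, dest, lost, poison):
    """Converge, cut link `lost`, reconverge. Returns (rounds, final metrics)."""
    adj = build_adjacency(edges)
    table = {n: [INF, None] for n in adj}
    table[dest] = [0, None]
    run_rounds(adj, dest, table, poison)
    a, b = lost
    adj[a].discard(b)
    adj[b].discard(a)
    for x, y in ((a, b), (b, a)):
        if table[x][1] == y:          # route used the lost link: now unreachable
            table[x] = [INF, None]
    rounds = run_rounds(adj, dest, table, poison)
    return rounds, {n: table[n][0] for n in adj if n != dest}

TRIANGLE = [("Alice", "Bob"), ("Bob", "Charlie"), ("Alice", "Charlie"), ("Alice", "Dean")]
CHAIN = [("Bob", "Alice"), ("Alice", "Dean")]   # two-router case for comparison

if __name__ == "__main__":
    for name, edges in (("triangle", TRIANGLE), ("chain", CHAIN)):
        for poison in (False, True):
            print(name, "poisoned reverse" if poison else "plain",
                  simulate_link_loss(edges, "Dean", ("Alice", "Dean"), poison))
```

With these parameters both triangle runs take 14 rounds to reach 16 everywhere, while the chain converges in 1 round with poisoned reverse against 14 without.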
    • 17. Distance Vector
      • a.k.a. Routing by rumor
      • Routers are advertising routes they are not directly connected to
      • Slow convergence
      • Doesn’t scale well
    • 18. RIP: Routing Information Protocol
      • RFC 1058 (version 1)
      • UDP Port 520
      • Message format (RFC 1058):
         0                   1                   2                   3 3
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        | command (1)   | version (1)   |      must be zero (2)         |
        +---------------+---------------+-------------------------------+
        | address family identifier (2) |       must be zero (2)        |
        +-------------------------------+-------------------------------+
        |                         IP address (4)                        |
        +---------------------------------------------------------------+
        |                        must be zero (4)                       |
        +---------------------------------------------------------------+
        |                        must be zero (4)                       |
        +---------------------------------------------------------------+
        |                          metric (4)                           |
        +---------------------------------------------------------------+
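As an added example, not from the slides or any RIP implementation, a Python encoder and parser for the RIPv1 message layout above. The parser lists every reason a receiver should discard a message under RFC 1058 (nonzero must-be-zero fields, metrics outside 1..16, truncated entries), which is the validation a monitor for the UDP/520 traffic would apply before trusting an advertisement. The sample packets are constructed inline.

```python
import socket
import struct

RIP_HEADER = struct.Struct("!BBH")      # command, version, must be zero
RIP_ENTRY = struct.Struct("!HHIIII")    # AFI, zero, IP address, zero, zero, metric
COMMANDS = {1: "request", 2: "response"}
AF_INET = 2
INFINITY = 16                           # metric 16 means unreachable

def build_packet(command, entries):
    """Constructed RIPv1 message; entries are (dotted-quad, metric) pairs."""
    body = b"".join(
        RIP_ENTRY.pack(AF_INET, 0, struct.unpack("!I", socket.inet_aton(ip))[0], 0, 0, metric)
        for ip, metric in entries)
    return RIP_HEADER.pack(command, 1, 0) + body

def parse_packet(data):
    """Decode a RIPv1 message and collect every reason to discard it.
    Returns (header, entries, problems); an empty problems list means valid."""
    problems = []
    if len(data) < RIP_HEADER.size:
        return None, [], ["truncated header"]
    command, version, zero = RIP_HEADER.unpack_from(data, 0)
    header = {"command": COMMANDS.get(command, command), "version": version}
    if command not in COMMANDS:
        problems.append("unknown command %d" % command)
    if version != 1:
        problems.append("not a version 1 message")
    if zero:
        problems.append("header must-be-zero field is nonzero")
    body = data[RIP_HEADER.size:]
    if len(body) % RIP_ENTRY.size:
        problems.append("body is not a whole number of 20-byte entries")
    entries = []
    for i in range(len(body) // RIP_ENTRY.size):
        afi, z1, ip, z2, z3, metric = RIP_ENTRY.unpack_from(body, i * RIP_ENTRY.size)
        entries.append({"afi": afi, "ip": socket.inet_ntoa(struct.pack("!I", ip)), "metric": metric})
        # AFI 0 is legal only in a request for the whole routing table
        if afi != AF_INET and not (command == 1 and afi == 0):
            problems.append("entry %d: unexpected address family %d" % (i, afi))
        if z1 or z2 or z3:
            problems.append("entry %d: must-be-zero field is nonzero" % i)
        if not 1 <= metric <= INFINITY:
            problems.append("entry %d: metric %d outside 1..16" % (i, metric))
    return header, entries, problems

if __name__ == "__main__":
    good = build_packet(2, [("192.168.1.0", 2), ("10.0.0.0", INFINITY)])
    print(parse_packet(good))
    print(parse_packet(build_packet(2, [("172.16.0.0", 0)]))[2])   # metric 0 is invalid
```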
    • 19. Black Hole Routing: Incidents at Purdue and MAI Virginia
      • Students in networking class started advertising that they had the fastest route to anywhere, so internet traffic was redirected to CS Dept!
      • MAI Router bug produced the same effect as above and caused the internet to disconnect (1997)
      • Illustrated the need for increased robustness
      • Result: access control based on IP address was suggested, but it is not part of the protocol...
        • defeated by IP spoofing (trivial with UDP messages)
    • 20. Attacks on Distance-Vector Algorithms
      • Malicious router can:
        • Advertise 0-cost to some networks but not forward
          • DoS for some routes
      • Mallory can create fake messages with UDP spoofing
        • Create loops
        • Send all traffic to one router
        • Make counting to infinity (16) take infinity by resetting the count every so often...
        • Send messages saying that router A is unable to reach its own networks, to other routers...
    • 21. MIM Routing Attack
      • Send a message to all gateways, saying the gateway to network A has made network A unreachable
      • Send another message advertising that you can reach network A cheaply
        • You will start receiving all traffic for network A
      • Forward the traffic to the original gateway, after doing whatever you want to do with it
    • 22. FIRP Attack
      • “Faulty Intermediate Router Problem”
      • In distance vector algorithms, a node sends aggregated and processed information from other nodes, which subsequent nodes have to trust
      • Router makes faulty calculations, by accident or on purpose
      • How much can a single FIRP affect routing?
        • Devastating to distance-vector algorithms
    • 23. RIP V. 2
      • RFC 2453
      • Adds authentication via a shared password
        • 16 octets
        • plain text (can be sniffed)
      • Weakest point of failure still brings down the protocol (black hole routing, FIRP problem)
      • Access control recommended but not specified
    • 24. Path Vector Protocols
      • Add policies (rules) on top of distance vector algorithms, to dynamically vary the costs, reject paths, or even choose a non-optimal path
      • Cost is number of Autonomous Systems, not number of routers as for distance-vector protocols (RIP)
      • Can diverge due to reactionary changes in policies, resulting in unstable routes
    • 25. BGP: Border Gateway Protocol
      • Inter-Autonomous System routing protocol
      • Uses TCP (or any reliable transport mechanism)
        • Port 179
      • RFC 1771 (BGP-4)
        • Optional authentication field
          • Various authentication options
        • Authentication is only in the "OPEN" message
          • Connection can be hijacked afterwards
            • TCP session hijacking
    • 26. BGP Connections
      • Once a connection to another BGP router has been established, it is expected to remain open and stable
        • If it closes:
          • All resources for that BGP connection are deallocated.
          • Routing table entries associated with the remote peer are marked as invalid.
          • The fact that the routes have become invalid is passed to other BGP peers before the routes are deleted from the system.
      • TCP RST attacks can be very damaging!
        • Cause routing instabilities
        • Must use the TCP MD5 signature option (RFC 2385)
          • Or IPSEC, etc...
    • 27. BGP Limitations
      • BGP (Border Gateway Protocol) has all the issues of Distance Vector algorithms
      • New issues due to unsafe policies
        • Reference: “Policy Disputes in Path-Vector Protocols” Timothy G. Griffin, F. Bruce Shepherd, and Gordon Wilfong
      • Works well in practice
        • Popular
      • Quite vulnerable in theory
    • 28. Link State Protocols
      • Each router is responsible for meeting neighbors and learning their names
      • Each router constructs a packet called a Link State Advertisement (LSA)
      • List of neighbors
      • Cost of link
      • LSAs are reliably “flooded” to all routers; everyone gets the same consistent information, so there is no “counting to infinity” or memory.
      • Each router computes the best routes on its own -- no need to trust your neighbor’s calculations.
    • 29. OSPF: Open Shortest Path First
      • It’s an authenticated link state protocol (RFC 2328) running directly on top of IP (proto 89) and using multicasts instead of broadcasts
        • Alternative to RIP
      • Each node advertises only the information it knows first-hand (no hearsay)
      • Every node calculates the paths independently, requiring matching information from both sides of a link to validate it! A single rogue router can’t claim nonexistent links.
    • 30. "Fight Back" Phenomenon
      • Because LSAs (Link State Advertisements) are flooded, an LSA produced by a malicious router is sent to all
      • A router that knows better will respond and try to correct a tainted LSA
      • Malicious router has to keep attacking: “persistent” attack is needed
      • More costly to attacker, and less stealthy
      • Better route integrity
      • Real security requires cryptographic signatures
    • 31. Authentication in OSPF
      • Methods:
        • 1. Password (plain text), vulnerable to sniffers
        • 2. Keyed MD5 (a.k.a. HMAC-MD5)
          • K is a shared secret key (padded with zeros)
          • T is the message
          • H() is a hash function like MD5
          • F(K, T) is a function that pre-mixes T and K
          • Idea: along with the message, also send H(F(K,T)). Routers that know K can verify the integrity of T and authenticate the message.
          • See RFC 1828
          • Similar to TCP MD5 signature option (RFC 2385)
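As an added example, not from the slides or any router implementation, the scheme in Python: K is zero-padded to 16 octets and appended to the message T, MD5 is taken over the result (this is how the cryptographic authentication of RFC 2328, Appendix D, forms its digest; an RFC 2104 HMAC-MD5 is computed beside it to show it is a different construction), and a per-neighbor sequence number supplies the timeliness requirement from slide 6. The same pattern underlies the TCP MD5 option (RFC 2385) mentioned for BGP. The wire layout, the sample key and the strictly increasing sequence check are assumptions of the example.

```python
import hashlib
import hmac
import struct

KEY_LEN = 16      # OSPF cryptographic authentication: key is padded with zeros to 16 octets
DIGEST_LEN = 16   # MD5 output length

def pad_key(key):
    if len(key) > KEY_LEN:
        raise ValueError("key longer than 16 octets")
    return key.ljust(KEY_LEN, b"\x00")

def keyed_md5(key, message):
    """H(F(K, T)) with F(K, T) = T || K: the zero-padded key is appended to the
    packet and MD5 is run over the result, as OSPF (RFC 2328, Appendix D) does."""
    return hashlib.md5(message + pad_key(key)).digest()

def hmac_md5(key, message):
    """RFC 2104 HMAC-MD5: a different keyed construction, shown for contrast;
    its digest differs from keyed_md5() for the same key and message."""
    return hmac.new(key, message, hashlib.md5).digest()

def sign(key, seq, payload):
    """Wire format (assumed for this example): 4-byte cryptographic sequence
    number, payload, then the 16-byte digest over everything before it."""
    message = struct.pack("!I", seq) + payload
    return message + keyed_md5(key, message)

class Verifier:
    """Receiver side: check the digest first, then the per-neighbor sequence number.
    OSPF only requires a non-decreasing sequence number; this example demands a
    strictly increasing one so that an exact replay is rejected as well."""
    def __init__(self, key):
        self.key = key
        self.last_seq = {}

    def verify(self, neighbor, wire):
        if len(wire) < 4 + DIGEST_LEN:
            return False, "truncated"
        message, digest = wire[:-DIGEST_LEN], wire[-DIGEST_LEN:]
        # Constant-time compare: an early-exit compare leaks how much of the digest matched.
        if not hmac.compare_digest(digest, keyed_md5(self.key, message)):
            return False, "bad digest"
        seq = struct.unpack("!I", message[:4])[0]
        if seq <= self.last_seq.get(neighbor, -1):
            return False, "replayed or stale sequence number"
        self.last_seq[neighbor] = seq
        return True, message[4:]

if __name__ == "__main__":
    key = b"constructed-key"                 # sample shared secret, not a real one
    v = Verifier(key)
    packet = sign(key, 1, b"LSA: constructed sample")
    print(v.verify("router-1", packet))      # accepted
    print(v.verify("router-1", packet))      # same packet again: replay rejected
    print(Verifier(b"wrong").verify("router-1", packet))   # wrong key: bad digest
```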
    • 32. OSPF in IPSEC and IPv6
      • No authentication at the OSPF level
      • Uses IPSEC/IPv6 to provide security
      • Does not protect against the faulty intermediate router problem (FIRP)
        • Intermediate router is man-in-the-middle
          • MIM protection judged too expensive
        • Must ultimately rely on intrusion detection
    • 33. More on OSPF
      • RFC 2328
      • "Seven of Nine" Lectures On OSPF
        • http://routergod.com/sevenofnine/
    • 34. IGRP
      • Interior Gateway Routing Protocol
        • also used externally in practice
      • Cisco protocol (1980's)
      • Distance vector algorithm
      • Metric is weighted formula using internetwork delay, bandwidth, reliability, and load
      • Has a "holddown" period for keeping bad routes down and increasing routing information consistency
        • Useful for route stability and against race conditions between routing updates
    • 35. EIGRP
      • Enhanced IGRP (1990's)
      • Distance vector algorithm
      • Uses "Diffusing Update Algorithm (DUAL)" to prevent loops
        • State machine
        • Timers
        • More complex
    • 36. Question
      • Which is an advantage of link state protocols over distance vector algorithms?
        • a) Distance vector algorithms can’t verify the results of calculations presented to them by other routers
        • b) Link state protocols are less complex
        • c) Link state protocols count to infinity faster than distance vector algorithms
        • d) Link state protocols are authenticated
    • 37. Question
      • Which is an advantage of link state protocols over distance vector algorithms?
        • a) Distance vector algorithms can’t verify the results of calculations presented to them by other routers
        • b) Link state protocols are less complex
        • c) Link state protocols count to infinity faster than distance vector algorithms
        • d) Link state protocols are authenticated
        • They are not authenticated by definition
          • OSPF relies on IPSEC/IPv6
    • 38. Question
      • If a router is “lying” (i.e., giving incorrect information) is it easier to find which router is doing so with:
      • a) BGP
      • b) OSPF
      • c) RIP
    • 39. Question
      • If a router is “lying” (i.e., giving incorrect information) is it easier to find which router is doing so with:
      • a) BGP
      • b) OSPF
      • c) RIP
    • 40. Question
      • The goal of authentication in routing protocols is primarily to guarantee which one of these?
        • a) Confidentiality
        • b) Integrity
        • c) Auditability
        • d) Privacy
    • 41. Question
      • The goal of authentication in routing protocols is primarily to guarantee which one of these?
        • a) Confidentiality
        • b) Integrity
        • c) Auditability
        • d) Privacy
    • 42. Discussion
      • Which routing protocol, if any (static routes are also a choice) would you use in:
      • a) A company network with a few subnets
        • What if you wish to provide visitors with internet access?
      • b) In the routers between engineering and company networks
      • c) In an ISP
    • 43. Discussion
      • Which routing protocol, if any (static routes are also a choice) would you use in:
      • a) A company network with a few subnets
        • Static routes
      • b) In the routers between engineering and company networks
        • Routing firewalls
      • c) In an ISP
        • OSPF (and BGP to communicate with upstream internet routers)
    • 44. Mini-Lab
      • The class will design a set of policies for a routing firewall
        • Instructor will write them on whiteboard
          • Define needed functionality
            • Without needed functionality, firewall could just block everything
            • e.g., Web server on other side of firewall
              • Outbound DNS, ssh, ftp (or other update mechanism)
              • Inbound ssh, http, https
          • Define security requirements
            • Which threats do we want to counter?
          • Define network topology
            • e.g., the server behind the firewall is on a separate physical segment
          • Define policies for each network layer
            • ARP, ICMP, etc...
    • 45. Mini-Lab
      • Implement the rules
        • Instructor must decide on which firewall to use and have it ready before this step
          • e.g., SGS appliance
          • Firewall already setup and ready to go
            • If iptables, need setup instructions
      • Setup and run a packet sniffer to verify the effectiveness of rules
      • Bonus activity:
        • Try to break through the firewall
          • e.g., using Firewalk (see http://www.packetfactory.net/Projects/firewalk/)
    • 46. Questions or Comments?
    • 47. About These Slides
      • You are free to copy, distribute, display, and perform the work; and to make derivative works, under the following conditions.
        • You must give the original author and other contributors credit
        • The work will be used for personal or non-commercial educational uses only, and not for commercial activities and purposes
        • For any reuse or distribution, you must make clear to others the terms of use for this work
        • Derivative works must retain and be subject to the same conditions, and contain a note identifying the new contributor(s) and date of modification
        • For other uses please contact the Purdue Office of Technology Commercialization.
      • Developed thanks to the support of Symantec Corporation
    • 48. Pascal Meunier [email_address]
      • Contributors:
      • Jared Robinson, Alan Krassowski, Craig Ozancin, Tim Brown, Wes Higaki, Melissa Dark, Chris Clifton, Gustavo Rodriguez-Rivera
