SlideShare a Scribd company logo

PLNOG 9: Piotr Wojciechowski - Multicast Security

PROIDEA
PROIDEA

The document discusses several approaches for securing multicast networks and traffic. It begins by outlining main security issues like unauthorized access, modification of traffic, and denial of service attacks. It then describes techniques for securing the edge of the multicast network, including filtering PIM messages, preventing RP mapping, using multicast boundaries, and passive interfaces. Additional methods covered include filtering multicast groups, using access control lists (ACLs) on trusted senders and receivers, and securing the rendezvous point (RP).

1 of 49
Download to read offline
MULTICAST SECURITY Piotr Wojciechowski (CCIE #25543)
ABOUT ME ¢  Senior Network Engineer MSO at VeriFone Inc. ¢  Previously Network Solutions Architect at one of top polish IT integrators ¢  CCIE #25543 (Routing & Switching) ¢  Blogger – http://ccieplayground.wordpress.com ¢  Administrator of CCIE.PL board —  The biggest Cisco community in Europe —  Over 6100 users —  3 admin, 7 moderators —  48 polish CCIEs as members, 20 of them actively posting —  About 150 new topics per month —  About 1000 posts per month —  English section available!
AGENDA ¢  Main security issues ¢  Securing the edge of multicast network ¢  Trusted and secure sender/receiver ¢  Dense Mode Fallback problems ¢  Tunneled multicasts ¢  Admission control
MAIN SECURITY ISSUES
MAIN SECURITY ISSUES ¢  Why to control? —  Access control – permit specified sources/destinations —  Policies —  Admission – can we transport multicast? ¢  Where to deploy security? —  Local router/switch —  policy-server
MAIN SECURITY ISSUES ¢  What we have to protect? —  Content and services —  Device control-plane —  Data plane protection – saturation of network links ¢  How we can protect? —  Packet filtering —  Registration filtering —  State creation —  Encryption
MAIN SECURITY ISSUES ¢  Threat overview —  Threats against confidentiality ¢  Must multicast applications does not encrypt data – traffic can be eavesdropped —  Threats against traffic integrity ¢  Without application-level security or network-based security multicast traffic is open to being modified in transit —  Threats against network integrity ¢  Unauthorized senders, receivers, or compromised network elements can access the multicast network, send and receive traffic without authorization or overload network resources. —  Threats against availability ¢  There are a number of denial of service attack possibilities that can make resources unavailable to legitimate users
MAIN SECURITY ISSUES ¢  Threats from the sender side —  Layer 2 attacks – not multicast specific but still dangerous —  Masquerading – sender can pretend to be another sender (ie. Source IP Spoofing) —  Theft of service – without proper control it is possible to use the multicast service illegitimately from the sender side
MAIN SECURITY ISSUES ¢  Threats from the sender side —  Attacks with multicast traffic ¢  Network saturation ¢  Multicast state attack – to many states created on router ¢  Attempt to become PIM DF on LAN segment ¢  Fake RP announcement to disrupt PIM-SM/BiDir service – spoofing AutoRP or BSR ¢  Unauthorized sender ¢  Attacks against control-plane using multicast traffic (ie. OSPF multicast traffic)
MAIN SECURITY ISSUES ¢  Threats from the receiver side —  Similar attacks as for sender side —  Layer2 attacks —  Masquerading and thief of data —  Attack vector usually an IGMP
MAIN SECURITY ISSUES ¢  Threats against a Rendezvous Point and BSR —  PIM-SM RP and PIM-BSRs are critical points in multicast network —  Vulnerable to all forms of attacks described before —  Additionally: ¢  PIM Unicast attacks with source IP Spoofing ¢  DoS attacks by sending PIM Register and PIM Register-stop messages
SECURING MULTICAST EDGE
SECURING MULTICAST EDGE ¢  Multicast PIM Control Packets: —  Hello, Join/Prune, Assert etc. —  All messages are link-local (TTL=1) —  Destination All-PIM-Routers (224.0.0.13) —  Attack must originate on the same subnet ¢  Unicast PIM Control Packets: —  Register, Register-Stop, C-RP-Advertisement —  Attacks can originate from anywhere
SECURING MULTICAST EDGE FILTERING PIM MESSAGES ¢  Filter all PIM packets from untrusted sources —  Router must receive PIM Hellos to establish relation —  PIM packets can be filtered —  It’s not spoofing-proof  
SECURING MULTICAST EDGE FILTERING PIM MESSAGES ¢  Filter all PIM packets from untrusted sources   interface  Ethernet0/0    ip  address  10.0.12.1  255.255.255.0    ip  pim  neighbor-­‐filter  PIM-­‐FILTER   !   ip  access-­‐list  standard  PIM-­‐FILTER    permit  10.0.0.1  
SECURING MULTICAST EDGE PREVENT RP MAPPING ¢  RP Announce Filter —  Configure it on Mapping Agent —  Specify which IP addresses are accepted as RP Candidates for which groups. ip  pim  rp-­‐announce-­‐filter  rp-­‐list  RP  group-­‐list  MGROUPS   !   ip  access-­‐list  standard  MGROUPS    permit  224.0.0.0  15.255.255.255   ip  access-­‐list  standard  RP    permit  10.0.0.2    permit  10.0.0.3   For what groups MA should accept C-RP List of allowed C-RP’s
SECURING MULTICAST EDGE MULTICAST NETWORK BOUNDARY ¢  Multicast boundary —  Administratively scoped boundary on an interface in order to filter source traffic coming into the interface —  Prevent mroute states from being created on the interface —  Enables reuse of the same multicast group address in different administrative domains —  Filter data and control plane traffic including IGMP, PIM, and Auto-RP messages. PIM Register messages are sent using unicast and will not be filtered.
SECURING MULTICAST EDGE MULTICAST NETWORK BOUNDARY ¢  Multicast boundary —  AutoRP Filtering
SECURING MULTICAST EDGE MULTICAST NETWORK BOUNDARY ¢  BSR Border —  BSR message filtering applied to interface —  Protects from both sending and receiving BSR messages —  Does not set up multicast boundary
SECURING MULTICAST EDGE PIM PASSIVE ¢  PIM Passive Interface —  No PIM messages are sent or received —  Router does not join to 224.0.0.13 —  No AutoRP or BSR messages are sent —  Unicast PIM Packets unaffected —  Configure only on non-redundant segments! interface  Ethernet0/0    ip  address  10.0.12.1  255.255.255.0    ip  pim  passive  
SECURING MULTICAST EDGE MULTICAST GROUP FILTERING ¢  Multicast groups filtering —  New and nice way to filter all multicast traffic for particular groups —  Introduced in IOS 12.2(33)SXI, 12.2(33)SRE, 15.0(1)M; IOS XR 2.6 —  Disables multicast protocol actions and traffic forwarding for unauthorized groups or channels for all interfaces on the router —  No IGMP/MLD cache entries, PIM, MRIB/MFIB state are ever created for these group ranges and all data packets are immediately dropped
SECURING MULTICAST EDGE MULTICAST GROUP FILTERING ¢  Multicast groups filtering —  VRF aware —  Access-list that defines the multicast groups or channels to be permitted or denied globally ¢  Standard ACL for groups ¢  Extended ACL for (S,G) —  AutoRP have to be explicitly permitted, otherwise it would be filtered ip  multicast  group-­‐range  1     !   access-­‐list  1  permit  224.0.1.39  0.0.0.0     access-­‐list  1  permit  224.0.1.40  0.0.0.0     access-­‐list  1  permit  239.0.0.0  0.255.255.255    
TRUSTED AND SECURE SENDER/RECEIVER
TRUSTED AND SECURE SENDER/RECEIVER ACL ON THE EDGE ¢  Many multicast security issues originating at the sender can be mitigated with appropriate unicast security mechanisms —  Source address spoofing protection (uRPF and ACL with IP Source Guard for the access layer) —  Infrastructure ACL interface  GigabitEthernet0/0    ip  access-­‐group  permit_mcast     ip  access-­‐list  extended  permit_mcast    permit  10.0.0.0  0.0.0.255  239.0.0.0  0.127.255.255    deny  ip  any  224.0.0.0  15.255.255.255  log    permit  ip  any  any  
TRUSTED AND SECURE SENDER/RECEIVER ACL ON THE EDGE ¢  Advantages of ACLs: —  Done in hardware on most platforms —  Filters before multicast routing occurs so no states are created if denied —  Best for ingress filtering —  Search documentation for best practice examples
TRUSTED AND SECURE SENDER/RECEIVER ACL ON THE EDGE ip  access-­‐list  extended  igmp-­‐control    …      deny  igmp  any  any  pim              !  No  PIMv1      deny  igmp  any  any  dvmrp              !  No  DVMRP  packets      deny  igmp  any  any  host-­‐query                  !  Do  not  use  this  command  with  redundant  routers.                    !  In  that  case  this  packet  type  is  required              permit  igmp  any  host  224.0.0.22            !  IGMPv3  membership  reports      permit  igmp  any  any  14              !  Mtrace  responses      permit  igmp  any  any  15              !  Mtrace  queries      permit  igmp  any  224.0.0.0  15.255.255.255  host-­‐query        !  IGMPv1/v2/v3  queries      permit  igmp  any  224.0.0.0  15.255.255.255  host-­‐report      !  IGMPv1/v2  reports    permit  igmp  any  224.0.0.0  15.255.255.255  7                          !  IGMPv2  leave  messages    deny  igmp  any  any                !  Implicitly  deny  unicast  IGMP  here!     …     permit  ip  any  any                !  Permit  other  packets       interface  ethernet  0      ip  access-­‐group  igmp-­‐control  in    
TRUSTED AND SECURE SENDER/RECEIVER ACL ON THE EDGE ¢  IGMP Filtering —  Controls entries into IGMP cache —  Extended ACL – you know how to do it!
TRUSTED AND SECURE SENDER/RECEIVER SOURCE CONTROL ¢  Rendezvous Point gives a single point of control for all sources in the network for any group range in ASM and PIM-SM networks ¢  (S,G) is not created on RP but still is on FHR ¢  It’s control-plane – possibility to DDoS RP. ¢  Works best with other edge filtering methods
TRUSTED AND SECURE SENDER/RECEIVER SECURING RECEIVER ¢  Control IGMP on receiver side —  IGMP is enabled by default if multicasts are enabled —  IGMP carries protocols – PIMv1, Mrinfo, DVMRP, Mtrace —  Unicast IGMP should always be filtered – those are used in special situations like unidirectional links —  If single IGMP querier is present on non-redundant segment then IGMP queries should be dropped
TRUSTED AND SECURE SENDER/RECEIVER SECURING RECEIVER ¢  Restrict which multicast sources receiver can join —  For ASM filter basing on destination address —  For SSM using IGMPv3 filter basing on source and destination address
DENSE MODE FALLBACK PROBLEMS
DENSE MODE FALLBACK PROBLEMS ¢  Dense Mode Fallback occurs when RP information is lost —  PIM determines whether a multicast group operates in PIM-DM or PIM sparse-dense mode based solely on the existence of RP information in the group-to-RP mapping cache ¢  It’s event, when PIM mode falling back from sparse mode to dense mode —  Dense mode flooding occurs
DENSE MODE FALLBACK PROBLEMS ¢  Dense Mode Fallback Prevention provides a method for: —  Preventing Dense Mode Fallback —  Blocking multicast traffic for groups not specifically configured (there is no RP for the group) ¢  By default Dense Mode Fallback is enabled —  Except when all interfaces are configured in PIM Sparse Mode (not PIM Sparse-Dense Mode)
DENSE MODE FALLBACK PROBLEMS ip  multicast-­‐routing     ip  pim  send-­‐rp-­‐announce  ethernet  0  scope  16  group-­‐list  1       ip  pim  rp-­‐address  10.8.0.20  1       no  ip  pim  dm-­‐fallback     !   interface  ethernet  0/0      ip  pim  sparse-­‐dense-­‐mode    
ADMISSION CONTROL
ADMISSION CONTROL ¢  Control-plane protection ¢  Resource allocation ¢  Bandwidth protection from congestion ¢  Content-based policies ¢  Subscriber-based policies
ADMISSION CONTROL ¢  Limiting number of multicast routes in mroute table —  No new entries created after reaching limit —  Syslog warning beyond threshold point —  vrf-aware  
ADMISSION CONTROL ¢  Limiting mroute state for PIM and IGMP per interface ¢  Egress admission control
ADMISSION CONTROL ¢  Limiting mroute state for PIM and IGMP per interface ¢  Egress admission control ¢  Ingress admission control
ADMISSION CONTROL ¢  Limit the number of IGMP groups joined both globally and per interface ip  igmp  limit  100   ¢  Exceptions can be defined by ACL ip  igmp  limit  100  except  MCAST-­‐GRP   !   ip  access-­‐list  extended  MCAST-­‐GRP    permit  ip  any  host  239.255.255.254    deny  ip  any  any  
ADMISSION CONTROL
TUNNELED MULTICAST
TUNNELLED MULTICAST ¢  IPSec point-to-point tunnel interfaces since late 12.3T permits to encrypt multicast traffic ¢  Multicast for GET VPN since 12.4(6)T —  Including control-plane security ¢  Manual key distribution or RFC3547 GDOI (Group Domain of Interpretation)
TUNNELLED MULTICAST ¢  GDOI Implementation —  Group members register with the key server – IPsec policy and keys that are necessary for encrypt and decrypt IP Multicast packets are distributed —  Group members exchange IP Multicast packets that are encrypted using IPSec —  As needed, the key server pushes a rekey message to the group members
TUNNELLED MULTICAST ¢  GDOI with DMVPN
TUNNELLED MULTICAST ¢  GDOI – few facts: —  It’s not IKE! —  Uses UDP port 848 —  Not negotiated – server push keys and policies —  No keepalives
TUNNELLED MULTICAST ¢  Secure PIM control traffic —  Encrypt and Authenticate PIM Packets —  Crypt map for 224.0.0.13 (PIM Control Messages) except of PIM Register which is unicast – require additional protection —  Hop-by-hop encryption —  Not all combinations of hash+security+encryption works for multicast traffic! —  Recommended mode is transport with manual keys
QUESTIONS?
THANK YOU

Recommended

InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
Omer Coskun
 
Understanding and Preventing Layer 2 Attacks
Understanding and Preventing Layer 2 AttacksUnderstanding and Preventing Layer 2 Attacks
Understanding and Preventing Layer 2 Attacks
Tien Dung
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchange
P1Security
 
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisHacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
P1Security
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacks
dkaya
 
Chapter10ccna
Chapter10ccnaChapter10ccna
Chapter10ccna
Lakshan Perera
 
Preventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP addressPreventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP address
Bangladesh Network Operators Group
 
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacksNSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NoSuchCon
 

Recommended

InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
Omer Coskun
 
Understanding and Preventing Layer 2 Attacks
Understanding and Preventing Layer 2 AttacksUnderstanding and Preventing Layer 2 Attacks
Understanding and Preventing Layer 2 Attacks
Tien Dung
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchange
P1Security
 
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent GhigonisHacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
Hacking Telco equipment: The HLR/HSS, by Laurent Ghigonis
P1Security
 
Mitigating Layer2 Attacks
Mitigating Layer2 AttacksMitigating Layer2 Attacks
Mitigating Layer2 Attacks
dkaya
 
Chapter10ccna
Chapter10ccnaChapter10ccna
Chapter10ccna
Lakshan Perera
 
Preventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP addressPreventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP address
Bangladesh Network Operators Group
 
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacksNSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NSC #2 - D3 04 - Guillaume Valadon & Nicolas Vivet - Detecting BGP hijacks
NoSuchCon
 
Make the internet safe with DNS Firewall
Make the internet safe with DNS FirewallMake the internet safe with DNS Firewall
Make the internet safe with DNS Firewall
Bangladesh Network Operators Group
 
VYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edgeVYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edge
Faelix Ltd
 
Cohesive Networks Support Docs: VNS3 Setup for Juniper
Cohesive Networks Support Docs: VNS3 Setup for JuniperCohesive Networks Support Docs: VNS3 Setup for Juniper
Cohesive Networks Support Docs: VNS3 Setup for Juniper
Cohesive Networks
 
SELTA Access Network Portfolio
SELTA Access Network PortfolioSELTA Access Network Portfolio
SELTA Access Network Portfolio
SELTA
 
Network Security - Layer 2
Network Security - Layer 2Network Security - Layer 2
Network Security - Layer 2
samis
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
guestd05b31
 
ACIT - CCNA Training Course Topic - Switch Stp ACIT
ACIT - CCNA Training Course Topic - Switch Stp ACITACIT - CCNA Training Course Topic - Switch Stp ACIT
ACIT - CCNA Training Course Topic - Switch Stp ACIT
Sleek International
 
Router security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summaryRouter security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summary
moonmanik
 
Chapter10ccna
Chapter10ccnaChapter10ccna
Chapter10ccna
robertoxe
 
Network security
Network securityNetwork security
Network security
Telematika Open Session
 
How to prevent ssh-tunneling using Palo Alto Networks NGFW
How to prevent ssh-tunneling using Palo Alto Networks NGFWHow to prevent ssh-tunneling using Palo Alto Networks NGFW
How to prevent ssh-tunneling using Palo Alto Networks NGFW
Yudi Arijanto
 
Hacking a Professional Drone
Hacking a Professional DroneHacking a Professional Drone
Hacking a Professional Drone
Priyanka Aash
 
보안위협 관리통제
보안위협 관리통제보안위협 관리통제
보안위협 관리통제
Munkyeonggu
 
Netmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing Security
Netmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing SecurityNetmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing Security
Netmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing Security
Faelix Ltd
 
PLNOG15: VidMon - monitoring video signal quality in Service Provider IP netw...
PLNOG15: VidMon - monitoring video signal quality in Service Provider IP netw...PLNOG15: VidMon - monitoring video signal quality in Service Provider IP netw...
PLNOG15: VidMon - monitoring video signal quality in Service Provider IP netw...
PROIDEA
 
Secured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRRSecured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRR
Bangladesh Network Operators Group
 
Kenwood Catalogue
Kenwood CatalogueKenwood Catalogue
Kenwood Catalogue
Kentua Kayode
 
Simplifying your network management using software tools
Simplifying your network management using software toolsSimplifying your network management using software tools
Simplifying your network management using software tools
Westermo Network Technologies
 
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Sumutiu Marius
 
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Jiunn-Jer Sun
 
Hacking Cisco Networks and Countermeasures
Hacking Cisco Networks and CountermeasuresHacking Cisco Networks and Countermeasures
Hacking Cisco Networks and Countermeasures
dkaya
 
ACI Multicast 구성 가이드
ACI Multicast 구성 가이드ACI Multicast 구성 가이드
ACI Multicast 구성 가이드
Woo Hyung Choi
 

More Related Content

What's hot

Make the internet safe with DNS Firewall
Make the internet safe with DNS FirewallMake the internet safe with DNS Firewall
Make the internet safe with DNS Firewall
Bangladesh Network Operators Group
 
VYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edgeVYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edge
Faelix Ltd
 
Cohesive Networks Support Docs: VNS3 Setup for Juniper
Cohesive Networks Support Docs: VNS3 Setup for JuniperCohesive Networks Support Docs: VNS3 Setup for Juniper
Cohesive Networks Support Docs: VNS3 Setup for Juniper
Cohesive Networks
 
SELTA Access Network Portfolio
SELTA Access Network PortfolioSELTA Access Network Portfolio
SELTA Access Network Portfolio
SELTA
 
Network Security - Layer 2
Network Security - Layer 2Network Security - Layer 2
Network Security - Layer 2
samis
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
guestd05b31
 
ACIT - CCNA Training Course Topic - Switch Stp ACIT
ACIT - CCNA Training Course Topic - Switch Stp ACITACIT - CCNA Training Course Topic - Switch Stp ACIT
ACIT - CCNA Training Course Topic - Switch Stp ACIT
Sleek International
 
Router security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summaryRouter security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summary
moonmanik
 
Chapter10ccna
Chapter10ccnaChapter10ccna
Chapter10ccna
robertoxe
 
Network security
Network securityNetwork security
Network security
Telematika Open Session
 
How to prevent ssh-tunneling using Palo Alto Networks NGFW
How to prevent ssh-tunneling using Palo Alto Networks NGFWHow to prevent ssh-tunneling using Palo Alto Networks NGFW
How to prevent ssh-tunneling using Palo Alto Networks NGFW
Yudi Arijanto
 
Hacking a Professional Drone
Hacking a Professional DroneHacking a Professional Drone
Hacking a Professional Drone
Priyanka Aash
 
보안위협 관리통제
보안위협 관리통제보안위협 관리통제
보안위협 관리통제
Munkyeonggu
 
Netmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing Security
Netmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing SecurityNetmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing Security
Netmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing Security
Faelix Ltd
 
PLNOG15: VidMon - monitoring video signal quality in Service Provider IP netw...
PLNOG15: VidMon - monitoring video signal quality in Service Provider IP netw...PLNOG15: VidMon - monitoring video signal quality in Service Provider IP netw...
PLNOG15: VidMon - monitoring video signal quality in Service Provider IP netw...
PROIDEA
 
Secured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRRSecured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRR
Bangladesh Network Operators Group
 
Kenwood Catalogue
Kenwood CatalogueKenwood Catalogue
Kenwood Catalogue
Kentua Kayode
 
Simplifying your network management using software tools
Simplifying your network management using software toolsSimplifying your network management using software tools
Simplifying your network management using software tools
Westermo Network Technologies
 
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Sumutiu Marius
 
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Jiunn-Jer Sun
 

What's hot (20)

Make the internet safe with DNS Firewall
Make the internet safe with DNS FirewallMake the internet safe with DNS Firewall
Make the internet safe with DNS Firewall
 
VYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edgeVYOS & RPKI at the BGP as edge
VYOS & RPKI at the BGP as edge
 
Cohesive Networks Support Docs: VNS3 Setup for Juniper
Cohesive Networks Support Docs: VNS3 Setup for JuniperCohesive Networks Support Docs: VNS3 Setup for Juniper
Cohesive Networks Support Docs: VNS3 Setup for Juniper
 
SELTA Access Network Portfolio
SELTA Access Network PortfolioSELTA Access Network Portfolio
SELTA Access Network Portfolio
 
Network Security - Layer 2
Network Security - Layer 2Network Security - Layer 2
Network Security - Layer 2
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
 
ACIT - CCNA Training Course Topic - Switch Stp ACIT
ACIT - CCNA Training Course Topic - Switch Stp ACITACIT - CCNA Training Course Topic - Switch Stp ACIT
ACIT - CCNA Training Course Topic - Switch Stp ACIT
 
Router security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summaryRouter security-configuration-guide-executive-summary
Router security-configuration-guide-executive-summary
 
Chapter10ccna
Chapter10ccnaChapter10ccna
Chapter10ccna
 
Network security
Network securityNetwork security
Network security
 
How to prevent ssh-tunneling using Palo Alto Networks NGFW
How to prevent ssh-tunneling using Palo Alto Networks NGFWHow to prevent ssh-tunneling using Palo Alto Networks NGFW
How to prevent ssh-tunneling using Palo Alto Networks NGFW
 
Hacking a Professional Drone
Hacking a Professional DroneHacking a Professional Drone
Hacking a Professional Drone
 
보안위협 관리통제
보안위협 관리통제보안위협 관리통제
보안위협 관리통제
 
Netmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing Security
Netmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing SecurityNetmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing Security
Netmcr 40 - Salt + Netbox + Vyos = Network Automation + Routing Security
 
PLNOG15: VidMon - monitoring video signal quality in Service Provider IP netw...
PLNOG15: VidMon - monitoring video signal quality in Service Provider IP netw...PLNOG15: VidMon - monitoring video signal quality in Service Provider IP netw...
PLNOG15: VidMon - monitoring video signal quality in Service Provider IP netw...
 
Secured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRRSecured Internet Gateway for ISP with pfsense & FRR
Secured Internet Gateway for ISP with pfsense & FRR
 
Kenwood Catalogue
Kenwood CatalogueKenwood Catalogue
Kenwood Catalogue
 
Simplifying your network management using software tools
Simplifying your network management using software toolsSimplifying your network management using software tools
Simplifying your network management using software tools
 
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
Hacking Layer 2 - Enthernet Switcher Hacking Countermeasures.
 
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
 

Similar to PLNOG 9: Piotr Wojciechowski - Multicast Security

Hacking Cisco Networks and Countermeasures
Hacking Cisco Networks and CountermeasuresHacking Cisco Networks and Countermeasures
Hacking Cisco Networks and Countermeasures
dkaya
 
ACI Multicast 구성 가이드
ACI Multicast 구성 가이드ACI Multicast 구성 가이드
ACI Multicast 구성 가이드
Woo Hyung Choi
 
Participant Access Control in IP Multicasting
Participant Access Control in IP Multicasting Participant Access Control in IP Multicasting
Participant Access Control in IP Multicasting
Bangladesh Network Operators Group
 
Catalyst Smart Operations : Simplify Your Network
Catalyst Smart Operations : Simplify Your NetworkCatalyst Smart Operations : Simplify Your Network
Catalyst Smart Operations : Simplify Your Network
Cisco Russia
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Cisco Russia
 
Switch and Router Security Testing
Switch and Router Security TestingSwitch and Router Security Testing
Switch and Router Security Testing
Conferencias FIST
 
PLNOG14: Czy można żyć bez systemu ochrony przed atakami DDoS - Marek Janik
PLNOG14: Czy można żyć bez systemu ochrony przed atakami DDoS - Marek JanikPLNOG14: Czy można żyć bez systemu ochrony przed atakami DDoS - Marek Janik
PLNOG14: Czy można żyć bez systemu ochrony przed atakami DDoS - Marek Janik
PROIDEA
 
Lec21 22
Lec21 22Lec21 22
Lec21 22
namish_maheshwari
 
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginTakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
EC-Council
 
CCNA
CCNACCNA
CCNA
Abhishek Parihari
 
Firewall
FirewallFirewall
Firewall
Manikyala Rao
 
Marrion Kujinga ; Firewalls
Marrion Kujinga ; FirewallsMarrion Kujinga ; Firewalls
Marrion Kujinga ; Firewalls
Marrion Kujinga
 
Chapter10ccna
Chapter10ccnaChapter10ccna
Chapter10ccna
ernestlithur
 
6.Routing
6.Routing6.Routing
6.Routing
phanleson
 
Firewall arch by Tareq Hanaysha
Firewall arch by Tareq HanayshaFirewall arch by Tareq Hanaysha
Firewall arch by Tareq Hanaysha
Hanaysha
 
Giai phap bao mat - so sanh switch bao mat cua HDN va switch cua Cisco
Giai phap bao mat - so sanh switch bao mat cua HDN va switch cua CiscoGiai phap bao mat - so sanh switch bao mat cua HDN va switch cua Cisco
Giai phap bao mat - so sanh switch bao mat cua HDN va switch cua Cisco
Tran Thanh Song
 
Firewalls
FirewallsFirewalls
Firewalls
hemantag
 
Defcon 16-pilosov-kapela
Defcon 16-pilosov-kapelaDefcon 16-pilosov-kapela
Defcon 16-pilosov-kapela
Hai Nguyen
 
Voice Over IP Overview w/Secuirty
Voice Over IP Overview w/SecuirtyVoice Over IP Overview w/Secuirty
Voice Over IP Overview w/Secuirty
Christopher Duffy
 
PLNOG16: Bezpieczeństwo w sieci operatora, Sebastian Pasternacki
PLNOG16: Bezpieczeństwo w sieci operatora, Sebastian PasternackiPLNOG16: Bezpieczeństwo w sieci operatora, Sebastian Pasternacki
PLNOG16: Bezpieczeństwo w sieci operatora, Sebastian Pasternacki
PROIDEA
 

Similar to PLNOG 9: Piotr Wojciechowski - Multicast Security (20)

Hacking Cisco Networks and Countermeasures
Hacking Cisco Networks and CountermeasuresHacking Cisco Networks and Countermeasures
Hacking Cisco Networks and Countermeasures
 
ACI Multicast 구성 가이드
ACI Multicast 구성 가이드ACI Multicast 구성 가이드
ACI Multicast 구성 가이드
 
Participant Access Control in IP Multicasting
Participant Access Control in IP Multicasting Participant Access Control in IP Multicasting
Participant Access Control in IP Multicasting
 
Catalyst Smart Operations : Simplify Your Network
Catalyst Smart Operations : Simplify Your NetworkCatalyst Smart Operations : Simplify Your Network
Catalyst Smart Operations : Simplify Your Network
 
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpecОбеспечение безопасности сети оператора связи с помощью BGP FlowSpec
Обеспечение безопасности сети оператора связи с помощью BGP FlowSpec
 
Switch and Router Security Testing
Switch and Router Security TestingSwitch and Router Security Testing
Switch and Router Security Testing
 
PLNOG14: Czy można żyć bez systemu ochrony przed atakami DDoS - Marek Janik
PLNOG14: Czy można żyć bez systemu ochrony przed atakami DDoS - Marek JanikPLNOG14: Czy można żyć bez systemu ochrony przed atakami DDoS - Marek Janik
PLNOG14: Czy można żyć bez systemu ochrony przed atakami DDoS - Marek Janik
 
Lec21 22
Lec21 22Lec21 22
Lec21 22
 
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul CogginTakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
 
CCNA
CCNACCNA
CCNA
 
Firewall
FirewallFirewall
Firewall
 
Marrion Kujinga ; Firewalls
Marrion Kujinga ; FirewallsMarrion Kujinga ; Firewalls
Marrion Kujinga ; Firewalls
 
Chapter10ccna
Chapter10ccnaChapter10ccna
Chapter10ccna
 
6.Routing
6.Routing6.Routing
6.Routing
 
Firewall arch by Tareq Hanaysha
Firewall arch by Tareq HanayshaFirewall arch by Tareq Hanaysha
Firewall arch by Tareq Hanaysha
 
Giai phap bao mat - so sanh switch bao mat cua HDN va switch cua Cisco
Giai phap bao mat - so sanh switch bao mat cua HDN va switch cua CiscoGiai phap bao mat - so sanh switch bao mat cua HDN va switch cua Cisco
Giai phap bao mat - so sanh switch bao mat cua HDN va switch cua Cisco
 
Firewalls
FirewallsFirewalls
Firewalls
 
Defcon 16-pilosov-kapela
Defcon 16-pilosov-kapelaDefcon 16-pilosov-kapela
Defcon 16-pilosov-kapela
 
Voice Over IP Overview w/Secuirty
Voice Over IP Overview w/SecuirtyVoice Over IP Overview w/Secuirty
Voice Over IP Overview w/Secuirty
 
PLNOG16: Bezpieczeństwo w sieci operatora, Sebastian Pasternacki
PLNOG16: Bezpieczeństwo w sieci operatora, Sebastian PasternackiPLNOG16: Bezpieczeństwo w sieci operatora, Sebastian Pasternacki
PLNOG16: Bezpieczeństwo w sieci operatora, Sebastian Pasternacki
 

Recently uploaded

Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
Dutch Power
 
Competition and Regulation in Professions and Occupations – ROBSON – June 202...
Competition and Regulation in Professions and Occupations – ROBSON – June 202...Competition and Regulation in Professions and Occupations – ROBSON – June 202...
Competition and Regulation in Professions and Occupations – ROBSON – June 202...
OECD Directorate for Financial and Enterprise Affairs
 
Gregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptxGregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptx
gharris9
 
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
gpww3sf4
 
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
OECD Directorate for Financial and Enterprise Affairs
 
Mẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPoint
Mẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPointMẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPoint
Mẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPoint
1990 Media
 
Gregory Harris - Cycle 2 - Civics Presentation
Gregory Harris - Cycle 2 - Civics PresentationGregory Harris - Cycle 2 - Civics Presentation
Gregory Harris - Cycle 2 - Civics Presentation
gharris9
 
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
OECD Directorate for Financial and Enterprise Affairs
 
Carrer goals.pptx and their importance in real life
Carrer goals.pptx and their importance in real lifeCarrer goals.pptx and their importance in real life
Carrer goals.pptx and their importance in real life
artemacademy2
 
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie Wells
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie WellsCollapsing Narratives: Exploring Non-Linearity • a micro report by Rosie Wells
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie Wells
Rosie Wells
 
Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024
Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024
Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024
Dutch Power
 
XP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to LeadershipXP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to Leadership
samililja
 
ASONAM2023_presection_slide_track-recommendation.pdf
ASONAM2023_presection_slide_track-recommendation.pdfASONAM2023_presection_slide_track-recommendation.pdf
ASONAM2023_presection_slide_track-recommendation.pdf
ToshihiroIto4
 
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
SkillCertProExams
 
Artificial Intelligence, Data and Competition – OECD – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – OECD – June 2024 OECD discussionArtificial Intelligence, Data and Competition – OECD – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – OECD – June 2024 OECD discussion
OECD Directorate for Financial and Enterprise Affairs
 
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
OECD Directorate for Financial and Enterprise Affairs
 
2024-05-30_meetup_devops_aix-marseille.pdf
2024-05-30_meetup_devops_aix-marseille.pdf2024-05-30_meetup_devops_aix-marseille.pdf
2024-05-30_meetup_devops_aix-marseille.pdf
Frederic Leger
 
Tom tresser burning issue.pptx My Burning issue
Tom tresser burning issue.pptx My Burning issueTom tresser burning issue.pptx My Burning issue
Tom tresser burning issue.pptx My Burning issue
amekonnen
 
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...
Suzanne Lagerweij
 
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussion
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussionPro-competitive Industrial Policy – OECD – June 2024 OECD discussion
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussion
OECD Directorate for Financial and Enterprise Affairs
 

Recently uploaded (20)

Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
Presentatie 4. Jochen Cremer - TU Delft 28 mei 2024
 
Competition and Regulation in Professions and Occupations – ROBSON – June 202...
Competition and Regulation in Professions and Occupations – ROBSON – June 202...Competition and Regulation in Professions and Occupations – ROBSON – June 202...
Competition and Regulation in Professions and Occupations – ROBSON – June 202...
 
Gregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptxGregory Harris' Civics Presentation.pptx
Gregory Harris' Civics Presentation.pptx
 
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
原版制作贝德福特大学毕业证(bedfordhire毕业证)硕士文凭原版一模一样
 
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
Artificial Intelligence, Data and Competition – SCHREPEL – June 2024 OECD dis...
 
Mẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPoint
Mẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPointMẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPoint
Mẫu PPT kế hoạch làm việc sáng tạo cho nửa cuối năm PowerPoint
 
Gregory Harris - Cycle 2 - Civics Presentation
Gregory Harris - Cycle 2 - Civics PresentationGregory Harris - Cycle 2 - Civics Presentation
Gregory Harris - Cycle 2 - Civics Presentation
 
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
Competition and Regulation in Professions and Occupations – OECD – June 2024 ...
 
Carrer goals.pptx and their importance in real life
Carrer goals.pptx and their importance in real lifeCarrer goals.pptx and their importance in real life
Carrer goals.pptx and their importance in real life
 
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie Wells
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie WellsCollapsing Narratives: Exploring Non-Linearity • a micro report by Rosie Wells
Collapsing Narratives: Exploring Non-Linearity • a micro report by Rosie Wells
 
Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024
Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024
Presentatie 8. Joost van der Linde & Daniel Anderton - Eliq 28 mei 2024
 
XP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to LeadershipXP 2024 presentation: A New Look to Leadership
XP 2024 presentation: A New Look to Leadership
 
ASONAM2023_presection_slide_track-recommendation.pdf
ASONAM2023_presection_slide_track-recommendation.pdfASONAM2023_presection_slide_track-recommendation.pdf
ASONAM2023_presection_slide_track-recommendation.pdf
 
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
Mastering the Concepts Tested in the Databricks Certified Data Engineer Assoc...
 
Artificial Intelligence, Data and Competition – OECD – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – OECD – June 2024 OECD discussionArtificial Intelligence, Data and Competition – OECD – June 2024 OECD discussion
Artificial Intelligence, Data and Competition – OECD – June 2024 OECD discussion
 
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
Artificial Intelligence, Data and Competition – ČORBA – June 2024 OECD discus...
 
2024-05-30_meetup_devops_aix-marseille.pdf
2024-05-30_meetup_devops_aix-marseille.pdf2024-05-30_meetup_devops_aix-marseille.pdf
2024-05-30_meetup_devops_aix-marseille.pdf
 
Tom tresser burning issue.pptx My Burning issue
Tom tresser burning issue.pptx My Burning issueTom tresser burning issue.pptx My Burning issue
Tom tresser burning issue.pptx My Burning issue
 
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...
 
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussion
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussionPro-competitive Industrial Policy – OECD – June 2024 OECD discussion
Pro-competitive Industrial Policy – OECD – June 2024 OECD discussion
 

PLNOG 9: Piotr Wojciechowski - Multicast Security

  • 2. ABOUT ME ¢  Senior Network Engineer MSO at VeriFone Inc. ¢  Previously Network Solutions Architect at one of top polish IT integrators ¢  CCIE #25543 (Routing & Switching) ¢  Blogger – http://ccieplayground.wordpress.com ¢  Administrator of CCIE.PL board —  The biggest Cisco community in Europe —  Over 6100 users —  3 admin, 7 moderators —  48 polish CCIEs as members, 20 of them actively posting —  About 150 new topics per month —  About 1000 posts per month —  English section available!
  • 3. AGENDA ¢  Main security issues ¢  Securing the edge of multicast network ¢  Trusted and secure sender/receiver ¢  Dense Mode Fallback problems ¢  Tunneled multicasts ¢  Admission control
  • 5. MAIN SECURITY ISSUES ¢  Why to control? —  Access control – permit specified sources/destinations —  Policies —  Admission – can we transport multicast? ¢  Where to deploy security? —  Local router/switch —  policy-server
  • 6. MAIN SECURITY ISSUES ¢  What we have to protect? —  Content and services —  Device control-plane —  Data plane protection – saturation of network links ¢  How we can protect? —  Packet filtering —  Registration filtering —  State creation —  Encryption
  • 7. MAIN SECURITY ISSUES ¢  Threat overview —  Threats against confidentiality ¢  Must multicast applications does not encrypt data – traffic can be eavesdropped —  Threats against traffic integrity ¢  Without application-level security or network-based security multicast traffic is open to being modified in transit —  Threats against network integrity ¢  Unauthorized senders, receivers, or compromised network elements can access the multicast network, send and receive traffic without authorization or overload network resources. —  Threats against availability ¢  There are a number of denial of service attack possibilities that can make resources unavailable to legitimate users
  • 8. MAIN SECURITY ISSUES ¢  Threats from the sender side —  Layer 2 attacks – not multicast specific but still dangerous —  Masquerading – sender can pretend to be another sender (ie. Source IP Spoofing) —  Theft of service – without proper control it is possible to use the multicast service illegitimately from the sender side
  • 9. MAIN SECURITY ISSUES ¢  Threats from the sender side —  Attacks with multicast traffic ¢  Network saturation ¢  Multicast state attack – to many states created on router ¢  Attempt to become PIM DF on LAN segment ¢  Fake RP announcement to disrupt PIM-SM/BiDir service – spoofing AutoRP or BSR ¢  Unauthorized sender ¢  Attacks against control-plane using multicast traffic (ie. OSPF multicast traffic)
  • 10. MAIN SECURITY ISSUES ¢  Threats from the receiver side —  Similar attacks as for sender side —  Layer2 attacks —  Masquerading and thief of data —  Attack vector usually an IGMP
  • 11. MAIN SECURITY ISSUES ¢  Threats against a Rendezvous Point and BSR —  PIM-SM RP and PIM-BSRs are critical points in multicast network —  Vulnerable to all forms of attacks described before —  Additionally: ¢  PIM Unicast attacks with source IP Spoofing ¢  DoS attacks by sending PIM Register and PIM Register-stop messages
  • 13. SECURING MULTICAST EDGE ¢  Multicast PIM Control Packets: —  Hello, Join/Prune, Assert etc. —  All messages are link-local (TTL=1) —  Destination All-PIM-Routers (224.0.0.13) —  Attack must originate on the same subnet ¢  Unicast PIM Control Packets: —  Register, Register-Stop, C-RP-Advertisement —  Attacks can originate from anywhere
  • 14. SECURING MULTICAST EDGE FILTERING PIM MESSAGES ¢  Filter all PIM packets from untrusted sources —  Router must receive PIM Hellos to establish relation —  PIM packets can be filtered —  It’s not spoofing-proof  
  • 15. SECURING MULTICAST EDGE FILTERING PIM MESSAGES ¢  Filter all PIM packets from untrusted sources   interface  Ethernet0/0    ip  address  10.0.12.1  255.255.255.0    ip  pim  neighbor-­‐filter  PIM-­‐FILTER   !   ip  access-­‐list  standard  PIM-­‐FILTER    permit  10.0.0.1  
  • 16. SECURING MULTICAST EDGE PREVENT RP MAPPING ¢  RP Announce Filter —  Configure it on Mapping Agent —  Specify which IP addresses are accepted as RP Candidates for which groups. ip  pim  rp-­‐announce-­‐filter  rp-­‐list  RP  group-­‐list  MGROUPS   !   ip  access-­‐list  standard  MGROUPS    permit  224.0.0.0  15.255.255.255   ip  access-­‐list  standard  RP    permit  10.0.0.2    permit  10.0.0.3   For what groups MA should accept C-RP List of allowed C-RP’s
  • 17. SECURING MULTICAST EDGE MULTICAST NETWORK BOUNDARY ¢  Multicast boundary —  Administratively scoped boundary on an interface in order to filter source traffic coming into the interface —  Prevent mroute states from being created on the interface —  Enables reuse of the same multicast group address in different administrative domains —  Filter data and control plane traffic including IGMP, PIM, and Auto-RP messages. PIM Register messages are sent using unicast and will not be filtered.
  • 18. SECURING MULTICAST EDGE MULTICAST NETWORK BOUNDARY ¢  Multicast boundary —  AutoRP Filtering
  • 19. SECURING MULTICAST EDGE MULTICAST NETWORK BOUNDARY ¢  BSR Border —  BSR message filtering applied to interface —  Protects from both sending and receiving BSR messages —  Does not set up multicast boundary
  • 20. SECURING MULTICAST EDGE PIM PASSIVE ¢  PIM Passive Interface —  No PIM messages are sent or received —  Router does not join to 224.0.0.13 —  No AutoRP or BSR messages are sent —  Unicast PIM Packets unaffected —  Configure only on non-redundant segments! interface  Ethernet0/0    ip  address  10.0.12.1  255.255.255.0    ip  pim  passive  
  • 21. SECURING MULTICAST EDGE MULTICAST GROUP FILTERING ¢  Multicast groups filtering —  New and nice way to filter all multicast traffic for particular groups —  Introduced in IOS 12.2(33)SXI, 12.2(33)SRE, 15.0(1)M; IOS XR 2.6 —  Disables multicast protocol actions and traffic forwarding for unauthorized groups or channels for all interfaces on the router —  No IGMP/MLD cache entries, PIM, MRIB/MFIB state are ever created for these group ranges and all data packets are immediately dropped
  • 22. SECURING MULTICAST EDGE MULTICAST GROUP FILTERING ¢  Multicast groups filtering —  VRF aware —  Access-list that defines the multicast groups or channels to be permitted or denied globally ¢  Standard ACL for groups ¢  Extended ACL for (S,G) —  AutoRP have to be explicitly permitted, otherwise it would be filtered ip  multicast  group-­‐range  1     !   access-­‐list  1  permit  224.0.1.39  0.0.0.0     access-­‐list  1  permit  224.0.1.40  0.0.0.0     access-­‐list  1  permit  239.0.0.0  0.255.255.255    
  • 23. TRUSTED AND SECURE SENDER/RECEIVER
  • 24. TRUSTED AND SECURE SENDER/RECEIVER ACL ON THE EDGE ¢  Many multicast security issues originating at the sender can be mitigated with appropriate unicast security mechanisms —  Source address spoofing protection (uRPF and ACL with IP Source Guard for the access layer) —  Infrastructure ACL interface  GigabitEthernet0/0    ip  access-­‐group  permit_mcast     ip  access-­‐list  extended  permit_mcast    permit  10.0.0.0  0.0.0.255  239.0.0.0  0.127.255.255    deny  ip  any  224.0.0.0  15.255.255.255  log    permit  ip  any  any  
  • 25. TRUSTED AND SECURE SENDER/RECEIVER ACL ON THE EDGE ¢  Advantages of ACLs: —  Done in hardware on most platforms —  Filters before multicast routing occurs so no states are created if denied —  Best for ingress filtering —  Search documentation for best practice examples
  • 26. TRUSTED AND SECURE SENDER/RECEIVER ACL ON THE EDGE ip  access-­‐list  extended  igmp-­‐control    …      deny  igmp  any  any  pim              !  No  PIMv1      deny  igmp  any  any  dvmrp              !  No  DVMRP  packets      deny  igmp  any  any  host-­‐query                  !  Do  not  use  this  command  with  redundant  routers.                    !  In  that  case  this  packet  type  is  required              permit  igmp  any  host  224.0.0.22            !  IGMPv3  membership  reports      permit  igmp  any  any  14              !  Mtrace  responses      permit  igmp  any  any  15              !  Mtrace  queries      permit  igmp  any  224.0.0.0  15.255.255.255  host-­‐query        !  IGMPv1/v2/v3  queries      permit  igmp  any  224.0.0.0  15.255.255.255  host-­‐report      !  IGMPv1/v2  reports    permit  igmp  any  224.0.0.0  15.255.255.255  7                          !  IGMPv2  leave  messages    deny  igmp  any  any                !  Implicitly  deny  unicast  IGMP  here!     …     permit  ip  any  any                !  Permit  other  packets       interface  ethernet  0      ip  access-­‐group  igmp-­‐control  in    
  • 27. TRUSTED AND SECURE SENDER/RECEIVER ACL ON THE EDGE ¢  IGMP Filtering —  Controls entries into IGMP cache —  Extended ACL – you know how to do it!
  • 28. TRUSTED AND SECURE SENDER/RECEIVER SOURCE CONTROL ¢  Rendezvous Point gives a single point of control for all sources in the network for any group range in ASM and PIM-SM networks ¢  (S,G) is not created on RP but still is on FHR ¢  It’s control-plane – possibility to DDoS RP. ¢  Works best with other edge filtering methods
  • 29. TRUSTED AND SECURE SENDER/RECEIVER SECURING RECEIVER ¢  Control IGMP on receiver side —  IGMP is enabled by default if multicasts are enabled —  IGMP carries protocols – PIMv1, Mrinfo, DVMRP, Mtrace —  Unicast IGMP should always be filtered – those are used in special situations like unidirectional links —  If single IGMP querier is present on non-redundant segment then IGMP queries should be dropped
  • 30. TRUSTED AND SECURE SENDER/RECEIVER SECURING RECEIVER ¢  Restrict which multicast sources receiver can join —  For ASM filter basing on destination address —  For SSM using IGMPv3 filter basing on source and destination address
  • 32. DENSE MODE FALLBACK PROBLEMS ¢  Dense Mode Fallback occurs when RP information is lost —  PIM determines whether a multicast group operates in PIM-DM or PIM sparse-dense mode based solely on the existence of RP information in the group-to-RP mapping cache ¢  It’s event, when PIM mode falling back from sparse mode to dense mode —  Dense mode flooding occurs
  • 33. DENSE MODE FALLBACK PROBLEMS ¢  Dense Mode Fallback Prevention provides a method for: —  Preventing Dense Mode Fallback —  Blocking multicast traffic for groups not specifically configured (there is no RP for the group) ¢  By default Dense Mode Fallback is enabled —  Except when all interfaces are configured in PIM Sparse Mode (not PIM Sparse-Dense Mode)
  • 34. DENSE MODE FALLBACK PROBLEMS ip  multicast-­‐routing     ip  pim  send-­‐rp-­‐announce  ethernet  0  scope  16  group-­‐list  1       ip  pim  rp-­‐address  10.8.0.20  1       no  ip  pim  dm-­‐fallback     !   interface  ethernet  0/0      ip  pim  sparse-­‐dense-­‐mode    
  • 36. ADMISSION CONTROL ¢  Control-plane protection ¢  Resource allocation ¢  Bandwidth protection from congestion ¢  Content-based policies ¢  Subscriber-based policies
  • 37. ADMISSION CONTROL ¢  Limiting number of multicast routes in mroute table —  No new entries created after reaching limit —  Syslog warning beyond threshold point —  vrf-aware  
  • 38. ADMISSION CONTROL ¢  Limiting mroute state for PIM and IGMP per interface ¢  Egress admission control
  • 39. ADMISSION CONTROL ¢  Limiting mroute state for PIM and IGMP per interface ¢  Egress admission control ¢  Ingress admission control
  • 40. ADMISSION CONTROL ¢  Limit the number of IGMP groups joined both globally and per interface ip  igmp  limit  100   ¢  Exceptions can be defined by ACL ip  igmp  limit  100  except  MCAST-­‐GRP   !   ip  access-­‐list  extended  MCAST-­‐GRP    permit  ip  any  host  239.255.255.254    deny  ip  any  any  
  • 43. TUNNELLED MULTICAST ¢  IPSec point-to-point tunnel interfaces since late 12.3T permits to encrypt multicast traffic ¢  Multicast for GET VPN since 12.4(6)T —  Including control-plane security ¢  Manual key distribution or RFC3547 GDOI (Group Domain of Interpretation)
  • 44. TUNNELLED MULTICAST ¢  GDOI Implementation —  Group members register with the key server – IPsec policy and keys that are necessary for encrypt and decrypt IP Multicast packets are distributed —  Group members exchange IP Multicast packets that are encrypted using IPSec —  As needed, the key server pushes a rekey message to the group members
  • 46. TUNNELLED MULTICAST ¢  GDOI – few facts: —  It’s not IKE! —  Uses UDP port 848 —  Not negotiated – server push keys and policies —  No keepalives
  • 47. TUNNELLED MULTICAST ¢  Secure PIM control traffic —  Encrypt and Authenticate PIM Packets —  Crypt map for 224.0.0.13 (PIM Control Messages) except of PIM Register which is unicast – require additional protection —  Hop-by-hop encryption —  Not all combinations of hash+security+encryption works for multicast traffic! —  Recommended mode is transport with manual keys