Control Plane Protection - wiki.rg.net

Posted on 24-Mar-2020

Control Plane Protection

Preventing accidentally on purpose

We're really talking about making sure routers do what we expect: making sure the routing decision stays under our control.

Layer 2 Attacks

• ARP injections

• MAC address flooding

http://packetpushers.net/do-we-really-need-layer-2-security/

ARP Injection

• What is ARP injection?

• How can it be used?

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_603839.html

The only protection is to protect your communications, unless you control the switch. Perhaps add in what ARP is?

What is ARP injection?

• ARP injection is where, on a shared layer 2 segment, an attacker modifies the ARP table on one or more routers.

How does it work?

ARP injection

• What can it be used for?

• Allows for traffic interception.

• Switch flooding.

• Disrupting traffic flows.

Defenses?

• Dynamic ARP Inspection.

• Your whole layer two domain is on DHCP right?

• Otherwise ARP ACLs

• :(

MAC address flooding

• What is it?

• How can it be used?

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_603836.html

MAC address limits on switch ports

What is MAC address flooding?

• Switches have a maximum number of MAC addresses they can store (in the tens of thousands normally).

• So you send more than it can handle.

• The switch turns into a hub and floods all traffic to all ports.
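A toy model of what the three bullets above describe, added here as an example (it is not code from the slides). It models a switch's bounded MAC table, shows the failure mode (once the table is full, frames to hosts the switch could not learn are flooded to every port, so the untrusted port sees traffic that was not meant for it) and shows the defence the linked Cisco paper describes, a per-port MAC address limit. Table size, port numbers and MAC addresses are constructed for the example.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class ToySwitch:
    """Minimal learning switch with a bounded MAC table (constructed for the example)."""

    def __init__(self, cam_capacity, per_port_limit=None):
        self.cam_capacity = cam_capacity      # entries the table can hold
        self.per_port_limit = per_port_limit  # port-security maximum per port, None = off
        self.cam = {}                         # mac -> port
        self.violations = {}                  # port -> number of blocked learns
        self.flooded = 0                      # frames flooded out of every port

    def _learn(self, mac, port):
        """Try to add mac -> port; returns 'ok', 'full' or 'violation'."""
        if mac in self.cam:
            return "ok"
        if self.per_port_limit is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.per_port_limit:
                self.violations[port] = self.violations.get(port, 0) + 1
                return "violation"
        if len(self.cam) >= self.cam_capacity:
            return "full"                     # table full: nothing more can be learned
        self.cam[mac] = port
        return "ok"

    def forward(self, src, dst, in_port, ports):
        """Return the list of egress ports for one frame."""
        if self._learn(src, in_port) == "violation":
            return []                         # port security 'protect': drop the frame
        out = self.cam.get(dst)
        if dst != BROADCAST and out is not None and out != in_port:
            return [out]                      # known unicast: one port only
        self.flooded += 1                     # unknown destination or broadcast: hub behaviour
        return [p for p in ports if p != in_port]


def run_scenario(per_port_limit=None, table_size=100, spoofed_macs=200):
    """Port 1 is untrusted, host A is on port 2, host B on port 3.

    The table starts empty (entries have aged out), a burst of frames with
    distinct source MACs arrives on port 1, then A and B talk to each other."""
    ports = [1, 2, 3]
    sw = ToySwitch(table_size, per_port_limit)
    for i in range(spoofed_macs):
        sw.forward(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", BROADCAST, 1, ports)
    # B speaks first so the switch has a chance to learn it, then A sends B a unicast frame.
    sw.forward("aa:aa:aa:aa:aa:03", "aa:aa:aa:aa:aa:02", 3, ports)
    a_to_b = sw.forward("aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03", 2, ports)
    return {
        "table_entries": len(sw.cam),
        "port1_violations": sw.violations.get(1, 0),
        "a_to_b_egress": a_to_b,              # [3] = unicast only, [1, 3] = flooded to everyone
    }
```

With no limit the burst fills the table, B cannot be learned, and A's frame to B is flooded out of port 1 as well. With `per_port_limit=2` on every port the untrusted port only ever gets two entries, the rest of the burst is dropped and counted as violations, and A's frame goes to port 3 alone.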

Network Flooding

Success.

Switches

• STP

• VTP

• VLAN Hopping

• Native VLAN

http://www.nsa.gov/ia/_files/switches/switch-guide-version1_01.pdf

STP

• What is STP?

• Potential attacks.

What is STP

• Allows a network of switches to automatically remove loops from a layer two network.

• It assists in directing traffic through the network

http://www.secpoint.com/what-is-a-spanning-tree-protocol-attack.html
http://www.alliedtelesis.com/solutions/diagram-27

So it could be used for intercepting traffic or disrupting traffic flow. Also, sending a lot can cause STP to not converge.

VTP

• Cisco proprietary protocol for distributing vlan configuration.

• Never allow it to the outside world.

• Just disable it.

VLAN hopping

• Gaining access to a VLAN that was unintended.

• Harder than some people think.

http://packetlife.net/blog/2010/feb/22/experimenting-vlan-hopping/

Potential to exploit DTP:

switchport nonegotiate
switchport mode access

Native VLAN

• What is a native VLAN?

• When a port is a trunk, the native VLAN defines the behaviour of untagged packets.

Don’t run management or customer traffic over VLAN 1. Force the native VLAN to use tagged packets, and also change it:

switchport trunk native vlan tag
switchport trunk native vlan 999

On unused ports change the default VLAN to something else:

switchport access vlan 2

Layer 3 Protection

• ICMP

• Open Protocols

ICMP

• source-route

• redirects

• router advertisements

• unreachables

• proxy-arp

• gratuitous-arps

• mask-reply

Source routing

• Source routing allows the sender of the packet to choose the next hop.

• Don’t allow random packets to choose their routing and ignore our policy.

Redirects

• The router won’t accept them anyway; this disables sending them.

• But don’t send them as it’s a leak of information.

Router Advertisements

• Used for advertising routers to a local subnet.

For IPv4 this is abandoned; perhaps, if you have a large layer two domain, filter on the edges.

For IPv6 it’s enabled automatically :(

ipv6 nd ra suppress all

Unreachables

• no ip unreachables

• Rate limiting is now the default.

http://www.ciscopress.com/articles/article.asp?p=345618&seqNum=5
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/hticmpun.html

proxy-arp

• Please tell me no one is still using this!

ip arp gratuitous none

• Disable accepting ARP packets we didn’t ask for.

This disables the acceptance of unsolicited ARP packets.

ip arp gratuitous none <- global

http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ip_arp_gratuitous_through_ip_dhcp_ping_packets.html#GUID-C730F25E-343A-4C4A-9E8C-2662B09EA5C4
http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr/command/ip_arp_gratuitous_through_ip_dhcp_ping_packets.html#GUID-7A4211CF-8BFA-4A12-A9F7-1F8552D3CFED

mask-reply

• Disables replying to ICMP packets that request the subnet mask.

Echo Reply Request

• Don’t disable it.

OSPF

• Make sure it’s passive by default.

• Only enable it on internal networks.

• Always use MD5 authentication.

eBGP Security

• MD5 authentication

• TTL hack

• Prefix filters for inbound routes.

• Prefix filters for outbound routes.

http://www.cisco.com/en/US/docs/ios/iproute_bgp/configuration/guide/irg_external_sp.html

MD5 Passwords

• Without it, you trust everyone.

• Prevents making connections without authentication.

• Also means corrupted packets will be dropped.

• But the MD5 sum needs to be verified for every packet.

TTL Protection

• Has anyone heard of this?

• It’s pretty neat.

http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html#7

TTL Protection

• Most BGP connections are on directly connected routers.

• So the TTL should never be decremented.

• So if we set the TTL to one on our packets, they should never get back to an attacker.

TTL Protection

• But that doesn’t save us from accepting those initial SYN packets.

• And calculating the MD5 sum for the packet

• :(

TTL Protection

• So instead set the TTL to 255.

• If the TTL is less than 254, drop it.

• :)

• Must be hard to configure!

TTL Protection

! Configuration.
router bgp AS
 neighbor <neighbour> ttl-security hops 1
!
! obviously needs to be done at both ends.
! Only on eBGP!
! check with: show ip bgp neighbors <neighbour>
! Look for:
! Minimum incoming TTL 254, Outgoing TTL 255
!
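Added example (not from the slides) of why the previous four slides prefer the TTL 255 check over the "set TTL to one" idea. A listener that only verifies the MD5 signature still pays for a digest on every forged segment; one that applies the GTSM check first (accept only TTL >= 255 - hops, here hops 1 as in the configuration above) drops them before any hashing. The addresses, the key and the TTL of the forged segments are constructed, and the digest is a simplified stand-in for the RFC 2385 TCP MD5 option, not a real implementation of it.

```python
import hashlib

# Constructed values for the example: a documentation-range link and a throwaway key.
LOCAL_IP = "192.0.2.1"
NEIGHBOUR_IP = "192.0.2.2"
SHARED_KEY = b"example-bgp-key-not-for-production"


def tcp_md5_digest(src, dst, segment, key):
    """Simplified RFC 2385-style signature: MD5 over the addresses, the segment
    bytes and the shared key. The real option also covers the TCP header; this
    is enough to model the per-packet cost."""
    h = hashlib.md5()
    for part in (src.encode(), dst.encode(), segment, key):
        h.update(part)
    return h.digest()


class BgpListener:
    """Models the receive path of a router's BGP session with one neighbour."""

    def __init__(self, ttl_hops=None):
        self.ttl_hops = ttl_hops     # None = no GTSM; 1 = 'ttl-security hops 1'
        self.md5_checks = 0          # digests we had to compute
        self.accepted = 0
        self.dropped_ttl = 0
        self.dropped_md5 = 0

    def receive(self, pkt):
        """pkt: dict with src, dst, ttl, segment, md5. Returns the verdict."""
        # GTSM: a neighbour 'hops' routers away sends with TTL 255, so its
        # segments arrive with TTL >= 255 - hops; anything lower travelled further.
        if self.ttl_hops is not None and pkt["ttl"] < 255 - self.ttl_hops:
            self.dropped_ttl += 1
            return "drop-ttl"
        # Only now do we pay for the MD5 check.
        self.md5_checks += 1
        expected = tcp_md5_digest(pkt["src"], pkt["dst"], pkt["segment"], SHARED_KEY)
        if expected != pkt["md5"]:
            self.dropped_md5 += 1
            return "drop-md5"
        self.accepted += 1
        return "accept"


def simulate(ttl_hops):
    """Feed the listener 3 genuine segments and 50 forged ones; report the counters."""
    bgp = BgpListener(ttl_hops)
    genuine = []
    for i in range(3):
        seg = b"KEEPALIVE %d" % i
        genuine.append({"src": NEIGHBOUR_IP, "dst": LOCAL_IP, "ttl": 255, "segment": seg,
                        "md5": tcp_md5_digest(NEIGHBOUR_IP, LOCAL_IP, seg, SHARED_KEY)})
    # Forged segments carry the neighbour's address but no valid signature, and
    # arrive with TTL 250 (five router hops), which a directly connected
    # neighbour can never produce.
    forged = [{"src": NEIGHBOUR_IP, "dst": LOCAL_IP, "ttl": 250, "segment": b"SYN",
               "md5": bytes(16)} for _ in range(50)]
    for pkt in genuine + forged:
        bgp.receive(pkt)
    return {"accepted": bgp.accepted, "md5_checks": bgp.md5_checks,
            "dropped_ttl": bgp.dropped_ttl, "dropped_md5": bgp.dropped_md5}
```

`simulate(None)` computes 53 digests to accept 3 segments; `simulate(1)` computes 3 and drops the other 50 on the TTL check alone, which is the "instead set the TTL to 255" point.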

Prefix Filters

• They really need some thinking about before applying them.

• Policy needs to be thought about before creating.

Prefix Filters

• RFC 1918 address space?

• RFC 1122, 3927, 5736, 5737, 2544, 6333, 3068 and 6598?

RFC   Prefixes                                        Purpose
1122  127.0.0.1/8, 240.0.0.0/4                        Loopback Address
1918  10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16       Private Space
2544  192.18.0.0/15                                   Network interconnection device testing
3068  192.88.99.0/24                                  6to4 relay Anycast
3927  169.254.0.0/16                                  Local link v4
5737  192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24   Test networks
6333  192.0.0.0/29
6598  100.64.0.0/10
6890  192.0.0.0/24                                    IETF protocol assignments

Prefix Filters

• Bogon Filtering

https://www.team-cymru.org/Services/Bogons/

Prefix Filters

• Your own prefixes?

• For downstream customer, only accept their prefix.

• For upstream vendors you’ll need to accept routes for customers that are multihoming.

Prefix Filters

• Customer filtering.

  • Accept only what’s assigned.

• Peer filtering.

  • Get a prefix list from them, but still block bogons and your space.

• Provider filtering.

  • Unlikely they would give you a prefix list (it would be too long anyway); still filter bogons and your space.

Note that for peers, they may advertise other peers, thus providing a limited form of transit as well. So check what your peers advertise.

ftp://ftp-eng.cisco.com/cons/isp/security/Ingress-Prefix-Filter-Templates/T-ip-prefix-filter-ingress-loose-check-vCurrent.txt

Max Prefixes

• Should you accept 1,000,000 routes from everyone? Even customers?

• Is there one good number?
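Added example (not from the slides) that puts the last six slides together: the RFC table as a bogon list, the customer/peer/provider policies, and a maximum-prefix limit on the session. The reserved blocks are the ones from the slide's table (127.0.0.1/8 written as 127.0.0.0/8 so the library accepts it, and RFC 2544's benchmarking block as 198.18.0.0/15); the neighbours and the 198.100/198.200 prefixes are constructed placeholders, not real assignments. Real routers express this as prefix lists, route maps and `maximum-prefix`; this is the logic behind them.

```python
import ipaddress

# Special-purpose IPv4 space from the slide's RFC table. Not a complete bogon
# list: use the Team Cymru feed for that.
BOGONS = [ipaddress.ip_network(p) for p in (
    "127.0.0.0/8", "240.0.0.0/4",                          # RFC 1122
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",       # RFC 1918
    "198.18.0.0/15",                                       # RFC 2544
    "192.88.99.0/24",                                      # RFC 3068
    "169.254.0.0/16",                                      # RFC 3927
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",   # RFC 5737
    "192.0.0.0/29",                                        # RFC 6333
    "100.64.0.0/10",                                       # RFC 6598
    "192.0.0.0/24",                                        # RFC 6890
)]


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def is_bogon(prefix):
    """True if the prefix overlaps any reserved block (covers it or sits inside it)."""
    net = ipaddress.ip_network(prefix)
    return any(net.overlaps(b) for b in BOGONS)


def filter_routes(routes, kind, *, assigned=(), their_list=(), our_space=(), max_prefix=None):
    """Apply the slide's policies to prefixes received from one neighbour.

    kind: 'customer' (accept only what is assigned to them), 'peer' (their
    prefix list, minus bogons and our space) or 'provider' (anything except
    bogons and our space). max_prefix models the session limit.
    Returns (accepted, rejected-with-reason, session-state)."""
    assigned, their_list, our_space = _nets(assigned), _nets(their_list), _nets(our_space)
    accepted, rejected = [], {}
    for r in routes:
        net = ipaddress.ip_network(r)
        if is_bogon(r):
            rejected[r] = "bogon"
        elif kind == "customer" and not any(net.subnet_of(a) for a in assigned):
            rejected[r] = "not assigned to this customer"
        elif kind != "customer" and any(net.subnet_of(o) for o in our_space):
            rejected[r] = "our own space"
        elif kind == "peer" and not any(net.subnet_of(p) for p in their_list):
            rejected[r] = "not in peer prefix list"
        else:
            accepted.append(r)
    session = "established"
    if max_prefix is not None and len(accepted) > max_prefix:
        session = "shut down: maximum-prefix exceeded"
    return accepted, rejected, session


def demo():
    """Three constructed neighbours; prefixes are placeholders, not real assignments."""
    ours = ["198.100.0.0/16"]
    customer = filter_routes(["198.100.8.0/23", "198.100.12.0/22", "10.0.0.0/8"],
                             "customer", assigned=["198.100.8.0/22"])
    peer = filter_routes(["198.200.0.0/16", "198.100.0.0/16", "198.51.100.0/24", "198.201.0.0/16"],
                         "peer", their_list=["198.200.0.0/16"], our_space=ours)
    provider = filter_routes(["198.200.0.0/16", "198.201.0.0/16", "198.202.0.0/16"],
                             "provider", our_space=ours, max_prefix=2)
    return {"customer": customer, "peer": peer, "provider": provider}
```

The provider case deliberately trips the limit: accepting three prefixes against a maximum of two is what shuts the session down, which is the "is there one good number?" question; the number has to fit the neighbour.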

Communities + Route maps

• Setting communities on BGP routes is a great policy enforcement tool.

• Reduces the need to statically configure prefix lists at every peering point.

• Makes outbound prefix selection a breeze.

• If it’s fast and easy it will be better maintained.

Use route maps to apply policy to incoming and outgoing routes.

Internet Exchange Security

• Layer 2 issues.

• ARP injection

• MAC attacks (flooding)

• Layer 3 issues

• Non-Policy Routing.

http://conference.apnic.net/__data/assets/pdf_file/0018/50706/apnic34-mike-jager-securing-ixp-connectivity_1346119861.pdf
https://www.ams-ix.net/config-guide

Layer 2 Issues

• We’ve talked about this already, but this is where you are most in danger of it happening.

• I’ve never heard about anyone being attacked, so don’t be too nervous.

Non-Policy Routing?

• What’s that?

• When another organisation ignores advertised routing policy and makes up their own.

• Examples?

Free outbound transit

• Easy, just add a static route for a destination and send it to a router on the exchange.

• This isn’t a how-to

Of course you’ll want to test it before putting the route in.

Free outbound

Layout: two ASes, both connected to the same exchange.

Free outbound

AS10 notices that its outbound traffic to its upstream is busy. It doesn’t want to pay for more bandwidth!

Free outbound

They notice that a lot of the traffic is going to AS30. They also notice that AS30 is connected directly to AS20.

Free outbound

So a less than ethical admin adds a route for 10.30.0.0/16 to send traffic via AS20’s router that is attached to the exchange.

Free outbound

Now their traffic bound for AS30 goes via AS20 over their hopefully well provisioned exchange port. Now the link between AS20 and AS30 is busy: who pays for the upgrade? Or perhaps AS20’s exchange port gets busy, so they pay for an upgrade.

Free inbound transit

• Bit more difficult to do.

• Again, this isn’t a how-to.

Free inbound

So advertise more specifics via a lower cost path. Perhaps you wouldn’t want to advertise your whole address space de-aggregated.

Free inbound

Is this the only way to do it? Nope, you could just advertise a subnet, or use AS path prepending. You could use this on peers as well.

Free symmetric traffic.

• This is the most valuable type of stealing bandwidth.

• So the most specific and difficult.

• Still, this is not a how-to.

Free symmetric transit

So here AS10 is connected to two exchanges, along with AS20.

Free symmetric transit

So AS10 has an expensive transit service between its two POPs. But it’s getting too busy; what to do? An unethical admin notices that AS20 is connected to both exchanges as well.

Free symmetric transit

So after a bit of testing they add static routes for two subnets to send traffic via AS20.

Free symmetric transit

Problem solved, for someone. Other ways to achieve that? Advertise those sub-subnets?

Defences?

• Prefixes lists.

• ACLs.

• Separate exchange router, recommended.

• Separate VRF.

Exchange Router

The null0 route drops all the traffic for which there are no known routes.

VRF Lite

• Combined with uRPF is a way to secure your peering interface.

• Creates a separate forwarding instance that allows you to select what routes are accessible from the exchange interface.

• Be warned it makes configurations difficult.
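Added example (not from the slides) of the two defences just described, a separate exchange router with a null0 default and strict uRPF on the exchange port, modelled in Python. The router only carries its own space and what peers advertise at the exchange, so the "free outbound transit" trick from the earlier slides ends in the null0 route, and a source nobody advertised at the exchange fails the reverse-path check. The topology reuses the slide's AS numbers and AS30's 10.30.0.0/16; interface names and the 198.x prefixes are constructed placeholders. VRF lite and ACLs are not modelled here.

```python
import ipaddress

IX_IF = "Gi0/0 (exchange)"
CORE_IF = "Gi0/1 (core)"


class ExchangeRouter:
    """Separate exchange router: knows its own space and what peers advertise
    at the exchange, and nothing else (no default route towards transit)."""

    def __init__(self):
        # ip route 0.0.0.0 0.0.0.0 null0: anything without a better route is dropped
        self.routes = [(ipaddress.ip_network("0.0.0.0/0"), "Null0")]

    def add_route(self, prefix, interface):
        self.routes.append((ipaddress.ip_network(prefix), interface))

    def lookup(self, address):
        """Longest-prefix match; returns the egress interface (the default always matches)."""
        addr = ipaddress.ip_address(address)
        best = max((r for r in self.routes if addr in r[0]), key=lambda r: r[0].prefixlen)
        return best[1]

    def forward(self, src, dst, in_if):
        # Strict uRPF on the exchange port: the source must route back out of the
        # same port, i.e. it must belong to a prefix some peer advertised to us.
        if in_if == IX_IF and self.lookup(src) != IX_IF:
            return "drop: uRPF failed"
        out_if = self.lookup(dst)
        if out_if == "Null0":
            return "drop: null0 (no route on the exchange router)"
        return f"forward via {out_if}"


def demo():
    """We are AS20 at the exchange; AS10 is a peer there. AS30 is reachable from
    AS20 but is not advertised at the exchange, so the exchange router has no
    route for 10.30.0.0/16 at all."""
    r = ExchangeRouter()
    r.add_route("198.200.0.0/16", CORE_IF)   # our own space (placeholder prefix)
    r.add_route("198.10.0.0/16", IX_IF)      # learned from AS10 at the exchange (placeholder)
    return {
        "peer_to_us": r.forward("198.10.1.1", "198.200.1.1", IX_IF),
        "free_transit_attempt": r.forward("198.10.1.1", "10.30.1.1", IX_IF),
        "unknown_source": r.forward("203.0.113.7", "198.200.1.1", IX_IF),
        "us_to_peer": r.forward("198.200.1.1", "198.10.1.1", CORE_IF),
    }
```

The point is that nothing on this router can reach AS30: a static route on AS10's side pointing at us does not help them, because the null0 default is the only match. On a combined border router with a default towards transit the same packet would simply be forwarded.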

https://supportforums.cisco.com/thread/201655
http://routing-bits.com/2010/09/13/vrf-lite-route-leaking/
http://packetlife.net/blog/2010/mar/29/inter-vrf-routing-vrf-lite/
http://blog.ipexpert.com/2010/12/01/vrf-route-leaking/
http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_28010516.html
http://packetlife.net/blog/2009/apr/30/intro-vrf-lite/

Mike Jager: Exchange security testing

v4 vs v6 Security

Is there a difference in the control plane?

v4 vs v6 Security

Actually there are some slight differences.

What’s different?

• There’s no ARP any more.

• Now there’s multicast for neighbour discovery.

What’s different?

• They insist on making our lives “easier”

• SLAAC via RD and RAs

• Source routing still available.

Source routing is disabled by default in Cisco boxes, yay.

What’s different?

• I can’t hear wh..<bzzt>

• No more fragmentation on routers.

What’s different?

• But that means ICMPv6 is important now.

• Neighbour discovery (v6 ARP)

• SLAAC

• Packet too big ICMP messages

Also, by the way, TTL has been renamed Hop Limit, and the function changed too: instead of being related to time spent in transit it refers to a hop limit. Which is what everyone did anyway.

What’s different?

• The max packet size allowable is now,

• 2**32-1 (That’s over 4Gig in size)

Can’t wait to see what some operating systems make of that.

What’s different?

• Privacy is harder to find with SLAAC

• But minimum allocations are /64 so the OS can use temporary addresses.

What’s different?

• The addresses are HEAPS longer.

• Making management harder.

What’s different?

• Tunneling? We got tunneling.

• 6to4 (automatic)

• Teredo (automatic)

• 6in4 (configured)

• All run over protocol 41, but can fall back to UDP.

Perhaps a user installs some torrenting software, and they are now firewall free, inside your organisation.

What’s different?

• Implementations are new, so there will be new bugs.

• Juniper was forwarding traffic to link-local addresses?!
