150 likes | 162 Views
Learn how to secure router infrastructure by implementing control plane packet filters. This includes using receive access-lists, input filters, and denying IP fragments, while permitting specific protocols and subsets of ICMP and UDP.
E N D
Implications of Securing Router Infrastructure NANOG 31 May 24, 2004 Ryan McDowell ryanm@sprint.net
Control Plane Packet Filters • Receive Access-List (rACL) on Cisco • Input filter on Lo0 on Juniper • Deployed in 2002 • Deny IP fragments • Permit SSH, SNMP, DNS, TACACS, NTP, etc • secured by src/dst pairs • Permit BGP, IGMP, PIM • Permit subset of ICMP • Permit UDP >= 1024 • do not break traceroute to the router • Deny everything else • and count it…
Control Plane Packet Filters • How we deployed Cisco rACLs: 1. Build the access-list 2. Replace all deny statements with permit 3. Deploy on several routers 4. If you get matches where you shouldn’t, change to permit/log and see what it is 5. Repeat until no more unexpected matches • Constantly improve • Add src/dst pairs, reduce src/dst ranges, etc
Control Plane Packet Filters • Good IP addressing strategy needed • Made routers harder to kill • Really helps with the magic packet attacks • Few operational implications • “Sprint’s routers are broken because I cannot ping your router with a 1501/4471 byte (fragmented) packet.” • Change control can be difficult • Routers still vulnerable to attacks against TCP/179, ICMP, IP options, UDP, etc
Limit Reachability To Control Plane IP Addresses • Most attacks target IPs on routers obtained from a traceroute • Let’s remove the ability to reach SprintLink-Customer /30 networks from the big dangerous Internet
Best route to 192.0.2.4/30 is null0 Advertise 192.0.2.0/24 via eBGP Static route to 192.0.2.6/32 added if needed Do not redistribute connected routes into BGP or igp. Run next-hop self Route 192.0.2.0/24 to Null0 .5 192.0.2.4/30 .6
Packets from 192.0.2.4/30 will pass uRPF check (i.e. ICMP Type 3 Code 4) 192.0.2.4/30 is no longer reachable from ISP A 192.0.2.4/30 is still reachable from ISP B .5 192.0.2.4/30 .6
Limit Reachability To Control Plane IP Addresses • Does not add 100% security • But makes it a little harder for the attacker • 25% of customers required the use of their point-to-point address • Took over a year to implement • Implications • Traceroute through the router not impacted • Any packets to the routers breaks • PING • Folks LOVE to PING our routers… • Traceroute
Limit Reachability To Control Plane IP Addresses • Do the same thing in the core • “advertise-passive-only” in Cisco • IS-IS export policy in Juniper
Do not redistribute connected routes into BGP or igp. Run IS-IS “advertise passive-only” Can’t reach 192.0.2.4/30 Can reach 192.0.2.6/31 Can’t reach 192.0.2.4/31 .4 192.0.2.4/31 Route 192.0.2.0/24 to Null0 .5 .6 192.0.2.6/31 .7
Limit Reachability To Control Plane IP Addresses • RFC1918 loop backs for management (SNMP, SSH, iBGP, etc….) • Rate limiting rACL • CoPP (Control Plane Policing) on Cisco • Apply BTSH/GTSH to rACL • Ignore IP-Options • Forward packets as if there are no options set • Similar to “no ip source-route” on Cisco
What does all this mean? • Don’t plan on sending any packets destined to the router. • But this is already happening with the MPLS-ization of networks. • More secure infrastructure • Not perfect, but better than where most of us are now • Can be done without ingress filtering which is hard
References http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s22/ft_ipacl.pdf http://www.juniper.net/solutions/literature/app_note/350013.pdf