1 Control Plane Protection Preventing accidentally on purpose. We're really talking about making sure routers do what we expect: making sure the routing decision stays under our control.
2 Layer 2 Attacks ARP injections MAC address flooding
3 ARP Injection What is ARP injection? How can it be used? The only protection is to protect your communications end to end, unless you control the switch. Perhaps add in: what is ARP?
4 What is ARP injection? ARP injection is where, on a shared layer 2 segment, an attacker sends forged ARP replies and so modifies the ARP table (cache) on one or more routers or hosts, pointing an IP address at the attacker's MAC.
5 How does it work? (diagram, continued over slides 6 to 8)
9 ARP injection What can it be used for? Switch flooding. Allows for traffic interception. Disrupting traffic flows.
10 Defenses? Dynamic ARP Inspection: it validates ARP packets on untrusted ports against the DHCP snooping binding table, so your whole layer two domain is on DHCP, right? Otherwise ARP ACLs for the static hosts :(
11 MAC address flooding What is it? How can it be used? MAC address limits on switch ports (port security).
12 What is MAC address flooding? Switches have a maximum number of MAC addresses they can store in the CAM table (in the tens of thousands normally). So you send more than it can handle: the switch can no longer learn where hosts are, turns into a hub and floods all traffic to all ports.
13 Network Flooding (diagram over slides 13 to 15: the flood succeeds and traffic is sent to every port)
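The two switch-side defences from the slides above, Dynamic ARP Inspection and port security, modelled in Python as an added example (this is not code from the original deck). DAI accepts an ARP reply on an untrusted port only when the (IP, MAC, port) triple matches a DHCP snooping binding; port security refuses to learn more than a fixed number of MACs per access port, which is what stops a macof-style flood from exhausting the CAM table. The port names, MACs, IPs and the binding table are constructed for the example.

```python
# Added example, not from the original slides: a software model of the two
# switch-side defences discussed above. Dynamic ARP Inspection validates ARP
# replies on untrusted ports against the DHCP snooping binding table; port
# security caps the MACs a port may learn so a flooding tool cannot exhaust the
# CAM table. Port names, MACs, IPs and the binding table are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpReply:
    port: str        # port the frame arrived on
    sender_mac: str  # "is-at" hardware address claimed in the reply
    sender_ip: str   # protocol address the sender claims to own


@dataclass
class AccessSwitch:
    # DHCP snooping binding table: (ip, mac) -> the access port that got that lease
    bindings: dict
    # uplinks/trunks: ARP is not inspected and MAC learning is not capped there
    trusted_ports: set
    mac_limit: int = 2                         # port-security maximum per access port
    cam: dict = field(default_factory=dict)    # port -> set of MACs learned on it
    log: list = field(default_factory=list)

    def inspect_arp(self, pkt: ArpReply) -> bool:
        """DAI: on untrusted ports accept a reply only if (ip, mac, port) matches a binding."""
        if pkt.port in self.trusted_ports:
            return True
        if self.bindings.get((pkt.sender_ip, pkt.sender_mac)) == pkt.port:
            return True
        self.log.append(f"DAI: dropped {pkt.sender_ip} is-at {pkt.sender_mac} on {pkt.port}")
        return False

    def learn_mac(self, port: str, mac: str) -> bool:
        """Port security: refuse to learn more than mac_limit MACs on an access port."""
        learned = self.cam.setdefault(port, set())
        if mac in learned:
            return True
        if port not in self.trusted_ports and len(learned) >= self.mac_limit:
            self.log.append(f"port-security: violation on {port}, refused {mac}")
            return False
        learned.add(mac)
        return True


def demo():
    """A legitimate host, an attacker claiming the gateway's IP, and a MAC flood on one port."""
    sw = AccessSwitch(
        bindings={("10.0.0.10", "aa:aa:aa:00:00:10"): "Gi1/0/1"},
        trusted_ports={"Gi1/0/24"},
    )
    legit = sw.inspect_arp(ArpReply("Gi1/0/1", "aa:aa:aa:00:00:10", "10.0.0.10"))
    # the gateway 10.0.0.1 really lives behind the trusted uplink; the attacker on Gi1/0/2 claims it
    spoof = sw.inspect_arp(ArpReply("Gi1/0/2", "bb:bb:bb:00:00:02", "10.0.0.1"))
    gateway = sw.inspect_arp(ArpReply("Gi1/0/24", "cc:cc:cc:00:00:01", "10.0.0.1"))
    # macof-style flood: five random source MACs from the attacker's port, limit is two
    flood = [sw.learn_mac("Gi1/0/2", f"de:ad:be:ef:00:{i:02x}") for i in range(5)]
    return legit, spoof, gateway, sum(flood), len(sw.log)
```

A real switch would err-disable the port on a port-security violation rather than just logging it, and the gateway's static address would normally be covered by an ARP ACL or a trusted uplink, as modelled here.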
16 Switches STP VTP VLAN Hopping Native VLAN
17 STP What is STP? Potential attacks.
18 What is STP? Allows a network of switches to automatically remove loops from a layer two network. It assists in directing traffic through the network, so it could be used for intercepting traffic (an attacker who wins the root bridge election pulls traffic through their port) or for disrupting traffic flow. Also, sending a lot of BPDUs can cause STP to never converge.
19 VTP Cisco proprietary protocol for distributing VLAN configuration. Never allow it to the outside world. Just disable it.
20 VLAN hopping Gaining access to a VLAN that was unintended. Harder than some people think. Potential to exploit DTP: a port left in dynamic mode will negotiate a trunk with an attacker's host, which then sees every VLAN. switchport nonegotiate; switchport mode access
21 Native VLAN What is a native VLAN? When a port is a trunk, the native VLAN defines the behaviour of untagged packets. Don't run management or customer traffic over VLAN 1. Force the native VLAN to use tagged packets, and also change it: switchport trunk native vlan tag; switchport trunk native vlan 999. On unused ports change the default VLAN to something else: switchport access vlan 2
24 Source routing Source routing allows the sender of the packet to choose the next hop(s). Don't allow random packets to choose their own routing and ignore our policy.
25 Redirects Routers won't accept them anyway; this disables sending them. Don't send them, as they leak topology information.
26 Router Advertisements Used for advertising routers to a local subnet. For IPv4 (IRDP) effectively abandoned; perhaps if you have a large layer two domain, filter on the edges. For IPv6 it's enabled automatically :( ipv6 nd ra suppress all
27 Unreachables no ip unreachables Rate limiting is now the default.
28 proxy-arp Please tell me no one is still using this!
29 ip arp gratuitous none Disables the acceptance of unsolicited (gratuitous) ARP packets we didn't ask for. ip arp gratuitous none <- global configuration
30 mask-reply Disables replying to ICMP address mask requests, which ask for the subnet mask.
31 Echo Reply / Request Don't disable it.
32 OSPF Make sure it's passive by default. Only enable it on internal interfaces. Always use MD5 authentication.
33 eBGP Security MD5 authentication. TTL hack. Prefix filters for inbound routes. Prefix filters for outbound routes.
34 MD5 Passwords Without it you trust everyone. It prevents making connections without authentication. It also means corrupted packets will be dropped. But the MD5 sum needs to be verified for every packet.
35 TTL Protection Has anyone heard of this? It's pretty neat.
36 TTL Protection Most BGP connections are between directly connected routers, so the TTL should never be decremented. So if we set the TTL to one on our packets, they can never get past the neighbour to a remote attacker.
37 TTL Protection But that doesn't save us from accepting those initial SYN packets, and calculating the MD5 sum for each packet :(
38 TTL Protection So instead set the TTL to 255 :) Must be hard to configure! If the incoming TTL is less than 254, drop it, before doing any MD5 work.
39 TTL Protection! Configuration.
router bgp <AS>
 neighbor <neighbour> ttl-security hops 1
! obviously needs to be done at both ends
! only on eBGP
! check with: show ip bgp neighbors <neighbour>
! look for: Minimum incoming TTL 254, Outgoing TTL 255
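A model of the check the slides describe, added here as an example rather than taken from the deck: the GTSM / ttl-security comparison (RFC 5082) runs before the TCP MD5 check (RFC 2385), so a segment from an attacker several routers away is dropped by an integer comparison and never costs a digest computation. The digest is a plain MD5 over key plus payload, a simplification of the RFC 2385 option; peer names, hop counts and the key are constructed.

```python
# Added example, not from the original slides: a model of the GTSM / ttl-security
# check (RFC 5082) next to the TCP MD5 check (RFC 2385), to show why the TTL test
# is done first and why "send with TTL 1" was the wrong way round. The digest
# here is a plain MD5 over key+payload, a simplification of the RFC 2385 option;
# peer names, hop counts and the key are constructed.
import hashlib
import hmac
from dataclasses import dataclass

TTL_SECURITY_HOPS = 1                          # "neighbor X ttl-security hops 1"
MIN_INCOMING_TTL = 255 - TTL_SECURITY_HOPS     # 254, as "show ip bgp neighbors" reports


@dataclass(frozen=True)
class Segment:
    src: str
    ttl: int        # TTL as seen by the receiver
    payload: bytes
    digest: bytes   # simplified TCP MD5 option


def md5_option(key: bytes, payload: bytes) -> bytes:
    return hashlib.md5(key + payload).digest()


def send(src: str, routers_in_path: int, payload: bytes, key: bytes) -> Segment:
    """A GTSM sender always sets TTL 255; every router on the path decrements it."""
    return Segment(src, 255 - routers_in_path, payload, md5_option(key, payload))


class BgpListener:
    def __init__(self, key: bytes, ttl_security: bool = True):
        self.key = key
        self.ttl_security = ttl_security
        self.md5_checks = 0   # how often we had to compute a digest

    def accept(self, seg: Segment) -> str:
        # GTSM first: one integer comparison, no crypto
        if self.ttl_security and seg.ttl < MIN_INCOMING_TTL:
            return "drop: ttl"
        self.md5_checks += 1  # only now pay for the MD5
        if not hmac.compare_digest(seg.digest, md5_option(self.key, seg.payload)):
            return "drop: md5"
        return "accept"


def demo():
    """Directly connected peer vs. an attacker five routers away, with and without GTSM."""
    key = b"s3cret-peer-key"
    with_gtsm = BgpListener(key)
    peer = with_gtsm.accept(send("peer", 0, b"OPEN", key))            # arrives with TTL 255
    remote = with_gtsm.accept(send("attacker", 5, b"SYN", b"guess"))  # arrives with TTL 250
    without = BgpListener(key, ttl_security=False)
    remote_no_gtsm = without.accept(send("attacker", 5, b"SYN", b"guess"))
    return peer, remote, with_gtsm.md5_checks, remote_no_gtsm, without.md5_checks
```

The caveat the model also shows: an attacker on the same layer 2 segment as the peer (an exchange fabric, say) arrives with TTL 255 and passes the GTSM check, which is why the MD5 password stays in place alongside it.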
40 Prefix Filters They really need some thinking about before applying them. Policy needs to be thought about before creating.
41 Prefix Filters RFC 1918 address space? RFC 1122, 3927, 5736, 5737, 2544, 6333, 3068 and 6598? /8, /4 Loopback address /8, /12, /16 Private space /15 Network interconnection device testing /24 6to4 relay anycast /16 Link local v4 /24, /24, /24 Test networks / / /24 IETF protocol assignments.
43 Prefix Filters Your own prefixes? For a downstream customer, only accept their prefix. For upstream providers you'll need to accept routes for customers that are multihoming.
44 Prefix Filters Customer filtering: accept only what's assigned. Peer filtering: get a prefix list from them, but still block bogons and your own space. Provider filtering: unlikely they would give you a prefix list, and it would be too long anyway; still filter bogons and your own space. Note that peers may advertise other peers' routes, thus providing a limited form of transit as well. So check what your peers advertise. ftp://ftp-eng.cisco.com/cons/isp/security/ingress-prefix-filter-templates/t-ip-prefix-filter-ingress-loose-check-vcurrent.txt
45 Max Prefixes Should you accept 1,000,000 routes from everyone? Even customers? Is there one good number?
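The inbound filtering policy from the last few slides (bogons, own space, customer assignments, a peer's prefix list, a loose filter for providers, and a maximum-prefix limit) written out in Python as an added example; it is not from the deck or any vendor template. The bogon list is taken from the RFCs the slides cite; the own-space aggregate, the customer and peer prefixes, the session names and the limit are constructed for the example.

```python
# Added example, not from the original slides: an inbound prefix-filter policy in
# Python using the rules from the slides above (bogons, own space, customer
# assignments, peer prefix lists, a loose filter for providers, and a
# maximum-prefix limit). The bogon list is taken from the RFCs the slides cite;
# every other prefix and limit below is constructed for the example.
from ipaddress import ip_network

BOGONS = [ip_network(p) for p in (
    "0.0.0.0/8",                                         # RFC 1122 "this" network
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",     # RFC 1918 private space
    "100.64.0.0/10",                                     # RFC 6598 shared (CGN) space
    "127.0.0.0/8",                                       # RFC 1122 loopback
    "169.254.0.0/16",                                    # RFC 3927 link local
    "192.0.0.0/24",                                      # RFC 5736 IETF assignments (covers RFC 6333 192.0.0.0/29)
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", # RFC 5737 test networks
    "192.88.99.0/24",                                    # RFC 3068 6to4 relay anycast
    "198.18.0.0/15",                                     # RFC 2544 benchmarking
    "224.0.0.0/4", "240.0.0.0/4",                        # multicast, reserved
)]
DEFAULT = ip_network("0.0.0.0/0")
OWN_SPACE = ip_network("198.100.0.0/16")   # constructed: our own aggregate


def filter_routes(session, received, prefix_list=(), max_prefix=100):
    """
    session: "customer", "peer" or "provider".
    prefix_list: what the customer is assigned / what the peer says it advertises.
    Returns (accepted, rejected_with_reason, session_ok); session_ok is False when
    the accepted count exceeds max_prefix, i.e. the session would be torn down.
    """
    allowed = [ip_network(p) for p in prefix_list]
    accepted, rejected = [], []
    for p in received:
        net = ip_network(p)
        reason = None
        if net == DEFAULT:
            reason = None if session == "provider" else "default route"
        elif net.prefixlen > 24:
            reason = "more specific than /24"
        elif any(net.overlaps(b) for b in BOGONS):
            reason = "bogon"
        elif session == "customer":
            # customers may announce our own sub-allocations, but only what we assigned
            if not any(net.subnet_of(a) for a in allowed):
                reason = "not assigned to this customer"
        elif net.overlaps(OWN_SPACE):
            reason = "our own address space"
        elif session == "peer" and not any(net.subnet_of(a) for a in allowed):
            reason = "not in the peer's prefix list"
        if reason:
            rejected.append((str(net), reason))
        else:
            accepted.append(str(net))
    return accepted, rejected, len(accepted) <= max_prefix


def demo():
    customer = filter_routes(
        "customer",
        ["198.100.64.0/22", "198.100.68.0/24", "10.1.0.0/16", "192.0.2.0/24"],
        prefix_list=["198.100.64.0/22"])
    peer = filter_routes(
        "peer",
        ["203.50.0.0/16", "198.100.0.0/16", "203.50.1.0/25", "0.0.0.0/0"],
        prefix_list=["203.50.0.0/16"])
    # a peer that leaks far more than it should, against a max-prefix of 100
    leak = filter_routes("peer", [f"203.{i}.0.0/16" for i in range(1, 121)],
                         prefix_list=["203.0.0.0/8"], max_prefix=100)
    return customer, peer, leak
```

On the "one good number" question: the model tears the session down when the limit is exceeded, which is what max-prefix does; the number has to be set per session from what the neighbour legitimately announces plus headroom, so a customer with one /22 and a peer with a large table cannot share a value.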
46 Communities + Route maps Setting communities on BGP routes is a great policy enforcement tool. It reduces the need to statically configure prefix lists at every peering point and makes outbound prefix selection a breeze. If it's fast and easy it will be better maintained. Use route maps to apply policy to incoming and outgoing routes.
47 Internet Exchange Security Layer 2 issues: ARP injection, MAC attacks (flooding). Layer 3 issues: Non-Policy Routing. data/assets/pdf_file/0018/50706/apnic34-mike-jager-securing-ixp-connectivity_ pdf https://www.ams-ix.net/config-guide
48 Layer 2 Issues We've talked about this already, but this is where you are most in danger of it happening. I've never heard about anyone being attacked, so don't be too nervous.
49 Non-Policy Routing? What's that? When another organisation ignores advertised routing policy and makes up their own. Examples?
50 Free outbound transit Easy: just add a static route for a destination and send it to a router on the exchange. This isn't a how-to. Of course you'll want to test it before putting the route in.
51 Lay out, two AS both connected to the same exchange. Free outbound
52 AS10 notices that its outbound traffic to its upstream is busy. It doesn't want to pay for more bandwidth! Free outbound
53 They notice that a lot of the traffic is going to AS30. They also notice that AS30 is connected directly to AS20. Free outbound
54 Free outbound So a less-than-ethical admin adds a static route for AS30's /16 pointing at AS20's router that is attached to the exchange.
55 Free outbound Now their traffic bound for AS30 goes via AS20 over AS20's hopefully well-provisioned exchange port. Now the link between AS20 and AS30 is busy: who pays for the upgrade? Or perhaps AS20's exchange port gets busy, so they pay for an upgrade.
56 Free inbound transit A bit more difficult to do. Again, this isn't a how-to.
57 Free inbound (diagram)
58 Free inbound So advertise more specifics via the lower cost path, and the return traffic comes in over the exchange instead of your paid transit. Perhaps you wouldn't want to advertise your whole address space de-aggregated.
59 Is this the only way to do it? Nope: you could just advertise a more specific subnet, or prepend ASes to your path on the expensive side. You could use this on peers as well. Free inbound
60 Free symmetric traffic This is the most valuable type of bandwidth theft, so the most specific and difficult. Still, this is not a how-to.
61 So here we have AS10 connected to two exchanges, along with AS20. Free symmetric transit
62 Free symmetric transit So AS10 has an expensive transit service between its two POPs. But it's getting too busy; what to do? An unethical admin notices that AS20 is connected to both exchanges as well.
63 Free symmetric transit So after a bit of testing they add static routes for the two subnets to send traffic via AS20.
64 Problem solved, for someone. Other ways to achieve that? Advertise those sub-subnets as more specifics? Free symmetric transit
65 Defences? Prefix lists. ACLs. Separate exchange router (recommended). Separate VRF.
66 Exchange Router A default route to Null0 drops all traffic for which there is no more specific known route, so a packet from the exchange for a destination we don't serve is discarded instead of being forwarded to transit.
67 VRF Lite Combined with uRPF it is a way to secure your peering interface. It creates a separate forwarding instance that lets you select which routes are reachable from the exchange interface. Be warned: it makes configurations difficult. https://supportforums.cisco.com/thread/
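The exchange VRF plus uRPF defence from the last three slides, modelled in Python as an added example (not code from the deck or from the Cisco forum thread). Packets arriving from the exchange are looked up only in an IX VRF that holds the prefixes we advertise there plus a default to Null0, so the free-outbound and free-symmetric tricks above hit Null0; our own outbound traffic uses the peer routes learned at the exchange; and a loose uRPF check requires the source to be a prefix some peer actually advertised. AS numbers, prefixes and addresses are constructed.

```python
# Added example, not from the original slides: a model of the "separate VRF for the
# exchange interface" defence. Traffic arriving from the exchange is looked up only in
# an IX VRF that holds the prefixes we ourselves advertise there plus a default to
# Null0; traffic leaving the core uses the peer routes learned at the exchange; and a
# loose uRPF check requires the source to be something some peer actually advertised.
# AS numbers, prefixes and addresses are constructed.
from ipaddress import ip_address, ip_network


def longest_match(table, addr):
    """Longest-prefix match of addr against a dict {network: value}; None if no route."""
    best = None
    for net, value in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return None if best is None else best[1]


class ExchangeRouter:
    def __init__(self, own_prefixes, peer_routes):
        # IX VRF: only what we advertise at the exchange is reachable from the IX port.
        # An explicit 0.0.0.0/0 -> Null0 entry catches everything else.
        self.ix_vrf = {ip_network(p): "core" for p in own_prefixes}
        self.ix_vrf[ip_network("0.0.0.0/0")] = "Null0"
        # Routes learned from peers over the exchange: used for our outbound traffic
        # and for uRPF, never for forwarding packets that came in from the exchange.
        self.peer_routes = {ip_network(p): asn for p, asn in peer_routes.items()}

    def from_exchange(self, src, dst):
        """Forwarding decision for a packet that arrived on the exchange interface."""
        src, dst = ip_address(src), ip_address(dst)
        if longest_match(self.peer_routes, src) is None:
            return "drop: uRPF, source not advertised by any peer"
        if longest_match(self.ix_vrf, dst) == "core":
            return "forward to core"
        return "drop: Null0, not our prefix (no free transit)"

    def from_core(self, dst):
        """Forwarding decision for our own traffic heading out of the core."""
        asn = longest_match(self.peer_routes, ip_address(dst))
        return f"forward to exchange, peer {asn}" if asn else "forward via paid transit"


def demo():
    # we are "AS20"; AS10 and AS30 peer with us at the exchange
    r = ExchangeRouter(
        own_prefixes=["198.100.0.0/16"],
        peer_routes={"203.50.0.0/16": "AS10", "203.60.0.0/16": "AS30"},
    )
    return (
        r.from_exchange("203.50.1.1", "198.100.1.1"),  # AS10 -> us: legitimate peering traffic
        r.from_exchange("203.50.1.1", "203.60.1.1"),   # AS10 -> AS30 via our port: free outbound transit
        r.from_exchange("10.0.0.1", "198.100.1.1"),    # spoofed source, fails uRPF
        r.from_core("203.60.1.1"),                     # our traffic to AS30 goes out the exchange
        r.from_core("198.200.1.1"),                    # not a peer prefix: paid transit
    )
```

Keeping peer routes out of the IX VRF is the whole point: if the peers' prefixes were reachable from the exchange interface, a packet from AS10 for AS30 would be forwarded straight back out the same port, which is exactly the transit the slides describe being stolen.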
68 Mike Jager Exchange security testing
69 v4 vs v6 Security Is there a difference in the control plane?
70 v4 vs v6 Security Actually there are some slight differences.
71 What's different? There's no ARP any more. Neighbour discovery now uses ICMPv6 and multicast.
72 What's different? They insist on making our lives easier: SLAAC via ND router solicitations and router advertisements. Source routing is still available (the routing header), but it is disabled by default on Cisco boxes, yay.
73 What's different? I can't hear wh..<bzzt> No more fragmentation on routers.
74 What's different? But that means ICMPv6 is important now: neighbour discovery (the v6 ARP), SLAAC, and Packet Too Big messages for path MTU discovery, so don't blanket-filter it. Also, by the way, TTL has been renamed Hop Limit, and the function changed too: instead of being related to time spent in transit it is a hop count. Which is what everyone implemented anyway.
75 What's different? The maximum packet size allowable is now 2**32-1 bytes with the jumbogram option (that's nearly 4 GiB). Can't wait to see what some operating systems make of that.
76 What's different? Privacy is harder to find with SLAAC, since the interface identifier is derived from the MAC address. But minimum allocations are /64, so the OS can use temporary addresses.
77 What's different? The addresses are HEAPS longer, making management harder.
78 What's different? Tunneling? We've got tunneling: 6to4 (automatic), Teredo (automatic), 6in4 (configured). 6to4 and 6in4 run over IP protocol 41; Teredo wraps IPv6 in UDP so it gets through NAT. Perhaps a user installs some torrenting software, and they are now firewall-free inside your organisation.
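Finding those tunnels in flow data, as an added example that is not part of the original deck: 6to4 and 6in4 show up as IP protocol 41, Teredo as UDP to or from port 3544, and both 6to4 (RFC 3056) and Teredo (RFC 4380) embed the IPv4 endpoints in the IPv6 address, so the decoder below recovers the host's public IPv4 address and, for Teredo, the server and the obfuscated client port. The flow records are constructed; the Teredo address is the worked example from RFC 4380.

```python
# Added example, not from the original slides: spotting IPv6 tunnels that bypass the
# IPv4 firewall. 6to4 and 6in4 carry IPv6 directly in IP protocol 41; Teredo wraps it
# in UDP to port 3544 so it passes NAT. The decoder recovers the IPv4 endpoints that
# 6to4 (RFC 3056) and Teredo (RFC 4380) embed in the IPv6 address. The flow records
# are constructed; the Teredo address is the worked example from RFC 4380.
from ipaddress import IPv4Address, IPv6Address, IPv6Network

PROTO_IPV6_IN_IPV4 = 41   # 6to4 and configured 6in4 tunnels
TEREDO_UDP_PORT = 3544

# constructed NetFlow-style records: src dst proto sport dport
SAMPLE_FLOWS = """\
192.0.2.10   192.88.99.1    41  0      0
192.0.2.45   65.54.227.120  17  40000  3544
192.0.2.20   198.51.100.5   6   51000  443
"""


def classify_flow(proto, sport, dport):
    """Name the tunnel type a flow record matches, or None for ordinary traffic."""
    if proto == PROTO_IPV6_IN_IPV4:
        return "6to4/6in4: IPv6 in IPv4, protocol 41"
    if proto == 17 and TEREDO_UDP_PORT in (sport, dport):
        return "Teredo: IPv6 over UDP/3544"
    return None


def find_tunnels(flow_text):
    """Return [(src, dst, description)] for every flow that looks like an IPv6 tunnel."""
    hits = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, sport, dport = line.split()
        kind = classify_flow(int(proto), int(sport), int(dport))
        if kind:
            hits.append((src, dst, kind))
    return hits


def embedded_ipv4(addr):
    """Recover the IPv4 endpoint(s) that a 6to4 or Teredo address embeds."""
    a = IPv6Address(addr)
    n = int(a)
    if a in IPv6Network("2002::/16"):                  # 2002:V4ADDR::/48, address in bits 16-47
        return {"kind": "6to4", "client": str(IPv4Address((n >> 80) & 0xFFFFFFFF))}
    if a in IPv6Network("2001::/32"):                  # 2001:0:SERVER:FLAGS:~PORT:~CLIENT
        return {
            "kind": "teredo",
            "server": str(IPv4Address((n >> 64) & 0xFFFFFFFF)),
            "client_port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,            # port is stored inverted
            "client": str(IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)),  # so is the client address
        }
    return None
```

The first record is 6to4 to the RFC 3068 relay anycast address; the second is the RFC 4380 example client talking to its Teredo server, and decoding its IPv6 address gives back the same 192.0.2.45 and port 40000 seen in the flow. Blocking protocol 41 and UDP/3544 at the border closes the automatic tunnels; 6in4 to an arbitrary broker still needs the protocol 41 rule.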
79 What s different? Implementations are new, so there will be new bugs. Juniper was forwarding traffic to linklocal addresses?!