Securing Routing Protocol


Routing Protocol Authentication Overview
As a network administrator, you have to be aware that your routers are at risk from attack just as much as your end-user systems. Anyone with a packet sniffer such as Wireshark can read information propagating between routers. In general, routing systems can be attacked in two ways:

Disruption of peers
Falsification of routing information

Disruption of peers is the less critical of the two attacks because routing protocols heal themselves, making the disruption last only slightly longer than the attack itself.
A more subtle class of attack targets the information carried within the routing protocol. Falsified routing information may generally be used to cause systems to misinform (lie to) each other, cause a DoS, or cause traffic to follow a path it would not normally follow. The consequences of falsifying routing information are as follows:

1. Redirect traffic to create routing loops.
2. Redirect traffic so it can be monitored on an insecure link
3. Redirect traffic to discard it

A straightforward way to attack the routing system is to attack the routers running the routing protocols, gain access to the routers and inject false information. Be aware that anyone "listening" can capture routing updates.

For example of an attack that creates a routing loop. An attacker has been able to connect directly to the link between routers R2 and R3. The attacker injects false routing information destined to router R1 only, indicating that R3 is the preferred destination to the 192.168.10.10/32 host route. Although R1 has a routing table entry to the directly connected 192.168.10.0/24 network, it will add the injected route to its routing table because of the longer subnet mask. A route with a longer matching subnet mask is considered to be superior to a route with a shorter subnet mask. Consequently when a router receives a packet it will select the longer subnet mask because it is a more precise route to the destination.

When PC3 sends a packet to PC1 (192.168.10.10/24), R1 will not forward the packet to the PC1 host. Instead it will route the packet to router R3, because, as far as it is concerned, the best path to 192.168.10.10/32 is through R3. When R3 gets the packet, it will look in its routing table and forward the packet back to R1, which creates the loop.

The best way to protect routing information on the network is to authenticate routing protocol packets using message digest algorithm 5 (MD5). An algorithm like MD5 allows the routers to compare signatures that should all be the same.

1. Encryption algorithm, which is generally public knowledge
2. Key used in the encryption algorithm, which is a secret shared by the routers authenticating their packets
3. Contents of the packet itself

we see how each router authenticates the routing information. Generally, the originator of the routing information produces a signature using the key and routing data it is about to send as inputs to the encryption algorithm. The routers receiving this routing data can then repeat the process using the same key, the data it has received, and the same routing data. If the signature the receiver computes is the same as the signature the sender computes, the data and key must be the same as the sender transmitted, and the update is authenticated.
RIPv2, EIGRP, OSPF, IS-IS, and BGP all support various forms of MD5 authentication.

Configuring RIPv2 with Routing Protocol Authentication
The topology in the figure is displaying a network configured with RIPv2 routing protocol. RIPv2 supports routing protocol authentication. To secure routing updates each router must be configured to support authentication. The steps to secure RIPv2 updates are as follows:

Step 1. Prevent RIP routing update propagation
Step 2. Prevent unauthorized reception of RIP updates
Step 3. Verify the operation of RIP routing

Prevent RIP Routing Update Propagation
You need to prevent an intruder listening on the network from receiving updates to which they are not entitled. You do this by forcing all interfaces on the router into passive mode, and then bringing up only those interfaces that are required for sending and receiving RIP updates. An interface in passive mode receives updates but does not send updates. You must configure passive mode interfaces on all the routers in the network.

Step 1.
The configuration commands to control which interfaces will participate in the routing updates. Routing updates should never be advertised on interfaces which are not connected to other routers. For example, the LAN interfaces on router R1 do not connect to other routers and therefore should not advertise routing updates. Only the S0/0/0 interface on router R1 should advertise routing updates.
In the screen output, the passive-interface default command disables routing advertisements on all interfaces. This also includes the S0/0/0 interface. The no passive-interface s0/0/0 command enables the S0/0/0 interface to send and receive RIP updates.

Prevent Unauthorized Reception of RIP Updates
In the figure the intruder is prevented from intercepting RIP updates because MD5 authentication has been enabled on routers, R1, R2 and R3; the routers that are participating in the RIP updates.
Tthe commands to configure routing protocol authentication on router R1. Routers R2 and R3 also need to be configured with these commands on the appropriate interfaces.

The example shows commands to create a key chain named RIP_KEY. Although multiple key can be considered our example only shows one key. Key 1 is configured to contain a key string called cisco. The key string is similar to a password and routers exchanging authentication keys must configured with the same key string. Interface S0/0/0 is configured to support MD5 authentication. The RIP_KEY chain and the routing update, are processed using the MD5 algorithm to produce a unique signature.

Once R1 is configured, the other routers will receive encrypted routing updates and consequently will no longer be able to decipher the updates from R1. This condition will remain until each router in the network is configured with routing protocol authentication.

Verify the Operation of RIP Routing
After you have configured all the routers in the network you need to verify the operation of RIP routing in the network.
Using the show ip route command the output confirms that router R1 has authenticated with the other routers and has been able to acquire the routes from the routers R2 and R3.

0 comments:

Post a Comment

 

NBA Live Streaming. Copyright 2008 All Rights Reserved Revolution Two Church theme by Brian Gardner Converted into Blogger Template by Bloganol dot com | Distributed by Blogger Templates Blog