Transcript PPT Version

Routing Security Capabilities
draft-zhao-opsec-routing-capabilities-02.txt
[email protected]
OPSEC WG, IETF #66
Packet Filtering vs. Routing Filtering
• Packet filtering
– Applied to network layer packets being forwarded
– Usually based on the IP and transport headers
– Out of scope of this document
• Routing filtering
– Applied to routing packets being sent or received
– Based on the routing protocol along with other protocols
– Within the scope of this document
Filters for External Routing Protocols
• Current implementation
– Applied to both sent and received routing packets on a per-interface basis
– Outbound Route Filter (ORF): whether to use ORF and which ORF, on a per-interface basis
– Limit the scope of route redistribution between different routing protocols
• Filtering Criteria
– Specific route prefixes
– Maximum length of route prefixes
– Maximum number of route prefixes received
– AS_PATH
– BGP community and extended community
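The five inbound filtering criteria above, applied together to one neighbour's updates, as an added Python example that is not from the draft or from any router implementation; the policy values, prefixes, ASNs and community string are constructed, and the max-prefix case is simplified to dropping the excess routes rather than tearing down the session.

```python
import ipaddress
from collections import namedtuple
# prefix "a.b.c.d/len"; as_path: list of ASNs; communities: set of "asn:value" strings
Route = namedtuple("Route", "prefix as_path communities", defaults=[frozenset()])
# denied_prefixes: reject these and their more-specifics; max_prefix_len: longest
# accepted; max_prefixes: per-neighbour cap; denied_asns/denied_communities: reject on match
Policy = namedtuple("Policy", "denied_prefixes max_prefix_len max_prefixes "
                              "denied_asns denied_communities")

def check_route(route, policy):
    """Return None if the route passes, else the criterion that rejects it."""
    net = ipaddress.ip_network(route.prefix, strict=True)
    for denied in map(ipaddress.ip_network, policy.denied_prefixes):
        if denied.version == net.version and net.subnet_of(denied):
            return "specific-prefix"
    if net.prefixlen > policy.max_prefix_len:
        return "max-prefix-length"
    if policy.denied_asns & set(route.as_path):
        return "as-path"
    if policy.denied_communities & set(route.communities):
        return "community"
    return None

def filter_updates(routes, policy):
    """Filter one neighbour's updates -> (accepted routes, [(prefix, reason)]).
    Routes beyond max_prefixes are simply dropped here; a real router usually
    tears the session down instead, so treat that branch as a simplification."""
    accepted, rejected = [], []
    for r in routes:
        reason = check_route(r, policy)
        if reason is None and len(accepted) >= policy.max_prefixes:
            reason = "max-prefix-count"
        target = accepted if reason is None else rejected
        target.append(r if reason is None else (r.prefix, reason))
    return accepted, rejected

# Constructed sample policy and update stream; none of these values are from the draft.
POLICY = Policy(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],  # RFC 1918 space
                max_prefix_len=24, max_prefixes=3,
                denied_asns={65000}, denied_communities={"64500:666"})
SAMPLE = [
    Route("203.0.113.0/24", [64500, 64496]),        # passes
    Route("10.1.0.0/16", [64500]),                  # more-specific of denied 10.0.0.0/8
    Route("198.51.100.0/25", [64500]),              # longer than /24
    Route("198.51.100.0/24", [64500, 65000]),       # denied ASN 65000 in AS_PATH
    Route("192.0.2.0/24", [64500], {"64500:666"}),  # carries a denied community
    Route("198.18.0.0/15", [64500]),                # passes
    Route("100.64.0.0/10", [64500]),                # passes; third route, reaches the cap
    Route("192.0.2.0/24", [64500]),                 # fourth clean route: over the cap
]
```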
Filters for IGP Areas
• IGP requires the same view of the topology within an area
– Route should be flooded unchanged
– Infeasible to implement filtering within an area
• Filtering between IGP areas
– Router may provide the option to filter routing between IGP areas
– Caution: such routing filtering may result in some addresses becoming unreachable
Filters by TTL
• Accept packets from only immediate neighbor
– TTL spoofing is assumed to be impossible
– Most routing packets originate from an immediate neighbor
– TTL is 255 if the neighbor sets the default 255
• Note: not applicable to Multi-hop IBGP
Route Flap Dampening
• Route flap is bad
– How about route flap dampening?
• Configurable
– Timer
– Could be turned off
» http://www.ripe.net/ripe/docs/ripe-378.html
Routing Authentication
• Key must be configurable on router
• System transition from one key to another based on system time
• Stronger algorithms than MD5
– Rescorla-Bellovin analysis
• Preferable key distribution/update mechanism
• Note: the authentication in current (standards track) routing protocol specifications is too weak to meet the security requirements
What is the next step?
• Adopted as a working group document?
Thanks!