Additional Security Engineer Materials [PDF]


Certified Advanced Security Engineer (MTCASE)

Riga, Latvia March 7 - March 8, 2019

Schedule
• Training day: 9 AM - 5 PM
• 30-minute breaks: 10:30 AM and 3 PM
• 1-hour lunch: 12:30 PM
• Certification test: last day, 1 hour

INTRODUCE YOURSELF

Introduce Yourself
• Name
• Company / Student
• Current Position
• Job Role
• Expectations from the Training

LAB SETUP

Lab Setup
SSID : CLASS-AP
BAND : 2.4 / 5 GHz
KEY : MikrotikLab

Topology (figure): the access point AP has a wireless link to each student router R1, R2, ..., Rn; each router has an Ethernet link to the student's laptop.

Lab Setup
• Router Name : N_Your-Name
• wlan1 : dhcp-client
• ether4 : to your laptop
• Local IP address : 192.168.N.0/24
• P2P IP address : 10.NN.0.(N/N)/24

N is your router number. In the P2P address the two digits NN are your router number followed by your partner's router number, and the host part is each router's own number (the figure legend reads "Your Router Number / Partner Router Number").

SECURITY INTRO

What is security all about?
• Security is about the protection of assets. (D. Gollmann, Computer Security, Wiley)
• Confidentiality : preserving authorized restrictions on access and disclosure, including protecting personal privacy and proprietary information.
• Integrity : guarding against improper modification or destruction of information; this includes ensuring non-repudiation and authenticity.
• Availability : ensuring timely and reliable access to and use of information.
(Definitions after FIPS 199.)

What is security all about?
• Prevention : take measures that prevent your assets from being damaged (or stolen).
• Detection : take measures so that you can detect when, how, and by whom an asset has been damaged.
• Reaction : take measures so that you can recover your assets, or recover from the damage.

Security Attacks, Mechanisms & Services
• Security attack : any action that compromises the security of information.
• Security mechanism : a process or device designed to detect, prevent, or recover from a security attack.
• Security service : a service intended to counter security attacks, typically by implementing one or more mechanisms.

Security Threats / Attacks

Normal flow: information flows from the information source to the information destination.

Interruption: "services or data become unavailable, unusable, destroyed, and so on, such as loss of a file, denial of service, etc." (the flow from source to destination is cut)

Interception: "an unauthorized subject has gained access to an object, such as stealing data, overhearing others' communication, etc." (the attacker reads the flow between source and destination)

Modification: "unauthorized changing of data or tampering with services, such as alteration of data, modification of messages, etc." (the attacker alters the flow before it reaches the destination)

Fabrication: "additional data or activities are generated that would normally not exist, such as adding a password to a system, replaying previously sent messages, etc." (the attacker injects traffic towards the destination as if it came from the source)

Type of Threats / Attacks
• Active attacks / threats : interruption, modification, fabrication
• Passive attacks / threats : interception

Security Mechanisms
• Encryption : transforming data into something an attacker cannot understand, i.e., a means to implement confidentiality. Encryption on its own does not detect modification; checking whether data have been modified needs an integrity mechanism such as a MAC or an authenticated encryption mode.
• Authentication : verifying the claimed identity of a subject, e.g. by user name and password.
• Authorization : checking whether the subject has the right to perform the requested action.
• Auditing : tracing which subjects accessed what, when, and in which way. Auditing does not by itself provide protection, but it is a tool for analysing problems.

COMMON THREATS

Common Security Threats: Botnet
"Collection of software robots, or 'bots', that creates an army of infected computers (known as 'zombies') that are remotely controlled by the originator."
What it can do:
• Send spam emails with viruses attached.
• Spread all types of malware.
• Use your computer as part of a denial-of-service attack against other systems.

Common Security Threats: Distributed denial-of-service (DDoS)
"A distributed denial-of-service (DDoS) attack is when a malicious user gets a network of zombie computers to sabotage a specific website or server."
What it can do:
• The most common and obvious type of DDoS attack occurs when an attacker "floods" a network with useless traffic.
• The flood of incoming messages to the target system exhausts its resources, thereby denying access to legitimate users.

Common Security Threats: Hacking
"Hacking is a term used to describe actions taken by someone to gain unauthorized access to a computer."
What it can do:
• Find weaknesses (or pre-existing bugs) in your security settings and exploit them in order to access your computer.
• Install a Trojan horse, providing a back door for hackers to enter and search for your information.

Common Security Threats: Malware
"Malware is one of the more common ways to infiltrate or damage your computer. It is software that infects your computer, such as computer viruses, worms, Trojan horses, spyware, and adware."
What it can do:
• Intimidate you with scareware, which is usually a pop-up message that tells you your computer has a security problem or other false information.
• Reformat the hard drive of your computer, causing you to lose all your information.
• Alter or delete files.
• Steal sensitive information.
• Send emails on your behalf.
• Take control of your computer and all the software running on it.

Common Security Threats: Phishing
"Phishing is used most often by cyber criminals because it's easy to execute and can produce the results they're looking for with very little effort."
What it can do:
• Trick you into giving away information by asking you to update, validate or confirm your account. It is often presented in a manner that seems official and intimidating, to encourage you to take action.
• Provide cyber criminals with your usernames and passwords so that they can access your accounts (your online bank account, shopping accounts, etc.) and steal your credit card numbers.

Common Security Threats: Ransomware
"Ransomware is a type of malware that restricts access to your computer or your files and displays a message that demands payment in order for the restriction to be removed."
What it can do:
• Lockscreen ransomware: displays an image that prevents you from accessing your computer.
• Encryption ransomware: encrypts files on your system's hard drive and sometimes on shared network drives, USB drives, external hard drives, and even some cloud storage drives, preventing you from opening them.

Common Security Threats: Spam
"Spam is one of the more common methods of both sending information out and collecting it from unsuspecting people."
What it can do:
• Annoy you with unwanted junk mail.
• Create a burden for communications service providers and businesses to filter electronic messages.
• Phish for your information by tricking you into following links or entering details with too-good-to-be-true offers and promotions.
• Provide a vehicle for malware, scams, fraud and threats to your privacy.

Common Security Threats: Spoofing
"This technique is often used in conjunction with phishing in an attempt to steal your information."
What it can do:
• Send spam using your email address, or a variation of your email address, to your contact list.
• Recreate websites that closely resemble the authentic site. This could be a financial institution or another site that requires a login or other personal information.

Common Security Threats: Spyware & Adware
"This technique is often used by third parties to infiltrate your computer or steal your information without you knowing it."
What it can do:
• Collect information about you without you knowing about it and give it to third parties.
• Send your usernames, passwords, surfing habits, list of applications you've downloaded, settings, and even the version of your operating system to third parties.
• Change the way your computer runs without your knowledge.
• Take you to unwanted sites or inundate you with uncontrollable pop-up ads.

Common Security Threats: Trojan Horses
"A malicious program that is disguised as, or embedded within, legitimate software. It is an executable file that will install itself and run automatically once it's downloaded."
What it can do:
• Delete your files.
• Use your computer to hack other computers.
• Watch you through your web cam.
• Log your keystrokes (such as a credit card number you entered in an online purchase).
• Record usernames, passwords and other personal information.

Common Security Threats: Virus
"Malicious computer programs that are often sent as an email attachment or a download with the intent of infecting your computer."
What it can do:
• Send spam.
• Provide criminals with access to your computer and contact lists.
• Scan and find personal information like passwords on your computer.
• Hijack your web browser.
• Disable your security settings.
• Display unwanted ads.

Common Security Threats: Worm
"A worm, unlike a virus, goes to work on its own without attaching itself to files or programs. It propagates by sending itself to other computers in a network, often running only in memory rather than altering files on disk."
What it can do:
• Spread to everyone in your contact list.
• Cause a tremendous amount of damage by shutting down parts of the Internet, wreaking havoc on an internal network and costing companies enormous amounts of lost revenue.

SECURITY DEPLOYMENT

MikroTik as a Global Firewall Router

Topology (figure): one MikroTik router sits between the Internet and all internal segments (Data Center, Office, Guest) and holds the firewall policy for all of them.

Pros
• Simple topology
• Easy to manage
Cons
• Concentrates everything in a single point of failure
• High resource demand on the one router

MikroTik as a Specific Router Firewall

Topology (figure): each segment (Data Center, Office, Guest) is behind its own MikroTik router, and each router enforces only the firewall policy for its own network.

Pros
• Less resource consumption on each router
• Each firewall focuses only on its own network
Cons
• Different network segments need different treatment
• The firewall has to be configured separately on each router
• Rules sometimes end up duplicated across routers

MikroTik as an IPS

Topology (figure): all traffic between the Internet and the segments (Data Center, Office, Guest) passes through a dedicated MikroTik router acting as an in-line intrusion prevention system; the segment routers keep a minimal firewall configuration.

Pros
• Clean firewall configuration on the segment routers, because all firewall rules are defined on the IPS router.
Cons
• The MikroTik acting as IPS needs a high-resource device.

MikroTik with IDS as a trigger

Topology (figure): the MikroTik router mirrors traffic to a separate IDS server; when the IDS detects bad traffic it pushes blocking rules to the router via the API.

Pros
• All firewall rules are created automatically by the IDS server through the API
Cons
• Needs an additional device to trigger on bad traffic
• Needs a powerful device for mirroring all traffic in and out of the networks
• Needs custom scripting to send information to the router
• Expensive

IPv6 SECURITY

IPv6 Review – Address Comparison (figure only)

IPv6 Review – Header Comparison (figure only)

IPv6 Review – Extension Header (figure only)

IPv6 Review – Usable Addresses (figure only)

IPv6 Threat Types
• Reconnaissance : provide the adversary with information
• Unauthorized access : exploit
• Header manipulation and fragmentation : evade or overwhelm
• Layer 3 – Layer 4 spoofing : mask the intent or origin of the traffic
• NDP and DHCP attacks : subvert the host initialization process
• Broadcast amplification attacks (smurf) : amplify the effect of a flood
• Routing attacks : disrupt or redirect traffic flows
• Viruses and worms : propagation of the malicious payload
• Sniffing : capturing data
• Application layer attacks : attacks executed at Layer 7
• Rogue devices : unauthorized devices connected to a network
• Man-in-the-middle attacks : attacks which involve interposing an adversary between two communicating parties
• Flooding : consume enough resources to delay processing of valid traffic

IPv6 Threats - Scanning
• The subnet size is much larger
– Default subnets in IPv6 have 2^64 addresses (approx. 1.8 x 10^19). An exhaustive scan of every address on a subnet is no longer reasonable: at 1,000,000 addresses per second it takes more than 500,000 years.
– Nmap can scan individual IPv6 hosts (-6), but no tool can brute-force sweep a /64.
• IPv6 scanning methods are likely to change
– Public servers will still need to be reachable via DNS, giving the attacker some hosts to attack; this is not new.
– Administrators may adopt easy-to-remember addresses (::1, ::2, ::53, or simply the IPv4 last octet).
– EUI-64 addresses embed the MAC address, so the "fixed part" (the vendor OUI) can be guessed and only the remaining 24 bits need enumerating.
– New techniques to harvest addresses, e.g. from DNS zones and logs.

IPv6 Threats - Scanning
• Deny DNS zone transfers; a zone transfer hands an attacker the address list.
• By compromising routers at key transit points in a network, an attacker can learn new addresses to scan.
• Other possible network hiding: split DNS.
• New attack vectors: the "all nodes / all routers ..." addresses.
• New multicast addresses: IPv6 defines well-known multicast groups that can let an attacker identify key resources on a network and attack them
– For example, all nodes (FF02::1), all routers (FF02::2 link-local, FF05::2 site-local) and all DHCP servers (FF05::1:3)
– These addresses must be filtered at the border so they are unreachable from outside; this is the default if no IPv6 multicast routing is enabled.

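The address patterns listed above, turned into a candidate generator. This is an added example written for this page, not code from the MTCASE course; the prefix 2001:db8:1::/64, the IPv4 block 192.0.2.0/24 and the OUI 00:0c:29 are assumed sample values. It shows why sweeping a /64 is replaced by a few hundred structured guesses, or 2^24 for one EUI-64 vendor range.

```python
"""Targeted IPv6 candidate generation: the address patterns an attacker (or an
administrator auditing an addressing plan) would try instead of sweeping the
2**64 interface IDs of a /64.  Sample prefix, IPv4 block and OUI are assumed
values for illustration."""
import ipaddress
from typing import Iterable, Iterator

IPv6Net = ipaddress.IPv6Network
IPv6Addr = ipaddress.IPv6Address

# Assumed lab values (documentation prefixes).
SAMPLE_PREFIX = IPv6Net("2001:db8:1::/64")
SAMPLE_V4_BLOCK = ipaddress.IPv4Network("192.0.2.0/24")


def low_host_ids(prefix: IPv6Net, count: int = 256) -> Iterator[IPv6Addr]:
    """'Easy to remember' addresses: prefix::1, ::2, ... up to prefix::<count>."""
    for host in range(1, count + 1):
        yield prefix[host]


def ipv4_last_octet(prefix: IPv6Net, v4_block: ipaddress.IPv4Network) -> Iterator[IPv6Addr]:
    """Administrators often reuse the IPv4 last octet as hex digits, so the host
    192.0.2.53 becomes prefix::53 (that is 0x53, not decimal 53)."""
    for v4 in v4_block.hosts():
        last_octet = v4.packed[3]
        yield prefix[int(str(last_octet), 16)]


def eui64_address(prefix: IPv6Net, mac: str) -> IPv6Addr:
    """Modified EUI-64 interface ID (RFC 4291 appendix A): insert ff:fe in the
    middle of the MAC and flip the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", ""))
    if len(octets) != 6:
        raise ValueError("MAC must have 6 octets")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return IPv6Addr(prefix.network_address.packed[:8] + iid)


def eui64_candidates(prefix: IPv6Net, oui: str, nic_ids: Iterable[int]) -> Iterator[IPv6Addr]:
    """Enumerate EUI-64 addresses for a known vendor OUI: the 24-bit OUI and the
    ff:fe filler are fixed, so only the 24-bit NIC-specific part varies
    (2**24 candidates instead of 2**64)."""
    for nic in nic_ids:
        mac = oui + ":" + ":".join(f"{(nic >> shift) & 0xFF:02x}" for shift in (16, 8, 0))
        yield eui64_address(prefix, mac)


if __name__ == "__main__":
    print("low host IDs:", [str(a) for a in low_host_ids(SAMPLE_PREFIX, 4)])
    print("IPv4-derived:", [str(a) for a in list(ipv4_last_octet(SAMPLE_PREFIX, SAMPLE_V4_BLOCK))[:4]])
    print("EUI-64 for 00:0c:29:12:34:56:", eui64_address(SAMPLE_PREFIX, "00:0c:29:12:34:56"))
    print("EUI-64 search space for one OUI:", 2 ** 24, "of", 2 ** 64)
```

Run it as-is to see the three candidate families; feed the generators to a ping6/nmap -6 loop (or, defensively, to a check against your own address plan) to find which of them your network actually exposes.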

IPv6 Threats - Unauthorized Access
• Policy enforcement at Layer 3 and Layer 4 is still done in firewalls in IPv6.
• Some design considerations:
– Filter site-scoped multicast addresses at site boundaries
– Filter IPv4-mapped IPv6 addresses (::ffff:0:0/96) on the wire; they should never appear in packets
– Hosts have multiple addresses per interface (link-local, global, temporary), so per-host rules must cover all of them
• Filtering non-routable and bogon addresses is slightly different
– In IPv4 it is easier to deny the non-routable and bogon ranges
– In IPv6 it is easier to permit only the legitimate (allocated global unicast) ranges, almost

IPv6 Threats - Header Manipulation
• Deny IPv6 fragments destined to an inter-networking device; they are used as a DoS vector against the infrastructure.
• Ensure adequate IPv6 fragmentation and extension-header filtering capabilities. For example, drop all packets with a Type 0 Routing Header (deprecated by RFC 5095), and drop Type 2 as well if you don't run Mobile IPv6.
• Potentially drop all fragments smaller than 1280 octets (except the last fragment).
• All fragments of a packet should arrive within 60 seconds; otherwise drop the reassembly state.

IPv6 Threats - L3 / L4 Spoofing
• While L4 spoofing remains the same, IPv6 addresses are globally aggregated, which makes spoofing mitigation at aggregation points easy to deploy
• It can be done more easily because the IPv6 address space is hierarchical
• However, the host part of the address is not protected: an IPv6-to-MAC (user) mapping is needed for accountability

IPv6 Threats - Auto Configuration
• Neighbor Discovery has the same security model as the Address Resolution Protocol
– The classic ARP attack, cache poisoning, applies to ND as well (the THC-IPv6 tools covered later in this deck implement it)
– The classic prevention tool, DHCP snooping, has no direct equivalent; RA Guard and ND inspection on switches fill that role
• A better solution is SEND (RFC 3971), based on Cryptographically Generated Addresses (RFC 3972): Hash1 = SHA-1(modifier, subnet prefix, collision count, public key), and the leftmost 64 bits of Hash1 form the interface ID
• DHCPv6 with authentication is possible
• ND with IPsec is also possible

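The CGA construction from RFC 3972 that SEND relies on, as an added example written for this page (it is not course material). It generates an address whose interface ID is bound to a public key and verifies it from the published CGA parameters alone. The public key bytes are a constructed placeholder for the DER-encoded RSA key a real SEND node would use; the prefix 2001:db8:1::/64 is an assumed sample value.

```python
"""Cryptographically Generated Addresses (RFC 3972): generation (section 4) and
verification (section 5).  SAMPLE_PUBLIC_KEY is a constructed placeholder for
the DER-encoded key SEND carries; SAMPLE_PREFIX is an assumed lab prefix."""
import hashlib
import ipaddress
import os
from typing import NamedTuple, Optional, Tuple

SAMPLE_PREFIX = bytes.fromhex("20010db800010000")        # 2001:db8:1::/64
SAMPLE_PUBLIC_KEY = b"\x30\x2a" + bytes(range(42))      # constructed stand-in key


class CgaParams(NamedTuple):
    """The CGA Parameters structure the address owner publishes with the address."""
    modifier: bytes          # 16 bytes, chosen so Hash2 has 16*Sec leading zero bits
    subnet_prefix: bytes     # 8 bytes
    collision_count: int     # 0, 1 or 2; incremented after a DAD collision
    public_key: bytes        # DER-encoded SubjectPublicKeyInfo in real SEND


def _hash1(p: CgaParams) -> bytes:
    return hashlib.sha1(p.modifier + p.subnet_prefix + bytes([p.collision_count]) + p.public_key).digest()


def _hash2(modifier: bytes, public_key: bytes) -> bytes:
    # Subnet prefix and collision count are replaced by nine zero bytes (RFC 3972 4, step 2).
    return hashlib.sha1(modifier + b"\x00" * 9 + public_key).digest()


def _interface_id(hash1: bytes, sec: int) -> bytes:
    iid = bytearray(hash1[:8])
    iid[0] = (sec << 5) | (iid[0] & 0x1C)   # leftmost 3 bits = Sec, u/g bits cleared
    return bytes(iid)


def generate_cga(subnet_prefix: bytes, public_key: bytes, sec: int = 1,
                 modifier: Optional[bytes] = None) -> Tuple[ipaddress.IPv6Address, CgaParams]:
    """Search for a modifier that meets the Sec work factor, then derive the address.
    Each Sec level costs roughly 2**(16*sec) SHA-1 evaluations for the generator
    but makes brute-forcing a colliding key 2**(16*sec) times harder for a forger."""
    if not 0 <= sec <= 7 or len(subnet_prefix) != 8:
        raise ValueError("sec must be 0..7 and the prefix exactly 8 bytes")
    m = int.from_bytes(modifier or os.urandom(16), "big")
    zero_bytes = 2 * sec                        # 16*Sec leading zero bits
    while sec and _hash2(m.to_bytes(16, "big"), public_key)[:zero_bytes] != b"\x00" * zero_bytes:
        m = (m + 1) % (1 << 128)
    params = CgaParams(m.to_bytes(16, "big"), subnet_prefix, 0, public_key)
    address = ipaddress.IPv6Address(subnet_prefix + _interface_id(_hash1(params), sec))
    return address, params


def verify_cga(address: ipaddress.IPv6Address, params: CgaParams) -> bool:
    """Anyone on the link can check the address against the parameters with no
    trust anchor: the prefix must match, the interface ID must equal Hash1
    (with Sec and u/g bits applied) and Hash2 must satisfy the Sec condition."""
    packed = address.packed
    sec = packed[8] >> 5
    if params.collision_count > 2 or packed[:8] != params.subnet_prefix:
        return False
    if _interface_id(_hash1(params), sec) != packed[8:]:
        return False
    zero_bytes = 2 * sec
    return _hash2(params.modifier, params.public_key)[:zero_bytes] == b"\x00" * zero_bytes


if __name__ == "__main__":
    addr, params = generate_cga(SAMPLE_PREFIX, SAMPLE_PUBLIC_KEY, sec=1)
    print("CGA:", addr, "verifies:", verify_cga(addr, params))
    print("forged key verifies:", verify_cga(addr, params._replace(public_key=b"attacker")))
```

An attacker who wants to spoof this address in an NA must present parameters that hash to the same interface ID; the signature SEND adds on top of the CGA parameters (not shown here) then proves possession of the matching private key.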

IPv6 Threats – DDoS Attacks
• There are no broadcast addresses in IPv6
– This stops the amplification ("smurf") attacks that send ICMP packets to the broadcast address
– There are, however, well-known multicast addresses for special groups of devices, e.g. all nodes, all routers (link-local and site-local scope), etc.
• The IPv6 specification forbids generating ICMPv6 error packets in response to messages sent to multicast addresses (with the exception of Packet Too Big, which is a questionable practice)
– Many popular operating systems follow the specification
– The danger of ICMP packets with multicast source addresses is still uncertain

IPv6 Threats – DDoS Mitigation
• Be sure that your host implementation follows RFC 4443 (ICMPv6; it obsoletes RFC 2463)
• Implement RFC 2827 (BCP 38) ingress filtering
• Implement ingress filtering of IPv6 packets with an IPv6 multicast source address

IPv6 Threats – Routing Attack
• Use the traditional authentication mechanisms (MD5 / keyed authentication) for BGP and IS-IS.
• Use IPsec (RFC 4552) to secure protocols such as OSPFv3 and RIPng.

IPv6 Threats – Sniffing
• Without IPsec, IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4

IPv6 Threats – Application Attacks
• Even with IPsec, the majority of vulnerabilities on the Internet today are at the application layer, something that IPsec does nothing to prevent

IPv6 Threats – MITM
• Without IPsec, any man-in-the-middle attack has the same likelihood in IPv6 as in IPv4

IPv6 Threats – Flooding
• Flooding attacks are identical for IPv4 and IPv6

Man in the Middle Attack
• Man in the middle with spoofed ICMPv6 Neighbor Advertisement
• Man in the middle with spoofed ICMPv6 Router Advertisement
• Man in the middle using ICMPv6 Redirect or ICMPv6 Packet Too Big to implant a route
• Man in the middle with a rogue DHCPv6 server

NDP Attacks
• Attacks related to Neighbor Discovery (ND)
– NDP spoofing
– DAD DoS attack
• Attacks related to Router Advertisement (RA)
– RA flooding
– Rogue RA
• Note that anyone on the link can send an advertisement (NA or RA)

IPv6 Attack Frameworks
• "The Hackers' Choice" THC-IPv6 – https://www.thc.org/thc-ipv6/
• SI6 Networks IPv6 Toolkit – http://www.si6networks.com/tools/ipv6toolkit/
• Chiron – http://www.secfu.net/tools-scripts/

Duplicate Address Detection - DoS

Sequence (figure): the client asks "Is this address unique?" by sending a Neighbor Solicitation (NS) for its tentative address. The attacker answers every NS with a Neighbor Advertisement (NA), so every address the client tries appears to be taken.

DAD Attack Tool - DoS: dos-new-ip6
• This tool prevents new IPv6 interfaces from coming up by answering the duplicate-address checks. The result is a DoS for new IPv6 devices.

Neighbor Discovery Spoofing

Sequence (figure): the client asks "What is Host B's MAC address?" by sending a Neighbor Solicitation (NS) for Host B's link-layer address. The attacker answers with a Neighbor Advertisement (NA) that spoofs Host B and carries the attacker's own MAC: "I am Host B. This is my MAC."

NDP Spoofing – Attack Tool: Parasite6
• This is an "ARP spoofer" for IPv6: it redirects all local traffic to your own system (or to nowhere, if the fake MAC does not exist) by answering falsely to Neighbor Solicitation requests. Specifying FAKE-MAC therefore results in a local DoS.

Router Advertisement Spoofing

Sequence (figure): hosts get a new address from the legitimate router's RA. The attacker floods the router until it is down, then acts as the router and hands out its own addresses.

Man in the Middle Attack (figure): lab topology with the addresses 2000:db8::1/64 and fac:dead:a11::/64 shown.

Router Advertisement Spoofing
• Since this happens at Layer 2, the router is nearly blind to this kind of attack, but you can activate the RA Guard feature on your switch. RA Guard mitigates this attack, although the attack script has a few advanced options (extension headers and fragmentation, the evasions RFC 7113 describes) that can be used to defeat a naive implementation.
• Disabling "Router Discovery" on your PC makes it discard any RA packets.

Router Advertisement Flooding
• Traffic flooding with ICMPv6 Router Advertisement, Neighbor Advertisement, Neighbor Solicitation, Multicast Listener Discovery (MLD), or smurf traffic
• Denial of service that prevents new IPv6 hosts from joining the network
• Denial of service related to fragmentation
• Traffic flooding with ICMPv6 Neighbor Solicitation carrying SEND/CGA options, so that the cryptographic verification keeps the target's CPU busy

Sequence (figure): the attacker floods the client with RAs for many different prefixes, and the client configures an address for every one of them ("gets so many IPv6 addresses").

Router Advertisement Flooding (screenshots only)

Detect Rogue RAs & ND Spoofing
• With a generic Intrusion Detection System
– signatures needed
– decentralized sensors in all network segments needed
• With NDPmon
– can monitor RAs, NAs, and DAD DoS
– generates syslog events and/or sends e-mails
– freely available at ndpmon.sourceforge.net
• Using deprecation daemons (they answer a rogue RA with an RA that sets the rogue router's lifetime to zero):
– ramond, rafixd

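The three checks above (rogue RA, DAD DoS from dos-new-ip6, NA spoofing from parasite6) expressed as detection logic over a stream of ICMPv6 events, the way a sensor such as NDPmon evaluates them. This is an added example for this page, not NDPmon's code or course material; the event list is constructed, and the trusted-router table is an assumed local policy.

```python
"""Rogue-RA, DAD-DoS and ND-spoofing detection over decoded ICMPv6 events.
SAMPLE_EVENTS is constructed for this example; TRUSTED_ROUTERS is an assumed
policy (which MAC may send RAs and which prefix it may announce)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Icmp6Event:
    ts: float                      # seconds since capture start
    src_mac: str                   # link-layer source of the frame
    msg: str                       # "RA", "NS" or "NA"
    target: str                    # advertised prefix for RA, target address for NS/NA
    src_ip: Optional[str] = None   # only needed for NS: "::" marks a DAD probe


TRUSTED_ROUTERS: Dict[str, str] = {"00:0c:29:aa:bb:cc": "2001:db8:1::/64"}

SAMPLE_EVENTS: List[Icmp6Event] = [
    Icmp6Event(0.0, "00:0c:29:aa:bb:cc", "RA", "2001:db8:1::/64"),          # legitimate router
    Icmp6Event(0.5, "de:ad:be:ef:00:01", "RA", "2001:db8:bad::/64"),        # rogue RA
    Icmp6Event(1.0, "00:11:22:33:44:01", "NS", "2001:db8:1::1001", "::"),   # DAD probe
    Icmp6Event(1.1, "de:ad:be:ef:00:01", "NA", "2001:db8:1::1001"),         # "taken"
    Icmp6Event(2.0, "00:11:22:33:44:02", "NS", "2001:db8:1::1002", "::"),
    Icmp6Event(2.1, "de:ad:be:ef:00:01", "NA", "2001:db8:1::1002"),
    Icmp6Event(3.0, "00:11:22:33:44:03", "NS", "2001:db8:1::1003", "::"),
    Icmp6Event(3.1, "de:ad:be:ef:00:01", "NA", "2001:db8:1::1003"),
    Icmp6Event(4.0, "00:11:22:33:44:04", "NS", "2001:db8:1::10", "2001:db8:1::44"),  # resolve host B
    Icmp6Event(4.1, "00:11:22:33:44:10", "NA", "2001:db8:1::10"),           # real host B
    Icmp6Event(4.1, "de:ad:be:ef:00:01", "NA", "2001:db8:1::10"),           # parasite6 answer
]


def rogue_ras(events: List[Icmp6Event]) -> List[Icmp6Event]:
    """An RA from a MAC that is not a trusted router, or a trusted router
    announcing a prefix other than the one it is allowed to announce."""
    return [e for e in events if e.msg == "RA" and TRUSTED_ROUTERS.get(e.src_mac) != e.target]


def dad_dos_suspects(events: List[Icmp6Event], window: float = 5.0, threshold: int = 3) -> Set[str]:
    """dos-new-ip6 answers every DAD probe.  A DAD NS has the unspecified source
    address; a MAC that claims at least `threshold` distinct tentative addresses
    within `window` seconds of their probes is flagged."""
    probes = {e.target: e.ts for e in events if e.msg == "NS" and e.src_ip == "::"}
    claimed: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.msg == "NA" and e.target in probes and 0 <= e.ts - probes[e.target] <= window:
            claimed[e.src_mac].add(e.target)
    return {mac for mac, targets in claimed.items() if len(targets) >= threshold}


def na_conflicts(events: List[Icmp6Event]) -> Dict[str, Set[str]]:
    """parasite6 answers NS for addresses it does not own, so the real host and
    the attacker both advertise the same target with different MACs."""
    owners: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.msg == "NA":
            owners[e.target].add(e.src_mac)
    return {target: macs for target, macs in owners.items() if len(macs) > 1}


if __name__ == "__main__":
    print("rogue RAs:", [(e.src_mac, e.target) for e in rogue_ras(SAMPLE_EVENTS)])
    print("DAD DoS suspects:", dad_dos_suspects(SAMPLE_EVENTS))
    print("NA conflicts:", na_conflicts(SAMPLE_EVENTS))
```

All three detectors need a sensor on the segment itself, since none of this traffic crosses the router; that is the "decentralized sensors in all network segments" requirement from the slide.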

RA Guard
• Router Advertisement Guard (RFC 6105)
• All messages between IPv6 end devices traverse the controlled L2 networking device (the switch)
• It filters RA messages based on a set of criteria: RAs are allowed in only on the port facing the legitimate router and blocked on all host-facing ports (figure: "Allow incoming RA" on the router port, "Block incoming RA" on the host ports)

How to Countermeasure
• Make sure your router only forwards traffic sourced from your own IPv6 prefix and rejects the rest
• Selectively filter ICMPv6
• Determine which ICMPv6 messages are required (RFC 4890 lists them)
• Filter unneeded services on your router
• Disable "Router Discovery" on your critical servers and always use static IPv6 addresses
• Don't forget to reject all bogon addresses

Allowing own Prefix
• Only forward packets towards the ISP whose source is in your own prefix (2000:aaaa::/40 stands for your allocation).

/ipv6 firewall filter
add action=drop chain=forward out-interface=ether1-ISP src-address=!2000:aaaa::/40

Allowing ICMPv6
• Allow ICMPv6. This rule must come before any drop rule in the forward chain, and on a production border it should be narrowed to the message types RFC 4890 recommends rather than all of ICMPv6.

/ipv6 firewall filter
add action=accept chain=forward protocol=icmpv6

Filtering unneeded services
• Selectively allow service ports from the ISP side; everything else is dropped.

/ipv6 firewall filter
add action=drop chain=forward dst-port=!22,53,80,443 in-interface=ether1-ISP protocol=tcp
add action=drop chain=forward dst-port=!53 in-interface=ether1-ISP protocol=udp

Filtering Bogons Address
• Drop bogon addresses in both directions. The address list ipv6-bogons must be populated (and kept current) from the Team Cymru full-bogon feed, and INTERNAL is an interface list containing your inside interfaces.

/ipv6 firewall filter
add action=drop chain=forward in-interface=ether1-ISP src-address-list=ipv6-bogons
add action=drop chain=forward dst-address-list=ipv6-bogons in-interface-list=INTERNAL

Note: bogon addresses https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt

OSPF SECURITY

OSPF - Attacks
Basically, attacks against OSPF consist of forging Hello, LSA and LSU messages on behalf of authorized routers, causing:
• Denial of service and / or
• Topology changes

OSPF - Resource Starvation Attacks
Topology changes lead to other threats like
• Eavesdropping
• Man-in-the-middle attacks
"Phantom LSAs":
• Router/Network LSAs sent on behalf of non-existing OSPF peers (no need to know an authentication key when the segment runs without authentication)
• These entries are ignored by the Shortest Path First (SPF) algorithm (they do not produce topology changes)
• "Phantom LSAs" are entered in the Link State Database and each entry is kept until "MaxAge" expires

OSPF - Resource Starvation Attacks
Memory impact
• Bogus LSAs with an arbitrary source take up space in the link state database until the LSA ages out
CPU impact
• Packets with bogus MD5 digests still make the router run the MD5 function before they are discarded
Bandwidth impact
• Bogus LSAs and the associated legitimate response traffic can be disruptively high in large, densely populated areas
• Bogus link state request packets can saturate a link with requests for non-existent networks

OSPF - Resource Starvation Attacks
An attacker can force topology changes by introducing false LSA information.
Pre-conditions:
• absence of authentication, or
• a compromised pre-shared key.
Impacts of topology changes
• Allow eavesdropping
• Starve/overload a network
• Unstable topology (loops, route flapping)

Misdirecting Traffic to Form Routing Loops (figure only)

Misdirecting Traffic to a Black Hole (figure only)

Eavesdropping/Man-in-the-middle (figure only)

Attacks Against OSPF (figure only)

Protecting OSPF
From the point of view of the attacker's location we can divide the possible attacks into:
External attacks
• The attacker is outside the Autonomous System (AS) boundary
Internal attacks
• The attacker is inside the AS, in the same L2 network segment where OSPF is running
• The attacker is inside the AS, but not in the same L2 network segment

OSPF Attack

Topology (figure): R1 and R2 share the segment 192.168.0.0/24 (hosts .1 and .2); the attacker sits on the same segment as host .11.

OSPF Attack Scenario
• The attacker and two OSPF-enabled routers are in the same network
• The attacker acts as an OSPF router
• The attacker sends OSPF packets to manipulate the routers' neighbor tables and routing tables

OSPF Neighbor/Route Injection
Sending OSPF packets from the attacker using Loki (screenshots)

OSPF Neighbor/Route Injection
Injecting the network 10.0.0.0/24 into the OSPF routing table (screenshot)

Preventing OSPF Attacks
• It is recommended to set "Authentication" for every peering to other OSPF routers. MD5 authentication also carries a cryptographic sequence number, so replayed packets are rejected; every router on the segment must use the same key.

/routing ospf interface
add authentication=md5 authentication-key=thisissecret interface=ether1-IXP network-type=broadcast

Preventing OSPF Attacks
• It is recommended to set "Passive" on every interface that does not face another OSPF router, and to set authentication there as well. A passive interface's network is still advertised, but no Hello packets are sent or accepted on it, so a host on that segment cannot form an adjacency.

/routing ospf interface
add authentication=md5 authentication-key=thisisalsosecret interface=ether4-DOWNSTREAM1 network-type=broadcast passive=yes

Preventing OSPF Attacks
• Drop the "ospf" protocol (IP protocol 89) on every interface that is not part of the OSPF routing domain. ether-x, ether-y and ether-z are placeholders for your OSPF-facing interfaces.

/interface list add name=OSPF-INTERFACE
/interface list member add interface=ether-x list=OSPF-INTERFACE
/interface list member add interface=ether-y list=OSPF-INTERFACE
/interface list member add interface=ether-z list=OSPF-INTERFACE
/ip firewall filter add action=drop chain=input in-interface-list=!OSPF-INTERFACE protocol=ospf

BGP SECURITY

BGP Security
• Based on RFC 7454 (BGP Operations and Security), the recommendations can be split into the following categories:
• BGP session protection
• Prefix filtering recommendations
• AS-path filtering recommendations
• Next-hop filtering
• Optional BGP community scrubbing
• Traffic filtering recommendations

BGP Session Protection
• This group of BGP protection mechanisms is responsible for maintaining the stability of BGP sessions.
• It provides anti-spoofing and bogus route-injection protection.
• It helps to protect against operators' mistakes.
• GTSM (Generalized TTL Security Mechanism)
• TCP-AO (TCP Authentication Option)
• MD5
• Maximum-prefix limit

GTSM
• GTSM – Generalized TTL Security Mechanism, also known as TTL security, is defined in RFC 5082.
• GTSM checks the TTL value of incoming IP packets in order to make sure they have not been spoofed from afar.
• Directly connected BGP peers set the IP TTL to 255. Because every router hop decrements the TTL, a packet arriving from a non-directly-connected source cannot have TTL=255, so the receiver drops anything with a lower TTL.

GTSM

Topology (figure): R1 and R2 are directly connected BGP peers.

# on R1
/routing bgp peer set R2 ttl=255
# on R2
/routing bgp peer set R1 ttl=255

The peer setting controls the TTL the router sends. To enforce the receive-side check as well, add an input firewall rule that drops TCP port 179 traffic whose TTL is less than 255 (the firewall ttl matcher), placed before the rule that accepts BGP from the peer.

TCP-AO
• TCP-AO – the TCP Authentication Option is a stronger protection mechanism than the traditionally used MD5 option; it is described in RFC 5925.
• It is expected to replace MD5 for session protection.
• It has not been widely adopted because equipment vendors have been slow to implement it.
• No configuration examples, for the same reason.

MD5
• MD5 (the TCP MD5 Signature Option, RFC 2385) is a TCP session protection mechanism that has been available for many years.
• It is supported by the vast majority of equipment manufacturers.
• It has become the de-facto standard for BGP session protection.
• Although it has been obsoleted by TCP-AO, it is still used for the majority of BGP peering sessions.

MD5

Topology (figure): R1 and R2 are BGP peers; the key must be identical on both sides.

# on R1
/routing bgp peer set R2 tcp-md5-key=this-is-super-secret
# on R2
/routing bgp peer set R1 tcp-md5-key=this-is-super-secret

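What tcp-md5-key actually does on the wire, as an added example for this page (not RouterOS code or course material): R1 signs each TCP segment with the RFC 2385 MD5 option and R2 recomputes the digest before accepting it. The addresses 192.0.2.1/.2, the ports and the BGP KEEPALIVE payload are assumed sample values; the key is the one from the slide.

```python
"""TCP MD5 Signature Option (RFC 2385) protecting the BGP session between R1
and R2.  Sender builds the segment with option kind 19; receiver recomputes
the digest over pseudo-header + TCP header + data + key and discards
mismatches.  Addresses, ports and payload are assumed sample values."""
import hashlib
import hmac
import socket
import struct

MD5_OPT_KIND = 19
MD5_OPT_LEN = 18                                   # kind + length + 16-byte digest
BGP_KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"     # marker, length 19, type 4


def tcp_md5_digest(src_ip: str, dst_ip: str, fixed_header: bytes,
                   segment_len: int, payload: bytes, key: bytes) -> bytes:
    """RFC 2385 section 2.0: MD5 over the pseudo-header (src, dst, zero, proto,
    segment length), the 20-byte TCP header with checksum zeroed and options
    excluded, the segment data, and finally the key."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, segment_len))
    header = bytearray(fixed_header[:20])
    header[16:18] = b"\x00\x00"
    return hashlib.md5(pseudo + bytes(header) + payload + key).digest()


def build_signed_segment(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int,
                         ack: int, flags: int, payload: bytes, key: bytes) -> bytes:
    """Sender side (R1): fixed header + MD5 option padded with two NOPs + data."""
    options_len = MD5_OPT_LEN + 2                  # 18 + 2 NOPs = 20 bytes
    data_offset = (20 + options_len) // 4          # header length in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_offset << 4, flags, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed, 20 + options_len + len(payload), payload, key)
    options = bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + b"\x01\x01"
    return fixed + options + payload


def build_unsigned_segment(sport: int, dport: int, seq: int, ack: int,
                           flags: int, payload: bytes) -> bytes:
    """A segment from a peer (or attacker) that did not sign at all."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload


def verify_signed_segment(src_ip: str, dst_ip: str, segment: bytes, key: bytes) -> bool:
    """Receiver side (R2): a segment without the option, or whose digest does
    not match, is discarded (RFC 2385 section 3.0).  The comparison is
    constant-time so timing does not leak how many digest bytes matched."""
    if len(segment) < 20:
        return False
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return False
    fixed, options, payload = segment[:20], segment[20:data_offset], segment[data_offset:]
    received = None
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                               # end of option list
            break
        if kind == 1:                               # NOP
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return False                            # malformed option
        length = options[i + 1]
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            received = bytes(options[i + 2:i + 2 + 16])
        i += length
    if received is None or len(received) != 16:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, fixed, len(segment), payload, key)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    key = b"this-is-super-secret"
    seg = build_signed_segment("192.0.2.1", "192.0.2.2", 179, 40001, 1000, 2000, 0x18, BGP_KEEPALIVE, key)
    print("R2 accepts R1's KEEPALIVE:", verify_signed_segment("192.0.2.1", "192.0.2.2", seg, key))
    print("R2 accepts same bytes spoofed from 198.51.100.9:",
          verify_signed_segment("198.51.100.9", "192.0.2.2", seg, key))
```

Because the source and destination addresses are part of the digest, a segment captured and replayed from another address fails even with the right key, which is what stops the classic RST injection against a BGP session; MD5 still provides no confidentiality and no key rotation, the gaps TCP-AO was designed to close.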

Maximum-Prefix Limit
• The maximum-prefix limit is one of the commonly used safety mechanisms: it brings down the BGP session if the number of routes advertised by the peer exceeds a pre-configured limit.
• There are several BGP peering types, each with its own expected prefix count:
• Public peering or IXP
• Private peering
• Upstream / transit peering
• Downstream
• Unlike MD5, the max-prefix limit can be configured on one side only.

Maximum-Prefix Limit

Topology (figure): R1 and R2 are BGP peers, each with its own limit.

# on R1
/routing bgp peer set R2 max-prefix-limit=100
# on R2
/routing bgp peer set R1 max-prefix-limit=500

Prefix Filtering
• Prefix-filtering policies decide which routes are accepted from and advertised to BGP peers.
• Route filtering should be implemented on each BGP session maintained by the service provider:
• Private/Public/Transit inbound prefix filtering
• Private/Public/Transit outbound prefix filtering
• Downstream inbound prefix filtering
• Downstream outbound prefix filtering

Inbound and Outbound

Topology (figure): the CORE router peers with three external neighbours, an IXP, an UPSTREAM TRANSIT provider and a PRIVATE PEERING partner (the figure lists 101.0.0.0/24 ASN 1001, 102.0.0.0/21 ASN 1002 and 103.0.0.0/22 ASN 1003 beside them, in that order), and with four downstream customers: DOWNSTREAM 1 (100.1.0.0/22, ASN 2001), DOWNSTREAM 2 (100.2.0.0/22, ASN 2002), DOWNSTREAM 3 (100.3.0.0/22, ASN 2003) and DOWNSTREAM 4 (100.4.0.0/22, ASN 2004).

Inbound and Outbound

Figure: routes learned from STATIC, OSPF and BGP feed the BGP process; INBOUND filters apply to routes received from a peer, OUTBOUND filters to routes advertised to a peer (including STATIC and OSPF routes being redistributed).

Prefix Filtering – Upstream Inbound
• Private/Public/Transit inbound prefix filtering: reject
• Special-purpose prefixes (RFC 5735, now RFC 6890)
• Unallocated prefixes (bogon prefixes)
• Prefixes that are too specific (longer than /24)
• Prefixes belonging to the local AS (your own prefixes)
• IXP LAN prefixes, other than from the authorized AS
• The default route (0.0.0.0/0)

Prefix Filtering – Upstream Inbound

Figure: the inbound filters apply on the CORE router's sessions towards the IXP, the UPSTREAM and the PRIVATE PEERING neighbour.

Prefix Filtering – Upstream Inbound

# ADD ROUTING FILTER ACCEPT-ALL & DROP-ALL
/routing filter
add action=accept chain=ACCEPT-ALL comment="ACCEPT ALL"
add action=discard chain=DROP-ALL comment="DROP ALL"

# ADD ROUTING FILTER RFC 5735
# A rule with only prefix= matches that exact prefix; each special-purpose
# block gets prefix-length=<len>-32 so its more-specifics are discarded too.
/routing filter
add action=discard chain=RFC-5735 comment="DEFAULT ROUTE" prefix=0.0.0.0/0
add action=discard chain=RFC-5735 comment="PREFIX LONGER THAN /24" prefix=0.0.0.0/0 prefix-length=25-32
add action=discard chain=RFC-5735 comment="RFC 1122 - This Network" prefix=0.0.0.0/8 prefix-length=8-32
add action=discard chain=RFC-5735 comment="RFC 1918 - Private-Use Networks" prefix=10.0.0.0/8 prefix-length=8-32
add action=discard chain=RFC-5735 comment="RFC 1122 - Loopback" prefix=127.0.0.0/8 prefix-length=8-32
add action=discard chain=RFC-5735 comment="RFC 3927 - Link Local" prefix=169.254.0.0/16 prefix-length=16-32
add action=discard chain=RFC-5735 comment="RFC 1918 - Private-Use Networks" prefix=172.16.0.0/12 prefix-length=12-32
add action=discard chain=RFC-5735 comment="RFC 5736 - IETF Protocol Assignments" prefix=192.0.0.0/24 prefix-length=24-32

Prefix Filtering – Upstream Inbound

# ADD ROUTING FILTER RFC 5735 (continued)
/routing filter
add action=discard chain=RFC-5735 comment="RFC 5737 - TEST-NET-1" prefix=192.0.2.0/24 prefix-length=24-32
add action=discard chain=RFC-5735 comment="RFC 1918 - Private-Use Networks" prefix=192.168.0.0/16 prefix-length=16-32
add action=discard chain=RFC-5735 comment="RFC 2544 - Device Benchmark Testing" prefix=198.18.0.0/15 prefix-length=15-32
add action=discard chain=RFC-5735 comment="RFC 5737 - TEST-NET-2" prefix=198.51.100.0/24 prefix-length=24-32
add action=discard chain=RFC-5735 comment="RFC 3068 - 6to4 Relay Anycast" prefix=192.88.99.0/24 prefix-length=24-32
add action=discard chain=RFC-5735 comment="RFC 5737 - TEST-NET-3" prefix=203.0.113.0/24 prefix-length=24-32
add action=discard chain=RFC-5735 comment="RFC 3171 - Multicast" prefix=224.0.0.0/4 prefix-length=4-32
add action=discard chain=RFC-5735 comment="RFC 1112 - Reserved for Future Use" prefix=240.0.0.0/4 prefix-length=4-32
add action=discard chain=RFC-5735 comment="RFC 6598 - Shared Address Space (CGN)" prefix=100.64.0.0/10 prefix-length=10-32
add action=return chain=RFC-5735 comment="RETURN TO CALLER"

# ADD ROUTING FILTER DROP-IXP-PREFIX
/routing filter
add action=discard chain=IXP-PREFIX prefix=101.0.0.0/24
add action=return chain=IXP-PREFIX comment="RETURN TO CALLER"

Prefix Filtering – Upstream Inbound

# ADD ROUTING FILTER DROP-YOUR-PREFIX
/routing filter
add action=discard chain=OUR-PREFIX-DROP prefix=100.0.0.0/22 prefix-length=22-24
add action=return chain=OUR-PREFIX-DROP comment="RETURN TO CALLER"

# CREATE INBOUND FILTER FOR UPSTREAMS
# A route that no sub-chain discards falls off the end of the chain and is
# accepted, which is the RouterOS default when no rule matches.
/routing filter
add action=jump chain=IXP-INBOUND jump-target=OUR-PREFIX-DROP
add action=jump chain=IXP-INBOUND jump-target=IXP-PREFIX
add action=jump chain=IXP-INBOUND jump-target=RFC-5735
add action=jump chain=UPSTREAM-INBOUND jump-target=OUR-PREFIX-DROP
add action=jump chain=UPSTREAM-INBOUND jump-target=IXP-PREFIX
add action=jump chain=UPSTREAM-INBOUND jump-target=RFC-5735
add action=jump chain=PRVT_PEER-INBOUND jump-target=OUR-PREFIX-DROP
add action=jump chain=PRVT_PEER-INBOUND jump-target=IXP-PREFIX
add action=jump chain=PRVT_PEER-INBOUND jump-target=RFC-5735

# APPLY ROUTING FILTERS TO PEERS
/routing bgp peer set peer1-IXP in-filter=IXP-INBOUND
/routing bgp peer set peer2-UPSTREAM in-filter=UPSTREAM-INBOUND
/routing bgp peer set peer3-PRVT_PEER in-filter=PRVT_PEER-INBOUND

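The upstream-inbound policy above, re-expressed as plain Python so the chain logic can be exercised against a list of announcements before it is typed into a router. This is an added example for this page, not RouterOS code or course material. Sub-chains return None for "return to caller" and a string for "discard", mirroring the jump/return structure; OUR_PREFIX and IXP_LAN are the values from the lab diagram, and the announcement list is constructed.

```python
"""Upstream-inbound BGP prefix filter (RFC 5735 specials, too-specific, own
prefix, IXP LAN, default route) as testable Python.  OUR_PREFIX and IXP_LAN
come from the lab diagram; the announcements fed in are constructed."""
import ipaddress
from typing import Callable, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# RFC 5735 special-purpose blocks, the same list as the RFC-5735 chain.
SPECIAL_PURPOSE: List[IPv4Net] = [IPv4Net(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]
OUR_PREFIX = IPv4Net("100.0.0.0/22")      # the local AS's allocation
IXP_LAN = IPv4Net("101.0.0.0/24")         # the IXP peering LAN
MAX_PREFIX_LEN = 24

Chain = Callable[[IPv4Net], Optional[str]]


def chain_rfc5735(prefix: IPv4Net) -> Optional[str]:
    """Default route, anything longer than /24, and special-purpose space
    (prefix-length=<len>-32 semantics: the block and all its more-specifics)."""
    if prefix.prefixlen == 0:
        return "default route"
    if prefix.prefixlen > MAX_PREFIX_LEN:
        return f"more specific than /{MAX_PREFIX_LEN}"
    for block in SPECIAL_PURPOSE:
        if prefix.subnet_of(block):
            return f"special-purpose {block}"
    return None


def chain_our_prefix_drop(prefix: IPv4Net) -> Optional[str]:
    """prefix=100.0.0.0/22 prefix-length=22-24: our aggregate or any of its /23 and /24s."""
    if prefix.subnet_of(OUR_PREFIX) and 22 <= prefix.prefixlen <= 24:
        return "our own prefix announced back to us"
    return None


def chain_ixp_prefix(prefix: IPv4Net) -> Optional[str]:
    """prefix=101.0.0.0/24 with no prefix-length: exact match only."""
    return "IXP LAN prefix" if prefix == IXP_LAN else None


UPSTREAM_INBOUND: Tuple[Chain, ...] = (chain_our_prefix_drop, chain_ixp_prefix, chain_rfc5735)


def upstream_inbound(announcements: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Run every announced prefix through the sub-chains in order.  The first
    discard wins; a prefix that survives all chains is accepted, which is what
    RouterOS does when no rule in the filter matches."""
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for text in announcements:
        prefix = IPv4Net(text, strict=True)
        reason = None
        for chain in UPSTREAM_INBOUND:
            reason = chain(prefix)
            if reason:
                break
        if reason:
            rejected.append((text, reason))
        else:
            accepted.append(text)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = upstream_inbound(["102.0.0.0/21", "10.1.0.0/16", "100.0.1.0/24", "0.0.0.0/0", "102.0.1.0/25"])
    print("accepted:", ok)
    for prefix, why in bad:
        print("discarded:", prefix, "->", why)
```

The unallocated-space (bogon) check from the slide is deliberately not hard-coded: it changes over time and belongs in an address list refreshed from a bogon feed, exactly as the IPv6 firewall section does for ipv6-bogons.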

Prefix Filtering – Upstream Outbound
• Private/Public/Transit outbound prefix filtering: do not advertise
• Special-purpose prefixes (RFC 5735)
• Prefixes that are too specific (longer than /24)
• IXP LAN prefixes
• The default route (0.0.0.0/0)
• Advertise only your own prefixes
• and re-advertise your downstream customers' prefixes

Prefix Filtering – Upstream Outbound

Figure: the outbound filters apply on the CORE router's sessions towards the IXP, the UPSTREAM and the PRIVATE PEERING neighbour.

Prefix Filtering – Upstream Outbound

# ADD ROUTING FILTER ACCEPT-YOUR-PREFIX
/routing filter
add action=accept chain=OUR-PREFIX-ADV prefix=100.0.0.0/22 prefix-length=22-24
add action=return chain=OUR-PREFIX-ADV comment="RETURN PACKET"

# ADD ROUTING FILTER ACCEPT-DOWNSTREAMS-PREFIX
/routing filter
add action=accept chain=DOWNSTREAM1 prefix=100.1.0.0/22 prefix-length=22-24
add action=return chain=DOWNSTREAM1
add action=accept chain=DOWNSTREAM2 prefix=100.2.0.0/22 prefix-length=22-24
add action=return chain=DOWNSTREAM2
add action=accept chain=DOWNSTREAM3 prefix=100.3.0.0/22 prefix-length=22-24
add action=return chain=DOWNSTREAM3
add action=accept chain=DOWNSTREAM4 prefix=100.4.0.0/22 prefix-length=22-24
add action=return chain=DOWNSTREAM4

Prefix Filtering – Upstream Outbound

# Alternative: list the /22 and each /24 explicitly instead of using prefix-length
/routing filter
add action=accept chain=OUR-PREFIX-ADV prefix=100.0.0.0/22
add action=accept chain=OUR-PREFIX-ADV prefix=100.0.0.0/24
add action=accept chain=OUR-PREFIX-ADV prefix=100.0.1.0/24
add action=accept chain=OUR-PREFIX-ADV prefix=100.0.2.0/24
add action=accept chain=OUR-PREFIX-ADV prefix=100.0.3.0/24
add action=return chain=OUR-PREFIX-ADV comment="RETURN PACKET"

/routing filter
add action=jump chain=IXP-OUTBOUND jump-target=OUR-PREFIX-ADV
add action=jump chain=IXP-OUTBOUND jump-target=IXP-PREFIX
add action=jump chain=IXP-OUTBOUND jump-target=RFC-5735
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM1
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM2
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM3
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM4

Prefix Filtering – Upstream Outbound

/routing filter
add action=jump chain=UPSTREAM-OUTBOUND jump-target=OUR-PREFIX-ADV
add action=jump chain=UPSTREAM-OUTBOUND jump-target=IXP-PREFIX
add action=jump chain=UPSTREAM-OUTBOUND jump-target=RFC-5735
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM1
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM2
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM3
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM4

/routing filter
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=OUR-PREFIX-ADV
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=IXP-PREFIX
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=RFC-5735
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM1
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM2
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM3
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM4

/routing bgp peer set peer1-IXP out-filter=IXP-OUTBOUND
/routing bgp peer set peer2-UPSTREAM out-filter=UPSTREAM-OUTBOUND
/routing bgp peer set peer3-PRVT_PEER out-filter=PRVT_PEER-OUTBOUND

Prefix Filtering – Downstream Inbound
• Downstream Inbound Prefix Filtering
  • Only accept downstream prefixes

Prefix Filtering – Downstream Inbound

[Diagram: CORE router with sessions to DOWNSTREAM 1, 2, 3 and 4]

Prefix Filtering – Downstream Inbound

/routing filter
add action=jump chain=DOWNSTREAM1-INBOUND jump-target=DOWNSTREAM1
add action=jump chain=DOWNSTREAM2-INBOUND jump-target=DOWNSTREAM2
add action=jump chain=DOWNSTREAM3-INBOUND jump-target=DOWNSTREAM3
add action=jump chain=DOWNSTREAM4-INBOUND jump-target=DOWNSTREAM4

/routing bgp peer set peer4-DOWNSTREAM1 in-filter=DOWNSTREAM1-INBOUND
/routing bgp peer set peer5-DOWNSTREAM2 in-filter=DOWNSTREAM2-INBOUND
/routing bgp peer set peer6-DOWNSTREAM3 in-filter=DOWNSTREAM3-INBOUND
/routing bgp peer set peer7-DOWNSTREAM4 in-filter=DOWNSTREAM4-INBOUND

Prefix Filtering – Downstream Outbound
• Downstream Outbound Prefix Filtering
  • The default route only
  • Full Internet routing table
  • Subset of the full Internet table (e.g. only the routes received via public and private peers, but not the transit routes)

Prefix Filtering – Downstream Outbound

[Diagram: CORE router with sessions to DOWNSTREAM 1, 2, 3 and 4]

Prefix Filtering – Downstream Outbound

/routing filter
add action=jump chain=DOWNSTREAM1-OUTBOUND jump-target=ACCEPT-ALL
add action=jump chain=DOWNSTREAM2-OUTBOUND jump-target=ACCEPT-ALL
add action=jump chain=DOWNSTREAM3-OUTBOUND jump-target=ACCEPT-ALL
add action=jump chain=DOWNSTREAM4-OUTBOUND jump-target=ACCEPT-ALL

/routing bgp peer set peer4-DOWNSTREAM1 out-filter=DOWNSTREAM1-OUTBOUND
/routing bgp peer set peer5-DOWNSTREAM2 out-filter=DOWNSTREAM2-OUTBOUND
/routing bgp peer set peer6-DOWNSTREAM3 out-filter=DOWNSTREAM3-OUTBOUND
/routing bgp peer set peer7-DOWNSTREAM4 out-filter=DOWNSTREAM4-OUTBOUND

AS-Path Filtering
• BCP 194 provides a number of AS-Path filtering recommendations that should be implemented on upstream/private/public peering sessions and on customer/downstream sessions:
  • Inbound AS-Path Filtering from Private/Public/Transit Peers
  • Outbound AS-Path Filtering to Private/Public/Transit Peers
  • Inbound AS-Path Filtering from Downstream Customers
  • Outbound AS-Path Filtering to Downstream Customers

AS-Path Filtering – Upstream Inbound
• Inbound AS-Path Filtering from Private/Public/Transit Peers
  • Private AS numbers should not be accepted, unless used for special purposes such as black-hole origination
  • AS paths whose first AS number is not that of the peer should not be accepted, unless originated by the IXP’s route server
  • Do not accept your own AS number in the AS path

AS-Path Filtering – Upstream Inbound

[Diagram: CORE router with sessions to IXP, UPSTREAM and PRIVATE PEERING]

AS-Path Filtering – Upstream Inbound

/routing filter
add action=discard bgp-as-path=".* 0 .*" chain=ASN-BOGONS comment="RFC 7607"
add action=discard bgp-as-path=".* 23456 .*" chain=ASN-BOGONS comment="RFC 4893 - AS_TRANS"
add action=discard bgp-as-path=".* [64496-64511] .*" chain=ASN-BOGONS comment="RFC 5398 - and documentation/ example ASNs"
add action=discard bgp-as-path=".* [65536-65551] .*" chain=ASN-BOGONS comment="RFC 5398 - and documentation/ example ASNs"
add action=discard bgp-as-path=".* [64512-65534] .*" chain=ASN-BOGONS comment="RFC 6996 - Private ASN"
add action=discard bgp-as-path=".* [4200000000-4294967294] .*" chain=ASN-BOGONS comment="RFC 6996 - Private ASN"
add action=discard bgp-as-path=".* 65535 .*" chain=ASN-BOGONS comment="RFC 7300 - Last 16 and 32 bit ASN"
add action=discard bgp-as-path=".* 4294967295 .*" chain=ASN-BOGONS comment="RFC 7300 - Last 16 and 32 bit ASN"
add action=return chain=ASN-BOGONS comment="RETURN PACKET"

/routing filter
add action=discard bgp-as-path=".* 1111 .*" chain=YOUR-ASN comment="YOUR ASN"
add action=return chain=YOUR-ASN comment="RETURN PACKET"

AS-Path Filtering – Upstream Inbound

/routing filter
add action=jump chain=IXP-INBOUND jump-target=YOUR-ASN
add action=jump chain=IXP-INBOUND jump-target=ASN-BOGONS
add action=jump chain=UPSTREAM-INBOUND jump-target=YOUR-ASN
add action=jump chain=UPSTREAM-INBOUND jump-target=ASN-BOGONS
add action=jump chain=PRVT_PEER-INBOUND jump-target=YOUR-ASN
add action=jump chain=PRVT_PEER-INBOUND jump-target=ASN-BOGONS

AS-Path Filtering – Upstream Outbound
• Outbound AS-Path Filtering to Private/Public/Transit Peers
  • Do not originate prefixes with non-empty AS paths, unless you intend to provide transit for these prefixes
  • Do not originate prefixes with upstream AS numbers in the AS path, unless you intend to provide transit for these prefixes
  • Do not advertise private AS paths, unless there is a special “private” arrangement with your peers

AS-Path Filtering – Upstream Outbound

[Diagram: CORE router with sessions to IXP, UPSTREAM and PRIVATE PEERING]

AS-Path Filtering – Upstream Outbound

/routing filter
add action=jump chain=IXP-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=UPSTREAM-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=ASN-BOGONS

AS-Path Filtering – Downstream Inbound
• Inbound AS-Path Filtering from Downstream Customers
  • Only accept 2-byte and 4-byte AS paths containing ASNs belonging to the customer
  • If this is not possible, accept only path lengths relevant to the type of the customer, while discouraging excessive prepending
  • Do not accept your own AS number in the AS path

AS-Path Filtering – Downstream Inbound

[Diagram: CORE router with sessions to DOWNSTREAM 1, 2, 3 and 4]

AS-Path Filtering – Downstream Inbound

/routing filter
add action=discard bgp-as-path="!.* 2001 .*" chain=DOWNSTREAM1
add action=discard bgp-as-path="!.* 2002 .*" chain=DOWNSTREAM2
add action=discard bgp-as-path="!.* 2003 .*" chain=DOWNSTREAM3
add action=discard bgp-as-path="!.* 2004 .*" chain=DOWNSTREAM4

AS-Path Filtering – Downstream Outbound
• Outbound AS-Path Filtering to Downstream Customers
  • Do not advertise private AS paths, unless there is a special “private” arrangement with your customers

AS-Path Filtering – Downstream Outbound

[Diagram: CORE router with sessions to DOWNSTREAM 1, 2, 3 and 4]

AS-Path Filtering – Downstream Outbound

/routing filter
add action=jump chain=DOWNSTREAM1-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=DOWNSTREAM2-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=DOWNSTREAM3-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=DOWNSTREAM4-OUTBOUND jump-target=ASN-BOGONS

Rearranging the Routing Filter

# IXP PEERING IN/OUT FILTER
/routing filter
add action=jump chain=IXP-INBOUND jump-target=OUR-PREFIX-DROP
add action=jump chain=IXP-INBOUND jump-target=IXP-PREFIX
add action=jump chain=IXP-INBOUND jump-target=RFC-5735
add action=jump chain=IXP-INBOUND jump-target=ASN-BOGONS
add action=jump chain=IXP-INBOUND jump-target=ACCEPT-ALL
add action=jump chain=IXP-OUTBOUND jump-target=OUR-PREFIX-ADV
add action=jump chain=IXP-OUTBOUND jump-target=IXP-PREFIX
add action=jump chain=IXP-OUTBOUND jump-target=RFC-5735
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM1
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM2
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM3
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM4
add action=jump chain=IXP-OUTBOUND jump-target=DROP-ALL

Rearranging the Routing Filter

# UPSTREAM PEERING IN/OUT FILTER
/routing filter
add action=jump chain=UPSTREAM-INBOUND jump-target=OUR-PREFIX-DROP
add action=jump chain=UPSTREAM-INBOUND jump-target=IXP-PREFIX
add action=jump chain=UPSTREAM-INBOUND jump-target=RFC-5735
add action=jump chain=UPSTREAM-INBOUND jump-target=ASN-BOGONS
add action=jump chain=UPSTREAM-INBOUND jump-target=ACCEPT-ALL
add action=jump chain=UPSTREAM-OUTBOUND jump-target=OUR-PREFIX-ADV
add action=jump chain=UPSTREAM-OUTBOUND jump-target=IXP-PREFIX
add action=jump chain=UPSTREAM-OUTBOUND jump-target=RFC-5735
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM1
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM2
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM3
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM4
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DROP-ALL

Rearranging the Routing Filter

# PRIVATE-PEER PEERING IN/OUT FILTER
/routing filter
add action=jump chain=PRVT_PEER-INBOUND jump-target=OUR-PREFIX-DROP
add action=jump chain=PRVT_PEER-INBOUND jump-target=IXP-PREFIX
add action=jump chain=PRVT_PEER-INBOUND jump-target=RFC-5735
add action=jump chain=PRVT_PEER-INBOUND jump-target=ASN-BOGONS
add action=jump chain=PRVT_PEER-INBOUND jump-target=ACCEPT-ALL
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=OUR-PREFIX-ADV
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=IXP-PREFIX
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=RFC-5735
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM1
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM2
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM3
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM4
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DROP-ALL

Rearranging the Routing Filter

# DOWNSTREAMS PEERING IN/OUT FILTER
/routing filter
add action=jump chain=DOWNSTREAM1-INBOUND jump-target=DOWNSTREAM1
add action=jump chain=DOWNSTREAM1-INBOUND jump-target=DROP-ALL
add action=jump chain=DOWNSTREAM1-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=DOWNSTREAM1-OUTBOUND jump-target=ACCEPT-ALL
add action=jump chain=DOWNSTREAM2-INBOUND jump-target=DOWNSTREAM2
add action=jump chain=DOWNSTREAM2-INBOUND jump-target=DROP-ALL
add action=jump chain=DOWNSTREAM2-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=DOWNSTREAM2-OUTBOUND jump-target=ACCEPT-ALL
add action=jump chain=DOWNSTREAM3-INBOUND jump-target=DOWNSTREAM3
add action=jump chain=DOWNSTREAM3-INBOUND jump-target=DROP-ALL
add action=jump chain=DOWNSTREAM3-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=DOWNSTREAM3-OUTBOUND jump-target=ACCEPT-ALL
add action=jump chain=DOWNSTREAM4-INBOUND jump-target=DOWNSTREAM4
add action=jump chain=DOWNSTREAM4-INBOUND jump-target=DROP-ALL
add action=jump chain=DOWNSTREAM4-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=DOWNSTREAM4-OUTBOUND jump-target=ACCEPT-ALL

Rearranging the Routing Filter

# YOUR PREFIX FILTER
/routing filter
add action=accept chain=OUR-PREFIX-ADV prefix=100.0.0.0/22 prefix-length=22-24
add action=return chain=OUR-PREFIX-ADV comment="RETURN PACKET"
add action=discard chain=OUR-PREFIX-DROP prefix=100.0.0.0/22 prefix-length=22-24
add action=return chain=OUR-PREFIX-DROP comment="RETURN PACKET"

# IXP PREFIX FILTER
/routing filter
add action=discard chain=IXP-PREFIX prefix=101.0.0.0/24
add action=return chain=IXP-PREFIX comment="RETURN PACKET"

Rearranging the Routing Filter

# DOWNSTREAMS PREFIX FILTER
# The AS-path check comes first: an accept ends the chain, so an accept placed before
# the discard would let a customer prefix through without its AS path ever being checked.
/routing filter
add action=discard bgp-as-path="!.* 2001 .*" chain=DOWNSTREAM1
add action=accept chain=DOWNSTREAM1 prefix=100.1.0.0/22 prefix-length=22-24
add action=return chain=DOWNSTREAM1 comment="RETURN PACKET"
add action=discard bgp-as-path="!.* 2002 .*" chain=DOWNSTREAM2
add action=accept chain=DOWNSTREAM2 prefix=100.2.0.0/22 prefix-length=22-24
add action=return chain=DOWNSTREAM2 comment="RETURN PACKET"
add action=discard bgp-as-path="!.* 2003 .*" chain=DOWNSTREAM3
add action=accept chain=DOWNSTREAM3 prefix=100.3.0.0/22 prefix-length=22-24
add action=return chain=DOWNSTREAM3 comment="RETURN PACKET"
add action=discard bgp-as-path="!.* 2004 .*" chain=DOWNSTREAM4
add action=accept chain=DOWNSTREAM4 prefix=100.4.0.0/22 prefix-length=22-24
add action=return chain=DOWNSTREAM4 comment="RETURN PACKET"

Rearranging the Routing Filter

# RFC 5735 PREFIX FILTER
/routing filter
add action=discard chain=RFC-5735 comment="DEFAULT ROUTE" prefix=0.0.0.0/0
add action=discard chain=RFC-5735 comment="PREFIX LOWER /24" prefix=0.0.0.0/0 prefix-length=25-32
add action=discard chain=RFC-5735 comment="RFC 1122 - This Network" prefix=0.0.0.0/8
add action=discard chain=RFC-5735 comment="RFC 1918 - Private-Use Networks" prefix=10.0.0.0/8
add action=discard chain=RFC-5735 comment="RFC 1122 - Loopback" prefix=127.0.0.0/8
add action=discard chain=RFC-5735 comment="RFC 3927 - Link Local" prefix=169.254.0.0/16
add action=discard chain=RFC-5735 comment="RFC 1918 - Private-Use Networks" prefix=172.16.0.0/12
add action=discard chain=RFC-5735 comment="RFC 5736 - IETF Protocol Assignments" prefix=192.0.0.0/24
add action=discard chain=RFC-5735 comment="RFC 5737 - TEST-NET-1" prefix=192.0.2.0/24
add action=discard chain=RFC-5735 comment="RFC 1918 - Private-Use Networks" prefix=192.168.0.0/16
add action=discard chain=RFC-5735 comment="RFC 2544 - Device Benchmark Testing" prefix=198.18.0.0/15
add action=discard chain=RFC-5735 comment="RFC 5737 - TEST-NET-2" prefix=198.51.100.0/24
add action=discard chain=RFC-5735 comment="RFC 3068 - 6to4 Relay Anycast" prefix=192.88.99.0/24
add action=discard chain=RFC-5735 comment="RFC 5737 - TEST-NET-3" prefix=203.0.113.0/24
add action=discard chain=RFC-5735 comment="RFC 3171 - Multicast" prefix=224.0.0.0/4
add action=discard chain=RFC-5735 comment="RFC 1112 - Reserved for Future Use" prefix=240.0.0.0/4
add action=discard chain=RFC-5735 comment="RFC 6598 - Shared CGN IPv4 Address" prefix=100.64.0.0/10
add action=return chain=RFC-5735 comment="RETURN PACKET"
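The RFC-5735, OUR-PREFIX-DROP and IXP-PREFIX chains above, chained through UPSTREAM-INBOUND, modelled in Python as an added example (this is not RouterOS code and not part of the course): it runs constructed sample routes through the inbound filter and shows that a bogon rule given without prefix-length only catches the exact prefix. Assumed semantics: `prefix` alone is an exact match, `prefix-length=a-b` matches more-specifics of that length inside the prefix, `jump`/`return` behave as sub-chains, and a chain with no matching rule accepts.

```python
"""Added example: a model of the deck's RouterOS routing-filter chains, not RouterOS code.
Assumed match semantics: 'prefix' alone matches exactly that route; 'prefix-length=a-b'
matches any route inside 'prefix' whose length is a..b; 'jump' enters a sub-chain, 'return'
or the end of a sub-chain comes back, and a chain with no matching rule accepts the route."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Verdict = Tuple[str, str]  # ("accept" | "discard", comment of the rule that decided)


@dataclass
class Rule:
    action: str                                   # accept | discard | jump | return
    prefix: Optional[str] = None                  # e.g. "10.0.0.0/8"
    prefix_length: Optional[Tuple[int, int]] = None
    jump_target: Optional[str] = None
    comment: str = ""

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        if self.prefix is None:          # rules without a prefix match every route
            return True
        net = ipaddress.ip_network(self.prefix)
        lo, hi = self.prefix_length or (net.prefixlen, net.prefixlen)
        return route.subnet_of(net) and lo <= route.prefixlen <= hi


def evaluate(chains: Dict[str, List[Rule]], chain: str,
             route: ipaddress.IPv4Network) -> Optional[Verdict]:
    """Walk one chain top to bottom; None means the chain returned without a decision."""
    for rule in chains[chain]:
        if not rule.matches(route):
            continue
        if rule.action == "return":
            return None
        if rule.action == "jump":
            verdict = evaluate(chains, rule.jump_target, route)
            if verdict is not None:
                return verdict
            continue                     # sub-chain returned: carry on with the next rule
        return (rule.action, rule.comment)
    return None


def filter_route(chains: Dict[str, List[Rule]], chain: str, route: str) -> Verdict:
    verdict = evaluate(chains, chain, ipaddress.ip_network(route))
    return verdict or ("accept", "no rule matched")


def bogon(prefix: str, comment: str, length: Optional[Tuple[int, int]] = None) -> Rule:
    return Rule("discard", prefix, length, comment=comment)


# The chains as configured on the slides (own prefix 100.0.0.0/22, IXP LAN 101.0.0.0/24).
CHAINS: Dict[str, List[Rule]] = {
    "RFC-5735": [
        bogon("0.0.0.0/0", "DEFAULT ROUTE"),
        bogon("0.0.0.0/0", "PREFIX LOWER /24", (25, 32)),
        bogon("0.0.0.0/8", "RFC 1122 - This Network"),
        bogon("10.0.0.0/8", "RFC 1918 - Private-Use Networks"),
        bogon("127.0.0.0/8", "RFC 1122 - Loopback"),
        bogon("169.254.0.0/16", "RFC 3927 - Link Local"),
        bogon("172.16.0.0/12", "RFC 1918 - Private-Use Networks"),
        bogon("192.0.0.0/24", "RFC 5736 - IETF Protocol Assignments"),
        bogon("192.0.2.0/24", "RFC 5737 - TEST-NET-1"),
        bogon("192.168.0.0/16", "RFC 1918 - Private-Use Networks"),
        bogon("198.18.0.0/15", "RFC 2544 - Device Benchmark Testing"),
        bogon("198.51.100.0/24", "RFC 5737 - TEST-NET-2"),
        bogon("192.88.99.0/24", "RFC 3068 - 6to4 Relay Anycast"),
        bogon("203.0.113.0/24", "RFC 5737 - TEST-NET-3"),
        bogon("224.0.0.0/4", "RFC 3171 - Multicast"),
        bogon("240.0.0.0/4", "RFC 1112 - Reserved for Future Use"),
        bogon("100.64.0.0/10", "RFC 6598 - Shared CGN IPv4 Address"),
        Rule("return", comment="RETURN PACKET"),
    ],
    "OUR-PREFIX-DROP": [Rule("discard", "100.0.0.0/22", (22, 24), comment="OUR PREFIX"),
                        Rule("return")],
    "IXP-PREFIX": [Rule("discard", "101.0.0.0/24", comment="IXP LAN"), Rule("return")],
    "ACCEPT-ALL": [Rule("accept", comment="ACCEPT ALL")],
    "UPSTREAM-INBOUND": [Rule("jump", jump_target="OUR-PREFIX-DROP"),
                         Rule("jump", jump_target="IXP-PREFIX"),
                         Rule("jump", jump_target="RFC-5735"),
                         Rule("jump", jump_target="ACCEPT-ALL")],
}


def widen_bogons(chains: Dict[str, List[Rule]]) -> Dict[str, List[Rule]]:
    """Hardened copy: give every RFC-5735 discard without prefix-length a range down to /32,
    so more-specifics inside a bogon block (e.g. 10.1.0.0/16) are caught as well.
    The 0.0.0.0/0 default-route rule is left exact, or it would discard everything."""
    hardened = dict(chains)
    hardened["RFC-5735"] = [
        Rule(r.action, r.prefix, (ipaddress.ip_network(r.prefix).prefixlen, 32), comment=r.comment)
        if r.action == "discard" and r.prefix_length is None and r.prefix != "0.0.0.0/0"
        else r
        for r in chains["RFC-5735"]
    ]
    return hardened


if __name__ == "__main__":
    # Constructed sample routes as an upstream might announce them.
    for route in ["8.8.8.0/24", "0.0.0.0/0", "100.0.1.0/24", "101.0.0.0/24",
                  "10.0.0.0/8", "10.1.0.0/16", "203.0.113.128/25"]:
        print(f"{route:18} slides: {filter_route(CHAINS, 'UPSTREAM-INBOUND', route)}"
              f"  hardened: {filter_route(widen_bogons(CHAINS), 'UPSTREAM-INBOUND', route)}")
```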

Rearranging the Routing Filter

# YOUR AS NUMBER FILTER
/routing filter
add action=discard bgp-as-path=".* 1111 .*" chain=YOUR-ASN
add action=return chain=YOUR-ASN comment="RETURN PACKET"

# BOGONS NUMBER FILTER
/routing filter
add action=discard bgp-as-path=".* 0 .*" chain=ASN-BOGONS comment="RFC 7607"
add action=discard bgp-as-path=".* 23456 .*" chain=ASN-BOGONS comment="RFC 4893 - AS_TRANS"
add action=discard bgp-as-path=".* [64496-64511] .*" chain=ASN-BOGONS comment="RFC 5398 - and documentation/ example ASNs"
add action=discard bgp-as-path=".* [65536-65551] .*" chain=ASN-BOGONS comment="RFC 5398 - and documentation/ example ASNs"
add action=discard bgp-as-path=".* [64512-65534] .*" chain=ASN-BOGONS comment="RFC 6996 - Private ASN"
add action=discard bgp-as-path=".* [4200000000-4294967294] .*" chain=ASN-BOGONS comment="RFC 6996 - Private ASN"
add action=discard bgp-as-path=".* 65535 .*" chain=ASN-BOGONS comment="RFC 7300 - Last 16 and 32 bit ASN"
add action=discard bgp-as-path=".* 4294967295 .*" chain=ASN-BOGONS comment="RFC 7300 - Last 16 and 32 bit ASN"
add action=return chain=ASN-BOGONS comment="RETURN PACKET"

/routing filter
add action=accept chain=ACCEPT-ALL comment="ACCEPT ALL"
add action=discard chain=DROP-ALL comment="DROP ALL"
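The YOUR-ASN and ASN-BOGONS chains above, together with the DOWNSTREAMn AS-path rule (`"!.* 2001 .*"`) and the BCP 194 first-AS rule from the Upstream Inbound slide, written out in Python as an added example (not RouterOS code, not from the course). RouterOS AS-path regexes with numeric ranges such as `[64512-65534]` become integer range checks on the parsed path; ASN 3000 for the upstream and the sample paths are constructed, 1111 and 2001 are the slides' own.

```python
"""Added example (not RouterOS code): the deck's AS-path rules expressed in Python.
RouterOS bgp-as-path regexes such as ".* [64512-65534] .*" and "!.* 2001 .*" become
integer checks on the parsed path. Own ASN 1111 and customer ASN 2001 are from the slides;
the upstream ASN 3000 and the sample paths are constructed for this example."""
import re
from typing import List, Optional, Tuple

# ASN-BOGONS chain: (low, high, comment), one entry per discard rule on the slide.
BOGON_ASN_RANGES: List[Tuple[int, int, str]] = [
    (0, 0, "RFC 7607"),
    (23456, 23456, "RFC 4893 - AS_TRANS"),
    (64496, 64511, "RFC 5398 - documentation/example ASNs"),
    (65536, 65551, "RFC 5398 - documentation/example ASNs"),
    (64512, 65534, "RFC 6996 - Private ASN"),
    (4200000000, 4294967294, "RFC 6996 - Private ASN"),
    (65535, 65535, "RFC 7300 - Last 16 and 32 bit ASN"),
    (4294967295, 4294967295, "RFC 7300 - Last 16 and 32 bit ASN"),
]

Verdict = Tuple[str, str]   # ("accept" | "discard", reason)


def parse_as_path(text: str) -> List[int]:
    """'3000 2001 {65001 65002}' -> [3000, 2001, 65001, 65002]; AS_SET braces are
    flattened so that a bogon hidden inside an AS_SET is still seen."""
    return [int(tok) for tok in re.findall(r"\d+", text)]


def asn_bogon_reason(asn: int) -> Optional[str]:
    for low, high, reason in BOGON_ASN_RANGES:
        if low <= asn <= high:
            return reason
    return None


def check_upstream_inbound(path_text: str, own_asn: int, peer_asn: int,
                           route_server: bool = False) -> Verdict:
    """IXP/UPSTREAM/PRVT_PEER-INBOUND: YOUR-ASN, then ASN-BOGONS, then the BCP 194 rule
    that the first AS must be the peer unless the session is with an IXP route server."""
    path = parse_as_path(path_text)
    if own_asn in path:                       # ".* 1111 .*": a loop or a leak of our routes
        return ("discard", "YOUR-ASN")
    for asn in path:
        reason = asn_bogon_reason(asn)
        if reason:
            return ("discard", reason)
    if path and not route_server and path[0] != peer_asn:
        return ("discard", "first AS is not the peer")
    return ("accept", "")


def check_downstream_inbound(path_text: str, own_asn: int, customer_asn: int,
                             max_len: Optional[int] = None) -> Verdict:
    """DOWNSTREAMn chain: discard unless the customer's ASN is in the path ("!.* 2001 .*");
    max_len is the optional path-length cap the slide mentions against excessive prepending."""
    path = parse_as_path(path_text)
    if own_asn in path:
        return ("discard", "YOUR-ASN")
    if customer_asn not in path:
        return ("discard", "customer ASN not in path")
    if max_len is not None and len(path) > max_len:
        return ("discard", "path too long")
    return ("accept", "")


if __name__ == "__main__":
    OWN, UPSTREAM, CUSTOMER1 = 1111, 3000, 2001      # 1111 and 2001 from the slides, 3000 constructed
    for p in ["3000 2001", "3000 1111 2001", "3000 65001", "3000 0 2001", "4000 2001"]:
        print(f"upstream  {p!r:22} -> {check_upstream_inbound(p, OWN, UPSTREAM)}")
    for p in ["2001", "2001 2001 2001 2001", "2005"]:
        print(f"customer  {p!r:22} -> {check_downstream_inbound(p, OWN, CUSTOMER1, max_len=3)}")
```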

Traffic Filtering
• All packets destined to TCP port 179 and not originated from the addresses of configured BGP peers should be discarded.
• If supported, a control-plane ACL should be used. If not supported, an ACL applied to each peer-facing port should be used.
• If supported, BGP rate-limiting should also be implemented, to make sure that the number of BGP packets per second does not exceed the platform’s capability.
• Static ARP.


Traffic Filtering

/ip firewall filter
add action=accept chain=input dst-port=179 in-interface=ether1-IXP protocol=tcp src-address=101.0.0.1
add action=drop chain=input dst-port=179 in-interface=ether1-IXP protocol=tcp
add action=accept chain=input dst-port=179 in-interface=ether2-UPSTREAM protocol=tcp src-address=102.0.0.3
add action=drop chain=input dst-port=179 in-interface=ether2-UPSTREAM protocol=tcp
add action=accept chain=input dst-port=179 in-interface=ether3-PRVT_PEER protocol=tcp src-address=103.0.0.3
add action=drop chain=input dst-port=179 in-interface=ether3-PRVT_PEER protocol=tcp
add action=accept chain=input dst-port=179 in-interface=ether4-DOWNSTREAM1 protocol=tcp src-address=100.0.0.2
add action=drop chain=input dst-port=179 in-interface=ether4-DOWNSTREAM1 protocol=tcp
add action=accept chain=input dst-port=179 in-interface=ether5-DOWNSTREAM2 protocol=tcp src-address=100.0.0.6
add action=drop chain=input dst-port=179 in-interface=ether5-DOWNSTREAM2 protocol=tcp
add action=accept chain=input dst-port=179 in-interface=ether6-DOWNSTREAM3 protocol=tcp src-address=100.0.0.10
add action=drop chain=input dst-port=179 in-interface=ether6-DOWNSTREAM3 protocol=tcp
add action=accept chain=input dst-port=179 in-interface=ether7-DOWNSTREAM4 protocol=tcp src-address=100.0.0.14
add action=drop chain=input dst-port=179 in-interface=ether7-DOWNSTREAM4 protocol=tcp

/ip arp
add address=101.0.0.1 interface=ether1-IXP mac-address=00:50:00:03:00:01
add address=102.0.0.1 interface=ether2-UPSTREAM mac-address=00:50:00:03:00:02
add address=103.0.0.1 interface=ether3-PRVT_PEER mac-address=00:50:00:03:00:03
add address=100.0.0.6 interface=ether5-DOWNSTREAM2 mac-address=00:50:00:03:00:04
add address=100.0.0.10 interface=ether6-DOWNSTREAM3 mac-address=00:50:00:03:00:05
add address=100.0.0.2 interface=ether4-DOWNSTREAM1 mac-address=00:50:00:03:00:06
add address=100.0.0.14 interface=ether7-DOWNSTREAM4 mac-address=00:50:00:03:00:07
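The per-peer TCP/179 accept/drop pairs and static ARP entries above are easy to get out of step when typed by hand, so here, as an added example that is not part of the course, is a small generator that produces both sections from one peer table and a consistency check that reports interfaces where the address trusted for BGP and the address pinned in ARP differ. Run over the slide's own two lists it flags ether2-UPSTREAM and ether3-PRVT_PEER; the PEERS table pairs the slide's firewall addresses with its MACs and is a constructed choice.

```python
"""Added example, not code from the course: build the slide's per-peer control-plane
protection (accept TCP/179 only from the configured neighbour on its interface, drop every
other TCP/179 packet on that interface, pin the neighbour's MAC with a static ARP entry)
from one peer table, and check that the address a firewall rule trusts on an interface is
the one the static ARP entry binds. Names, interfaces, addresses and MACs come from the
slide; which address is 'right' where the two lists differ is not decided here."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Peer:
    name: str
    interface: str
    address: str    # neighbour address: BGP source allowed on this port and ARP-pinned
    mac: str


# Source addresses the slide's firewall rules accept for TCP/179, per interface.
SLIDE_FIREWALL: Dict[str, str] = {
    "ether1-IXP": "101.0.0.1", "ether2-UPSTREAM": "102.0.0.3",
    "ether3-PRVT_PEER": "103.0.0.3", "ether4-DOWNSTREAM1": "100.0.0.2",
    "ether5-DOWNSTREAM2": "100.0.0.6", "ether6-DOWNSTREAM3": "100.0.0.10",
    "ether7-DOWNSTREAM4": "100.0.0.14",
}
# Addresses the slide's static ARP entries bind, per interface.
SLIDE_ARP: Dict[str, str] = {
    "ether1-IXP": "101.0.0.1", "ether2-UPSTREAM": "102.0.0.1",
    "ether3-PRVT_PEER": "103.0.0.1", "ether4-DOWNSTREAM1": "100.0.0.2",
    "ether5-DOWNSTREAM2": "100.0.0.6", "ether6-DOWNSTREAM3": "100.0.0.10",
    "ether7-DOWNSTREAM4": "100.0.0.14",
}


def mismatches(firewall: Dict[str, str], arp: Dict[str, str]) -> List[str]:
    """Interfaces where the trusted BGP source and the ARP-pinned address differ:
    there the session peer and the pinned MAC cannot both be the same neighbour."""
    return sorted(i for i, addr in firewall.items() if arp.get(i) != addr)


# One table drives both sections, so they cannot drift apart. Addresses taken from the
# slide's firewall rules, MACs from its ARP table (a constructed pairing).
PEERS: List[Peer] = [
    Peer("peer1-IXP", "ether1-IXP", "101.0.0.1", "00:50:00:03:00:01"),
    Peer("peer2-UPSTREAM", "ether2-UPSTREAM", "102.0.0.3", "00:50:00:03:00:02"),
    Peer("peer3-PRVT_PEER", "ether3-PRVT_PEER", "103.0.0.3", "00:50:00:03:00:03"),
    Peer("peer4-DOWNSTREAM1", "ether4-DOWNSTREAM1", "100.0.0.2", "00:50:00:03:00:06"),
    Peer("peer5-DOWNSTREAM2", "ether5-DOWNSTREAM2", "100.0.0.6", "00:50:00:03:00:04"),
    Peer("peer6-DOWNSTREAM3", "ether6-DOWNSTREAM3", "100.0.0.10", "00:50:00:03:00:05"),
    Peer("peer7-DOWNSTREAM4", "ether7-DOWNSTREAM4", "100.0.0.14", "00:50:00:03:00:07"),
]


def render(peers: List[Peer]) -> List[str]:
    """RouterOS CLI lines: the accept for each peer must precede the drop on the same port."""
    lines = ["/ip firewall filter"]
    for p in peers:
        lines.append(f"add action=accept chain=input dst-port=179 in-interface={p.interface} "
                     f"protocol=tcp src-address={p.address} comment=\"BGP {p.name}\"")
        lines.append(f"add action=drop chain=input dst-port=179 in-interface={p.interface} "
                     f"protocol=tcp")
    lines.append("/ip arp")
    for p in peers:
        lines.append(f"add address={p.address} interface={p.interface} mac-address={p.mac}")
    return lines


def parse_rendered(lines: List[str]) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Read the two tables back out of CLI text so mismatches() can audit any export."""
    firewall, arp = {}, {}
    for line in lines:
        m = re.search(r"action=accept .*in-interface=(\S+) .*src-address=(\S+)", line)
        if m:
            firewall[m.group(1)] = m.group(2)
        m = re.match(r"add address=(\S+) interface=(\S+) mac-address=", line)
        if m:
            arp[m.group(2)] = m.group(1)
    return firewall, arp


if __name__ == "__main__":
    print("slide lists disagree on:", mismatches(SLIDE_FIREWALL, SLIDE_ARP))
    generated = render(PEERS)
    print("\n".join(generated))
    print("generated config disagrees on:", mismatches(*parse_rendered(generated)))
```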

CRYPTOGRAPHY

What is Cryptography
• Cryptography is the "ART" of creating documents that can be shared secretly over public communication.
• Traditionally, cryptography refers to:
  • The practice and the study of encryption.
  • Transforming information in order to prevent unauthorized people from reading it.
• But today, cryptography goes beyond encryption/decryption to include:
  • Techniques for making sure that encrypted messages are not modified.
  • Techniques for secure identification/authentication of communication partners.

Security Mechanisms
Encryption:
• Process of transforming plaintext to ciphertext using a cryptographic key
• Used all around us
  • In the Application Layer – used in secure email, database sessions, and messaging
  • In the Session Layer – using Secure Socket Layer (SSL) or Transport Layer Security (TLS)
  • In the Network Layer – using protocols such as IPSec
• Benefits of a good encryption algorithm:
  • Resistant to cryptographic attack
  • Supports variable and long key lengths and scalability
  • Creates an avalanche effect
  • No export or import restrictions

Terminology
• plaintext (P): the original message
• ciphertext (C): the coded message
• cipher: algorithm for transforming plaintext to ciphertext
• key (k): info used in the cipher, known only to sender/receiver
• encipher/encrypt (e): converting plaintext to ciphertext
• decipher/decrypt (d): recovering plaintext from ciphertext
• cryptography: study of encryption principles/methods
• cryptanalysis: the study of principles/methods of deciphering ciphertext without knowing the key
• cryptology: the field of both cryptography and cryptanalysis

Encryption Methods
There are 2 kinds of encryption methods:
• Symmetric cryptography
  • Sender and receiver keys are identical
• Asymmetric (public-key) cryptography
  • Encryption key is public, decryption key is secret (private)

Symmetric Encryption
• Uses a single key to both encrypt and decrypt information
• Also known as a secret-key algorithm
• The key must be kept a “secret” to maintain security
• This key is also known as a private key
• Follows the more traditional form of cryptography, with key lengths ranging from 40 to 256 bits

Symmetric Key Algorithms

Asymmetric Encryption
• Also called public-key cryptography
• Keep the private key private
• Anyone can see the public key
• Separate keys for encryption and decryption (public and private key pairs)
• Examples of asymmetric key algorithms:
  • RSA, DSA, Diffie-Hellman, El Gamal, Elliptic Curve and PKCS

Asymmetric Encryption
• RSA: the first and still most common implementation
• DSA: specified in NIST’s Digital Signature Standard (DSS), provides digital signature capability for authentication of messages
• Diffie-Hellman: used for secret key exchange only, and not for authentication or digital signature
• ElGamal: similar to Diffie-Hellman and used for key exchange
• PKCS: set of interoperable standards and guidelines

Public Key Infrastructure (PKI)
• Framework that builds the network of trust
• Combines public key cryptography and digital signatures to ensure confidentiality, integrity, authentication, non-repudiation, and access control
• Protects applications that require a high level of security
Functions of a PKI:
• Registration
• Initialization
• Certification
• Key pair recovery
• Key generation
• Key update
• Cross-certification
• Revocation

Components of a PKI
• Certificate authority
  • The trusted third party
  • Trusted by both the owner of the certificate and the party relying upon the certificate
• Validation authority
• Registration authority
  • For big CAs, a separate RA might be necessary to take some work off the CA
  • Identity verification and registration of the entity applying for a certificate
• Central directory

CERTIFICATES

Certificates
• Public key certificates bind public key values to subjects
• A trusted certificate authority (CA) verifies the subject’s identity and digitally signs each certificate
• Validity
  • Has a limited valid lifetime
  • Can be distributed over untrusted communications and cached in unsecured storage, because the client can independently check the certificate’s signature
• A certificate is NOT the same as a signature
  • It is implemented using a signature
• Certificates are static
  • If anything changes, the certificate has to be re-issued

Digital Certificates
• Digital certificate – basic element of PKI; secure credential that identifies the owner
• Also called public key certificate
• Deals with the problem of
  • Binding a public key to an entity
  • A major legal issue related to eCommerce
• A digital certificate contains:
  • User’s public key
  • User’s ID
  • Other information, e.g. validity period

Digital Certificates
• Certificate examples:
  • X.509 (standard)
  • PGP (Pretty Good Privacy)
• Certificate Authority (CA) creates and digitally signs certificates
• To obtain a digital certificate, Alice must:
  • Make a certificate signing request to the CA
• CA returns Alice’s digital certificate, cryptographically binding her identity to her public key:
  • CertA = {IDA, KA_PUB, info, SigCA(IDA, KA_PUB, info)}

X.509
• An ITU-T standard for a public key infrastructure (PKI) and Privilege Management Infrastructure (PMI)
• Assumes a strict hierarchical system of Certificate Authorities (CAs)
• RFC 1422 – basis of X.509-based PKI
• Current version X.509v3 provides a common baseline for the Internet
• Structure of a certificate, certificate revocation (CRLs)

X.509
X.509 Certificate Usage:
• Fetch certificate
• Fetch certificate revocation list (CRL)
• Check the certificate against the CRL
• Check signature using the certificate

Every Certificate Contains
• Body of the certificate
  • Version number, serial number, names of the issuer and subject
  • Public key associated with the subject
  • Expiration date (not before, not after)
  • Extensions for additional attributes
• Signature algorithm
  • Used by the CA to sign the certificate
• Signature
  • Created by applying the certificate body as input to a one-way hash function. The output value is encrypted with the CA’s private key to form the signature value

Certificate Authority
• Issuer and signer of the certificate
• Trusted (Third) Party
• Based on a trust model
  • Who to trust?
• Types:
  • Enterprise CA
  • Individual CA (PGP)
  • Global CA (such as VeriSign)
• Functions:
  • Enrols and validates subscribers
  • Issues and manages certificates
  • Manages revocation and renewal of certificates
  • Establishes policies & procedures

Certificate Revocation List
• The CA periodically publishes a data structure called a certificate revocation list (CRL).
• Described in the X.509 standard.
• Each revoked certificate is identified in a CRL by its serial number.
• A CRL might be distributed by posting at a known Web URL or from the CA’s own X.500 directory entry

SELF-SIGNED CERTIFICATE

Self-Signed Certificates
• A self-signed SSL certificate does not use the chain of trust used by other SSL certificates
• Is an identity certificate that is signed by the same entity whose identity it certifies
• Most often used when a company wants to perform internal testing without the effort or expense of acquiring a standard SSL certificate.

Self-Signed Certificates

[Diagram: CA certificate for example.com]

certificate add name=CA country=ES state=Toledo locality=Illescas organization=IT unit=IT common-name=example.com \
    subject-alt-name=DNS:example.com key-size=2048 days-valid=365 \
    key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign

Self-Signed Certificates

certificate sign CA name=CA

Self-Signed Certificates

[Diagram: server certificate for webfix.example.com, issued by CA]

certificate add name=www country=ES state=Toledo locality=Illescas organization=IT unit=IT \
    common-name=webfix.example.com subject-alt-name=DNS:webfix.example.com key-size=2048 days-valid=365 \
    key-usage=digital-signature,key-encipherment,tls-client,tls-server

Self-Signed Certificates

certificate sign www name=www ca=CA

FREE OF CHARGE VALID CERTIFICATES

Let’s Encrypt
• Let's Encrypt is a new Certificate Authority (CA) that offers FREE SSL certificates that are just as secure as current paid certificates.
• Let’s Encrypt is a free certificate authority developed by the Internet Security Research Group (ISRG).
• SSL certificates are issued for a period of 90 days and need to be renewed to remain valid.
• These certificates are domain-validated, don't require a dedicated IP and are supported on all SiteGround hosting solutions.

Let’s Encrypt
Key benefits of using a Let’s Encrypt SSL certificate:
• It's free – Anyone who owns a domain can obtain a trusted certificate for that domain at zero cost.
• It's automatic – The entire enrolment process for certificates occurs painlessly during the server’s native installation or configuration process. The renewal occurs automatically in the background.
• It's simple – There's no payment, no validation emails, and certificates renew automatically.
• It's secure – Let’s Encrypt serves as a platform for implementing modern security techniques and best practices.
• More info – https://letsencrypt.org

SSL For Free

https://www.sslforfree.com


Free of Charge Valid Certificates

Upload “certificate.crt” and “private.key” to the RouterOS

Free of Charge Valid Certificates

“System > Certificate”: import both the “certificate.crt” and the “private.key”


HIGH AVAILABILITY

INTERFACE BONDING

What is Interface Bonding
• Bonding is a technology that allows you to aggregate multiple Ethernet-like interfaces into a single virtual link, thus getting higher data rates and providing fail-over.
• Bonding (load balancing) modes:
  • 802.3ad
  • Balance-rr
  • Balance-xor
  • Balance-tlb
  • Balance-alb

802.3ad
• 802.3ad mode is an IEEE standard, also called LACP (Link Aggregation Control Protocol).

Balance-rr and balance-xor
• Balance-rr mode uses the Round Robin algorithm: packets are transmitted in sequential order from the first available slave to the last.
  • When utilizing multiple sending and multiple receiving links, packets are often received out of order (a problem for TCP)
• Balance-xor balances outgoing traffic across the active ports based on a hash from specific protocol header fields and accepts incoming traffic from any active port

Balance-tlb
• The outgoing traffic is distributed according to the current load
• Incoming traffic is not balanced
• This mode is address-pair load balancing
• No additional configuration is required on the switch

Balance-alb
• In short, alb = tlb + receive load balancing
• This mode requires a device driver capable of changing the MAC address

Interface Bonding

[Diagram: R1 and R2 connected by two bonded links]

Interface Bonding R1

/interface bonding add lacp-rate=1sec mode=802.3ad name=bonding1 slaves=ether1,ether2 \
    transmit-hash-policy=layer-3-and-4

Interface Bonding R2

/interface bonding add lacp-rate=1sec mode=802.3ad name=bonding1 slaves=ether1,ether2 \
    transmit-hash-policy=layer-3-and-4

VRRP

What is VRRP
• Virtual Router Redundancy Protocol
• RFC 2883 standard plus updates for IPv6
• On RouterOS, VRRP is implemented as an interface
• Simple setup, a few simple steps to get running
• Solves Layer 2 redundancy, virtual MAC
• Typical use: router gateway redundancy

What is VRRP

R1: Interface ether1, VRID 1, Priority 100, Version 2, IP 192.168.1.253, VIP 192.168.1.1
R2: Interface ether1, VRID 1, Priority 50, Version 2, IP 192.168.1.253, VIP 192.168.1.1

VRRP Master Selection
• A Virtual Router is defined by a VRID and a mapped set of IPv4 or IPv6 addresses.
• Each VR node has a single assigned MAC address.

R1: Interface ether1, VRID 1, Priority 100, Version 2, IP 192.168.1.253, VIP 192.168.1.1
R2: Interface ether1, VRID 1, Priority 50, Version 2, IP 192.168.1.254, VIP 192.168.1.1

VRRP Master Selection
• The selection of the master router is controlled by the priority value
• A higher number means higher priority
• Only the master router sends periodic advertisement messages, to minimize the traffic
• It is possible to install a VR on more than two routers on a single segment

R1: Interface ether1, VRID 1, Priority 100, Version 2, IP 192.168.1.253, VIP 192.168.1.1
R2: Interface ether1, VRID 1, Priority 50, Version 2, IP 192.168.1.254, VIP 192.168.1.1

VRRP Master Configuration

/interface vrrp add interface=ether1 name=vrrp1 priority=100 version=2

208

VRRP Backup Configuration

/interface vrrp add interface=ether1 name=vrrp1 preemption-mode=no priority=50 version=2

209

VRRP Preemption
• Ability to preempt a virtual router backup that has taken over for a failing virtual router master with a higher-priority virtual router backup that has become available
• When set to 'no', the backup node will not be elected master until the current master fails

Router   Interface   VRID   Priority   Preempt   Version   IP              VIP
R1       ether1      1      100        Yes       2         192.168.1.253   192.168.1.1
R2       ether1      1      50         No        2         192.168.1.254   192.168.1.1

210

VRRP + INTERFACE BONDING

211

VRRP + Interface Bonding
• VRRP with Interface Bonding increases the throughput that the router can achieve
• At the same time it makes the router more resilient to issues with the interfaces or the network

212

VRRP + Interface Bonding

Router   Interface   VRID   Priority   Version   IP              VIP
R1       bonding1    1      100        2         192.168.1.253   192.168.1.1
R2       bonding1    1      50         2         192.168.1.253   192.168.1.1

213

Interface Bonding R1

/interface bonding
add lacp-rate=1sec mode=802.3ad name=bonding1 slaves=ether1,ether2 \
    transmit-hash-policy=layer-3-and-4

214

Interface Bonding R2

/interface bonding
add lacp-rate=1sec mode=802.3ad name=bonding1 slaves=ether1,ether2 \
    transmit-hash-policy=layer-3-and-4

215

VRRP Master Configuration

/interface vrrp
add interface=bonding1 name=vrrp1 priority=100 version=2
/ip address
add address=192.168.1.253/24 interface=bonding1 network=192.168.1.0
add address=192.168.1.1 interface=vrrp1 network=192.168.1.1

216

VRRP Backup Configuration

/interface vrrp
add interface=bonding1 name=vrrp1 preemption-mode=no priority=50 version=2
/ip address
add address=192.168.1.254/24 interface=bonding1 network=192.168.1.0
add address=192.168.1.1 interface=vrrp1 network=192.168.1.1

217

VRRP + Interface Bonding (VLAN)
• Using VRRP + Interface Bonding we can load balance across both routers so that each one carries active traffic
• This is done by using multiple VLANs and giving each router the higher VRRP priority for a different VLAN
• And by activating "preempt" mode on the master VRRP

218

VRRP + Interface Bonding (VLAN)

Router   Interface   VRID   Priority   Version   IP               VIP
R1       vlan11      11     100        2         192.168.11.253   192.168.11.1
R1       vlan12      12     50         2         192.168.12.253   192.168.12.1
R2       vlan11      1      50         2         192.168.11.254   192.168.11.1
R2       vlan12      12     100        2         192.168.12.254   192.168.12.1

219

Interface Bonding R1

/interface bonding
add lacp-rate=1sec mode=802.3ad name=bonding1 slaves=ether1,ether2 \
    transmit-hash-policy=layer-3-and-4

220

Interface Bonding R2

/interface bonding
add lacp-rate=1sec mode=802.3ad name=bonding1 slaves=ether1,ether2 \
    transmit-hash-policy=layer-3-and-4

221

VLAN Interface R1

/interface vlan
add interface=bonding1 mtu=1496 name=vlan11 vlan-id=11
add interface=bonding1 mtu=1496 name=vlan12 vlan-id=12

222

VLAN Interface R2

/interface vlan
add interface=bonding1 mtu=1496 name=vlan11 vlan-id=11
add interface=bonding1 mtu=1496 name=vlan12 vlan-id=12

223

VRRP R1 Configuration

/interface vrrp
add interface=vlan11 name=vrrp-vlan11 priority=100 version=2 vrid=11
add interface=vlan12 name=vrrp-vlan12 preemption-mode=no priority=50 version=2 vrid=12

224

VRRP R2 Configuration

/interface vrrp
add interface=vlan11 name=vrrp-vlan11 preemption-mode=no priority=50 version=2 vrid=11
add interface=vlan12 name=vrrp-vlan12 priority=100 version=2 vrid=12

225
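The election rules from the master-selection and preemption slides, applied to the VLAN 11/12 active-active design above, as an added example (not course material): the RouterOS lines are the R1/R2 VRRP configuration from this section, the parser handles only the fields those lines use, and the comparison in which the higher-priority node itself has preemption-mode=no is a constructed variant.

```python
"""VRRP master election per VRID from RouterOS-style config lines (added example,
not from the course slides). Models the slide rules: highest priority wins, and a
node with preemption-mode=no never displaces a live master. Timing is not modelled."""
import re

# The R1/R2 VRRP lines from this section (VLAN 11/12 active-active design).
R1_CFG = """/interface vrrp
add interface=vlan11 name=vrrp-vlan11 priority=100 version=2 vrid=11
add interface=vlan12 name=vrrp-vlan12 preemption-mode=no priority=50 version=2 vrid=12"""
R2_CFG = """/interface vrrp
add interface=vlan11 name=vrrp-vlan11 preemption-mode=no priority=50 version=2 vrid=11
add interface=vlan12 name=vrrp-vlan12 priority=100 version=2 vrid=12"""

def parse_vrrp(router, text):
    """Turn '/interface vrrp' add lines into node dicts, applying RouterOS defaults."""
    nodes = []
    for line in text.splitlines():
        if line.startswith("add "):
            kv = dict(re.findall(r"(\S+)=(\S+)", line))
            nodes.append({"router": router, "vrid": int(kv.get("vrid", 1)),
                          "priority": int(kv.get("priority", 100)),
                          "preempt": kv.get("preemption-mode", "yes") == "yes",
                          "up": True, "master": False})
    return nodes

def elect(nodes):
    """One election round for one VRID; returns the master's router name."""
    for n in nodes:
        n["master"] = n["master"] and n["up"]    # a failed node stops being master
    live = [n for n in nodes if n["up"]]
    if not live:
        return None
    current = next((n for n in live if n["master"]), None)
    best = max(live, key=lambda n: n["priority"])
    winner = current
    if current is None or (best["priority"] > current["priority"] and best["preempt"]):
        winner = best                             # takeover only when allowed to preempt
    for n in live:
        n["master"] = n is winner
    return winner["router"]

def masters(nodes):   # {vrid: master router} for every VRID present
    return {v: elect([n for n in nodes if n["vrid"] == v]) for v in sorted({n["vrid"] for n in nodes})}

def timeline(nodes, events):
    """Apply (router, is_up) events in order, re-electing after each one."""
    states = [masters(nodes)]
    for router, is_up in events:
        for n in nodes:
            n["up"] = is_up if n["router"] == router else n["up"]
        states.append(masters(nodes))
    return states
```

Running timeline(parse_vrrp("R1", R1_CFG) + parse_vrrp("R2", R2_CFG), [("R1", False), ("R1", True)]) shows R2 taking both VRIDs while R1 is down and R1 reclaiming VRID 11 when it returns, which is the active-active split the slides describe.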

IP Addressing R1

/ip address
add address=192.168.11.253/24 interface=vlan11 network=192.168.11.0
add address=192.168.12.253/24 interface=vlan12 network=192.168.12.0
add address=192.168.11.1 interface=vrrp-vlan11 network=192.168.11.1
add address=192.168.12.1 interface=vrrp-vlan12 network=192.168.12.1

226

IP Addressing R2

/ip address
add address=192.168.11.254/24 interface=vlan11 network=192.168.11.0
add address=192.168.12.254/24 interface=vlan12 network=192.168.12.0
add address=192.168.11.1 interface=vrrp-vlan11 network=192.168.11.1
add address=192.168.12.1 interface=vrrp-vlan12 network=192.168.12.1

227

MTCASE SUMMARY

228

Certification Test
• If needed, reset the router configuration and restore from a backup
• Make sure that you have access to the www.mikrotik.com training portal
• Login with your account
• Choose "my training sessions"
• Good luck!

229

Thank You! Thank you José Manuel Román Fernández Checa and Fajar Nugroho for creating and sharing the initial version of the MTCASE course materials.

230