[50898] in North American Network Operators' Group
Re: Routing Protocol Security
daemon@ATHENA.MIT.EDU (Hank Nussbacher)
Wed Aug 14 00:20:52 2002
Date: Wed, 14 Aug 2002 07:19:03 +0300
To: batz <batsy@vapour.net>, dylan@juniper.net
From: Hank Nussbacher <hank@att.net.il>
Cc: senthil ayyasamy <mplsgeek@yahoo.com>, nanog@merit.edu
In-Reply-To: <Pine.BSF.4.21.0208131900240.1001-100000@vapour.net>
Errors-To: owner-nanog-outgoing@merit.edu

At 07:43 PM 13-08-02 -0400, batz wrote:
>On Mon, 12 Aug 2002 dylan@juniper.net wrote:
>
>:Of the problems folks have run into, are they more often the result of a
>:legitimate speaker being compromised & playing with advertisements
>:somehow (and getting through filters that may or may not be present), or
>:from devices actually spoofing their way into the IGP/EGP? Are there
>:any specific attacks anyone is aware of & can share?
>
>My first pointer would be to the Phrack article Things to do in
>Ciscoland when you are Dead. While this is not routing protocol
>specific, it's more about fun that can be had with tunneling
>traffic from a compromised network.

Better yet:

http://www.phenoelit.de/vippr/index.html
http://www.phenoelit.de/irpas/index.html

Also note that keepalives and routing updates are process switched (for
Ciscos). Think about it.

>The short term solution would be routers that denied all layer-3
>traffic destined to it by default, (passing it to elsewhere) and
>only accepted traffic from specifically configured peers. (Type
>Enforcement(tm) on interfaces anyone?)

Don't forget layer-2 as well (from Networkers 2002):

http://www.cisco.com/networkers/nw02/post/presentations/general_abstracts.html#mitigation
http://www.cisco.com/networkers/nw02/post/presentations/docs/SEC-202.pdf

-Hank

>
>
>Routers should be shipped in a state that is functionally inert to
>packets on layer 3.
>
>Alas..
>
>--
>batz