
Routing Security Capabilities draft-zhao-opsec-routing-capabilities-02.txt


Presentation Transcript


  1. Routing Security Capabilities
  draft-zhao-opsec-routing-capabilities-02.txt
  miaofy@huawei.com
  OPSEC WG, IETF #66

  2. Packet Filtering vs. Routing Filtering
  • Packet filtering
    • Applied to network layer packets being forwarded
    • Usually based on the IP and transport headers
    • Out of scope of this document
  • Routing filtering
    • Applied to routing packets being sent or received
    • Based on the routing protocol, along with other protocols
    • Within the scope of this document

  3. Filters for External Routing Protocols
  • Current implementation
    • Applied to both sent and received routing packets on a per-interface basis
    • Outbound Route Filter (ORF): whether ORF is used, and which ORF, on a per-interface basis
    • Limit the scope of route redistribution between different routing protocols
  • Filtering criteria
    • Specific route prefixes
    • Maximum length of route prefixes
    • Maximum number of route prefixes received
    • AS_PATH
    • BGP community and extended community
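The filtering criteria on slide 3 can be combined into one per-peer inbound policy. The following is an added example (not code from the draft or any router vendor) that applies each criterion in turn to a constructed route stream; the policy values, the peer's routes and the reason strings are all assumptions, and only documentation prefixes and ASNs are used.

```python
import ipaddress

PRIVATE_ASN = range(64512, 65535)  # RFC 6996 2-byte private ASN range


class InboundRouteFilter:
    """Per-peer inbound filter applying the slide-3 criteria: specific prefixes,
    max prefix length per address family, max prefix count, AS_PATH, communities."""

    def __init__(self, deny_prefixes, max_prefix_len, max_prefixes, deny_communities):
        self.deny_prefixes = [ipaddress.ip_network(p) for p in deny_prefixes]
        self.max_prefix_len = max_prefix_len  # e.g. {4: 24, 6: 48}
        self.max_prefixes = max_prefixes
        self.deny_communities = set(deny_communities)
        self.accepted = []

    def evaluate(self, prefix, as_path, communities=()):
        """Return (accepted, reason); the reason lets a rejection be logged."""
        net = ipaddress.ip_network(prefix, strict=False)
        # Specific prefixes: own space, bogons, anything covered by a deny entry.
        if any(net.version == d.version and net.subnet_of(d) for d in self.deny_prefixes):
            return False, "denied prefix"
        # Maximum prefix length, e.g. nothing more specific than an IPv4 /24.
        if net.prefixlen > self.max_prefix_len[net.version]:
            return False, "prefix too long"
        # AS_PATH: private ASNs must not cross an external session.
        if any(asn in PRIVATE_ASN for asn in as_path):
            return False, "private ASN in AS_PATH"
        if self.deny_communities & set(communities):
            return False, "denied community"
        # Max prefixes received; a real router usually tears the session down here.
        if len(self.accepted) >= self.max_prefixes:
            return False, "max-prefix exceeded"
        self.accepted.append(net)
        return True, "accepted"


def demo():
    """Constructed peer policy and route stream (documentation ranges only)."""
    f = InboundRouteFilter(deny_prefixes=["10.0.0.0/8", "192.0.2.0/24"],
                           max_prefix_len={4: 24, 6: 48}, max_prefixes=2,
                           deny_communities={"64496:666"})
    routes = [("10.1.0.0/16", [64496], []),               # inside a denied block
              ("203.0.113.0/25", [64496], []),            # more specific than /24
              ("203.0.113.0/24", [64496, 65000], []),     # private ASN in path
              ("203.0.113.0/24", [64496], ["64496:666"]), # denied community
              ("203.0.113.0/24", [64496], []),            # accepted (1 of 2)
              ("198.51.100.0/24", [64496, 64497], []),    # accepted (2 of 2)
              ("2001:db8::/32", [64496], [])]             # over the max-prefix limit
    return [f.evaluate(p, path, comm)[1] for p, path, comm in routes]
```

The order of checks matters in practice: prefix and path checks are stateless and cheap, while the max-prefix counter is the one that should trigger an alarm when a peer suddenly announces far more than expected.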

  4. Filters for IGP Areas
  • An IGP requires the same view of the topology within an area
    • Routes must be flooded unchanged
    • Infeasible to implement filtering within an area
  • Filtering between IGP areas
    • A router may provide the option to filter routing between IGP areas
    • Caution: route filtering may result in some addresses becoming unreachable

  5. Filters by TTL
  • Accept packets from the immediate neighbor only
    • TTL spoofing is assumed to be impossible (every intermediate hop decrements the TTL, so a packet arriving with 255 can only have come from a directly connected neighbor)
    • Most routing packets originate from the immediate neighbor
    • TTL is 255 if the neighbor sets the default of 255
  • Note: not applicable to multi-hop IBGP

  6. Route Flap Dampening
  • Route flaps are bad
  • How about route flap dampening?
    • Configurable
    • Timer
    • Could be turned off
  • http://www.ripe.net/ripe/docs/ripe-378.html

  7. Routing Authentication
  • Key must be configurable on the router
  • System transition from one key to another based on system time
  • Stronger algorithms than MD5
  • Rescorla-Bellovin analysis
  • Preferable: a key distribution/update mechanism
  • Note: the current (standards-track) routing protocol specifications on authentication are too weak to meet the security requirement

  8. What is the next step?
  • Adopted as a working group document?

  9. Thanks!
