Cisco: 6 best practice security tips for BGP

As we all know, in today’s world of digital communication there is a very real chance that your network is, or has been, the target of malicious activity. BGP is one of the most targeted routing protocols when we talk about network attacks. Why? It is quite simple: BGP is your connection to the outside world (peer networks, the Internet and everything beyond your LAN/MAN), so it is only natural that it is the main target of attacks. For WWW, DNS or e-mail services we may be able to say that an attack was not intentional (e.g. a user got infected with some trojan/malware/botnet tool that attacks random destinations), but in the case of BGP you can be 90% sure that the attack was conducted deliberately. The main aim of a BGP attack is to flood the network with false information (e.g. false network prefixes), trying in this way to direct interesting traffic to special destinations where it can be sniffed and decoded.

I will present here the 6 tips that I use most to protect BGP against malicious information. They are really easy to implement if you have a basic idea of how to configure the BGP protocol, but they can save you hours of troubleshooting and investigation.

1. Limit the maximum number of prefixes that you learn from a BGP peer, to avoid overloading your machine.
2. Deny updates that include a private AS number in the AS path (64512 – 65535).
3. Use ACLs on your external interface to permit incoming/outgoing BGP packets only between your defined source and destination.
4. Limit the TTL of BGP packets so that communication is only possible with next-hop (directly connected) peers.
5. Use a password to authenticate peer neighbors.
6. Limit the maximum length of the AS path.

I would also like to mention here, not necessarily as a security tip but more as a best practice: enable logging whenever possible. This can help you observe strange behavior that occurs on your machines while you are not around them.
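To make the tips concrete, here is an added Python model (not code from the original post) of the checks behind tips 1-4 and 6, using the post’s R2/R3 peer addresses; the prefix, AS-path and TTL limits, the ASNs and the sample prefixes are assumed/constructed values.

```python
# Added example (not from the original post): a Python model of tips 1-4 and 6,
# the checks IOS applies through neighbor maximum-prefix, an as-path access-list,
# an interface ACL, ttl-security and bgp maxas-limit. Peers are the post's
# R2/R3; the limits below are assumed values, kept small for the demo.
LOCAL_PEER, REMOTE_PEER, BGP_PORT = "10.0.23.2", "10.0.23.3", 179
MAX_PREFIXES = 3                   # assumed 'maximum-prefix' value
MAX_AS_PATH_LEN = 5                # assumed 'bgp maxas-limit' value
PRIVATE_AS = range(64512, 65536)   # tip 2: 16-bit private AS numbers


def packet_allowed(src, dst, dport, ttl):
    """Tips 3 and 4: only packets between the two configured peers on TCP/179,
    still carrying TTL 255 (never forwarded by a router), reach BGP."""
    if {src, dst} != {LOCAL_PEER, REMOTE_PEER} or dport != BGP_PORT:
        return False                       # interface ACL drops it
    return ttl == 255                      # GTSM-style check: a directly connected peer sends 255


def check_update(prefix, as_path, accepted_so_far):
    """Tips 1, 2 and 6 on one received prefix; returns (accept, reason).
    On IOS, exceeding maximum-prefix drops the session by default; this
    model just rejects the surplus prefixes."""
    if any(asn in PRIVATE_AS for asn in as_path):
        return False, "private AS in AS_PATH"
    if len(as_path) > MAX_AS_PATH_LEN:
        return False, "AS_PATH longer than maxas-limit"
    if accepted_so_far >= MAX_PREFIXES:
        return False, "maximum-prefix exceeded"
    return True, "accepted"


def filter_updates(updates):
    """Apply check_update to (prefix, as_path) pairs; returns (accepted, rejected)."""
    accepted, rejected = [], []
    for prefix, as_path in updates:
        ok, reason = check_update(prefix, as_path, len(accepted))
        (accepted if ok else rejected).append((prefix, reason))
    return accepted, rejected


# Constructed sample feed from R3 (documentation ASNs and prefixes).
SAMPLE_UPDATES = [
    ("198.51.100.0/24", [64496]),                                   # clean
    ("203.0.113.0/24", [64496, 65001]),                             # leaked private AS
    ("192.0.2.0/24", [64496, 64497, 64498, 64499, 64500, 64501]),   # 6 hops > limit
    ("198.51.100.0/25", [64496, 64497]),                            # clean
    ("203.0.113.128/25", [64497]),                                  # clean, 3rd accepted
    ("192.0.2.128/25", [64498]),                                    # over maximum-prefix
]
```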

There is no topology diagram for this tutorial, but we will assume a point-to-point serial connection between 2 routers, R2 (10.0.23.2) and R3 (10.0.23.3). Please click the image below to view the tutorial:

BGP Security tips

If for some reason the tutorial above is not available to you, please check this text file, which presents in plain text everything needed to implement the BGP security tips presented above.

Cisco: IPv6 basics and configuration how-to

Today I had to deal with IPv6 configuration for my CCIE preparation, and I decided to write a small tutorial about the basics of IPv6. First of all, IPv6 is not more complicated than IPv4, it just looks like it is. Second, and this is my personal opinion, I think that as long as IPv4 is on the market and things like NAT can overcome the problem of IP addresses being exhausted, IPv6 will not be implemented on a large scale. Let’s be honest, in a discussion I am more comfortable saying that I had a problem with the IP address 192.168.100.100 than with 2001:128:1F:633:207:85FF:FE80:71B8 (IPv6).

But what we like and what we have to know as network engineers are two different things. For this reason I thought that some information about IPv6, how to configure it and how to test a point-to-point connection on a Cisco device would not hurt anyone.

Some essential points about IPv6 (if you want more, there is a lot of information on the Internet):
-uses 128-bit addresses compared with 32 bits in IPv4
-IPv6 addresses are written in hexadecimal rather than decimal
-uses colon-separated 16-bit fields rather than dot-separated 8-bit decimal fields
An IPv6 address can be written in different formats. Let’s take:
2001:0001:0000:0000:00A1:0CC0:01AB:397A
This can also look like:
2001:1:0:0:A1:CC0:1AB:397A – the leading zeros in each 16-bit group can be dropped
2001:0001::00A1:0CC0:01AB:397A – two or more consecutive “0000” groups can be written as :: (double colon), once per IPv6 address
2001:1::A1:CC0:1AB:397A – the simplest form of the IPv6 address (both rules applied)
A small but very important hint. Take care to avoid the following common mistake when writing an IPv6 address in short format. Let’s say that we have 2001:0000:0000:0000:00A1:0000:0000:397A and you want to write it in short format using the rule that 2 or more “0000” groups can be written as ::, and you write 2001::A1::397A. This is wrong, because afterwards nobody, and no device, can know where there were 2 groups of zeros and where there were 3. Starting from the wrong short format and writing the long format back, you could just as well end up with 2001:0000:0000:00A1:0000:0000:0000:397A, and the mistake is obvious.
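The two shortening rules and the “:: only once” hint, as an added Python example (not code from the original post): shorten() applies rule 1 and replaces the longest run of zero groups, expand() reverses it, and the ambiguous 2001::A1::397A form is refused.

```python
# Added example (not from the original post): shorten a full IPv6 address using
# the two rules above, expand it back, and refuse the ambiguous "::" twice form.
def shorten(full):
    """2001:0001:0000:0000:00A1:0CC0:01AB:397A -> 2001:1::A1:CC0:1AB:397A"""
    groups = [g.lstrip("0") or "0" for g in full.split(":")]  # rule 1: drop leading zeros
    if len(groups) != 8:
        raise ValueError("a full IPv6 address has 8 groups")
    # rule 2: replace the longest run of 2+ zero groups with "::" (only once)
    best_start, best_len, run_start = -1, 0, None
    for i, g in enumerate(groups + ["end"]):            # sentinel closes a trailing run
        if g == "0":
            run_start = i if run_start is None else run_start
        else:
            if run_start is not None and i - run_start >= 2 and i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    if best_len == 0:
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"


def expand(short):
    """Reverse of shorten(); raises ValueError for the 2001::A1::397A mistake."""
    if short.count("::") > 1:
        raise ValueError("'::' may appear only once, otherwise the zero count is ambiguous")
    if "::" in short:
        left, right = short.split("::")
        lg = left.split(":") if left else []
        rg = right.split(":") if right else []
        groups = lg + ["0"] * (8 - len(lg) - len(rg)) + rg   # "::" fills the missing groups
    else:
        groups = short.split(":")
    if len(groups) != 8:
        raise ValueError("wrong number of groups")
    return ":".join(g.upper().zfill(4) for g in groups)     # restore the leading zeros
```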
There are several types of IPv6 addresses, which you can find in the table below:
IPv6 addresses type

There are 3 ways in which you can assign an IPv6 address to a Cisco device:
-manual = just like in IPv4
-stateful autoconfiguration = you use a DHCP server that assigns an IPv6 address to the interface
-stateless autoconfiguration = the interface ID of the IPv6 address is generated locally by the host, using the EUI-64 procedure, so that it is globally unique

In short, the EUI-64 procedure is used to autoconfigure the last 64 bits of the 128-bit IPv6 address, which is the interface ID portion. The EUI-64 method takes the MAC address of the interface (48 bits), which is unique, and derives the interface ID (64 bits) from it. You will probably ask how 48 bits become 64 bits. EUI-64 inserts a 16-bit portion equal to FFFE in the middle of the MAC address and sets the universal/local bit (the 7th bit of the first byte) to indicate global scope. More concretely, let’s say the interface has the MAC address 00:07:88:80:71:b9; when IPv6 applies the EUI-64 method this becomes 0207:88FF:FE80:71b9 (last 64 bits = interface ID).
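The EUI-64 derivation from the paragraph above, as an added Python example (not code from the original post), including the reverse step, since an EUI-64 interface ID reveals the host’s MAC address; the /64 prefix 2001:db8:0:1 is an assumed documentation value.

```python
# Added example (not from the original post): derive the EUI-64 interface ID
# from a MAC address as described above, build the full address from an
# assumed /64 prefix, and reverse the derivation (an EUI-64 address reveals
# the host's MAC, which is why privacy extensions exist).
def eui64_interface_id(mac):
    """00:07:88:80:71:b9 -> 0207:88FF:FE80:71B9"""
    octets = bytearray.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address has 6 octets")
    eui = octets[:3] + bytearray(b"\xff\xfe") + octets[3:]  # insert FFFE in the middle
    eui[0] ^= 0x02                      # flip the universal/local bit (bit 7 of octet 0)
    return ":".join(f"{eui[i]:02X}{eui[i + 1]:02X}" for i in range(0, 8, 2))


def eui64_address(prefix64, mac):
    """Join an assumed 64-bit prefix (written as 4 groups) with the derived interface ID."""
    if prefix64.count(":") != 3:
        raise ValueError("prefix must be written as 4 groups")
    return f"{prefix64}:{eui64_interface_id(mac)}"


def mac_from_eui64(interface_id):
    """Recover the MAC from an EUI-64 interface ID; None if it is not EUI-64 derived."""
    eui = bytearray.fromhex("".join(g.zfill(4) for g in interface_id.split(":")))
    if len(eui) != 8 or eui[3:5] != b"\xff\xfe":
        return None                     # no FFFE marker: not built from a MAC
    eui[0] ^= 0x02                      # undo the U/L bit flip
    mac = eui[:3] + eui[5:]
    return ":".join(f"{b:02x}" for b in mac)
```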

After this short introduction (trust me, it is short compared to the detailed books) I hope that things look a little clearer to you regarding IPv6, and that you understand it is not some kind of IT network monster. Let me show you a small example of how you can configure Cisco interfaces for IPv6 connectivity. Routing and more advanced stuff may come in a future post.

For this tutorial I will use the same topology as in the previous post (please have a look at it here), but for the IPv6 configuration we will only focus on the LAN side, the connection between R1 and R2. There is already a working IPv4 link between these 2 devices. Please click below to see the example:

IPv6 Cisco interface config

If for some reason the tutorial above is not available to you, please check this text file, which contains the configuration needed to enable IPv6 connectivity between 2 Cisco devices.

Cisco: Use CBAC to achieve firewall functionality on router device

Sometimes, usually because of cost saving, network engineers are forced to use a Cisco router as a firewall (instead of a Cisco PIX or ASA). One of the big differences between router and firewall devices is that their ports have different characteristics. On routers, ports permit any packets in and out by default; on firewall devices, all packets are denied unless explicitly permitted. Also, firewalls look at ports as inbound or outbound, while for routers this has no meaning.

Anyway, I don’t want to discuss here the differences between firewalls and routers, but to show you an example of how to achieve firewall functionality by using Context-Based Access Control (CBAC). CBAC intelligently filters TCP and UDP packets based on application-layer protocol session information. You can configure CBAC to permit specified TCP and UDP traffic through a firewall only when the connection is initiated from within the network you want to protect (CBAC can inspect traffic in either direction, depending on which interface and direction you apply it to). CBAC inspects traffic and maintains state information for TCP and UDP sessions, which allows it to create temporary openings in the access-lists to let returning traffic through. Without CBAC, traffic filtering is limited to access-list implementations that examine packets at the network layer or, at most, the transport layer.

The explanation above is a very technical one. Please have a look at the topology to better understand what I am explaining here and the example below. I will use the telnet protocol in this tutorial. From the topology, imagine that on the LAN interface of R2 (Fa0/0) you allow telnet traffic to R3 and nothing else. Also, to protect your environment, on the R2 WAN interface S1/0 you drop any inbound connection by using “deny ip any any” in an access-list. Good, you are protected now. But what about the telnet connection? It will not work! Why? It is obvious: while the packet leaving the LAN towards port 23 is allowed, the response from R3 is dropped on S1/0 of R2 because of the deny-everything access-list. By configuring “ip inspect” you enable CBAC, which keeps track of your session, so when you open a telnet connection to R3, the return connection on the random source port (xxxxx) is automatically opened by CBAC, despite the deny-all access-list. In this way you are protected from the outside (access is denied) but still able to use the connections you defined (CBAC opens certain ports for certain sessions).

So, to achieve firewall functionality on a router you have to follow some simple steps:
– use an access-list to deny all traffic on the router’s ports (like firewall behavior)
– open in the access-list the traffic that you want to establish (remember that this line has to be above the deny line in the ACL)
– enable ip inspect rules to open the return port of the connection

Please have a look at the example below for a better understanding:
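The three steps and the telnet walk-through, as an added Python model (not code from the original post) of what the static ACLs and the CBAC session table decide on R2; the LAN host and R3 addresses are constructed placeholders for the topology.

```python
# Added example (not from the original post): a model of what "ip inspect" adds
# on top of the deny-everything inbound ACL on R2's WAN interface S1/0.
# The LAN host and R3 addresses are constructed placeholders for the topology.
LAN_HOST, R3 = "192.168.0.10", "203.0.113.3"
OUTBOUND_ACL = {("tcp", R3, 23)}         # Fa0/0 inbound: telnet to R3, nothing else
INBOUND_ACL = set()                      # S1/0 inbound: "deny ip any any"
sessions = set()                         # CBAC state: (proto, src, sport, dst, dport)


def outbound(proto, src, sport, dst, dport):
    """Packet from the LAN leaving on S1/0: if the ACL permits it, CBAC
    records the session so the reply can come back."""
    if (proto, dst, dport) not in OUTBOUND_ACL:
        return False
    sessions.add((proto, src, sport, dst, dport))
    return True


def inbound(proto, src, sport, dst, dport):
    """Packet arriving on S1/0: CBAC's temporary opening for the reverse
    direction of a known session wins; otherwise the static ACL decides,
    and it denies everything."""
    if (proto, dst, dport, src, sport) in sessions:
        return True
    return (proto, dst, dport) in INBOUND_ACL


def session_closed(proto, src, sport, dst, dport):
    """When the TCP session ends (or times out) CBAC removes the opening."""
    sessions.discard((proto, src, sport, dst, dport))


def telnet_scenario():
    """The walk-through from the text: telnet out, reply in, stray traffic."""
    sessions.clear()
    return {
        "telnet to R3 allowed": outbound("tcp", LAN_HOST, 40001, R3, 23),
        "reply from R3 allowed": inbound("tcp", R3, 23, LAN_HOST, 40001),
        "unsolicited telnet from R3": inbound("tcp", R3, 50000, LAN_HOST, 23),
        "reply to unknown port": inbound("tcp", R3, 23, LAN_HOST, 40002),
        "http to R3 (not in ACL)": outbound("tcp", LAN_HOST, 40003, R3, 80),
    }
```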

Context-based Access Control

Cisco: Engineer’s trick to avoid suboptimal path

In the previous post I explained the difference between an optimal and a suboptimal path, and how to avoid the use of a not-so-good path in your routed environment. There I also presented the so-called “dirty trick” you can use to force the routing protocol to choose the path that you want, based on modifying the administrative distance.

As I said, there is another way (surely more than one) to do it, using a more elegant approach that is also safer from the networking point of view in a complex routing environment. I will use the same topology as in the previous post, so that you can compare the 2 methods presented and choose the one that you understand better and that fits your needs. There are other ways to do it as well; please feel free to discuss them in the comments section, and maybe I will present them here in a future post.

We will achieve the desired result by setting a community on R1 for the advertised network 192.168.82.1 and dropping the prefixes marked with that community on R2. Please be aware that for this method to work you have to allow the BGP peers to send the community list, with the command “neighbor xx.xx.xx.xx send-community …” under the “router bgp xxx” process.

Please see the example by clicking the image below:

Optimal path engineer trick

Cisco: Dirty trick to force optimal path in routed environment

Everywhere in the world people try to find the optimal path to achieve something. Whether we speak about roads, trips or, in our case, networking, choosing the best path to an end point can only have advantages.

I took the terms optimal / suboptimal path from the routing issues that can appear in an OSPF network environment, which the experts call suboptimal routing. What I want to explain here, and maybe you have already seen it, is that in some network environments the best path to a destination is not always the one preferred by the routing protocol, due to some unfortunate situations. To better understand what I am talking about, please have a look at the topology that I will use for this tutorial and for the next one regarding the optimal path.

In the example below I will show you a simple and dirty trick for escaping this situation. I recommend using this dirty trick only in urgent cases and only temporarily, as it can lead to more problems if you have a complex network environment. In the coming days I will show you a more elegant method of escaping the suboptimal path problem.

As you can see in the topology, we have a network environment formed by 4 routers. On R1 we have configured a BGP session with the peer R3 and OSPF with R2. Since the peers are in different autonomous systems, the BGP session is external; for OSPF this does not matter. The Loopback100 interface on R1 is advertised into both BGP and OSPF, and it is learned by R2. On R2 the prefix 192.168.82.1 arrives in both the BGP table and the OSPF table, but since the administrative distance of eBGP (20) is better than that of OSPF (110), the routing table will show the route through R4. This is bad because, apart from the obviously longer path through R4, the links R2-R4 and R1-R3 are serial interfaces, with definitely less bandwidth than the FastEthernet interface between R1 and R2 (we assume that we do not have any QoS or other limitation). One last note before we begin: all the routing processes on the devices are completely configured and functional.

Optimal path dirty trick