Routing and security

Eliezer Croitoru eliezer at ngtech.co.il
Thu Dec 5 05:50:16 CET 2013


Hey Alessandro,

As for your question:
There are two levels that you should notice about whether this can or cannot happen.
If your network has a couple of peers and, for example, the end of the fiber 
optic cable is attached at the IXP to a machine that you *own*, you will 
see one thing.
Whereas if your machine is at the other end of the cable and a switch 
owned by the IXP is managing the traffic, your strategy would be 
different.

Since IXPs have rules, every participant is obligated not to abuse 
other peers without at least contacting the IXP or ISP management.
If one of the peers is found abusing you, he will eventually need 
to pay for the *usage* of bandwidth, since it's the same thing as using 
your friend's car without permission.

Most public IXP ISPs or companies would not try to abuse other peers 
intentionally, but sometimes it can happen that an automated system was 
missing a "column" or whatever and someone made a mistake.

It would be preferable to define a rule in the switch that would not 
allow any "rogue" traffic (it would be dropped/blocked), but this is not a 
security measure, rather a smart thing to implement if possible.

The basic general rule is to use a policy route rule that applies to a 
specific interface and specific traffic.
For example: "for interface0 allow only traffic from my internal src IPs"
This will protect you from rogue clients inside your network posing as 
other IP addresses.

But this logic is more FIREWALL and/or IPTABLES logic.
In a router you don't want any unneeded processing that is above the 
routing level!

When you use a tool like PING, for example, and the kernel determines that 
there is no "route" in the routing table which matches the host, it will 
print something like "no route to this host" in the terminal.
Inside a router it's another story, at a completely lower level in the 
kernel.
The kernel "catches" a packet from the interface and puts it into the 
corresponding routing "table"; then, if and only if a "best" matching 
route is found, it will use it to just "put" the packet into the 
cable again towards the next router in the network, changing a couple of 
tiny bits of binary data.

There should not be a "default" route in use in the router that also 
applies to the *forwarded* traffic.
(I will not say anything regarding using a default route globally)

Once you have a route policy which "throws" the traffic that is either 
flowing from your network IP masks or flowing towards your IP masks on 
the right interfaces, you can throw it towards the right routing table, 
which contains only the needed routes.
Remember that the packet has only one IP address as src and one IP 
address as dst, which can be matched for two different interfaces, but 
there are packets that will never contain a given src IP address on a 
specific interface.

If you must use IPTABLES for securing your router host, there is a 
NOTRACK module in IPTABLES which should help you avoid any 
connection tracking for the FORWARD table, removing any unneeded load 
on the kernel and kernel module operations.

I have read something about using packet MARKING (not 
connection marking) with IPTABLES which can help when applying dynamic 
rules on LB routers.

One system that demonstrates a Linux routing setup would be 
VYATTA, which already uses quagga.

The algorithm that Cisco or Juniper apply, which you asked about, is 
not public (to me), and in the case of a Linux kernel it would not even 
make sense to look at their settings or code.
It sounds to me like "I have a drill and I want to put a nail in the 
wall".

I would first ask the IXP what administrative rules they have 
and what basic support I can get from them in case I need 
their help to block some traffic, or even to contact the abuser by phone or 
knock on his office/home door.

Traffic flowing towards your router does add overhead to the CPU and 
power consumption if it continues for a long period of time.

Regards,
Eliezer

On 03/12/13 14:04, Alessandro Brega wrote:
> Now for security I wonder if other participants could not simply route
> all their outgoing traffic through me? For example what happens if any
> other participant would point a default route to my IXP ip. If I
> understand correctly all outgoing traffic from that participant would
> then go to my router which would route it to the internet using my
> transit uplink, right?
>


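The policy-routing layout Eliezer sketches above (a rule per ingress interface, a separate table for traffic arriving from the IXP port, no default route for forwarded traffic, and a source filter per interface) is easy to reason about once you model the kernel's decision. The following is an added example, not code from the original thread or from BIRD: it models Linux policy routing on a small router with an IXP port `ixp0`, a transit port `transit0` and an internal LAN `lan0`, using constructed RFC 5737 test prefixes. The `ip rule` / `ip route` commands in the comments are the assumed equivalent configuration for the same layout, so you can check them against your own box.

```python
"""Model of Linux policy routing on a router with an IXP port, a transit
port and an internal LAN.  It shows why a peer that points its default
route at our IXP address gets no free transit: packets entering from ixp0
are looked up in a table that only knows our own prefix and ends in
"unreachable".  Constructed example, not the original poster's code."""
import ipaddress

# Constructed prefixes (RFC 5737 test networks):
#   203.0.113.0/24  our own network, behind lan0
#   192.0.2.0/24    a peer's network, reachable over the IXP port ixp0
#   198.51.100.0/24 "the rest of the Internet", reachable only via transit0
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# Routing tables.  Assumed equivalent ip(8) commands:
#   ip route add 203.0.113.0/24 dev lan0 table 100
#   ip route add unreachable default table 100        # no default for IXP traffic
#   ip route add 192.0.2.0/24 via <peer-ip> dev ixp0 table 200
#   ip route add default via <transit-gw> dev transit0 table 200
# Each entry is (prefix, outgoing interface or the special "unreachable").
TABLES = {
    100: [("203.0.113.0/24", "lan0"), ("0.0.0.0/0", "unreachable")],
    200: [("192.0.2.0/24", "ixp0"), ("0.0.0.0/0", "transit0")],
}

# Which table a packet is looked up in depends only on where it came in.
# Assumed equivalent:  ip rule add iif ixp0 lookup 100
#                      ip rule add iif lan0 lookup 200
RULES = {"ixp0": 100, "lan0": 200}


def lookup(table_id, dst):
    """Longest-prefix match of dst in one table; 'unreachable' if nothing matches."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, target in TABLES[table_id]:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else "unreachable"


def forward(iif, src, dst):
    """Forwarding decision for a packet (src -> dst) that arrived on iif.

    Returns ("forward", <outgoing interface>) or ("drop", <reason>).
    """
    src_ip = ipaddress.ip_address(src)
    # Per-interface source filter ("for lan0 allow only my internal src IPs").
    # Assumed equivalent:  ip rule add iif lan0 not from 203.0.113.0/24 blackhole
    #                      ip rule add iif ixp0 from 203.0.113.0/24 blackhole
    if iif == "lan0" and src_ip not in OUR_PREFIX:
        return ("drop", "spoofed source on lan0")
    if iif == "ixp0" and src_ip in OUR_PREFIX:
        return ("drop", "our own source arriving from the IXP")
    if iif not in RULES:
        return ("drop", "no rule for interface")
    oif = lookup(RULES[iif], dst)
    if oif == "unreachable":
        return ("drop", "unreachable in table %d" % RULES[iif])
    return ("forward", oif)


if __name__ == "__main__":
    # Constructed packets: the interesting one is the peer trying to use us
    # as its default route towards 198.51.100.10 (the "Internet").
    samples = [
        ("ixp0", "192.0.2.9", "198.51.100.10"),   # peer abusing us for transit
        ("ixp0", "192.0.2.9", "203.0.113.7"),     # peer reaching our network
        ("lan0", "203.0.113.7", "198.51.100.10"), # our host going to the Internet
        ("lan0", "203.0.113.7", "192.0.2.9"),     # our host reaching the peer
        ("lan0", "10.0.0.1", "198.51.100.10"),    # spoofed source inside our LAN
        ("ixp0", "203.0.113.5", "198.51.100.10"), # our address injected at the IXP
    ]
    for iif, src, dst in samples:
        print("%-5s %-13s -> %-14s %s" % (iif, src, dst, forward(iif, src, dst)))
```

Note that the model keeps the source check separate from the table lookup, as the kernel does: the lookup decides only by destination, which is why a default route in table 100 would hand the peer free transit no matter how the source rules are written.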


More information about the Bird-users mailing list