Black Hat OSPF Vulnerabilities: Much Ado About Nothing

Imagine a group of researchers planning to speak at a conference regarding a previously undiscovered vulnerability present in most homes that would allow a thief to rob your home of its valuables with complete ease.  You would probably be interested in hearing what they had to say so you could take the necessary precautions to protect your home.

Now imagine when they presented their findings, they went on to state that it was incredibly easy to do, so long as you left your front door open and also provided them with the security code for any alarm systems.  You would probably find this implausible and simply the proliferation of fear, uncertainty, and doubt.

That's precisely what happened last week at the well-respected Black Hat security conference in Las Vegas when researchers from the Israel Institute of Technology and Advanced Defense Systems, Ltd. presented their findings of a serious vulnerability present in OSPF.  So serious in fact, the researchers stated the only way to properly mitigate the threat, short of fixing the protocol, is to switch to another routing protocol such as RIP or IS-IS.

The researchers went on to present their research of two previously undiscovered methods Continue reading

Monitoring an entire VLAN on a Layer 3 Switch

A recent and relatively quiet IOS release allows the Catalyst 2960 platform to perform limited Layer 3 Switching (See this thread and this blog post). There are limitations - for instance, it cannot run any sort of routing protocol, so routing must be done statically. Up to 16 static routes can be entered, and routing is limited to SVI’s (maximum of 8), as the platform is not able to route to or from a physical interface, like you’re able to do with most layer 3 switches.

Monitoring an entire VLAN on a Layer 3 Switch

A recent and relatively quiet IOS release allows the Catalyst 2960 platform to perform limited Layer 3 Switching (See this thread and this blog post). There are limitations - for instance, it cannot run any sort of routing protocol, so routing must be done statically. Up to 16 static routes can be entered, and routing is limited to SVI’s (maximum of 8), as the platform is not able to route to or from a physical interface, like you’re able to do with most layer 3 switches.

EIGRP Feasible Successors

Link state routing protocols maintain topology tables to determine the best candidate to place in the routing table. EIGRP is no different - it uses this topology table to build a vision of the network from the perspective of each participating router. This topology table is reviewed by the routing algorithm (in the case of EIGRP, it is DUAL) and decisions are made regarding what gets placed into the routing table.

EIGRP Feasible Successors

Link state routing protocols maintain topology tables to determine the best candidate to place in the routing table. EIGRP is no different - it uses this topology table to build a vision of the network from the perspective of each participating router. This topology table is reviewed by the routing algorithm (in the case of EIGRP, it is DUAL) and decisions are made regarding what gets placed into the routing table.

Nexus Two Way vPC Good to Know

The Scenario Quick overview of topology, two Nexus 7000s and two Nexus 5020s each with two 10Gig connections to each other. In other words, there’s a total of 40Gig between each switch, and they’re...

[[ Summary content only, you can read everything now, just visit the site for full story ]]

Ticket #17 – Repubished

Next ticket, Ticket 18, which will be about MPLS and Security will be published next month on CCIEFlyer.com, then it will be republished here again. ... • R1 was configured to be a backup for the DHCP server on R3. ... • However, the solution is not working and even if it was its too slow and unreliable.

The March to Merchant Silicon in 10Gbe Cloud Networking

The inevitable march towards merchant silicon for Ethernet switching is continuing with the announcement from Intel today that it is acquiring Fulcrum Microsystems. Fulcrum of course the silicon vendor that is the core of our low-latency switch family that is the most widely used switch across the world for high-frequency trading.

I wanted to share my thoughts on what this means for the industry going forward.

10 Gigabit Ethernet – the time is right:

First, virtually every new 10 Gigabit Switch announced this year is based on merchant silicon. We at Arista, of course, have been at the forefront of bringing multiple merchant switch architectures to market, but why all of the sudden this stampede?

The simple answer is that the technology advantages of merchant silicon in terms of throughput and cost-performance are so overwhelming compared to legacy platforms based on proprietary silicon designs, that merchant silicon is where the market is going.

New data centers that are built for the cloud require vastly more network scalability than the data center of yesterday. Throughput of servers has advanced at the speed of Moore’s law. The next generation of Intel server will have more than 100 times the throughput of the Continue reading

The Anatomy of “Show IP Route”

One of the most important skills to have when it comes to basic networking is the ability to look at a routing table and determine exactly where a packet will be routed when it comes to a router. Sometimes a routing table is relatively simple, and this process is easy. However, many times this is not the case. In large networks, especially networks that implement a hub and spoke design where core routers are often required to know hundreds of routes or more, this can be tedious.

The Anatomy of “Show IP Route”

One of the most important skills to have when it comes to basic networking is the ability to look at a routing table and determine exactly where a packet will be routed when it comes to a router. Sometimes a routing table is relatively simple, and this process is easy. However, many times this is not the case. In large networks, especially networks that implement a hub and spoke design where core routers are often required to know hundreds of routes or more, this can be tedious.

GRE Tunneling and Recursive Routing

 

When using a routing protocol over GRE tunnels you might end up learning the tunnel endpoint via the routing protocol. When the tunnel endpoint is preferred using the route learned from the routing protocol you end up with a flapping tunnel.

The router will detect this and generates a message:

%TUN-5-RECURDOWN: Tunnel1 temporarily disabled due to recursive routing

 

The easiest way to solve this is by using a static route to the tunnel endpoint.

If this is not allowed you can also use a prefix filter. This filter should block the advertisement of the tunnel endpoint prefix via the GRE tunnel. For example:

ip prefix-list FILTER_TUNNEL_ENDPOINT seq 5 deny 150.1.10.0/24

ip prefix-list FILTER_TUNNEL_ENDPOINT seq 10 permit 0.0.0.0/0 le 32

 

This will match the tunnel endpoint address (150.1.10.0/24), but allow the other prefixes.

Use this prefix-list to filter the outgoing advertisements on the tunnel interface.

router rip

 distribute-list prefix FILTER_TUNNEL_ENDPOINT out Tunnel1

Reliable Policy Routing

Reliable Policy Routing can be configured by using the "set ip next-hop verify-availability" statement in a route-map. There are two ways to verify the availability of the next-hop. One way is to use CDP. The other way is to use a tracked object (e.g. IP SLA).
 
Verify availability of next-hop using CDP:
 
route-map PBR_FROM_R3 permit 10
 match ip address FROM_R3_TO_R4
 set ip next-hop 155.1.0.5
 set ip next-hop verify-availability
 set ip default next-hop 155.1.146.4
 
Verify availability using a tracked object:
 
route-map PBR_FROM_R3 permit 20
 match ip address FROM_R3_TO_R5
 set ip next-hop verify-availability 155.1.146.4 1 track 1
 set ip default next-hop 155.1.0.5
 

EIGRP Route Filtering with NX-OS

Overview So we all know how to filter EIGRP routes; right? create a prefix-list or access-list then apply that to the routing process. You can also do offset-lists, all that good stuff. This is...

[[ Summary content only, you can read everything now, just visit the site for full story ]]

Policy Routing

 

Create one or more access-lists that specify what traffic should use policy routing.

ip access-list extended FROM_R4
 permit ip host 155.1.146.4 any

ip access-list extended FROM_R6
 permit ip host 155.1.146.6 any

Then create a route-map that will match the defined access-lists and specify an action.

route-map PBR permit 10
 match ip address FROM_R4
 set ip next-hop 155.1.13.3

route-map PBR permit 20
 match ip address FROM_R6
 set ip next-hop 155.1.0.5

route-map PBR permit 30
 # will match any other traffic

Tie the route-map to an interface to enable policy routing.

interface FastEthernet0/0
 ip policy route-map PBR

Usefull debug commands:

#debug ip policy

IP SLA & Enhanced object tracking

 

Create a SLA object to schedule a ping test

ip sla 1
 icmp-echo <ip address>
 frequency <in seconds>
ip sla schedule 1 life forever start-time now

Enable Enhanced Object tracking on the SLA

track 1 ip sla 1 reachability

Tie the tracked object to a static route

ip route 150.1.1.0 255.255.255.0 155.1.146.1 track 1

 

As soon as the ping test fails the static route will be removed from the routing table.

When there is another static route with a higher Administrative Distance this route will be injected into the routing table.

Once the ping test is successfull again the original static route will be injected again.

Usefull show commands:

#sh track 1
Track 1
  IP SLA 1 reachability
  Reachability is Up
    3 changes, last change 00:21:42
  Latest operation return code: OK
  Latest RTT (millisecs) 1
  Tracked by:
    STATIC-IP-ROUTING 0

#sh ip sla statistics 1
IPSLAs Latest Operation Statistics

IPSLA operation id: 1
Type of operation: icmp-echo
        Latest RTT: 1 milliseconds
Latest operation start time: *20:39:26.283 UTC Wed Jul 13 2011
Latest operation return code: OK
Number of successes: 417
Number of failures: 13
Operation time to live: Forever

Usefull debug commands:

#debug track

#debug ip routing

Juniper SRX Tips :: Altering Default-Deny Behavior

In our previous article, we looked at using apply-groups to alter all the security policies uniformly on an SRX device such that they would all have an implicit logging statement. And while this is fine for all existing policies, it doesn't log traffic which doesn't match any explicitly defined security policy.

The reason for this is due to the fact that in Junos, traffic which doesn't match an explicitly defined security policy matches against the default-deny policy.  However, given the fact that the default-deny policy is implicitly defined, apply-group configurations are of little benefit as apply-groups can only be inherited by those elements which have been explicitly defined.

Often in these cases, administrators will simply choose to create their own deny policies with the desired options and place this deny policy as the last policy for traffic going from one zone to another. However, in instances where there are many zones, it might prove too cumbersome and time consuming to manually configure this to accommodate all zones.

Clearly it would be more beneficial to have something akin to the Global Zone in ScreenOS which can be used to match on all traffic which doesn't match against any of Continue reading

Juniper SRX Tips :: Uniform Security Policy Modification

Often there are instances where we want to affect all security policies configured on an SRX device.  For example, let's say that we have thousands of policies configured on our firewall, and we want to enable logging for every single policy.  Obviously this would take some time if we were to do this manually on each and every individual policy, so an easier way is desired.

In ScreenOS we have the concept of a Global zone which acts as a container encompassing all zones, but to date, Junos does not support a similar functionality on the SRX. Furthermore, the Global zone doesn't affect existing policies but rather is way to apply a consistent policy to all Inter-zone and Intra-zone traffic that doesn't match any of the existing policies.

However, despite all of this, there is in fact a methodology we can use to uniformly modify all of the existing security policies on our box, in a manner that is actually much more powerful than what is accomplished in ScreenOS with the Global zone.

Let's take a look.  First, let's say we have some policies that we would like to enable logging on:

root@ce-1# show security policies
 Continue reading