Re: Routing and security

Сергей Попович popovich_sergei at mail.ru
Tue Dec 3 14:13:20 CET 2013




Вторник,  3 декабря 2013, 13:04 +01:00 от Alessandro Brega <alessandro.brega1 at gmail.com>:
>Hi guys,
>right now I have a quagga router, but I'm open to switch to bird if it makes sense and helps me with my problem below.
>My router has two transit neighbors and announcing my own IP space. I recently joined a public peering exchange (IXP) and so I'm part of their local network (/24), together with all other participants. So far everything works fine.
>Now for security I wonder if other participants could not simply route all their outgoing traffic through me? For example what happens if any other participant would point a default route to my IXP ip. If I understand correctly all outgoing traffic from that participant would then go to my router which would route it to the internet using my transit uplink, right?
>So I wonder if I have to take any measures against it. My ideas are:
>* 
>Setup firewall (iptables) rules so that only traffic with a destination of my own IP space is accepted from other IXP participant. Drop any other traffic from IXP participants.
>* 
>Somehow make quagga use a different kernel routing table for each neighbor (or peer-group). The routing table for the IXP neighbors would not contain any entries except for my own IP space and so no routing using my ip transit uplinks would occur. Looking at the output of ip rule showshows quagga is not doing this automatically? Would bird do this automatically? Not sure about quagga and multiple kernel routing tables (at least without external patch), but BIRD supports multiple routing tables internally and each internal table could be attached and synchronized with kernel. By using Linux PBR (Policy-Based Routing) mechanisms (see ip-rule(8) for more information) you could accomplish task in your second setup (different kernel routing tables).

An minimal PBR config might look like this:
-----------------------------------------------------

ip -4 rule add pref 10000 iif <iface2ixp> table ixp
ip -4 rule add pref 10000 iif lo from <ip_on_iface2ixp> table ixp

(do not forget to add mapping between symbolic name of the routing table "ixp" and routing table number to /etc/iproute2/rt_tables)

In BIRD configuration you should create routing table instance, attach kernel syncer protocol to it (kernel protocol).
Populate routing table at least with following routes: directly connected network on <iface2ixp> (needed to establish
sessions with IXP RSes for example), routes to your ip space, blackhole default route (to match all other routes not in table
and drop traffic).

Am I on the right track? How do other routers like bord or hardware routers (cisco, juniper, ..) deal with this problem?

>Thank you for any help!
>Alessandro

--
SP5474-RIPE
Sergey Popovich
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20131203/182e40f6/attachment-0001.html>


More information about the Bird-users mailing list