Routing and security
Eliezer Croitoru
eliezer at ngtech.co.il
Thu Dec 5 05:50:16 CET 2013
Hey Alessandro,
As for your question:
There are two levels that you should consider as to whether this can or cannot happen.
If your network has a couple of peers and, for example, the end of the fiber
optic cable is attached at the IXP to a machine that you *own*, you will
see one thing.
Whereas if your machine is at the other end of the cable and a switch that
is owned by the IXP is managing the traffic, your strategy would be
different.
Since IXPs have rules, every participant would be obligated not to abuse
other peers without at least contacting the IXP or ISP management.
If one of the peers is found abusing you, he will eventually need
to pay for the *usage* of bandwidth, since it's the same thing as using
your friend's car without permission.
Most public IXP ISPs or companies would not try to abuse other peers
intentionally, but sometimes it can happen that an automated system was
missing a "column" or whatever and someone made a mistake.
It would be preferable to define a rule in the switch that would not
allow any "rogue" traffic to be dropped/blocked, but this is not a
security measure, rather a smart thing to implement if possible.
The basic general rule is to use a policy routing rule that applies to a
specific interface and specific traffic.
For example: "for interface0 allow only traffic from my internal src IPs".
This will protect you from rogue clients inside your network posing as
other IP addresses.
But this logic is more of a FIREWALL and/or IPTABLES logic.
In a router you don't want any unneeded processing above the
routing level!
When you use a tool like PING, for example, and the kernel determines that
there is no "route" in the routing table which matches the host, it will
print in the terminal something like "no route to this host".
Inside a router it's another story, at a completely lower level in the
kernel.
The kernel "catches" a packet from the interface and puts it into the
corresponding routing "table", which then, if and only if a "best"
matching route is found, will use it to just "put" the packet onto the
cable again towards the next router in the network, changing a couple of tiny
bits of binary data.
There should not be a "default" route in use in the router that also applies
to the *forwarded* traffic.
(I will not say anything regarding using a default route globally)
Once you have a routing policy which "throws" the traffic that is either
flowing from your network IP masks or flowing towards your IP masks to
the right interfaces, you can throw it towards the right routing table
which contains only the needed routes.
Remember that the packet has only one IP address as src and one IP
address as dst, which can be matched for two different interfaces, but
there are packets that will never contain a src IP address on a specific
interface.
If you must use IPTABLES for securing your router host, there is a
NOTRACK module in IPTABLES which should assist you in avoiding any
connection tracking for the FORWARD table, removing any unneeded load
on the kernel and kernel module operations.
I have read something about using packet MARKING (not
connection marking) and IPTABLES, which can help when applying dynamic
rules on LB routers.
One system that can demonstrate a Linux routing system setup would be
VYATTA, which already uses quagga.
The algorithm that Cisco or Juniper apply, which you asked about, is
not public (to me), and in the case of a Linux kernel it would not even
make sense to look at their settings or code.
It sounds to me like "I have a drill and I want to put a nail in the
wall".
I would just first ask at the IXP what administrative rules they have
and what basic support I have from them in case I need
their help to block some traffic, or even to contact the abuser by phone or
knock on his office/home door.
Traffic flowing towards your router does add overhead to the CPU and
power consumption if it continues for a long period of time.
Regards,
Eliezer
On 03/12/13 14:04, Alessandro Brega wrote:
> Now for security I wonder if other participants could not simply route
> all their outgoing traffic through me? For example what happens if any
> other participant would point a default route to my IXP ip. If I
> understand correctly all outgoing traffic from that participant would
> then go to my router which would route it to the internet using my
> transit uplink, right?
>
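The decision logic Eliezer describes (a per-ingress-interface routing table with no default route for traffic arriving from the IXP, plus a source-address check on the internal interface), as an added worked example that is not part of the original thread or of BIRD. It is a small Python model, not a Linux configuration: the prefixes, interface names and peer addresses are made up, and the "naive" router is included only to show the setup Alessandro is worried about beside the hardened one.

```python
"""Added example, not from the original thread or from BIRD: a small Python
model of the per-interface policy routing described in the reply. It shows why
a peer that points its default route at your IXP address cannot ride your
transit when forwarded traffic arriving on the IXP port is looked up only in a
table of your own prefixes (no default route), and why an ingress source check
stops spoofed traffic from inside. Interface names, prefixes and peer addresses
are made up for the example."""
from dataclasses import dataclass, field
from typing import List, Optional
import ipaddress

# Hypothetical topology (all addresses from documentation ranges).
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]
PEER_PREFIX = ipaddress.ip_network("192.0.2.0/24")   # a peer's prefix learned at the IXP
IFACE_INTERNAL = "eth0"   # towards our own customers
IFACE_TRANSIT = "eth1"    # towards our upstream; this is where the default route points
IFACE_IXP = "eth2"        # towards the IXP switch


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str                 # egress interface for matching packets


@dataclass
class RoutingTable:
    name: str
    routes: List[Route] = field(default_factory=list)

    def lookup(self, dst: ipaddress.IPv4Address) -> Optional[Route]:
        """Longest-prefix match. None means 'no route': the packet is dropped."""
        best = None
        for r in self.routes:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


@dataclass
class PolicyRule:
    in_iface: str                              # packets arriving here ...
    table: RoutingTable                        # ... are looked up in this table
    allowed_src: Optional[List[ipaddress.IPv4Network]] = None  # None = no source check


class PolicyRouter:
    def __init__(self, rules: List[PolicyRule]):
        self.rules = rules

    def forward(self, in_iface: str, src: str, dst: str):
        """Return (decision, egress_iface, reason) for one forwarded packet."""
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        rule = next((r for r in self.rules if r.in_iface == in_iface), None)
        if rule is None:
            return ("drop", None, f"no policy rule for packets arriving on {in_iface}")
        if rule.allowed_src is not None and not any(src_ip in p for p in rule.allowed_src):
            return ("drop", None, f"source {src_ip} is not allowed on {in_iface} (spoofed)")
        route = rule.table.lookup(dst_ip)
        if route is None:
            return ("drop", None, f"no route to {dst_ip} in table '{rule.table.name}'")
        return ("forward", route.iface, f"table '{rule.table.name}': {route.prefix} via {route.iface}")


def hardened_router() -> PolicyRouter:
    """Per-interface tables: the IXP-facing table holds only our prefixes."""
    own_routes = [Route(p, IFACE_INTERNAL) for p in OWN_PREFIXES]
    ixp_in = RoutingTable("ixp-in", list(own_routes))      # deliberately no 0.0.0.0/0
    main = RoutingTable("main", own_routes + [
        Route(PEER_PREFIX, IFACE_IXP),
        Route(ipaddress.ip_network("0.0.0.0/0"), IFACE_TRANSIT),
    ])
    return PolicyRouter([
        PolicyRule(IFACE_INTERNAL, main, allowed_src=OWN_PREFIXES),  # only our own sources may leave
        PolicyRule(IFACE_IXP, ixp_in),       # peers may only reach our prefixes
        PolicyRule(IFACE_TRANSIT, ixp_in),   # same for traffic coming from upstream
    ])


def naive_router() -> PolicyRouter:
    """One table with a default route for every interface: the setup the question worries about."""
    main = RoutingTable("main", [Route(p, IFACE_INTERNAL) for p in OWN_PREFIXES] + [
        Route(PEER_PREFIX, IFACE_IXP),
        Route(ipaddress.ip_network("0.0.0.0/0"), IFACE_TRANSIT),
    ])
    return PolicyRouter([PolicyRule(i, main) for i in (IFACE_INTERNAL, IFACE_IXP, IFACE_TRANSIT)])


if __name__ == "__main__":
    # A peer at the IXP sends Internet-bound traffic to us (its default route points at us).
    for label, router in (("naive", naive_router()), ("hardened", hardened_router())):
        print(label, router.forward(IFACE_IXP, "192.0.2.10", "8.8.8.8"))        # transit theft?
        print(label, router.forward(IFACE_IXP, "192.0.2.10", "203.0.113.5"))    # legitimate peering
        print(label, router.forward(IFACE_INTERNAL, "10.9.8.7", "8.8.8.8"))     # spoofed inside source
```

With the naive single table, the peer's 8.8.8.8 packet is forwarded out the transit interface, which is exactly the free-transit case from the question; with the hardened rules it is dropped as "no route" in the `ixp-in` table, while traffic to our own prefixes still flows. The rough Linux equivalent is an `ip rule add iif eth2 lookup <table>` pointing at a table that contains only your prefixes, with the source check done by the firewall (or reverse-path filtering) rather than by the routing lookup, as the reply notes.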