8/12/2019 3.1.7 - IP Routing
1/53
8 - 1
IP Routing SANS 2000- 2003 1
IP Routing
After completion of this section, the student will have a good foundation of how packets are routed
across IP networks. First we will examine the concept of static routing that most hosts use to decide
how to send traffic originating from the local host. We will also briefly introduce the Ethernet
protocol, since the majority of the IP network traffic is routed using this link layer medium. Much of
the traffic that needs to be routed is between hosts on the same physical network and that is where the
link layer comes into play.
Routing protocols provide the basis by which information is transferred between hosts on the
Internet. We'll look at these protocols that provide for dynamic routing. They are divided into major
categories based on a specific operating environment. Besides explaining these various
environments, we will examine their potential strengths and weaknesses. Furthermore, we will
attempt to provide a basic overview of how the different protocols are susceptible to attack and how
some of these threats can be mitigated through simple router configuration changes.
Objectives
Static Routing
Sending packets from the local host
Address Resolution Protocol (ARP)
IP to link layer resolution
Examples of malicious activity
IP Options
Loose source routing
Strict source routing
Dynamic Routing Protocols
Interior Gateway Protocols
Exterior Gateway Protocols
Multicast Routing
Sending packets to multiple hosts
The Objectives slide outlines the different topics that we will be covering. First, we will look at
static routing which hosts employ to send traffic. Then, we'll examine the protocols involved in the
transmission of packets on the local network. This will be followed by a discussion of IP options and
how they can be used to alter the course of packets as they travel toward their destination.
Then various protocols that govern how packets traverse IP networks will be investigated.
Specifically, we will examine all of the protocols that affect the transmission of a packet from one
host to another. This transmittal can be as simple as sending a packet from one host to another on the
same local subnet, or as complex as sending a packet across the world. Finally, we'll examine
multicast routing to send traffic to multiple hosts in a network.
Static Routing
All hosts, whether they are routers or not, have to be able to make initial decisions about how to
send traffic from the local host. They maintain a basic list known as a routing table that directs
traffic from the local host based on its final destination. This table is referenced often by the host
sending traffic, yet it is not updated very frequently, hence the name static routing.
In this section, we will examine the types of decisions hosts need to make about routing traffic and
some of the susceptibilities and exploits associated with static routing.
Local Routing Table
netstat -rn
Routing Table:
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ------ ---------
1.2.3.0 1.2.3.4 U 3 5 le0
127.0.0.1 127.0.0.1 UH 0 472 lo0
default 1.2.3.1 UG 0 5444
Look at the Local Routing Table slide to see a Unix host's relatively static list of routes. The routing
decisions are made based on the destination of the traffic that is to be sent. This table was generated
using the netstat command with the -r and -n options, which list the routing table without trying to
resolve IP addresses to host names. This routing table is for host 1.2.3.4 on the 1.2.3.0 network.
The first line in the table says that any traffic bound for the 1.2.3.0 network should be directed through
the local host 1.2.3.4 using interface le0, which is one of its network interface designations. The flag U
says that this route is up, the reference count indicates how many current connections are established
through that interface, and the use column indicates how many packets have traveled through the
interface.
The second line is for the local loopback address that is designated as 127.0.0.1. Some processes such as
X terminal applications require that the host talk to itself and this is the interface through which that
occurs.
The final line indicates the default destination to which traffic should be sent if it doesn't match any of the
other destinations in the routing table. This is a default gateway (noted with the G in the Flags column)
which is a router that will forward the traffic and direct it a hop closer to its final destination. This is used
for traffic that is destined for somewhere other than the 1.2.3.0 network and the local host.
Static Routing Decisions
IP layer searches the routing table in the following manner:
Search for a matching destination host address
Search for a matching destination network address
Search for a default entry
Turning to slide Static Routing Decisions, we see how the IP layer uses a routing mechanism to
decide which interface to direct traffic to. If the destination host matches a routing table
destination entry, the traffic is routed through the corresponding interface. If there is no such
matching entry, then the destination address is compared against all the routing table destination
entries to see if the network addresses match. The network address is determined by combining the
specified IP address and the subnet mask for the network. The first match is sent to the specified
network interface. Finally, if nothing else matches, the traffic is sent to the interface with the default
designation. This is usually a router on the same local network that will forward the traffic
to the destination.
Many hosts do not act as routers, meaning that they do not forward traffic received through one
interface to another interface. Yet, they still need to be able to route traffic generated on the local
host to the correct interface. This is an important distinction.
How Are Routes Added?
Static routes are typically added during the boot process
Administrative changes can be made with the route command
ICMP router discovery messages
The next topic of discussion, How Are Routes Added?, is found on the following slide. Since
these routes are fairly static, they should be assigned during the boot process and remain mostly
unchanged. Some Unix systems have a file /etc/defaultrouter that initializes the routes; others
configure the routes in the boot scripts using the route command. The route command can be used
by the administrator to make changes for new interfaces.
Another way for a host to receive initial routes after the boot process is to issue a router solicitation
message using ICMP router discovery. Routers can respond to these solicitations to inform the host
of the router IP addresses along with a lifetime or number of seconds that the advertised router
addresses are considered to be valid.
How Are Routes Changed?
ICMP redirect messages
ICMP router discovery messages
Slide How Are Routes Changed? lists the ways in which a relatively static routing table can be
informed of best routes or changing conditions on the network. A host might have entries in the
routing table that are not the most efficient ones. When this happens, ICMP redirect messages are
sent to the host by a router that detects it is not the optimum router to be used. The host will adjust
its routing table to use a more optimum router when sending traffic the next time to the destination
address that elicited the message.
Hosts that use the ICMP router discovery protocol (IRDP) can receive periodic advertisements of
available routers. They can change their routing tables to reflect any new information received. A
router must support IRDP and have it turned on to issue these advertisements or respond to
solicitations. Cisco routers have IRDP turned off by default.
Redirect
(slide diagram: a misguided sending host, a non-optimum router, an optimum router and the target host; the sending host sends the datagram to the target host via the non-optimum router, which delivers it and tells the sender to use the optimum router next time)
non-optimum.router > sending.host : icmp: redirect target.host to host optimum.router
The ICMP Redirect message discussed on the next slide allows a router to tell a sending host that
it is not the optimum router to be used for sending the traffic to the desired destination. The non-
optimum router forwards the traffic to the destination, but informs the sending host to change its
routing table so that a more optimum router is chosen the next time traffic is sent to the same
destination host.
In the case of the above slide, we have a misguided sending host attempting to send traffic to the
target host. It routes the traffic through the non-optimum router that forwards the traffic. However,
it issues an ICMP redirect to the misguided sending host to use the optimum router the next time.
Most hosts will perform some checks before changing their routing tables:
1) The optimum router must be on the directly connected network
2) The redirect must be from the non-optimum router that was attempted
3) The redirect must not tell the host to use itself as the optimum router
4) The optimum router must be a router and not a host
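As an added example (not from the course material), the following Python models the three-step table search described under Static Routing Decisions and the four checks a host applies before honouring an ICMP redirect. The table is the one on the Local Routing Table slide; the /24 mask, the le0 interface on the default entry, the optimum router 1.2.3.2 and the set of known routers are assumptions.

```python
"""Host routing table: the three-step lookup and the ICMP redirect sanity checks.

Added example, not part of the SANS course material. Mirrors the netstat output
on the Local Routing Table slide for host 1.2.3.4; the /24 mask, the interface
of the default entry and the router addresses used below are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Set


@dataclass
class Route:
    dest: Optional[IPv4Network]     # None marks the default entry
    gateway: IPv4Address
    interface: str
    flags: str                      # U up, H host route, G via gateway, D added by redirect


def lookup(table: List[Route], dst: str) -> Route:
    """Search order from the Static Routing Decisions slide: host, network, default."""
    addr = IPv4Address(dst)
    for r in table:                                        # 1. matching destination host
        if r.dest is not None and "H" in r.flags and addr == r.dest.network_address:
            return r
    for r in table:                                        # 2. first matching network
        if r.dest is not None and "H" not in r.flags and addr in r.dest:
            return r
    for r in table:                                        # 3. default entry
        if r.dest is None:
            return r
    raise LookupError(f"no route to {dst}")


@dataclass
class Host:
    address: IPv4Address
    local_net: IPv4Network
    known_routers: Set[IPv4Address]                        # stands in for check 4 (assumption)
    table: List[Route] = field(default_factory=list)

    def handle_redirect(self, icmp_src: str, target: str, new_gateway: str) -> bool:
        """The four checks from the Redirect slide; a host route is installed only if all pass."""
        src, gw = IPv4Address(icmp_src), IPv4Address(new_gateway)
        if gw not in self.local_net:                       # 1. must be on the directly connected net
            return False
        if lookup(self.table, target).gateway != src:      # 2. must come from the router we used
            return False
        if gw == self.address:                             # 3. must not tell us to use ourselves
            return False
        if gw not in self.known_routers:                   # 4. must be a router, not a host
            return False
        iface = lookup(self.table, new_gateway).interface
        self.table.insert(0, Route(IPv4Network(f"{target}/32"), gw, iface, "UGHD"))
        return True


def slide_host() -> Host:
    """Host 1.2.3.4 with the three entries shown by netstat -rn on the slide."""
    host = Host(IPv4Address("1.2.3.4"), IPv4Network("1.2.3.0/24"),
                {IPv4Address("1.2.3.1"), IPv4Address("1.2.3.2")})  # 1.2.3.2: assumed optimum router
    host.table = [
        Route(IPv4Network("1.2.3.0/24"), IPv4Address("1.2.3.4"), "le0", "U"),
        Route(IPv4Network("127.0.0.1/32"), IPv4Address("127.0.0.1"), "lo0", "UH"),
        Route(None, IPv4Address("1.2.3.1"), "le0", "UG"),             # interface assumed
    ]
    return host


if __name__ == "__main__":
    h = slide_host()
    print("10.0.0.5 via", lookup(h.table, "10.0.0.5").gateway)
    print("redirect from 1.2.3.99 accepted:", h.handle_redirect("1.2.3.99", "10.0.0.5", "1.2.3.2"))
    print("redirect from 1.2.3.1 accepted:", h.handle_redirect("1.2.3.1", "10.0.0.5", "1.2.3.2"))
    print("10.0.0.5 via", lookup(h.table, "10.0.0.5").gateway)
```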
IRDP DoS Exploit
spoofing.host > duped.host : icmp: router advertisement
(slide diagram: duped.host normally routes through default.router; the IRDP message from spoofing.host installs a redirected default route to 4.4.4.4, a black hole)
Now, for a different type of scenario for malicious ICMP messages, look at the next slide IRDP
DoS Exploit. In this case, we have a local or remote host that spoofs an ICMP router discovery
protocol router advertisement.
The duped.host listens for IRDP advertisements, receives one from spoofing.host, and changes its
routing table so that the default router is 4.4.4.4. Router 4.4.4.4 does not exist or is not accessible to
duped.host on the local network. So, all traffic that duped.host sends outbound will end up in a black
hole essentially causing a denial of service for outbound traffic for duped.host.
A router must support IRDP and have it turned on in order for this exploit to work. Cisco routers
support IRDP, but they have it turned off by default.
IRDP Windows Exploit
(slide diagram: windows.host 192.168.59.181 normally uses default.router 192.168.59.1; an ICMP router advertisement from spoofing.host 192.168.59.5 installs a redirected default route)
Network Dest Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.59.1 192.168.59.181 1 (actual router)
0.0.0.0 0.0.0.0 192.168.59.5 192.168.59.181 0 (bogus router)
Let's examine an IRDP attack seen on the slide IRDP Windows Exploit. As the name implies, this attack is
mostly limited to Windows hosts (95, 98 and 2000), although some Solaris hosts are susceptible too. If a
Windows host runs as a Dynamic Host Configuration Protocol (DHCP) client, it will obtain its default route
from the DHCP server. However, using IRDP Router Advertisements, a Windows host can be convinced to
use a different (incorrect) default route.
As you've no doubt witnessed from previous IRDP exploits, the ICMP Router Advertisement packets have no
way to authenticate that the sender is a legitimate trusted host. Therefore, if we can dupe the Windows host
into believing an incorrect default route, we can reroute data leaving the targeted host.
The means by which this is done is by sending a Router Advertisement that contains two or more router
addresses to the target Windows host. Normally, if just one router address is included in the Router
Advertisement, the receiving host examines the source IP to make sure it is in the same subnet. However,
this check is erroneously not applied to subsequent addresses in the Router Advertisement. Therefore,
a host outside the network can spoof multiple Router Advertisements and send them to the target host
(assuming the site does not block this type of ICMP message inbound).
Another field in the Router Advertisement tells the metric to be used. The formula for computing this for
Windows hosts is to subtract 1000 from the received metric value. In other words, if the metric in the Router
Advertisement that is sent is 1000, the receiving host will assign a metric of 0 to this route. What this
effectively does is give this metric a higher precedence than the existing default router entry with a default
metric of 1. Look at part of the Windows routing table above to see the default and bogus entries. At this
point, traffic will be redirected to the default router assigned by the Router Advertisement packet with a metric
of 0. The man-in-the-middle host would then have to have IP forwarding on to send the wayward packets
through the real router.
This attack was submitted for GIAC certification by Kevin Black. Many thanks to Kevin for his great
analysis.
Static Routing Review
Hosts maintain tables of destination routes
These tables are normally static
Initialized by boot scripts or IRDP
ICMP messages can change entries
Slide Static Routing Review summarizes what we've learned in this section. Each host has a
routing table that is the mechanism used by the IP layer to direct traffic from the host to the correct
interface and closer to its destination. This is called static routing because these tables are relatively
stable and are initialized with boot scripts or by using the ICMP router discovery protocol to populate the table.
Changes can be made to the routing tables using two different ICMP messages. The ICMP redirect
message informs the sending host that a given router used to send traffic to a given destination is not
the best one and informs the host of the better router. Also, IRDP messages inform the host of
changing conditions on the network and allow it to update its routing tables accordingly. As you've
witnessed, ICMP has no way of authenticating whether received messages are genuine, and this is
sometimes exploited using man-in-the-middle or denial of service attacks. It is wise to disallow these
types of ICMP messages from entering your network from the outside.
Address Resolution Protocol (ARP)
Our next section begins with the Address Resolution Protocol slide. The basic foundation for the
movement of IP packets across a physical network is provided by the Address Resolution Protocol
(ARP). This protocol, specified by RFC 826, provides the mechanism by which a host can map an IP
address to a hardware address, as well as caching this information for efficiency.
Why do we need ARP?
Sending packets to hosts on the local subnet
Sending packets to the local gateway (Router)
Sending packets between adjacent gateways (Router to Router)
ARP provides a mechanism to determine the hardware addresses of hosts on the local network
Turning to the slide Why do we need ARP? we will examine exactly what the ARP protocol
provides us. Whenever computers communicate, they transmit packets which must travel from one
host to another host, usually via intermediate routers. While the IP address is used to route the packet
to its final destination, the packets travel from intermediate hop to intermediate hop using Media
Access Control (MAC) addresses. To make a distinction: the IP address is a "logical" address; the
MAC is more of a "hardware" address. ARP is concerned with mapping the "logical" address to the
"hardware" address.
To maximize efficiency, hosts maintain an ARP table that lists the local hosts that have been
communicating with it recently. The entries eventually time out if there is no communication with the
host in a specified period.
ARP Request
Initial ARP cache for host A:
IP Address MAC Address
172.21.164.50 00:E0:29:3D:B0:4D
arp who-has 172.21.164.75 tell 172.21.164.140
(slide diagram: hosts A 172.21.164.140, B 172.21.164.75 and C 172.21.164.110 on the same local network)
The next slide is entitled ARP Request. Host A wants to communicate with host B. Host A's
ARP cache does not contain an entry with B's IP address (172.21.164.75). Therefore, A broadcasts
an ARP request seeking the information. This request is broadcast to all of the hosts on the local
network, since A does not know which host has the IP address in question.
ARP Reply
Updated ARP cache for host A:
IP Address MAC Address
172.21.164.50 00:E0:29:3D:B0:4D
172.21.164.75 00:E0:29:44:48:82
arp reply 172.21.164.75 is-at 0:E0:29:44:48:82
(slide diagram: hosts A 172.21.164.140, B 172.21.164.75 and C 172.21.164.110 on the same local network)
Turning to the slide ARP Reply, we can see how A's ARP request is answered. After seeing the
ARP request for 172.21.164.75, host B sends an ARP reply to host A indicating that it is located at
00:E0:29:44:48:82.
When A receives this information it updates the ARP cache by adding an entry for 172.21.164.75.
Now host A can send packets to host B. And as long as the entry remains in the cache, host A does
not need to issue any more ARP requests to send datagrams to host B, because it now has the
hardware address of host B. Host B also caches the information from host A about its IP address and
MAC address.
Malicious ARP packets
arp reply 172.21.164.75 is-at 0:90:27:73:d1:31
Updated ARP cache for host A:
IP Address MAC Address
172.21.164.50 00:E0:29:3D:B0:4D
172.21.164.75 00:90:27:73:D1:31
(slide diagram: hosts A 172.21.164.140, B 172.21.164.75 and C 172.21.164.110, with C's MAC address 00:90:27:73:D1:31)
The next slide is Malicious ARP Packets. By altering a host's ARP table, an attacker can alter
the course that packets take. Although packets transmitted after the table alteration will contain the
correct IP address, they will fail to reach the correct destination because their MAC address is wrong.
In the example shown on the previous slide, host A's ARP table contains an entry for host B. Host
C now sends out an unsolicited ARP reply to A stating that host B is at host C's MAC address (using
the source IP address of B in the reply). Host A updates its ARP table, thinking that the information
came from B. Now any packets that A tries to send to B will be redirected to host C. In this
example, host C has launched a successful ARP spoofing attack against A. Host C can now exploit
any trust relationships between hosts A and B.
One saving note is that ARP messages are only valid on the local network. They will not cross a
router. Therefore, to perform these malicious ARP spoofing attacks, the attacker must reside on the
local network.
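As an added example (not from the course material), the following Python replays the ARP exchange from the three ARP slides in the text format tcpdump uses and flags what a monitoring host on the segment can observe: a reply that no request solicited, and an IP address whose MAC address changes. The trace lines are constructed from the addresses on the slides.

```python
"""Detect ARP cache poisoning in tcpdump-style ARP lines.

Added example, not part of the SANS course material. The trace is constructed
from the addresses on the ARP Request, ARP Reply and Malicious ARP Packets
slides, written in the text format tcpdump uses for ARP.
"""
import re
from collections import defaultdict

REQUEST = re.compile(r"arp who-has (\S+) tell (\S+)")
REPLY = re.compile(r"arp reply (\S+) is-at (\S+)")


def norm_mac(mac):
    """tcpdump strips leading zeros (0:E0:29:...); normalise to 00:e0:29:... for comparison."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


class ArpMonitor:
    """Passive observer on the segment: learns IP->MAC from replies and raises alerts."""

    def __init__(self):
        self.cache = {}                     # ip -> mac, as a host's ARP cache would hold it
        self.pending = defaultdict(set)     # ip asked about -> requesters still waiting
        self.alerts = []

    def feed(self, line):
        m = REQUEST.search(line)
        if m:
            target, asker = m.groups()
            self.pending[target].add(asker)
            return
        m = REPLY.search(line)
        if not m:
            return
        ip, mac = m.group(1), norm_mac(m.group(2))
        if self.pending[ip]:
            self.pending[ip].clear()
        else:
            # Nobody asked: this is how host C poisons A on the slide. A gratuitous ARP
            # sent by a host at boot looks the same, so treat this as an indicator only.
            self.alerts.append(f"unsolicited reply: {ip} is-at {mac}")
        old = self.cache.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"mac change: {ip} {old} -> {mac}")
        self.cache[ip] = mac


def scan(lines):
    """Run the monitor over a trace; return (learned cache, alerts)."""
    mon = ArpMonitor()
    for line in lines:
        mon.feed(line)
    return mon.cache, mon.alerts


# Constructed trace, in slide order: A (.140) asks for B (.75), B answers,
# then C answers for B's address with its own MAC.
SAMPLE_TRACE = [
    "arp who-has 172.21.164.75 tell 172.21.164.140",
    "arp reply 172.21.164.75 is-at 0:E0:29:44:48:82",
    "arp reply 172.21.164.75 is-at 0:90:27:73:d1:31",
]

if __name__ == "__main__":
    cache, alerts = scan(SAMPLE_TRACE)
    print(cache)
    for alert in alerts:
        print("ALERT", alert)
```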
ARP Theory Review
ARP cache maps IP addresses to MAC addresses
On physical networks, IP packets travel from hop to hop via MAC addresses
Many hosts accept unsolicited ARP replies, allowing spoofing attacks
Hosts cache ARP entries in a table for efficiency
ARP spoofing attacks can only be launched on the local network
Wrapping up this section with ARP Theory Review, you've learned that ARP is the mechanism that
maps IP addresses to MAC addresses. All IP datagrams are sent using MAC addresses. They are
hardware addresses of the medium that the packet must travel over. Those sent outside the local
network are addressed to the router's hardware address.
A host has no way of authenticating that ARP replies are genuine and is susceptible to accepting and
caching MAC addresses that might not reflect the true host. ARP is a protocol that is limited to the
local network and is not routable.
IP Options
The next section begins with the slide IP Options. The IP options are specified in detail in RFC
791, Internet Protocol. They are appended to the end of the IP header and get processed by each
router as the packet travels to its destination. As the Internet has grown, however, these options have
become unnecessary. Processing IP options actually reduces the performance of a router because the
options field is of variable length. Nevertheless, several of the options can be used in a malicious
fashion to attack or gain reconnaissance on a network.
By understanding how these options can be misused, an administrator can take proactive steps to
ensure that these malicious packets do not enter their networks. Secondly, they will be able to look
for these packets to verify that their protective measures are configured correctly.
What are IP options?
Security
Loose Source Routing
Strict Source Routing
Record Route
Stream Identification
Internet Timestamp
These options represent potential security holes that can be used to attack your network.
The next slide is What are IP Options?. Initially these options were designed as an enhancement
to the IP protocol to perform specific functions and provide alternate methods of tracking and routing
packets. The IP options are:
Security
Loose Source Routing
Strict Source Routing
Record Route
Stream ID
Internet Timestamp
The main options that we are interested in are the three that deal with routing: Loose Source Routing,
Strict Source Routing and Record Route. Two of these options alter the normal path that a routed packet
would take as it travels through a network, while the third option records the path that a packet takes. By
altering the normal route, these options (if supported) can pose a tremendous risk to the security of the
network by bypassing security mechanisms such as firewalls and Intrusion Detection Systems.
IP Route Options
Option layout: code | length | ptr | IP Address #1 | IP Address #2 | IP Address #3 | ... | IP Address #9
Codes
0x83 - Loose Source Route Option
0x89 - Strict Source Route Option
0x07 - Record Route Option
On the slide IP Route Options the format for the IP options that involve routing is displayed. The
code field defines the type of IP option that is being specified. The length field is used to determine
the number of IP addresses in the list. And finally, the ptr field references which IP address we are
currently at in the option list.
For Loose Source Routing and Strict Source Routing, the initiating host must construct the whole IP
routing list. Each gateway along the way inspects the list. If the pointer is greater than the length,
then the list is exhausted and the gateway routes the packet to its destination. If not, the gateway
fetches the IP address pointed to by the pointer, puts its own IP address in that field and routes the
packet to the address it fetched from the list. Just like record route, when the packet reaches its
destination, it has a list of IP addresses through which it traveled.
For Record Route, the list is empty and accumulates IP addresses as the packet is routed across the
network to its destination.
Loose Source Routing
Loose source routing specifies only some of the intermediate hops on the route. The example illustrates a loose
source route through Y.
(slide diagram: host A, routers P, R, Y and D, and host X; the normal route is shown alongside the loose source route, which must travel through router Y)
The next slide is Loose Source Routing. Loose source routing specifies a route that includes a list
of required nodes through which the packet must traverse. In the example shown, the option list
will initially contain the IP address Y. The initiating host uses the option address Y as the destination
address for the packet and places the address X on the option list.
Loose Source routing refers to the fact that any number of intermediate routers may be traversed
between the routers listed in the options list. In our example, the first hop does not happen to be Y.
Instead, the packet must first go through P to reach Y. The packet will take whatever hops necessary
to get from the source host A to the router Y and then from the router Y to the destination host X.
Strict Source Routing
Strict source routing specifies a group of up to 9 intermediate routers, beginning at the source address, that the
packets must traverse. The example illustrates a strict route through P, Y, D.
(slide diagram: host A, routers P, R, Y and D, and host X; the normal route is shown alongside the strict source route through P, Y and D)
The next slide is Strict Source Routing. Strict source routing specifies the exact route that a
packet will travel between two hosts for up to the first 9 hops. In the example shown, the original
option address list consists of P, Y, and D. The initiating host takes P and uses it as the address of
the initial packet and places the true destination, X, as the last entry in the option address list, which
then becomes Y, D, and X.
As the packet is routed through the network, each router compares its address to the destination
address of the packet. If they match, then the next address on the option list becomes the new
destination and the ptr is incremented. If the addresses do not match, then the packet is dropped and
an ICMP error message is returned to the initiating host.
If the end of the option list is reached before the final destination is reached, then routing proceeds
normally, until the final destination is reached.
Strict Source routing refers to the fact that the list of routers must be followed exactly as specified in
the option list without any intervening routers, until the list is exhausted.
Record Route Option
The Record Route Option will collect the addresses of all of the routers that the packet went through.
(slide diagram: host A, routers P, R, Y and D, and host X)
The final option is covered by the slide labeled Record Route Option. Unlike the previous IP
options that we have discussed, the record route option does not alter the routing of the packet. It
simply records the addresses of all of the routers that the packet travels through. This information
represents extremely valuable reconnaissance information to an attacker.
In the example shown on the slide, the IP option list will contain the following addresses that were
discovered during its traversal from host A to host X: P, D, and R.
Detecting Source Routing
IP header is greater than 20 bytes
IP option field has a hexadecimal value of 83 (loose source routing) or 89 (strict source routing)
tcpdump filter: ip[0] & 0x0f > 5 and (ip[20] = 0x83 or ip[20] = 0x89)
14:19:31.800000 1.2.3.4 > 192.168.5.5: icmp: echo reply (DF)
4f00 0028 b5cb 4000 fe01 b229 0102 0304
c0a8 0505 8327 0402 0304 0501 0101 0102 etc.
(the IP header length is the low nibble of the first byte, 4f; the IP options begin with 8327 in the second line)
Examine the next slide Detecting Source Routing. First, we have to detect an IP header of greater
than 20 bytes. The IP header length is stored in the first byte of the IP header in the low order nibble.
Values are given in 32-bit words (4 bytes), so an IP header length of greater than 5 might indicate an IP
option. Next, we look at the first byte of the IP option field, which is found at offset 20 of the IP
header (ip[20]). Specifically, if we find a value of 83 or 89 in that byte, we can assume we've got source
routing.
We see where we've detected some traffic that appears to be source routed. We have to dump the
tcpdump output in hexadecimal (-x option of tcpdump) to verify that this is the case. You see that the
IP header length is set to the maximum value of a hexadecimal f, which is a decimal 15. So, we have a
header length of the maximum 60 bytes. We see that this is loose source routing because we find a
value of 83 in the IP options header.
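As an added example (not part of the course material), the following Python applies the slide's detection rule to a constructed packet, decodes the code/length/ptr/address layout from the IP Route Options slide and replays the per-gateway processing of a loose source route described there. The hop addresses 10.0.0.1 to 10.0.0.3 are made up; 1.2.3.4 and 192.168.5.5 are taken from the trace on the slide, and header checksums are not recomputed.

```python
"""IPv4 route-option parsing, source-route detection and hop-by-hop replay.

Added example, not part of the SANS course material. The packet is constructed
here (addresses 10.0.0.x are made up); header checksum handling is omitted.
"""
import struct
from ipaddress import IPv4Address

LSRR, SSRR, RR = 0x83, 0x89, 0x07          # option codes from the IP Route Options slide
NAMES = {LSRR: "loose source route", SSRR: "strict source route", RR: "record route"}


def build_header(src, dst, options):
    """20-byte base header plus options, padded with end-of-list bytes to a 32-bit boundary."""
    options += b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    base = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0xB5CB,
                       0x4000, 254, 1, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return base + options


def route_option(code, hops):
    """code | length | ptr (4 = first address) | up to 9 addresses."""
    body = b"".join(IPv4Address(h).packed for h in hops)
    return bytes([code, 3 + len(body), 4]) + body


def is_source_routed(pkt):
    """Exactly the slide's filter: ip[0] & 0x0f > 5 and (ip[20] = 0x83 or ip[20] = 0x89)."""
    return len(pkt) > 20 and (pkt[0] & 0x0F) > 5 and pkt[20] in (LSRR, SSRR)


def option_offsets(pkt):
    """Yield (offset, code, length) for each option between byte 20 and IHL*4.
    Unlike the byte-20 filter, this also finds a route option preceded by NOP padding."""
    end, i = (pkt[0] & 0x0F) * 4, 20
    while i < end:
        code = pkt[i]
        if code == 0:                       # end of option list
            return
        if code == 1:                       # NOP, single byte
            i += 1
            continue
        length = pkt[i + 1]
        if length < 2 or i + length > end:
            raise ValueError("malformed option length")
        yield i, code, length
        i += length


def decode_route_option(pkt, off):
    """Split a route option at offset off into its type, length, ptr and address list."""
    code, length, ptr = pkt[off], pkt[off + 1], pkt[off + 2]
    addrs = [str(IPv4Address(bytes(pkt[j:j + 4]))) for j in range(off + 3, off + length, 4)]
    return {"type": NAMES[code], "length": length, "ptr": ptr, "addresses": addrs}


def process_source_route(pkt, my_addr):
    """One gateway's handling as the slide describes it. Returns (updated packet, next hop)."""
    pkt = bytearray(pkt)
    for off, code, length in option_offsets(pkt):
        if code not in (LSRR, SSRR):
            continue
        ptr = pkt[off + 2]
        if ptr > length:                    # list exhausted: deliver to the header destination
            break
        slot = slice(off + ptr - 1, off + ptr + 3)   # ptr is 1-based from the option start
        next_hop = bytes(pkt[slot])
        pkt[slot] = IPv4Address(my_addr).packed     # record ourselves in the vacated slot
        pkt[16:20] = next_hop                       # the fetched address becomes the destination
        pkt[off + 2] = ptr + 4
        return pkt, str(IPv4Address(next_hop))
    return pkt, str(IPv4Address(bytes(pkt[16:20])))


def trace_source_route(pkt):
    """Replay the packet through every listed gateway; return (hops visited, recorded list)."""
    hop = str(IPv4Address(bytes(pkt[16:20])))
    visited = [hop]
    while True:
        pkt, nxt = process_source_route(pkt, hop)
        if nxt == hop:                      # exhausted: the packet has been delivered
            break
        visited.append(nxt)
        hop = nxt
    off = next(o for o, c, _ in option_offsets(pkt) if c in (LSRR, SSRR))
    return visited, decode_route_option(pkt, off)["addresses"]


# Constructed sample: spoofed source 1.2.3.4, first hop 10.0.0.1 in the header, then
# 10.0.0.2 and 10.0.0.3 in the list, ending at the slide's target 192.168.5.5.
SAMPLE = build_header("1.2.3.4", "10.0.0.1",
                      route_option(LSRR, ["10.0.0.2", "10.0.0.3", "192.168.5.5"]))

if __name__ == "__main__":
    print("source routed:", is_source_routed(SAMPLE), SAMPLE.hex())
    print(decode_route_option(SAMPLE, 20))
    print(trace_source_route(SAMPLE))
```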
Source Route Exploit
(slide diagram: a spoofing host, router1, router2, router3, the target host and the trusted host; the source-routed traffic appears to be traffic from the trusted host)
Let's take a look at one of the malicious uses of source routing on slide Source Route Exploit. In this
slide, we've got a spoofing host sending traffic to a target host pretending to be a trusted host. Normally,
if a spoofing host sends a bogus source IP address pretending to be a trusted host and the target host
receives the traffic, any response will be sent back to the real trusted host. However, if source routing is
allowed into the network of the target host, we have just managed to subvert dynamic routing and have
dictated the path we want the datagram to take on its return trip, namely back to the spoofing host.
In this manner, we see that we can emulate a trusted host relationship with the target host. For instance,
if the target host allows access based on trust, perhaps with no need for a password, we have just
subverted that relationship. Obviously, this is something that you do not want to allow into your
network. Most routers provide a command that disables the route options. For Cisco's IOS, the
command is simply no ip source-route. Verifying that these options have been disabled is extremely
important to the security of your network.
Some spoofing attacks can also be eliminated through the use of packet filters. Almost every router
should contain a filter that drops any packets that are attempting to enter a network with a source address
equal to one of the addresses that are part of the destination network. These packets have obviously been
spoofed.
IP Options Review
IP options are rarely used legitimately
IP options can be used to record the path that a packet takes
IP options can be used to alter the routing of a packet
Correct router configuration can stop these packets
To briefly wrap up what we've learned in this section, turn to IP Options Review. IP options were
used at one time to help debug the Internet to verify that traffic was traveling the way it was
supposed to. But today they are used more for malicious purposes and are considered dangerous if
allowed into your networks. They can record routes of a packet traveling into your network and
enable someone to learn about your internal architecture.
More threatening yet is the ability to source route traffic. This means that normal dynamic routing
will be pre-empted so that spoofed traffic can actually purport to be from one source IP yet be
returned to an entirely different IP from a hostile host. Disallow source routed traffic into your
network.
Dynamic Routing Protocols
In our next section Dynamic Routing Protocols, we begin our examination of the routing
decisions encountered when packets must travel beyond the local network.
Routing protocols are divided into two major categories: Interior Gateway Protocols (IGPs) and
Exterior Gateway Protocols (EGPs). The Interior Gateway Protocols are designed to support routing
packets within a network that is under the same administration, also known as an Autonomous
System, whereas the Exterior Gateway Protocols are designed to operate when packets must traverse
multiple autonomous systems.
Autonomous System - A network of routers that all fall under the same administrative control.
Interior Gateway Protocols
(slide diagram: three routers within a single administrative domain, an Autonomous System (AS), running Interior Gateway Protocols)
Our first major category of routing protocols is portrayed by the slide "Interior Gateway Protocols". These routing protocols are designed to operate in an environment in which all of the routers are controlled by a single administrative authority, also known as an Autonomous System (AS).
These Interior Gateway Protocols fall into two general categories based on how they construct their routing tables: Distance Vector protocols and Link State protocols. Distance Vector protocols are based on the concept of hop counts and construct routes using a shortest path computation. Link State protocols operate in a more centralized fashion and maintain a database from which all of the routes for their section of the network, known as an area, can be built.
Convergence: reaching the knowledge required to reflect an accurate, consistent view of a changed network topology.
Distance Vector Routing Protocols
Protocols
  RIP
    Version 1 [Uses UDP port 520]
    Version 2 [Uses UDP port 520]
  Interior Gateway Routing Protocol (IGRP) [Uses IP Protocol 9]
  Enhanced IGRP (EIGRP) [Uses IP Protocol 88]
Characteristics
  Routing based on hop counts
  Routing information exchanged in periodic updates
  Relatively slow convergence
The slide "Distance Vector Routing Protocols" outlines some of the major characteristics of Distance Vector protocols, along with some of the major protocols that fall into this category.
Basically, Distance Vector algorithms base their routing calculation on the number of hops between networks. Note: a hop count is roughly equivalent to the number of intermediate routers between the networks. Each router constructs routes, based on hop counts, covering the network nodes it knows how to reach. These routes are then broadcast to its direct neighbors. The neighbor routers then adjust their routes and pass this information on to their own neighbors. Eventually the changes are propagated, hop by hop, across the network until all of the routers converge on a stable routing configuration. Each time network connectivity changes or a link goes down, this process is repeated. This propagation of changes is one of the main reasons that distance vector routing protocols are characterized by slow convergence times.
The Routing Information Protocol (RIP) is the most widely used Interior Gateway Protocol. RIP is a very simple protocol which requires very little configuration and is supported by essentially every device.
Each of these protocols incorporates specific features that improve its performance and operational characteristics. Our focus, however, will be on the security strengths and weaknesses related to this class of routing protocols.
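The hop-by-hop propagation just described, as an added simulation that is not part of the course notes or any vendor's implementation: routers start knowing only their direct neighbours, exchange full tables once per round, and the number of rounds that change a table is the convergence time. The topologies (a chain and a ring of four routers) are constructed samples.

```python
"""Hop-count propagation in a distance vector protocol.

Added illustration of the mechanism described in the notes; it is not
course material or any vendor's implementation.  Each router starts out
knowing only its directly connected neighbours.  In every round (one
periodic update) each router hands a copy of its table to its neighbours,
and a neighbour adopts a route when the advertised hop count plus one
beats what it already holds.  The number of rounds in which some table
changed is the convergence time for that topology.
"""
UNREACHABLE = 16  # RIP treats 16 hops as "infinity"


def initial_table(router, links):
    """Hop counts known before any update: self = 0, direct neighbours = 1."""
    return {dest: (0 if dest == router else 1 if dest in links[router]
                   else UNREACHABLE) for dest in links}


def distance_vector_converge(links, max_rounds=50):
    """Run periodic updates until no table changes.

    links maps a router name to the set of routers it is directly connected
    to (links are assumed symmetric).  Returns (tables, rounds): tables[r][d]
    is the hop count router r holds for destination d, and rounds is the
    number of update rounds in which at least one table changed.
    """
    tables = {r: initial_table(r, links) for r in links}
    for round_no in range(1, max_rounds + 1):
        # Every router advertises the table it held at the start of the round,
        # so a route learned now is only passed on in the next round: this
        # per-hop relay is what makes convergence slow on a long path.
        advertised = {r: dict(tables[r]) for r in links}
        changed = False
        for router in links:
            for neighbour in links[router]:
                for dest, hops in advertised[neighbour].items():
                    candidate = min(hops + 1, UNREACHABLE)
                    if candidate < tables[router][dest]:
                        tables[router][dest] = candidate
                        changed = True
        if not changed:
            return tables, round_no - 1
    return tables, max_rounds


# Constructed sample topologies: a four-router chain, and the same routers
# closed into a ring by adding a link between A and D.
CHAIN = {"A": {"B"}, "B": {"A", "C"}, "C": {"B", "D"}, "D": {"C"}}
RING = {"A": {"B", "D"}, "B": {"A", "C"}, "C": {"B", "D"}, "D": {"C", "A"}}

if __name__ == "__main__":
    for name, topology in (("chain", CHAIN), ("ring", RING)):
        tables, rounds = distance_vector_converge(topology)
        print(f"{name}: converged after {rounds} changing round(s)")
        for router in sorted(tables):
            print("  ", router, dict(sorted(tables[router].items())))
```

Note that a router accepts whatever hop count a neighbour advertises, which is why the authentication mechanisms discussed later in this section matter.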
Link State Routing Protocols
Protocols
  Open Shortest Path First (OSPF) [Uses IP Protocol 89]
  Intermediate System-Intermediate System (IS-IS)
Characteristics
  Relatively fast convergence
  Each router maintains route table for entire network
  Flooding of routing updates
With the slide "Link State Routing Protocols" we begin our discussion of the second major class of Interior Gateway Protocols. Link State Routing Protocols operate in a more centralized fashion, relying on a flooded distribution mechanism. Instead of exchanging distances to destinations, the nodes use flooded link state messages to maintain a map of the network that can be quickly updated after any change in the network topology. These networks are also usually broken down into a set of areas, each of which comprises a separate network map. These areas are joined by a contiguous backbone area.
Unlike distance vector protocols, the convergence of these protocols is quick due to the flooded update mechanism.
Comparison of Protocols
Distance Vector                                    | Link State
Views network topology from neighbors' perspective | Gets common view of entire network topology
Adds hops from router to router                    | Calculates the shortest path to other routers
Frequent, periodic updates: slow convergence       | Event-triggered updates: faster convergence
Passes copies of routing table to neighbor routers | Passes link state routing updates to other routers
To contrast the distance vector and link state protocols, turn to the slide "Comparison of Protocols". Distance vector protocols get their perspective on the network by receiving and processing routing tables from their neighbors. Computation of the best routes is done by adjusting the hop count as routing tables are received from other routers. Updates for changes are periodic and need to be passed from router to router, so convergence is slower.
Link state routers obtain a wide view of the entire network topology by maintaining a database of routing information. Each router calculates its own shortest path to each destination. Updates are triggered by network topology changes, and convergence time is quicker.
Distance Vector Security Mechanisms
  RIP Version 2 (RFC 2453)
    Provides password authentication
  RIP-2 MD5 Authentication (RFC-2082)
    Provides MD5 authentication
  EIGRP
    Provides password authentication
    Provides cryptographic authentication using MD5 checksums
The next slide, "Security Mechanisms", illustrates some of the measures that have been taken to secure Distance Vector protocols. The initial distance vector protocols, which originated in the late 1980s (RIPv1 and IGRP), were not very secure. As time progressed, however, newer versions of these protocols were hardened to help protect them from attack.
The first measure taken was the addition of password authentication. These passwords were still subject to capture by a network sniffer. This led to the addition of cryptographic support. Now the popular distance vector protocols all provide a cryptographic method of securing routing messages using MD5 checksums. MD5 is a hash algorithm that, applied to the data, returns a fixed-length value. It is used in conjunction with some kind of shared key, so a party that does not hold the key cannot produce a valid checksum. If the data has not been changed in transit, then the MD5 checksum computed by the receiving host will be the same as that computed by the sending host.
Link State Security Mechanisms
  OSPF
    All records are protected by a checksum
    The messages can be authenticated
      0: No Authentication
      1: Simple Authentication
      2: Cryptographic Authentication
Our next slide, "Security Mechanisms", begins our discussion of the measures taken to secure the Link State protocols. This discussion will focus on OSPF, the most popular link state protocol.
To address the security concerns, the OSPF protocol is designed to give the network administrator the capability to secure the router's OSPF messages. Many of these mechanisms are not foolproof. The checksum value is mainly used to verify that the packet has not been corrupted in transit; an authentication algorithm must be used to provide any actual protection against attackers.
Using simple password authentication provides minimal protection, since the password traverses the network in the clear. Using a network sniffer, someone can retrieve the password and generate forged packets.
To provide the most protection available, the third option, which uses cryptographic techniques, should be used. By employing cryptographic checksums and a sequence number, this option protects against forged messages and replay attacks.
Although the cryptographic option is the most secure, it does involve some extra work: the secret keys must be maintained and updated periodically.
Exterior Gateway Protocols
[Figure: four Autonomous Systems (AS), each containing interior Routers and a Border Router; the Border Routers are linked to one another by Exterior Gateway Protocols]
The slide "Exterior Gateway Protocols" symbolizes the environment that Exterior Gateway Routing Protocols are designed to operate in. These protocols serve as the glue that ties separate Autonomous Systems into a single network in which all of the computers on the network can interact seamlessly with each other.
Originally a protocol named Exterior Gateway Protocol (EGP) was developed to operate in this environment. At its inception in 1983, it operated quite well. As the Internet grew, however, the environment placed excessive stress on the EGP protocol. The main limiting factors were:
1) It was highly susceptible to false information. An EGP router could incorrectly advertise lower-cost routes for destinations that were not even part of its Autonomous System, and its neighbors would gladly accept the information and begin using it to make routing decisions.
2) It needed to be capable of supporting more complex topologies. EGP assumed that the topology was tree-structured with a single core. The Internet did not evolve into this structure.
These limitations prevented EGP from thriving. Currently the recommended protocol for exchanging information between ASs is Border Gateway Protocol (BGP).
Border Gateway Protocol
Characteristics
  Protocol used for the backbone of the Internet
  Each BGP server maintains a route table consisting of every possible external address
  Route aggregation is used to reduce the size of routing tables
  Protocol transmits messages using the TCP protocol
  BGP is assigned TCP port 179
The slide "Border Gateway Protocol" begins our discussion of BGP, the recommended choice with respect to Exterior Gateway Protocols. Currently BGP is the routing protocol that supports the Internet backbone.
BGP servers on the Internet backbone must maintain routing tables that include all of the external addresses on the Internet. As our historical figures indicated, this was already exceeding 65,000 by 1999. To efficiently handle these large quantities of external route entries, BGP incorporated several useful features. One of the most important was route aggregation. With the advent of the Classless Inter-Domain Routing architecture, when companies need IP addresses they are given a contiguous block of class C addresses. Route aggregation allows the BGP server to consolidate those contiguous class C addresses into a single external route. This cuts down dramatically on the number of external routes that a BGP server needs to maintain.
Security Concerns
A BGP server is a prime target for attack
SYN flooding attacks against server
RST attack attempting to break down connection to server
Data insertion attacks attempting to forge packets in the TCP stream
Hijacking attacks attempting to gain control of the TCP connection
Next we turn to the slide "Security Concerns" to examine the potential security concerns related to BGP. The BGP servers enable the routing of all packets that are destined outside of the local Autonomous System (AS). They sit at the edge of the AS and only deal with packets that are entering or leaving the AS. An AS usually has only one BGP server connecting itself with the rest of the network. If that server goes down, either accidentally or maliciously, the outage can be quite extensive. Therefore, the BGP servers need to be protected against attack.
The TCP connections that BGP servers maintain with their neighbors provide a potential target for attackers and other malevolent parties. Several attacks have been developed against the TCP protocol, and these can be used against the BGP server connections as well. These attacks are:
SYN flooding
RST attacks
DATA insertion attacks
Session Hijacking attacks
Security Mechanisms
  Password mechanism
    Provides minimal protection
    Does not prevent the TCP protocol attacks
  TCP MD5 signature option (detailed in RFC-2385)
    Hastily deployed to protect against TCP attacks
    Judged weak by security experts against concerted attacks
The slide "Security Mechanisms" illustrates some of the security measures that have been added to BGP to secure the transmission of BGP control messages. Earlier versions of BGP (prior to version 4) provided a password authentication capability. These passwords, however, were transmitted across the network in the clear. Anyone with access to the network could use a sniffer to capture them. Furthermore, the password authentication did not prevent the TCP protocol attacks that have arisen. Realizing that attacks on the BGP server connections could have very nefarious consequences, the TCP MD5 Signature Option (RFC-2385) was hastily developed. This modification to BGP represented an attempt to establish a cryptographic mechanism that could secure the BGP TCP connections from attack. It implemented an MD5 checksum at the TCP layer to validate the packets.
By implementing the MD5 signature option, the level of protection is dramatically increased compared to the simple password authentication. This option, however, is not without its flaws. In fact, security experts have stated that the algorithm contains security weaknesses against a concerted attack.
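The RFC-2385 option discussed above, as an added example that is not part of the course notes or any router vendor's code. It signs and verifies one BGP segment with the shared-key MD5 construction; the same "shared key plus MD5 checksum" idea is what the notes describe for RIP-2 and EIGRP, applied there to the routing message rather than the TCP segment. Addresses, ports, sequence numbers and the key are constructed sample values.

```python
"""RFC 2385 TCP MD5 Signature Option, used to protect a BGP session.

Added illustration, not course material or any vendor's code.  The digest
is MD5 over, in order: the TCP pseudo-header (source IP, destination IP,
zero byte, protocol 6, TCP length including options), the 20-byte TCP
header with no options and the checksum zeroed, the payload, and the
shared key.  The 16-byte digest travels in TCP option kind 19, length 18.
Sample addresses, ports, sequence numbers and key are constructed.
"""
import hashlib
import hmac
import ipaddress
import struct

OPTION_KIND_MD5 = 19
OPTION_LEN_MD5 = 18
OPTION_BLOCK_LEN = 20   # option plus two End-of-Option-List pad bytes
BGP_PORT = 179


def tcp_header(sport, dport, seq, ack, flags, window, options_len=0):
    """Fixed 20-byte TCP header; the data offset counts the options too."""
    data_offset = (20 + options_len) // 4
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (data_offset << 12) | flags, window, 0, 0)


def tcp_md5_digest(src_ip, dst_ip, header, payload, key,
                   options_len=OPTION_BLOCK_LEN):
    """Digest for one segment; the checksum field (bytes 16-17) hashes as zero."""
    tcp_len = len(header) + options_len + len(payload)
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, tcp_len))
    header_no_csum = header[:16] + b"\x00\x00" + header[18:]
    return hashlib.md5(pseudo + header_no_csum + payload + key).digest()


def sign_segment(src_ip, dst_ip, header, payload, key):
    """Return the option bytes to append to the header, padded to 32 bits."""
    digest = tcp_md5_digest(src_ip, dst_ip, header, payload, key)
    return struct.pack("!BB", OPTION_KIND_MD5, OPTION_LEN_MD5) + digest + b"\x00\x00"


def find_md5_option(options):
    """Walk the TCP option TLVs and return the carried digest, or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No-Operation, single byte
            i += 1
            continue
        if i + 1 >= len(options):          # truncated TLV
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None
        if kind == OPTION_KIND_MD5 and length == OPTION_LEN_MD5:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, header, options, payload, key):
    """A receiver configured with a key rejects unsigned segments as well as
    ones whose digest does not match (wrong key, altered bytes, spoofed IP)."""
    received = find_md5_option(options)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, header, payload, key,
                              options_len=len(options))
    return hmac.compare_digest(received, expected)


# Constructed sample: one BGP KEEPALIVE (16-byte marker, length 19, type 4)
KEY = b"constructed-sample-key"
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)
HEADER = tcp_header(BGP_PORT, 40000, 0x1000, 0x2000, 0x018, 65535,
                    options_len=OPTION_BLOCK_LEN)
```

Because the source and destination addresses are hashed through the pseudo-header, a segment injected from a different address fails verification even if the attacker can observe the session; the weakness the experts point to is the unsalted, static key and the MD5 algorithm itself.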
Routing Protocols Review
  Interior Gateway Protocols govern the routing of packets in a single Autonomous System
  Exterior Gateway Protocols govern the routing of packets across multiple Autonomous Systems
  Interior Gateway Protocols fall into two general classifications:
    Distance Vector Routing Protocols
    Link State Routing Protocols
  The current Internet backbone uses BGP
Let's recap what has been covered, using the slide "Routing Protocols Review". Basically, there are two types of routing protocols. One type manages the routers within a given autonomous system; these are known as Interior Gateway Protocols. Within this group we have two different kinds of protocol: 1) distance vector routing protocols, which use hop counts to discover the best route, and 2) link state routing protocols, which use individual links to adjacent routers to find the best route.
The second major group of routing protocols manages routing across autonomous systems; this group is known as the Exterior Gateway Protocols. For both the interior and exterior protocols there are weaknesses in the exchange of information. Servers that maintain exterior routes can be targets of hostile activity simply because they maintain so much important information.
Multicast Routing
[Figure: a Server at the upper left and four Routers forming a simple multicast distribution tree]
The "Multicast Routing" slide illustrates a simple multicast routing example. The server at the upper left of the slide wants to broadcast information to all of the other hosts. To transmit this information using unicast, the server would have to transmit the information 7 times, once to each destination host. As the number of receiving hosts grows, this obviously uses a large amount of network bandwidth. By transmitting the information using Multicast Routing, the server simply sends the data to the correct multicast address. This information is then broadcast across the network by the various routers and each host receives the information. This is obviously the preferable solution when the groups or the amount of data are large.
But what is driving the need for robust Multicast Routing Protocols? The answer is simple: the demand for multimedia streaming applications (both audio and video), distributed conferences, and large-scale gaming sessions on the Internet continues to increase.
Multicast Addresses
Composed of Class D IP addresses:
High-Order four bits of address are 1110 (1110 0000 = 224)
Range from 224.0.0.0 to 239.255.255.255
224.0.0.0 is never assigned to a group
224.0.0.1 is permanently assigned to group composed of all IP hosts
The slide "Multicast Addresses" defines the range of numbers which can be used for multicast groups. The multicast group addresses are taken from the class D address space, meaning that the four high-order bits are 1110. This means that the lowest multicast address begins with 11100000, which is 224. By the same process, the highest multicast address begins with 11101111, which is 239. This leads to an address space of 224.0.0.0 through 239.255.255.255. The address 224.0.0.0 is never to be assigned to a group, and the address 224.0.0.1 is permanently assigned to the group represented by all of the IP hosts (including gateways). It is used to address all of the multicast hosts on the directly connected network. The addresses of any other well-known permanent groups are listed in the Assigned Numbers RFC 1700.
Some other permanently assigned multicast addresses:
224.0.0.9 : All RIPv2 routers
224.0.0.10 : All IGRP routers
224.0.1.1 : Network Time Protocol (NTP)
224.2.0.0 - 224.2.255.255 : Multimedia Conference Calls
IGMP
IGMP Message Format
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+---------------+---------------+-------------------------------+
|   Msg. Type   | Max Response  |           Checksum            |
|               |     Time      |                               |
+---------------+---------------+-------------------------------+
|                         Group Address                         |
+---------------------------------------------------------------+
IGMP messages use IP Protocol 2
IGMP is defined by RFC 1112
The next slide, titled "IGMP", begins our discussion of the Internet Group Management Protocol (IGMP). This protocol is an integral part of IP, similar to ICMP. In order for a host to receive IP multicasts, it must implement IGMP.
IGMP messages are encapsulated in IP packets that carry an IP protocol number of 2. These messages are used to join and leave multicast groups. The messages basically inform the routers that a host is interested in a particular IP multicast group. The routers then know which networks need to receive which IP multicast data. If no one on a network has joined a particular multicast group, then the router does not need to transmit that multicast traffic there.
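A parser and builder for the message layout on the IGMP slide, as an added example that is not part of the course notes or any IP stack; it also applies the Class D rules from the "Multicast Addresses" slide to the group field, so it serves both passages. The checksum is the standard one's-complement Internet checksum, and the sample messages are constructed.

```python
"""Parser and builder for the IGMP message layout shown on the slide:

    Msg. Type (8) | Max Response Time (8) | Checksum (16) | Group Address (32)

Added illustration, not course material or any IP stack's code.  The
checksum is the one's-complement Internet checksum over the whole 8-byte
message; the group address is validated with the Class D rules from the
Multicast Addresses slide.  Sample messages are constructed.
"""
import ipaddress
import struct

IGMP_PROTOCOL = 2
MESSAGE_TYPES = {0x11: "Membership Query", 0x12: "IGMPv1 Membership Report",
                 0x16: "IGMPv2 Membership Report", 0x17: "Leave Group"}
# Permanently assigned groups listed in the notes
WELL_KNOWN_GROUPS = {"224.0.0.1": "all IP hosts on this subnet",
                     "224.0.0.9": "all RIPv2 routers",
                     "224.0.0.10": "all IGRP routers",
                     "224.0.1.1": "Network Time Protocol"}


def internet_checksum(data):
    """One's-complement sum of 16-bit big-endian words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def is_class_d(addr):
    """Class D: high-order four bits are 1110 (224.0.0.0 - 239.255.255.255)."""
    return (ipaddress.IPv4Address(addr).packed[0] & 0xF0) == 0xE0


def build_igmp(msg_type, max_resp, group):
    """Assemble one 8-byte message with the checksum filled in."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0,
                       ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]


def parse_igmp(data):
    """Decode one message and list anything a receiver should reject."""
    if len(data) < 8:
        return {"problems": ["message shorter than 8 bytes"]}
    msg_type, max_resp, csum, raw_group = struct.unpack("!BBH4s", data[:8])
    group = str(ipaddress.IPv4Address(raw_group))
    problems = []
    if internet_checksum(data[:8]) != 0:      # sum over a valid message is 0
        problems.append("bad checksum")
    if msg_type not in MESSAGE_TYPES:
        problems.append("unknown message type 0x%02x" % msg_type)
    if group == "224.0.0.0":
        problems.append("224.0.0.0 is never assigned to a group")
    elif group == "0.0.0.0":
        if msg_type != 0x11:                   # only a general query is unaddressed
            problems.append("only a general query may carry group 0.0.0.0")
    elif not is_class_d(group):
        problems.append("group address is outside 224.0.0.0-239.255.255.255")
    return {"type": msg_type, "type_name": MESSAGE_TYPES.get(msg_type, "unknown"),
            "max_resp": max_resp, "checksum": csum, "group": group,
            "group_name": WELL_KNOWN_GROUPS.get(group), "problems": problems}


if __name__ == "__main__":
    # Constructed: a host joining the all-RIPv2-routers group from the notes
    report = build_igmp(0x16, 0, "224.0.0.9")
    print(report.hex(), parse_igmp(report))
```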
IP Routing Quiz
1. By accepting unsolicited ARP replies, many operating systems are
susceptible to ARP spoofing (T/F).
2. The ARP protocol provides a mechanism to associate IP addresses
with MAC addresses (T/F).
3. The IP address for the local host is 127.0.0.1. (T/F)
4. Static host routing is used to send traffic between independent
autonomous systems. (T/F)
5. Initial routes for a host's routing table are generally populated as the
host is booting or by ICMP Router Discovery Protocol. (T/F)
IP Routing Quiz (2)
6. Static routing tables normally change frequently. (T/F)
7. Allowing source routed packets into your network is not a security risk.
(T/F)
8. ARP poisoning can allow a non-trusted host to act as a trusted
one. (T/F)
9. There are two types of source routing: loose and strict. (T/F)
10. There is no way to detect source routing. (T/F)
IP Routing Quiz (3)
11. There is no way to block source routing. (T/F)
12. An autonomous system is a network of routers that fall under the
same administrative control. (T/F)
13. Interior Gateway Protocols are designed to support routing between
multiple autonomous systems. (T/F)
14. Exterior Gateway Protocols are designed to support routing between
multiple autonomous systems. (T/F)
15. One of the problems of using password authentication between
communicating routers is they can be sniffed if they are in clear text. (T/F)
IP Routing Quiz (4)
16. A command that can be used to see the local routing table is:
a) netstat -r -n
b) tcpdump
c) ARP
d) no ip source-route
17. A default route is placed in the routing table to:
a) send traffic to the local host
b) send traffic to a default router to forward it closer to the destination
c) send traffic to the host via ARP
d) send traffic to a host without a cached ARP entry
IP Routing Quiz (5)
18. Static routes are changed by the following:
a) ICMP redirects and ICMP Router Discovery Protocol
b) RIP
c) OSPF
d) BGP
19. An ICMP redirect tells a host to:
a) send no more data
b) change the routing protocol from RIP to OSPF
c) change the routing protocol from OSPF to RIP
d) use a more optimum route
IP Routing Quiz (6)
20. Hosts which accept ICMP routing messages are susceptible to:
a) SYN floods
b) ARP poisoning
c) man-in-the-middle and DoS attacks
d) DNS poisoning
21. ARP is necessary because:
a) the IP layer uses IP addresses and the link layer uses MAC
addresses to communicate
b) we are running out of IP numbers
c) we are running out of MAC addresses
d) telnet requires MAC addresses for destination addresses
IP Routing Quiz (7)
22. Interior Gateway Protocols are between:
a) routers within an autonomous system
b) routers between autonomous systems
c) link state routers only
d) distance vector routers only
23. Exterior Gateway Protocols are between:
a) routers within an autonomous system
b) routers between autonomous systems
c) link state routers only
d) distance vector routers only
IP Routing Quiz (8)
24. Distance vector protocols like RIP use the following to calculate
distances:
a) hops
b) time in seconds
c) type of service preference
d) collision rates
25. Border Gateway Routers are primary attack targets because:
a) they are susceptible to ICMP redirect attacks
b) they are susceptible to ICMP router discovery attacks
c) they are susceptible to denial of service, data insertion and
hijacking attacks
d) they are susceptible to DNS poisoning attacks
IP Routing Quiz (9)
26. ARP poisoning is:
a) flooding a host with ARP requests
b) flooding a host with ARP replies
c) fooling a host into accepting a false IP address and MAC address
pair
d) flooding the ARP cache
27. Which of the following is true with source routing:
a) destination hosts are often spoofed
b) dynamic routing is used for all hops
c) a source IP can be spoofed and return traffic can be sent to the
spoofer
d) an infinite number of routers to be traversed can be specified
IP Routing Quiz (10)
28. A way to detect source routing is:
a) it cannot be detected
b) examine the IP header for a length of greater than 5 (32 bit words)
c) examine the IP header for a length of 83
d) examine the IP header for a length of 89
29. One of the uses of source routing is:
a) impersonate as a trusted host
b) poison the ARP cache
c) avoid the use of ARP all together
d) record the packet route
IP Routing Quiz (11)
30. A man-in-the-middle attack that can be achieved by corrupting routes
can:
a) poison the ARP
b) SYN flood the target
c) examine outbound traffic and sniff or alter the contents
d) alter the routing protocol from IGP to EGP
Answers:
1) T 16) a
2) T 17) b
3) T 18) a
4) F 19) d
5) T 20) c
6) F 21) a
7) F 22) a
8) T 23) b
9) T 24) a
10) F 25) c
11) F 26) c
12) T 27) c
13) F 28) b
14) T 29) a
15) T 30) c
Course Revision History
v1.0 Jean Triquet
v.1.1 edited by S. Northcutt 23 Oct 2000
v.1.2 edited by J. Novak 25 Dec 2000
v1.3 J. Kolde, formatting changes 22 Jan 2001
v1.4 J. Novak deleted a multicast slide 23 Feb
v1.5 J. Novak Source routing changes per student feedback 17 Jun 2001
v1.6 edited by J. Novak 6 July 2001
v1.7 edited and audio recorded by C. Wendt 16 July 2001
v.1.7 Slide 26: per Stephen, added the word "legitimately" at the end of the first slide bullet; Slide 29: reference of IGRP to protocol 88 changed to protocol 9. Sep 2002
v.1.8 Slide 1 changed reference to webcast to section, slide 4 local routing table deleted
reference to Netscape in paragraph 3, slide 5 static routing decisions added word destination in first
two bullets of slide, slide 7 how are routes changed added 2 final sentences to last paragraph of
notes, slide 8 redirect changed picture, slide 32 last paragraph in notes altered. 9 Nov 2002
v.1.9 J. Novak. slide 2 changed text under ARP in slide, slide 9 added another paragraph to notes.
Feb 2003
v.1.10 J. Novak Mar 2003 Slide 31 changed notes page sentence per student feedback.