3.1.7 - IP Routing


  • 8/12/2019 3.1.7 - IP Routing

    1/53

    8 - 1

    IP Routing SANS 2000- 2003 1

    IP Routing

    After completion of this section, the student will have a good foundation of how packets are routed

    across IP networks. First we will examine the concept of static routing that most hosts use to decide

    how to send traffic originating from the local host. We will also briefly introduce the Ethernet

    protocol, since the majority of the IP network traffic is routed using this link layer medium. Much of

    the traffic that needs to be routed is between hosts on the same physical network and that is where the

    link layer comes into play.

    Routing protocols provide the basis by which information is transferred between hosts on the

Internet. We'll look at these protocols that provide for dynamic routing. They are divided into major

    categories based on a specific operating environment. Besides explaining these various

    environments, we will examine their potential strengths and weaknesses. Furthermore, we will

    attempt to provide a basic overview of how the different protocols are susceptible to attack and how

    some of these threats can be mitigated through simple router configuration changes.


    Objectives

    Static Routing

    Sending packets from the local host

    Address Resolution Protocol (ARP)

    IP to link layer resolution

    Examples of malicious activity

    IP Options

    Loose source routing

    Strict source routing

    Dynamic Routing Protocols

    Interior Gateway Protocols

    Exterior Gateway Protocols

    Multicast Routing

    Sending packets to multiple hosts

The "Objectives" slide outlines the different topics that we will be covering. First, we will look at

static routing, which hosts employ to send traffic. Then, we'll examine the protocols involved in the

    transmission of packets on the local network. This will be followed by a discussion of IP options and

    how they can be used to alter the course of packets as they travel toward their destination.

    Then various protocols that govern how packets traverse IP networks will be investigated.

    Specifically, we will examine all of the protocols that affect the transmission of a packet from one

    host to another. This transmittal can be as simple as sending a packet from one host to another on the

same local subnet, or as complex as sending a packet across the world. Finally, we'll examine

    multicast routing to send traffic to multiple hosts in a network.


    Static Routing

All hosts, regardless of whether they are routers or not, have to be able to make initial decisions about how to

send traffic from the local host. They maintain a basic list known as a routing table that directs

traffic from the local host based on its final destination. This table is referenced often by the host

sending traffic, yet it is not updated very frequently, hence the name static routing.

    In this section, we will examine the types of decisions hosts need to make about routing traffic and

    some of the susceptibilities and exploits associated with static routing.


    Local Routing Table

netstat -rn

    Routing Table:

    Destination Gateway Flags Ref Use Interface

    -------------------- -------------------- ----- ----- ------ ---------

    1.2.3.0 1.2.3.4 U 3 5 le0

    127.0.0.1 127.0.0.1 UH 0 472 lo0

    default 1.2.3.1 UG 0 5444

Look at the "Local Routing Table" slide to see a Unix host's relatively static list of routes. The routing

decisions are made based on the destination of the traffic that is to be sent. This table was generated

using the netstat command with the -rn options, which indicate to list the routing table but not to try to

resolve IP numbers to host names. This routing table is for host 1.2.3.4 on the 1.2.3.0 network.

    The first line in the table says that any traffic bound for the 1.2.3.0 network should be directed through

    the local host 1.2.3.4 using interface le0 which is one of its network interface designations. The flag of U

    says that this route is up and the reference count indicates how many current connections are established

    through that interface and the use column indicates how many packets have traveled through the

    interface.

    The second line is for the local loopback address that is designated as 127.0.0.1. Some processes such as

    X terminal applications require that the host talk to itself and this is the interface through which that

    occurs.

The final line indicates the default destination to which traffic should be sent if it doesn't match any of the

    other destinations in the routing table. This is a default gateway (noted with the G in the Flags column)

    which is a router that will forward the traffic and direct it a hop closer to its final destination. This is used

    for traffic that is destined for somewhere other than the 1.2.3.0 network and the local host.


    Static Routing Decisions

The IP layer searches the routing table in the following manner:

Search for a matching destination host address

Search for a matching destination network address

Search for a default entry

Turning to the slide "Static Routing Decisions", we see how the IP layer uses a routing mechanism to

decide which interface traffic should be directed to. If the destination host matches a routing

table destination entry, the traffic is routed through the corresponding interface. If there is no such

matching entry, then the destination address is compared against all the routing table destination

entries to see if the network addresses match. The network address is determined by combining the

specified IP address and the subnet mask for the network. The first match is sent to the specified

network interface. Finally, if nothing else matches, the traffic is sent to the interface with the "default" designation. This is usually a router on the same local network that will forward the traffic

to the destination.

Many hosts do not act as routers, meaning that they do not forward traffic received through one

interface to another interface. Yet, they still need to be able to route traffic generated on the local

host to the correct interface. This is an important distinction.
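As an added example (not code from the course notes), here is the three-step lookup described above written in Python over the table from the "Local Routing Table" slide. Two assumptions fill gaps the slide leaves: the 1.2.3.0 entry is treated as a /24, and the default entry is given interface le0. It also returns the address whose hardware address the host must resolve, the destination itself for a directly connected network or the gateway for a G-flagged route.

```python
from ipaddress import ip_address, ip_network

# Rows of (destination, gateway, flags, interface) copied from the netstat -rn output
# on the slide. Assumptions: the 1.2.3.0 entry is a /24, and the default entry uses le0
# (the slide leaves its interface column blank).
ROUTING_TABLE = [
    ("1.2.3.0/24", "1.2.3.4", "U", "le0"),
    ("127.0.0.1", "127.0.0.1", "UH", "lo0"),
    ("default", "1.2.3.1", "UG", "le0"),
]


def lookup_route(dst, table=ROUTING_TABLE):
    """Search the table in the order the slide gives: host entry, network entry, default.

    Returns a dict with gateway, interface, flags and kind ("host", "network" or
    "default"), or None when nothing matches (no default entry and no covering route).
    """
    dst = ip_address(dst)
    for dest, gw, flags, iface in table:            # 1) exact host route (H flag)
        if "H" in flags and dest != "default" and ip_address(dest) == dst:
            return {"gateway": gw, "interface": iface, "flags": flags, "kind": "host"}
    for dest, gw, flags, iface in table:            # 2) first network route that covers dst
        if "H" not in flags and dest != "default" and dst in ip_network(dest, strict=False):
            return {"gateway": gw, "interface": iface, "flags": flags, "kind": "network"}
    for dest, gw, flags, iface in table:            # 3) the default entry hands off to a router
        if dest == "default":
            return {"gateway": gw, "interface": iface, "flags": flags, "kind": "default"}
    return None


def link_layer_target(dst, table=ROUTING_TABLE):
    """Return the IP address whose hardware address the host must resolve to reach dst.

    A G flag means the packet is handed to the gateway, so the gateway is resolved;
    without it the destination sits on the attached network and is resolved itself.
    """
    route = lookup_route(dst, table)
    if route is None:
        return None
    return route["gateway"] if "G" in route["flags"] else str(ip_address(dst))
```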


    How Are Routes Added?

Static routes are typically added during the boot process

Administrative changes can be made with the route command

    ICMP router discovery messages

The next topic of discussion, "How Are Routes Added?", is found on the following slide. Since

    these routes are fairly static, they should be assigned during the boot process and remain mostly

    unchanged. Some Unix systems have a file /etc/defaultrouter that initializes the routes; others

    configure the routes in the boot scripts using the route command. The route command can be used

    by the administrator to make changes for new interfaces.

    Another way for a host to receive initial routes after the boot process is to issue a router solicitation

    message using ICMP router discovery. Routers can respond to these solicitations to inform the host

    of the router IP addresses along with a lifetime or number of seconds that the advertised router

    addresses are considered to be valid.


    How Are Routes Changed?

    ICMP redirect messages

    ICMP router discovery messages

The slide "How Are Routes Changed?" lists the ways in which a relatively static routing table can be

informed of best routes or changing conditions on the network. A host might have entries in the

routing table that are not the most efficient ones. When this happens, ICMP redirect messages are

    sent to the host by a router that detects it is not the optimum router to be used. The host will adjust

    its routing tables to use a more optimum router when sending traffic the next time to the destination

    address that elicited the message.

    Hosts that use the ICMP router discovery protocol (IRDP) can receive periodic advertisements of

    available routers. They can change their routing tables to reflect any new information received. A

    router must support IRDP and have it turned on to issue these advertisements or respond to

solicitations. Cisco routers have IRDP turned off by default.


    Redirect

[Diagram: a misguided sending host, a non-optimum router, an optimum router and the target host. The sending host sends the datagram to the target host through the non-optimum router, which delivers it and tells the sender to use the optimum router next time.]

non-optimum.router > sending.host : icmp: redirect target.host to host optimum.router

The ICMP "Redirect" message discussed on the next slide allows a router to tell a sending host that

it is not the optimum router to be used for sending the traffic to the desired destination. The

non-optimum router forwards the traffic to the destination, but informs the sending host to change its

routing table so that a more optimum router is chosen the next time traffic is sent to the same

destination host.

    In the case of the above slide, we have a misguided sending host attempting to send traffic to the

    target host. It routes the traffic through the non-optimum router that forwards the traffic. However,

    it issues an ICMP redirect to the misguided sending host to use the optimum router the next time.

    Most hosts will perform some checks before changing their routing tables:

    1) The optimum router must be on the directly connected network

    2) The redirect must be from the non-optimum router that was attempted

    3) The redirect must not tell the host to use itself as the optimum router

    4) The optimum router must be a router and not a host


    IRDP DoS Exploit

spoofing.host > duped.host : icmp: router advertisement

[Diagram: duped.host normally sends through default.router; an IRDP message from spoofing.host redirects its default route to 4.4.4.4, a black hole.]

Now, for a different type of scenario for malicious ICMP messages, look at the next slide "IRDP

DoS Exploit". In this case, we have a local or remote host that spoofs an ICMP router discovery

protocol router advertisement.

The duped.host listens for IRDP advertisements, receives one from spoofing.host, and changes its

routing table so that the default router is 4.4.4.4. Router 4.4.4.4 does not exist or is not accessible to

duped.host on the local network. So, all traffic that duped.host sends outbound will end up in a black

hole, essentially causing a denial of service for outbound traffic for duped.host.

    A router must support IRDP and have it turned on in order for this exploit to work. By default, Cisco

    routers support IRDP, however they have it turned off.


    IRDP Windows Exploit

[Diagram: windows.host (192.168.59.181) normally sends through default.router (192.168.59.1); an ICMP router advertisement from spoofing.host (192.168.59.5) installs a redirected default route through the spoofing host.]

Part of the Windows routing table after the advertisement (Network Dest, Netmask, Gateway, Interface, Metric):

0.0.0.0 0.0.0.0 192.168.59.1 192.168.59.181 1 (actual router)

0.0.0.0 0.0.0.0 192.168.59.5 192.168.59.181 0 (bogus router)

Let's examine an IRDP attack seen on the slide "IRDP Windows Exploit". As the name implies, this attack is

mostly limited to Windows hosts (95, 98 and 2000), although some Solaris hosts are susceptible too. If a

Windows host runs as a Dynamic Host Configuration Protocol (DHCP) client, it will obtain its default route

from the DHCP server. However, using IRDP Router Advertisements, a Windows host can be convinced to

use a different (incorrect) default route.

As you've no doubt witnessed from previous IRDP exploits, the ICMP Router Advertisement packets have no

way to authenticate that the sender is a legitimate trusted host. Therefore, if we can dupe the Windows host

into believing an incorrect default route, we can reroute data leaving the targeted host.

The means by which this is done is by sending a Router Advertisement that contains two or more router

addresses to the target Windows host. Normally, if just one router address is included in the Router

Advertisement, the receiving host examines the source IP to make sure it is in the same subnet. However,

this same check is erroneously not applied to the subsequent addresses in the Router Advertisement. Therefore,

a host outside the network can spoof multiple Router Advertisements and send them to the target host

(assuming the site does not block this type of ICMP message inbound).

Another field in the Router Advertisement tells the metric to be used. The formula for computing this for

Windows hosts is to subtract 1000 from the received metric value. In other words, if the metric in the Router

Advertisement that is sent is 1000, the receiving host will assign a metric of 0 to this route. What this effectively does is to give this route a higher precedence than the existing default router entry with a default

metric of 1. Look at part of the Windows routing table above to see the default and bogus entries. At this

point, traffic will be redirected to the default router assigned by the Router Advertisement packet with a metric

of 0. The man-in-the-middle host would then have to have IP forwarding on to send the wayward packets

through the real router.

This attack was submitted for GIAC certification by Kevin Black. Many thanks to Kevin for his great

analysis.
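As an added example (not code from the course notes) serving the "Redirect" checks above, the "IRDP DoS Exploit" slide and this slide: a Python model of the checks a host should apply before an ICMP Redirect or Router Advertisement is allowed to change its routing table. The host address 192.168.59.181/24 and the known-router list are assumptions taken from the slide's diagram; the sample advertisement is constructed, with its checksum left at zero.

```python
import struct
from ipaddress import ip_address, ip_interface

# The receiving host's own view, constructed to match the "IRDP Windows Exploit" slide.
LOCAL = ip_interface("192.168.59.181/24")
# Check 4 (the new gateway must be a router, not a host) needs knowledge the ICMP
# message itself cannot carry; here it is an assumed list of known routers.
KNOWN_ROUTERS = {"192.168.59.1", "192.168.59.2"}


def redirect_is_acceptable(icmp_src, new_gateway, gateway_in_use,
                           local=LOCAL, routers=KNOWN_ROUTERS):
    """Apply the four checks from the "Redirect" slide to an ICMP Redirect.

    icmp_src       - source address of the redirect message
    new_gateway    - router the redirect tells us to use from now on
    gateway_in_use - router we sent the original datagram through
    Returns (accepted, reason).
    """
    new_gw = ip_address(new_gateway)
    if new_gw not in local.network:
        return False, "1: new gateway is not on the directly connected network"
    if ip_address(icmp_src) != ip_address(gateway_in_use):
        return False, "2: redirect did not come from the router we actually used"
    if new_gw == local.ip:
        return False, "3: redirect names this host as the gateway"
    if str(new_gw) not in routers:
        return False, "4: new gateway is not a known router"
    return True, "accepted"


def parse_router_advertisement(payload):
    """Decode an ICMP Router Advertisement (type 9, RFC 1256 layout).

    Returns (lifetime_seconds, [(router_address, preference), ...]).
    """
    icmp_type, code, _cksum, num_addrs, entry_size, lifetime = struct.unpack("!BBHBBH", payload[:8])
    if icmp_type != 9 or code != 0 or entry_size != 2:
        raise ValueError("not an ICMP router advertisement")
    entries = []
    for i in range(num_addrs):
        off = 8 + i * 8
        raw_addr, preference = struct.unpack("!4si", payload[off:off + 8])
        entries.append((str(ip_address(raw_addr)), preference))
    return lifetime, entries


def vet_router_advertisement(ip_src, payload, local=LOCAL):
    """Check the source AND every advertised address against the local subnet.

    The slide says the Windows host applied the subnet test only to the first address;
    applying it to all of them is what closes the hole. Returns (accepted, rejected):
    accepted holds (address, windows_metric) pairs using the slide's formula
    metric = received value - 1000, rejected holds (address, reason) pairs.
    """
    lifetime, entries = parse_router_advertisement(payload)
    if ip_address(ip_src) not in local.network:
        return [], [(addr, "advertisement came from outside the local subnet") for addr, _ in entries]
    accepted, rejected = [], []
    for addr, preference in entries:
        if ip_address(addr) not in local.network:
            rejected.append((addr, "advertised router is not on the local subnet"))
        elif lifetime == 0:
            rejected.append((addr, "a lifetime of 0 seconds leaves nothing to install"))
        else:
            accepted.append((addr, preference - 1000))
    return accepted, rejected


def build_advertisement(entries, lifetime=1800):
    """Construct a router advertisement payload for testing (checksum left as zero)."""
    head = struct.pack("!BBHBBH", 9, 0, 0, len(entries), 2, lifetime)
    body = b"".join(struct.pack("!4si", ip_address(a).packed, p) for a, p in entries)
    return head + body


# Constructed sample: the spoofing host from this slide advertises itself with the value
# 1000 that becomes a Windows metric of 0, plus the 4.4.4.4 black hole from the
# "IRDP DoS Exploit" slide as a second, off-subnet address.
SAMPLE_ADVERTISEMENT = build_advertisement([("192.168.59.5", 1000), ("4.4.4.4", 1000)])
```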


    Static Routing Review

    Hosts maintain tables of destination routes

    These tables are normally static

    Initialized by boot scripts or IRDP

    ICMP messages can change entries

The slide "Static Routing Review" summarizes what we've learned in this section. Each host has a

    routing table that is the mechanism used by the IP layer to direct traffic from the host to the correct

    interface and closer to its destination. This is called static routing because these tables are relatively

    stable and initialized with boot scripts or using ICMP router discovery protocol to populate the table.

    Changes can be made to the routing tables using two different ICMP messages. The ICMP redirect

    message informs the sending host that a given router used to send traffic to a given destination is not

    the best one and informs the host of the better router. Also, IRDP messages inform the host of

changing conditions on the network and allow it to update its routing tables accordingly. As you've

    witnessed, ICMP has no way of authenticating whether received messages are genuine and this is

    sometimes exploited using man-in-the-middle or denial of service attacks. It is wise to disallow these

    types of ICMP messages from entering your network from the outside.


Address Resolution Protocol (ARP)

Our next section begins with the "Address Resolution Protocol" slide. The basic foundation to the

movement of IP packets across a physical network is enabled by the Address Resolution Protocol

    (ARP). This protocol, specified by RFC 826, provides the mechanism by which a host can map an IP

    address to a hardware address, as well as caching this information for efficiency.


    Why do we need ARP?

[Diagram: sending packets to hosts on the local subnet; sending packets to the local gateway (router); sending packets between adjacent gateways (routers).]

ARP provides a mechanism to determine the hardware addresses of hosts on the local network

Turning to the slide "Why do we need ARP?", we will examine exactly what the ARP protocol

    provides us. Whenever computers communicate, they transmit packets which must travel from one

    host to another host, usually via intermediate routers. While the IP address is used to route the packet

    to its final destination, the packets travel from intermediate hop to intermediate hop using Media

Access Control (MAC) addresses. To make a distinction: the IP address is a "logical" address; the

    MAC is more of a "hardware" address. ARP is concerned with mapping the "logical" address to the

    "hardware" address.

    To maximize efficiency, hosts maintain an ARP table that lists the local hosts that have been

communicating with it recently. The entries eventually time out if there is no communication with the

    host in a specified period.


    ARP Request

Initial ARP cache for host A (IP Address, MAC Address):

172.21.164.50 00:E0:29:3D:B0:4D

arp who-has 172.21.164.75 tell 172.21.164.140

[Diagram: hosts A (172.21.164.140), B (172.21.164.75) and C (172.21.164.110) on the same local network.]

The next slide is entitled "ARP Request". Host A wants to communicate with host B. Host A's

ARP cache does not contain an entry with B's IP address (172.21.164.75). Therefore, A broadcasts

    an ARP request seeking the information. This request is broadcast to all of the hosts on the local

    network, since A does not know which host has the IP address in question.


    ARP Reply

Updated ARP cache for host A (IP Address, MAC Address):

172.21.164.50 00:E0:29:3D:B0:4D

172.21.164.75 00:E0:29:44:48:82

arp reply 172.21.164.75 is-at 0:E0:29:44:48:82

[Diagram: hosts A (172.21.164.140), B (172.21.164.75) and C (172.21.164.110) on the same local network.]

Turning to the slide "ARP Reply", we can see how A's ARP request is answered. After seeing the

    ARP request for 172.21.164.75, host B sends an ARP reply to host A indicating that it is located at

    00:E0:29:44:48:82.

    When A receives this information it updates the ARP cache by adding an entry for 172.21.164.75.

    Now host A can send packets to host B. And as long as the entry remains in the cache, host A does

not need to issue any more ARP requests to send datagrams to host B because it now has the

    hardware address of host B. Host B also caches the information from host A about its IP address and

    MAC address.


    Malicious ARP packets

Updated ARP cache for host A (IP Address, MAC Address):

172.21.164.50 00:E0:29:3D:B0:4D

172.21.164.75 00:90:27:73:D1:31

arp reply 172.21.164.75 is-at 0:90:27:73:d1:31

[Diagram: hosts A (172.21.164.140), B (172.21.164.75) and C (172.21.164.110, MAC 00:90:27:73:D1:31) on the same local network; C sends the unsolicited reply to A.]

The next slide is "Malicious ARP Packets". By altering a host's ARP table, an attacker can alter

    the course that packets take. Although packets transmitted after the table alteration will contain the

    correct IP address, they will fail to reach the correct destination because their MAC address is wrong.

In the example shown on the previous slide, host A's ARP table contains an entry for host B. Host

C now sends out an unsolicited ARP reply to A stating that host B is at host C's MAC address (using

    the source IP address for B in the reply). Host A updates its ARP table, thinking that the information

    came from B. Now any packets that A tries to send to B will be redirected to Host C. In this

example, host C has launched a successful ARP spoofing attack against A. Host C can now exploit

    any trusted relations between hosts A and B.

    One saving note is that the ARP messages are only valid on the local network. They will not cross a

router. Therefore, to perform these malicious ARP spoofing attacks, the attacker must reside on the

    local network.
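As an added example (not code from the course notes), a Python monitor that applies the two warning signs above to tcpdump-style ARP lines: a reply that answers no request this host sent, and a reply that changes the MAC already cached for an IP address. The sample lines are the three ARP packets from the ARP Request, ARP Reply and Malicious ARP Packets slides as seen by host A; the `ArpMonitor` class and `replay` helper are this example's own names.

```python
import re

REQUEST = re.compile(r"arp who-has (\S+) tell (\S+)")
REPLY = re.compile(r"arp reply (\S+) is-at (\S+)")


def normalize_mac(mac):
    """tcpdump drops leading zeros (0:E0:29:...), so store every MAC as 00:e0:29:..."""
    return ":".join(part.zfill(2).lower() for part in mac.split(":"))


class ArpMonitor:
    """Watch ARP traffic from one host's point of view and flag replies it should distrust."""

    def __init__(self, my_ip, initial_cache=None):
        self.my_ip = my_ip
        self.cache = {ip: normalize_mac(mac) for ip, mac in (initial_cache or {}).items()}
        self.pending = set()   # IPs this host has asked about and not yet heard back on
        self.alerts = []

    def feed(self, line):
        """Process one tcpdump-style ARP line; return an alert string or None."""
        m = REQUEST.search(line)
        if m:
            target, asker = m.groups()
            if asker == self.my_ip:
                self.pending.add(target)
            return None
        m = REPLY.search(line)
        if not m:
            return None
        ip, mac = m.group(1), normalize_mac(m.group(2))
        reasons = []
        if ip not in self.pending:
            reasons.append("unsolicited reply")
        old = self.cache.get(ip)
        if old is not None and old != mac:
            reasons.append(f"MAC changed from {old}")
        self.pending.discard(ip)
        if reasons:
            # A host that trusted this reply would now send B's packets to the new MAC;
            # the monitor records the event instead of updating the cache.
            alert = f"{ip} is-at {mac}: " + ", ".join(reasons)
            self.alerts.append(alert)
            return alert
        self.cache[ip] = mac
        return None


# Constructed sample traffic: the three ARP lines from the ARP Request, ARP Reply and
# Malicious ARP Packets slides, seen by host A (172.21.164.140).
SAMPLE_LINES = [
    "arp who-has 172.21.164.75 tell 172.21.164.140",
    "arp reply 172.21.164.75 is-at 0:E0:29:44:48:82",
    "arp reply 172.21.164.75 is-at 0:90:27:73:d1:31",
]
INITIAL_CACHE = {"172.21.164.50": "00:E0:29:3D:B0:4D"}   # host A's cache before the exchange


def replay(lines=SAMPLE_LINES, my_ip="172.21.164.140", initial_cache=INITIAL_CACHE):
    """Feed the lines through a fresh monitor and return it for inspection."""
    mon = ArpMonitor(my_ip, initial_cache)
    for line in lines:
        mon.feed(line)
    return mon
```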


    ARP Theory Review

ARP cache maps IP addresses to MAC addresses

On physical networks, IP packets travel from hop to hop via MAC addresses

Many hosts accept unsolicited ARP replies, allowing spoofing attacks

Hosts cache ARP entries in a table for efficiency

ARP spoofing attacks can only be launched on the local network

Wrapping up this section with "ARP Theory Review", you've learned that ARP is the

    communication method used between IP addresses and MAC addresses. All IP datagrams are sent

    using MAC addresses. They are hardware addresses of the medium that the packet must travel over.

    Those sent outside the local network are set to the router hardware address.

    A host has no way of authenticating that ARP replies are genuine and is susceptible to accepting and

    caching MAC addresses that might not reflect the true host. ARP is a protocol that is limited to the

    local network and is not routable.


    IP Options

The next section begins with the slide "IP Options". The IP options are specified in detail in RFC

    791, Internet Protocol. They are appended to the end of the IP header and get processed by each

    router as the packet travels to its destination. As the Internet has grown, however, these options have

    become unnecessary. Processing IP options actually reduces the performance of a router because the

    options field is of variable length. Nevertheless, several of the options can be used in a malicious

    fashion to attack or gain reconnaissance on a network.

    By understanding how these options can be misused, an administrator can take proactive steps to

ensure that these malicious packets do not enter their networks. Secondly, they will be able to look

    for these packets to verify that their protective measures are configured correctly.


    What are IP options?

    Security

    Loose Source Routing

    Strict Source Routing

    Record Route

    Stream Identification

    Internet Timestamp

These options represent potential security holes that can be used to attack your network.

The next slide is "What are IP Options?". Initially these options were designed as an enhancement

to the IP protocol to perform specific functions and provide alternate methods of tracking and routing

packets. The IP Options are:

Security

Loose Source Routing

Strict Source Routing

Record Route

Stream ID

Internet Timestamp

The main options that we are interested in are the three highlighted in bold on the slide (Loose Source Routing, Strict Source Routing and Record Route). These are the options that deal

    with routing. Two of these options alter the normal path that a routed packet would take as it travels

    through a network, while the third option records the path that a packet takes. By altering the normal

    route, these options (if supported) can pose a tremendous risk to the security of the network by

    bypassing security mechanisms such as firewalls and Intrusion Detection Systems.


    IP Route Options

code length ptr IP Address #1 IP Address #2 IP Address #3 . . . IP Address #9

    Codes

    0x83 - Loose Source Route Option

    0x89 - Strict Source Route Option

    0x07 - Record Route Option

On the slide "IP Route Options" the format for the IP options that involve routing is displayed. The

"code" field defines the type of IP option that is being specified. The "length" field is used to determine

the number of IP addresses in the list. And finally, the "ptr" field references which IP address we are

currently at in the option list.

    For Loose Source Routing and Strict Source Routing, the initiating host must construct the whole IP

    routing list. Each gateway along the way inspects the list. If the pointer is greater than the length,

    then the list is exhausted and the gateway routes the packet to its destination. If not, the gateway

    fetches the IP address pointed to by the pointer, puts its own IP address in that field and routes the

    packet to the address it fetched from the list. Just like record route, when the packet reaches its

    destination, it has a list of IP addresses through which it traveled.

    For Record Route, the list is empty and accumulates IP addresses as the packet is routed across the

    network to its destination.


    Loose Source Routing

Loose source routing specifies only some of the intermediate hops on the route. The example illustrates a loose

source route through Y.

[Diagram: host A, routers R, P, Y and D, and destination host X. The normal route is shown alongside the path that must travel through router Y.]

The next slide is "Loose Source Routing". Loose source routing specifies a route that includes a list

of required nodes through which the packet must traverse. In the example shown, the option list

    will initially contain the IP address Y. The initiating host uses the option address Y as the destination

    address for the packet and places the address X on the option list.

    Loose Source routing refers to the fact that any number of intermediate routers may be traversed

    between the routers listed in the options list. In our example, the first hop does not happen to be Y.

    Instead, the packet must first go through P to reach Y. The packet will take whatever hops necessary

    to get from the source host A to the router Y and then from the router Y to the destination host X.


    Strict Source Routing

Strict source routing specifies a group of up to 9 intermediate routers, beginning at the source address, that the packets must traverse through.

The example illustrates a strict route through P, Y, D.

[Diagram: host A, routers R, P, Y and D, and destination host X, with the normal route shown for comparison.]

The next slide is "Strict Source Routing". Strict source routing specifies the exact route that a

    packet will travel between two hosts for up to the first 9 hops. In the example shown, the original

    option address list consists of P, Y, and D. The initiating host takes P and uses it as the address of

    the initial packet and places the true destination, X, as the last entry in the option address list, which

    then becomes Y, D, and X.

    As the packet is routed through the network, each router compares its address to the destination

    address of the packet. If they match, then the next address on the option list becomes the new

    destination and the ptr is incremented. If the addresses do not match, then the packet is dropped and

    an ICMP error message is returned to the initiating host.

    If the end of the option list is reached before the final destination is reached, then routing proceeds

    normally, until the final destination is reached.

    Strict Source routing refers to the fact that the list of routers must be followed exactly as specified in

    the option list without any intervening routers, until the list is exhausted.


    Record Route Option

[Diagram: host A, routers R, P, Y and D, and destination host X.]

The Record Route Option will collect the addresses of all of the routers that the packet went through.

The final option is covered by the slide labeled "Record Route Option". Unlike the previous IP

    options that we have discussed, the record route option does not alter the routing of the packet. It

    simply records the addresses of all of the routers that the packet travels through. This information

    represents extremely valuable reconnaissance information to an attacker.

    In the example shown on the slide, the IP option list will contain the following addresses that were

    discovered during its traversal from host A to host X: P, D, and R.


    Detecting Source Routing

    IP header is greater than 20 bytes

    IP option field has a hexadecimal value of:

    83: loose source routing

    89: strict source routing

    ip[0] & 0x0f > 5 and (ip[20] = 0x83 or ip[20] = 0x89)

    14:19:31.800000 1.2.3.4 > 192.168.5.5: icmp: echo reply (DF)

    4f00 0028 b5cb 4000 fe01 b229 0102 0304

    c0a8 0505 8327 0402 0304 0501 0101 0102 etc.

[Slide callouts mark the IP header length in the first byte, 4f, and the start of the IP options at the 83.]

Examine the next slide "Detecting Source Routing". First, we have to detect an IP header of greater

than 20 bytes. The IP header length is stored in the first byte of the IP header in the low order nibble.

Values are given in 32-bit words (4 bytes), so an IP header length of greater than 5 might indicate an IP

option. Next, we look at the first byte of the IP option field, which is found at offset 20 of the IP

header, immediately after the 20-byte fixed header. Specifically, if we find a value of 83 or 89 in that byte, we can assume we've got source

routing.

We see where we've detected some traffic that appears to be source routed. We have to dump the

tcpdump output in hexadecimal (-x option of tcpdump) to verify that this is the case. You see that the

IP header length is set to the maximum value of a hexadecimal f, which is decimal 15. So, we have a

header length of the maximum 60 bytes. We see that this is loose source routing because we find a

value of 83 in the IP options header.


    Source Route Exploit

[Diagram: a spoofing host sends traffic through router1, router2 and router3 to the target host, which sees what appears to be traffic from the trusted host.]

Let's take a look at one of the malicious uses of source routing on the slide "Source Route Exploit". In this slide, we've got a spoofing host sending traffic to a target host pretending to be a trusted host. Normally, if a spoofing host sends a bogus source IP number pretending to be a trusted host and the target host receives the traffic, any response will be sent back to the real trusted host. However, if source routing is allowed into the network of the target host, we have just managed to subvert dynamic routing and have dictated the path we want the datagram to take on its return trip, namely back to the spoofing host.

In this manner, we see that we can emulate a trusted host relationship with the target host. For instance, if the target host allows access based on trust, perhaps with no need for a password, we have just subverted that relationship. Obviously, this is something that you do not want to allow into your network. Most routers provide a command that disables the route options. For Cisco's IOS, the command is simply no ip source-route. Verifying that these options have been disabled is extremely important to the security of your network.

Some spoofing attacks can also be eliminated through the use of packet filters. Almost every router should contain a filter that drops any packets that are attempting to enter a network with a source address equal to one of the addresses that are part of the destination network. These packets have obviously been spoofed.
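The two checks described in the notes above, the header-length/option-type test for source routing and the ingress filter that drops packets whose source address belongs to the destination network, are shown below as an added Python example. This code is not part of the SANS course material; the packets it parses are constructed inline, and the option type values 0x83 (loose) and 0x89 (strict) are the hexadecimal 83 and 89 the notes refer to.

```python
# Added example (not from the SANS course material): detecting source-routed
# IPv4 datagrams the way the notes describe (IHL > 5, option type 0x83 = LSRR
# or 0x89 = SSRR) and applying the anti-spoofing ingress filter from the notes.
# The sample packets below are constructed for this example.
import ipaddress
import struct

LSRR = 0x83  # loose source and record route
SSRR = 0x89  # strict source and record route


def source_route_option(packet: bytes):
    """Return (kind, [hop addresses]) if the IPv4 header carries an LSRR or
    SSRR option, otherwise None.  Only the fixed header plus options is read."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = packet[0] & 0x0F              # low-order nibble, in 32-bit words
    if ihl <= 5:
        return None                     # no options present
    options = packet[20:ihl * 4]        # option bytes start at offset 20
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                   # end of option list
            break
        if kind == 1:                   # NOP, a single byte
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break                       # malformed option; stop parsing
        if kind in (LSRR, SSRR):
            route = options[i + 3:i + length]   # after kind, length, pointer
            hops = [str(ipaddress.IPv4Address(route[j:j + 4]))
                    for j in range(0, len(route) - len(route) % 4, 4)]
            return ("loose" if kind == LSRR else "strict", hops)
        i += length
    return None


def is_spoofed_ingress(packet: bytes, internal_nets) -> bool:
    """Ingress filter: a packet arriving from outside whose source address
    belongs to one of our own (destination-side) networks has been spoofed."""
    src = ipaddress.IPv4Address(packet[12:16])
    return any(src in ipaddress.IPv4Network(n) for n in internal_nets)


def build_packet(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed minimal IPv4 header (no payload) with the given options,
    padded to a 32-bit boundary.  The header checksum is left at zero."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                         0, 0, 64, 6, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + options


def lsrr_option(hops) -> bytes:
    """Constructed LSRR option: kind, length, pointer (4 = first address)."""
    route = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([LSRR, 3 + len(route), 4]) + route


if __name__ == "__main__":
    normal = build_packet("198.51.100.7", "192.0.2.10")
    routed = build_packet("192.0.2.20", "192.0.2.10",
                          lsrr_option(["203.0.113.1", "203.0.113.2"]))
    print(source_route_option(normal))                   # None
    print(source_route_option(routed))                   # ('loose', [...])
    print(is_spoofed_ingress(routed, ["192.0.2.0/24"]))  # True
```

The option walk stops at the first malformed length rather than trusting it, which matters for a filter that sees hostile input; the spoof check reads only the source address field, so it works on the same raw header bytes.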

8 - 26

IP Options Review

IP options are rarely used legitimately

IP options can be used to record the path that a packet takes

IP options can be used to alter the routing of a packet

Correct router configuration can stop these packets

To briefly wrap up what we've learned in this section, turn to "IP Options Review". IP options were used at one time to help debug the Internet, to verify that traffic was traveling the way it was supposed to. But today they are used more for malicious purposes and are considered dangerous if allowed into your networks. They can record the routes of a packet traveling into your network and enable someone to learn about your internal architecture.

More threatening yet is the ability to source route traffic. This means that normal dynamic routing will be pre-empted so that spoofed traffic can purport to be from one source IP yet be returned to an entirely different IP, that of a hostile host. Disallow source routed traffic into your network.

8 - 27

Dynamic Routing Protocols

In our next section, "Dynamic Routing Protocols", we begin our examination of the routing decisions encountered when packets must travel beyond the local network.

Routing protocols are divided into two major categories: Interior Gateway Protocols (IGPs) and Exterior Gateway Protocols (EGPs). The Interior Gateway Protocols are designed to support routing packets within a network which is under the same administration, also known as an Autonomous System, whereas the Exterior Gateway Protocols are designed to operate when packets must traverse multiple autonomous systems.

Autonomous System - A network of routers that all fall under the same administrative control.

8 - 28

Interior Gateway Protocols

[Figure: three routers inside a single administrative domain, labelled "Interior Gateway Protocols [Autonomous System (AS)]"]

Our first major category of routing protocols is portrayed by the slide "Interior Gateway Protocols". These routing protocols are designed to operate in an environment in which all of the routers are controlled by a single administrative authority, also known as an Autonomous System (AS).

These Interior Gateway Protocols fall into two general categories based on how they construct their routing tables. These two categories are Distance Vector protocols and Link State protocols. Distance Vector protocols are based on the concept of hop counts. They construct routes using a shortest path computation algorithm. Link State protocols operate in a more centralized fashion and maintain a database that can build all of the routes for their section of the network, known as an area.

Convergence - the knowledge required to reflect an accurate, consistent view of a changed network topology.

8 - 29

Distance Vector Routing Protocols

Protocols

RIP

Version 1 [Uses UDP port 520]

Version 2 [Uses UDP port 520]

Interior Gateway Routing Protocol (IGRP) [Uses IP Protocol 9]

Enhanced IGRP (EIGRP) [Uses IP Protocol 88]

Characteristics

Routing information exchanged in periodic updates

Relatively slow convergence

Routing based on hop counts

The slide "Distance Vector Routing Protocols" outlines some of the major characteristics of Distance Vector protocols, along with specifying some of the major protocols that fall into this category. Basically, Distance Vector algorithms base their routing calculation on the number of hops between networks. Note: a hop count is roughly equivalent to the number of intermediate routers between the networks. Each router constructs routes based on hop counts covering the network nodes that it knows how to reach. These routes are then broadcast to its direct neighbors. The neighbor routers then adjust their routes and pass this information to their neighbors. Eventually, the changes are propagated, hop by hop, across the network until all of the routers converge on a stable routing configuration. Each time network connectivity changes or links go down, this process is repeated. This propagation of changes is one of the main reasons that distance vector routing protocols are characterized by slow convergence times.

The Routing Information Protocol (RIP) is the most widely used Interior Gateway Protocol. RIP is a very simple protocol, which requires very little configuration and is supported by essentially every device.

Each of these protocols incorporates specific features that improve its performance and operational characteristics. Our focus, however, will be on the security strengths and weaknesses related to this class of routing protocols.

8 - 30

Link State Routing Protocols

Protocols

Open Shortest Path First (OSPF) [Uses IP Protocol 89]

Intermediate System-Intermediate System (IS-IS)

Characteristics

Relatively fast convergence

Each router maintains route table for entire network

Flooding of routing updates

With the slide "Link State Routing Protocols" we begin our discussion of the second major class of Interior Gateway Protocols. Link State routing protocols operate in a more centralized fashion, relying on a flooded distribution mechanism. Instead of exchanging distances to destinations, the nodes use flooded link state messages to maintain a map of the network that can be quickly updated after any change in the network topology. These networks are also usually broken down into a set of areas, each of which comprises a separate network map. These areas are joined by a contiguous backbone area.

Unlike distance vector protocols, the convergence of these protocols is quick due to the flooded update mechanism.

8 - 31

Comparison of Protocols

Distance Vector                                      | Link State
Views network topology from neighbors' perspective   | Gets common view of entire network topology
Adds hops from router to router                      | Calculates the shortest path to other routers
Frequent, periodic updates: slow convergence         | Event-triggered updates: faster convergence
Passes copies of routing table to neighbor routers   | Passes link state routing updates to other routers

In an attempt to contrast the distance vector and link state protocols, turn to the slide "Comparison of Protocols". Distance vector protocols get a perspective on the network by receiving and processing routing tables from their neighbors. Computation of the best routes is done by adjusting the hop count as routing tables are received from other routers. Updates for changes are periodic and need to be passed from router to router, so convergence is slower.

Link state routers obtain a wide view of the entire network topology by maintaining a database of routing information. Each router calculates its own shortest path to destinations. Updates are triggered by network topology changes and convergence time is quicker.

8 - 32

Distance Vector Security Mechanisms

RIP Version 2 (RFC 2453)

Provides password authentication

RIP-2 MD5 Authentication (RFC-2082)

Provides MD5 authentication

EIGRP

Provides password authentication

Provides cryptographic authentication using MD5 checksums.

The next slide, "Security Mechanisms", will illustrate some of the measures that have been taken to secure Distance Vector protocols. The initial distance vector protocols, which originated in the late 1980s (RIPv1 and IGRP), were not very secure. As time progressed, however, newer versions of these protocols were hardened to help protect them from attack.

The first measure taken was the addition of password authentication. These passwords were still subject to being captured by a network sniffer. This led to the addition of cryptographic support. Now, the popular distance vector protocols all provide a cryptographic method of securing routing messages using MD5 checksums. An MD5 checksum is the result of an algorithm applied to the data that returns a fixed-length value. This is used in conjunction with some kind of shared key. If the data has not been changed in transit, then the MD5 checksum computed by the receiving host should be the same as that computed by the sending host.

8 - 33

Link State Security Mechanisms

OSPF

All records are protected by a checksum

The messages can be authenticated

0: No Authentication

1: Simple Authentication

2: Cryptographic Authentication

Our next slide, "Security Mechanisms", begins our discussion of the measures taken to secure the Link State protocols. This discussion will focus on OSPF, the most popular link state protocol.

To address the security concerns, the OSPF protocol is designed to provide the network administrator with the capability to secure the router's OSPF messages. Many of these mechanisms are not foolproof. The checksum value is mainly used to verify that the packet has not been corrupted in transit. An authentication algorithm must be used to provide any actual protection against attackers.

Using simple password authentication provides minimal protection since the password traverses the network in the clear. Using a network sniffer, someone can retrieve the password and generate forged packets.

To provide the most protection available, the third option, which uses cryptographic techniques, should be used. By employing cryptographic checksums and a sequence number, this option protects against forged messages and replay attacks.

Although the cryptographic option is the most secure, it does involve some extra work. The secret keys must be maintained and updated periodically.
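The keyed-MD5 scheme described on this slide and the previous one (a digest over the message plus a shared secret, combined with a sequence number so that a captured message cannot be replayed) is shown below as an added Python example. It is not code from the SANS course: it follows the shape of RIP-2 MD5 authentication and OSPF cryptographic authentication, where the digest is MD5 over the message followed by the secret, but uses a simplified, constructed message layout rather than either RFC's wire format.

```python
# Added example (not from the SANS course material): keyed-MD5 authentication
# of routing updates in the style of RIP-2 MD5 (RFC 2082) and OSPF type 2
# authentication.  digest = MD5(message || shared secret); a strictly
# increasing per-peer sequence number rejects replays.  The message layout
# (sequence number || payload || digest) is simplified and constructed here.
import hashlib
import hmac
import struct

DIGEST_LEN = 16


def sign_update(payload: bytes, seq: int, key: bytes) -> bytes:
    """Return seq || payload || MD5(seq || payload || key)."""
    body = struct.pack("!I", seq) + payload
    return body + hashlib.md5(body + key).digest()


class Receiver:
    """Verifies digests and enforces an increasing sequence number per peer."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}       # peer -> highest sequence number accepted
        self.reason = None       # why the last message was accepted or rejected

    def accept(self, peer: str, message: bytes):
        """Return the payload if the message is authentic and fresh, else None."""
        if len(message) < 4 + DIGEST_LEN:
            self.reason = "too short"
            return None
        body, digest = message[:-DIGEST_LEN], message[-DIGEST_LEN:]
        expected = hashlib.md5(body + self.key).digest()
        if not hmac.compare_digest(digest, expected):
            self.reason = "bad digest"   # forged, tampered, or wrong key
            return None
        seq = struct.unpack("!I", body[:4])[0]
        if seq <= self.last_seq.get(peer, -1):
            self.reason = "replay"       # this or a newer number already seen
            return None
        self.last_seq[peer] = seq
        self.reason = "ok"
        return body[4:]


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    rx = Receiver(key)
    msg = sign_update(b"10.1.0.0/16 metric 2", seq=1, key=key)
    print(rx.accept("routerA", msg), rx.reason)        # payload, ok
    print(rx.accept("routerA", msg), rx.reason)        # None, replay
    forged = sign_update(b"10.1.0.0/16 metric 1", 2, b"wrong-key")
    print(rx.accept("routerA", forged), rx.reason)     # None, bad digest
    tampered = msg[:-DIGEST_LEN].replace(b"metric 2", b"metric 1") + msg[-DIGEST_LEN:]
    print(rx.accept("routerA", tampered), rx.reason)   # None, bad digest
```

The digest check runs before the sequence check, so a tampered message is reported as a bad digest rather than a replay; the "extra work" the notes mention is visible in the constructor, which is where the shared key has to be provisioned and, over time, rotated.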

8 - 34

Exterior Gateway Protocols

[Figure: four Autonomous Systems (AS), each containing interior routers and a border router; Exterior Gateway Protocols run between the border routers]

The slide "Exterior Gateway Protocols" symbolizes the environment that Exterior Gateway routing protocols are designed to operate in. These protocols serve as the glue to tie separate Autonomous Systems into a single network in which all of the computers on the network can interact seamlessly with each other.

Originally a protocol named Exterior Gateway Protocol (EGP) was developed to operate in this environment. At its inception in 1983, it operated quite well. As the Internet grew, however, the environment placed excessive stress on the EGP protocol. The main limiting factors were:

1) It was highly susceptible to false information. An EGP router could incorrectly advertise lower-cost routes for destinations that were not even part of its Autonomous System, and its neighbors would gladly accept the information and begin using it to make routing decisions.

2) It needed to be capable of supporting more complex topologies. EGP assumed that the topology was tree-structured with a single core. The Internet did not evolve into this structure.

These limitations prevented EGP from thriving. Currently the recommended protocol for exchanging information between ASs is the Border Gateway Protocol (BGP).

8 - 35

    Border Gateway Protocol

    Characteristics

Each BGP server maintains a route table consisting of every possible external address

    Protocol used for the backbone of the Internet

    Route aggregation is used to reduce the size of routing tables

    Protocol transmits messages using the TCP protocol

    BGP is assigned TCP port 179

The slide "Border Gateway Protocol" begins our discussion of BGP, the recommended choice with respect to Exterior Gateway Protocols. Currently BGP provides the routing protocol that supports the current Internet backbone.

BGP servers on the Internet backbone must maintain routing tables that include all of the external addresses on the Internet. As our historical figures indicated, this was already exceeding 65,000 by 1999. To efficiently handle these large quantities of external route entries, BGP incorporated several useful features. One of the most important features was route aggregation. With the advent of the Classless Inter-Domain Routing architecture, when companies need IP addresses they are given a contiguous block of class C addresses. Route aggregation allows the BGP server to consolidate those contiguous class C addresses into a single external route. This cuts down dramatically on the number of external routes that a BGP server needs to maintain.

8 - 36

    Security Concerns

    A BGP server is a prime target for attack

    SYN flooding attacks against server

    RST attack attempting to break down connection to server

    Data insertion attacks attempting to forge packets in the TCP stream

    Hijacking attacks attempting to gain control of the TCP connection

Next we turn to the slide "Security Concerns" to examine the potential security concerns related to BGP. The BGP servers enable the routing of all packets that are destined outside of the local Autonomous System (AS). They sit at the edge of the AS and only deal with packets that are entering or leaving the AS. An AS usually only has one BGP server connecting itself with the rest of the network. If that server goes down, either accidentally or maliciously, the outage can be quite extensive. Therefore, the BGP servers need to be protected against attack.

The TCP connections that BGP servers maintain with their neighbors provide a potential target for attackers and other malevolent parties. Several attacks have been developed which attack the TCP protocol. These attacks can be utilized against the BGP server connections as well. These attacks are:

SYN flooding

RST attacks

DATA insertion attacks

Session Hijacking attacks

8 - 37

    Security Mechanisms

    TCP MD5 signature option (detailed in RFC-2385)

    Password mechanism

    Provides minimal protection

    Hastily deployed to protect against TCP attacks

    Judged weak by security experts against concerted attacks

    Does not prevent the TCP protocol attacks

The slide "Security Mechanisms" illustrates some of the security measures that have been added to BGP to secure the transmission of BGP control messages. Earlier versions of BGP (prior to version 4) provided password authentication capability. These passwords, however, were transmitted across the network in the clear. Anyone with access to the network could use a sniffer to capture these passwords. Furthermore, the password authentication did not prevent the TCP protocol attacks that have arisen. Realizing that attacks on the BGP server connections could have very nefarious consequences, the TCP MD5 Signature Option (RFC-2385) was hastily developed. This modification to BGP represented an attempt to establish a cryptographic mechanism that could secure the BGP TCP connections from attack. It implemented an MD5 checksum at the TCP layer to validate the packets.

By implementing the MD5 signature option, the level of protection is dramatically increased compared to the simple password authentication. This option, however, is not without its flaws. In fact, security experts have stated that the algorithm contains security weaknesses against a concerted attack.

8 - 38

Routing Protocols Review

Interior Gateway Protocols govern the routing of packets in a single Autonomous System

Exterior Gateway Protocols govern the routing of packets across multiple Autonomous Systems

Interior Gateway Protocols fall into two general classifications:

Distance Vector Routing Protocols

Link State Routing Protocols

The current Internet backbone uses BGP

Let's recap what has been covered in the "Routing Protocols Review" section. Basically, there are two types of routing protocols. One type manages the routers within a given autonomous system; these are known as Interior Gateway Protocols. Within this group we have two different types of protocols: 1) distance vector routing protocols that use hop counts to discover the best route, and 2) link state routing protocols that use individual links to adjacent routers to find the best route.

The second major group of routing protocols manages routing across autonomous systems; this group is known as the Exterior Gateway Protocols. For both the interior and exterior protocols there are weaknesses with exchanges of information. Servers that maintain exterior routes can be targets of hostile activity just because they maintain so much important information.

8 - 39

Multicast Routing

[Figure: a server at the upper left sends to hosts reached through four routers]

The "Multicast Routing" slide illustrates a simple multicast routing example. The server at the upper left of the slide wants to broadcast information to all of the other hosts. To transmit this information using unicast, the server would have to transmit the information 7 times, once to each destination host. As the number of receiving hosts grows, this obviously uses a large amount of network bandwidth. By transmitting the information using Multicast Routing, the server simply sends the data to the correct multicast address. This information is then broadcast across the network by the various routers and each host receives the information. This is obviously a preferable solution when the groups or the amount of data are large.

But what is driving the need for robust Multicast Routing protocols? The answer is simple. The demand for multimedia streaming applications (both audio and video), distributed conferences, and large-scale gaming sessions on the Internet continues to increase.

8 - 40

    Multicast Addresses

    Composed of Class D IP addresses:

    High-Order four bits of address are 1110 (1110 0000 = 224)

    Range from 224.0.0.0 to 239.255.255.255

    224.0.0.0 is never assigned to a group

    224.0.0.1 is permanently assigned to group composed of all IP hosts

The slide "Multicast Addresses" defines the range of numbers which can be used for multicast groups. The multicast group addresses are taken from the class D address space, meaning that the four high-order bits are 1110. This means that the lowest multicast address starts with 11100000, which is 224. By the same process, the highest multicast address starts with 11101111, which is 239. This leads to an address space of 224.0.0.0 through 239.255.255.255. The address 224.0.0.0 is never to be assigned to a group. And the address 224.0.0.1 is permanently assigned to the group represented by all of the IP hosts (including gateways). It is used to address all of the multicast hosts on the directly connected network. The addresses of any other well-known permanent groups are listed in the Assigned Numbers RFC 1700.

Some other permanently assigned multicast addresses:

224.0.0.9 : All RIPv2 routers

224.0.0.10 : All IGRP routers

224.0.1.1 : Network Time Protocol (NTP)

224.2.0.0 - 224.2.255.255 : Multimedia Conference Calls

8 - 41

IGMP

IGMP Message Format

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Msg. Type   | Max Resp Time |           Checksum            |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                         Group Address                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

IGMP messages use IP Protocol 2

IGMP is defined by RFC 1112

The next slide, titled "IGMP", begins our discussion of the Internet Group Management Protocol (IGMP). This protocol is an integral part of IP, similar to ICMP. In order for a host to receive IP multicasts, it must implement IGMP.

IGMP messages are encapsulated in IP packets that contain an IP protocol number of 2. These messages are used to join and leave multicast groups. The messages basically inform the routers that the hosts are interested in a particular IP multicast group. The routers then know which networks need to receive which IP multicast data. If no one on a network has joined a particular multicast group, then the router does not need to transmit that multicast traffic.
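The message layout on the IGMP slide and the class D range defined on the "Multicast Addresses" slide can be exercised together in a small parser. The Python below is an added example and not code from the SANS course: it decodes the 8-byte header (type, max response time, checksum, group address), verifies the Internet checksum, and rejects a group address that is not class D. The type values are those of IGMPv2 (RFC 2236), which is the layout with a max response time field that the slide shows; the sample messages are constructed inline.

```python
# Added example (not from the SANS course material): parsing the IGMP message
# layout shown on the slide, verifying the Internet checksum, and checking that
# the group address is a class D (multicast) address.  Type values are those of
# IGMPv2 (RFC 2236); the sample messages are constructed for this example.
import ipaddress
import struct

IGMP_TYPES = {0x11: "membership query", 0x12: "v1 membership report",
              0x16: "v2 membership report", 0x17: "leave group"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                          # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def is_multicast(addr: str) -> bool:
    """Class D: high-order four bits 1110, i.e. 224.0.0.0 - 239.255.255.255."""
    first_octet = ipaddress.IPv4Address(addr).packed[0]
    return first_octet >> 4 == 0b1110


def build_igmp(msg_type: int, max_resp: int, group: str) -> bytes:
    """Constructed 8-byte IGMP message with a correct checksum."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0,
                       ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]


def parse_igmp(message: bytes) -> dict:
    """Decode the fixed 8-byte header; raise ValueError on bad checksum or group."""
    if len(message) < 8:
        raise ValueError("IGMP message shorter than 8 bytes")
    if internet_checksum(message[:8]) != 0:     # sum over the whole header must be 0
        raise ValueError("bad IGMP checksum")
    msg_type, max_resp, checksum, group = struct.unpack("!BBH4s", message[:8])
    group = str(ipaddress.IPv4Address(group))
    # A general query carries 0.0.0.0; every other message names a class D group.
    if group != "0.0.0.0" and not is_multicast(group):
        raise ValueError("group address %s is not a multicast address" % group)
    return {"type": IGMP_TYPES.get(msg_type, "unknown 0x%02x" % msg_type),
            "max_response_time": max_resp, "checksum": checksum, "group": group}


def is_valid_igmp(message: bytes) -> bool:
    """True if parse_igmp accepts the message, False on any decoding error."""
    try:
        parse_igmp(message)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    report = build_igmp(0x16, 0, "224.0.0.9")   # join the all-RIPv2-routers group
    print(report.hex())                         # 160009f6e0000009
    print(parse_igmp(report))
    print(parse_igmp(build_igmp(0x11, 100, "0.0.0.0")))   # general query
```

Validating the checksum by summing the header with its checksum field in place (the result must be zero) is the same test the receiving IP stack performs, so a sensor that decodes IGMP this way discards corrupted or truncated messages before acting on their group addresses.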

8 - 42

    IP Routing Quiz

1. By accepting unsolicited ARP replies, many operating systems are susceptible to ARP spoofing (T/F).

2. The ARP protocol provides a mechanism to associate IP addresses with MAC addresses (T/F).

3. The IP address for the local host is 127.0.0.1. (T/F)

4. Static host routing is used to send traffic between independent autonomous systems. (T/F)

5. Initial routes for a host's routing table are generally populated as the host is booting or by ICMP Router Discovery Protocol. (T/F)


8 - 43

    IP Routing Quiz (2)

6. Static routing tables normally change frequently. (T/F)

7. Allowing source routed packets into your network is not a security risk. (T/F)

8. ARP poisoning can allow a non-trusted host to act as a trusted one. (T/F)

9. There are two types of source routing: loose and strict. (T/F)

10. There is no way to detect source routing. (T/F)


8 - 44

    IP Routing Quiz (3)

11. There is no way to block source routing. (T/F)

12. An autonomous system is a network of routers that fall under the same administrative control. (T/F)

13. Interior Gateway Protocols are designed to support routing between multiple autonomous systems. (T/F)

14. Exterior Gateway Protocols are designed to support routing between multiple autonomous systems. (T/F)

15. One of the problems of using password authentication between communicating routers is they can be sniffed if they are in clear text. (T/F)


8 - 45

    IP Routing Quiz (4)

16. A command that can be used to see the local routing table is:

a) netstat -r -n

b) tcpdump

c) ARP

d) no ip source-route

    17. A default route is placed in the routing table to:

    a) send traffic to the local host

    b) send traffic to a default router to forward it closer to the destination

    c) send traffic to the host via ARP

    d) send traffic to a host without a cached ARP entry


8 - 46

    IP Routing Quiz (5)

    18. Static routes are changed by the following:

    a) ICMP redirects and ICMP Router Discovery Protocol

    b) RIP

    c) OSPF

    d) BGP

    19. An ICMP redirect tells a host to:

    a) send no more data

    b) change the routing protocol from RIP to OSPF

    c) change the routing protocol from OSPF to RIP

    d) use a more optimum route


8 - 47

    IP Routing Quiz (6)

    20. Hosts which accept ICMP routing messages are susceptible to:

    a) SYN floods

    b) ARP poisoning

    c) man-in-the-middle and DoS attacks

    d) DNS poisoning

    21. ARP is necessary because:

a) the IP layer uses IP addresses and the link layer uses MAC addresses to communicate

    b) we are running out of IP numbers

    c) we are running out of MAC addresses

    d) telnet requires MAC addresses for destination addresses


8 - 48

    IP Routing Quiz (7)

    22. Interior Gateway Protocols are between:

    a) routers within an autonomous system

    b) routers between autonomous systems

    c) link state routers only

    d) distance vector routers only

    23. Exterior Gateway Protocols are between:

    a) routers within an autonomous system

    b) routers between autonomous systems

    c) link state routers only

    d) distance vector routers only


8 - 49

    IP Routing Quiz (8)

24. Distance vector protocols like RIP use the following to calculate distances:

    a) hops

    b) time in seconds

    c) type of service preference

    d) collision rates

    25. Border Gateway Routers are primary attack targets because:

    a) they are susceptible to ICMP redirect attacks

    b) they are susceptible to ICMP router discovery attacks

c) they are susceptible to denial of service, data insertion and hijacking attacks

    d) they are susceptible to DNS poisoning attacks


8 - 50

    IP Routing Quiz (9)

    26. ARP poisoning is:

    a) flooding a host with ARP requests

    b) flooding a host with ARP replies

c) fooling a host into accepting a false IP address and MAC address pair

    d) flooding the ARP cache

    27. Which of the following is true with source routing:

    a) destination hosts are often spoofed

    b) dynamic routing is used for all hops

c) a source IP can be spoofed and return traffic can be sent to the spoofer

    d) an infinite number of routers to be traversed can be specified


8 - 51

    IP Routing Quiz (10)

    28. A way to detect source routing is:

    a) it cannot be detected

    b) examine the IP header for a length of greater than 5 (32 bit words)

    c) examine the IP header for a length of 83

    d) examine the IP header for a length of 89

    29. One of the uses of source routing is:

    a) impersonate as a trusted host

    b) poison the ARP cache

    c) avoid the use of ARP all together

    d) record the packet route


8 - 52

    IP Routing Quiz (11)

30. A man-in-the-middle attack that can be achieved by corrupting routes can:

    a) poison the ARP

    b) SYN flood the target

    c) examine outbound traffic and sniff or alter the contents

    d) alter the routing protocol from IGP to EGP

    Answers:

    1) T 16) a

    2) T 17) b

    3) T 18) a

    4) F 19) d

    5) T 20) c

    6) F 21) a

    7) F 22) a

    8) T 23) b

    9) T 24) a

    10) F 25) c

    11) F 26) c

    12) T 27) c

    13) F 28) b

    14) T 29) a

    15) T 30) c


    IP Routing SANS 2000- 2003 53

    Course Revision History

    v1.0 Jean Triquet

    v.1.1 edited by S. Northcutt 23 Oct 2000

    v.1.2 edited by J. Novak 25 Dec 2000

    v1.3 J. Kolde, formatting changes 22 Jan 2001

    v1.4 J. Novak deleted a multicast slide 23 Feb

    v1.5 J. Novak Source routing changes per student feedback 17 Jun 2001

v1.6 edited by J. Novak 6 July 2001

v1.7 edited and audio recorded by C. Wendt 16 July 2001

v.1.7 Slide 26 per Stephen added word legitimately at end of first slide bullet, Slide 29 reference of IGRP to protocol 88 changed to protocol 9 - Sep 2002

v.1.8 Slide 1 changed reference to webcast to section, slide 4 local routing table deleted reference to Netscape in paragraph 3, slide 5 static routing decisions added word destination in first two bullets of slide, slide 7 how are routes changed added 2 final sentences to last paragraph of notes, slide 8 redirect changed picture, slide 32 last paragraph in notes altered. 9 Nov 2002

v.1.9 J. Novak. slide 2 changed text under ARP in slide, slide 9 added another paragraph to notes. Feb 2003

v.1.10 J. Novak Mar 2003 Slide 31 changed notes page sentence per student feedback.