Category Archives: Network

Distance vector vs. Link state routing protocols

Leave a reply

Routing protocols are very important for a network to function. How would a router know

signpost

where to send a packet if there was no routing protocol. A network admin would have to configure this all by hand. Just imagine the administrative burden for a network with more than 10 routers…

 

There are several different routing protocols. These protocols can be divided into two categories (some might argue about this, but these two categories, at least, everybody agrees on). These categories are ‘Distance Vector’ and ‘Link State’. But what’s the difference between the two and which should you be using in your network?

Continue reading

ERSPAN on Cisco Nexus

Leave a reply

Most network admins are familiar with span and rspan which makes it possible to troubleshoot traffic flowing through your switches.

The Nexus switches however, do not support rspan. This makes troubleshooting a switch a tad more difficult. Luckily they do support ERSPAN. ERSPAN stands for Encapsulated Remote Span. It makes span possible using a GRE tunnel to any routable address. This is even better that rspan!

What makes it even more usable is that the newest versions of wireshark natively support erspan. You can send all the span data to your own pc and analyze it from there.

To configure erspan you can use the following guide:

http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/system_management/configuration/guide/sm_erspan.html

Kickstarting CentOS using PXE

Leave a reply

There are many tutorials online for kickstarting a linux server, but they all cover part of the whole process. I’ll attempt to cover it all here.

First off, I’ll tell you my setup. I wanted to use PXE, kickstart and a local mirror to be able to install a lot of computers simultaniously. However, to be able to do this I tested the installation in Virtualbox with a virtual machine. Both my server and client are virtual. Second I would like to say that I’m a debian minded person. However, CentOS was required for this setup, so here we go.

One of the things I encountered was a VM which did not do any DHCP. The key here was that you need to select the right network adapter for the VM. I used the network bridge adapter which was virtualised as a PCnet-Fast III. Some others might work, but this one did it for me.

On your server you will need some software packages to be installed:

yum install httpd system-config-kickstart dhcp tftp-server syslinux

It’s possible that some are already installed. system-config-kickstart installes a gui kickstart editor. When your server doesn’t have a gui it’s useless. However, if it does, it’s easier to make a kickstart file with it.

As I also wanted a local yum repository I needed to sync a remote repository. This is not really neccesary, but when using this setup in an offline environment you’ll need it. Bear in mind that a repository for a single release is about 25GB.

rsync -avrt --delete --exclude "local*" --exclude "isos" \
rsync://mirrors.rit.edu/centos/6.2 /usr/local/share/CentOS/

This is going to take a while, but while it is syncing you can continue with the other configuration tasks.

Continue reading

IPv6 security part 2, Duplicate Address Detection

Leave a reply

DAD, or Duplicate Address Detection is a mechanism used by IPv6 autoconfiguring hosts to determine whether the IP address they want to use is available. This prevents IP address conflicts and ensures the proper functioning of the network.

DAD works as follows:

  • The host that wants to use address A sends a so called ‘DupAddrDetectTransmits’ message to address A.
  • The host wanting to use address A waits for a specific time before assuming that address A is available.
  • If the host does not receive a neighbor advertisement using address A within the specified time it begins using address A

The attack on DAD is a simple Denial of Service attack. When replying to every DAD packet saying you use the address you effectively shut out the system from the network. So what can be done to counter these kinds of attack? Once again SeND might offer a solution.

In the SeND implementation public key cryptography is used to verify the ownership of an IP address. How does this work?

As some of you might know, public key cryptography is based on a public and a private key. The public key is known to everybody whereas the private key is only known to yourself. In this case the IP address is the public key.

The process goes as follows:

  • PC A uses its private key to sign the NDP packet.
  • PC A sends the packet to PC B
  • PC B uses the IP address of PC A to verify the signature of the NDP packet
  • If the verification succeeds PC B knows for sure that PC A owns that IP address.

Unfortunately, as stated before SeND is not widely implemented, so we have to make do with other measures. One of these measures is using a DAD proxy. This should be implemented on the switch. The switch gleans into the traffic to determine where specific addresses reside. Depending on the switch’s settings it can do various things:

  • Report suspicious behavior
  • Block traffic on a specific port

DAD gleaning on a switch might best be compared to normal DHCP snooping in combination with mac address filters.

IPv6 Security part 1, Router Advertisements

Leave a reply

This is the first part of a series on IPv6 security. As the IPv4 address space is nearly exhausted more and more companies are looking at IPv6. However, whenever a ‘new’ protocol is implemented there is a big chance of security issues arising. Moreover, as IPv6 is likely to be one of the most fundamental changes to the Internet and network world in the last 30 years and probably many years to come it is important to do it right.

IPv6 is not a new protocol. It has been defined in 1998 in RFC 2460. Back in 1998 some of the common attacks we see nowadays weren’t known. Therefore most of these attacks are applicable to IPv6 as well as IPv4.

In this first part I would like to discuss Router Advertisements (RA). To be able to understand the problem with RA you would first need to know what they are. A router advertisement is a message which is sent by the routers on the network. These messages contain vital information required by network hosts to be able to use the network. For example, a RA contains network information required by hosts to assign themselves an IP address. This is a method of configuring clients without the need for a DHCP server.

One of the most important features of a router advertisement is that it announces the router itself. Clients use this information to send data off-network, thus enabling them to participate in the bigger whole of the network and the Internet. In other words, a RA contains the default gateway for the network.

One of the biggest problems with router advertisements is that any host can send them, thus creating the possibility for a man-in-the-middle attack. When a bad person wants to inspect all the traffic you send over the Internet he can send a false router advertisement reconfiguring your computer to send all data to him. This is possible because router advertisements are not validated and the last received advertisement is assumed to be the correct one. (Note, this attack is nothing else than a rogue DHCP server on IPv4, with the exception that in the IPv4 case you need to be the first instead of the last)

So, what can we do about this? Well, the best way would be validating the router. When you can be sure the RA originated by the real and trusted router on the network you can trust it. In 2005 a standard was specified that achieves just that (among other things). It is called SeND (Secure Neighbor Discovery) and is defined in RFC 3971. It has been implemented by Cisco, but unfortunately nobody else. Another option is to implement the same techniques used to prevent rogue DHCP servers, configure on which switchport resides a router and allow router advertisements only from that specific port (called RA guard, documented in RFC 6105. This mitigates the possible attack on a wired lan and is currently implemented by most (but not all!) big network companies like Cisco.

However, this solution requires you to use a real switch with support for this option. Hubs are not allowed. This gives rise to another question, how do you protect wireless users from this attack? Unfortunately without SeND this becomes quite difficult. The thing you have to do is separating the clients from each other so that they can’t see each others traffic. However this is difficult in a wireless lan as it’s a shared medium. One could choose to create separate IPSec tunnels between the host and a trusted endpoint. In that case even if a hacker manages to insert itself as router in between the traffic flow, all traffic would be encrypted. Limiting the use the attacker has on the data.