Presentation is loading. Please wait.

Presentation is loading. Please wait.

How to Secure Routing Header for Segment Routing?

Published byCarmel Hines Modified over 5 years ago

Similar presentations

Presentation on theme: "How to Secure Routing Header for Segment Routing?"— Presentation transcript:

1 How to Secure Routing Header for Segment Routing?
Eric Vyncke, Distinguished Engineer @evyncke

2 Agenda Special use case Security of Routing Header & RFC 5095
Segment Routing Security Packets with Extension Headers are lost?

3 Special Use Case

4 “Extreme Traffic Engineering” from CPE/Set-up Box?
What about mobile node away from SP network? I’m a dumb stateless router but not stupid!!!!Let’s check authorization PE3 PE1 A -> B Via .... SR-IPv6 core I’m a dumb stateless router I’m a dumb stateless router A -> B Via .... A -> B Via .... (SDN) controller Image source wikimedia PE4 PE2

5 Huh??? Source Routing Security? What about RFC 5095?

6 IPv6 Routing Header Next Header = 43 Routing Header IPv6 Basic Header
An extension header, processed by intermediate routers Three types Type 0: similar to IPv4 source routing (multiple intermediate routers) Type 2: used for mobile IPv6 Type 3: RPL (Routing Protocol for Low-Power and Lossy Networks) Next Header = 43 Routing Header IPv6 Basic Header Routing Header Routing Header Next Header Ext Hdr Length RH Type Routing Type Segments Left Routing Header Data

7 RH0: Amplification Attack
What if attacker sends a packet with RH containing A -> B -> A -> B -> A -> B -> A -> B -> A .... Packet will loop multiple time on the link A-B An amplification attack! B A

8 Deprecation of Type 0 Routing Headers in IPv6
What RFC 5095 Says J. Abley Afilias P. Savola CSC/FUNET G. Neville-Neil Neville-Neil Consulting December 2007 Deprecation of Type 0 Routing Headers in IPv6 RFC 5095 “The severity of this threat is considered to be sufficient to warrant deprecation of RH0 entirely. A side effect is that this also eliminates benign RH0 use- cases; however, such applications may be facilitated by future Routing Header specifications.”

9 Source: Clipartpanda.com
Type 1: NIMROD A 1994 project funded by DARPA Mobility Hierarchy of routing (kind of LISP) Type 1 was deprecated in 2009 not because of security but project was defunct and AFAIK not a single NIMROD packet was sent over IPv6... Source: Clipartpanda.com

10 IPv6 Type 2 Routing Header: no problem
Rebound/amplification attacks impossible Only one intermediate router: the mobile node home address Next Header = 43 Routing Header IPv6 Basic Header Routing Header Routing Header Next Header Ext Hdr Length RH Type= 2 Routing Type Segments Left= 1 Mobile Node Home Address

11 RH-3 for RPL: no problem Used by Routing Protocol for Low-Power and Lossy Networks But only within a single trusted network (strong authentication of node), never over a public untrusted network Damage is limited to this RPL network If attacker was inside the RPL network, then he/she could do more damage anyway

12 Segment Routing Security
draft-vyncke-6man-segment-routing-security

13 SRH: identical to RFC 2460 Next Header: 8-bit selector. Identifies the type of header immediately following the SRH Hdr Ext Len: 8-bit unsigned integer. Defines the length of the SRH header in 8-octet units, not including the first 8 octets Routing Type: TBD by IANA (SRH) Segment Left: index, in the Segment List, of the current active segment in the SRH. Decremented at each segment endpoint. | Next Header | Hdr Ext Len | Routing Type | Segments Left | | First Segment | Flags | HMAC Key ID | | | | Segment List[0] (128 bits ipv6 address) | | | | | | | ... | | | | | Segment List[n] (128 bits ipv6 address) | | | | | | | | Policy List[0] (128 bits ipv6 address) | | | | Policy List[3] (128 bits ipv6 address) | // HMAC // // (256 bits, optional) //

14 SRH: New | Next Header | Hdr Ext Len | Routing Type | Segments Left | | First Segment | Flags | HMAC Key ID | | | | Segment List[0] (128 bits ipv6 address) | | | | | | | ... | | | | | Segment List[n] (128 bits ipv6 address) | | | | | | | | Policy List[0] (128 bits ipv6 address) | | | | Policy List[2] (128 bits ipv6 address) | // HMAC // // (256 bits, optional) // First Segment: offset in the SRH, not including the first 8 octets and expressed in 16-octet units, pointing to the last element of the Segment List Flags: bit-0: cleanup bit-1: rerouted packet bits 2 and 3: reserved bits 4 to 15: policy flags Segment List[n]: 128 bit IPv6 addresses representing each segment of the path. The segment list is encoded in the reverse order of the path: the last segment is in the first position of the list and the first segment is in the last position Policy List[n] (optional): to mark ingress/ingress SR address, to remember original source address

15 SRH: New for Security | Next Header | Hdr Ext Len | Routing Type | Segments Left | | First Segment | Flags | HMAC Key ID | | | | Segment List[0] (128 bits ipv6 address) | | | | | | | ... | | | | | Segment List[n] (128 bits ipv6 address) | | | | | | | | Policy List[0] (128 bits ipv6 address) | | | | Policy List[3] (128 bits ipv6 address) | // HMAC // // (256 bits, optional) // HMAC Key-id: identifies the shared secret used by HMAC. If 0, HMAC field is not present HMAC: SRH authentication (optional)

16 SRH: HMAC Coverage | Next Header | Hdr Ext Len | Routing Type | Segments Left | | First Segment | Flags | HMAC Key ID | | | | Segment List[0] (128 bits ipv6 address) | | | | | | | ... | | | | | Segment List[n] (128 bits ipv6 address) | | | | | | | | Policy List[0] (128 bits ipv6 address) | | | | Policy List[3] (128 bits ipv6 address) | // HMAC // // (256 bits, optional) // Source Address (not shown): as it is immutable and to prevent SR service stealing First Segment: offset in the SRH, not including the first 8 octets and expressed in 16-octet units, pointing to the last element of the Segment List Flags: bit-0: cleanup bit-1: rerouted packet bits 2 and 3: reserved bits 4 to 15: policy flags HMAC Key ID: Segment List[n]: all segments

17 Segment Routing Security
Addresses concerns of RFC5095 HMAC field to be used at ingress of a SR domain in order to validate/authorize the SRH Inside SR domain, each node trust its brothers (RPL model) HMAC requires a shared secret (SDN & SR ingress routers) Outside of current discussions Pretty much similar to BGP session security or OSPFv3 security

18 Lost of Packets with Extension Headers

19 Issue: Ext Hdr are dropped on the Internet
draft-gont-v6ops-ipv6-ehs-in-real-world About 20-40% of packets with Ext Hdr are dropped over the Internet SRH works only within one administrative domain => not an issue as operator set the security/drop policy Test on your own: And let us know !

20 Another View of Packet Drops
Current research by Polytechnique Paris (Mehdi Kouhen) and Cisco (Eric Vyncke) And VM provided by Sander Steffann (work in progress!)

21

Download ppt "How to Secure Routing Header for Segment Routing?"

Similar presentations

RIP V2 W.lilakiatsakun.  RFC 2453 (obsoletes –RFC 1723 /1388)  Extension of RIP v1 (Classful routing protocol)  Classless routing protocol –VLSM is.

RIP V2 W.lilakiatsakun.  RFC 2453 (obsoletes –RFC 1723 /1388)  Extension of RIP v1 (Classful routing protocol)  Classless routing protocol –VLSM is.
Introduction to IPv6 Presented by: Minal Mishra. Agenda IP Network Addressing IP Network Addressing Classful IP addressing Classful IP addressing Techniques.

Introduction to IPv6 Presented by: Minal Mishra. Agenda IP Network Addressing IP Network Addressing Classful IP addressing Classful IP addressing Techniques.
1 Introduction to Mobile IPv6 IIS5711: Mobile Computing Mobile Computing and Broadband Networking Laboratory CIS, NCTU.

1 Introduction to Mobile IPv6 IIS5711: Mobile Computing Mobile Computing and Broadband Networking Laboratory CIS, NCTU.
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
The Future of TCP/IP Always evolving: –New computer and communication technologies More powerful PCs, portables, PDAs ATM, packet-radio, fiber optic, satellite,

The Future of TCP/IP Always evolving: –New computer and communication technologies More powerful PCs, portables, PDAs ATM, packet-radio, fiber optic, satellite,
Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv4 20.3 IPv6.

Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.
IP Fragmentation. MTU Maximum Transmission Unit (MTU) –Largest IP packet a network will accept –Arriving IP packet may be larger IP Packet MTU.

IP Fragmentation. MTU Maximum Transmission Unit (MTU) –Largest IP packet a network will accept –Arriving IP packet may be larger IP Packet MTU.
Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.

Network Layer IPv6 Slides were original prepared by Dr. Tatsuya Suda.
Umut Girit 200535027.  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.

Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.
Chapter 20 Network Layer: Internet Protocol Stephen Kim 20.1.

Chapter 20 Network Layer: Internet Protocol Stephen Kim 20.1.
UNIT-IV Computer Network Network Layer. Network Layer Prepared by - ROHIT KOSHTA In the seven-layer OSI model of computer networking, the network layer.

UNIT-IV Computer Network Network Layer. Network Layer Prepared by - ROHIT KOSHTA In the seven-layer OSI model of computer networking, the network layer.
Lesson 4 The IPv6 Header.

Lesson 4 The IPv6 Header.
Network Layer Packet Forwarding IS250 Spring 2010

Network Layer Packet Forwarding IS250 Spring 2010
A Study of Mobile IP Kunal Ganguly Wichita State University CS843 – Distributed Computing.

A Study of Mobile IP Kunal Ganguly Wichita State University CS843 – Distributed Computing.
1 Version Traffic Class Flow Label Payload Length Next Header Hop Limit Source Address Destination Address 0 4 12 16 24 31 IPv6 Header.

1 Version Traffic Class Flow Label Payload Length Next Header Hop Limit Source Address Destination Address IPv6 Header.
Oct 19, 2004CS573: Network Protocols and Standards1 IP: Datagram and Addressing Network Protocols and Standards Autumn 2004-2005.

Oct 19, 2004CS573: Network Protocols and Standards1 IP: Datagram and Addressing Network Protocols and Standards Autumn
1Group 07 IPv6 2 1.ET/06/6472 2.ET/06/6487 3.ET/06/6491 4.EE/06/6393 5.EE/06/6455 6.EE/06/6473 Group 07 IPv6.

1Group 07 IPv6 2 1.ET/06/ ET/06/ ET/06/ EE/06/ EE/06/ EE/06/6473 Group 07 IPv6.
Internet Protocol (IP)

Internet Protocol (IP)
TELE202 Lecture 9 Internet Protocols (1) 1 Lecturer Dr Z. Huang Overview ¥Last Lecture »Congestion control »Source: chapter 12 ¥This Lecture »Internet.

TELE202 Lecture 9 Internet Protocols (1) 1 Lecturer Dr Z. Huang Overview ¥Last Lecture »Congestion control »Source: chapter 12 ¥This Lecture »Internet.
ROUTER Routers have the following components: CPU NVRAM RAM ROM (FLASH) IOS Cisco 2800 Series Router.

ROUTER Routers have the following components: CPU NVRAM RAM ROM (FLASH) IOS Cisco 2800 Series Router.

Similar presentations

Ads by Google