|
|
| Previous | Table of Contents | Next |
Suppose two companies—Apple and IBM, for example—have a direct network link between their respective research networks. Each of them has a “border” router with a direct connection to the other border router. Each of them also has border routers connected to several different Internet Service Providers. An external routing protocol, such as EGP, is used to exchange routing information between the two border routers. Apple’s border router tells IBM’s border router what internal networks should be reached from which border routers in Apple’s autonomous system. IBM’s border router inserts these routes in its routing table. It then uses an internal routing protocol to distribute this information within IBM’s research network.
Suppose Apple were to use EGP (the External Gateway Protocol—a name that makes it sound as though no other alternative exists), a classic external routing protocol, to advertise a route to another company’s research network, Intel’s, for example, and IBM normally routed IP traffic through an ISP. The IBM routing tables would not have any specific routing information for Intel and would just use the default route to the ISP and let the ISP worry about the delivery route. If all goes as it would normally, the IBM router sees a route to Intel through one of Apple’s border routers. It makes a specific entry for Intel’s network in its routing table and spreads the reachability information to other IBM routers via its internal routing protocol.
Now, Apple is getting all of the IP traffic sent from IBM to Intel. If no malice is intended in this error, the traffic is routed out to one of Apple’s ISPs and on to Intel with only a short added delay and extra traffic on the edge of Apple’s internal network. On the other hand, the Apple border router could be configured to discard such datagrams and Apple would have succeeded in a denial of service attack. The attack would be discovered quickly and would be fairly pointless. Alternatively, a sniffer on Apple’s internal network would now be able to intercept traffic from IBM to Intel for industrial espionage purposes.
Clearly, a good implementation of an external routing protocol needs to be a bit suspicious of the routing information provided by routers from another organization. A database of network addresses and their associated autonomous system numbers such as the one provided by InterNIC would reveal to IBM’s border router that the Intel network has an autonomous system number different from the one Apple was claiming it had when making the EGP advertisement. With millions of networks and thousands of autonomous networks, you merely need to store the part of the InterNIC database that specifies which network numbers are valid for the autonomous systems that are valid peers of the border router.
Note: EGP is no longer considered state-of-the-art in external routing protocols, but the principle remains the same for all external routing protocols.
Some systems base trust on IP addresses; other systems base trust on Domain Name System (DNS) names. DNS names are easier to remember and easier for most people to work with than dotted decimal IP addresses. Just as the IP address to hardware address correspondence may change over time, the name to address correspondence may change too as different machines are used for a different set of tasks. Unfortunately, the use of names involves yet another layer of software, introducing another point of vulnerability for the security of the systems.
Understanding Name Resolution for Hosts
When software on a host needs to convert a name to an address it sends an address lookup query to a DNS name server. When a client connects to a named host, the client needs to convert the name to an address. The client trusts the DNS system to return the correct address and trusts the routing system to deliver the data to the correct destination. Because virtually all systems place trust in name server, all of the special precautions described previously in this chapter to protect trust should be used to protect that trust. For example, if you go back and see which hosts had permanent ARP cache entries on my Windows 95 machine, one of them was 147.226.112.102—the DNS name server used by my machine. The name server is on the same subnet as my machine, so it would be possible for an ARP spoofer to masquerade as the name server and cause all sorts of mischief by misdirecting datagrams.
Similarly, when a host needs to convert an address to a name it sends a reverse lookup query to a DNS name server. When a server accepts a connection from a prospective client, it can determine the IP address of the prospective client from the IP datagram header. However, the server must rely on the DNS system to perform a reverse lookup query to determine the name of the prospective client. If trust is extended to the client on the basis of the client hostname, the server is trusting the DNS system to perform this reverse lookup properly. If a DNS name server is coerced into providing false data, the security of the system can become compromised.
| Previous | Table of Contents | Next |