Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
Another important property of a routing protocol is how quickly a change in network
topology or connectivity is reflected in the route tables of all affected routers.
This is usually called the convergence time, or rate of convergence. In a large
network, OSPF converges much faster than RIP: OSPF floods a link-state change to the
whole area as soon as it is detected, whereas RIP relies on periodic updates (every
30 seconds by default) and hold-down timers, so a change can take several minutes to
propagate across a large RIP network.
4.4.1. Common routing hazards
A question that is often overlooked is "Why do we need to concern ourselves with
security of the network?" A better question to ask is "What kind of damage could an
adversary do to our network?" Section 3 offers some motivations for overall router
security. This section focuses on security issues related to routing and routing
protocols. Routing security should be a top priority for network administrators who
want to:
• prevent unauthorized access to resources on the network,
• protect mission information from unauthorized access, exposure, and
modification, and
• prevent network failures and interruptions in service.
An unprotected router or routing domain makes an easy target for any network-savvy
adversary. For example, an attacker who sends false routing updates to a router that
accepts unauthenticated updates can corrupt its route table. By doing this, the
attacker can re-route traffic however they choose: send it into a black hole to cut
off a destination, or divert it through a host under their control where it can be
read or modified before being forwarded. The key to preventing such an attack is to
protect the route tables from unauthorized and malicious changes.
There are two basic approaches available for protecting route table integrity:
1. Use only static routes
Static routes cannot be altered by a forged protocol message. This may work
in small networks, but it is unsuitable for large networks, where
hand-maintained routes do not scale and do not adapt to link failures.
2. Authenticate route table updates
By using routing protocols with authentication, network administrators
can deter attacks based on unauthorized routing changes. With
authentication enabled, a router verifies that each update was produced
by a peer holding the shared key; updates that fail the check are
discarded before they can touch the route table. Use the keyed-hash (MD5)
form of authentication where the protocol offers it; the simple password
form sends the password in clear text, so any attacker who can sniff the
link can reuse it.
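To make concrete how an authenticated update is checked and why a bogus one is discarded, the following is an added example, not part of the original guide: a Python implementation of the keyed-MD5 cryptographic authentication used by OSPFv2 (RFC 2328, Appendix D), with a receiver that is run against a legitimate update, a forged one, a tampered one, an unauthenticated one, and a replay. The router IDs, key ID, shared secret and packet body are constructed for the illustration; the receiver omits the checksum (it is zero under cryptographic authentication) and the LSA processing a real router would perform after accepting the packet.

```python
import hashlib
import hmac
import ipaddress
import struct

# OSPFv2 packet header (RFC 2328, A.3.1) followed by the 8-byte authentication
# field laid out as for AuType 2, cryptographic authentication (Appendix D.3).
HDR_FMT = "!BBHIIHH"   # version, type, length, router ID, area ID, checksum, AuType
AUTH_FMT = "!HBBI"     # reserved (0), key ID, auth data length, cryptographic sequence number
HDR_LEN = struct.calcsize(HDR_FMT) + struct.calcsize(AUTH_FMT)   # 24 bytes
AUTYPE_NULL = 0
AUTYPE_CRYPTO = 2
DIGEST_LEN = 16
TYPE_LS_UPDATE = 4


def ip2int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def pad_key(key):
    # Appendix D.3: the key is padded with zeros to 16 bytes before hashing.
    if not 1 <= len(key) <= 16:
        raise ValueError("OSPF MD5 key must be 1 to 16 bytes")
    return key.ljust(16, b"\x00")


def build_packet(router_id, area_id, body, key_id=None, key=None, seq=0,
                 ptype=TYPE_LS_UPDATE):
    """Sender side.  With a key: AuType 2, checksum 0, keyed-MD5 digest appended
    after the packet (the digest is not counted in the length field).
    Without a key: AuType 0, i.e. an unauthenticated update."""
    length = HDR_LEN + len(body)
    if key is None:
        hdr = struct.pack(HDR_FMT, 2, ptype, length, ip2int(router_id),
                          ip2int(area_id), 0, AUTYPE_NULL)
        return hdr + b"\x00" * 8 + body          # checksum left zero; not verified below
    hdr = struct.pack(HDR_FMT, 2, ptype, length, ip2int(router_id),
                      ip2int(area_id), 0, AUTYPE_CRYPTO)
    auth = struct.pack(AUTH_FMT, 0, key_id, DIGEST_LEN, seq)
    pkt = hdr + auth + body
    return pkt + hashlib.md5(pkt + pad_key(key)).digest()


class Receiver:
    """Receiving interface configured to accept cryptographic authentication only."""

    def __init__(self, keys):
        self.keys = dict(keys)     # key ID -> shared secret
        self.last_seq = {}         # neighbour router ID -> last accepted sequence number

    def accept(self, raw):
        """Return (accepted, reason), following the checks of RFC 2328 D.4.3."""
        if len(raw) < HDR_LEN:
            return False, "runt packet"
        version, ptype, length, rid, area, _csum, autype = struct.unpack(HDR_FMT, raw[:16])
        if version != 2:
            return False, "not OSPFv2"
        if autype != AUTYPE_CRYPTO:
            return False, "unauthenticated update (AuType %d) discarded" % autype
        _zero, key_id, auth_len, seq = struct.unpack(AUTH_FMT, raw[16:HDR_LEN])
        if auth_len != DIGEST_LEN or len(raw) != length + DIGEST_LEN:
            return False, "bad length"
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown key ID %d" % key_id
        # Sequence number must be non-decreasing per neighbour: stops replay of captured updates.
        if seq < self.last_seq.get(rid, 0):
            return False, "replayed update (seq %d < %d)" % (seq, self.last_seq[rid])
        pkt, recv_digest = raw[:length], raw[length:]
        expected = hashlib.md5(pkt + pad_key(key)).digest()
        if not hmac.compare_digest(expected, recv_digest):
            return False, "digest mismatch: forged or modified update"
        self.last_seq[rid] = seq     # state is updated only after the digest verified
        return True, "accepted"


def demo():
    """Constructed scenario: one legitimate neighbour (10.0.0.1) and an attacker
    on the same segment who can sniff and inject but does not hold the key."""
    shared = b"s3cret-k1"
    recv = Receiver({1: shared})
    body = b"\x00\x00\x00\x01" + b"\x00" * 20     # stand-in for an LS Update body
    good = build_packet("10.0.0.1", "0.0.0.0", body, key_id=1, key=shared, seq=100)
    results = {"legit": recv.accept(good)}
    # Attacker spoofs the neighbour's router ID but has to guess the key.
    results["forged"] = recv.accept(
        build_packet("10.0.0.1", "0.0.0.0", body, key_id=1, key=b"guess", seq=101))
    # Attacker rewrites one body byte of a captured update, leaving the digest as is.
    tampered = bytearray(good)
    tampered[HDR_LEN + 3] ^= 0x01
    results["tampered"] = recv.accept(bytes(tampered))
    # Attacker sends an unauthenticated update, hoping the interface accepts AuType 0.
    results["plain"] = recv.accept(build_packet("10.0.0.1", "0.0.0.0", body))
    # The neighbour sends a newer update, then the attacker replays the captured one.
    results["newer"] = recv.accept(
        build_packet("10.0.0.1", "0.0.0.0", body, key_id=1, key=shared, seq=101))
    results["replay"] = recv.accept(good)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-9s %s  %s" % (name, "ACCEPT" if ok else "DROP", why))
```

Only the first update from the real neighbour and its later, higher-numbered update are accepted; the forged, tampered, unauthenticated and replayed packets are all dropped before the route table is touched. Note that the sequence number is a per-neighbour, non-decreasing counter, not a nonce, so it defeats replay of old updates but not an attacker who holds the key.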
Another form of attack an adversary might attempt against a router is a denial of
service attack. This can be accomplished in many different ways. For example, an
attacker who floods a router or a link so that routing update messages are not sent
or received can cause neighboring routers to time out their routes and bring down
parts of a network. To resist denial of service attacks, and to recover from them
quickly, routers need rapid convergence and backup routes.
4.4.2. ARP and LANs
Address Resolution Protocol (ARP) is the protocol used on a LAN to map an IP
address to the MAC (Ethernet) address of the interface that holds it. ARP is
described in more detail in RFC 826 and
Parkhurst [2]. Proxy ARP is a method of routing packets using the Ethernet MAC