North American Network Operators Group


Re: routing between provider edge and CPE routers

  • From: Vadim Antonov
  • Date: Wed Jan 29 15:32:22 2003

On Wed, 29 Jan 2003, Christopher L. Morrow wrote:

> On Wed, 29 Jan 2003, Mike Bernico wrote:
> >
> > We currently use an IGP to route between our distribution routers and
> > the CPE routers we manage. 
> 
> So, if customers bounce your IGP churns away? And customers have access to
> your IGP data (provided they break into the CPE, which is trivial, eh?)

Worse yet, any customer who is able to feed routing information to the
backbone (be it any IGP or BGP), unless filtered properly, is able to
trivially create a man-in-the-middle (or trojan horse) attack on systems
protected with plain-text passwords.  Simply inject a longer-prefix route
to someone else's network, and then examine (or modify) and bounce the
source-routed packets to the ultimate destination. (Yes, Virginia, source
routing IS evil, and has virtually no legitimate use).

Even supposedly secure things like SSL-protected websites and SSH logins
are vulnerable due to the simple fact that most people won't think twice
to say "yes" to SSH complaining that it detected a new host key; or notice
that they're really talking to a different website (or that the lock icon
is not showing) - if it looks the same, and its URL is similar-looking
(l->1, O->0, etc; and with newish Unicode URLs the fun is unlimited).

So, by accepting routes from CPE you create a huge security vulnerability
for your customers, and other parties.  This practice has been understood
as very bad network engineering for decades.

The additional problems created by taking routing information from CPE
are: increased amounts of route flap (because any bouncy tail circuit
or malfunctioning/misconfigured CPE box will cause a flood of routing
updates, potentially killing your entire network), and dramatically
increased incidence of bogus routes (interfering with connectivity of your
other customers, or some third parties).

(I've seen even stupider things - people configuring CPE boxes to
redistribute routes learned from customer's internal LANs! Any compromised
PC, and you're toast).

The solution is:

1) for single-homed sites use static routing, period.  Dynamic routing
does not add anything useful in this case (if the circuit is down, it's
down, there are no alternative ways to reach the customer's network).

The "convenience" of having to configure only the CPE box is no excuse.
Invest some resources in a rather trivial configuration management system,
which keeps track of what network addresses were allocated to which
customer, and produces corresponding bits of router configuration
automatically.  Most respectable ISPs did that a long time ago.  That will
also reduce your tech support costs.

2) for multi-homed sites you have to use routing protocols. Use BGP (_NOT_
IGP!).  Implement strict filtering on all routing updates you get from the
customer.  Manage these filters like you manage static routes.


--vadim

PS. They should really require a test in "defensive networking" before
    letting anyone touch a provider's routers...
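As an added illustration of the two recommendations in the post (this is not code from the original message): a small allocation-driven generator that emits static routes for single-homed customers and a strict inbound prefix filter for multi-homed BGP customers, plus a function that models what such a filter admits, so the longer-prefix injection described above is rejected. The allocation records, tail-circuit link addresses, the 24-bit maximum length and the IOS-style command syntax are all assumptions.

```python
import ipaddress

# Constructed sample allocation records (not from the original post). Tail-circuit
# link addresses and the IOS-style command syntax are likewise assumptions.
ALLOCATIONS = [
    {"customer": "acme", "prefix": "192.0.2.0/24", "homed": "single",
     "tail_circuit_ip": "10.255.0.2"},
    {"customer": "globex", "prefix": "198.51.100.0/22", "homed": "multi",
     "tail_circuit_ip": "10.255.0.6"},
]

MAX_LEN = 24  # assumed policy: longest prefix a multi-homed customer may announce


def static_routes(allocs):
    """Single-homed sites: one static route per allocation, pointing at the tail circuit.
    Nothing the CPE says can change these, so a bouncing circuit cannot flap the IGP."""
    routes = []
    for a in allocs:
        if a["homed"] != "single":
            continue
        net = ipaddress.ip_network(a["prefix"])
        routes.append(f"ip route {net.network_address} {net.netmask} {a['tail_circuit_ip']}")
    return routes


def prefix_list(allocs, customer):
    """Multi-homed sites: inbound BGP filter permitting only this customer's allocations
    (and their subnets down to MAX_LEN); everything else, including longer prefixes
    for other people's networks, hits the final deny."""
    name = f"CUST-{customer.upper()}-IN"
    lines = []
    for a in allocs:
        if a["customer"] != customer or a["homed"] != "multi":
            continue
        net = ipaddress.ip_network(a["prefix"])
        # 'le' is only meaningful when it is longer than the prefix itself
        suffix = f" le {MAX_LEN}" if net.prefixlen < MAX_LEN else ""
        lines.append(f"ip prefix-list {name} seq {5 * (len(lines) + 1)} permit {net}{suffix}")
    lines.append(f"ip prefix-list {name} seq {5 * (len(lines) + 1)} deny 0.0.0.0/0 le 32")
    return lines


def accepts(allocs, customer, announced):
    """Model the filter's verdict on one prefix announced over the customer's BGP session."""
    net = ipaddress.ip_network(announced)
    if net.prefixlen > MAX_LEN:
        return False
    return any(net.subnet_of(ipaddress.ip_network(a["prefix"]))
               for a in allocs if a["customer"] == customer and a["homed"] == "multi")
```

Because both the static routes and the filters are derived from the same allocation records, a customer's filter is updated in the same place and the same way as its static route, which is the "manage these filters like you manage static routes" point.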