document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2025-01-25 23:11:02 +08:00
Code Issues Packages Projects Releases Wiki Activity

[Translated]20150407 How to secure BGP sessions using authentication on Quagga.md

Browse Source
This commit is contained in:
GOLinux 2015-05-25 10:01:28 +08:00
parent 67bcd640f7
commit 03a0de1746
2 changed files with 84 additions and 86 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
sources/tech/20150407 How to secure BGP sessions using authentication on Quagga.md
View File

@ -1,86 +0,0 @@
Translating by GOLinux!
How to secure BGP sessions using authentication on Quagga
================================================================================
The BGP protocol runs over TCP, and as such, it inherits all the vulnerabilities of a TCP connection. For example, within a BGP session, an attacker may impersonate a legitimate BGP neighbor, and convince the BGP routers on the other end to share their routing information with the attacker. The problem occurs when the attacker advertises and injects bogus routes towards neighboring routers. The unsuspecting neighboring routers may then start sending live traffic towards the attacker, which in most cases goes nowhere and simply gets dropped. Back in 2008, YouTube actually [fell victim][1] to such BGP route poisoning, and suffered major outage on their video service for more than an hour. In a far worse case, if the attacker is savvy enough, they can falsely act as a transparent transit router and sniff the transit traffic for any sensitive data. As you can imagine, this can have far reaching consequences.
To protect active BGP sessions against such attacks, many service providers leverage [MD5 checksum and a pre-shared key][2] for their BGP sessions. In a protected BGP session, a BGP router which sends a packet generates an MD5 hash value by using a pre-shared key, portions of the IP and TCP headers and the payload. The MD5 hash is then stored as a TCP option field. Upon receipt of the packet, a receiving router uses the same method to generate its version of the MD5 hash using a pre-shared key. It compares the hash with the one of the received packet to decide whether to accept the packet. For an attacker, it is almost impossible to guess the checksum or the key. For BGP routers, they can be assured that each packet is validated before its content is consumed.
In this tutorial, we will see how we can secure a BGP session between two neighbors using MD5 checksum and a pre-shared key.
### Preparation ###
Securing a BGP session is fairly straightforward. We will use the following routers.
注:表格
<table id="content">
<tbody><tr>
<td><b>Router name</b></td>
<td><b>AS</b></td>
<td><b>IP address</b></td>
</tr>
<tr>
<td>router-A</td>
<td>100</td>
<td>10.10.12.1/30</td>
</tr>
<tr>
<td>router-B</td>
<td>200</td>
<td>10.10.12.2/30</td>
</tr>
</tbody></table>
The stock Linux kernel supports TCP MD5 option natively for IPv4 and IPv6. Thus if you built Quagga router from a brand new [Linux box][3], TCP MD5 capability will be automatically available for Quagga. It'll be just a matter of configuring Quagga to take advantage of the capability. But if you are using a FreeBSD box or built a custom kernel for Quagga, make sure that you enable TCP MD5 support on the kernel (e.g., CONFIG_TCP_MD5SIG kernel option in Linux).
### Configuring Router-A for Authentication ###
We will use the CLI shell of Quagga to configure the routers. The only new command that we will use is 'password'.
[root@router-a ~]# vtysh
router-a# conf t
router-a(config)# router bgp 100
router-a(config-router)# network 192.168.100.0/24
router-a(config-router)# neighbor 10.10.12.2 remote-as 200
router-a(config-router)# neighbor 10.10.12.2 password xmodulo
The pre-shared key in this example is 'xmodulo'. Obviously, in a production environment you need to select a strong key.
**Note**: in Quagga, the 'service password-encryption command is supposed to encrypt all plain-text passwords (e.g., login password) in its configuration file. However, when I use this command, I notice that the pre-shared key in BGP configuration still remains in clear text. I am not sure whether it's a limitation of Quagga, or whether it's a version issue.
### Configuring Router-B for Authentication ###
We will configure router-B in a similar fashion.
[root@router-b ~]# vtysh
router-b# conf t
router-b(config)# router bgp 200
router-b(config-router)# network 192.168.200.0/24
router-b(config-router)# neighbor 10.10.12.1 remote-as 100
router-b(config-router)# neighbor 10.10.12.1 password xmodulo
### Verifying a BGP session ###
If everything has been configured correctly, the BGP session should be up, and both routers should be exchanging routes. At this point, every outgoing packet in a TCP session carries a MD5 digest of the packet contents and a secret key, and the digest is automatically validated by the other end point.
We can verify the active BGP session by viewing BGP summary as usual. MD5 checksum verification occurs transparently within Quagga, so you don't see it at the BGP level.
![](https://farm8.staticflickr.com/7621/16837774368_e9ff66b370_c.jpg)
If you want to test BGP authentication, you can configure one neighbor without a password or deliberately use a wrong pre-shared key and see what happens. You can also use a packet sniffer like tcpdump or Wireshark to analyze the packets that go through the BGP session. For example, tcpdump with "-M <secret>" option will validate the MD5 digests found in TCP option field.
To sum up, in this tutorial we demonstrate how we can easily secure the BGP session between two routers. The process is very straightforward compared to other protocols. It is always recommended to secure your BGP session, especially if you are setting up the BGP session with another AS. The pre-shared key should also be kept safe.
--------------------------------------------------------------------------------
via: http://xmodulo.com/bgp-authentication-quagga.html
作者:[Sarmed Rahman][a]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
[a]:http://xmodulo.com/author/sarmed
[1]:http://research.dyn.com/2008/02/pakistan-hijacks-youtube-1/
[2]:http://tools.ietf.org/html/rfc2385
[3]:http://xmodulo.com/centos-bgp-router-quagga.html

84
translated/tech/20150407 How to secure BGP sessions using authentication on Quagga.md Normal file
View File

@ -0,0 +1,84 @@
Quagga上使用验证加固BGP会话安全
================================================================================
BGP协议运行于TCP之上因而它也继承了TCP连接的所有漏洞。例如在一个BGP会话内攻击者可以冒充一个合法的BGP邻居然后说服另一端的BGP路由器共享路由信息给攻击者。在攻击者通告并向邻居路由注入伪造的路由时就会发生这个问题。毫无戒备的邻居路由器就会开始向攻击者发送通信实况实际上这些信息并没有去向任何地方仅仅只是被丢弃了。回到2008年YouTube实际上也[受害于][1]这样的BGP路由中毒并遭受了长达一个小时的视频服务大量中断。一个更加糟糕的情况是如果攻击者是个足够懂行的人他们可以伪装成一台透明路由器然后嗅探经过的通信以获取敏感数据。你可以想象这会造成深远的影响。
要保护活跃的BGP会话不受攻击许多服务提供商在BGP会话中使用[MD5校验和并预共享密钥][2]。在受保护的BGP会话中一台发送包的BGP路由器通过使用预共享的密钥生成MD5散列值、部分IP和TCP头以及有效负载。然后MD5散列作为一个TCP选项字段存储。在收到包后接受路由器用同样的方法使用预共享密钥生成它的MD5版本。它会将它的MD5散列和接收到的某个包的值进行对比以决定是否接受该包。对于一个攻击者而言几乎不可能猜测校验和或其密钥。对于BGP路由器而言它们能在消耗包的内容前确保每个包的合法性。
在本教程中我们将为大家演示如何使用MD5校验和以及预共享密钥来加固两个邻居间的BGP会话的安全。
### 准备 ###
加固BGP会话安全是相当简单而直截了当的我们会使用以下路由器。
<table id="content">
<tbody><tr>
<td><b>路由器名称</b></td>
<td><b>AS</b></td>
<td><b>IP地址</b></td>
</tr>
<tr>
<td>router-A</td>
<td>100</td>
<td>10.10.12.1/30</td>
</tr>
<tr>
<td>router-B</td>
<td>200</td>
<td>10.10.12.2/30</td>
</tr>
</tbody></table>
常用的Linux内核原生支持TCP的MD5选项用于IPv4和IPv6。因此如果你从全新的[Linux盒子][3]构建了Quagga路由器TCP的MD5功能会自动启用。剩下来的事情仅仅是配置Quagga以使用它的功能。但是如果你使用的是FreeBSD盒子或者为Quagga构建了一个自定义内核请确保内核开启了TCP的MD5支持Linux中的CONFIG_TCP_MD5SIG选项
### 配置Router-A验证功能 ###
我们将使用Quagga的CLI Shell来配置路由器我们将使用的唯一的一个新命令是password
[root@router-a ~]# vtysh
router-a# conf t
router-a(config)# router bgp 100
router-a(config-router)# network 192.168.100.0/24
router-a(config-router)# neighbor 10.10.12.2 remote-as 200
router-a(config-router)# neighbor 10.10.12.2 password xmodulo
本例中使用的预共享密钥是xmodulo。很明显在生产环境中你需要选择一个更健壮的密钥。
**注意** 在Quagga中service password-encryption命令是想加密配置文件中所有明文密码登录密码。然而当我使用该命令时我注意到BGP配置中的预共享密钥仍然是明文的。我不确定这是否是Quagga的限制还是版本自身的问题。
### 配置Router-B验证功能 ###
我们将以类似的方式配置router-B。
[root@router-b ~]# vtysh
router-b# conf t
router-b(config)# router bgp 200
router-b(config-router)# network 192.168.200.0/24
router-b(config-router)# neighbor 10.10.12.1 remote-as 100
router-b(config-router)# neighbor 10.10.12.1 password xmodulo
### 验证BGP会话 ###
如果一切配置正确那么BGP会话就会起来两台路由器应该能交换路由表。这时候TCP会话中的所有流出包都会携带一个MD5摘要的包内容和一个密钥而摘要信息会被另一端自动验证。
我们可以像平时一样通过查看BGP的概要来验证活跃的BGP会话。MD5校验和验证在Quagga内部是透明的因此你在BGP级别是无法看到的。
![](https://farm8.staticflickr.com/7621/16837774368_e9ff66b370_c.jpg)
如果你想要测试BGP验证你可以配置一个邻居路由设置其密码为空或者故意使用错误的预共享密钥然后查看发生了什么。你也可以使用包嗅探器像tcpdump或者Wireshark等来分析通过BGP会话的包。例如带有“-M <secret>”选项的tcpdump将验证TCP选项字段的MD5摘要。
小结之在本教程中我们演示了怎样简单地加固两台路由间的BGP会话安全。相对于其它协议而言配置过程非常简明。强烈推荐你加固BGP会话安全尤其是当你用另一个AS配置BGP会话的时候。预共享密钥也应该安全地保存。
--------------------------------------------------------------------------------
via: http://xmodulo.com/bgp-authentication-quagga.html
作者:[Sarmed Rahman][a]
译者:[GOLinux](https://github.com/GOLinux)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
[a]:http://xmodulo.com/author/sarmed
[1]:http://research.dyn.com/2008/02/pakistan-hijacks-youtube-1/
[2]:http://tools.ietf.org/html/rfc2385
[3]:http://xmodulo.com/centos-bgp-router-quagga.html