d_esTin_y

Nov 18, 2012

Initially there were about 250 hosts in the network attached to switch SW1, and the gateway router HSRP_A is the active router for that network. As the number of hosts attached to SW1 increased, a new subnet (10.0.2/24) was introduced as a secondary address on the gateway routers. To achieve some load sharing, HSRP_B is the active router for group 1, which serves the 10.0.1/24 network, and HSRP_A is the active router for group 2, which serves the 10.0.2/24 network.

The OSPF cost advertised by HSRP_A is better than the one advertised by HSRP_B, so return traffic from the network attached to R5 will always take the path via HSRP_A. Now let’s look at the same scenario with some traffic filtering in place.

HSRP_A has a filtering rule that allows inbound TCP sessions only if they were originated from the networks attached to SW1. For this, HSRP_A has an outbound access list named OUTBOUND_ACL_OUT applied to f0/1, which reflects the outgoing TCP sessions into a reflexive access list named TCP.

Continue reading »

Oct 27, 2012

Fragmentation occurs when an IP device wants to send a packet on a link whose maximum transmission unit (MTU) is smaller than the packet size. If the Don’t Fragment (DF) bit is set in the IP header, the packet is dropped; otherwise it is FRAGMENTED! If any of the fragments is lost in transit, the receiver has to request the whole packet again.

Let’s have a look at how a packet is fragmented. A few control fields in the IP header accomplish fragmentation. The Flags field indicates whether more fragments follow or this is the last fragment. The Fragment Offset field indicates the position of the fragment within the original datagram. The Identification field uniquely identifies the fragments that belong to the same original datagram.

Let’s work through the scenario where H1 sends an ICMP request to H2. The payload size of the packet is 1600 bytes. All links other than the segment between R2 and R3 support the default IP MTU of 1500 bytes.

Continue reading »

Oct 12, 2012

There are many troubleshooting cases where you need to find out the maximum transmission unit (MTU) of the path to a destination. We can use the IOS extended ping command to find the largest IP packet that can traverse a given path.

The idea is to send packets of various sizes with the Don’t Fragment bit set. We send packets of increasing size until we either receive an ICMP “packet too big” (Fragmentation Needed) message from the router attached to the link that requires fragmentation, or we simply see no reply packets coming back.

Continue reading »

Oct 07, 2012

R1 advertises the 123::/64 prefix on the local LAN. R2 and R3 are hosts that generate their IPv6 addresses from the Router Advertisement (RA).

IPv6 hosts in the same broadcast domain use the Neighbor Discovery Protocol (NDP) to find out the data link layer addresses of their neighbors. The functions of NDP are neighbor discovery, router discovery, address autoconfiguration, address resolution, neighbor unreachability detection, duplicate address detection, and redirection. Like ARP, NDP has no mechanism of its own to prevent masquerading (spoofing) attacks.

We can use Secure Neighbor Discovery (SeND) to protect against such attacks. SeND uses an RSA key pair, along with other parameters, to generate an IPv6 address called a Cryptographically Generated Address (CGA).

Continue reading »

Sep 26, 2012

CGA stands for Cryptographically Generated Address. With this method of address generation, address spoofing is supposed to be eliminated.

RFC 3972 states:
The basic idea is to generate the interface identifier of the IPv6 address by computing a cryptographic hash of the public key. The resulting IPv6 address is called a cryptographically generated address (CGA). The corresponding private key can then be used to sign messages sent from the address.

Let us configure the routers to generate cryptographically generated addresses.

  •  An RSA key pair must be generated, as SeND uses public/private key pairs.
  •  This RSA key is then used to generate the CGA modifier.
  •  Finally, the interface is configured to use CGA.

R1(config)#crypto key generate rsa modulus 1024 label SEND
The name for the keys will be: SEND

% The key modulus size is 1024 bits
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
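As an added worked example (not the post’s own code), here is the RFC 3972 address derivation that the router performs with a key like the one generated above, in Python, together with the receiver-side verification that lets a SeND neighbor reject an address not bound to the claimed key. It uses the 123::/64 prefix from the earlier post and a constructed byte string standing in for the DER-encoded public key (the hash inputs are otherwise the ones RFC 3972 specifies).

```python
import hashlib
import ipaddress
import os
from typing import NamedTuple

# Constructed stand-in for the DER-encoded public key (SubjectPublicKeyInfo)
# that RFC 3972 hashes; a real implementation passes the router's RSA key bytes.
PUBLIC_KEY_DER = b"CONSTRUCTED-DER-SPKI-PLACEHOLDER" + bytes(range(128))
PREFIX_123 = ipaddress.IPv6Network("123::/64").network_address.packed[:8]

class CgaParams(NamedTuple):      # the "CGA Parameters" carried in SeND messages
    modifier: bytes               # 128 bits, found by the search in find_modifier()
    subnet_prefix: bytes          # 64 bits
    collision_count: int          # 0, 1 or 2; incremented after a DAD collision
    public_key: bytes             # DER-encoded public key

def hash1(p: CgaParams) -> bytes:
    data = p.modifier + p.subnet_prefix + bytes([p.collision_count]) + p.public_key
    return hashlib.sha1(data).digest()[:8]          # leftmost 64 bits

def hash2_ok(modifier: bytes, public_key: bytes, sec: int) -> bool:
    """Hash2 must have 16*Sec leading zero bits; Sec=0 demands no extra work."""
    h2 = hashlib.sha1(modifier + b"\x00" * 9 + public_key).digest()[:14]
    return sec == 0 or int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0

def find_modifier(public_key: bytes, sec: int, start: bytes = b"") -> bytes:
    """Generation steps 1-3: increment the modifier until Hash2 satisfies Sec."""
    modifier = start or os.urandom(16)
    while not hash2_ok(modifier, public_key, sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    return modifier

def cga_address(p: CgaParams, sec: int) -> ipaddress.IPv6Address:
    iid = bytearray(hash1(p))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)   # Sec into bits 0-2, clear u/g bits 6-7
    return ipaddress.IPv6Address(p.subnet_prefix + bytes(iid))

def verify_cga(addr: ipaddress.IPv6Address, p: CgaParams) -> bool:
    """Receiver-side check: is this address really derived from the claimed key?"""
    packed = addr.packed
    if p.collision_count > 2 or p.subnet_prefix != packed[:8]:
        return False
    sec = packed[8] >> 5                    # Sec is read from the address itself
    expected = bytearray(hash1(p))
    expected[0] = (expected[0] & 0x1C) | (sec << 5)
    return bytes(expected) == packed[8:] and hash2_ok(p.modifier, p.public_key, sec)

if __name__ == "__main__":
    mod = find_modifier(PUBLIC_KEY_DER, sec=1, start=bytes(16))
    params = CgaParams(mod, PREFIX_123, 0, PUBLIC_KEY_DER)
    addr = cga_address(params, sec=1)
    print(addr, verify_cga(addr, params))
```

A forged neighbor that does not hold the private key can still compute a CGA for its own key, but it cannot produce one that verifies against the victim’s key and prefix, which is what the SeND signature check builds on.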

Continue reading »