Network Working Group M. Kaeo
Request for Comments: 4778 Double Shot Security, Inc.
Category: Informational January 2007
Network Working Group M. Kaeo
Request for Comments: 4778 Double Shot Security, Inc.
Category: Informational January 2007
Current Operational Security Practices in Internet Service Provider Environments
Internet服务提供商环境中的当前操作安全实践
Status of This Memo
关于下段备忘
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
本备忘录为互联网社区提供信息。它没有规定任何类型的互联网标准。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The IETF Trust (2007).
版权所有(C)IETF信托基金(2007年)。
Abstract
摘要
This document is a survey of the current practices used in today's large ISP operational networks to secure layer 2 and layer 3 infrastructure devices. The information listed here is the result of information gathered from people directly responsible for defining and implementing secure infrastructures in Internet Service Provider environments.
本文档概述了当今大型ISP运营网络中用于保护第2层和第3层基础设施设备的当前做法。此处列出的信息是从直接负责在Internet服务提供商环境中定义和实施安全基础架构的人员收集的信息。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2. Threat Model . . . . . . . . . . . . . . . . . . . . . . . 3
1.3. Attack Sources . . . . . . . . . . . . . . . . . . . . . . 4
1.4. Operational Security Impact from Threats . . . . . . . . . 5
1.5. Document Layout . . . . . . . . . . . . . . . . . . . . . 7
2. Protected Operational Functions . . . . . . . . . . . . . . . 8
2.1. Device Physical Access . . . . . . . . . . . . . . . . . . 8
2.2. Device Management - In-Band and Out-of-Band (OOB) . . . . 10
2.3. Data Path . . . . . . . . . . . . . . . . . . . . . . . . 16
2.4. Routing Control Plane . . . . . . . . . . . . . . . . . . 18
2.5. Software Upgrades and Configuration
Integrity/Validation . . . . . . . . . . . . . . . . . . . 22
2.6. Logging Considerations . . . . . . . . . . . . . . . . . . 26
2.7. Filtering Considerations . . . . . . . . . . . . . . . . . 29
2.8. Denial-of-Service Tracking/Tracing . . . . . . . . . . . . 30
3. Security Considerations . . . . . . . . . . . . . . . . . . . 32
4. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 32
5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 33
5.1. Normative References . . . . . . . . . . . . . . . . . . . 33
5.2. Informational References . . . . . . . . . . . . . . . . . 33
Appendix A. Protocol Specific Attacks . . . . . . . . . . . . . . 34
A.1. Layer 2 Attacks . . . . . . . . . . . . . . . . . . . . . 34
A.2. IPv4 Protocol-Based Attacks . . . . . . . . . . . . . . . 34
A.3. IPv6 Attacks . . . . . . . . . . . . . . . . . . . . . . . 36
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2. Threat Model . . . . . . . . . . . . . . . . . . . . . . . 3
1.3. Attack Sources . . . . . . . . . . . . . . . . . . . . . . 4
1.4. Operational Security Impact from Threats . . . . . . . . . 5
1.5. Document Layout . . . . . . . . . . . . . . . . . . . . . 7
2. Protected Operational Functions . . . . . . . . . . . . . . . 8
2.1. Device Physical Access . . . . . . . . . . . . . . . . . . 8
2.2. Device Management - In-Band and Out-of-Band (OOB) . . . . 10
2.3. Data Path . . . . . . . . . . . . . . . . . . . . . . . . 16
2.4. Routing Control Plane . . . . . . . . . . . . . . . . . . 18
2.5. Software Upgrades and Configuration
Integrity/Validation . . . . . . . . . . . . . . . . . . . 22
2.6. Logging Considerations . . . . . . . . . . . . . . . . . . 26
2.7. Filtering Considerations . . . . . . . . . . . . . . . . . 29
2.8. Denial-of-Service Tracking/Tracing . . . . . . . . . . . . 30
3. Security Considerations . . . . . . . . . . . . . . . . . . . 32
4. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 32
5. References . . . . . . . . . . . . . . . . . . . . . . . . . . 33
5.1. Normative References . . . . . . . . . . . . . . . . . . . 33
5.2. Informational References . . . . . . . . . . . . . . . . . 33
Appendix A. Protocol Specific Attacks . . . . . . . . . . . . . . 34
A.1. Layer 2 Attacks . . . . . . . . . . . . . . . . . . . . . 34
A.2. IPv4 Protocol-Based Attacks . . . . . . . . . . . . . . . 34
A.3. IPv6 Attacks . . . . . . . . . . . . . . . . . . . . . . . 36
Security practices are well understood by the network operators who have, for many years, gone through the growing pains of securing their network infrastructures. However, there does not exist a written document that enumerates these security practices. Network attacks are continually increasing and although it is not necessarily the role of an ISP to act as the Internet police, each ISP has to ensure that certain security practices are followed to ensure that their network is operationally available for their customers. This document is the result of a survey conducted to find out what current security practices are being deployed to secure network infrastructures.
多年来,网络运营商一直在努力确保其网络基础设施的安全,他们非常了解安全实践。但是,没有列举这些安全实践的书面文件。网络攻击不断增加,尽管ISP不一定扮演互联网警察的角色,但每个ISP都必须确保遵守某些安全实践,以确保其网络可供其客户使用。本文档是一项调查的结果,旨在了解当前正在部署哪些安全实践来保护网络基础设施。
The scope for this survey is restricted to security practices that mitigate exposure to risks with the potential to adversely impact network availability and reliability. Securing the actual data traffic is outside the scope of the conducted survey. This document
本次调查的范围仅限于安全实践,这些实践减轻了风险的暴露,可能对网络可用性和可靠性产生不利影响。确保实际数据流量的安全不在已进行调查的范围之内。本文件
focuses solely on documenting currently deployed security mechanisms for layer 2 and layer 3 network infrastructure devices. Although primarily focused on IPv4, many of the same practices can (and should) apply to IPv6 networks. Both IPv4 and IPv6 network infrastructures are taken into account in this survey.
专注于记录当前为第2层和第3层网络基础设施设备部署的安全机制。虽然主要关注IPv4,但许多相同的实践可以(也应该)应用于IPv6网络。本次调查同时考虑了IPv4和IPv6网络基础设施。
A threat is a potential for a security violation, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm [RFC2828]. Every operational network is subject to a multitude of threat actions, or attacks, i.e., an assault on system security that derives from an intelligent act that is a deliberate attempt to evade security services, and violate the security policy of a system [RFC2828]. Many of the threats to a network infrastructure occur from an instantiation (or combination) of the following:
威胁是一种潜在的安全违规行为,当存在可能违反安全并造成伤害的情况、能力、行动或事件时,威胁就会存在[RFC2828]。每个运营网络都会受到多种威胁行为或攻击,即对系统安全的攻击,这种攻击源于故意试图逃避安全服务并违反系统安全策略的智能行为[RFC2828]。网络基础设施面临的许多威胁来自以下实例(或组合):
Reconnaissance: An attack whereby information is gathered to ascertain the network topology or specific device information, which can be further used to exploit known vulnerabilities
侦察:收集信息以确定网络拓扑或特定设备信息的一种攻击,可进一步利用这些信息利用已知漏洞进行攻击
Man-In-The-Middle: An attack where a malicious user impersonates either the sender or recipient of a communication stream while inserting, modifying, or dropping certain traffic. This type of attack also covers phishing and session hijacks.
中间人:一种攻击,恶意用户在插入、修改或丢弃某些通信流时模拟通信流的发送者或接收者。这种类型的攻击还包括网络钓鱼和会话劫持。
Protocol Vulnerability Exploitation: An attack that takes advantage of known protocol vulnerabilities due to design or implementation flaws to cause inappropriate behavior.
协议漏洞利用:利用由于设计或实现缺陷导致的已知协议漏洞造成不适当行为的攻击。
Message Insertion: This can be a valid message (it could be a reply attack, which is a scenario where a message is captured and resent at a later time). A message can also be inserted with any of the fields in the message being spoofed, such as IP addresses, port numbers, header fields, or even packet content. Flooding is also part of this threat instantiation.
消息插入:这可能是有效的消息(可能是回复攻击,这是一种捕获消息并在以后重新发送的情况)。消息还可以插入被欺骗的消息中的任何字段,例如IP地址、端口号、头字段,甚至数据包内容。洪水也是威胁实例化的一部分。
Message Diversion/Deletion: An attack where legitimate messages are removed before they can reach the desired recipient, or are re-directed to a network segment that is normally not part of the data path.
消息转移/删除:一种攻击,合法消息在到达所需收件人之前被删除,或被重新定向到通常不属于数据路径的网段。
Message Modification: This is a subset of a message insertion attack where a previous message has been captured and modified before being retransmitted. The message can be captured using a man-in-the-middle attack or message diversion.
消息修改:这是消息插入攻击的子集,其中先前的消息在重新传输之前已被捕获和修改。可以使用中间人攻击或消息转移捕获消息。
Note that sometimes denial-of-service attacks are listed as separate categories. A denial-of-service is a consequence of an attack and can be the result of too much traffic (i.e., flooding), exploiting protocol exploitation, or inserting/deleting/diverting/modifying messages.
请注意,有时拒绝服务攻击被列为单独的类别。拒绝服务是攻击的结果,可能是由于流量过大(即洪水泛滥)、利用协议漏洞或插入/删除/转移/修改消息造成的。
These attacks can be sourced in a variety of ways:
这些攻击可以通过多种方式来源:
Active vs Passive Attacks
主动攻击与被动攻击
An active attack involves writing data to the network. It is common practice in active attacks to disguise one's address and conceal the identity of the traffic sender. A passive attack involves only reading information off the network. This is possible if the attacker has control of a host in the communications path between two victim machines, or has compromised the routing infrastructure to specifically arrange that traffic pass through a compromised machine. There are also situations where mirrored traffic (often used for debugging, performance monitoring, or accounting purposes) is diverted to a compromised machine, which would not necessarily subvert any existing topology, and could be harder to detect. In general, the goal of a passive attack is to obtain information that the sender and receiver would prefer to remain private [RFC3552].
主动攻击涉及将数据写入网络。在主动攻击中,伪装地址和隐藏流量发送者的身份是常见的做法。被动攻击只涉及从网络读取信息。如果攻击者控制了两台受攻击机器之间通信路径中的主机,或者破坏了路由基础设施,专门安排流量通过受攻击机器,则可能发生这种情况。还有一些情况下,镜像流量(通常用于调试、性能监视或记帐目的)被转移到受损机器,这不一定会破坏任何现有拓扑,而且可能更难检测。通常,被动攻击的目标是获取发送方和接收方希望保持隐私的信息[RFC3552]。
On-path vs Off-path Attacks
路径攻击与非路径攻击
In order for a datagram to be transmitted from one host to another, it generally must traverse some set of intermediate links and routers. Such routers are naturally able to read, modify, or remove any datagram transmitted along that path. This makes it much easier to mount a wide variety of attacks if you are on-path. Off-path hosts can transmit arbitrary datagrams that appear to come from any host but cannot necessarily receive datagrams intended for other hosts. Thus, if an attack depends on being able to receive data, off-path hosts must first subvert the topology in order to place themselves on-path. This is by no means impossible, but is not necessarily trivial [RFC3552]. A more subtle attack is one where the traffic-mirroring capability of a device is hijacked and the traffic is diverted to a compromised host since the network topology may not need to be subverted.
为了将数据报从一台主机传输到另一台主机,它通常必须穿过一些中间链路和路由器。这种路由器自然能够读取、修改或删除沿该路径传输的任何数据报。这样,如果您在路径上,就更容易发起各种各样的攻击。非路径主机可以传输看似来自任何主机的任意数据报,但不一定能接收到用于其他主机的数据报。因此,如果攻击取决于是否能够接收数据,则非路径主机必须首先破坏拓扑,以便将自己置于路径上。这绝非不可能,但也不一定是微不足道的[RFC3552]。更微妙的攻击是设备的流量镜像功能被劫持,流量被转移到受损主机,因为网络拓扑可能不需要被破坏。
Insider vs Outsider Attacks
内部攻击与外部攻击
An "insider attack" is initiated from inside a given security perimeter by an entity that is authorized to access system resources, but uses them in a way not approved by those who granted the authorization. An "outside attack" is initiated from outside the perimeter by an unauthorized or illegitimate user of the system.
“内部攻击”是由被授权访问系统资源的实体从给定安全边界内发起的,但其使用方式未经授权者批准。“外部攻击”是由系统的未经授权或非法用户从外围发起的。
Deliberate Attacks vs Unintentional Events
蓄意攻击与无意事件
A deliberate attack is where a miscreant intentionally performs an assault on system security. However, there are also instances where unintentional events cause the same harm, yet are performed without malicious intent. Configuration errors and software bugs can be as devastating to network availability as any deliberate attack on the network infrastructure.
蓄意攻击是指歹徒故意对系统安全进行攻击。然而,也有一些情况下,无意事件会造成相同的伤害,但在没有恶意意图的情况下执行。配置错误和软件缺陷对网络可用性的破坏性与对网络基础设施的任何蓄意攻击一样大。
The attack source can be a combination of any of the above, all of which need to be considered when trying to ascertain the impact any attack can have on the availability and reliability of the network. It is nearly impossible to stop insider attacks or unintentional events. However, if appropriate monitoring mechanisms are in place, these attacks can also be detected and mitigated as with any other attack source. The amount of effort it takes to identify and trace an attack is, of course, dependent on the resourcefulness of the attacker. Any of the specific attacks discussed further in this document will elaborate on malicious behavior, which are sourced by an "outsider" and are deliberate attacks. Some further elaboration will be given to the feasibility of passive vs active and on-path vs off-path attacks to show the motivation behind deploying certain security features.
攻击源可以是上述任意攻击的组合,在试图确定任何攻击对网络可用性和可靠性的影响时,需要考虑所有这些攻击。要阻止内部攻击或意外事件几乎是不可能的。但是,如果有适当的监控机制,也可以像检测任何其他攻击源一样检测和缓解这些攻击。当然,识别和跟踪攻击所需的工作量取决于攻击者的机智。本文档中进一步讨论的任何特定攻击都将详细说明恶意行为,这些行为是由“局外人”发起的,属于蓄意攻击。将进一步阐述被动攻击与主动攻击以及路径上攻击与路径外攻击的可行性,以显示部署某些安全功能背后的动机。
The main concern for any of the potential attack scenarios is the impact and harm it can cause to the network infrastructure. The threat consequences are the security violations that results from a threat action, i.e., an attack. These are typically classified as follows:
任何潜在攻击场景的主要问题都是它可能对网络基础设施造成的影响和危害。威胁后果是威胁行为(即攻击)导致的安全违规行为。这些通常分类如下:
(Unauthorized) Disclosure
(未经授权)披露
A circumstance or event whereby an entity gains access to data for which the entity is not authorized.
实体获取未经授权的数据访问权限的情况或事件。
Deception
欺骗
A circumstance or event that may result in an authorized entity receiving false data and believing it to be true.
可能导致授权实体接收虚假数据并认为其真实的情况或事件。
Disruption
破坏
A circumstance or event that interrupts or prevents the correct operation of system services and functions. A broad variety of attacks, collectively called denial of service attacks, threaten the availability of systems and bandwidth to legitimate users. Many such attacks are designed to consume machine resources, making it difficult or impossible to serve legitimate users. Other attacks cause the target machine to crash, completely denying service to users.
中断或阻止系统服务和功能正确运行的情况或事件。各种各样的攻击,统称为拒绝服务攻击,威胁到合法用户的系统可用性和带宽。许多此类攻击旨在消耗机器资源,使其难以或不可能为合法用户提供服务。其他攻击导致目标计算机崩溃,完全拒绝向用户提供服务。
Usurpation
篡夺
A circumstance or event that results in control of system services or functions by an unauthorized entity. Most network infrastructure systems are only intended to be completely accessible to certain authorized individuals. Should an unauthorized person gain access to critical layer 2/layer 3 infrastructure devices or services, they could cause great harm to the reliability and availability of the network.
导致未经授权的实体控制系统服务或功能的情况或事件。大多数网络基础设施系统仅适用于某些授权人员的完全访问。如果未经授权的人员访问关键的第2层/第3层基础设施设备或服务,他们可能会对网络的可靠性和可用性造成极大的危害。
A complete description of threat actions that can cause these threat consequences can be found in [RFC2828]. Typically, a number of different network attacks are used in combination to cause one or more of the above-mentioned threat consequences. An example would be a malicious user who has the capability to eavesdrop on traffic. First, he may listen in on traffic for a while, doing reconnaissance work and ascertaining which IP addresses belong to specific devices, such as routers. Were this miscreant to obtain information, such as a router password sent in cleartext, he can then proceed to compromise the actual router. From there, the miscreant can launch various active attacks, such as sending bogus routing updates to redirect traffic or capture additional traffic to compromise other network devices. While this document enumerates which countermeasures ISPs are deploying today, a useful generic analysis of actual backbone infrastructure attacks and the appropriate countermeasures can be found in [RTGWG].
可在[RFC2828]中找到可能导致这些威胁后果的威胁行动的完整描述。通常,多种不同的网络攻击组合使用,以造成上述一种或多种威胁后果。例如,有能力窃听流量的恶意用户。首先,他可能会监听流量一段时间,进行侦察工作并确定哪些IP地址属于特定设备,如路由器。如果这个恶棍获得信息,比如明文发送的路由器密码,那么他可以继续破坏实际的路由器。从那里,歹徒可以发起各种主动攻击,例如发送虚假路由更新以重定向流量或捕获额外流量以危害其他网络设备。虽然本文档列举了ISP目前正在部署的应对措施,但[RTGWG]中提供了对实际主干网基础设施攻击和适当应对措施的有用一般分析。
This document is a survey of current operational practices that mitigate the risk of being susceptible to any threat actions. As such, the main focus is on the currently deployed security practices used to detect and/or mitigate attacks. The top-level categories in this document are based on operational functions for ISPs and generally relate to what is to be protected. This is followed by a description of which attacks are possible and the security practices currently deployed. This will provide the necessary security services to help mitigate these attacks. These security services are classified as follows:
本文件是对当前操作实践的调查,旨在降低易受任何威胁行动影响的风险。因此,主要关注当前部署的用于检测和/或缓解攻击的安全实践。本文件中的顶级类别基于ISP的运营功能,通常与要保护的内容相关。然后描述可能的攻击以及当前部署的安全实践。这将提供必要的安全服务,帮助缓解这些攻击。这些安全服务分类如下:
o User Authentication
o 用户身份验证
o User Authorization
o 用户授权
o Data Origin Authentication
o 数据源身份验证
o Access Control
o 访问控制
o Data Integrity
o 数据完整性
o Data Confidentiality
o 机密性
o Auditing/Logging
o 审核/记录
o DoS Mitigation
o DoS缓解
In many instances, a specific protocol currently deployed will offer a combination of these services. For example, Authentication, Authorization, and Accounting (AAA) can offer user authentication, user authorization, and audit/logging services, while the Secure SHell (SSH) Protocol can provide data origin authentication, data integrity, and data confidentiality. The services offered are more important than the actual protocol used. Note that access control will refer basically to logical access control, i.e., filtering. Each section ends with an additional considerations section that explains why specific protocols may or may not be used, and also gives some information regarding capabilities, which are not possible today due to bugs or lack of usability.
在许多情况下,当前部署的特定协议将提供这些服务的组合。例如,身份验证、授权和记帐(AAA)可以提供用户身份验证、用户授权和审计/日志服务,而安全外壳(SSH)协议可以提供数据源身份验证、数据完整性和数据机密性。提供的服务比实际使用的协议更重要。注意,访问控制基本上是指逻辑访问控制,即过滤。每一节最后都有一个额外的注意事项部分,解释了为什么可以使用或不使用特定协议,并给出了一些关于功能的信息,这些功能在今天是不可能的,因为存在缺陷或缺乏可用性。
Device physical access pertains to protecting the physical location and access of the layer 2 or layer 3 network infrastructure device. Physical security is a large field of study/practice in and of itself, arguably the largest, oldest, and most well-understood area of security. Although it is important to have contingency plans for natural disasters, such as earthquakes and floods, which can cause damage to networking devices, this is out of the scope of this document. Here, we concern ourselves with protecting access to the physical location and how a device can be further protected from unauthorized access if the physical location has been compromised, i.e., protecting the console access. This is aimed largely at stopping an intruder with physical access from gaining operational control of the device(s). Note that nothing will stop an attacker with physical access from effecting a denial-of-service attack, which can be easily accomplished by powering off the device or just unplugging some cables.
设备物理访问涉及保护第2层或第3层网络基础设施设备的物理位置和访问。物理安全本身就是一个很大的研究/实践领域,可以说是最大、最古老、最容易理解的安全领域。尽管制定自然灾害(如地震和洪水)应急计划很重要,因为这些自然灾害可能会对网络设备造成损坏,但这超出了本文件的范围。这里,我们关心的是保护对物理位置的访问,以及如果物理位置被破坏,如何进一步保护设备免受未经授权的访问,即保护控制台访问。这主要是为了阻止具有物理访问权限的入侵者获得设备的操作控制。请注意,没有任何东西可以阻止具有物理访问权限的攻击者实施拒绝服务攻击,这可以通过关闭设备电源或拔下一些电缆来轻松实现。
If any intruder gets physical access to a layer 2 or layer 3 device, the entire network infrastructure can be under the control of the intruder. At a minimum, the intruder can take the compromised device out of service, causing network disruption, the extent of which depends on the network topology. A worse scenario is where the intruder uses this device to crack the console password, gaining complete control of the device (perhaps without anyone detecting such a compromise, or to attach another network device onto a port and siphon off data with which the intruder can ascertain the network topology) and the entire network.
如果任何入侵者获得对第2层或第3层设备的物理访问,则整个网络基础设施都可以在入侵者的控制下。入侵者至少可以使受损设备停止服务,造成网络中断,其程度取决于网络拓扑。更糟糕的情况是,入侵者使用该设备破解控制台密码,获得对该设备的完全控制(可能没有任何人检测到此类泄露,或者将另一个网络设备连接到端口,并提取入侵者可以确定网络拓扑的数据)和整个网络。
The threat of gaining physical access can be realized in a variety of ways, even if critical devices are under high security. Cases still occur where attackers have impersonated maintenance workers to gain physical access to critical devices that have caused major outages and privacy compromises. Insider attacks from authorized personnel also pose a real threat and must be adequately recognized and addressed.
获取物理访问的威胁可以通过多种方式实现,即使关键设备处于高度安全状态。攻击者冒充维护人员以获得对关键设备的物理访问权限,从而导致重大停机和隐私泄露的情况仍然存在。授权人员的内部攻击也构成了真正的威胁,必须得到充分承认和解决。
For physical device security, equipment is kept in highly restrictive environments. Only authorized users with card-key badges have access to any of the physical locations that contain critical network infrastructure devices. These card-key systems keep track of who
为了物理设备的安全,设备被保存在高度受限的环境中。只有具有卡密钥徽章的授权用户才能访问包含关键网络基础设施设备的任何物理位置。这些卡钥匙系统跟踪谁
accessed which location and at what time. Most cardkey systems have a fail-back "master key" in case the card system is down. This "master key" usually has limited access and its use is also carefully logged (which should only happen if the card-key system is NOT online/functional).
访问了哪个位置和时间。大多数卡钥匙系统都有一个故障回复“主钥匙”,以防卡系统停机。该“主密钥”通常具有有限的访问权限,并且其使用也会被仔细记录(仅当卡密钥系统不在线/不起作用时才会发生这种情况)。
All console access is always password protected and the login time is set to time out after a specified amount of inactivity - typically between 3-10 minutes. The type of privileges that you obtain from a console login varies between separate vendor devices. In some cases you get initial basic access and need to perform a second authentication step to get more privileged access (i.e., enable or root). In other vendors, you get the more privileged access when you log into the console as root, without requiring a second authentication step.
所有控制台访问始终受密码保护,并且登录时间设置为在指定的不活动时间(通常在3-10分钟之间)后超时。从控制台登录中获得的权限类型因不同的供应商设备而异。在某些情况下,您获得初始基本访问权限,需要执行第二个身份验证步骤以获得更多特权访问权限(即启用或根)。在其他供应商中,当您以root用户身份登录控制台时,您可以获得更高的权限,而不需要第二个身份验证步骤。
How ISPs manage these logins vary greatly, although many of the larger ISPs employ some sort of AAA mechanism to help automate privilege-level authorization and utilize the automation to bypass the need for a second authentication step. Also, many ISPs define separate classes of users to have different privileges while logged onto the console. Typically, all console access is provided via an out-of-band (OOB) management infrastructure, which is discussed in Section 2.2 of this document.
ISP管理这些登录的方式差异很大,尽管许多大型ISP采用某种AAA机制来帮助自动化特权级别授权,并利用自动化绕过第二个身份验证步骤。此外,许多ISP定义了不同的用户类别,以便在登录控制台时拥有不同的权限。通常,所有控制台访问都是通过带外(OOB)管理基础设施提供的,本文档第2.2节对此进行了讨论。
The following security services are offered through the use of the practices described in the previous section:
通过使用上一节中描述的实践提供以下安全服务:
o User Authentication - All individuals who have access to the physical facility are authenticated. Console access is authenticated.
o 用户身份验证-对所有能够访问物理设施的个人进行身份验证。控制台访问已通过身份验证。
o User Authorization - An authenticated individual has implicit authorization to perform commands on the device. In some cases, multiple authentication is required to differentiate between basic and more privileged access.
o 用户授权-经过身份验证的个人具有在设备上执行命令的隐式授权。在某些情况下,需要多重身份验证来区分基本访问和更具特权的访问。
o Data Origin Authentication - Not applicable.
o 数据源身份验证-不适用。
o Access Control - Not applicable.
o 访问控制-不适用。
o Data Integrity - Not applicable.
o 数据完整性-不适用。
o Data Confidentiality - Not applicable.
o 数据保密性-不适用。
o Auditing/Logging - All access to the physical locations of the infrastructure equipment is logged via electronic card-key systems. All console access is logged (refer to Section 2.2 of this document for more details).
o 审核/记录-通过电子卡钥匙系统记录对基础设施设备物理位置的所有访问。所有控制台访问均已记录(有关更多详细信息,请参阅本文档第2.2节)。
o DoS Mitigation - Not applicable.
o DoS缓解-不适用。
Physical security is relevant to operational security practices as described in this document, mostly from a console-access perspective. Most ISPs provide console access via an OOB management infrastructure, which is discussed in Section 2.2 of this document.
物理安全性与本文档中描述的操作安全实践相关,主要是从控制台访问的角度。大多数ISP通过OOB管理基础设施提供控制台访问,本文档第2.2节对此进行了讨论。
The physical and logical authentication and logging systems should be run independently of each other and should reside in different physical locations. These systems need to be secured to ensure that they themselves will not be compromised, which could give the intruder valuable authentication and logging information.
物理和逻辑身份验证和日志记录系统应彼此独立运行,并应位于不同的物理位置。这些系统需要得到保护,以确保它们本身不会受到危害,这可能会给入侵者提供有价值的身份验证和日志信息。
Social engineering plays a big role in many physical access compromises. Most ISPs have set up training classes and awareness programs to educate company personnel to deny physical access to people who are not properly authenticated or authorized to have physical access to critical infrastructure devices.
社会工程在许多物理访问妥协中扮演着重要角色。大多数ISP都设立了培训班和意识计划,教育公司人员拒绝未经适当认证或未经授权的人员对关键基础设施设备进行物理访问。
In-band management is generally considered to be device access, where the control traffic takes the same data path as the data that traverses the network. Out-of-band management is generally considered to be device access, where the control traffic takes a separate path as the data that traverses the network. In many environments, device management for layer 2 and layer 3 infrastructure devices is deployed as part of an out-of-band management infrastructure, although there are some instances where it is deployed in-band as well. Note that while many of the security concerns and practices are the same for OOB management and in-band management, most ISPs prefer an OOB management system, since access to the devices that make up this management network are more vigilantly protected and considered to be less susceptible to malicious activity.
带内管理通常被认为是设备访问,其中控制通信采用与穿过网络的数据相同的数据路径。带外管理通常被认为是设备访问,其中控制流量采用一条单独的路径作为穿越网络的数据。在许多环境中,第2层和第3层基础架构设备的设备管理作为带外管理基础架构的一部分进行部署,尽管在某些情况下,它也部署在带内。请注意,虽然OOB管理和带内管理的许多安全问题和做法是相同的,但大多数ISP更喜欢OOB管理系统,因为对构成此管理网络的设备的访问受到更严格的保护,并且被认为不易受到恶意活动的影响。
Console access is always architected via an OOB network. Presently, the mechanisms used for either in-band management or OOB are via virtual terminal access (i.e., Telnet or SSH), Simple Network Management Protocol (SNMP), or HTTP. In all large ISPs that were interviewed, HTTP management was never used and was explicitly
控制台访问总是通过OOB网络进行架构。目前,用于带内管理或OOB的机制是通过虚拟终端访问(即Telnet或SSH)、简单网络管理协议(SNMP)或HTTP。在所有接受采访的大型ISP中,HTTP管理从未使用过,而且是明确的
disabled. Note that file transfer protocols (TFTP, FTP, and SCP) will be covered in Section 2.5 of this document.
残废请注意,本文件第2.5节将介绍文件传输协议(TFTP、FTP和SCP)。
For device management, passive attacks are possible if someone has the capability to intercept data between the management device and the managed device. The threat is possible if a single infrastructure device is somehow compromised and can act as a network sniffer, or if it is possible to insert a new device that acts as a network sniffer.
对于设备管理,如果有人能够截获管理设备和受管设备之间的数据,则可能发生被动攻击。如果单个基础设施设备受到某种程度的破坏,并且可以充当网络嗅探器,或者如果可以插入充当网络嗅探器的新设备,则可能存在威胁。
Active attacks are possible for both on-path and off-path scenarios. For on-path active attacks, the situation is the same as for a passive attack, where either a device has to already be compromised or a device can be inserted into the path. For off-path active attacks, where a topology subversion is required to reroute traffic and essentially bring the attacker on-path, the attack is generally limited to message insertion or modification.
在路径上和路径外情况下都可能发生主动攻击。对于路径上主动攻击,情况与被动攻击相同,在被动攻击中,设备必须已经受损,或者可以将设备插入路径中。对于非路径主动攻击,如果需要拓扑颠覆来重新路由流量并将攻击者带到路径上,则攻击通常限于消息插入或修改。
Confidentiality violations can occur when a miscreant intercepts any management data that has been sent in cleartext or with weak encryption. This includes interception of usernames and passwords with which an intruder can obtain unauthorized access to network devices. It can also include other information, such as logging or configuration information, if an administrator is remotely viewing local logfiles or configuration information.
当不法分子截获以明文或弱加密方式发送的任何管理数据时,可能会发生违反保密性的情况。这包括截取用户名和密码,入侵者可以利用这些用户名和密码获得对网络设备的未经授权访问。如果管理员正在远程查看本地日志文件或配置信息,它还可以包括其他信息,如日志或配置信息。
If username/password information was encrypted but the cryptographic mechanism used made it easy to capture data and break the encryption key, the device management traffic could be compromised. The traffic would need to be captured either by eavesdropping on the network or by being able to divert traffic to a malicious user.
如果用户名/密码信息已加密,但使用的加密机制使捕获数据和破解加密密钥变得容易,则设备管理流量可能会受到影响。需要通过网络窃听或将流量转移给恶意用户来捕获流量。
For a replay attack to be successful, the management traffic would need to first be captured either on-path or diverted to an attacker to later be replayed to the intended recipient.
为了使重播攻击成功,需要首先在路径上捕获管理通信量,或者将其转移给攻击者,以便稍后将其重播到目标收件人。
Data can be manipulated by someone in control of intermediary hosts. Forging data is also possible with IP spoofing, where a remote host sends out packets that appear to come from another, trusted host.
数据可以由控制中间主机的人进行操作。IP欺骗也可以伪造数据,远程主机发送的数据包似乎来自另一个受信任的主机。
A man-in-the-middle attack attacks the identity of a communicating peer rather than the data stream itself. The attacker intercepts traffic that is sent from a management system to the networking infrastructure device and traffic that is sent from the network infrastructure device to the management system.
中间人攻击攻击的是通信对等方的身份,而不是数据流本身。攻击者拦截从管理系统发送到网络基础设施设备的流量以及从网络基础设施设备发送到管理系统的流量。
OOB management is done via a terminal server at each location. SSH access is used to get to the terminal server from where sessions to the devices are initiated. Dial-in access is deployed as a backup if the network is not available. However, it is common to use dial-back, encrypting modems, and/or one-time-password (OTP) modems to avoid the security weaknesses of plain dial-in access.
OOB管理通过每个位置的终端服务器完成。SSH访问用于访问终端服务器,从那里启动到设备的会话。如果网络不可用,则将拨入访问部署为备份。然而,通常使用回拨、加密调制解调器和/或一次性密码(OTP)调制解调器来避免普通拨号接入的安全弱点。
All in-band management and OOB management access to layer 2 and layer 3 devices is authenticated. The user authentication and authorization is typically controlled by an AAA server (i.e., Remote Authentication Dial-in User Service (RADIUS) and/or Terminal Access Controller Access-Control System (TACACS+)). Credentials used to determine the identity of the user vary from static username/password to one-time username/password schemes such as Secure-ID. Static username/passwords are expired after a specified period of time, usually 30 days. Every authenticated entity via AAA is an individual user for greater granularity of control. Note that often the AAA server used for OOB management authentication is a separate physical device from the AAA server used for in-band management user authentication. In some deployments, the AAA servers used for device management authentication/authorization/accounting are on separate networks to provide a demarcation for any other authentication functions.
对第2层和第3层设备的所有带内管理和OOB管理访问都经过身份验证。用户认证和授权通常由AAA服务器(即,远程认证拨入用户服务(RADIUS)和/或终端访问控制器访问控制系统(TACACS+)控制。用于确定用户身份的凭据从静态用户名/密码到一次性用户名/密码方案(如Secure-ID)各不相同。静态用户名/密码在指定的时间段(通常为30天)后过期。通过AAA认证的每个实体都是一个单独的用户,以实现更大的控制粒度。请注意,通常用于OOB管理身份验证的AAA服务器是与用于带内管理用户身份验证的AAA服务器分开的物理设备。在某些部署中,用于设备管理身份验证/授权/记帐的AAA服务器位于单独的网络上,为任何其他身份验证功能提供了界限。
For backup purposes, there is often a single local database entry for authentication that is known to a very limited set of key personnel. It is usually the highest privilege-level username/password combination, which in most cases is the same across all devices. This local device password is routinely regenerated once every 2-3 months, and is also regenerated immediately after an employee who had access to that password leaves the company or is no longer authorized to have knowledge of that password.
出于备份目的,通常只有一个用于身份验证的本地数据库条目,只有非常有限的一组关键人员知道该条目。它通常是最高权限级别的用户名/密码组合,在大多数情况下,在所有设备上都是相同的。该本地设备密码通常每2-3个月重新生成一次,并且在有权访问该密码的员工离开公司或不再被授权知道该密码后也会立即重新生成。
Each individual user in the AAA database is configured with specific authorization capability. Specific commands are either individually denied or permitted, depending on the capability of the device to be accessed. Multiple privilege levels are deployed. Most individuals are authorized with basic authorization to perform a minimal set of commands, while a subset of individuals are authorized to perform more privileged commands. Securing the AAA server is imperative and access to the AAA server itself is strictly controlled. When an individual leaves the company, his/her AAA account is immediately deleted and the TACACS/RADIUS shared secret is reset for all devices.
AAA数据库中的每个用户都配置了特定的授权功能。根据要访问的设备的能力,特定命令被单独拒绝或允许。部署了多个特权级别。大多数人都有基本授权来执行一组最小的命令,而一部分人有权执行更特权的命令。保护AAA服务器是必要的,对AAA服务器本身的访问受到严格控制。当个人离开公司时,他/她的AAA帐户将立即被删除,所有设备的TACACS/RADIUS共享机密将被重置。
Some management functions are performed using command line interface (CLI) scripting. In these scenarios, a dedicated user is used for the identity in scripts that perform CLI scripting. Once authenticated, these scripts control which commands are legitimate, depending on authorization rights of the authenticated individual.
一些管理功能是使用命令行界面(CLI)脚本执行的。在这些场景中,专用用户用于执行CLI脚本的脚本中的标识。经过身份验证后,这些脚本将根据经过身份验证的个人的授权权限控制哪些命令是合法的。
SSH is always used for virtual terminal access to provide for an encrypted communication channel. There are exceptions due to equipment limitations which are described in the additional considerations section.
SSH始终用于虚拟终端访问,以提供加密的通信通道。由于设备限制,在附加注意事项一节中描述了一些例外情况。
If SNMP is used for management, it is for read queries only and restricted to specific hosts. If possible, the view is also restricted to only send the information that the management station needs, rather than expose the entire configuration file with the read-only SNMP community. The community strings are carefully chosen to be difficult to crack and there are procedures in place to change these community strings between 30-90 days. If systems support two SNMP community strings, the old string is replaced by first configuring a second, newer community string and then migrating over from the currently used string to the newer one. Most large ISPs have multiple SNMP systems accessing their routers so it takes more then one maintenance period to get all the strings fixed in all the right systems. SNMP RW is not used and is disabled by configuration.
如果SNMP用于管理,则它仅用于读取查询,并且仅限于特定主机。如果可能,该视图还被限制为仅发送管理站所需的信息,而不是使用只读SNMP社区公开整个配置文件。社区字符串经过仔细选择,难以破解,并且有适当的程序在30-90天内更改这些社区字符串。如果系统支持两个SNMP社区字符串,则先配置第二个较新的社区字符串,然后从当前使用的字符串迁移到较新的字符串,以替换旧字符串。大多数大型ISP都有多个SNMP系统访问其路由器,因此需要一个以上的维护周期才能在所有正确的系统中修复所有字符串。SNMP RW未使用,已通过配置禁用。
Access control is strictly enforced for infrastructure devices by using stringent filtering rules. A limited set of IP addresses are allowed to initiate connections to the infrastructure devices and are specific to the services to which they are to limited (i.e., SSH and SNMP).
通过使用严格的筛选规则,对基础设施设备实施严格的访问控制。允许一组有限的IP地址来启动与基础设施设备的连接,并且这些IP地址特定于它们被限制的服务(即SSH和SNMP)。
All device management access is audited and any violations trigger alarms that initiate automated email, pager, and/or telephone notifications. AAA servers keep track of the authenticated entity as well as all the commands that were carried out on a specific device. Additionally, the device itself logs any access control violations (i.e., if an SSH request comes in from an IP address that is not
所有设备管理访问都经过审核,任何违规行为都会触发警报,启动自动电子邮件、寻呼机和/或电话通知。AAA服务器跟踪经过身份验证的实体以及在特定设备上执行的所有命令。此外,设备本身会记录任何违反访问控制的情况(即,如果SSH请求来自一个不受限制的IP地址)
explicitly permitted, that event is logged so that the offending IP address can be tracked down and investigations made as to why it was trying to access a particular infrastructure device)
明确允许的情况下,会记录该事件,以便可以跟踪违规IP地址,并调查其试图访问特定基础设施设备的原因)
The security services offered for device OOB management are nearly identical to those of device in-band management. Due to the critical nature of controlling and limiting device access, many ISPs feel that physically separating the management traffic from the normal customer data traffic will provide an added level of risk mitigation and limit the potential attack vectors. The following security services are offered through the use of the practices described in the previous section:
为设备OOB管理提供的安全服务与设备带内管理的安全服务几乎相同。由于控制和限制设备访问的关键性质,许多ISP认为将管理流量与正常客户数据流量物理分离将提供更高级别的风险缓解,并限制潜在的攻击向量。通过使用上一节中描述的实践提供以下安全服务:
o User Authentication - All individuals are authenticated via AAA services.
o 用户身份验证-所有个人都通过AAA服务进行身份验证。
o User Authorization - All individuals are authorized via AAA services to perform specific operations once successfully authenticated.
o 用户授权-一旦成功通过身份验证,所有个人都可以通过AAA服务授权执行特定操作。
o Data Origin Authentication - Management traffic is strictly filtered to allow only specific IP addresses to have access to the infrastructure devices. This does not alleviate risk the from spoofed traffic, although when combined with edge filtering using BCP38 [RFC2827] and BCP84 [RFC3704] guidelines (discussed in Section 2.5), then the risk of spoofing is mitigated, barring a compromised internal system. Also, using SSH for device access ensures that no one can spoof the traffic during the SSH session.
o 数据源身份验证-管理流量经过严格筛选,只允许特定IP地址访问基础设施设备。这并不能降低欺骗流量的风险,尽管当结合使用BCP38[RFC2827]和BCP84[RFC3704]指南(在第2.5节中讨论)进行边缘过滤时,欺骗的风险会降低,除非内部系统受损。另外,使用SSH进行设备访问可以确保在SSH会话期间没有人可以欺骗流量。
o Access Control - Management traffic is filtered to allow only specific IP addresses to have access to the infrastructure devices.
o 访问控制-管理流量经过过滤,只允许特定IP地址访问基础设施设备。
o Data Integrity - Using SSH provides data integrity and ensures that no one has altered the management data in transit.
o 数据完整性-使用SSH提供数据完整性,并确保没有人在传输过程中更改管理数据。
o Data Confidentiality - Using SSH provides data confidentiality.
o 数据机密性—使用SSH提供数据机密性。
o Auditing/Logging - Using AAA provides an audit trail for who accessed which device and which operations were performed.
o 审核/记录-使用AAA提供了对谁访问了哪些设备以及执行了哪些操作的审核跟踪。
o DoS Mitigation - Using packet filters to allow only specific IP addresses to have access to the infrastructure devices. This limits but does not prevent spoofed DoS attacks directed at an infrastructure device. However, the risk is lowered by using a separate physical network for management purposes.
o DoS缓解-使用数据包过滤器仅允许特定IP地址访问基础设施设备。这限制但不能防止针对基础设施设备的欺骗DoS攻击。但是,通过使用单独的物理网络进行管理,可以降低风险。
Password selection for any device management protocol used is critical to ensure that the passwords are hard to guess or break using a brute-force attack.
为使用的任何设备管理协议选择密码对于确保密码不易被猜测或使用暴力攻击破坏至关重要。
IP security (IPsec) is considered too difficult to deploy, and the common protocol to provide for confidential management access is SSH. There are exceptions for using SSH due to equipment limitations since SSH may not be supported on legacy equipment. In some cases, changing the host name of a device requires an SSH rekey event since the key is based on some combination of host name, Message Authentication Code (MAC) address, and time. Also, in the case where the SSH key is stored on a route processor card, a re-keying of SSH would be required whenever the route processor card needs to be swapped. Some providers feel that this operational impact exceeds the security necessary and instead use Telnet from trusted inside hosts (called 'jumphosts' or 'bastion hosts') to manage those devices. An individual would first SSH to the jumphost and then Telnet from the jumphost to the actual infrastructure device, fully understanding that any passwords will be sent in the clear between the jumphost and the device to which it is connecting. All authentication and authorization is still carried out using AAA servers.
IP安全性(IPsec)被认为太难部署,提供机密管理访问的常见协议是SSH。由于传统设备可能不支持SSH,因此由于设备限制,使用SSH会出现例外情况。在某些情况下,更改设备的主机名需要SSH重新密钥事件,因为密钥基于主机名、消息身份验证码(MAC)地址和时间的某种组合。此外,如果SSH密钥存储在路由处理器卡上,则每当需要交换路由处理器卡时,都需要重新设置SSH密钥。一些提供商认为这种操作影响超出了必要的安全性,而是使用来自可信内部主机(称为“jumphosts”或“bastion hosts”)的Telnet来管理这些设备。个人将首先通过SSH连接到jumphost,然后通过Telnet从jumphost连接到实际的基础设施设备,完全理解任何密码都将在jumphost与其连接的设备之间以明文形式发送。所有身份验证和授权仍使用AAA服务器执行。
In instances where Telnet access is used, the logs on the AAA servers are more verbose and more attention is paid to them to detect any abnormal behavior. The jumphosts themselves are carefully controlled machines and usually have limited access. Note that Telnet is NEVER allowed to an infrastructure device except from specific jumphosts; i.e., packet filters are used at the console server and/or infrastructure device to ensure that Telnet is only allowed from specific IP addresses.
在使用Telnet访问的情况下,AAA服务器上的日志更加详细,并且更加注意它们以检测任何异常行为。jumphosts本身是精心控制的机器,通常访问权限有限。请注意,除了特定的jumphosts之外,决不允许Telnet访问基础设施设备;i、 例如,在控制台服务器和/或基础设施设备上使用数据包过滤器,以确保只允许来自特定IP地址的Telnet。
With thousands of devices to manage, some ISPs have created automated mechanisms to authenticate to devices. As an example, Kerberos has been used to automate the authentication process for devices that have support for Kerberos. An individual would first log in to a Kerberized UNIX server using SSH and generate a Kerberos 'ticket'. This 'ticket' is generally set to have a lifespan of 10 hours and is used to automatically authenticate the individual to the infrastructure devices.
由于需要管理数千台设备,一些ISP已经创建了自动机制来对设备进行身份验证。例如,Kerberos已用于自动化支持Kerberos的设备的身份验证过程。个人将首先使用SSH登录到Kerberized UNIX服务器,并生成Kerberos“票证”。此“票证”通常设置为10小时,用于自动向基础设施设备验证个人身份。
In instances where SNMP is used, some legacy devices only support SNMPv1, which then requires the provider to mandate its use across all infrastructure devices for operational simplicity. SNMPv2 is primarily deployed since it is easier to set up than v3.
在使用SNMP的情况下,一些传统设备仅支持SNMPv1,这就要求提供商在所有基础设施设备上强制使用SNMPv1,以简化操作。SNMPv2主要是部署的,因为它比v3更容易设置。
This section refers to how traffic is handled that traverses the network infrastructure device. The primary goal of ISPs is to forward customer traffic. However, due to the large amount of malicious traffic that can cause DoS attacks and render the network unavailable, specific measures are sometimes deployed to ensure the availability to forward legitimate customer traffic.
本节介绍如何处理穿越网络基础设施设备的流量。ISP的主要目标是转发客户流量。但是,由于大量恶意流量可能导致DoS攻击并使网络不可用,因此有时会部署特定措施以确保转发合法客户流量的可用性。
Any data traffic can potentially be attack traffic and the challenge is to detect and potentially stop forwarding any of the malicious traffic. The deliberately sourced attack traffic can consist of packets with spoofed source and/or destination addresses or any other malformed packet that mangle any portion of a header field to cause protocol-related security issues (such as resetting connections, causing unwelcome ICMP redirects, creating unwelcome IP options, or packet fragmentations).
任何数据流量都可能是攻击流量,挑战在于检测并可能停止转发任何恶意流量。故意来源的攻击流量可能包括具有伪造的源地址和/或目标地址的数据包,或任何其他格式错误的数据包,这些数据包会损坏报头字段的任何部分,从而导致与协议相关的安全问题(例如重设连接、导致不受欢迎的ICMP重定向、创建不受欢迎的IP选项或数据包碎片)。
Filtering and rate limiting are the primary mechanism to provide risk mitigation of malicious traffic rendering the ISP services unavailable. However, filtering and rate limiting of data path traffic is deployed in a variety of ways, depending on how automated the process is and what the capabilities and performance limitations of the existing deployed hardware are.
过滤和速率限制是降低导致ISP服务不可用的恶意流量风险的主要机制。但是,数据路径流量的过滤和速率限制以多种方式部署,具体取决于流程的自动化程度以及现有部署硬件的功能和性能限制。
The ISPs that do not have performance issues with their equipment follow BCP38 [RFC2827] and BCP84 [RFC3704] guidelines for ingress filtering. BCP38 recommends filtering ingress packets with obviously spoofed and/or 'reserved' source addresses to limit the effects of denial-of-service attacks, while BCP84 extends the recommendation for multi-homed environments. Filters are also used to help alleviate issues between service providers. Without any filtering, an inter-exchange peer could steal transit just by using static routes, and essentially redirect data traffic. Therefore, some ISPs have implemented ingress/egress filters that block unexpected source and destination addresses not defined in the above-mentioned documents. Null routes and black-hole triggered routing [RFC3882] are used to deter any detected malicious traffic streams. These two techniques are described in more detail in Section 2.8 below.
设备没有性能问题的ISP遵循BCP38[RFC2827]和BCP84[RFC3704]的入口过滤准则。BCP38建议过滤带有明显欺骗和/或“保留”源地址的入口数据包,以限制拒绝服务攻击的影响,而BCP84扩展了多宿主环境的建议。过滤器还用于帮助缓解服务提供商之间的问题。在没有任何过滤的情况下,交换间对等方可以仅通过使用静态路由窃取传输,并基本上重定向数据流量。因此,一些ISP实施了入口/出口过滤器,阻止上述文档中未定义的意外源地址和目标地址。空路由和黑洞触发路由[RFC3882]用于阻止任何检测到的恶意流量流。下面第2.8节将更详细地描述这两种技术。
Most ISPs consider layer 4 filtering useful, but it is only implemented if performance limitations allow for it. Since it poses a large administrative overhead and ISPs are very much opposed to acting as the Internet firewall, Layer 4 filtering is typically
大多数ISP认为第4层过滤是有用的,但是只有在性能限制允许的情况下才实现。由于它会带来巨大的管理开销,而且ISP非常反对充当Internet防火墙,因此第4层过滤通常是
implemented as a last option. Netflow is used for tracking traffic flows, but there is some concern whether sampling is good enough to detect malicious behavior.
作为最后一个选项实现。Netflow用于跟踪流量,但存在一些问题,即采样是否足以检测恶意行为。
Unicast Reverse Path Forwarding (RPF) is not consistently implemented. Some ISPs are in the process of doing so, while other ISPs think that the perceived benefit of knowing that spoofed traffic comes from legitimate addresses are not worth the operational complexity. Some providers have a policy of implementing uRPF at link speeds of Digital Signal 3 (DS3) and below, which was due to the fact that all hardware in the network supported uRPF for DS3 speeds and below. At higher-speed links, the uRPF support was inconsistent and it was easier for operational people to implement a consistent solution.
单播反向路径转发(RPF)的实现并不一致。一些ISP正在这样做,而其他ISP认为,知道欺骗流量来自合法地址的感知好处不值得操作复杂性。一些提供商有一项以数字信号3(DS3)及以下的链路速度实施uRPF的政策,这是因为网络中的所有硬件都支持DS3及以下的uRPF。在高速链路上,uRPF支持不一致,操作人员更容易实施一致的解决方案。
o User Authentication - Not applicable.
o 用户身份验证-不适用。
o User Authorization - Not applicable.
o 用户授权-不适用。
o Data Origin Authentication - When IP address filtering per BCP38, BCP84, and uRPF are deployed at network edges it can ensure that any spoofed traffic comes from at least a legitimate IP address and can be tracked.
o 数据源身份验证—当根据BCP38、BCP84和uRPF进行IP地址筛选部署在网络边缘时,它可以确保任何伪造流量至少来自合法IP地址,并且可以跟踪。
o Access Control - IP address filtering and layer 4 filtering is used to deny forbidden protocols and limit traffic destined for infrastructure device itself. Filters are also used to block unexpected source/destination addresses.
o 访问控制-IP地址过滤和第4层过滤用于拒绝被禁止的协议并限制发送到基础设施设备本身的流量。筛选器还用于阻止意外的源/目标地址。
o Data Integrity - Not applicable.
o 数据完整性-不适用。
o Data Confidentiality - Not applicable.
o 数据保密性-不适用。
o Auditing/Logging - Filtering exceptions are logged for potential attack traffic.
o 审核/记录-记录潜在攻击流量的过滤异常。
o DoS Mitigation - Black-hole triggered filtering and rate-limiting are used to limit the risk of DoS attacks.
o DoS缓解-黑洞触发过滤和速率限制用于限制DoS攻击的风险。
For layer 2 devices, MAC address filtering and authentication is not used in large-scale deployments. This is due to the problems it can cause when troubleshooting networking issues. Port security becomes unmanageable at a large scale where thousands of switches are deployed.
对于第2层设备,大规模部署中不使用MAC地址过滤和身份验证。这是由于在对网络问题进行故障排除时可能导致的问题。在大规模部署数千台交换机的情况下,端口安全性变得难以管理。
Rate limiting is used by some ISPs, although other ISPs believe it is not really useful, since attackers are not well-behaved and it doesn't provide any operational benefit over the complexity. Some ISPs feel that rate limiting can also make an attacker's job easier by requiring the attacker to send less traffic to starve legitimate traffic that is part of a rate limiting scheme. Rate limiting may be improved by developing flow-based rate-limiting capabilities with filtering hooks. This would improve the performance as well as the granularity over current capabilities.
一些ISP使用了速率限制,尽管其他ISP认为它并没有真正的用处,因为攻击者行为不好,并且在操作复杂性方面没有任何好处。一些ISP认为,速率限制还可以通过要求攻击者发送较少的流量来切断作为速率限制方案一部分的合法流量,从而使攻击者的工作更容易。通过开发带有过滤挂钩的基于流的速率限制功能,可以改进速率限制。这将提高性能以及当前功能的粒度。
Lack of consistency regarding the ability to filter, especially with respect to performance issues, cause some ISPs not to implement BCP38 and BCP84 guidelines for ingress filtering. One such example is at edge boxes, where up to 1000 T1s connecting into a router with an OC-12 (Optical Carrier) uplink. Some deployed devices experience a large performance impact with filtering, which is unacceptable for passing customer traffic through, though ingress filtering (uRPF) might be applicable at the devices that are connecting these aggregation routers. Where performance is not an issue, the ISPs make a tradeoff between management versus risk.
在过滤能力方面缺乏一致性,特别是在性能问题方面,导致一些ISP没有实施BCP38和BCP84入口过滤指南。一个这样的例子是在边缘盒,其中多达1000个T1s通过OC-12(光载波)上行链路连接到路由器。一些已部署的设备会受到过滤的巨大性能影响,这对于通过客户流量传递是不可接受的,尽管入口过滤(uRPF)可能适用于连接这些聚合路由器的设备。如果性能不是问题,ISP会在管理和风险之间进行权衡。
The routing control plane deals with all the traffic that is part of establishing and maintaining routing protocol information.
路由控制平面处理作为建立和维护路由协议信息的一部分的所有通信量。
Attacks on the routing control plane can be from both passive or active sources. Passive attacks are possible if someone has the capability to intercept data between the communicating routing peers. This can be accomplished if a single routing peer is somehow compromised and can act as a network sniffer, or if it is possible to insert a new device that acts as a network sniffer.
对路由控制平面的攻击可以来自被动源或主动源。如果有人能够截获通信路由对等方之间的数据,则可能发生被动攻击。如果单个路由对等方受到某种程度的损害,可以充当网络嗅探器,或者可以插入充当网络嗅探器的新设备,则可以实现这一点。
Active attacks are possible for both on-path and off-path scenarios. For on-path active attacks, the situation is the same as for a passive attack, where either a device has to already be compromised or a device can be inserted into the path. This may lead to an attacker impersonating a legitimate routing peer and exchanging routing information. Unintentional active attacks are more common due to configuration errors, which cause legitimate routing peers to feed invalid routing information to other neighboring peers.
在路径上和路径外情况下都可能发生主动攻击。对于路径上主动攻击,情况与被动攻击相同,在被动攻击中,设备必须已经受损,或者可以将设备插入路径中。这可能导致攻击者模拟合法的路由对等方并交换路由信息。由于配置错误,非故意主动攻击更为常见,这会导致合法路由对等方向其他相邻对等方提供无效路由信息。
For off-path active attacks, the attacks are generally limited to message insertion or modification, which can divert traffic to illegitimate destinations, causing traffic to never reach its intended destination.
对于非路径主动攻击,攻击通常限于消息插入或修改,这会将流量转移到非法目的地,导致流量永远无法到达其预期目的地。
Confidentiality violations can occur when a miscreant intercepts any of the routing update traffic. This is becoming more of a concern because many ISPs are classifying addressing schemes and network topologies as private and proprietary information. It is also a concern because the routing protocol packets contain information that may show ways in which routing sessions could be spoofed or hijacked. This in turn could lead into a man-in-the-middle attack, where the miscreants can insert themselves into the traffic path or divert the traffic path and violate the confidentiality of user data.
当不法分子截获任何路由更新流量时,可能会发生违反保密性的情况。这正变得越来越令人担忧,因为许多ISP将寻址方案和网络拓扑划分为私有和专有信息。这也是一个值得关注的问题,因为路由协议数据包包含的信息可能显示路由会话可能被欺骗或劫持的方式。这反过来可能导致中间人攻击,歹徒可以将自己插入交通路径或转移交通路径,并侵犯用户数据的机密性。
If any cryptographic mechanism was used to provide for data integrity and confidentiality, an offline cryptographic attack could potentially compromise the data. The traffic would need to be captured either by eavesdropping on the network or by being able to divert traffic to a malicious user. Note that by using cryptographically protected routing information, the latter would require the cryptographic key to already be compromised anyway, so this attack is only feasible if a device was able to eavesdrop and capture the cryptographically protected routing information.
如果使用任何加密机制来提供数据完整性和机密性,则脱机加密攻击可能会危害数据。需要通过网络窃听或将流量转移给恶意用户来捕获流量。请注意,通过使用受密码保护的路由信息,后者将要求密码密钥无论如何都已被泄露,因此只有当设备能够窃听和捕获受密码保护的路由信息时,此攻击才可行。
For a replay attack to be successful, the routing control plane traffic would need to first be captured either on-path or diverted to an attacker to later be replayed to the intended recipient. Additionally, since many of these protocols include replay protection mechanisms, these would also need to be subverted, if applicable.
为了使重放攻击成功,路由控制平面流量需要首先在路径上捕获,或者转移给攻击者,以便稍后重放到预期的接收者。此外,由于这些协议中的许多都包含重播保护机制,因此如果适用的话,这些协议也需要被破坏。
Routing control plane traffic can be manipulated by someone in control of intermediate hosts. In addition, traffic can be injected by forging IP addresses, where a remote router sends out packets that appear to come from another, trusted router. If enough traffic is injected to be processed by limited memory routers, it can cause a DoS attack.
路由控制平面流量可以由控制中间主机的人来操纵。此外,可以通过伪造IP地址来注入流量,远程路由器发送的数据包似乎来自另一个受信任的路由器。如果注入足够的流量供内存有限的路由器处理,则可能导致DoS攻击。
A man-in-the-middle attack attacks the identity of a communicating peer rather than the data stream itself. The attacker intercepts traffic that is sent from one routing peer to the other and communicates on behalf of one of the peers. This can lead to a diversion of the user traffic to either an unauthorized receiving
中间人攻击攻击的是通信对等方的身份,而不是数据流本身。攻击者拦截从一个路由对等方发送到另一个路由对等方的流量,并代表其中一个对等方进行通信。这可能会导致用户流量转向未经授权的接收
party or cause legitimate traffic to never reach its intended destination.
参与或导致合法流量永远无法到达其预期目的地。
Securing the routing control plane takes many features, which are generally deployed as a system. Message Digest 5 (MD5) authentication is used by some ISPs to validate the sending peer and to ensure that the data in transit has not been altered. Some ISPs only deploy MD5 authentication at the customers' request. Additional sanity checks to ensure with reasonable certainty that the received routing update was originated by a valid routing peer include route filters and the Generalized TTL Security Mechanism (GTSM) feature [RFC3682] (sometimes also referred to as the TTL-Hack). The GTSM feature is used for protocols such as the Border Gateway Protocol (BGP), and makes use of a packet's Time To Live (TTL) field (IPv4) or Hop Limit (IPv6) to protect communicating peers. If GTSM is used, it is typically deployed only in limited scenarios between internal BGP peers due to lack of consistent support between vendor products and operating system versions.
保护路由控制平面需要许多功能,这些功能通常作为一个系统部署。一些ISP使用消息摘要5(MD5)身份验证来验证发送对等方,并确保传输中的数据未被更改。一些ISP仅在客户请求时部署MD5身份验证。额外的健全性检查,以确保合理确定收到的路由更新是由有效的路由对等方发起的,包括路由过滤器和通用TTL安全机制(GTSM)功能[RFC3682](有时也称为TTL黑客)。GTSM功能用于边界网关协议(BGP)等协议,并利用数据包的生存时间(TTL)字段(IPv4)或跃点限制(IPv6)来保护通信对等方。如果使用GTSM,由于供应商产品和操作系统版本之间缺乏一致的支持,通常仅在内部BGP对等方之间的有限场景中部署GTSM。
Packet filters are used to limit which systems can appear as a valid peer, while route filters are used to limit which routes are believed to be from a valid peer. In the case of BGP routing, a variety of policies are deployed to limit the propagation of invalid routing information. These include: incoming and outgoing prefix filters for BGP customers, incoming and outgoing prefix filters for peers and upstream neighbors, incoming AS-PATH filter for BGP customers, outgoing AS-PATH filter towards peers and upstream neighbors, route dampening and rejecting selected attributes and communities. Consistency between these policies varies greatly and there is a definite distinction whether the other end is an end-site vs an internal peer vs another big ISP or customer. Mostly ISPs do prefix-filter their end-site customers, but due to the operational constraints of maintaining large prefix filter lists, many ISPs are starting to depend on BGP AS-PATH filters to/from their peers and upstream neighbors.
包过滤器用于限制哪些系统可以显示为有效对等,而路由过滤器用于限制哪些路由被认为来自有效对等。在BGP路由的情况下,部署了各种策略来限制无效路由信息的传播。其中包括:BGP客户的传入和传出前缀过滤器、对等方和上游邻居的传入和传出前缀过滤器、BGP客户的传入AS-PATH过滤器、对等方和上游邻居的传出AS-PATH过滤器、路由抑制和拒绝所选属性和社区。这些策略之间的一致性差异很大,并且有一个明确的区别,即另一端是终端站点还是内部对等方还是另一个大型ISP或客户。大多数ISP都会对其终端客户进行前缀过滤,但由于维护大型前缀过滤列表的操作限制,许多ISP开始依赖BGP AS-PATH过滤器往返于其对等方和上游邻居。
In cases where prefix lists are not used, operators often define a maximum prefix limit per peer to prevent misconfiguration (e.g., unintentional de-aggregation or neighbor routing policy mis-configuration) or overload attacks. ISPs need to coordinate with each other what the expected prefix exchange is, and increase this number by some sane amount. It is important for ISPs to pad the max-prefix number enough to allow for valid swings in routing announcements, preventing an unintentional shut down of the BGP session. Individual implementation amongst ISPs are unique, and depending on equipment supplier(s), different implementation options
在不使用前缀列表的情况下,操作员通常为每个对等点定义最大前缀限制,以防止配置错误(例如,无意的反聚合或邻居路由策略错误配置)或过载攻击。ISP需要相互协调预期的前缀交换是什么,并将这个数字增加一些合理的数量。ISP必须填充足够的最大前缀号,以允许路由公告中的有效摆动,防止BGP会话意外关闭。ISP之间的单独实施是独特的,并且根据设备供应商的不同,有不同的实施选项
are available. Most equipment vendors offer implementation options ranging from just logging excessive prefixes being received, to automatically shutting down the session. If the option of reestablishing a session after some pre-configured idle timeout has been reached is available, it should be understood that automatically reestablishing the session may potentially introduce instability continuously into the overall routing table if a policy mis-configuration on the adjacent neighbor is causing the condition. If a serious mis-configuration on a peering neighbor has occurred, then automatically shutting down the session and leaving it shut down until being manually cleared, is sometimes best and allows for operator intervention to correct as needed.
都有。大多数设备供应商提供的实现选项从记录接收到的多余前缀到自动关闭会话。如果在达到某个预先配置的空闲超时后重新建立会话的选项可用,则应理解,如果相邻邻居上的策略配置错误导致该情况,则自动重新建立会话可能会在整个路由表中持续引入不稳定性。如果对等邻居上发生严重的错误配置,则自动关闭会话并将其关闭直到手动清除,这有时是最好的,并允许操作员根据需要进行纠正。
Some large ISPs require that routes be registered in an Internet Routing Registry (IRR), which can then be part of the Routing Assets Database (RADb) - a public registry of routing information for networks in the Internet that can be used to generate filter lists. Some ISPs, especially in Europe, require registered routes before agreeing to become an eBGP peer with someone.
一些大型ISP要求在Internet路由注册表(IRR)中注册路由,然后IRR可以成为路由资产数据库(RADb)的一部分。RADb是Internet网络路由信息的公共注册表,可用于生成筛选器列表。一些ISP,特别是在欧洲,在同意成为某个人的eBGP对等方之前,需要注册路由。
Many ISPs also do not propagate interface IP addresses to further reduce attack vectors on routers and connected customers.
许多ISP也不会传播接口IP地址,以进一步减少路由器和连接客户上的攻击向量。
o User Authentication - Not applicable.
o 用户身份验证-不适用。
o User Authorization - Not applicable.
o 用户授权-不适用。
o Data Origin Authentication - By using MD5 authentication and/or the TTL-hack, a routing peer can be reasonably certain that traffic originated from a valid peer.
o 数据源身份验证-通过使用MD5身份验证和/或TTL hack,路由对等方可以合理地确定流量来自有效对等方。
o Access Control - Route filters, AS-PATH filters, and prefix limits are used to control access to specific parts of the network.
o 访问控制-路由筛选器、AS-PATH筛选器和前缀限制用于控制对网络特定部分的访问。
o Data Integrity - By using MD5 authentication, a peer can be reasonably certain that the data has not been modified in transit, but there is no mechanism to prove the validity of the routing information itself.
o 数据完整性-通过使用MD5身份验证,对等方可以合理地确定数据在传输过程中没有被修改,但没有机制来证明路由信息本身的有效性。
o Data Confidentiality - Not implemented.
o 数据机密性-未实施。
o Auditing / Logging - Filter exceptions are logged.
o 审核/记录-记录过滤器异常。
o DoS Mitigation - Many DoS attacks are mitigated using a combination of techniques including: MD5 authentication, the GTSM feature, filtering routing advertisements to bogons, and filtering routing advertisements to one's own network.
o DoS缓解-许多DoS攻击都是通过以下技术的组合来缓解的:MD5身份验证、GTSM功能、过滤到bogons的路由广告,以及过滤到自己网络的路由广告。
So far the primary concern to secure the routing control plane has been to validate the sending peer and to ensure that the data in transit has not been altered. Although MD5 routing protocol extensions have been implemented, which can provide both services, they are not consistently deployed amongst ISPs. Two major deployment concerns have been implementation issues, where both software bugs and the lack of graceful re-keying options have caused significant network down times. Also, some ISPs express concern that deploying MD5 authentication will itself be a worse DoS attack victim and prefer to use a combination of other risk mitigation mechanisms such as GTSM (for BGP) and route filters. An issue with GTSM is that it is not supported on all devices across different vendors' products.
到目前为止,保护路由控制平面的主要问题是验证发送对等方,并确保传输中的数据未被更改。虽然已经实现了MD5路由协议扩展,它可以提供这两种服务,但它们并没有在ISP之间一致地部署。两个主要的部署问题是实现问题,其中软件缺陷和缺少优雅的密钥更新选项都导致了大量的网络停机时间。此外,一些ISP表示担心部署MD5身份验证本身会成为更糟糕的DoS攻击受害者,并倾向于结合使用其他风险缓解机制,如GTSM(用于BGP)和路由过滤器。GTSM的一个问题是,不同供应商产品的所有设备都不支持GTSM。
IPsec is not deployed since the operational management aspects of ensuring interoperability and reliable configurations is too complex and time consuming to be operationally viable. There is also limited concern to the confidentiality of the routing information. The integrity and validity of the updates are of much greater concern.
未部署IPsec,因为确保互操作性和可靠配置的操作管理方面过于复杂和耗时,在操作上不可行。路由信息的保密性也受到了限制。更新的完整性和有效性更值得关注。
There is concern for manual or automated actions, which introduce new routes and can affect the entire routing domain.
存在手动或自动操作的问题,这些操作会引入新路由,并可能影响整个路由域。
Software upgrades and configuration changes are usually performed as part of either in-band or OOB management functions. However, there are additional considerations to be taken into account, which are enumerated in this section.
软件升级和配置更改通常作为带内或OOB管理功能的一部分执行。但是,本节列举了需要考虑的其他因素。
Attacks performed on system software and configurations can be both from passive or active sources. Passive attacks are possible if someone has the capability to intercept data between the network infrastructure device and the system which is downloading or uploading the software or configuration information. This can be accomplished if a single infrastructure device is somehow compromised and can act as a network sniffer, or if it is possible to insert a new device that acts as a network sniffer.
对系统软件和配置执行的攻击既可以来自被动来源,也可以来自主动来源。如果有人能够截获网络基础设施设备与正在下载或上载软件或配置信息的系统之间的数据,则可能发生被动攻击。如果单个基础设施设备受到某种程度的破坏,可以充当网络嗅探器,或者可以插入充当网络嗅探器的新设备,则可以实现这一点。
Active attacks are possible for both on-path and off-path scenarios. For on-path active attacks, the situation is the same as for a passive attack, where either a device has to already be compromised or a device can be inserted into the path. For off-path active attacks, the attacks are generally limited to message insertion or modification where the attacker may wish to load illegal software or configuration files to an infrastructure device.
在路径上和路径外情况下都可能发生主动攻击。对于路径上主动攻击,情况与被动攻击相同,在被动攻击中,设备必须已经受损,或者可以将设备插入路径中。对于非路径主动攻击,攻击通常限于插入或修改消息,攻击者可能希望将非法软件或配置文件加载到基础设施设备。
Note that similar issues are relevant when software updates are downloaded from a vendor site to an ISPs network management system that is responsible for software updates and/or configuration information.
请注意,当软件更新从供应商站点下载到负责软件更新和/或配置信息的ISPs网络管理系统时,也会出现类似问题。
Confidentiality violations can occur when a miscreant intercepts any of the software image or configuration information. The software image may give an indication of exploits which the device is vulnerable to while the configuration information can inadvertently lead attackers to identify critical infrastructure IP addresses and passwords.
当不法分子截取任何软件映像或配置信息时,可能会发生违反保密性的情况。软件映像可能会指示设备易受攻击的漏洞,而配置信息可能会无意中导致攻击者识别关键基础设施IP地址和密码。
If any cryptographic mechanism was used to provide for data integrity and confidentiality, an offline cryptographic attack could potentially compromise the data. The traffic would need to be captured either by eavesdropping on the communication path or by being able to divert traffic to a malicious user.
如果使用任何加密机制来提供数据完整性和机密性,则脱机加密攻击可能会危害数据。需要通过在通信路径上窃听或通过将流量转移给恶意用户来捕获流量。
For a replay attack to be successful, the software image or configuration file would need to first be captured either on-path or diverted to an attacker to later be replayed to the intended recipient. Additionally, since many protocols do have replay protection capabilities, these would have to be subverted as well in applicable situations.
要使重播攻击成功,首先需要在path上捕获软件映像或配置文件,或者将其转移给攻击者,以便稍后将其重播到目标收件人。此外,由于许多协议确实具有重播保护功能,因此在适用的情况下也必须对其进行破坏。
Software images and configuration files can be manipulated by someone in control of intermediate hosts. By forging an IP address and impersonating a valid host which can download software images or configuration files, invalid files can be downloaded to an infrastructure device. This can also be the case from trusted vendors who may unbeknownst to them have compromised trusted hosts. An invalid software image or configuration file can cause a device to
软件映像和配置文件可以由控制中间主机的人进行操作。通过伪造IP地址并模拟可以下载软件映像或配置文件的有效主机,可以将无效文件下载到基础设施设备。受信任的供应商也可能会出现这种情况,他们可能不知道他们的受信任主机受到了损害。无效的软件映像或配置文件可能导致设备损坏
hang and become inoperable. Spoofed configuration files can be hard to detect, especially when the only added command is to allow a miscreant access to that device by entering a filter allowing a specific host access and configuring a local username/password database entry for authentication to that device.
挂起并无法操作。伪造的配置文件可能很难检测到,特别是当添加的唯一命令是通过输入允许特定主机访问的筛选器并配置本地用户名/密码数据库条目以对该设备进行身份验证来允许恶意访问该设备时。
A man-in-the-middle attack attacks the identity of a communicating peer rather than the data stream itself. The attacker intercepts traffic that is sent between the infrastructure device and the host used to upload/download the system image or configuration file. He/she can then act on behalf of one or both of these systems.
中间人攻击攻击的是通信对等方的身份,而不是数据流本身。攻击者拦截在基础结构设备和用于上载/下载系统映像或配置文件的主机之间发送的通信量。然后,他/她可以代表其中一个或两个系统行事。
If an attacker obtained a copy of the software image being deployed, he could potentially exploit a known vulnerability and gain access to the system. From a captured configuration file, he could obtain confidential network topology information, or even more damaging information, if any of the passwords in the configuration file were not encrypted.
如果攻击者获得了正在部署的软件映像的副本,他可能会利用已知漏洞进行攻击并获得对系统的访问权限。从捕获的配置文件中,如果配置文件中的任何密码未加密,他可以获得机密的网络拓扑信息,甚至更具破坏性的信息。
Images and configurations are stored on specific hosts that have limited access. All access and activity relating to these hosts are authenticated and logged via AAA services. When uploaded/downloading any system software or configuration files, either TFTP, FTP, or SCP can be used. Where possible, SCP is used to secure the data transfer and FTP is generally never used. All SCP access is username/password authenticated but since this requires an interactive shell, most ISPs will use shared key authentication to avoid the interactive shell. While TFTP access does not have any security measures, it is still widely used, especially in OOB management scenarios. Some ISPs implement IP-based restriction on the TFTP server, while some custom written TFTP servers will support MAC-based authentication. The MAC-based authentication is more common when using TFTP to bootstrap routers remotely.
映像和配置存储在访问受限的特定主机上。与这些主机相关的所有访问和活动都通过AAA服务进行身份验证和记录。上载/下载任何系统软件或配置文件时,可以使用TFTP、FTP或SCP。在可能的情况下,SCP用于保护数据传输,而FTP通常从不使用。所有SCP访问都经过用户名/密码验证,但由于这需要一个交互式shell,大多数ISP将使用共享密钥验证来避免交互式shell。虽然TFTP访问没有任何安全措施,但它仍然被广泛使用,特别是在OOB管理场景中。一些ISP在TFTP服务器上实施基于IP的限制,而一些自定义编写的TFTP服务器将支持基于MAC的身份验证。当使用TFTP远程引导路由器时,基于MAC的身份验证更为常见。
In most environments, scripts are used for maintaining the images and configurations of a large number of routers. To ensure the integrity of the configurations, every hour the configuration files are polled and compared to the previously polled version to find discrepancies. In at least one environment these, tools are Kerberized to take advantage of automated authentication (not confidentiality). 'Rancid' is one popular publicly available tool for detecting configuration and system changes.
在大多数环境中,脚本用于维护大量路由器的映像和配置。为确保配置的完整性,每小时轮询一次配置文件,并将其与以前轮询的版本进行比较,以找出差异。在至少一种环境中,这些工具都经过了Kerberize,以利用自动身份验证(而不是保密性)Rancid’是一种流行的公开工具,用于检测配置和系统更改。
Filters are used to limit access to uploading/downloading configuration files and system images to specific IP addresses and protocols.
过滤器用于将上传/下载配置文件和系统映像的访问限制为特定IP地址和协议。
The software images perform Cyclic Redundancy Checks (CRC) and the system binaries use the MD5 algorithm to validate integrity. Many ISPs expressed interest in having software image integrity validation based on the MD5 algorithm for enhanced security.
软件映像执行循环冗余检查(CRC),系统二进制文件使用MD5算法验证完整性。许多ISP表示有兴趣基于MD5算法进行软件映像完整性验证,以增强安全性。
In all configuration files, most passwords are stored in an encrypted format. Note that the encryption techniques used in varying products can vary and that some weaker encryption schemes may be subject to off-line dictionary attacks. This includes passwords for user authentication, MD5-authentication shared secrets, AAA server shared secrets, NTP shared secrets, etc. For older software that may not support this functionality, configuration files may contain some passwords in readable format. Most ISPs mitigate any risk of password compromise by either storing these configuration files without the password lines or by requiring authenticated and authorized access to the configuration files that are stored on protected OOB management devices.
在所有配置文件中,大多数密码都以加密格式存储。请注意,不同产品中使用的加密技术可能不同,一些较弱的加密方案可能会受到离线字典攻击。这包括用户身份验证密码、MD5身份验证共享机密、AAA服务器共享机密、NTP共享机密等。对于可能不支持此功能的旧软件,配置文件可能包含一些可读格式的密码。大多数ISP通过在不使用密码行的情况下存储这些配置文件,或者通过要求对存储在受保护的OOB管理设备上的配置文件进行身份验证和授权访问,来降低密码泄露的风险。
Automated security validation is performed on infrastructure devices using Network Mapping (Nmap) and Nessus to ensure valid configuration against many of the well-known attacks.
使用网络映射(Nmap)和Nessus在基础设施设备上执行自动安全验证,以确保针对许多已知攻击的有效配置。
o User Authentication - All users are authenticated before being able to download/upload any system images or configuration files.
o 用户身份验证-所有用户在能够下载/上载任何系统映像或配置文件之前都经过身份验证。
o User Authorization - All authenticated users are granted specific privileges to download or upload system images and/or configuration files.
o 用户授权-所有经过身份验证的用户都被授予下载或上载系统映像和/或配置文件的特定权限。
o Data Origin Authentication - Filters are used to limit access to uploading/downloading configuration files and system images to specific IP addresses.
o 数据源身份验证-筛选器用于将上传/下载配置文件和系统映像的访问限制到特定IP地址。
o Access Control - Filters are used to limit access to uploading/ downloading configuration files and system images to specific IP addresses and protocols.
o 访问控制-过滤器用于将上传/下载配置文件和系统映像的访问限制为特定IP地址和协议。
o Data Integrity - All systems use either a CRC-check or MD5 authentication to ensure data integrity. Also, tools such as rancid are used to automatically detect configuration changes.
o 使用CRC或MDA数据完整性检查系统来确保所有数据的完整性。此外,rancid等工具用于自动检测配置更改。
o Data Confidentiality - If the SCP protocol is used then there is confidentiality of the downloaded/uploaded configuration files and system images.
o 数据机密性-如果使用SCP协议,则下载/上载的配置文件和系统映像具有机密性。
o Auditing/Logging - All access and activity relating to downloading/uploading system images and configuration files are logged via AAA services and filter exception rules.
o 审核/记录-与下载/上载系统映像和配置文件相关的所有访问和活动都通过AAA服务和筛选器异常规则记录。
o DoS Mitigation - A combination of filtering and CRC-check/ MD5-based integrity checks are used to mitigate the risks of DoS attacks. If the software updates and configuration changes are performed via an OOB management system, this is also added protection.
o DoS缓解-过滤和基于CRC检查/MD5的完整性检查的组合用于缓解DoS攻击的风险。如果通过OOB管理系统执行软件更新和配置更改,这也是附加保护。
Where the MD5 algorithm is not used to perform data-integrity checking of software images and configuration files, ISPs have expressed an interest in having this functionality. IPsec is considered too cumbersome and operationally difficult to use for data integrity and confidentiality.
当MD5算法不用于执行软件映像和配置文件的数据完整性检查时,ISP表示有兴趣使用此功能。IPsec被认为过于繁琐,在操作上难以用于数据完整性和机密性。
Although logging is part of all the previous sections, it is important enough to be covered as a separate item. The main issues revolve around what gets logged, how long are logs kept, and what mechanisms are used to secure the logged information while it is in transit and while it is stored.
尽管日志记录是前面所有章节的一部分,但它非常重要,可以作为单独的一项进行介绍。主要问题围绕着记录什么、日志保存多长时间以及在传输和存储过程中使用什么机制来保护记录的信息。
Attacks on the logged data can be both from passive or active sources. Passive attacks are possible if someone has the capability to intercept data between the recipient logging server and the device from which the logged data originated. This can be accomplished if a single infrastructure device is somehow compromised and can act as a network sniffer, or if it is possible to insert a new device that acts as a network sniffer.
对记录数据的攻击既可以来自被动来源,也可以来自主动来源。如果有人能够截获收件人日志服务器和记录数据来源的设备之间的数据,则可能发生被动攻击。如果单个基础设施设备受到某种程度的破坏,可以充当网络嗅探器,或者可以插入充当网络嗅探器的新设备,则可以实现这一点。
Active attacks are possible for both on-path and off-path scenarios. For on-path active attacks, the situation is the same as for a passive attack, where either a device has to already be compromised, or a device can be inserted into the path. For off-path active attacks, the attacks are generally limited to message insertion or modification that can alter the logged data to keep any compromise from being detected, or to destroy any evidence that could be used for criminal prosecution.
在路径上和路径外情况下都可能发生主动攻击。对于路径上主动攻击,情况与被动攻击相同,在被动攻击中,设备必须已经受损,或者可以将设备插入路径。对于非路径主动攻击,攻击通常限于消息插入或修改,这些消息插入或修改可能会改变记录的数据,以防止检测到任何泄露,或破坏可用于刑事起诉的任何证据。
Confidentiality violations can occur when a miscreant intercepts any of the logging data that is in transit on the network. This could lead to privacy violations if some of the logged data has not been sanitized to disallow any data that could be a violation of privacy to be included in the logged data.
当歹徒截获网络上传输的任何日志数据时,可能会发生违反保密性的情况。如果未对某些记录的数据进行消毒,以禁止在记录的数据中包含任何可能侵犯隐私的数据,则这可能会导致隐私侵权。
If any cryptographic mechanism was used to provide for data integrity and confidentiality, an offline cryptographic attack could potentially compromise the data. The traffic would need to be captured either by eavesdropping on the network or by being able to divert traffic to a malicious user.
如果使用任何加密机制来提供数据完整性和机密性,则脱机加密攻击可能会危害数据。需要通过网络窃听或将流量转移给恶意用户来捕获流量。
For a replay attack to be successful, the logging data would need to first be captured either on-path or diverted to an attacker and later replayed to the recipient.
要使重播攻击成功,需要首先在path上捕获日志数据或将其转移给攻击者,然后将其重播给收件人。
Logging data could be injected, deleted, or modified by someone in control of intermediate hosts. Logging data can also be injected by forging packets from either legitimate or illegitimate IP addresses.
日志数据可以由控制中间主机的人注入、删除或修改。还可以通过伪造来自合法或非法IP地址的数据包来注入日志数据。
A man-in-the-middle attack attacks the identity of a communicating peer rather than the data stream itself. The attacker intercepts traffic that is sent between the infrastructure device and the logging server or traffic sent between the logging server and the database that is used to archive the logged data. Any unauthorized access to logging information could lead to the knowledge of private and proprietary network topology information, which could be used to compromise portions of the network. An additional concern is having access to logging information, which could be deleted or modified so as to cover any traces of a security breach.
中间人攻击攻击的是通信对等方的身份,而不是数据流本身。攻击者拦截在基础结构设备和日志服务器之间发送的通信量,或在日志服务器和用于归档日志数据的数据库之间发送的通信量。对日志信息的任何未经授权的访问都可能导致对私有和专有网络拓扑信息的了解,这些信息可能被用来危害网络的某些部分。另一个问题是访问日志信息,这些信息可以被删除或修改,以覆盖任何安全漏洞的痕迹。
When it comes to filtering, logging is mostly performed on an exception auditing basis (i.e., traffic that is NOT allowed is logged). This is to assure that the logging servers are not overwhelmed with data, which would render most logs unusable. Typically the data logged will contain the source and destination IP
当涉及到过滤时,日志记录主要是在异常审计的基础上执行的(即,记录不允许的流量)。这是为了确保日志服务器不会被数据淹没,这将导致大多数日志无法使用。通常,记录的数据将包含源和目标IP
addresses and layer 4 port numbers as well as a timestamp. The syslog protocol is used to transfer the logged data between the infrastructure device to the syslog server. Many ISPs use the OOB management network to transfer syslog data since there is virtually no security performed between the syslog server and the device. All ISPs have multiple syslog servers - some ISPs choose to use separate syslog servers for varying infrastructure devices (i.e., one syslog server for backbone routers, one syslog server for customer edge routers, etc.)
地址和第4层端口号以及时间戳。syslog协议用于将基础结构设备之间记录的数据传输到syslog服务器。许多ISP使用OOB管理网络传输系统日志数据,因为系统日志服务器和设备之间实际上没有执行任何安全性。所有ISP都有多个syslog服务器-一些ISP选择为不同的基础设施设备使用单独的syslog服务器(即,一个syslog服务器用于主干路由器,一个syslog服务器用于客户边缘路由器等)
The timestamp is derived from NTP, which is generally configured as a flat hierarchy at stratum1 and stratum2 to have less configuration and less maintenance. Consistency of configuration and redundancy is the primary goal. Each router is configured with several stratum1 server sources, which are chosen to ensure that proper NTP time is available, even in the event of varying network outages.
时间戳源自NTP,NTP通常在stratum1和stratum2配置为扁平层次结构,以减少配置和维护。配置和冗余的一致性是主要目标。每个路由器都配置了多个stratum1服务器源,这些服务器源的选择是为了确保适当的NTP时间可用,即使在不同的网络中断情况下也是如此。
In addition to logging filtering exceptions, the following is typically logged: routing protocol state changes, all device access (regardless of authentication success or failure), all commands issued to a device, all configuration changes, and all router events (boot-up/flaps).
除了记录过滤异常外,通常还记录以下内容:路由协议状态更改、所有设备访问(无论身份验证成功与否)、向设备发出的所有命令、所有配置更改以及所有路由器事件(启动/关闭)。
The main function of any of these log messages is to see what the device is doing as well as to try and ascertain what certain malicious attackers are trying to do. Since syslog is an unreliable protocol, when routers boot or lose adjacencies, not all messages will get delivered to the remote syslog server. Some vendors may implement syslog buffering (e.g., buffer the messages until you have a route to the syslog destination), but this is not standard. Therefore, operators often have to look at local syslog information on a device (which typically has very little memory allocated to it) to make up for the fact that the server-based syslog files can be incomplete. Some ISPs also put in passive devices to see routing updates and withdrawals and do not rely solely on the device for log files. This provides a backup mechanism to see what is going on in the network in the event that a device may 'forget' to do syslog if the CPU is busy.
这些日志消息的主要功能是查看设备正在做什么,以及尝试和确定某些恶意攻击者正在尝试做什么。由于syslog是一种不可靠的协议,当路由器启动或丢失相邻时,并非所有消息都会传递到远程syslog服务器。一些供应商可能实施系统日志缓冲(例如,缓冲消息,直到您有到系统日志目的地的路由),但这不是标准的。因此,操作员通常必须查看设备上的本地系统日志信息(通常分配给它的内存很少),以弥补基于服务器的系统日志文件可能不完整的事实。一些ISP还安装了被动设备,以查看路由更新和取款,并且不完全依赖该设备获取日志文件。这提供了一种备份机制,以便在CPU忙时设备可能“忘记”执行syslog时查看网络中发生的情况。
The logs from the various syslog server devices are generally transferred into databases at a set interval that can be anywhere from every 10 minutes to every hour. One ISP uses Rsync to push the data into a database, and then the information is sorted manually by someone SSH'ing to that database.
来自各种syslog服务器设备的日志通常以设定的间隔传输到数据库中,该间隔可以是每10分钟到每小时。一个ISP使用Rsync将数据推送到数据库中,然后通过SSH将信息手动排序到该数据库。
o User Authentication - Not applicable.
o 用户身份验证-不适用。
o User Authorization - Not applicable.
o 用户授权-不适用。
o Data Origin Authentication - Not implemented.
o 数据源身份验证-未实现。
o Access Control - Filtering on logging host and server IP address to ensure that syslog information only goes to specific syslog hosts.
o 访问控制—对日志主机和服务器IP地址进行筛选,以确保系统日志信息只流向特定的系统日志主机。
o Data Integrity - Not implemented.
o 数据完整性-未实现。
o Data Confidentiality - Not implemented.
o 数据机密性-未实施。
o Auditing/Logging - This entire section deals with logging.
o 审核/日志记录-本节将介绍日志记录。
o DoS Mitigation - An OOB management system is used and sometimes different syslog servers are used for logging information from varying equipment. Exception logging tries to keep information to a minimum.
o DoS缓解-使用OOB管理系统,有时使用不同的系统日志服务器记录来自不同设备的信息。异常日志记录尝试将信息保持在最低限度。
There is no security with syslog and ISPs are fully cognizant of this. IPsec is considered too operationally expensive and cumbersome to deploy. Syslog-ng and stunnel are being looked at for providing better authenticated and integrity-protected solutions. Mechanisms to prevent unauthorized personnel from tampering with logs is constrained to auditing who has access to the logging servers and files.
syslog没有安全性,ISP完全了解这一点。IPsec被认为在操作上过于昂贵和繁琐,无法部署。Syslog ng和stunnel正在考虑提供更好的认证和完整性保护解决方案。防止未经授权人员篡改日志的机制仅限于审核谁有权访问日志服务器和文件。
ISPs expressed requirements for more than just UDP syslog. Additionally, they would like more granular and flexible facilities and priorities, i.e., specific logs to specific servers. Also, a common format for reporting standard events so that modifying parsers after each upgrade of a vendor device or software is not necessary.
ISP表达的要求不仅仅是UDP系统日志。此外,他们希望获得更细粒度、更灵活的设施和优先级,即特定服务器的特定日志。此外,报告标准事件的通用格式,因此无需在供应商设备或软件每次升级后修改解析器。
Although filtering has been covered under many of the previous sections, this section will provide some more insights to the filtering considerations that are currently being taken into account. Filtering is now being categorized into three specific areas: data plane, management plane, and routing control plane.
虽然过滤已在前面的许多章节中介绍,但本节将对当前正在考虑的过滤注意事项提供更多的见解。过滤现在分为三个特定区域:数据平面、管理平面和路由控制平面。
Data plane filters control the traffic that traverses through a device and affects transit traffic. Most ISPs deploy these kinds of filters at customer facing edge devices to mitigate spoofing attacks using BCP38 and BCP84 guidelines.
数据平面过滤器控制穿过设备并影响传输流量的流量。大多数ISP使用BCP38和BCP84准则在面向客户的边缘设备上部署此类过滤器,以减轻欺骗攻击。
Management filters control the traffic to and from a device. All of the protocols that are used for device management fall under this category and include: SSH, Telnet, SNMP, NTP, HTTP, DNS, TFTP, FTP, SCP, and Syslog. This type of traffic is often filtered per interface and is based on any combination of protocol, source and destination IP address, and source and destination port number. Some devices support functionality to apply management filters to the device rather than to the specific interfaces (e.g., receive ACL or loopback interface ACL), which is gaining wider acceptance. Note that logging the filtering rules can today place a burden on many systems and more granularity is often required to more specifically log the required exceptions.
管理过滤器控制进出设备的流量。用于设备管理的所有协议都属于这一类别,包括:SSH、Telnet、SNMP、NTP、HTTP、DNS、TFTP、FTP、SCP和Syslog。这种类型的流量通常按接口进行过滤,并基于协议、源和目标IP地址以及源和目标端口号的任意组合。一些设备支持将管理过滤器应用于设备而不是特定接口(例如,接收ACL或环回接口ACL)的功能,这一功能正在获得更广泛的接受。请注意,记录过滤规则如今可能会给许多系统带来负担,并且通常需要更高的粒度来更具体地记录所需的异常。
Any services that are not specifically used are turned off.
任何未专门使用的服务都将关闭。
IPv6 networks require the use of specific ICMP messages for proper protocol operation. Therefore, ICMP cannot be completely filtered to and from a device. Instead, granular ICMPv6 filtering is always deployed to allow for specific ICMPv6 types to be sourced or destined to a network device. A good guideline for IPv6 filtering is in the Recommendations for Filtering ICMPv6 Messages in Firewalls [ICMPv6].
IPv6网络需要使用特定的ICMP消息才能进行正确的协议操作。因此,ICMP不能在设备之间完全过滤。相反,始终部署粒度ICMPv6筛选,以允许将特定的ICMPv6类型来源或发送到网络设备。在防火墙中过滤ICMPv6消息的建议[ICMPv6]中有一个很好的IPv6过滤指南。
Routing filters are used to control the flow of routing information. In IPv6 networks, some providers are liberal in accepting /48s due to the still unresolved multihoming issues, while others filter at allocation boundaries, which are typically at /32. Any announcement received that is longer than a /48 for IPv6 routing and a /24 for IPv4 routing is filtered out of eBGP. Note that this is for non-customer traffic. Most ISPs will accept any agreed upon prefix length from its customer(s).
路由筛选器用于控制路由信息流。在IPv6网络中,由于仍然存在未解决的多归属问题,一些提供商在接受/48方面比较自由,而其他提供商则在分配边界处进行过滤,通常为/32。对于IPv6路由和IPv4路由,接收到的任何长度超过a/48和a/24的公告都将从eBGP中筛选出来。请注意,这是针对非客户流量的。大多数ISP将接受其客户提供的任何商定前缀长度。
Denial-of-Service attacks are an ever-increasing problem and require vast amounts of resources to combat effectively. Some large ISPs do not concern themselves with attack streams that are less than 1G in bandwidth - this is on the larger pipes where 1G is essentially less
拒绝服务攻击是一个日益严重的问题,需要大量资源才能有效打击。一些大型ISP并不关心带宽小于1G的攻击流——这是在1G基本上小于1G的较大管道上
than 5% of an offered load. This is largely due to the large amounts of DoS traffic, which continually requires investigation and mitigation. At last count, the number of hosts making up large distributed DoS botnets exceeded 1 million hosts.
超过提供负载的5%。这在很大程度上是由于大量的DoS流量,这需要不断地进行调查和缓解。最后一次统计,构成大型分布式DoS僵尸网络的主机数量超过了100万台。
New techniques are continually evolving to automate the process of detecting DoS sources and mitigating any adverse effects as quickly as possible. At this time, ISPs are using a variety of mitigation techniques including: sinkhole routing, black hole triggered routing, uRPF, rate limiting, and specific control plane traffic enhancements. Each of these techniques will be detailed below.
新技术正在不断发展,以使检测拒绝服务源的过程自动化,并尽快减轻任何不利影响。目前,ISP正在使用各种缓解技术,包括:天坑路由、黑洞触发路由、uRPF、速率限制和特定控制平面流量增强。下面将详细介绍每种技术。
Sinkhole routing refers to injecting a more specific route for any known attack traffic, which will ensure that the malicious traffic is redirected to a valid device or specific system where it can be analyzed.
天坑路由是指为任何已知攻击流量注入更具体的路由,这将确保将恶意流量重定向到有效设备或特定系统,以便对其进行分析。
Black hole triggered routing (also referred to as Remote Triggered Black Hole Filtering) is a technique where the BGP routing protocol is used to propagate routes which in turn redirects attack traffic to the null interface where it is effectively dropped. This technique is often used in large routing infrastructures since BGP can propagate the information in a fast, effective manner, as opposed to using any packet-based filtering techniques on hundreds or thousands of routers (refer to the following NANOG presentation for a more complete description http://www.nanog.org/mtg-0402/pdf/morrow.pdf).
黑洞触发路由(也称为远程触发黑洞过滤)是一种技术,其中BGP路由协议用于传播路由,从而将攻击流量重定向到有效丢弃的空接口。这种技术通常用于大型路由基础设施,因为BGP可以快速、有效地传播信息,而不是在数百或数千个路由器上使用任何基于数据包的过滤技术(有关更完整的描述,请参阅下面的NANOG演示文稿)http://www.nanog.org/mtg-0402/pdf/morrow.pdf).
Note that this black-holing technique may actually fulfill the goal of the attacker if the goal was to instigate black-holing traffic that appeared to come from a certain site. On the other hand, this black hole technique can decrease the collateral damage caused by an overly large attack aimed at something other than critical services.
请注意,如果目标是煽动似乎来自某个站点的黑洞流量,那么这种黑洞技术实际上可能实现攻击者的目标。另一方面,这种黑洞技术可以减少针对关键服务以外的东西的过大攻击所造成的附带损害。
Unicast Reverse Path Forwarding (uRPF) is a mechanism for validating whether or not an incoming packet has a legitimate source address. It has two modes: strict mode and loose mode. In strict mode, uRPF checks whether the incoming packet has a source address that matches a prefix in the routing table, and whether the interface expects to receive a packet with this source address prefix. If the incoming packet fails the unicast RPF check, the packet is not accepted on the
单播反向路径转发(uRPF)是一种验证传入数据包是否具有合法源地址的机制。它有两种模式:严格模式和松散模式。在严格模式下,uRPF检查传入数据包是否具有与路由表中的前缀匹配的源地址,以及接口是否期望接收具有此源地址前缀的数据包。如果传入数据包未通过单播RPF检查,则该数据包不会在网络上被接受
incoming interface. Loose mode uRPF is not as specific and the incoming packet is accepted if there is any route in the routing table for the source address.
传入接口。松散模式uRPF没有那么具体,如果源地址的路由表中有任何路由,则接收传入数据包。
While BCP84 [RFC3704] and a study on uRPF experiences [BCP84-URPF] detail how asymmetry, i.e., multiple routes to the source of a packet, does not preclude applying feasible paths strict uRPF, it is generally not used on interfaces that are likely to have routing asymmetry. Usually for the larger ISPs, uRPF is placed at the customer edge of a network.
虽然BCP84[RFC3704]和一项关于uRPF经验的研究[BCP84-uRPF]详细说明了不对称性(即到数据包源的多条路由)如何不排除应用严格uRPF的可行路径,但通常不在可能具有路由不对称性的接口上使用。通常对于较大的ISP,uRPF位于网络的客户边缘。
Rate limiting refers to allocating a specific amount of bandwidth or packets per second to specific traffic types. This technique is widely used to mitigate well-known protocol attacks such as the TCP-SYN attack, where a large number of resources get allocated for spoofed TCP traffic. Although this technique does not stop an attack, it can sometimes lessen the damage and impact on a specific service. However, it can also make the impact of a DoS attack much worse if the rate limiting is impacting (i.e., discarding) more legitimate traffic.
速率限制是指每秒为特定流量类型分配特定数量的带宽或数据包。该技术广泛用于缓解众所周知的协议攻击,如TCP-SYN攻击,其中大量资源被分配给伪造的TCP流量。尽管这种技术不能阻止攻击,但有时它可以减少对特定服务的损害和影响。但是,如果速率限制正在影响(即丢弃)更合法的通信量,则它也会使DoS攻击的影响更加严重。
Some ISPs are starting to use capabilities that are available from some vendors to simplify the filtering and rate limiting of control traffic. Control traffic here refers to the routing control plane and management plane traffic that requires CPU cycles. A DoS attack against any control plane traffic can therefore be much more damaging to a critical device than other types of traffic. No consistent deployment of this capability was found at the time of this writing.
一些ISP开始使用一些供应商提供的功能来简化控制流量的过滤和速率限制。这里的控制流量是指需要CPU周期的路由控制平面和管理平面流量。因此,针对任何控制平面流量的DoS攻击对关键设备的破坏性可能比其他类型的流量大得多。在撰写本文时,未发现此功能的一致部署。
This entire document deals with current security practices in large ISP environments. It lists specific practices used in today's environments and as such, does not in itself pose any security risk.
整个文档涉及大型ISP环境中的当前安全实践。它列出了当今环境中使用的具体做法,因此,其本身不会带来任何安全风险。
The editor gratefully acknowledges the contributions of: George Jones, who has been instrumental in providing guidance and direction for this document, and the insightful comments from Ross Callon, Ron Bonica, Ryan Mcdowell, Gaurab Upadhaya, Warren Kumari, Pekka Savola, Fernando Gont, Chris Morrow, Ted Seely, Donald Smith, and the numerous ISP operators who supplied the information that is depicted in this document.
编辑衷心感谢以下人士的贡献:乔治·琼斯,他在为本文件提供指导方面发挥了重要作用,以及罗斯·卡隆、罗恩·博尼卡、瑞安·麦克道尔、高拉布·乌帕达亚、沃伦·库马里、佩卡·萨沃拉、费尔南多·冈特、克里斯·莫罗、特德·希利、唐纳德·史密斯、,以及提供本文档所述信息的众多ISP运营商。
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, May 2000.
[RFC2827]Ferguson,P.和D.Senie,“网络入口过滤:击败利用IP源地址欺骗的拒绝服务攻击”,BCP 38,RFC 2827,2000年5月。
[RFC2828] Shirey, R., "Internet Security Glossary", RFC 2828, May 2000.
[RFC2828]Shirey,R.,“互联网安全词汇表”,RFC 28282000年5月。
[RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC Text on Security Considerations", BCP 72, RFC 3552, July 2003.
[RFC3552]Rescorla,E.和B.Korver,“关于安全考虑的RFC文本编写指南”,BCP 72,RFC 3552,2003年7月。
[RFC3682] Gill, V., Heasley, J., and D. Meyer, "The Generalized TTL Security Mechanism (GTSM)", RFC 3682, February 2004.
[RFC3682]Gill,V.,Heasley,J.,和D.Meyer,“广义TTL安全机制(GTSM)”,RFC 3682,2004年2月。
[RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed Networks", BCP 84, RFC 3704, March 2004.
[RFC3704]Baker,F.和P.Savola,“多宿网络的入口过滤”,BCP 84,RFC 37042004年3月。
[RFC3882] Turk, D., "Configuring BGP to Block Denial-of-Service Attacks", RFC 3882, September 2004.
[RFC3882]Turk,D.,“配置BGP以阻止拒绝服务攻击”,RFC 3882,2004年9月。
[BCP84-URPF] Savola, P., "Experiences from Using Unicast RPF", Work in Progress, November 2006.
[BCP84-URPF]Savola,P.,“使用单播RPF的经验”,正在进行的工作,2006年11月。
[ICMPv6] Davies, E. and J. Mohacsi, "Recommendations for Filtering ICMPv6 Messages in Firewalls", Work in Progress, July 2006.
[ICMPv6]Davies,E.和J.Mohacsi,“在防火墙中过滤ICMPv6消息的建议”,正在进行的工作,2006年7月。
[RTGWG] Savola, P., "Backbone Infrastructure Attacks and Protections", Work in Progress, July 2006.
[RTGWG]Savola,P.,“骨干基础设施攻击和保护”,正在进行的工作,2006年7月。
This section will list many of the traditional protocol-based attacks that have been observed over the years to cause malformed packets and/or exploit protocol deficiencies. Note that they all exploit vulnerabilities in the actual protocol itself and often, additional authentication and auditing mechanisms are now used to detect and mitigate the impact of these attacks. The list is not exhaustive, but is a fraction of the representation of what types of attacks are possible for varying protocols.
本节将列出多年来观察到的许多传统的基于协议的攻击,这些攻击会导致格式错误的数据包和/或利用协议缺陷进行攻击。请注意,它们都利用实际协议本身中的漏洞进行攻击,现在通常使用附加的身份验证和审核机制来检测和减轻这些攻击的影响。该列表并非详尽无遗,但只是表示不同协议可能发生的攻击类型的一小部分。
o ARP Flooding
o ARP泛洪
o IP Addresses, either source or destination, can be spoofed which in turn can circumvent established filtering rules.
o IP地址,无论是源地址还是目标地址,都可能被欺骗,从而绕过已建立的过滤规则。
o IP Source Route Option can allows attackers to establish stealth TCP connections.
o IP源路由选项允许攻击者建立隐形TCP连接。
o IP Record Route Option can disclose information about the topology of the network.
o IP记录路由选项可以公开有关网络拓扑的信息。
o IP header that is too long or too short can cause DoS attacks to devices.
o IP头太长或太短都可能导致对设备的DoS攻击。
o IP Timestamp Option can leak information that can be used to discern network behavior.
o IP时间戳选项可能泄漏可用于识别网络行为的信息。
o Fragmentation attacks which can vary widely - more detailed information can be found at http://www-src.lip6.fr/homepages/ Fabrice.Legond-Aubry/www.ouah.org/fragma.html.
o 碎片攻击可能存在很大差异-更多详细信息请访问http://www-src.lip6.fr/homepages/ Fabrice.Legond-Aubry/www.ouah.org/fragma.html。
o IP ToS field (or the Differentiated Services (DSCP) field) can be used to reroute or reclassify traffic based on specified precedence.
o IP ToS字段(或区分服务(DSCP)字段)可用于根据指定的优先级重新路由或重新分类流量。
o IP checksum field has been used for scanning purposes, for example when some firewalls did not check the checksum and allowed an attacker to differentiate when the response came from an end-system, and when from a firewall.
o IP校验和字段用于扫描目的,例如,当某些防火墙未检查校验和时,允许攻击者区分响应何时来自终端系统,何时来自防火墙。
o IP TTL field can be used to bypass certain network-based intrusion detection systems and to map network behavior.
o IP TTL字段可用于绕过某些基于网络的入侵检测系统并映射网络行为。
The following lists additional attacks, but does not explicitly numerate them in detail. It is for informational purposes only.
下面列出了其他攻击,但没有明确地详细计算它们。它仅供参考。
o IGMP oversized packet
o 超大数据包
o ICMP Source Quench
o 源抑制
o ICMP Mask Request
o ICMP掩码请求
o ICMP Large Packet (> 1472)
o ICMP大数据包(>1472)
o ICMP Oversized packet (>65536)
o ICMP超大数据包(>65536)
o ICMP Flood
o ICMP洪水
o ICMP Broadcast w/ Spoofed Source (Smurf Attack)
o 带有欺骗源的ICMP广播(Smurf攻击)
o ICMP Error Packet Flood
o ICMP错误包泛滥
o ICMP Spoofed Unreachable
o ICMP欺骗无法访问
o TCP Packet without Flag
o 无标志的TCP数据包
o TCP Oversized Packet
o TCP超大数据包
o TCP FIN bit with no ACK bit
o 没有ACK位的TCP FIN位
o TCP Packet with URG/OOB flag (Nuke Attack)
o 带有URG/OOB标志的TCP数据包(核攻击)
o SYN Fragments
o 合成片段
o SYN Flood
o 同步洪流
o SYN with IP Spoofing (Land Attack)
o 带IP欺骗的SYN(地面攻击)
o SYN and FIN bits set
o SYN和FIN位集
o TCP port scan attack
o TCP端口扫描攻击
o UDP spoofed broadcast echo (Fraggle Attack)
o UDP欺骗广播回波(Fraggle攻击)
o UDP attack on diagnostic ports (Pepsi Attack)
o 诊断端口上的UDP攻击(Pepsi攻击)
Any of the above-mentioned IPv4 attacks could be used in IPv6 networks with the exception of any fragmentation and broadcast traffic, which operate differently in IPv6. Note that all of these attacks are based on either spoofing or misusing any part of the protocol field(s).
上述任何IPv4攻击都可以在IPv6网络中使用,但在IPv6中操作不同的碎片和广播流量除外。请注意,所有这些攻击都基于欺骗或误用协议字段的任何部分。
Today, IPv6-enabled hosts are starting to be used to create IPv6 tunnels, which can effectively hide botnet and other malicious traffic if firewalls and network flow collection tools are not capable of detecting this traffic. The security measures used for protecting IPv6 infrastructures should be the same as in IPv4 networks, but with additional considerations for IPv6 network operations, which may be different from IPv4.
如今,支持IPv6的主机开始用于创建IPv6隧道,如果防火墙和网络流收集工具无法检测到僵尸网络和其他恶意流量,则可以有效隐藏这些流量。用于保护IPv6基础设施的安全措施应与IPv4网络中的安全措施相同,但还应考虑IPv6网络操作,这可能与IPv4不同。
Author's Address
作者地址
Merike Kaeo Double Shot Security, Inc. 3518 Fremont Avenue North #363 Seattle, WA 98103 U.S.A.
Merike Kaeo Double Shot Security,Inc.美国华盛顿州西雅图弗里蒙特大道北3518号#363号,邮编98103。
Phone: +1 310 866 0165
EMail: merike@doubleshotsecurity.com
Phone: +1 310 866 0165
EMail: merike@doubleshotsecurity.com
Full Copyright Statement
完整版权声明
Copyright (C) The IETF Trust (2007).
版权所有(C)IETF信托基金(2007年)。
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息以“原样”为基础提供,贡献者、他/她所代表或赞助的组织(如有)、互联网协会、IETF信托基金和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。