Chapter 15. Routing Protocol Protection

This chapter focuses on routing security. Up to this point, I have focused on nonrouting functions, such as using filters to prevent unauthorized access. However, your router will have to perform some basic routing functions, and this brings up concerns related to network failures and service interruptions that a spoofed routing attack might create, as well as access and Denial of Service (DoS) attacks.

Most people assume that if they use static routes, they are protected against routing attacks. However, static routes are not scalable in large internetworks. In these situations, a routing protocol typically is used on the perimeter router to help the router find internal routes. In some cases, you need to advertise routes to, and receive routes from, one or more attached ISPs. Care must be taken when using a routing protocol because its default configuration does not provide any protection: it is easy to spoof routing updates.

Many routing protocols provide an authentication mechanism to detect and defeat spoofing, but this requires configuration on your part. This chapter focuses on authentication for routing protocols, but it also covers some additional tools that you can use to protect yourself from routing and route spoofing attacks. This chapter covers the following concepts:

  • Black hole routing

  • Interior gateway protocol (IGP) security

  • BGP security

  • Reverse-path forwarding (RPF) for unicast traffic