Presentation - Cisco Knowledge Network

More documents

Recommendations

Info

TCP Handshake• DCoPP is an automatic, built in firewall for control plane traffic.• Every Control and Management packet from the line card is rate limitedin hardware to provide flood protect at RPLC 1 IFIB TCAM HW EntriesLocal port Remote port Rate PriorityAny ICMP ANY ANY 1000 lowany 179 any any 100 mediumany 179 202.4.48.99 any 1000 medium202.4.48.1 179 202.4.48.99 2223 10000 medium200.200.0.2 13232 200.200.0.1 646 100 mediumttl255LPTSSocketBGPLDPLC 2 IFIB TCAM HW Entries …SSH
Enhanced Router Authentication / ConfidentialityProblems today:• MD5 Authentication is dated, soft,control plane intensive and rarely used.• More powerful algorithms available• IPSec deployment is limitedSolutions:• TCP-AO: TCP Authentication Object• TCP-AO extends The md5 technology to support timebasedkey rollover and multiple hashing algorithms.• The goal is to use the update the key that is used tocreate a message digest for each TCP segment.• Based upon the perceived threat level the operator canselect the hashing algorithm to create the messagedigest.ISP3 ISP2 ISP1ISP4RoutingAuthenticationapprovedRoutingAuthenticationdenied!Attack© 2012 <strong>Cisco</strong> and/or its affiliates. All rights reserved. 29
Page 1 and 2: Routing SecurityAn Holistic Overvie
Page 3 and 4: • Objectives of this talk:• Pre
Page 5 and 6: © 2012 Cisco and/or its affiliates
Page 7 and 8: Biggest Bandwidth• Largest monito
Page 9 and 10: ThreatsAttack on device control pla
Page 13 and 14: Utilizing routing technology in the
Page 15 and 16: • Implementing blackholing requir
Page 17 and 18: Active/Active FirewallPre-2010 Oper
Page 19 and 20: Sink Hole RoutingIPS/IDS Enhancemen
Page 21 and 22: Hardening the infrastructureOlder S
Page 23 and 24: CoPP Enhancements for Routing• At
Page 25 and 26: • Main function is to forwards fo
Page 27: • LPTS has HW policers on line ca
Page 31 and 32: Securing Inter-AS VPN Confidentiali
Page 33 and 34: Distribution Automation of Security
Page 37 and 38: Malformed BGP UpdatesInvalidAttribu
Page 39 and 40: • Comes into play after attribute
Page 43 and 44: 20Source: NANOG 46: Tom Daly et al.
Page 45 and 46: BeforeAfter© 2012 Cisco and/or its
Page 47 and 48: • http://www.networkworld.com/new
Page 49 and 50: • The goal of the RPKI is to cryp
Page 51 and 52: • Each AS publishes a cryptograph
Page 53 and 54: CA ToolsetPublicationpoint (can beh
Page 55 and 56: EBGP updateRouterCheck and markorig
Page 57 and 58: The “One Behind” Attack• AS65
Page 59 and 60: The “Shorter Prefix” Problem•
Page 61 and 62: Future• Start Here• AS65000 adv
Page 63 and 64: Advertisement vs. Path Validation
Page 65 and 66: • What are Bogons?A bogon is a bo
Page 67 and 68: • Multi-Instance / Multi-AS BGP

Presentation - Cisco Knowledge Network

Create successful ePaper yourself

Delete template?

Save as template?