Paul Knight Dynamic Routing Inside IPsec VPNs Black Hat - USA - 2002

Video: https://www.youtube.com/watch?v=eRJc2b7PznA



Duration: 48:35


Dynamic Routing inside IPsec VPNs - New Threats and Defenses
Paul Knight, Standards Engineer, Nortel Networks
[ Routing & Infrastructure ]

Within the last two years, IPsec gateways have begun to offer some capabilities to exchange private routing information among the sites participating in a secure Virtual Private Network (VPN). If the IPsec overlay topology is not a full mesh, the gateways can use the routing information to dynamically determine the best path among the sites. With any topology, dynamic routing carries information on newly-added IP networks or subnets at a site. This provides significant benefits in manageability and fault recovery for the VPN administrator, since entries for individual routes or subnets no longer need to be configured on each participating gateway. However, it also introduces new risks.

When dynamic routing protocols are used in an IPsec-based VPN, the traffic selectors of the IPsec Security Associations must be broad enough to carry whatever the routing protocol learns, so the SAs lose some of their ability to restrict traffic to specific source and destination addresses. This presentation examines the security weaknesses that dynamic routing introduces inside IPsec. It describes attack scenarios from inside and outside the VPN, and discusses the opportunities for security breaches created by unintentional misconfiguration. It presents methods of defending against those attacks and of detecting misconfiguration. Finally, it outlines the routing, filtering, and firewall capabilities that IPsec gateways must support in order to maintain security while still providing the benefits of dynamic routing among VPN sites.
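The abstract's central point is that once the routing plane decides which prefixes reach which site, the SA selectors can no longer do that job, so the bounds they used to enforce have to move into a route filter. The following is an added illustration written for this listing, not code from the talk, from Nortel Networks, or from any product: a hub gateway that checks each prefix a spoke announces over its tunnel against that spoke's authorised address space. The hub-and-spoke topology, the site names, the prefixes and the sample route updates are all constructed assumptions.

```python
"""Added illustration for this page: inbound route filtering at a hub
IPsec gateway that learns routes dynamically from spoke gateways.

This is example code written for this listing, not code from the talk,
from Nortel, or from any product.  The hub/spoke topology, the authorised
prefixes and the route updates below are constructed sample data."""
import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network

# Constructed policy: which prefixes each spoke may announce over its
# tunnel.  With static IPsec these bounds live in the SA traffic
# selectors; with dynamic routing the selectors are normally widened to
# any/any, so the same bounds have to be enforced on the routing plane.
AUTHORISED = {
    "site-a": [IPNet("10.1.0.0/16")],
    "site-b": [IPNet("10.2.0.0/16")],
}
HUB_LOCAL = [IPNet("10.0.0.0/16")]  # the hub's own networks (constructed)


def selector_permits(src: str, dst: str, selectors) -> bool:
    """True if the (src, dst) pair matches some SA traffic selector."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in selectors)


# Static selectors for site-a's tunnel versus the widened any/any form.
STATIC_SITE_A = [(IPNet("10.1.0.0/16"), IPNet("10.0.0.0/16"))]
ANY_ANY = [(IPNet("0.0.0.0/0"), IPNet("0.0.0.0/0"))]


@dataclass
class Decision:
    peer: str
    prefix: IPNet
    accepted: bool
    reason: str


def filter_route(peer: str, prefix_str: str,
                 authorised=AUTHORISED, local=HUB_LOCAL) -> Decision:
    """Accept or reject one prefix announced by `peer` over its tunnel."""
    prefix = IPNet(prefix_str, strict=False)
    # A default route from a spoke would pull every site's traffic to it.
    if prefix.prefixlen == 0:
        return Decision(peer, prefix, False, "default route from spoke")
    # Longest match wins: a more-specific announcement of a hub subnet
    # would hijack traffic bound for the hub.
    for net in local:
        if prefix.overlaps(net):
            return Decision(peer, prefix, False, f"overlaps hub network {net}")
    # Otherwise the prefix must fall inside the peer's authorised space;
    # this also rejects one spoke announcing another spoke's subnets and
    # any peer with no configured policy at all.
    if not any(prefix.subnet_of(net) for net in authorised.get(peer, [])):
        return Decision(peer, prefix, False, "outside authorised prefixes")
    return Decision(peer, prefix, True, "ok")


# Constructed route updates (peer, prefix) as a spoke might announce them.
SAMPLE_UPDATES = [
    ("site-a", "10.1.5.0/24"),   # new subnet at site A: fine
    ("site-a", "0.0.0.0/0"),     # spoke offering itself as default gateway
    ("site-a", "10.2.7.0/24"),   # site A announcing part of site B's space
    ("site-b", "10.0.1.0/24"),   # more-specific of a hub subnet
    ("site-b", "10.2.0.0/16"),   # site B's own aggregate: fine
    ("site-c", "10.3.0.0/16"),   # peer with no configured policy
]


def run(updates=SAMPLE_UPDATES):
    """Evaluate every sample update and return the list of decisions."""
    return [filter_route(peer, prefix) for peer, prefix in updates]


if __name__ == "__main__":
    for d in run():
        verdict = "ACCEPT" if d.accepted else "REJECT"
        print(f"{verdict:6} {d.peer:7} {d.prefix!s:16} {d.reason}")
    # The flow that static selectors would block passes an any/any SA:
    print(selector_permits("10.1.2.3", "10.2.4.5", STATIC_SITE_A),
          selector_permits("10.1.2.3", "10.2.4.5", ANY_ANY))
```

The peer name keyed into the policy should come from the SA the update arrived on (the authenticated IKE identity), not from anything inside the routing packet; an outside attacker who cannot establish the SA then cannot inject routes at all, and the filter is what remains against a compromised or misconfigured spoke that can. The `selector_permits` contrast shows why the filter is needed: a site-a host addressing a site-b host is dropped by site-a's static selectors but passes an any/any SA, so only routing policy decides where that packet goes.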

Paul Knight is a Standards Engineer with Nortel Networks. He is currently a member of two design teams within the IETF's Provider-Provisioned VPN Working Group, focusing on issues related to IPsec VPNs and Virtual Routers. He is the lead author or editor of several current Internet Drafts, including "A Method to Signal and Provide Dynamic Routing in IPsec VPNs," "Network based IP VPN Architecture using Virtual Routers," and "Logical PE Auto-Discovery Mechanism."

Paul has worked in the field of network security for over fifteen years, designed networks for numerous corporate and government clients, and has held high-level security clearances. He managed the IP routing infrastructure for a Fortune 50 corporation, configuring inter-company security gateways and Internet gateway security. As a senior engineer with Nortel Networks, he consults on customer network security issues, and often develops and delivers training for security-related products and technologies for a wide variety of audiences. He has presented seminars on encryption, IP Security, and firewall technology to audiences in Beijing, Taipei, Tokyo, Johannesburg, Monte Carlo, Beirut, Barcelona, San Juan, and numerous North American locations.
