Hardening the Networking Stack ASAP After Joining IXPs.

Prerequisites:

Long time no write; today I just want to wrap up something interesting on my blog :)

Our challenges:

You may run into trouble when you connect to an Internet Exchange (esp. AMS-IX, DE-CIX, NL-IX, LINX), especially at the IXPs that require members to strictly limit the traffic they put on the peering LAN. So let’s have a quick look at their requirements (let’s take AS-IX [Dronten, NL] as an example):

Ethertypes and MAC addresses allowed

Only one MAC address per port connected to AS-IX peering VLAN is allowed.
The expected Ethernet frame types are as follows:

0x0800 – IPv4
0x0806 – ARP
0x86dd – IPv6

Allowed Traffic

The following protocols are allowed at the data link level:

ARP
IPv6 ND
Traffic must be restricted to unicast traffic, with the exception of ARP broadcast packets and IPv6 ND multicast packets
Members should not send any link-local and other unauthorized protocol traffic to the ports, such as the following:

Proxy ARP
ICMP redirects
IEEE 802 Spanning Tree
Proprietary protocols from different manufacturers, especially discovery:
Discovery protocols: CDP, EDP, MDP
VLAN / trunking protocols: VTP, DTP
Internal routing protocol broadcasts (e.g. OSPF, ISIS, IGRP, EIGRP)
BOOTP/DHCP
ICMPv6 ND-RA

Solutions brought to us by Cisco IOS:

There’s a guide for this (the AMS-IX config guide); the configuration below is for a Cisco router and is applied on the IX-facing interface:

no ip redirects
no ip proxy-arp
no ip directed-broadcast
no mop enabled
no cdp enable
udld port disable
no keepalive

For IPv6:

no ipv6 redirects
ipv6 nd ra suppress

Our target: sysctl.d parameters.

Then I did some research. I know most of you may not want to use a hardware router in the network; the Linux kernel itself is much more flexible and lets you tune this behaviour yourself. My favorite Linux distro is Arch Linux, which ships state-of-the-art, cutting-edge (or, as we always say, bleeding-edge) mechanisms, for example mainline systemd. Some of the internal structure of Arch Linux differs a little from other distributions, esp. CentOS/Debian/SuSE.
The fastest way to modify the runtime parameters of the Linux kernel is through sysctl.d. Let’s have a quick look through it. Although it is not an exact equivalent of the Cisco IOS configuration, some parameters are still crucial to change, and we need to change them ASAP after we connect to the quarantine VLAN (some IXPs have this mechanism: it lets members adjust their devices before they are put onto the production VLAN).

Our tweaks for it (thanks to the Arch Linux wiki, StackExchange and the staff of the Amsterdam Internet Exchange and the Seattle Internet Exchange):

#### ipv4 networking and equivalent ipv6 parameters ####
#
### TCP SYN cookie protection (default)
### helps protect against SYN flood attacks
### only kicks in when net.ipv4.tcp_max_syn_backlog is reached
net.ipv4.tcp_syncookies = 1
#
### protect against tcp time-wait assassination hazards
### drop RST packets for sockets in the time-wait state
### (not widely supported outside of linux, but conforms to RFC)
net.ipv4.tcp_rfc1337 = 1
#
### reverse path filtering
### 1 (strict) drops packets whose source address is not routable back out the receiving interface
### a peering router sees asymmetric routing by design, so it is left off here (0)
### (2 = loose mode is the alternative if some filtering is still wanted)
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
#
### tcp timestamps
### + protect against wrapping sequence numbers (at gigabit speeds)
### + round trip time calculation implemented in TCP
### - causes extra overhead and allows uptime detection by scanners like nmap
### disabled here to avoid the uptime leak; set to 1 instead on gigabit links where PAWS matters
net.ipv4.tcp_timestamps = 0
#net.ipv4.tcp_timestamps = 1
#
### log martian packets
#net.ipv4.conf.default.log_martians = 1
#net.ipv4.conf.all.log_martians = 1
#
### ignore echo broadcast requests to prevent being part of smurf attacks (default)
net.ipv4.icmp_echo_ignore_broadcasts = 1
#
### ignore bogus icmp errors (default)
net.ipv4.icmp_ignore_bogus_error_responses = 1
#
### never send ICMP redirects (equivalent of Cisco "no ip redirects"; the IX forbids them)
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
#
### ICMP routing redirects (only secure)
##net.ipv4.conf.default.secure_redirects = 1 (default)
##net.ipv4.conf.all.secure_redirects = 1 (default)
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
#Shutdown the ARP proxy mechanism on all of your ports.
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.proxy_arp_pvlan = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.default.proxy_arp_pvlan = 0
net.ipv4.conf.ens<interface1_numbers>.proxy_arp = 0
net.ipv4.conf.ens<interface1_numbers>.proxy_arp_pvlan = 0
net.ipv4.conf.ens<interface2_numbers>.proxy_arp = 0
net.ipv4.conf.ens<interface2_numbers>.proxy_arp_pvlan = 0
net.ipv4.conf.ens<interface3_numbers>.proxy_arp = 0
net.ipv4.conf.ens<interface3_numbers>.proxy_arp_pvlan = 0
net.ipv4.conf.lo.proxy_arp = 0
net.ipv4.conf.lo.proxy_arp_pvlan = 0
# Turn on the ARP filter.
net.ipv4.conf.all.arp_filter=1
# Extra things to do for ARP.
net.ipv4.conf.ens<interface_numbers>.arp_ignore= 1
net.ipv4.conf.ens<interface_numbers>.arp_announce= 1
# Disable the stateless autoconfiguration of IPv6.
net.ipv6.conf.ens<interface1_numbers>.autoconf = 0
net.ipv6.conf.ens<interface2_numbers>.autoconf = 0
net.ipv6.conf.ens<interface3_numbers>.autoconf = 0
# ARP / ND cache timers: keep neighbour entries for 4 hours (14400000 ms).
# IFNAME is the IX-facing interface; these are ordinary sysctl lines, not shell commands.
net.ipv4.neigh.IFNAME.base_reachable_time_ms = 14400000
net.ipv6.neigh.IFNAME.base_reachable_time_ms = 14400000

Now apply all of the modifications:

sysctl --system

iptables (iptables-save / ip6tables-save syntax):

IPv4:

# Subnets should only be reachable by this router, so anything to be forwarded should be dropped:
-A FORWARD -d [IX IPv4 subnet/prefix] -o [IX_INTERFACE] -j DROP

IPv6 (ip6tables):

# Subnets should only be reachable by this router, so anything to be forwarded should be dropped:
-A FORWARD -d [IX IPv6 subnet/prefix] -o [IX_INTERFACE] -j DROP

Another target: systemd-networkd

If the IX-facing interface is managed by systemd-networkd, put the following in the [Network] section of its .network file (e.g. under /etc/systemd/network/):

[Network]
IPv6AcceptRA=no
IPv4ProxyARP=no
IPv6ProxyNDP=no

Conclusion:

Although it may not be the best solution, I think these tweaks are crucial to apply, especially when connecting to an Internet Exchange. After all, if you are rich enough, please consider buying products from Cisco, Juniper or other vendors, as their solutions are ultimately the best for you.

References:

https://ams-ix.net/technical/specifications-descriptions/config-guide#11

https://unix.stackexchange.com/questions/31096/sysctl-parameter-for-correct-arp-response

https://wiki.archlinux.org/index.php/sysctl#Networking

https://www.seattleix.net/faq
