TASK 11.11

Hi

Task 11.11 asks "Ensure that R4 does not accept packets with IP addresses of the internal
subnets on its connection to the ISP."

I configured R4 as shown in the solution. I also configured a new interface lo1010 on BB3 with an IP address from the internal subnet (150.1.1.1). As a result, R4 does not drop packets with source=150.1.1.1 from BB3.

I think that interface Fa0/0 must be configured in strict mode, but then asymmetric routing will not work.
Thus the task "Ensure that R4 does not accept packets with IP addresses of the internal subnets on its connection to the ISP." and the task
"There is another connection to the same ISP in the network, so account for possible asymmetric routing issues on R4." are mutually exclusive.

Am I right?

Comments

  • As far as I can tell, you are right. Loose mode is needed to counter the asymmetric routing.

    But loose mode will NOT drop a packet as long as there is a route installed to the SOURCE of packet in RIB.

    And we do have all the routes installed for internal subnets.

    So, yes, I think you are right and these two things are exclusive.

  • I agree, there are two conflicting tasks on this lab. I wish INE would check this out and all other security labs. Seems like the quality of these is not as good as the other labs. Too many contradicting statements or underdefined tasks.

    just my few cents.

  • Hi,

    I agree, the solution in the SG does not meet the requirement "Ensure that R4 does not accept packets with IP addresses of the internal subnets on its connection to the ISP".

    But it does not necessarily have to be mutually exclusive to prevent spoofing of internal IP addresses and account for asymmetric routing.

    This configuration on interface fa0/0 could in my opinion meet the requirements:

    access-list 9 deny   155.25.0.0 0.0.255.255
    access-list 9 deny   150.25.0.0 0.0.255.255
    access-list 9 permit any

    interface FastEthernet0/0
     ip verify unicast source reachable-via rx 9

    So we have strict uRPF, but only internal networks will be dropped. Is this correct? Thx

  • To see the access-list logs on R4, disable ip route cache on R4's Fa0/1:

    R4:

    int fa0/1
    no ip route-cache
    exit

  • I think you need to enable uRPF in strict mode on the link (Fa0/0) to BB3 and apply loose mode to all other interfaces:

    "There is another connection to the ISP in the network, so account for possible asymmetric routing issues on R4" - for me this means that somewhere (and you don't know where) there is another connection that has the same subnets as BB3 does. We don't know all the subnets and it's the internet, so an ACL is not appropriate here. This is why I chose loose mode on all internal interfaces of R4 (Fa0/1, S0/0 and S0/1).

    The last task/restriction "At the same time, R4 should only accept packets from legitimate subnets of 150.x.0.0/16 and 155.x.0.0/16 learned via IGP on its internal connections" is also fulfilled by loose mode, so you at least make sure that you "know" the sources since you have a route to them.

    Generally speaking, the security section of the WB causes me major issues since I don't always understand the questions :(

  • Hi,

    Just my analysis of this task and solution.

    When a packet arrives at an interface of a router and uRPF is configured on this very interface, the router will examine the src ip of the packet and do one of two action types:

    - for strict mode, if there is a route in the routing table for this src ip address via this interface, the packet is allowed

    - for loose mode, if there is a route in the routing table for this src ip address via any interface, the packet is allowed

    All other cases - the packet is dropped. The router is not interested in any uRPF settings on any interface except the interface on which the packet has arrived.

     

    Back to the business - requirements are:

    #1 do not accept packets with source ip address of internal networks on the connection to the ISP

    #2 account for another connection to the ISP (and asymmetric routing)

    #3 only accept packets with internal source addresses from internal interfaces.

    My analysis is:

    Rack29R4#sh ip int brief
    Interface                  IP-Address      OK? Method Status                Protocol
    FastEthernet0/0            204.12.29.4     YES NVRAM  up                    up     
    FastEthernet0/1            155.29.146.4    YES NVRAM  up                    up     
    Serial0/0/0                155.29.0.4      YES NVRAM  up                    up     
    Serial0/1/0                155.29.45.4     YES NVRAM  up                    up     
    Loopback0                  150.29.4.4      YES NVRAM  up                    up     

    Loop does not count at all, Fa0/0 is external (ISP connection) Fa0/1, S0/0/0, S0/1/0 are internal interfaces.

    Now let's take the first requirement. It looks quite easy, we need to do uRPF in strict mode on Fa0/0. If anything is in our route table via internal interfaces, it will be dropped.

    Here is where problem starts.

    SG says that uRPF should be enabled on this interface with loose mode. In loose mode, it will accept any packets whose src ip is in the routing table, including internal subnets.

    Second requirement - we can have other connections to the ISP. My logic indicates that any other connection to the ISP should be reachable from R4's point of view via internal interfaces. At the same time we need to assure that only packets with internal src ip addresses are accepted at internal interfaces.

    If so, we should definitely switch fa0/0 to loose mode, but we will also accept packets from internal networks on this interface.

    I think we can only choose one of those requirements, both at the same time are not possible to implement.

    If we implement uRPF with strict mode on all internal interfaces, if the router got a packet from the redundant ISP (not connected to Fa0/0), it would drop it, and objective #2 is defeated.

    If we implement uRPF with loose mode on all internal interfaces, if the router got a packet from the redundant ISP it would accept it, but it would defeat objective #3 which specifically says that it should accept only internal packets.

    So we have three requirements, of which two pairs (#1&#2 and #2&#3) are mutually exclusive.
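To make the argument in the last comment (strict vs. loose decision on the ingress interface only) and the ACL idea from the third comment concrete, here is an added example that is not part of the thread or of the INE workbook: a small Python model of the IOS uRPF decision. The routing table is constructed from the "sh ip int brief" output above (rack 29 addressing, with 198.51.100.0/24 standing in for a remote network learned through the other ISP connection), the ACL is access-list 9 from the third comment rewritten for rack 29 prefixes, and the IOS behaviour modelled is: strict requires the source's best route to leave the ingress interface, loose requires any route, the default route is ignored unless allow-default is set, and an ACL is consulted only when the check fails (permit forwards, deny drops).

```python
"""Model of Cisco IOS uRPF decisions (strict, loose, ACL exemption) for the R4 discussion.

Added example; not from the workbook or the thread. RIB and ACL are constructed.
"""
import ipaddress

# Constructed RIB for R4: (prefix, egress interface). 150.29/16 and 155.29/16 are the
# internal blocks learned via IGP; 198.51.100.0/24 is an assumed remote network that the
# second ISP connection advertises into the IGP (the asymmetric-routing case).
RIB = [
    ("155.29.146.0/24", "Fa0/1"),
    ("155.29.0.0/24", "S0/0/0"),
    ("155.29.45.0/24", "S0/1/0"),
    ("150.29.4.4/32", "Loopback0"),
    ("150.29.0.0/16", "Fa0/1"),
    ("155.29.0.0/16", "S0/0/0"),
    ("198.51.100.0/24", "S0/1/0"),
    ("204.12.29.0/24", "Fa0/0"),
    ("0.0.0.0/0", "Fa0/0"),       # default route towards the ISP
]

# Equivalent of the thread's access-list 9, with rack 29 prefixes (constructed).
ACL_9 = [
    ("deny", "155.29.0.0/16"),
    ("deny", "150.29.0.0/16"),
    ("permit", "0.0.0.0/0"),
]


def lookup(src, rib, allow_default):
    """Longest-prefix match; returns the set of egress interfaces, empty if no usable route."""
    src = ipaddress.ip_address(src)
    best_len, ifaces = -1, set()
    for prefix, iface in rib:
        net = ipaddress.ip_network(prefix)
        if src not in net:
            continue
        if net.prefixlen == 0 and not allow_default:
            continue  # IOS ignores the default route for uRPF unless allow-default is set
        if net.prefixlen > best_len:
            best_len, ifaces = net.prefixlen, {iface}
        elif net.prefixlen == best_len:
            ifaces.add(iface)  # equal-cost paths
    return ifaces


def acl_verdict(src, acl):
    """First-match ACL evaluation with the implicit deny at the end."""
    src = ipaddress.ip_address(src)
    for action, prefix in acl:
        if src in ipaddress.ip_network(prefix):
            return action
    return "deny"


def urpf(src, ingress, mode, rib=RIB, acl=None, allow_default=False):
    """Return ('forward'|'drop', reason) for a packet with source src arriving on ingress."""
    ifaces = lookup(src, rib, allow_default)
    if mode == "strict":      # reachable-via rx
        ok = ingress in ifaces
    elif mode == "loose":     # reachable-via any
        ok = bool(ifaces)
    else:
        raise ValueError(mode)
    if ok:
        return "forward", f"{mode} check passed via {sorted(ifaces)}"
    if acl is None:
        return "drop", f"{mode} check failed (routes via {sorted(ifaces)})"
    verdict = acl_verdict(src, acl)  # ACL decides the fate of packets that failed the check
    return ("forward" if verdict == "permit" else "drop"), f"{mode} check failed, ACL {verdict}"


def thread_scenarios():
    """The cases argued in the thread, all for packets arriving on Fa0/0 from the ISP."""
    spoofed = "150.29.1.1"      # internal address arriving from the ISP side (OP's lo1010 test)
    asym = "198.51.100.7"       # legitimate remote source best-routed via the other ISP link
    return {
        "loose_spoofed": urpf(spoofed, "Fa0/0", "loose", allow_default=True)[0],
        "strict_spoofed": urpf(spoofed, "Fa0/0", "strict", allow_default=True)[0],
        "loose_asym": urpf(asym, "Fa0/0", "loose", allow_default=True)[0],
        "strict_asym": urpf(asym, "Fa0/0", "strict", allow_default=True)[0],
        "strict_acl_spoofed": urpf(spoofed, "Fa0/0", "strict", acl=ACL_9, allow_default=True)[0],
        "strict_acl_asym": urpf(asym, "Fa0/0", "strict", acl=ACL_9, allow_default=True)[0],
        # caveat: without allow-default, the ACL's "permit any" also forwards sources with no route
        "strict_acl_noroute": urpf("203.0.113.9", "Fa0/0", "strict", acl=ACL_9)[0],
        "loose_noroute": urpf("203.0.113.9", "Fa0/0", "loose")[0],
    }


if __name__ == "__main__":
    for name, verdict in thread_scenarios().items():
        print(f"{name:20s} {verdict}")
```

Running it reproduces the thread: loose mode on Fa0/0 forwards the spoofed internal source (the OP's observation), strict mode drops the asymmetric source, and strict mode with the ACL drops the internal source while forwarding the asymmetric one. The last two scenarios show the cost of "permit any" in the ACL: a packet whose source has no route at all is forwarded under the ACL variant but dropped under loose mode, so if the lab has no default route (or no allow-default) the ACL should be reviewed with that in mind.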

     
