Table Of Content0111 •• 11.
CISCO.
Router Security Strategies
Securing IP Network Traffic Planes
Segment and protect traffic In the data, control,
management. and services planes
Gr~g Sehudet CCIE· No. 9591
David J. Smith. CCIE No. 1986
Router Security Strategies
Securing IP Network Traffic Planes
Gregg Schudel, CCIE No. 9591
David J. Smith, CCIE No. 1986
Cisco Press
Cisco Press
800 East 96th Street
Indianapolis, Indiana 46240 USA
ii
Router Security Strategies:
Securing IP Network Traffic Planes
Gregg Schudel, CCIE No. 9591
David J. Smith, CCIE No. 1986
Copyright © 2008 Cisco Systems, Inc.
Cisco Press logo is a trademark of Cisco Systems, Inc.
Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic
or mechanical, including photocopying, recording, or by any information storage and retrieval system, without writ-
ten permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America
First Printing December 2007
Library of Congress Cataloging-in-Publication Data:
Schudel, Gregg.
Router security strategies : securing IP network traffic planes /
Gregg Schudel, David J. Smith.
p. cm.
ISBN 978-1-58705-336-8 (pbk.)
1. Routers (Computer networks)—Security measures. 2. Computer networks—Security measures.
3. TCP/IP (Computer network protocol)—Security measures. I. Smith, David J., CCIE. II. Title.
TK5105.543.S38 2007
005.8—dc22
2007042606
ISBN-13: 978-1-58705-336-8
ISBN-10: 1-58705-336-5
Warning and Disclaimer
This book is designed to provide information about strategies for securing IP network traffic planes. Every effort
has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied.
The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither
liability nor responsibility to any person or entity with respect to any loss or damages arising from the information
contained in this book or from the use of the discs or programs that may accompany it.
The opinions expressed in this book belong to the authors and are not necessarily those of Cisco Systems, Inc.
iii
Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capital-
ized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book
should not be regarded as affecting the validity of any trademark or service mark.
Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted
with care and precision, undergoing rigorous development that involves the unique expertise of members from the
professional technical community.
Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could
improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at
feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message.
We greatly appreciate your assistance.
Corporate and Government Sales
The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales,
which may include electronic versions and/or custom covers and content particular to your business, training goals,
marketing focus, and branding interests. For more information, please contact:
U.S. Corporate and Government Sales 1-800-382-3419 corpsales@pearsontechgroup.com
For sales outside the United States please contact: International Sales international@pearsoned.com
Publisher Paul Boger
Associate Publisher Dave Dusthimer
Cisco Representative Anthony Wolfenden
Cisco Press Program Manager Jeff Brady
Executive Editor Brett Bartow
Managing Editor Patrick Kanouse
Development Editor Eric Stewart
Project Editor San Dee Phillips/Jennifer Gallant
Copy Editor Bill McManus
Technical Editors Marcelo Silva, Vaughn Suazo
Editorial Assistant Vanessa Evans
Book Designer Louisa Adair
Composition ICC Macmillan Inc.
Indexer WordWise Publishing Services, LLC
Proofreader Molly Proue
iv
About the Authors
Gregg Schudel, CCIE No. 9591 (Security), joined Cisco in 2000 as a consulting system engineer sup-
porting the U.S. Service Provider Organization. Gregg focuses on IP core network and services security
architectures and technology for inter-exchange carriers, web services providers, and mobile providers.
Gregg is also part of a team of Corporate and Field resources focused on driving Cisco Service Provider
Security Strategy. Prior to joining Cisco, Gregg worked for many years with BBN Technologies, where
he supported network security research and development, most notably in conjunction with DARPA and
other federal agencies involved in security research.
Gregg holds an MS in engineering from George Washington University, and a BS in engineering from
Florida Institute of Technology. Gregg can be contacted through e-mail at gschudel@cisco.com.
David J. Smith, CCIE No. 1986 (Routing and Switching), joined Cisco in 1995 and is a
consulting system engineer supporting the Service Provider Organization. Since 1999 David has
focused on service provider IP core and edge architectures, including IP routing, MPLS technologies,
QoS, infrastructure security, and network telemetry. Between 1995 and 1999, David supported
enterprise customers designing campus and global WANs. Prior to joining Cisco, David worked at
Bellcore developing systems software and experimental ATM switches.
David holds an MS in information networking from Carnegie Mellon University, and a BS in computer
engineering from Lehigh University. David can be contacted through e-mail at dasmith@cisco.com.
v
About the Technical Reviewers
Marcelo I. Silva, M.S., is a technical marketing engineer for the Service Provider Technology Group
(SPTG) at Cisco. Marcelo is a 19-year veteran of the technology field with experiences in academia and
the high-tech industry. Prior to Cisco, Marcelo was an independent systems consultant and full-time
lecturer at the University of Maryland, Baltimore County. His career at Cisco began in 2000, working
directly with large U.S. service provider customers designing IP/MPLS core and edge networks.
Marcelo’s primary responsibility at Cisco today as a technical marketing engineer (TME) requires him
to travel the world advising services provider customers on the deployment of Cisco’s high-end routers:
Cisco 12000 Series (GSR) and Cisco CRS-1 Carrier Routing System. Marcelo has an MS in information
systems from the University of Maryland, and lives in Waterloo, Belgium with his wife Adriana and son
Gabriel.
Vaughn Suazo, CCIE No. 5109 (Routing and Switching, Security), is a consulting systems engineer
for Wireline Emerging Providers at Cisco. Vaughn is a 17-year veteran of the technology field with
experience in server technologies, LAN/WAN networking, and network security. His career at Cisco
began in 1999, working directly with service provider customers on technology areas such as core and
edge IP network architectures, MPLS applications, network security, and IP services. Vaughn’s primary
responsibility at Cisco today is as a consulting systems engineer (CSE) for service provider customers,
specializing in service provider security and data center technologies and solutions. Vaughn lives in
Oklahoma City, Oklahoma with his wife Terri and two children, and enjoys golfing in his leisure time.
vi
Dedications
To my best friend and beautiful wife, Carol, for her love and encouragement, and for allowing me to
commit precious time away from our family to write this book. To my awesome boys, Alex and Gary,
for their patience and understanding, and for their energy and enthusiasm that keeps me motivated.
Thanks to my co-author, David Smith, for gratefully accepting my challenge, and for bringing his
knowledge and experience to this project.
—Gregg
I dedicate this book to my loving wife, Vickie, and my wonderful children, Harry, Devon, and Edward,
whom have made my dreams come true. Thank you for all of your support and inspiration during the
writing of this book. I also dedicate this book to my mother and late father, whose sacrifices have
afforded my brothers and me great opportunities. Finally, to my co-author, Gregg Schudel, for consider-
ing me for this special project. It was an opportunity of a lifetime and I am forever grateful.
—David
Acknowledgments
This book benefited from the efforts of all Cisco engineers who share our dedication and passion for
understanding and furthering IP network security. Among them, there are a few to whom we are partic-
ularly grateful. To Barry Greene, for his constant innovations, tireless leadership, and dedication to SP
security. Without his efforts, many of these IP traffic plane security concepts would not have been devel-
oped. Also, to Michael Behringer, for his constant encouragement, and for always providing sound
advice on our many technical questions. And to Roland Dobbins, Ryan McDowell, Jason Bos, Rajiv
Raghunarayan, Darrel Lewis, Paul Quinn, Sean Donelan, and Dave Lapin, for always making them-
selves available to consult on the most detailed of questions.
We gratefully thank our extraordinary technical reviewers, Marcelo Silva and Vaughn Suazo, for their
thorough critiques and feedback. Thanks also to John Stuppi and Ilker Temir for providing their invalu-
able reviews as well as to Russell Smoak for his leadership. We also thank Dan Hamilton, Don Heidrich,
Chris Metz, Vaughn Suazo, and Andrew Whitaker for reviewing our original proposal and providing
valuable suggestions. We also give special thanks to John Stewart, Cisco Systems Vice President and
Chief Security Officer, for taking time from his very busy schedule to write the foreword of our book, as
well as for his unique leadership in the areas of both security and network operations.
We would like to thank our managers, Jerry Marsh and Jim Steinhardt, for their tremendous support
throughout this project.
Finally, special thanks go to Cisco Press and our production team: Brett Bartow (Executive Editor),
Eric Stewart (Development Editor), San Dee Phillips (Senior Project Editor), Jennifer Gallant (Project
Editor), and Bill McManus (Copy Editor). Thanks also to Andrew Cupp (Development Editor) for the
valuable editorial assistance. Thank you for working with us to make this book a reality.
vii
viii
Contents at a Glance
Foreword xix
Introduction xx
Part I IP Network and Traffic Plane Security Fundamentals 3
Chapter 1 Internet Protocol Operations Fundamentals 5
Chapter 2 Threat Models for IP Networks 65
Chapter 3 IP Network Traffic Plane Security Concepts 117
Part II Security Techniques for Protecting IP Traffic Planes 145
Chapter 4 IP Data Plane Security 147
Chapter 5 IP Control Plane Security 219
Chapter 6 IP Management Plane Security 299
Chapter 7 IP Services Plane Security 347
Part III Case Studies 403
Chapter 8 Enterprise Network Case Studies 405
Chapter 9 Service Provider Network Case Studies 443
Part IV Appendixes 485
Appendix A Answers to Chapter Review Questions 487
Appendix B IP Protocol Headers 497
Appendix C Cisco IOS to IOS XR Security Transition 557
Appendix D Security Incident Handling 597
Index 608
ix
Contents
Foreword xix
Introduction xx
Part I IP Network and Traffic Plane Security Fundamentals 3
Chapter 1 Internet Protocol Operations Fundamentals 5
IP Network Concepts 5
Enterprise Networks 7
Service Provider Networks 9
IP Protocol Operations 11
IP Traffic Concepts 19
Transit IP Packets 20
Receive-Adjacency IP Packets 21
Exception IP and Non-IP Packets 22
Exception IP Packets 22
Non-IP Packets 23
IP Traffic Planes 24
Data Plane 25
Control Plane 27
Management Plane 29
Services Plane 30
IP Router Packet Processing Concepts 32
Process Switching 36
Fast Switching 39
Cisco Express Forwarding 44
Forwarding Information Base 44
Adjacency Table 45
CEF Operation 46
General IP Router Architecture Types 50
Centralized CPU-Based Architectures 50
Centralized ASIC-Based Architectures 52
Distributed CPU-Based Architectures 54
Distributed ASIC-Based Architectures 56
Summary 62
Review Questions 62
Further Reading 63
