IPsec/IKEv2 between Cisco CSR 1000v and OpenIKED

I recently set up, as part of an important lab, an IPsec site-to-site tunnel between a Cisco CSR 1000v router and an OpenBSD gateway running OpenIKED. The latter not only terminates a GRE/IP tunnel, but also provides global internet connectivity through NAT/PAT. The intent is to secure the GRE traffic between the two devices, which are located in two different sites and are reachable across the internet. The Cisco CSR 1000v instance is itself behind NAT, so the configuration is slightly more involved than what we may be used to and requires IPsec tunnel mode together with NAT Traversal (NAT-T). To establish the IPsec security associations I chose the latest iteration of the Internet Key Exchange protocol, IKEv2.

NAT66 and IPv6 ULA on Juniper SRX

Sometimes you do not have access to enough public address space to number all your subnets. This is especially common in virtualized environments, where network segmentation is a natural design choice. In such environments you may have several VLANs and routing instances (call them routing domains or contexts, depending on the vendor terminology you are familiar with), and each comes with its own set of subnets. Every network operator knows how painful IP address management is, and we all want to avoid renumbering our network, especially when it spans hundreds, if not thousands, of subnets. You have certainly figured out that Network Address Translation (NAT) can help here, but did you know that its benefits can be applied to the IPv6 world as well?

NTP Amplification Attacks - Impacts and Mitigation

The recent increase in NTP amplification attacks has shed light on the usefulness of control-plane filtering. A few days ago, the US-CERT issued an advisory warning the public about this emerging form of Distributed Denial of Service (DDoS) attack. As you know, the Network Time Protocol (NTP) is a very popular UDP-based protocol, used by a large number of computers and devices, including routers and switches, to keep their software clocks synchronized with remote reference clocks. The protocol supports a number of administrative requests that return statistical information, such as a list of the last 600 clients that talked to the server, the statistical counters of the protocol's I/O module, and so on. Most of these commands are ideal for amplification attacks, because they return a large amount of information, so their replies are significantly larger than the requests that trigger them. Since NTP runs over UDP, the attacker can forge the source address of those small requests, and the large replies are delivered to the victim instead.
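As an added illustration, not part of the original post, the following Python decodes the first bytes of an NTP packet far enough to tell a normal client time request from a mode 7 (ntpdc "private") administrative request, and flags the request codes behind the "last 600 clients" and I/O statistics replies described above. The request code values are those of ntp_request.h in the reference ntpd implementation; the packets, addresses and the reply sizes used for the amplification figure are constructed for the example and are not captured data.

```python
"""Classify NTP packets by mode and, for mode 7 (ntpdc "private") requests,
by request code, so that amplification probes can be spotted in captured
traffic. All sample packets below are constructed for illustration."""
from collections import Counter

# Mode 7 request codes, values as in ntp_request.h of the reference
# implementation (ntpd). Only the codes used here are listed.
REQ_IO_STATS = 6          # I/O module statistics counters
REQ_MON_GETLIST = 20      # list of recently seen clients (original format)
REQ_MON_GETLIST_1 = 42    # same list, newer format; the classic "monlist"

# Request codes whose replies dwarf the 8-byte request that triggers them.
AMPLIFYING_REQUESTS = {REQ_IO_STATS, REQ_MON_GETLIST, REQ_MON_GETLIST_1}


def parse_ntp_header(payload: bytes) -> dict:
    """Decode the fields every NTP packet shares, plus the mode 7 request header.

    Byte 0 of any NTP packet carries the version in bits 3-5 and the mode in
    bits 0-2. For mode 7 the two high bits are the R (response) and M (more)
    flags, byte 2 is the implementation number and byte 3 the request code.
    """
    if len(payload) < 4:
        raise ValueError("payload too short to be an NTP packet")
    first = payload[0]
    info = {"version": (first >> 3) & 0x07, "mode": first & 0x07}
    if info["mode"] == 7:
        info["response"] = bool(first & 0x80)
        info["more"] = bool(first & 0x40)
        info["implementation"] = payload[2]
        info["request_code"] = payload[3]
    return info


def is_amplification_probe(payload: bytes) -> bool:
    """True for a mode 7 *request* carrying one of the amplifying request codes."""
    try:
        info = parse_ntp_header(payload)
    except ValueError:
        return False          # runt packet: not a valid probe
    return (info["mode"] == 7
            and not info["response"]
            and info["request_code"] in AMPLIFYING_REQUESTS)


def probe_sources(packets):
    """Count amplification probes per source address over (src, payload) pairs.

    In a real attack the source addresses are spoofed victim addresses: a high
    count for one address means that host is being targeted, not attacking.
    """
    counts = Counter()
    for src, payload in packets:
        if is_amplification_probe(payload):
            counts[src] += 1
    return dict(counts)


def amplification_factor(request_len: int, reply_lens) -> float:
    """Bytes sent to the victim per byte the attacker had to send."""
    return sum(reply_lens) / request_len


# Constructed sample traffic (not captured data):
MONLIST_PROBE = bytes.fromhex("1700032a") + bytes(4)   # v2, mode 7, impl 3 (XNTPD), code 42
IOSTATS_PROBE = bytes.fromhex("17000306") + bytes(4)   # same header, REQ_IO_STATS
CLIENT_REQUEST = b"\x1b" + bytes(47)                   # v3, mode 3: an ordinary time request
MONLIST_REPLY = bytes.fromhex("d700032a") + bytes(4)   # R and M bits set: a reply fragment

SAMPLE_PACKETS = [
    ("203.0.113.5", MONLIST_PROBE),
    ("198.51.100.7", CLIENT_REQUEST),
    ("203.0.113.5", IOSTATS_PROBE),
    ("203.0.113.5", MONLIST_PROBE),
    ("192.0.2.1", MONLIST_REPLY),
]

if __name__ == "__main__":
    print(parse_ntp_header(MONLIST_PROBE))
    print(probe_sources(SAMPLE_PACKETS))
    # A monlist answer comes back as a train of reply packets; 100 replies of
    # 440 bytes for an 8-byte request is an illustrative, constructed figure.
    print(amplification_factor(len(MONLIST_PROBE), [440] * 100))
```

Only requests are flagged, so replies flowing back toward a victim (R bit set) are not counted twice, and the probe counter is keyed on the source address precisely because, in the attack described above, that address belongs to the victim rather than the attacker.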
