Thursday, February 28, 2013

Testing for TLS support WWW/SMTP with openssl

As you should know by now, TLS is a means to transparently secure data connections between hosts. It is used to secure a host of applications, from your web, mail, FTP and VPN services to various other apps.

It uses a combination of symmetric and asymmetric cryptography for encryption and key exchange.

In this post we will look at a few scripts that test cipher support using openssl. The openssl tool is a very powerful application and does a host of things, from crafting a CSR (certificate signing request) and signing your own certs to binding to ports to test and debug SSL negotiations. It can also be used just to interpret a certificate and extract the public key and start/end dates.

1st 

How do we check which ciphers a website will accept?

 sahel01:~ kfelix$ cat openssl.sh
#!/usr/bin/env bash

# Usage: ./openssl.sh host:port
# OpenSSL requires the port number.
DELAY=1
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')

echo Obtaining cipher list from $(openssl version).

for cipher in ${ciphers[@]}
do
echo -n Testing $cipher...
# Empty stdin makes s_client exit as soon as the handshake finishes;
# stderr is merged so the ":error:" branch below can see handshake failures.
result=$(echo -n | openssl s_client -cipher "$cipher" -connect "$1" 2>&1)
# A failed handshake still prints "Cipher is (NONE)", which must not count as YES.
if [[ "$result" =~ "Cipher is " && ! "$result" =~ "Cipher is (NONE)" ]] ; then
  echo YES
else
  if [[ "$result" =~ ":error:" ]] ; then
    error=$(echo -n $result | cut -d':' -f6)
    echo NO \($error\)
  else
    echo UNKNOWN RESPONSE
    echo $result
  fi
fi
sleep $DELAY
done

2nd 

How do we check that secured SMTP (STARTTLS on port 25) is supported by an MX gateway?

 sahel01:~ kfelix$ cat openssl_smtp.sh
#!/usr/bin/env bash

# Usage: ./openssl_smtp.sh mx-hostname
# The port is fixed at 25 below and STARTTLS upgrades the session.
DELAY=1
ciphers=$(openssl ciphers 'ALL:eNULL' | sed -e 's/:/ /g')
smtps=25

echo Obtaining cipher list from $(openssl version).

for cipher in ${ciphers[@]}
do
echo -n Testing $cipher...
# $1 is the MX host given on the command line;
# stderr is merged so the ":error:" branch below can see handshake failures.
result=$(echo -n | openssl s_client -cipher "$cipher" -crlf -state -connect "$1:$smtps" -starttls smtp 2>&1)
# A failed handshake still prints "Cipher is (NONE)", which must not count as YES.
if [[ "$result" =~ "Cipher is " && ! "$result" =~ "Cipher is (NONE)" ]] ; then
  echo YES
else
  if [[ "$result" =~ ":error:" ]] ; then
    error=$(echo -n $result | cut -d':' -f6)
    echo NO \($error\)
  else
    echo UNKNOWN RESPONSE
    echo $result
  fi
fi
sleep $DELAY
done

3rd

How do we validate a web site's certificate to see if it is expired?

sahel01:~ kfelix$ openssl s_client -connect www.google.com:443   | openssl x509 -noout -dates
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
notBefore=Feb 20 13:34:56 2013 GMT
notAfter=Jun  7 19:43:27 2013 GMT

4th

How about the public key?

sahel01:~ kfelix$ openssl s_client -connect www.google.com:443   | openssl x509 -noout -pubkey
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDg9RWzMhtCE/CTothJekVXIgSa
eBDX05KSdr5/x1KvoI6a5lDcS0r3Cvg/LwaZKvDeNUL/vNj8k7mSAdKYNgiX7NOw
ufmQEJ8JtNQ4kIzP49oym+RnoDgUWJ4G0ZAD0hgrn8ycvkAVm3dYbanHiERBCPyR
+6VBoIPdF1EIAXXQWwIDAQAB
-----END PUBLIC KEY-----
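As an added example (not one of the scripts above), here is a Python helper that performs the same two checks offline: it classifies s_client output per cipher, treating the failure line "Cipher is (NONE)" as a miss and flagging weak suites a server should not be accepting, and it parses the notBefore/notAfter lines that openssl x509 -dates prints to report days until expiry. The sample outputs embedded in it are constructed; the function names and the WEAK_MARKERS list are my own.

```python
"""Classify openssl s_client results the way the scripts above do, and check
the notBefore/notAfter dates printed by 'openssl x509 -noout -dates'.
Runs offline: the sample outputs at the bottom are constructed, not captured."""
import re
from datetime import datetime, timezone

# Cipher-name fragments a defender should flag if a server accepts them (my list).
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")


def negotiated_cipher(s_client_output: str):
    """Return the cipher s_client negotiated, or None if the handshake failed.

    The shell scripts match the literal 'Cipher is ', which also matches the
    failure line 'Cipher is (NONE)'; this helper treats (NONE) as a failure."""
    m = re.search(r"Cipher is (\S+)", s_client_output)
    if not m or m.group(1) == "(NONE)":
        return None
    return m.group(1)


def handshake_error(s_client_output: str):
    """Reason text from the first OpenSSL ':error:' line (colon field 6, the
    same field the scripts' cut -d':' -f6 picks), or None if there is none."""
    for line in s_client_output.splitlines():
        if ":error:" in line:
            fields = line.split(":")
            return fields[5] if len(fields) > 5 else line
    return None


def is_weak(cipher: str) -> bool:
    """True if the cipher name carries one of the WEAK_MARKERS fragments."""
    return any(marker in cipher for marker in WEAK_MARKERS)


def scan_results(results: dict) -> dict:
    """results maps cipher name -> raw s_client output (one run per cipher, as
    the loop in openssl.sh does). Returns cipher -> 'YES' | 'WEAK' | 'NO (reason)'."""
    report = {}
    for cipher, output in results.items():
        if negotiated_cipher(output):
            report[cipher] = "WEAK" if is_weak(cipher) else "YES"
        else:
            err = handshake_error(output)
            report[cipher] = f"NO ({err})" if err else "UNKNOWN RESPONSE"
    return report


DATE_FMT = "%b %d %H:%M:%S %Y %Z"  # e.g. 'Jun  7 19:43:27 2013 GMT' (double space is fine)


def cert_validity(dates_output: str, now):
    """Parse notBefore=/notAfter= lines; 'now' is a UTC datetime or 'YYYY-MM-DD'.
    Returns (valid_now, days_until_notAfter)."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    fields = dict(line.split("=", 1) for line in dates_output.splitlines()
                  if line.startswith(("notBefore=", "notAfter=")))
    not_before = datetime.strptime(fields["notBefore"], DATE_FMT).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(fields["notAfter"], DATE_FMT).replace(tzinfo=timezone.utc)
    return not_before <= now <= not_after, (not_after - now).days


# Constructed samples: one success, one accepted-but-weak suite, one failure.
SAMPLE_RESULTS = {
    "AES256-SHA": "CONNECTED(00000003)\nNew, TLSv1/SSLv3, Cipher is AES256-SHA\n",
    "NULL-MD5": "CONNECTED(00000003)\nNew, TLSv1/SSLv3, Cipher is NULL-MD5\n",
    "EXP-RC4-MD5": ("CONNECTED(00000003)\n"
                    "140735:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:"
                    "sslv3 alert handshake failure:s23_clnt.c:741:\n"
                    "New, (NONE), Cipher is (NONE)\n"),
}
SAMPLE_DATES = "notBefore=Feb 20 13:34:56 2013 GMT\nnotAfter=Jun  7 19:43:27 2013 GMT\n"

if __name__ == "__main__":
    print(scan_results(SAMPLE_RESULTS))
    print(cert_validity(SAMPLE_DATES, "2013-03-01"))
```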

Ken Felix

Freelance Network/Security Engineer

kfelix at hyperfeed d-o-t com

Tuesday, February 26, 2013

Fortigate firewall Password Recovery simple as 1 2 3

Hi

I've been on the road on vacation for a few days now, but I figured I would post about the password recovery of a Fortigate firewall.

In order to recover a Fortigate that you are locked out of, you will need to be on the console. That means a local console port and cable.


The recovery process is simple;

1st

 Locate your serial #. This number typically starts with FGTFG or, for wireless models, FWF, and will be on a tag at the back or bottom of the chassis.

e.g. serial numbers located on a FGT200A and FWF60D






2nd

Set your console program to 9600 baud, 8 data bits, no parity, 1 stop bit (9600 8 N 1) and cable into the unit.


3rd

Power cycle the unit and at the login prompt:

Enter maintainer for the username
and the unit serial # in the format bcpb<SERIALNUMBER> for the password

 
That's how simple it is to recover the password of a Fortigate firewall. Once logged in, you can config system admin a new password/account or factory reset the unit.


Ken Felix

Freelance Network/Security Engineer

kfelix  at hyperfeed  dot com


Tuesday, February 19, 2013

About Me

Here's a bio about myself

Ken Felix


Hobbies outside of IT =  Hunting, Fishing, medium/large format B&W photography, Ham radio chasing Satellites and International Space Station and Archery

Started in the network arena in the early 90s; my 1st OS systems were primarily DEC Ultrix and SCO. Also worked with various routing platforms built on the AT&T 3B2/600, Wellfleet's BCN & AFN and IBM 2210s.

Favorite OS= OpenBSD followed by Linux ( Debian )

Favorite Routing Protocol = BGP (it's fun and interesting )

Favorite shell   =  CSH or TCSH

Most favorite Application or Internet Service  =  DNS

Favorite Router of All times = Cisco 3640 ( rock solid performer, never had a problem )

Favorite Firewall = PfSense

OS hated the most = Any thing Windows all flavors

Most favorite food = Sicilian and  Tex-Mex

Favorite Beer = Fat Tire Ale or any Ale

Dream Car =  Corvette  Stingray

Favorite Tv series = "Tour of Duty"

Best HBO series = "The Wire" ( but the Sopranos is a close 2nd :) )

Most challenging thing I ever did (IT related) = Compiling drivers for a patched Linux kernel source 1.0 for an Adaptec SCSI controller card on my Pentium 90 MHz system. I found a developer in Belgium who helped me test his drivers thru CompuServe, and 8 hours later we had a working installation. (He built the drivers, but he didn't have the SCSI controller card.)

Most challenging thing I've done in life = Managing not to be killed while in the USAF Communication Systems groups. I saw some stupid things and even partook in a few stupid activities. It's a miracle that I didn't die in Korea, or get somebody killed.



Ken Felix
Freelance Network & Security Engineer
kfelix  at  hyperfeed .  com





Friday, February 15, 2013

L2TP setup Fortigate 200B 4.0MR3p12

In this post we will explore my L2TP configuration on a Fortigate FW appliance.

1st, here's the design;







Okay here's the configuration;

1st 

Setup the L2TP daemon settings

-->

config vpn l2tp
    set eip 10.100.101.4
    set sip 10.100.101.1
    set status enable
    set usrgrp "Roadwarriors"
end

The user group known as Roadwarriors gives only those users access via L2TP.

 show user group Roadwarriors
config user group
    edit "Roadwarriors"
            set member "kfelix" "Jill" "Mike" "Louis" "Rey" "Alan"            
    next
end



2nd

Now we go for the fun part: we craft our IPsec phase1 & phase2 settings;
  -->
config vpn ipsec phase1
    edit "l2tp_dialupRA01"
        set type dynamic
        set interface "EXT_NET01"
        set dhgrp 2
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set psksecret  mysecuredpsk_make_a_strong_key
    next
end

and

config vpn ipsec phase2
    edit "l2tp_dialupRA01p2p2"
        set encapsulation transport-mode
        set pfs disable
        set phase1name "l2tp_dialupRA01"
        set proposal aes256-md5 3des-sha1 aes192-sha1
        set keylifeseconds 3600
    next
end

Key points to take away up to this point;

  • L2TP uses transport mode rather than tunnel mode for IPsec
  • For Windows/Mac/iPhone/Android, the crypto proposals aes256-md5 and 3des-sha1 are supported
  • disable PFS
  • create an address pool big enough to cover your needs, growth and the users
  • place the users that you want to have access in a user group

3rd 

we now must craft a firewall policy





NOTE: I crafted a  firewall address for my L2tp range




Okay, now that you have the basic configuration in place, we can give it a try. In this example I'm using my Mac OS X client. The user kfelix@blahblah was crafted as a local user on the Fortigate.





To troubleshoot;

  • make sure your username and password are correct
  • make sure the server specified in the configuration is correct (correct ip_addr/hostname/etc.)
  • ensure you type the PSK correctly
  • use the following diag debug cmds on the Fortigate



-->

fw01 # diag debug application  l2tp 255
fw01 # diag debug en
fw01 # diag debug console





When an end-user authenticates and is assigned an address, the debug output will show you the following;

-->

L2TPD 97: 179:Connection established to 172.98.122.155, 51942.  Local: 1, Remote: 8.
L2TPD 29: 166:Starting call (launching pppd, opening GRE)
L2TPD 25: 334:Client 172.98.122.155 control connection started (id 1), assigned ip 10.100.101.2


NOTE: your diag vpn tunnel list will have an entry that correlates to the client's address


-->
diag vpn tunnel  list name l2tp_dialupRA01_0

list ipsec tunnel by names in vd 0
------------------------------------------------------
name=l2tp_dialupRA01_0 ver=1 serial=c X.X.X.2:4500->X.X.X.155:1205 lgwy=static tun=tunnel mode=dial_inst bound_if=27
parent=l2tp_dialupRA01 index=0
proxyid_num=1 child_num=0 refcnt=8 ilast=0 olast=0
stat: rxp=252 txp=126 rxb=42992 txb=12309
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=7
natt: mode=silent draft=32 interval=10 remote_port=1205
proxyid=l2tp_dialupRA01p2p2 proto=17 sa=1 ref=2 auto_negotiate=0 serial=1 transport-mode
  src: 17:X.X.X.2-X.X.X.2:1701
  dst: 17:X.X.X.155-X.X.X.155:51942
  SA: ref=4 options=00000006 type=00 soft=0 mtu=1424 expire=3415 replaywin=2048 seqno=7f
  life: type=01 bytes=0/0 timeout=3590/3600
  dec: spi=e17a8329 esp=aes key=32 cfed5ed6d2f7c3934b172c2ca6572a16a1db68d5d135220ed73a032a43fb39c9
       ah=md5 key=16 dce803b15318bd87822d05c7edd87db0
  enc: spi=05604708 esp=aes key=32 ad8c14dee466147f9fa1f8ba313693a2f0c342eb46f911016f4d7cf03dca556a
       ah=md5 key=16 8793434295200d87885aab46505d38be
  npu_flag=00 npu_rgwy=X.X.X.155 npu_lgwy=X.X.X.2 npu_selid=b, dec:pkts/bytes=252/24811, enc:pkts/bytes=126/18976


I hope this post helps you with your L2TP configurations on Fortigate firewalls.

Ken Felix
Freelance Network & Security Engineer
kfelix at hyperfeed  . com



Wednesday, February 13, 2013

A tip on BGP route-refresh

Okay, we've all at one point come across configuration lines similar to the next 2 lines;

neighbor upwan soft-reconfiguration inbound

or

neighbor 1.1.1.1 soft-reconfiguration inbound

How about route-refresh?  And how can we deploy this?

Yes, most current BGP speakers support this feature. If you remember my earlier BGP post, and the one about BGP message types and route-refresh: a route-refresh is just that, "a refresh of routes from your peer".

If you don't specify soft-reconfiguration inbound in your configuration, then during the BGP neighborship open the 2 BGP speakers involved will share their BGP capabilities;

e.g. (a show ip bgp neighbor output)

Neighbor capabilities:
    Route refresh: advertised and received(new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    InQ depth is 21
    OutQ depth is 0
                         Sent       Rcvd
    Opens:                  3          3
    Notifications:          1          0
    Updates:                5   22589985
    Keepalives:        297084     309223
    Route Refresh:          1          0
    Total:             297094   22899211
  Default minimum time between advertisement runs is 30 seconds



Notice how this neighbor supports route-refresh? A soft-reconfiguration inbound overrides the route-refresh capability.

Per RFC 2918:

   "A BGP speaker may send a ROUTE-REFRESH message to its peer only if it
   has received the Route Refresh Capability from its peer."

Okay, so what do you think happens if we clear an ip bgp neighbor? Will we take our BGP peer down? Well, let's find out;

cr01-rtr1#show ip bg sum  | i 2828
207.239.160.111 4  2828 22956753  297110 127749440    0    0 10:10:34   435016


We have 435k+ BGP prefixes learned from this neighbor. Let's clear this neighbor;

cr01-rtr1#clear ip bgp 207.239.160.111  in  

and
   
cr01-rtr1#show ip bg sum  | i 2828       
207.239.160.111 4  2828 22964409  297114 127749676    7    0 10:12:09   434998


Notice we didn't go down, and we still have an active session?

How about our show  ip bgp neighbor cmd output after the above actions;

(output shortened)

Neighbor capabilities:
    Route refresh: advertised and received(new)
    Address family IPv4 Unicast: advertised and received
  Message statistics:
    InQ depth is 0
    OutQ depth is 0
                         Sent       Rcvd
    Opens:                  3          3
    Notifications:          1          0
    Updates:                5   22724302
    Keepalives:        297106     309245
    Route Refresh:          2          0
    Total:             297117   23033550


So as you can see, we sent a route-refresh to our neighbor. Without route-refresh, if we didn't want to tear down our BGP session in order to refresh our BGP routes, we would have to configure soft-reconfiguration inbound and maintain a cached copy of the BGP table from our neighbor at an added memory cost.

Once again, most current routers support the route-refresh feature in today's implementations of BGP version 4.

By using the "show ip bgp neighbor" cmd (IOS) or "show bgp ipv4 unicast neighbors" cmd (IOS-XR), we can validate whether our neighbors support route-refresh.

clear ip bgp in versus clear ip bgp soft in is the only difference between those two methods (route-refresh versus soft-reconfiguration inbound).


Ken Felix
Freelance Network/Security Engineer
kfelix at hyperfeed dot com





Tuesday, February 12, 2013

PFsense HAVP anti-virus for HTTP

In this post, I will explain the HAVP anti-virus pkg.

Details
Pfsense 2.0.1 release
FreeBSD8.1

HAVP stands for HTTP antivirus protection. It's a pkg available from the pkg maintainers of pfSense.

http://www.pfsense.org/

pfSense is a well-written & maintained opensource firewall that runs on most x86 platforms. It has a host of supported NICs, hardware & CPUs.


It's not geared to replace a Cisco ASA5550 or Juniper MX80, but it does a great job for a free opensource solution. Most SOHO/SMB outfits could save a fortune if they invested in opensource networking such as Vyatta or pfSense.

HAVP is a package that's easy to install and set up. I mean, you can do this in about 10 mins.

1st get the package, System > package > Available Packages




2nd, after the package has installed, your configuration starts under Services > Antivirus;



3rd, imho

I think this is the best approach for setting up HAVP: you want to set up the AV database refresh and options first. Here you can select the regional ClamAV source and the time interval for refreshing your AV signatures.

I picked  US and with a interval of every 2 hours.




 Depending on your security policy, you can increase or decrease that interval.

 
4th

We now configure the HTTP proxy. You can configure a static proxy, where the HTTP client needs to be pointed at the proxy, or you can deploy a transparent proxy. If you do a static proxy, please set a firewall policy that only allows web traffic via the proxy, so the HTTP clients can't bypass it.







note: don't forget to click the enable box




5th, we start both the AV and HAVP daemon processes. Be patient and make sure you give it some time to start.








6th, once started, you can monitor the logs, and the enable/start buttons should reflect that you now have the option to stop the process.



Finally, to test this, use your HTTP client (web browser) or wget/curl and grab these links;

http://www.eicar.org/download/eicar.com.txt
http://www.f-secure.com/virus-info/eicar.com

and



You might want to enable logging for a few days to confirm all is working correctly.



I hope this has been helpful

Ken Felix
Freelance Network & Security Engineer
kfelix at hyperfeed dot com



My PFsense machine crashed and I never knew :)

Here's a first: one of my pfSense hosts that sits on the internet crashed. It's running the OpenBGP daemon and announcing one /24 prefix. I was surprised that I missed this, and it looks like my VM crashed over 35+ days ago.




And here's what I found when I logged in to the GUI;




So this is the 1st time I've used the FreeBSD/pfSense crash reporter, and it was crafted very nicely. Basically, if you log in to the dashboard, you have the option to read the report and download it.

You can also submit it with option buttons located below the dialog box.




The report is very detailed and nicely formatted. It covers a host of details from disk space, pkgs, core dump, files, and so on.













In my daytime job/role, I work for a company that could use a lot of training from the creators of various opensource appliances on the proper format of the user interface and diagnostics, but that's another topic for another day.

Ken Felix
Freelance Network/Security Engineer
kfelix  at  hyperfeed dot com



Monday, February 11, 2013

/96 prefix in ipv6/ipv4 mapping. The Why ?

Someone emailed me about the use of a /96 prefix in my IPv6/IPv4 NAT (NAT64) example. Here's the reason why: the /96 prefix was created to allow mapping a 32-bit IPv4 address into IPv6. If you think about it, a /96 plus a /32 = 128 bits.

Here's the RFC that explains some of this feature and the mapping of IPv4 and IPv6 addresses

http://www.ietf.org/rfc/rfc3056.txt

IPv6/IPv4 mapping becomes more of an issue as we start dealing with DNS64 and IPv6-enabled networks using name-lookup resources to look up AAAA (quad-A) records, but having the returned query massaged with the direct IPv4-to-IPv6 mapping.

Whenever we use NAT64, we need to be aware of the differences between the two headers;

-->

ipv4             ipv6
ttl              hop-limit
protocol field   next-header
dscp/tos         traffic class
frag offset      frag-header

Whenever we map IPv4 to IPv6, the 32-bit address is always embedded in the lower 32 bits

e.g. (using IPv4 address 10.0.0.1 and a 2001:179::/96 prefix)
10.0.0.1 =  A0:01 + /96 bit prefix    2001:179::10:0:0:1 or in hex format 2001:179::A0:01



 The above is the proper way to map an IPv4 address into IPv6 using the /96 prefix
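As an added example, not part of the original post, here is the mapping carried out with Python's ipaddress module, which places the IPv4 address in the low-order 32 bits as RFC 4291 describes: 10.0.0.1 becomes the hex groups 0a00:0001, so the mixed-notation form 2001:179::10.0.0.1 prints compressed as 2001:179::a00:1. The prefix and address are the ones in the text; the function names are mine, and the /64 rejection shows the "96 + 32 = 128" rule being enforced.

```python
"""Embed an IPv4 address in the low 32 bits of a /96 IPv6 prefix (the NAT64-style
mapping discussed above) and extract it again. Added example, not the author's code."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network


def embed_ipv4(prefix: str, ipv4: str) -> IPv6Address:
    """Return prefix + ipv4, with the 32-bit IPv4 address in the low-order bits."""
    net = IPv6Network(prefix, strict=True)
    if net.prefixlen != 96:
        # Only a /96 leaves exactly 32 bits, the size of an IPv4 address.
        raise ValueError(f"{prefix} is a /{net.prefixlen}; a /96 is needed to embed IPv4")
    return IPv6Address(int(net.network_address) | int(IPv4Address(ipv4)))


def extract_ipv4(prefix: str, ipv6: str) -> IPv4Address:
    """Reverse the mapping; refuses addresses that are not inside the /96."""
    net = IPv6Network(prefix, strict=True)
    addr = IPv6Address(ipv6)  # also accepts mixed notation such as 2001:179::10.0.0.1
    if net.prefixlen != 96 or addr not in net:
        raise ValueError(f"{ipv6} does not carry an IPv4 address under {prefix}")
    return IPv4Address(int(addr) & 0xFFFFFFFF)


def mixed_notation(prefix: str, ipv4: str) -> str:
    """RFC 4291 mixed notation (x:x:x:x:x:x:d.d.d.d), e.g. 2001:179::10.0.0.1,
    which shows the embedded IPv4 address as a dotted quad."""
    embed_ipv4(prefix, ipv4)  # validates the prefix length and both addresses
    head = str(IPv6Network(prefix, strict=True).network_address)
    # The low 32 bits of a /96 network address are zero, so its compressed
    # text form ends either in '::' or in ':0:0'.
    if head.endswith("::"):
        return head + str(IPv4Address(ipv4))
    return head[:-len(":0:0")] + ":" + str(IPv4Address(ipv4))


if __name__ == "__main__":
    mapped = embed_ipv4("2001:179::/96", "10.0.0.1")
    print(mapped, mixed_notation("2001:179::/96", "10.0.0.1"), extract_ipv4("2001:179::/96", str(mapped)))
```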

I hope this clears up any confusion on why the /96 prefix is used.

Ken Felix
Freelance  Network & Security Engineer
kfelix at hyperfeed dot com

















BGP dynamic peers cisco-style

BGP has come a long way since my introduction to it.

Both Juniper and Cisco have introduced features to assist with the setup & speed of deploying BGP neighbors. With Cisco it's called "BGP listen" and with Juniper it's called "promiscuous peering".

1st, here's the network layout;





BGPR1 is going to be enabled for BGP listen with a subnet range of 10.10.0.0/24.

BGPR1 cfg;
!
!
ip routing
!
router bgp 65001
 bgp router-id 1.0.0.1
 bgp listen range 10.10.0.0/24 peer-group ibgp
 bgp listen limit 10
 neighbor ibgp peer-group
 neighbor ibgp remote-as 65001
 neighbor ibgp default-originate
!
!

and now on the BGPR3/4 devices we deploy the standard cfg;

 config t
!
ip routing
!
router bgp 65001
   neighbor 10.10.0.1 remote-as 65001
!
!
end

And now when these devices attempt to establish a BGP peering relationship, the BGPR1 router will dynamically build the neighborship. Very simple to roll out and deploy.

To confirm BGP listen is set up, and for what range;

BGPR1#show ip bgp  sum
BGP peergroup ibgp listen range group members:
  10.10.0.0/24



and our two routers will show the following when BGP is established;

 show ip  bgp sum
BGP router identifier 1.0.0.3, local AS number 65001

BGP table version is 7, main routing table version 7
1 network entries using 117 bytes of memory
1 path entries using 48 bytes of memory
2/1 BGP path/bestpath attribute entries using 232 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 397 total bytes of memory
BGP activity 1/0 prefixes, 1/0 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd

10.10.0.1         4  65001       7       6        7    0    0 00:02:12        1
 

and BGPR1 will show the following in its BGP summary table;

show ip bgp sum
BGP router identifier 1.0.0.1, local AS number 65001
BGP table version is 2, main routing table version 2
1 network entries using 136 bytes of memory
1 path entries using 56 bytes of memory
1/0 BGP path/bestpath attribute entries using 128 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 320 total bytes of memory
BGP activity 1/0 prefixes, 1/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd

*10.10.0.3      4         65001      7       9        2    0    0 00:03:55        0 
*10.10.0.4       4        65001      7       9        2    0    0 00:04:15        0
* Dynamically created based on a listen range command
Dynamically created neighbors: 2, Subnet ranges: 1

BGP peergroup ibgp listen range group members:
  10.10.0.0/24

Total dynamically created neighbors: 2/(10 max), Subnet ranges: 1


and syslog;

*Feb 11 08:27:10.787: %BGP-5-ADJCHANGE: neighbor *10.10.0.3 Up
*Feb 11 08:47:10.883: %BGP-5-ADJCHANGE: neighbor *10.10.0.4 Up

Now, why would one deploy BGP listen for BGP configurations?

  • to rapidly deploy BGP peers within an AS
  • to reduce human error, such as with the remote-as number or other peer-group items
  • to ease the renumbering and moves of existing BGP peers, as in a migration or merger

Now, I have never seen this feature used outside of the enterprise community, and one should at least enable some type of security by specifying the range and by using an MD5 TCP password for the segments that have BGP peers.

Ken Felix
Freelance Network /Security Engineer
kfelix   at  hyperfeed  com

Sunday, February 10, 2013

BGP router-id: do you need an interface ip_address?

A lot of confusion exists around the BGP router-id. Most network engineers build around a unique loopback interface, and the address of that interface is commonly used for both the BGP and OSPF router-id.

For BGP to work, it must have a BGP router-id. Here are some key points you should consider;

  • You can define one or let IOS assume one from your IP-addressed interfaces
  • If a loopback interface is configured, the BGP speaker will always assume that address for its BGP router-id
  • If you have no loopback interface and numerous interfaces with an ip_address, it will always take the highest IP-addressed interface and use that for its router-id
  • If you have multiple loopbacks, the highest addressed loopback interface will become your router-id
  • A router-id must be a valid ip_address (notice I said valid, so 0.0.0.0 or 0.0.0.1 would not be acceptable)
  • If you are letting the router assume its BGP router-id, and the interface that it originally assumed for the router-id goes away or is deleted, all existing BGP sessions will stay up using the previous router-id and any new sessions will use the newly assumed router-id.
  • If you are using an interface as the router-id and delete or change that interface, the active BGP sessions will stay UP, and upon reset or clear the router will select a new router-id based on the points listed above, if one was not set under your router bgp config
  • Word to the wise: if you ever decide to change the BGP router-id after BGP sessions are up, it will reset ALL established peers.


Let's look at this configuration and the interfaces that I configured;


!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.0.0.2 remote-as 65001
 no auto-summary
!

r1#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.0.0.1        YES manual up                    up     
FastEthernet0/1            unassigned      YES unset  administratively down down   
r1#
 



r2#sh run | beg router
router bgp 65001
 no synchronization
 bgp router-id 192.0.2.1
 bgp log-neighbor-changes
 neighbor 10.0.0.1 remote-as 65001
 no auto-summary
!

r2#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.0.0.2        YES manual up                    up     
FastEthernet0/1            unassigned      YES unset  administratively down down   
r2#



Notice how a BGP router-id was configured on r2, but that address did not exist anywhere? Do you think BGP would be established?

Well, look at what happened;

r1#show ip bgp sum
BGP router identifier 10.0.0.1, local AS number 65001
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.2        4 65001      25      25        1    0    0 00:02:14        0
r1#


and from r2;

r2#show ip bgp sum
BGP router identifier 192.0.2.1, local AS number 65001
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.1        4 65001      25      25        1    0    0 00:02:26        0
r2#


BGP established with no problems. The 192.0.2.1 IP address was not configured anywhere within the IOS config of r2, but BGP used it for the router-id. And r1 automatically picked its fas0/0 {10.0.0.1} interface address for its own router-id.

Okay, what happens if we duplicate a router-id under a BGP config? I will now configure r1 to use 192.0.2.1 to demonstrate the issue.



r1#show ip bgp sum
BGP router identifier 192.0.2.1, local AS number 65001
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.2        4 65001      15      15        0    0    0 00:04:59 Active
r1#



and r2

r2#show ip bgp sum
BGP router identifier 192.0.2.1, local AS number 65001
BGP table version is 1, main routing table version 1

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.0.0.1        4 65001      16      16        0    0    0 00:05:28 Active
r2#


When the BGP router-ids are duplicated, you will get the following notification, with the offending id printed in hex in the error message.


*Mar  1 00:08:19.843: %BGP-3-NOTIFICATION: sent to neighbor 10.0.0.2 2/3 (BGP identifier wrong) 4 bytes C0000201  FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 002D 0104 FDE9 00B4 C000 0201 1002 0601 0400 0100 0102 0280 0002 0202 00
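As an added example (Python, not IOS code), here is a decoder for the OPEN message that IOS dumped in the notification line above, which spells out why the 2/3 (OPEN Message Error / Bad BGP Identifier) notification fired: the 4 data bytes C0000201 are 192.0.2.1, the same router-id r1 had just been given. The same OPEN also carries the capabilities a neighbor advertises: code 1 (IPv4 unicast) and codes 2 and 128, the standard and old-style route-refresh capabilities behind the "Route refresh: advertised and received(new)" line in the route-refresh post further up. The hex is copied from the log line; the function names and lookup tables are mine.

```python
"""Decode the BGP OPEN message from a '%BGP-3-NOTIFICATION ... 2/3 (BGP identifier
wrong)' dump and explain the notification. Added example; the hex is taken from
the IOS log line above, the decoder is not IOS code."""
import struct
from ipaddress import IPv4Address

# NOTIFICATION error code 2 = OPEN Message Error; its subcodes per RFC 4271.
OPEN_ERROR_SUBCODES = {1: "Unsupported Version Number", 2: "Bad Peer AS",
                       3: "Bad BGP Identifier", 4: "Unsupported Optional Parameter",
                       6: "Unacceptable Hold Time"}
# Capability codes present in the dump: 1 = Multiprotocol (RFC 4760),
# 2 = Route Refresh (RFC 2918), 128 = pre-standard Route Refresh used by Cisco.
CAPABILITY_NAMES = {1: "Multiprotocol Extensions", 2: "Route Refresh", 128: "Route Refresh (old)"}


def parse_open(raw: bytes) -> dict:
    """Parse a BGP OPEN message: marker, header, fixed fields and capabilities."""
    if len(raw) < 29 or raw[:16] != b"\xff" * 16:
        raise ValueError("not a BGP message (bad marker or too short)")
    length, msg_type = struct.unpack("!HB", raw[16:19])
    if msg_type != 1 or length != len(raw):
        raise ValueError(f"expected an OPEN (type 1) of {length} bytes")
    version, asn, hold, bgp_id, opt_len = struct.unpack("!BHHIB", raw[19:29])
    caps = []
    pos, end = 29, 29 + opt_len
    while pos < end:
        param_type, param_len = raw[pos], raw[pos + 1]
        body = raw[pos + 2:pos + 2 + param_len]
        if param_type == 2:  # Capabilities optional parameter (RFC 5492)
            i = 0
            while i < len(body):
                code, clen = body[i], body[i + 1]
                cap = {"code": code, "name": CAPABILITY_NAMES.get(code, "unknown"),
                       "value": body[i + 2:i + 2 + clen].hex()}
                if code == 1 and clen == 4:  # AFI(2) reserved(1) SAFI(1)
                    cap["afi"], _, cap["safi"] = struct.unpack("!HBB", body[i + 2:i + 6])
                caps.append(cap)
                i += 2 + clen
        pos += 2 + param_len
    return {"version": version, "asn": asn, "hold_time": hold,
            "bgp_id": str(IPv4Address(bgp_id)), "capabilities": caps}


def explain_notification(code: int, subcode: int, data_hex: str, local_router_id: str) -> str:
    """Explain a NOTIFICATION the way IOS logged it, e.g. 2/3 with data C0000201."""
    if code != 2:
        return f"error code {code}/{subcode} (not an OPEN error)"
    reason = OPEN_ERROR_SUBCODES.get(subcode, f"subcode {subcode}")
    if subcode == 3:
        offending = str(IPv4Address(bytes.fromhex(data_hex)))
        clash = " (same as our own router-id)" if offending == local_router_id else ""
        return f"{reason}: peer offered BGP identifier {offending}{clash}"
    return reason


def supports_route_refresh(parsed: dict) -> bool:
    """True if the OPEN advertised the standard (2) or old Cisco (128) route-refresh capability."""
    return any(c["code"] in (2, 128) for c in parsed["capabilities"])


# The hex dump from the %BGP-3-NOTIFICATION line above (spaces are ignored).
IOS_DUMP = ("FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF 002D 0104 FDE9 00B4 C000 0201 "
            "1002 0601 0400 0100 0102 0280 0002 0202 00")
OPEN_MSG = bytes.fromhex(IOS_DUMP.replace(" ", ""))

if __name__ == "__main__":
    info = parse_open(OPEN_MSG)
    print(info)
    print(explain_notification(2, 3, "C0000201", local_router_id="192.0.2.1"))
    print("route-refresh advertised:", supports_route_refresh(info))
```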

It's always smart to either let the router use one of its IP-addressed interfaces or, more preferred & best practice, build a loopback interface and define that address for both your BGP and OSPF router-id.

NOTE: For proper route distribution the BGP and OSPF router-ids must match; I will talk about that in a future post.


I hope the above helps you in your BGP design and any configuration considerations.

Ken Felix
Freelance Network/Security  Engineer
kfelix  at hyperfeed d-o-t com

Monday, February 4, 2013

A quick peek at "Intermediate System-Intermediate System" aka ISIS

In this post, we will look at the concepts and a few differences between IS-IS and OSPF.

1st, here's a typical view of the 2 types of network with 4 areas;










As you can see in the bottom half, all areas are connected to Area 0 via an ABR. If you have a big network, this area 0 can be swamped with LSAs, and the OSPF database will become massive.

ISIS overcomes this requirement, since the sub-areas within ISIS do NOT need connectivity to a common core area 0. Each area is a subdomain and can be connected to the others via a level 1/2 router. Each router within the area is a level 1 and only knows about itself, the other level 1s in that area, and the exits via the level 1/2s. Also, with ISIS we can now travel directly from one area to another if we have connectivity to that area.

NOTE: The level 1-2 routers are truly similar to an OSPF ABR.

 A few of the differences that you need to understand about ISIS;

  • It does not need or use virtual-links; it IS an IS-IS network (pun intended :) )
  • It supports IPv6 and dynamic routing
  • It supports both MD5 and clear-text authentication
  • SPF calculation via the Dijkstra algorithm
  • ISIS is encapsulated in layer 2 (no multicast group like that of OSPF, 224.0.0.5/6)
  • ISIS == more for the ISP
  • OSPF == more for the Enterprise and the smaller ISP
  • Does not have a direct sub-routing option like that of M-OSPF (multicast OSPF)
  • A router could be labeled as level 1, level 2 or level 1-2
  • Does not support NBMA or multipoint topologies

Also, as you can see in the above diagram, since the extended core has no area 0, it's considered a loose core that can be added on to with no rigid requirements as in OSPF, where all areas must attach to a common backbone (area 0).

Where ISIS shines: if you merge or gobble up another network, it's easier to integrate that newly acquired network via ISIS than via OSPF.

Ken Felix
Freelance Network/Security Engineer
kfelix at hyperfeed  dot com