Additional Security Engineer Materials


Certified Advanced Security Engineer

(MTCASE)

Riga, Latvia
March 7 - March 8, 2019
Schedule

• Training day: 9AM - 5PM
• 30 minute breaks: 10:30AM and 3PM
• 1 hour lunch: 12:30PM
• Certification test: last day, 1 hour

2
INTRODUCE
YOURSELF

3
Introduce Yourself

• Name
• Company / Student
• Current Position
• Job Roles
• Expectation from Training

4
LAB SETUP

5
Lab Setup
SSID : CLASS-AP
BAND : 2.4 / 5 GHz
KEY : MikrotikLab

(Diagram: the AP connects over a Wireless-Link to routers R1, R2 ... Rn; each router has an Ether-Link.)

6
Lab Setup

• Router Name : N_Your-Name
• wlan1 : dhcp-client
• ether4 : to your laptop
• Local IP address : 192.168.N.0/24
• P2P IP address : 10.NN.0.(N/N)/24

N : Your Router Number
N : Partner Router Number

7
SECURITY INTRO

8
What Security is all about?

• Security is about protection of assets.
  – D. Gollmann, Computer Security, Wiley
• Confidentiality : Protecting personal privacy and proprietary information.
• Integrity : Ensuring information non-repudiation and authenticity.
• Availability : Ensuring timely and reliable access to and use of information.

9
What Security is all about?

• Prevention : take measures that prevent your assets from being damaged (or
  stolen)
• Detection : take measures so that you can detect when, how, and by whom an
  asset has been damaged
• Reaction : take measures so that you can recover your assets

10
Security Attacks, Mechanisms & Services

• Security Attack : Any action that compromises the security of information
• Security Mechanism : a process / device that is designed to detect, prevent
  or recover from a security attack.
• Security Service : a service intended to counter security attacks,
  typically by implementing one or more mechanisms.

11
Security Threats / Attacks

NORMAL FLOW

(Diagram: Information source → Information destination)

12
Security Threats / Attacks

INTERRUPTION

(Diagram: the flow from Information source to Information destination is cut.)

“services or data become unavailable, unusable, destroyed, and so on, such
as loss of files, denial of service, etc.”

13
Security Threats / Attacks

INTERCEPTION

(Diagram: Information source → Information destination, with an Attacker
reading the flow.)

“an unauthorized subject has gained access to an object, such as stealing
data, overhearing others’ communication, etc.”

14
Security Threats / Attacks

MODIFICATION

(Diagram: Information source → Attacker → Information destination.)

“unauthorized changing of data or tampering with services, such as alteration
of data, modification of messages, etc.”

15
Security Threats / Attacks

FABRICATION

(Diagram: Attacker → Information destination, with no genuine flow from the
Information source.)

“additional data or activities are generated that would normally not exist,
such as adding a password to a system, replaying previously sent messages,
etc.”

16
Type of Threats / Attacks

Attack / Threats
• Active Attacks / Threats
  – Interruption
  – Modification
  – Fabrication
• Passive Attacks / Threats
  – Interception

17
Security Mechanisms

• Encryption : transforming data into something an attacker cannot
  understand, i.e., providing a means to implement confidentiality, as well
  as allowing the user to check whether data have been modified.
• Authentication : verifying the claimed identity of a subject, such as user
  name, password, etc.
• Authorization : checking whether the subject has the right to perform the
  action requested.
• Auditing : tracing which subjects accessed what, when, and which way. In
  general, auditing does not provide protection, but can be a tool for
  analysis of problems.

18
COMMON
THREATS

19
Common Security Threats

Botnet
“Collection of software robots, or 'bots', that creates
an army of infected computers (known as ‘zombies') that are
remotely controlled by the originator”

What it can do :
• Send spam emails with viruses attached.
• Spread all types of malware.
• Can use your computer as part of a denial of service
attack against other systems.

20
Common Security Threats

Distributed denial-of-service (DDoS)
“A distributed denial-of-service (DDoS) attack — or DDoS attack — is when a
malicious user gets a network of zombie computers to sabotage a specific
website or server.”

What it can do :
• The most common and obvious type of DDoS attack occurs
when an attacker “floods” a network with useless
information.
• The flood of incoming messages to the target system
essentially forces it to shut down, thereby denying access to
legitimate users.

21
Common Security Threats

Hacking
“Hacking is a term used to describe actions taken by
someone to gain unauthorized access to a computer.”

What it can do :
• Find weaknesses (or pre-existing bugs) in your security
settings and exploit them in order to access your.
• Install a Trojan horse, providing a back door for hackers to
enter and search for your information.

22
Common Security Threats

Malware
“Malware is one of the more common ways to infiltrate or
damage your computer, it’s software that infects your computer, such as
computer viruses, worms, Trojan horses, spyware, and adware.”

What it can do :
• Intimidate you with scareware, which is usually a pop-up message that
tells you your computer has a security problem or other false information.
• Reformat the hard drive of your computer causing you to lose all your
information.
• Alter or delete files.
• Steal sensitive information.
• Send emails on your behalf.
• Take control of your computer and all the software running on it.

23
Common Security Threats

Phishing
“Phishing is used most often by cyber criminals because
it's easy to execute and can produce the results they're looking for
with very little effort.”

What it can do :
• Trick you into giving them information by asking you to update,
validate or confirm your account. It is often presented in a
manner than seems official and intimidating, to encourage you to
take action.
• Provides cyber criminals with your username and passwords so
that they can access your accounts (your online bank account,
shopping accounts, etc.) and steal your credit card numbers.

24
Common Security Threats

Ransomware
“Ransomware is a type of malware that restricts
access to your computer or your files and displays a message
that demands payment in order for the restriction to be
removed.”

What it can do :
• Lockscreen ransomware: displays an image that prevents
you from accessing your computer.
• Encryption ransomware: encrypts files on your system's
hard drive and sometimes on shared network drives, USB
drives, external hard drives, and even some cloud storage
drives, preventing you from opening them.

25
Common Security Threats

Spam
“Spam is one of the more common methods of both
sending information out and collecting it from unsuspecting people.”

What it can do :
• Annoy you with unwanted junk mail.
• Create a burden for communications service providers and
businesses to filter electronic messages.
• Phish for your information by tricking you into following links or
entering details with too-good-to-be-true offers and promotions.
• Provide a vehicle for malware, scams, fraud and threats to your
privacy.

26
Common Security Threats

Spoofing
“This technique is often used in conjunction with
phishing in an attempt to steal your information.”

What it can do :
• Sends spam using your email address, or a variation of your email address,
  to your contact list.
• Recreates websites that closely resemble the authentic
site. This could be a financial institution or other site that
requires login or other personal information.

27
Common Security Threats

Spyware & Adware


“This technique is often used by third parties to infiltrate your computer
or steal your information without you knowing it.”

What it can do :
• Collect information about you without you knowing about it and
give it to third parties.
• Send your usernames, passwords, surfing habits, list of
applications you've downloaded, settings, and even the version
of your operating system to third parties.
• Change the way your computer runs without your knowledge.
• Take you to unwanted sites or inundate you with uncontrollable
pop-up ads.

28
Common Security Threats

Trojan Horses
“A malicious program that is disguised as, or embedded
within, legitimate software. It is an executable file that will install
itself and run automatically once it's downloaded.”

What it can do :
• Delete your files.
• Use your computer to hack other computers.
• Watch you through your web cam.
• Log your keystrokes (such as a credit card number you entered
in an online purchase).
• Record usernames, passwords and other personal information.

29
Common Security Threats

Virus
“Malicious computer programs that are often sent as an
email attachment or a download with the intent of infecting your
computer.”

What it can do :
• Send spam.
• Provide criminals with access to your computer and contact lists.
• Scan and find personal information like passwords on your
computer.
• Hijack your web browser.
• Disable your security settings.
• Display unwanted ads.

30
Common Security Threats

Worm
“A worm, unlike a virus, goes to work on its own
without attaching itself to files or programs. It lives in your
computer memory, doesn't damage or alter the hard drive and
propagates by sending itself to other computers in a network.”

What it can do :
• Spread to everyone in your contact list.
• Cause a tremendous amount of damage by shutting down
parts of the Internet, wreaking havoc on an internal network
and costing companies enormous amounts of lost revenue.

31
SECURITY
DEPLOYMENT

32
MikroTik as a Global Firewall Router

DATA CENTER

OFFICE
INTERNET

GUEST

33
MikroTik as a Global Firewall Router

Pros
• Simple topology
• Easy to manage

Cons
• Concentrates everything in a single point of failure
• Highly resource demanding

34
MikroTik as a Specific Router Firewall

DATA CENTER

OFFICE
INTERNET

GUEST

35
MikroTik as a Specific Router Firewall

Pros
• Less resource consumption on each router
• The firewall on each router focuses on its own network only

Cons
• Different network segments need different treatment
• The firewall has to be configured differently on each router
• Firewall rules sometimes end up duplicated across routers

36
MikroTik as an IPS

DATA CENTER

OFFICE
INTERNET

GUEST

37
MikroTik as an IPS

Pros
• Clean firewall configuration on the routers, because all firewall rules
  are defined on the IPS router.

Cons
• Needs a high-resource MikroTik device as the IPS

38
MikroTik with IDS as a trigger

DATA CENTER

OFFICE
INTERNET

GUEST
IDS SERVER

39
MikroTik with IDS as a trigger

Pros
• All firewall rules are created automatically, via the API, from the IDS
  server

Cons
• Needs an additional device to trigger on bad traffic
• Needs a powerful device for mirroring all traffic in/out of the networks
• Needs special scripting for sending information to the router
• Expensive

40
IPv6 SECURITY

41
IPv6 Review – Address Comparison

42
IPv6 Review – Header Comparison

43
IPv6 Review – Extension Header

44
IPv6 Review – Usable Addresses

45
IPv6 Threat Types

• Reconnaissance : Provide the adversary with information
• Unauthorized access : Exploit
• Header manipulation and fragmentation : Evade or overwhelm
• Layer 3–Layer 4 spoofing : Mask the intent or origin of the traffic
• NDP and DHCP attacks : Subvert the host initialization process
• Broadcast amplification attacks (smurf) : Amplify the effect of a flood

46
IPv6 Threat Types

• Routing attacks : Disrupt or redirect traffic flows
• Viruses and worms : Propagation of the malicious payload
• Sniffing : Capturing data
• Application layer attacks : Attacks executed at Layer 7
• Rogue devices : Unauthorized devices connected to a network
• Man-in-the-middle attacks : Attacks which involve interposing an adversary
  between two communicating parties
• Flooding : Consume enough resources to delay processing of valid traffic

47
IPv6 Threats - Scanning

• Subnet size is much larger
  – Default subnets in IPv6 have 2^64 addresses (approx. 18x10^18).
    An exhaustive scan of every address on a subnet is no longer reasonable
    (at 1 000 000 addresses per second it takes > 500 000 years to scan)
  – NMAP doesn't even support IPv6 network scanning
• IPv6 scanning methods are likely to change
  – Public servers will still need to be DNS reachable, giving the attacker
    some hosts to attack – this is not new!
  – Administrators may adopt easy to remember addresses (::1, ::2, ::53, or
    simply the IPv4 last octet)
  – EUI-64 addresses have a “fixed part”
  – Ethernet card vendors can be guessed
  – New techniques to harvest addresses – e.g. from DNS zones, logs

48
IPv6 Threats - Scanning

• Deny DNS zone transfer
  – By compromising routers at key transit points in a network, an attacker
    can learn new addresses to scan
• Other possible network hiding: DNS splitting
• New attack vectors: “All node/router …. addresses”
• New multicast addresses - IPv6 supports new multicast addresses that can
  enable an attacker to identify key resources on a network and attack them
  – For example, all nodes (FF02::1), all routers (FF05::2) and all DHCP
    servers (FF05::5)
  – These addresses must be filtered at the border in order to make them
    unreachable from the outside – this is the default if no IPv6
    multicasting is enabled

49
IPv6 Threats - Unauthorized Access

• Policy implementation in IPv6 with Layer 3 and Layer 4 is still done in
  firewalls
• Some design considerations!
  – Filter site-scoped multicast addresses at site boundaries
  – Filter IPv4-mapped IPv6 addresses on the wire
  – Multiple addresses per interface
• Non-routable + bogon address filtering is slightly different
  – in IPv4 it is easier to deny non-routable + bogon addresses
  – in IPv6 it is easier to permit legitimate addresses (almost)

50
IPv6 Threats - Header Manipulation

• Deny IPv6 fragments destined to an inter-networking device - used as a DoS
  vector to attack the infrastructure
• Ensure adequate IPv6 fragmentation filtering capabilities. For example,
  drop all packets with the routing header if you don't have MIPv6
• Potentially drop all fragments with less than 1280 octets (except the last
  fragment)
• All fragments should be delivered within 60 seconds, otherwise drop them

51
IPv6 Threats - L3 / L4 Spoofing

• While L4 spoofing remains the same, IPv6 addresses are globally
  aggregated, making spoof mitigation at aggregation points easy to deploy
• Can be done more easily since the IPv6 address is hierarchical
• However the host part of the address is not protected
  – IPv6 <–> MAC address (user) mapping is needed for accountability

52
IPv6 Threats - Auto Configuration

• Neighbor Discovery ~ security ~ Address Resolution Protocol
  – No attack tools – arp cache poisoning
  – No prevention tools – dhcp snooping
• Better solution with SEND
  – based on CGA: token1=hash(modifier, prefix, public key, collision count)
  – RFC3972 available!
• DHCPv6 with authentication is possible
• ND with IPsec also possible

53
IPv6 Threats – DDoS Attacks

• There are no broadcast addresses in IPv6
  – This would stop any type of amplification/"Smurf" attacks that send
    ICMP packets to the broadcast address
  – Global multicast addresses for special groups of devices, e.g.
    link-local addresses, site-local addresses, all site-local routers, etc.
• IPv6 specifications forbid the generation of ICMPv6 packets in response to
  messages to global multicast addresses (exception: Packet Too Big message –
  it is questionable practice).
  – Many popular operating systems follow the specification
  – Still uncertain on the danger of ICMP packets with global multicast
    source addresses

54
IPv6 Threats – DDoS Mitigation

• Be sure that your host implementation follows RFC 2463
• Implement RFC 2827 ingress filtering
• Implement ingress filtering of IPv6 packets with an IPv6 multicast source
  address

55
IPv6 Threats – Routing Attack

• Use traditional authentication mechanisms for BGP and IS-IS.
• Use IPsec to secure protocols such as OSPFv3 and RIPng

56
IPv6 Threats – Sniffing

• Without IPsec, IPv6 is no more or less likely to fall victim to a sniffing
  attack than IPv4

57
IPv6 Threats – Application Attacks

• Even with IPsec, the majority of vulnerabilities on the Internet today are
  at the application layer, something that IPsec will do nothing to prevent

58
IPv6 Threats – MITM

• Without IPsec, any attacks utilizing MITM will have the same likelihood in
  IPv6 as in IPv4

59
IPv6 Threats – Flooding

• Flooding attacks are identical for both IPv4 and IPv6

60
Man in the Middle Attack

• Man in the middle with spoofed ICMPv6 Neighbor Advertisement.
• Man in the middle with spoofed ICMPv6 Router Advertisement.
• Man in the middle using ICMPv6 Redirect or ICMPv6 Packet Too Big to implant
  a route.
• Man in the middle with a rogue DHCPv6 server

61
NDP Attacks

• Attacks related to Neighbor Discovery (ND)
  – NDP Spoofing
  – DAD DoS attack
• Attacks related to Router Advertisement (RA)
  – RA Flooding
  – Rogue RA
• Note that anyone can send an advertisement (NA or RA)

62
IPv6 Attack Frameworks

• “The Hackers’ Choice” THC-IPv6
  – https://www.thc.org/thc-ipv6/
• SI6 Networks IPv6 Toolkit
  – http://www.si6networks.com/tools/ipv6toolkit/
• Chiron
  – http://www.secfu.net/tools-scripts/

63
Duplicate Address Detection - DoS

(Diagram: two new hosts each send a Neighbor Solicitation asking “Is this
address unique?”; the attacker answers both.)

Client sends Neighbor Solicitation (NS)
Attacker sends Neighbor Advertisement (NA) for each NS
Result: those addresses appear to be taken

64
DAD Attack Tool - DoS

dos-new-ip6
• This tool prevents new IPv6 interfaces from coming up by sending answers
  to duplicate IPv6 address checks. This results in a DoS for new IPv6
  devices.

65
Neighbor Discovery Spoofing

(Diagram: a client asks “What is Host B’s MAC address?”; the attacker
answers “I am Host B. This is my MAC.”)

Client sends Neighbor Solicitation (NS) asking for Host B’s link layer address
Attacker sends a Neighbor Advertisement (NA): spoofs Host B and sends his own
MAC

66
NDP Spoofing – Attack Tool

Parasite6
• This is an "ARP spoofer" for IPv6, redirecting all local traffic to your
  own system (or to nirvana if the fake MAC does not exist) by answering
  falsely to Neighbor Solicitation requests; specifying FAKE-MAC results in
  a local DoS.

67
Router Advertisement Spoofing

(Diagram: clients send “Get New Address”; the attacker floods the router
until it is down, then acts as the router.)

68
Man in the Middle Attack

(Diagram: man-in-the-middle topology; prefixes shown: 2000:db8::1/64 and
fac:dead:a11::/64.)

69
Router Advertisement Spoofing

• Since this happens on Layer 2, the router is nearly blind to this kind of
  attack, but you can activate the RA Guard feature on your switch.
  Activating RA Guard can mitigate this attack, although the script has a
  few advanced options which can be used to defeat it.
• Disabling “Router Discovery” on your PC will make it discard any RA
  packets.

70
Router Advertisement Flooding

• Traffic flooding with ICMPv6 Router Advertisement, Neighbor Advertisement,
  Neighbor Solicitation, multicast listener discovery (MLD), or smurf attack.
• Denial of Service which prevents new IPv6 attack on the network.
• Denial of Service which is related to fragmentation.
• Traffic flooding with ICMPv6 Neighbor Solicitation and a lot of crypto
  stuff to make the target CPU busy.

71
Router Advertisement Flooding

(Diagram: the attacker floods a client with RAs; the client ends up with a
great many IPv6 addresses.)

72
Router Advertisement Flooding

73
Router Advertisement Flooding

74
Detect Rogue RAs & ND Spoofing

• With a generic Intrusion Detection System
  – signatures needed
  – decentralized sensors in all network segments needed
• With NDPmon
  – can monitor RAs, NAs, DAD-DoS
  – generates syslog events and/or sends e-mails
  – freely available at ndpmon.sourceforge.net
• Using deprecation daemons:
  – ramond, rafixd
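The checks a monitor such as NDPmon performs, as an added example (this is not NDPmon's code and not part of the deck): it flags an RA from a MAC that is not an authorized router, an NA that claims an address already mapped to a different link-layer address, and one MAC answering many DAD probes within a short window. The line format, MAC and prefix values, window and threshold are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NDEvent:
    """One observed ICMPv6 ND message, as a sensor would log it."""
    ts: float
    src_mac: str
    kind: str          # "RA", "NS" or "NA"
    target: str = ""   # NS/NA target address
    lladdr: str = ""   # link-layer address option carried in an NA
    src_ip: str = ""   # IPv6 source; "::" marks a DAD probe
    prefix: str = ""   # prefix advertised by an RA


def parse_line(line: str) -> NDEvent:
    """Parse one constructed key=value sensor line into an NDEvent."""
    f = dict(tok.split("=", 1) for tok in line.split())
    return NDEvent(ts=float(f["ts"]), src_mac=f["mac"].lower(), kind=f["type"],
                   target=f.get("target", ""), lladdr=f.get("lladdr", "").lower(),
                   src_ip=f.get("src", ""), prefix=f.get("prefix", ""))


class NDMonitor:
    """Flags rogue RAs, NA spoofing and DAD DoS from a stream of NDEvents."""

    def __init__(self, authorized_routers, authorized_prefixes,
                 dad_threshold=3, dad_window=10.0):
        self.routers = {m.lower() for m in authorized_routers}
        self.prefixes = {ipaddress.ip_network(p) for p in authorized_prefixes}
        self.neighbors = {}        # target address -> first link-layer address seen
        self.dad_probes = set()    # addresses currently in DAD (NS sent from ::)
        self.dad_answers = {}      # answering MAC -> [(ts, target), ...]
        self.dad_threshold = dad_threshold
        self.dad_window = dad_window
        self.alerts = []

    def observe(self, ev: NDEvent):
        handler = {"RA": self._ra, "NS": self._ns, "NA": self._na}.get(ev.kind)
        alert = handler(ev) if handler else None
        if alert:
            self.alerts.append(alert)
        return alert

    def _ra(self, ev):
        # Anyone on the link can send an RA; only the known routers may.
        if ev.src_mac not in self.routers:
            return f"ROGUE_RA mac={ev.src_mac} prefix={ev.prefix}"
        if ipaddress.ip_network(ev.prefix) not in self.prefixes:
            return f"UNEXPECTED_PREFIX mac={ev.src_mac} prefix={ev.prefix}"
        return None

    def _ns(self, ev):
        if ev.src_ip == "::":      # unspecified source: a DAD probe
            self.dad_probes.add(ev.target)
        return None

    def _na(self, ev):
        if ev.target in self.dad_probes:
            # An NA answering a DAD probe says "address taken"; one MAC answering
            # many probes in a short window is the dos-new-ip6 pattern.
            hits = self.dad_answers.setdefault(ev.src_mac, [])
            hits.append((ev.ts, ev.target))
            recent = {t for ts, t in hits if ev.ts - ts <= self.dad_window}
            if len(recent) >= self.dad_threshold:
                return f"DAD_DOS mac={ev.src_mac} answered={len(recent)}"
        known = self.neighbors.setdefault(ev.target, ev.lladdr)
        if known != ev.lladdr:
            return (f"NA_SPOOF target={ev.target} known={known} "
                    f"claimed={ev.lladdr} mac={ev.src_mac}")
        return None


# Constructed sensor log: one legitimate router (...:01), one misbehaving host (...:aa).
SAMPLE_LOG = """\
ts=1 mac=00:00:5e:00:53:01 type=RA prefix=2001:db8:1::/64
ts=2 mac=00:00:5e:00:53:aa type=RA prefix=2001:db8:bad::/64
ts=3 mac=00:00:5e:00:53:10 type=NA target=2001:db8:1::10 lladdr=00:00:5e:00:53:10
ts=4 mac=00:00:5e:00:53:aa type=NA target=2001:db8:1::10 lladdr=00:00:5e:00:53:aa
ts=5 mac=00:00:5e:00:53:20 type=NS src=:: target=2001:db8:1::20
ts=6 mac=00:00:5e:00:53:aa type=NA target=2001:db8:1::20 lladdr=00:00:5e:00:53:aa
ts=7 mac=00:00:5e:00:53:21 type=NS src=:: target=2001:db8:1::21
ts=8 mac=00:00:5e:00:53:aa type=NA target=2001:db8:1::21 lladdr=00:00:5e:00:53:aa
ts=9 mac=00:00:5e:00:53:22 type=NS src=:: target=2001:db8:1::22
ts=10 mac=00:00:5e:00:53:aa type=NA target=2001:db8:1::22 lladdr=00:00:5e:00:53:aa
"""


def run_monitor(log_text=SAMPLE_LOG):
    """Feed the log to a monitor that trusts one router and one prefix."""
    mon = NDMonitor(authorized_routers=["00:00:5e:00:53:01"],
                    authorized_prefixes=["2001:db8:1::/64"])
    for line in log_text.splitlines():
        if line.strip():
            mon.observe(parse_line(line))
    return mon.alerts
```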

75
RA Guard

• Router Advertisement Guard (RFC 6105)
• All messages between IPv6 end-devices traverse the controlled L2
  networking device.
• Filter RA messages based on a set of criteria

(Diagram: one switch port allows incoming RA; the other ports block incoming
RA.)

76
How to Countermeasure

• Make sure your router only allows your IPv6 network and rejects others
• Selectively filter ICMPv6
• Determine which ICMPv6 messages are required
• Filter unneeded services on your router
• Disable “Router Discovery” on your critical servers and always use static
  IPv6 addresses
• Don’t forget to reject all bogon addresses

77
Allowing own Prefix

• Only allow forwarded packets from your own prefixes.

/ipv6 firewall filter add action=drop chain=forward out-interface=ether1-ISP src-address=!2000:aaaa::/40

78
Allowing ICMPv6

• Allow ICMPv6.

/ipv6 firewall filter add action=accept chain=forward protocol=icmpv6

79
Filtering unneeded services

• Selectively allow service ports.

/ipv6 firewall filter
add action=drop chain=forward dst-port=!22,53,80,443 in-interface=ether1-ISP protocol=tcp
add action=drop chain=forward dst-port=!53 in-interface=ether1-ISP protocol=udp

80
Filtering Bogons Address

• Drop bogon addresses.

/ipv6 firewall filter
add action=drop chain=forward in-interface=ether1-ISP src-address-list=ipv6-bogons
add action=drop chain=forward dst-address-list=ipv6-bogons in-interface-list=INTERNAL

Note : bogon address list
https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt

81
OSPF SECURITY

82
OSPF - Attacks

Basically, attacks against OSPF consist of forging Hello, LSA and LSU
messages on behalf of authorized hosts, causing:
• Denial of service and / or
• Topology changes

83
OSPF - Resource Starvation Attacks

Topology changes lead to other threats like
• Eavesdropping
• Man-in-the-middle attack
• “Phantom LSAs” are Router/Network LSAs sent on behalf of non-existing OSPF
  peers (no need to know the authentication key)
• These entries are ignored by the Shortest Path First (SPF) algorithm (they
  do not produce topology changes)
• “Phantom LSAs” are entered in the Link State Database and each entry is
  kept until “MaxAge” expires

84
OSPF - Resource Starvation Attacks

Memory impact
• Bogus LSAs with an arbitrary source take up space in the topology table
  until the LSA ages out
CPU impact
• LSAs with bogus MD5 passwords invoke the MD5 function
Bandwidth impact
• Bogus LSAs and the associated legitimate response traffic could be
  disruptively high in large, densely populated areas.
• Bogus link state request packets can saturate a link with requests for
  nonexistent networks.

85
OSPF - Resource Starvation Attacks

An attacker can force topology changes by introducing false LSA information
Pre-condition:
• absence of encryption.
• compromised pre-shared key.
Impacts of topology changes
• Allow eavesdropping
• Starve/overload a network
• Unstable topology (loops, route-flapping)

86
Misdirecting Traffic to Form Routing Loops

87
Misdirecting Traffic to a Black Hole

88
Eavesdropping/Man-in-the-middle

89
Attacks Against OSPF

90
Protecting OSPF

From the point of view of the attacker’s location we can divide the possible
attacks into:
External attacks
• Attacker is outside of the Autonomous System (AS) boundary
Internal attacks
• Attacker is inside the AS, in the same L2 network segment where OSPF is
  running
• Attacker is inside the AS, but not in the same L2 network segment.

91
OSPF Attack

(Diagram: R1 (.1) and R2 (.2) on 192.168.0.0/24, with a third host at .11.)

92
OSPF Attack Scenario

• Attacker and two OSPF-enabled routers are in the same network.
• Attacker acts as an OSPF router
• Attacker sends OSPF packets to manipulate the routers’ neighbor tables and
  routing tables

93
OSPF Neighbor/Route Injection

Sending OSPF Packets from Attacker using Loki

97
OSPF Neighbor/Route Injection

Inject network 10.0.0.0/24 to OSPF routing table

98
Preventing OSPF Attacks

• It is recommended to set “Authentication” for every peering to other OSPF
  routers

/routing ospf interface
add authentication=md5 authentication-key=thisissecret interface=ether1-IXP network-type=broadcast

99
Preventing OSPF Attacks

• It is recommended to set “Passive” on interfaces that are not facing
  another OSPF router, and also to set Authentication.

/routing ospf interface
add authentication=md5 authentication-key=thisisalsosecret interface=ether4-DOWNSTREAM1 network-type=broadcast passive=yes

100
Preventing OSPF Attacks

• Drop the “ospf” protocol on interfaces that are not part of the OSPF
  routing interface list.

/interface list add name=OSPF-INTERFACE
/interface list member add interface=ether-x list=OSPF-INTERFACE
/interface list member add interface=ether-y list=OSPF-INTERFACE
/interface list member add interface=ether-z list=OSPF-INTERFACE

/ip firewall filter add action=drop chain=input in-interface-list=!OSPF-INTERFACE protocol=ospf
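What the authentication=md5 setting above buys on the receiving side, as an added example (not RouterOS code and not from the deck): an OSPFv2 packet builder and checker implementing the MD5 cryptographic authentication of RFC 2328 Appendix D, with the per-neighbour sequence-number check that rejects replays before any MD5 is computed (the CPU cost noted under resource starvation). The router id, key id, Hello body bytes and zero-padding of the key to 16 bytes are assumptions of the example.

```python
import hashlib
import hmac
import struct

# OSPFv2 header: version, type, length, router-id, area-id, checksum, autype
OSPF_HDR = struct.Struct("!BBHIIHH")
CRYPT_AUTH = 2          # AuType 2 = cryptographic authentication
HELLO = 1


def build_packet(ptype, router_id, area_id, body, key_id, seq, key):
    """Build an OSPFv2 packet with MD5 authentication (RFC 2328 Appendix D).
    The 16-byte digest follows the packet and is not counted in the length
    field; the key is zero-padded to 16 bytes (assumed, as implementations do)."""
    length = OSPF_HDR.size + 8 + len(body)
    header = OSPF_HDR.pack(2, ptype, length, router_id, area_id, 0, CRYPT_AUTH)
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)   # zeros, key id, digest len, seq
    packet = header + auth + body
    digest = hashlib.md5(packet + key.ljust(16, b"\x00")[:16]).digest()
    return packet + digest


class OspfAuthChecker:
    """Receiver side of OSPF MD5 authentication with replay protection."""

    def __init__(self, keys):
        self.keys = keys          # key id -> shared key (bytes)
        self.last_seq = {}        # router id -> last accepted sequence number
        self.md5_calls = 0        # how often MD5 had to run (the CPU cost)

    def verify(self, frame):
        if len(frame) < OSPF_HDR.size + 8 + 16:
            return "drop:short"
        _ver, _type, length, rid, _area, _csum, autype = OSPF_HDR.unpack_from(frame)
        if autype != CRYPT_AUTH or len(frame) != length + 16:
            return "drop:auth-type"
        _, key_id, auth_len, seq = struct.unpack_from("!HBBI", frame, OSPF_HDR.size)
        key = self.keys.get(key_id)
        if key is None or auth_len != 16:
            return "drop:unknown-key"
        # Cheap check first: a replayed packet carries an old sequence number,
        # so it is rejected before an MD5 computation is spent on it.
        if seq < self.last_seq.get(rid, 0):
            return "drop:replay"
        self.md5_calls += 1
        expected = hashlib.md5(frame[:length] + key.ljust(16, b"\x00")[:16]).digest()
        if not hmac.compare_digest(expected, frame[length:]):
            return "drop:bad-digest"
        self.last_seq[rid] = seq
        return "accept"


def demo():
    """Constructed exchange: a genuine Hello, a tampered copy, a forgery made
    with a guessed key, the next genuine Hello, and a replay of the first."""
    key = b"thisissecret"                              # same idea as authentication-key=
    rid, area = 0xC0A80001, 0                         # router id 192.168.0.1, area 0
    hello_body = b"\xff\xff\xff\x00" + b"\x00" * 16   # placeholder Hello body
    checker = OspfAuthChecker({1: key})
    results = {}
    genuine = build_packet(HELLO, rid, area, hello_body, 1, 100, key)
    results["genuine"] = checker.verify(genuine)
    tampered = genuine[:40] + b"\x01" + genuine[41:]  # flip one body byte
    results["tampered"] = checker.verify(tampered)
    forged = build_packet(HELLO, rid, area, hello_body, 1, 101, b"guessed")
    results["wrong-key"] = checker.verify(forged)
    newer = build_packet(HELLO, rid, area, hello_body, 1, 101, key)
    results["next"] = checker.verify(newer)
    results["replay"] = checker.verify(genuine)       # seq 100 again
    results["md5_calls"] = checker.md5_calls
    return results
```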

101
BGP SECURITY

102
BGP Security

• Based on RFC 7547, recommendations can be split into the following
  categories :
  – BGP Session Protection
  – Prefix Filtering Recommendations
  – AS-Path Filtering Recommendations
  – Next-Hop Filtering
  – Optional BGP Community Scrubbing
  – Traffic Filtering Recommendations

103
BGP Session Protection

• This group of BGP protection mechanisms is responsible for maintaining the
  stability of BGP sessions, as well as providing anti-spoofing and bogus
  route-injection protection mechanisms.
• It helps to protect against operators’ mistakes.
• GTSM (Generalized TTL Security Mechanism)
• TCP-AO (TCP Authentication Option)
• MD5
• Maximum-Prefix Limit

104
GTSM

• GTSM – Generalized TTL Security Mechanism, also known as TTL security,
  defined in RFC 5082.
• TTL Security is a mechanism that checks the TTL value of incoming IP
  packets in order to make sure they have not been spoofed.
• Directly connected BGP peers will set the IP TTL value to 255, making it
  impossible to deliver spoofed IP packets with TTL=255 via non-directly
  connected interfaces.

105
GTSM

R1 R2

# on R1
/ routing bgp peer set R2 ttl=255

# on R2
/ routing bgp peer set R1 ttl=255

106
TCP-AO

• TCP-AO – TCP Authentication Option is a stronger protection mechanism than
  the traditionally used MD5; it is described in RFC 5925.
• It is expected to replace MD5 for session protection.
• But it has not been widely adopted due to the lack of implementation from
  equipment vendors.
• No configuration examples due to the lack of vendors’ implementation.

107
MD5

• MD5 is a TCP session protection mechanism that has been available for many
  years
• It is supported by the vast majority of equipment manufacturers.
• It has become the de-facto standard for BGP session protection.
• Although it has been made obsolete by TCP-AO protection, it is still used
  for the majority of BGP peering sessions.

108
MD5

R1 R2

# on R1
/ routing bgp peer set R2 tcp-md5-key=this-is-super-secret

# on R2
/ routing bgp peer set R1 tcp-md5-key=this-is-super-secret

109
Maximum-Prefix Limit

• Maximum-Prefix Limit is one of the commonly used safety mechanisms; it
  will bring down the BGP session if the number of routes advertised by the
  peer exceeds the pre-configured limit.
• There are several BGP peering types
  – Public peering or IXP
  – Private peering
  – Upstream / transit peering
  – Downstream
• Unlike MD5, the max-prefix limit can be configured on one side only.

110
Maximum-Prefix Limit

R1 R2

# on R1
/ routing bgp peer set R2 max-prefix-limit=100

# on R2
/ routing bgp peer set R1 max-prefix-limit=500
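A model of the two checks configured above with ttl=255 and max-prefix-limit, as an added example (not RouterOS code and not from the deck), run over constructed traffic: the directly connected peer's packets arrive with TTL 255, a packet spoofed with the peer's address and relayed by three routers arrives with TTL 252 and is dropped, and a fourth prefix past max-prefix-limit=3 brings the session down. The addresses, the hop-counting convention (number of routers crossed) and the state names are assumptions of the example.

```python
from dataclasses import dataclass, field


@dataclass
class IpPacket:
    src: str
    ttl: int
    prefixes: tuple = ()      # prefixes carried if this is a BGP UPDATE


def forward(pkt, routers_on_path):
    """Every router on the path decrements TTL by one; a sender cannot prevent
    that, which is what GTSM relies on."""
    return IpPacket(pkt.src, pkt.ttl - routers_on_path, pkt.prefixes)


@dataclass
class BgpPeerGuard:
    """Receiver-side model of ttl=255 (GTSM) and max-prefix-limit for one peer."""
    peer_ip: str
    routers_between: int = 0          # 0 = directly connected, the deck's case
    max_prefix: int = 0               # 0 = no limit configured
    received: set = field(default_factory=set)
    state: str = "established"

    def min_ttl(self):
        # A packet from the real peer arrives with 255 minus the number of
        # routers it crossed; anything lower was sent from further away.
        return 255 - self.routers_between

    def process(self, pkt):
        if self.state != "established":
            return "session-down"
        if pkt.src != self.peer_ip:
            return "drop:unknown-source"
        if pkt.ttl < self.min_ttl():
            return "drop:gtsm"
        self.received.update(pkt.prefixes)
        if self.max_prefix and len(self.received) > self.max_prefix:
            self.state = "down:max-prefix"     # the session is torn down
            return "session-down"
        return "accept"


def demo():
    """Constructed traffic: R2 (192.0.2.2) is R1's directly connected peer with
    max-prefix-limit=3; an attacker three routers away spoofs R2's address."""
    guard = BgpPeerGuard(peer_ip="192.0.2.2", max_prefix=3)
    sequence = [
        (IpPacket("192.0.2.2", 255, ("203.0.113.0/24",)), 0),   # genuine, direct
        (IpPacket("192.0.2.2", 255, ("198.51.100.0/24",)), 3),  # spoofed, arrives TTL 252
        (IpPacket("192.0.2.2", 255, ("198.51.100.0/24", "198.51.101.0/24")), 0),
        (IpPacket("192.0.2.2", 255, ("198.51.102.0/24",)), 0),  # 4th prefix > limit
    ]
    results = [guard.process(forward(pkt, hops)) for pkt, hops in sequence]
    return results, guard.state
```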

111
Prefix Filtering

• Prefix-filtering policies are responsible for taking decisions on
  route-advertisements to and from BGP peers.
• Route-filtering should be implemented on each BGP session maintained by
  the service provider :
  – Private/Public/Transit Inbound Prefix Filtering
  – Private/Public/Transit Outbound Prefix Filtering
  – Downstream Inbound Prefix Filtering
  – Downstream Outbound Prefix Filtering

112
Inbound and Outbound

(Diagram: the CORE has three upstream connections – IXP, UPSTREAM TRANSIT and
PRIVATE PEERING – with prefixes 101.0.0.0/24 (ASN 1001), 102.0.0.0/21
(ASN 1002) and 103.0.0.0/22 (ASN 1003); and four downstreams – DOWNSTREAM 1
(ASN 2001, 100.1.0.0/22), DOWNSTREAM 2 (ASN 2002, 100.2.0.0/22),
DOWNSTREAM 3 (ASN 2003, 100.3.0.0/22), DOWNSTREAM 4 (ASN 2004,
100.4.0.0/22).)

113
Inbound and Outbound

(Diagram: STATIC and OSPF routes on each side; the INBOUND filter sits on
what BGP brings in, the OUTBOUND filter on what BGP sends out.)

114
Prefix Filtering – Upstream Inbound

• Private/Public/Transit Inbound Prefix Filtering
  – Special-purpose prefixes (RFC 5735)
  – Unallocated prefixes (bogon prefixes)
  – Prefixes that are too specific (more specific than /24)
  – Prefixes belonging to the local AS (your prefixes)
  – IXP LAN prefixes, other than authorized AS
  – The default route (0.0.0.0/0)

115
Prefix Filtering – Upstream Inbound

(Diagram: IXP, UPSTREAM and PRIVATE PEERING connected to the CORE.)

116
Prefix Filtering – Upstream Inbound
# ADD ROUTING FILTER ACCEPT-ALL & DROP-ALL
/ routing filter
add action=accept chain=ACCEPT-ALL comment="ACCEPT ALL"
add action=discard chain=DROP-ALL comment="DROP ALL"

# ADD ROUTING FILTER RFC 5735
/ routing filter
add action=discard chain=RFC-5735 comment="DEFAULT ROUTE" prefix=0.0.0.0/0
add action=discard chain=RFC-5735 comment="PREFIX LOWER /24" prefix=0.0.0.0/0 prefix-length=25-32
add action=discard chain=RFC-5735 comment="RFC 1122 - This Network" prefix=0.0.0.0/8
add action=discard chain=RFC-5735 comment="RFC 1918 - Private-Use Networks" prefix=10.0.0.0/8
add action=discard chain=RFC-5735 comment="RFC 1122 - Loopback" prefix=127.0.0.0/8
add action=discard chain=RFC-5735 comment="RFC 3927 - Link Local" prefix=169.254.0.0/16
add action=discard chain=RFC-5735 comment="RFC 1918 - Private-Use Networks" prefix=172.16.0.0/12
add action=discard chain=RFC-5735 comment="RFC 5736 - IETF Protocol Assignments" prefix=192.0.0.0/24

117
Prefix Filtering – Upstream Inbound
# ADD ROUTING FILTER RFC 5735 (continued)
/ routing filter
add action=discard chain=RFC-5735 comment="RFC 5737 - TEST-NET-1" prefix=192.0.2.0/24
add action=discard chain=RFC-5735 comment="RFC 1918 - Private-Use Networks" prefix=192.168.0.0/16
add action=discard chain=RFC-5735 comment="RFC 2544 - Device Benchmark Testing" prefix=198.18.0.0/15
add action=discard chain=RFC-5735 comment="RFC 5737 - TEST-NET-2" prefix=198.51.100.0/24
add action=discard chain=RFC-5735 comment="RFC 3068 - 6to4 Relay Anycast" prefix=192.88.99.0/24
add action=discard chain=RFC-5735 comment="RFC 5737 - TEST-NET-3" prefix=203.0.113.0/24
add action=discard chain=RFC-5735 comment="RFC 3171 - Multicast" prefix=224.0.0.0/4
add action=discard chain=RFC-5735 comment="RFC 1112 - Reserved for Future Use" prefix=240.0.0.0/4
add action=discard chain=RFC-5735 comment="RFC 6598 - Shared CGN IPv4 Address" prefix=100.64.0.0/10
add action=return chain=RFC-5735 comment="RETURN PACKET"

# ADD ROUTING FILTER DROP-IXP-PREFIX
/ routing filter
add action=discard chain=IXP-PREFIX prefix=101.0.0.0/24
add action=return chain=IXP-PREFIX comment="RETURN PACKET"

118
Prefix Filtering – Upstream Inbound
# ADD ROUTING FILTER DROP-YOUR-PREFIX
/ routing filter
add action=discard chain=OUR-PREFIX-DROP prefix=100.0.0.0/22 prefix-length=22-24
add action=return chain=OUR-PREFIX-DROP comment="RETURN PACKET"

# CREATE INBOUND FILTER FOR UPSTREAMS
/routing filter
add action=jump chain=IXP-INBOUND jump-target=OUR-PREFIX-DROP
add action=jump chain=IXP-INBOUND jump-target=IXP-PREFIX
add action=jump chain=IXP-INBOUND jump-target=RFC-5735
add action=jump chain=UPSTREAM-INBOUND jump-target=OUR-PREFIX-DROP
add action=jump chain=UPSTREAM-INBOUND jump-target=IXP-PREFIX
add action=jump chain=UPSTREAM-INBOUND jump-target=RFC-5735
add action=jump chain=PRVT_PEER-INBOUND jump-target=OUR-PREFIX-DROP
add action=jump chain=PRVT_PEER-INBOUND jump-target=IXP-PREFIX
add action=jump chain=PRVT_PEER-INBOUND jump-target=RFC-5735

# APPLY ROUTING FILTER TO PEER
/routing bgp peer set peer1-IXP in-filter=IXP-INBOUND
/routing bgp peer set peer2-UPSTREAM in-filter=UPSTREAM-INBOUND
/routing bgp peer set peer3-PRVT_PEER in-filter=PRVT_PEER-INBOUND
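A model of the chain/jump/return semantics of the inbound filters above, as an added example (not RouterOS code and not the trainer's), that runs the UPSTREAM-INBOUND chain over constructed announcements. It assumes the matching semantics the deck's rules rely on: prefix=X without prefix-length matches only that exact prefix (which is what makes the DEFAULT ROUTE rule match 0.0.0.0/0 alone), prefix-length=lo-hi matches any more-specific prefix within X in that range, and a route no rule matches is accepted.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Rule:
    action: str                                       # accept | discard | return | jump
    prefix: Optional[str] = None                      # prefix=...; None matches every route
    prefix_length: Optional[Tuple[int, int]] = None   # prefix-length=lo-hi
    jump_target: Optional[str] = None

    def matches(self, route):
        if self.prefix is None:
            return True
        net = ipaddress.ip_network(self.prefix)
        if route.version != net.version or not route.subnet_of(net):
            return False
        if self.prefix_length is None:
            return route == net                       # no range: only the exact prefix
        lo, hi = self.prefix_length
        return lo <= route.prefixlen <= hi


class RoutingFilter:
    """Chains of rules with accept/discard/return/jump, evaluated the way the
    deck's jump-target chains are meant to work (assumed semantics)."""

    def __init__(self):
        self.chains = {}

    def add(self, chain, **kw):
        self.chains.setdefault(chain, []).append(Rule(**kw))

    def _run(self, chain, route, depth):
        if depth > 16:
            raise RuntimeError("jump loop in chain " + chain)
        for rule in self.chains.get(chain, []):
            if not rule.matches(route):
                continue
            if rule.action in ("accept", "discard"):
                return rule.action
            if rule.action == "return":
                return None
            verdict = self._run(rule.jump_target, route, depth + 1)
            if verdict is not None:                   # the jumped-to chain decided
                return verdict
        return None                                   # end of chain: back to caller

    def evaluate(self, chain, prefix):
        verdict = self._run(chain, ipaddress.ip_network(prefix), 0)
        return verdict or "accept"                    # nothing matched: accepted


def build_upstream_inbound():
    """The deck's UPSTREAM-INBOUND chain and the three chains it jumps to."""
    f = RoutingFilter()
    f.add("RFC-5735", action="discard", prefix="0.0.0.0/0")                          # default route
    f.add("RFC-5735", action="discard", prefix="0.0.0.0/0", prefix_length=(25, 32))  # too specific
    for p in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
              "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
              "198.18.0.0/15", "198.51.100.0/24", "192.88.99.0/24", "203.0.113.0/24",
              "224.0.0.0/4", "240.0.0.0/4", "100.64.0.0/10"):
        f.add("RFC-5735", action="discard", prefix=p)
    f.add("RFC-5735", action="return")
    f.add("IXP-PREFIX", action="discard", prefix="101.0.0.0/24")
    f.add("IXP-PREFIX", action="return")
    f.add("OUR-PREFIX-DROP", action="discard", prefix="100.0.0.0/22", prefix_length=(22, 24))
    f.add("OUR-PREFIX-DROP", action="return")
    for target in ("OUR-PREFIX-DROP", "IXP-PREFIX", "RFC-5735"):
        f.add("UPSTREAM-INBOUND", action="jump", jump_target=target)
    return f


def check_announcements():
    """Constructed announcements an upstream might send, with their verdicts."""
    f = build_upstream_inbound()
    tests = ["0.0.0.0/0", "10.0.0.0/8", "10.1.0.0/16", "8.8.8.0/25", "8.8.8.0/24",
             "101.0.0.0/24", "100.0.1.0/24", "100.0.0.0/22"]
    return {p: f.evaluate("UPSTREAM-INBOUND", p) for p in tests}
```

Note the 10.1.0.0/16 verdict: under the exact-match semantics the RFC 1918 rule catches only the 10.0.0.0/8 aggregate itself, so catching more-specific private announcements needs a prefix-length range like the too-specific rule already uses.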

119
Prefix Filtering – Upstream Outbound

• Private/Public/Transit Outbound Prefix Filtering
  – Special-purpose prefixes (RFC 5735)
  – Prefixes that are too specific (more specific than /24)
  – IXP LAN prefixes
  – The default route (0.0.0.0/0)
  – Advertise your own prefixes
  – Re-advertise your downstream prefixes

120
Prefix Filtering – Upstream Outbound

(Diagram: IXP, UPSTREAM and PRIVATE PEERING connected to the CORE.)

121
Prefix Filtering – Upstream Outbound
# ADD ROUTING FILTER ACCEPT-YOUR-PREFIX
/routing filter
add action=accept chain=OUR-PREFIX-ADV prefix=100.0.0.0/22 prefix-length=22-24
add action=return chain=OUR-PREFIX-ADV comment="RETURN PACKET"

# ADD ROUTING FILTER ACCEPT-DOWNSTREAMS-PREFIX
/routing filter
add action=accept chain=DOWNSTREAM1 prefix=100.1.0.0/22 prefix-length=22-24
add action=return chain=DOWNSTREAM1
add action=accept chain=DOWNSTREAM2 prefix=100.2.0.0/22 prefix-length=22-24
add action=return chain=DOWNSTREAM2
add action=accept chain=DOWNSTREAM3 prefix=100.3.0.0/22 prefix-length=22-24
add action=return chain=DOWNSTREAM3
add action=accept chain=DOWNSTREAM4 prefix=100.4.0.0/22 prefix-length=22-24
add action=return chain=DOWNSTREAM4

122
Prefix Filtering – Upstream Outbound
/routing filter
add action=accept chain=OUR-PREFIX-ADV prefix=100.0.0.0/22
add action=accept chain=OUR-PREFIX-ADV prefix=100.0.0.0/24
add action=accept chain=OUR-PREFIX-ADV prefix=100.0.1.0/24
add action=accept chain=OUR-PREFIX-ADV prefix=100.0.2.0/24
add action=accept chain=OUR-PREFIX-ADV prefix=100.0.3.0/24
add action=return chain=OUR-PREFIX-ADV comment="RETURN PACKET"

/routing filter
add action=jump chain=IXP-OUTBOUND jump-target=OUR-PREFIX-ADV
add action=jump chain=IXP-OUTBOUND jump-target=IXP-PREFIX
add action=jump chain=IXP-OUTBOUND jump-target=RFC-5735
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM1
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM2
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM3
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM4

123
Prefix Filtering – Upstream Outbound
/routing filter
add action=jump chain=UPSTREAM-OUTBOUND jump-target=OUR-PREFIX-ADV
add action=jump chain=UPSTREAM-OUTBOUND jump-target=IXP-PREFIX
add action=jump chain=UPSTREAM-OUTBOUND jump-target=RFC-5735
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM1
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM2
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM3
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM4

/routing filter
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=OUR-PREFIX-ADV
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=IXP-PREFIX
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=RFC-5735
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM1
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM2
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM3
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM4

/routing bgp peer set peer1-IXP out-filter=IXP-OUTBOUND
/routing bgp peer set peer2-UPSTREAM out-filter=UPSTREAM-OUTBOUND
/routing bgp peer set peer3-PRVT_PEER out-filter=PRVT_PEER-OUTBOUND

124
Prefix Filtering – Downstream Inbound

• Downstream Inbound Prefix Filtering
• Only accept downstream prefixes

125
Prefix Filtering – Downstream Inbound

[Diagram: CORE router with DOWNSTREAM 1, DOWNSTREAM 2, DOWNSTREAM 3 and DOWNSTREAM 4 below it]

126
Prefix Filtering – Downstream Inbound

/routing filter
add action=jump chain=DOWNSTREAM1-INBOUND jump-target=DOWNSTREAM1
add action=jump chain=DOWNSTREAM2-INBOUND jump-target=DOWNSTREAM2
add action=jump chain=DOWNSTREAM3-INBOUND jump-target=DOWNSTREAM3
add action=jump chain=DOWNSTREAM4-INBOUND jump-target=DOWNSTREAM4

/routing bgp peer set peer4-DOWNSTREAM1 in-filter=DOWNSTREAM1-INBOUND
/routing bgp peer set peer5-DOWNSTREAM2 in-filter=DOWNSTREAM2-INBOUND
/routing bgp peer set peer6-DOWNSTREAM3 in-filter=DOWNSTREAM3-INBOUND
/routing bgp peer set peer7-DOWNSTREAM4 in-filter=DOWNSTREAM4-INBOUND

127
Prefix Filtering – Downstream Outbound

• Downstream Outbound Prefix Filtering
• The default route only
• Full Internet routing table
• Subset of the full Internet table (e.g. only the routes received
via public and private peers, but not the transit routes)

128
Prefix Filtering – Downstream Outbound

[Diagram: CORE router with DOWNSTREAM 1, DOWNSTREAM 2, DOWNSTREAM 3 and DOWNSTREAM 4 below it]

129
Prefix Filtering – Downstream Outbound

/routing filter
add action=jump chain=DOWNSTREAM1-OUTBOUND jump-target=ACCEPT-ALL
add action=jump chain=DOWNSTREAM2-OUTBOUND jump-target=ACCEPT-ALL
add action=jump chain=DOWNSTREAM3-OUTBOUND jump-target=ACCEPT-ALL
add action=jump chain=DOWNSTREAM4-OUTBOUND jump-target=ACCEPT-ALL

/routing bgp peer set peer4-DOWNSTREAM1 out-filter=DOWNSTREAM1-OUTBOUND
/routing bgp peer set peer5-DOWNSTREAM2 out-filter=DOWNSTREAM2-OUTBOUND
/routing bgp peer set peer6-DOWNSTREAM3 out-filter=DOWNSTREAM3-OUTBOUND
/routing bgp peer set peer7-DOWNSTREAM4 out-filter=DOWNSTREAM4-OUTBOUND

130
AS-Path Filtering

• BCP 194 provides a number of AS-Path filtering
recommendations that should be implemented on
upstream/private/public peering sessions and
customer/downstream sessions.
• Inbound AS-Path Filtering from Private/Public/Transit Peers
• Outbound AS-Path Filtering to Private/Public/Transit Peers
• Inbound AS-Path Filtering from Downstream Customers
• Outbound AS-Path Filtering to Downstream Customers

131
AS-Path Filtering – Upstream Inbound

• Inbound AS-Path Filtering from Private/Public/Transit Peers
• Private AS numbers should not be accepted, unless used for
special purposes such as black-hole origination
• AS paths whose first AS number is not the peer's own should not
be accepted, unless originated by the IXP's route server
• Do not accept your own AS number in the AS path

132
AS-Path Filtering – Upstream Inbound

[Diagram: CORE router peering with IXP, UPSTREAM and PRIVATE PEERING]

133
AS-Path Filtering – Upstream Inbound
/routing filter
add action=discard bgp-as-path=".* 0 .*" chain=ASN-BOGONS comment="RFC 7607"
add action=discard bgp-as-path=".* 23456 .*" chain=ASN-BOGONS comment="RFC 4893 - AS_TRANS"
add action=discard bgp-as-path=".* [64496-64511] .*" chain=ASN-BOGONS comment="RFC 5398 - documentation/example ASNs"
add action=discard bgp-as-path=".* [65536-65551] .*" chain=ASN-BOGONS comment="RFC 5398 - documentation/example ASNs"
add action=discard bgp-as-path=".* [64512-65534] .*" chain=ASN-BOGONS comment="RFC 6996 - Private ASN"
add action=discard bgp-as-path=".* [4200000000-4294967294] .*" chain=ASN-BOGONS comment="RFC 6996 - Private ASN"
add action=discard bgp-as-path=".* 65535 .*" chain=ASN-BOGONS comment="RFC 7300 - Last 16 and 32 bit ASN"
add action=discard bgp-as-path=".* 4294967295 .*" chain=ASN-BOGONS comment="RFC 7300 - Last 16 and 32 bit ASN"
add action=return chain=ASN-BOGONS comment="RETURN PACKET"

/routing filter
add action=discard bgp-as-path=".* 1111 .*" chain=YOUR-ASN comment="YOUR ASN"
add action=return chain=YOUR-ASN comment="RETURN PACKET"

134
AS-Path Filtering – Upstream Inbound
/routing filter
add action=jump chain=IXP-INBOUND jump-target=YOUR-ASN
add action=jump chain=IXP-INBOUND jump-target=ASN-BOGONS
add action=jump chain=UPSTREAM-INBOUND jump-target=YOUR-ASN
add action=jump chain=UPSTREAM-INBOUND jump-target=ASN-BOGONS
add action=jump chain=PRVT_PEER-INBOUND jump-target=YOUR-ASN
add action=jump chain=PRVT_PEER-INBOUND jump-target=ASN-BOGONS

135
AS-Path Filtering – Upstream Outbound

• Outbound AS-Path Filtering to Private/Public/Transit Peers
• Do not originate prefixes with non-empty AS paths, unless you
intend to provide transit for these prefixes
• Do not originate prefixes with upstream AS numbers in the AS
path, unless you intend to provide transit for these prefixes
• Do not advertise private AS paths, unless there is a special
"private" arrangement with your peers

136
AS-Path Filtering – Upstream Outbound

[Diagram: CORE router peering with IXP, UPSTREAM and PRIVATE PEERING]

137
AS-Path Filtering – Upstream Outbound
/routing filter
add action=jump chain=IXP-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=UPSTREAM-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=ASN-BOGONS

138
AS-Path Filtering – Downstream Inbound

• Inbound AS-Path Filtering from Downstream Customers
• Only accept 2-byte and 4-byte AS paths containing ASNs
belonging to the customer.
• If this is not possible, accept only path lengths relevant to the
type of the customer, while discouraging excessive prepending
• Do not accept your own AS number in the AS path

139
AS-Path Filtering – Downstream Inbound

[Diagram: CORE router with DOWNSTREAM 1, DOWNSTREAM 2, DOWNSTREAM 3 and DOWNSTREAM 4 below it]

140
AS-Path Filtering – Downstream Inbound
/routing filter
add action=discard bgp-as-path="!.* 2001 .*" chain=DOWNSTREAM1
add action=discard bgp-as-path="!.* 2002 .*" chain=DOWNSTREAM2
add action=discard bgp-as-path="!.* 2003 .*" chain=DOWNSTREAM3
add action=discard bgp-as-path="!.* 2004 .*" chain=DOWNSTREAM4

141
AS-Path Filtering – Downstream Outbound

• Outbound AS-Path Filtering to Downstream Customers
• Do not advertise private AS paths, unless there is a special
"private" arrangement with your customers

142
AS-Path Filtering – Downstream Outbound

[Diagram: CORE router with DOWNSTREAM 1, DOWNSTREAM 2, DOWNSTREAM 3 and DOWNSTREAM 4 below it]

143
AS-Path Filtering – Downstream Outbound
/routing filter
add action=jump chain=DOWNSTREAM1-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=DOWNSTREAM2-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=DOWNSTREAM3-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=DOWNSTREAM4-OUTBOUND jump-target=ASN-BOGONS

144
Rearranging the Routing Filter
# IXP PEERING IN/OUT FILTER
/routing filter
add action=jump chain=IXP-INBOUND jump-target=OUR-PREFIX-DROP
add action=jump chain=IXP-INBOUND jump-target=IXP-PREFIX
add action=jump chain=IXP-INBOUND jump-target=RFC-5735
add action=jump chain=IXP-INBOUND jump-target=ASN-BOGONS
add action=jump chain=IXP-INBOUND jump-target=ACCEPT-ALL
add action=jump chain=IXP-OUTBOUND jump-target=OUR-PREFIX-ADV
add action=jump chain=IXP-OUTBOUND jump-target=IXP-PREFIX
add action=jump chain=IXP-OUTBOUND jump-target=RFC-5735
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM1
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM2
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM3
add action=jump chain=IXP-OUTBOUND jump-target=DOWNSTREAM4
add action=jump chain=IXP-OUTBOUND jump-target=DROP-ALL

145
Rearranging the Routing Filter
# UPSTREAM PEERING IN/OUT FILTER
/routing filter
add action=jump chain=UPSTREAM-INBOUND jump-target=OUR-PREFIX-DROP
add action=jump chain=UPSTREAM-INBOUND jump-target=IXP-PREFIX
add action=jump chain=UPSTREAM-INBOUND jump-target=RFC-5735
add action=jump chain=UPSTREAM-INBOUND jump-target=ASN-BOGONS
add action=jump chain=UPSTREAM-INBOUND jump-target=ACCEPT-ALL
add action=jump chain=UPSTREAM-OUTBOUND jump-target=OUR-PREFIX-ADV
add action=jump chain=UPSTREAM-OUTBOUND jump-target=IXP-PREFIX
add action=jump chain=UPSTREAM-OUTBOUND jump-target=RFC-5735
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM1
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM2
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM3
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DOWNSTREAM4
add action=jump chain=UPSTREAM-OUTBOUND jump-target=DROP-ALL

146
Rearranging the Routing Filter
# PRIVATE-PEER PEERING IN/OUT FILTER
/routing filter
add action=jump chain=PRVT_PEER-INBOUND jump-target=OUR-PREFIX-DROP
add action=jump chain=PRVT_PEER-INBOUND jump-target=IXP-PREFIX
add action=jump chain=PRVT_PEER-INBOUND jump-target=RFC-5735
add action=jump chain=PRVT_PEER-INBOUND jump-target=ASN-BOGONS
add action=jump chain=PRVT_PEER-INBOUND jump-target=ACCEPT-ALL
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=OUR-PREFIX-ADV
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=IXP-PREFIX
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=RFC-5735
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM1
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM2
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM3
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DOWNSTREAM4
add action=jump chain=PRVT_PEER-OUTBOUND jump-target=DROP-ALL

147
Rearranging the Routing Filter
# DOWNSTREAMS PEERING IN/OUT FILTER
/routing filter
add action=jump chain=DOWNSTREAM1-INBOUND jump-target=DOWNSTREAM1
add action=jump chain=DOWNSTREAM1-INBOUND jump-target=DROP-ALL
add action=jump chain=DOWNSTREAM1-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=DOWNSTREAM1-OUTBOUND jump-target=ACCEPT-ALL
add action=jump chain=DOWNSTREAM2-INBOUND jump-target=DOWNSTREAM2
add action=jump chain=DOWNSTREAM2-INBOUND jump-target=DROP-ALL
add action=jump chain=DOWNSTREAM2-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=DOWNSTREAM2-OUTBOUND jump-target=ACCEPT-ALL
add action=jump chain=DOWNSTREAM3-INBOUND jump-target=DOWNSTREAM3
add action=jump chain=DOWNSTREAM3-INBOUND jump-target=DROP-ALL
add action=jump chain=DOWNSTREAM3-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=DOWNSTREAM3-OUTBOUND jump-target=ACCEPT-ALL
add action=jump chain=DOWNSTREAM4-INBOUND jump-target=DOWNSTREAM4
add action=jump chain=DOWNSTREAM4-INBOUND jump-target=DROP-ALL
add action=jump chain=DOWNSTREAM4-OUTBOUND jump-target=ASN-BOGONS
add action=jump chain=DOWNSTREAM4-OUTBOUND jump-target=ACCEPT-ALL

148
Rearranging the Routing Filter
# YOUR PREFIX FILTER
/routing filter
add action=accept chain=OUR-PREFIX-ADV prefix=100.0.0.0/22 prefix-length=22-24
add action=return chain=OUR-PREFIX-ADV comment="RETURN PACKET"
add action=discard chain=OUR-PREFIX-DROP prefix=100.0.0.0/22 prefix-length=22-24
add action=return chain=OUR-PREFIX-DROP comment="RETURN PACKET"

# IXP PREFIX FILTER
/routing filter
add action=discard chain=IXP-PREFIX prefix=101.0.0.0/24
add action=return chain=IXP-PREFIX comment="RETURN PACKET"

149
Rearranging the Routing Filter
# DOWNSTREAMS PREFIX FILTER
/routing filter
add action=accept chain=DOWNSTREAM1 prefix=100.1.0.0/22 prefix-length=22-24
add action=discard bgp-as-path="!.* 2001 .*" chain=DOWNSTREAM1
add action=return chain=DOWNSTREAM1 comment="RETURN PACKET"
add action=accept chain=DOWNSTREAM2 prefix=100.2.0.0/22 prefix-length=22-24
add action=discard bgp-as-path="!.* 2002 .*" chain=DOWNSTREAM2
add action=return chain=DOWNSTREAM2 comment="RETURN PACKET"
add action=accept chain=DOWNSTREAM3 prefix=100.3.0.0/22 prefix-length=22-24
add action=discard bgp-as-path="!.* 2003 .*" chain=DOWNSTREAM3
add action=return chain=DOWNSTREAM3 comment="RETURN PACKET"
add action=accept chain=DOWNSTREAM4 prefix=100.4.0.0/22 prefix-length=22-24
add action=discard bgp-as-path="!.* 2004 .*" chain=DOWNSTREAM4
add action=return chain=DOWNSTREAM4 comment="RETURN PACKET"

150
Rearranging the Routing Filter
# RFC 5735 PREFIX FILTER
/routing filter
add action=discard chain=RFC-5735 comment="DEFAULT ROUTE" prefix=0.0.0.0/0
add action=discard chain=RFC-5735 comment="PREFIX LOWER /24" prefix=0.0.0.0/0 prefix-length=25-32
add action=discard chain=RFC-5735 comment="RFC 1122 - This Network" prefix=0.0.0.0/8
add action=discard chain=RFC-5735 comment="RFC 1918 - Private-Use Networks" prefix=10.0.0.0/8
add action=discard chain=RFC-5735 comment="RFC 1122 - Loopback" prefix=127.0.0.0/8
add action=discard chain=RFC-5735 comment="RFC 3927 - Link Local" prefix=169.254.0.0/16
add action=discard chain=RFC-5735 comment="RFC 1918 - Private-Use Networks" prefix=172.16.0.0/12
add action=discard chain=RFC-5735 comment="RFC 5736 - IETF Protocol Assignments" prefix=192.0.0.0/24
add action=discard chain=RFC-5735 comment="RFC 5737 - TEST-NET-1" prefix=192.0.2.0/24
add action=discard chain=RFC-5735 comment="RFC 1918 - Private-Use Networks" prefix=192.168.0.0/16
add action=discard chain=RFC-5735 comment="RFC 2544 - Device Benchmark Testing" prefix=198.18.0.0/15
add action=discard chain=RFC-5735 comment="RFC 5737 - TEST-NET-2" prefix=198.51.100.0/24
add action=discard chain=RFC-5735 comment="RFC 3068 - 6to4 Relay Anycast" prefix=192.88.99.0/24
add action=discard chain=RFC-5735 comment="RFC 5737 - TEST-NET-3" prefix=203.0.113.0/24
add action=discard chain=RFC-5735 comment="RFC 3171 - Multicast" prefix=224.0.0.0/4
add action=discard chain=RFC-5735 comment="RFC 1112 - Reserved for Future Use" prefix=240.0.0.0/4
add action=discard chain=RFC-5735 comment="RFC 6598 - Shared CGN IPv4 Address" prefix=100.64.0.0/10
add action=return chain=RFC-5735 comment="RETURN PACKET"

151
Rearranging the Routing Filter
# YOUR AS NUMBER FILTER
/routing filter
add action=discard bgp-as-path=".* 1111 .*" chain=YOUR-ASN
add action=return chain=YOUR-ASN comment="RETURN PACKET"

# BOGONS NUMBER FILTER
/routing filter
add action=discard bgp-as-path=".* 0 .*" chain=ASN-BOGONS comment="RFC 7607"
add action=discard bgp-as-path=".* 23456 .*" chain=ASN-BOGONS comment="RFC 4893 - AS_TRANS"
add action=discard bgp-as-path=".* [64496-64511] .*" chain=ASN-BOGONS comment="RFC 5398 - documentation/example ASNs"
add action=discard bgp-as-path=".* [65536-65551] .*" chain=ASN-BOGONS comment="RFC 5398 - documentation/example ASNs"
add action=discard bgp-as-path=".* [64512-65534] .*" chain=ASN-BOGONS comment="RFC 6996 - Private ASN"
add action=discard bgp-as-path=".* [4200000000-4294967294] .*" chain=ASN-BOGONS comment="RFC 6996 - Private ASN"
add action=discard bgp-as-path=".* 65535 .*" chain=ASN-BOGONS comment="RFC 7300 - Last 16 and 32 bit ASN"
add action=discard bgp-as-path=".* 4294967295 .*" chain=ASN-BOGONS comment="RFC 7300 - Last 16 and 32 bit ASN"
add action=return chain=ASN-BOGONS comment="RETURN PACKET"

/routing filter
add action=accept chain=ACCEPT-ALL comment="ACCEPT ALL"
add action=discard chain=DROP-ALL comment="DROP ALL"
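As an added example (Python, not RouterOS code and not part of the training material), the following script models how the chains above are evaluated: a route enters the peer's in-filter chain, each `jump` descends into a sub-chain, `return` comes back, and the first `accept` or `discard` is final. It transcribes the UPSTREAM-INBOUND chain together with YOUR-ASN from slide 135 and an abbreviated RFC-5735 chain, then runs constructed routes through it. Two points are assumptions rather than facts from the slides: the AS-path matcher understands only the `.* N .*`, `.* [lo-hi] .*` and leading `!` shapes used here, and a `prefix=` rule with no `prefix-length=` is taken to match that exact prefix only, which is how the RouterOS v6 manual describes it. If that reading holds on your release, the RFC-5735 chain as written stops 10.0.0.0/8 but lets a more specific such as 10.1.0.0/16 through; check it on your router and add a `prefix-length=` range to each bogon entry if so.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed model (an added example, not RouterOS code) of how the
# routing-filter chains on the slides are evaluated.  Only the attributes the
# slides use are modelled: chain, action, prefix, prefix-length, bgp-as-path
# and jump-target.

@dataclass
class Rule:
    chain: str
    action: str                                      # accept | discard | jump | return
    prefix: Optional[str] = None                     # e.g. "100.0.0.0/22"
    prefix_length: Optional[Tuple[int, int]] = None  # e.g. (22, 24)
    as_path: Optional[str] = None                    # ".* N .*" / ".* [lo-hi] .*", optional "!"
    jump_target: Optional[str] = None

@dataclass
class Route:
    prefix: str
    as_path: List[int] = field(default_factory=list)

AS_PATTERN = re.compile(r"^(!?)\.\* (\d+|\[\d+-\d+\]) \.\*$")

def as_path_matches(pattern: str, path: List[int]) -> bool:
    """Interpret the slides' bgp-as-path patterns: '.* N .*' means N appears
    anywhere in the path, '[lo-hi]' is an inclusive ASN range, and a leading
    '!' negates the match (as in the DOWNSTREAMn chains).  Assumption: only
    these pattern shapes are supported by this model."""
    m = AS_PATTERN.match(pattern)
    if not m:
        raise ValueError("pattern shape not modelled: %r" % pattern)
    negate, token = m.group(1) == "!", m.group(2)
    if token.startswith("["):
        lo, hi = (int(x) for x in token[1:-1].split("-"))
        hit = any(lo <= asn <= hi for asn in path)
    else:
        hit = int(token) in path
    return hit != negate

def prefix_matches(rule: Rule, route: Route) -> bool:
    if rule.prefix is None:
        return True
    net = ipaddress.ip_network(rule.prefix)
    r = ipaddress.ip_network(route.prefix)
    if rule.prefix_length is None:
        # Assumption taken from the RouterOS v6 manual: without prefix-length
        # the rule matches that exact prefix only, not its more-specifics.
        return r == net
    lo, hi = rule.prefix_length
    return r.subnet_of(net) and lo <= r.prefixlen <= hi

def rule_matches(rule: Rule, route: Route) -> bool:
    if not prefix_matches(rule, route):
        return False
    return rule.as_path is None or as_path_matches(rule.as_path, route.as_path)

def evaluate(rules: List[Rule], chain: str, route: Route, depth: int = 0) -> Optional[str]:
    """Walk a chain top to bottom: accept/discard are final, jump descends
    into the target chain, return leaves the current chain.  None means the
    route fell off the end of the chain without a verdict."""
    if depth > 16:
        raise RecursionError("jump loop between chains")
    for rule in (r for r in rules if r.chain == chain):
        if not rule_matches(rule, route):
            continue
        if rule.action in ("accept", "discard"):
            return rule.action
        if rule.action == "return":
            return None
        if rule.action == "jump":
            verdict = evaluate(rules, rule.jump_target, route, depth + 1)
            if verdict is not None:
                return verdict
    return None

# UPSTREAM-INBOUND and the sub-chains it jumps to, transcribed from the slides
# (YOUR-ASN from slide 135, the rest from slides 146-152; RFC-5735 is
# abbreviated to four of its entries).  ASN 1111 is "our" ASN on the slides.
RULES = [
    Rule("UPSTREAM-INBOUND", "jump", jump_target="OUR-PREFIX-DROP"),
    Rule("UPSTREAM-INBOUND", "jump", jump_target="IXP-PREFIX"),
    Rule("UPSTREAM-INBOUND", "jump", jump_target="RFC-5735"),
    Rule("UPSTREAM-INBOUND", "jump", jump_target="YOUR-ASN"),
    Rule("UPSTREAM-INBOUND", "jump", jump_target="ASN-BOGONS"),
    Rule("UPSTREAM-INBOUND", "jump", jump_target="ACCEPT-ALL"),
    Rule("OUR-PREFIX-DROP", "discard", prefix="100.0.0.0/22", prefix_length=(22, 24)),
    Rule("OUR-PREFIX-DROP", "return"),
    Rule("IXP-PREFIX", "discard", prefix="101.0.0.0/24"),
    Rule("IXP-PREFIX", "return"),
    Rule("RFC-5735", "discard", prefix="0.0.0.0/0"),                          # default route
    Rule("RFC-5735", "discard", prefix="0.0.0.0/0", prefix_length=(25, 32)),  # too specific
    Rule("RFC-5735", "discard", prefix="10.0.0.0/8"),
    Rule("RFC-5735", "discard", prefix="192.168.0.0/16"),
    Rule("RFC-5735", "return"),
    Rule("YOUR-ASN", "discard", as_path=".* 1111 .*"),
    Rule("YOUR-ASN", "return"),
    Rule("ASN-BOGONS", "discard", as_path=".* 23456 .*"),
    Rule("ASN-BOGONS", "discard", as_path=".* [64512-65534] .*"),
    Rule("ASN-BOGONS", "return"),
    Rule("ACCEPT-ALL", "accept"),
]

def upstream_verdict(route: Route) -> Optional[str]:
    return evaluate(RULES, "UPSTREAM-INBOUND", route)

if __name__ == "__main__":
    # Constructed announcements: 150.0.0.0/24 and ASNs 3333/4444 stand in for an upstream.
    for r in (Route("150.0.0.0/24", [3333, 4444]), Route("100.0.1.0/24", [3333]),
              Route("0.0.0.0/0", [3333]), Route("150.0.0.128/25", [3333]),
              Route("10.0.0.0/8", [3333]), Route("10.1.0.0/16", [3333]),
              Route("150.0.0.0/24", [3333, 1111, 4444]), Route("150.0.0.0/24", [3333, 65000])):
        print(r.prefix, r.as_path, "->", upstream_verdict(r))
```

The model's last return value, `None`, is what a route gets when it reaches the end of a peer chain without a verdict; the slides avoid depending on the router's default by ending every peer chain with an explicit ACCEPT-ALL or DROP-ALL jump, which is the safer habit.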

152
Traffic Filtering

• All packets destined to TCP port 179 and not originated
from addresses of configured BGP peers should be
discarded.
• If supported, Control Plane ACL should be used. If not
supported, ACL applied to each peer-facing port should
be used.
• If supported, BGP rate-limiting should also be
implemented, to make sure that the number of BGP
packets per second does not exceed the platform's capability.
• Static ARP.

153
Traffic Filtering

154
Traffic Filtering
/ip firewall filter
add action=accept chain=input dst-port=179 in-interface=ether1-IXP protocol=tcp src-address=101.0.0.1
add action=drop chain=input dst-port=179 in-interface=ether1-IXP protocol=tcp
add action=accept chain=input dst-port=179 in-interface=ether2-UPSTREAM protocol=tcp src-address=102.0.0.3
add action=drop chain=input dst-port=179 in-interface=ether2-UPSTREAM protocol=tcp
add action=accept chain=input dst-port=179 in-interface=ether3-PRVT_PEER protocol=tcp src-address=103.0.0.3
add action=drop chain=input dst-port=179 in-interface=ether3-PRVT_PEER protocol=tcp
add action=accept chain=input dst-port=179 in-interface=ether4-DOWNSTREAM1 protocol=tcp src-address=100.0.0.2
add action=drop chain=input dst-port=179 in-interface=ether4-DOWNSTREAM1 protocol=tcp
add action=accept chain=input dst-port=179 in-interface=ether5-DOWNSTREAM2 protocol=tcp src-address=100.0.0.6
add action=drop chain=input dst-port=179 in-interface=ether5-DOWNSTREAM2 protocol=tcp
add action=accept chain=input dst-port=179 in-interface=ether6-DOWNSTREAM3 protocol=tcp src-address=100.0.0.10
add action=drop chain=input dst-port=179 in-interface=ether6-DOWNSTREAM3 protocol=tcp
add action=accept chain=input dst-port=179 in-interface=ether7-DOWNSTREAM4 protocol=tcp src-address=100.0.0.14
add action=drop chain=input dst-port=179 in-interface=ether7-DOWNSTREAM4 protocol=tcp

/ip arp
add address=101.0.0.1 interface=ether1-IXP mac-address=00:50:00:03:00:01
add address=102.0.0.1 interface=ether2-UPSTREAM mac-address=00:50:00:03:00:02
add address=103.0.0.1 interface=ether3-PRVT_PEER mac-address=00:50:00:03:00:03
add address=100.0.0.6 interface=ether5-DOWNSTREAM2 mac-address=00:50:00:03:00:04
add address=100.0.0.10 interface=ether6-DOWNSTREAM3 mac-address=00:50:00:03:00:05
add address=100.0.0.2 interface=ether4-DOWNSTREAM1 mac-address=00:50:00:03:00:06
add address=100.0.0.14 interface=ether7-DOWNSTREAM4 mac-address=00:50:00:03:00:07
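An added example, not the course's own material: a small Python generator that produces the firewall and static-ARP sections above from one peer table, so the two cannot drift apart. Reading the slide closely shows why that matters: the firewall accepts TCP/179 from 102.0.0.3 on ether2-UPSTREAM and from 103.0.0.3 on ether3-PRVT_PEER, while the static ARP entries for those interfaces are for 102.0.0.1 and 103.0.0.1. Whichever address is the real neighbour, the two must agree; otherwise the session is either blocked by the filter or, once the interface is set to arp=reply-only (the RouterOS interface setting that makes static ARP binding, not shown on the slide), cannot be resolved. The peer table below takes the firewall's values, which is an assumption; `address_mismatches` reports the slide's discrepancy from the two lists as transcribed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

@dataclass(frozen=True)
class Peer:
    name: str        # label used in rule comments
    interface: str   # peer-facing interface
    address: str     # neighbour address allowed to open TCP/179 to us
    mac: str         # neighbour MAC for the static ARP entry

# Constructed peer table.  Interface names, MACs and the downstream addresses
# are the slide's; for UPSTREAM and PRVT_PEER the firewall's values
# (102.0.0.3, 103.0.0.3) are used, an assumption since the slide disagrees
# with itself.
PEERS = [
    Peer("IXP",         "ether1-IXP",         "101.0.0.1",  "00:50:00:03:00:01"),
    Peer("UPSTREAM",    "ether2-UPSTREAM",    "102.0.0.3",  "00:50:00:03:00:02"),
    Peer("PRVT_PEER",   "ether3-PRVT_PEER",   "103.0.0.3",  "00:50:00:03:00:03"),
    Peer("DOWNSTREAM1", "ether4-DOWNSTREAM1", "100.0.0.2",  "00:50:00:03:00:06"),
    Peer("DOWNSTREAM2", "ether5-DOWNSTREAM2", "100.0.0.6",  "00:50:00:03:00:04"),
    Peer("DOWNSTREAM3", "ether6-DOWNSTREAM3", "100.0.0.10", "00:50:00:03:00:05"),
    Peer("DOWNSTREAM4", "ether7-DOWNSTREAM4", "100.0.0.14", "00:50:00:03:00:07"),
]

def validate(peers: List[Peer]) -> List[str]:
    """Reject malformed addresses or MACs and an interface listed twice."""
    problems, seen = [], set()
    for p in peers:
        if p.interface in seen:
            problems.append(f"{p.interface}: listed more than once")
        seen.add(p.interface)
        try:
            ipaddress.ip_address(p.address)
        except ValueError:
            problems.append(f"{p.name}: invalid address {p.address!r}")
        if not MAC_RE.match(p.mac):
            problems.append(f"{p.name}: invalid MAC {p.mac!r}")
    return problems

def bgp_input_rules(peers: List[Peer]) -> List[str]:
    """Per interface: accept TCP/179 only from the neighbour, then drop all
    other TCP/179 arriving on that interface (the slide's accept/drop pairs)."""
    lines = ["/ip firewall filter"]
    for p in peers:
        lines.append(f"add action=accept chain=input dst-port=179 in-interface={p.interface} "
                     f"protocol=tcp src-address={p.address} comment=\"BGP {p.name}\"")
        lines.append(f"add action=drop chain=input dst-port=179 in-interface={p.interface} "
                     f"protocol=tcp comment=\"BGP {p.name} - not the neighbour\"")
    return lines

def static_arp(peers: List[Peer]) -> List[str]:
    return ["/ip arp"] + [
        f"add address={p.address} interface={p.interface} mac-address={p.mac}" for p in peers]

def address_mismatches(firewall_src: Dict[str, str], arp: Dict[str, str]) -> Dict[str, Tuple]:
    """Interfaces whose accepted BGP source and static ARP address differ,
    including interfaces present in only one of the two tables (None side)."""
    out = {}
    for iface in sorted(set(firewall_src) | set(arp)):
        a, b = firewall_src.get(iface), arp.get(iface)
        if a != b:
            out[iface] = (a, b)
    return out

# The slide's own firewall and ARP sections, transcribed as interface -> address.
SLIDE_FIREWALL_SRC = {
    "ether1-IXP": "101.0.0.1", "ether2-UPSTREAM": "102.0.0.3", "ether3-PRVT_PEER": "103.0.0.3",
    "ether4-DOWNSTREAM1": "100.0.0.2", "ether5-DOWNSTREAM2": "100.0.0.6",
    "ether6-DOWNSTREAM3": "100.0.0.10", "ether7-DOWNSTREAM4": "100.0.0.14",
}
SLIDE_ARP = {
    "ether1-IXP": "101.0.0.1", "ether2-UPSTREAM": "102.0.0.1", "ether3-PRVT_PEER": "103.0.0.1",
    "ether5-DOWNSTREAM2": "100.0.0.6", "ether6-DOWNSTREAM3": "100.0.0.10",
    "ether4-DOWNSTREAM1": "100.0.0.2", "ether7-DOWNSTREAM4": "100.0.0.14",
}

if __name__ == "__main__":
    print("\n".join(bgp_input_rules(PEERS) + static_arp(PEERS)))
    print("slide mismatches:", address_mismatches(SLIDE_FIREWALL_SRC, SLIDE_ARP))
```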

155
CRYPTOGRAPHY

156
What is Cryptography

• Cryptography is the "ART" of creating documents that can be
shared secretly over public communication.
• Traditionally, cryptography refers to :
• The practice and the study of encryption.
• Transforming information in order to prevent unauthorized people
from reading it.
• But today, cryptography goes beyond encryption/decryption to
include :
• Techniques for making sure that encrypted messages are not
modified.
• Techniques for secure identification/authentication of
communication partners.

157
Security Mechanisms

Encryption :
• Process of transforming plaintext to ciphertext using a
cryptographic key
• Used all around us
• In the Application Layer – used in secure email, database sessions, and
messaging
• In the Session Layer – using Secure Sockets Layer (SSL) or Transport Layer
Security (TLS)
• In the Network Layer – using protocols such as IPsec
• Properties of a good encryption algorithm:
• Resistant to cryptographic attack
• Supports variable and long key lengths and scalability
• Creates an avalanche effect
• No export or import restrictions
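Added example (Python, not from the course) of the "avalanche effect" property: a good cipher or hash changes about half of its output bits when a single input bit changes, so nothing about the input can be read off from the output. SHA-256 from the standard library stands in for the cipher; a constructed one-byte XOR checksum shows the opposite behaviour, and the sample message is constructed.

```python
import hashlib
from statistics import mean
from typing import Callable

def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("lengths differ")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def flip_bit(data: bytes, index: int) -> bytes:
    """Copy of data with exactly one bit flipped (index counts from bit 0 of byte 0)."""
    out = bytearray(data)
    out[index // 8] ^= 1 << (index % 8)
    return bytes(out)

def sha256(msg: bytes) -> bytes:
    return hashlib.sha256(msg).digest()

def xor_checksum(msg: bytes) -> bytes:
    """Constructed contrast: a one-byte XOR fold.  Flipping one input bit
    flips exactly one output bit, so there is no avalanche at all."""
    acc = 0
    for b in msg:
        acc ^= b
    return bytes([acc])

def avalanche(fn: Callable[[bytes], bytes], msg: bytes, bit: int) -> int:
    """Output bits that change when input bit `bit` is flipped."""
    return hamming(fn(msg), fn(flip_bit(msg, bit)))

def avalanche_ratio(fn: Callable[[bytes], bytes], msg: bytes) -> float:
    """Average fraction of output bits changed over every single-bit flip of msg.
    About 0.5 for a good primitive."""
    out_bits = len(fn(msg)) * 8
    return mean(avalanche(fn, msg, i) for i in range(len(msg) * 8)) / out_bits

MESSAGE = b"attack at dawn, constructed sample"  # constructed input

if __name__ == "__main__":
    print("SHA-256, bit 0 flipped:", avalanche(sha256, MESSAGE, 0), "of 256 bits changed")
    print("SHA-256 average ratio: %.3f" % avalanche_ratio(sha256, MESSAGE))
    print("XOR checksum average ratio: %.3f" % avalanche_ratio(xor_checksum, MESSAGE))
```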

158
Terminology
plaintext (P) : the original message
ciphertext (C) : the coded message
cipher : algorithm for transforming plaintext to ciphertext
key (k) : information used in the cipher, known only to sender/receiver
encipher/encrypt (e) : converting plaintext to ciphertext
decipher/decrypt (d) : recovering plaintext from ciphertext
cryptography : study of encryption principles/methods
cryptanalysis : the study of principles/methods of deciphering
ciphertext without knowing the key
cryptology : the field of both cryptography and cryptanalysis

159
Encryption Methods

There are 2 kinds of encryption methods :
• Symmetric cryptography
• Sender and receiver keys are identical
• Asymmetric (public-key) cryptography
• Encryption key public, decryption key secret (private)

160
Symmetric Encryption

• Uses a single key to both encrypt and decrypt information
• Also known as a secret-key algorithm
• The key must be kept a "secret" to maintain security
• This key is also known as a private key
• Follows the more traditional form of cryptography with key
lengths ranging from 40 to 256 bits

161
Symmetric Key Algorithms

162
Asymmetric Encryption

• Also called public-key cryptography
• Keep the private key private
• Anyone can see the public key
• Separate keys for encryption and decryption (public and
private key pairs)
• Examples of asymmetric key algorithms:
• RSA, DSA, Diffie-Hellman, ElGamal, Elliptic Curve and PKCS

163
Asymmetric Encryption

• RSA : the first and still most common implementation
• DSA : specified in NIST's Digital Signature Standard (DSS),
provides digital signature capability for authentication of
messages
• Diffie-Hellman : used for secret key exchange only, and not
for authentication or digital signature
• ElGamal : similar to Diffie-Hellman and used for key
exchange
• PKCS : set of interoperable standards and guidelines

164
Public Key Infrastructure (PKI)

• Framework that builds the network of trust
• Combines public key cryptography and digital signatures to
ensure confidentiality, integrity, authentication,
nonrepudiation, and access control
• Protects applications that require a high level of security

Functions of a PKI :
• Registration
• Initialization
• Certification
• Key pair recovery
• Key generation
• Key update
• Cross-certification
• Revocation

165
Components of a PKI

• Certificate authority
• The trusted third party
• Trusted by both the owner of the certificate and the party relying
upon the certificate.
• Validation authority
• Registration authority
• For big CAs, a separate RA might be necessary to take some
work off the CA
• Identity verification and registration of the entity applying for a
certificate
• Central directory

166
CERTIFICATES

167
Certificates

• Public key certificates bind public key values to subjects
• A trusted certificate authority (CA) verifies the subject's
identity and digitally signs each certificate
• Validity :
• Has a limited valid lifetime
• Can be distributed over untrusted communications and can be
cached in unsecured storage
• Because the client can independently check the certificate's signature
• Certificate is NOT equal to signature
• It is implemented using a signature
• Certificates are static
• If there are changes, the certificate has to be re-issued

168
Digital Certificates

• Digital certificate – basic element of PKI; secure
credential that identifies the owner
• Also called public key certificate
• Deals with the problem of
• Binding a public key to an entity
• A major legal issue related to eCommerce
• A digital certificate contains :
• User's public key
• User's ID
• Other information e.g. validity period

169
Digital Certificates

• Certificate examples :
• X509 (standard)
• PGP (Pretty Good Privacy)
• Certificate Authority (CA) creates and digitally signs certificates
• To obtain a digital certificate, Alice must :
• Make a certificate signing request to the CA
• CA returns Alice’s digital certificate, cryptographically
binding her identity to public key :
• CertA = {IDA, KA_PUB, info, SigCA(IDA,KA_PUB,info)}

170
X.509

• An ITU-T standard for a public key infrastructure (PKI)
and Privilege Management Infrastructure (PMI)
• Assumes a strict hierarchical system of Certificate
Authorities (CAs)
• RFC 1422 – basis of X.509-based PKI
• Current version X.509v3 provides a common baseline
for the Internet
• Structure of a Certificate, certificate revocation (CRLs)

171
X.509

X.509 Certificate Usage:
• Fetch certificate
• Fetch certificate revocation list (CRL)
• Check the certificate against the CRL
• Check signature using the certificate

172
Every Certificate Contains

• Body of the certificate
• Version number, serial number, names of the issuer and subject
• Public key associated with the subject
• Validity dates (not before, not after)
• Extensions for additional attributes
• Signature algorithm
• Used by the CA to sign the certificate
• Signature
• Created by applying the certificate body as input to a one-way
hash function. The output value is encrypted with the CA's
private key to form the signature value

173
Certificate Authority

• Issuer and signer of the certificate
• Trusted (Third) Party
• Based on trust model
• Who to trust?
• Types :
• Enterprise CA
• Individual CA (PGP)
• Global CA (such as VeriSign)
• Functions :
• Enrols and validates subscribers
• Issues and manages certificates
• Manages revocation and renewal of certificates
• Establishes policies & procedures

174
Certificate Revocation List

• CA periodically publishes a data structure called a certificate
revocation list (CRL).
• Described in X.509 standard.
• Each revoked certificate is identified in a CRL by its serial
number.
• CRL might be distributed by posting at a known Web URL or
from the CA's own X.500 directory entry
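Added example, not course material, that works through the certificate structure (slide 173), the usage sequence (slide 172) and the CRL (slide 175) in Python. The CA key is toy RSA built from two small Mersenne primes with no padding, and the SHA-256 digest of the body is truncated to 64 bits so that it fits under the toy modulus; both are assumptions made to keep the arithmetic visible, not how a real CA signs (real keys are 2048 bits or longer and use a padding scheme). The certificate, CRL, names and dates are constructed.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Toy CA key: p = 2^31-1 and q = 2^61-1 are known primes; the modulus is
# only ~92 bits.  Assumption: textbook RSA, no padding (toy demonstration).
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # CA private exponent
CA_PUBLIC = (E, N)

def digest(body: Dict) -> int:
    """One-way hash of a canonical encoding of the body, as slide 173
    describes; truncated to 64 bits so it is smaller than the toy modulus."""
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canon).digest()[:8], "big")

def ca_sign(body: Dict) -> int:
    """Signature value = digest transformed with the CA's private key."""
    return pow(digest(body), D, N)

def verify(body: Dict, signature: int, pub: Tuple[int, int] = CA_PUBLIC) -> bool:
    e, n = pub
    return pow(signature, e, n) == digest(body)

def issue(serial: int, subject: str, subject_pub: str,
          not_before: str, not_after: str) -> Dict:
    """Build the fields listed on slide 173 and sign the body."""
    body = {
        "version": 3, "serial": serial,
        "issuer": "CN=Toy CA", "subject": subject,
        "public_key": subject_pub,
        "not_before": not_before, "not_after": not_after,   # ISO dates, compare as strings
        "extensions": {"subjectAltName": "DNS:" + subject.split("=", 1)[1]},
        "signature_algorithm": "toy-rsa-with-sha256",
    }
    return {"body": body, "signature": ca_sign(body)}

def publish_crl(revoked_serials: List[int], this_update: str) -> Dict:
    """CRL as on slide 175: revoked certificates listed by serial number,
    signed by the CA so a relying party can trust it."""
    body = {"issuer": "CN=Toy CA", "this_update": this_update,
            "revoked": sorted(revoked_serials)}
    return {"body": body, "signature": ca_sign(body)}

def check_certificate(cert: Dict, crl: Dict, today: str) -> List[str]:
    """Slide 172's sequence: check the certificate against the CRL, the
    validity period, and the CA signature.  Returns failures (empty = OK)."""
    failures = []
    body = cert["body"]
    if not verify(crl["body"], crl["signature"]):
        failures.append("CRL signature invalid")
    elif body["serial"] in crl["body"]["revoked"]:
        failures.append("certificate revoked")
    if not (body["not_before"] <= today <= body["not_after"]):
        failures.append("outside validity period")
    if not verify(body, cert["signature"]):
        failures.append("certificate signature invalid")
    return failures

if __name__ == "__main__":
    cert = issue(1001, "CN=webfix.example.com", "constructed-public-key",
                 "2019-03-01", "2020-03-01")
    crl = publish_crl([1002, 1003], "2019-06-01")
    print("valid:", check_certificate(cert, crl, "2019-06-01"))
    print("expired:", check_certificate(cert, crl, "2021-01-01"))
```

The order matters: a CRL whose signature does not verify tells the relying party nothing, so the revocation check is skipped rather than trusted, and the failure is reported instead.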

175
SELF-SIGNED CERTIFICATE

176
Self-Signed Certificates

• A self-signed SSL certificate does not use the chain of trust
used by other SSL certificates
• Is an identity certificate that is signed by the same entity
whose identity it certifies
• Most often used when a company wants to perform internal
testing without the effort or expense of acquiring a standard
SSL certificate.

177
Self-Signed Certificates

[Diagram: CA certificate for example.com]

/certificate add name=CA country=ES state=Toledo locality=Illescas organization=IT unit=IT common-name=example.com \
  subject-alt-name=DNS:example.com key-size=2048 days-valid=365 \
  key-usage=digital-signature,key-encipherment,data-encipherment,key-cert-sign,crl-sign

178
Self-Signed Certificates

/certificate sign CA name=CA

179
Self-Signed Certificates

[Diagram: server certificate for webfix.example.com, signed by the CA above]

/certificate add name=www country=ES state=Toledo locality=Illescas organization=IT unit=IT \
  common-name=webfix.example.com subject-alt-name=DNS:webfix.example.com key-size=2048 days-valid=365 \
  key-usage=digital-signature,key-encipherment,tls-client,tls-server

180
Self-Signed Certificates

/certificate sign www name=www ca=CA

181
FREE OF CHARGE VALID CERTIFICATES
182
Let’s Encrypt

• Let's Encrypt is a new Certificate Authority (CA) that
offers FREE SSL certificates that are just as secure as
current paid certificates.
• Let's Encrypt is a free certificate authority developed by
the Internet Security Research Group (ISRG).
• SSL certificates are issued for a period of 90 days and
must be renewed before they expire.
• These certificates are domain-validated, don't require a
dedicated IP and are supported on all SiteGround
hosting solutions.

183
Let’s Encrypt

Key benefits of using a Let's Encrypt SSL certificate:
• It's free – Anyone who owns a domain can obtain a trusted certificate
for that domain at zero cost.
• It's automatic – The entire enrolment process for certificates occurs
painlessly during the server's native installation or configuration
process. The renewal occurs automatically in the background.
• It's simple – There's no payment, no validation emails, and certificates
renew automatically.
• It's secure – Let's Encrypt serves as a platform for implementing
modern security techniques and best practices.
• More info – https://letsencrypt.org

184
SSL For Free

https://www.sslforfree.com

185
Free of Charge Valid Certificates

Upload “certificate.crt” and “private.key” to the RouterOS

190
Free of Charge Valid Certificates

“System > Certificate”: import both the “certificate.crt” and the “private.key”

191
Free of Charge Valid Certificates

192
HIGH AVAILABILITY

193
INTERFACE BONDING

194
What is Interface Bonding

• Bonding is a technology that allows you to aggregate
multiple Ethernet-like interfaces into a single virtual link,
thus getting higher data rates and providing fail-over.
• Bonding (load balancing) modes:
• 802.3ad
• Balance-rr
• Balance-xor
• Balance-tlb
• Balance-alb

195
802.3ad

• 802.3ad mode is an IEEE standard also called LACP
(Link Aggregation Control Protocol).

196
Balance-rr and balance-xor

• Balance-rr mode uses the Round Robin algorithm - packets
are transmitted in sequential order from the first
available slave to the last.
• When utilizing multiple sending and multiple receiving
links, packets often are received out of order (a problem
for TCP)
• Balance-xor balances outgoing traffic across the active
ports based on a hash from specific protocol header
fields and accepts incoming traffic from any active port

197
Balance-tlb

• The outgoing traffic is distributed according to the
current load
• Incoming traffic is not balanced
• This mode is address-pair load balancing
• No additional configuration is required for the switch

198
Balance-alb

• In short alb = tlb + receive load balancing
• This mode requires a device driver capability to change
the MAC address

199
Interface Bonding

[Diagram: R1 and R2 joined by bonding1 (ether1 and ether2 on each side)]

200
Interface Bonding R1

/interface bonding
add lacp-rate=1sec mode=802.3ad name=bonding1 slaves=ether1,ether2 \
  transmit-hash-policy=layer-3-and-4
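Added example (Python, not RouterOS or course code) of what `transmit-hash-policy=layer-3-and-4` buys over `balance-rr` on slide 197: a flow-keyed hash sends every packet of one TCP connection out of the same slave, while round robin spreads consecutive packets of one flow across slaves and can deliver them out of order. The hash below is the layer3+4 formula documented for the Linux bonding driver, which RouterOS bonding builds on; treating it as RouterOS's exact algorithm is an assumption. The flows are constructed.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

def layer3_4_slave(flow: Flow, slave_count: int) -> int:
    """Slave index for the layer3+4 policy as documented for the Linux bonding
    driver (assumption: RouterOS behaves the same):
    ((src_port XOR dst_port) XOR ((src_ip XOR dst_ip) AND 0xffff)) mod slaves"""
    sip = int(ipaddress.ip_address(flow.src_ip))
    dip = int(ipaddress.ip_address(flow.dst_ip))
    return ((flow.src_port ^ flow.dst_port) ^ ((sip ^ dip) & 0xFFFF)) % slave_count

def round_robin_slave(packet_no: int, slave_count: int) -> int:
    """balance-rr: packet n leaves on slave n mod slaves, whatever the flow."""
    return packet_no % slave_count

def transmit(flows: List[Flow], packets_per_flow: int, slave_count: int,
             policy: str) -> Dict[Flow, List[int]]:
    """Per flow, the slave index used by each of its packets."""
    used = defaultdict(list)
    n = 0
    for flow in flows:
        for _ in range(packets_per_flow):
            if policy == "balance-rr":
                used[flow].append(round_robin_slave(n, slave_count))
            elif policy == "layer-3-and-4":
                used[flow].append(layer3_4_slave(flow, slave_count))
            else:
                raise ValueError("unknown policy: " + policy)
            n += 1
    return dict(used)

def reordered_flows(flows: List[Flow], packets_per_flow: int,
                    slave_count: int, policy: str) -> int:
    """Flows whose packets were spread over more than one slave and so may
    arrive out of order at the far end."""
    return sum(len(set(s)) > 1
               for s in transmit(flows, packets_per_flow, slave_count, policy).values())

# Constructed flows: eight client connections to the same HTTPS server.
FLOWS = [Flow("192.168.1.10", "10.0.0.5", 40000 + i, 443) for i in range(8)]

if __name__ == "__main__":
    for policy in ("balance-rr", "layer-3-and-4"):
        print(policy, "reordered flows:", reordered_flows(FLOWS, 4, 2, policy))
```

With the hash policy, the two slaves still both carry traffic (different ports land on different slaves), but each individual flow stays on one link, which is the property TCP needs.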

201
Interface Bonding R2

/interface bonding
add lacp-rate=1sec mode=802.3ad name=bonding1 slaves=ether1,ether2 \
  transmit-hash-policy=layer-3-and-4

202
VRRP

203
What is VRRP

• Virtual Router Redundancy Protocol
• RFC 2883 Standard plus updates for IPv6
• On RouterOS VRRP is implemented as an interface
• Simple setup, a few simple steps to get running
• Solves Layer 2 redundancy, Virtual MAC
• Typical use: router gateway redundancy

204
What is VRRP

[Diagram: R1 and R2 on the same segment, both running VRRP on ether1]
R1: Interface ether1, VRID 1, Priority 100, Version 2, IP 192.168.1.253, VIP 192.168.1.1
R2: Interface ether1, VRID 1, Priority 50, Version 2, IP 192.168.1.253, VIP 192.168.1.1

205
VRRP Master Selection

• Virtual Router is defined by VRID and mapped set of IPv4 or
IPv6 addresses.
• Each VR node has a single assigned MAC address.

[Diagram: R1 and R2 on the same segment]
R1: Interface ether1, VRID 1, Priority 100, Version 2, IP 192.168.1.253, VIP 192.168.1.1
R2: Interface ether1, VRID 1, Priority 50, Version 2, IP 192.168.1.254, VIP 192.168.1.1

206
VRRP Master Selection

• The selection of the master router is controlled by the priority value
• Higher number means higher priority
• Only the master router sends periodic advertisement messages, to
minimize the traffic
• It is possible to install a VR on more than two routers on a single segment

[Diagram: R1 and R2 on the same segment]
R1: Interface ether1, VRID 1, Priority 100, Version 2, IP 192.168.1.253, VIP 192.168.1.1
R2: Interface ether1, VRID 1, Priority 50, Version 2, IP 192.168.1.254, VIP 192.168.1.1

207
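Because only the master advertises, the advertisements on a segment are the natural thing to monitor: any device announcing the same VRID with a higher priority would win the election described above and take the VIP. The parser below is an added example, not RouterOS or MikroTik code; it decodes VRRPv2 advertisements using the RFC 3768 packet layout (version/type, VRID, priority, address count, auth type, advertisement interval, checksum, addresses, 8 bytes of authentication data) and compares each one with what the slides configure (VRID 1, master priority 100, VIP 192.168.1.1). The packet bytes are constructed with the included `build_advert` helper, not captured from a lab.

```python
"""Parse and sanity-check VRRPv2 advertisements (RFC 3768 layout).

Added example, not RouterOS code. The master is the only node sending these
(IP protocol 112 to 224.0.0.18, once per advertisement interval), so watching
them is the cheapest way to notice an unexpected device claiming the VRID.
All packet bytes here are constructed, not captured.
"""
import ipaddress
import struct

VRRP_VERSION = 2
VRRP_ADVERTISEMENT = 1
AUTH_NAMES = {0: "none", 1: "simple-text", 2: "ip-ah"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advert(vrid, priority, addrs, adver_int=1, auth_type=0, auth_data=b"\x00" * 8):
    """Encode an advertisement as RFC 3768 lays it out (used only to make sample input)."""
    header = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | VRRP_ADVERTISEMENT,
                         vrid, priority, len(addrs), auth_type, adver_int, 0)
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addrs) + auth_data
    csum = internet_checksum(header + body)
    return header[:6] + struct.pack("!H", csum) + body


def parse_advert(pkt: bytes) -> dict:
    """Decode one VRRPv2 advertisement; raises ValueError on a malformed packet."""
    if len(pkt) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, priority, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if ver_type >> 4 != VRRP_VERSION or ver_type & 0x0F != VRRP_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) < 8 + 4 * count + 8:
        raise ValueError("truncated address list")
    if internet_checksum(pkt) != 0:
        raise ValueError("bad checksum")
    addrs = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": priority, "adver_int": adver_int,
            "auth": AUTH_NAMES.get(auth_type, "unknown"), "addresses": addrs}


def is_valid(pkt: bytes) -> bool:
    """True if the bytes decode as a well-formed advertisement with a good checksum."""
    try:
        parse_advert(pkt)
        return True
    except ValueError:
        return False


def check_advert(adv: dict, expected: dict) -> list:
    """Compare a decoded advertisement with the configuration expected on the segment.

    Returns a list of findings; an empty list means the advertisement matches.
    """
    findings = []
    if adv["vrid"] != expected["vrid"]:
        findings.append("unexpected VRID %d" % adv["vrid"])
    if adv["priority"] > expected["master_priority"]:
        findings.append("priority %d exceeds configured master (%d): another node would win the election"
                        % (adv["priority"], expected["master_priority"]))
    if adv["addresses"] != expected["vips"]:
        findings.append("VIP list %s differs from %s" % (adv["addresses"], expected["vips"]))
    if adv["auth"] == "none":
        findings.append("advertisement carries no authentication")
    return findings


# Expected values taken from the slides (VRID 1, master priority 100, VIP 192.168.1.1).
EXPECTED = {"vrid": 1, "master_priority": 100, "vips": ["192.168.1.1"]}
```

Feeding it a capture of protocol 112 traffic (one call to `parse_advert` per packet) and alerting on a non-empty `check_advert` result gives a simple rogue-master detector for the lab segment; a priority finding means a node other than the configured master would currently hold the VIP, which is worth investigating whether it comes from a misconfigured router or an unknown device.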
VRRP Master Configuration

/interface vrrp add interface=ether1 name=vrrp1 priority=100 version=2

208
VRRP Backup Configuration

/interface vrrp add interface=ether1 name=vrrp1 preemption-mode=no priority=50 version=2

209
VRRP Preemption

• Ability to preempt a virtual router backup that has taken over for a
failing virtual router master with a higher priority virtual router
backup that has become available
• When set to 'no' the backup node will not be elected master until
the current master fails

              R1                    R2
Interface   : ether1                ether1
VRID        : 1                     1
Priority    : 100                   50
Preempt     : Yes                   No
Version     : 2                     2
IP          : 192.168.1.253         192.168.1.254
VIP         : 192.168.1.1           192.168.1.1

210
VRRP + INTERFACE BONDING
211
VRRP + Interface Bonding

• VRRP with Interface Bonding increases the throughput
that the router can achieve
• At the same time it makes the router more resilient to
issues with the interfaces or the network

212
VRRP + Interface Bonding

              R1                    R2
Interface   : bonding1              bonding1
VRID        : 1                     1
Priority    : 100                   50
Version     : 2                     2
IP          : 192.168.1.253         192.168.1.253
VIP         : 192.168.1.1           192.168.1.1

213
Interface Bonding R1

/interface bonding
add lacp-rate=1sec mode=802.3ad name=bonding1 slaves=ether1,ether2 \
    transmit-hash-policy=layer-3-and-4

214
Interface Bonding R2

/interface bonding
add lacp-rate=1sec mode=802.3ad name=bonding1 slaves=ether1,ether2 \
    transmit-hash-policy=layer-3-and-4

215
VRRP Master Configuration

/interface vrrp add interface=bonding1 name=vrrp1 priority=100 version=2

/ip address
add address=192.168.1.253/24 interface=bonding1 network=192.168.1.0
add address=192.168.1.1 interface=vrrp1 network=192.168.1.1

216
VRRP Backup Configuration

/interface vrrp add interface=bonding1 name=vrrp1 preemption-mode=no priority=50 version=2

/ip address
add address=192.168.1.254/24 interface=bonding1 network=192.168.1.0
add address=192.168.1.1 interface=vrrp1 network=192.168.1.1

217
VRRP + Interface Bonding (VLAN)

• Using VRRP + Interface Bonding we can load-balance across
both routers so that each carries active traffic
• By using multiple VLANs, and giving each router the higher
VRRP priority on a different VLAN
• And activating “preempt” mode on the VRRP master

218
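To show how priority and preemption-mode interact during the failover described on the VRRP Preemption slide, and how the per-VLAN priority split above gives each router an active role, here is a small election model in Python. It is an added example, not RouterOS or MikroTik code; it applies the RFC 3768 rules (highest priority wins, ties go to the higher primary address, preemption is decided by the node that would displace a live master) to the router names, priorities and addresses from the slides. Whether a given RouterOS release evaluates the flag exactly this way is an assumption.

```python
"""VRRP master election with priority, preemption and a per-VLAN role split.

Added example (not RouterOS code) modelling the behaviour the slides describe.
Node names, priorities and addresses are the lab values from the slides.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class VrrpNode:
    name: str
    priority: int           # higher wins (100 vs 50 on the slides)
    ip: str                 # primary address on the VRRP interface, used as tie-breaker
    preempt: bool = True    # preemption-mode; False = never displace a live master
    up: bool = True
    state: str = "backup"

    def rank(self):
        return (self.priority, int(ipaddress.IPv4Address(self.ip)))


@dataclass
class VirtualRouter:
    vrid: int
    nodes: list

    def master(self):
        for n in self.nodes:
            if n.up and n.state == "master":
                return n
        return None

    def elect(self) -> str:
        """Run one election round and return the master's name ("none" if all down)."""
        live = [n for n in self.nodes if n.up]
        if not live:
            for n in self.nodes:
                n.state = "backup"
            return "none"
        current = self.master()
        if current is None:
            winner = max(live, key=VrrpNode.rank)       # master lost: best live node takes over
        else:
            # A live master is only displaced by a better node that is allowed to preempt.
            challengers = [n for n in live if n.preempt and n.rank() > current.rank()]
            winner = max(challengers, key=VrrpNode.rank) if challengers else current
        for n in self.nodes:
            n.state = "master" if n is winner else "backup"
        return winner.name


def failover_sequence(master_preempts: bool) -> list:
    """R1 (priority 100) fails and returns while R2 (priority 50) holds the VIP."""
    r1 = VrrpNode("R1", 100, "192.168.1.253", preempt=master_preempts)
    r2 = VrrpNode("R2", 50, "192.168.1.254", preempt=False)
    vr = VirtualRouter(1, [r1, r2])
    history = [vr.elect()]      # steady state
    r1.up = False
    history.append(vr.elect())  # R1 fails
    r1.up = True
    history.append(vr.elect())  # R1 returns
    return history


def vlan_split() -> dict:
    """The active/active layout from the slides: each router is master for one VLAN."""
    vr11 = VirtualRouter(11, [VrrpNode("R1", 100, "192.168.11.253"),
                              VrrpNode("R2", 50, "192.168.11.254", preempt=False)])
    vr12 = VirtualRouter(12, [VrrpNode("R1", 50, "192.168.12.253", preempt=False),
                              VrrpNode("R2", 100, "192.168.12.254")])
    return {"vlan11": vr11.elect(), "vlan12": vr12.elect()}


if __name__ == "__main__":
    print("preempt on R1 :", failover_sequence(True))    # R1 takes the VIP back
    print("preempt off   :", failover_sequence(False))   # R2 keeps it until it fails
    print("VLAN split    :", vlan_split())
```

One point the model makes visible: preemption-mode=no on R2 (priority 50), as configured on the slides, never changes the outcome, because R2 would not outrank R1 anyway. The setting matters on the higher-priority router, where it decides whether a node returning from an outage takes the VIP back immediately (one more gateway change for every client) or waits until the current master fails.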
VRRP + Interface Bonding (VLAN)

              R1                    R2
Interface   : vlan11                vlan11
VRID        : 11                    1
Priority    : 100                   50
Version     : 2                     2
IP          : 192.168.11.253        192.168.11.254
VIP         : 192.168.11.1          192.168.11.1

Interface   : vlan12                vlan12
VRID        : 12                    12
Priority    : 50                    100
Version     : 2                     2
IP          : 192.168.12.253        192.168.12.254
VIP         : 192.168.12.1          192.168.12.1

219
Interface Bonding R1

/interface bonding
add lacp-rate=1sec mode=802.3ad name=bonding1 slaves=ether1,ether2 \
    transmit-hash-policy=layer-3-and-4

220
Interface Bonding R2

/interface bonding
add lacp-rate=1sec mode=802.3ad name=bonding1 slaves=ether1,ether2 \
    transmit-hash-policy=layer-3-and-4

221
VLAN Interface R1

/interface vlan
add interface=bonding1 mtu=1496 name=vlan11 vlan-id=11
add interface=bonding1 mtu=1496 name=vlan12 vlan-id=12

222
VLAN Interface R2

/interface vlan
add interface=bonding1 mtu=1496 name=vlan11 vlan-id=11
add interface=bonding1 mtu=1496 name=vlan12 vlan-id=12

223
VRRP R1 Configuration

/interface vrrp
add interface=vlan11 name=vrrp-vlan11 priority=100 version=2 vrid=11
add interface=vlan12 name=vrrp-vlan12 preemption-mode=no priority=50 version=2 vrid=12

224
VRRP R2 Configuration

/interface vrrp
add interface=vlan11 name=vrrp-vlan11 preemption-mode=no priority=50 version=2 vrid=11
add interface=vlan12 name=vrrp-vlan12 priority=100 version=2 vrid=12

225
IP Addressing R1

/ip address
add address=192.168.11.253/24 interface=vlan11 network=192.168.11.0
add address=192.168.12.253/24 interface=vlan12 network=192.168.12.0
add address=192.168.11.1 interface=vrrp-vlan11 network=192.168.11.1
add address=192.168.12.1 interface=vrrp-vlan12 network=192.168.12.1

226
IP Addressing R2

/ip address
add address=192.168.11.254/24 interface=vlan11 network=192.168.11.0
add address=192.168.12.254/24 interface=vlan12 network=192.168.12.0
add address=192.168.11.1 interface=vrrp-vlan11 network=192.168.11.1
add address=192.168.12.1 interface=vrrp-vlan12 network=192.168.12.1

227
MTCASE
SUMMARY

228
Certification Test

• If needed, reset the router configuration and restore from a
backup
• Make sure that you have access to the
www.mikrotik.com training portal
• Login with your account
• Choose my training sessions
• Good luck!

229
Thank You!

Thank you
José Manuel Román Fernández Checa
and
Fajar Nugroho
for creating and sharing the initial version
of the MTCASE course materials.

230
