3com 3031 Installation Instructions
Security Authentication Before Route Information Exchange
Figure 191 illustrates the elements a packet filter selects from an IP packet for its
decision making, given that the upper layer carried by IP is TCP/UDP.
Figure 191 Packet filtering elements
Most packet filter systems do not operate on the data payload itself and do not perform
content-based filtering.
ACL
Before the system can filter packets, you must configure rules in ACLs
to specify the types of packets that are allowed or denied.
A user should configure an ACL according to the security policy and apply it to a
particular interface or to the whole device. After that, the router examines all
packets on that interface (or on all interfaces) against the ACL and makes a
forward/discard decision for every packet that matches a rule. In this way, it plays
the role of a firewall.
The ACL for packet filtering and the complicated traffic classification rules for QoS
are processed together. Their fundamentals and operation are the same
except for the actions taken after a match.
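As an added example (not code from the 3Com manual), the following Python models the ACL decision described above: every rule is evaluated only on the Figure 191 elements (source/destination IP addresses, protocol, destination port), the first matching rule decides forward or discard, an unmatched packet is discarded, and the payload is deliberately never inspected. The addresses, rules and packets are constructed sample data, and the rule fields are an assumed simplification of a real ACL syntax.

```python
# Added example, not from the 3Com manual: an ACL-style packet filter that
# decides on the Figure 191 elements only and never inspects the payload.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str            # "tcp" or "udp"
    src_port: int
    dst_port: int
    payload: bytes = b""  # carried, but ignored by the filter


@dataclass
class Rule:
    action: str                       # "permit" or "deny"
    src_net: str = "0.0.0.0/0"        # "any" is written as the zero prefix
    dst_net: str = "0.0.0.0/0"
    proto: Optional[str] = None       # None matches any protocol
    dst_port: Optional[int] = None    # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(self.dst_net)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


def filter_packet(acl: List[Rule], pkt: Packet) -> str:
    """Return 'forward' or 'discard'. First matching rule wins; no match means discard."""
    for rule in acl:
        if rule.matches(pkt):
            return "forward" if rule.action == "permit" else "discard"
    return "discard"  # implicit deny at the end of the ACL


# Constructed sample policy (hypothetical addresses): block one host, allow HTTP and
# HTTPS from the 10.1.0.0/16 site to server 192.0.2.10, discard everything else.
# Rule order matters: the deny rule is placed first so it cannot be shadowed.
ACL = [
    Rule("deny", src_net="10.1.5.7/32"),
    Rule("permit", src_net="10.1.0.0/16", dst_net="192.0.2.10/32", proto="tcp", dst_port=80),
    Rule("permit", src_net="10.1.0.0/16", dst_net="192.0.2.10/32", proto="tcp", dst_port=443),
]

if __name__ == "__main__":
    print(filter_packet(ACL, Packet("10.1.2.3", "192.0.2.10", "tcp", 40000, 443)))  # forward
```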
Security Authentication Before Route Information Exchange
As far as a backbone router is concerned, a correctly managed route forwarding
table is essential to its proper operation. Maintenance of the route forwarding
table depends on the dynamic exchange of route information between
neighboring routers.
Necessity of implementing security authentication before route
information exchange
Because neighboring routers on a network exchange a large volume of route
information, a router may receive route information that attacks network
equipment, sent from unreliable routers. If the route authentication function is
available, a router can authenticate the route update packets received from
neighboring routers and so accept only reliable route information.
Authentication Implementation
The routers exchanging route information share the same password key, which is
sent along with the route information packets. A router receiving route
information authenticates the packets by verifying the password key they carry.
If the key carried by a packet is the same as the shared password key, the packet
is accepted; if not, it is discarded.
Figure 191 Packet filtering elements: IP header (source/destination IP addresses), TCP/UDP header (source/destination ports), application layer header and data (application layer traffic).