Planning, Implementing, and Maintaining Routing and Remote Access


Routing is the process of taking data from one network and sending it to another network.

A static routing environment is one in which all routing entries in a routing table are entered manually. In other words, if you want the router to know that the destination for all traffic is not local to the subnet that the router is connected to, you must manually enter the route into the router's table so it can be used.

You create a dynamic routing table with a routing protocol such as Routing Information Protocol (RIP) or Open Shortest Path First (OSPF). Understanding the routing table first is key to understanding the protocol because the protocol is responsible for building the table for you from information it is configured to learn. In other words, if you turn on RIP, the router builds a table from information it learns from other routers that are adjacent to it.

Routing tables are used to compute the next hop for a packet. Remember that a routing table entry must have two fields: the IP prefix and the next hop address, and the next hop address must be valid. The router forwarding the packet must be able to reach that next hop address; it must be connected to it, or the route will not work. Lastly, if there is no match (a packet comes in and no routing table entry matches its destination), the packet is discarded, and the sender will most likely receive an Internet Control Message Protocol (ICMP) notification that the destination host was unreachable.
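As an added example (not from the book), here is a small Python model of the table just described: entries of IP prefix plus next hop, a next hop that must lie on a connected subnet to be valid, longest-prefix selection, a default route, and a discard with ICMP unreachable when nothing matches. The interface names, addresses and routes are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample: a router with two directly connected subnets.
CONNECTED: Dict[str, ipaddress.IPv4Network] = {
    "eth0": ipaddress.ip_network("192.168.1.0/24"),
    "eth1": ipaddress.ip_network("10.1.0.0/16"),
}


class RoutingTable:
    """Static routing table: each entry is (IP prefix, next hop, interface).
    A next hop of None means the prefix is directly connected."""

    def __init__(self, connected: Dict[str, ipaddress.IPv4Network]) -> None:
        self.connected = connected
        self.routes: List[Tuple[ipaddress.IPv4Network, Optional[ipaddress.IPv4Address], str]] = [
            (net, None, ifname) for ifname, net in connected.items()
        ]

    def add_static(self, prefix: str, next_hop: str) -> None:
        """Manually enter a route. The next hop must be valid, meaning it lies on a
        subnet this router is connected to; otherwise the entry can never be used."""
        net = ipaddress.ip_network(prefix)
        gw = ipaddress.ip_address(next_hop)
        for ifname, local in self.connected.items():
            if gw in local:
                self.routes.append((net, gw, ifname))
                return
        raise ValueError(f"next hop {gw} is not reachable from any connected subnet")

    def lookup(self, destination: str) -> Tuple[str, Optional[str], Optional[str]]:
        """Compute the next hop for a packet: the most specific (longest) matching
        prefix wins, a 0.0.0.0/0 default route matches last, and with no match at
        all the packet is discarded and an ICMP destination unreachable is generated."""
        dst = ipaddress.ip_address(destination)
        best = None
        for net, gw, ifname in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, ifname)
        if best is None:
            return ("discard", None, "icmp destination unreachable")
        net, gw, ifname = best
        # Directly connected: deliver to the destination itself on that interface.
        return ("forward", str(gw) if gw is not None else str(dst), ifname)


def build_sample_table(with_default: bool = False) -> RoutingTable:
    """Constructed routes: a /16 and a more specific /24 inside it, plus an
    optional default route back toward the core, as a branch router would have."""
    rt = RoutingTable(CONNECTED)
    rt.add_static("172.16.0.0/16", "10.1.0.254")
    rt.add_static("172.16.5.0/24", "10.1.0.253")
    if with_default:
        rt.add_static("0.0.0.0/0", "10.1.0.254")
    return rt
```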

Following are some pros and cons of the different routing types:

  • Static routing is tedious. You must know exactly what you want to do because any mistake causes the router either to not work properly or to make routing errors.

  • You may want to implement static routing if you have only a few routes to maintain. Remember, each time a packet enters the router, the router needs to process it, so tables that are very long can cause the router to take longer to make a routing decision, which in turn could slow down your network. When you use dynamic routing protocols, it is possible to have a router learn as many as hundreds of routes, depending on network size.

  • Static routes are more secure because only a few required routes are in the table, so no one can see too much information. In this case, if the router is compromised by an attacker, he or she cannot glean too much information from your compromised router. The attacker may know only a default route back to the core network, for example; whereas if the attacker compromises a core router with 300 networks in the table, he or she can map your whole network from that one router.

  • Dynamic routing is easy to configure and, once configured, is easy to maintain. If changes are made to the network, more than likely the routers will learn the changes, and they can quickly establish convergence on the network. Convergence occurs when all routers know all other routers on the network, and the topology is accurate.

  • Dynamic routing is becoming more secure as more and more routing protocols provide ways to encrypt and authenticate updates between peers. However, configuring dynamic routes requires that the administrator have a greater level of knowledge and experience than when configuring static routes.

A Link State routing protocol ensures that each router on the network maintains a map of the network. For example, say one of your WAN links has a problem that results in two routers losing contact with each other. Both can (through the routing protocol) adjust for the loss of the link between them because they are programmed to do so. When a router's link fails, the router senses the loss of carrier on the line and then, through the routing protocol, sends updates to its adjacent routers so that they all know the link is down and the IP subnet it served is no longer available as a destination. When a network link changes state (up to down, or vice versa), a notification called a link state advertisement (LSA) is flooded throughout the network. Routers all over the network process this change and adjust their routing tables accordingly. Another configurable option of Link State protocols is that they can use something other than hop count to determine their path through the network. A Link State protocol can decide that a path through more routers is quicker if the available bandwidth is higher, instead of choosing the path deemed shortest solely by how many routers away the destination is.

Distance Vector protocols are easy to configure and maintain, but not as reliable or efficient as Link State protocols. Distance Vector protocols (such as RIP) allow for simple design and easy maintenance, but your bandwidth may suffer as a result. A Distance Vector protocol lets every router that is configured to use it inform every other adjacent router of its entire routing table. This means that each router on the network gets a full routing table from each neighboring router. These tables are used to create a metric based on hop count. Each router knows how far it is to another subnet in the network so that when incoming packets (when the router strips the header and reads the destination address) are read, the router will know the quickest way to get the packet there.

RIP is a Distance Vector routing protocol. Following are some details about RIP:

  • RIP is limited to 15 router hops, with 16 hops being infinity. What does this mean? Picture a LAN with a PC that needs to communicate with a server on another LAN that is 15 routers away. The routers keep a list of which subnets are no more than 15 routers away, and if you try to expand the network so that a destination is 16 routers away, communications do not happen. Remember, you have a 15-hop maximum between networks, and the 16th hop is deemed infinity.

  • RIP has problems with subnetted networks. In Chapter 2, we briefly covered what subnetted networks would resemble in your design. RIP was created and deployed before networks were subnetted to the degree that they are today, and because RIP has no direct support for subnets, it cannot carry your subnet information. It really comes down to the information that each router sends to the others and what that packet contains. If the routing update does not contain a field for the subnet mask, it cannot carry the information you may need it to. In other words, RIP looks at the prefix of the IP address in the routing update and determines only whether it is Class A, B, or C, and nothing more. If you subnet, your subnet will not be supported, because RIP understands only that if a route for an IP address such as 10.0.0.1 comes in, it is automatically assigned a subnet mask of 255.0.0.0, even if you have it subnetted down to 255.255.255.0.

  • RIP is bandwidth intensive, and although that isn't a problem on most networks, a smaller network with WAN links that are set small (such as Frame Relay links set with a 32KB committed information rate) could feel the effect of constant broadcasts every 30 seconds, especially if the routing table is large. If the routing table is too large, more than one update packet could be needed every 30 seconds, making it even more bandwidth intensive. For the 70-293 exam, remember that, by default, RIP broadcasts to its neighbors every 30 seconds the lists of networks and subnets it can reach.

  • RIP is not very secure. RIP contains no security features or configurable parameters to make it secure. Other protocols used today have configurable parameters to make them more secure; however, RIP does not contain any solution to make it secure by default.

RIP2, or RIP version 2, was created for RIP users to overcome problems with security. This version adds an option for authentication to the RIP packet as well as adding support for subnetted networks and allows for variable length subnetted networks to be passed through routing updates.
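The classful behavior described above and RIP's hop-count limit, worked through in Python as an added example that is not part of the book: a RIP v1 update with no mask field collapses subnets onto their class network, the same update processed as RIP v2 keeps the masks, and any route whose metric reaches 16 is treated as unreachable. The update entries are constructed sample values.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

RIP_INFINITY = 16  # a metric of 16 means unreachable; 15 hops is the maximum


def classful_network(addr: str) -> ipaddress.IPv4Network:
    """What a RIP v1 router assumes when an update carries no mask: the class
    of the first octet decides the mask (A /8, B /16, C /24) and nothing more."""
    first = int(addr.split(".")[0])
    if first < 128:
        plen = 8
    elif first < 192:
        plen = 16
    elif first < 224:
        plen = 24
    else:
        raise ValueError(f"{addr} is not a Class A, B or C address")
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def learn_routes(version: int, entries: List[Tuple[str, Optional[str], int]]) -> Dict[str, int]:
    """Process one RIP update from an adjacent router.

    entries: (network address, subnet mask or None, metric advertised by the neighbour).
    RIP v1 entries carry no mask, so the classful mask is assumed; RIP v2 uses the
    mask in the entry. Our cost is the neighbour's metric plus one hop, and any route
    that reaches 16 is infinity and is not installed."""
    learned: Dict[str, int] = {}
    for addr, mask, metric in entries:
        if version == 1 or mask is None:
            net = classful_network(addr)
        else:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        cost = min(metric + 1, RIP_INFINITY)
        if cost >= RIP_INFINITY:
            continue  # unreachable: drop rather than install
        key = str(net)
        # Several /24s collapse onto one class network under v1; keep the best metric.
        if key not in learned or cost < learned[key]:
            learned[key] = cost
    return learned


# Constructed update: three subnetted networks plus one route already 15 hops away.
SAMPLE_UPDATE = [
    ("10.0.1.0", "255.255.255.0", 1),
    ("10.0.2.0", "255.255.255.0", 3),
    ("172.16.8.0", "255.255.255.0", 2),
    ("192.168.50.0", "255.255.255.0", 15),
]
```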

Open Shortest Path First (OSPF) is a Link State-based, nonproprietary routing protocol. Following are some details about OSPF:

  • OSPF is highly scalable. You will be hard pressed to build (or support) a network large enough to outdo OSPF. OSPF was designed to work in very large networks, and it works very well at that. It does not have a hop count restriction as RIP does. With OSPF's use of areas and a subdivided domain, the design possibilities are almost seemingly infinite.

  • With RIP, you cannot use subnetted networks; with OSPF, you can.

  • With OSPF, your bandwidth is spared. With RIP, an entire routing table is broadcast from every router on the network every 30 seconds. With OSPF (in stable environments that do not suffer from many changes), packets (called hello packets) are sent out intermittently to verify links between adjacent routers. This way, less bandwidth is used, and a major update check is performed only every 30 minutes.

OSPF divides the network (what it considers a routing domain) into areas. An area is a subdivision of the entire network and is given a label. Area 0 (zero) is considered the backbone of an OSPF network. If your network is small enough, you can set up the entire network to use Area 0. Understanding the backbone's role is very important: if the network becomes more subdivided (say you have three areas, including Area 0), all traffic that must travel between areas is first routed to the backbone, or Area 0. When you plan a network this way, the design keeps subnets consolidated to areas, thus reducing the size of the link state database that is updated on every router in an OSPF network. This keeps your OSPF network running optimally.

Following is some other important information to remember about OSPF:

  • OSPF sends out hello packets to each adjacent router connected to the network. OSPF uses hello packets to verify that the network is always ready to work as advertised. These hellos are sent out of every router interface every 10 seconds but are so small in size that they do not affect your available bandwidth.

  • Link state advertisements provide other functionality, such as providing a solution for a scenario in which a router does not hear from its neighboring router for more than 40 seconds. The router then sends out LSAs marking the other router as down so that all the other routers can adjust their tables with the change.

  • Hellos can be adjusted. A hello has a timer value that, when configured properly throughout the OSPF network, allows proper and accurate communications to take place. It is important to know that if a hello timer is misconfigured (not all timers are identical), problems can occur. Make sure that when you plan an OSPF network, you ensure that all the hello timers match. They must all be consistent across all routers on a network segment.

  • Because LSAs age, it is important to get a refreshed routing table (or database) from a neighboring router just in case anything has changed. If nothing has changed on a particular router for 30 minutes, the router flushes its information and seeks an updated database from its adjacent routers. This means that the network reconverges every 30 minutes, a far cry from the forced reconvergence in a RIP network every 30 seconds!
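An added example, not from the book, that models the hello and dead timers described above in Python: neighbours are tracked from a constructed hello log, a neighbour silent for 40 seconds is marked down and an LSA is generated, and a helper checks that two routers' timers (and area) agree before an adjacency can form. The router IDs, timer dictionary keys and log are the example's own.

```python
from typing import Dict, List, Tuple

HELLO_INTERVAL = 10  # seconds between hellos on each interface (page value)
DEAD_INTERVAL = 40   # seconds without a hello before the neighbour is declared down

# Constructed hello log for one interface: (seconds, neighbour router ID).
# Router 2.2.2.2 falls silent after t=20; 3.3.3.3 keeps sending every 10 s.
SAMPLE_HELLOS: List[Tuple[int, str]] = sorted(
    [(t, "3.3.3.3") for t in range(0, 61, HELLO_INTERVAL)]
    + [(t, "2.2.2.2") for t in range(0, 21, HELLO_INTERVAL)]
)


def neighbour_states(hellos: List[Tuple[int, str]], now: int) -> Tuple[Dict[str, str], List[str]]:
    """Return each neighbour's state at time `now` and the LSAs this router would
    flood. A neighbour is "up" while a hello arrived within DEAD_INTERVAL; once the
    dead timer expires it is "down" and a router LSA withdraws the link."""
    last_seen: Dict[str, int] = {}
    for t, rid in hellos:
        if t <= now:
            last_seen[rid] = max(t, last_seen.get(rid, t))
    states: Dict[str, str] = {}
    lsas: List[str] = []
    for rid, t in sorted(last_seen.items()):
        if now - t >= DEAD_INTERVAL:
            states[rid] = "down"
            lsas.append(f"LSA: link to {rid} down (last hello at t={t})")
        else:
            states[rid] = "up"
    return states, lsas


def adjacency_possible(local: Dict[str, int], remote: Dict[str, int]) -> Tuple[bool, List[str]]:
    """Two routers on a segment form an adjacency only if their hello and dead
    intervals (and area) agree; a mismatched timer means the hellos are ignored
    and the neighbour never comes up. The dictionary keys are this example's own."""
    problems = [
        f"{key} mismatch: local={local[key]} remote={remote[key]}"
        for key in ("hello", "dead", "area")
        if local[key] != remote[key]
    ]
    return (not problems), problems
```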

Three forms of traffic traverse a network:

  • Unicast: When a single node on the network sends data to its destination node in a single transmission, it knows where the destination node is and gets the data to it. Remember uni as meaning a single transmission.

  • Broadcast: Broadcasting (think of the word broad) occurs when the destination is not known or cannot be found, and the node that needs to find the destination sends packets to all nodes on the network segment to see whether it can find its destination node. This process is conducive to increased traffic, collisions on hubbed networks, and so on. Broadcasts are at times a necessary evil, but most of the time you should prevent them from happening often or control their number. Basically, broadcast traffic adds overhead to your network (bandwidth utilization) and its devices (processing packets they don't need to look at).

  • Multicast: Multicast is the happy medium but can still cause problems. A multicast transmission is based on a group. In simple terms, think of 20 nodes on a network, 5 of which need to communicate at all times and 15 of which never need to know what the other 5 are doing. Say these nodes are OSPF routers. OSPF routers send updates to each other via multicast, so you might ask, "What about devices that do not need to know this information?" If you use a multicast address such as 224.0.0.5 (the all-OSPF-routers multicast address) for OSPF-based networks, only those devices listen for transmissions from other nodes using this service. This reduces the problems caused by broadcast traffic and enables one sender to get information to multiple (group) nodes without that message going to every node on the network. Consequently, multicasting is good, but as with any other technology, it can cause problems as well or require an advanced level of administration to make it work properly.

Considering multicast routing is very important because your network must be able to build packet distribution trees that allow sources to send packets to all receivers. These trees are meant to make certain that each packet on the network exists one time only and is found only on a specific network. If this limitation did not exist, you would have problems with IP multicast routing. Also, multicast routing, which is the propagation of multicast listening information, is provided by multicast routing protocols such as Distance Vector Multicast Routing Protocol (DVMRP) and Multicast Open Shortest Path First (MOSPF), which is an extension to OSPF that allows it to support IP multicasting. Such protocols ease manual configuration of VPN- and OSPF-based networks and are becoming the standard for these types of networks.

The Internet Group Management Protocol (IGMP) is an Internet protocol that allows nodes that are configured to use it to communicate as a group instead of individually. IGMP allows a node to report its multicast group membership (the group to which it is assigned) to adjacent routers. Multicasting allows a node to send data to many other nodes that have also identified themselves as being part of that group. This cuts down on broadcast traffic and bandwidth consumption. IGMP is detailed in RFC 2236.

When you want to access a network remotely, you must provide credentials. If you did not, security would not exist, and anyone could freely enter your network and exploit it. Based on this fact, you could say that Windows Server 2003 handles network access authorization based on account dial-in properties as well as remote access policies. Remote access policies are sets of rules (applied in order) that define how incoming requests for authentication are handled: either accepted or rejected. Each policy is made up of profile settings and a remote access permissions setting.
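An added Python example, not the book's own, of how such an ordered policy set is evaluated: the first policy whose conditions all match decides, the account's dial-in property (allow, deny, or control through policy) is applied to that result, and an attempt matching no policy is rejected. The policy names, condition attributes and profile settings are constructed; the precedence of the dial-in property over the policy permission follows the Windows Server 2003 model and is assumed here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RemoteAccessPolicy:
    """One policy: conditions that must all match, the permission it grants or
    denies, and the profile settings applied to a connection it accepts."""
    name: str
    conditions: Dict[str, str]
    permission: str                       # "grant" or "deny"
    profile: Dict[str, object] = field(default_factory=dict)

    def matches(self, attempt: Dict[str, str]) -> bool:
        return all(attempt.get(k) == v for k, v in self.conditions.items())


def authorize(attempt: Dict[str, str], account: Dict[str, str],
              policies: List[RemoteAccessPolicy]) -> Tuple[str, Optional[str], Dict[str, object]]:
    """Evaluate a connection attempt: policies are tried in order and the first one
    whose conditions all match decides. The account's dial-in property then applies
    (assumed Windows Server 2003 precedence): "allow" or "deny" overrides the policy's
    permission, while "policy" (control access through policy) defers to it.
    If no policy matches at all, the attempt is rejected."""
    for policy in policies:
        if not policy.matches(attempt):
            continue
        dial_in = account["dial_in"]
        if dial_in == "deny":
            return ("rejected", policy.name, {})
        if dial_in == "allow" or policy.permission == "grant":
            return ("accepted", policy.name, dict(policy.profile))
        return ("rejected", policy.name, {})
    return ("rejected", None, {})


# Constructed policy set, in evaluation order: refuse the weak protocol first,
# then grant to known groups with a profile that carries the connection settings.
SAMPLE_POLICIES = [
    RemoteAccessPolicy("Refuse SPAP", {"auth": "SPAP"}, "deny"),
    RemoteAccessPolicy("VPN admins", {"group": "VPN-Admins", "auth": "EAP-TLS"}, "grant",
                       {"encryption": "strongest", "idle_timeout_min": 30}),
    RemoteAccessPolicy("Employees", {"group": "Employees"}, "grant",
                       {"encryption": "strong", "idle_timeout_min": 15}),
]
```

Note that an account whose dial-in property is set to allow is accepted even when the matching policy is "Refuse SPAP"; only accounts set to control access through policy let the policy's own permission decide.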

Windows Server 2003 includes a new feature called Network Access Quarantine Control. This feature allows a remote access connection attempt to the Remote Access Server (RAS) to be delayed until a script that verifies the configuration of the remote access computer runs. The connection attempt goes into quarantine until verified. The actual process is as follows: When a remote computer attempts to connect to the Remote Access Server, the computer is assigned an IP address to participate on the network. Then the user credentials are verified and authenticated, but the connection stays in quarantine until the remote computer is verified against the script. The script runs, and after it completes and its results are verified, the server hosting the quarantine releases the connection. Network Access Quarantine Control is one of the newest features of Remote Access Security provided by default with Windows Server 2003.

Windows Server 2003 also provides Secure User Authentication. This means that security is obtained from the encrypted user credentials that are exchanged when you try to connect to a system. This can be done via the Point-to-Point Protocol (PPP) and its authentication-based protocols such as Extensible Authentication Protocol (EAP), Challenge Handshake Authentication Protocol (CHAP), and others. You can configure your Windows Server 2003 Remote Access Server to require specific secure authentication methods. The connection attempt is denied if the authentication credentials are not met.

EAP is a commonly used protocol on networks today; it is good at authenticating. EAP provides an authentication framework in which the authentication scheme to be used is negotiated by the remote access client and the authenticator, which could be either the Remote Access Server or a RADIUS server. Windows Server 2003 Routing and Remote Access (RRAS) includes support for EAP-TLS by default; TLS stands for Transport Layer Security. EAP-TLS is one EAP type, much like the wireless access protocol called LEAP provided by Cisco Systems. There are many types of EAP; they all perform similar functions, such as authentication, but use different methods to do so.

Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is a nonreversible, encrypted password authentication protocol. MS-CHAP allows you to use Microsoft Point-to-Point Encryption (MPPE), which allows you to encrypt the data as well.

Version 2 of the MS-CHAP protocol provides stronger security for remote access connection attempts to your Remote Access Server. MS-CHAP version 2 solves a major issue with the cryptographically weak LAN Manager encoding used for backward compatibility and password changes, because that backward compatibility is no longer supported. This way, you don't have problems with crypto-based attacks on your networks that may break your security posture. It is for reasons such as this that you should opt to use version 2 over version 1.

Version 2 also solves other problems with version 1; for example, version 2 stops one-way authentication, which allows masquerading attacks on your Remote Access Server. Because two-way authentication is not available with version 1, such attacks are possible because the client that is trying to connect to a network remotely does not know whether it is dialing into the company's Remote Access Server or perhaps another server, one used for malicious intent. Again, you should use version 2 rather than version 1. MS-CHAP v2 provides two-way authentication, which is also called mutual authentication.

Challenge Handshake Authentication Protocol (CHAP) uses the industry standard Message Digest 5 (MD5) protocol. MD5 is a hashing scheme that encrypts your data in transit over the remote access network. CHAP does not allow you to change passwords during the authentication process, which may be a major issue, and one of the major reasons you would not want to include CHAP as part of your network.

The Shiva Password Authentication Protocol (SPAP) is an authentication protocol provided by a Shiva LAN Rover. If a Shiva client tries to connect to a Windows Server 2003 Remote Access Server, or a Windows client (such as XP) connects to a Shiva LAN Rover, SPAP is used. Because Shiva was prominent in the remote access market at one time, it is wise to include this support. Because SPAP is used for cross-platform connectivity, it is not as secure as CHAP or even MS-CHAP. SPAP is even open to replay attacks (such attacks occur when data packets are captured in transit, examined, and then replayed to the server to gain access) because the same user password is always sent over the network in the same reversibly encrypted way each time. You should use SPAP only when you absolutely have to.

Routers keep routing tables. You can edit routing tables because if you use static routes, you have to enter them yourself, maintain them, and so on. You can use the RRAS console to manipulate this data, but nothing is faster or easier than using the route command. Within seconds, you can add a route in the routing table, adjust one, or take one out.



MCSE Windows Server 2003 Network Infrastructure (Exam 70-293)
MCSE 70-293 Exam Prep: Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure (2nd Edition)
ISBN: 0789736500
Year: 2003
Pages: 151
Authors: Will Schmied
