- Secure Operating System
- Securing Access to the Router
- Securing the Forwarding Plane
- Summary
- References
Securing Access to the Router
You can access an IOS XR router by using the physical console and auxiliary ports or using the logical vty ports. The console port helps create a terminal session with the router using the standard RS-232 asynchronous serial communications using a commonly found RJ-45 connection. Console ports help configure the router for the first time when it has no configuration and it is advisable to maintain a console connection to the router to aid in debugging or disaster recovery. The auxiliary (aux) port natively runs the Korn Shell (ksh) as its mode of operation. In addition to the physical asynchronous serial ports, IOS XR natively supports router access through 100 vty ports from the range 0 to 99. Furthermore, IOS XR by default enables vty ports in the range 100 to 106 for the embedded event manager (EEM) scripts. This section talks about the access security of the router using local and external AAA.
AAA authentication commands are defined in Cisco IOS XR to verify a user who attempts to access the system. Cisco IOS XR performs authentication by comparing the incoming user ID and password with what is stored in a security database.
AAA authorization is supported in Cisco IOS XR. It maintains the capability to create audit trails by recording user’s actions if specified to do so in Cisco IOS XR.
AAA accounting is the process of tracking user activity and the amount of resources being consumed. Cisco IOS XR provides a method of collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, and the executed commands on the router. Cisco IOS XR software supports both the TACACS+ and RADIUS methods of accounting.
Cisco IOS XR operating software maintains two resource management planes from a router access perspective:
- Admin plane
- Secure domain router (SDR) plane
The admin plane consists of resources shared across all secure domain routers. On the other hand, the SDR plane consists of those resources specific to the particular SDR.
IOS XR router security involves concepts of user and task groups. The concepts of user group, task group, and inheritance are important for the understanding of command permissions. These topics will be discussed in more detail later in this chapter. External AAA using TACACS+ and RADIUS are standard access security features. These features will also be illustrated with configuration examples in future sections of this chapter. Configuration examples are provided for Secure Shell (SSH) configurations along with useful show commands.
IOS XR MPP provides the network administrator with the flexibility to restrict interfaces on which network management packets are allowed to enter a device. MPP discussion and examples are a forthcoming topic in this chapter.
Admin Plane
The admin plane maintains responsibility for the owner SDR, and certain administrative responsibilities for all other nonowner SDRs. These functions include user control over power, fan-trays, fabric modules, and environmental aspects of the router required to maintain normal operations. The admin plane is accessible only to a type of user known as the root-system user. IOS XR requires configuration of a root-system user using the initial setup dialog. IOS XR router does not allow the system to operate without a user group configuration. If all users and external AAA configurations get deleted, IOS XR prompts the next logged-in user for a new username and password.
SDR Plane
As mentioned in the preceding section, the root-system user has the highest level of privilege for the router operation. This user has the ability to provision SDRs and create root SDR users. After being created, root-lr (the abbreviation lr in root-lr stands for logical router) users take most of the responsibilities from the root-system user for the SDR. The root-lr user is the equivalent of root-system user from an SDR perspective and has jurisdiction only for the particular SDR on which it is defined. A detailed discussion of SDR plane is included in Chapter 11, “Secure Domain Router.”
User Groups and Task Groups
Before getting into the details of AAA configuration, this section acquaints you with the concepts of user groups, task groups, and task IDs. The user group concept in IOS XR relates to a group of users with common characteristics. A user that logs in to an IOS XR router may have one or more preconfigured user groups assigned to it. Some user groups are precreated by default and others may be defined via configuration. Table 6-1 lists the predefined user and task groups in IOS XR.
Table 6-1. Predefined User Groups
User Groups and Task Groups |
Purpose |
cisco-support |
Used by Cisco Support Team. Provides access to troubleshooting commands. |
netadmin |
Provides the ability to control and monitor all system- and network-related parameters. |
operator |
Provides very basic user privileges. |
root-lr |
Provides the ability to control and monitor the specific SDR. |
root-system |
Provides the ability to control and monitor the entire system. |
sysadmin |
Provides the ability to control and monitor all system parameters but cannot configure network protocols. |
serviceadmin |
Provides the ability to administer session border controllers. |
In addition to the predefined task groups, IOS XR provides the ability to custom create task groups consisting of individual tasks. Tasks, in turn, contain a collection of task IDs that define actions such as READ, WRITE, EXECUTE, or DEBUG (R/W/E/D).
The following list elaborates the R/W/E/D task IDs:
- R: Permits only a read operation
- W: Permits a change (or write) operation and allows an implicit read
- E: Permits an access operation (or execution), such as ping or Telnet
- D: Permits a debug operation
The concept of tasks, task groups, and task IDs might sound confusing. An example can elucidate this new concept. Suppose a network administrator wants to create a user group called igp-admin that has the capability to execute the following tasks:
- Run debug commands for bundle interfaces
- Carry out all configuration and monitoring tasks related to OSPF
- Run only debug and show commands for MPLS TE
Example 6-1 illustrates the steps needed to meet the preceding requirements.
Example 6-1. Creating User Groups and Task Groups
! A taskgroup igp-admin is created, the following show command depicts the task- group igp-admin ! RP/0/RP0/CPU0:CRS1-1#show running-config taskgroup igp-admin taskgroup igp-admin task read ospf task read mpls-te task write ospf task execute ospf task debug ospf task debug bundle description OSPF Administrator ! Create a usergroup called igp-admin RP/0/RP0/CPU0:CRS1-1(config)#usergroup igp-admin RP/0/RP0/CPU0:CRS1-1(config-ug)#taskgroup igp-admin RP/0/RP0/CPU0:CRS1-1(config-ug)#commit RP/0/RP0/CPU0:CRS1-1(config-ug)#exit ! ! Use the following show command to verify the user-group igp-admin RP/0/RP0/CPU0:CRS1-1#show running-config usergroup igp-admin usergroup igp-admin taskgroup igp-admin ! ! Create a username called igpadmin and configure a secret RP/0/RP0/CPU0:CRS1-1(config)#username igpadmin RP/0/RP0/CPU0:CRS1-1(config-un)#group igp-admin RP/0/RP0/CPU0:CRS1-1(config-un)#secret cisco RP/0/RP0/CPU0:CRS1-1(config-un)#commit ! ! The following show command verifies the creation of the user-group igpadmin ! RP/0/RP0/CPU0:CRS1-1#show running-config username igpadmin username igpadmin secret 5 $1$JodH$mJSA9cRx5IiISitvvOywU. group igp-admin !
Example 6-1 creates a task group called igp-admin and assigns the task IDs READ, WRITE, EXECUTE, and DEBUG for OSPF and only READ capability for MPLS-TE and DEBUG capability for bundle tasks, respectively.
A user group called igp-admin is created that references the task group igp-admin. A local AAA username configuration is created that assigns the user group igp-admin to username igpadmin. The username igpadmin is configured with a secret password for authentication purposes. IOS XR supports both a clear text password and a one-way encrypted secret. Using the one-way encrypted secret is ideal for the application shown in Example 6-1.
Example 6-2 demonstrates the describe command that can be used to determine the right authorizations if some useful tasks are found to be missing. A user logs in to the router and tries to execute the show route summary command only to realize that the command cannot be executed due to missing task authorizations. The describe command reveals that the RIB (READ) privilege is required before show route summary can be executed.
Example 6-2. Determining the Right Task ID for an Operation
! Telnet to the router to verify the new configuration. IP address 192.168.254.1 is that ! of the router on which the new user igpadmin was created. RP/0/RP0/CPU0:CRS1-1#telnet 192.168.254.1 Trying 192.168.254.1... Connected to 192.168.254.1. Escape character is '^^'. Username: igpadmin Password: ! ! RP/0/RP0/CPU0:CRS1-1#show user igpadmin ! The following command verifies the newly created tasks and their task IDs RP/0/RP0/CPU0:CRS1-1#show user tasks Task: bundle : DEBUG Task: mpls-te : READ Task: ospf : READ WRITE EXECUTE DEBUG ! Try executing a routing related show command RP/0/RP0/CPU0:CRS1-1#show route summary % This command is not authorized ! It appears that an important show command that this user ! needs is not working due to the lack of the right authorization. ! The "describe" command can be used to find out why this command may not have ! worked, though to execute the describe command the user logs in again ! with privileges root-system and cisco-support. ! RP/0/RP0/CPU0:CRS1-1#describe show route The command is defined in ip_rib_cmds.parser Node 0/RP0/CPU0 has file ip_rib_cmds.parser for boot package /disk0/hfr-os-mbi- 3.6.0/mbihfr-rp.vm from hfr-base Package: hfr-base hfr-base V3.6.0[00] Base Package Vendor : Cisco Systems Desc : Base Package Build : Built on Mon Dec 17 09:25:24 PST 2007 Source : By edde-bld1 in /auto/srcarchive2/production/3.6.0/hfr/workspace for c2.95.3-p8 Card(s): RP, DRP, DRPSC, OC3-POS-4, OC12-POS, GE-3, OC12-POS-4, OC48-POS, E3-OC48-POS, E3-OC12-POS-4, E3-OC3-POS-16, E3-OC3-POS-8, E3-OC3-POS-4, E3-OC48- CH, E3-OC12-CH-4, E3-OC3-CH-16, E3-GE-4, E3-OC3-ATM-4, E3-OC12-ATM-4, E5-CEC, E5-CEC-v2, SE-SEC, LC, SP, SC Restart information: Default: parallel impacted processes restart Component: ip-rib V[main/217] Generic RIB infrastructure File: ip_rib_cmds.parser Card(s) : RP, DRP, SC Local view : /pkg/parser/ip_rib_cmds.parser Local install path : /disk0/hfr-base-3.6.0/parser/ip_rib_cmds User needs ALL of the following taskids: rib (READ) It will take the following actions: Spawn the process: show_ipv4_rib -X 0x1 -Y 0x1 -Z ________ -s ipv4 ________ ! ! From the highlighted output it is obvious that to ! use "show route" command the task rib must have ! TaskID (READ) ! ! The output of the describe command indicates ! that the tasked "rib (READ)" is required. ! RP/0/RP0/CPU0:CRS1-1(config)#taskgroup igp-admin RP/0/RP0/CPU0:CRS1-1(config-tg)#task read rib RP/0/RP0/CPU0:CRS1-1(config-tg)#task execute rib RP/0/RP0/CPU0:CRS1-1(config-tg)#task write rib RP/0/RP0/CPU0:CRS1-1(config-tg)#task debug rib RP/0/RP0/CPU0:CRS1-1(config-tg)#commit RP/0/RP0/CPU0:CRS1-1(config-tg)#exit ! ! A show command showing the newly modified taskgroup ! RP/0/RP0/CPU0:CRS1-1#show running-config taskgroup igp-admin taskgroup igp-admin task read rib task read ospf task read mpls-te task write rib task write ospf task execute rib task execute ospf task debug rib task debug ospf task debug bundle description OSPF Administrator ! ! Login to the router once again to verify the new settings RP/0/RP0/CPU0:CRS1-1#telnet 192.168.254.1 Trying 192.168.254.1... Connected to 192.168.254.1. Escape character is '^^'. Username: igpadmin Password: ! show user command shows the new rib task RP/0/RP0/CPU0:CRS1-1#show user Igpadmin RP/0/RP0/CPU0:CRS1-1#show user tasks Task: bundle : DEBUG Task: mpls-te : READ Task: ospf : READ WRITE EXECUTE DEBUG Task: rib : READ WRITE EXECUTE DEBUG ! !show route command can now be executed as the ! authorization issue stands resolved RP/0/RP0/CPU0:CRS1-1#show route summary Route Source Routes Backup Deleted Memory (bytes) connected 11 5 0 2176 local 16 0 0 2176 ospf 1 5 0 0 680 isis xr 4 4 0 1216 static 2 0 0 272 bgp 102 0 0 0 0 local SMIAP 1 0 0 136 Total 39 9 0 6656
User Group and Task Group Inheritance
User groups and task groups can inherit from other user groups and task groups, respectively. If task group X inherits from task group Y, task group X contains the attributes of X as well as those of Y. In other words, this inheritance produces a “union” of two task groups. The same concept is true for user groups.
Example 6-3 helps illustrate the concept of inheritance. Consider the user group igpadmin created in the previous example. A new user group is created and named deb-eigrp. The user group deb-eigrp has been assigned the debug task for the EIGRP protocol.
Example 6-3. User Group Inheritance
usergroup igpadmin taskgroup igp-admin ! The example shows a user called igpadmin that uses the usergroup igpadmin username igpadmin group igpadmin secret 5 $1$laNp$2s/dTtBkqvfkB01B9wqft/ ! User igpadmin logs into the router as shown: RP/0/RP1/CPU0:CRS-1#telnet 192.168.0.1 Trying 192.168.0.1... Connected to 192.168.0.1. Username: igpadmin Password: cisco ! After logging into the router the user checks his tasks with the "show user ! tasks" command. RP/0/RP1/CPU0:CRS-1#show user tasks Fri Mar 20 10:26:01.356 PST Task: bundle : DEBUG Task: mpls-te : READ Task: ospf : READ WRITE EXECUTE DEBUG Task: rib : READ WRITE EXECUTE DEBUG ! Now a new usergroup called deb-eigrp is created that uses the taskgroup ! debug-eigrp. ! This configuration is carried out the network administrator and not the ! igpadmin user. RP/0/RP1/CPU0:CRS-1#show run taskgroup debug-eigrp Fri Mar 20 10:31:44.150 PST taskgroup debug-eigrp task debug eigrp ! usergroup deb-eigrp taskgroup debug-eigrp ! The administrator assigns the usergroup deb-eigrp to usergroup igpadmin by way of inheritance. usergroup igpadmin taskgroup igp-admin inherit usergroup deb-eigrp ! ! The user igpadmin logs again into the router and executes the command "show ! user tasks". Note that inheritance has allowed eigrp debug capability to be ! added to the user igpadmin. RP/0/RP1/CPU0:CRS-1#telnet 192.168.0.1 Trying 192.168.0.1... Connected to 192.168.0.1. Username: igpadmin Password: cisco Mar 18 07:59:33 2009: 2 days, 2 hours, 34 minutes ago RP/0/RP1/CPU0:CRS-1#show user tasks Fri Mar 20 10:33:50.893 PST Task: bundle : DEBUG Task: eigrp : DEBUG Task: mpls-te : READ Task: ospf : READ WRITE EXECUTE DEBUG Task: rib : READ WRITE EXECUTE DEBUG RP/0/RP1/CPU0:CRS-1#
Let us use another example to demonstrate the concept of inheritance in task groups. A new task group is being created for the user mplsadmin. The requirements for this user are as follows:
- READ, WRITE, EXECUTE, and DEBUG task IDs for MPLS TE
- All the attributes of task group igp-admin
Example 6-4 creates the new task group using inheritance from the already existing task group called igp-admin that was created in Example 6-3.
Example 6-4. Determining the Right Task ID for an Operation
RP/0/RP1/CPU0:CRS1-1(config)#taskgroup mpls-admin RP/0/RP1/CPU0:CRS1-1(config-tg)#task debug mpls-te RP/0/RP1/CPU0:CRS1-1(config-tg)#task execute mpls-te RP/0/RP1/CPU0:CRS1-1(config-tg)#task read mpls-te RP/0/RP1/CPU0:CRS1-1(config-tg)#task write mpls-te RP/0/RP1/CPU0:CRS1-1(config)#inherit taskgroup igp-admin RP/0/RP1/CPU0:CRS1-1(config-tg)#commit RP/0/RP1/CPU0:CRS1-1(config-tg)#exit ! ! Use the following show command to verify the configuration from the previous task RP/0/RP1/CPU0:CRS1-1#show running-config taskgroup mpls-admin taskgroup mpls-admin task read mpls-te task write mpls-te task execute mpls-te task debug mpls-te inherit taskgroup igp-admin !
External AAA
Cisco IOS XR supports external AAA using standard IP-based protocols such as TACACS+ and RADIUS. TACACS+ and RADIUS protocols can be used in conjunction with a product such as the Cisco Secure Access Control Server (ACS) to provide an external AAA database. The following describes some key elements of AAA configuration:
- The security server and client are identified by IP addresses and a secret shared key is configured between them.
- The notion of a user group on IOS XR local AAA is unrelated to a user group on an ACS server. The configuration of user groups on the ACS server is a separate ACS-only feature.
- IOS XR task groups are identified as optional attributes on the ACS server. Two methods exist that can help identify task IDs remotely. The first method uses the concept of task maps and the second uses the privilege levels.
Example 6-5 demonstrates the external configuration for tasks. Note that these configurations are on the server side of external AAA and not on the router.
Example 6-5. Task Configuration Semantics on an External Server
user = igpadmin{ member = igp-admin-group opap = cleartext "cisco" service = exec { task = "rwxd:ospf,#operator" } }
Example 6-5 specifies the task ID as an attribute in the external TACACS+ or RADIUS server. Note that this is shown as an example only. Because the procedure can vary from server to server, consult the TACACS+ or RADIUS server documentation to find out how you can use the optional attributes. A freeware TACACS+ server from Cisco might require an asterisk (*) instead of an equal sign (=) before the attribute value for optional attributes. Example 6-5 shows the task string in the configuration file of the TACACS+ server where tokens are delimited by a comma (,). Each token contains either a task ID name or its permissions in the following format:
task = "<permissions>:<taskid name>, #<usergroup name>, ..." .
In Example 6-5, the task = “rwxd:ospf,#operator” assigns READ, WRITE, EXECUTE, and DEBUG task IDs to the OSPF task and assigns the user group operator.
Example 6-6 is quoted from Cisco.com and demonstrates the ability to interact with a TACACS+ daemon that does not have the concept of task IDs. In this case a privilege-level mapping is used.
Example 6-6. Privilege-Level Mappings
! ! TACACS+ example ! user = admin1{ member = bar service = exec-ext { priv_lvl = 5 } } ! !RADIUS Example using Cisco AV-pair ! user = admin2{ member = bar Cisco-AVPair = "shell:tasks=#root-system,#cisco-support"{ Cisco-AVPair = "shell:priv-lvl=10" } }
Cisco IOS XR AAA supports a mapping between privilege levels that can be defined for a given user in the external TACACS+ server file. The local user group on the router needs to be configured with a user group with a name that matches the privilege level. After TACACS+ authentication, the user gets assigned the task map of the user group mapped to the privilege level received from the external TACACS+ server. Example 6-6 shows a TACACS+ configuration followed by a RADIUS configuration. If the IOS XR router is configured with local user groups priv5 and priv10, they can be mapped to the privilege levels 5 and 10 configured for TACACS+ and RADIUS, respectively. Privilege levels from 1 to 13 may be used in a similar way. Privilege level 15 maps to the root-system and privilege level 14 maps to root-lr.
The following sections discuss the configuration behind external AAA. Various CLI command options for configuring TACACS+ are presented.
Configuring a TACACS+ Server
Figure 6-2 shows an IOS XR router connected to an ACS server. Example 6-7 creates a simple TACACS+ configuration using an external ACS server with an IP address of 172.18.172.16.
Figure 6-2 Authentication with an External AAA Server
Example 6-7. Configuring AAA with an External TACACS+ Server
RP/0/RP0/CPU0:CRS-A#show run aaa usergroup priv11 taskgroup netadmin taskgroup igpadmin ! tacacs-server host 172.18.172.16 port 49 tacacs-server key 7 06150E2F46411A1C tacacs source-interface MgmtEth0/0/CPU0/0 ! aaa group server tacacs+ chap6 server 172.18.172.17 ! aaa authentication login console local aaa authentication login chap-6 group chap6 local aaa default-taskgroup root-system ! line template lab login authentication chap-6 exec-timeout 30 0 ! line console login authentication console vty-pool default 0 99 line-template lab
In Example 6-7, a privilege 11 configuration exists on the ACS server. The AAA server is identified with the tacacs server host command and a backup server is identified with the aaa group server command. The local keyword in the aaa authentication login chap-6 group chap6 local command ensures that AAA will authenticate locally in the case of failure of both the ACS servers. The AAA method list chap-6 gets assigned to the vty pool.
Authentication Using RADIUS
This section shows some configuration examples for AAA RADIUS client configuration on IOS XR to allow authentication with an external ACS server.
Example 6-8 shows a basic AAA RADIUS configuration. The basic concept is the same as that shown in Example 6-7 except the TACACS+ protocol has been replaced by RADIUS.
Example 6-8. Configuring AAA with an External RADIUS Server
RP/0/RP0/CPU0:CRS-B_IOX#show run aaa usergroup priv13 taskgroup root-system taskgroup cisco-support ! radius-server host 172.18.172.16 key 7 104D000A0618 ! radius source-interface MgmtEth0/RP0/CPU0/0 aaa authentication login telnet group radius local aaa authentication login default local ! line template rads login authentication telnet exec-timeout 0 0 session-timeout 0 vty-pool default 0 99 line-template rads telnet ipv4 server max-servers no-limit
Example 6-9 shows AAA RADIUS authentication and introduces a new authorization command: aaa authorization exec default none. This command has the same effect as the keyword if-authenticated in IOS AAA authorization commands. The configuration states that if a user is authenticated, that user is also authorized.
Example 6-9. AAA with an External RADIUS Server with Accounting and Authorization
! Configures Radius server dead times and dead-criteria ! radius-server deadtime 1 radius-server dead-criteria time 15 radius-server dead-criteria tries 2 ! ! Configures the RADIUS server hosts ! aaa group server radius XR-GROUP server 172.18.172.16 auth-port 1645 acct-port 1646 server 172.18.172.17 auth-port 1645 acct-port 1646 ! ! Enables AAA accounting aaa accounting exec default start-stop group XR-GROUP aaa accounting commands default start-stop group XR-GROUP ! ! Configure authorization to occur automatically if the user gets authenticated ! aaa authorization exec default none ! ! sets login authentication to use the default method list and XR-GROUP server aaa authentication login default group XR-GROUP local end
Configuring Secure Shell
Secure Shell (SSH) is a useful protocol or application for establishing secure sessions with the router. A router configured with SSH server allows a secure connection to the router similar to Telnet. The Telnet application has limited security. SSH provides stronger encryption and deploys public-key cryptography for added confidentiality. SFTP also comes as a component of SSH and enables secure FTP (SFTP) capabilities for downloading software or configuration files. IOS XR supports two versions of SSH:
- SSH version 1 uses Rivest, Shamire, and Adelman (RSA) keys.
- SSH version 2 uses the Digital Signature Algorithm (DSA).
Enabling SSH on IOS XR requires the Hfr-k9sec security PIE to be installed on the router. In addition to installing the k9sec PIE, IOS XR requires RSA or DSA keys to be generated on the router before SSH runs in server mode. Example 6-10 illustrates the SSH configuration on IOS XR.
Example 6-10. Enabling SSH v2 on IOS XR
! !The command below verifies the existence of k9sec pie ! RP/0/RP1/CPU0:CRS1-1(admin)#show install active | include k9sec disk0:hfr-k9sec-3.6.0 ! ! The following command generates DSA key pairs ! RP/0/RP1/CPU0:CRS1-1#crypto key generate dsa The name for the keys will be: the_default Choose the size of your DSA key modulus. Modulus size can be 512, 768, or 1024 bits. Choosing a key modulus How many bits in the modulus [1024]: 1024 Generating DSA keys ... Done w/ crypto generate keypair [OK] ! RP/0/RP1/CPU0:CRS1-1(config)#ssh server v2 RP/0/RP1/CPU0:CRS1-1(config)#commit
In Example 6-10 the presence of the k9sec PIE is verified first. If this PIE is not present, it needs to be installed. The example shows the generation of DSA keys by executing the crypto key generate dsa command, followed by enabling SSH version 2 in Configuration mode.
Example 6-11 demonstrates the debugging of SSH server functionality on a router with the debug ssh server command followed by the show ssh session detail command.
Example 6-11. Debugging SSH v2 on IOS XR
! Enable ssh server debugging on the router ! RP/0/RP1/CPU0:CRS1-1#debug ssh server RP/0/RP1/CPU0:CRS1-1#show debug #### debug flags set from tty 'vty0' #### ssh server flag is ON ! ! Create an SSH session from a unix server to the IOS XR router ! $ ssh cisco@10.10.20.31 Password:cisco Last switch-over Sun Jun 1 08:51:09 2008: 2 weeks, 3 hours, 27 minutes ago RP/0/RP1/CPU0:CRS1-1#RP/0/RP1/CPU0:Jun 15 12:18:50.284 : SSHD_[364]: Spawned new child process 6852847 RP/0/RP1/CPU0:Jun 15 12:18:50.482 : SSHD_[65775]: Client sockfd 3 RP/0/RP1/CPU0:Jun 15 12:18:50.494 : SSHD_[65775]: Connection from 10.10.20.100 port 61532 RP/0/RP1/CPU0:Jun 15 12:18:50.517 : SSHD_[65775]: Session id 0 RP/0/RP1/CPU0:Jun 15 12:18:50.521 : SSHD_[65775]: Exchanging versions RP/0/RP1/CPU0:Jun 15 12:18:50.539 : SSHD_[65775]: Remote protocol version 2.0, remote software version Sun_SSH_1.1 RP/0/RP1/CPU0:Jun 15 12:18:50.540 : SSHD_[65775]: In Key exchange RP/0/RP1/CPU0:Jun 15 12:18:51.137 : SSHD_[65775]: Received — — — — — — — > KEXINIT RP/0/RP1/CPU0:Jun 15 12:18:51.137 : SSHD_[65775]: Calling Receive kexinit 10 RP/0/RP1/CPU0:Jun 15 12:18:51.137 : SSHD_[65775]: Peer Proposal : diffie-hellman- group-exchange-sha1,diffie-hellman-group1-sha1 RP/0/RP1/CPU0:Jun 15 12:18:51.138 : SSHD_[65775]: Peer Proposal : ssh-rsa,ssh-dss RP/0/RP1/CPU0:Jun 15 12:18:51.139 : SSHD_[65775]: Peer Proposal : aes128- ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc RP/0/RP1/CPU0:Jun 15 12:18:51.139 : SSHD_[65775]: Peer Proposal : aes128- ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc RP/0/RP1/CPU0:Jun 15 12:18:51.140 : SSHD_[65775]: Peer Proposal : hmac-md5,hmac- sha1,hmac-sha1-96,hmac-md5-96 RP/0/RP1/CPU0:Jun 15 12:18:51.140 : SSHD_[65775]: Peer Proposal : hmac-md5,hmac- sha1,hmac-sha1-96,hmac-md5-96 RP/0/RP1/CPU0:Jun 15 12:18:51.141 : SSHD_[65775]: Peer Proposal : none,zlib RP/0/RP1/CPU0:Jun 15 12:18:51.141 : SSHD_[65775]: Peer Proposal : none,zlib RP/0/RP1/CPU0:Jun 15 12:18:51.141 : SSHD_[65775]: Peer Proposal : i-default RP/0/RP1/CPU0:Jun 15 12:18:51.141 : SSHD_[65775]: Peer Proposal : i-default RP/0/RP1/CPU0:Jun 15 12:18:51.164 : SSHD_[65775]: Negotiated Alg : diffie-hellman- group1-sha1 RP/0/RP1/CPU0:Jun 15 12:18:51.168 : SSHD_[65775]: Publikey Alg = ssh-dss RP/0/RP1/CPU0:Jun 15 12:18:51.173 : SSHD_[65775]: Incoming cipher = 3des-cbc RP/0/RP1/CPU0:Jun 15 12:18:51.176 : SSHD_[65775]: Outgoing cipher = 3des-cbc RP/0/RP1/CPU0:Jun 15 12:18:51.179 : SSHD_[65775]: Incoming mac = hmac-md5 RP/0/RP1/CPU0:Jun 15 12:18:51.180 : SSHD_[65775]: Outgoing mac = hmac-md5 RP/0/RP1/CPU0:Jun 15 12:18:51.181 : SSHD_[65775]: Keylen Reqd = 24 RP/0/RP1/CPU0:Jun 15 12:18:51.204 : SSHD_[65775]: Waiting for KEXDH_INIT RP/0/RP1/CPU0:Jun 15 12:18:51.215 : SSHD_[65775]: Received KEXDH_INIT RP/0/RP1/CPU0:Jun 15 12:18:51.269 : SSHD_[65775]: Extracting pubkey from crypto engine RP/0/RP1/CPU0:Jun 15 12:18:51.284 : SSHD_[65775]: Received pubkey from crypto engine RP/0/RP1/CPU0:Jun 15 12:18:51.285 : SSHD_[65775]: bloblen = 433 RP/0/RP1/CPU0:Jun 15 12:18:51.285 : SSHD_[65775]: prime = 129, subprime = 21, base = 128, y =128 RP/0/RP1/CPU0:Jun 15 12:18:51.286 : SSHD_[65775]: Calculating kex hash with client_str = SSH-2.0-Sun_SSH_1.1 (len = 19) RP/0/RP1/CPU0:Jun 15 12:18:51.286 : SSHD_[65775]: server_str = SSH-1.99-Cisco-2.0 (len = 18) RP/0/RP1/CPU0:Jun 15 12:18:51.325 : SSHD_[65775]: Sending KEXDH_REPLY RP/0/RP1/CPU0:Jun 15 12:18:51.328 : SSHD_[65775]: Sending NEWKEYS RP/0/RP1/CPU0:Jun 15 12:18:51.329 : SSHD_[65775]: Waiting for NEWKEYS RP/0/RP1/CPU0:Jun 15 12:18:51.362 : SSHD_[65775]: In Authenticate RP/0/RP1/CPU0:Jun 15 12:18:51.373 : SSHD_[65775]: Request service name - ssh- userauth RP/0/RP1/CPU0:Jun 15 12:18:51.375 : SSHD_[65775]: Sending Servie Accept msg RP/0/RP1/CPU0:Jun 15 12:18:51.377 : SSHD_[65775]: Waiting for Userauth req RP/0/RP1/CPU0:Jun 15 12:18:51.391 : SSHD_[65775]: In Interactive shell RP/0/RP1/CPU0:Jun 15 12:18:51.402 : SSHD_[65775]: Remote channel type - session, remote chan id = 0 RP/0/RP1/CPU0:Jun 15 12:18:51.405 : SSHD_[65775]: Winsize = 65536, maxpacksize = 16384 RP/0/RP1/CPU0:Jun 15 12:18:51.406 : SSHD_[65775]: Sending Channel open success msg RP/0/RP1/CPU0:Jun 15 12:18:51.437 : SSHD_[65775]: Connecting to VTY Server RP/0/RP1/CPU0:Jun 15 12:18:51.494 : SSHD_[65775]: Opening file /dev/vty9999 RP/0/RP1/CPU0:Jun 15 12:18:51.496 : SSHD_[65775]: Allocated pty vty1. RP/0/RP1/CPU0:Jun 15 12:18:51.497 : SSHD_[65775]: Setting window size row = 24, col = 106 RP/0/RP1/CPU0:Jun 15 12:18:51.615 : SSHD_[65775]: Spawned shell RP/0/RP1/CPU0:Jun 15 12:18:51.677 : SSHD_[65775]: event_contex_init done ! ! Show command to verify the SSH session detail on the router. ! RP/0/RP1/CPU0:CRS1-1#show ssh session details SSH version : Cisco-2.0 id key-exchange pubkey incipher outcipher inmac outmac — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — - Incoming Session diffie-hellman ssh-dss 3des-cbc 3des-cbc hmac-md5 hmac-md5 ! A command output showing the incoming SSH TCP session ! RP/0/RP1/CPU0:CRS1-1#show tcp brief PCB VRF-ID Recv-Q Send-Q Local Address Foreign Address State 0x482e2c30 0x60000000 0 0 :::22 :::0 LISTEN 0x482e2ea0 0x60000001 0 0 :::22 :::0 LISTEN 0x482e8248 0x00000000 0 0 :::22 :::0 LISTEN 0x482e5a38 0x60000000 0 0 10.0.0.11:646 10.0.0.31:35777 ESTAB 0x482cc0a8 0x60000000 0 0 10.0.0.11:646 10.0.0.21:57878 ESTAB 0x482deff4 0x60000000 0 0 10.10.20.31:23 10.10.20.100:61512 ESTAB 0x482e7714 0x60000000 0 0 10.10.20.31:22 10.10.20.100:61532 ESTAB 0x482e8380 0x60000000 0 0 0.0.0.0:22 0.0.0.0:0 LISTEN 0x482e2d68 0x60000001 0 0 0.0.0.0:22 0.0.0.0:0 LISTEN 0x482e8598 0x00000000 0 0 0.0.0.0:22 0.0.0.0:0 LISTEN 0x482d0660 0x60000000 0 0 0.0.0.0:23 0.0.0.0:0 LISTEN 0x482e0dc4 0x00000000 0 0 0.0.0.0:23 0.0.0.0:0 LISTEN 0x482cf2e4 0x60000000 0 0 0.0.0.0:639 0.0.0.0:0 LISTEN 0x482cd9e4 0x60000000 0 0 0.0.0.0:646 0.0.0.0:0 LISTEN
Example 6-11 shows an SSH session created from a UNIX host to the router and the corresponding debug output produced on the console. The debug output shows the exchanging of SSH version between the UNIX host and the router as well as the negotiation of the Diffie-Hellman key exchange. The example also presents the show ssh session detail command’s output showing the details of the SSH session. The output of show tcp brief shows the TCP port 22 sessions that identifies the incoming SSH connection.
Management Plane Protection
Management plane refers to a router’s architectural components involved in the processing of traffic that is meant for the management of the routing platform. Management Plane Protection (MPP) is a relatively new feature in IOS XR; it was introduced in Release 3.5.0. It helps control the interfaces on which network management traffic can enter the router. The capability helps enhance the router-level security and allows the network administrator better granularity in controlling management access to the router.
Following are the salient features of MPP:
- Enhances the manageability and security aspects of IOS XR.
- Helps alleviate the need to configure more access lists in controlling router access.
- Management ports on RP and DRP are not configurable under MPP because they are out of band by default.
- Controls incoming traffic for protocols, such as TFTP, Telnet, Simple Network Management Protocol (SNMP), SSH, and HTTP.
- Allows control for both in-band and out-of-band interfaces.
- Can specify a peer IPv4 or IPv6 address or subnet from which traffic is allowed, thus providing more control.
In the context of MPP, an in-band management interface is an interface that receives and processes management packets as well as forwards Internet traffic. This interface may also be referred to as a shared management interface. An out-of-band interface allows only management protocol traffic to be forwarded or processed. This type of interface does not process or receive any customer or Internet traffic and, therefore, has lower potential for becoming a victim of a DoS attack. Out-of-band interfaces are usually also the last hop interfaces in the life of a packet, and these packets are then processed by higher-layer protocols on the router.
Example 6-12 illustrates the configuration steps for MPP.
Example 6-12. Configuring MPP
RP/0/RP1/CPU0:CRS1-1#configure t RP/0/RP1/CPU0:CRS1-1(config)#control-plane RP/0/RP1/CPU0:CRS1-1(config-ctrl)#management-plane RP/0/RP1/CPU0:CRS1-1(config-mpp)#inband RP/0/RP1/CPU0:CRS1-1(config-mpp-inband)#interface tenGigE 0/0/0/0 RP/0/RP1/CPU0:CRS1-(config-mpp-inband-TenGigE0_0_0_0)#allow telnet RP/0/RP1/CPU0:CRS1-(config-mpp-inband-TenGigE0_0_0_0)#commit RP/0/RP1/CPU0:CRS1-(config-mpp-inband-TenGigE0_0_0_0)#exit RP/0/RP1/CPU0:CRS1-1(config-mpp-inband)#exit RP/0/RP1/CPU0:CRS1-1(config-mpp)#out-of-band RP/0/RP1/CPU0:CRS1-1(config-mpp-outband)#vrf red RP/0/RP1/CPU0:CRS1-1(config-mpp-outband)#interface tenGigE 0/0/0/0.1 RP/0/RP1/CPU0:CR(config-mpp-outband-TenGigE0_0_0_0.1)#allow snmp RP/0/RP1/CPU0:CR(config-mpp-outband-TenGigE0_0_0_0.1)#allow telnet RP/0/RP1/CPU0:CR(config-mpp-outband-TenGigE0_0_0_0.1)#commit RP/0/RP1/CPU0:CR(config-mpp-outband-TenGigE0_0_0_0.1)# ! Using an MPP show command RP/0/RP1/CPU0:CRS1-1#show mgmt-plane Management Plane Protection inband interfaces — — — — — — — — — — — interface - TenGigE0_0_0_0 telnet configured - All peers allowed outband interfaces — — — — — — — — — — — interface - TenGigE0_0_0_0.1 telnet configured - All peers allowed snmp configured - All peers allowed RP/0/RP1/CPU0:CRS1-1#
Example 6-12 shows MPP configuration where the Telnet protocol is enabled for only one in-band interface (Tengig0/0/0/0), and the out-of-band management interface Tengig0/0/0/0.1 under vrf red is enabled for telnet and SNMP.