Title: Linux - routing software

KBTAG: kben10000086
URL: http://www.securityportal.com/lskb/10000050/kben10000086.html
Date created: 17/07/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Linux - routing software
Keywords: Network

Summary:

There are a variety of routing software packages available for Linux. Most of them support the newer routing protocols, which have a much higher degree of security than older protocols such as RIP.

More information:

routed

routed is one of the standard routing packages available for Linux. It supports RIP (about the oldest routing protocol still in service), and that’s it. RIP is very simple: routers simply broadcast their routing tables to neighboring routers, resulting (in theory) in a complete routing table that contains entries for every destination on the Internet. This method is fundamentally insecure, and very inefficient outside of small secure networks (in which case it probably is not needed). Securing it is really not possible. You can firewall ports 520 and 521, which RIP uses to transfer data, but this can result in routes you want not getting through, and attackers can still spoof routes. Running this service is a very bad idea.

gated

gated is a more advanced piece of routing software than routed. It supports RIP versions 1 and 2, DCN HELLO, OSPF version 2, EGP version 2, and BGP versions 2 through 4. Currently the most popular routing protocol seems to be BGP (Border Gateway Protocol), with OSPF gaining popularity (OSPF has built-in security, is very efficient, and is quite a bit more complicated).

MRT

MRT (Multi-threaded Routing Toolkit) is a routing daemon and test toolkit that can handle IPv4 and IPv6. You can get it at: http://www.mrtd.net/.

zebra

zebra is much more featured than gated, and sports a nice Cisco-style command line interface. It runs as a daemon and is multithreaded for performance; each protocol (RIP, OSPF, etc.) has its own configuration, and you can run multiple protocols simultaneously (although this could lead to confusion/problems). There is a master configuration port, and a port for each protocol:

zebrasrv		2600/tcp		# zebra service
zebra		2601/tcp		# zebra vty
ripd		2602/tcp		# RIPd vty
ripngd		2603/tcp		# RIPngd vty
ospfd		2604/tcp		# OSPFd vty
bgpd		2605/tcp		# BGPd vty
ospf6d		2606/tcp		# OSPF6d vty

I would advise firewalling these ports. Access is controlled by a login password, and access to command functions requires another password (using the same syntax as Cisco, “enable”). You can download zebra from: http://www.zebra.org/.
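As an added example (not part of the original article or of the zebra project), the following iptables rules restrict the zebra service and vty ports listed above to a single management host, and drop RIP traffic on ports 520 and 521. The management address 192.0.2.10 and the chain name ROUTING-MGMT are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: lock down zebra's management ports (2600-2606/tcp) so that only
# one administrative host can reach them, and drop RIP/RIPng (520/521 udp)
# since routed is not run here. Assumes iptables is the packet filter.
IPT="${IPT:-iptables}"                 # set IPT=echo to print rules instead of applying them
MGMT_HOST="${MGMT_HOST:-192.0.2.10}"   # constructed example address (TEST-NET-1)

# Build the rule set in a dedicated chain so it can be reloaded idempotently.
zebra_fw_rules() {
    mgmt="$1"
    $IPT -N ROUTING-MGMT 2>/dev/null || true
    $IPT -F ROUTING-MGMT
    # Only the management host may talk to zebrasrv and the per-protocol vty ports.
    $IPT -A ROUTING-MGMT -p tcp -s "$mgmt" --dport 2600:2606 -j ACCEPT
    # Everyone else: log (rate-limited, so a scan cannot flood syslog) and drop.
    $IPT -A ROUTING-MGMT -p tcp --dport 2600:2606 -m limit --limit 5/min \
        -j LOG --log-prefix "zebra-vty: "
    $IPT -A ROUTING-MGMT -p tcp --dport 2600:2606 -j DROP
    # RIP (520) and RIPng (521) are not used on this host; discard them outright.
    $IPT -A ROUTING-MGMT -p udp --dport 520:521 -j DROP
    # Hook the chain into INPUT once; -C checks whether the jump already exists.
    $IPT -C INPUT -j ROUTING-MGMT 2>/dev/null || $IPT -I INPUT -j ROUTING-MGMT
}

case "${1:-}" in
    apply) zebra_fw_rules "$MGMT_HOST" ;;          # needs root
    show)  IPT=echo zebra_fw_rules "$MGMT_HOST" ;; # print the rules only
esac
```

Run with `show` to review the generated rules before running `apply` as root.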