SIDR D. McPherson
Internet-Draft Verisign, Inc.
Intended status: Informational S. Amante
Expires: May 19, 2012 Level 3 Communications, Inc.
November 16, 2011
Route Leak Attacks Against BGPSEC
draft-foo-sidr-simple-leak-attack-bgpsec-no-help-01
Abstract
This document describes a very simple attack vector that illustrates
how RPKI-enabled BGPSEC machinery as currently defined can be easily
circumvented in order to launch a Man In The Middle (MITM) attack via
BGP. It is meant to serve as input to the IETF's Secure Inter-Domain
Routing working group during routing security requirements
discussions and subsequent specification.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 19, 2012.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
McPherson & Amante Expires May 19, 2012 [Page 1]
Internet-Draft Route Leak Attacks Against BGPSEC November 2011
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 4
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4
5. Security Considerations . . . . . . . . . . . . . . . . . . . . 4
6. Informative References . . . . . . . . . . . . . . . . . . . . 4
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 5
1. Introduction
This document describes a very simple attack vector that illustrates
how RPKI-enabled BGPSEC [I-D.ietf-sidr-bgpsec-protocol] machinery as
currently defined can be easily circumvented in order to launch a Man
In The Middle (MITM) attack via BGP [RFC4271]. It is meant to serve
as input to the IETF's SIDR Working Group during routing security
requirements discussions and subsequent specification.
The authors believe the capability to prevent leaks should be a
first-order engineering objective in any secure routing architecture.
2. Discussion
Assume a multi-homed autonomous system (AS), AS 1, connects to two
ISPs (ISP1 & ISP2), and wishes to insert itself in the datapath
between a target network (prefix P) connected to ISP2 and systems in
ISP1's network in order to launch a Man In The Middle (MITM) attack.
Further assume that an RPKI-enabled BGPSEC
[I-D.ietf-sidr-bgpsec-protocol] as currently defined is fully
deployed by all parties in this scenario and functioning as designed.
Network operators on the Internet today typically prefer customer
routes over routes learned from bilateral or settlement-free peers.
Network operators commonly accomplish this via application of one or
more BGP [RFC4271] Path Attributes, most commonly LOCAL_PREF, as
illustrated in [RFC1998], which are evaluated earlier in the BGP Path
Selection process than AS_PATH length.
As currently defined, BGPSEC only provides two functions:
1. Is an Autonomous System authorized to originate an IP prefix?
2. Is the AS_PATH represented in the route the same as the list of
ASes through which the NLRI traveled?
In order for an attacker (AS 1) to divert traffic from ISP1 for
prefix P through its AS, it simply fails to scope the propagation
of the target prefix P (received from ISP2) by announcing a
(syntactically correct) BGPSEC update for prefix P to ISP1. This
vulnerability is what the authors refer to as a 'route leak'. It is
important to note that the default behavior in BGP [RFC4271] is to
announce all best paths to external BGP peers, unless explicitly
scoped by a BGP speaker through configuration. Because ISP1 prefers
prefixes learned from customers (AS 1) over prefixes learned from
peers (ISP2), it begins forwarding traffic for prefix P destinations
through the attacker's AS (AS 1). Voila!
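The following is an added Python model of the scenario above, not part of the draft; the ASNs (64500 for ISP1, 64501 for ISP2, 64502 for the origin of P) and the LOCAL_PREF values are constructed. It shows that the leaked route passes both checks the draft attributes to BGPSEC yet is selected by ISP1 on LOCAL_PREF, and how the export scoping that BGP does not apply by default removes the leak at AS 1.

```python
from dataclasses import dataclass
# Constructed ASNs (not from the draft): ISP1, ISP2, the multi-homed AS 1,
# and the origin of prefix P, which is a customer of ISP2.
ISP1, ISP2, AS1, ORIGIN = 64500, 64501, 1, 64502
PREFIX_P = "203.0.113.0/24"
ROA = {PREFIX_P: {ORIGIN}}  # RPKI origin authorization for P

@dataclass
class Route:
    prefix: str
    as_path: list        # leftmost = most recent AS, rightmost = origin
    signed_path: list    # ASes that actually forwarded the NLRI (BGPSEC signatures)
    received_from: int
    local_pref: int = 0

def bgpsec_valid(r: Route) -> bool:
    """The two functions the draft attributes to BGPSEC: authorized origin,
    and an AS_PATH that matches the ASes the NLRI really traversed."""
    return r.as_path[-1] in ROA.get(r.prefix, set()) and r.as_path == r.signed_path

def isp1_import(r: Route, customers: set) -> Route:
    """RFC 1998-style policy at ISP1: customer routes outrank peer routes."""
    r.local_pref = 200 if r.received_from in customers else 100
    return r

def best_path(routes: list) -> Route:
    """Path selection as far as it matters here: LOCAL_PREF is evaluated
    before AS_PATH length, so a longer customer path still wins."""
    valid = [r for r in routes if bgpsec_valid(r)]
    return max(valid, key=lambda r: (r.local_pref, -len(r.as_path)))

def as1_export_to_provider(r: Route, own_prefixes: set, customer_asns: set):
    """Export scoping at AS 1 (the configuration the draft says is absent by
    default): only own prefixes or routes learned from AS 1's own customers
    are announced to a provider; a route learned from ISP2 is not re-announced."""
    if r.prefix in own_prefixes or r.received_from in customer_asns:
        return Route(r.prefix, [AS1] + r.as_path, [AS1] + r.signed_path, AS1)
    return None

def next_hop_chosen_by_isp1(as1_scopes_exports: bool) -> int:
    """Return the first AS on ISP1's best path for P (its forwarding next hop)."""
    direct = Route(PREFIX_P, [ISP2, ORIGIN], [ISP2, ORIGIN], received_from=ISP2)
    at_as1 = Route(PREFIX_P, [ISP2, ORIGIN], [ISP2, ORIGIN], received_from=ISP2)
    if as1_scopes_exports:
        leaked = as1_export_to_provider(at_as1, own_prefixes=set(), customer_asns=set())
    else:  # default BGP behaviour: every best path goes to every external peer
        leaked = Route(PREFIX_P, [AS1, ISP2, ORIGIN], [AS1, ISP2, ORIGIN], AS1)
    candidates = [isp1_import(r, {AS1}) for r in (direct, leaked) if r is not None]
    return best_path(candidates).as_path[0]
```

With exports unscoped, ISP1 forwards P via AS 1 even though the direct peer path is shorter; with the export filter in place, only the ISP2 path remains.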
It should be understood that any multi-homed AS can potentially
launch such an attack, even through simple misconfiguration, as is
a common occurrence on the Internet today. Benign and malicious
intent are usually indistinguishable in these situations, and as
such, preventative controls are requisite. In an environment where
BGPSEC is fully deployed there would be high assurance of the
semantic integrity of the AS_PATH BGP Path attribute, and as such, it
should accurately reflect the attacker's AS number in the appropriate
location of the AS_PATH; however, this would not prevent the attack.
Discussion of out-of-band methods to mitigate this attack is beyond
the scope of this document, as its objective is to inform routing
protocol design choices currently being considered within the IETF's
SIDR Working Group.
3. Acknowledgements
4. IANA Considerations
5. Security Considerations
This document describes an attack on RPKI-enabled BGPSEC and is
meant to inform the IETF Secure Inter-Domain Routing working group of
the vulnerability that exists as a result of "leaks".
The authors believe the capability to prevent leaks should be a
first-order engineering objective in any secure routing architecture.
6. Informative References
[I-D.ietf-sidr-bgpsec-protocol]
Lepinski, M., "BGPSEC Protocol Specification",
draft-ietf-sidr-bgpsec-protocol-01 (work in progress),
October 2011.
[RFC1998] Chen, E. and T. Bates, "An Application of the BGP
Community Attribute in Multi-home Routing", RFC 1998,
August 1996.
[RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway
Protocol 4 (BGP-4)", RFC 4271, January 2006.
Authors' Addresses
Danny McPherson
Verisign, Inc.
21355 Ridgetop Circle
Dulles, VA 20166
USA
Phone: +1 703.948.3200
Email: dmcpherson@verisign.com
Shane Amante
Level 3 Communications, Inc.
1025 Eldorado Boulevard
Broomfield, CO 80021
US
Phone: +1 720.888.1000
Email: shane@level3.net