Network Working Group A. Barbir
Internet-Draft Nortel Networks
Expires: March 16, 2004 S. Murphy
Network Associates, Inc
Y. Yang
Cisco Systems
September 16, 2003
Generic Threats to Routing Protocols
draft-ietf-rpsec-routing-threats-03
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at http://
www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on March 16, 2004.
Copyright Notice
Copyright (C) The Internet Society (2003). All Rights Reserved.
Abstract
Routing protocols are subject to attacks that can harm individual
users or network operations as a whole. This document provides a
description and a summary of generic threats that affect routing
protocols in general. This work describes threats, including threat
sources and capabilities, threat actions, and threat consequences, as
well as a breakdown of routing functions that might be separately
attacked.
Barbir, et al. Expires March 16, 2004 [Page 1]
Internet-Draft Generic Threats to Routing Protocols September 2003
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Routing Functions Overview . . . . . . . . . . . . . . . . . 4
3. Generic Routing Protocol Threat Model . . . . . . . . . . . 5
3.1 Threat Definitions . . . . . . . . . . . . . . . . . . . . . 5
3.1.1 Threat Sources . . . . . . . . . . . . . . . . . . . . . . . 6
3.1.2 Threat Consequences . . . . . . . . . . . . . . . . . . . . 7
4. Generally Identifiable Routing Threats . . . . . . . . . . . 11
4.1 Deliberate Exposure . . . . . . . . . . . . . . . . . . . . 11
4.2 Sniffing . . . . . . . . . . . . . . . . . . . . . . . . . . 11
4.3 Traffic Analysis . . . . . . . . . . . . . . . . . . . . . . 12
4.4 Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.5 Falsification . . . . . . . . . . . . . . . . . . . . . . . 13
4.5.1 Falsifications by Originators . . . . . . . . . . . . . . . 13
4.5.2 Falsifications by Forwarders . . . . . . . . . . . . . . . . 16
4.6 Interference . . . . . . . . . . . . . . . . . . . . . . . . 17
4.7 Overload . . . . . . . . . . . . . . . . . . . . . . . . . . 18
4.8 Byzantine Failures . . . . . . . . . . . . . . . . . . . . . 18
5. Security Considerations . . . . . . . . . . . . . . . . . . 19
Normative References . . . . . . . . . . . . . . . . . . . . 20
Informative References . . . . . . . . . . . . . . . . . . . 21
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 21
A. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 23
B. Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Intellectual Property and Copyright Statements . . . . . . . 25
1. Introduction
Routing protocols are subject to threats and attacks that can harm
individual users or the network operations as a whole. This document
provides a summary of generic threats that affect routing protocols.
In particular, this work identifies generic threats to routing
protocols, including threat sources, threat actions, and threat
consequences. A breakdown of routing functions that might be
separately attacked is provided.
This work should be considered as a precursor to developing a common
set of security requirements for routing protocols. While it is well
known that bad, incomplete, or poor implementations of routing
protocols may, in themselves, lead to routing problems or failures,
or may increase the risk of a network being attacked successfully,
these issues are not considered here. This document only considers
attacks against robust, well considered implementations of routing
protocols, as outlined in OSPF [6], IS-IS [10] , RIP [11] and BGP
[17].
This document investigates general threats to routing functions. In
this work, the "owner" of an address prefix or an AS [17] number is
an organization that has been granted the right to use that prefix or
number. Each Regional Internet Registry (RIR) acquires prefixes and
AS numbers from IANA, and further distributes (delegates use of) them
to organizations such as ISPs and multi-homed subscribers. For
address prefixes, delegation typically involves assigning a subset of
a prefix to an organization, which may, in turn, further delegate
subsets to other organizations, e.g., subscribers or downstream
providers.
The document is organized as follows: Section 2 provides a review of
routing functions. Section 3 defines threats. In section 4 a
discussion on generally identifiable routing threat actions is
provided. Section 5 addresses security considerations.
2. Routing Functions Overview
This section provides an overview of common functions that are shared
among various routing protocols. In general, routing protocols share
the following functions:
o Transport Subsystem: The routing protocol transmits messages to
its neighbors using some underlying protocol. For example, OSPF
runs directly over IP, while other protocols, such as BGP, run over
TCP.
o Neighbor State Maintenance: neighboring relationship formation is
the first step for topology determination. For this reason,
routing protocols may need to maintain the state of their
neighbors. Each routing protocol may use a different mechanism
for determining its neighbors in the routing topology. Some
protocols have distinct exchange through which they establish
neighboring relationships, e.g., Hello exchanges in OSPF.
o Database Maintenance: Routing protocols exchange network topology
and reachability information. The routers collect this
information in routing databases with varying detail. The
maintenance of these databases is a significant portion of the
function of a routing protocol.
A router's functions can be divided into control and data plane
(protocol traffic vs. data traffic). In a similar fashion, a routing
protocol has a control and a data plane. A routing protocol has a
control plane that exchanges messages that are intended only for
control of the protocol state.
Routing protocol data plane uses messages to exchange information
that is intended to be used in the forwarding function. For example,
the information can be used to establish a forwarding table in each
router or to return a description of the route to be used.
Routing functions may affect the control and the data planes.
However, there may be an emphasis on one of the planes as opposed to
the other. For example, neighbor maintenance is likely to focus on
the routing protocol control plane, while database maintenance may
focus on the data plane.
3. Generic Routing Protocol Threat Model
The model developed in this section can be used to identify threats
to any routing protocol. It examines attacks which can be launched
against routing from subverted entities within the routing system,
and from entities outside the routing system. Both of these types of
entities are called unauthorized entities.
Routing protocols are subject to threats at both the control and data
planes and at the level of individual routing functions. At the
control plane, an attacker may be able to break a neighbor (e.g.,
peering, adjacency) relationship. This type of attack can impact the
routing behavior of the affected routers and likely of the
surrounding neighborhood. An attacker who is able to break a database
exchange between two routers can also affect routing behavior. In the
routing protocol data plane, an attacker who is able to introduce
bogus data can have a strong effect on the behavior of routing in the
neighborhood.
At the routing function level, threats can affect the transport
subsystem, where the routing protocol can be subject to attacks on
its underlying protocol. At the neighbor state maintenance level,
there are threats that can lead to attacks that disrupt the
neighboring relationship, with widespread consequences. For example,
in BGP, if a router receives a (possibly forged) NOTIFICATION message
carrying the Cease error code, it tears down its neighboring
relationship with the sender.
There are threats against the database maintenance functionality. For
example, the information in the database must be authentic and
authorized. Threats that jeopardize this information can affect the
routing functionality in the overall network. For example, if an
OSPF router sends LSAs with the wrong Advertising Router, the
receivers will compute a SPF tree that is incorrect and might not
forward the traffic. If a BGP router advertises a NLRI that it is
not authorized to advertise, then receivers might forward that NLRI's
traffic toward that router and the traffic would not be deliverable.
A PIM router might transmit a JOIN message to receive multicast data
it would otherwise not receive.
3.1 Threat Definitions
In this work, a threat is defined as a motivated, capable adversary.
This characterization of threats clearly distinguishes threats from
attacks. By modeling the motivations (attack goals) and capabilities
of the adversaries who are threats, one can better understand what
classes of attacks these threats may mount and thus what types of
countermeasures will be required to deal with these attacks. In [1] a
threat is defined as a potential for violation of security, which
exists when there is a circumstance, capability, action, or event
that could breach security and cause harm. A threat presents itself
when an adversary has the ability to take advantage of an existing
security weakness. Threats can be categorized based on various
rules, such as threat sources, threat actions, threat consequences,
threat consequence zones, and threat consequence periods.
3.1.1 Threat Sources
There are many sources for threats that may affect routing protocols.
In some cases, unauthorized entities such as attackers may illegally
participate in the routing operations. In other circumstances, there
are threats to routing protocols from entities that are running
incorrect code, or using invalid configurations.
Threats can originate from outsiders or insiders. An insider is an
authorized participant in the routing protocol. An outsider is any
other host or network. A particular router determines whether a host
is an outsider or an insider. An authorized protocol speaker can be an
outsider to a particular router if that router does not consider it
to be a legitimate peer (as could conceivably happen on a multi-access
link).
In general, threats can be classified into the following categories
based on their sources [2]:
o Threats that result from subverted links: A link becomes subverted
when an attacker gains access to (or control of) it through the
physical medium. This threat can result from the lack of access
control mechanisms, or the use of weak ones, on physical media or
channels. The attacker may then eavesdrop, replay, delay, or drop
routing messages, or break routing sessions between authorized
routers, without participating in the routing exchange.
o Threats that result from subverted devices (e.g. routers): A
subverted device (router) is an authorized router that may have
been broken into by an attacker. The attacker can use the
subverted device to inappropriately claim authority for some
network resources, or violate routing protocols, such as
advertising invalid routing information.
For example, an OSPF router will form a peering relationship with any
attached device which appears to be running OSPF, unless MD5
authentication (or some other means) is used to prevent the
neighboring relationship from forming.
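The following is an added example, not text or code from this draft, showing the receiver-side check that such authentication provides. It implements OSPFv2 cryptographic authentication (AuType 2) as specified in RFC 2328, Appendix D: a keyed MD5 digest over the packet with the key appended, plus a per-neighbor cryptographic sequence number. An unauthenticated Hello, a Hello built without the key, and a Hello tampered with after signing are all refused, so no adjacency forms with the sending device; the sequence number check shows what replay protection the mechanism gives and where it stops. The key, router ID, packet body and sequence numbers are constructed for the example, and zero-padding a short key to 16 octets is an assumption about how the 16-octet key is formed.

```python
"""Added example (not from the draft): OSPFv2 cryptographic authentication
(RFC 2328, Appendix D, AuType 2) as the receiver-side check that keeps an
unauthenticated or forged Hello from forming a neighbor relationship.
Key, router ID, body and sequence numbers below are constructed."""
import hashlib
import hmac
import struct

OSPF_HDR = struct.Struct("!BBHIIHH")  # version, type, length, router id, area id, checksum, autype
CRYPT_AUTH = struct.Struct("!HBBI")   # must-be-zero, key id, auth data length, crypto seq number
AUTYPE_CRYPTO = 2
DIGEST_LEN = 16
OSPF_HELLO = 1


def pad_key(key):
    # RFC 2328 D.3 uses a 16-octet key; a shorter key is zero-padded here (assumption).
    return key.ljust(16, b"\0")[:16]


def build_packet(ptype, router_id, area_id, body, key_id, key, seq):
    """Build an OSPFv2 packet with cryptographic authentication appended.
    The digest is MD5 over the packet (checksum field zero) followed by the
    key, and it is NOT counted in the header's packet length (RFC 2328 D.4.3)."""
    length = OSPF_HDR.size + CRYPT_AUTH.size + len(body)
    header = OSPF_HDR.pack(2, ptype, length, router_id, area_id, 0, AUTYPE_CRYPTO)
    auth = CRYPT_AUTH.pack(0, key_id, DIGEST_LEN, seq)
    packet = header + auth + body
    return packet + hashlib.md5(packet + pad_key(key)).digest()


class Receiver:
    """Receiving router: keys indexed by key id, last accepted sequence per neighbor."""

    def __init__(self, keys):
        self.keys = dict(keys)
        self.last_seq = {}   # router id -> highest cryptographic sequence number accepted

    def accept(self, frame):
        """Return (accepted, reason) for one received frame."""
        if len(frame) < OSPF_HDR.size + CRYPT_AUTH.size + DIGEST_LEN:
            return False, "truncated"
        _ver, _type, length, router_id, _area, _cksum, autype = OSPF_HDR.unpack_from(frame, 0)
        if autype != AUTYPE_CRYPTO:
            return False, "authentication type mismatch"   # plain OSPF speaker is refused
        _zero, key_id, auth_len, seq = CRYPT_AUTH.unpack_from(frame, OSPF_HDR.size)
        if auth_len != DIGEST_LEN or len(frame) != length + DIGEST_LEN:
            return False, "bad length"
        key = self.keys.get(key_id)
        if key is None:
            return False, "unknown key id"
        # RFC 2328 D.4.3: the sequence number must be >= the last one accepted from
        # this neighbor.  Older packets are rejected; an exact repeat of the latest
        # packet is still accepted, which is a known limit of this replay protection.
        if seq < self.last_seq.get(router_id, 0):
            return False, "replay"
        packet, digest = frame[:length], frame[length:]
        expected = hashlib.md5(packet + pad_key(key)).digest()
        if not hmac.compare_digest(digest, expected):
            return False, "bad digest"
        self.last_seq[router_id] = seq
        return True, "ok"


def demo():
    """Honest neighbor, unauthenticated device, wrong key, tampered body, replays."""
    rx = Receiver({1: b"area0-key"})
    rid, area = 0x0A000001, 0
    body = b"\xff\xff\xff\x00" + b"\x00" * 12          # constructed Hello payload (16 bytes)
    good_100 = build_packet(OSPF_HELLO, rid, area, body, 1, b"area0-key", 100)
    good_101 = build_packet(OSPF_HELLO, rid, area, body, 1, b"area0-key", 101)
    # a device that simply speaks OSPF with AuType 0 (null authentication), no digest
    plain = (OSPF_HDR.pack(2, OSPF_HELLO, OSPF_HDR.size + 8 + len(body), rid, area, 0, 0)
             + bytes(8) + body)
    spoofed = build_packet(OSPF_HELLO, rid, area, body, 1, b"guessed-key", 200)  # claims rid, no key
    tampered = bytearray(good_101)
    tampered[OSPF_HDR.size + CRYPT_AUTH.size] ^= 0x01   # flip a body byte after signing
    return {
        "first":           rx.accept(good_100),
        "next":            rx.accept(good_101),
        "unauthenticated": rx.accept(plain),
        "spoofed":         rx.accept(spoofed),
        "tampered":        rx.accept(bytes(tampered)),
        "replay_old":      rx.accept(good_100),
        "replay_latest":   rx.accept(good_101),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} {result}")
```

Note that the exact repeat of the most recently accepted packet passes: RFC 2328 accepts a sequence number equal to the last one seen, so only older packets are caught, and the replay actions discussed later in this document remain possible within that window.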
3.1.2 Threat Consequences
A threat consequence is a security violation that results from a
threat action [1]. The compromise to the behavior of the routing
system can damage a particular network or host or can damage the
operation of the network as a whole.
There are four types of threat consequences: disclosure, deception,
disruption, and usurpation [1].
o Disclosure: Disclosure of routing information happens when a
router successfully accesses the information without being
authorized. Subverted links can cause disclosure if routing
exchanges lack confidentiality. Subverted devices (routers) can
cause disclosure as long as they are successfully involved in the
routing exchanges. Although inappropriate disclosure of routing
information can pose a security threat or be part of a later,
larger, or higher layer attack, confidentiality is not generally a
design goal of routing protocols.
o Deception: This consequence happens when a legitimate router
receives a false routing message and believes it to be true.
Subverted links and/or subverted devices (routers) can cause this
consequence if the receiving router lacks the ability to check
routing message integrity, routing message origin authentication,
or peer router authentication.
o Disruption: This consequence occurs when a legitimate router's
operation is interrupted or prevented. Subverted links can
cause this by replaying, delaying, or dropping routing messages,
or breaking routing sessions between legitimate routers. Subverted
devices (routers) can cause this consequence by sending false
routing messages, interfering with normal routing exchanges, or
flooding unnecessary messages. (DoS is a common threat action
causing disruption.)
o Usurpation: This consequence happens when an attacker gains
control over a legitimate router's services/functions. Subverted
links can cause this by delaying or dropping routing exchanges, or
replaying out-dated routing information. Subverted routers can
cause this consequence by sending false routing information,
interfering with routing exchanges, or compromising system
integrity.
Note: an attacker does not have to directly control a router to
control its services. For example, in Figure 1, Network 1 is
dual-homed through Router A and Router B, and Router A is preferred.
However, Router B is compromised and advertises a lower metric.
Consequently, devices on the Internet choose the path through Router
B to reach Network 1. In this way, Router B steals the data traffic
and Router A surrenders its control of the services to Router B. This
is depicted in Figure 1.
   +-------------+   +-------+
   |  Internet   |---| Rtr A |
   +------+------+   +---+---+
          |              |
          |              |
          |              |
          |            *-+-*
   +-------+          /     \
   | Rtr B |---------*  N 1  *
   +-------+          \     /
                       *---*

                Figure 1: Dual-homed Network
Several threat consequences might be caused by a single threat
action. In Figure 1, there exist at least two consequences: routers
using Router B to reach Network 1 are deceived, while Router A is
usurped.
Within the context of the threat consequences described above, damage
that might result from attacks against the network as a whole may
include:
o Network congestion: more data traffic is forwarded through some
portion of the network than would otherwise need to carry the
traffic,
o Blackhole: large amounts of traffic are directed to be forwarded
through one router that cannot handle the increased level of
traffic and drops many/most/all packets,
o Looping: data traffic is forwarded along a route that loops, so
that the data is never delivered (resulting in network
congestion),
o Partition: some portion of the network believes that it is
partitioned from the rest of the network when it is not,
o Churn: the forwarding in the network changes (unnecessarily) at a
rapid pace, resulting in large variations in the data delivery
patterns (and adversely affecting congestion control techniques),
o Instability: the protocol becomes unstable so that convergence on
a global forwarding state is not achieved, and
o Overload: the protocol messages themselves become a significant
portion of the traffic the network carries.
The damage that might result from attacks against a particular host
or network address may include:
o Starvation: data traffic destined for the network or host is
forwarded to a part of the network that cannot deliver it,
o Eavesdrop: data traffic is forwarded through some router or
network that would otherwise not see the traffic, affording an
opportunity to see the data or at least the data delivery pattern,
o Cut: some portion of the network believes that it has no route to
the host or network when it is in fact connected,
o Delay: data traffic destined for the network or host is forwarded
along a route that is in some way inferior to the route it would
otherwise take,
o Looping: data traffic for the network or host is forwarded along a
route that loops, so that the data is never delivered
It is important to consider all compromises, because some security
solutions protect against one attack but not against others. It
might be possible to design a security solution that protects
against an attack that eavesdrops on one destination's traffic
without protecting against an attack that overwhelms a router.
Similarly, it is possible to design a security solution that prevents
a starvation attack against one host but not against a network-wide
resource. The security requirements must be clear as to which
compromises are being avoided and which compromises must be addressed
by other means (e.g., by administrative means outside the protocol).
3.1.2.1 Threat Consequence Zone
A threat consequence zone covers the area within which the network
operations have been affected by threat actions. Possible threat
consequence zones can be classified as: a single link or router,
multiple routers (within a single routing domain), a single routing
domain, multiple routing domains, or the global Internet. The threat
consequence zone varies based on the threat action and origin.
Similar threat actions carried out at different locations may cause
totally different threat consequence zones. For example, when a
compromised link breaks the routing session between a distribution
router and a stub router, only reachability to and from the network
devices attached to the stub router is impaired. In other words, the
threat consequence zone is a single router. If, however, the
compromised link is located between a customer edge router and its
corresponding provider edge router, the same action might cause the
whole customer site to lose its connectivity. In this case, the
threat consequence zone might be a single routing domain.
3.1.2.2 Threat Consequence Periods
The threat consequence period is defined as the portion of time
during which the network operations have been impacted by the threat
consequences. The threat consequence period is influenced by, but not
totally dependent on, the duration of the threat action. In some
cases, the network operations return to normal as soon as the
threat action has stopped. In other cases, however, the threat
consequences persist longer than the threat action. For example, in
the original ARPANET link-state algorithm, errors in a single router
introduced three instances of an LSA, and all of them were flooded
throughout the network forever, until the entire network was power
cycled [3].
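As an added illustration, not part of the draft or of [3], the following models the failure mode in which instances of one LSA cannot be ordered. With a sequence number compared circularly, each of three constructed instances is "newer" than another, so a router keeps accepting and re-flooding them however often they come back, long after the faulty router has been removed; with the linear comparison OSPF uses (RFC 2328, Sections 12.1.6 and 13.1), acceptance stops at the highest instance. The 6-bit space and the instance numbers are constructed for the example and are not the values reported in [3].

```python
"""Added example (not from the draft or from [3]): LSA instances whose sequence
numbers cannot be ordered keep being accepted and re-flooded.  The 6-bit
space and the three instance numbers are constructed, not the values in [3]."""
import itertools

SEQ_BITS = 6
SEQ_MOD = 1 << SEQ_BITS
INSTANCES = (0, 21, 42)   # constructed: three instances of the same LSA


def circular_newer(candidate, current):
    """Circular comparison: 'candidate' is newer when it lies less than half
    the space ahead of 'current' (modular distance).  Three values spaced a
    third of the space apart are each newer than one of the others."""
    return 0 < (candidate - current) % SEQ_MOD < SEQ_MOD // 2


def linear_newer(candidate, current):
    """OSPF comparison (RFC 2328, Sections 12.1.6 and 13.1): a plain signed
    integer sequence space, so a largest instance always exists."""
    return candidate > current


def cyclic_order(instances, newer):
    """True if every instance is 'newer' than its predecessor around the ring,
    i.e. there is no newest instance and flooding can never settle."""
    n = len(instances)
    return all(newer(instances[(i + 1) % n], instances[i]) for i in range(n))


def flood_accepts(instances, newer, arrivals):
    """A router receives the instances in rotation 'arrivals' times, as happens
    when copies chase each other around the network.  Returns how many arrivals
    it accepts, each of which it would install and re-flood to its neighbors."""
    current, accepted = None, 0
    for seq in itertools.islice(itertools.cycle(instances), arrivals):
        if current is None or newer(seq, current):
            current, accepted = seq, accepted + 1
    return accepted


if __name__ == "__main__":
    for name, newer in (("circular", circular_newer), ("linear", linear_newer)):
        print(name, "cyclic order:", cyclic_order(INSTANCES, newer),
              "accepted of 300 arrivals:", flood_accepts(INSTANCES, newer, 300))
```

With the circular comparison every one of the 300 arrivals is accepted and re-flooded; with the linear comparison only the first three are, after which the highest instance wins and flooding stops.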
4. Generally Identifiable Routing Threats
This section addresses generally identifiable and recognized threat
action against routing protocols. The threats are not necessarily
specific to individual protocols but may be present in one or more of
the common routing protocols in use today.
4.1 Deliberate Exposure
Deliberate Exposure occurs when an attacker takes control of a router
and intentionally releases routing information directly to other
routers. In some cases, the receiving routers may not be authorized
to access the leaked routing information. Deliberate exposure is
always a threat action, however, the exposure of routing information
may not be.
The consequence of deliberate exposure is the disclosure of routing
information.
The threat consequence zone of deliberate exposure depends on the
routing information that the attackers have exposed. The more
knowledge they have exposed, the bigger the threat consequence zone.
The threat consequence period of deliberate exposure might be longer
than the duration of the action itself. The routing information
exposed will not be out-dated until there is a topology change of the
exposed network.
4.2 Sniffing
Sniffing is an action whereby attackers monitor and/or record the
routing exchanges between authorized routers. Attackers can use
subverted links to sniff for routing information.
The consequence of sniffing is disclosure of routing information.
The threat consequence zone of sniffing depends on the attacker's
location, the routing protocol type, and the routing information that
has been recorded. For example, if the subverted link is in an OSPF
totally stubby area, the threat consequence zone should be limited to
that area. An attacker that is sniffing a subverted link carrying an
EBGP session can gain knowledge of multiple routing domains.
The threat consequence period might be longer than the duration of
the action. If an attacker stops sniffing a subverted link their
acquired knowledge will not be out-dated until there is a topology
change of the affected network.
4.3 Traffic Analysis
Traffic analysis is an action whereby attackers gain routing
information by analyzing the characteristics of the data traffic on a
subverted link. Traffic analysis threats can affect any data that is
sent in the clear over a communication link. This threat is not
peculiar to routing protocols and is included here for completeness.
The consequence of data traffic analysis is the disclosure of routing
information. For example, the source and destination IP address of
the data traffic, the type, magnitude, and volume of traffic is
disclosed.
The threat consequence zone of the traffic analysis depends on the
attacker's location and what data traffic has passed through. A
subverted link at the network core should be able to disclose more
information than its counterpart at the edge.
The threat consequence period might be longer than the duration of
the traffic analysis. After the attacker stops traffic analysis, its
knowledge will not be out-dated until there is a topology change of
the disclosed network.
4.4 Spoofing
Spoofing occurs when an illegitimate device assumes the identity of a
legitimate one. Spoofing in and of itself is often not the true
attack. Spoofing is special in that it can be used to carry out other
threat actions causing other threat consequences. An attacker can use
spoofing as a means for launching other types of attacks. For
example, if an attacker succeeds in spoofing the identity of a
router, the subverted router can act as a masquerading router. In
other situations, the spoofed router can be used to send out
unrealistic routing information that might cause the disruption of
network services.
There are a few cases where spoofing can be an attack in and of
itself. For example, messages from an attacker which spoof the
identity of a legitimate router may cause a neighbor relationship to
form and deny the formation of the relationship with the legitimate
router.
The consequences of spoofing are:
o The disclosure of routing information: The spoofed router will be
able to gain access to the routing information.
o The deception of peer relationship: The authorized routers, which
exchange routing messages with the spoofed router, do not realize
they are neighboring with a router that is faking another router's
identity.
The threat consequence zone covers:
o The consequence zone of the fake peer relationship is limited to
those routers that accept the attacker's false identity.
o The consequence zone of the disclosed routing information depends
on the attacker's location, the routing protocol type, and the
routing information that has been exchanged between the attacker
and its deceived neighbors.
4.5 Falsification
Falsification is an intentional action whereby false routing
information is sent by a subverted router. False routing information
describes the network in an unrealistic fashion, whether or not
intended by the authoritative network administrator.
To falsify the routing information, an attacker has to be either the
originator or a forwarder of the routing information. It cannot be a
receiver-only.
4.5.1 Falsifications by Originators
An originator of routing information can launch the falsifications
that are described in the next sections.
4.5.1.1 Overclaiming
Overclaiming occurs when a subverted router advertises its control of
some network resources, while in reality it does not, or the
advertisement is not authorized. This is given in Figure 2 and
Figure 3.
   +-------------+   +-------+   +-------+
   |  Internet   |---| Rtr B |---| Rtr A |
   +------+------+   +-------+   +---+---+
          |                          .
          |                          |
          |                          .
          |                        *-+-*
   +-------+                      /     \
   | Rtr C |---------------------*  N 1  *
   +-------+                      \     /
                                   *---*

                  Figure 2: Overclaiming-1

   +-------------+   +-------+   +-------+
   |  Internet   |---| Rtr B |---| Rtr A |
   +------+------+   +-------+   +-------+
          |
          |
          |
          |                        *---*
   +-------+                      /     \
   | Rtr C |---------------------*  N 1  *
   +-------+                      \     /
                                   *---*

                  Figure 3: Overclaiming-2
The above figures provide examples of overclaiming. Router A, the
attacker, is connected with the Internet through Router B. Router C
is authorized to advertise its link to Network 1. In Figure 2, Router
A controls a link to Network 1, but is not authorized to advertise
it. In Figure 3, Router A does not control such a link. But in either
case, Router A advertises the link to the Internet, through Router B.
Compromised routers, unauthorized routers, and masquerading routers
can overclaim network resources. The consequences of overclaiming
include:
o Usurpation of the overclaimed network resources. In Figure 2 and
Figure 3, Network 1 is usurped when Router B or other routers on the
Internet (not shown in the figures) believe that Router A provides
the best path to reach Network 1 and therefore forward the data
traffic destined for Network 1 to Router A. In the best case the
data traffic uses an unauthorized path (Figure 2); in the worst case
the data never reaches Network 1 (Figure 3). The ultimate
consequence is that Router A gains control over Network 1's
services by controlling the data traffic.
o Usurpation of the legitimate advertising routers. In Figure 2 and
Figure 3, Router C is the legitimate advertiser of Network 1. By
overclaiming, Router A also controls (partially or totally) the
services/functions provided by Router C. (This is NOT a
disruption, because Router C is still operating in the way intended
by the authoritative network administrator.)
o Deception of other routers. In Figure 2 and Figure 3, Router B, or
other routers on the Internet, might be deceived into believing the
path through Router A is the best.
o Disruption of the data planes of some routers. This might happen on
routers that are on the path used by other routers to reach the
overclaimed network resources through the attacker. In Figure 2 and
Figure 3, when other routers on the Internet are deceived, they
forward the data traffic to Router B, which might be overloaded.
The threat consequence zone varies based on the consequence:
o Where usurpation is concerned, the consequence zone covers the
network resources that are overclaimed by the attacker (Network 1
in Figure 2 and 3), and the routers that are authorized to
advertise the network resources but lose the competition against
the attacker(Router C in Figure 2 and Figure 3).
o Where deception is concerned, the consequence zone covers the
routers that do believe the attacker's advertisement and use the
attacker to reach the claimed subnets (Router B and other deceived
routers on the Internet in Figure 2 and Figure 3).
o Where disruption is concerned, the consequence zone includes the
routers that are on the path of misdirected data traffic (Router B
in Figure 2 and Figure 3).
The threat consequences begin to cease when the attacker stops
overclaiming, and disappear entirely only when the routing tables
have reconverged. As a result, the consequence period is longer than
the duration of the overclaiming.
4.5.1.2 Misclaiming
A misclaiming threat is defined as an attacker action advertising its
authorized control of some network resources in a way that is not
intended by the authoritative network administrator. An attacker can
eulogize or disparage these network resources when advertising them,
for example by announcing a better or worse metric than the
administrator intended. Subverted routers, unauthorized routers, and
masquerading routers can misclaim network resources.
The threat consequences of misclaiming are similar to the
consequences of overclaiming.
The consequence zone and period are also similar to those of
overclaiming.
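The following is an added example, not code from this draft, that simulates in a small distance-vector model the consequences described for Figure 1 in Section 3.1.2, for overclaiming (Figures 2 and 3) and for misclaiming. The compromised Router B of Figure 1 misclaims Network 1 with a metric below the truth and draws the Internet's traffic away from Router A; Router A of Figures 2 and 3 overclaims Network 1 and the Internet forwards through Router B to it, over an unauthorized path in Figure 2 and into a blackhole in Figure 3. Router names follow the figures; the link costs, the attacker's advertised metrics and the use of split horizon are assumptions made for the example.

```python
"""Added example (not from the draft): a small distance-vector model of the
Figure 1 dual-homed network and the Figure 2/3 overclaiming topologies.
Link costs and the attacker's advertised metrics are constructed."""


class Router:
    def __init__(self, name, attached=None, authorized=None, claims=None):
        self.name = name
        self.links = {}                       # neighbor name -> link cost
        self.attached = dict(attached or {})  # prefix -> cost of its directly attached link
        # prefixes this router may legitimately advertise (default: all attached ones)
        self.authorized = set(self.attached if authorized is None else authorized)
        self.claims = dict(claims or {})      # attacker: prefix -> metric advertised regardless of truth
        self.table = {}                       # prefix -> (metric, next hop; None when attached)

    def advertisement(self, to):
        """Routes announced to neighbor 'to': authorized attached prefixes plus
        learned routes (split horizon: never back to the neighbor they came from).
        'claims' override that: an unattached prefix is an overclaim, a lowered
        metric a misclaim."""
        adv = {p: c for p, c in self.attached.items() if p in self.authorized}
        for p, (metric, next_hop) in self.table.items():
            if next_hop is not None and next_hop != to:
                adv.setdefault(p, metric)
        adv.update(self.claims)
        return adv


def link(a, b, cost):
    a.links[b.name] = cost
    b.links[a.name] = cost


def converge(routers, max_rounds=50):
    """Synchronous Bellman-Ford rounds until no table changes; returns rounds used."""
    for rnd in range(1, max_rounds + 1):
        advs = {(r.name, n): r.advertisement(n) for r in routers for n in r.links}
        changed = False
        for r in routers:
            new = {p: (c, None) for p, c in r.attached.items()}
            for nbr, link_cost in r.links.items():
                for p, metric in advs[(nbr, r.name)].items():
                    if p not in new or link_cost + metric < new[p][0]:
                        new[p] = (link_cost + metric, nbr)
            if new != r.table:
                r.table, changed = new, True
        if not changed:
            return rnd
    raise RuntimeError("no convergence (routing loop or count-to-infinity)")


def trace(routers, source, prefix):
    """Follow next hops from 'source' and report where traffic for 'prefix' ends."""
    by_name = {r.name: r for r in routers}
    path, seen, cur = [source], set(), by_name[source]
    while True:
        if cur.name in seen:
            return path, "loop"
        seen.add(cur.name)
        if prefix in cur.attached:
            return path, ("delivered" if prefix in cur.authorized
                          else "delivered via unauthorized path")
        entry = cur.table.get(prefix)
        if entry is None:
            return path, "blackhole"   # traffic was attracted here but cannot be delivered
        cur = by_name[entry[1]]
        path.append(cur.name)


def figure1(router_b_compromised):
    """Figure 1: N1 is dual-homed; Rtr A's link (cost 1) beats Rtr B's (cost 3).
    A compromised Rtr B misclaims N1 with metric 0, below the truth."""
    internet = Router("Internet")
    rtr_a = Router("RtrA", attached={"N1": 1})
    rtr_b = Router("RtrB", attached={"N1": 3},
                   claims={"N1": 0} if router_b_compromised else None)
    link(internet, rtr_a, 1)
    link(internet, rtr_b, 1)
    routers = [internet, rtr_a, rtr_b]
    converge(routers)
    return trace(routers, "Internet", "N1")


def figures_2_3(attacker_has_link, attacker_claims=True):
    """Figures 2/3: Rtr C is authorized for N1 over a costly link (5); Rtr A, behind
    Rtr B, overclaims N1 with a link it is not authorized for (Figure 2) or with
    no link at all (Figure 3)."""
    internet, rtr_b = Router("Internet"), Router("RtrB")
    rtr_a = Router("RtrA", attached={"N1": 1} if attacker_has_link else None,
                   authorized=set(), claims={"N1": 1} if attacker_claims else None)
    rtr_c = Router("RtrC", attached={"N1": 1})
    link(internet, rtr_b, 1)
    link(rtr_b, rtr_a, 1)
    link(internet, rtr_c, 5)
    routers = [internet, rtr_b, rtr_a, rtr_c]
    converge(routers)
    return trace(routers, "Internet", "N1")


if __name__ == "__main__":
    print("Figure 1, honest:            ", figure1(False))
    print("Figure 1, Rtr B compromised: ", figure1(True))
    print("Figure 2 (unauthorized link):", figures_2_3(True))
    print("Figure 3 (no link):          ", figures_2_3(False))
    print("Figures 2/3, honest Rtr A:   ", figures_2_3(False, attacker_claims=False))
```

In the honest cases the Internet reaches Network 1 through Router A (Figure 1) or Router C (Figures 2 and 3). Once Router B misclaims, the Internet's next hop becomes Router B although Router A still has the better link, which is the usurpation of Router A described in Section 3.1.2; once Router A overclaims, the path runs Internet, Router B, Router A and ends either on A's unauthorized link or in a blackhole, and Router B carries traffic it would otherwise never see.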
4.5.2 Falsifications by Forwarders
When a legitimate router forwards routing information, it must or
must not modify the routing information, depending on the routing
information and the routing protocol type. For example, in RIP, the
forwarder must modify the routing information by increasing the hop
count by 1. On the other hand, the forwarder must not modify a type
1 LSA in OSPF. In general, forwarders in distance vector routing
protocols are authorized to and must modify the routing information,
while most forwarders in link state routing protocols are not
authorized to and must not modify most routing information.
As a forwarder authorized to modify routing messages, an attacker
might withhold (understate) routing information that other authorized
routers need. Unauthorized aggregation (summarization) is a special
type of understatement.
4.5.2.1 Misstatement
This is defined as an action whereby the attacker describes route
attributes in an incorrect manner. For example, in RIP, the attacker
might increase the path cost by two hops instead of one. In BGP, the
attacker might delete some AS numbers from the AS PATH.
Where forwarding routing information should not be modified, an
attacker can launch the following falsifications:
o Deletion: Attacker deletes valid data in the routing message.
o Insertion: Attacker inserts false data in the routing message.
o Substitution: Attacker replaces valid data in the routing message
with false data.
o Replaying: Attacker replays outdated data in the routing message.
All types of attackers (compromised links, compromised routers,
unauthorized routers, and masquerading routers) can falsify the
routing information when they forward the routing messages.
The threat consequences of these falsifications by forwarders are
similar to those caused by originators: usurpation of some network
resources and related routers; deception of routers into using false
paths; and disruption of the data planes of routers on the false
paths.
The threat consequence zone and period are also similar.
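The two forwarder roles described in 4.5.2 and the misstatement and
falsification actions of 4.5.2.1, worked as an added example that is
not part of this draft: a RIP-style distance-vector forwarder that
must add exactly one hop, beside an OSPF-style link-state receiver
that must detect a forwarder's deletion, insertion, substitution or
replay. The topology, the metrics, and the HMAC origin tag under a
shared area key (standing in for the per-router digital signature of
[5]) are assumptions made for the example, not mechanisms the draft
specifies.

```python
"""Added example, not code from this draft: a RIP-style distance-vector
forwarder beside an OSPF-style link-state receiver.

Assumed for the example (not from the draft): the topology and metrics,
and an HMAC origin tag under a shared area key that stands in for the
per-router digital signature of RFC 2154 [5]."""
import hashlib
import hmac
from dataclasses import dataclass, replace

RIP_INFINITY = 16  # RIP metric meaning "unreachable"


# --- Distance vector: the forwarder is REQUIRED to change the metric ---

def rip_forward(advert, hop_increment=1):
    """Re-advertise RIP routes {prefix: metric}. A legitimate forwarder
    adds exactly one hop. A misstating forwarder adds 0 to make its path
    look better (eulogize) or 2 or more to make it look worse
    (disparage). Metrics saturate at RIP_INFINITY."""
    return {prefix: min(metric + hop_increment, RIP_INFINITY)
            for prefix, metric in advert.items()}


def rip_select(adverts):
    """Receiver-side selection: lowest metric wins; on a tie the route
    already installed is kept. adverts is [(neighbor, {prefix: metric})].
    Returns {prefix: (metric, next_hop)}."""
    table = {}
    for neighbor, advert in adverts:
        for prefix, metric in advert.items():
            if metric >= RIP_INFINITY:
                continue  # unreachable, never installed
            if prefix not in table or metric < table[prefix][0]:
                table[prefix] = (metric, neighbor)
    return table


def dv_scenario(attacker_increment):
    """Upstream router X advertises 10.1.0.0/16 at metric 2 to forwarders
    A and B. A adds one hop; B adds attacker_increment. Returns the
    table the downstream router R builds from both advertisements."""
    upstream = {"10.1.0.0/16": 2}
    return rip_select([("A", rip_forward(upstream, 1)),
                       ("B", rip_forward(upstream, attacker_increment))])


# --- Link state: the forwarder MUST NOT change what it floods ---

AREA_KEY = b"constructed-example-key"  # assumption: stands in for a signing key


@dataclass(frozen=True)
class LSA:
    originator: str
    seq: int          # LS sequence number; a higher value is newer
    links: tuple      # ((neighbor, cost), ...)
    tag: bytes = b""  # origin tag, computed by the originator only


def lsa_tag(originator, seq, links):
    body = f"{originator}|{seq}|{sorted(links)}".encode()
    return hmac.new(AREA_KEY, body, hashlib.sha256).digest()


def originate(originator, seq, links):
    links = tuple(links)
    return LSA(originator, seq, links, lsa_tag(originator, seq, links))


class LSDB:
    """Link-state database applying the two checks a receiver has for a
    flooded LSA: the origin tag (catches deletion, insertion and
    substitution by a forwarder) and the sequence number (catches
    replay of an LSA older than the one installed)."""

    def __init__(self):
        self.db = {}

    def accept(self, lsa):
        """Install the LSA and return None, or return the rejection reason."""
        expected = lsa_tag(lsa.originator, lsa.seq, lsa.links)
        if not hmac.compare_digest(expected, lsa.tag):
            return "modified in transit"
        current = self.db.get(lsa.originator)
        if current is not None and lsa.seq <= current.seq:
            return "replayed or stale"
        self.db[lsa.originator] = lsa
        return None


def ls_scenario():
    """Flood one honest LSA, then each forwarder falsification of it."""
    db = LSDB()
    good = originate("R1", seq=5, links=[("R2", 10), ("R3", 20)])
    results = {"honest": db.accept(good)}
    # the forwarder edits the LSA but cannot recompute the originator's tag
    results["deletion"] = db.accept(replace(good, links=good.links[:1]))
    results["insertion"] = db.accept(replace(good, links=good.links + (("R9", 1),)))
    results["substitution"] = db.accept(replace(good, links=(("R2", 1), ("R3", 20))))
    # a genuine but older LSA from R1, replayed after the newer one was installed
    results["replay"] = db.accept(originate("R1", seq=4, links=[("R2", 10)]))
    return results


if __name__ == "__main__":
    for inc in (1, 0, 2):
        print("B adds", inc, "->", dv_scenario(inc))
    print(ls_scenario())
```

With B adding 0 instead of 1, R installs the route via B at metric 2
and traffic for 10.1.0.0/16 is drawn through the attacker; with B
adding 2, R keeps A but B has disparaged a path the administrator
intended to be usable. A shared-key tag only proves that some key
holder originated the LSA: a subverted router in the same area holds
the key and can recompute the tag after modifying the LSA, which is
why [5] signs each LSA with the originator's own key. The
sequence-number check likewise rejects only LSAs older than the one
installed; a forwarder that withholds a newer LSA (understatement) is
not detected by either check.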
4.6 Interference
Interference is a threat action where an attacker uses a subverted
link or router to inhibit the exchanges between legitimate routers.
The attacker can do this by adding noise, by not forwarding packets,
by replaying outdated packets, by delaying responses, by withholding
acknowledgements, or by breaking synchronization.
Subverted, unauthorized and masquerading routers can slow down their
routing exchanges with legitimate neighboring routers or cause the
routing sessions of those neighbors to flap.
The consequence of interference is the disruption of routing
operations.
The consequence zone of interference varies with the source of the
threat:
o When a subverted link is used to launch the action, the threat
consequence zone covers the routers that use the link to exchange
routing information. An attack on a link can cause consequences at
the neighbor maintenance level, which may in turn lead to changes in
the routing database. In this case, the consequences can be felt
network-wide.
o When subverted routers, unauthorized routers, or masquerading
routers are the attackers, the threat consequence zone covers the
routers with which the attackers are exchanging routing information.
The threat consequences might disappear as soon as the interference
stops, or might not totally disappear until the network has
converged. Therefore, the consequence period is equal to or longer
than the duration of the interference.
4.7 Overload
Overload is defined as a threat action whereby attackers place an
excess burden on legitimate routers. For example, an attacker can
overload the control plane: a compromised router can trigger the
creation of more state than the routers within the network are able
to handle. Similarly, an attacker can overload the data plane. Since
the data plane is involved in carrying the routing exchanges,
overload of the data plane can also affect routing operations.
This section combines overload of the control plane and the data
plane (i.e., the routing protocol messages and the data traffic, not
the control and data plane of the routing protocol itself as
discussed in section 2.1). The routing protocol design may be able to
limit control plane traffic. However, the routing protocol cannot
limit the data traffic. Thus, an attacker can affect the behavior of
the entire routing system.
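The interference action of 4.6 and the control-plane overload of 4.7,
worked as an added example that is not from this draft: a
receive-side guard for a routing process that rate-limits routing
messages per source and places a flapping neighbor in hold-down. The
neighbor addresses, the rate and hold-down parameters, and the event
stream at the bottom are constructed for the example.

```python
"""Added example, not code from this draft: a receive-side guard for a
routing process covering the threat actions of sections 4.6 and 4.7.
Assumed for the example (not from the draft): the neighbor addresses,
the rate and hold-down parameters, and the constructed event stream."""
from collections import defaultdict, deque


class TokenBucket:
    """Classic token bucket: 'rate' tokens per second, at most 'burst'."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ControlPlaneGuard:
    """Checks applied to a routing message before it is parsed.

    Overload (4.7): one token bucket per configured neighbor, plus a single
    small bucket shared by every source that is not a configured neighbor,
    so an unauthorized or masquerading router cannot use up the budget
    that legitimate neighbors draw on.

    Interference (4.6): a flap detector. A neighbor whose session is lost
    more than max_flaps times within flap_window seconds is placed in
    hold-down for hold_down seconds, during which its messages are
    dropped rather than used to re-establish the adjacency."""

    def __init__(self, neighbors, rate=10.0, burst=20, unknown_rate=1.0,
                 unknown_burst=2, max_flaps=3, flap_window=60.0,
                 hold_down=300.0):
        self.buckets = {n: TokenBucket(rate, burst) for n in neighbors}
        self.unknown = TokenBucket(unknown_rate, unknown_burst)
        self.max_flaps, self.flap_window = max_flaps, flap_window
        self.hold_down = hold_down
        self.down_events = defaultdict(deque)  # src -> recent loss times
        self.held_until = {}                   # src -> hold-down expiry
        self.dropped = defaultdict(int)

    def in_hold_down(self, src, now):
        return now < self.held_until.get(src, 0.0)

    def admit(self, src, now):
        """True if a routing message from src may be parsed now."""
        if self.in_hold_down(src, now):
            self.dropped[src] += 1
            return False
        if self.buckets.get(src, self.unknown).allow(now):
            return True
        self.dropped[src] += 1
        return False

    def session_down(self, src, now):
        """Record a session loss. True if src was just placed in hold-down."""
        window = self.down_events[src]
        window.append(now)
        while window and window[0] < now - self.flap_window:
            window.popleft()
        if len(window) > self.max_flaps:
            self.held_until[src] = now + self.hold_down
            window.clear()
            return True
        return False


# Constructed event stream: (time, kind, source). Not captured traffic.
CONSTRUCTED_EVENTS = (
    # an unknown source floods 50 messages within one second (overload)
    [(1.0 + i * 0.02, "msg", "192.0.2.99") for i in range(50)]
    # a configured neighbor keeps sending normally during the flood
    + [(1.0 + i * 0.1, "msg", "10.0.0.2") for i in range(10)]
    # the session to neighbor 10.0.0.3 is made to flap (interference)
    + [(t, "down", "10.0.0.3") for t in (10.0, 20.0, 30.0, 40.0)]
    # its next message arrives while it is in hold-down
    + [(45.0, "msg", "10.0.0.3")]
)


def run_events(events, neighbors=("10.0.0.2", "10.0.0.3")):
    """Replay events in time order. Returns (admitted counts, dropped
    counts, list of (time, src) hold-down decisions)."""
    guard = ControlPlaneGuard(neighbors, rate=10.0, burst=5)
    admitted, holds = defaultdict(int), []
    for now, kind, src in sorted(events):
        if kind == "msg" and guard.admit(src, now):
            admitted[src] += 1
        elif kind == "down" and guard.session_down(src, now):
            holds.append((now, src))
    return dict(admitted), dict(guard.dropped), holds


if __name__ == "__main__":
    print(run_events(CONSTRUCTED_EVENTS))
```

The separate bucket for unknown sources is the point of the overload
half: without it, a masquerading router that floods the routing port
consumes the budget that legitimate neighbors rely on, and the
neighbor 10.0.0.2 above would lose messages during the flood. The
hold-down half cuts both ways, as the section notes for the
consequence period: an attacker who can make a session flap can also
provoke the hold-down, so the flap threshold and window should be set
so that ordinary link instability does not trigger it.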
4.8 Byzantine Failures
As described in [4], "A node with a Byzantine failure may corrupt
messages, forge messages, delay messages, or send conflicting
messages to different nodes." These faults may arise from routers
which have been subverted by an attacker or which have faulty
hardware or software. In any case, they represent a threat to
correct operation of routing and routing protocols.
The ability of the network to function in the face of such defects is
described as Byzantine robustness and would fall into the scope of a
requirements document for routing protocol security which may build
from the base established in this document.
5. Security Considerations
This entire document is security related. Specifically the document
addresses security of routing protocols as associated with threats to
those protocols. In a larger context, this work builds upon the
recognition of the IETF community that signaling and control/
management planes of networked devices need strengthening. Routing
protocols can be considered part of that signaling and control plane.
However, to date, routing protocols have largely remained unprotected
and open to malicious attacks. This document discusses inter- and
intra-domain routing protocol threats that are currently known and
lays the foundation for other documents that will discuss security
requirements for routing protocols.
Normative References
[1]  Shirey, R., "Internet Security Glossary", RFC 2828, May 2000.
[2]  Smith, R. et al., "Securing Distance-Vector Routing Protocols",
     Symposium on Network and Distributed System Security,
     February 1997.
[3]  Rosen, E., "Vulnerabilities of Network Control Protocols: An
     Example", Computer Communication Review, July 1981.
[4]  Perlman, R., "Network Layer Protocols with Byzantine
     Robustness", August 1988.
[5]  Murphy, S. et al., "OSPF with Digital Signatures", RFC 2154,
     June 1997.
[6]  Moy, J., "OSPF Version 2", RFC 2328, April 1998.
[7]  Mittal, V. et al., "Sensor-Based Intrusion Detection for
     Intra-Domain Distance-Vector Routing", Proceedings of the ACM
     Conference on Computer and Communications Security (CCS'02),
     Washington, DC, November 2002.
[8]  Cheung, S. et al., "Protecting Routing Infrastructures from
     Denial of Service Using Cooperative Intrusion Detection",
     Proceedings of the 1995 IEEE Symposium on Security and Privacy,
     May 1995.
[9]  Bradley, K. et al., "A Distributed Network Monitoring
     Approach", November 2001.
[10] Shen, N. et al., "Dynamic Hostname Exchange Mechanism for
     IS-IS", RFC 2763, February 2000.
[11] Malkin, G., "RIP Version 2 Protocol Analysis", RFC 1721,
     November 1994.
Informative References
[12] Vetter, W. et al., "Experimental Study of Insider Attacks in a
     Link State Routing Protocol", 5th IEEE International Conference
     on Network Protocols, Atlanta, GA, 1997.
[13] Cain, B. et al., "Internet Group Management Protocol, Version 3",
     RFC 3376, October 2002.
[14] Estrin, D. et al., "Protocol Independent Multicast-Sparse Mode
     (PIM-SM): Protocol Specification", RFC 2362, June 1998.
[15] Ballardie, A. et al., "Multicast-Specific Security Threats and
     Counter-Measures", Symposium on Network and Distributed System
     Security, February 1995.
[16] Smith, A. et al., "Securing the Border Gateway Routing
     Protocol", Proc. Global Internet '96, November 1996.
[17] Kent, S. et al., "Secure Border Gateway Protocol (Secure-BGP)",
     IEEE Journal on Selected Areas in Communications, April 2000.
Authors' Addresses
Abbie Barbir (Editor)
Nortel Networks
3500 Carling Avenue
Nepean, Ontario K2H 8E9
Canada
Phone:
EMail: abbieb@nortelnetworks.com
Sandy Murphy
Network Associates, Inc
3060 Washington Rd.
Glenwood, MD 21738
USA
Phone: 443-259-2303
EMail: sandy@tislabs.com
Yi Yang
Cisco Systems
7025 Kit Creek Road
RTP, NC 27709
USA
Phone:
EMail: yiya@cisco.com
Appendix A. Acknowledgements
This draft would not have been possible save for the excellent
efforts and team work characteristics of those listed here.
o Dennis Beard- Nortel Networks
o Ayman Musharbash - Nortel Networks
o Jean-Jacques Puig, int-evry, France
o Paul Knight - Nortel Networks
o Elwyn Davies - Nortel Networks
o Ameya Dilip Pandit - Graduate student - University of Missouri
o Senthilkumar Ayyasamy - Graduate student - University of Missouri
o Stephen Kent- BBN
Appendix B. Acronyms
AODV - Ad-hoc On-demand Distance Vector routing protocol
AS - Autonomous system. Set of routers under a single technical
administration. Each AS normally uses a single interior gateway
protocol (IGP) and metrics to propagate routing information within
the set of routers. Also called routing domain.
AS-Path - In BGP, the route to a destination, expressed as the
sequence of AS numbers of the autonomous systems through which the
route advertisement has passed on its way to the receiving AS.
BGP - Border Gateway Protocol. Exterior gateway protocol used to
exchange routing information among routers in different autonomous
systems.
LSA - Link-State Advertisement
M-OSPF - Multicast Open Shortest Path First
NLRI - Network Layer Reachability Information. The destination
prefixes carried in BGP UPDATE messages; multiprotocol BGP (MBGP)
carries NLRI for additional address families.
OSPF - Open Shortest Path First. A link-state IGP that makes routing
decisions based on the shortest-path-first (SPF) algorithm (also
referred to as the Dijkstra algorithm).
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification can
be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assignees.
This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.