Network Working Group A. Barbir
Internet-Draft Nortel Networks
Expires: April 25, 2005 S. Murphy
Sparta, Inc.
Y. Yang
Cisco Systems
October 25, 2004
Generic Threats to Routing Protocols
draft-ietf-rpsec-routing-threats-07
Status of this Memo
This document is an Internet-Draft and is subject to all provisions
of section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 25, 2005.
Copyright Notice
Copyright (C) The Internet Society (2004).
Abstract
Routing protocols are subject to attacks that can harm individual
users or network operations as a whole. This document provides a
description and a summary of generic threats that affect routing
protocols in general. This work describes threats, including threat
Barbir, et al. Expires April 25, 2005 [Page 1]
Internet-Draft Generic Threats to Routing Protocols October 2004
sources and capabilities, threat actions, and threat consequences as
well as a breakdown of routing functions that might be separately
attacked.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Routing Functions Overview . . . . . . . . . . . . . . . . . . 4
3. Generic Routing Protocol Threat Model . . . . . . . . . . . . 5
3.1 Threat Definitions . . . . . . . . . . . . . . . . . . . . 5
3.1.1 Threat Sources . . . . . . . . . . . . . . . . . . . . 5
3.1.2 Threat Consequences . . . . . . . . . . . . . . . . . 8
4. Generally Identifiable Routing Threat Actions . . . . . . . . 12
4.1 Deliberate Exposure . . . . . . . . . . . . . . . . . . . 12
4.2 Sniffing . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.3 Traffic Analysis . . . . . . . . . . . . . . . . . . . . . 13
4.4 Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.5 Falsification . . . . . . . . . . . . . . . . . . . . . . 14
4.5.1 Falsifications by Originators . . . . . . . . . . . . 14
4.5.2 Falsifications by Forwarders . . . . . . . . . . . . . 17
4.6 Interference . . . . . . . . . . . . . . . . . . . . . . . 18
4.7 Overload . . . . . . . . . . . . . . . . . . . . . . . . . 18
5. Security Considerations . . . . . . . . . . . . . . . . . . . 19
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
7.1 Normative References . . . . . . . . . . . . . . . . . . . . 21
7.2 Informative References . . . . . . . . . . . . . . . . . . . 21
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 21
A. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 23
B. Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Intellectual Property and Copyright Statements . . . . . . . . 25
Barbir, et al. Expires April 25, 2005 [Page 2]
Internet-Draft Generic Threats to Routing Protocols October 2004
1. Introduction
Routing protocols are subject to threats and attacks that can harm
individual users or the network operations as a whole. The document
provides a summary of generic threats that affect routing protocols.
In particular, this work identifies generic threats to routing
protocols that include threat sources, threat actions, and threat
consequences. A breakdown of routing functions that might be
separately attacked is provided.
This work should be considered as a precursor to developing a common
set of security requirements for routing protocols. While it is well
known that bad, incomplete, or poor implementations of routing
protocols may, in themselves, lead to routing problems or failures,
or may increase the risk of a network being attacked successfully,
these issues are not considered here. This document only considers
attacks against robust, well considered implementations of routing
protocols, such as are specified in OSPF [4], IS-IS [5], RIP [6] and
BGP [7]. Attacks against implementation specific weaknesses and
vulnerabilities are out of scope for this document.
The document is organized as follows: Section 2 provides a review of
routing functions. Section 3 defines threats. In section 4, a
discussion on generally identifiable routing threat actions is
provided. Section 5 addresses security considerations. Section 6
addresses IANA considerations.
Barbir, et al. Expires April 25, 2005 [Page 3]
Internet-Draft Generic Threats to Routing Protocols October 2004
2. Routing Functions Overview
This section provides an overview of common functions that are shared
among various routing protocols. In general, routing protocols share
the following functions:
o Transport Subsystem: The routing protocol transmits messages to
its neighbors using some underlying protocol. For example, OSPF
uses IP, while other protocols may run over TCP.
o Neighbor State Maintenance: Neighboring relationship formation is
the first step for topology determination. For this reason,
routing protocols may need to maintain state information. Each
routing protocol may use a different mechanism for determining its
neighbors in the routing topology. Some protocols have distinct
exchanges through which they establish neighboring relationships,
e.g., Hello exchanges in OSPF.
o Database Maintenance: Routing protocols exchange network topology
and reachability information. The routers collect this
information in routing databases with varying detail. The
maintenance of these databases is a significant portion of the
function of a routing protocol.
In a routing protocol there are message exchanges that are intended
for the control of the state of the protocol. For example, neighbor
maintenance messages carry such information. On the other hand,
there are messages that are used to exchange information that is
intended to be used in the forwarding function, for example, messages
that are used to maintain the database.. These messages affect the
data (information) part of the routing protocol.
Barbir, et al. Expires April 25, 2005 [Page 4]
Internet-Draft Generic Threats to Routing Protocols October 2004
3. Generic Routing Protocol Threat Model
The model developed in this section can be used to identify threats
to any routing protocol.
Routing protocols are subject to threats at various levels. For
example, threats can affect the transport subsystem, where the
routing protocol can be subject to attacks on its underlying
protocol. An attacker may also attack messages that carry control
information in a routing protocol to break a neighboring (e.g.,
peering, adjacency) relationship. This type of attack can impact the
network routing behavior in the affected routers and likely the
surrounding neighborhood as well. For example, in BGP, if a router
receives a CEASE message, it will break its neighboring relationship
to its peer and potentially send new routing information to any
remaining peers.
An attacker may also attack messages that carry data information in
order to break a database exchange between two routers or to affect
the database maintenance functionality. For example, the information
in the database must be authentic and authorized. An attacker who is
able to introduce bogus data can have a strong effect on the behavior
of routing in the neighborhood. For example, if an OSPF router sends
LSAs with the wrong Advertising Router, the receivers will compute an
SPF tree that is incorrect and might not forward the traffic. If a
BGP router advertises a NLRI that it is not authorized to advertise,
then receivers might forward that NLRI's traffic toward that router
and the traffic would not be deliverable. A PIM router might
transmit a JOIN message to receive multicast data it would otherwise
not receive.
3.1 Threat Definitions
In [1], a threat is defined as a potential for violation of security,
which exists when there is a circumstance, capability, action, or
event that could breach security and cause harm. Threats can be
categorized as threat sources, threat actions, threat consequences,
threat consequence zones, and threat consequence periods.
3.1.1 Threat Sources
In the context of deliberate attack, a threat source is defined as a
motivated, capable adversary. By modeling the motivations (attack
goals) and capabilities of the adversaries who are threat sources,
one can better understand what classes of attacks these threats may
mount and thus what types of countermeasures will be required to deal
with these attacks.
Barbir, et al. Expires April 25, 2005 [Page 5]
Internet-Draft Generic Threats to Routing Protocols October 2004
3.1.1.1 Adversary Motivations
We assume that the most common goal of an adversary deliberately
attacking routing is to cause inter-domain routing to malfunction. A
routing malfunction affects data transmission to result in traffic
following a path (sequence of autonomous systems in the case of BGP)
other than one that would have been computed by the routing protocol
if it were operating properly (i.e., if it were not under attack).
As a result of an attack, a route may terminate at a router other
than the one that legitimately represents the destination address of
the traffic, or it may traverse routers other than those that it
would otherwise have traversed. In either case, a routing
malfunction may allow an adversary to passively wiretap traffic, or
to engage in man-in-the-middle (MITM) active attacks, including
discarding traffic (denial of service).
A routing malfunction might be effected for financial gain related to
traffic volume (vs. related to the content of the routed traffic),
e.g., to affect settlements among ISPs.
Another possible goal for attacks against routing can be damage to
the network infrastructure itself, on a targeted or on a wide scale
basis. Thus, for example, attacks that cause excessive transmission
of UPDATE or other management messages, and attendant router
processing, could be motivated by these goals.
Irrespective of the goals noted above, an adversary may or may not be
averse to detection and identification. This characteristic of an
adversary influences some of the ways in which attacks may be
accomplished.
3.1.1.2 Adversary Capabilities
Different adversaries possess varied capabilities.
o All adversaries are presumed to be capable of directing packets to
routers from remote locations, and can assert a false IP source
address with each packet (IP address spoofing) in an effort to
cause the targeted router to accept and process the packet as
though it emanated from the indicated source. Spoofing attacks
may be employed to trick routers into acting on bogus messages to
effect misrouting, or these messages may be used to overwhelm the
management processor in a router, to effect DoS. Protection from
such adversaries must not rely on the claimed identity in routing
packets that the protocol receives.
o Some adversaries can monitor links over which routing traffic is
carried and thus can emit packets that mimic data contained in
legitimate routing traffic carried over these links and can
actively participate in message exchanges with the legitimate
Barbir, et al. Expires April 25, 2005 [Page 6]
Internet-Draft Generic Threats to Routing Protocols October 2004
routers. This increases the opportunities for an adversary to
generate bogus routing traffic that may be accepted by a router,
to effect misrouting or DoS. Retransmission of previously
delivered management traffic (replay attacks) exemplify this
capability. As a result, protection from such adversaries ought
not rely on the secrecy of unencrypted data in packet headers or
payloads.
o Some adversaries can effect MITM attacks against routing traffic,
e.g., as a result of active wiretapping on a link between two
routers. This represents the ultimate wiretapping capability for
an adversary. Protection from such adversaries must not rely on
the integrity of inter-router links to authenticate traffic,
unless cryptographic measures are employed to detect unauthorized
modification.
o Some adversaries can subvert routers, or the management
workstations used to control these routers. These Byzantine
failures represent the most serious form of attack capability in
that they result in bogus traffic being emitted by legitimate
routers. As a result, protection from such adversaries must not
rely on the correct operation of neighbor routers. Protection
measures should adopt the principle of least privilege, to
minimize the impact of attacks of this sort. To counter Byzantine
attacks, routers ought not trust÷ management traffic (e.g., based
on its source) but rather each router should independently
authenticate management traffic before acting upon it.
We will assume that any cryptographic countermeasures employed to
secure BGP will employ algorithms and modes that are resistant to
attack, even by sophisticated adversaries, thus we will ignore
cryptanalytic attacks.
Deliberate attacks are mimicked by failures that are random and
unintentional. In particular, a Byzantine failure in a router may
occur because the router is faulty in hardware or software or is
misconfigured. As described in [3], "A node with a Byzantine failure
may corrupt messages, forge messages, delay messages, or send
conflicting messages to different nodes". Byzantine routers, whether
faulty, misconfigured or subverted have the context to provide
believable and very damaging bogus routing information. Byzantine
routers may also claim another legitimate peer's identity. Given
their status as peers, they may even elude the authentication
protections, if those protections can only detect that a source is
one of the legitimate peers (e.g., the router uses the same
cryptographic key to authenticate all peers)
We therefore characterize threat sources into two groups:
Barbir, et al. Expires April 25, 2005 [Page 7]
Internet-Draft Generic Threats to Routing Protocols October 2004
outsiders: These attackers may reside anywhere in the Internet, have
the ability to send IP traffic to the router, may be able to
observe the router's replies and may even control the path for a
legitimate peer's traffic. These are not legitimate participants
in the routing protocol.
Byzantine: These attackers are faulty, misconfigured or subverted
routers, i.e., legitimate participants in the routing protocol.
3.1.2 Threat Consequences
A threat consequence is a security violation that results from a
threat action [1]. To a routing protocol, a security violation is a
compromise of some aspect of the correct behavior of the routing
system. The compromise can damage the data traffic intended for a
particular network or host or can damage the operation of the routing
infrastructure of the network as a whole.
There are four types of general threat consequences: disclosure,
deception, disruption, and usurpation [1].
o Disclosure: Disclosure of routing information happens when an
attacker successfully accesses the information without being
authorized. Outsiders who can observe or monitor a link may cause
disclosure, if routing exchanges lack confidentiality. Byzantine
routers can cause disclosure, as long as they are successfully
involved in the routing exchanges. Although inappropriate
disclosure of routing information can pose a security threat or be
part of a later, larger, or higher layer attack, confidentiality
is not generally a design goal of routing protocols.
o Deception: This consequence happens when a legitimate router
receives a forged routing message and believes it to be authentic.
Both outsiders and Byzantine routers can cause this consequence if
the receiving router lacks the ability to check routing message
integrity or origin authentication.
o Disruption: This consequence occurs when a legitimate router's
operation is being interrupted or prevented. Outsiders can cause
this by inserting, corrupting, replaying, delaying, or dropping
routing messages, or breaking routing sessions between legitimate
routers. Byzantine routers can cause this consequence by sending
false routing messages, interfering with normal routing exchanges,
or flooding unnecessary routing protocol messages. (DoS is a
common threat action causing disruption.)
o Usurpation: This consequence happens when an attacker gains
control over the services/functions a legitimate router is
providing to others. Outsiders can cause this by delaying or
dropping routing exchanges, fabricating or replaying routing
information. Byzantine routers can cause this consequence by
sending false routing information or interfering with routing
exchanges.
Barbir, et al. Expires April 25, 2005 [Page 8]
Internet-Draft Generic Threats to Routing Protocols October 2004
Note: an attacker does not have to directly control a router to
control its services. For example, in Figure 1, Network 1 is
dual-homed through Router A and Router B, and Router A is preferred.
However, Router B is compromised and advertises a better metric.
Consequently, devices on the Internet choose the path through Router
B to reach Network 1. In this way, Router B steals the data traffic
and Router A loses its control of the services to Router B. This is
depicted in Figure 1.
+-------------+ +-------+
| Internet |---| Rtr A |
+------+------+ +---+---+
| |
| |
| |
| *-+-*
+-------+ / \
| Rtr B |----------* N 1 *
+-------+ \ /
*---*
Figure 1: Dual-homed Network
Several threat consequences might be caused by a single threat
action. In Figure 1, there exist at least two consequences: routers
using Router B to reach Network 1 are deceived, while Router A is
usurped.
3.1.2.1 Threat Consequence Scope
As mentioned above, an attack might damage the data traffic intended
for a particular network or host or damage the operation of the
routing infrastructure of the network as a whole. Damage that might
result from attacks against the network as a whole may include:
o Network congestion: more data traffic is forwarded through some
portion of the network than would otherwise need to carry the
traffic,
o Blackhole: large amounts of traffic are unnecessarily re-directed
to be forwarded through one router and that router drops
many/most/all packets,
o Looping: data traffic is forwarded along a route that loops, so
that the data is never delivered (resulting in network
congestion),
o Partition: some portion of the network believes that it is
partitioned from the rest of the network when it is not,
Barbir, et al. Expires April 25, 2005 [Page 9]
Internet-Draft Generic Threats to Routing Protocols October 2004
o Churn: the forwarding in the network changes (unnecessarily) at a
rapid pace, resulting in large variations in the data delivery
patterns (and adversely affecting congestion control techniques),
o Instability: the protocol becomes unstable so that convergence on
a global forwarding state is not achieved,
o Overcontrol: the routing protocol messages themselves become a
significant portion of the traffic the network carries, and
o Clog: a router receives an excessive number of routing protocol
messages, causing it to exhaust some resource (e.g., memory, CPU,
battery).
The damage that might result from attacks against a particular host
or network address may include:
o Starvation: data traffic destined for the network or host is
forwarded to a part of the network that cannot deliver it,
o Eavesdrop: data traffic is forwarded through some router or
network that would otherwise not see the traffic, affording an
opportunity to see the data or at least the data delivery pattern,
o Cut: some portion of the network believes that it has no route to
the host or network when it is in fact connected,
o Delay: data traffic destined for the network or host is forwarded
along a route that is in some way inferior to the route it would
otherwise take,
o Looping: data traffic for the network or host is forwarded along a
route that loops, so that the data is never delivered
It is important to consider all consequences, because some security
solutions can protect against one consequence but not against others.
It might be possible to design a security solution that protects
against eavesdropping on one destination's traffic without protecting
against churn in the network. Similarly, it is possible to design a
security solution that prevents a starvation attack against one host,
but not a clogging attack against a router. The security
requirements must be clear as to which consequences are being avoided
and which consequences must be addressed by other means (e.g., by
administrative means outside the protocol).
3.1.2.2 Threat Consequence Zone
A threat consequence zone covers the area within which the network
operations have been affected by threat actions. Possible threat
consequence zones can be classified as: a single link or router,
multiple routers (within a single routing domain), a single routing
domain, multiple routing domains, or the global Internet. The threat
consequence zone varies based on the threat action and the position
of the target of the attack. Similar threat actions that happen at
different locations may result in totally different threat
consequence zones. For example, when an outsider breaks the routing
Barbir, et al. Expires April 25, 2005 [Page 10]
Internet-Draft Generic Threats to Routing Protocols October 2004
session between a distribution router and a stub router, only
reachability to and from the network devices attached to the stub
router will be impaired. In other words, the threat consequence zone
is a single router. In another case, if the outsider is located
between a customer edge router and its corresponding provider edge
router, such an action might cause the whole customer site to lose
its connection. In this case, the threat consequence zone might be a
single routing domain.
3.1.2.3 Threat Consequence Periods
A threat consequence period is defined as the portion of time during
which the network operations are impacted by the threat consequences.
The threat consequence period is influenced by, but not totally
dependent on the duration of the threat action. In some cases, the
network operations will get back to normal as soon as the threat
action has been stopped. In other cases, however, threat
consequences may persist longer than the threat action. For example,
in the original ARPANET link-state algorithm, some errors in a router
introduced three instances of an LSA. All of them flooded throughout
the network continuously, until the entire network was power cycled
[2].
Barbir, et al. Expires April 25, 2005 [Page 11]
Internet-Draft Generic Threats to Routing Protocols October 2004
4. Generally Identifiable Routing Threat Actions
This section addresses generally identifiable and recognized threat
actions against routing protocols. The threat actions are not
necessarily specific to individual protocols but may be present in
one or more of the common routing protocols in use today.
4.1 Deliberate Exposure
Deliberate Exposure occurs when an attacker takes control of a router
and intentionally releases routing information to other entities
(e.g., the attacker, a web page, mail posting, other routers etc. )
that, otherwise, should not receive the exposed information.
The consequence of deliberate exposure is the disclosure of routing
information.
The threat consequence zone of deliberate exposure depends on the
routing information that the attackers have exposed. The more
knowledge they have exposed, the bigger the threat consequence zone.
The threat consequence period of deliberate exposure might be longer
than the duration of the action itself. The routing information
exposed will not be out-dated until there is a topology change of the
exposed network.
4.2 Sniffing
Sniffing is an action whereby attackers monitor and/or record the
routing exchanges between authorized routers to sniff for routing
information. Attackers can also sniff data traffic information
(however, this is out of scope of the current work).
The consequence of sniffing is disclosure of routing information.
The threat consequence zone of sniffing depends on the attacker's
location, the routing protocol type, and the routing information that
has been recorded. For example, if the outsider is sniffing a link
that is in an OSPF totally stubby area, the threat consequence zone
should be limited to the whole area. An attacker that is sniffing a
link in an EBGP session can gain knowledge of multiple routing
domains.
The threat consequence period might be longer than the duration of
the action. If an attacker stops sniffing a link, their acquired
knowledge will not be out-dated until there is a topology change of
the affected network.
Barbir, et al. Expires April 25, 2005 [Page 12]
Internet-Draft Generic Threats to Routing Protocols October 2004
4.3 Traffic Analysis
Traffic analysis is an action whereby attackers gain routing
information by analyzing the characteristics of the data traffic on a
subverted link. Traffic analysis threats can affect any data that is
sent over a communication link. This threat is not peculiar to
routing protocols and is included here for completeness.
The consequence of data traffic analysis is the disclosure of routing
information. For example, the source and destination IP addresses of
the data traffic, and the type, magnitude, and volume of traffic can
be disclosed.
The threat consequence zone of the traffic analysis depends on the
attacker's location and what data traffic has passed through. An
attacker at the network core should be able to gather more
information than its counterpart at the edge and would therefore have
be able to analyze traffic patterns in a wider area.
The threat consequence period might be longer than the duration of
the traffic analysis. After the attacker stops traffic analysis, its
knowledge will not be out-dated until there is a topology change of
the disclosed network.
4.4 Spoofing
Spoofing occurs when an illegitimate device assumes the identity of a
legitimate one. Spoofing in and of itself is often not the true
attack. Spoofing is special in that it can be used to carry out
other threat actions causing other threat consequences. An attacker
can use spoofing as a means for launching other types of attacks.
For example, if an attacker succeeds in spoofing the identity of a
router, the attacker can send out unrealistic routing information
that might cause the disruption of network services.
There are a few cases where spoofing can be an attack in and of
itself. For example, messages from an attacker which spoof the
identity of a legitimate router may cause a neighbor relationship to
form and deny the formation of the relationship with the legitimate
router.
The consequences of spoofing are:
o The disclosure of routing information: The spoofing router will be
able to gain access to the routing information.
o The deception of peer relationship: The authorized routers, which
exchange routing messages with the spoofing router, do not realize
they are neighboring with a router that is faking another router's
identity.
Barbir, et al. Expires April 25, 2005 [Page 13]
Internet-Draft Generic Threats to Routing Protocols October 2004
The threat consequence zone covers:
o The consequence zone of the fake peer relationship will be limited
to those routers trusting the attacker's claimed identity.
o The consequence zone of the disclosed routing information depends
on the attacker's location, the routing protocol type, and the
routing information that has been exchanged between the attacker
and its deceived neighbors.
Note: This section focuses on addressing spoofing as a threat on its
own. However, spoofing creates conditions for other threats. Other
consequences are considered falsifications and are treated in the
next section.
4.5 Falsification
Falsification is an action whereby a router sends false routing
information. To falsify the routing information, an attacker has to
be either the originator or a forwarder of the routing information.
It cannot be a receiver-only. False routing information describes
the network in an unrealistic fashion, whether or not intended by the
authoritative network administrator.
4.5.1 Falsifications by Originators
An originator of routing information can launch the falsifications
that are described in the next sections.
4.5.1.1 Overclaiming
Overclaiming occurs when a Byzantine router or outsider advertises
its control of some network resources, while in reality it does not,
or the advertisement is not authorized. This is given in Figure 2
and Figure 3.
Barbir, et al. Expires April 25, 2005 [Page 14]
Internet-Draft Generic Threats to Routing Protocols October 2004
+-------------+ +-------+ +-------+
| Internet |---| Rtr B |---| Rtr A |
+------+------+ +-------+ +---+---+
| .
| |
| .
| *-+-*
+-------+ / \
| Rtr C |------------------* N 1 *
+-------+ \ /
*---*
Figure 2: Overclaiming-1
+-------------+ +-------+ +-------+
| Internet |---| Rtr B |---| Rtr A |
+------+------+ +-------+ +-------+
|
|
|
| *---*
+-------+ / \
| Rtr C |------------------* N 1 *
+-------+ \ /
*---*
Figure 3: Overclaiming-2
The above figures provide examples of overclaiming. Router A, the
attacker, is connected to the Internet through Router B. Router C is
authorized to advertise its link to Network 1. In Figure 2, Router A
controls a link to Network 1, but is not authorized to advertise it.
In Figure 3, Router A does not control such a link. But in either
case, Router A advertises the link to the Internet, through Router B.
Both Byzantine routers and outsiders can overclaim network resources.
The consequence of overclaiming includes:
o Usurpation of the overclaimed network resources. In Figure 2 and
Figure 3, usurpation of Network 1 can occur when Router B (or
other routers on the Internet, (not shown in the figures))
believes that Router A provides the best path to reach the Network
1. As a result, routers forward data traffic destined to Network
1 to Router A. The best result is that the data traffic uses an
unauthorized path, as in Figure 2. The worst case is that the
Barbir, et al. Expires April 25, 2005 [Page 15]
Internet-Draft Generic Threats to Routing Protocols October 2004
data never reaches the destination Network 1, as in Figure 3. The
ultimate consequence is Router A gaining control over Network 1's
services, by controlling the data traffic.
o Usurpation of the legitimate advertising routers. In Figure 2 and
Figure 3 Router C is the legitimate advertiser of Network 1. By
overclaiming, Router A also controls (partially or totally) the
services/functions provided by the Router C. (This is NOT a
disruption, because Router C is operating in a way intended by the
authoritative network administrator.)
o Deception of other routers. In Figure 2 and Figure 3, Router B,
or other routers on the Internet, might be deceived into believing
the path through Router A is the best.
o Disruption of data planes on some routers. This might happen to
routers that are on the path that is used by other routers to
reach the overclaimed network resources through the attacker. In
Figure 2 and Figure 3, when other routers on the Internet are
deceived, they will forward the data traffic to Router B, which
might be overloaded.
The threat consequence zone varies based on the consequence:
o Where usurpation is concerned, the consequence zone covers the
network resources that are overclaimed by the attacker (Network 1
in Figure 2 and 3), and the routers that are authorized to
advertise the network resources but lose the competition against
the attacker(Router C in Figure 2 and Figure 3).
o Where deception is concerned, the consequence zone covers the
routers that do believe the attacker's advertisement and use the
attacker to reach the claimed networks (Router B and other
deceived routers on the Internet in Figure 2 and Figure 3).
o Where disruption is concerned, the consequence zone includes the
routers that are on the path of misdirected data traffic (Router B
in Figure 2 and Figure 3 and other routers in the Internet on the
path of the misdirected traffic).
The threat consequence will not cease when the attacker stops
overclaiming, and will totally disappear only when the routing tables
are converged. As a result the consequence period is longer than the
duration of the overclaiming.
4.5.1.2 Misclaiming
A misclaiming threat is defined as an action where an attacker is
advertising some network resources that it is authorized to control,
but in a way that is not intended by the authoritative network
administrator. For example, it may be advertising inappropriate link
costs in an OSPF LSA. An attacker can eulogize or disparage when
advertising these network resources. Byzantine routers can misclaim
network resources.
Barbir, et al. Expires April 25, 2005 [Page 16]
Internet-Draft Generic Threats to Routing Protocols October 2004
The threat consequences of misclaiming are similar to the
consequences of overclaiming.
The consequence zone and period are also similar to those of
overclaiming.
4.5.2 Falsifications by Forwarders
In each routing protocol, routers which forward routing protocol
messages are expected to leave some fields unmodified and to modify
other fields in certain circumscribed ways. The fields to be
modified, the possible new contents of those fields and their
computation from the original fields, the fields that must remain
unmodified, etc., are all detailed in the protocol specification.
They may vary depending on the function of the router or its network
environment. For example, in RIP, the forwarder must modify the
routing information by increasing the hop count by 1. On the other
hand, a forwarder must not modify any field of the type 1 LSA in OSPF
except the age field. In general, forwarders in distance vector
routing protocols are authorized to and must modify the routing
information, while most forwarders in link state routing protocols
are not authorized to and must not modify most routing information.
As a forwarder authorized to modify routing messages, an attacker
might also falsify by not forwarding routing information to other
authorized routers as required.
4.5.2.1 Misstatement
This is defined as an action whereby the attacker modifies route
attributes in an incorrect manner. For example, in RIP, the attacker
might increase the path cost by two hops instead of one. In BGP, the
attacker might delete some AS numbers from the AS PATH.
Where forwarding routing information should not be modified, an
attacker can launch the following falsifications:
o Deletion: Attacker deletes valid data in the routing message.
o Insertion: Attacker inserts false data in the routing message.
o Substitution: Attacker replaces valid data in the routing message
with false data.
A forwarder can also falsify data by replaying out-dated data in the
routing message as current data.
All types of attackers, outsiders and Byzantine routers, can falsify
the routing information when they forward the routing messages.
The threat consequences of these falsifications by forwarders are
Barbir, et al. Expires April 25, 2005 [Page 17]
Internet-Draft Generic Threats to Routing Protocols October 2004
similar to those caused by originators: usurpation of some network
resources and related routers; deception of routers using false
paths; and disruption of data planes of routers on the false paths.
The threat consequence zone and period are also similar.
4.6 Interference
Interference is a threat action where an attacker inhibits the
exchanges by legitimate routers. The attacker can do this by adding
noise, by not forwarding packets, by replaying out-dated packets, by
inserting or corrupting messages, by delaying responses, by denial of
receipts, or by breaking synchronization.
Byzantine routers can slow down their routing exchanges or induce
flapping in the routing sessions of legitimate neighboring routers.
The consequence of interference is the disruption of routing
operations.
The consequence zone of interference depends on the severity of the
interference. If the interference results in consequences at the
neighbor maintenance level, then there may be changes in the
database, resulting in consequences network-wide.
The threat consequences might disappear as soon as the interference
is stopped, or might not totally disappear until the networks have
converged. Therefore, the consequence period is equal or longer than
the duration of the interference.
4.7 Overload
Overload is defined as a threat action whereby attackers place excess
burden on legitimate routers. For example, it is possible for an
attacker to trigger a router to create an excessive amount of state
that other routers within the network are not able to handle. In a
similar fashion, it is possible for an attacker to overload database
routing exchanges and thus influence the routing operations.
Barbir, et al. Expires April 25, 2005 [Page 18]
Internet-Draft Generic Threats to Routing Protocols October 2004
5. Security Considerations
This entire document is security related. Specifically the document
addresses security of routing protocols as associated with threats to
those protocols. In a larger context, this work builds upon the
recognition of the IETF community that signaling and
control/management planes of networked devices need strengthening.
Routing protocols can be considered part of that signaling and
control plane. However, to date, routing protocols have largely
remained unprotected and open to malicious attacks. This document
discusses inter- and intra-domain routing protocol threats that are
currently known and lays the foundation for other documents that will
discuss security requirements for routing protocols. This document
is protocol independent.
Barbir, et al. Expires April 25, 2005 [Page 19]
Internet-Draft Generic Threats to Routing Protocols October 2004
6. IANA Considerations
This document has no actions for IANA.
Barbir, et al. Expires April 25, 2005 [Page 20]
Internet-Draft Generic Threats to Routing Protocols October 2004
7. References
7.1 Normative References
[1] Shirey, R, "Internet Security Glossary", RFC 2828 , May 2000.
[2] Rosen, E., "Vulnerabilities of Network Control Protocols: An
Example, Computer Communication Review", , July 1981.
[3] Perlman, R, "Network Layer Protocols with Byzantine Robustness",
, August 1988 .
[4] Moy, J, "OSPF Version 2", RFC 2328, April 1998.
[5] Shen, N. et. al., "Dynamic Hostname Exchange Mechanism for
IS-IS", RFC 2763 , February 2000.
[6] Malkin, G., "RIP Version 2 Protocol Analysis", RFC 1721 ,
November 1994.
7.2 Informative References
[7] Kent, S. et al., "Secure Border Gateway Protocol
(Secure-BGP)", IEEE Journal on Selected Areas in Communications
, April 2000.
Authors' Addresses
Abbie Barbir
Nortel Networks
3500 Carling Avenue
Nepean, Ontario K2H 8E9
Canada
Phone:
EMail: abbieb@nortelnetworks.com
Sandy Murphy
Sparta, Inc.
7075 Samuel Morse Drive
Columbia, MD
USA
Phone: 410-872-1515 x206
EMail: sandy@tislabs.com
Barbir, et al. Expires April 25, 2005 [Page 21]
Internet-Draft Generic Threats to Routing Protocols October 2004
Yi Yang
Cisco Systems
7025 Kit Creek Road
RTP, NC 27709
USA
Phone:
EMail: yiya@cisco.com
Barbir, et al. Expires April 25, 2005 [Page 22]
Internet-Draft Generic Threats to Routing Protocols October 2004
Appendix A. Acknowledgments
This draft would not have been possible save for the excellent
efforts and team work characteristics of those listed here.
o Dennis Beard- Nortel Networks
o Ayman Musharbash - Nortel Networks
o Jean-Jacques Puig, int-evry, France
o Paul Knight - Nortel Networks
o Elwyn Davies - Nortel Networks
o Ameya Dilip Pandit - Graduate student - University of Missouri
o Senthilkumar Ayyasamy - Graduate student - University of Missouri
o Stephen Kent- BBN
o Tim Gage - CISCO
o James Ng - CISCO
o Alvaro Retana - CISCO
Barbir, et al. Expires April 25, 2005 [Page 23]
Internet-Draft Generic Threats to Routing Protocols October 2004
Appendix B. Acronyms
AS - Autonomous system. Set of routers under a single technical
administration. Each AS normally uses a single interior gateway
protocol (IGP) and metrics to propagate routing information within
the set of routers. Also called routing domain.
AS-Path - In BGP, the route to a destination. The path consists of
the AS numbers of all routers a packet must go through to reach a
destination.
BGP - Border Gateway Protocol. Exterior gateway protocol used to
exchange routing information among routers in different autonomous
systems.
LSA - Link-State Announcement
NLRI - Network layer reachability information. Information that is
carried in BGP packets and is used by MBGP.
OSPF - Open Shortest Path First. A link-state IGP that makes routing
decisions based on the shortest-path-first (SPF) algorithm (also
referred to as the Dijkstra algorithm).
Barbir, et al. Expires April 25, 2005 [Page 24]
Internet-Draft Generic Threats to Routing Protocols October 2004
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Barbir, et al. Expires April 25, 2005 [Page 25]