Network Working Group Alex Zinin
Internet Draft Alcatel
Expiration Date: October 2004 May 2004
File name: draft-zinin-rtg-dos-01.txt
Protecting Internet Routing Infrastructure from
Outsider CPU Attacks
draft-zinin-rtg-dos-01.txt
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.
Internet Drafts are working documents of the Internet Engineering
Task Force (IETF), its Areas, and its Working Groups. Note that other
groups may also distribute working documents as Internet Drafts.
Internet Drafts are draft documents valid for a maximum of six
months. Internet Drafts may be updated, replaced, or obsoleted by
other documents at any time. It is not appropriate to use Internet
Drafts as reference material or to cite them other than as a "working
draft" or "work in progress".
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract
The mechanism described in this document helps to secure an Internet
Service Provider's router infrastructure from outsider attacks,
including (but not limited to) Distributed denial of service (DDoS)
attacks based on CPU and/or queue exhaustion (e.g., TCP SYN flooding
and flooding of invalid MD5-signed routing protocol packets.) The
presented approach is based on explicitly marking control packets
from trusted sources by different link-layer encapsulation and does
not require any modifications to user data exchange protocols, ICMP,
routing protocols or changes to existing hardware in routers, which
allows it to be deployed quickly throughout the Internet.
Zinin [Page 1]
INTERNET DRAFT Router DoS protection May 2004
1 Introduction
1.1 Problem Description
The packet authentication mechanisms currently used in Internet
routing protocols [OSPF, TCP-MD5] leave a generic threat open for an
outside attacker--overloading the control CPUs of the routers with
packets that look like they belong to a valid routing protocol
adjacency or a peering session, yet are fake and would be discarded
because of invalid digest value. Because all IP parameters of valid
and faked packets look absolutely identical, it is impossible to
reject faked packets earlier in the process. This leads to
overloading of internal queues allocated for control traffic (routing
and signaling protocols), and hence dropping of legitimate control
packets. This, combined with high CPU utilization, results in
destruction of routing protocol sessions and finally in denial of
service by the network. It is interesting to observe that as security
mechanisms in routing protocols become more sophisticated and
computationally expensive, it becomes easier for an attacker to mount
a CPU-exhaustion-based attack against a router.
Another example of an attack mountable against routers is the simple
SYN-flood attack, which could potentially exhaust the router's CPU.
The in-band nature of IP routing and signaling creates a perfect
environment for an attacker to put the network itself out of service.
The fundamental problems leading to the possibility of a DoS attack
on a router are (a) legitimate and forged packets share resources
inside the router (such as queues) before the authentication check is
performed, and (b) the negative authentication decision is
computationally expensive enough to discourage router vendors from
performing the check at the line rate. In the latter case, it is
important to note that the lack of line-rate processing significantly
increases the router's susceptibility to a distributed DoS attack.
1.2 Existing Approaches and Disadvantages
Potential approaches to the problem known to date include:
1. Adding specialized HW elements to the line-card architecture
that would allow the line cards to identify packets that need
to be authenticated (e.g., OSPF, BGP, RSVP) and perform the
MD5 check at the line rate (before the packets are put in any
queue), as well as identify TCP SYN packets and limit the rate
at which they are sent to the control card.
2. Perform aggressive packet filtering at the edges of the net-
work, on both customer-facing and service provider peering
Zinin [Page 2]
INTERNET DRAFT Router DoS protection May 2004
interfaces to make sure that packets destined for the internal
routers are not received from outside the network.
3. Use a completely separate set of links for control protocols
and customer data, i.e. out-of-band network control.
Below are the disadvantages of these methods (correspondingly):
1. From the service provider's perspective, additional HW
increases the cost of the system and requires upgrades of the
line-cards of all routers in a service provider's network.
From the Internet security perspective, it will take years
before a considerable number of service providers upgrade
their routing infrastructure, and thus before the threat of
DoS attack on the Internet routing system is sufficiently mit-
igated.
2. Many of today's deployed Internet core routers do not have the
ability to perform line-rate access control list (ACL) pro-
cessing at high speeds, which means that the inter-service
provider links will remain insecure. Combined with the fact
that not all service providers filter potentially dangerous
packets on the customer interfaces, this approach has the same
disadvantages from the deployment and Internet security per-
spective as the first approach.
3. While the out-of-band control scheme is extremely interesting,
implementation could require substantial modification to the
routing protocols and complete re-architecting of the service
provider networks. From the architectural point of view, it
would also require a major shift from the assumption that con-
trol-plane connectivity implies connectivity of the data
plane.
The solution described in this document allows service providers to
improve their network without major hardware upgrades , changes to
routing protocols or network architecture, and with limited software
modifications.
2 Solution
2.1 Overview
The proposed mechanism uses the fact that there are only a limited
number of devices in a network that have a legitimate right to send a
packet to a router's control plane. This set of devices includes, of
course, other routers in the service provider's network, and network
operations center (NOC) machines. The rest of the devices in the
Zinin [Page 3]
INTERNET DRAFT Router DoS protection May 2004
Internet, including user hosts, and routers in other service provider
networks should not need to send packets to the routers internal to
the first provider's network..
They key aspect of the proposal is marking of packets from the set of
trusted devices in a way that it would either be impossible to spoof
by an untrusted device or that would ensure that even if an attacker
created such a packet, it would be dropped by the routers already
deployed in the Internet today. One option of such marking described
in this document is using a different protocol ID in the layer-2
frames when sending IPv4 control packets among the routers. We call
this "control IPv4 encapsulation". All Internet routers used today
will drop these packets as unrecognized by default. This step makes
sure that such a packet marking technique can be relied upon.
The next step is a small modification to the router's local IP pro-
cessing and encapsulation logic to allow only control-encapsulated
IPv4 packets to be sent to the control plane along the normal path.
Other packets are considered dangerous and are put on a heavily rate-
limited queue. This ensures that outsider attacks do not exhaust
resources used for communication with trusted devices. Note that the
encapsulation check has O(1) complexity, and can easily be performed
at line rate even in legacy routers without major HW or SW modifica-
tions. One of the many advantages of this approach is in the fact
that no additional packet filtering at the customer or peering inter-
faces is requires by the service provider, since user data packets
always enter the network as dangerous.
Note that the proposed mechanism does not require modification or
affect existing Internet user data or network troubleshooting proto-
cols--ICMP will still work they way it works today, so ping, tracer-
oute, TCP path MTU discovery, remain functional. The reason for this
is the fact that the proposal only helps routers quickly classify
packets as trusted and untrusted, but does not require untrusted
packets (e.g., ICMP) to be dropped. Of course, if a router already
has a capability to identify ICMP packets and put them on a separate
queue, the service provider may decide to configure the router to
drop all untrusted packets except for ICMP.
It should also be noted, that this proposal is not an attempt to pro-
tect from compromised trusted routers or insider attacks, neither it
is an attemp to substitute existing security mechanisms in routing
protocols. Instead it helps to protect the routers from outsider
(user-level) attacks, such as distributed DoS attacks based on infec-
tion of untrusted devices (Internet-connected hosts) with computer
viruses turning them into traffic generators targeted against Inter-
net routers, which is considered to be a bigger threat today. In the
situation where a trusted router is compromised, the mechanism still
Zinin [Page 4]
INTERNET DRAFT Router DoS protection May 2004
offers additional security by limiting the potential affect of the
attack to the boundaries of the trust domain the compromised router
participates in through the notion of interface groups. Routers
implementing this mechanism and not participating in that domain will
not be susceptible to the attack.
Finally, the mechanism allows for gradual deployment across the
Internet without a flag day and incremental security gain as it is
deployed wider.
2.2 Separating Data and Control Encapsulation
As discussed before, the packet marking technique needs to have the
property of default invalidity in order to make sure that no data
flowing on the Internet today is considered trusted and is accepted
into a service provider's network with such marking if an attacker
tried to spoof a packet. Using techniques like DSCP-code marking or
IP options does not satisfy this requirement, as it would call for
filtering at every customer-facing router in the Internet to make
sure that no user data packet is injected with this reserved DSCP
value. This is the reason why the author has chosen to use a layer-2
encapsulation technique to achieve this--frames carrying unknown pro-
tocols are dropped by todays deployed routers.
This document describes two possible methods for a different layer-2
encapsulation--a separate protocol ID, and a link-local MPLS label.
Each has its own advantages and disadvantages discussed below .
Option 1: New Protocol ID
As a protocol ID value is defined for IPv4 and IPv6 for each used
media type today (such as Ether_type code), it would be possible to
define IPv4-control and IPv6-control protocol IDs.
The advantage of this method is an implicit 100% guarantee that if
the protocol ID is selected from an unused space, the packets will
be unrecognized. This approach also seems like the "clean" way of
doing this.
The disadvantage of this approach is that the control encapsulation
protocol ID will need to be defined for each media type used today,
which may take a while. Another disadvantage is that in case of an
MPLS network, a control packet maybe put on an LSP together with
data packets, so the receiving router wouldn't be able to tell the
difference. Getting around this problem may require maintaining two
sets of next-hops per route in the data path. See Option 3 below,
however.
Zinin [Page 5]
INTERNET DRAFT Router DoS protection May 2004
Option 2: Link-local MPLS Label
This method is more of a hack and relies on the fact that MPLS
encapsulation is either defined for or mapped to most of today's
used media types. It should be possible to reserve a single label
value (or 2 if a separate one for IPv6 is deemed necessary) from
the "reserved" range (values 4-15 defined by [MPLS-STACK]), declare
it to be link-local, disallow this value from being used for tran-
sit MPLS LSPs, and use this as the control encapsulation. Note that
since the label would only have significance on the local link, it
can be reused on all links. Control messages used for signaling of
transit label switched paths (LSPs) can be safely put on top of
this label, as there are no order of origin dependencies. Routers
that do not support MPLS would not need to have any MPLS code added
and could just treat this as a special sequence of octects in the
link frame that identifies control encapsulation.
When a control packet for a multi-hop routing session (iBGP or OSPF
virtual link) is put on an LSP, an extra label with the reserved
value would be added on top of the label stack thus identifying the
control packet.
Because service providers generally do not support MPLS on their
customer interfaces, and because the label value would be taken
from the reserved space, it would be impossible for an Internet
user to spoof a control packet using existing Internet infrastruc-
ture.
The advantage of this approach is that only a single value for the
label would need to be reserved.
The disadvantages are that more modifications of the router
microcode are necessary.
Option 3: Combined
It is possible to use the new protocol ID whenever a control packet
is not MPLS-encapsulated, and use an extra reserved label whenever
it is put on an LSP. See section XXX for more information on sup-
port of MPLS networks.
Control-plane software is then modified to make sure that all
locally-originated packets that are relevant within the service
provider's network only (such as routing protocols, MPLS signaling,
telnet, ssh, SNMP, etc.) are control-encapsulated when the outbound
interface is configured as such. Control packets that need to be
received by the users (ICMP) are either encapsulated as before (data
encapsulation) or also as control. In the latter case, they will be
Zinin [Page 6]
INTERNET DRAFT Router DoS protection May 2004
data-encapsulated as soon as they leave the trust domain of the ser-
vice provider.
2.3 Interface Groups
When deploying this mechanism, the service provider will need to
identify a group of interfaces where the control encapsulation should
or should not be used. There will most probably be a group of inter-
faces used for the backbone connection, and another group used for
customer connections and peering with other service providers.
The described mechanism uses the notion of an "interface group".
There is practically no complexity associated with an interface
group--each interface has an interface-group attribute associated
with it. Two interfaces are considered to be in one interface group
if their interface-group attributes are equal. The service provider
is expected to configure the interface group attributes of the inter-
faces to match the trust communities, as in the following example.
Backbone interfaces, interfaces to customer A, interfaces to customer
B, interfaces to service provider X, and interfaces to service
provider Y, would all be put in separate interface-groups: "back-
bone", "cust-A", "cust-B", "peer-X", "peer-Y", correspondingly.
As we will see further in the document, when a control-encapsulated
packet is forwarded across an interface-group boundary, it become
data-encapsulated (untrusted). This is to ensure that if, for exam-
ple, two service providers are using control encapsulation for their
eBGP session, or if an eBGP session between a service provider and a
customer is control-encapsulated, forged packets originated by a
potentially compromised BGP peer and destined inside of the service
provider's network are not considered trusted beyond the border
router. In other words, we trust control traffic from a customer or
another service provider only as far as it needs to go and no fur-
ther. Again, once a control-encapsulated packet crosses an interface-
group boundary, its encapsulation is changed to data and it will be
considered as untrusted by all other routers.
2.4 Modified Local Processing and Packet Encapsulation Procedures
The following new interface parameters used by the modified algo-
rithms are introduced.
InterfaceGroup:
the ID of the group the interface belongs to
IpCtlSendEncap:
defines which encapsulation should be used on the interface to
send control packets originated locally by the router or
Zinin [Page 7]
INTERNET DRAFT Router DoS protection May 2004
received as control-encapsulated on another interface. Possi-
ble values: Data, and Control. Default: Data.
IpCtlRcvEncap:
defines the type of encapsulation that needs to be used in
order for the received packet to be allowed for local process-
ing by the RP as trusted. Values: Data, Control, Both .
Default: Data.
The router's behavior is modified as follows.
1. A packet addressed to the router itself is considered trusted
and is allowed to be locally processed (queued to the control
card) if IpCtlRcvEncap of the receiving interface is set to
Both, or matches the encapsulation that was used to send the
received packet. Otherwise, the packet is put on a "slow"
queue (or dropped if the router has the capability to recog-
nize ICMP packets and still allow them to be processed in a
rate-limited fashion).
2. The router uses Control encapsulation for an outgoing packet
if IpCtlSndEncap of the outbound interface is Control AND the
packet:
a) Has been locally originated by the router itself, OR
b) Has been received in Control encapsulation AND Interface-
Group parameters of the inbound and outbound interfaces
are the same (the packet is not leaving its trust
domain.)
Otherwise, (the packet is untrusted or is leaving its trust
domain by crossing the interface-group boundary), Data encap-
sulation is used.
2.5 NOC Support and "Trusted" Interfaces
Hosts on the NOC segments of the service provider's network are an
example of trusted devices that are not routers. However, unlike
routers, it is unrealistic to expect hosts within the NOC segment to
exchange packets using Control encapsulation, as this would require
modification to many operating systems. Another specific of a NOC
segment is the fact that it majority of cases, it will need to be
able to communicate with the rest of the service provider's network
using both Data and Control encapsulated packets. The following is an
explanation why.
It is already a common practice to allow incoming telnet, ssh, and
Zinin [Page 8]
INTERNET DRAFT Router DoS protection May 2004
snmp packets to routers only if they were originated within a NOC
segment (this is usually done by configuring CLI and SNMP-specific
filters by access control lists), however, the network administrators
are rarely physically located on the NOC premises-many of them work
from home and are often mobile. This is why management access to the
routers usually requires establishing a secure shell (SSH) session to
a server in the NOC, and then from there another SSH session to a
router. Of course, the SSH server is usually behind a firewall (let's
call it FW1). In our case, this would be a firewall that communicates
Data packets with the rest of the service provider's network.
Since all telnet, ssh, snmp, etc. packets going from the NOC segment
to the routers in the network need to appear in Control encapsula-
tion, regular data packets exchanged on the NOC segment at some point
need to be sent out as Control encapsulated packets. This, of course,
introduces a potential security threat (if the hosts on the NOC seg-
ment were used to attack the routers, all forged packets would be
considered by routers as trusted.) However, it is much less expensive
for a service provider to protect its routers from its own NOC seg-
ments by installing a firewall (let's call it FW2) that will make
sure that only valid packets are sent out as control to the routers
in the network.
Note that FW1 and FW2 are only functionally separate, but may physi-
cally be the same device.
There are potentially two ways how NOC data packets can be injected
as Control into the network: a) FW2's network-facing interface sup-
ports Control encapsulation, and b) FW2 has no support of Control
encapsulation, but the first-hop router it is connected to performs
the "translation". The former case is the most secure, while the lat-
ter is the most probable, at least in the beginning. Below is how the
router performs the translation function.
The notion of a "trusted interface" is defined by introducing the
following parameter:
IpTrustedInterface: When True, identifies a trusted interface. It is
expected that only very few interfaces in the service provider's net-
work will be configured as Trusted (for example, interfaces connect-
ing a NOC segment to the rest of the network through a firewall.)
Possible values: True, and False. Default: False.
The router's behavior is further modified to accommodate the notion
of trusted interface as follows:
1. A packet received on a Trusted interface in any encapsulation
is treated as if it was received in Control encapsulation
Zinin [Page 9]
INTERNET DRAFT Router DoS protection May 2004
(i.e., is allowed to be locally processed and is sent out
using Control encapsulation as long as it stays within the
same interface group).
2. All packets (trusted and untrusted) sent out of a Trusted
interface are Data-encapsulated.
DISCUSSION: we may want to allow only trusted packets to be sent on a
Trusted interface towards NOC. This will make the job of FW2 much
easier, but will cut off ICMP messages coming from outside the net-
work or from a different trust domain if the service provider has
many.
2.6 ICMP, Ping, and Traceroute
ICMP needs special attention, because its scope of validity is not so
well contained as for routing and signaling protocols. Let's consider
how this proposals handles ICMP by looking at the following generic
combinations for ICMP messages:
1. Originated by and addressed to devices within the same trust
domain, for example, an ICMP "Echo Request" message originated
by a NOC host and received by a router. Same for an ICMP "Echo
Reply". All ICMP messages will be considered trusted. No
issues here.
2. Originated by a trusted device (router), addressed to an
untrusted one (a ICMP "Destination Unreachable" to an Inter-
net-connected host, for example). The router will inject the
packet using Control encapsulation, however, as the packet
leaves the service provider's network, it will be sent out
using Data encapsulation (see step 2 in the modified router
algorithm), as expected by the receiver.
3. Originated by an untrusted host, addressed to a service
provider's router. The router will put the packet on the
'untrusted' queue, and it will be processed.
4. Originated by and addressed to an untrusted host. The message
will enter and leave the network as untrusted data without
touching any router's control plane.
Traceroute from the outside world does not present any problem,
because Control-encapsulated ICMP messages sent back to the probing
host will be automatically converted to Data as they leave the trust
domain.
Traceroute within the network (e.g., from NOC or a router) is not a
Zinin [Page 10]
INTERNET DRAFT Router DoS protection May 2004
problem because the messages are exchanged in Control encapsulation.
If traceroute crosses multiple trust domains or goes outside the ser-
vice provider's network, ICMP messages will come back as Data and
will go through a FW to NOC or may be received through the slow queue
by the router (if traceroute is originated by the router.)
2.6 Routing Protocols
One of the advantages of the described mechanism is that no modifica-
tion of existing routing protocols is required. Routing protocols
still work over IPv4, the only difference is actual layer-2 encapsu-
lation of those packets, which is (in the simplest case) Control for
all packets originated by a router.
The routing paradigm remains the same--the messages are sent inbound
across the same physical links as data packets. Control and data are
only virtually separated, just enough to make a decision on whether a
packet should be considered from a trusted source or not.
Because the IS-IS routing protocol encapsulates its PDUs in L2
frames, as opposed to IP packets, it is not susceptible to the out-
sider attacks, and hence no modification to IS-IS encapsulation is
required. If IS-IS-in-IP is used, the routers need to make sure that
the IP packets is Control-encapsulated. Note that the fact the IS-IS
routing protocol is not susceptible to outsider attacks does not mean
that ISP running IS-IS should not be worried about those attacks.
There's a whole set of potential CPU-based attacks which an outsider
could mount, and this set is constantly growing.
2.7 Multicast
There are two aspects of IP mutlicast we're interested in from the
routing security point of view: routing protocols, and (S,G) state.
From the routing protocols perspective, service provider's routers
are protected by the presented mechanism as with unicast.
The link between data and control plane required to maintain the
(S,G) state is part of the multicast architecture and may be consid-
ered by some as an issue (it is definitely safer to decouple control
and data planes of the network as much as possible). Presented secu-
rity mechanism does not affect it in anyway. The service provider
will have to make an informed decision whether to deploy multicast in
its network or not keeping in mind the possibility of some router
implementations not being able to keep up with large amounts of (S,G)
state.
Zinin [Page 11]
INTERNET DRAFT Router DoS protection May 2004
2.8 MPLS Networks
When the mechanism is deployed in an MPLS network, it is possible for
any IP packet (including a control one) that is sent over multiple
hops to be put on an LSP due to an LSR using either LDP-derived FECs
or IGP-shortcut FECs. Because layer-2 encapsulation is not preserved
when an IP packet is put on an LSP, it will be impossible for the
receiving router to tell the difference between data and control
packets if just a different link-layer protocol ID was used to mark
trusted packets.
To solve this problem, the LSR putting the control packet on an LSP,
adds an extra inner label with the reserved value described before to
the label stack.
If penultimate hop popping (PHP) is used in the network, the tail-end
LSR may not even notice the fact that the packet has traveled on a
LSP if the MPLS-label approach is used for encapsulation, because the
LSR will receive the packet with only one--reserved--label.
If the PHP mechanism is not used, the receiving LSR, after popping
the outer label, will need to recognize the reserved value of the
inner label and treat the packet as Control-encapsulated.
3 Deployment Considerations
The following subsections discuss how the described mechanism would
be deployed in a service provider's network. Note that we consider
the final setup, after all transitional steps. The transition scenar-
ios are described in a separate subsection
3.1 Backbone-only Routers
Routers where all interfaces are connected to internal links will
most often have all of them configured to be in the same interface
group. It is possible of course, to have multiple Control trust
domains within a single service provider's network if for example,
BGP AS confederations are used. In this case, each member-AS would be
a separate trust domain and some BGP speakers would have more than
one interface group. One consideration related to running a network
with multiple trust domains is the fact that control message that are
not naturally scoped to a single trust domain (such as ICMP) will be
encapsulated as Data once they leave the trust domain they have been
originated in. This means that Control encapsulation-aware firewalls
connecting the NOC segment need to also receive and process Data-
encapsulated ICMP.
Receiving and sending encapsulation of control packets would be set
Zinin [Page 12]
INTERNET DRAFT Router DoS protection May 2004
to Control on all interfaces.
3.2 Customer-facing Routers
Customer facing routers will have more than one interface group.
One group will be configured for all backbone links. In this group
receive and send encapsulation will be configured as Control.
For each customer, all interfaces providing connections to it will be
configured as a separate interface group. The type of encapsulation
is expected to be Data for a long time, before customer routers start
supporting Control encapsulation. With Data encapsulation, the router
is allowed to send Data-encapsulated control packets to the control
plane CPU. Other packets, supposedly both valid data and potentially
forged packets, are forwarded onwards to the network using Data
encapsulation, so other routers in the network won't allow these
packets to the control plane in case of an attack.
When Control encapsulation is supported by the customer routers, the
service provider will configure send and receive control packet
encapsulation on those links to be Control. This will prevent DoS
attacks on the customer-facing router on those links.
3.3 Peer-facing Routers
Peer-facing routers will be configured similar to the customer-facing
routers. If the peering routers do not support Control encapsulation,
the routers are configured to allow Data-encapsulated packets to be
received by the control CPU. Potential attacks against the border
router could be prevented by the BGP TTL hack (though implementing
Control encapsulation seems easier.) service provider's internal
routers will not be susceptible to the attacks originated in other
service providers, because forged packets will be sent as Data and
won't be allowed to the routers' control plane CPUs. When Control
encapsulation is supported, the border router will be protected from
the DoS attack on the links to those service providers supporting
this technique.
An important point to keep in mind here is the fact that trust
domains of the service providers are not merged when they peer with
each other. Links used to peer with other service providers are put
in a separate interface group from the backbone interface group. This
means that even if routers of another service provider are compro-
mised and forged packets are sent as Control to us, they would first
be translated to Data encapsulation by that service provider's border
router, but even if they are not for some reason (or if the service
provider's border router is compromised), our border router will
Zinin [Page 13]
INTERNET DRAFT Router DoS protection May 2004
"translate" any forged control packets into Data as they cross the
boundary between the peering and the backbone interface group.
3.4 Internet Exchgange Points and Help from LAN Switches
In the case where a LAN segment is used to connect devices under dif-
ferent administrative control (as in the case of an Internet Exchange
point, for example), it is possible that some connected devices may
not be trusted enough for others to agree to receive control-encapsu-
lated packets from them. In order to avoid line-rate source-based
filtering, LAN switches may be equipped with a small bit of addi-
tional functionality controlling whether inbound control-encapsulated
packets are allowed on a specific port. Because this check is done on
a per-port basis and the switch does not need to look further than
the layer-2 frame, this check can easily be performed at the line
rate without performance degradation. The LAN switch administrator
would then have to ensure that control frames are allowed only from
trusted devices.
From the security perspective this essentially means that the service
provider, normally only marginally trusting its IX peers, would need
to trust the IX administrator's decision on whether the remote device
is trusted or not, in other words, when a service provider agrees to
accept control frames on an IX-connected interface, it essentially
agrees to trust the security of that IX. However, though this means
that IX-connected routers are less secure from each other, even if a
trusted IX router is compromised, the effect of the attack is limited
to the border router by the notion of the interface groups. Besides,
IX-connected routers still have the same level of security against
user-level attacks, which is thought of as a bigger threat than an
attack from a compromised or untrusted IX-connected device.
3.5 NOC
As describe before, NOC segments can be connected to a service
provider's network either through a Control-encapsulation-aware FW,
or through a regular FW connected to a router implementing Trusted
interfaces.
3.5 Transition Scenarios
To be completed.
Note that no flag day is required and gradual deployment gives incre-
mental security increase.
4 Security Considerations
Zinin [Page 14]
INTERNET DRAFT Router DoS protection May 2004
The described proposal does not claim to provide complete protection
of routers against all types of attacks. Instead, it raises the bar
by attempting to prevent attacks mounted by outsiders that have no
access to the SP's network except for basic IP connectivity. These
types of attacks are considered to be the immediate threat on the
Internet routing system and the proposal attempts to protect against
it without requiring expensive hardware upgrades. By virtually sepa-
rating control and data packets, the level of security in IP networks
is raised to the one normally found in ATM or Frame Relay networks,
where routing and signaling are virtually out-of-band. This level of
security is considered by many to be just enough to feel comfortable.
Insider attacks, based on the physical access to the SP's equipment
or on compromising a trusted device (such as a router or a NOC-
attached host) are not prevented by this mechanism.
The described proposal relies on the notion of a trust domain, which
implies that if a router is configured to accept Control-encapsulated
packets on an interface, the administrator administrator has full
control of the devices attached to the segment and capable of sending
Control-encapsulated packets (in reality, any connected device should
be assumed to be capable of doing so), and those devices are autho-
rized to send them. In other words, physical security needs to be
insured by the SP. This practically means that no devices that with
high probability can be compromised by an outside attacker (such as
servers, or hosts) should be allowed on the segments used for router
connections. Point-to-point links used between routers encourage this
requirement by their very nature, while LAN segments require more
attention to ensure no unauthorized devices have access to them.
Fortunately, this is already the best current practice that the ser-
vice providers follow. In the situations where a device connected to
an otherwise trusted segment is considered to be highly susceptible
to being compromised, some help from the LAN switch used to implement
the segment is required. See Section XXX for more information.
Finally, because the described mechanism does not prevent from
insider attacks, it should not be considered as a substitute for
existing or future authentication mechanisms in routing protocols or
other security measures used in the service provider networks (e.g.,
SSH). Instead, they should be considered complimentary to each other
and used together. In fact, the more elaborate and computationally
expensive routing protocol-specific mechanisms become, the easier it
will be for an outside attacker to bring a router to its knees, and
the more important it will be to separate control and data encapsula-
tion in the Internet.
4. Intellectual Property Considerations
Zinin [Page 15]
INTERNET DRAFT Router DoS protection May 2004
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to per-
tain to the implementation or use of the technology described in this
document or the extent to which any license under such rights might
or might not be available; neither does it represent that it has made
any effort to identify any such rights. Information on the IETF's
procedures with respect to rights in standards-track and standards-
related documentation can be found in BCP-11. Copies of claims of
rights made available for publication and any assurances of licenses
to be made available, or the result of an attempt made to obtain a
general license or permission for the use of such proprietary rights
by implementors or users of this specification can be obtained from
the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
The IETF has been notified of intellectual property rights claimed in
regard to some or all of the specification contained in this docu-
ment. For more information consult the online list of claimed
rights.
5. Acknowledgements
Thanks to Ben Crosby, Steve Buchko, Randy Bush, John Heasley, Radia
Perlman, and Tony Li for an early review of this work.
6. References
[OSPF] J. Moy. OSPF version 2. Technical Report RFC 2328, Internet
Engineering Task Force, 1998.
[TCP-MD5] A. Hefferman. Protection of BGP Sessions via the TCP MD5
Signature Option. RFC 2385. 1998.
[MPLS-STACK] RFC 3032. MPLS Label Stack Encoding.
7. Authors' Addresses
Alex Zinin
Alcatel
E-mail: zinin@psg.com
Zinin [Page 16]
INTERNET DRAFT Router DoS protection May 2004
Full Copyright Statement
Copyright (C) The Internet Society (date). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implmentation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of developing
Internet standards in which case the procedures for copyrights defined
in the Internet Standards process must be followed, or as required to
translate it into languages other than English.
The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns. This
document and the information contained herein is provided on an "AS
IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK
FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL
NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY
OR FITNESS FOR A PARTICULAR PURPOSE.
Zinin [Page 17]