Threat Model for BGP Path Security
RFC 7132
Internet Engineering Task Force (IETF)
Request for Comments: 7132
Category: Informational
ISSN: 2070-1721
Authors: S. Kent (BBN), A. Chi (UNC-CH)
February 2014
Abstract
This document describes a threat model for the context in which
External Border Gateway Protocol (EBGP) path security mechanisms will
be developed. The threat model includes an analysis of the Resource
Public Key Infrastructure (RPKI) and focuses on the ability of an
Autonomous System (AS) to verify the authenticity of the AS path info
received in a BGP update. We use the term "PATHSEC" to refer to any
BGP path security technology that makes use of the RPKI. PATHSEC
will secure BGP, consistent with the inter-AS security focus of the
RPKI.
The document characterizes classes of potential adversaries that are
considered to be threats and examines classes of attacks that might
be launched against PATHSEC. It does not revisit attacks against
unprotected BGP, as that topic has already been addressed in the
BGP-4 standard. It concludes with a brief discussion of residual
vulnerabilities.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7132.
Kent & Chi Informational [Page 1]
RFC 7132 Threat Model for BGP Path Security February 2014
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction
2. Terminology
3. Threat Characterization
4. Attack Characterization
4.1. Active Wiretapping of Sessions between Routers
4.2. Attacks on a BGP Router
4.3. Attacks on Network Operator Management Computers (Non-CA Computers)
4.4. Attacks on a Repository Publication Point
4.5. Attacks on an RPKI CA
5. Residual Vulnerabilities
6. Security Considerations
7. Acknowledgements
8. Informative References
1. Introduction
This document describes the security context in which PATHSEC is
intended to operate. The term "PATHSEC" (for path security) refers
to any design used to preserve the integrity and authenticity of the
AS_PATH attribute carried in a BGP update message [RFC4271]. The
security context used throughout this document is established by the
Secure Inter-Domain Routing (SIDR) working group charter [SIDR-CH].
The charter requires that solutions that afford PATHSEC make use of
the Resource Public Key Infrastructure (RPKI) [RFC6480]. It also
calls for protecting only the information required to verify that a
received route traversed the Autonomous Systems (ASes) in question,
and that the Network Layer Reachability Information (NLRI) in the
route is what was advertised.
Thus, the goal of PATHSEC is to enable a BGP speaker to verify that