Threat Model for BGP Path Security
RFC 7132

Internet Engineering Task Force (IETF)                           S. Kent
Request for Comments: 7132                                           BBN
Category: Informational                                           A. Chi
ISSN: 2070-1721                                                   UNC-CH
                                                           February 2014

                   Threat Model for BGP Path Security

Abstract

   This document describes a threat model for the context in which
   External Border Gateway Protocol (EBGP) path security mechanisms will
   be developed.  The threat model includes an analysis of the Resource
   Public Key Infrastructure (RPKI) and focuses on the ability of an
   Autonomous System (AS) to verify the authenticity of the AS path info
   received in a BGP update.  We use the term "PATHSEC" to refer to any
   BGP path security technology that makes use of the RPKI.  PATHSEC
   will secure BGP, consistent with the inter-AS security focus of the
   RPKI.

   The document characterizes classes of potential adversaries that are
   considered to be threats and examines classes of attacks that might
   be launched against PATHSEC.  It does not revisit attacks against
   unprotected BGP, as that topic has already been addressed in the
   BGP-4 standard.  It concludes with a brief discussion of residual
   vulnerabilities.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7132.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Threat Characterization
   4.  Attack Characterization
     4.1.  Active Wiretapping of Sessions between Routers
     4.2.  Attacks on a BGP Router
     4.3.  Attacks on Network Operator Management Computers (Non-CA
           Computers)
     4.4.  Attacks on a Repository Publication Point
     4.5.  Attacks on an RPKI CA
   5.  Residual Vulnerabilities
   6.  Security Considerations
   7.  Acknowledgements
   8.  Informative References

1.  Introduction

   This document describes the security context in which PATHSEC is
   intended to operate.  The term "PATHSEC" (for path security) refers
   to any design used to preserve the integrity and authenticity of the
   AS_PATH attribute carried in a BGP update message [RFC4271].  The
   security context used throughout this document is established by the
   Secure Inter-Domain Routing (SIDR) working group charter [SIDR-CH].
   The charter requires that solutions that afford PATHSEC make use of
   the Resource Public Key Infrastructure (RPKI) [RFC6480].  It also
   calls for protecting only the information required to verify that a
   received route traversed the Autonomous Systems (ASes) in question,
   and that the Network Layer Reachability Information (NLRI) in the
   route is what was advertised.
