Network Working Group D. Beard Internet Draft Nortel Networks draft-beard-rpsec-routing-threats-00.txt Y. Yang Category: Informational Cisco Systems Expires: April 2002 October 2002 Known Threats to Routing Protocols Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http:// www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on March 4, 2003. Copyright Notice Copyright (C) The Internet Society (2002). All Rights Reserved. Abstract This draft provides a summary of known threats to routing protocols. ------------------------------------------------------------------ Beard/Yang Known Threats to Routing Protocols [Page 1] Internet Draft draft-beard-rpsec-routing-threats-00.txt October 2002 Table of Contents 1.0 INTRODUCTION ......................................2 2.0 THREAT CATEGORY .................................3 2.1 THREAT SOURCES .................................3 2.2 THREAT ACTIONS .................................3 2.3 THREAT CONSEQUENCE DEFINITIONS.....................3 2.4 THREAT CONSEQUENCE ZONES ..........................4 2.5 THREAT CONSEQUENCE PERIODS ........................5 3.0 GENERALLY IDENTIFIABLE ROUTING THREATS ............5 3.1 DELIBERATE EXPOSURE ...............................5 3.2 SNIFFING ..........................................6 3.3 TRAFFIC ANALYSIS ..................................6 3.4 SPOOF .............................................7 3.5 FALSIFICATION......................................8 3.5.1 Falsifications by Originators .................8 3.5.1.1 Overclaiming ..............................8 3.5.1.2 Underclaiming ............................10 3.5.1.3 Misclaiming ..............................12 3.5.2 Falsifications by Forwarders .................13 3.6 INTERFERENCE .....................................14 3.7 OVERLOAD .........................................14 4.0 SPECIFIC THREAT TYPES ............................15 4.1 IMPERSONATION AND INTRUSION DETECTION ............15 4.2 BYZANTINE FAILURES ...............................16 4.3 DISCARDING OF CONTROL PACKETS ....................16 5.0 SUBVERSION OF CONTROL PLANE THREATS ..............17 5.1 NETWORK MAPPING THREATS ..........................17 5.2 PROMISCUOUS MODE AND NETWORK TOPOLOGY ............18 5.3 INSTABILITY IN UNICAST ROUTING PROTOCOLS .........18 6.0 MULTICAST ROUTING PROTOCOL CONSIDERATION .........18 6.1 CORE AND SOURCE-BASED TREES ......................19 6.2 MULTICAST AND UNICAST THREATS ....................20 7.0 SECURITY CONSIDERATIONS ..........................21 8.0 ACKNOWLEDGEMENTS .................................21 9.0 AUTHOR'S ADDRESS ...........................21 10.0 APPENDIX 1 - REFERENCES ..........................22 1.0 Introduction This draft provides a summary of known threats to routing protocols. This document is organized as follows: Section 2 defines threat categories. Section 3 defines identifiable routing threat actions. Section 4 defines specific threat types. Section 5 defines compromise of the control plane. Section 6 discusses multicast routing protocol considerations. Section 7 discusses security considerations. ------------------------------------------------------------------ Beard/Yang Known Threats to Routing Protocols [Page 2] Internet Draft draft-beard-rpsec-routing-threats-00.txt October 2002 2.0 Threat Category Threat is defined in [SEC-GLOSS] as a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. A threat presents itself when an attacker has the ability to take advantage of an existing security weakness. Threats can be categorized based on various rules, such as threat sources, threat actions, threat consequences, threat consequence zones, and threat consequence periods. 2.1 Threat Sources A threat against routing protocols always sources from a device (router) that is not legitimate. A device (router) is legitimate when it is intended by the authoritative network administrator to participate in the routing dialog and computation, running correct and bug-free code, and using correct and bug-free configuration information [DV-SECURITY]. By correct and bug-free configuration information, we mean the configurations obey routing protocols and are intended by the authoritative network administrator. Threats can be classified into four categories, based on their sources [DV-SECURITY]: 1. Threat from compromised links: A compromised link is where an attacker can, somehow, access a physical medium and/or have some control over the channel. This threat exists when there is no access control mechanisms applied to physical mediums or channels, or such mechanisms can be circumvented. The attacker may eavesdrop, replay, delay, or drop routing messages, or break routing sessions between authorized routers, without participating in the routing exchange. 2. Threats from compromised devices (e.g. routers): A compromised device (router) is an authorized router with routing software bugs, hardware defects, and / or incorrect/unintended configurations. This threat takes place when there are no mechanisms to verify a device's (router) system integrity, i.e. the router is working correctly as been intended by the authoritative network administrator, or such mechanisms can be circumvented. The attacker may inappropriately claim authority for some network resources, or violate routing protocols, such as advertising invalid routing information and etc. 3. Threat from unauthorized devices (routers): An unauthorized device (router) participates in routing exchange and computation, without being authorized (explicitly or implicitly) from the authoritative network administrator. This threat happens when there is no access control mechanism applied to routing sessions/routing exchanges or such mechanism can be circumvented. The attacker may gain knowledge of the network topology through routing exchange, as well as do anything that a compromised router can do. 4. Threat from masquerading devices (routers): A masquerading device (router) illegitimately assumes another router's identity. This threat occurs when there are no (data origin or peer entity) authentication mechanisms, or such mechanisms can be circumvented. The attacker can do anything that an unauthorized router can do. A device (router) can play multiple roles concurrently. A legitimate OSPF router might be a masquerading RIP router, and a compromised iBGP link might be a compromised OSPF router as well. 2.2 Threat Actions A threat action is an assault on system security [SEC-GLOSS], which could be an intentional behaviour, or an accidental event. 2.3 Threat Consequence Definitions A threat consequence is A security violation that results from a threat action [SEC-GLOSS]. Four types of threat consequences, disclosure, deception, disruption, and usurpation, are identified in [SEC-GLOSS]. Specifically for threats against routing protocols, these consequences can be described as: ------------------------------------------------------------------ Beard/Yang Known Threats to Routing Protocols [Page 3] Internet Draft draft-beard-rpsec-routing-threats-00.txt October 2002 Disclosure: Disclosure of routing information happens where a router successfully accesses the information without being authorized. Compromised links can cause disclosure, if routing exchanges lack confidentiality. Compromised devices (routers), unauthorized devices (routers), and masquerading devices (routers) can always cause disclosure, as long as they are successfully involved in the routing exchanges. (Anyway, routers are designed to learn the network topology) Deception: This consequence happens when a legitimate router receives a false routing message and believes it to be true. All attackers (Compromised links, compromised device (routers), unauthorized devices (routers), and masquerading devices (routers) can cause this consequence if the receiving router lacks ability to check routing message integrity, routing message origin authentication or peer router authentication. Disruption: This consequence occurs when a legitimate router's operation is being interrupted or prevented. Subvert links can cause this by replaying, delaying, or dropping routing messages, or breaking routing sessions between legitimate routers. Compromised devices (router), unauthorized devices (routers), and masquerading device (routers) can cause this consequence by sending false routing messages, interfering normal routing exchanges, or flooding unnecessary messages. (DoS is a common threat action causing disruption.) Usurpation: This consequence happens when an attacker gains control over a legitimate router's services/functions. Compromised links can cause this by delaying or dropping routing exchanges, or replaying out-dated routing information. Compromised routers, unauthorized routers, and masquerading routers can cause this consequence by sending false routing information, interfering routing exchanges, or system integrity. Note: an attacker does not have to directly control a router to control its services. For example, in Figure 2-1, Network 1 is dual-homed through Router A and Router B, and Router A is preferred. However, Router B is compromised and advertises a lower metric. Consequently, devices on the Internet choose the path through Router B to reach Network 1. In this way, Router B steals the data traffic and Router A surrenders its control of the services to Router B. +-------------+ +-------+ | Internet |---| Rtr A | +------+------+ +---+---+ | | | | | | | *-+-* +-------+ / \ | Rtr B |------* N 1 * +-------+ \ / *---* Figure 2-1 Also, several threat consequences might be caused by a single threat action. In Figure 2-1, there exist at least two consequences: routers using Router B to reach Network 1 are deceived, while Router A is usurped. 2.4 Threat Consequence Zones A threat consequence zone covers an area within which the network resources could be affected by the threat consequences. Possible threat consequence zones can be classified as: a single link or router, multiple routers (within a single routing domain), a single routing domain, multiple routing domains, or the global Internet. The threat consequence zone varies based on the threat action and origin. Similar threat actions that happened at different locations may cause totally different threat consequence zones. For example, when a compromised link breaks the routing session between a distribution router and a stub router, only reach ability from and to the network devices attached on the stub router will be impaired. In other words, the threat consequence zone is a single router. Nonetheless, if the compromised router is located between a customer edge router and its corresponding provider edge router, such an action might cause the whole customer site to lose its connection. In this case, the threat consequence zone might be a single routing domain. ----------------------------------------------------------------------- Beard/Yang Known Threats to Routing Protocols [Page 4] Internet Draft draft-beard-rpsec-routing-threats-00.txt October 2002 2.5 Threat Consequence Periods Threat consequence period is defined as a portion of time from an attacker's launching a threat action to the threat consequence disappears and the network operating as intended by the authoritative network administrator. The threat consequence period is related with the duration of the threat action. In some cases, the network operation will get back to normal as soon as the threat action has been stopped. In other cases, however, threat consequences may appear longer than threat action. For example, in the original ARPANET link-state algorithm, some errors in a router might introduce three instances of an LSA, and all of them would be flooded throughout the network forever, until the entire network was power cycled [PROTO-VULN]. With security facilities, the network might detect the threat action, implement countermeasures, and resume normal operations even before the threat action has been stopped. In this documentation, we assume such facilities do not exist. 3.0 Generally Identifiable Routing Threats This section addresses generally identifiable and recognized threat action against routing protocols. The threats are not necessarily specific to individual protocols but may be present in one or more of the common routing protocols in use today. 3.1 Deliberate Exposure Deliberate Exposure is defined as an intentional action that attackers employ to release false routing information directly to other routers. This definition presumes that the receiving routers are not authorized to access the routing information. All types of attackers (Compromised links, compromised routers, unauthorized routers, and masquerading routers) can deliberately expose routing information to whomever they want, after obtaining the critical routing information. The consequence of deliberate exposure is the disclosure of routing information. The threat consequence zone of deliberate exposure depends on the routing information that the attackers have exposed. The more knowledge they have exposed, the bigger the threat consequence zone. The threat consequence period of deliberate exposure might be longer than the duration of the action itself. The routing information exposed will not be out-dated until there is a topology change of the exposed network. Note: An exposure is different from a deliberate exposure. While the deliberate exposure is always a threat action, the exposure is not. A legitimate router may expose routing information to peering unauthorized/masquerading routers, by routing exchanging, as long as the legitimate router is deceived and misbelieves its peers are also legitimate. ----------------------------------------------------------------------- Beard/Yang Known Threats to Routing Protocols [Page 5] Internet Draft draft-beard-rpsec-routing-threats-00.txt October 2002 3.2 Sniffing Sniffing is an action whereby attackers monitor and/or record the routing exchanges between authorized routers. Compromised links can sniff the links over which they have control. (Compromised routers, unauthorized routers, and masquerading routers can sniff, but do not need to do this, to access the routing information. They can learn the routing information as long as they are successfully involved in the routing exchanges). The consequence of sniffing is disclosure of routing information. The threat consequence zone of sniffing depends on the attacker's location, the routing protocol type, and, ultimately, what routing information has been recorded. For example, if the compromised link were located in an OSPF totally stubby area, the threat consequence zone should be limited to the whole area. Or, the compromised link could gain knowledge of multiple routing domains, if it sniffs an eBGP session between two providers. The threat consequence period might be longer than the duration of the action. After the compromised link stops sniffing, its knowledge will not be out-dated until there is a topology change of the disclosed network. 3.3 Traffic Analysis Traffic analysis is action whereby attackers gain routing information by analyzing the characteristics of the data traffic. Compromised links can analyze the data traffic over the links where they have control. (Compromised routers, unauthorized routers, and masquerading routers do not need to do this, although they can, to access the routing information. They learn the routing information by being successfully involved in the routing exchanges). The consequence of data traffic analysis is the disclosure of routing information. For example, the source and destination IP address of the data traffic, the type, magnitude, and volume of traffic is disclosed. The threat consequence zone of the traffic analysis depends on the attacker's location and, ultimately, what data traffic has flown through. A compromised link at the network core should be able to gain more information than its counterpart at the edge. The threat consequence period might be longer than the duration of the traffic analysis. After the attacker stops traffic analysis, its knowledge will not be out-dated until there is a topology change of the disclosed network. ----------------------------------------------------------------------- Beard/Yang Known Threats to Routing Protocols [Page 6] Internet Draft draft-beard-rpsec-routing-threats-00.txt October 2002 3.4 Spoof A spoof is defined as an action whereby an attacker participates in the routing computation and exchanges with authorized routers by illegitimately assumes a legitimate router's identity. All types of attackers (compromised links, compromised routers, unauthorized routers, and masquerading routers) can spoof. When an attacker succeeds to spoof, it plays a role of masquerading router. The consequences of spoof are: 1. The deception of peer relationship: The deceived peering routers do not believe the masquerading router's fake identity. 2. The deception of peer relationship: The authorized routers, which exchange routing messages with the masquerading router, do not realize they are peering with a router that is faking another router's identity. There are other consequences caused by a spoofing (masquerading) router. For example, the masquerading router might cause disruption of a network by sending unrealistic routing information. But these consequences are directly resulted from other threat actions instead of spoof, which are also discussed in this documentation. The threat consequence zone covers two different scopes: 1. The consequence zone of the disclosed routing information depends on what routing information has been exchanged between the attacker and its peers. 2. The disclosure of routing information: The masquerading router will participate in the routing computation and exchanges, and consequently gain access to the routing information. There are other consequences caused by a spoofing (masquerading) router. For example, the masquerading router might cause disruption of a network by sending unrealistic routing information. But these consequences are directly resulted from other threat actions instead of spoof. The threat consequence zone covers two different scopes: 1. The consequence zone of the fake peer relationship will be limited to those routers mistrusting the attacker's identity. 2. The consequence zone of the disclosed routing information depends on the attacker's location, the routing protocol type, and, ultimately, what routing information has been exchanged between the attacker and its deceived peers. ----------------------------------------------------------------------- Beard/Yang Known Threats to Routing Protocols [Page 7] Internet Draft draft-beard-rpsec-routing-threats-00.txt October 2002 The threat consequence period has two different definitions too: 1. The consequence period of the fake peer relationship is same as the duration of the spoof. As soon as the attacker stops spoofing, the fake peer relationship disappears. 2. The consequence period of the disclosed routing information will be longer than the duration of the spoof. After the attacker stops spoofing, its knowledge will not be out-dated until there is a topology change of the disclosed network. 3.5 Falsification Falsification is defined as an intentional action whereby false routing information is being sent. Routers use routing information to depict network topology, compute routing table, and further forward data traffic. False routing information describes the network in a way unrealistic, or realistic but not intended by the authoritative network administrator. Routers can originate, receive, and forward routing information. A router originates some routing information to advertise the attached network resource to other routers. A router receives routing information to gain routing knowledge. And, unless the router is a stub router, the router usually forwards the routing information to other routers. To falsify the routing information, an attacker has to be either the originator or a forwarder of the routing information. It cannot be a receiver-only. 3.5.1 Falsifications by Originators An originator of routing information can launch following falsifications: 3.5.1.1 Overclaiming An over-claiming is defined as an action that an attacker employs to advertise its ownership of some network resources, while in reality, this ownership does not exist, or the advertisement is not authorized. +-------------+ +-------+ +-------+ | Internet |---| Rtr B |---| Rtr A | +------+------+ +-------+ +---+---+ | . | | | . | *-+-* +-------+ / \ | Rtr C |------------------* N 1 * +-------+ \ / *---* Figure 3-1 ------------------------------------------------------------------------ Beard/Yang Known Threats to Routing Protocols [Page 8] Internet Draft draft-beard-rpsec-routing-threats-00.txt October 2002 +-------------+ +-------+ +-------+ | Internet |---| Rtr B |---| Rtr A | +------+------+ +-------+ +-------+ | | | | *---* +-------+ / \ | Rtr C |------------------* N 1 * +-------+ \ / *---* Figure 3-2 Figure 3-1 and 3-2 provide examples. Router A, the attacker, is connected with the Internet through Router B. Router C is authorized to advertise its link to Network 1. In Figure 3-1, Router A owns a link to the Network 1, but is not authorized to advertise it. In Figure 3-2, Router A does not own such a link. But in either case, Router A advertises the link to the Internet, through Router B. Compromised routers, unauthorized routers, and masquerading routers can over-claim network resources. The consequence of overclaiming includes: 1. Usurpation of the overclaimed network resources. In Figure 3-1 and 3-2, it will cause a usurpation of Network 1 when Router B or other routers on the Internet (not shown in the figures) believe that Router A provides the best path to reach the Network 1 and thereby forward the data traffic, destined to Network 1, to Router A. The best result is the data traffic uses an unauthorized path (Figure 3-1), and the worst case is the data never reach the destination Network 1 (Figure 3-2). The ultimate consequence is Router A gains the control over the Network 1's services, by controlling the data traffic. 2. Usurpation of the legitimate advertising routers. In Figure 3-1 and 3-2, Router C is the legitimate advertiser of Network 1. By overclaiming, Router A also controls (partially or totally) the services/functions provided by the Router C. (This is NOT a disruption, because Router C is operating in a way intended by the authoritative network administrator.) 3. Deception of other routers. In Figure 3-1 and 3-2, Router B, or other routers on the Internet, might be deceived to believe the path through Router A is the best. 4. Disruption of data planes on some routers. This might happen on routers that are on the path, which is used by other routers to reach the overclaimed network resources through the attacker. In Figure 3-1 and 3-2, when other routers on the Internet are deceived, they will forward the data traffic to Router B, which might be overloaded. ------------------------------------------------------------------------ Beard/Yang Known Threats to Routing Protocols [Page 9] Internet Draft draft-beard-rpsec-routing-threats-00.txt October 2002 The threat consequence zone varies based on the consequence: 1. Where usurpation is concerned, the consequence zone covers the network resources that are overclaimed by the attacker (Network 1 in Figure 3-1 and 3-2), and the routers that are authorized to advertise the network resources but lose the competition against the attacker (Router C in Figure 31 and 3-2). 2. Where deception is concerned, the consequence zone covers the routers that do not believe the attacker's advertisement and use the attacker to reach the claimed subnets (Router B and other deceived routers on the Internet in Figure 3-1 and 3-2). 3. Where disruption is concerned, the consequence zone includes the routers that are on the path of misdirected data traffic (Router B in Figure 3-1 and 3-2). The threat consequence will cease when the attacker stops overclaiming, and will totally disappear when the routing tables are converged. As a result the consequence period is longer than the duration of the overclaiming. 3.5.1.2 Underclaiming An underclaiming threat is defined as an action that an attacker illegitimately hides its authorized ownership of some network resources. The attacker could be the only router authorized to claim the network resources, or there might exist some legitimate backup routers. Figure 3-3 and 3-4 provide two examples. +-------------+ +-------+ | Internet |---| Rtr A | +------+------+ +---+---+ | | | | | | | *-+-* +-------+ / \ | Rtr B | * N 1 * +-------+ \ / *---* Figure 3-3 +-------------+ +-------+ | Internet |----------------| Rtr A | +------+------+ +---+---+ | | | | | | | *-+-* +-------+ +-------+ / \ | Rtr C |-----| Rtr B |-----* N 1 * +-------+ +-------+ \ / *---* Figure 3-4 ------------------------------------------------------------------------ Beard/Yang Known Threats to Routing Protocols [Page 10] Internet Draft draft-beard-rpsec-routing-threats-00.txt October 2002 Router A, the attacker, owns a link to Network 1 and is authorized to advertise Network 1. Nevertheless, Router A refuses to advertise Network 1. In Figure 3-3, Network 1 is single-homed with Router A and therefore can only be advertised by Router A. In Figure 3-4, Network is dual-homed with Router A and B, and both routers are authorized to advertise Network 1 (Router A may or may not provide a preferred path against Router B, the backup router). Compromised routers, unauthorized routers, and masquerading routers can underclaim network resources. The consequence of underclaiming includes: 1. Usurpation of the underclaimed network resources: In Figure 3-3, when Router A underclaims Network 1, Network 1 is isolated from the rest of the world, and cannot provide services to other devices, though Network 1's own operation is not disrupted. In Figure 3-4, if the path through Router A is preferred, the underclaiming will force Network 1 to use a sub-optimal path to provide its services. (If the path through Router B is intended to be preferred, the services by Network 1 will not really be hurt even though Router A underclaims). 2. Usurpation of the legitimate backup routers. In Figure 3-4, if Router A's path is preferred but Router A underclaims Network 1, it actually force Router B to serve Network 1. (Again, if Router B's path is intended to be preferred, Router A's underclaim does not really usurp Router B.) 3. Deception of other routers. Routers on the Internet (not shown in Figure 3-3 or 3-4) might not be able to reach Network 1 (Figure 3-3), or have to use a sub-optimal path through Router B when Router A's path is preferred. 4. Disruption of data planes on some routers. This might happen on routers that are on the sub-optimal paths. In Figure 3-4, when other routers on the Internet are deceived and use the sub-optimal path through Router B to reach Network 1, they will forward the data traffic to Router C. Router B and C might then become overloaded. (When the path through Router B is intended to be preferred, Router B and C might also be overloaded. However, the disruption in such a case is not a consequence of an underclaim). Note: Some others type of usurpation might result from an underclaim in routing protocols. Figure 3-5 provides an example. ----------------------------------------------------------------------- Beard/Yang Known Threats to Routing Protocols [Page 11] Internet Draft draft-beard-rpsec-routing-threats-00.txt October 2002 +-------------+ +-------+ | Internet |---| Rtr A | +------+------+ +---+---+ | | | | | | | *-+-* +-------+ / \ | Rtr B | * N 1 * +---+---+ \ / | *---* *-+-* / \ * N 2 * \ / *---* Figure 3-5 The threat consequence zone varies based on the consequence: 1. Where usurpation is concerned, the consequence zone covers the network resources that are underclaimed by the attacker (Network 1 in Figure 3-3 and 3-4), and the routers that are intended to be backup with a lower preference (Router B in Figure 3-4, if Router A's path is preferred). 2. Where deception is concerned, the consequence zone covers the routers that cannot reach the underclaimed network resources or those that have to use sub-optimal paths. 3. Where disruption is concerned, the consequence zone covers the routers that cannot reach the underclaimed network resources or those that have to use sub-optimal paths. Like overclaiming, the consequence period is longer than the duration of the underclaiming--the threat consequence will mitigate when the attacker stops underclaiming and will totally disappear when routing tables are converged. 3.5.1.3 Misclaiming A Misclaiming threat is defined as an attacker action advertising its authorized ownership of some network resources in a way that is not intended by the authoritative network administrator. An attacker can eulogize or disparage when advertising these network resources. Compromised routers, unauthorized routers, and masquerading routers can misclaim network resources. ----------------------------------------------------------------------- Beard/Yang Known Threats to Routing Protocols [Page 12] Internet Draft draft-beard-rpsec-routing-threats-00.txt October 2002 The threat consequences of Misclaiming are a combination of consequences from overclaiming and underclaiming. Eulogizing the network resources might cause the same consequences made by overclaiming, while disparaging might trigger the same results from underclaiming. The consequence zone and period are also similar to those of overclaiming or underclaiming. 3.5.2 Falsifications by Forwarders When a legitimate router forwards routing information, it must or must not modify the routing information, depending on the routing information and the routing protocol type. For example, in RIP, the forwarder must modify the routing information by increasing the hop count by 1. On the other hand, the forwarder must not modify the type 1 LSA in OSPF. In general, forwarders in distance vector routing protocols are authorized to and must modify the routing information, while most forwarders in link state routing protocols are not authorized to and must not modify most routing information. As a forwarder authorized to modify routing message, an atteby an attacker does not forward necessary routing information to other authorized routers. Unauthorized aggregation (summarization) is a special type of understatements. 3. Misstatement: This is defined as an action whereby the attacker describes route attributes in a wrong way. For example, in RIP, the attacker increases the path cost by two hops instead of one. Another example is, in BGP, the attacker deletes some AS numbers from the AS PATH. When forwarding routing information that should not be modified, an attacker can launch the following falsifications: 1. Deletion: Attacker deletes valid data in the routing message. 2. Insertion: Attacker inserts false data in the routing message. 3. Substitution: Attacker replaces valid data in the routing message with false data. 4. Replaying: Attacker replays out-dated data in the routing message. All types of attackers (Compromised links, compromised routers, unauthorized routers, and masquerading routers) can falsify the routing information when they forward the routing messages. The threat consequences of these falsifications by forwarders are similar to those caused by originators: Usurpation of some network resources and related routers; deception of routers using false paths; and disruption of data planes of routers on the false paths. ----------------------------------------------------------------------- Beard/Yang Known Threats to Routing Protocols [Page 13] Internet Draft draft-beard-rpsec-routing-threats-00.txt October 2002 The threat consequence area and period are also similar. 3.6 Interference Interference is defined as a threat action where attackers inhibit exchanges on legitimate routers. Attackers can do this by adding noise, not forwarding packets, replaying out-dated packets, delaying responses, denial of receipts, and breaking synchronization. Compromised links can interfere with the routing exchanges over the links where they have control. Compromised, unauthorized and masquerading routers can slowdown their routing exchanges or create flapping routing sessions of the legitimate peering routers. The consequence of interference is the disruption of routing operations. The consequence zone of interference varies based on the source of the threats: 1. When a compromised link launches the action, the threat consequence zone covers routers that are using the link to exchange the routing information. Routers behind might be disrupted too. 2. When compromised routers, unauthorized routers, or masquerading routers are the attackers, the threat consequence zone covers routers with which the attackers are exchanging routing information, and router behind. The threat consequences might disappear as soon as the interference is stopped, or might not totally disappear until the networks are converged. Therefore, the consequence period is equal or longer than the duration of the interference. 3.7 Overload Overload is defined as a threat action whereby attackers place excess burden on legitimate routers. Attackers can overload data plane or control plane. Because data plane is involved in routing exchanges, overload of data plane will also influence the routing operations. The consequence of overload is the disruption of routing operations. The consequence zone varies based on several factors: 1. When compromised links launch an overload action against the control plane, the consequence zone covers routers that are using the links to exchange the routing information, and routers behind. 2. When compromised links launch an overload action against the data plane, the consequence zone coves routers that are physically connected by the links, and routers behind. ----------------------------------------------------------------------- Beard/Yang Known Threats to Routing Protocols [Page 14] Internet Draft draft-beard-rpsec-routing-threats-00.txt October 2002 3. When Compromised routers, unauthorized routers, or masquerading routers launch an overload action against the control plane, the threat consequence zone covers routers with which the attackers are exchanging routing, and routers behind. 4. When Compromised routers, unauthorized routers, or masquerading routers launch an overload action against the data plane, the threat consequence zone covers of routers with which the attackers have physical connections, and routers behind. The threat consequences might disappear as soon as the overload is stopped, or not disappear until networks are converged. 4.0 Specific Threat Types In this section a more specific focus of threats to routing protocols is discussed. These threats may be further exploited based upon weakness in routing operations associated with the general threats described above. 4.1 Impersonation and Intrusion This subsection describes threats through the perspective of an impersonation detection scheme in multicast or unicast routing protocol environments. Threats are defined based upon prevention and detection attributes suggested for the routing protocol. A routing protocol can be secured by prevention or detection mechanisms. In prevention mechanisms, threats are identified and the protocol is designed to alleviate or eliminate those threats. The classical example to take is the Perlman [BYZANTINE] Digital Signature (DS) approach in securing networks. The gist of these schemes is based on a router having a pair and each router signing a routing message with its private key so that other routers along the path can be verify the authenticity of the message with originator's public key. Approaches in reference [OSPF-SIG] have been defined for Link State protocols like OSPF, and the idea can be extended to other routing protocols. Therefore, the prevention schemes although very attractive have an added cost for security. As an example in the case of a DS scheme as proposed by Perlman [BYZANTINE] and Murphy et. al. [OSPF-SIG], the performance cost associated with the setup of these keys is an added factor that can be prohibitively expensive for a large network. Also, the performance cost wherein each router in the path verifies the signature is an important factor that needs to be considered. The link state protocol in OSPF has a basic cryptographic authentication scheme defined in RFC 2328 [OSPFv2]. In this approach all the routers share the same session keys. The protocol is insecure when an insider compromises, as the compromised insider has access to the key and becomes a threat to the network. Such a scheme is good for external threats. ----------------------------------------------------------------------- Beard/Yang Known Threats to Routing Protocols [Page 15] Internet Draft draft-beard-rpsec-routing-threats-00.txt October 2002 Any intrusion detection schemes [SENSOR-IDS,DOS-IDS,and DIST-MONINTOR] can help to secure against external attacks and the following threats: * Non-existent information * Modification of information. These detection schemes are involved at a higher level. The protocol is modified to generate the set of data that is used by the external Intrusion Detection Systems (IDS) to detect bad routers in the network. 4.2 Byzantine Failures Byzantine failures are malicious attempts to control a router in order to attack that system as an authenticated system element. Byzantine attacks may be seen where any intermediate node or group of nodes can intentionally create routing loops, misrouting packets on non-optimal paths, or selectively dropping packets (black hole). Another way to state the problem is that Byzantine failures occur when a processor returns incorrect or malicious data. Under such an attack, only the source and destination nodes are assumed to be trusted. Detecting a Byzantine error is harder than the fail-stop model in the sense that at least one other processor must do the same computation to confirm the results. What isn't clear is just how much validation is required to determine whether a Byzantine failure has occurred. 4.3 Discarding of Control Packets Similar to Byzantine threats discussed above, uncontrolled discarding of control packets lies in the same plane. That is, discarding of control packets will have the same consequence as an incorrect routing control packet propagated in the network by a compromised router. In distance vector protocols the consequences may not be as dire because of the protocol behaviour, i.e. the routing update, is exchanged only with the neighbour. However in the case of link state routing protocols, the threat associated to discarding of control packet can become a serious issue, as the routing updates are flooded in the network. Exploitation of this threat was discussed by S.F. Wu B. Vetter and F. Wang [ATTACK-LS]from the perspective of an insider attacks in a Link State Routing environment. It is worth considering this threat in more detail. If the compromised (bad) router partitions the network, i.e. the router is the only path between two good routers, then the bad router can avoid forwarding the routing information on to the network on the other side. *-----* *----* / \ *---* / \ / Routers \ / \ / Routers \ * on one *-------* F *-------* on other * \ side / \ / \ side / *-----* *---* *------* Figure 4-1 Network Partitioning Due to F ----------------------------------------------------------------------- Beard/Yang Known Threats to Routing Protocols [Page 16] Internet Draft draft-beard-rpsec-routing-threats-00.txt October 2002 In this scenario, the network is partitioned and either side may not receive correct updates and the update packets may be dropped. Clearly if F is positioned such that the network is not partitioned, then the correctness of the protocol in such circumstances depends on the mechanism of transmitting routing updates. In the case of a typical LSRP like OSPF, reliable flooding is used that guarantees that the updates are received by each and every router in the network. Hence even when a set of bad routers partition a network, if there exists at least one good path between all the routers then this threat can be deterred by designing a robust transmitting mechanism for control updates. 5.0 Subversion of Control Plane Threats Subversion of control a plane takes place when an intruder modifies the operation of the intrusion detector to force false negatives to occur. These negatives prevent the interconnection device (router) from performing its function as in serving packets or frames containing certain protocols. This is not very secure when "speed" is used as the only decision criteria as it provides the intruder with an open door to alert the permission rules installed by the administrator. These modifications could in turn permit, deny or re-route traffic in intruder's favour. As a preventive measure, routers may need to verify the authenticity of many Link State Updates (LSU) and some routers such as border routers may need to sign many LSU, using efficient Message Authentication for Link State Routing. However, the reduced speed is the cost burden. Lack of consistent and timely management and control plane configurations can be considered a form of subversion or routing threat. Good security administration is labour-intensive, and therefore organizations often find it difficult to maintain the security of a large number of internal machines. To protect their machines from outside subversion, organizations often erect an outer security wall or "perimeter". Machines inside the perimeter communicate with the rest of the Internet only through a small set of carefully managed machines called "firewalls". Firewalls may operate at the application layer, in which case they are application relays, or at the IP layer, in which case they are firewall routers. 5.1 Network Mapping Threats Based on a simple set of inputs, computers can generate graphical and quantitative representations of informal knowledge networks within an organization. If there were no preventive measures in place, network map knowledge obtained by unauthorized access to intelligence can be costly and expensive threats. Motivation for snooping can range from curiosity to voyeur tendencies. The threat with router plane data snooping is the fact that it looks to historical information to be an indication of what will happen in the future. The principal threat aspect is that the snooped data can be used to develop a network topology. When unauthorized attackers develop a model, they attempt to create one that will be relevant for all situations going forward. Although these models may not be exact for every situation, they can be applied with a reasonable amount of certainty without introducing any biases based on past information. ----------------------------------------------------------------------- Beard/Yang Known Threats to Routing Protocols [Page 17] Internet Draft draft-beard-rpsec-routing-threats-00.txt October 2002 5.2 Promiscuous Mode and Network Topology Corrupting the router's data plane affords the opportunity to capture network traffic for analysis. Used to identify security risks and/or to monitor employees' activities (such as Web sites visited), a snoop program puts network interfaces into promiscuous mode. Promiscuous mode allows the system to access all the data in each network packet versus only routing-related information, including those packets intended for other computers. In a network, promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety. This mode of operation is sometimes given to a network snoop server that captures and saves all packets for analysis, for example, monitoring network usage. In Ethernet local area network environments, promiscuous mode creates a threat since every data packet transmitted can be received and read by a network adapter. Promiscuous mode must be supported by each network adapter as well as by the input/output driver in the host operating system. Promiscuous mode is the opposite of non-promiscuous mode for obvious reasons. When a data packet is transmitted in non-promiscuous mode, all the LAN devices "listen to" the data to determine proper and correct network address delivery. The data packet is passed onto the next LAN device until the device with the correct network address is reached. This is legitimate and correct routing operation. 5.3 Instability in Unicast Routing Protocols Instability is considered a potential negative effect of Unicast Routing. While not a security threat issue per se, it is worth noting that if unicast routing is unstable, then the actual routing protocol that source or receiver is using will be subject to the same instability. Both internal and external unicast routing can be weakly protected with keyed MD5 [RFC1828], as implemented in an internal protocol such as OSPF [RFC2382] or in BGP [RFC2385]. More generally, IPSEC [RFC1825] could be used to provide protocol integrity for the unicast routing system. 6.0 Multicast Routing Protocol Consideration This section describes router-to-router threat models specific to multicast routing protocols. As directed by the RPSEC Working Group charter, host-to-router protocols such as the Internet Group Management Protocol [IGMP] are specifically excluded. Likewise, the distribution of multicast keying material is excluded since it is being addressed in other Working Groups. The specific goal of this section is to provide a common basis for discussion between security and routing experts on securing multicast aspects of routing systems Multicast communication may be specifically targeted by security threats, due to its potential for communicating with large numbers of receivers simultaneously. An attacker may attempt to use multicast sessions in order to spread specific data to recipients, or may use multicast traffic patterns to overload links as a denial-of-service (DOS) attack. ----------------------------------------------------------------------- Beard/Yang Known Threats to Routing Protocols [Page 18] Internet Draft draft-beard-rpsec-routing-threats-00.txt October 2002 In general, multicast routing updates can be fabricated, modified, replayed, deleted, and snooped. For example, unauthorized nodes can simply participate in the multicast routing protocol dialog when no access control mechanisms are defined for the protocol. Non-routing devices can masquerade as an authorized router and inject spurious routing updates, perhaps using source routing attacks or TCP session hijacking attacks. Communication links can be compromised by an intruder to facilitate the manipulation of routing messages. Individual routers can be attacked and compromised to run modified software, or use a modified configuration. Although it is possible to run some multicast protocols independent of unicast routing, it is usually expected that multicast routing protocols will operate on routers which are simultaneously performing unicast routing. Thus it is important to consider multicast routing security issues within the larger context of overall routing protocol security. The various multicast routing protocols have varied interactions with unicast routing. 6.1 Core and Source-based Trees In general, multicast routing is accomplished by constructing a tree of network links connecting multicast source(s) with receivers. The basic approaches are core-based trees and source-based trees. Significant work has been done on core-based tree (CBT) architectures (i.e., [RFC 1949] [RFC 2189] [RFC 2201], etc.), but this multicast architecture has not been widely deployed to date. Source-based tree multicast routing protocols have been more widely implemented and deployed, and will be the initial focus of this section. In particular, the following multicast protocols are considered: * Distance Vector Multicast Routing Protocol (DVMRP) * Protocol-Independent Multicast (PIM) (Sparse Mode [RFC 2362] or Dense mode) * Multicast-Enabled Open Shortest Multicast routing protocols Source-based multicast trees are either built by a distance-vector style algorithm, which may be implemented separately from the unicast routing algorithm (as is the case with DVMRP), or the multicast tree may be built using the information present in the underlying unicast routing table, as is the case with PIM-DM. The other algorithm used for building source-based trees is the link -state algorithm, as used in M-OSPF. The method of building trees for specific multicast groups (i.e., prune/join messages) leads to the potential for DOS attacks in some multicast routing protocols. For example, with DVMRP, even routers that do not lead to group members incur significant state overhead due to the need to maintain information regarding prune messages for each active multicast group in the routing domain (potentially in the Internet). Spurious creation of multicast groups, if allowed to proceed without control, could potentially overload routers. ----------------------------------------------------------------------- Beard/Yang Known Threats to Routing Protocols [Page 19] Internet Draft draft-beard-rpsec-routing-threats-00.txt October 2002 With M-OSPF, scaling issues have restricted its use for inter-domain or large-scale backbone implementations. The flooding (or reliable broadcasting) of group membership information appears to be the predominant factor preventing the link state multicast algorithm from being applicable over the wide-area. The other limiting factor is the processing cost of the Dijkstra calculation to compute the shortest-path tree for each active source 6.2 Multicast and Unicast Threats The paragraphs below are applicable to most unicast routing security, as well as to multicast routing security. From the viewpoint of security, perhaps the most important way in which multicast routing differs from unicast routing is the concept of multicast groups. A multicast group contains one or more senders, and one or more receivers. (Receivers may also be senders in the generalized case.) Each group may have a different topology, depending on its current membership. Each router participating in the multicast tree must maintain state information for each active multicast group. In some architecture such as PIM-DM, even routers which are not actively participating in the multicast tree must maintain state information on active groups within the routing domain. Multicast routing protocols are at least as susceptible as unicast routing protocols to security threats. In general, multicast routing updates can be fabricated, modified, replayed, deleted, and snooped. For example, unauthorized nodes can simply participate in the multicast routing protocol dialog when no access control mechanisms are defined for the protocol. Non-routing devices can masquerade as an authorized router and inject spurious routing updates, perhaps using source routing attacks or TCP session hijacking attacks. Communication links can be compromised by an intruder to facilitate the manipulation of routing messages. Individual routers can be attacked and compromised to run modified software, or use a modified configuration. Just as with unicast routing, the key vulnerabilities of multicast routing lie in the introduction of misleading routing information, through non-existent (black hole) or incorrect routes, or in intercepting the routing information for malicious purposes. Incorrect routing information can form the basis for DOS attacks, while intercepting routing information (particularly group membership information) can reveal compromising topological information. Denial-of-service attacks may come either from senders or receivers in the multicast model. That is, if uncontrolled, senders may create large numbers of multicast groups, thus potentially creating a processing burden on multicast routers throughout the domain. Receivers, if uncontrolled, may join large numbers of multicast groups, thus causing the establishment of paths from the senders in each group to the receiver, as well as causing the flow of packets for each of the groups to converge on the receiver. ----------------------------------------------------------------------- Beard/Yang Known Threats to Routing Protocols [Page 20] Internet Draft draft-beard-rpsec-routing-threats-00.txt October 2002 7.0 Security Considerations This entire informational draft RFC is security related. Specifically, it addresses security of routing protocols as associated with threats to those protocols. In a larger context, this work builds upon the recognition of the IETF community that signalling and control/management planes of networked devices need strengthening. Routing protocols can be considered part of that signalling and control plane. However, to date, routing protocols have largely remained unprotected and open to malicious attacks. This document discusses inter and intra domain routing protocol threats as we know them today and lays the foundation for a future draft which fully discusses security requirements for routing protocols. 8.0 Acknowledgements This draft would not have been possible save for the excellent efforts and team work characteristics of those listed here. Ayman Musharbash - Nortel Networks Paul Knight - Nortel Networks Elwyn Davies - Nortel Networks Ameya Dilip Pandit - Graduate student - University of Missouri Senthilkumar Ayyasamy - Graduate student - University of Missouri In addition, thanks to following individuals for their comments: Marc DesRosiers - Nortel Networks Lawrence Dobranski - Nortel Networks Tim Gage - Cisco Systems Frank Horsfall - Nortel Networks Mike Lee - Nortel Networks James Ng - Cisco Systems Alvaro Retana - Cisco Systems Bing Wen - Nortel Networks Russ White - Cisco Systems Zhong Lin Zhou - Cisco Systems 9.0 Author's Addresses Dennis Beard Nortel Networks Box 3511, Stn C Ottawa, Ontario, Canada K1Y 4H7 Email: beardd@nortelnetworks.com Yi Yang Cisco Systems 7025 Kit Creek Road RTP, NC 27709 Email: yiya@cisco.com ----------------------------------------------------------------------- Beard/Yang Known Threats to Routing Protocols [Page 21] Internet Draft draft-beard-rpsec-routing-threats-00.txt October 2002 10.0 Appendix I - References References used in section 2: [SEC-GLOSS] R.Shirey, Internet Security Glossary, RFC 2828, May 2000 [DV-SECURITY] B.R.Smith, S.Murthy, and J.J. Garcia-Luna-Aceves, Securing Distance-Vector Routing Protocols, Symposium on Network and Distributed System Security 1997, Feb. 1997 [PROTO-VULN] E.Rosen, Vulnerabilities of Network Control Protocols: An Example, Computer Communication Review, Jul. 1981 References used in section 4.1: [BYZANTINE] http://www.lcs.mit.edu/publications/specpub.php-id=997 Perlman's Thesis on Byzantine robustness [OSPF-SIG] http://www.faqs.org/rfcs/rfc2154.html RFC 2154, OSPF with Digital Signatures [OSPFv2] http://www.faqs.org/rfcs/rfc2328.html RFC 2328, OSPF v2 [SENSOR-IDS] Sensor-Based Intrusion Detection for Intra-Domain Distance-Vector Routing, Proceedings of the ACM Conference on Computer and Communication Security (CCS'02), Washington, DC, November 2002 [DOS-IDS] S.Cheung et. al., Protecting Routing Infrastructures from Denial of Service using co-operative intrusion detection, In Proceedings of the 1995 IEEE Symposium on Security and Privacy [DIST-MONINTOR] K.A. Bradley et. al., A distributed Network Monitoring approach Reference used in section 4.3: [ATTACK-LS] An Experimental Study of Insider Attacks in a Link State Routing Protocol, S.F. Wu B. Vetter, F. Wang. In 5th IEEE International Conference on Network Protocols, Atlanta, GA, 1997. References used in section 6: [IGMP] Internet Group Management Protocol, Version 2 (RFC 2236) [PIM-SM] Protocol Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification (RFC 2362) [THREATS] - Multicast-Specific Security Threats and Counter-Measures; A. Ballardie and J. Crowcroft; In Proceedings "Symposium on Network and Distributed System Security", February 1995, pp.2-16. (ftp://cs.ucl.ac.uk/darpa/IDMR/mcast-sec-isoc.ps.Z) Scalable Multicast Key Distribution (RFC 1949) Core Based Trees (CBT) Multicast Routing Architecture (RFC 2201) Core Based Trees (CBT version 2) Multicast Routing -- Protocol Specification -- (RFC 2189) Interoperability Rules for Multicast Routing Protocols (RFC 2715) IPv4 Multicast Routing MIB (RFC 2932) Protocol Independent Multicast MIB for IPv4 (RFC 2934) Historical IETF Routing references: http://www.ietf.org/rfc/rfc1825.txt http//www.research.att.com/~smb/papers/ipext.pdf ----------------------------------------------------------------------- Beard/Yang Known Threats to Routing Protocols [Page 22]