Network Working Group                                          A. Barbir
Internet-Draft                                           Nortel Networks
Expires: September 30, 2003                                    S. Murphy
                                                Network Associates, Inc
                                                                 Y. Yang
                                                           Cisco Systems
                                                              April 2003


                  Generic Threats to Routing Protocols
                  draft-ietf-rpsec-routing-threats-01

Status of this Memo

   This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 30, 2003.

Copyright Notice

   Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

   Routing protocols are subject to attacks that can harm individual users or the network operations as a whole. This document provides a description and a summary of generic threats that affect routing protocols in general. The work describes threats, including threat sources and capabilities, threat actions, and threat consequences, as well as a breakdown of routing functions that might be separately attacked.

Barbir, et al.          Expires September 30, 2003              [Page 1]

Internet-Draft       Generic Threats to Routing Protocols     April 2003

Table of Contents

   1.      Introduction
   2.      Routing Functions Overview
   2.1     Routing Protocol Control and Data Planes
   3.      Generic Routing Protocol Threat Model
   3.1     Threat Definitions
   3.1.1   Threat Sources
   3.1.2   Threat Consequences
   4.      Generally Identifiable Routing Threats
   4.1     Deliberate Exposure
   4.2     Sniffing
   4.3     Traffic Analysis
   4.4     Spoofing
   4.5     Falsification
   4.5.1   Falsifications by Originators
   4.5.2   Falsifications by Forwarders
   4.6     Interference
   4.7     Overload
   4.8     Byzantine Failures
   4.9     Discarding of Control Packets
   4.10    Network Mapping Threats
   4.11    DoS and DDoS Attacks
   5.      Security Considerations
           Normative References
           Informative References
           Authors' Addresses
   A.      Acknowledgements
   B.      Acronyms
           Intellectual Property and Copyright Statements

1. Introduction

   Routing protocols are subject to threats and attacks that can harm individual users or the network operations as a whole. The document provides a summary of generic threats that affect routing protocols.
   In particular, the work identifies generic threats to routing protocols, including threat sources, threat actions, and threat consequences. A breakdown of routing functions that might be separately attacked is provided.

   The work should be considered a precursor to developing a common set of security requirements for routing protocols. For this reason, the document does not address threats to routers such as hacking, denial of service, flooding attacks and others. The document does not consider threats that result from bad implementations that are specific to particular routing protocols. The security requirements derived from this threat analysis are intended to be used as guidance by those who are designing routing protocols.

   The document is organized as follows: Section 2 provides a review of routing functions. Section 3 defines threats. Section 4 discusses generally identifiable routing threat actions. Section 5 addresses security considerations.

2. Routing Functions Overview

   This section provides an overview of common functions that are shared among various routing protocols. In general, routing protocols share the following common functions:

   o  Transport Subsystem: The routing protocol transmits messages to its peers using some underlying protocol. For example, OSPF uses IP, while AODV uses a broadcast link. Other protocols may run over TCP.

   o  Neighbor State Maintenance: Peering relationship formation is the first step for topology determination. For this reason, routing protocols may need to maintain the state of their neighbors. Each routing protocol may use a different mechanism for determining its peers in the routing topology. Some protocols have a distinct exchange through which they establish peering relationships, e.g., Hello exchanges in OSPF.
   o  Database Maintenance: Routing protocols exchange network topology and reachability information. The routers collect this information in routing databases with varying detail. The maintenance of these databases is a significant portion of the function of a routing protocol.

2.1 Routing Protocol Control and Data Planes

   A router's functions can be divided into a control plane and a data plane (protocol traffic vs. data traffic). In a similar fashion, a routing protocol has a control plane and a data plane. The control plane of a routing protocol exchanges messages that are intended only for control of the protocol state. The data plane of a routing protocol uses messages to exchange information that is intended to be used in the forwarding function. For example, the information can be used to establish a forwarding table in each router or to return a description of the route to be used.

   Routing functions may affect both the control and the data planes. However, there may be an emphasis on one of the planes as opposed to the other. For example, neighbor maintenance is likely to focus on the routing protocol control plane, while database maintenance may focus on the data plane.

3. Generic Routing Protocol Threat Model

   This section develops a model that can be used to identify the threats that can affect routing protocols in general. The model examines the possible threats that routing protocols can be exposed to from unauthorized entities.

   Routing protocols are subject to threats at the control and data planes and at the functional level. At the plane level, both the control plane and the data plane are subject to attack. An attacker may be able to break a neighbor (e.g., peering, adjacency) relationship. This type of attack can impact the network routing behavior in the affected routers and likely the surrounding neighborhood.
   An attacker who is able to break a database exchange between two routers can also affect routing behavior. In the routing protocol data plane, an attacker who is able to introduce bogus data can have a strong effect on the behavior of routing in the neighborhood.

   At the routing function level, threats can affect the transport subsystem, where the routing protocol can be subject to attacks on its underlying protocol. At the neighbor state maintenance level, there are threats that can lead to attacks that disrupt the peering relationship, with widespread consequences. For example, if the DR election is disrupted in an OSPF network, an unauthorized router could be chosen as designated router. This might allow unauthorized access to routing information. In BGP, if a router receives a CEASE message, it can break the peering relationship and cause any related topology information to be flushed.

   There are threats against the database maintenance functionality. For example, the information in the database must be authentic and authorized. Threats that jeopardize this information can affect the routing functionality in the overall network. For example, if an OSPF router sends LSAs with the wrong Advertising Router, the receivers will compute an incorrect SPF tree and might not forward the traffic. If a BGP router advertises an NLRI that it is not authorized to advertise, then receivers might forward that NLRI's traffic toward that router and the traffic would not be deliverable. A PIM router might transmit a JOIN message to receive multicast data it would otherwise not receive.

3.1 Threat Definitions

   Threat is defined in [1] as a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. A threat presents itself when an attacker has the ability to take advantage of an existing security weakness. Threats can be categorized based on various rules, such as threat sources, threat actions, threat consequences, threat consequence zones, and threat consequence periods.

3.1.1 Threat Sources

   There are many sources for threats that may affect routing protocols. In some cases, unauthorized entities such as attackers may illegally participate in the routing operations. In other circumstances, there are threats to routing protocols from entities that are running incorrect code or using invalid configurations.

   Threats can originate from outsiders or insiders. An insider is an authorized participant in the routing protocol. An outsider is any other host or network. A host is determined to be an outsider or an insider from the point of view of a particular router. Even an authorized protocol speaker can be an outsider to a particular router if the router does not consider the speaker to be a legitimate peer (as could conceivably happen on a multi-access link).

   In general, threats can be classified into the following categories based on their sources [2]:

   o  Threats that result from subverted links: A link becomes subverted when an attacker gains access to (or control of) it through a physical medium. The attacker can then take control over the link. This threat can result from the lack of (or the use of weak) access control mechanisms as applied to physical media or channels. The attacker may eavesdrop, replay, delay, or drop routing messages, or break routing sessions between authorized routers, without participating in the routing exchange.

   o  Threats that result from subverted devices (e.g., routers): A subverted device (router) is an authorized router that may have routing software bugs, hardware defects, or incorrect or unintended configurations.
      Devices can be susceptible to such threats due to the lack of mechanisms to verify system integrity (for example, that the router is working correctly as intended by the authoritative network administrator), or because such mechanisms can be circumvented. Such threats may enable attackers to inappropriately claim authority for some network resources, or to violate routing protocols, such as by advertising invalid routing information.

   For some protocols there is no notion of an authorized peer or neighbor. For example, in OSPF (that is, before MD5 authentication was added), a router speaks to all routers on the local link that answer to the AllSPFRouters multicast address. Furthermore, MANET protocols frequently speak over the broadcast link.

3.1.2 Threat Consequences

   A threat consequence is a security violation that results from a threat action [1]. The compromise to the behavior of the routing system can damage a particular network or host, or can damage the operation of the network as a whole. There are four types of threat consequences: disclosure, deception, disruption, and usurpation [1].

   o  Disclosure: Disclosure of routing information happens when a router successfully accesses the information without being authorized. Subverted links can cause disclosure if routing exchanges lack confidentiality. Subverted devices (routers) can cause disclosure as long as they are successfully involved in the routing exchanges. Although inappropriate disclosure of routing information can pose a security threat or be part of a later, larger, or higher-layer attack, confidentiality is not generally a design goal of routing protocols.

   o  Deception: This consequence happens when a legitimate router receives a false routing message and believes it to be true.
      Subverted links and/or subverted devices (routers) can cause this consequence if the receiving router lacks the ability to check routing message integrity, routing message origin authentication, or peer router authentication.

   o  Disruption: This consequence occurs when a legitimate router's operation is interrupted or prevented. Subverted links can cause this by replaying, delaying, or dropping routing messages, or by breaking routing sessions between legitimate routers. Subverted devices (routers) can cause this consequence by sending false routing messages, interfering with normal routing exchanges, or flooding unnecessary messages. (DoS is a common threat action causing disruption.)

   o  Usurpation: This consequence happens when an attacker gains control over a legitimate router's services/functions. Subverted links can cause this by delaying or dropping routing exchanges, or by replaying out-dated routing information. Subverted routers can cause this consequence by sending false routing information, interfering with routing exchanges, or compromising system integrity.

   Note: an attacker does not have to directly control a router to control its services. For example, in Figure 1, Network 1 is dual-homed through Router A and Router B, and Router A is preferred. However, Router B is compromised and advertises a lower metric. Consequently, devices on the Internet choose the path through Router B to reach Network 1. In this way, Router B steals the data traffic and Router A surrenders its control of the services to Router B. This is depicted in Figure 1.

   +-------------+     +-------+
   |   Internet  |-----| Rtr A |
   +------+------+     +---+---+
          |                |
          |                |
          |                |
          |              *-+-*
      +-------+         /     \
      | Rtr B |--------*  N 1  *
      +-------+         \     /
                         *---*

                                Figure 1

   Several threat consequences might be caused by a single threat action.
   In Figure 1, there exist at least two consequences: routers using Router B to reach Network 1 are deceived, while Router A is usurped.

   Within the context of the threat consequences described above, damage that might result from attacks against the network as a whole may include:

   o  Network congestion: more data traffic is forwarded through some portion of the network than would otherwise need to carry the traffic,

   o  Blackhole: large amounts of traffic are directed to be forwarded through one router that cannot handle the increased level of traffic and drops many/most/all packets,

   o  Looping: data traffic is forwarded along a route that loops, so that the data is never delivered (resulting in network congestion),

   o  Partition: some portion of the network believes that it is partitioned from the rest of the network when it is not,

   o  Churn: the forwarding in the network changes (unnecessarily) at a rapid pace, resulting in large variations in the data delivery patterns (and adversely affecting congestion control techniques),

   o  Instability: the protocol becomes unstable so that convergence on a global forwarding state is not achieved, and

   o  Overload: the protocol messages themselves become a significant portion of the traffic the network carries.
   The damage that might result from attacks against a particular host or network address may include:

   o  Starvation: data traffic destined for the network or host is forwarded to a part of the network that cannot deliver it,

   o  Eavesdrop: data traffic is forwarded through some router or network that would otherwise not see the traffic, affording an opportunity to see the data or at least the data delivery pattern,

   o  Cut: some portion of the network believes that it has no route to the host or network when it is in fact connected,

   o  Delay: data traffic destined for the network or host is forwarded along a route that is in some way inferior to the route it would otherwise take,

   o  Looping: data traffic for the network or host is forwarded along a route that loops, so that the data is never delivered.

   It is important to consider all compromises, because some security solutions can protect against one attack but not against others. It might be possible to design a security solution that protected against an attack that eavesdropped on one destination's traffic without protecting against an attack that overwhelmed a router, or one that prevented a starvation attack against one host but not a network-wide blackhole. The security requirements must be clear as to which compromises are being avoided and which must be addressed by other means (e.g., by administrative means outside the protocol).

3.1.2.1 Threat Consequence Zone

   A threat consequence zone covers an area within which the network operations have been affected by the threat consequences. Possible threat consequence zones can be classified as: a single link or router, multiple routers (within a single routing domain), a single routing domain, multiple routing domains, or the global Internet.

   The threat consequence zone varies based on the threat action and origin. Similar threat actions that happen at different locations may cause totally different threat consequence zones.
   For example, when a compromised link breaks the routing session between a distribution router and a stub router, only reachability from and to the network devices attached to the stub router will be impaired. In other words, the threat consequence zone is a single router. Nonetheless, if the compromised router is located between a customer edge router and its corresponding provider edge router, such an action might cause the whole customer site to lose its connection. In this case, the threat consequence zone might be a single routing domain.

3.1.2.2 Threat Consequence Periods

   The threat consequence period is defined as the portion of time during which the network operations have been impacted by the threat consequences. The threat consequence period is influenced by, but not totally dependent on, the duration of the threat action. In some cases, the network operations will get back to normal as soon as the threat action has been stopped. In other cases, however, the threat consequences may last longer than the threat action. For example, in the original ARPANET link-state algorithm, some errors in a router might introduce three instances of an LSA, and all of them would be flooded throughout the network forever, until the entire network was power cycled [3].

4. Generally Identifiable Routing Threats

   This section addresses generally identifiable and recognized threat actions against routing protocols. The threats are not necessarily specific to individual protocols but may be present in one or more of the common routing protocols in use today.

4.1 Deliberate Exposure

   Deliberate exposure occurs when an attacker takes control of a router and intentionally releases routing information directly to other routers.
   In some cases, the receiving routers may not be authorized to access the leaked routing information. Deliberate exposure is always a threat action; however, the exposure of routing information may not be.

   The consequence of deliberate exposure is the disclosure of routing information. The threat consequence zone of deliberate exposure depends on the routing information that the attackers have exposed. The more knowledge they have exposed, the bigger the threat consequence zone. The threat consequence period of deliberate exposure might be longer than the duration of the action itself. The routing information exposed will not be out-dated until there is a topology change in the exposed network.

4.2 Sniffing

   Sniffing is an action whereby attackers monitor and/or record the routing exchanges between authorized routers. Attackers can use subverted links to sniff for routing information.

   The consequence of sniffing is disclosure of routing information. The threat consequence zone of sniffing depends on the attacker's location, the routing protocol type, and the routing information that has been recorded. For example, if the subverted link is in an OSPF totally stubby area, the threat consequence zone should be limited to the whole area. An attacker that is sniffing a subverted link in an EBGP session can gain knowledge of multiple routing domains. The threat consequence period might be longer than the duration of the action. If an attacker stops sniffing a subverted link, their acquired knowledge will not be out-dated until there is a topology change in the affected network.

4.3 Traffic Analysis

   Traffic analysis is an action whereby attackers gain routing information by analyzing the characteristics of the data traffic on a subverted link. Traffic analysis threats can affect any data that is sent in the clear over a communication link.
   This threat is not peculiar to routing protocols and is included here for completeness. The consequence of data traffic analysis is the disclosure of routing information. For example, the source and destination IP addresses of the data traffic and the type, magnitude, and volume of traffic are disclosed. The threat consequence zone of traffic analysis depends on the attacker's location and what data traffic has passed through. A subverted link at the network core should be able to disclose more information than its counterpart at the edge. The threat consequence period might be longer than the duration of the traffic analysis. After the attacker stops traffic analysis, its knowledge will not be out-dated until there is a topology change in the disclosed network.

4.4 Spoofing

   Spoofing occurs when an illegitimate device assumes the identity of a legitimate one. Spoofing in and of itself is often not the true attack. Spoofing is special in that it can be used to carry out other threat actions causing other threat consequences. An attacker can use spoofing as a means for launching other types of attacks. For example, if an attacker succeeds in spoofing the identity of a router, the subverted router can act as a masquerading router. In other situations, the spoofed router can be used to send out unrealistic routing information that might cause disruption of network services.

   There are a few cases where spoofing can be an attack. For example, if a router establishes a neighbor/peering relationship by spoofing the identity of a legitimate router, and by that action prevents the legitimate router from establishing a relationship, that would be an attack, denying service to the legitimate router. As a second example, if a router is doing auditing, then the ability to spoof the identity of a router would be an attack, since the audit data would be false.
   The consequences of spoofing are:

   o  The disclosure of routing information: The spoofed router will be able to gain access to the routing information.

   o  The deception of peer relationships: The authorized routers, which exchange routing messages with the spoofed router, do not realize they are peering with a router that is faking another router's identity.

   The threat consequence zone covers:

   o  The consequence zone of the fake peer relationship will be limited to those routers that wrongly trust the attacker's identity.

   o  The consequence zone of the disclosed routing information depends on the attacker's location, the routing protocol type, and the routing information that has been exchanged between the attacker and its deceived peers.

4.5 Falsification

   Falsification is an intentional action whereby false routing information is sent by a subverted router. False routing information describes the network in an unrealistic view, whether or not intended by the authoritative network administrator. To falsify the routing information, an attacker has to be either the originator or a forwarder of the routing information. It cannot be a receiver only.

4.5.1 Falsifications by Originators

   An originator of routing information can launch the falsifications that are described in the next sections.

4.5.1.1 Overclaiming

   Overclaiming occurs when a subverted router advertises its control of some network resources, while in reality it does not control them, or the advertisement is not authorized. This is shown in Figure 2 and Figure 3.
   +-------------+     +-------+     +-------+
   |   Internet  |-----| Rtr B |-----| Rtr A |
   +------+------+     +-------+     +---+---+
          |                              .
          |                              .
          |                              .
          |                            *-+-*
      +-------+                       /     \
      | Rtr C |----------------------*  N 1  *
      +-------+                       \     /
                                       *---*

                      Figure 2: Overclaiming-1

   +-------------+     +-------+     +-------+
   |   Internet  |-----| Rtr B |-----| Rtr A |
   +------+------+     +-------+     +-------+
          |
          |
          |
          |                            *---*
      +-------+                       /     \
      | Rtr C |----------------------*  N 1  *
      +-------+                       \     /
                                       *---*

                      Figure 3: Overclaiming-2

   The above figures provide examples of overclaiming. Router A, the attacker, is connected to the Internet through Router B. Router C is authorized to advertise its link to Network 1. In Figure 2, Router A controls a link to Network 1, but is not authorized to advertise it. In Figure 3, Router A does not control such a link. But in either case, Router A advertises the link to the Internet, through Router B. Compromised routers, unauthorized routers, and masquerading routers can overclaim network resources.

   The consequences of overclaiming include:

   o  Usurpation of the overclaimed network resources. In Figure 2 and Figure 3, it will cause a usurpation of Network 1 when Router B or other routers on the Internet (not shown in the figures) believe that Router A provides the best path to reach Network 1. Those routers thereby forward the data traffic destined to Network 1 to Router A. In the best case, the data traffic uses an unauthorized path (Figure 2); in the worst case, the data never reaches the destination Network 1 (Figure 3). The ultimate consequence is Router A gaining control over Network 1's services, by controlling the data traffic.

   o  Usurpation of the legitimate advertising routers. In Figure 2 and Figure 3, Router C is the legitimate advertiser of Network 1.
      By overclaiming, Router A also controls (partially or totally) the services/functions provided by Router C. (This is NOT a disruption, because Router C is operating in a way intended by the authoritative network administrator.)

   o  Deception of other routers. In Figure 2 and Figure 3, Router B, or other routers on the Internet, might be deceived into believing the path through Router A is the best.

   o  Disruption of data planes on some routers. This might happen on routers that are on the path used by other routers to reach the overclaimed network resources through the attacker. In Figure 2 and Figure 3, when other routers on the Internet are deceived, they will forward the data traffic to Router B, which might be overloaded.

   The threat consequence zone varies based on the consequence:

   o  Where usurpation is concerned, the consequence zone covers the network resources that are overclaimed by the attacker (Network 1 in Figure 2 and Figure 3), and the routers that are authorized to advertise the network resources but lose the competition against the attacker (Router C in Figure 2 and Figure 3).

   o  Where deception is concerned, the consequence zone covers the routers that believe the attacker's advertisement and use the attacker to reach the claimed subnets (Router B and other deceived routers on the Internet in Figure 2 and Figure 3).

   o  Where disruption is concerned, the consequence zone includes the routers that are on the path of misdirected data traffic (Router B in Figure 2 and Figure 3).

   The threat consequence will cease when the attacker stops overclaiming, and will totally disappear when the routing tables have converged. As a result, the consequence period is longer than the duration of the overclaiming.

4.5.1.2 Underclaiming

   TBD: Need to agree on the title and if it is a threat or not?
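   The usurpation example of Figure 1 and the overclaiming scenarios of Figures 2 and 3 both come down to a receiver installing whichever claim for Network 1 carries the best metric. The following added example (not part of this draft) models that receiver in Python and adds a prefix-origin authorization table as the mitigation; router names, prefixes and metrics are constructed values. It also illustrates the point made in Section 3.1.2 that a control against one compromise need not address another: the authorization table rejects the unauthorized originator of Figures 2 and 3, but it cannot reject the compromised yet authorized Router B of Figure 1, which only a separate comparison against the operator's expected primary path can flag.

```python
"""Origin-authorization check for route advertisements.

Added example, not part of the draft: a receiver that installs the
lowest-metric advertisement per prefix, optionally filtered by a
prefix -> authorized-originators table, run over the draft's Figure 1
and Figures 2/3 scenarios. All names, prefixes and metrics are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Advertisement:
    prefix: str      # network resource being claimed (e.g. Network 1)
    advertiser: str  # router originating the claim
    metric: int      # lower is preferred by the receiver


def select_best(
    ads: Iterable[Advertisement],
    authorized: Optional[Dict[str, Set[str]]] = None,
) -> Tuple[Dict[str, Advertisement], List[Advertisement]]:
    """Return (installed best advertisement per prefix, rejected advertisements).

    Without an authorization table every claim competes on metric alone,
    which is the receiver behaviour the draft's figures assume. With a
    table mapping prefix -> routers authorized to advertise it, claims
    from any other router are dropped before the metric comparison.
    """
    best: Dict[str, Advertisement] = {}
    rejected: List[Advertisement] = []
    for ad in ads:
        if authorized is not None and ad.advertiser not in authorized.get(ad.prefix, set()):
            rejected.append(ad)
            continue
        current = best.get(ad.prefix)
        if current is None or ad.metric < current.metric:
            best[ad.prefix] = ad
    return best, rejected


def unexpected_origins(best: Dict[str, Advertisement], expected: Dict[str, str]) -> Dict[str, str]:
    """Detection check: prefixes whose installed originator differs from the
    operator's expected primary. Returns {prefix: actual originator}."""
    return {p: ad.advertiser for p, ad in best.items() if expected.get(p) != ad.advertiser}


# Figures 2 and 3 (constructed): Rtr C is the only router authorized to
# advertise N1; Rtr A (the attacker) overclaims N1 with a better metric.
OVERCLAIM_ADS = [
    Advertisement("N1", "RtrC", 10),
    Advertisement("N1", "RtrA", 5),
]
OVERCLAIM_AUTH = {"N1": {"RtrC"}}

# Figure 1 (constructed): N1 is dual-homed, both routers are authorized,
# Rtr A is the intended path, and the compromised Rtr B advertises a
# lower metric.
DUAL_HOMED_ADS = [
    Advertisement("N1", "RtrA", 10),
    Advertisement("N1", "RtrB", 5),
]
DUAL_HOMED_AUTH = {"N1": {"RtrA", "RtrB"}}
EXPECTED_PRIMARY = {"N1": "RtrA"}


def figure_2_3_outcome() -> Tuple[str, str]:
    """(winner without authorization, winner with authorization) for Figures 2/3."""
    unchecked, _ = select_best(OVERCLAIM_ADS)
    checked, _ = select_best(OVERCLAIM_ADS, OVERCLAIM_AUTH)
    return unchecked["N1"].advertiser, checked["N1"].advertiser


def figure_1_outcome() -> Tuple[str, Dict[str, str]]:
    """(winner with authorization, detection findings) for Figure 1."""
    checked, _ = select_best(DUAL_HOMED_ADS, DUAL_HOMED_AUTH)
    return checked["N1"].advertiser, unexpected_origins(checked, EXPECTED_PRIMARY)


if __name__ == "__main__":
    print("Figures 2/3 (unchecked winner, checked winner):", figure_2_3_outcome())
    print("Figure 1 (checked winner, findings):", figure_1_outcome())
```

   Run as a script, the first line shows Router A winning without the table and Router C winning with it; the second shows that the table leaves Router B installed for Figure 1 and that only the comparison against the expected primary reports the divergence. The authorization table is a stand-in for whatever binds prefixes to originators in a given deployment; the point is which of the two compromises it addresses, not the table's format.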
4.5.1.3 Misclaiming

   A misclaiming threat is defined as an attacker action advertising its authorized control of some network resources in a way that is not intended by the authoritative network administrator. An attacker can eulogize or disparage when advertising these network resources. Subverted routers, unauthorized routers, and masquerading routers can misclaim network resources.

   The threat consequences of misclaiming are similar to the consequences of overclaiming. Eulogizing the network resources might cause the same consequences as overclaiming. The consequence zone and period are also similar to those of overclaiming.

4.5.2 Falsifications by Forwarders

   When a legitimate router forwards routing information, it must, or must not, modify the routing information, depending on the routing information and the routing protocol type. For example, in RIP, the forwarder must modify the routing information by increasing the hop count by 1. On the other hand, the forwarder must not modify a type 1 LSA in OSPF. In general, forwarders in distance vector routing protocols are authorized to and must modify the routing information, while most forwarders in link state routing protocols are not authorized to and must not modify most routing information.

   As a forwarder authorized to modify routing messages, an attacker may not forward necessary routing information to other authorized routers. Unauthorized aggregation (summarization) is a special type of understatement.

4.5.2.1 Misstatement

   This is defined as an action whereby the attacker describes route attributes in a wrong way. For example, in RIP, the attacker increases the path cost by two hops instead of one. Another example is, in BGP, the attacker deletes some AS numbers from the AS_PATH.

   When forwarding routing information that should not be modified, an attacker can launch the following falsifications:

   o  Deletion: The attacker deletes valid data in the routing message.
Expires September 30, 2003 [Page 16] Internet-Draft Generic Threats to Routing Protocols April 2003 o Insertion: Attacker inserts false data in the routing message. o Substitution: Attacker replaces valid data in the routing message with false data. o Replaying: Attacker replays out-dated data in the routing message. All types of attackers (Compromised links, compromised routers, unauthorized routers, and masquerading routers) can falsify the routing information when they forward the routing messages. The threat consequences of these falsifications by forwarders are similar to those caused by originators: Usurpation of some network resources and related routers; deception of routers using false paths; and disruption of data planes of routers on the false paths. The threat consequence area and period are also similar. 4.6 Interference Interference is a threat action where an attackers uses a subverted link or router to inhibit the exchanges by legitimate routers. The attacker can do this by adding noise, or by not forwarding packets, or by replaying out-dated packets, or by delaying responses, or by denial of receipts, and breaking synchronization. Subverted, unauthorized and masquerading routers can slowdown their routing exchanges or create flapping routing sessions of legitimate peering routers. The consequence of interference is the disruption of routing operations. The consequence zone of interference varies based on the source of the threats: o When a subverted link is used to launch the action, the threat consequence zone covers routers that are using the link to exchange the routing information. o When subverted routers, unauthorized routers, or masquerading routers are the attackers, the threat consequence zone covers routers with which the attackers are exchanging routing information. o The threat consequences might disappear as soon as the interference is stopped, or might not totally disappear until the networks have converged. 
Therefore, the consequence period is equal to or longer than the duration of the interference.

4.7 Overload

Overload is defined as a threat action whereby attackers place an excess burden on legitimate routers. Attackers can overload the data plane or the control plane. Because the data plane is involved in routing exchanges, overload of the data plane will also influence the routing operations.

Note: The remark below comes directly from the list. More work is needed here.

   This section combines overload of the control plane and the data plane (the control and data plane of the router, I presume, i.e., the routing protocol messages and the data traffic, not the control and data plane of the routing protocol itself as discussed in section 2.1). I think those are two very different topics. For one thing, the routing protocol design might have a chance to limit control plane traffic. But I don't think the routing protocol has much of a chance to limit the data traffic.

   Effect on the behavior of the entire routing system of data plane activity is another case where there's no doubt that there's an opportunity for attack, but not much chance that the routing protocol could do anything about it. (The ability of someone to break the transport protocol connection (e.g., TCP RST) is another. Traffic analysis is another. Overload on the data plane is another.)

   How do we handle these? Leave them out of the Routing *PROTOCOL* threat list? Or list them here as threats but eliminate from the requirements draft? Specially designate them here as threats but not through the routing protocol? I'm not sure - I think we have to decide what the purpose of the document is to make a choice.

4.8 Byzantine Failures

Definition is needed.
It is not clear how to validate that a Byzantine failure has occurred.

NOTE: More work is needed.

4.9 Discarding of Control Packets

TBD: Not clear from the list what text is needed here.

4.10 Network Mapping Threats

TBD

4.11 DoS and DDoS Attacks

TBD: Information to be collected from the list.

5. Security Considerations

This entire informational draft is security related. Specifically, it addresses the security of routing protocols with respect to the threats to those protocols.

In a larger context, this work builds upon the recognition of the IETF community that the signaling and control/management planes of networked devices need strengthening. Routing protocols can be considered part of that signaling and control plane. However, to date, routing protocols have largely remained unprotected and open to malicious attacks.

This document discusses inter- and intra-domain routing protocol threats as we know them today and lays the foundation for a future draft which fully discusses security requirements for routing protocols.
Authors' Addresses

Abbie Barbir (Editor)
Nortel Networks
3500 Carling Avenue
Nepean, Ontario K2H 8E9
Canada

Phone:
EMail: abbieb@nortelnetworks.com

Sandy Murphy
Network Associates, Inc
3060 Washington Rd.
Glenwood, MD 21738
USA

Phone: 443-259-2303
EMail: sandy@tislabs.com

Yi Yang
Cisco Systems
7025 Kit Creek Road
RTP, NC 27709
Canada

Phone:
EMail: yiya@cisco.com

Appendix A. Acknowledgements

This draft would not have been possible without the excellent efforts and teamwork of those listed here.
   o  Dennis Beard - Nortel Networks
   o  Ayman Musharbash - Nortel Networks
   o  Paul Knight - Nortel Networks
   o  Elwyn Davies - Nortel Networks
   o  Ameya Dilip Pandit - Graduate student - University of Missouri
   o  Senthilkumar Ayyasamy - Graduate student - University of Missouri

Appendix B. Acronyms

AODV - Ad-hoc On-demand Distance Vector routing protocol

AS - Autonomous system. Set of routers under a single technical administration. Each AS normally uses a single interior gateway protocol (IGP) and metrics to propagate routing information within the set of routers. Also called routing domain.

AS-Path - In BGP, the route to a destination. The path consists of the AS numbers of all routers a packet must go through to reach a destination.

BGP - Border Gateway Protocol. Exterior gateway protocol used to exchange routing information among routers in different autonomous systems.

eBGP - External BGP. BGP configuration in which sessions are established between routers in different ASs.

iBGP - Internal BGP. BGP configuration in which sessions are established between routers in the same AS.

LSRP - Link-State Routing Protocol

LSA - Link-State Announcement

M-OSPF - Multicast Open Shortest Path First

NLRI - Network layer reachability information. Information that is carried in BGP packets and is used by MBGP.

OSPF - Open Shortest Path First. A link-state IGP that makes routing decisions based on the shortest-path-first (SPF) algorithm (also referred to as the Dijkstra algorithm).
Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.

Full Copyright Statement

Copyright (C) The Internet Society (2003). All Rights Reserved.

This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works.
However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.