OPSEC Working Group Z. Ye Internet Draft M. Fuyou Expires: November 2006 Huawei Technologies R. Callon Juniper Networks May 30, 2006 Routing Control Plane Security Capabilities draft-zhao-opsec-routing-capabilities-01.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on November 30, 2006. Copyright Notice Copyright (C) The Internet Society (2006). All Rights Reserved. Abstract The document lists the security capabilities needed for the routing control plane of an IP infrastructure to support the practices defined in Operational Security Current Practices [OSCP]. In particular this includes capabilities for route filtering and for authentication of routing protocol packets. Zhao Expires November 30, 2006 [Page 1] Internet-Draft Control Plane Security Capabilities May 2006 Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] Table of Contents 1. Introduction................................................2 1.1. Threat model...........................................3 1.2. Capabilities versus Requirements........................3 1.3. Packet Filtering versus Route Filtering.................3 1.4. RFC 2119 Keywords.......................................4 2. Route Filtering Capabilities.................................5 2.1. Route Filtering of External Routing Protocols...........5 2.2. Route Filtering Within an IGP Area......................7 2.2.1. Route Filtering Within an IGP Area.................7 2.2.2. Route Filtering Between IGP Areas..................7 2.3. Ability to Filter Routing Update by TTL.................8 3. Route Flap Dampening.........................................9 4. Authentication of Routing Protocols..........................9 5. Security Considerations.....................................10 6. Acknowledgements...........................................10 7. References.................................................12 7.1. Normative References...................................12 7.2. Informative References.................................13 Author's Addresses............................................14 Intellectual Property Statement................................14 Disclaimer of Validity........................................15 Copyright Statement...........................................15 Acknowledgment................................................15 1. Introduction This document is defined in the context of [FRAMEWORK] and [OSCP]. The Framework for Operational Security Capabilities [FRAMEWORK] outlines the effort of the IETF OPSEC working group. This includes producing a series of drafts to codify knowledge gained through operational experience about capabilities that are needed to securely deploy and operate managed network elements providing transit services at the data link and IP layers. This document lists the security capabilities needed for the routing control plane of IP infrastructure to support the practices defined in Operational Security Current Practices [OSCP]. In particular this Zhao Expires November 30, 2006 [Page 2] Internet-Draft Control Plane Security Capabilities May 2006 includes capabilities for route filtering and for authentication of routing protocol packets. Note that this document lists capabilities that can reasonably be expected to be currently deployed in the context of existing standards. Extensions to existing protocol standards and development of new protocol standards are outside of the scope of this effort. The preferred capabilities needed for securing the routing infrastructure may evolve over time. There will be other capabilities which are needed to fully secure a router infrastructure. For example, network management of devices must be secured in order to prevent unauthorized access to or denial of service to the device [NMASC]. The reader should refer to [FRAMEWORK] for a more complete list of documents describing operational capabilities for network and link layer devices supporting IP Network Infrastructure. Operational Security Current Practices [OSCP] defines the goals, motivation, scope, definitions, intended audience, threat model, potential attacks and give justifications for each of the practices. 1.1. Threat model The capabilities listed in this document are intended to aid in preventing or mitigating the threats outlined in [FRAMEWORK] and [OSCP]. 1.2. Capabilities versus Requirements Capabilities may or may not be requirements. That is a local determination that must be made by each operator with reference to the policies that they must support. It is hoped that this document, together with [OSCP] will assist operators in identifying their security capability requirements and communicating them clearly to vendors. The capabilities described in this document follow the format outlined in section 1.7 of [FRAMEWORK]. 1.3. Packet Filtering versus Route Filtering It is useful to make a distinction between Packet Filtering versus Route Filtering. The term "packet filter" is used to refer to filters that routers apply to network layer packets that they are forwarding. In general Zhao Expires November 30, 2006 [Page 3] Internet-Draft Control Plane Security Capabilities May 2006 packet filters are based on contents of the network (IP) and transport (TCP,UDP) layers, and are mostly stateless, in the sense that whether or not a filter applies to a particular packet is a function of that packet (including the contents of IP and transport layer headers, size of packet, incoming interface, and similar characteristics), but does not depend upon the contents of other packets which might be part of the same stream (and thus which may also be forwarded by the same router). One commonly minor exception to the "stateless" nature of packet filters is that packets that fit a particular filter may be counted and/or rate limited (the act of counting therefore represents a very simple "state" associated with the filter). Because of the simplicity and stateless nature of packet filters, they can typically be implemented with very high performance. It is not unusual for them to be implemented on line cards and to perform at or near full line rate. For this reason they are very useful to counter very high bandwidth attacks, such as large DDoS attacks. Packet filtering capabilities are outside of the scope of this document. A detailed description of packet filtering capabilities can be found in "Filtering Capabilities for IP Network Infrastructure" [FILTER]. The Term "route filter" is used to refer to filters that routers apply to the content of routing protocol packets that they are either sending or receiving. Typically these therefore occur at the application layer (although which route filters are applied to a particular packet may be a function of network layer information, such as what interface the packet is received on, or the source address for the packet -- indicating the system that transmitted the packet). Route filters are typically implemented in some sort of processor. In many cases the total bandwidth which can be received by the processor is considerably less than the sum of the rate that packets may be received on all interfaces to a router. Therefore in general route filters cannot handle the same bandwidth as packet filters. Route filters are however very useful in that they can be applied to the contents of routing packets. 1.4. RFC 2119 Keywords The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Zhao Expires November 30, 2006 [Page 4] Internet-Draft Control Plane Security Capabilities May 2006 The use of the RFC 2119 keywords is an attempt, by the authors, to assign the correct requirement levels ("MUST", "SHOULD", "MAY"...). It must be noted that different organizations, operational environments, policies and legal environments will generate different requirement levels. NOTE: This document defines capabilities. This document does not define requirements, and there is no requirement that any particular capability be implemented or deployed. The use of the terms MUST, SHOULD, and so on are in the context of each capability in the sense that if you conform to any particular capability then you MUST or SHOULD do what is specified for that capability, but there is no requirement that you actually do conform to any particular capability. 2. Route Filtering Capabilities 2.1. Route Filtering of External Routing Protocols Capability. The device MUST provide a means to filter routing updates for all protocols used to exchange external routing information. Generally this includes BGP [RFC4271], as well as static routes. Supported Practices. See [RFC3013] and section 3.2 of [RFC2196] and section 2.5 of [OSCP]. Current Implementations. Typically BGP implementations allow operators to apply a variety of filters to restrict which incoming updates are accepted from BGP peers, as well as to limit which updates are sent out to BGP peers. In general packet filters may be used in the following ways: - Routers MUST allow operators to configure route filters which restrict which routes are accepted from other peer routers. Route filters MUST be capable of being individually configured on a per- neighbor basis. - Routers MUST allow operators to configure route filters which restrict which routes are sent to other peer routers. Route filters MUST be capable of being individually configured on a per-neighbor basis. - Routers SHOULD allow operators to configure whether Outbound Route Filters [ORF] are accepted from other peer routers. This SHOULD be configurable on a per-neighbor basis. Zhao Expires November 30, 2006 [Page 5] Internet-Draft Control Plane Security Capabilities May 2006 - Routers SHOULD allow operators to configure which (if any) Outbound Route Filters [ORF] are sent to other peer routers. This SHOULD be configurable on a per-neighbor basis. In general route filters determine whether a route is accepted from or sent to a neighboring router. Filters MAY be based upon any combination of route attributes, such as: - Specific route prefixes This may include a list of specific prefixes to be accepted or rejected. This may alternately include a list of prefixes, such that more specific (longer) prefixes which are included in the more inclusive (shorter) prefix are accepted, rejected, or summarized into the shorter prefix. - Maximum length of route prefix - Maximum number of routes to be accepted from a particular peer router If too many routes are received, then the router may reset the BGP session, or may reject excess routes. In either case the failure event should be logged. - Restrictions on the AS_PATH Restrictions on the contents of the AS PATH are frequently used: for example if you get a prefix from AS X, then you might want to make sure that X is in the AS PATH. - Restrictions on BGP Community and Extended Community Route redistribution is used to exchange routing information between different protocols. Although route redistribution bridges between different route domains and improves the flexibility of routing system, it may lead to looping or black hole as well. - Routers SHOULD provide method to limit the scope of route redistribution between different route protocols. Unfiltered redistribution SHOULD be forbidden. Zhao Expires November 30, 2006 [Page 6] Internet-Draft Control Plane Security Capabilities May 2006 Considerations. Operators may wish to ignore advertisements for routes to specially used addresses, such as private addresses, reserved addresses and multicast addresses, etc. The up-to-date allocation of IPv4 address space can be found in [IANA]. 2.2. Route Filtering Within an IGP Area This section describes route filtering as it may be applied to OSPF [RFC 2328] and IS-IS [RFC1195] when used as the interior routing protocol (Internal Gateway Protocol or "IGP") used within a routing domain. Route filtering with RIP [RFC2453] is TBD. 2.2.1. Route Filtering Within an IGP Area A critical design principle of OSPF and IS-IS is that each router within an area has the same view of the topology, thereby allowing consistent routes to be computed by all routers within the area. For this reason, all properly authentication (if applicable) routing topology advertisements (Link State Advertisements or LSAs in OSPF, or Link State Packets or LSPs in IS-IS) are flooded unchanged throughout the area. Route filtering within an OSPF or IS-IS area is therefore not appropriate. 2.2.2. Route Filtering Between IGP Areas Capability It is normal when passing routes into the backbone area (area O.0.0.0 in OSPF, or the level 2 backbone in IS-IS) for routes to be summarized, in the sense that multiple more specific (longer) address prefixes that are reachable in an area may be summarized into a smaller number of less specific (shorter) address prefixes. This provides important scaling improvements, but is generally not primarily intended to aid in security and is therefore outside of the scope of this document. Routers MAY implement the capability to allow the network operator the option of configuring route filters which restrict which routes (i.e. address prefixes) are advertised into areas from outside of the area (i.e. from other OSPF or IS-IS areas). Supported Practices TBD. Current Implementations TBD. Zhao Expires November 30, 2006 [Page 7] Internet-Draft Control Plane Security Capabilities May 2006 Considerations If filters are used which restrict the passing of routes between IGP areas, then this may result in some addresses being unreachable from some other areas within the same routing domain. 2.3. Ability to Filter Routing Update by TTL Capability The device should provide a means to filter route packets based on the value of the TTL field in the IPv4 header or the Hop-Limit field in the IPv6 header. For example, in many cases routing protocol packets should only be arriving from immediate neighboring routers. In these cases, packets SHOULD be dropped if the TTL is not equal to 255. In these cases filtering on TTL prevents any system which is not immediately physically adjacent to a router from sending that router spoofed routing packets. Note that "Filtering Capabilities for IP Network Infrastructure" [FILTER] specifies: Capability. The filtering mechanism supports filtering based on the value(s) of any portion of the protocol headers for IP, ICMP, UDP and TCP. The ability to filter based on TTL is therefore a packet filtering capability which is already implicitly covered by the capabilities listed in [FILTER]. Since this capability is particularly important for routing protocols, we felt that it is worth mentioning here. Supported Practices. See [OSCP] section 2.5.7 Current Implementations. When a router forwards a packet, it will decrement the TTL value (Hop-Limit for IPv6) of the packet by one. Thus, TTL spoofing is considered nearly impossible. Furthermore, the vast majority of routing peers are adjacent. This capability is therefore quite useful, and is widely implemented in routers. Considerations. There will be situations in which the distance to the neighboring router is more than one hop away. This for example is common for I- BGP. Zhao Expires November 30, 2006 [Page 8] Internet-Draft Control Plane Security Capabilities May 2006 3. Route Flap Dampening "Route flap" means that a route's state changes from up to down or down to up. In some cases a route may come up and go down multiple times in a short period of time (for example due to an unstable link somewhere in the global Internet). When repeated route flapping occurs, the route process has to insert or delete an item and the advertised update. If large amounts of routes continue to go up and down multiple times in a short time period this may result in significant load on CPUs and could result in DoS (whether intentional or not). Capabilities. The device MUST provide ability to dampen route flap. Route Flap dampening MUST be configurable. For example, some operators may want to change the timers, and others may want to turn it off altogether. Supported Practices. The function to dampen route flap may enhance the stability of routing system and minimize the influence of flapping. It is useful to counter against some DoS attacks. Current Implementations. In BGP, route flapping dampening is the primary mechanism to mitigate the influence caused by flapping. Most of current implements support this capability. Consideration. None 4. Authentication of Routing Protocols As mentioned in [RFC4272], the authentication mechanism specified in [TCPMD5] can counter several types of attacks on BGP, such as message insertion, modification, deletion, man-in-the-middle, and some types of DOS attack. Even though an assailant can guess TCP sequence numbers of a BGP session, he will fail to launch the attack mentioned above. Most other routing protocols adopt similar authentication mechanism. Capabilities. - MUST provide a mechanism through which operators can manually configure a sequence of keys on peer systems Zhao Expires November 30, 2006 [Page 9] Internet-Draft Control Plane Security Capabilities May 2006 - MUST provide a mechanism through which peer systems can transition from one key to another based upon system time - MUST provide a mechanism through which peer systems can transition from one key to another without resetting the neighboring session - MUST support authentication algorithms that are stronger than MD5 (e.g., CMAC-AES-128-96, HMAC-SHA-1-96). - SHOULD support automatic generation and encrypted distribution of key material. Supported Practices. See [OSCP] section 2.5.7. Current Implementations. [TCPMD5] is deployed widely in BGP. Other routing protocols, such as OSPF, adopt similar technology. In most of current implements, neither the authentication mechanism nor key can be negotiated. An operator has to configure it manually. Consideration. OSPF supports plain text authentication which is not able to counter attacks above. Most OSPF implementations also support MD5 authentication. In this section the authentication mechanism refers to the technology using cryptographic hash functions. In order to counter key-guessing attack, when manual key management is used, a device SHOULD support a proper length of a key . 5. Security Considerations Security is the subject matter of this entire document. This document lists device capabilities intended to improve the ability of the network to withstand security threats. Operational Security Current Practices [OSCP] defines the threat model and practices, and lists justifications for each practice. 6. Acknowledgements The authors gratefully acknowledge the contributions of: o tbd, xxx, yyy, ... Zhao Expires November 30, 2006 [Page 10] Internet-Draft Control Plane Security Capabilities May 2006 o We would like to thank Ron Bonica and Pat Cain for their helpful comments and suggestions. o This listing is intended to acknowledge contributions, not to imply that the individual or organizations approve the content of this document. o Apologies to those who commented on/contributed to the document and were not listed. Zhao Expires November 30, 2006 [Page 11] Internet-Draft Control Plane Security Capabilities May 2006 7. References 7.1. Normative References [RFC1208] Jacobsen, O. and D. Lynch, "Glossary of networking terms", RFC 1208, March 1991. [RFC1812] Baker, F., "Requirements for IP Version 4 Routers", RFC 1812, June 1995. [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and E. Lear, "Address Allocation for Private Internets", BCP 5, RFC 1918, February 1996. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate equirement Levels", BCP 14, RFC 2119, March 1997. [RFC2196] Fraser, B., "Site Security Handbook", RFC 2196, September 1997. [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, RFC 2827, May 2000. [RFC3013] Killalea, T., "Recommended Internet Service Provider Security Services and Procedures", BCP 46, RFC 3013, November 2000. [RFC3309] Stone, J., Stewart, R., and D. Otis, "Stream Control Transmission Protocol (SCTP) Checksum Change", RFC 3309, September 2002. [RFC3330] IANA, "Special-Use IPv4 Addresses", RFC 3330, September 2002. [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed Networks", BCP 84, RFC 3704, March 2004. [RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway Protocol 4 (BGP-4)", RFC 4271, January 2006. [RFC1195] R. Callon, "Use of OSI IS-IS for Routing in TCP/IP and Dual Environments", RFC1195, December 1990. [RFC2328] J. Moy, "OSPF Version 2", RFC2328, April 1998. [RFC2453] G. Malkin, "RIP Version 2", RFC2453, November 1998. Zhao Expires November 30, 2006 [Page 12] Internet-Draft Control Plane Security Capabilities May 2006 [RFC3682] V. Gill, J. Heasley, D. Meyer, "The Generalized TTL Security Mechanism (GTSM)", RFC3682, February 2004. [TCPMD5] Heffernan, A., "Protection of BGP Sessions via the TCP MD5 Signature Option", RFC 2385, August 1998. 7.2. Informative References [FRAMEWORK] Jones, G., "Framework for Operational Security Capabilities for IP Network Infrastructure", draft-ietf-opsec- framework-01 (work in progress), October 2005. [OSCP] Kaeo, M., "Operational Security Current Practices", draft- ietf-opsec-current-practices-02 (work in progress), October 2005. [FILTER] Morrow, C., "Filtering Capabilities for IP Network Infrastructure", draft-ietf-opsec-filter-caps-00 (work in progress), October 2005. [NMASC] Bonica, R. and S. Ahmed, "Network Management Access Security Capabilities", draft-bonica-opsec-nmasc-00 (work in progress), October 2005. [IANA] IANA, "INTERNET PROTOCOL V4 ADDRESS" SPACE,http://www.iana.org/assignments/ipv4-address-space [RFC3631] Bellovin, S., Schiller, J., and C. Kaufman, "Security Mechanisms for the Internet", RFC 3631, December 2003. [RFC3871] Jones, G., "Operational Security Requirements for Large Internet Service Provider (ISP) IP Network Infrastructure", RFC 3871, September 2004. [ORF] Enke Chen, Yakov Rekhter, "Cooperative Route Filtering Capability for BGP-4", draft-ietf-idr-route-filter-13.txt, (work in progress), March 2006. [RFC4272] S. Murphy., "BGP Security Vulnerabilities Analysis", RFC 4272, January 2006 Zhao Expires November 30, 2006 [Page 13] Internet-Draft Control Plane Security Capabilities May 2006 Author's Addresses Zhao Ye Huawei Technologies No.3, Xinxi Road, Shangdi Information Industry Base Haidian District, Beijing City 100085 Email: yezhao@huawei.com Miao Fuyou Huawei Technologies No.3, Xinxi Road, Shangdi Information Industry Base Haidian District, Beijing City 100085 Email: miaofy@huawei.com Ross W. Callon Juniper Networks 10 Technology Park Drive Westford, MA 01886 USA Email: rcallon@juniper.net Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org Zhao Expires November 30, 2006 [Page 14] Internet-Draft Control Plane Security Capabilities May 2006 Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Zhao Expires November 30, 2006 [Page 15]