INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 1 Network Working Group L. Amini Internet-Draft IBM Research Expires: March 31, 2003 A. Barbir Nortel Networks Oskar Batuner Independent consultant M. Day Cisco Systems O. Spatscheck AT&T Labs Kobus van der Merwe AT&T Labs Security Threat for Content Internetworking draft-ietf-cdi-threat-00.txt Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on March 31, 2003 Copyright Notice Copyright (C) The Internet Society (2000). All Rights Reserved. INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 2 Security Threat for Content Internetworking draft-ietf-cdi-threat-00.txt Abstract Content internetworking (also referred to as content distribution internetworking, or CDI) is the technology for interconnecting content networks. The CDI model allows for interconnecting various Content Networks. The internetworking task requires request routing and content distribution protocols. This document investigates the security risks and threats associated with the content internetworking. Proposed remedies are viewed not as design recommendations but more as illustrations of the nature of threats. 1. Introduction Content internetworking (CDI) combines the resources of multiple content networks (CN) to increase their scale and reach. At the core of CDI are a request routing system and a distribution system. The request-routing system (RRS) directs client requests to surrogates and/or CNs that can best service the request. The internetworking of CNs is performed through Content Internetworking Gateway (CIG). The internetworking distribution system is responsible for moving content from one Distribution CN to another Distribution CN. Finally, the accounting infrastructure tracks and collects data on request-routing, distribution, and delivery functions within the CDN. The details of the CDI model can be found in [1]. The use of CDI - as any new mechanism - introduces new security risks and threats to the internetworked CNs. Some of these threats are specific to the CDI model, some are inherited from the CN systems. This document covers both new and inherited threats with distinctions made were appropriate. The security risks within CDI can be classified along various dimensions including: - the source of the threat ("insider" versus "outsider"), - the level at which the attack occurs (network level attack versus application level attack), - the type of harm that results from an attack (harm to content, harm to identity, harm to finances). INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 3 - the elements of the architecture attacked (e.g., the Distribution System, the Request Routing System, the Accounting System, the clients, or publishers) All of these dimensions are considered in this document (some in greater detail) to develop a complete view of the threat model for content internetworking. However, this document focuses only on those threats specific to the content internetworking model. It does not consider, for example, the following issues: - The security risks within an individual CN, such as denial of service attacks on individual surrogates, are beyond the scope of this document. - Content security issues, such as the integrity of transformations or adaptations performed on content, are outside the scope of the current work. - This document does not specify or recommend any particular solutions. In some cases however, potential threat mitigation steps are given to help illustrate a given threat. The remainder of this document is organized as follows. We begin by describing the CDI Trust Model, and distinguish between "insider" and "outsider" attacks. Next, we broadly classify attacks as occurring at the network, content internetworking, or application level, and detail the resultant type of harm. We refine this list by detailing how the attacks might be perpetrated on specific components of the CDI architecture, and potential mitigation steps. 1.1 Conventions used in this document Key terms in ALL CAPS, except those qualified with explicit citations, are defined in [1]. 2. Content Internetworking Trust model Relationships between CN's in the CDI model can be decomposed into relationships between individual pairs comprising a CONTENT SOURCE and a CONTENT DESTINATION. The ORIGIN refers to the point at which CONTENT enters the CDI model, and therefore is a specific type of CONTENT SOURCE. The trust model utilized within CDI is based on a transitive trust between a CONTENT SOURCE and a CONTENT DESTINATION. The transitive nature of the trust originates from the need of an ORIGIN to rely on one or more CONTENT SOURCE - CONTENT DESTINATION INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 4 pairs to deliver CONTENT to CLIENTs on the ORIGIN's behalf. The trust model involves the following parties in trust relationships: - CONTENT SOURCE and CONTENT DESTINATION - CONTENT SOURCE and CLIENT - CONTENT DESTINATION and CLIENT We will use the term TRUSTED PARTY to refer to a party involved in a trust relationship. We begin by classifying security risks into two main categories: threats from "insiders," and threats from "outsiders." Outsiders are those entities that have not established a trust relationship within the content internetworking system. Insiders are TRUSTED PARTIES that are participating in a trust relationship within the content internetworking system. Threats from within the system may be intentional or unintentional. Intentional threats refer to the ability of a TRUSTED PARTY of a CDI relationship to mislead or harm, the party with which it has a trust relationship. For example, the TRUSTED PARTY, a CONTENT DESTINATION, might misrepresent quality or quantity of the service provided to the trusting party, a CONTENT SOURCE. This is distinct from the case when a TRUSTED PARTY's system is compromised by an outsider, which is covered as an "outsider" threat. Unintentional threats refer to the ability of a TRUSTED PARTY, through improper implementation or configuration resulting in bad system behavior, to mislead or harm the party with which it has a trust relationship. Content internetworking allows for relationships whose terms and conditions are partially or completely established outside the context of the content internetworking protocols, and refers to these relationships as NEGOTIATED RELATIONSHIPS. Just as trust relationships established completely within the context of content internetworking protocols, NEGOTIATED RELATIONSHIPS can result in intentional or unintentional threats. Threats from outside the system, or outsiders, may also be intentional or unintentional. Since unintentional threats from outsiders do not rely on the trust model, and are not specific to the content internetworking model, this document will consider only outsider threats that are intentionally perpetrated. In this document, we will focus on intentional and unintentional threats from within the system, and intentional threats from outside the system. INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 5 3. Threat classification by architectural level In this section, we broadly classify threats according the architectural level -- network, content internetworking, or application -- at which the threat occurs. We refer to threats exploiting design or implementation weaknesses of internetworking and transport protocols (i.e., layer 3 and below of the TCP/IP protocol suite) as network level threats. We refer to threats exploiting weaknesses in content internetworking protocols as content internetworking level threats. We include in content internetworking level attacks, threats against CONTENT distributed using CDI specific protocols. Finally, we refer to threats to applications that utilize a content internetworking system as application level threats. Where appropriate, the type of harm that can result from an attack is provided to show the complex interaction between different threats and/or attacks. For example, harm to content in the form of content degradation or content substitution might harm the finances of the content provider which might in turn harm the finances of the service provider. A denial of service attack or theft of identity might have a similar effect on parties involved with CDI. 3.1 Network Level Threats. The content internetworking model comprises CONTENT NETWORKs, which in turn comprise CONTENT NETWORK ELEMENTS. A CONTENT NETWORK ELEMENT is a network device that performs at least some of its processing by examining CONTENT-related parts of network messages. Examples of CONTENT NETWORK ELEMENTS include CONTENT INTERNETWORKING GATEWAYs (CIG) and SURROGATES. In IP-based networks, a CONTENT NETWORK ELEMENT is a device whose processing depends on examining some or all of an IP packet's body. As such, CONTENT NETWORK ELEMENTs are vulnerable to many types of network level attacks. Examples of TCP/IP attacks include IP spoofing and session stealing. The CERT Coordination Center [2] maintains an extensive repository of Internet Security vulnerabilities. Harm specific to CONTENT NETWORK ELEMENTS, such as a CIG, achievable by hijacking a TCP/IP session includes the ability of outsiders to inject believable content distribution and request routing messages into the communication between CIG peers. This may lead to the injection of bogus content or bogus routing information that may lead to the breaking of the peer to peer connection. Any break in the INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 6 peer to peer communication can have a ripple effect on the request routing system or the distribution system that could lead to disrupted services to end users. CONTENT NETWORK ELEMENTS are also susceptible to a number of security threats commonly associated with network infrastructure. These threats include snooping, denial of service, sabotage, vandalism, industrial espionage, theft of service and inadequate system configuration that leaves unneeded ports and services open to the public. 3.2 . Content Internetworking Level Threats. Content internetworking Level threats generally belong to one or more of the following categories: - denial of service - content distortion - threats to identity - threats to privacy - content theft - security threats - threats to finances In the following subsections we elaborate on these threats and potential resultant harm. 3.2.1 Denial of service threats. At the Content Internetworking level, a denial of service (DoS) threat can be perpetrated on a number of levels. For example, an attack could be launched: - specifically against a CONTENT SOURCE, thereby preventing any distribution from taking place - against a content set, causing all CNs servicing this content set to be affected. - against all SURROGATES of a specific CN. A CONTENT SOURCE distributing streaming content, due to its high bandwidth nature and, in the case of live streaming, limited injection points, are likely to be especially vulnerable to DoS threats. Misuse of a CN may make its facilities unavailable or available only at reduced functionality. Denial of service attacks can be targeted at a CN accounting system, distribution system, or request-routing system. INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 7 3.2.1.1. "Complexity threat": both CDN and CDI introduce many components and complex infrastructure. Malfunctioning of these components and infrastructure may result in DoS. 3.2.1.2. Misconfigured request routing (unintentional or malicious) may cause request loss or looping and result in DoS. 3.2.1.3. Conflicts between request routing and accounting mechanisms may create a DoS threat: a CN may refuse to deliver content because the authorization system treats a valid request as invalid (not coming from an authorized customer). 3.2.1.4. By redistributing the load between CNs CDI may cause DoS by unintentionally overloading one of CNs. Usually CNs have a specific (proprietary) adaptive mechanisms for load balancing. CDI load balancing mechanisms may be inadequate/malfunction or be incompatible with corresponding CDN load balancing. 3.2.1.5. A CN may cause problems in another CN by sending (unintentionally or with malicious intent) more content than advertised capacity permits. 3.2.1.6. Corruption (intentional or non intentional) of security related metadata (authentication data) might result in DoS: CN or CDI may refuse to perform a legitimate service. 3.2.1.7. False advertisement (unintentional or malicious) of nonexistent distribution/coverage capacity may result in failure of several CNs. Same problems may result when advertisement and usage policy do not reflect dynamic conditions. 3.2.1.8. Incompatible request routing systems may cause problems resulting in DoS. 3.2.1.9. Peering agreements may be vital for CDN functionality. This makes peering reliability a security issue. CIG (distribution CIG and request routing CIG) may introduce a single point of failure. Attack on (or malfunctioning of) a CIG may result in system disintegration and DoS for both CNs. 3.2.2 Content distortion threats. 3.2.2.1 An attacker may cause a CN to advertise bogus content, e.g. replacing proper content with bogus content either at the injection point of the system (CN or CDI) or inside elements of the system (e.g. surrogates inside the CN). INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 8 3.2.2.2. A CN may provide bogus information, e.g. a rogue "CN" inserting itself in the distribution path between two CNs to monitor and/or modify the content that they exchange. 3.2.2.3. A CN may advertise the availability of content which it doesn't have and can not distribute. This attacks can be the result of malicious CIG taking over the identity of a CIG to be able to inject bogus info into system, or a CIG that is compromised 3.2.3 Threats to user identity. Identity/authentication threats may result from third party getting access to authentication data of end user or system component (surrogate, CIG) and this data permits unauthorized actions to be performed. Note that the last condition is essential: interception of session initiation packets of replay-resistant secure authentication protocol does not create such a threat. Storage of security related data (user identities, passwords, etc.) creates an additional security threat. 3.2.4 Threats to privacy. Privacy threats may result in personal user information made available to third party without user's consent. 3.2.4.1. A CN may inadvertently or maliciously expose private information (passwords, buying patterns, page views, and credit card numbers) as it collects it and transits from surrogate to origin and/or publisher. 3.2.4.2. Accounting information transfer may jeopardize privacy. 3.2.4.3. Privacy threats may result from differences in privacy policy of Publisher, CDN and CDI. 3.2.4.4. Privacy and security threats from crossing jurisdiction boundaries: transfer and storage of sensitive privacy-related data (accounting, logs), transfer and storage of (secure) content and distribution of content from a different jurisdiction may create a security threat due to different level of legal protection. 3.2.5. Legal threats: by extending activities through jurisdiction boundaries CN and CDI may unintentionally violate local regulations (privacy and security policies). 3.2.6 Content theft. Unauthorized access to non-public (secure or non-secure) content. For INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 9 secure content such unauthorized access clearly violates intention of security system and usually constitutes a content theft (paid content, proprietary data). An example of unauthorized access to non-secure content is interception of form data in not-secure transmission or direct access to URL that is not supposed to be publicly available. 3.2.7 Security threats 3.2.7.1 Unauthorized access to metadata that is not supposed to be publicly available. This may include access to logs and accounting data containing private user's information, access to configuration data that may be used to facilitate future attacks and so on. 3.2.7.2 Exposure of Security Settings: There may be risks that expose client's security settings when content is served from surrogates as opposed to origin servers. Since the location of the surrogate is generally transparent to the client, the client may be aware that its protections are no longer enforced. 3.2.7.3 Improper enforcement of Security Policy Policy information regarding security of the client may not be properly propagated when the requests are directed to surrogates in a CN that are different from the origin server. Client passwords and personal information may be less secure. 3.2.8. Improper Carriage of Security Policies Surrogate may not employ the same security policies and procedures as the origin server. This may expose the client private information to access by unauthorized entities. The same threat may also result if the legal jurisdiction of the surrogate is different from that of the origin. 3.2.8.1. Different implementation of security at Publisher, CDN and CDI level may create security threats 3.2.8.2. Distribution of content from a different network location may create a security threat if client security policy depends on network location ("Internet Web Content Zone"). 3.2.8.3. Transfer and storage of secure content create additional security threats. 3.2.8.4. The process of propagation of security policy and security related data (user identities, passwords, etc.) creates security INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 10 threats both at CDN and CDI level. 3.2.9 Threats to finances Delivery of inaccurate accounting information or malicious distortion of this information may cause financial harm to all participating parties. 3.2.9.1 The client may be inappropriately charged for viewing content that was not successfully accessed or delivered according to some QoS criteria. 3.2.9.2 If a CN or Publisher is unable to collect or receive correct accounting information they may be unable to collect compensation for services. 3.3 Application level threats. TBD (section should include attacks targeting applications that utilize the content internetworking system) 4. Threats against specific elements of the CDI architecture In this section, we refine the list of threats by detailing how the attacks might be perpetrated on specific components of the CDI architecture. This section is intended to be used input to specify the security requirements for the content distribution and request routing protocols. Along the dimension of threats against specific elements of the architecture, threats against the accounting system should also be noted. A detailed analysis of the threats against the accounting system can however only be done within the framework of a specific accounting system and is considered outside the scope of this document. 4.1 Threats to the Content Internetworking Gateway The CIG is the connecting point for the CNs that are participating in the CDI model. CIGs from various CNs establish peer to peer relationships in order to exchange content distribution and request routing information. Threats on the CIG can be perpetrated at all levels, the network, content internetworking, and application level. A CIG must be accessible at the network level from many other CIGs. The CIG is vulnerable to any of the network level attacks specified in Section 3.1. The CIG is susceptible to network level INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 11 attacks from outsiders, which may or may not be posing as the CIG of a TRUSTED PARTY, and from CIGs of TRUSTED PARTIES. 4.2 Threats to Distribution System Threats to distribution system from insiders can be intentional or the result of bad implementation. Outsiders can pose the same threats if they acquire access to the distribution system. The threats include: 4.2.1 Advertising of unavailable content. 4.2.3 Advertising of bad metrics that are associated with a given content. 4.2.4 Delivery of bad content to surrogates in the connected CN 4.2.5 Using badly formed messages for advertisements 4.3 Threats to Request Routing System Threats to the request routing system from insiders or outsiders include: 4.3.1 Advertising of wrong metrics to force unfair or inaccurate redirection to a given CN. 4.3.2 Redirection to a CN that does not have the content. 4.3.3 The introduction of loops in the requesting routing system. 4.3.4 Redirection to an inappropriate surrogate. 4.3.5 Forwarding request when no forwarding is appropriate. 4.3.6 Failing to forward requests when forwarding is appropriate. 4.3.7 Using badly formed messages for advertisements h) TBD 5. CDI Security Threat Mitigation The main security issues for the CDI model are focused on the Trust model. Insiders are TRUSTED PARTIES, while outsiders are not. Threats from outsiders are primarily at the network level. There are well known solutions to network level threats that are practiced in the industry. In this work, it is recommended that the security of the CONTENT NETWORK ELEMENTs at the network level be enhanced using standard techniques and methods that minimize the risks of IP spoofing, snooping, denial of service and session stealing. Threats at the content internetworking and application levels can be mitigated by using strong authentication and encryption techniques. Therefore, there may be the need to make strong authentication and encryption a requirement for the CDI model. IPSec INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 12 and TLS are solutions for this requirement. Regardless of the choice of the protocol, the solution must scale to accommodate large number of interconnected CNs. Furthermore, it is recommended not to send passwords in the clear. To mitigate threats from insiders CDI must implement appropriate monitoring, signaling, logging, dynamic authorization and verification mechanisms. The following sections provide more detailed guidelines for development of request routing and distribution protocols for content internetworking. 5.1 Treatment of malformed messages Malformed message can be the result of bad implementation or a consequence of an outside attack on a given CN whereby, the attacker gains access of the peering system. A Malformed messages is a message that does not comply with the message format for the distribution (or request routing) protocol. A malformed message may be a message that has wrong content attributes in it or wrong IP footprint. A malformed IP or IPSec packet is not considered a malformed message. In the event that a CN detect malformed messages terminating the session appears to be the only safe way to handle it. Terminating a session does not mean terminating the peering relationship. The session can be restarted after termination. If the problem of malformed messages persists, the interconnected CNs must verify the cause of the problem and proceed with a solution. The treatment of malformed messages is different than the case where a peer intentionally or unintentionally sends incorrect advertisements which might lead to incorrect selections. For example, a CN might incorrectly advertise low load, low cost and good coverage and therefore attract a large proportion of traffic. This problem can be somewhat mitigated through filtering of advertisements and local policies but ultimately comes down to a trust relationship between peers. 5.2 General Distribution and Request Routing Protocol Requirements Based on the security threats that are faced by other peer-to-peer based protocols such as BGP, this section provide some guidelines that should be used during the design of the request routing and content distribution protocols. 5.2.1 There should be a mechanism that provides strong protection of the integrity, freshness and source authenticity of the messages in INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 13 the protocol. Techniques such as digital signature may be used. 5.2.2 There should be a mechanism to validate the authenticity of a CN_Path value. 5.2.3 There should be a mechanism to use IP level protection that can be used to provide connectionless integrity, data origin authentication, and secure authentication. 5.2.4 There should be a mechanism to protect the peer-to-peer connection by applying cryptographic protection at the TCP level to provide connectionless integrity and data origin authentication. References [1] Day, M., Cain, B. and G. Tomlinson, "A Model for Content Distribution Internetworking", January 2001. [2] CERT Coordination Center (CERT/CC). http://www.cert.org/nav/index_main.html