Network Working Group                                          D. Beard
Internet-Draft                                          Nortel Networks
Expires: August 22, 2003                                      S. Murphy
                                                Network Associates, Inc
                                                                Y. Yang
                                                          Cisco Systems
                                                      February 21, 2003

                  Generic Threats to Routing Protocols
                 draft-ietf-rpsec-routing-threats-00.txt

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 22, 2003.

Copyright Notice

   Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

   Routing protocols are subject to attacks that can harm individual
   users or the network operations as a whole.
   The lack of a common set of security requirements has led to the use
   in existing routing protocols of a variety of different security
   solutions, which provide various levels of security coverage.

   The RPSEC working group intends to deliver in a separate document a
   set of security requirements for consideration by routing protocol
   designers. The first step in developing the security requirements is
   to analyze the threats that face routing protocols. This document
   describes the threats, including threat sources and capabilities,
   threat actions, and threat consequences, as well as a breakdown of
   routing functions that might be separately attacked.

Table of Contents

   1.     Introduction
   2.     Routing Functions Overview
   2.1    Targeted Functions
   3.     Threat Definitions
   3.1    Threat Sources
   3.2    Threat Actions
   3.3    Threat Consequences
   3.3.1  Threat Consequence Zone
   3.3.2  Threat Consequence Periods
   4.     Generally Identifiable Routing Threat Actions
   4.1    Deliberate Exposure
   4.2    Sniffing
   4.3    Traffic Analysis
   4.4    Spoofing
   4.5    Falsification
   4.5.1  Falsifications by Originators
   4.5.2  Falsifications by Forwarders
   4.6    Interference
   4.7    Overload
   4.8    Byzantine Failures
   4.9    Discarding of Control Packets
   4.10   Network Mapping Threats
   5.     Multicast Routing Protocol Considerations
   6.     Security Considerations
          References
          Authors' Addresses
   A.     Acknowledgements
          Intellectual Property and Copyright Statements

1. Introduction

   The RPSEC working group is tasked to deliver a description of the
   security requirements for routing protocols. This Internet-Draft
   presents an analysis of the threats that face routing protocols, as
   a precursor to developing a common set of security requirements for
   routing protocols. Therefore, we intentionally do not address threats
   to routers themselves (hacking, denial of service flooding attacks,
   etc.) or to specific routing protocol implementations (bugs, etc.).
   The security requirements derived from this threat analysis are
   intended as guidance to those who are designing routing protocols.

2. Routing Functions Overview

   Routing protocols in general have several common functions:

   o  Transport Subsystem: The routing protocol transmits messages to
      its peers using some underlying protocol. For some, as in OSPF,
      this is IP. For others, this can be a broadcast link layer, as in
      AODV. Still others may run over TCP. In many cases, the routing
      protocol is subject to attacks on its underlying protocol.

   o  Neighbor State Maintenance: Each protocol has a different
      mechanism for determining its peers in the routing topology.
      Some protocols have distinct exchanges through which they
      establish peering relationships, e.g., Hello exchanges in OSPF.
      The formation of the peering relationship is the first step of
      topology determination. For protocols that maintain state about
      their peering relationships, attacks that disrupt the peering
      relationship can have widespread consequences. For example, if
      the DR election is disrupted in an OSPF network, an unauthorized
      router could be chosen as designated router. This might allow
      unauthorized access to routing information. In BGP, if a router
      receives a NOTIFICATION message with the CEASE error code, it
      breaks the peering relationship and any related topology
      information is flushed.

   o  Database Maintenance: Routing protocols exchange network topology
      and reachability information. The routers collect this
      information in routing databases in varying detail. The
      maintenance of these databases is a significant portion of the
      function of a routing protocol. The information in the database
      must be authentic and authorized; otherwise the function of
      routing in the overall network is damaged. For example, if an
      OSPF router sends LSAs with the wrong Advertising Router, the
      receivers will compute an SPF tree that is incorrect and might
      not forward the traffic. If a BGP router advertises an NLRI that
      it is not authorized to advertise, then receivers might forward
      that NLRI's traffic toward that router and the traffic would not
      be deliverable. A PIM router might transmit a JOIN message to
      receive multicast data it would otherwise not receive.

2.1 Targeted Functions

   Just as a router's functions can be divided into control and data
   plane (protocol traffic vs. data traffic), so the routing protocol
   has a control and a data plane. A routing protocol has some message
   exchanges that are intended only for control of the protocol state.
   This is the routing protocol control plane. Other message exchanges
   are intended to distribute the information used to perform the
   forwarding function, whether that is to establish a forwarding table
   in each router or to return a description of the route to use. This
   is the routing protocol data plane. Each of the routing functions
   may have both control and data aspects, but there will naturally be
   an emphasis on one or the other. Neighbor maintenance is likely to
   be focused on the routing protocol control plane aspects, for
   example, while database maintenance may have more focus on the
   routing protocol data plane aspects.

   Both the control and the data plane are subject to attack. An
   attacker who is able to target the routing protocol control plane so
   as to break a neighbor (e.g., peering, adjacency) relationship can
   have a strong effect on the behavior of routing in those routers and
   likely the surrounding neighborhood. An attacker who is able to
   break a database exchange between two routers can also affect
   routing behavior. In the routing protocol data plane, an attacker
   who is able to introduce bogus data can have a strong effect on the
   behavior of routing in the neighborhood.

3. Threat Definitions

   Threat is defined in [SEC-GLOSS] as a potential for violation of
   security, which exists when there is a circumstance, capability,
   action, or event that could breach security and cause harm. A threat
   presents itself when an attacker has the ability to take advantage
   of an existing security weakness. Threats can be categorized on
   various bases, such as threat sources, threat actions, threat
   consequences, threat consequence zones, and threat consequence
   periods.
3.1 Threat Sources

   Legitimate devices (routers) participate in the routing dialog and
   computation as intended by the authoritative network administrator,
   running correct and bug-free code, and using correct and bug-free
   configuration information. (By correct and bug-free configuration
   information, we mean that the configurations obey the routing
   protocols and are intended by the authoritative network
   administrator.)

   On the other hand, attackers may participate in routing without
   being authorized, running incorrect code, or using invalid
   configurations. In general, attackers can be outsiders or insiders.
   An insider is an authorized participant in the routing protocol. An
   outsider is any other host or network. A host is determined to be an
   outsider or an insider from the point of view of a particular
   router. Even an authorized protocol speaker can be an outsider to a
   particular router if the router does not consider the speaker to be
   a legitimate peer (as could conceivably happen on a multi-access
   link).

   Specifically, threats can be classified into four categories, based
   on their sources [DV-SECURITY]:

   o  Threats from compromised links: A compromised link is one where
      an attacker can, somehow, access a physical medium and/or has
      some control over the channel. This threat exists when there is
      no access control mechanism applied to physical media or
      channels, or such mechanisms can be circumvented. The attacker
      may eavesdrop, replay, delay, or drop routing messages, or break
      routing sessions between authorized routers, without
      participating in the routing exchange.

   o  Threats from compromised devices (e.g., routers): A compromised
      device (router) is an authorized router with routing software
      bugs, hardware defects, and/or incorrect/unintended
      configurations. This threat takes place when there are no
      mechanisms to verify a device's (router's) system integrity,
      i.e., that the router is working correctly as intended by the
      authoritative network administrator, or such mechanisms can be
      circumvented. The attacker may inappropriately claim authority
      for some network resources, or violate routing protocols, for
      example by advertising invalid routing information.

   o  Threats from unauthorized devices (routers): An unauthorized
      device (router) participates in routing exchange and computation
      without being authorized (explicitly or implicitly) by the
      authoritative network administrator. This threat happens when
      there is no access control mechanism applied to routing sessions
      or routing exchanges, or such mechanism can be circumvented. The
      attacker may gain knowledge of the network topology through the
      routing exchange, as well as do anything that a compromised
      router can do.

   o  Threats from masquerading devices (routers): A masquerading
      device (router) illegitimately assumes another router's identity.
      This threat occurs when there are no (data origin or peer entity)
      authentication mechanisms, or such mechanisms can be
      circumvented. The attacker can do anything that an unauthorized
      router can do.

   A device (router) can play multiple roles concurrently. A legitimate
   OSPF router might be a masquerading RIP router, and a compromised
   iBGP peer might be a compromised OSPF router as well.

3.2 Threat Actions

   A threat action is an assault on system security [SEC-GLOSS], which
   could be an intentional behavior or an accidental event.

   The actions that might be used to attack routing protocols include:

   o  Masquerade: The attacker, whether insider or outsider, may adopt
      the identity of a legitimate peer. (This is an attack against
      origin authenticity.)

   o  Interception: The attacker gains access to routing information
      that is considered sensitive. (This is an attack against
      confidentiality, i.e., privacy.)
   o  Falsification: The attacker is able to substitute modified
      messages for valid routing messages. (This is an attack against
      integrity.)

   o  Misuse: The attacker is able to introduce unauthorized routing
      information that disrupts routing behavior. (This is an attack
      against authorized use.)

   o  Replay: The attacker is able to re-introduce previously
      transmitted messages. (This is an attack against freshness.)

   These attacks might be used by an insider or an outsider to
   accomplish any of the compromises listed below.

3.3 Threat Consequences

   A threat consequence is a security violation that results from a
   threat action [SEC-GLOSS]. The compromise of the behavior of the
   routing system can damage a particular network or host, or can
   damage the operation of the network as a whole.

   Four types of threat consequences, disclosure, deception,
   disruption, and usurpation, are identified in [SEC-GLOSS].
   Specifically for threats against routing protocols, these
   consequences can be described as:

   o  Disclosure: Disclosure of routing information happens where a
      router successfully accesses the information without being
      authorized. Compromised links can cause disclosure if routing
      exchanges lack confidentiality. Compromised devices (routers),
      unauthorized devices (routers), and masquerading devices
      (routers) can always cause disclosure, as long as they are
      successfully involved in the routing exchanges. Please note that,
      although disclosure of routing information can pose a security
      threat or be part of a later, larger, or higher layer attack,
      confidentiality is not generally a design goal of routing
      protocols.

   o  Deception: This consequence happens when a legitimate router
      receives a false routing message and believes it to be true.
      All attackers (compromised links, compromised devices (routers),
      unauthorized devices (routers), and masquerading devices
      (routers)) can cause this consequence if the receiving router
      lacks the ability to check routing message integrity, routing
      message origin authentication, or peer router authentication.

   o  Disruption: This consequence occurs when a legitimate router's
      operation is interrupted or prevented. Compromised links can
      cause this by replaying, delaying, or dropping routing messages,
      or by breaking routing sessions between legitimate routers.
      Compromised devices (routers), unauthorized devices (routers),
      and masquerading devices (routers) can cause this consequence by
      sending false routing messages, interfering with normal routing
      exchanges, or flooding unnecessary messages. (DoS is a common
      threat action causing disruption.)

   o  Usurpation: This consequence happens when an attacker gains
      control over a legitimate router's services/functions.
      Compromised links can cause this by delaying or dropping routing
      exchanges, or by replaying out-dated routing information.
      Compromised routers, unauthorized routers, and masquerading
      routers can cause this consequence by sending false routing
      information, interfering with routing exchanges, or compromising
      system integrity.

   Note: an attacker does not have to directly control a router to
   control its services. For example, in Figure 1, Network 1 is
   dual-homed through Router A and Router B, and Router A is preferred.
   However, Router B is compromised and advertises a lower metric.
   Consequently, devices on the Internet choose the path through Router
   B to reach Network 1. In this way, Router B steals the data traffic
   and Router A surrenders its control of the services to Router B.
   This is depicted in Figure 1.
                +-------------+   +-------+
                |  Internet   |---| Rtr A |
                +------+------+   +---+---+
                       |              |
                       |              |
                       |              |
                       |            *-+-*
                   +---+---+       /     \
                   | Rtr B |------*  N 1  *
                   +-------+       \     /
                                    *---*

                                Figure 1

   Also, several threat consequences might be caused by a single threat
   action. In Figure 1, there exist at least two consequences: routers
   using Router B to reach Network 1 are deceived, while Router A is
   usurped.

   Within the context of the threat consequences described above,
   damage that might result from attacks against the network as a whole
   may include:

   o  Network congestion: more data traffic is forwarded through some
      portion of the network than would otherwise need to carry the
      traffic,

   o  Blackhole: large amounts of traffic are directed to be forwarded
      through one router that cannot handle the increased level of
      traffic and drops many/most/all packets,

   o  Looping: data traffic is forwarded along a route that loops, so
      that the data is never delivered (resulting in network
      congestion),

   o  Partition: some portion of the network believes that it is
      partitioned from the rest of the network when it is not,

   o  Churn: the forwarding in the network changes (unnecessarily) at a
      rapid pace, resulting in large variations in the data delivery
      patterns (and adversely affecting congestion control techniques),

   o  Instability: the protocol becomes unstable so that convergence on
      a global forwarding state is not achieved, and

   o  Overload: the protocol messages themselves become a significant
      portion of the traffic the network carries.
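   The Figure 1 scenario, worked through as an added example that is
   not part of the draft: a small link-state style model in which each
   router originates an advertisement of its links, every router runs
   the same shortest-path computation over the collected advertisements,
   and Router B's falsified lower metric pulls the Internet's traffic
   for Network 1 onto itself. The topology shape is Figure 1's; the
   metrics, the router names and the falsify, shortest_path and
   consequences helpers are assumptions made for this example. The
   falsify helper also models an originator advertising a link it does
   not have, which is the shape of the over-claiming case in Section
   4.5.1.1.

```python
"""Added example (not from the draft): how a falsified link metric
usurps a route, using the Figure 1 topology.

Each router originates one advertisement listing its links and their
metrics, as a link-state protocol would. Every router builds the same
database and runs Dijkstra over it, so a single lying originator
changes the paths that every other router computes. Router names and
metrics are constructed to match Figure 1: Network 1 is dual-homed
via Rtr A (the cheaper, preferred path) and Rtr B.
"""
import heapq

# Constructed honest advertisements: originator -> {neighbor: metric}.
HONEST = {
    "Internet": {"RtrA": 1, "RtrB": 1},
    "RtrA": {"Internet": 1, "N1": 2},
    "RtrB": {"Internet": 1, "N1": 3},   # B's real link to N1 costs more
    "N1": {"RtrA": 2, "RtrB": 3},
}


def falsify(advertisements, attacker, neighbor, metric):
    """Return a copy of the database in which `attacker` advertises a
    link to `neighbor` at `metric`. Lowering an existing metric is the
    Figure 1 case; adding a link the attacker does not have is the
    over-claiming case. The honest database is left untouched."""
    db = {r: dict(links) for r, links in advertisements.items()}
    db.setdefault(attacker, {})[neighbor] = metric
    return db


def shortest_path(db, src, dst):
    """Dijkstra over the advertised links; the cost of u->v is whatever
    u advertised. Returns (cost, [src, ..., dst]) or (inf, [])."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                      # stale heap entry
        if u == dst:
            break
        for v, w in db.get(u, {}).items():
            if d + w < dist.get(v, float("inf")):
                dist[v] = d + w
                prev[v] = u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return float("inf"), []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def next_hops(db, dst):
    """First hop each router would use toward `dst`."""
    hops = {}
    for router in db:
        if router == dst:
            continue
        _, path = shortest_path(db, router, dst)
        hops[router] = path[1] if len(path) > 1 else None
    return hops


def consequences(honest_db, attacked_db, dst):
    """Classify the damage in the draft's terms: routers whose next hop
    toward `dst` changed are deceived; routers that carried the traffic
    under honest advertisements and no longer do are usurped."""
    before, after = next_hops(honest_db, dst), next_hops(attacked_db, dst)
    deceived = sorted(r for r in before if before[r] != after.get(r))
    on_before, on_after = set(), set()
    for r in before:
        on_before.update(shortest_path(honest_db, r, dst)[1][1:-1])
        on_after.update(shortest_path(attacked_db, r, dst)[1][1:-1])
    return {"deceived": deceived, "usurped": sorted(on_before - on_after)}


if __name__ == "__main__":
    attacked = falsify(HONEST, "RtrB", "N1", 1)   # B claims a cheaper link
    print("honest:  ", shortest_path(HONEST, "Internet", "N1"))
    print("attacked:", shortest_path(attacked, "Internet", "N1"))
    print(consequences(HONEST, attacked, "N1"))
```

   The consequences function returns the two consequences the draft
   names for Figure 1: the Internet router is deceived (its next hop
   toward Network 1 changes from Router A to Router B) and Router A is
   usurped (it carried the traffic under honest advertisements and no
   longer does). Because every router computes from the same database,
   the consequence zone is the set of routers whose best path now runs
   through the falsified link; in this small topology that is only the
   Internet router, but the same lie originated deeper inside a routing
   domain reaches a larger share of it.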
   The damage that might result from attacks against a particular host
   or network address may include:

   o  Starvation: data traffic destined for the network or host is
      forwarded to a part of the network that cannot deliver it,

   o  Eavesdrop: data traffic is forwarded through some router or
      network that would otherwise not see the traffic, affording an
      opportunity to see the data or at least the data delivery
      pattern,

   o  Cut: some portion of the network believes that it has no route to
      the host or network when it is in fact connected,

   o  Delay: data traffic destined for the network or host is forwarded
      along a route that is in some way inferior to the route it would
      otherwise take, and

   o  Looping: data traffic for the network or host is forwarded along
      a route that loops, so that the data is never delivered.

   It is important to consider all compromises, because some security
   solutions can protect against one attack but not against others. It
   might be possible to design a security solution that protects
   against an attack that eavesdrops on one destination's traffic
   without protecting against an attack that overwhelms a router, or
   one that prevents a starvation attack against one host but not a
   net-wide blackhole. The security requirements must be clear as to
   which compromises are being avoided and which must be addressed by
   other means (e.g., by administrative means outside the protocol).

3.3.1 Threat Consequence Zone

   A threat consequence zone covers an area within which the network
   operations have been affected by the threat consequences. Possible
   threat consequence zones can be classified as: a single link or
   router, multiple routers (within a single routing domain), a single
   routing domain, multiple routing domains, or the global Internet.
   The threat consequence zone varies based on the threat action and
   its origin.
   Similar threat actions that happen at different locations may cause
   totally different threat consequence zones. For example, when a
   compromised link breaks the routing session between a distribution
   router and a stub router, only reachability from and to the network
   devices attached to the stub router will be impaired. In other
   words, the threat consequence zone is a single router. Nonetheless,
   if the compromised link is located between a customer edge router
   and its corresponding provider edge router, such an action might
   cause the whole customer site to lose its connection. In this case,
   the threat consequence zone might be a single routing domain.

3.3.2 Threat Consequence Periods

   The threat consequence period is defined as the portion of time
   during which the network operations have been impacted by the threat
   consequences. The threat consequence period is influenced by, but
   not totally dependent on, the duration of the threat action. In some
   cases, the network operations will get back to normal as soon as the
   threat action has been stopped. In other cases, however, threat
   consequences may persist longer than the threat action. For example,
   in the original ARPANET link-state algorithm, some errors in a
   router might introduce three instances of an LSA, and all of them
   would be flooded throughout the network forever, until the entire
   network was power cycled [PROTO-VULN].

   With appropriate security detection facilities, the network might
   detect the threat action, implement countermeasures, and resume
   normal operations even before the threat action has been stopped.
   In this document, we assume such facilities do not exist.

4. Generally Identifiable Routing Threat Actions

   This section addresses generally identifiable and recognized threat
   actions against routing protocols.
   The threats are not necessarily specific to individual protocols but
   may be present in one or more of the common routing protocols in use
   today.

4.1 Deliberate Exposure

   Deliberate exposure is defined as an intentional action that
   attackers employ to release routing information directly to other
   routers. This definition presumes that the receiving routers are not
   authorized to access the routing information. However, an exposure
   is different from a deliberate exposure. While a deliberate exposure
   is always a threat action, an exposure is not. Routing protocols are
   designed to expose routing information. A legitimate router should
   always expose routing information to its legitimate peers. In some
   cases, a legitimate router may expose routing information to peering
   unauthorized/masquerading routers, if it is deceived. However, there
   is no reason that a legitimate router should keep exposing correct
   routing information to its peers once those peers have been
   determined to be unauthorized or masquerading entities.

   The consequence of deliberate exposure is the disclosure of routing
   information.

   The threat consequence zone of deliberate exposure depends on the
   routing information that the attackers have exposed. The more
   knowledge they have exposed, the bigger the threat consequence zone.

   The threat consequence period of deliberate exposure might be longer
   than the duration of the action itself. The routing information
   exposed will not be out-dated until there is a topology change in
   the exposed network.

4.2 Sniffing

   Sniffing is an action whereby attackers monitor and/or record the
   routing exchanges between authorized routers. Compromised links can
   sniff the links over which they have control. (Compromised routers,
   unauthorized routers, and masquerading routers can sniff, but do not
   need to in order to access the routing information. They can learn
   the routing information as long as they are successfully involved in
   the routing exchanges.)

   The consequence of sniffing is the disclosure of routing
   information.

   The threat consequence zone of sniffing depends on the attacker's
   location, the routing protocol type, and, ultimately, what routing
   information has been recorded. For example, if the compromised link
   were located in an OSPF totally stubby area, the threat consequence
   zone should be limited to that area. Alternatively, the compromised
   link could gain knowledge of multiple routing domains if it sniffs
   an eBGP session between two providers.

   The threat consequence period might be longer than the duration of
   the action. After the compromised link stops sniffing, its knowledge
   will not be out-dated until there is a topology change in the
   disclosed network.

4.3 Traffic Analysis

   Traffic analysis is an action whereby attackers gain routing
   information by analyzing the characteristics of the data traffic.
   Compromised links can analyze the data traffic over the links where
   they have control. (Compromised routers, unauthorized routers, and
   masquerading routers do not need to do this, although they can, to
   access the routing information. They learn the routing information
   by being successfully involved in the routing exchanges.)

   The consequence of data traffic analysis is the disclosure of
   routing information. For example, the source and destination IP
   addresses of the data traffic, and the type, magnitude, and volume
   of the traffic, are disclosed.

   The threat consequence zone of traffic analysis depends on the
   attacker's location and, ultimately, what data traffic has flowed
   through. A compromised link at the network core should be able to
   gain more information than its counterpart at the edge.

   The threat consequence period might be longer than the duration of
   the traffic analysis.
After the attacker stops traffic analysis, its 521 knowledge will not be out-dated until there is a topology change of 522 the disclosed network. 524 4.4 Spoofing 526 A spoofing is defined as an action whereby an attacker participates 527 in the routing computation and exchanges with authorized routers by 528 illegitimately assumes a legitimate router's identity. All types of 529 attackers (compromised links, compromised routers unauthorized 530 routers, and masquerading routers) can spoof. When an attacker 531 succeeds to spoof, it plays a role of masquerading router. 533 The consequences of spoofing are: 535 o The disclosure of routing information: The masquerading router 536 will be able to participate in the routing computation and 537 exchanges, and consequently gain access to the routing 538 information. 540 o The deception of peer relationship: The authorized routers, which 541 exchange routing messages with the masquerading router, do not 542 realize they are peering with a router that is faking another 543 router's identity. 545 Spoofing is special in that it can be used to carry out other threat 546 actions causing other threat consequences. For example, after an 547 attacker spoofs successfully, it can send out unrealistic routing 548 information that might cause disruption of network services. Please 549 note these consequences are directly resulted from other threat 550 actions instead of spoofing, which are also discussed in this 551 documentation. It can be said that spoofing is the means by which one 552 masquerades. 554 The threat consequence zone covers two different scopes: 556 The consequence zone of the disclosed routing information depends 557 on what routing information has been exchanged between the 558 attacker and its peers. 560 The disclosure of routing information: The masquerading router 561 will participate in the routing computation and exchanges, and 562 consequently gain access to the routing information. 
The threat consequence zone covers two different scopes:

   o  The consequence zone of the fake peer relationship is limited to those routers that wrongly trust the attacker's claimed identity.

   o  The consequence zone of the disclosed routing information depends on the attacker's location, the routing protocol type, and, ultimately, what routing information has been exchanged between the attacker and its deceived peers.

The threat consequence period also has two different definitions:

   o  The consequence period of the fake peer relationship is the same as the duration of the spoof. As soon as the attacker stops spoofing, the fake peer relationship disappears.

   o  The consequence period of the disclosed routing information will be longer than the duration of the spoof. After the attacker stops spoofing, its knowledge will not become outdated until there is a topology change in the disclosed network.

4.5 Falsification

Falsification is defined as an intentional action whereby false routing information is sent. Routers use routing information to depict the network topology, compute the routing table, and then forward data traffic. False routing information describes the network in an unrealistic view, whether or not this is intended by the authoritative network administrator.

To falsify routing information, an attacker has to be either the originator or a forwarder of the routing information. It cannot be a receiver only.
4.5.1 Falsifications by Originators

An originator of routing information can launch the following falsifications:

4.5.1.1 Overclaiming

Overclaiming is defined as an action whereby an attacker advertises its ownership of some network resources while, in reality, this ownership does not exist or the advertisement is not authorized. This is illustrated in Figure 2 and Figure 3 below.

   +-------------+   +-------+   +-------+
   |  Internet   |---| Rtr B |---| Rtr A |
   +------+------+   +-------+   +---+---+
          |                          |
          |                          |
          |                          |
          |                        *-+-*
      +---+---+                   /     \
      | Rtr C |------------------*  N 1  *
      +-------+                   \     /
                                   *---*

                    Figure 2

   +-------------+   +-------+   +-------+
   |  Internet   |---| Rtr B |---| Rtr A |
   +------+------+   +-------+   +-------+
          |
          |
          |
          |                        *---*
      +---+---+                   /     \
      | Rtr C |------------------*  N 1  *
      +-------+                   \     /
                                   *---*

                    Figure 3

The figures above provide examples. Router A, the attacker, is connected to the Internet through Router B. Router C is authorized to advertise its link to Network 1. In Figure 2, Router A owns a link to Network 1 but is not authorized to advertise it. In Figure 3, Router A does not own such a link. In either case, Router A advertises the link to the Internet through Router B.

Compromised routers, unauthorized routers, and masquerading routers can overclaim network resources.

The consequences of overclaiming include:

   o  Usurpation of the overclaimed network resources. In Figures 2 and 3, it will cause a usurpation of Network 1 when Router B or other routers on the Internet (not shown in the figures) believe that Router A provides the best path to reach Network 1. These routers thereby forward the data traffic destined to Network 1 to Router A.
      In the best case the data traffic uses an unauthorized path (Figure 2); in the worst case the data never reaches the destination Network 1 (Figure 3). The ultimate consequence is that Router A gains control over Network 1's services by controlling the data traffic.

   o  Usurpation of the legitimate advertising routers. In Figures 2 and 3, Router C is the legitimate advertiser of Network 1. By overclaiming, Router A also controls (partially or totally) the services/functions provided by Router C. (This is NOT a disruption, because Router C is operating in the way intended by the authoritative network administrator.)

   o  Deception of other routers. In Figures 2 and 3, Router B, or other routers on the Internet, might be deceived into believing that the path through Router A is the best.

   o  Disruption of the data planes of some routers. This might happen on routers that are on the path used by other routers to reach the overclaimed network resources through the attacker. In Figures 2 and 3, when other routers on the Internet are deceived, they will forward the data traffic to Router B, which might be overloaded.

The threat consequence zone varies based on the consequence:

   o  Where usurpation is concerned, the consequence zone covers the network resources that are overclaimed by the attacker (Network 1 in Figures 2 and 3) and the routers that are authorized to advertise the network resources but lose the competition against the attacker (Router C in Figures 2 and 3).

   o  Where deception is concerned, the consequence zone covers the routers that are deceived by the attacker's advertisement and use the attacker to reach the claimed subnets (Router B and other deceived routers on the Internet in Figures 2 and 3).
   o  Where disruption is concerned, the consequence zone includes the routers that are on the path of the misdirected data traffic (Router B in Figures 2 and 3).

The threat consequences will begin to cease when the attacker stops overclaiming and will totally disappear once the routing tables have converged. As a result, the consequence period is longer than the duration of the overclaiming.

4.5.1.2 Underclaiming

An underclaiming threat is defined as an action whereby an attacker illegitimately hides its authorized ownership of some network resources. The attacker could be the only router authorized to claim the network resources, or there might be some legitimate backup routers. The figures below provide two examples.

   +-------------+   +-------+
   |  Internet   |---| Rtr A |
   +------+------+   +---+---+
          |              |
          |              |
          |              |
          |            *-+-*
      +---+---+       /     \
      | Rtr B |      *  N 1  *
      +-------+       \     /
                       *---*

                Figure 4

   +-------------+                +-------+
   |  Internet   |----------------| Rtr A |
   +------+------+                +---+---+
          |                           |
          |                           |
          |                           |
          |                         *-+-*
      +---+---+     +-------+      /     \
      | Rtr C |-----| Rtr B |-----*  N 1  *
      +-------+     +-------+      \     /
                                    *---*

                    Figure 5

Router A, the attacker, owns a link to Network 1 and is authorized to advertise Network 1. Nevertheless, Router A refuses to advertise Network 1. In Figure 4, Network 1 is single-homed with Router A and therefore can only be advertised by Router A. In Figure 5, Network 1 is dual-homed with Routers A and B, and both routers are authorized to advertise Network 1 (Router A may or may not provide a path preferred over that of Router B, the backup router).

Compromised routers, unauthorized routers, and masquerading routers can underclaim network resources.
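With both scenarios described, the following is an added worked example (it is not part of the draft) that models Router B's route selection in Figures 2 and 3 and the Internet router's selection in Figures 4 and 5, together with the two checks a defender can apply: an authorized-origin filter against overclaiming and an expected-advertisement check against underclaiming. Router names and prefixes follow the figures; the hop-count metric and the "Internet" router as a single node are assumptions.

```python
"""Added example, not part of the draft: a small model of the route
selection behind Figures 2 to 5 (Section 4.5.1) and the checks a
defender can apply to them.  Router names, prefixes and metrics are
constructed to match the figures; the hop-count metric is an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Advert:
    """One routing advertisement as received by a router."""
    prefix: str            # network resource being claimed, e.g. "N1"
    origin: str            # router that originated the advertisement
    via: Tuple[str, ...]   # routers traversed, origin first, sender last
    metric: int            # lower is preferred (hop count, an assumption)


class Router:
    """Collects advertisements and picks the best one per prefix."""

    def __init__(self, name: str, authorized: Dict[str, Set[str]]):
        self.name = name
        self.rib: Dict[str, List[Advert]] = {}
        # Origins the network administrator intends for each prefix.
        self.authorized = authorized

    def receive(self, adv: Advert) -> None:
        self.rib.setdefault(adv.prefix, []).append(adv)

    def best(self, prefix: str, enforce_origin: bool = False) -> Optional[Advert]:
        """Best advertisement for prefix; optionally drop unauthorized origins."""
        cands = self.rib.get(prefix, [])
        if enforce_origin:
            cands = [a for a in cands if a.origin in self.authorized.get(prefix, set())]
        if not cands:
            return None
        return min(cands, key=lambda a: (a.metric, a.origin))

    def next_hop(self, prefix: str, enforce_origin: bool = False) -> Optional[str]:
        """Neighbour the data traffic for prefix is forwarded to (None = unreachable)."""
        adv = self.best(prefix, enforce_origin)
        return adv.via[-1] if adv else None

    def overclaims(self) -> List[Tuple[str, str]]:
        """Overclaim detection: (prefix, origin) pairs from unauthorized origins."""
        return sorted((p, a.origin) for p, advs in self.rib.items()
                      for a in advs if a.origin not in self.authorized.get(p, set()))

    def underclaims(self) -> List[Tuple[str, str]]:
        """Underclaim detection: (prefix, origin) pairs that an authorized
        origin should be advertising but from which nothing was received."""
        seen = {(p, a.origin) for p, advs in self.rib.items() for a in advs}
        return sorted((p, o) for p, origins in self.authorized.items()
                      for o in origins if (p, o) not in seen)


def figures_2_3(router_a_claims: bool) -> Router:
    """Router B's view.  Router C is the authorized originator of N1 and
    reaches B through the Internet; Router A is directly attached to B."""
    b = Router("B", authorized={"N1": {"C"}})
    b.receive(Advert("N1", "C", ("C", "Internet"), metric=2))
    if router_a_claims:
        b.receive(Advert("N1", "A", ("A",), metric=1))  # the overclaim
    return b


def figures_4_5(dual_homed: bool, router_a_hides: bool) -> Router:
    """The Internet router's view.  Router A is authorized for N1; in
    Figure 5 Router B is an authorized backup reachable through Router C."""
    inet = Router("Internet", authorized={"N1": {"A", "B"} if dual_homed else {"A"}})
    if not router_a_hides:
        inet.receive(Advert("N1", "A", ("A",), metric=1))
    if dual_homed:
        inet.receive(Advert("N1", "B", ("B", "C"), metric=2))
    return inet


if __name__ == "__main__":
    b = figures_2_3(router_a_claims=True)
    print("Fig 2/3 next hop for N1:", b.next_hop("N1"))                      # A (usurpation)
    print("  with origin check:    ", b.next_hop("N1", enforce_origin=True))  # Internet
    print("  overclaims flagged:   ", b.overclaims())                         # [('N1', 'A')]
    print("Fig 4 next hop for N1:  ", figures_4_5(False, True).next_hop("N1"))  # None
    print("Fig 5 next hop for N1:  ", figures_4_5(True, True).next_hop("N1"))   # C
    print("  underclaims flagged:  ", figures_4_5(True, True).underclaims())   # [('N1', 'A')]
```

In the Figure 4 case there is no advertisement to filter, so the expected-advertisement check is the only signal a monitoring router has.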
The consequences of underclaiming include:

   o  Usurpation of the underclaimed network resources: In Figure 4, when Router A underclaims Network 1, Network 1 is isolated from the rest of the world and cannot provide services to other devices, though Network 1's own operation is not disrupted. In Figure 5, if the path through Router A is preferred, the underclaiming will force Network 1 to use a sub-optimal path to provide its services. (If the path through Router B is intended to be preferred, the services of Network 1 will not really be hurt even though Router A underclaims.)

   o  Usurpation of the legitimate backup routers. In Figure 5, if Router A's path is preferred but Router A underclaims Network 1, it actually forces Router B to serve Network 1. (Again, if Router B's path is intended to be preferred, Router A's underclaim does not really usurp Router B.)

   o  Deception of other routers. Routers on the Internet (not shown in Figure 4 or Figure 5) might not be able to reach Network 1 (Figure 4), or might have to use a sub-optimal path through Router B when Router A's path is preferred (Figure 5).

   o  Disruption of the data planes of some routers. This might happen on routers that are on the sub-optimal paths. In Figure 5, when other routers on the Internet are deceived and use the sub-optimal path through Router B to reach Network 1, they will forward the data traffic to Router C. Routers B and C might then become overloaded. (When the path through Router B is intended to be preferred, Routers B and C might also be overloaded. However, the disruption in such a case is not a consequence of an underclaim.)

Note: Some other types of usurpation might result from an underclaim in routing protocols. The figure below provides an example.
     *---*                                                 *---*
    /     \    +-------+   +-------------+   +-------+    /     \
   *  N 2  *---| Rtr B |---|  Internet   |---| Rtr A |---*  N 1  *
    \     /    +-------+   +-------------+   +-------+    \     /
     *---*                                                 *---*

                              Figure 6

In Figure 6, Network 2 is attached to Router B and provides services similar to those of Network 1. When Router A hides Network 1, devices on the Internet will turn to Network 2 for those services. Although this issue results from an underclaim in the routing protocol, it is rather a usurpation issue in the related service (application) protocols, and we do not discuss it in detail in this document.

The threat consequence zone varies based on the consequence:

   o  Where usurpation is concerned, the consequence zone covers the network resources that are underclaimed by the attacker (Network 1 in Figures 4 and 5), and the routers that are intended to be backups with a lower preference (Router B in Figure 5, if Router A's path is preferred).

   o  Where deception is concerned, the consequence zone covers the routers that cannot reach the underclaimed network resources or that have to use sub-optimal paths.

   o  Where disruption is concerned, the consequence zone covers the routers that cannot reach the underclaimed network resources or that have to use sub-optimal paths.

Like overclaiming, the consequence period is longer than the duration of the underclaiming: the threat consequences will begin to mitigate when the attacker stops underclaiming and will totally disappear once the routing tables have converged.

4.5.1.3 Misclaiming

A misclaiming threat is defined as an attacker action advertising its authorized ownership of some network resources in a way that is not intended by the authoritative network administrator. An attacker can eulogize or disparage these network resources when advertising them.
Compromised routers, unauthorized routers, and masquerading routers can misclaim network resources.

The threat consequences of misclaiming are a combination of the consequences of overclaiming and underclaiming. Eulogizing the network resources might cause the same consequences as overclaiming, while disparaging them might trigger the same results as underclaiming.

The consequence zone and period are also similar to those of overclaiming or underclaiming.

4.5.2 Falsifications by Forwarders

When a legitimate router forwards routing information, it must or must not modify the routing information, depending on the routing information and the routing protocol type. For example, in RIP, the forwarder must modify the routing information by increasing the hop count by 1. On the other hand, the forwarder must not modify a type 1 LSA in OSPF. In general, forwarders in distance vector routing protocols are authorized to and must modify the routing information, while most forwarders in link state routing protocols are not authorized to and must not modify most routing information.

As a forwarder authorized to modify routing messages, an attacker can also fail to forward necessary routing information to other authorized routers (an understatement). Unauthorized aggregation (summarization) is a special type of understatement.

4.5.2.1 Misstatement

Misstatement is defined as an action whereby the attacker describes route attributes in a wrong way. For example, in RIP, the attacker increases the path cost by two hops instead of one. Another example is, in BGP, the attacker deletes some AS numbers from the AS_PATH.

When forwarding routing information that should not be modified, an attacker can launch the following falsifications:

   o  Deletion: The attacker deletes valid data in the routing message.

   o  Insertion: The attacker inserts false data in the routing message.
   o  Substitution: The attacker replaces valid data in the routing message with false data.

   o  Replaying: The attacker replays out-dated data in the routing message.

All types of attackers (compromised links, compromised routers, unauthorized routers, and masquerading routers) can falsify the routing information when they forward the routing messages.

The threat consequences of these falsifications by forwarders are similar to those caused by originators: usurpation of some network resources and related routers, deception of routers using false paths, and disruption of the data planes of routers on the false paths. The threat consequence zone and period are also similar.

4.6 Interference

Interference is defined as a threat action whereby attackers inhibit the exchanges of legitimate routers. Attackers can do this by adding noise, not forwarding packets, replaying out-dated packets, delaying responses, denying receipts, and breaking synchronization.

Compromised links can interfere with the routing exchanges over the links they control. Compromised, unauthorized, and masquerading routers can slow down their routing exchanges or cause the routing sessions of the legitimate peering routers to flap.

The consequence of interference is the disruption of routing operations.

The consequence zone of interference varies based on the source of the threat:

   o  When a compromised link launches the action, the threat consequence zone covers the routers that are using the link to exchange routing information. The routers behind them might be disrupted too.

   o  When compromised routers, unauthorized routers, or masquerading routers are the attackers, the threat consequence zone covers the routers with which the attackers are exchanging routing information, and the routers behind them.
The threat consequences might disappear as soon as the interference is stopped, or might not totally disappear until the networks have converged. Therefore, the consequence period is equal to or longer than the duration of the interference.

4.7 Overload

Overload is defined as a threat action whereby attackers place an excess burden on legitimate routers. Attackers can overload the data plane or the control plane. Because the data plane is involved in routing exchanges, overloading the data plane will also influence the routing operations.

The consequence of overload is the disruption of routing operations. The consequence zone varies based on several factors:

   o  When compromised links launch an overload action against the control plane, the consequence zone covers the routers that are using the links to exchange routing information, and the routers behind them.

   o  When compromised links launch an overload action against the data plane, the consequence zone covers the routers that are physically connected by the links, and the routers behind them.

   o  When compromised routers, unauthorized routers, or masquerading routers launch an overload action against the control plane, the threat consequence zone covers the routers with which the attackers are exchanging routing information, and the routers behind them.

   o  When compromised routers, unauthorized routers, or masquerading routers launch an overload action against the data plane, the threat consequence zone covers the routers with which the attackers have physical connections, and the routers behind them.

The threat consequences might disappear as soon as the overload is stopped, or might not disappear until the networks have converged.
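Sections 4.6 and 4.7 both name flapping routing sessions and disrupted routing operations as consequences, and define the consequence period as lasting at least until the network has reconverged. The following added example (not part of the draft) shows detection logic for that symptom run over constructed OSPF adjacency-state log lines, and derives a lower bound on the consequence period from them. The log format, router name, neighbour addresses, the five-minute window, the three-loss threshold and the 40-second convergence interval are all assumptions.

```python
"""Added example, not part of the draft: detecting the flapping routing
sessions that Section 4.6 names as a consequence of interference, and
bounding the consequence period, from constructed adjacency-state log
lines.  The log format, router and neighbour names are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample log (not real device output).  Neighbour 10.0.0.2 on
# eth1 loses and regains adjacency three times in three minutes; neighbour
# 10.0.0.3 drops once, which a single link reset would also explain.
SAMPLE_LOG = """\
2003-02-21 10:00:01 rtrB OSPF: Nbr 10.0.0.2 on eth1 from FULL to DOWN, InactivityTimer
2003-02-21 10:00:40 rtrB OSPF: Nbr 10.0.0.2 on eth1 from LOADING to FULL, LoadingDone
2003-02-21 10:01:15 rtrB OSPF: Nbr 10.0.0.2 on eth1 from FULL to DOWN, InactivityTimer
2003-02-21 10:01:55 rtrB OSPF: Nbr 10.0.0.2 on eth1 from LOADING to FULL, LoadingDone
2003-02-21 10:02:30 rtrB OSPF: Nbr 10.0.0.2 on eth1 from FULL to DOWN, InactivityTimer
2003-02-21 10:03:10 rtrB OSPF: Nbr 10.0.0.2 on eth1 from LOADING to FULL, LoadingDone
2003-02-21 10:30:00 rtrB OSPF: Nbr 10.0.0.3 on eth2 from FULL to DOWN, InactivityTimer
2003-02-21 10:30:45 rtrB OSPF: Nbr 10.0.0.3 on eth2 from LOADING to FULL, LoadingDone
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<rtr>\S+) OSPF: "
    r"Nbr (?P<nbr>\S+) on (?P<ifc>\S+) from (?P<old>\w+) to (?P<new>\w+), (?P<why>\w+)$")

Key = Tuple[str, str, str]  # (router, neighbour, interface)


class Event(NamedTuple):
    ts: datetime
    router: str
    neighbour: str
    iface: str
    new_state: str
    reason: str


class Flap(NamedTuple):
    first_down: datetime           # first loss of adjacency in the window
    recovered: Optional[datetime]  # first FULL after the last loss, if any
    downs: int                     # number of losses inside the window


def parse_log(text: str) -> List[Event]:
    """Parse adjacency-state lines; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Event(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                            m["rtr"], m["nbr"], m["ifc"], m["new"], m["why"]))
    return events


def find_flapping(events: List[Event], window: timedelta = timedelta(minutes=5),
                  threshold: int = 3) -> Dict[Key, Flap]:
    """Adjacencies that went DOWN at least `threshold` times inside some
    interval of length `window`, keyed by (router, neighbour, interface)."""
    downs: Dict[Key, List[datetime]] = defaultdict(list)
    ups: Dict[Key, List[datetime]] = defaultdict(list)
    for ev in events:
        key = (ev.router, ev.neighbour, ev.iface)
        if ev.new_state == "DOWN":
            downs[key].append(ev.ts)
        elif ev.new_state == "FULL":
            ups[key].append(ev.ts)
    flapping: Dict[Key, Flap] = {}
    for key, times in downs.items():
        times.sort()
        for i in range(len(times)):            # sliding window over the losses
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                later_ups = [u for u in ups[key] if u >= times[j]]
                flapping[key] = Flap(times[i], min(later_ups) if later_ups else None, j - i + 1)
                break
    return flapping


def consequence_period(flap: Flap, convergence: timedelta = timedelta(seconds=40)) -> Tuple[datetime, datetime]:
    """Lower bound on the consequence period of Section 4.6: from the first
    loss of adjacency until the last re-establishment plus one assumed
    convergence interval (the interference itself may have ended earlier)."""
    end = (flap.recovered if flap.recovered else flap.first_down) + convergence
    return flap.first_down, end


if __name__ == "__main__":
    for key, flap in find_flapping(parse_log(SAMPLE_LOG)).items():
        start, end = consequence_period(flap)
        print(f"{key}: {flap.downs} adjacency losses, consequence period {start} to {end}")
```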
4.8 Byzantine Failures

When a host or network behaves in a way contrary to the protocol specification or in a way that is not authorized, the behavior is called a "Byzantine failure" [BYZANTINE]. These failures can include timing errors (producing messages at intervals contrary to the specification), protocol errors (producing messages at variance with the specification, e.g., responding with the incorrect message type), or data errors (producing messages that carry faulty data).

Byzantine attacks may be seen where any intermediate node or group of nodes intentionally creates routing loops, misroutes packets onto non-optimal paths, or selectively drops packets (black hole). Another way to state the problem is that Byzantine failures occur when a processor returns incorrect or malicious data. Under such an attack, only the source and destination nodes are assumed to be trusted. Detecting a Byzantine error is harder than in the fail-stop model, in the sense that at least one other processor must do the same computation to confirm the results. What isn't clear is just how much validation is required to determine whether a Byzantine failure has occurred.

4.9 Discarding of Control Packets

Uncontrolled discarding of control packets lies in the same plane as the Byzantine threats discussed above. That is, discarding control packets has the same consequence as an incorrect routing control packet propagated in the network by a compromised router. In distance vector protocols the consequences may not be as dire because of the protocol behavior, i.e., the routing update is exchanged only with the neighbor. However, in the case of link state routing protocols, the threat associated with discarding control packets can become a serious issue, as the routing updates are flooded throughout the network. Exploitation of this threat was discussed by S.F. Wu, B. Vetter, and F. Wang [ATTACK-LS] from the perspective of insider attacks in a link state routing environment. It is worth considering this threat in more detail.

If the compromised (bad) router partitions the network, i.e., the router is the only path between two good routers, then the bad router can avoid forwarding the routing information on to the network on the other side.

        *-----*                        *-----*
       /       \        *---*         /       \
      / Routers \      /     \       / Routers \
     *  on one   *----*   F   *-----*  on other *
      \  side   /      \     /       \  side   /
       \       /        *---*         \       /
        *-----*                        *-----*

                        Figure 7

In this scenario, the network is partitioned and either side may not receive correct updates, since the update packets may be dropped. Clearly, if F is positioned such that the network is not partitioned, then the correctness of the protocol in such circumstances depends on the mechanism for transmitting routing updates. In the case of a typical LSRP like OSPF, reliable flooding is used, which guarantees that the updates are received by each and every router in the network. Hence, even when a set of bad routers tries to partition a network, if there exists at least one good path between all the routers then this threat can be deterred by designing a robust transmission mechanism for control updates.

4.10 Network Mapping Threats

Based on a simple set of inputs, computers can generate graphical and quantitative representations of informal knowledge networks within an organization. If no preventive measures are in place, network map knowledge obtained by unauthorized access to such intelligence can be a costly and expensive threat. The motivation for snooping can range from curiosity to voyeuristic tendencies. The threat with router plane data snooping is the fact that it takes historical information to be an indication of what will happen in the future.
The principal threat aspect is that the snooped data can be used to develop a network topology. When unauthorized attackers develop a model, they attempt to create one that will be relevant for all situations going forward. Although these models may not be exact for every situation, they can be applied with a reasonable amount of certainty without introducing any biases based on past information.

5. Multicast Routing Protocol Considerations

In general, multicast routing updates can be fabricated, modified, replayed, deleted, and snooped. For example, unauthorized nodes can simply participate in the multicast routing protocol dialog when no access control mechanisms are defined for the protocol. Non-routing devices can masquerade as an authorized router and inject spurious routing updates, perhaps using source routing attacks or TCP session hijacking attacks.
Communication links can be compromised by an intruder to facilitate the manipulation of routing messages. Individual routers can be attacked and compromised to run modified software or use a modified configuration.

Multicast communication may be specifically targeted by security threats, due to its potential for communicating with large numbers of receivers simultaneously. An attacker may attempt to use multicast sessions in order to spread specific data to recipients, or may use multicast traffic patterns to overload links as a denial-of-service (DOS) attack.

In some architectures, such as PIM-DM, even routers that are not actively participating in the multicast tree must maintain state information on active groups within the routing domain.

Multicast routing protocols are at least as susceptible as unicast routing protocols to security threats. Just as with unicast routing, the key vulnerabilities of multicast routing lie in the introduction of misleading routing information, through non-existent (black hole) or incorrect routes, or in the interception of the routing information for malicious purposes.
Incorrect routing information can form the basis for DOS attacks, while intercepting routing information (particularly group membership information) can reveal compromising topological information.

Denial-of-service attacks may come either from senders or receivers in the multicast model. That is, if uncontrolled, senders may create large numbers of multicast groups, thus potentially creating a processing burden on multicast routers throughout the domain. Receivers, if uncontrolled, may join large numbers of multicast groups, thus causing the establishment of paths from the senders in each group to the receiver, as well as causing the flow of packets for each of the groups to converge on the receiver.

6. Security Considerations

This entire informational draft is security related. Specifically, it addresses the security of routing protocols as associated with threats to those protocols. In a larger context, this work builds upon the recognition of the IETF community that the signaling and control/management planes of networked devices need strengthening. Routing protocols can be considered part of that signaling and control plane. However, to date, routing protocols have largely remained unprotected and open to malicious attacks. This document discusses inter- and intra-domain routing protocol threats as we know them today and lays the foundation for a future draft that fully discusses security requirements for routing protocols.

References

   [SEC-GLOSS]     R. Shirey, "Internet Security Glossary", RFC 2828, May 2000.

   [DV-SECURITY]   B.R. Smith, S. Murthy, and J.J. Garcia-Luna-Aceves, "Securing Distance-Vector Routing Protocols", Symposium on Network and Distributed System Security 1997, February 1997.

   [PROTO-VULN]    E. Rosen, "Vulnerabilities of Network Control Protocols: An Example", Computer Communication Review, July 1981.

   [BYZANTINE]     R. Perlman, "Network Layer Protocols with Byzantine Robustness", August 1988.

   [OSPF-SIG]      S. Murphy, M. Badger, and B. Wellington, "OSPF with Digital Signatures", RFC 2154, June 1997.

   [OSPFv2]        J. Moy, "OSPF Version 2", RFC 2328, April 1998.

   [SENSOR-IDS]    V. Mittal and G. Vigna, "Sensor-Based Intrusion Detection for Intra-Domain Distance-Vector Routing", Proceedings of the ACM Conference on Computer and Communications Security (CCS'02), Washington, DC, November 2002.

   [DOS-IDS]       S. Cheung et al., "Protecting Routing Infrastructures from Denial of Service using Co-operative Intrusion Detection", Proceedings of the 1995 IEEE Symposium on Security and Privacy.

   [DIST-MONINTOR] K.A. Bradley et al., "A Distributed Network Monitoring Approach".

   [ATTACK-LS]     S.F. Wu, B. Vetter, and F. Wang, "An Experimental Study of Insider Attacks in a Link State Routing Protocol", 5th IEEE International Conference on Network Protocols, Atlanta, GA, 1997.

   [IGMP]          B. Cain, S. Deering, I. Kouvelas, B. Fenner, and A. Thyagarajan, "Internet Group Management Protocol, Version 2", RFC 3376, October 2002.

   [PIM-SM]        D. Estrin, D. Farinacci, A. Helmy, D. Thaler, S. Deering, M. Handley, V. Jacobson, C. Liu, P. Sharma, and L. Wei, "Protocol Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification", RFC 2362, June 1998.

   [THREATS]       A. Ballardie and J. Crowcroft, "Multicast-Specific Security Threats and Counter-Measures", Proceedings of the Symposium on Network and Distributed System Security, February 1995, pp. 2-16. (ftp://cs.ucl.ac.uk/darpa/IDMR/mcast-sec-isoc.ps.Z)

Authors' Addresses

   Dennis Beard
   Nortel Networks
   3500 Carling Avenue
   Nepean, Ontario K2H 8E9
   Canada

   Phone:
   EMail: beardd@nortelnetworks.com

   Sandy Murphy
   Network Associates, Inc
   3060 Washington Rd.
   Glenwood, MD 21738
   USA

   Phone: 443-259-2303
   EMail: Sandra_murphy@nai.com

   Yi Yang
   Cisco Systems
   7025 Kit Creek Road
   RTP, NC 27709
   USA

   Phone:
   EMail: yiya@cisco.com

Appendix A. Acknowledgements

This draft would not have been possible without the excellent efforts and teamwork of those listed here.

   Ayman Musharbash - Nortel Networks
   Paul Knight - Nortel Networks
   Elwyn Davies - Nortel Networks
   Ameya Dilip Pandit - Graduate student - University of Missouri
   Senthilkumar Ayyasamy - Graduate student - University of Missouri

Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director.

Full Copyright Statement

Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assignees.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.

Acronyms

   AODV - Ad-hoc On-demand Distance Vector routing protocol

   AS - Autonomous system. Set of routers under a single technical administration. Each AS normally uses a single interior gateway protocol (IGP) and metrics to propagate routing information within the set of routers. Also called routing domain.

   AS-Path - In BGP, the route to a destination. The path consists of the AS numbers of all routers a packet must go through to reach a destination.

   BGP - Border Gateway Protocol. Exterior gateway protocol used to exchange routing information among routers in different autonomous systems.

   eBGP - External BGP. BGP configuration in which sessions are established between routers in different ASs.

   iBGP - Internal BGP. BGP configuration in which sessions are established between routers in the same AS.

   LSRP - Link-State Routing Protocol

   LSA - Link-State Announcement

   M-OSPF - Multicast Open Shortest Path First

   NLRI - Network layer reachability information. Information that is carried in BGP packets and is used by MBGP.

   OSPF - Open Shortest Path First. A link-state IGP that makes routing decisions based on the shortest-path-first (SPF) algorithm (also referred to as the Dijkstra algorithm).

   PIM (and PIM DM) - Protocol Independent Multicast. A protocol-independent multicast routing protocol. PIM Sparse Mode routes to multicast groups that might span wide-area and interdomain internets. PIM Dense Mode is a flood-and-prune protocol.

   RIP - Routing Information Protocol. Distance-vector interior gateway protocol that makes routing decisions based on hop count.

   SPF - Shortest-path first, an algorithm used by IS-IS and OSPF to make routing decisions based on the state of network links. Also called the Dijkstra algorithm.

   TCP - Transmission Control Protocol. Works in conjunction with Internet Protocol (IP) to send data over the Internet. Divides a message into packets and tracks the packets from point of origin to destination.