Network Working Group                                          A. Barbir
Internet-Draft                                           Nortel Networks
Expires: March 16, 2004                                        S. Murphy
                                                 Network Associates, Inc
                                                                 Y. Yang
                                                           Cisco Systems
                                                      September 16, 2003

                  Generic Threats to Routing Protocols
                   draft-ietf-rpsec-routing-threats-03

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on March 16, 2004.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   Routing protocols are subject to attacks that can harm individual
   users or network operations as a whole.  This document provides a
   description and a summary of generic threats that affect routing
   protocols in general.  This work describes threats, including threat
   sources and capabilities, threat actions, and threat consequences, as
   well as a breakdown of routing functions that might be separately
   attacked.

Table of Contents

   1.      Introduction
   2.      Routing Functions Overview
   3.      Generic Routing Protocol Threat Model
   3.1     Threat Definitions
   3.1.1   Threat Sources
   3.1.2   Threat Consequences
   4.      Generally Identifiable Routing Threats
   4.1     Deliberate Exposure
   4.2     Sniffing
   4.3     Traffic Analysis
   4.4     Spoofing
   4.5     Falsification
   4.5.1   Falsifications by Originators
   4.5.2   Falsifications by Forwarders
   4.6     Interference
   4.7     Overload
   4.8     Byzantine Failures
   5.      Security Considerations
           Normative References
           Informative References
           Authors' Addresses
   A.      Acknowledgements
   B.      Acronyms
           Intellectual Property and Copyright Statements

1.  Introduction

   Routing protocols are subject to threats and attacks that can harm
   individual users or the network operations as a whole.  This document
   provides a summary of generic threats that affect routing protocols.
   In particular, this work identifies generic threats to routing
   protocols, including threat sources, threat actions, and threat
   consequences.  A breakdown of routing functions that might be
   separately attacked is provided.

   This work should be considered a precursor to developing a common
   set of security requirements for routing protocols.  While it is well
   known that bad, incomplete, or poor implementations of routing
   protocols may, in themselves, lead to routing problems or failures,
   or may increase the risk of a network being attacked successfully,
   these issues are not considered here.  This document only considers
   attacks against robust, well-considered implementations of routing
   protocols, as outlined in OSPF [6], IS-IS [10], RIP [11] and BGP
   [17].

   This document investigates general threats to routing functions.  In
   this work, the "owner" of an address prefix or an AS [17] number is
   an organization that has been granted the right to use that prefix or
   number.  Each Regional Internet Registry (RIR) acquires prefixes and
   AS numbers from IANA, and further distributes (delegates use of) them
   to organizations such as ISPs and multi-homed subscribers.  For
   address prefixes, delegation typically involves assigning a subset of
   a prefix to an organization, which may, in turn, further delegate
   subsets to other organizations, e.g., subscribers or downstream
   providers.

   The document is organized as follows: Section 2 provides a review of
   routing functions.  Section 3 defines threats.  Section 4 discusses
   generally identifiable routing threat actions.  Section 5 addresses
   security considerations.

2.  Routing Functions Overview

   This section provides an overview of common functions that are shared
   among various routing protocols.  In general, routing protocols share
   the following functions:

   o  Transport Subsystem: The routing protocol transmits messages to
      its neighbors using some underlying protocol.  For example, OSPF
      uses IP, while other protocols may run over TCP.

   o  Neighbor State Maintenance: Forming neighboring relationships is
      the first step in topology determination.  For this reason,
      routing protocols may need to maintain the state of their
      neighbors.  Each routing protocol may use a different mechanism
      for determining its neighbors in the routing topology.  Some
      protocols have a distinct exchange through which they establish
      neighboring relationships, e.g., Hello exchanges in OSPF.

   o  Database Maintenance: Routing protocols exchange network topology
      and reachability information.  The routers collect this
      information in routing databases with varying detail.  The
      maintenance of these databases is a significant portion of the
      function of a routing protocol.

   A router's functions can be divided into a control plane and a data
   plane (protocol traffic vs. data traffic).  In a similar fashion, a
   routing protocol has a control plane and a data plane.  The control
   plane of a routing protocol exchanges messages that are intended only
   for control of the protocol state.

   The data plane of a routing protocol uses messages to exchange
   information that is intended to be used in the forwarding function.
   For example, the information can be used to establish a forwarding
   table in each router or to return a description of the route to be
   used.

   Routing functions may affect both the control and the data planes.
   However, there may be an emphasis on one of the planes as opposed to
   the other.  For example, neighbor maintenance is likely to focus on
   the routing protocol control plane, while database maintenance may
   focus on the data plane.
3.  Generic Routing Protocol Threat Model

   The model developed in this section can be used to identify threats
   to any routing protocol.  It examines attacks which can be launched
   against routing from subverted entities within the routing system,
   and from entities outside the routing system.  Both of these types of
   entities are called unauthorized entities.

   Routing protocols are subject to threats at the control and data
   planes and at the functional level.  At the control plane level, an
   attacker may be able to break a neighbor (e.g., peering, adjacency)
   relationship.  This type of attack can impact the network routing
   behavior in the affected routers and likely the surrounding
   neighborhood.  An attacker who is able to break a database exchange
   between two routers can also affect routing behavior.  In the routing
   protocol data plane, an attacker who is able to introduce bogus data
   can have a strong effect on the behavior of routing in the
   neighborhood.

   At the routing function level, threats can affect the transport
   subsystem, where the routing protocol can be subject to attacks on
   its underlying protocol.  At the neighbor state maintenance level,
   there are threats that can lead to attacks that disrupt the
   neighboring relationship, with widespread consequences.  For example,
   in BGP, if a router receives a CEASE message, this can break its
   neighboring relationship with other routers.

   There are also threats against the database maintenance
   functionality.  For example, the information in the database must be
   authentic and authorized.  Threats that jeopardize this information
   can affect the routing functionality in the overall network.  For
   example, if an OSPF router sends LSAs with the wrong Advertising
   Router, the receivers will compute an SPF tree that is incorrect and
   might not forward the traffic.  If a BGP router advertises an NLRI
   that it is not authorized to advertise, then receivers might forward
   that NLRI's traffic toward that router and the traffic would not be
   deliverable.  A PIM router might transmit a JOIN message to receive
   multicast data it would otherwise not receive.

3.1  Threat Definitions

   In this work, a threat is defined as a motivated, capable adversary.
   This characterization of threats clearly distinguishes threats from
   attacks.  By modeling the motivations (attack goals) and capabilities
   of the adversaries who are threats, one can better understand what
   classes of attacks these threats may mount and thus what types of
   countermeasures will be required to deal with these attacks.  In [1]
   a threat is defined as a potential for violation of security, which
   exists when there is a circumstance, capability, action, or event
   that could breach security and cause harm.  A threat presents itself
   when an adversary has the ability to take advantage of an existing
   security weakness.  Threats can be categorized based on various
   criteria, such as threat sources, threat actions, threat
   consequences, threat consequence zones, and threat consequence
   periods.

3.1.1  Threat Sources

   There are many sources for threats that may affect routing protocols.
   In some cases, unauthorized entities such as attackers may illegally
   participate in the routing operations.  In other circumstances, there
   are threats to routing protocols from entities that are running
   incorrect code, or using invalid configurations.

   Threats can originate from outsiders or insiders.  An insider is an
   authorized participant in the routing protocol.  An outsider is any
   other host or network.  A particular router determines whether a host
   is an outsider or an insider.
   An authorized protocol speaker can be an outsider to a particular
   router if the router does not consider it to be a legitimate peer (as
   could conceivably happen on a multi-access link).

   In general, threats can be classified into the following categories
   based on their sources [2]:

   o  Threats that result from subverted links: A link becomes
      subverted when an attacker gains access to (or control of) it
      through a physical medium.  The attacker can then take control
      over the link.  This threat can result from the lack (or the use
      of weak) access control mechanisms as applied to physical media
      or channels.  The attacker may eavesdrop, replay, delay, or drop
      routing messages, or break routing sessions between authorized
      routers, without participating in the routing exchange.

   o  Threats that result from subverted devices (e.g., routers): A
      subverted device (router) is an authorized router that may have
      been broken into by an attacker.  The attacker can use the
      subverted device to inappropriately claim authority for some
      network resources, or to violate the routing protocol, such as by
      advertising invalid routing information.

   For example, an OSPF router will form a peering relationship with any
   attached device which appears to be running OSPF, unless MD5
   authentication (or some other means) is used to prevent the
   neighboring relationship from forming.

3.1.2  Threat Consequences

   A threat consequence is a security violation that results from a
   threat action [1].  The compromise of the behavior of the routing
   system can damage a particular network or host, or can damage the
   operation of the network as a whole.

   There are four types of threat consequences: disclosure, deception,
   disruption, and usurpation [1].

   o  Disclosure: Disclosure of routing information happens when a
      router successfully accesses the information without being
      authorized.  Subverted links can cause disclosure if routing
      exchanges lack confidentiality.  Subverted devices (routers) can
      cause disclosure as long as they are successfully involved in the
      routing exchanges.  Although inappropriate disclosure of routing
      information can pose a security threat or be part of a later,
      larger, or higher layer attack, confidentiality is not generally a
      design goal of routing protocols.

   o  Deception: This consequence happens when a legitimate router
      receives a false routing message and believes it to be true.
      Subverted links and/or subverted devices (routers) can cause this
      consequence if the receiving router lacks the ability to check
      routing message integrity, routing message origin authentication,
      or peer router authentication.

   o  Disruption: This consequence occurs when a legitimate router's
      operation is interrupted or prevented.  Subverted links can cause
      this by replaying, delaying, or dropping routing messages, or by
      breaking routing sessions between legitimate routers.  Subverted
      devices (routers) can cause this consequence by sending false
      routing messages, interfering with normal routing exchanges, or
      flooding unnecessary messages.  (DoS is a common threat action
      causing disruption.)

   o  Usurpation: This consequence happens when an attacker gains
      control over a legitimate router's services/functions.  Subverted
      links can cause this by delaying or dropping routing exchanges, or
      by replaying out-dated routing information.  Subverted routers can
      cause this consequence by sending false routing information,
      interfering with routing exchanges, or compromising system
      integrity.

   Note: an attacker does not have to directly control a router to
   control its services.  For example, in Figure 1, Network 1 is
   dual-homed through Router A and Router B, and Router A is preferred.
   However, Router B is compromised and advertises a lower metric.
   Consequently, devices on the Internet choose the path through Router
   B to reach Network 1.  In this way, Router B steals the data traffic
   and Router A surrenders its control of the services to Router B.
   This is depicted in Figure 1.

       +-------------+   +-------+
       |  Internet   |---| Rtr A |
       +------+------+   +---+---+
              |              |
              |              |
              |              |
              |            *-+-*
          +-------+       /     \
          | Rtr B |------* N 1   *
          +-------+       \     /
                           *---*

                     Figure 1: Dual-homed Network

   Several threat consequences might be caused by a single threat
   action.  In Figure 1, there exist at least two consequences: routers
   using Router B to reach Network 1 are deceived, while Router A is
   usurped.

   Within the context of the threat consequences described above, damage
   that might result from attacks against the network as a whole may
   include:

   o  Network congestion: more data traffic is forwarded through some
      portion of the network than would otherwise need to carry the
      traffic,

   o  Blackhole: large amounts of traffic are directed to be forwarded
      through one router that cannot handle the increased level of
      traffic and drops many/most/all packets,

   o  Looping: data traffic is forwarded along a route that loops, so
      that the data is never delivered (resulting in network
      congestion),

   o  Partition: some portion of the network believes that it is
      partitioned from the rest of the network when it is not,

   o  Churn: the forwarding in the network changes (unnecessarily) at a
      rapid pace, resulting in large variations in the data delivery
      patterns (and adversely affecting congestion control techniques),

   o  Instability: the protocol becomes unstable so that convergence on
      a global forwarding state is not achieved, and

   o  Overload: the protocol messages themselves become a significant
      portion of the traffic the network carries.
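   The Figure 1 scenario, worked through as an added example that is
   not part of the draft: a toy lowest-metric path selection in Python
   shows how a compromised Router B's lower metric captures Network 1's
   traffic, and labels the outcome in the draft's own terms (the
   selecting router is deceived, Router A is usurped).  The router
   names, metrics and the administrator's "intended advertiser" table
   are constructed for the example, and the final function is the
   operator-side check a defender would run on a route table snapshot.

```python
"""Toy model of the Figure 1 dual-homed scenario (added example, not part
of the draft).  Every router name, metric and the administrator's intended
preference below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advertisement:
    prefix: str      # destination, e.g. "N1" for Network 1
    advertiser: str  # router that originated the advertisement
    metric: int      # lower is better, as in a distance-vector protocol


def select_best_paths(ads):
    """Pick, per prefix, the advertisement with the lowest metric.
    Ties keep the first advertisement seen."""
    best = {}
    for ad in ads:
        current = best.get(ad.prefix)
        if current is None or ad.metric < current.metric:
            best[ad.prefix] = ad
    return best


def classify_consequences(best, intended):
    """Apply the draft's consequence terms to the selected paths.

    intended maps prefix -> advertiser the administrator wants traffic to
    use.  Returns (deceived_prefixes, usurped_routers): the selecting
    router is deceived on a prefix when it believed a false advertisement,
    and the intended advertiser is usurped because it lost control of that
    prefix's traffic."""
    deceived, usurped = [], []
    for prefix, ad in best.items():
        if ad.advertiser != intended.get(prefix):
            deceived.append(prefix)
            usurped.append(intended[prefix])
    return deceived, usurped


# Constructed Figure 1 data: Router A is the preferred path to Network 1.
INTENDED = {"N1": "RtrA"}
NORMAL_ADS = [Advertisement("N1", "RtrA", 10), Advertisement("N1", "RtrB", 20)]
# Router B is compromised and advertises a metric lower than Router A's.
ATTACK_ADS = [Advertisement("N1", "RtrA", 10), Advertisement("N1", "RtrB", 5)]


def figure1(compromised):
    """Return (advertiser chosen for N1, deceived prefixes, usurped routers)."""
    ads = ATTACK_ADS if compromised else NORMAL_ADS
    best = select_best_paths(ads)
    deceived, usurped = classify_consequences(best, INTENDED)
    return best["N1"].advertiser, deceived, usurped


def detect_unexpected_preference(best, intended):
    """Defender-side check over a route table snapshot: list prefixes whose
    chosen advertiser differs from the administrator's intended one."""
    return [p for p, ad in best.items() if ad.advertiser != intended.get(p)]


if __name__ == "__main__":
    print("normal  :", figure1(False))
    print("attacked:", figure1(True))
```

   The model deliberately has a single selecting router standing in for
   "devices on the Internet"; with the constructed metrics, the normal
   case selects Router A with no consequences, while the compromised
   case selects Router B, deceiving the selector on N1 and usurping
   Router A.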
   The damage that might result from attacks against a particular host
   or network address may include:

   o  Starvation: data traffic destined for the network or host is
      forwarded to a part of the network that cannot deliver it,

   o  Eavesdrop: data traffic is forwarded through some router or
      network that would otherwise not see the traffic, affording an
      opportunity to see the data or at least the data delivery pattern,

   o  Cut: some portion of the network believes that it has no route to
      the host or network when it is in fact connected,

   o  Delay: data traffic destined for the network or host is forwarded
      along a route that is in some way inferior to the route it would
      otherwise take,

   o  Looping: data traffic for the network or host is forwarded along a
      route that loops, so that the data is never delivered.

   It is important to consider all compromises, because some security
   solutions can protect against one attack but not against others.  It
   might be possible to design a security solution that protects
   against an attack that eavesdrops on one destination's traffic
   without protecting against an attack that overwhelms a router.
   Similarly, it is possible to design a security solution that prevents
   a starvation attack against one host, but not against network-wide
   resources.  The security requirements must be clear as to which
   compromises are being avoided and which compromises must be addressed
   by other means (e.g., by administrative means outside the protocol).

3.1.2.1  Threat Consequence Zone

   A threat consequence zone covers the area within which the network
   operations have been affected by threat actions.  Possible threat
   consequence zones can be classified as: a single link or router,
   multiple routers (within a single routing domain), a single routing
   domain, multiple routing domains, or the global Internet.  The threat
   consequence zone varies based on the threat action and its origin.
   Similar threat actions that happen at different locations may cause
   totally different threat consequence zones.  For example, when a
   compromised link breaks the routing session between a distribution
   router and a stub router, only reachability to and from the network
   devices attached to the stub router will be impaired.  In other
   words, the threat consequence zone is a single router.  Nonetheless,
   if the compromised router is located between a customer edge router
   and its corresponding provider edge router, such an action might
   cause the whole customer site to lose its connection.  In this case,
   the threat consequence zone might be a single routing domain.

3.1.2.2  Threat Consequence Periods

   The threat consequence period is defined as the portion of time
   during which the network operations have been impacted by the threat
   consequences.  The threat consequence period is influenced by, but
   not totally dependent on, the duration of the threat action.  In some
   cases, the network operations will get back to normal as soon as the
   threat action has been stopped.  In other cases, however, threat
   consequences may last longer than the threat action.  For example,
   in the original ARPANET link-state algorithm, some errors in a router
   might introduce three instances of an LSA, and all of them would be
   flooded throughout the network forever, until the entire network was
   power cycled [3].

4.  Generally Identifiable Routing Threats

   This section addresses generally identifiable and recognized threat
   actions against routing protocols.  The threats are not necessarily
   specific to individual protocols but may be present in one or more of
   the common routing protocols in use today.
4.1  Deliberate Exposure

   Deliberate exposure occurs when an attacker takes control of a router
   and intentionally releases routing information directly to other
   routers.  In some cases, the receiving routers may not be authorized
   to access the leaked routing information.  Deliberate exposure is
   always a threat action; however, the exposure of routing information
   may not be.

   The consequence of deliberate exposure is the disclosure of routing
   information.

   The threat consequence zone of deliberate exposure depends on the
   routing information that the attackers have exposed.  The more
   knowledge they have exposed, the bigger the threat consequence zone.

   The threat consequence period of deliberate exposure might be longer
   than the duration of the action itself.  The routing information
   exposed will not be out-dated until there is a topology change of the
   exposed network.

4.2  Sniffing

   Sniffing is an action whereby attackers monitor and/or record the
   routing exchanges between authorized routers.  Attackers can use
   subverted links to sniff for routing information.

   The consequence of sniffing is the disclosure of routing information.

   The threat consequence zone of sniffing depends on the attacker's
   location, the routing protocol type, and the routing information that
   has been recorded.  For example, if the subverted link is in an OSPF
   totally stubby area, the threat consequence zone should be limited to
   that area.  An attacker that is sniffing a subverted link carrying an
   EBGP session can gain knowledge of multiple routing domains.

   The threat consequence period might be longer than the duration of
   the action.  If an attacker stops sniffing a subverted link, the
   acquired knowledge will not be out-dated until there is a topology
   change of the affected network.

4.3  Traffic Analysis

   Traffic analysis is an action whereby attackers gain routing
   information by analyzing the characteristics of the data traffic on a
   subverted link.  Traffic analysis threats can affect any data that is
   sent in the clear over a communication link.  This threat is not
   peculiar to routing protocols and is included here for completeness.

   The consequence of data traffic analysis is the disclosure of routing
   information.  For example, the source and destination IP addresses of
   the data traffic, and the type, magnitude, and volume of the traffic
   are disclosed.

   The threat consequence zone of traffic analysis depends on the
   attacker's location and what data traffic has passed through.  A
   subverted link at the network core should be able to disclose more
   information than its counterpart at the edge.

   The threat consequence period might be longer than the duration of
   the traffic analysis.  After the attacker stops traffic analysis, its
   knowledge will not be out-dated until there is a topology change of
   the disclosed network.

4.4  Spoofing

   Spoofing occurs when an illegitimate device assumes the identity of a
   legitimate one.  Spoofing in and of itself is often not the true
   attack.  Spoofing is special in that it can be used to carry out
   other threat actions causing other threat consequences.  An attacker
   can use spoofing as a means for launching other types of attacks.
   For example, if an attacker succeeds in spoofing the identity of a
   router, the subverted router can act as a masquerading router.  In
   other situations, the spoofed router can be used to send out
   unrealistic routing information that might cause the disruption of
   network services.

   There are a few cases where spoofing can be an attack in and of
   itself.
   For example, messages from an attacker which spoof the identity of a
   legitimate router may cause a neighbor relationship to form and deny
   the formation of the relationship with the legitimate router.

   The consequences of spoofing are:

   o  The disclosure of routing information: The spoofed router will be
      able to gain access to the routing information.

   o  The deception of peer relationship: The authorized routers, which
      exchange routing messages with the spoofed router, do not realize
      they are neighboring with a router that is faking another router's
      identity.

   The threat consequence zone covers:

   o  The consequence zone of the fake peer relationship, which is
      limited to those routers mistrusting the attacker's identity.

   o  The consequence zone of the disclosed routing information, which
      depends on the attacker's location, the routing protocol type, and
      the routing information that has been exchanged between the
      attacker and its deceived neighbors.

4.5  Falsification

   Falsification is an intentional action whereby false routing
   information is sent by a subverted router.  False routing information
   describes the network in an unrealistic fashion, whether or not
   intended by the authoritative network administrator.

   To falsify the routing information, an attacker has to be either the
   originator or a forwarder of the routing information.  It cannot be a
   receiver-only.

4.5.1  Falsifications by Originators

   An originator of routing information can launch the falsifications
   that are described in the next sections.
546 4.5.1.1 Overclaiming 548 Overclaiming occurs when a subverted router advertises its control of 549 some network resources, while in reality it does not, or the 550 advertisement is not authorized. This is given in Figure 2 and 551 Figure 3. 553 +-------------+ +-------+ +-------+ 554 | Internet |---| Rtr B |---| Rtr A | 555 +------+------+ +-------+ +---+---+ 556 | . 557 | | 558 | . 559 | *-+-* 560 +-------+ / \ 561 | Rtr C |------------------* N 1 * 562 +-------+ \ / 563 *---* 565 Figure 2: Overclaiming-1 567 +-------------+ +-------+ +-------+ 568 | Internet |---| Rtr B |---| Rtr A | 569 +------+------+ +-------+ +-------+ 570 | 571 | 572 | 573 | *---* 574 +-------+ / \ 575 | Rtr C |------------------* N 1 * 576 +-------+ \ / 577 *---* 579 Figure 3: Overclaiming-2 581 The above figures provide examples of overclaiming. Router A, the 582 attacker, is connected with the Internet through Router B. Router C 583 is authorized to advertise its link to Network 1. In Figure 2, Router 584 A controls a link to Network 1, but is not authorized to advertise 585 it. In Figure 3, Router A does not control such a link. But in either 586 case, Router A advertises the link to the Internet, through Router B. 588 Compromised routers, unauthorized routers, and masquerading routers 589 can overclaim network resources. The consequence of overclaiming 590 includes: 592 o Usurpation of the overclaimed network resources. In Figure 2 and 593 Figure 3, it will cause a usurpation of Network 1 when Router B or 594 other routers on the Internet (not shown in the figures) believe 595 that Router A provides the best path to reach the Network 1. They, 596 the routers, thereby forward the data traffic, destined to Network 597 1, to Router A. The best result is the data traffic uses an 598 unauthorized path Figure 2, and the worst case is the data never 599 reach the destination Network 1 Figure 3. 
      The ultimate consequence is Router A gaining control over
      Network 1's services by controlling the data traffic.

   o  Usurpation of the legitimate advertising routers. In Figure 2 and
      Figure 3, Router C is the legitimate advertiser of Network 1. By
      overclaiming, Router A also controls (partially or totally) the
      services/functions provided by Router C. (This is NOT a
      disruption, because Router C is still operating in the way
      intended by the authoritative network administrator.)

   o  Deception of other routers. In Figure 2 and Figure 3, Router B, or
      other routers on the Internet, might be deceived into believing
      the path through Router A is the best.

   o  Disruption of data planes on some routers. This might happen on
      routers that are on the path used by other routers to reach the
      overclaimed network resources through the attacker. In Figure 2
      and Figure 3, when other routers on the Internet are deceived,
      they will forward the data traffic to Router B, which might be
      overloaded.

   The threat consequence zone varies based on the consequence:

   o  Where usurpation is concerned, the consequence zone covers the
      network resources that are overclaimed by the attacker (Network 1
      in Figure 2 and Figure 3), and the routers that are authorized to
      advertise the network resources but lose the competition against
      the attacker (Router C in Figure 2 and Figure 3).

   o  Where deception is concerned, the consequence zone covers the
      routers that believe the attacker's advertisement and use the
      attacker to reach the claimed subnets (Router B and other
      deceived routers on the Internet in Figure 2 and Figure 3).

   o  Where disruption is concerned, the consequence zone includes the
      routers that are on the path of the misdirected data traffic
      (Router B in Figure 2 and Figure 3).
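   The origin-authorization check that overclaiming calls for, together
   with the forwarder rules described in section 4.5.2 (RIP hop count,
   BGP AS path, OSPF LSA), as an added monitoring example that is not
   part of this draft; the router names, prefix, AS numbers,
   authorization table and LSA fields are all constructed.

```python
"""Added detection example (not part of this draft): checks a monitor could
run against the falsifications of section 4.5.  Router names, the prefix,
AS numbers, the authorization table and LSA fields are all constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed origin-authorization table: as in Figures 2 and 3, only
# Router C is authorized to advertise Network 1.
AUTHORIZED_ORIGIN: Dict[str, Set[str]] = {"N1": {"RtrC"}}


@dataclass
class Route:
    prefix: str
    originator: str                                    # router claiming the route
    metric: int = 0                                    # RIP-style hop count
    as_path: List[int] = field(default_factory=list)   # BGP-style, nearest AS first
    lsa: Dict[str, str] = field(default_factory=dict)  # OSPF-style LSA fields


def check_origin(route: Route) -> str:
    """Overclaiming (4.5.1.1): the originator is not authorized for the prefix
    (Router A advertising Network 1 while only Router C may do so)."""
    allowed = AUTHORIZED_ORIGIN.get(route.prefix)
    if allowed is None:
        return "unknown-prefix"  # no policy recorded: log it rather than trust it
    return "ok" if route.originator in allowed else "overclaim"


def check_forwarder(protocol: str, inbound: Route, outbound: Route,
                    forwarder_as: int = 0) -> str:
    """Falsification by forwarders (4.5.2), as seen by a monitor that observes
    the same route entering and leaving a forwarder.  Each protocol allows
    exactly one transformation; any other change is classified."""
    if protocol == "rip":
        # Distance vector: the forwarder must add exactly one hop (4.5.2.1).
        return "ok" if outbound.metric == inbound.metric + 1 else "misstatement"
    if protocol == "bgp":
        # The forwarder may only prepend its own AS; dropping ASes is misstatement.
        expected = [forwarder_as] + inbound.as_path
        return "ok" if outbound.as_path == expected else "misstatement"
    if protocol == "ospf":
        # Link state: a type 1 LSA must be forwarded unmodified.
        seq_in, seq_out = inbound.lsa.get("seq"), outbound.lsa.get("seq")
        if seq_in is not None and seq_out is not None and int(seq_out) < int(seq_in):
            return "replaying"  # an older instance of the LSA put back into circulation
        if inbound.lsa.keys() - outbound.lsa.keys():
            return "deletion"
        if outbound.lsa.keys() - inbound.lsa.keys():
            return "insertion"
        if any(inbound.lsa[k] != outbound.lsa[k] for k in inbound.lsa):
            return "substitution"
        return "ok"
    raise ValueError(f"unsupported protocol: {protocol}")
```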
   The threat consequence will cease when the attacker stops
   overclaiming, and will totally disappear when the routing tables
   have converged. As a result, the consequence period is longer than
   the duration of the overclaiming.

4.5.1.2 Misclaiming

   A misclaiming threat is defined as an attacker action advertising
   its authorized control of some network resources in a way that is
   not intended by the authoritative network administrator. An attacker
   can eulogize or disparage these network resources when advertising
   them. Subverted routers, unauthorized routers, and masquerading
   routers can misclaim network resources.

   The threat consequences of misclaiming are similar to the
   consequences of overclaiming.

   The consequence zone and period are also similar to those of
   overclaiming.

4.5.2 Falsifications by Forwarders

   When a legitimate router forwards routing information, it either
   must or must not modify the routing information, depending on the
   routing information and the routing protocol type. For example, in
   RIP, the forwarder must modify the routing information by increasing
   the hop count by 1. On the other hand, the forwarder must not modify
   a type 1 LSA in OSPF. In general, forwarders in distance vector
   routing protocols are authorized to and must modify the routing
   information, while most forwarders in link state routing protocols
   are not authorized to and must not modify most routing information.

   As a forwarder authorized to modify routing messages, an attacker
   might not forward necessary routing information to other authorized
   routers. Unauthorized aggregation (summarization) is a special type
   of understatement.

4.5.2.1 Misstatement

   This is defined as an action whereby the attacker describes route
   attributes in an incorrect manner. For example, in RIP, the attacker
   might increase the path cost by two hops instead of one.
   In BGP, the attacker might delete some AS numbers from the AS PATH.

   Where forwarded routing information should not be modified, an
   attacker can launch the following falsifications:

   o  Deletion: The attacker deletes valid data in the routing message.

   o  Insertion: The attacker inserts false data in the routing
      message.

   o  Substitution: The attacker replaces valid data in the routing
      message with false data.

   o  Replaying: The attacker replays out-dated data in the routing
      message.

   All types of attackers (compromised links, compromised routers,
   unauthorized routers, and masquerading routers) can falsify the
   routing information when they forward the routing messages.

   The threat consequences of these falsifications by forwarders are
   similar to those caused by originators: usurpation of some network
   resources and related routers; deception of routers using false
   paths; and disruption of the data planes of routers on the false
   paths. The threat consequence zone and period are also similar.

4.6 Interference

   Interference is a threat action where an attacker uses a subverted
   link or router to inhibit the exchanges by legitimate routers. The
   attacker can do this by adding noise, by not forwarding packets, by
   replaying out-dated packets, by delaying responses, by denial of
   receipts, or by breaking synchronization.

   Subverted, unauthorized and masquerading routers can slow down their
   routing exchanges or create flapping routing sessions with
   legitimate neighboring routers.

   The consequence of interference is the disruption of routing
   operations.

   The consequence zone of interference varies based on the source of
   the threat:

   o  When a subverted link is used to launch the action, the threat
      consequence zone covers routers that are using the link to
      exchange routing information.
      An attack on a link can cause consequences at the neighbor
      maintenance level that may lead to changes in the database. In
      this case, the consequences can be felt network-wide.

   o  When subverted routers, unauthorized routers, or masquerading
      routers are the attackers, the threat consequence zone covers the
      routers with which the attackers are exchanging routing
      information.

   o  The threat consequences might disappear as soon as the
      interference is stopped, or might not totally disappear until the
      network has converged. Therefore, the consequence period is equal
      to or longer than the duration of the interference.

4.7 Overload

   Overload is defined as a threat action whereby attackers place an
   excess burden on legitimate routers. For example, it is possible for
   an attacker to overload the control plane. In this regard, it is
   possible for a compromised router to trigger the creation of an
   excessive amount of state that routers within the network are not
   able to handle. In a similar fashion, it is possible for an attacker
   to overload the data plane. Since the data plane is involved in
   routing exchanges, overload of the data plane can also influence the
   routing operations.

   This section combines overload of the control plane and the data
   plane (i.e., the routing protocol messages and the data traffic, not
   the control and data plane of the routing protocol itself as
   discussed in section 2.1). The routing protocol design might have a
   chance to limit control plane traffic. However, the routing protocol
   cannot limit the data traffic. Thus, an attacker can affect the
   behavior of the entire routing system.

4.8 Byzantine Failures

   As described in [4], "A node with a Byzantine failure may corrupt
   messages, forge messages, delay messages, or send conflicting
   messages to different nodes."
   These faults may arise from routers which have been subverted by an
   attacker or which have faulty hardware or software. In any case,
   they represent a threat to the correct operation of routing and
   routing protocols.

   The ability of the network to function in the face of such defects
   is described as Byzantine robustness and would fall into the scope
   of a requirements document for routing protocol security which may
   build from the base established in this document.

5. Security Considerations

   This entire document is security related. Specifically, the document
   addresses the security of routing protocols as associated with
   threats to those protocols. In a larger context, this work builds
   upon the recognition of the IETF community that the signaling and
   control/management planes of networked devices need strengthening.
   Routing protocols can be considered part of that signaling and
   control plane. However, to date, routing protocols have largely
   remained unprotected and open to malicious attacks. This document
   discusses inter- and intra-domain routing protocol threats that are
   currently known and lays the foundation for other documents that
   will discuss security requirements for routing protocols.

Normative References

   [1]  Shirey, R., "Internet Security Glossary", RFC 2828, May 2000.

   [2]  Smith, R. et al., "Securing Distance-Vector Routing Protocols",
        Symposium on Network and Distributed System Security,
        February 1997.

   [3]  Rosen, E., "Vulnerabilities of Network Control Protocols: An
        Example", Computer Communication Review, July 1981.

   [4]  Perlman, R., "Network Layer Protocols with Byzantine
        Robustness", August 1988.

   [5]  Murphy, S. et al., "OSPF with Digital Signatures", RFC 2154,
        June 1997.

   [6]  Moy, J., "OSPF Version 2", RFC 2328, April 1998.
   [7]  Mittal, V. et al., "Sensor-Based Intrusion Detection for
        Intra-Domain Distance-Vector Routing", Proceedings of the ACM
        Conference on Computer and Communication Security (CCS'02),
        Washington, DC, November 2002.

   [8]  Cheung, S. et al., "Protecting Routing Infrastructures from
        Denial of Service using co-operative intrusion detection", In
        Proceedings of the 1995 IEEE Symposium on Security and Privacy,
        May 1995.

   [9]  Bradley, K. et al., "A distributed Network Monitoring
        approach", November 2001.

   [10] Shen, N. et al., "Dynamic Hostname Exchange Mechanism for
        IS-IS", RFC 2763, February 2000.

   [11] Malkin, G., "RIP Version 2 Protocol Analysis", RFC 1721,
        November 1994.

Informative References

   [12] Vetter, W. et al., "Experimental Study of Insider Attacks in a
        Link State Routing Protocol", 5th IEEE International
        Conference on Network Protocols, Atlanta, GA, 1997.

   [13] "Internet Group Management Protocol", RFC 3376, October 2002.

   [14] Estrin, D. et al., "Protocol Independent Multicast-Sparse Mode
        (PIM-SM): Protocol Specification", RFC 2362, June 1998.

   [15] Ballardie, A. et al., "Multicast-Specific Security Threats and
        Counter-Measures", Symposium on Network and Distributed System
        Security, February 1995.

   [16] Smith, A. et al., "Securing the Border Gateway Routing
        Protocol", Proc. Global Internet'96, November 1996.

   [17] Kent, S. et al., "Secure Border Gateway Protocol
        (Secure-BGP)", IEEE Journal on Selected Areas in
        Communications, April 2000.

Authors' Addresses

   Abbie Barbir (Editor)
   Nortel Networks
   3500 Carling Avenue
   Nepean, Ontario K2H 8E9
   Canada

   Phone:
   EMail: abbieb@nortelnetworks.com

   Sandy Murphy
   Network Associates, Inc
   3060 Washington Rd.
   Glenwood, MD 21738
   USA

   Phone: 443-259-2303
   EMail: sandy@tislabs.com

   Yi Yang
   Cisco Systems
   7025 Kit Creek Road
   RTP, NC 27709
   Canada

   Phone:
   EMail: yiya@cisco.com

Appendix A. Acknowledgements

   This draft would not have been possible save for the excellent
   efforts and team work of those listed here.

   o  Dennis Beard - Nortel Networks

   o  Ayman Musharbash - Nortel Networks

   o  Jean-Jacques Puig - int-evry, France

   o  Paul Knight - Nortel Networks

   o  Elwyn Davies - Nortel Networks

   o  Ameya Dilip Pandit - Graduate student - University of Missouri

   o  Senthilkumar Ayyasamy - Graduate student - University of Missouri

   o  Stephen Kent - BBN

Appendix B. Acronyms

   AODV - Ad-hoc On-demand Distance Vector routing protocol

   AS - Autonomous system. Set of routers under a single technical
   administration. Each AS normally uses a single interior gateway
   protocol (IGP) and metrics to propagate routing information within
   the set of routers. Also called routing domain.

   AS-Path - In BGP, the route to a destination. The path consists of
   the AS numbers of all routers a packet must go through to reach a
   destination.

   BGP - Border Gateway Protocol. Exterior gateway protocol used to
   exchange routing information among routers in different autonomous
   systems.

   LSA - Link-State Announcement

   M-OSPF - Multicast Open Shortest Path First

   NLRI - Network layer reachability information. Information that is
   carried in BGP packets and is used by MBGP.

   OSPF - Open Shortest Path First. A link-state IGP that makes routing
   decisions based on the shortest-path-first (SPF) algorithm (also
   referred to as the Dijkstra algorithm).
Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11. Copies of
   claims of rights made available for publication and any assurances
   of licenses to be made available, or the result of an attempt made
   to obtain a general license or permission for the use of such
   proprietary rights by implementors or users of this specification
   can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.

Full Copyright Statement

   Copyright (C) The Internet Society (2003). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph
   are included on all such copies and derivative works.
   However, this document itself may not be modified in any way, such
   as by removing the copyright notice or references to the Internet
   Society or other Internet organizations, except as needed for the
   purpose of developing Internet standards in which case the
   procedures for copyrights defined in the Internet Standards process
   must be followed, or as required to translate it into languages
   other than English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.