Network Working Group                                          A. Barbir
Internet-Draft                                           Nortel Networks
Expires: June 16, 2004                                         S. Murphy
                                                            Sparta, Inc.
                                                                 Y. Yang
                                                           Cisco Systems
                                                       December 17, 2003

                   Generic Threats to Routing Protocols
                   draft-ietf-rpsec-routing-threats-04

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.
   This Internet-Draft will expire on June 16, 2004.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   Routing protocols are subject to attacks that can harm individual
   users or network operations as a whole.  This document provides a
   description and a summary of generic threats that affect routing
   protocols in general.  This work describes threats, including threat
   sources and capabilities, threat actions, and threat consequences, as
   well as a breakdown of routing functions that might be separately
   attacked.

Table of Contents

   1.      Introduction
   2.      Routing Functions Overview
   3.      Generic Routing Protocol Threat Model
   3.1     Threat Definitions
   3.1.1   Threat Sources
   3.1.2   Threat Consequences
   4.      Generally Identifiable Routing Threats
   4.1     Deliberate Exposure
   4.2     Sniffing
   4.3     Traffic Analysis
   4.4     Spoofing
   4.5     Falsification
   4.5.1   Falsifications by Originators
   4.5.2   Falsifications by Forwarders
   4.6     Interference
   4.7     Overload
   4.8     Byzantine Failures
   5.      Security Considerations
           Normative References
           Informative References
           Authors' Addresses
   A.      Additional Contributors
   B.      Acronyms
           Intellectual Property and Copyright Statements

1.  Introduction

   Routing protocols are subject to threats and attacks that can harm
   individual users or the network operations as a whole.  The document
   provides a summary of generic threats that affect routing protocols.
   In particular, this work identifies generic threats to routing
   protocols that include threat sources, threat actions, and threat
   consequences.  A breakdown of routing functions that might be
   separately attacked is provided.

   This work should be considered as a precursor to developing a common
   set of security requirements for routing protocols.  While it is well
   known that bad, incomplete, or poor implementations of routing
   protocols may, in themselves, lead to routing problems or failures,
   or may increase the risk of a network being attacked successfully,
   these issues are not considered here.  This document only considers
   attacks against robust, well considered implementations of routing
   protocols, as outlined in OSPF [5], IS-IS [6], RIP [7] and BGP [8].

   The document is organized as follows: Section 2 provides a review of
   routing functions.  Section 3 defines threats.  In Section 4, a
   discussion on generally identifiable routing threat actions is
   provided.  Section 5 addresses security considerations.

2.  Routing Functions Overview

   This section provides an overview of common functions that are shared
   among various routing protocols.  In general, routing protocols share
   the following functions:

   o  Transport Subsystem: The routing protocol transmits messages to
      its neighbors using some underlying protocol.  For example, OSPF
      uses IP, while other protocols may run over TCP.
   o  Neighbor State Maintenance: Neighboring relationship formation is
      the first step for topology determination.  For this reason,
      routing protocols may need to maintain state information.  Each
      routing protocol may use a different mechanism for determining its
      neighbors in the routing topology.  Some protocols have distinct
      exchanges through which they establish neighboring relationships,
      e.g., Hello exchanges in OSPF.

   o  Database Maintenance: Routing protocols exchange network topology
      and reachability information.  The routers collect this
      information in routing databases with varying detail.  The
      maintenance of these databases is a significant portion of the
      function of a routing protocol.

   A router's functions can be divided into control and data plane
   (protocol traffic vs. data traffic).  In a similar fashion, a routing
   protocol has a control and a data plane.  A routing protocol has a
   control plane that exchanges messages that are intended only for
   control of the protocol state.

   The routing protocol data plane uses messages to exchange information
   that is intended to be used in the forwarding function.  For example,
   the information can be used to establish a forwarding table in each
   router or to return a description of the route to be used.

   Routing functions may affect the control and the data planes.
   However, there may be an emphasis on one of the planes as opposed to
   the other.  For example, neighbor maintenance is likely to focus on
   the routing protocol control plane, while database maintenance may
   focus on the data plane.

3.  Generic Routing Protocol Threat Model

   The model developed in this section can be used to identify threats
   to any routing protocol.  It examines attacks which can be launched
   against routing from subverted entities within the routing system and
   from entities outside the routing system.
   Both of these types of entities are called unauthorized entities.

   Routing protocols are subject to threats at the control and data
   planes and at the functional level.  At the control plane level, both
   the control and the data plane are subject to attack.  An attacker
   may be able to break a neighboring (e.g., peering, adjacency)
   relationship.  This type of attack can impact the network routing
   behavior in the affected routers and likely the surrounding
   neighborhood.  An attacker who is able to break a database exchange
   between two routers can also affect routing behavior.  In the routing
   protocol data plane, an attacker who is able to introduce bogus data
   can have a strong effect on the behavior of routing in the
   neighborhood.

   At the routing function level, threats can affect the transport
   subsystem, where the routing protocol can be subject to attacks on
   its underlying protocol.  At the neighbor state maintenance level,
   there are threats that can lead to attacks that can disrupt the
   neighboring relationship with widespread consequences.  For example,
   in BGP, if a router receives a CEASE message, it can lead to breaking
   its neighboring relationship to other routers.

   There are threats against the database maintenance functionality.
   For example, the information in the database must be authentic and
   authorized.  Threats that jeopardize this information can affect the
   routing functionality in the overall network.  For example, if an
   OSPF router sends LSAs with the wrong Advertising Router, the
   receivers will compute an SPF tree that is incorrect and might not
   forward the traffic.  If a BGP router advertises an NLRI that it is
   not authorized to advertise, then receivers might forward that NLRI's
   traffic toward that router and the traffic would not be deliverable.
   A PIM router might transmit a JOIN message to receive multicast data
   it would otherwise not receive.
3.1  Threat Definitions

   In this work, a threat is defined as a motivated, capable adversary.
   This characterization of threats clearly distinguishes threats from
   attacks.  By modeling the motivations (attack goals) and capabilities
   of the adversaries who are threats, one can better understand what
   classes of attacks these threats may mount and thus what types of
   countermeasures will be required to deal with these attacks.  In [1],
   a threat is defined as a potential for violation of security, which
   exists when there is a circumstance, capability, action, or event
   that could breach security and cause harm.  Threats can be
   categorized based on various rules, such as threat sources, threat
   actions, threat consequences, threat consequence zones, and threat
   consequence periods.

3.1.1  Threat Sources

   There are many sources for threats that may affect routing protocols.
   In some cases, unauthorized entities such as attackers may illegally
   participate in the routing operations.  In other circumstances, there
   are threats to routing protocols from entities that are running
   incorrect code, or using invalid configurations.

   Threats can originate from outsiders or insiders.  An insider is an
   authorized participant in the routing protocol.  An outsider is any
   other host or network.  A particular router determines if a host is
   an outsider or an insider.

   In general, threats can be classified into the following categories
   based on their sources [2]:

   o  Threats that result from subverted links: A link becomes subverted
      when an attacker gains access to (or control of) it through a
      physical medium.  The attacker can then take control over the
      link.  This threat can result from the lack (or the use of weak)
      access control mechanisms as applied to physical mediums or
      channels.
      The attacker may eavesdrop, replay, delay, or drop routing
      messages, or break routing sessions between authorized routers,
      without participating in the routing exchange.

   o  Threats that result from subverted devices (e.g., routers): A
      subverted device (router) is an authorized router that may have
      been broken into by an attacker.  The attacker can use the
      subverted device to inappropriately claim authority for some
      network resources, or violate routing protocols, such as
      advertising invalid routing information.

3.1.2  Threat Consequences

   A threat consequence is a security violation that results from a
   threat action [1].  The compromise to the behavior of the routing
   system can damage a particular network or host or can damage the
   operation of the network as a whole.

   There are four types of threat consequences: disclosure, deception,
   disruption, and usurpation [1].

   o  Disclosure: Disclosure of routing information happens when a
      router successfully accesses the information without being
      authorized.  Subverted links can cause disclosure if routing
      exchanges lack confidentiality.  Subverted devices (routers) can
      cause disclosure, as long as they are successfully involved in the
      routing exchanges.  Although inappropriate disclosure of routing
      information can pose a security threat or be part of a later,
      larger, or higher layer attack, confidentiality is not generally a
      design goal of routing protocols.

   o  Deception: This consequence happens when a legitimate router
      receives a forged routing message and believes it to be authentic.
      Subverted links and/or subverted devices (routers) can cause this
      consequence if the receiving router lacks the ability to check
      routing message integrity or origin authentication.

   o  Disruption: This consequence occurs when a legitimate router's
      operation is being interrupted or prevented.
      Subverted links can cause this by replaying, delaying, or dropping
      routing messages, or breaking routing sessions between legitimate
      routers.  Subverted devices (routers) can cause this consequence
      by sending false routing messages, interfering with normal routing
      exchanges, or flooding unnecessary messages.  (DoS is a common
      threat action causing disruption.)

   o  Usurpation: This consequence happens when an attacker gains
      control over a legitimate router's services/functions.  Subverted
      links can cause this by delaying or dropping routing exchanges, or
      replaying out-dated routing information.  Subverted routers can
      cause this consequence by sending false routing information or
      interfering with routing exchanges.

   Note: an attacker does not have to directly control a router to
   control its services.  For example, in Figure 1, Network 1 is
   dual-homed through Router A and Router B, and Router A is preferred.
   However, Router B is compromised and advertises a better metric.
   Consequently, devices on the Internet choose the path through Router
   B to reach Network 1.  In this way, Router B steals the data traffic
   and Router A surrenders its control of the services to Router B.
   This is depicted in Figure 1.

        +-------------+   +-------+
        |  Internet   |---| Rtr A |
        +------+------+   +---+---+
               |              |
               |              |
               |              |
               |            *-+-*
        +-------+          /     \
        | Rtr B |---------*  N 1  *
        +-------+          \     /
                            *---*

                     Figure 1: Dual-homed Network

   Several threat consequences might be caused by a single threat
   action.  In Figure 1, there exist at least two consequences: routers
   using Router B to reach Network 1 are deceived, while Router A is
   usurped.
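   The following added example (not part of this draft) makes the
   Figure 1 scenario and its consequence zone concrete.  It runs a
   link-state SPF over a constructed topology that extends Figure 1
   with an "Edge" router behind the Internet and a "Cust" router behind
   Rtr A, then compares every router's path to N 1 before and after
   Rtr B advertises a better metric.  Node names, link costs and the
   forged value are assumptions chosen so that Rtr A is preferred until
   Rtr B lies.

```python
"""Consequence zone of the forged metric in Figure 1 (constructed example)."""
from heapq import heappop, heappush
from typing import Dict, List, Optional, Set, Tuple

Link = Tuple[str, str]

# Constructed link-state database: (advertising router, neighbor) -> cost as
# the advertising router reports it.  Figure 1 plus two extra routers so the
# consequence zone is visibly smaller than the whole network.
HONEST_LSDB: Dict[Link, int] = {
    ("Internet", "RtrA"): 1, ("RtrA", "Internet"): 1,
    ("Internet", "RtrB"): 1, ("RtrB", "Internet"): 1,
    ("Internet", "Edge"): 1, ("Edge", "Internet"): 1,  # router behind "Internet"
    ("Cust", "RtrA"): 1, ("RtrA", "Cust"): 1,          # customer router behind A
    ("RtrA", "N1"): 1,                                 # A's genuine link to N 1
    ("RtrB", "N1"): 2,                                 # B's genuine, worse link
}

# The compromised Rtr B advertises a better metric for its link to N 1.
FORGED_OVERRIDE: Dict[Link, int] = {("RtrB", "N1"): 0}


def build_graph(lsdb: Dict[Link, int]) -> Dict[str, Dict[str, int]]:
    graph: Dict[str, Dict[str, int]] = {}
    for (src, dst), cost in lsdb.items():
        graph.setdefault(src, {})[dst] = cost
        graph.setdefault(dst, {})
    return graph


def shortest_path(graph: Dict[str, Dict[str, int]], src: str,
                  dst: str) -> Optional[List[str]]:
    """Dijkstra SPF from src; returns the node list to dst, or None."""
    dist = {src: 0}
    prev: Dict[str, str] = {}
    heap = [(0, src)]
    while heap:
        d, node = heappop(heap)
        if d > dist.get(node, float("inf")):
            continue                      # stale heap entry
        if node == dst:
            break
        for nbr, cost in graph[node].items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                prev[nbr] = node
                heappush(heap, (nd, nbr))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def all_paths(lsdb: Dict[Link, int], dst: str = "N1") -> Dict[str, Optional[List[str]]]:
    """Every router's SPF result toward dst, computed from one shared database."""
    graph = build_graph(lsdb)
    return {r: shortest_path(graph, r, dst) for r in graph if r != dst}


def consequence_zone(honest: Dict[Link, int], override: Dict[Link, int],
                     dst: str = "N1") -> Set[str]:
    """Routers whose forwarding toward dst changes once the forged LSA is
    flooded: the deceived routers of Section 3.1.2."""
    forged = dict(honest)
    forged.update(override)
    before, after = all_paths(honest, dst), all_paths(forged, dst)
    return {r for r in before if before[r] != after[r]}


def transit_sources(paths: Dict[str, Optional[List[str]]], router: str) -> Set[str]:
    """Routers whose traffic to the destination passes through router."""
    return {src for src, p in paths.items() if p and router in p[1:-1]}


if __name__ == "__main__":
    forged = {**HONEST_LSDB, **FORGED_OVERRIDE}
    print("deceived routers:", sorted(consequence_zone(HONEST_LSDB, FORGED_OVERRIDE)))
    print("traffic via Rtr A before:", sorted(transit_sources(all_paths(HONEST_LSDB), "RtrA")))
    print("traffic via Rtr A after: ", sorted(transit_sources(all_paths(forged), "RtrA")))
```

   Rtr A's own table never changes, yet the traffic it carried moves to
   Rtr B: that is the usurpation the note describes, and it sits outside
   the set of deceived routers.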
   Within the context of the threat consequences described above, damage
   that might result from attacks against the network as a whole may
   include:

   o  Network congestion: more data traffic is forwarded through some
      portion of the network than would otherwise need to carry the
      traffic,

   o  Blackhole: the consequence is that "packets go in, but go
      nowhere",

   o  Looping: data traffic is forwarded along a route that loops, so
      that the data is never delivered (resulting in network
      congestion),

   o  Partition: some portion of the network believes that it is
      partitioned from the rest of the network when it is not,

   o  Churn: the forwarding in the network changes (unnecessarily) at a
      rapid pace, resulting in large variations in the data delivery
      patterns (and adversely affecting congestion control techniques),

   o  Instability: the protocol becomes unstable so that convergence on
      a global forwarding state is not achieved, and

   o  Overload: the protocol messages themselves become a significant
      portion of the traffic the network carries.
   The damage that might result from attacks against a particular host
   or network address may include:

   o  Starvation: data traffic destined for the network or host is
      forwarded to a part of the network that cannot deliver it,

   o  Eavesdrop: data traffic is forwarded through some router or
      network that would otherwise not see the traffic, affording an
      opportunity to see the data or at least the data delivery pattern,

   o  Cut: some portion of the network believes that it has no route to
      the host or network when it is in fact connected,

   o  Delay: data traffic destined for the network or host is forwarded
      along a route that is in some way inferior to the route it would
      otherwise take,

   o  Looping: data traffic for the network or host is forwarded along a
      route that loops, so that the data is never delivered.

   It is important to consider all compromises, because some security
   solutions can protect against one attack but not against others.  It
   might be possible to design a security solution that protects against
   an attack that eavesdropped on one destination's traffic without
   protecting against an attack that overwhelmed a router.  Similarly,
   it is possible to design a security solution that prevents a
   starvation attack against one host, but not against network-wide
   resources.  The security requirements must be clear as to which
   compromises are being avoided and which compromises must be addressed
   by other means (e.g., by administrative means outside the protocol).

3.1.2.1  Threat Consequence Zone

   A threat consequence zone covers the area within which the network
   operations have been affected by threat actions.  Possible threat
   consequence zones can be classified as: a single link or router,
   multiple routers (within a single routing domain), a single routing
   domain, multiple routing domains, or the global Internet.
   The threat consequence zone varies based on the threat action and
   origin.  Similar threat actions that happen at different locations
   may cause totally different threat consequences.  For example, when a
   compromised link breaks the routing session between a distribution
   router and a stub router, only reachability to and from the network
   devices attached to the stub router will be impaired.  In other
   words, the threat consequence zone is a single router.  In another
   case, if the compromised router is located between a customer edge
   router and its corresponding provider edge router, such an action
   might cause the whole customer site to lose its connection.  In this
   case, the threat consequence zone might be a single routing domain.

3.1.2.2  Threat Consequence Periods

   The threat consequence period is defined as the portion of time
   during which the network operations are being impacted by the threat
   consequences.  The threat consequence period is influenced by, but
   not totally dependent on, the duration of the threat action.  In some
   cases, the network operations will get back to normal as soon as the
   threat action has been stopped.  In other cases, however, threat
   consequences may persist longer than the threat action.  For example,
   in the original ARPANET link-state algorithm, some errors in a router
   introduced three instances of an LSA.  All of them flooded throughout
   the network continuously, until the entire network was power cycled
   [3].

4.  Generally Identifiable Routing Threats

   This section addresses generally identifiable and recognized threat
   actions against routing protocols.  The threat actions are not
   necessarily specific to individual protocols but may be present in
   one or more of the common routing protocols in use today.
4.1  Deliberate Exposure

   Deliberate exposure occurs when an attacker takes control of a router
   and intentionally releases routing information directly to devices
   that, otherwise, should not receive the exposed information.  In some
   cases, the receiving devices (e.g., routers) may not be authorized to
   access the leaked routing information.  Deliberate exposure is always
   a threat action; however, the exposure of routing information may not
   be.

   The consequence of deliberate exposure is the disclosure of routing
   information.

   The threat consequence zone of deliberate exposure depends on the
   routing information that the attackers have exposed.  The more
   knowledge they have exposed, the bigger the threat consequence zone.

   The threat consequence period of deliberate exposure might be longer
   than the duration of the action itself.  The routing information
   exposed will not be out-dated until there is a topology change of the
   exposed network.

4.2  Sniffing

   Sniffing is an action whereby attackers monitor and/or record the
   routing exchanges between authorized routers.  Attackers can use
   subverted links to sniff for routing information.  Attackers can also
   sniff data plane information (however, this is out of scope of the
   current work).

   The consequence of sniffing is disclosure of routing information.

   The threat consequence zone of sniffing depends on the attacker's
   location, the routing protocol type, and the routing information that
   has been recorded.  For example, if the subverted link is in an OSPF
   totally stubby area, the threat consequence zone should be limited to
   the whole area.  An attacker that is sniffing a subverted link in an
   EBGP session can gain knowledge of multiple routing domains.

   The threat consequence period might be longer than the duration of
   the action.
   If an attacker stops sniffing a subverted link, their acquired
   knowledge will not be out-dated until there is a topology change of
   the affected network.

4.3  Traffic Analysis

   Traffic analysis is an action whereby attackers gain routing
   information by analyzing the characteristics of the data traffic on a
   subverted link.  Traffic analysis threats can affect any data that is
   sent over a communication link.  This threat is not peculiar to
   routing protocols and is included here for completeness.

   The consequence of data traffic analysis is the disclosure of routing
   information.  For example, the source and destination IP addresses of
   the data traffic, and the type, magnitude, and volume of traffic can
   be disclosed.

   The threat consequence zone of the traffic analysis depends on the
   attacker's location and what data traffic has passed through.  A
   subverted link at the network core should be able to disclose more
   information than its counterpart at the edge.

   The threat consequence period might be longer than the duration of
   the traffic analysis.  After the attacker stops traffic analysis, its
   knowledge will not be out-dated until there is a topology change of
   the disclosed network.

4.4  Spoofing

   Spoofing occurs when an illegitimate device assumes the identity of a
   legitimate one.  Spoofing in and of itself is often not the true
   attack.  Spoofing is special in that it can be used to carry out
   other threat actions causing other threat consequences.  An attacker
   can use spoofing as a means for launching other types of attacks.
   For example, if an attacker succeeds in spoofing the identity of a
   router, the attacker can act as a masquerading router.  In other
   situations, the spoofing router can be used to send out unrealistic
   routing information that might cause the disruption of network
   services.
   There are a few cases where spoofing can be an attack in and of
   itself.  For example, messages from an attacker which spoof the
   identity of a legitimate router may cause a neighbor relationship to
   form and deny the formation of the relationship with the legitimate
   router.

   The consequences of spoofing are:

   o  The disclosure of routing information: The spoofing router will be
      able to gain access to the routing information.

   o  The deception of peer relationship: The authorized routers, which
      exchange routing messages with the spoofing router, do not realize
      they are neighboring with a router that is faking another router's
      identity.

   The threat consequence zone covers:

   o  The consequence zone of the fake peer relationship will be limited
      to those routers trusting the attacker's claimed identity.

   o  The consequence zone of the disclosed routing information depends
      on the attacker's location, the routing protocol type, and the
      routing information that has been exchanged between the attacker
      and its deceived neighbors.

   Note: This section focuses on addressing spoofing as a threat on its
   own.  However, spoofing creates conditions for other threats.  Other
   consequences are considered falsifications and are treated in the
   next section.

4.5  Falsification

   Falsification is an intentional action whereby false routing
   information is sent by a subverted router.  To falsify the routing
   information, an attacker has to be either the originator or a
   forwarder of the routing information.  It cannot be a receiver-only.
   False routing information describes the network in an unrealistic
   fashion, whether or not intended by the authoritative network
   administrator.

4.5.1  Falsifications by Originators

   An originator of routing information can launch the falsifications
   that are described in the next sections.
4.5.1.1  Overclaiming

   Overclaiming occurs when a subverted router advertises its control of
   some network resources, while in reality it does not, or the
   advertisement is not authorized.  This is given in Figure 2 and
   Figure 3.

        +-------------+   +-------+   +-------+
        |  Internet   |---| Rtr B |---| Rtr A |
        +------+------+   +-------+   +---+---+
               |                          .
               |                          |
               |                          .
               |                        *-+-*
        +-------+                      /     \
        | Rtr C |---------------------*  N 1  *
        +-------+                      \     /
                                        *---*

                        Figure 2: Overclaiming-1

        +-------------+   +-------+   +-------+
        |  Internet   |---| Rtr B |---| Rtr A |
        +------+------+   +-------+   +-------+
               |
               |
               |
               |                        *---*
        +-------+                      /     \
        | Rtr C |---------------------*  N 1  *
        +-------+                      \     /
                                        *---*

                        Figure 3: Overclaiming-2

   The above figures provide examples of overclaiming.  Router A, the
   attacker, is connected to the Internet through Router B.  Router C is
   authorized to advertise its link to Network 1.  In Figure 2, Router A
   controls a link to Network 1, but is not authorized to advertise it.
   In Figure 3, Router A does not control such a link.  But in either
   case, Router A advertises the link to the Internet, through Router B.

   Compromised routers, unauthorized routers, and masquerading routers
   can overclaim network resources.  The consequence of overclaiming
   includes:

   o  Usurpation of the overclaimed network resources.  In Figure 2 and
      Figure 3, usurpation of Network 1 can occur when Router B (or
      other routers on the Internet, not shown in the figures) believes
      that Router A provides the best path to reach Network 1.  As a
      result, routers forward data traffic destined to Network 1 to
      Router A.  The best result is that the data traffic uses an
      unauthorized path, as in Figure 2.  The worst case is that the
      data never reaches the destination Network 1, as in Figure 3.
      The ultimate consequence is Router A gaining control over Network
      1's services, by controlling the data traffic.

   o  Usurpation of the legitimate advertising routers.  In Figure 2 and
      Figure 3, Router C is the legitimate advertiser of Network 1.  By
      overclaiming, Router A also controls (partially or totally) the
      services/functions provided by Router C.  (This is NOT a
      disruption, because Router C is operating in a way intended by the
      authoritative network administrator.)

   o  Deception of other routers.  In Figure 2 and Figure 3, Router B,
      or other routers on the Internet, might be deceived to believe the
      path through Router A is the best.

   o  Disruption of data planes on some routers.  This might happen to
      routers that are on the path that is used by other routers to
      reach the overclaimed network resources through the attacker.  In
      Figure 2 and Figure 3, when other routers on the Internet are
      deceived, they will forward the data traffic to Router B, which
      might be overloaded.

   The threat consequence zone varies based on the consequence:

   o  Where usurpation is concerned, the consequence zone covers the
      network resources that are overclaimed by the attacker (Network 1
      in Figure 2 and 3), and the routers that are authorized to
      advertise the network resources but lose the competition against
      the attacker (Router C in Figure 2 and Figure 3).

   o  Where deception is concerned, the consequence zone covers the
      routers that do believe the attacker's advertisement and use the
      attacker to reach the claimed networks (Router B and other
      deceived routers on the Internet in Figure 2 and Figure 3).

   o  Where disruption is concerned, the consequence zone includes the
      routers that are on the path of misdirected data traffic (Router B
      in Figure 2 and Figure 3).
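   The check that the overclaiming discussion implies on the receiving
   side (Router B verifying that whoever originates Network 1 is
   authorized to do so) can be written as a route origin authorization
   filter.  The following is an added example and not code from this
   draft: the authorization table, the router names and the prefixes
   (IPv4 documentation ranges standing in for Network 1) are
   constructed, and the maximum-length field goes a little beyond the
   figures by also rejecting an authorized originator that announces a
   longer prefix than it was authorized for.

```python
"""Origin authorization check for received route advertisements (constructed)."""
import ipaddress
from typing import Iterable, List, NamedTuple, Tuple

Network = ipaddress.IPv4Network


class Authorization(NamedTuple):
    prefix: Network      # address block the originator may announce
    max_length: int      # longest prefix length covered by this authorization
    origin: str          # router (or AS) authorized to originate it


class Advertisement(NamedTuple):
    prefix: Network
    origin: str          # claimed originator of the route
    received_from: str   # neighbor that handed us the advertisement


# Constructed authorization table for Figures 2 and 3: only Rtr C may
# originate Network 1 (192.0.2.0/24 stands in for "N 1"), and it may not
# split it into anything longer than a /24.
AUTHORIZATIONS: List[Authorization] = [
    Authorization(Network("192.0.2.0/24"), 24, "RtrC"),
]


def validate_origin(adv: Advertisement, auths: Iterable[Authorization]) -> str:
    """Classify an advertisement as 'valid', 'invalid' or 'not_found'.

    'invalid' means some authorization covers the prefix but none permits
    this origin at this length: the overclaiming case of Section 4.5.1.1.
    'not_found' means nobody has registered the prefix, so the check cannot
    say anything and local policy decides.
    """
    covering = [a for a in auths if adv.prefix.subnet_of(a.prefix)]
    if not covering:
        return "not_found"
    for a in covering:
        if a.origin == adv.origin and adv.prefix.prefixlen <= a.max_length:
            return "valid"
    return "invalid"


def filter_advertisements(advs: Iterable[Advertisement],
                          auths: Iterable[Authorization],
                          accept_unknown: bool = True
                          ) -> Tuple[List[Advertisement], List[str]]:
    """Return the advertisements to install and a log line per rejection."""
    auths = list(auths)
    accepted: List[Advertisement] = []
    rejected: List[str] = []
    for adv in advs:
        state = validate_origin(adv, auths)
        if state == "valid" or (state == "not_found" and accept_unknown):
            accepted.append(adv)
        else:
            rejected.append(f"dropped {adv.prefix} origin={adv.origin} "
                            f"via {adv.received_from}: {state}")
    return accepted, rejected


# Constructed advertisements as Rtr B would see them in Figures 2 and 3.
RECEIVED = [
    Advertisement(Network("192.0.2.0/24"), "RtrC", "RtrC"),     # legitimate
    Advertisement(Network("192.0.2.0/24"), "RtrA", "RtrA"),     # overclaim by Rtr A
    Advertisement(Network("192.0.2.0/25"), "RtrC", "RtrC"),     # authorized origin, too long
    Advertisement(Network("198.51.100.0/24"), "RtrA", "RtrA"),  # nothing registered
]

if __name__ == "__main__":
    kept, log = filter_advertisements(RECEIVED, AUTHORIZATIONS)
    for line in log:
        print(line)
    print("installed:", [(str(a.prefix), a.origin) for a in kept])
```

   Whether 'not_found' routes are installed is a policy choice; the
   check itself only separates what the authorization data can prove
   from what it cannot.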
   The threat consequence will cease when the attacker stops
   overclaiming, and will totally disappear when the routing tables have
   converged.  As a result, the consequence period is longer than the
   duration of the overclaiming.

4.5.1.2  Misclaiming

   A misclaiming threat is defined as an action where an attacker is
   advertising its authorized control of some network resources in a way
   that is not intended by the authoritative network administrator.  An
   attacker can eulogize or disparage when advertising these network
   resources.  Subverted routers, unauthorized routers, and masquerading
   routers can misclaim network resources.

   The threat consequences of misclaiming are similar to the
   consequences of overclaiming.

   The consequence zone and period are also similar to those of
   overclaiming.

4.5.2  Falsifications by Forwarders

   When a legitimate router forwards routing information, it must or
   must not modify the routing information, depending on the routing
   information and the routing protocol type.  For example, in RIP, the
   forwarder must modify the routing information by increasing the hop
   count by 1.  On the other hand, the forwarder must not modify a type
   1 LSA in OSPF.  In general, forwarders in distance vector routing
   protocols are authorized to and must modify the routing information,
   while most forwarders in link state routing protocols are not
   authorized to and must not modify most routing information.

   As a forwarder authorized to modify routing messages, an attacker
   might not forward necessary routing information to other authorized
   routers.

4.5.2.1  Misstatement

   This is defined as an action whereby the attacker describes route
   attributes in an incorrect manner.  For example, in RIP, the attacker
   might increase the path cost by two hops instead of one.  In BGP, the
   attacker might delete some AS numbers from the AS PATH.
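   For the BGP misstatement just described, a receiving router has one
   local check available: the leftmost AS of a path learned from an
   external peer must be that peer's own AS, and the receiver's own AS
   must not appear anywhere in the path.  The following is an added
   example, not code from this draft.  It decodes a constructed AS_PATH
   attribute value (2-octet AS numbers, documentation ASNs 64496 to
   64499 are assumed) and applies both checks, which most BGP
   implementations offer as an "enforce first AS" option plus standard
   AS loop detection.

```python
"""Local sanity checks on a received BGP AS_PATH (constructed example)."""
import struct
from typing import List, Tuple

AS_SET, AS_SEQUENCE = 1, 2
Segment = Tuple[int, List[int]]


def parse_as_path(value: bytes) -> List[Segment]:
    """Decode an AS_PATH attribute value into (segment type, [ASN, ...]) pairs.

    Wire format per segment: 1 byte type, 1 byte AS count, then the ASes as
    2-octet numbers (the 2-byte form is assumed here)."""
    segments: List[Segment] = []
    i = 0
    while i < len(value):
        if i + 2 > len(value):
            raise ValueError("truncated segment header")
        seg_type, count = value[i], value[i + 1]
        i += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unknown segment type {seg_type}")
        if i + 2 * count > len(value):
            raise ValueError("truncated segment body")
        asns = list(struct.unpack(f"!{count}H", value[i:i + 2 * count]))
        i += 2 * count
        segments.append((seg_type, asns))
    return segments


def encode_as_path(segments: List[Segment]) -> bytes:
    """Inverse of parse_as_path; used only to build the sample data below."""
    out = b""
    for seg_type, asns in segments:
        out += bytes([seg_type, len(asns)]) + struct.pack(f"!{len(asns)}H", *asns)
    return out


def check_as_path(value: bytes, peer_as: int, local_as: int) -> List[str]:
    """Return the problems found; an empty list means the path passes.

    Checks: (1) loop detection, our own AS must not appear; (2) from an
    external peer the path is non-empty and its leftmost AS is the peer's.
    """
    problems: List[str] = []
    segments = parse_as_path(value)
    if any(local_as in asns for _, asns in segments):
        problems.append(f"local AS {local_as} present in path (loop)")
    if not segments:
        problems.append("empty AS_PATH from external peer")
    else:
        seg_type, asns = segments[0]
        if seg_type != AS_SEQUENCE or not asns:
            problems.append("leftmost segment is not a non-empty AS_SEQUENCE")
        elif asns[0] != peer_as:
            problems.append(f"leftmost AS {asns[0]} is not peer AS {peer_as}")
    return problems


# Constructed samples, as seen by a router in AS 64499 peering with AS 64496.
LOCAL_AS, PEER_AS = 64499, 64496
HONEST_PATH = encode_as_path([(AS_SEQUENCE, [64496, 64497, 64498])])
SHORTENED_PATH = encode_as_path([(AS_SEQUENCE, [64497, 64498])])      # peer's own AS missing
LOOPED_PATH = encode_as_path([(AS_SEQUENCE, [64496, 64499, 64498])])  # contains our AS

if __name__ == "__main__":
    for name, path in [("honest", HONEST_PATH), ("shortened", SHORTENED_PATH),
                       ("looped", LOOPED_PATH)]:
        print(name, parse_as_path(path), check_as_path(path, PEER_AS, LOCAL_AS))
```

   Only the peer's own AS is locally verifiable: an AS removed from
   further along the path is not detectable by the receiver with these
   checks alone.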
Where the forwarded routing information should not be modified, an
attacker can launch the following falsifications:

   o  Deletion: the attacker deletes valid data from the routing
      message.

   o  Insertion: the attacker inserts false data into the routing
      message.

   o  Substitution: the attacker replaces valid data in the routing
      message with false data.

   o  Replaying: the attacker replays out-dated data in the routing
      message.

All types of attackers (compromised links, compromised routers,
unauthorized routers, and masquerading routers) can falsify the routing
information when they forward the routing messages.

The threat consequences of these falsifications by forwarders are
similar to those caused by originators: usurpation of some network
resources and related routers; deception of routers using false paths;
and disruption of data planes of routers on the false paths. The threat
consequence zone and period are also similar.

4.6 Interference

Interference is a threat action where an attacker uses a subverted link
or router to inhibit the exchanges between legitimate routers. The
attacker can do this by adding noise, by not forwarding packets, by
replaying out-dated packets, by delaying responses, by denying
receipts, or by breaking synchronization.

Subverted, unauthorized and masquerading routers can slow down their
routing exchanges or induce flapping in the routing sessions of
legitimate neighboring routers.

The consequence of interference is the disruption of routing
operations.

The consequence zone of interference varies based on the source of the
threat:

   o  When a subverted link is used to launch the action, the threat
      consequence zone covers the routers that use the link to exchange
      routing information. An attack on a link can cause consequences
      at the neighbor maintenance level that may lead to changes in the
      database. In this case, the consequences can be felt
      network-wide.

   o  When subverted routers, unauthorized routers, or masquerading
      routers are the attackers, the threat consequence zone covers the
      routers with which the attackers are exchanging routing
      information.

The threat consequences might disappear as soon as the interference is
stopped, or might not totally disappear until the network has
converged. Therefore, the consequence period is equal to or longer than
the duration of the interference.

4.7 Overload

Overload is defined as a threat action whereby attackers place an
excess burden on legitimate routers. For example, it is possible for an
attacker to overload the control plane: a compromised router can
trigger the creation of an excessive amount of state that routers
within the network are not able to handle. In a similar fashion, it is
possible for an attacker to overload the data plane. Since the data
plane carries the routing exchanges, overload of the data plane can
also influence routing operations.

This section combines overload of the control plane and of the data
plane (i.e., the routing protocol messages and the data traffic, not
the control and data plane of the routing protocol itself as discussed
in Section 2.1). The routing protocol design might have a chance to
limit control plane traffic. However, the routing protocol cannot limit
the data traffic. Thus, an attacker can affect the behavior of the
entire routing system.

4.8 Byzantine Failures

As described in [4], "A node with a Byzantine failure may corrupt
messages, forge messages, delay messages, or send conflicting messages
to different nodes". These faults may arise from routers which have
been subverted by an attacker or which have faulty hardware or
software.
In any case, they represent a threat to the correct operation of
routing and routing protocols.

The ability of the network to function in the face of such defects is
described as Byzantine robustness, and would fall into the scope of a
requirements document for routing protocol security that may build on
the base established in this document.

5. Security Considerations

This entire document is security related. Specifically, the document
addresses the security of routing protocols as associated with threats
to those protocols. In a larger context, this work builds upon the
recognition of the IETF community that the signaling and
control/management planes of networked devices need strengthening.
Routing protocols can be considered part of that signaling and control
plane. However, to date, routing protocols have largely remained
unprotected and open to malicious attacks. This document discusses the
inter- and intra-domain routing protocol threats that are currently
known and lays the foundation for other documents that will discuss
security requirements for routing protocols. This document is protocol
independent.

Normative References

   [1]  Shirey, R., "Internet Security Glossary", RFC 2828, May 2000.

   [2]  Smith, B., et al., "Securing Distance-Vector Routing Protocols",
        Symposium on Network and Distributed System Security, February
        1997.

   [3]  Rosen, E., "Vulnerabilities of Network Control Protocols: An
        Example", Computer Communication Review, July 1981.

   [4]  Perlman, R., "Network Layer Protocols with Byzantine
        Robustness", August 1988.

   [5]  Moy, J., "OSPF Version 2", RFC 2328, April 1998.

   [6]  Shen, N., et al., "Dynamic Hostname Exchange Mechanism for
        IS-IS", RFC 2763, February 2000.

   [7]  Malkin, G., "RIP Version 2 Protocol Analysis", RFC 1721,
        November 1994.

Informative References

   [8]  Kent, S., et al., "Secure Border Gateway Protocol (Secure-BGP)",
        IEEE Journal on Selected Areas in Communications, April 2000.

Authors' Addresses

   Abbie Barbir
   Nortel Networks
   3500 Carling Avenue
   Nepean, Ontario K2H 8E9
   Canada

   Phone:
   EMail: abbieb@nortelnetworks.com

   Sandy Murphy
   Sparta, Inc.
   7075 Samuel Morse Drive
   Columbia, MD
   USA

   Phone: 410-872-1515 x206
   EMail: sandy@tislabs.com

   Yi Yang
   Cisco Systems
   7025 Kit Creek Road
   RTP, NC 27709
   USA

   Phone:
   EMail: yiya@cisco.com

Appendix A. Additional Contributors

This draft would not have been possible save for the excellent efforts
and teamwork of those listed here.

   o  Dennis Beard - Nortel Networks

   o  Ayman Musharbash - Nortel Networks

   o  Jean-Jacques Puig - int-evry, France

   o  Paul Knight - Nortel Networks

   o  Elwyn Davies - Nortel Networks

   o  Ameya Dilip Pandit - Graduate student, University of Missouri

   o  Senthilkumar Ayyasamy - Graduate student, University of Missouri

   o  Stephen Kent - BBN

   o  Tim Gage - Cisco

   o  James Ng - Cisco

   o  Alvaro Retana - Cisco

Appendix B. Acronyms

   AS - Autonomous System. A set of routers under a single technical
   administration. Each AS normally uses a single interior gateway
   protocol (IGP) and a single set of metrics to propagate routing
   information within the set of routers. Also called a routing domain.

   AS_PATH (AS-Path) - In BGP, the path attribute describing the route
   to a destination. The path consists of the AS numbers of the
   autonomous systems that a packet must traverse to reach the
   destination.

   BGP - Border Gateway Protocol. The exterior gateway protocol used to
   exchange routing information among routers in different autonomous
   systems.

   LSA - Link-State Advertisement.

   NLRI - Network Layer Reachability Information. The set of destination
   prefixes carried in BGP UPDATE messages; multiprotocol BGP (MBGP)
   extends it to other address families.

   OSPF - Open Shortest Path First. A link-state IGP that makes routing
   decisions based on the shortest-path-first (SPF) algorithm (also
   referred to as the Dijkstra algorithm).

Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to pertain
to the implementation or use of the technology described in this
document or the extent to which any license under such rights might or
might not be available; neither does it represent that it has made any
effort to identify any such rights. Information on the IETF's
procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances of
licenses to be made available, or the result of an attempt made to
obtain a general license or permission for the use of such proprietary
rights by implementors or users of this specification can be obtained
from the IETF Secretariat.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary rights
which may cover technology that may be required to practice this
standard. Please address the information to the IETF Executive
Director.

Full Copyright Statement

Copyright (C) The Internet Society (2003). All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it or
assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing the
copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of developing
Internet standards in which case the procedures for copyrights defined
in the Internet Standards process must be followed, or as required to
translate it into languages other than English.

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assignees.

This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT
NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL
NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgment

Funding for the RFC Editor function is currently provided by the
Internet Society.