Threats to Routing Protocols
Dennis Beard, Sandra Murphy, Yi Yang
March 2003


Outline
• Scope
• Routing Functions
• Threat Definition
• Threat Source, Action & Consequence
• Generally Identifiable Routing Threat Actions
• Threats against Multicast Routing Protocols

Scope
• All routing protocols, intra- and inter-domain (IGP and EGP)
• Intent: advise routing protocol designers about security
  - get them thinking about vulnerabilities
  - set requirements (MUST, SHOULD, MAY)
• Security of the protocol itself, not of the operational environment it works in

Routing Functions
• Transport subsystem
  - the subsystem that carries the data between routers
  - can itself be attacked, with impact on the routing protocol
  - can carry an attack through to the routing protocol
• Neighbor state
  - determine the peer and establish the relationship
  - attacks can break the relationship and so disrupt routing [typo: the draft said BGP and CEASE msg]

Routing Functions (cont)
• Database maintenance
  - sometimes a separate step, sometimes an implicit result of the communication of topology info
  - e.g., wireless protocols keeping only the "interesting" routes
• Topology computation from the database
• Each function has a control part and a data part, with different consequences from an attack on each

Threat Definition
“A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.”
Robert Shirey, RFC 2828: Internet Security Glossary

The RFC 2828 definitions are the basis for the expression of our model.

Threat Model - Sources
• Intruders, or malicious programs launched by an intruder
• Compromised (or subverted?) links
• Compromised (or subverted?) routers
• Masquerading routers (illegitimately assuming the identity or role of a legitimate router)
• Unauthorized devices
• Open questions: Should RP designers worry about subverted links? Should we distinguish masquerading routers from unauthorized routers?
* A router may play multiple roles simultaneously

Threat Model - Actions
• Attacks and other intentional malicious actions against the routing protocols
• Goal: proper protocol design that mitigates the threat, which requires identifying the external factors the protocol should protect against
• Actions: deliberate exposure, sniffing / wiretapping, traffic analysis, spoofing, falsification, interference, overload
* An attacker may launch multiple actions simultaneously

Threat Model - Consequences
• Compromises, and the damage done by the malicious actions
• Zone: impact on router(s), Autonomous System(s), or global
• Period: shorter than, equal to, or longer than the duration of the threat action
• Disclosure: unauthorized access to routing information
• Deception: belief in false routing information
• Disruption: degradation or interruption of operation
• Usurpation: control or modification of legitimate router services / functions
* An action may cause multiple consequences

Threat Actions
• Deliberate Exposure: intentional release of routing information
• Sniffing: monitoring the routing exchange between legitimate routers
• Traffic Analysis: indirect access to routing information gained by monitoring data traffic
• Spoofing: assuming another's identity
• Falsification: declaring invalid routing information
• Interference: impeding routing exchanges
• Overload: placing excessive burdens on routers or links

Generally Identifiable Threat Actions
• Deliberate Exposure
  - Intentional release of routing information to unauthorized devices
  - Source: all attackers; Consequence: Disclosure
  - Is this a valid threat against routing protocols?
• Sniffing / Wiretapping
  - Monitor / record routing information
  - Source: compromised / subverted links; Consequence: Disclosure
• Traffic Analysis
  - Analyze data traffic to learn routing information
  - Source: compromised / subverted links; Consequence: Disclosure
  - Is this a valid threat against routing protocols?

Spoofing
• Illegally assumes a legitimate router's identity
• Source: all attackers; an attacker becomes a masquerading router after a successful spoof
• It is a threat in itself, as well as a means to launch other threats
• Consequences:
  - Deception (on the peer relationship), and DoS based on that deception
  - Accounting
  - Disclosure (of routing information)

Falsification
• Make and distribute invalid routing information
• Sources:
  - Originator: all attackers except compromised / subverted links
    - Overclaiming, Underclaiming, Misclaiming
    - Is underclaiming a valid threat? (non-existing vs. not defendable)
  - Forwarder: all attackers
    - Overstatement, Understatement, Misstatement
• Consequences: Deception, Usurpation, Disruption
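The following is an added example, not part of the slides or of the rpsec draft: a toy path-vector exchange that acts out the originator and forwarder falsification cases above and shows which of them a receiving router can reject with purely local checks. All AS numbers, prefixes and the ORIGIN_AUTH table are constructed, and the concrete reading of overstatement / understatement / misstatement is this example's own interpretation of the slide's terms.

```python
"""Added example (not from the slides): a toy path-vector exchange that acts
out the falsification sub-cases and shows which of them a receiver can reject
with local checks.  All AS numbers, prefixes and the ORIGIN_AUTH table are
constructed; the split of over/under/misstatement below is this example's
interpretation of the slide's terms."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    prefix: str
    path: tuple  # AS path as the receiver sees it: sending neighbor first, originator last


# Constructed authorization data: which AS may originate each prefix.  It stands
# in for an origin attestation (as in S-BGP / soBGP); a plain protocol speaker
# has no such table and therefore cannot detect overclaiming at all.
ORIGIN_AUTH = {"192.0.2.0/24": 64500, "198.51.100.0/24": 64501}


def originate(asn, prefix):
    """Originator action.  Overclaiming is originating a prefix that ORIGIN_AUTH
    assigns to someone else; underclaiming is never calling this for a prefix
    you do own (the resulting black hole leaves no message to check)."""
    return Update(prefix, (asn,))


def forward(asn, upd, tamper=None):
    """Forwarder action.  An honest forwarder prepends its own AS; a subverted
    one may also falsify the path it learned (interpretation assumed here):
      understatement: strips the hops it learned through, so the route looks shorter
      overstatement:  pads the path, so the route looks longer / less attractive
      misstatement:   replaces the learned intermediate hops with an invented AS
    """
    path = upd.path
    if tamper == "understatement":
        path = path[-1:]                  # keep only the originator
    elif tamper == "overstatement":
        path = (asn, asn) + path          # extra copies of itself
    elif tamper == "misstatement":
        path = (64599,) + path[-1:]       # 64599 is an invented AS
    return Update(upd.prefix, (asn,) + path)


def validate(upd, neighbor_asn):
    """Checks a receiver can apply to one update from one neighbor."""
    if not upd.path:
        return False, "empty path"
    if upd.path[0] != neighbor_asn:
        return False, "first hop is not the sending neighbor"
    if ORIGIN_AUTH.get(upd.prefix) != upd.path[-1]:
        return False, "origin AS not authorized for prefix"
    return True, "ok"


def select(candidates):
    """Simplified best-path selection: the shortest AS path wins."""
    return min(candidates, key=lambda u: len(u.path))


def scenario():
    """Victim AS 64530 peers with honest AS 64520 and attacker AS 64540.
    The legitimate route is 64500 -> 64510 -> 64520 -> victim."""
    prefix = "192.0.2.0/24"
    legit = forward(64520, forward(64510, originate(64500, prefix)))
    # Overclaiming: the attacker originates a prefix it is not authorized for.
    overclaim = originate(64540, prefix)
    # Understatement: the attacker forwards the real origin but drops the hops
    # it learned through, making its route look shorter than the honest one.
    understate = forward(64540, forward(64510, originate(64500, prefix)),
                         tamper="understatement")
    received = [(64520, legit), (64540, overclaim), (64540, understate)]
    accepted = [u for nbr, u in received if validate(u, nbr)[0]]
    best = select(accepted)
    return {
        "legit_path": legit.path,
        "overclaim_rejected": not validate(overclaim, 64540)[0],
        "understate_accepted": validate(understate, 64540)[0],
        "best_path": best.path,
        "hijacked": best.path[0] == 64540,   # deception, then usurpation of traffic
    }


if __name__ == "__main__":
    print(scenario())
```

The origin check rejects the overclaim, but the understated path from the attacker passes every local test and then wins path selection, so the victim ends up deceived and its traffic usurped. That gap, falsification by a forwarder rather than an originator, is the kind of thing the sanity check against S-BGP / soBGP later in the deck is meant to surface: a receiver cannot tell a shortened path from a genuinely short one without some per-hop attestation.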

Interference
• Inhibit routing exchanges
• Source: all attackers; Consequence: Disruption

Overload
• Place an excess burden on the control plane or the data plane
• Should we care about the data plane in routing protocol design?
• Source: all attackers; Consequence: Disruption

Byzantine Failures
• Caused by faulty routers
• So general that it is redundant with the other threat actions (falsification, overload, …)
• Should not be listed separately

Discarding of Control Packets
• Similar to underclaiming?
• OLSR

Network Mapping
• Threat action or consequence?
• If it is an action, is it redundant with sniffing / traffic analysis?

Multicast Routing Threat Actions
• Introduction of misleading route information, via non-existent (black hole) or incorrect routes, is a key MC routing vulnerability
• MC routing protocols are at least as susceptible as unicast ones
• Updates can be: fabricated, modified, replayed, deleted, snooped
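As an added example that is not part of the slides: the five update attacks just listed (fabricated, modified, replayed, deleted, snooped) are worth separating by what a receiving router can actually notice. The toy channel below puts a keyed MAC and a per-sender sequence number on each update and feeds it one instance of each attack. The shared key, router names and payloads are constructed, and the scheme is a generic symmetric-key authenticator rather than any real protocol's authentication option.

```python
"""Added example (not from the slides): a toy update channel with a keyed MAC
and per-sender sequence number, used to show which of the five update attacks
(fabricated, modified, replayed, deleted, snooped) a receiving router can
detect and which it cannot.  The key, router names and payloads are
constructed; the scheme is a generic symmetric-key authenticator, not any
particular protocol's option."""
import hashlib
import hmac
import json

KEY = b"constructed-shared-key"   # assumption: pre-shared among legitimate routers


def mac(sender, seq, payload):
    msg = json.dumps([sender, seq, payload], sort_keys=True).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def send(sender, seq, payload):
    """What a legitimate (or key-holding) router puts on the wire."""
    return {"sender": sender, "seq": seq, "payload": payload,
            "mac": mac(sender, seq, payload)}


class Receiver:
    def __init__(self):
        self.last_seq = {}   # highest accepted sequence number per sender
        self.routes = {}     # sender -> last accepted routing payload

    def receive(self, m):
        """Returns a verdict string describing what the checks concluded."""
        expected = mac(m["sender"], m["seq"], m["payload"])
        if not hmac.compare_digest(expected, m["mac"]):
            return "rejected: bad MAC (fabricated or modified)"
        last = self.last_seq.get(m["sender"], 0)
        if m["seq"] <= last:
            return "rejected: stale sequence (replayed)"
        verdict = "accepted"
        if m["seq"] != last + 1:
            # Something between last and seq never arrived: deleted in transit
            # (or lost); the receiver can notice the gap but not recover the data.
            verdict = "accepted; gap detected (update deleted in transit)"
        self.last_seq[m["sender"]] = m["seq"]
        self.routes[m["sender"]] = m["payload"]
        return verdict


def run():
    """Runs one instance of each attack from the slide against one receiver."""
    r = Receiver()
    verdicts = []
    u1 = send("R1", 1, {"192.0.2.0/24": "via R1"})
    verdicts.append(r.receive(u1))                 # legitimate
    verdicts.append(r.receive(u1))                 # replayed: same update again
    modified = dict(u1, seq=2, payload={"192.0.2.0/24": "via R9"})  # MAC not recomputed
    verdicts.append(r.receive(modified))
    fabricated = {"sender": "R1", "seq": 2, "payload": {"192.0.2.0/24": "via R9"},
                  "mac": "00" * 32}                # attacker without the key guesses
    verdicts.append(r.receive(fabricated))
    send("R1", 2, {"198.51.100.0/24": "via R1"})   # deleted: never reaches the receiver
    verdicts.append(r.receive(send("R1", 3, {"203.0.113.0/24": "via R1"})))
    # Snooped: a compromised link reads u1["payload"]; nothing here can notice.
    # Compromised router: R9 holds KEY, so its false claim passes every check.
    verdicts.append(r.receive(send("R9", 1, {"192.0.2.0/24": "via R9"})))
    return verdicts


if __name__ == "__main__":
    for v in run():
        print(v)
```

The MAC catches fabrication and modification, the sequence number catches replay, and a gap in the sequence at least reveals deletion. Two attacks stay outside the receiver's view, and they line up with the deck's source categories: snooping on a compromised link is a pure disclosure consequence that an authenticator does nothing about, and a compromised router that holds the key can still originate false routing information, which is exactly why the deck treats compromised routers and compromised links as distinct sources.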

Sandy’s Comments Summarized
• Section 3.1: content
• Section 4.1, Deliberate Exposure: content
• Section 4.3, Traffic Analysis: content
• Section 4.4, Spoofing: editorial
• Section 4.5, Underclaiming: content
• Section 4.5a, “ownership”: editorial
• Section 4.7, Overload: editorial / content
• Section 4.8, Byzantine Failures: editorial
• Section 4.9, Discard of Control Messages: content
• Section 4.10, Network Mapping: editorial
• Multicast Routing: editorial (redundant, inconsistent)

Sandy’s Comments: Some Themes
• Privacy of routing data: is it important?
  - comments both ways on the mailing list; the nemo group wants “location privacy”
  - Section 4.1 Deliberate Exposure; Section 4.3 Traffic Analysis
• Not an attack on the routing protocol (or not addressable by it)
  - Section 4.3 Traffic Analysis; Section 4.7 Overload; Section 2 Transport Subsystem
• Correctness vs. security
  - Section 4.5 Underclaiming; Section 4.9 Discard of Control Messages

Sanity Checks
• Compare to the BGP Attack Tree document
  - see if there are attacks there not represented here, and vice versa
  - many of that document's attacks are operational in nature (i.e., not the business of this analysis)
• Compare to SOBGP / SBGP
  - see if those approaches deal with these threat actions, sources and consequences
  - see if any further vulnerabilities are left unprotected
• Compare to the security requirements expressed by other routing protocol groups (e.g., nemo)

In Closing…
We have presented a model to:
• Document threats and their related consequences
• Provide a format to help prioritize results
• Enable a process to:
  1. Address the top threat actions (must be included)
  2. Make a decision on medium / low threat actions (acceptable risk; future work)

Next Step
• Need your input to address the following: structure, content

Thank You!