Outline
• Scope
• Routing Functions
• Threat Definition
• Threat Source, Action & Consequence
• Generally Identifiable Routing Threat Actions
• Threats against Multicast Routing Protocols
Scope
• All routing protocols
• Intent: advise routing protocol designers about security
  – get them thinking about vulnerabilities
  – set requirements (MUST, SHOULD, MAY)
• Intra- and Inter-domain (IGP and EGP)
• Security of the protocol, not of the operational environment it works in
Routing Functions
• Transport subsystem
  – the subsystem that carries the data between routers
  – can be attacked, with impact on the routing protocol
  – can carry an attack to the routing protocol
• Neighbor state
  – determine peer and establish relationship
  – attacks can break the relationship and disrupt routing [typo: draft said BGP and CEASE msg]
Routing Functions (cont)
• Database maintenance
  – sometimes a separate step, sometimes an implicit result of the communication of topology info (like wireless)
  – keeping interesting routes
• Topology computation from database
• Each function has control and data parts; different consequences from each
Threat Definition
“A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.”
Robert Shirey, RFC2828: Internet Security Glossary
• The RFC definitions are the basis for the expression of our model
Threat Model - Sources
• Intruders or malicious programs launched by the intruder
• Compromised (or subverted??) links
• Compromised (or subverted??) routers
• Masquerading routers (illegitimately assumes identity/role)
• Unauthorized devices
Open questions: Should RP designers worry about subverted links? Should we distinguish masquerading from unauthorized routers?
* A router may play multiple roles simultaneously
Threat Model - Actions
• Attacks and other intentional malicious actions against the routing protocols
• Address proper protocol design to mitigate threat
• Need to identify external factors that the protocol should protect against
• Actions: Deliberate exposure, Sniffing/wiretapping, Traffic analysis, Spoofing, Falsification, Interference, Overload
* An attacker may launch multiple actions simultaneously
Threat Model - Consequences
• Compromises and the damage done by the malicious actions
• Zones (impact to router(s), Autonomous System(s), Global)
• Period (smaller, equal or greater than threat action duration)
• Disclosure: Unauthorized access to routing info
• Deception: Belief of false routing info
• Disruption: Operation degradation or interruption
• Usurpation: Control/modification of legitimate router services/functions
* An action may cause multiple consequences
• Deliberate Exposure: Intentional release of routing information
• Sniffing: Monitor routing exchange between legitimate routers
• Traffic Analysis: Indirect access to routing info gained by monitoring data traffic
• Spoofing: Assume other’s identity
• Falsification: Declare invalid routing information
• Interference: Impact routing exchanges
• Overload: Place excessive burdens
Generally Identifiable Threat Actions
• Deliberate Exposure: Intentional release of routing information to unauthorized devices
  – Sources: All attackers
  – Consequence: Disclosure
  – Question: Is this a valid threat against routing protocols?
• Traffic Analysis: Analyze data traffic to learn routing information
  – Sources: Compromised / subverted links
  – Consequence: Disclosure
  – Question: Is this a valid threat against routing protocols?
• Spoof: Illegally assumes a legitimate router's identity
  – Sources: All attackers
  – Attackers become masquerading routers after a successful spoof
  – It is a threat, as well as a means to launch threats
  – Consequences: Deception (on peer relationship) and DoS based on the Deception; Accounting; Disclosure (on routing information)
• Falsification: Make and distribute invalid routing information
  – Sources:
    Originator: All attackers except compromised / subverted links
      Overclaiming, Underclaiming, Misclaiming
    Forwarder: All attackers
      Overstatement, Understatement, Misstatement
  – Question: Is underclaiming a valid threat? (not-existing vs. not defendable)
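As an added example (not from the slides or the draft), this Python check applies the falsification taxonomy above to constructed route advertisements: it classifies an originator's claims against a prefix registry as over-, under- or misclaiming, and a forwarder's re-announcements against what it received as over-, under- or misstatement. The registry, router ids, prefixes, the precise reading of each term and the "prepend own id" forwarding policy are assumptions of the example.

```python
import ipaddress

def _net(s):
    return ipaddress.ip_network(s, strict=False)

def check_originator(origin, claimed, registry):
    """Classify an originator's prefix claims against a registry of who owns what.
    registry: {originator: [owned prefixes]}; claimed: prefixes the originator announced.
    Reading assumed here: overclaiming = claims space assigned to nobody, misclaiming =
    claims space the registry assigns to another originator, underclaiming = omits own space."""
    owned = [_net(p) for p in registry.get(origin, [])]
    others = [_net(p) for o, ps in registry.items() if o != origin for p in ps]
    findings = []
    for c in map(_net, claimed):
        if any(c.subnet_of(o) for o in owned):
            continue                                  # legitimate claim
        kind = "misclaiming" if any(c.subnet_of(o) for o in others) else "overclaiming"
        findings.append((kind, str(c)))
    for o in owned:                                   # owned space nobody claimed
        if not any(_net(c).subnet_of(o) or o.subnet_of(_net(c)) for c in claimed):
            findings.append(("underclaiming", str(o)))
    return findings

def check_forwarder(router, received, forwarded):
    """Compare what a forwarder re-announces with what it received ({prefix: path tuple}).
    Assumed policy: a faithful forwarder re-announces every received route with its own
    id prepended. overstatement = announces a route it never received, understatement =
    drops a received route, misstatement = alters the path of a route it did receive."""
    findings = []
    for p, path in forwarded.items():
        if p not in received:
            findings.append(("overstatement", p))
        elif tuple(path) != (router,) + tuple(received[p]):
            findings.append(("misstatement", p))
    findings += [("understatement", p) for p in received if p not in forwarded]
    return findings

# Constructed sample data (not from the draft): R1 owns two /16s, R2 owns one /24;
# R1 claims R2's space and an unassigned /12 and omits one of its own /16s.
REGISTRY = {"R1": ["10.1.0.0/16", "10.2.0.0/16"], "R2": ["192.0.2.0/24"]}
R1_CLAIMS = ["10.1.0.0/16", "192.0.2.0/24", "172.16.0.0/12"]
# R3 received three routes; it shortens one path, invents a route and drops another.
R3_RECEIVED = {"10.1.0.0/16": ("R1",), "10.2.0.0/16": ("R1",), "192.0.2.0/24": ("R2",)}
R3_FORWARDED = {"10.1.0.0/16": ("R3", "R1"), "10.2.0.0/16": ("R3",), "198.51.100.0/24": ("R3",)}

if __name__ == "__main__":
    print(check_originator("R1", R1_CLAIMS, REGISTRY))
    print(check_forwarder("R3", R3_RECEIVED, R3_FORWARDED))
```

The originator check needs a trusted registry of prefix ownership to work, which is exactly the external input a routing protocol alone cannot supply.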
• Overload: Place excess burden, against control plane or data plane
  – Sources: All attackers
  – Consequence: Disruption
  – Question: Should we care about the data plane in routing protocol design?
• Byzantine Failures: Caused by faulty routers
  – So general that it is redundant to other threat actions: falsification, overload…
  – Should not be listed separately
• Network Mapping Threats
  – Threat action or consequence? If this is an action, is it redundant to sniffing/traffic analysis?
Multicast Routing Threat Actions
• Introduction of misleading route information via non-existent (black hole) or incorrect routes is a key MC routing vulnerability
• MC routing protocols are at least as susceptible as Unicast
• Updates can be: Fabricated, Modified, Replayed, Deleted, Snooped
Sandy’s Comments Summarized
• Section 3.1: content
• Section 4.1: Deliberate Exposure: content
• Section 4.3: Traffic Analysis: content
• Section 4.4: Spoofing: editorial
• Section 4.5: Underclaiming: content
• Section 4.5a: “ownership”: editorial
• Section 4.7: Overload: editorial/content
• Section 4.8: Byzantine Failures: editorial
• Section 4.9: Discard of Control Messages: content
• Section 4.10: Network Mapping: editorial
• Multicast Routing: editorial (redundant, inconsistent)
Sandy’s Comments: Some Themes
• Privacy of routing data: important? Comments both ways on the mailing list; the nemo group wants “location privacy”
  – Section 4.1: Deliberate Exposure
  – Section 4.3: Traffic Analysis
• Not an attack on the routing protocol (or not addressable in it)
  – Section 4.3: Traffic Analysis
  – Section 4.7: Overload
  – Section 2: Transport Subsystem
• Correctness vs. security
  – Section 4.5: Underclaiming
  – Section 4.9: Discard of Control Messages
Sanity Checks
• Need to compare to the BGP Attack Tree document
  – see if there are attacks there not represented here, and vice versa
  – many of that document’s attacks are operational in nature (i.e., not the business of this analysis)
• Need to compare to soBGP/S-BGP
  – see if those approaches deal with these threat actions, sources, consequences
  – see if there are any further vulnerabilities left unprotected
• Need to compare to other routing protocols’ expressed security requirements (e.g., nemo)
In Closing…
We have presented a model to:
• Document threats & related consequences
• Provide a format to help prioritize results
• Enable a process to:
  1. Address top threat actions (must be included)
  2. Make a decision on medium/low threat actions (acceptable risk; future work)