[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: (draft-beard-rpsec-routing-threats) 00 01 02 03 04 05 06 07 RFC 4593

Network Working Group                                          A. Barbir
Internet-Draft                                           Nortel Networks
Expires: February 24, 2004                                     S. Murphy
                                                 Network Associates, Inc
                                                                 Y. Yang
                                                           Cisco Systems
                                                         August 26, 2003


                  Generic Threats to Routing Protocols
                  draft-ietf-rpsec-routing-threats-02

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at http://
   www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on February 24, 2004.

Copyright Notice

   Copyright (C) The Internet Society (2003). All Rights Reserved.

Abstract

   Routing protocols are subject to attacks that can harm individual
   users or network operations as a whole. This document provides a
   description and a summary of generic threats that affects routing
   protocols in general. This work describes threats, including threat
   sources and capabilities, threat actions, and threat consequences as
   well as a breakdown of routing functions that might be separately
   attacked.





Barbir, et al.         Expires February 24, 2004                [Page 1]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


Table of Contents

   1.    Introduction . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.    Routing Functions Overview . . . . . . . . . . . . . . . . .  4
   2.1   Routing Protocol Control and Data Planes . . . . . . . . . .  4
   3.    Generic Routing Protocol Threat Model  . . . . . . . . . . .  5
   3.1   Threat Definitions . . . . . . . . . . . . . . . . . . . . .  5
   3.1.1 Threat Sources . . . . . . . . . . . . . . . . . . . . . . .  6
   3.1.2 Threat Consequences  . . . . . . . . . . . . . . . . . . . .  7
   4.    Generally Identifiable Routing Threats . . . . . . . . . . . 11
   4.1   Deliberate Exposure  . . . . . . . . . . . . . . . . . . . . 11
   4.2   Sniffing . . . . . . . . . . . . . . . . . . . . . . . . . . 11
   4.3   Traffic Analysis . . . . . . . . . . . . . . . . . . . . . . 12
   4.4   Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . 12
   4.5   Falsification  . . . . . . . . . . . . . . . . . . . . . . . 13
   4.5.1 Falsifications by Originators  . . . . . . . . . . . . . . . 13
   4.5.2 Falsifications by Forwarders . . . . . . . . . . . . . . . . 16
   4.6   Interference . . . . . . . . . . . . . . . . . . . . . . . . 17
   4.7   Overload . . . . . . . . . . . . . . . . . . . . . . . . . . 18
   4.8   Byzantine Failures . . . . . . . . . . . . . . . . . . . . . 18
   5.    Security Considerations  . . . . . . . . . . . . . . . . . . 20
         Normative References . . . . . . . . . . . . . . . . . . . . 21
         Informative References . . . . . . . . . . . . . . . . . . . 22
         Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 22
   A.    Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 24
   B.    Acronyms . . . . . . . . . . . . . . . . . . . . . . . . . . 25
         Intellectual Property and Copyright Statements . . . . . . . 26
























Barbir, et al.         Expires February 24, 2004                [Page 2]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


1. Introduction

   Routing protocols are subject to threats and attacks that can harm
   individual users or the network operations as a whole. The document
   provides a summary of generic threats that affects routing protocols.
   In particular, this work identifies generic threats to routing
   protocols that include threat sources, threat actions, and threat
   consequences. A breakdown of routing functions that might be
   separately attacked is provided.

   This documents takes a general threats to routing functions. In this
   work, the "owner" of an address prefix or an AS [17] number is an
   organization that has been granted the right to use that prefix or
   number. Each Regional Internet Rggistry (RIR) acquires prefixes and
   AS numbers from IANA, and further distributes (delegates use of) them
   to organizations such as ISPs and multi-homed subscribers. For
   address prefixes, delegation typically involves assigning a subset of
   a prefix to an organization, which may, in turn, further delegate
   subsets to other organizations, e.g., subscribers or downstream
   providers.

   This work should be considered as a precursor to developing a common
   set of security requirements for routing protocols. While it is well
   known that bad, incomplete, or poor implementations of routing
   protocols may, in themselves, lead to routing problems or failures,
   or may increase the risk of a network being attacked successfully,
   these issues are not considered here. This document only considers
   attacks against robust, well considered implementations of routing
   protocols, as outlined in OSPF [6], IS-IS [10] , RIP [11] and BGP
   [17].

   The security requirements derived from this analysis are intended to
   be used as guidance to those who are designing and modifying routing
   protocols. They may also be used by routing protocol implementers to
   increase the robustness of their implementations.

   The document is organized as follows: Section 2 provides a review of
   routing functions. Section 3 defines threats. In section 4 a
   discussion on generally identifiable routing threat actions is
   provided. Section 5 addresses security considerations.











Barbir, et al.         Expires February 24, 2004                [Page 3]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


2. Routing Functions Overview

   This section provides an overview of common functions that are shared
   among various routing protocols. In general, routing protocols share
   the following common functions:

   o  Transport Subsystem: The routing protocol transmits messages to
      its neighbors using some underlying protocol.  For example, OSPF
      uses IP, while AODV uses a broadcast link. Other protocols may run
      over TCP.

   o  Neighbor State Maintenance: neighboring relationship formation is
      the first step for topology determination.  For this reason,
      routing protocols may need to maintain the state of their
      neighbors.  Each routing protocol may use a different mechanism
      for determining its neighbors in the routing topology.  Some
      protocols have distinct exchange through which they establish
      neighboring relationships, e.g., Hello exchanges in OSPF.

   o  Database Maintenance: Routing protocols exchange network topology
      and reach-ability information.  The routers collect this
      information in routing databases with varying detail.  The
      maintenance of these databases is a significant portion of the
      function of a routing protocol.


2.1 Routing Protocol Control and Data Planes

   A router's functions can be divided into control and data plane
   (protocol traffic vs. data traffic). In a similar fashion, a routing
   protocol has a control and a data plane.  A routing protocol has a
   control plane that exchanges messages that are intended only for
   control of the protocol state.

   Routing protocol data plane uses messages to exchange information
   that is intended to be used in the forwarding function. For example,
   the information can be used to establish a forwarding table in each
   router or to return a description of the route to be used.

   Routing functions may affect the control and the data planes.
   However, there may be an emphasis on one of the planes as opposed to
   the other.  For example, neighbor maintenance is likely to focus on
   the routing protocol control plane, while database maintenance may
   focus on the data plane.







Barbir, et al.         Expires February 24, 2004                [Page 4]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


3. Generic Routing Protocol Threat Model

   The model developed in this section can be used to identify threats
   to any routing protocol. It examines attacks which can be launched
   against routing from subverted entities within the routing system,
   and from entities outside the routing system. Both of these types of
   entities are called unauthorized entities.

   Routing protocols are subject to treats at the control and data
   planes and at the functional level.  At the control plane level,
   control and data plane are subject to attack. An attacker may be able
   to break a neighbor (e.g., peering, adjacency) relationship. This
   type of attack can impact the network routing behavior in the
   affected routers and likely the surrounding neighborhood.  An
   attacker who is able to break a database exchange between two routers
   can also affect routing behavior.  In the routing protocol data
   plane, an attacker who is able to introduce bogus data can have a
   strong effect on the behavior of routing in the neighborhood.

   At the routing function level threats can affect the transport
   subsystem, where the routing protocol can be subject to attacks on
   its underlying protocol. At the neighbor state maintenance level,
   there are threats that can lead to attacks that can disrupt the
   neighboring relationship with widespread consequences.  For example,
   if the DR election is disrupted in an OSPF network, an unauthorized
   router could be chosen as designated router.  This might allow
   unauthorized access to routing information.  In BGP, if a router
   receives a CEASE message, it can break the neighboring relationship
   and cause any related topology information to be flushed.

   There are threats against the database maintenance functionality. For
   example, the information in the database must be authentic and
   authorized. Threats that jeopardize this information can affect the
   routing functionality in the overall network.  For example, if an
   OSPF router sends LSA's with the wrong Advertising Router, the
   receivers will compute a SPF tree that is incorrect and might not
   forward the traffic.  If a BGP router advertises a NLRI that it is
   not authorized to advertise, then receivers might forward that NLRI's
   traffic toward that router and the traffic would not be deliverable.
   A PIM router might transmit a JOIN message to receive multicast data
   it would otherwise not receive

3.1 Threat Definitions

   Threat is defined in [1] as a potential for violation of security,
   which exists when there is a circumstance, capability, action, or
   event that could breach security and cause harm. A threat presents
   itself when an attacker has the ability to take advantage of an



Barbir, et al.         Expires February 24, 2004                [Page 5]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


   existing security weakness.  Threats can be categorized based on
   various rules, such as threat sources, threat actions, threat
   consequences, threat consequence zones, and threat consequence
   periods.

3.1.1 Threat Sources

   There are many sources for threats that may affect routing protocols.
   In some cases, unauthorized entities such as attackers may illegally
   participate in the routing operations. In other circumstances, there
   are threats to routing protocols from entities that are running
   incorrect code, or using invalid configurations.

   Threats can originate form outsiders or insiders.  An insider is an
   authorized participant in the routing protocol.  An outsider is any
   other host or network.  A host is determined to be an outsider or an
   insider from the point of view of a particular router.  Even an
   authorized protocol speaker can be an outsider to a particular router
   if the router does not consider the speaker to be a legitimate peer
   (as could conceivably happen on a multi-access link).

   In general, threats can be classified into the following categories
   based on their sources [2]:

   o  Threats that result from subverted links: A link become subverted
      when an attacker gain access (or control) to it through a physical
      medium. The attacker can then take control over the link.  This
      threat can result from the lack (or the use of weak) access
      control mechanisms as applied to physical mediums or channels. The
      attacker may eavesdrop, replay, delay, or drop routing messages,
      or break routing sessions between authorized routers, without
      participating in the routing exchange.

   o  Threats that result from subverted devices (e.g. routers): A
      subverted device (router) is an authorized router that may have
      routing software bugs, hardware defects, incorrect or unintended
      configurations. Devices can be susceptible to such threats due to
      the lack mechanisms to verify system integrity (For example, the
      router is working correctly as been intended by the authoritative
      network administrator), or such mechanisms can be circumvented.
      Such threats may enable attackers to inappropriately claim
      authority for some network resources, or violate routing
      protocols, such as advertising invalid routing information.

   For example, an OSPF router will form a peering relationship with any
   attached device which appears to be running OSPF, unless MD5
   authentication (or some other means) is used to prevent the
   neighboring relationship from forming. Furthermore, MANET protocols



Barbir, et al.         Expires February 24, 2004                [Page 6]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


   frequently speak over the broadcast link.

3.1.2 Threat Consequences

   A threat consequence is a security violation that results from a
   threat action [1]. The compromise to the behavior of the routing
   system can damage a particular network or host or can damage the
   operation of the network as a whole.

   There are four types of threat consequences: disclosure, deception,
   disruption, and usurpation [1].

   o  Disclosure: Disclosure of routing information happens when a
      router successfully accesses the information without being
      authorized. Subverted links can cause disclosure, if routing
      exchanges lack confidentiality.  Subverted devices (routers), can
      cause disclosure, as long as they are successfully involved in the
      routing exchanges.  Although inappropriate disclosure of routing
      information can pose a security threat or be part of a later,
      larger, or higher layer attack, confidentiality is not generally a
      design goal of routing protocols.

   o  Deception: This consequence happens when a legitimate router
      receives a false routing message and believes it to be true.
      Subverted links and/or subverted device (routers)can cause this
      consequence if the receiving router lacks ability  to check
      routing message integrity, routing message origin, authentication
      or peer router authentication.

   o  Disruption: This consequence occurs when a legitimate router's
      operation is being interrupted or prevented. Subvert links can
      cause this by replaying, delaying, or dropping routing messages,
      or breaking routing sessions between legitimate routers. Subverted
      devices (router) can cause this consequence by sending false
      routing messages, interfering normal routing exchanges, or
      flooding unnecessary messages. (DoS is a common threat action
      causing disruption.)

   o  Usurpation:  This consequence happens when an attacker gains
      control over a legitimate router's services/functions. Subverted
      links can cause this by delaying or dropping routing exchanges, or
      replaying out-dated routing information.  Subverted routers can
      cause this consequence by sending false routing information,
      interfering routing exchanges, or system integrity.

   Note: an attacker does not have to directly control a router to
   control its services.  For example, in Figure 1, Network 1 is
   dual-homed through Router A and Router B, and Router A is preferred.



Barbir, et al.         Expires February 24, 2004                [Page 7]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


   However, Router B is compromised and advertises a lower metric.
   Consequently, devices on the Internet choose the path through Router
   B to reach Network 1.  In this way, Router B steals the data traffic
   and Router A surrenders its control of the services to Router B. This
   depicted in Figure 1.


      +-------------+   +-------+
      |  Internet   |---| Rtr A |
      +------+------+   +---+---+
             |              |
             |              |
             |              |
             |            *-+-*
      +-------+           /     \
      | Rtr B |----------*  N 1  *
      +-------+           \     /
                           *---*



                           Figure 1: Network

   Several threat consequences might be caused by a single threat
   action.  In Figure 1, there exist at least two consequences: routers
   using Router B to reach Network 1 are deceived, while Router A is
   usurped.

   Within the context of the threat consequences described above, damage
   that might result from attacks against the network as a whole may
   include:

   o  Network congestion: more data traffic is forwarded through some
      portion of the network than would otherwise need to carry the
      traffic,

   o  Blackhole: large amounts of traffic are directed to be forwarded
      through one router that cannot handle the increased level of
      traffic and drops many/most/all packets,

   o  Looping: data traffic is forwarded along a route that loops, so
      that the data is never delivered (resulting in network
      congestion),

   o  Partition: some portion of the network believes that it is
      partitioned from the rest of the network when it is not,

   o  Churn: the forwarding in the network changes (unnecessarily) at a



Barbir, et al.         Expires February 24, 2004                [Page 8]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


      rapid pace, resulting in large variations in the data delivery
      patterns (and adversely affecting congestion control techniques),

   o  Instability: the protocol becomes unstable so that convergence on
      a global forwarding state is not achieved, and

   o  Overload: the protocol messages themselves become a significant
      portion of the traffic the network carries.

   The damage that might result from attacks against a particular host
   or network address may include:

   o  Starvation: data traffic destined for the network or host is
      forwarded to a part of the network that cannot deliver it,

   o  Eavesdrop: data traffic is forwarded through some router or
      network that would otherwise not see the traffic, affording an
      opportunity to see the data or at least the data delivery pattern,

   o  Cut: some portion of the network believes that it has no route to
      the host or network when it is in fact connected,

   o  Delay: data traffic destined for the network or host is forwarded
      along a route that is in some way inferior to the route it would
      otherwise take,

   o  Looping: data traffic for the network or host is forwarded along a
      route that loops, so that the data is never delivered

   It is important to consider all compromises, because some security
   solutions can protect against one attack but not against others.  It
   might be possible to design a security solution that protects
   against an attack that eavesdropped on one destination's traffic
   without protecting against an attack that overwhelmed a router.
   Similarly, it is possible to design a security solution that prevents
   a starvation attack against one host, but not against  a network wide
   resources.  The security requirements must be clear as to  which
   compromises are being avoided and which compromises must be addressed
   by  other means (e.g., by administrative means outside the protocol).

3.1.2.1 Threat Consequence Zone

   A threat consequence zone covers the area within which the network
   operations have been affected by threat actions. Possible threat
   consequence zones can be classified as: a single link or router,
   multiple routers (within a single routing domain), a single routing
   domain, multiple routing domains, or the global Internet. The threat
   consequence zone varies based on the threat action and origin.



Barbir, et al.         Expires February 24, 2004                [Page 9]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


   Similar threat actions that happened at different locations may cause
   totally different threat consequence zones. For example, when a
   compromised link breaks the routing session between a distribution
   router and a stub router, only reach ability from and to the network
   devices attached on the stub router will be impaired. In other words,
   the threat consequence zone is a single router. Nonetheless, if the
   compromised router is located between a customer edge router and its
   corresponding provider edge router, such an action might cause the
   whole customer site to lose its connection. In this case, the threat
   consequence zone might be a single routing domain.

3.1.2.2 Threat Consequence Periods

   Threat consequence period is defined as a portion of time during
   which the network operations have been impacted by the threat
   consequences. The threat consequence period is influenced by, but not
   totally dependent on the duration of the threat action. In some
   cases, the network operations will get back to normal as soon as the
   threat action has been stopped.  In other cases, however, threat
   consequences may appear longer than threat action. For example, in
   the original ARPANET link-state algorithm, some errors in a router
   might introduce three instances of an LSA, and all of them would be
   flooded throughout the network forever, until the entire network was
   power cycled [3].



























Barbir, et al.         Expires February 24, 2004               [Page 10]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


4. Generally Identifiable Routing Threats

   This section addresses generally identifiable and recognized threat
   action against routing protocols.  The threats are not necessarily
   specific to individual protocols but may be present in one or more of
   the common routing protocols in use today.

4.1 Deliberate Exposure

   Deliberate Exposure occurs when an attacker takes control of a router
   and intentionally releases routing information directly to other
   routers. In some cases, the receiving routers may not be authorized
   to access the leaked routing information. Deliberate exposure is
   always a threat action, however, the exposure of routing information
   may not be.

   The consequence of deliberate exposure is the disclosure of routing
   information.

   The threat consequence zone of deliberate exposure depends on the
   routing information that the attackers have exposed. The more
   knowledge they have exposed, the bigger the threat consequence zone.

   The threat consequence period of deliberate exposure might be longer
   than the duration of the action itself. The routing information
   exposed will not be out-dated until there is a topology change of the
   exposed network.

4.2 Sniffing

   Sniffing is an action whereby attackers monitor and/or record the
   routing exchanges between authorized routers.  Attackers can use
   subverted links  to sniff for routing information.

   The consequence of sniffing is disclosure of routing information.

   The threat consequence zone of sniffing depends on the attacker's
   location, the routing protocol type, and the routing information that
   has been recorded. For example, if the subverted link is in an OSPF
   totally stubby area, the threat consequence zone should be limited to
   the whole area.  An attacker that is sniffing a subverted link in an
   EBGP session can gain knowledge of multiple routing domains.

   The threat consequence period might be longer than the duration of
   the action. If an attacker stops sniffing a subverted link their
   acquired knowledge will not be out-dated until there is a topology
   change of the affected network.




Barbir, et al.         Expires February 24, 2004               [Page 11]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


4.3 Traffic Analysis

   Traffic analysis is action whereby attackers gain routing information
   by analyzing the characteristics of the data traffic on a subverted
   link. Traffic analysis threats can affect any data that is sent in
   the clear over a communication link. This threat is not peculiar to
   routing protocols and is included here for completeness.

   The consequence of data traffic analysis is the disclosure of routing
   information.  For example, the source and destination IP address of
   the data traffic, the type, magnitude, and volume of traffic is
   disclosed.

   The threat consequence zone of the traffic analysis depends on the
   attacker's location and  what data traffic has passed through. A
   subverted link at the network core should be able to disclose more
   information than its counterpart at the edge.

   The threat consequence period might be longer than the duration of
   the traffic analysis. After the attacker stops traffic analysis, its
   knowledge will not be out-dated until there is a topology change of
   the disclosed network.

4.4 Spoofing

   Spoofing occurs when an illegitimate device assumes the identity of a
   legitimate one. Spoofing in and of itself is often not the true
   attack. Spoofing is special in that it can be used to carry out other
   threat actions causing other threat consequences. An attacker can use
   spoofing as a means for launching other types of attacks. For
   example, if an attacker succeeds to spoof the identity of a router,
   the subverted router can act as masquerading router. In other
   situation, the spoofed router can be used to send out unrealistic
   routing information that might cause disruption of network services.

   There are a few cases where spoofing can be an attack. For example,
   if a router establishes a neighbor/peering relationship, spoofing the
   identity of a legitimate router and by that action was able to
   prevent the legitimate router from establishing a relationship; that
   would be an attack, denying service to the good router. As a second
   example, if a router is doing auditing, then the ability to spoof an
   identity of a router would be an attack, since the audit data would
   be false.

   The consequences of spoofing are:

   o  The disclosure of routing information: The spoofed router will be
      able to gain access to the routing information.



Barbir, et al.         Expires February 24, 2004               [Page 12]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


   o  The deception of peer relationship:  The authorized routers, which
      exchange routing messages with the spoofed router, do not realize
      they are neighboring with a router that is faking another router's
      identity.

   The threat consequence zone includes:

      The consequence zone of the disclosed routing information depends
      on what routing information has been exchanged between the spoofed
      router and its neighbors.

   The threat consequence zone covers:

   o  The consequence zone of the fake peer relationship will be limited
      to those routers mistrusting the attacker's identity.

   o  The consequence zone of the disclosed routing information depends
      on the attacker's location, the routing protocol type, and the
      routing information that has been exchanged between the attacker
      and its deceived neighbors.


4.5 Falsification

   Falsification is an intentional action whereby false routing
   information is sent by a subverted router. To falsify the routing
   information, an attacker has to be either the originator or a
   forwarder of the routing information. False routing information
   describes the network in an unrealistic view, whether or not intended
   by the authoritative network administrator.

   To falsify the routing information, an attacker has to be either the
   originator or a forwarder of the routing information. It cannot be a
   receiver-only.

4.5.1 Falsifications by Originators

   An originator of routing information can launch the falsifications
   that are described in the next sections.

4.5.1.1 Overclaiming

   Over-claiming occurs when a subverted router advertises its control
   of some network resources, while in reality it does not, or the
   advertisement is not authorized.  This is given in Figure 2 and
   Figure 3.





Barbir, et al.         Expires February 24, 2004               [Page 13]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


              +-------------+   +-------+   +-------+
              | Internet    |---| Rtr B |---| Rtr A |
              +------+------+   +-------+   +---+---+
                     |                          .
                     |                          |
                     |                          .
                     |                        *-+-*
                 +-------+                   /     \
                 | Rtr C |------------------*  N 1  *
                 +-------+                   \     /
                                              *---*


                        Figure 2: Overclaiming-1



        +-------------+   +-------+   +-------+
        |  Internet   |---| Rtr B |---| Rtr A |
        +------+------+   +-------+   +-------+
               |
               |
               |
               |                        *---*
           +-------+                   /     \
           | Rtr C |------------------*  N 1  *
           +-------+                   \     /
                                        *---*


                        Figure 3: Overclaiming-2

   The above figures provide examples of overclaiming. Router A, the
   attacker, is connected with the Internet through Router B. Router C
   is authorized to advertise its link to Network 1. In Figure 2, Router
   A controls a link to Network 1, but is not authorized to advertise
   it. In Figure 3, Router A does not control such a link. But in either
   case, Router A advertises the link to the Internet, through Router B.

   Compromised routers, unauthorized routers, and masquerading routers
   can overclaim network resources. The consequence of overclaiming
   includes:

   o  Usurpation of the overclaimed network resources.  In Figure 2 and
      Figure 3, it will cause a usurpation of Network 1 when Router B or
      other routers on the Internet (not shown in the figures) believe
      that Router A provides the best path to reach the Network 1. They,
      the routers, thereby forward the data traffic, destined to Network



Barbir, et al.         Expires February 24, 2004               [Page 14]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


      1, to Router A. The best result is the data traffic uses an
      unauthorized path Figure 2, and the worst case is the data never
      reach the destination Network 1 Figure 3.  The ultimate
      consequence is Router A gaining control over Network 1's services,
      by controlling the data traffic.

   o  Usurpation of the legitimate advertising routers.  In Figure 2 and
      Figure 3, Router C is the legitimate advertiser of Network 1.  By
      overclaiming, Router A also controls (partially or totally) the
      services/functions provided by the Router C.  (This is NOT a
      disruption, because Router C is operating in a way intended by the
      authoritative network administrator.)

   o  Deception of other routers. In Figure 2 and Figure 3, Router B, or
      other routers on the Internet, might be deceived to believe the
      path through Router A is the best.

   o  Disruption of data planes on some routers. This might happen on
      routers that are on the path, which is used by other routers to
      reach the overclaimed network resources through the attacker. In
      Figure 2 and Figure 3, when other routers on the Internet are
      deceived, they will forward the data traffic to Router B, which
      might be overloaded.

   The threat consequence zone varies based on the consequence:

   o  Where usurpation is concerned, the consequence zone covers the
      network resources that are overclaimed by the attacker (Network 1
      in Figure 2 and 3), and the routers that are authorized to
      advertise the network resources but lose the competition against
      the attacker(Router C in Figure 2 and Figure 3).

   o  Where deception is concerned, the consequence zone covers the
      routers that do not believe the attacker's advertisement and use
      the attacker to reach the claimed subnets (Router B and other
      deceived routers on the Internet in Figure 2 and Figure 3).

   o  Where disruption is concerned, the consequence zone includes the
      routers that are on the path of misdirected data traffic (Router B
      in Figure 2 and Figure 3).

   The threat consequence will cease when the attacker stops
   overclaiming, and will totally disappear when the routing tables are
   converged.  As a result the consequence period is longer than the
   duration of the overclaiming.

4.5.1.2 Misclaiming




Barbir, et al.         Expires February 24, 2004               [Page 15]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


   A Misclaiming threat is defined as an attacker action advertising its
   authorized control of some network resources in a way that is not
   intended by the authoritative network administrator. An attacker can
   eulogize or disparage when advertising these network resources.
   Subverted routers, unauthorized routers, and masquerading routers can
   misclaim network resources.

   The threat consequences of Misclaiming are similar to the
   consequences of overclaimin. Eulogizing the network resources might
   cause the same consequences made by overclaiming.

   The consequence zone and period are also similar to those of
   overclaiming.

4.5.2 Falsifications by Forwarders

   When a legitimate router forwards routing information, it must or
   must not modify the routing information, depending on the routing
   information and the routing protocol type. For example, in RIP, the
   forwarder must modify the routing information by increasing the hop
   count by 1. On the other hand, the forwarder must not modify the type
   1 LSA in OSPF. In general, forwarders in distance vector routing
   protocols are authorized to and must modify the routing information,
   while most forwarders in link state routing protocols are not
   authorized to and must not modify most routing information.

   As a forwarder authorized to modify routing message, an attacker does
   not forward necessary routing information to other authorized
   routers. Unauthorized aggregation (summarization) is special type of
   understatements.


4.5.2.1 Misstatement

   This is defined as an action whereby the attacker describes route
   attributes in a wrong way. For example, in RIP, the attacker
   increases the path cost by two hops instead of one. Another example
   is, in BGP, the attacker deletes some AS numbers from the AS PATH.

   When forwarding routing information that should not be modified, an
   attacker can launch the following falsifications:

   o  Deletion: Attacker deletes valid data in the routing message.

   o  Insertion: Attacker inserts false data in the routing message.

   o  Substitution: Attacker replaces valid data in the routing message
      with false data.



Barbir, et al.         Expires February 24, 2004               [Page 16]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


   o  Replaying: Attacker replays out-dated data in the routing message.

   All types of attackers (Compromised links, compromised routers,
   unauthorized routers, and masquerading routers) can falsify the
   routing information when they forward the routing messages.

   The threat consequences of these falsifications by forwarders are
   similar to those caused by originators: Usurpation of some network
   resources and related routers; deception of routers using false
   paths; and disruption of data planes of routers on the false paths.
   The threat consequence area and period are also similar.


4.6 Interference

   Interference is a threat action where an attackers uses a subverted
   link or router to inhibit the exchanges by legitimate routers. The
   attacker can do this by adding noise, or by not forwarding packets,
   or by replaying out-dated packets, or by delaying responses, or by
   denial of receipts, and breaking synchronization.

   Subverted, unauthorized and masquerading routers can slowdown their
   routing exchanges or create flapping routing sessions of legitimate
   neighboring routers.

   The consequence of interference is the disruption of routing
   operations.

   The consequence zone of interference varies based on the source of
   the threats:

   o  When a subverted link is used to launch the action, the threat
      consequence zone covers routers that are using the link to
      exchange the routing information.

   o  When subverted routers, unauthorized routers, or masquerading
      routers are the attackers, the threat consequence zone covers
      routers with which the attackers are exchanging routing
      information.

   o  The threat consequences might disappear as soon as the
      interference is stopped, or might not totally disappear until the
      networks have converged.  Therefore, the consequence period is
      equal or longer than the duration of the interference.







Barbir, et al.         Expires February 24, 2004               [Page 17]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


4.7 Overload

   Overload is defined as a threat action whereby attackers place excess
   burden on legitimate routers.  Attackers can overload the data plane
   or control plane. Because data plane is involved in routing
   exchanges, overload of data plane will also influence the routing
   operations.

   This section combines overload of the control plane and the data
   plane (i.e., the routing protocol messages and the data traffic, not
   the control and data plane of the routing protocol itself as
   discussed in section 2.1).  The routing protocol design might have a
   chance to limit control plane traffic. However, the routing protocol
   cannot limit the data traffic.  Thus, an attacker can effect the
   behavior of the entire routing system. Examples include the ability
   of an attacker  to break the transport protocol connection (e.g., TCP
   RST).

4.8 Byzantine Failures

   Within this work, Byzantine failure is an event resulting from a
   legitimate router or several legitimate routers running as subverted
   devices. Whether the subvertion results from an accidental behavior
   or from a malign attack may be considered for providing solutions in
   some cases (currently, the accidental origin of the threat is much
   more probable than the malign origin), yet in both cases it is
   assumed that the misbehaving routers are still considered as
   authenticated devices (according to the situation; therefore,
   misbehavior of insider(s) in a protocol is often regarded as a
   Byzantine failure). This is opposed to the fail-stop model, in which
   a system halt on the occurrence of a failure.

   The Byzantine failure event may involve many combinations of threat
   actions, threat consequences, threat zone and threat periods possibly
   resulting from subverted devices.

   The Byzantine failure is specific in the sense that it is the
   distributed nature of the threat that is under consideration.
   Because Byzantine devices are, at least at the beginning of the
   problem, undetectable, only source and destination devices are to be
   trusted (though they may also be subverted). Because this threat
   results from a combination of incorrect behaviors, it may be
   difficult to tell apart which devices are subverted, or even to state
   that the system is under the occurrence of such a failure.

   [Byzantine failure is often a threat to a distributed algorithm
   termination, to the agreement of non-subverted nodes, and to the
   validity of the conclusion agreed upon; here, ] Destination



Barbir, et al.         Expires February 24, 2004               [Page 18]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


   reachability and integrity of the information transmitted are the
   main system features jeopardized by the failure, according to the
   source and destination point of view. Route attributes (cost, hops,
   confidentiality...) may also be affected and result in a degradation
   of the service provided by the forwarding function.














































Barbir, et al.         Expires February 24, 2004               [Page 19]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


5. Security Considerations

   This entire informational draft RFC is security related. Specifically
   it addresses security of routing protocols as associated with threats
   to those protocols.   In a larger context, this work builds upon the
   recognition of the IETF community that signaling and control/
   management planes of networked devices need strengthening.  Routing
   protocols can be considered part of that signaling and control plane.
   However, to date, routing protocols have largely remained unprotected
   and open to malicious attacks.  This document discusses inter and
   intra domain routing protocol threats as we know them today and lays
   the foundation for a future draft which fully discusses security
   requirements for routing protocols.






































Barbir, et al.         Expires February 24, 2004               [Page 20]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


Normative References

   [1]   Shirey, R, "Internet Security Glossary", RFC 2828 , May 2000.

   [2]   Smith, R et al., "Securing Distance-Vector Routing Protocols",
         Symposium on Network and  Distributed System Security ,
         February 1997.

   [3]   Rosen, E., "Vulnerabilities of Network Control Protocols: An
         Example, Computer Communication Review",  , July 1981.

   [4]   Perlman, R, "Network Layer Protocols with Byzantine
         Robustness",  , August 1988 .

   [5]   Murphy, S et al., "OSPF with Digital Signatures", RFC 2154 ,
         June  1997.

   [6]   Moy, J, "OSPF Version 2", RFC 2328 , April   1998.

   [7]   Mittal, V et al., "Sensor-Based Intrusion Detection for
         Intra-Domain istance-Vector Routing", Proceedings of the ACM
         Conference  on Computer and Communication Security (CCS'02),
         Washington, DC , November  2002.

   [8]   Cheung, S.  et. al., "Protecting Routing Infrastructures from
         Denial of Service using co-operative intrusion detection", In
         Proceedings  of the 1995 IEEE Symposium on Security and Privacy
         , May 1995.

   [9]   Bradley, K.  et. al., "A distributed Network Monitoring
         approach", Published , November 2001.

   [10]  Shen, N.  et. al., "Dynamic Hostname Exchange Mechanism for
         IS-IS", RFC 2763 , February  2000.

   [11]  Malkin, G., "RIP Version 2 Protocol Analysis", RFC 1721
         , November  1994.














Barbir, et al.         Expires February 24, 2004               [Page 21]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


Informative References

   [12]  Vetter, W. et al., "Experimental Study of  Insider Attacks in a
         Link State Routing Protocol", 5th IEEE  International
         Conference on Network Protocols, Atlanta, GA , 1997.

   [13]  "Internet Group Management Protocol", RFC 3376 , October  2002.

   [14]  Estrin, D. et al., "Independent Multicast-Sparse Mode (PIM-SM):
         Protocol pecification", RFC 2362 , June  1998 .

   [15]  Ballardie, A. et al., "Multicast-Specific Security Threats and
         Counter-Measures", "Symposium on network and    Distributed
         System Security" , February  1995.

   [16]  Smith, A.  et al., "Securing the Border Gateway Routing
         Protocol", Proc. Global Internet'96 , November  1996.

   [17]  Kent, S. et al., "Secure Border Gateway Protocol
         (Secure-BGP)", IEEE Journal on Selected Areas in Communications
         , April 2000.


Authors' Addresses

   Abbie Barbir (Editor)
   Nortel Networks
   3500 Carling Avenue
   Nepean, Ontario  K2H 8E9
   Canada

   Phone:
   EMail: abbieb@nortelnetworks.com


   Sandy Murphy
   Network Associates, Inc
   3060 Washington Rd.
   Glenwood, MD  21738
   USA

   Phone: 443-259-2303
   EMail: sandy@tislabs.com








Barbir, et al.         Expires February 24, 2004               [Page 22]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


   Yi Yang
   Cisco Systems
   7025 Kit Creek Road
   RTP, NC  27709
   Canada

   Phone:
   EMail: yiya@cisco.com











































Barbir, et al.         Expires February 24, 2004               [Page 23]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


Appendix A. Acknowledgements

   This draft would not have been possible save for the excellent
   efforts and team work characteristics of those listed here.

   o  Dennis Beard- Nortel Networks

   o  Ayman Musharbash - Nortel Networks

   o  Jean-Jacques Puig, int-evry, France

   o  Paul Knight - Nortel Networks

   o  Elwyn Davies - Nortel Networks

   o  Ameya Dilip Pandit - Graduate student - University of Missouri

   o  Senthilkumar Ayyasamy - Graduate student - University of Missouri

































Barbir, et al.         Expires February 24, 2004               [Page 24]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


Appendix B. Acronyms

   AODV - Ad-hoc On-demand Distance Vector routing protocol

   AS - Autonomous system. Set of routers under a single technical
   administration. Each AS      normally uses a single interior gateway
   protocol (IGP) and metrics to propagate routing information within
   the set of routers. Also called routing domain.

   AS-Path - In BGP, the route to a destination. The path consists of
   the AS numbers of all routers a packet must go through to reach a
   destination.

   BGP - Border Gateway Protocol. Exterior gateway protocol used to
   exchange routing information among routers in different autonomous
   systems.

   eBGP - External BGP. BGP configuration in which sessions are
   established between routers in different ASs.

   iBGP - Internal BGP. BGP configuration in which sessions are
   established between routers in the same ASs.

   LSRP - Link-State Routing Protocol

   LSA - Link-State Announcement

   M-OSPF - Multicast Open Shortest Path First

   NLRI - Network layer reachability information. Information that is
   carried in BGP packets and is used by MBGP.

   OSPF - Open Shortest Path First. A link-state IGP that makes routing
   decisions based on the shortest-path-first (SPF) algorithm (also
   referred to as the Dijkstra algorithm).
















Barbir, et al.         Expires February 24, 2004               [Page 25]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11. Copies of
   claims of rights made available for publication and any assurances of
   licenses to be made available, or the result of an attempt made to
   obtain a general license or permission for the use of such
   proprietary rights by implementors or users of this specification can
   be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.


Full Copyright Statement

   Copyright (C) The Internet Society (2003). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assignees.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION



Barbir, et al.         Expires February 24, 2004               [Page 26]


Internet-Draft    Generic Threats to Routing Protocols       August 2003


   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.











































Barbir, et al.         Expires February 24, 2004               [Page 27]


Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/