draft-ietf-opsec-current-practices-07.txt   rfc4778.txt

Network Working Group                                            M. Kaeo
Request for Comments: 4778                    Double Shot Security, Inc.
Category: Informational                                     January 2007
(Internet-Draft draft-ietf-opsec-current-practices-07, August 29, 2006)

Current Operational Security Practices in
Internet Service Provider Environments

Status of This Memo

This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.

Copyright Notice

Copyright (C) The IETF Trust (2007).
Abstract

This document is a survey of the current practices used in today's
large ISP operational networks to secure layer 2 and layer 3
infrastructure devices. The information listed here is the result of
information gathered from people directly responsible for defining
and implementing secure infrastructures in Internet Service Provider
environments.
Table of Contents

   1. Introduction
      1.1. Scope
      1.2. Threat Model
      1.3. Attack Sources
      1.4. Operational Security Impact from Threats
      1.5. Document Layout
   2. Protected Operational Functions
      2.1. Device Physical Access
      2.2. Device Management - In-Band and Out-of-Band (OOB)
      2.3. Data Path
      2.4. Routing Control Plane
      2.5. Software Upgrades and Configuration Integrity/Validation
      2.6. Logging Considerations
      2.7. Filtering Considerations
      2.8. Denial-of-Service Tracking/Tracing
   3. Security Considerations
   4. Acknowledgments
   5. References
      5.1. Normative References
      5.2. Informational References
   Appendix A. Protocol Specific Attacks
      A.1. Layer 2 Attacks
      A.2. IPv4 Protocol-Based Attacks
      A.3. IPv6 Attacks
1. Introduction

Security practices are well understood by the network operators who
have, for many years, gone through the growing pains of securing
their network infrastructures. However, there does not exist a
written document that enumerates these security practices. Network
attacks are continually increasing and although it is not necessarily
the role of an ISP to act as the Internet police, each ISP has to
ensure that certain security practices are followed to ensure that
their network is operationally available for their customers. This
document is the result of a survey conducted to find out what current
security practices are being deployed to secure network
infrastructures.
1.1. Scope

The scope for this survey is restricted to security practices that
mitigate exposure to risks with the potential to adversely impact
network availability and reliability. Securing the actual data
traffic is outside the scope of the conducted survey. This document

[...]

for layer 2 and layer 3 network infrastructure devices. Although
primarily focused on IPv4, many of the same practices can (and
should) apply to IPv6 networks. Both IPv4 and IPv6 network
infrastructures are taken into account in this survey.
1.2. Threat Model

A threat is a potential for a security violation, which exists when
there is a circumstance, capability, action, or event that could
breach security and cause harm [RFC2828]. Every operational network
is subject to a multitude of threat actions, or attacks, i.e., an
assault on system security that derives from an intelligent act that
is a deliberate attempt to evade security services, and violate the
security policy of a system [RFC2828]. Many of the threats to a
network infrastructure occur from an instantiation (or combination)
of the following:

Reconnaissance: An attack whereby information is gathered to
ascertain the network topology or specific device information, which
can be further used to exploit known vulnerabilities.

Man-In-The-Middle: An attack where a malicious user impersonates
either the sender or recipient of a communication stream while
inserting, modifying, or dropping certain traffic. This type of
attack also covers phishing and session hijacks.

Protocol Vulnerability Exploitation: An attack that takes advantage
of known protocol vulnerabilities due to design or implementation
flaws to cause inappropriate behavior.

Message Insertion: This can be a valid message (it could be a replay
attack, which is a scenario where a message is captured and resent at
a later time). A message can also be inserted with any of the fields
in the message being spoofed, such as IP addresses, port numbers,
header fields, or even packet content. Flooding is also part of this
threat instantiation.

Message Diversion/Deletion: An attack where legitimate messages are
removed before they can reach the desired recipient, or are
re-directed to a network segment that is normally not part of the
data path.

Message Modification: This is a subset of a message insertion attack
where a previous message has been captured and modified before being
retransmitted. The message can be captured using a man-in-the-middle
attack or message diversion.

Note that sometimes denial-of-service attacks are listed as separate
categories. A denial of service is a consequence of an attack and
can be the result of too much traffic (i.e., flooding), protocol
exploitation, or inserting/deleting/diverting/modifying messages.
1.3. Attack Sources

These attacks can be sourced in a variety of ways:

Active vs Passive Attacks

   An active attack involves writing data to the network. It is
   common practice in active attacks to disguise one's address and
   conceal the identity of the traffic sender. A passive attack
   involves only reading information off the network. This is
   possible if the attacker has control of a host in the
   communications path between two victim machines, or has
   compromised the routing infrastructure to specifically arrange
   that traffic pass through a compromised machine. There are also
   situations where mirrored traffic (often used for debugging,
   performance monitoring, or accounting purposes) is diverted to a
   compromised machine, which would not necessarily subvert any
   existing topology, and could be harder to detect. In general, the
   goal of a passive attack is to obtain information that the sender
   and receiver would prefer to remain private [RFC3552].

On-path vs Off-path Attacks

   In order for a datagram to be transmitted from one host to
   another, it generally must traverse some set of intermediate links
   and routers. Such routers are naturally able to read, modify, or
   remove any datagram transmitted along that path. This makes it
   much easier to mount a wide variety of attacks if you are on-path.
   Off-path hosts can transmit arbitrary datagrams that appear to
   come from any host but cannot necessarily receive datagrams
   intended for other hosts. Thus, if an attack depends on being
   able to receive data, off-path hosts must first subvert the
   topology in order to place themselves on-path. This is by no
   means impossible, but is not necessarily trivial [RFC3552]. A
   more subtle attack is one where the traffic-mirroring capability
   of a device is hijacked and the traffic is diverted to a
   compromised host, since the network topology may not need to be
   subverted.

Insider vs Outsider Attacks

   An "insider attack" is initiated from inside a given security
   perimeter by an entity that is authorized to access system
   resources, but uses them in a way not approved by those who
   granted the authorization. An "outside attack" is initiated from
   outside the perimeter by an unauthorized or illegitimate user of
   the system.

Deliberate Attacks vs Unintentional Events

   A deliberate attack is where a miscreant intentionally performs an
   assault on system security. However, there are also instances
   where unintentional events cause the same harm, yet are performed
   without malicious intent. Configuration errors and software bugs
   can be as devastating to network availability as any deliberate
   attack on the network infrastructure.

The attack source can be a combination of any of the above, all of
which need to be considered when trying to ascertain the impact any
attack can have on the availability and reliability of the network.
It is nearly impossible to stop insider attacks or unintentional
events. However, if appropriate monitoring mechanisms are in place,
these attacks can also be detected and mitigated as with any other
attack source. The amount of effort it takes to identify and trace
an attack is, of course, dependent on the resourcefulness of the
attacker. Any of the specific attacks discussed further in this
document will elaborate on malicious behavior that is sourced by an
"outsider" and is a deliberate attack. Some further elaboration will
be given to the feasibility of passive vs active and on-path vs
off-path attacks to show the motivation behind deploying certain
security features.
1.4. Operational Security Impact from Threats

The main concern for any of the potential attack scenarios is the
impact and harm it can cause to the network infrastructure. The
threat consequences are the security violations that result from a
threat action, i.e., an attack. These are typically classified as
follows:

(Unauthorized) Disclosure

   A circumstance or event whereby an entity gains access to data for
   which the entity is not authorized.

Deception

   A circumstance or event that may result in an authorized entity

[...]

   or functions by an unauthorized entity. Most network
   infrastructure systems are only intended to be completely
   accessible to certain authorized individuals. Should an
   unauthorized person gain access to critical layer 2 / layer 3
   infrastructure devices or services, they could cause great harm to
   the reliability and availability of the network.

A complete description of threat actions that can cause these threat
consequences can be found in [RFC2828]. Typically, a number of
different network attacks are used in combination to cause one or
more of the above-mentioned threat consequences. An example would be
a malicious user who has the capability to eavesdrop on traffic.
First, he may listen in on traffic for a while, doing reconnaissance
work and ascertaining which IP addresses belong to specific devices,
such as routers. Were this miscreant to obtain information, such as
a router password sent in cleartext, he can then proceed to
compromise the actual router. From there, the miscreant can launch
various active attacks, such as sending bogus routing updates to
redirect traffic or capture additional traffic to compromise other
network devices. While this document enumerates which
countermeasures ISPs are deploying today, a useful generic analysis
of actual backbone infrastructure attacks and the appropriate
countermeasures can be found in [RTGWG].
1.5. Document Layout

This document is a survey of current operational practices that
mitigate the risk of being susceptible to any threat actions. As
such, the main focus is on the currently deployed security practices
used to detect and/or mitigate attacks. The top-level categories in
this document are based on operational functions for ISPs and
generally relate to what is to be protected. This is followed by a
description of which attacks are possible and the security practices
currently deployed. This will provide the necessary security
services to help mitigate these attacks. These security services are
classified as follows:

   o User Authentication
   o User Authorization
   o Data Origin Authentication
   o Access Control
   o Data Integrity
   o Data Confidentiality
   o Auditing / Logging
   o DoS Mitigation

In many instances, a specific protocol currently deployed will offer
a combination of these services. For example, Authentication,
Authorization, and Accounting (AAA) can offer user authentication,
user authorization, and audit/logging services, while the Secure
SHell (SSH) Protocol can provide data origin authentication, data
integrity, and data confidentiality. The services offered are more
important than the actual protocol used. Note that access control
will refer basically to logical access control, i.e., filtering.
Each section ends with an additional considerations section that
explains why specific protocols may or may not be used, and also
gives some information regarding capabilities that are not possible
today due to bugs or lack of usability.
2. Protected Operational Functions

2.1. Device Physical Access

Device physical access pertains to protecting the physical location
and access of the layer 2 or layer 3 network infrastructure device.
Physical security is a large field of study/practice in and of
itself, arguably the largest, oldest, and most well-understood area
of security. Although it is important to have contingency plans for
natural disasters, such as earthquakes and floods, which can cause
damage to networking devices, this is out of the scope of this
document. Here, we concern ourselves with protecting access to the
physical location and how a device can be further protected from
unauthorized access if the physical location has been compromised,
i.e., protecting the console access. This is aimed largely at
stopping an intruder with physical access from gaining operational
control of the device(s). Note that nothing will stop an attacker
with physical access from effecting a denial-of-service attack, which
can be easily accomplished by powering off the device or just
unplugging some cables.
2.1.1. Threats / Attacks

If any intruder gets physical access to a layer 2 or layer 3 device,
the entire network infrastructure can be under the control of the
intruder. At a minimum, the intruder can take the compromised device
out of service, causing network disruption, the extent of which
depends on the network topology. A worse scenario is where the
intruder uses this device to crack the console password and gain
complete control of the device, perhaps without anyone detecting such
a compromise, or attaches another network device onto a port and
siphons off data with which the intruder can ascertain the network
topology and take control of the entire network.

The threat of gaining physical access can be realized in a variety of
ways, even if critical devices are under high security. Cases still
occur where attackers have impersonated maintenance workers to gain
physical access to critical devices, causing major outages and
privacy compromises. Insider attacks from authorized personnel also
pose a real threat and must be adequately recognized and addressed.
2.1.2. Security Practices

For physical device security, equipment is kept in highly restrictive
environments. Only authorized users with card-key badges have access
to any of the physical locations that contain critical network
infrastructure devices. These card-key systems keep track of who
accessed which location and at what time. Most card-key systems have
a fail-back "master key" in case the card system is down. This
"master key" usually has limited access and its use is also carefully
logged (which should only happen if the card-key system is NOT
online/functional).

All console access is always password protected, and the login is set
to time out after a specified amount of inactivity, typically between
3 and 10 minutes. The type of privileges obtained from a console
login varies between vendors' devices. In some cases, the login gives
initial basic access, and a second authentication step is needed to
get more privileged access (i.e., enable or root). On other vendors'
devices, the more privileged access is granted on logging into the
console as root, without requiring a second authentication step.

How ISPs manage these logins varies greatly, although many of the
larger ISPs employ some sort of AAA mechanism to help automate
privilege-level authorization and utilize the automation to bypass
the need for a second authentication step. Also, many ISPs define
separate classes of users to have different privileges while logged
onto the console. Typically, all console access is provided via an
out-of-band (OOB) management infrastructure, which is discussed in
Section 2.2 of this document.

2.1.3. Security Services

The following security services are offered through the use of the
practices described in the previous section:

o User Authentication - All individuals who have access to the
  physical facility are authenticated. Console access is
  authenticated.

o User Authorization - An authenticated individual has implicit
  authorization to perform commands on the device. In some cases,
  multiple authentication is required to differentiate between basic
  and more privileged access.

o Data Origin Authentication - Not applicable.

o Access Control - Not applicable.

o Data Integrity - Not applicable.

o Data Confidentiality - Not applicable.

o Auditing / Logging - All access to the physical locations of the
  infrastructure equipment is logged via electronic card-key
  systems. All console access is logged (refer to Section 2.2 of
  this document for more details).

o DoS Mitigation - Not applicable.

2.1.4. Additional Considerations

Physical security is relevant to operational security practices as
described in this document, mostly from a console-access perspective.
Most ISPs provide console access via an OOB management
infrastructure, which is discussed in Section 2.2 of this document.

The physical and logical authentication and logging systems should be
run independently of each other and should reside in different
physical locations. These systems need to be secured to ensure that
they themselves will not be compromised, which could give the
intruder valuable authentication and logging information.

Social engineering plays a big role in many physical access
compromises. Most ISPs have set up training classes and awareness
programs to educate company personnel to deny physical access to
people who are not properly authenticated or authorized to have
physical access to critical infrastructure devices.

2.2. Device Management - In-Band and Out-of-Band (OOB)

In-band management is generally considered to be device access where
the control traffic takes the same data path as the data that
traverses the network. Out-of-band management is generally
considered to be device access where the control traffic takes a
separate path from the data that traverses the network. In many
environments, device management for layer 2 and layer 3
infrastructure devices is deployed as part of an out-of-band
management infrastructure, although there are some instances where it
is deployed in-band as well. Note that while many of the security
concerns and practices are the same for OOB management and in-band
management, most ISPs prefer an OOB management system, since access
to the devices that make up this management network is more
vigilantly protected and considered to be less susceptible to
malicious activity.

Console access is always architected via an OOB network. Presently,
the mechanisms used for either in-band management or OOB are via
virtual terminal access (i.e., Telnet or SSH), Simple Network
Management Protocol (SNMP), or HTTP. In all large ISPs that were
interviewed, HTTP management was never used and was explicitly
disabled. Note that file transfer protocols (TFTP, FTP, and SCP)
will be covered in Section 2.5 of this document.

2.2.1. Threats / Attacks

For device management, passive attacks are possible if someone has
the capability to intercept data between the management device and
the managed device. The threat is possible if a single
infrastructure device is somehow compromised and can act as a network
sniffer, or if it is possible to insert a new device that acts as a
network sniffer.

Active attacks are possible for both on-path and off-path scenarios.
For on-path active attacks, the situation is the same as for a
passive attack, where either a device has to already be compromised
or a device can be inserted into the path. For off-path active
attacks, where a topology subversion is required to reroute traffic
and essentially bring the attacker on-path, the attack is generally
limited to message insertion or modification.

2.2.1.1. Confidentiality Violations

Confidentiality violations can occur when a miscreant intercepts any
management data that has been sent in cleartext or with weak
encryption. This includes interception of usernames and passwords
with which an intruder can obtain unauthorized access to network
devices. It can also include other information, such as logging or
configuration information, if an administrator is remotely viewing
local logfiles or configuration information.

2.2.1.2. Offline Cryptographic Attacks

If username/password information was encrypted but the cryptographic
mechanism used made it easy to capture data and break the encryption
key, the device management traffic could be compromised. The traffic
would need to be captured either by eavesdropping on the network or
by being able to divert traffic to a malicious user.

2.2.1.3. Replay Attacks

For a replay attack to be successful, the management traffic would
need to first be captured either on-path or diverted to an attacker
to later be replayed to the intended recipient.

2.2.1.4. Message Insertion/Deletion/Modification

Data can be manipulated by someone in control of intermediary hosts.
Forging data is also possible with IP spoofing, where a remote host
sends out packets that appear to come from another, trusted host.

2.2.1.5. Man-In-The-Middle

A man-in-the-middle attack targets the identity of a communicating
peer rather than the data stream itself. The attacker intercepts
traffic that is sent from a management system to the networking
infrastructure device and traffic that is sent from the network
infrastructure device to the management system.

2.2.2. Security Practices

OOB management is done via a terminal server at each location. SSH
access is used to get to the terminal server, from where sessions to
the devices are initiated. Dial-in access is deployed as a backup if
the network is not available. However, it is common to use
dial-back, encrypting modems, and/or one-time-password (OTP) modems
to avoid the security weaknesses of plain dial-in access.

All in-band management and OOB management access to layer 2 and layer
3 devices is authenticated. The user authentication and
authorization is typically controlled by an AAA server (i.e., Remote
Authentication Dial-In User Service (RADIUS) and/or Terminal Access
Controller Access-Control System (TACACS+)). Credentials used to
determine the identity of the user vary from static username/password
to one-time username/password schemes such as SecurID. Static
username/passwords are expired after a specified period of time,
usually 30 days. Every entity authenticated via AAA is an individual
user, for greater granularity of control. Note that often the AAA
server used for OOB management authentication is a separate physical
device from the AAA server used for in-band management user
authentication. In some deployments, the AAA servers used for device
management authentication/authorization/accounting are on separate
networks to provide a demarcation from any other authentication
functions.

For backup purposes, there is often a single local database entry for
authentication that is known to a very limited set of key personnel.
It is usually the highest privilege-level username/password
combination, which in most cases is the same across all devices.
This local device password is routinely regenerated once every 2-3
months, and is also regenerated immediately after an employee who had
access to that password leaves the company or is no longer authorized
to have knowledge of that password.

Each individual user in the AAA database is configured with specific
authorization capability. Specific commands are either individually
denied or permitted, depending on the capability of the device to be
accessed. Multiple privilege levels are deployed. Most individuals
are authorized with basic authorization to perform a minimal set of
commands, while a subset of individuals are authorized to perform
more privileged commands. Securing the AAA server is imperative, and
access to the AAA server itself is strictly controlled. When an
individual leaves the company, his/her AAA account is immediately
deleted and the TACACS/RADIUS shared secret is reset for all devices.

Some management functions are performed using command line interface
(CLI) scripting. In these scenarios, a dedicated user is used for
the identity in scripts that perform CLI scripting. Once
authenticated, these scripts control which commands are legitimate,
depending on authorization rights of the authenticated individual.
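The per-user command authorization described in the two paragraphs above (explicit per-command permits and denies, multiple privilege levels, a dedicated identity for CLI scripts, and immediate account deletion on departure) can be modelled as follows. This is an added illustration, not code from the ISPs surveyed or from any AAA product; the user names, commands and privilege levels are constructed.

```python
"""Model of AAA command authorization: each user has a privilege level plus
explicit per-command permit/deny patterns; a dedicated script identity is
limited to the commands its scripts need.  Constructed example, not code
from any AAA server; names, commands and levels are assumptions."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

BASIC, PRIVILEGED = 1, 15          # constructed privilege levels

# Minimal command set that any authenticated BASIC user may run.
BASIC_COMMANDS = ("show version", "show interfaces*", "ping *", "exit")


@dataclass(frozen=True)
class AAAUser:
    name: str
    level: int
    permit: tuple = ()    # explicit per-command permits (glob patterns)
    deny: tuple = ()      # explicit per-command denies; checked first


class CommandAuthorizer:
    """Decides whether an authenticated user may run a given command."""

    def __init__(self, users):
        self.users = {u.name: u for u in users}

    def authorize(self, username, command):
        """Return (allowed, reason).  Unknown users fail closed."""
        user = self.users.get(username)
        if user is None:
            return False, "unknown user"
        # Explicit denies override everything, even a privileged level.
        if any(fnmatchcase(command, p) for p in user.deny):
            return False, "explicitly denied"
        if any(fnmatchcase(command, p) for p in user.permit):
            return True, "explicitly permitted"
        if user.level >= PRIVILEGED:
            return True, "privileged level"
        if any(fnmatchcase(command, p) for p in BASIC_COMMANDS):
            return True, "basic command"
        return False, "not authorized at this level"

    def offboard(self, username):
        """Delete the account; later requests for it fail closed.  (The
        shared-secret reset the text mentions happens on the devices and
        is outside this model.)"""
        self.users.pop(username, None)


def build_demo_authorizer():
    """Constructed user base illustrating the classes of users in the text."""
    return CommandAuthorizer([
        # Privileged operator, but 'reload' is still explicitly denied.
        AAAUser("alice", PRIVILEGED, deny=("reload",)),
        # Basic user with one extra permitted command.
        AAAUser("bob", BASIC, permit=("clear counters*",)),
        # Dedicated identity for a config-push script: only what it needs.
        AAAUser("cli-script", BASIC,
                permit=("configure terminal", "snmp-server community *"),
                deny=("reload", "write erase")),
    ])


if __name__ == "__main__":
    auth = build_demo_authorizer()
    for who, cmd in [("alice", "reload"), ("bob", "configure terminal"),
                     ("cli-script", "snmp-server community s3cr3t RO")]:
        print(who, repr(cmd), auth.authorize(who, cmd))
```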

SSH is always used for virtual terminal access to provide for an
encrypted communication channel. There are exceptions due to
equipment limitations, which are described in the additional
considerations section.

If SNMP is used for management, it is for read queries only and
restricted to specific hosts. If possible, the view is also
restricted to only send the information that the management station
needs, rather than expose the entire configuration file with the
read-only SNMP community. The community strings are carefully chosen
to be difficult to crack, and there are procedures in place to change
these community strings every 30-90 days. If systems support two
SNMP community strings, the old string is replaced by first
configuring a second, newer community string and then migrating over
from the currently used string to the newer one. Most large ISPs
have multiple SNMP systems accessing their routers, so it takes more
than one maintenance period to get all the strings fixed in all the
right systems. SNMP RW is not used and is disabled by configuration.
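The two-string rotation just described, as an added illustration (not the surveyed ISPs' or any vendor's code): the device keeps both strings valid while each polling station is moved over, and the old string is retired only after every registered station has confirmed, which is what lets the change span more than one maintenance period. Station names and day counts are constructed.

```python
"""Two-string SNMP community rotation modelled on the procedure in the
text: a newer read-only string is staged alongside the old one, each
management station confirms it has migrated, and only then is the old
string retired.  Constructed example, not vendor or ISP code; station
names and day counts are assumptions."""
import secrets

# The text gives a 30-90 day rotation window; the upper bound is used here.
ROTATION_INTERVAL_DAYS = 90


def new_community_string(nbytes=24):
    """Hard-to-guess community string drawn from the OS CSPRNG."""
    return secrets.token_urlsafe(nbytes)


class SnmpCommunityRotation:
    """Read-only community strings a device accepts, and their rotation state.
    Days are counted as plain integers to keep the model small."""

    def __init__(self, current, pollers, configured_day):
        self.active = [current]        # at most two strings during a migration
        self.pollers = set(pollers)    # management stations polling this device
        self.migrated = set()          # stations confirmed on the newer string
        self.pending = None            # the newer string while migrating
        self.configured_day = configured_day

    def rotation_due(self, today):
        return today - self.configured_day >= ROTATION_INTERVAL_DAYS

    def stage(self, new_string):
        """Configure the second, newer string; both are valid meanwhile."""
        if self.pending is not None:
            raise RuntimeError("a rotation is already in progress")
        if new_string in self.active:
            raise ValueError("the new string must differ from the old one")
        self.pending = new_string
        self.active.append(new_string)

    def confirm_migration(self, poller):
        if poller not in self.pollers:
            raise KeyError(f"unknown management station: {poller}")
        self.migrated.add(poller)

    def retire_old(self, today):
        """Drop the old string only once every poller has moved over.
        Returns (done, stations_still_on_old_string)."""
        if self.pending is None:
            return False, []
        missing = sorted(self.pollers - self.migrated)
        if missing:
            return False, missing      # another maintenance period is needed
        self.active = [self.pending]
        self.pending = None
        self.migrated = set()
        self.configured_day = today
        return True, []

    def accepts(self, community, write=False):
        """RW is disabled by policy; RO succeeds only with a live string."""
        if write:
            return False
        return community in self.active


if __name__ == "__main__":
    dev = SnmpCommunityRotation("old-ro", ["nms-a", "nms-b"], configured_day=0)
    if dev.rotation_due(today=90):
        dev.stage(new_community_string())
        dev.confirm_migration("nms-a")
        print(dev.retire_old(today=91))   # nms-b still on the old string
```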

Access control is strictly enforced for infrastructure devices by
using stringent filtering rules. A limited set of IP addresses is
allowed to initiate connections to the infrastructure devices, and
those addresses are limited to the specific services they need (i.e.,
SSH and SNMP).

All device management access is audited, and any violations trigger
alarms that initiate automated email, pager, and/or telephone
notifications. AAA servers keep track of the authenticated entity as
well as all the commands that were carried out on a specific device.
Additionally, the device itself logs any access control violations
(i.e., if an SSH request comes in from an IP address that is not
explicitly permitted, that event is logged so that the offending IP
address can be tracked down and investigations made as to why it was
trying to access a particular infrastructure device).
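The access-control auditing just described, as an added example (not code from this document or from any vendor): constructed device log lines are checked against an assumed management allow-list, every filter denial raises an alarm and counts against the offending address, and a successful login from outside the allow-list is flagged as a filter that is missing or wrong. The log format, addresses and host names are assumptions.

```python
"""Audit of device management access: SSH attempts are checked against
the allow-list of management addresses, access control violations raise
alarms, and offending addresses are counted for follow-up.  Constructed
example: the log line shape, addresses and host names are assumptions,
not a real vendor's syslog format."""
import ipaddress
import re
from collections import Counter

# Constructed management allow-list (the "limited set of IP addresses").
MGMT_ALLOWED = [ipaddress.ip_network(n) for n in
                ("198.51.100.0/28", "192.0.2.64/29")]

# Constructed log line shape: "<ts> <device> <event>: [user <u>] from <src> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<event>ssh-acl-deny|ssh-login): "
    r"(?:user (?P<user>\S+) )?from (?P<src>\d+\.\d+\.\d+\.\d+)"
    r"(?: to (?P<dst>\S+))?(?: (?P<result>ok|failed))?$")

# Constructed sample log: one allowed login, repeated denied attempts from
# one source, a login from an address the filter should have blocked.
SAMPLE_LOG = """\
2007-01-15T10:02:11Z rtr1 ssh-login: user alice from 198.51.100.10 ok
2007-01-15T10:02:40Z rtr1 ssh-acl-deny: from 203.0.113.7 to 192.0.2.1
2007-01-15T10:02:41Z rtr1 ssh-acl-deny: from 203.0.113.7 to 192.0.2.1
2007-01-15T10:03:05Z sw2 ssh-login: user bob from 198.51.100.200 ok
2007-01-15T10:04:00Z rtr1 ssh-login: user alice from 198.51.100.10 failed
2007-01-15T10:04:30Z sw2 ssh-acl-deny: from 203.0.113.9 to 192.0.2.2
"""


def in_allowlist(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in MGMT_ALLOWED)


def parse(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(log_text):
    """Return (alarms, offenders).  alarms: list of (device, reason, src);
    offenders: Counter of source addresses that triggered an alarm."""
    alarms, offenders = [], Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        src, dev = rec["src"], rec["device"]
        if rec["event"] == "ssh-acl-deny":
            # The filter did its job; the event is still alarmed so the
            # source can be tracked down and investigated.
            alarms.append((dev, "ssh from address not permitted", src))
            offenders[src] += 1
        elif rec["result"] == "ok" and not in_allowlist(src):
            # A session that should have been filtered got through: the
            # device's access filter is missing or wrong.
            alarms.append((dev, "filter bypass: login from outside allow-list", src))
            offenders[src] += 1
    return alarms, offenders


if __name__ == "__main__":
    for alarm in audit(SAMPLE_LOG)[0]:
        print(*alarm)
```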

2.2.3. Security Services

The security services offered for device OOB management are nearly
identical to those of device in-band management. Due to the critical
nature of controlling and limiting device access, many ISPs feel that
physically separating the management traffic from the normal customer
data traffic will provide an added level of risk mitigation and limit
the potential attack vectors. The following security services are
offered through the use of the practices described in the previous
section:

o User Authentication - All individuals are authenticated via AAA
  services.

o User Authorization - All individuals are authorized via AAA
  services to perform specific operations once successfully
  authenticated.

o Data Origin Authentication - Management traffic is strictly
  filtered to allow only specific IP addresses to have access to the
  infrastructure devices. This does not alleviate the risk from
  spoofed traffic, although when combined with edge filtering using
  BCP38 [RFC2827] and BCP84 [RFC3704] guidelines (discussed in
  Section 2.5), the risk of spoofing is mitigated, barring a
  compromised internal system. Also, using SSH for device access
  ensures that no one can spoof the traffic during the SSH session.

o Access Control - Management traffic is filtered to allow only
  specific IP addresses to have access to the infrastructure
  devices.

o Data Integrity - Using SSH provides data integrity and ensures
  that no one has altered the management data in transit.

o Data Confidentiality - Using SSH provides data confidentiality.
  limits but does not prevent spoofed DoS attacks directed at an
  infrastructure device. However, the risk is lowered by using a
  separate physical network for management purposes.

2.2.4. Additional Considerations

Password selection for any device management protocol used is
critical to ensure that the passwords are hard to guess or break
using a brute-force attack.

IP security (IPsec) is considered too difficult to deploy, and the
common protocol to provide for confidential management access is SSH.
There are exceptions to using SSH due to equipment limitations, since
SSH may not be supported on legacy equipment. In some cases,
changing the host name of a device requires an SSH rekey event, since
the key is based on some combination of host name, Media Access
Control (MAC) address, and time. Also, in the case where the SSH key
is stored on a route processor card, a re-keying of SSH would be
required whenever the route processor card needs to be swapped. Some
providers feel that this operational impact exceeds the security
necessary and instead use Telnet from trusted inside hosts (called
'jumphosts' or 'bastion hosts') to manage those devices. An
individual would first SSH to the jumphost and then Telnet from the
jumphost to the actual infrastructure device, fully understanding
that any passwords will be sent in the clear between the jumphost and
the device to which it is connecting. All authentication and
authorization is still carried out using AAA servers.

In instances where Telnet access is used, the logs on the AAA servers
are more verbose and more attention is paid to them to detect any
abnormal behavior. The jumphosts themselves are carefully controlled
machines and usually have limited access. Note that Telnet is NEVER
allowed to an infrastructure device except from specific jumphosts;
i.e., packet filters are used at the console server and/or
infrastructure device to ensure that Telnet is only allowed from
specific IP addresses.

With thousands of devices to manage, some ISPs have created automated
mechanisms to authenticate to devices. As an example, Kerberos has
been used to automate the authentication process for devices that
have support for Kerberos. An individual would first log in to a
Kerberized UNIX server using SSH and generate a Kerberos 'ticket'.
This 'ticket' is generally set to have a lifespan of 10 hours and is
used to automatically authenticate the individual to the
infrastructure devices.

In instances where SNMP is used, some legacy devices only support
SNMPv1, which then requires the provider to mandate its use across
all infrastructure devices for operational simplicity. SNMPv2 is
primarily deployed since it is easier to set up than v3.

2.3. Data Path

This section refers to how traffic that traverses the network
infrastructure device is handled. The primary goal of ISPs is to
forward customer traffic. However, due to the large amount of
malicious traffic that can cause DoS attacks and render the network
unavailable, specific measures are sometimes deployed to ensure the
availability to forward legitimate customer traffic.
2.3.1. Threats / Attacks 2.3.1. Threats / Attacks
Any data traffic can potentially be attack traffic and the challenge Any data traffic can potentially be attack traffic and the challenge
is to detect and potentially stop forwarding any of the malicious is to detect and potentially stop forwarding any of the malicious
traffic. The deliberately sourced attack traffic can consist of traffic. The deliberately sourced attack traffic can consist of
packets with spoofed source and/or destination addresses or any other packets with spoofed source and/or destination addresses or any other
malformed packet which mangle any portion of a header field to cause malformed packet that mangle any portion of a header field to cause
protocol-related security issues (such as resetting connections, protocol-related security issues (such as resetting connections,
causing unwelcome ICMP redirects, creating unwelcome IP options or causing unwelcome ICMP redirects, creating unwelcome IP options, or
packet fragmentations). packet fragmentations).
2.3.2. Security Practices

Filtering and rate limiting are the primary mechanisms to provide
risk mitigation of malicious traffic rendering the ISP services
unavailable. However, filtering and rate limiting of data path
traffic is deployed in a variety of ways, depending on how automated
the process is and what the capabilities and performance limitations
of the existing deployed hardware are.

The ISPs that do not have performance issues with their equipment
follow BCP38 [RFC2827] and BCP84 [RFC3704] guidelines for ingress
filtering. BCP38 recommends filtering ingress packets with obviously
spoofed and/or 'reserved' source addresses to limit the effects of
denial-of-service attacks, while BCP84 extends the recommendation for
multi-homed environments. Filters are also used to help alleviate
issues between service providers. Without any filtering, an
inter-exchange peer could steal transit just by using static routes,
and essentially redirect data traffic. Therefore, some ISPs have
implemented ingress/egress filters that block unexpected source and
destination addresses not defined in the above-mentioned documents.

Null routes and black-hole triggered routing [RFC3882] are used to
deter any detected malicious traffic streams. These two techniques
are described in more detail in Section 2.8 below.
Most ISPs consider layer 4 filtering useful, but it is only
implemented if performance limitations allow for it. Since it poses
a large administrative overhead and ISPs are very much opposed to
acting as the Internet firewall, layer 4 filtering is typically
implemented as a last option. Netflow is used for tracking traffic
flows, but there is some concern whether sampling is good enough to
detect malicious behavior.

Unicast Reverse Path Forwarding (uRPF) is not consistently
implemented. Some ISPs are in the process of doing so, while other
ISPs think that the perceived benefit (that even spoofed traffic is
constrained to source addresses valid for the ingress interface, and
is therefore traceable) is not worth the operational complexity.
Some providers have a policy of implementing uRPF at link speeds of
Digital Signal 3 (DS3) and below, which was due to the fact that all
hardware in the network supported uRPF for DS3 speeds and below. At
higher-speed links, the uRPF support was inconsistent and it was
easier for operational people to implement a consistent solution.
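The BCP38 source filtering and the strict versus loose uRPF distinction
described above, as an added example (this is not code from this
document or from any router vendor): a small Python model that applies
a static per-customer source filter, strict uRPF and BCP84-style loose
uRPF to a few constructed packets. The FIB, customer prefix lists,
interface names and packet sources are all constructed for
illustration, with documentation prefixes standing in for customer
address space. The last packet shows why multihomed customers push
operators toward loose mode: its source is legitimate, but the best
route back to it points at a different interface.

```python
"""BCP38-style ingress source filtering and unicast RPF (strict and
loose) applied to constructed sample packets.

Added example for this survey, not code from RFC 4778 or from any
router vendor.  The FIB, customer prefix lists and packets below are
constructed for illustration; documentation prefixes stand in for
real customer address space.
"""
import ipaddress

# Special-use source ranges that a BCP38 edge filter drops outright.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed forwarding table: prefix -> egress interface.
FIB = {
    ipaddress.ip_network("198.51.100.0/24"): "cust1",     # single-homed customer
    ipaddress.ip_network("203.0.113.0/24"):  "cust2",     # multihomed customer, our link
    ipaddress.ip_network("192.0.2.0/24"):    "upstream",  # cust2's other block, best path via its other ISP
    ipaddress.ip_network("0.0.0.0/0"):       "upstream",
}

# Source prefixes each customer interface is allowed to emit (BCP38).
CUSTOMER_PREFIXES = {
    "cust1": [ipaddress.ip_network("198.51.100.0/24")],
    "cust2": [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("192.0.2.0/24")],
}


def lookup(addr):
    """Longest-prefix match in FIB; returns (prefix, interface) or None."""
    best = None
    for prefix, iface in FIB.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def bcp38_accept(src, in_iface):
    """Static ingress filter: drop bogon sources and, on customer
    interfaces, any source the customer has not been assigned."""
    addr = ipaddress.ip_address(src)
    if any(addr in b for b in BOGON_SOURCES):
        return False
    allowed = CUSTOMER_PREFIXES.get(in_iface)
    if allowed is None:          # not a customer edge: no static source list here
        return True
    return any(addr in p for p in allowed)


def urpf_accept(src, in_iface, mode="strict"):
    """Unicast RPF.  Strict mode accepts only if the best route back to
    the source leaves via the ingress interface; loose mode (the BCP84
    relaxation for asymmetric multihoming) only requires that some
    non-default route to the source exists."""
    addr = ipaddress.ip_address(src)
    hit = lookup(addr)
    if hit is None or hit[0].prefixlen == 0:   # unrouted, or only the default route
        return False
    if mode == "loose":
        return True
    return hit[1] == in_iface


# Constructed sample packets: (source address, ingress interface).
PACKETS = [
    ("198.51.100.7", "cust1"),   # legitimate
    ("10.0.0.5",     "cust1"),   # RFC 1918 source: spoofed
    ("203.0.113.9",  "cust1"),   # cust2's address arriving from cust1: spoofed
    ("192.0.2.20",   "cust2"),   # legitimate but asymmetric: strict uRPF would drop it
]


def evaluate(packets=PACKETS):
    """Return {source: (bcp38, strict uRPF, loose uRPF)} verdicts."""
    return {src: (bcp38_accept(src, i),
                  urpf_accept(src, i, "strict"),
                  urpf_accept(src, i, "loose"))
            for src, i in packets}


if __name__ == "__main__":
    for src, verdict in evaluate().items():
        print(f"{src:14} bcp38={verdict[0]!s:5} strict={verdict[1]!s:5} loose={verdict[2]}")
```

The static BCP38 list and strict uRPF agree on the single-homed
customer; they diverge on the multihomed one, which is the
operational-complexity argument the text reports against uRPF.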
2.3.3. Security Services

o User Authentication - Not applicable.

o User Authorization - Not applicable.

o Data Origin Authentication - When IP address filtering per BCP38,
  BCP84, and uRPF are deployed at network edges, it can ensure that
  any spoofed traffic comes from at least a legitimate IP address
  and can be tracked.

o Access Control - IP address filtering and layer 4 filtering are
  used to deny forbidden protocols and limit traffic destined for
  the infrastructure device itself. Filters are also used to block
  unexpected source/destination addresses.

o Data Integrity - Not applicable.

o Data Confidentiality - Not applicable.

o Auditing / Logging - Filtering exceptions are logged for potential
  attack traffic.

o DoS Mitigation - Black-hole triggered filtering and rate-limiting
  are used to limit the risk of DoS attacks.
2.3.4. Additional Considerations

For layer 2 devices, MAC address filtering and authentication are not
used in large-scale deployments. This is due to the problems they
can cause when troubleshooting networking issues. Port security
becomes unmanageable at a large scale where thousands of switches are
deployed.

Rate limiting is used by some ISPs, although other ISPs believe it is
not really useful, since attackers are not well-behaved and it
doesn't provide any operational benefit over the complexity. Some
ISPs feel that rate limiting can also make an attacker's job easier:
once a class of traffic is rate limited, the attacker only needs to
send enough traffic to fill that limit in order to starve the
legitimate traffic in the same class. Rate limiting may be improved
by developing flow-based rate-limiting capabilities with filtering
hooks. This would improve the performance as well as the granularity
over current capabilities.

Lack of consistency regarding the ability to filter, especially with
respect to performance issues, causes some ISPs not to implement
BCP38 and BCP84 guidelines for ingress filtering. One such example
is at edge boxes, where up to 1000 T1s connect into a router with an
OC-12 (Optical Carrier) uplink. Some deployed devices experience a
large performance impact with filtering, which is unacceptable for
passing customer traffic through, though ingress filtering (uRPF)
might be applicable at the devices that connect to these aggregation
routers. Where performance is not an issue, the ISPs make a tradeoff
between management versus risk.
2.4. Routing Control Plane

The routing control plane deals with all the traffic that is part of
establishing and maintaining routing protocol information.

2.4.1. Threats / Attacks

Attacks on the routing control plane can come from either passive or
active sources. Passive attacks are possible if someone has the
capability to intercept data between the communicating routing peers.
This can be accomplished if a single routing peer is somehow
compromised and can act as a network sniffer, or if it is possible to
insert a new device that acts as a network sniffer.

Active attacks are possible for both on-path and off-path scenarios.
For on-path active attacks, the situation is the same as for a
passive attack, where either a device has to already be compromised
or a device can be inserted into the path. This may lead to an
attacker impersonating a legitimate routing peer and exchanging
routing information. Unintentional active attacks are more common
due to configuration errors, which cause legitimate routing peers to
feed invalid routing information to other neighboring peers.

For off-path active attacks, the attacks are generally limited to
message insertion or modification, which can divert traffic to
illegitimate destinations, causing traffic to never reach its
intended destination.
2.4.1.1. Confidentiality Violations

Confidentiality violations can occur when a miscreant intercepts any
of the routing update traffic. This is becoming more of a concern
because many ISPs are classifying addressing schemes and network
topologies as private and proprietary information. It is also a
concern because the routing protocol packets contain information that
may show ways in which routing sessions could be spoofed or hijacked.
This in turn could lead into a man-in-the-middle attack, where the
miscreants can insert themselves into the traffic path or divert the
traffic path and violate the confidentiality of user data.

2.4.1.2. Offline Cryptographic Attacks

If any cryptographic mechanism was used to provide for data integrity
and confidentiality, an offline cryptographic attack could
potentially compromise the data. The traffic would need to be
captured either by eavesdropping on the network or by being able to
divert traffic to a malicious user. Note that by using
cryptographically protected routing information, the latter would
require the cryptographic key to already be compromised anyway, so
this attack is only feasible if a device was able to eavesdrop and
capture the cryptographically protected routing information.

2.4.1.3. Replay Attacks

For a replay attack to be successful, the routing control plane
traffic would need to first be captured either on-path or diverted to
an attacker to later be replayed to the intended recipient.
Additionally, since many of these protocols include replay protection
mechanisms, these would also need to be subverted, if applicable.

2.4.1.4. Message Insertion/Deletion/Modification

Routing control plane traffic can be manipulated by someone in
control of intermediate hosts. In addition, traffic can be injected
by forging IP addresses, where a remote router sends out packets that
appear to come from another, trusted router. If enough traffic is
injected to be processed by limited memory routers, it can cause a
DoS attack.

2.4.1.5. Man-In-The-Middle

A man-in-the-middle attack attacks the identity of a communicating
peer rather than the data stream itself. The attacker intercepts
traffic that is sent from one routing peer to the other and
communicates on behalf of one of the peers. This can lead to a
diversion of the user traffic to either an unauthorized receiving
party or cause legitimate traffic to never reach its intended
destination.
2.4.2. Security Practices

Securing the routing control plane takes many features, which are
generally deployed as a system. Message Digest 5 (MD5)
authentication is used by some ISPs to validate the sending peer and
to ensure that the data in transit has not been altered. Some ISPs
only deploy MD5 authentication at the customers' request. Additional
sanity checks to ensure with reasonable certainty that the received
routing update was originated by a valid routing peer include route
filters and the Generalized TTL Security Mechanism (GTSM) feature
[RFC3682] (sometimes also referred to as the TTL-Hack). The GTSM
feature is used for protocols such as the Border Gateway Protocol
(BGP), and makes use of a packet's Time To Live (TTL) field (IPv4) or
Hop Limit (IPv6) to protect communicating peers: each peer sends its
routing protocol packets with a TTL of 255, and the receiver discards
any packet whose TTL is lower than 255 minus the expected number of
hops. Since the TTL can only decrease in transit and cannot be set
above 255, an attacker that is further away than the expected hop
count cannot produce a packet that passes this check. If GTSM is
used, it is typically deployed only in limited scenarios between
internal BGP peers due to lack of consistent support between vendor
products and operating system versions.
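The two mechanisms in the paragraph above, as an added example (this
is not code from this document or from any router vendor): for BGP,
"MD5 authentication" means the TCP MD5 Signature Option of RFC 2385,
and the code below computes and verifies that digest on a constructed
BGP KEEPALIVE segment, alongside the GTSM TTL test. The addresses,
ports, key and sequence numbers are constructed, and the TCP checksum
is left at zero because nothing is put on the wire. The digest covers
the IP pseudo-header, the fixed TCP header, the payload and the shared
key, so a wrong key or a single flipped payload bit fails
verification; that is the data-origin and integrity property the text
attributes to MD5 authentication, and it also shows why a router must
hash every spoofed segment before it can discard it.

```python
"""GTSM (RFC 3682) TTL check and the TCP MD5 Signature Option (RFC 2385)
that BGP implementations use for "MD5 authentication", computed and
verified on a constructed BGP KEEPALIVE segment.

Added example, not code from RFC 4778 or any router vendor.  The
addresses, ports, key and sequence numbers are constructed; the TCP
checksum is left zero because nothing here is put on the wire.
"""
import hashlib
import hmac
import ipaddress
import struct

TCP_MD5_KIND = 19        # RFC 2385 option kind
TCP_MD5_LEN = 18         # kind + length + 16-byte digest


def gtsm_accept(ttl, expected_hops=1):
    """RFC 3682: the peer sends with TTL 255.  TTL only decrements in
    transit and cannot be set above 255, so a packet from anyone more
    than expected_hops away arrives with TTL < 255 - expected_hops."""
    return ttl >= 255 - expected_hops


def tcp_md5_digest(src, dst, segment, key):
    """RFC 2385 section 2: MD5 over (1) the pseudo-header: source IP,
    destination IP, zero, protocol 6, segment length; (2) the fixed TCP
    header with the checksum zeroed and options excluded; (3) the
    segment data; (4) the shared key."""
    data_offset = (segment[12] >> 4) * 4
    pseudo = (ipaddress.ip_address(src).packed
              + ipaddress.ip_address(dst).packed
              + struct.pack("!BBH", 0, 6, len(segment)))
    fixed_hdr = segment[:16] + b"\x00\x00" + segment[18:20]
    md5 = hashlib.md5()
    md5.update(pseudo)
    md5.update(fixed_hdr)
    md5.update(segment[data_offset:])
    md5.update(key)
    return md5.digest()


def build_segment(src, dst, sport, dport, seq, ack, flags, payload, key):
    """Build a TCP segment carrying the MD5 option, padded to a 32-bit
    boundary with two NOP options (kind 1)."""
    options_len = TCP_MD5_LEN + 2
    data_offset = (20 + options_len) // 4            # in 32-bit words
    fixed_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                            data_offset << 4, flags, 65535, 0, 0)
    # The digest does not cover the options, so compute it with a
    # zero placeholder and then fill the real digest in.
    placeholder = bytes([TCP_MD5_KIND, TCP_MD5_LEN]) + b"\x00" * 16 + b"\x01\x01"
    digest = tcp_md5_digest(src, dst, fixed_hdr + placeholder + payload, key)
    options = bytes([TCP_MD5_KIND, TCP_MD5_LEN]) + digest + b"\x01\x01"
    return fixed_hdr + options + payload


def verify_segment(src, dst, segment, key):
    """Receiver side: find the MD5 option, recompute the digest and
    compare in constant time.  A segment without the option is rejected,
    as deployed implementations do once a key is configured for the peer."""
    data_offset = (segment[12] >> 4) * 4
    opts, i, carried = segment[20:data_offset], 0, None
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP
            i += 1
            continue
        length = opts[i + 1]
        if kind == TCP_MD5_KIND and length == TCP_MD5_LEN:
            carried = opts[i + 2:i + TCP_MD5_LEN]
        i += length
    if carried is None:
        return False
    return hmac.compare_digest(carried, tcp_md5_digest(src, dst, segment, key))


def demo():
    """Returns (genuine verifies, wrong key rejected, tampered payload
    rejected, GTSM accepts TTL 255, GTSM rejects TTL 250)."""
    src, dst, key = "192.0.2.1", "192.0.2.2", b"bgp-session-secret"
    keepalive = b"\xff" * 16 + struct.pack("!HB", 19, 4)   # BGP KEEPALIVE: marker, length, type
    seg = build_segment(src, dst, 179, 40001, 1000, 2000, 0x18, keepalive, key)
    genuine = verify_segment(src, dst, seg, key)
    wrong_key = verify_segment(src, dst, seg, b"not-the-key")
    tampered = bytearray(seg)
    tampered[-1] ^= 0x01                                   # flip a bit in the BGP message type
    modified = verify_segment(src, dst, bytes(tampered), key)
    return genuine, wrong_key, modified, gtsm_accept(255), gtsm_accept(250)


if __name__ == "__main__":
    print(demo())
```

Note that the option protects the TCP segment, not the routing
information it carries: a peer holding the key can still announce
invalid routes, which is why the text pairs MD5 with route filters.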
Packet filters are used to limit which systems can appear as a valid
peer, while route filters are used to limit which routes are accepted
from a valid peer. In the case of BGP routing, a variety of policies
are deployed to limit the propagation of invalid routing information.
These include: incoming and outgoing prefix filters for BGP
customers, incoming and outgoing prefix filters for peers and
upstream neighbors, incoming AS-PATH filter for BGP customers,
outgoing AS-PATH filter towards peers and upstream neighbors, route
dampening, and rejecting selected attributes and communities.
Consistency between these policies varies greatly and there is a
definite distinction whether the other end is an end-site vs an
internal peer vs another big ISP or customer. Mostly ISPs do
prefix-filter their end-site customers, but due to the operational
constraints of maintaining large prefix filter lists, many ISPs are
starting to depend on BGP AS-PATH filters to/from their peers and
upstream neighbors.
In cases where prefix lists are not used, operators often define a
maximum prefix limit per peer to prevent misconfiguration (e.g.,
unintentional de-aggregation or neighbor routing policy
mis-configuration) or overload attacks. ISPs need to coordinate with
each other what the expected prefix exchange is, and increase this
number by some sane amount. It is important for ISPs to pad the
max-prefix number enough to allow for valid swings in routing
announcements, preventing an unintentional shut down of the BGP
session. Individual implementations amongst ISPs are unique, and
depending on equipment supplier(s), different implementation options
are available. Most equipment vendors offer implementation options
ranging from just logging excessive prefixes being received, to
automatically shutting down the session. If the option of
reestablishing a session after some pre-configured idle timeout has
been reached is available, it should be understood that automatically
reestablishing the session may continuously introduce instability
into the overall routing table if a policy mis-configuration on the
adjacent neighbor is causing the condition. If a serious
mis-configuration on a peering neighbor has occurred, then
automatically shutting down the session and leaving it shut down
until being manually cleared is sometimes best and allows for
operator intervention to correct as needed.
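The per-neighbor policies listed two paragraphs above (customer prefix
filters, AS-PATH filters, rejection of bogon advertisements) together
with the max-prefix behaviour just described, as an added example
(this is not code from this document or from any router vendor). The
ASNs, prefixes, neighbor kinds and updates are constructed for
illustration. The customer neighbor is prefix-listed and shuts its
session down on the limit, leaving it idle until an operator clears
it; the peer has no prefix list, relies on the AS-PATH sanity check,
and only logs when it exceeds its limit.

```python
"""Per-neighbor BGP import policy: customer prefix list, AS-PATH
filter, bogon rejection and a max-prefix limit whose action is either
to log or to shut the session down.

Added example, not code from RFC 4778 or any router vendor.  The ASNs
(private range), prefixes (documentation space) and updates below are
constructed for illustration.
"""
import ipaddress

# Address space that must never be accepted in an advertisement.
BOGON_PREFIXES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


class Neighbor:
    def __init__(self, asn, kind, prefix_list=None, allowed_asns=(),
                 max_prefix=None, on_limit="shutdown"):
        self.asn = asn
        self.kind = kind                      # "customer" or "peer"
        # customer prefix list: {network: longest prefix length accepted under it}
        self.prefix_list = {ipaddress.ip_network(p): le
                            for p, le in (prefix_list or {}).items()}
        self.allowed_asns = set(allowed_asns) | {asn}   # customer plus registered downstreams
        self.max_prefix = max_prefix
        self.on_limit = on_limit              # "shutdown" or "warn"
        self.accepted = {}                    # network -> AS-PATH
        self.state = "established"
        self.log = []


def accept_update(nbr, prefix, as_path):
    """Apply the import policy to one announcement; True if installed."""
    net = ipaddress.ip_network(prefix)
    if nbr.state != "established":
        nbr.log.append(f"{prefix}: session {nbr.state}, ignored")
        return False
    if any(net.subnet_of(b) for b in BOGON_PREFIXES):
        nbr.log.append(f"{prefix}: bogon, rejected")
        return False
    if not as_path or as_path[0] != nbr.asn:
        nbr.log.append(f"{prefix}: AS-PATH {as_path} does not start with AS{nbr.asn}")
        return False
    if nbr.kind == "customer":
        if not any(net.subnet_of(p) and net.prefixlen <= le
                   for p, le in nbr.prefix_list.items()):
            nbr.log.append(f"{prefix}: not covered by customer prefix list, rejected")
            return False
        if not set(as_path) <= nbr.allowed_asns:
            nbr.log.append(f"{prefix}: AS-PATH {as_path} contains an unregistered AS (leak)")
            return False
    nbr.accepted[net] = list(as_path)
    if nbr.max_prefix is not None and len(nbr.accepted) > nbr.max_prefix:
        nbr.log.append(f"max-prefix {nbr.max_prefix} exceeded "
                       f"({len(nbr.accepted)} prefixes), action={nbr.on_limit}")
        if nbr.on_limit == "shutdown":
            nbr.state = "idle"            # stays idle until an operator clears it
            nbr.accepted.clear()          # everything from this neighbor is withdrawn
            return False
    return True


def run_demo():
    """Feed constructed updates to a prefix-listed customer (shutdown on
    limit) and to a peer without a prefix list (warn on limit)."""
    cust = Neighbor(64500, "customer",
                    prefix_list={"203.0.113.0/24": 24, "198.51.100.0/22": 24},
                    allowed_asns=[64501], max_prefix=3, on_limit="shutdown")
    cust_results = [accept_update(cust, p, path) for p, path in (
        ("203.0.113.0/24",  [64500]),           # accepted
        ("198.51.100.0/24", [64500, 64501]),    # accepted: registered downstream
        ("198.51.100.0/25", [64500]),           # too specific for the list
        ("192.168.0.0/16",  [64500]),           # bogon
        ("192.0.2.0/24",    [64500]),           # not in the customer's list
        ("198.51.101.0/24", [64500, 65000]),    # unregistered AS in path
        ("198.51.102.0/24", [64501]),           # path does not start with the neighbor
        ("198.51.102.0/24", [64500]),           # accepted: third prefix
        ("198.51.103.0/24", [64500]),           # fourth: over max-prefix, session shut
        ("203.0.113.0/24",  [64500]),           # session idle: ignored
    )]
    peer = Neighbor(64510, "peer", max_prefix=1, on_limit="warn")
    peer_results = [accept_update(peer, p, [64510, 64520])
                    for p in ("198.18.0.0/15", "203.0.113.0/24")]
    return cust_results, cust.state, len(cust.accepted), peer_results, peer.state


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The shutdown action deliberately withdraws every route learned from the
neighbor and leaves the session idle rather than retrying, which is the
"leave it shut down until manually cleared" behaviour the text prefers
when the cause is a mis-configuration on the other side.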
Some large ISPs require that routes be registered in an Internet
Routing Registry (IRR) [IRR], which can then be part of the Routing
Assets Database (RADb) - a public registry of routing information for
networks in the Internet that can be used to generate filter lists.
Some ISPs, especially in Europe, require registered routes before
agreeing to become an eBGP peer with someone.

Many ISPs also do not propagate interface IP addresses to further
reduce attack vectors on routers and connected customers.
2.4.3. Security Services

o User Authentication - Not applicable.

o User Authorization - Not applicable.

o Data Origin Authentication - By using MD5 authentication and/or
  the TTL-hack, a routing peer can be reasonably certain that
  traffic originated from a valid peer.

o Access Control - Route filters, AS-PATH filters, and prefix limits
  are used to control access to specific parts of the network.

o Data Integrity - By using MD5 authentication, a peer can be
  reasonably certain that the data has not been modified in transit,
  but there is no mechanism to prove the validity of the routing
  information itself.

o Data Confidentiality - Not implemented.

o Auditing / Logging - Filter exceptions are logged.

o DoS Mitigation - Many DoS attacks are mitigated using a
  combination of techniques including: MD5 authentication, the GTSM
  feature, filtering routing advertisements to bogons, and filtering
  routing advertisements to one's own network.
2.4.4. Additional Considerations

So far the primary concern to secure the routing control plane has
been to validate the sending peer and to ensure that the data in
transit has not been altered. Although MD5 routing protocol
extensions have been implemented, which can provide both services,
they are not consistently deployed amongst ISPs. Two major
deployment concerns have been implementation issues, where both
software bugs and the lack of graceful re-keying options have caused
significant network down times. Also, some ISPs express concern that
deploying MD5 authentication will itself make the router a better
DoS target, since every spoofed segment must be hashed before it can
be discarded, and prefer to use a combination of other risk
mitigation mechanisms such as GTSM (for BGP) and route filters. An
issue with GTSM is that it is not supported on all devices across
different vendors' products.

IPsec is not deployed since the operational management aspects of
ensuring interoperability and reliable configurations are too complex
and time consuming to be operationally viable. There is also limited
concern for the confidentiality of the routing information. The
integrity and validity of the updates are of much greater concern.
There is concern for manual or automated actions that introduce new
routes and can affect the entire routing domain.
2.5. Software Upgrades and Configuration Integrity / Validation

Software upgrades and configuration changes are usually performed as
part of either in-band or OOB management functions. However, there
are additional considerations to be taken into account, which are
enumerated in this section.

2.5.1. Threats / Attacks

Attacks performed on system software and configurations can come
from either passive or active sources. Passive attacks are possible
if someone has the capability to intercept data between the network
infrastructure device and the system that is downloading or
uploading the software or configuration information. This can be
accomplished if a single infrastructure device is somehow compromised
and can act as a network sniffer, or if it is possible to insert a
new device that acts as a network sniffer.

Active attacks are possible for both on-path and off-path scenarios.
For on-path active attacks, the situation is the same as for a
passive attack, where either a device has to already be compromised
or a device can be inserted into the path. For off-path active
attacks, the attacks are generally limited to message insertion or
modification where the attacker may wish to load illegal software or
configuration files to an infrastructure device.
Note that similar issues are relevant when software updates are

to detect, especially when the only added command is to allow a
miscreant access to that device by entering a filter allowing a
specific host access and configuring a local username/password
database entry for authentication to that device.
2.5.1.5. Man-In-The-Middle

A man-in-the-middle attack attacks the identity of a communicating
peer rather than the data stream itself. The attacker intercepts
traffic that is sent between the infrastructure device and the host
used to upload/download the system image or configuration file.
He/she can then act on behalf of one or both of these systems.

If an attacker obtained a copy of the software image being deployed,
he could potentially exploit a known vulnerability and gain access to
the system. From a captured configuration file, he could obtain
confidential network topology information, or even more damaging
information, if any of the passwords in the configuration file were
not encrypted.
2.5.2. Security Practices

Images and configurations are stored on specific hosts that have
limited access. All access and activity relating to these hosts are
authenticated and logged via AAA services. When uploading/downloading
any system software or configuration files, either TFTP, FTP, or SCP
can be used. Where possible, SCP is used to secure the data transfer
and FTP is generally never used. All SCP access is username/password
authenticated, but since this requires an interactive shell, most ISPs
will use shared key authentication to avoid the interactive shell.
While TFTP access does not have any security measures, it is still
widely used, especially in OOB management scenarios. Some ISPs
implement IP-based restriction on the TFTP server, while some custom
written TFTP servers will support MAC-based authentication. The
MAC-based authentication is more common when using TFTP to bootstrap
routers remotely.

In most environments, scripts are used for maintaining the images and
configurations of a large number of routers. To ensure the integrity
of the configurations, every hour the configuration files are polled
and compared to the previously polled version to find discrepancies.
In at least one environment, these tools are Kerberized to take
advantage of automated authentication (not confidentiality).
'Rancid' is one popular publicly available tool for detecting
configuration and system changes.

Filters are used to limit access to uploading/downloading
configuration files and system images to specific IP addresses and
protocols.

The software images perform Cyclic Redundancy Checks (CRC) and the
system binaries use the MD5 algorithm to validate integrity. Many
ISPs expressed interest in having software image integrity validation
based on the MD5 algorithm for enhanced security.

In all configuration files, most passwords are stored in an encrypted
format. Note that the encryption techniques used in varying products
can vary and that some weaker encryption schemes may be subject to
off-line dictionary attacks. This includes passwords for user
authentication, MD5-authentication shared secrets, AAA server shared
secrets, NTP shared secrets, etc. For older software that may not
support this functionality, configuration files may contain some
passwords in readable format. Most ISPs mitigate any risk of
password compromise by either storing these configuration files
without the password lines or by requiring authenticated and
authorized access to the configuration files that are stored on
protected OOB management devices.

Automated security validation is performed on infrastructure devices
using Network Mapping (Nmap) and Nessus to ensure valid configuration
against many of the well-known attacks.
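As an added illustration, not part of the survey text or of any ISP's or Rancid's own tooling, the following Python sketches the two practices above: the hourly poll-and-compare of configuration files, and archiving those files without their password lines. The router-like configuration syntax, the credential patterns, the watch rules and both sample polls are constructed for the example.

```python
import difflib
import hashlib
import re
from dataclasses import dataclass

# Constructed sample polls of one router's configuration. The syntax is
# router-like but hypothetical; hashes and keys are placeholders.
PREVIOUS_POLL = """\
hostname core1
ntp server 192.0.2.10
username ops secret 5 $1$abcd$PLACEHOLDERHASH
tacacs-server key 7 PLACEHOLDERKEY
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
"""

# One hour later: a filter entry admitting a single host and a local
# account have appeared, the small change the text describes as hard to
# notice.
CURRENT_POLL = """\
hostname core1
ntp server 192.0.2.10
username ops secret 5 $1$abcd$PLACEHOLDERHASH
username maint secret 5 $1$zzzz$ANOTHERPLACEHOLDER
tacacs-server key 7 PLACEHOLDERKEY
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 10 permit host 198.51.100.77
line vty 0 4
 access-class 10 in
"""

# Lines that carry credentials (user passwords, AAA/NTP shared secrets).
# Hypothetical patterns; a deployment tunes these per vendor syntax.
SECRET_LINE = re.compile(
    r"^\s*(username\s+\S+\s+(secret|password)|tacacs-server key|"
    r"radius-server key|enable secret|ntp authentication-key)\b"
)


def strip_secrets(config: str) -> str:
    """Archive copy without the secrets: keep the first two tokens of a
    credential line (so an added account or key still shows in a diff)
    and drop the rest of that line."""
    out = []
    for line in config.splitlines():
        if SECRET_LINE.match(line):
            out.append(" ".join(line.split()[:2]) + " <redacted>")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def fingerprint(config: str) -> str:
    """MD5 of the archived copy, the algorithm the surveyed ISPs report
    using for integrity; a quick equality test between two polls."""
    return hashlib.md5(config.encode()).hexdigest()


@dataclass
class Finding:
    line: str
    reason: str


# Added lines worth an operator's attention (hypothetical rule set).
WATCH_RULES = [
    (re.compile(r"^\s*username\s"), "new local account"),
    (re.compile(r"^\s*access-list\s+\d+\s+permit\s+host\s"),
     "single host admitted by an access filter"),
    (re.compile(r"^\s*(aaa|tacacs-server|radius-server)\b"),
     "AAA configuration changed"),
]


def compare_polls(previous: str, current: str):
    """Diff the sanitized copies of two polls.
    Returns (added_lines, removed_lines, findings)."""
    prev = strip_secrets(previous).splitlines()
    cur = strip_secrets(current).splitlines()
    added, removed = [], []
    for entry in difflib.ndiff(prev, cur):
        if entry.startswith("+ "):
            added.append(entry[2:])
        elif entry.startswith("- "):
            removed.append(entry[2:])
    findings = [Finding(line, reason)
                for line in added
                for pattern, reason in WATCH_RULES if pattern.match(line)]
    return added, removed, findings


if __name__ == "__main__":
    # Only run the line-level diff when the fingerprints disagree.
    if fingerprint(strip_secrets(PREVIOUS_POLL)) != fingerprint(strip_secrets(CURRENT_POLL)):
        _, _, alerts = compare_polls(PREVIOUS_POLL, CURRENT_POLL)
        for f in alerts:
            print(f"ALERT {f.reason}: {f.line}")
```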
2.5.3. Security Services

o User Authentication - All users are authenticated before being
  able to download/upload any system images or configuration files.

o User Authorization - All authenticated users are granted specific
  privileges to download or upload system images and/or
  configuration files.

o Data Origin Authentication - Filters are used to limit access to
  uploading/downloading configuration files and system images to
  specific IP addresses.

o Access Control - Filters are used to limit access to uploading/
  downloading configuration files and system images to specific IP
  addresses and protocols.

o Data Integrity - All systems use either a CRC-check or MD5
  authentication to ensure data integrity. Also, tools such as
  rancid are used to automatically detect configuration changes.

o Data Confidentiality - If the SCP protocol is used then there is
  confidentiality of the downloaded/uploaded configuration files and
  system images.

o Auditing / Logging - All access and activity relating to
  downloading/uploading system images and configuration files are
  logged via AAA services and filter exception rules.

o DoS Mitigation - A combination of filtering and CRC-check/
  MD5-based integrity checks are used to mitigate the risks of DoS
  attacks. If the software updates and configuration changes are
  performed via an OOB management system, this is also added
  protection.

2.5.4. Additional Considerations

Where the MD5 algorithm is not used to perform data-integrity
checking of software images and configuration files, ISPs have
expressed an interest in having this functionality. IPsec is
considered too cumbersome and operationally difficult to use for data
integrity and confidentiality.
2.6. Logging Considerations

Although logging is part of all the previous sections, it is
important enough to be covered as a separate item. The main issues
revolve around what gets logged, how long are logs kept, and what
mechanisms are used to secure the logged information while it is in
transit and while it is stored.

2.6.1. Threats / Attacks

Attacks on the logged data can be both from passive or active
sources. Passive attacks are possible if someone has the capability
to intercept data between the recipient logging server and the device
from which the logged data originated. This can be accomplished if a
single infrastructure device is somehow compromised and can act as a
network sniffer, or if it is possible to insert a new device that
acts as a network sniffer.

Active attacks are possible for both on-path and off-path scenarios.
For on-path active attacks, the situation is the same as for a
passive attack, where either a device has to already be compromised,
or a device can be inserted into the path. For off-path active
attacks, the attacks are generally limited to message insertion or
modification that can alter the logged data to keep any compromise
from being detected, or to destroy any evidence that could be used
for criminal prosecution.

2.6.1.1. Confidentiality Violations

Confidentiality violations can occur when a miscreant intercepts any
of the logging data that is in transit on the network. This could
lead to privacy violations if some of the logged data has not been
sanitized to disallow any data that could be a violation of privacy
to be included in the logged data.

2.6.1.2. Offline Cryptographic Attacks

If any cryptographic mechanism was used to provide for data integrity
and confidentiality, an offline cryptographic attack could
potentially compromise the data. The traffic would need to be
captured either by eavesdropping on the network or by being able to
divert traffic to a malicious user.

2.6.1.3. Replay Attacks

For a replay attack to be successful, the logging data would need to
first be captured either on-path or diverted to an attacker and later
replayed to the recipient.

2.6.1.4. Message Insertion/Deletion/Modification

Logging data could be injected, deleted, or modified by someone in
control of intermediate hosts. Logging data can also be injected by
forging packets from either legitimate or illegitimate IP addresses.

2.6.1.5. Man-In-The-Middle

A man-in-the-middle attack attacks the identity of a communicating
peer rather than the data stream itself. The attacker intercepts
traffic that is sent between the infrastructure device and the
logging server or traffic sent between the logging server and the
database that is used to archive the logged data. Any unauthorized
access to logging information could lead to the knowledge of private
and proprietary network topology information, which could be used to
compromise portions of the network. An additional concern is having
access to logging information, which could be deleted or modified so
as to cover any traces of a security breach.
2.6.2. Security Practices

When it comes to filtering, logging is mostly performed on an
exception auditing basis (i.e., traffic that is NOT allowed is
logged). This is to assure that the logging servers are not
overwhelmed with data, which would render most logs unusable.
Typically the data logged will contain the source and destination IP
addresses and layer 4 port numbers as well as a timestamp. The
syslog protocol is used to transfer the logged data from the
infrastructure device to the syslog server. Many ISPs use the OOB
management network to transfer syslog data since there is virtually
no security performed between the syslog server and the device. All
ISPs have multiple syslog servers - some ISPs choose to use separate
syslog servers for varying infrastructure devices (i.e., one syslog
server for backbone routers, one syslog server for customer edge
routers, etc.)

The timestamp is derived from NTP, which is generally configured as a
flat hierarchy at stratum1 and stratum2 to have less configuration
and less maintenance. Consistency of configuration and redundancy is
the primary goal. Each router is configured with several stratum1
server sources, which are chosen to ensure that proper NTP time is
available, even in the event of varying network outages.

In addition to logging filtering exceptions, the following is
typically logged: routing protocol state changes, all device access
(regardless of authentication success or failure), all commands
issued to a device, all configuration changes, and all router events
(boot-up/flaps).

The main function of any of these log messages is to see what the
device is doing as well as to try and ascertain what certain
malicious attackers are trying to do. Since syslog is an unreliable
protocol, when routers boot or lose adjacencies, not all messages
will get delivered to the remote syslog server. Some vendors may
implement syslog buffering (e.g., buffer the messages until you have
a route to the syslog destination), but this is not standard.
Therefore, operators often have to look at local syslog information
on a device (which typically has very little memory allocated to it)
to make up for the fact that the server-based syslog files can be
incomplete. Some ISPs also put in passive devices to see routing
updates and withdrawals and do not rely solely on the device for log
files. This provides a backup mechanism to see what is going on in
the network in the event that a device may 'forget' to do syslog if
the CPU is busy.

The logs from the various syslog server devices are generally
transferred into databases at a set interval that can be anywhere
from every 10 minutes to every hour. One ISP uses Rsync to push the
data into a database, and then the information is sorted manually by
someone SSH'ing to that database.
2.6.3. Security Services

o User Authentication - Not applicable.

o User Authorization - Not applicable.

o Data Origin Authentication - Not implemented.

o Access Control - Filtering on logging host and server IP address
  to ensure that syslog information only goes to specific syslog
  hosts.

o Data Integrity - Not implemented.

o Data Confidentiality - Not implemented.

o Auditing / Logging - This entire section deals with logging.

o DoS Mitigation - An OOB management system is used and sometimes
  different syslog servers are used for logging information from
  varying equipment. Exception logging tries to keep information to
  a minimum.
2.6.4. Additional Considerations

There is no security with syslog and ISPs are fully cognizant of
this. IPsec is considered too operationally expensive and cumbersome
to deploy. Syslog-ng and stunnel are being looked at for providing
better authenticated and integrity-protected solutions. Mechanisms
to prevent unauthorized personnel from tampering with logs are
constrained to auditing who has access to the logging servers and
files.

ISPs expressed requirements for more than just UDP syslog.
Additionally, they would like more granular and flexible facilities
and priorities, i.e., specific logs to specific servers. They would
also like a common format for reporting standard events so that
modifying parsers after each upgrade of a vendor device or software
is not necessary.
2.7. Filtering Considerations

Although filtering has been covered under many of the previous
sections, this section will provide some more insights into the
filtering considerations that are currently being taken into account.
Filtering is now being categorized into three specific areas: data
plane, management plane, and routing control plane.

2.7.1. Data Plane Filtering

Data plane filters control the traffic that traverses through a
device and affect transit traffic. Most ISPs deploy these kinds of
filters at customer facing edge devices to mitigate spoofing attacks
using BCP38 and BCP84 guidelines.

2.7.2. Management Plane Filtering

Management filters control the traffic to and from a device. All of
the protocols that are used for device management fall under this
category and include: SSH, Telnet, SNMP, NTP, HTTP, DNS, TFTP, FTP,
SCP, and Syslog. This type of traffic is often filtered per
interface and is based on any combination of protocol, source and
destination IP address, and source and destination port number. Some
devices support functionality to apply management filters to the
device rather than to the specific interfaces (e.g., receive ACL or
loopback interface ACL), which is gaining wider acceptance. Note
that logging the filtering rules can today place a burden on many
systems and more granularity is often required to more specifically
log the required exceptions.

Any services that are not specifically used are turned off.

IPv6 networks require the use of specific ICMP messages for proper
protocol operation. Therefore, ICMP cannot be completely filtered to
and from a device. Instead, granular ICMPv6 filtering is always
deployed to allow for specific ICMPv6 types to be sourced or destined
to a network device. A good guideline for IPv6 filtering is in the
Recommendations for Filtering ICMPv6 Messages in Firewalls [ICMPv6].
2.7.3. Routing Control Plane Filtering

Routing filters are used to control the flow of routing information.
In IPv6 networks, some providers are liberal in accepting /48s due to
the still unresolved multihoming issues, while others filter at
allocation boundaries, which are typically at /32. Any announcement
received that is longer than a /48 for IPv6 routing and a /24 for
IPv4 routing is filtered out of eBGP. Note that this is for
non-customer traffic. Most ISPs will accept any agreed upon prefix
length from their customer(s).
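As an added example, not part of the survey and not any ISP's or router vendor's own filter, the prefix-length policy just described expressed in Python with the standard ipaddress module: the /24 and /48 bounds for non-customer eBGP, the stricter /32 allocation-boundary posture as an option, and the per-customer agreed length. The policy names, function names and the peer feed are constructed for the example.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

# Longest prefix accepted from non-customer eBGP peers. IPv6 has two
# postures in the text: liberal providers accept /48s, others filter at
# the typical /32 allocation boundary.
IPV4_MAX_LEN = 24
IPV6_MAX_LEN = {"liberal": 48, "allocation": 32}


def max_accepted_len(version: int, ipv6_policy: str = "liberal") -> int:
    return IPV4_MAX_LEN if version == 4 else IPV6_MAX_LEN[ipv6_policy]


def accept_announcement(prefix: str, *, from_customer: bool = False,
                        agreed_max: Optional[int] = None,
                        ipv6_policy: str = "liberal") -> Tuple[bool, str]:
    """Return (accepted, reason) for one eBGP announcement.
    Malformed prefixes (or ones with host bits set) are rejected outright;
    a customer with an agreed maximum length gets that bound instead."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    limit = max_accepted_len(net.version, ipv6_policy)
    if from_customer and agreed_max is not None:
        limit = agreed_max
    if net.prefixlen > limit:
        return False, f"/{net.prefixlen} longer than /{limit}"
    return True, "ok"


def apply_filter(announcements: Iterable[str], **policy) -> dict:
    """Split a batch of announcements into accepted and rejected
    (with the reason for each rejection)."""
    verdict = {"accepted": [], "rejected": {}}
    for prefix in announcements:
        ok, why = accept_announcement(prefix, **policy)
        if ok:
            verdict["accepted"].append(prefix)
        else:
            verdict["rejected"][prefix] = why
    return verdict


# Constructed peer feed using documentation prefixes; the last entry is
# deliberately malformed.
PEER_FEED = [
    "192.0.2.0/24", "198.51.100.0/25", "2001:db8::/32",
    "2001:db8:1::/48", "2001:db8:1:2::/64", "203.0.113.0/24/x",
]

if __name__ == "__main__":
    print("liberal:", apply_filter(PEER_FEED))
    print("allocation:", apply_filter(PEER_FEED, ipv6_policy="allocation"))
    print("customer /25:",
          accept_announcement("198.51.100.0/25", from_customer=True, agreed_max=25))
```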
2.8. Denial-of-Service Tracking/Tracing

Denial-of-Service attacks are an ever-increasing problem and require
vast amounts of resources to combat effectively. Some large ISPs do
not concern themselves with attack streams that are less than 1G in
bandwidth - this is on the larger pipes where 1G is essentially less
than 5% of an offered load. This is largely due to the large amounts
of DoS traffic, which continually requires investigation and
mitigation. At last count, the number of hosts making up large
distributed DoS botnets exceeded 1 million hosts.

New techniques are continually evolving to automate the process of
detecting DoS sources and mitigating any adverse effects as quickly
as possible. At this time, ISPs are using a variety of mitigation
techniques including: sinkhole routing, black hole triggered routing,
uRPF, rate limiting, and specific control plane traffic enhancements.
Each of these techniques will be detailed below.
2.8.1. Sinkhole Routing

Sinkhole routing refers to injecting a more specific route for any
known attack traffic, which will ensure that the malicious traffic is
redirected to a valid device or specific system where it can be
analyzed.

2.8.2. Black Hole Triggered Routing

Black hole triggered routing (also referred to as Remote Triggered
Black Hole Filtering) is a technique where the BGP routing protocol
is used to propagate routes which in turn redirect attack traffic to
the null interface where it is effectively dropped. This technique
is often used in large routing infrastructures since BGP can
propagate the information in a fast, effective manner, as opposed to
using any packet-based filtering techniques on hundreds or thousands
of routers (refer to the following NANOG presentation for a more
complete description: http://www.nanog.org/mtg-0402/pdf/morrow.pdf).

Note that this black-holing technique may actually fulfill the goal
of the attacker if the goal was to instigate black-holing of traffic
that appeared to come from a certain site. On the other hand, this
black hole technique can decrease the collateral damage caused by an
overly large attack aimed at something other than critical services.
2.8.3. Unicast Reverse Path Forwarding

Unicast Reverse Path Forwarding (uRPF) is a mechanism for validating
whether or not an incoming packet has a legitimate source address.
It has two modes: strict mode and loose mode. In strict mode, uRPF
checks whether the incoming packet has a source address that matches
a prefix in the routing table, and whether the interface expects to
receive a packet with this source address prefix. If the incoming
packet fails the unicast RPF check, the packet is not accepted on the
incoming interface. Loose mode uRPF is not as specific and the
incoming packet is accepted if there is any route in the routing
table for the source address.

While BCP84 [RFC3704] and a study on uRPF experiences [BCP84-URPF]
detail how asymmetry, i.e., multiple routes to the source of a
packet, does not preclude applying feasible paths strict uRPF, it is
generally not used on interfaces that are likely to have routing
asymmetry. Usually for the larger ISPs, uRPF is placed at the
customer edge of a network.
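The three checks described above (strict, the feasible-path relaxation from BCP 84, and loose), run over a small forwarding table so the difference is visible on concrete packets. This is an added example, not code from RFC 4778 or from any router vendor: the FIB, the interface names, the packets and the ignore_default switch (modelled on the option many routers offer so that a default route does not satisfy the check) are all constructed for the demonstration.

```python
"""uRPF strict, feasible-path and loose checks against a small FIB.

Added example, not from RFC 4778: it models the behaviours Section 2.8.3
describes. The FIB, interface names and packets are constructed; the
ignore_default switch is an assumption modelled on the common router option
that keeps a default route from satisfying the check.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# prefix -> interfaces with a route to it. Index 0 is the active best path;
# any further entries are known but non-preferred (feasible) paths.
FIB: Dict[str, List[str]] = {
    "203.0.113.0/24": ["cust1"],              # single-homed customer
    "198.51.100.0/24": ["peer-a", "peer-b"],  # multihomed site, best via peer-a
    "0.0.0.0/0": ["transit"],                 # default route
}


def best_route(fib: Dict[str, List[str]], src: str,
               ignore_default: bool = True) -> Optional[Tuple[object, List[str]]]:
    """Longest-prefix match for src; returns (network, interfaces) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifaces in fib.items():
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version or addr not in net:
            continue
        if ignore_default and net.prefixlen == 0:
            continue                    # a default route proves nothing about src
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, ifaces)
    return best


def urpf_check(fib: Dict[str, List[str]], src: str, in_iface: str,
               mode: str, ignore_default: bool = True) -> bool:
    """True if a packet from src arriving on in_iface passes uRPF in `mode`."""
    route = best_route(fib, src, ignore_default)
    if route is None:
        return False                    # no route at all: fails every mode
    _net, ifaces = route
    if mode == "strict":
        return ifaces[0] == in_iface    # best path must point back out in_iface
    if mode == "feasible":
        return in_iface in ifaces       # any known path suffices (BCP 84 relaxation)
    if mode == "loose":
        return True                     # a route exists; the interface is irrelevant
    raise ValueError(f"unknown uRPF mode: {mode}")


# Constructed packets: (source, arriving interface, what the case represents)
PACKETS = [
    ("203.0.113.7", "cust1", "customer packet on its own link"),
    ("203.0.113.7", "peer-a", "customer address arriving from a peer"),
    ("198.51.100.9", "peer-b", "asymmetric return path of a multihomed site"),
    ("192.0.2.5", "transit", "source covered only by the default route"),
    ("2001:db8::1", "peer-a", "no route at all"),
]


def evaluate(fib=FIB, packets=PACKETS, ignore_default: bool = True):
    """Run every packet through all three modes -> {(src, iface): {mode: bool}}."""
    return {
        (src, iface): {m: urpf_check(fib, src, iface, m, ignore_default)
                       for m in ("strict", "feasible", "loose")}
        for src, iface, _ in packets
    }


if __name__ == "__main__":
    for (src, iface), res in evaluate().items():
        flags = " ".join(f"{m}={'pass' if v else 'drop'}" for m, v in res.items())
        print(f"{src:>14} on {iface:<8} {flags}")
```

The multihomed case is the one the text warns about: the packet from 198.51.100.9 arriving on peer-b is legitimate, fails strict mode because the best path points at peer-a, and passes only the feasible-path or loose check. The default-route case shows why strict mode belongs at the customer edge rather than on a transit interface: with the default route counted, every source passes strict mode there.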
2.8.4. Rate Limiting

Rate limiting refers to allocating a specific amount of bandwidth or
packets per second to specific traffic types. This technique is
widely used to mitigate well-known protocol attacks such as the
TCP-SYN attack, where a large number of resources get allocated for
spoofed TCP traffic. Although this technique does not stop an
attack, it can sometimes lessen the damage and impact on a specific
service. However, it can also make the impact of a DoS attack much
worse if the rate limiting is impacting (i.e., discarding) more
legitimate traffic.
2.8.5. Specific Control Plane Traffic Enhancements

Some ISPs are starting to use capabilities that are available from
some vendors to simplify the filtering and rate limiting of control
traffic. Control traffic here refers to the routing control plane
and management plane traffic that requires CPU cycles. A DoS attack
against any control plane traffic can therefore be much more damaging
to a critical device than other types of traffic. No consistent
deployment of this capability was found at the time of this writing.
3. Security Considerations

This entire document deals with current security practices in large
ISP environments. It lists specific practices used in today's
environments and as such, does not in itself pose any security risk.

4. Acknowledgments

The editor gratefully acknowledges the contributions of: George
Jones, who has been instrumental in providing guidance and direction
for this document, and the insightful comments from Ross Callon, Ron
Bonica, Ryan Mcdowell, Gaurab Upadhaya, Warren Kumari, Pekka Savola,
Fernando Gont, Chris Morrow, Ted Seely, Donald Smith, and the
numerous ISP operators who supplied the information that is depicted
in this document.
5. References

5.1. Normative References

[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
          Defeating Denial of Service Attacks which employ IP
          Source Address Spoofing", BCP 38, RFC 2827, May 2000.

[RFC2828] Shirey, R., "Internet Security Glossary", RFC 2828,
          May 2000.

[RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC
          Text on Security Considerations", BCP 72, RFC 3552,
          July 2003.

[RFC3682] Gill, V., Heasley, J., and D. Meyer, "The Generalized
          TTL Security Mechanism (GTSM)", RFC 3682,
          February 2004.

[RFC3704] Baker, F. and P. Savola, "Ingress Filtering for
          Multihomed Networks", BCP 84, RFC 3704, March 2004.

[RFC3882] Turk, D., "Configuring BGP to Block Denial-of-Service
          Attacks", RFC 3882, September 2004.

5.2. Informational References

[BCP84-URPF] Savola, P., "Experiences from Using Unicast RPF", Work
             in Progress, November 2006.

[ICMPv6]     Davies, E. and J. Mohacsi, "Recommendations for
             Filtering ICMPv6 Messages in Firewalls", Work
             in Progress, July 2006.

[RTGWG]      Savola, P., "Backbone Infrastructure Attacks and
             Protections", Work in Progress, July 2006.
Appendix A. Protocol Specific Attacks

This section lists many of the traditional protocol-based attacks
that have been observed over the years to cause malformed packets
and/or exploit protocol deficiencies. Note that they all exploit
vulnerabilities in the actual protocol itself, and often additional
authentication and auditing mechanisms are now used to detect and
mitigate the impact of these attacks. The list is not exhaustive,
but is a representative fraction of the types of attacks that are
possible for varying protocols.
A.1. Layer 2 Attacks

o ARP Flooding

A.2. IPv4 Protocol-Based Attacks

o IP Addresses, either source or destination, can be spoofed, which
  in turn can circumvent established filtering rules.

o IP Source Route Option can allow attackers to establish stealth
  TCP connections.

o IP Record Route Option can disclose information about the topology
  of the network.

o IP header that is too long or too short can cause DoS attacks to
  devices.

o IP Timestamp Option can leak information that can be used to
  discern network behavior.

o Fragmentation attacks, which can vary widely - more detailed
  information can be found at http://www-src.lip6.fr/homepages/
  Fabrice.Legond-Aubry/www.ouah.org/fragma.html.

o IP ToS field (or the Differentiated Services (DSCP) field) can be
  used to reroute or reclassify traffic based on specified
  precedence.

o IP checksum field has been used for scanning purposes, for example
  when some firewalls did not check the checksum and allowed an
  attacker to differentiate when the response came from an end-
  system, and when from a firewall.

o IP TTL field can be used to bypass certain network-based intrusion
  detection systems and to map network behavior.
A.2.1. Higher Layer Protocol Attacks

The following lists additional attacks, but does not explicitly
enumerate them in detail. It is for informational purposes only.

o IGMP oversized packet

o ICMP Source Quench

o ICMP Mask Request

o ICMP Large Packet (> 1472)
o UDP attack on diagnostic ports (Pepsi Attack)

A.3. IPv6 Attacks

Any of the above-mentioned IPv4 attacks could be used in IPv6
networks with the exception of any fragmentation and broadcast
traffic, which operate differently in IPv6. Note that all of these
attacks are based on either spoofing or misusing any part of the
protocol field(s).

Today, IPv6-enabled hosts are starting to be used to create IPv6
tunnels, which can effectively hide botnet and other malicious
traffic if firewalls and network flow collection tools are not
capable of detecting this traffic. The security measures used for
protecting IPv6 infrastructures should be the same as in IPv4
networks, but with additional considerations for IPv6 network
operations, which may be different from IPv4.
Author's Address

Merike Kaeo
Double Shot Security, Inc.
3518 Fremont Avenue North #363
Seattle, WA 98103
U.S.A.

Phone: +1 310 866 0165
EMail: merike@doubleshotsecurity.com
Full Copyright Statement

Copyright (C) The IETF Trust (2007).

This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.

Acknowledgement

Funding for the RFC Editor function is currently provided by the
Internet Society.