Dennis Beard Sandra Murphy Yi Yang - PowerPoint PPT Presentation
Title:
Dennis Beard Sandra Murphy Yi Yang
Description:
Intra- and Inter-domain (IGP and EGP) ... the subsystem that carries the ... Misclaiming. Is underclaiming a valid threat? ( not-existing vs. not defendable) ... – PowerPoint PPT presentation
Number of Views:43
Avg rating:3.0/5.0
Title: Dennis Beard Sandra Murphy Yi Yang
1
Threats to Routing Protocols
- Dennis BeardSandra MurphyYi Yang
- March 2003
2
Outline
- Scope
- Routing Functions
- Threat Definition
- Threat Source, Action Consequence
- Generally Identifiable Routing Threat Actions
- Threats against Multicast Routing Protocols
3
Scope
- All routing protocols
- Intent advise routing protocol designers about
security - get them thinking about vulnerabilities
- set requirements (MUST, SHOULD, MAY)
- Intra- and Inter-domain (IGP and EGP)
- Security of the protocol, not of the operational
environment it works in
4
Routing Functions
- Transport subsystem
- the subsystem that carries the data between
routers - can be attacked - impact on routing protocol
- can carry attack to the routing protocol
- Neighbor state
- determine peer and establish relationship
- attacks can break relationship - disrupt routing
- typo draft said BGP and CEASE msg
5
Routing Functions (cont)
- Database maintenance
- sometimes a separate step, sometimes an implicit
result of the communication of topology info - like wireless keeping interesting routes
- topology computation from database
- Each function has control and data parts
- different consequences from each
6
Threat definition
- A potential for violation of security, which
exists when there is a circumstance, capability,
action, or event that could breach security and
cause harm. - Robert Shirey, RFC2828 Internet Security
Glossary
The RFC definitions are the basis for the
expression of our model
7
Threat Model - Sources
- Intruders or malicious programs launched by the
intruder - Compromised (or subverted??) links
- Compromised (or subverted??) routers
- Masquerading routers (illegitimately assumes
identity/ role) - Unauthorized devices
- Should RP designers worry about subverted links?
- Should we distinguish masquerading from
unauthorized routers?
A router may play multiple roles simultaneously
8
Threat Model - Actions
- Attacks and other intentional malicious actions
against the routing protocols - Address proper protocol design to mitigate threat
- Need to identify external factor that protocol
should protect - Deliberate exposure
- Sniffing/ wiretapping
- Traffic analysis
- Spoofing
- Falsification
- Interference
- Overload
An attacker may launch multiple actions
simultaneously
9
Threat Model - Consequences
- Compromises and the damage done by the malicious
actions - Zones (impact to router(s), Autonomous System(s),
Global) - Period (smaller, equal or greater than threat
action duration) - Disclosure
- Unauthorized access to routing info
- Deception
- Belief of false routing info
- Disruption
- Operation degradation or interruption
- Usurpation
- Control/ modification of legitimate router
services / functions
An action may cause multiple consequences
10
Generally Identifiable Threat Actions
- Deliberate Exposure
- Intentional release of routing information
- Sniffing
- Monitor routing exchange between legitimate
routers - Traffic Analysis
- Indirect access to routing info gained by
monitoring data traffic - Spoofing
- Assume others identity
- Falsification
- Declare invalid routing information
- Interference
- Impact routing exchanges
- Overload
- Place excessive burdens
11
Deliberate Exposure
- Intentional release of routing information to
unauthorized devices - All attackers
- Disclosure
- Is this a valid threat against routing protocols?
12
Sniffing/ Wiretapping
- Monitor / record routing information
- Compromised / subverted links
- Disclosure
13
Traffic Analysis
- Analyze data traffic to learn routing information
- Compromised / subverted links
- Disclosure
- Is this a valid threat against routing protocols?
14
Spoof
- Illegally assumes a legitimate router's identity
- All attackers
- Attackers become masquerading routers after
successful spoof - It is a threat, as well as a means to launch
threat - Consequences
- Deception (on peer relationship) and Dos based on
the Deception - Accounting
- Disclosure (on routing information)
15
Falsification
- Make and distribute invalid routing information
- Sources
- Originator All attackers except compromised /
subverted links - Overclaiming
- Underclaiming
- Misclaiming
- Is underclaiming a valid threat? (not-existing
vs. not defendable) - Forwarder all attackers
- Overstatement
- Understatement
- Misstatement
16
Falsification (cont)
- Consequences
- Deception
- Usurpation
- Disruption
17
Interference
- Inhibit routing exchanges
- All attackers
- Disruption
18
Overload
- Place excess burden
- Against control plane or data plane
- Should we care about data plane in routing
protocol design? - All attackers
- Disruption
19
Byzantine Failures
- Caused by faulty routers
- So general that redundant to other threat
actions falsification, overload - Should not be listed separately
20
Discarding of control packets
- Similar to underclaiming?
- OLSR
21
Network Mapping Threats
- Threat action or consequence?
- If this is action, is it redundant to
sniffing/traffic analysis?
22
Multicast Routing Threat Actions
- Introduction of misleading route information via
non-existent (black hole) or incorrect routes is
a key MC routing vulnerability - MC routing protocols are at least as susceptible
as Unicast. Updates can be - Fabricated
- Modified
- Replayed
- Deleted
- Snooped
23
Sandys Comments Summarized
- Section 3.1 content
- Section 4.1 Deliberate Exposure content
- Section 4.3 Traffic Analysis content
- Section 4.4 Spoofing editorial
- Section 4.5 Underclaiming content
- Section 4.5a ownership editorial
- Section 4.7 Overload editorial/content
- Section 4.8 Byzantine Failures editorial
- Section 4.9 Discard of Control Messages content
- Section 4.10 Network Mapping editorial
- Multicast Routing editorial (redundant,
inconsistent)
24
Sandys Comments Some Themes
- privacy of routing data - important?
- comments both ways on mailing list
- nemo group wants location privacy
- Section 4.1 Deliberate Exposure
- Section 4.3 Traffic Analysis
- not attack in routing protocol (or not
addressable) - Section 4.3 Traffic Analysis
- Section 4.7 Overload
- Section 2 Transport Subsystem
- correctness vs security
- Section 4.5 Underclaiming
- Section 4.9 Discard of Control messages
25
Sanity Checks
- Need to compare to BGP Attack Tree document
- see if there are attacks there not represented
here and vice versa - many of that documents attacks are operational
in nature (I.e., not the business of this
analysis) - Need to compare to SOBGP/SBGP
- see if those approaches deal with these threat
actions, sources, consequences - see if there are any further vulnerabilities
unprotected - Need to compare to other routing protocol
expressed security requirements (e.g., nemo)
26
In Closing
- We have presented a model to
- Document threats related consequences
- Provide a format to help prioritize results
- Enable a process to
- Address top threat actions
- Make a decision on medium/ low threat actions
- Must be included
- Acceptable risk (future work)
27
Next Step
- Need your input to address the following
- Structure
- Content
Thank You!
Recommended
CrystalGraphics Presentations
