Dennis Beard Sandra Murphy Yi Yang - PowerPoint PPT Presentation
Slides: 28
Provided by: BEA95
Learn more at: https://www.ietf.org
Transcript and Presenter's Notes

1
Threats to Routing Protocols
  • Dennis Beard, Sandra Murphy, Yi Yang
  • March 2003

2
Outline
  • Scope
  • Routing Functions
  • Threat Definition
  • Threat Source, Action Consequence
  • Generally Identifiable Routing Threat Actions
  • Threats against Multicast Routing Protocols

3
Scope
  • All routing protocols
  • Intent: advise routing protocol designers about
    security
    • get them thinking about vulnerabilities
    • set requirements (MUST, SHOULD, MAY)
  • Intra- and Inter-domain (IGP and EGP)
  • Security of the protocol, not of the operational
    environment it works in

4
Routing Functions
  • Transport subsystem
    • the subsystem that carries the data between
      routers
    • can be attacked - impact on routing protocol
    • can carry an attack to the routing protocol
  • Neighbor state
    • determine peer and establish relationship
    • attacks can break relationship - disrupt routing
    • typo: draft said BGP and CEASE msg

5
Routing Functions (cont)
  • Database maintenance
    • sometimes a separate step, sometimes an implicit
      result of the communication of topology info
    • like wireless keeping interesting routes
  • Topology computation from database
  • Each function has control and data parts
    • different consequences from each

6
Threat definition
  • "A potential for violation of security, which
    exists when there is a circumstance, capability,
    action, or event that could breach security and
    cause harm."
    • Robert Shirey, RFC 2828 Internet Security
      Glossary

The RFC definitions are the basis for the
expression of our model

7
Threat Model - Sources
  • Intruders or malicious programs launched by the
    intruder
  • Compromised (or subverted??) links
  • Compromised (or subverted??) routers
  • Masquerading routers (illegitimately assume an
    identity / role)
  • Unauthorized devices
  • Should RP designers worry about subverted links?
  • Should we distinguish masquerading from
    unauthorized routers?

A router may play multiple roles simultaneously

8
Threat Model - Actions
  • Attacks and other intentional malicious actions
    against the routing protocols
  • Address proper protocol design to mitigate threat
  • Need to identify external factors that the protocol
    should protect against
  • Deliberate exposure
  • Sniffing / wiretapping
  • Traffic analysis
  • Spoofing
  • Falsification
  • Interference
  • Overload

An attacker may launch multiple actions
simultaneously

9
Threat Model - Consequences
  • Compromises and the damage done by the malicious
    actions
    • Zones (impact to router(s), Autonomous System(s),
      Global)
    • Period (smaller, equal or greater than threat
      action duration)
  • Disclosure
    • Unauthorized access to routing info
  • Deception
    • Belief of false routing info
  • Disruption
    • Operation degradation or interruption
  • Usurpation
    • Control / modification of legitimate router
      services / functions

An action may cause multiple consequences

10
Generally Identifiable Threat Actions
  • Deliberate Exposure
    • Intentional release of routing information
  • Sniffing
    • Monitor routing exchange between legitimate
      routers
  • Traffic Analysis
    • Indirect access to routing info gained by
      monitoring data traffic
  • Spoofing
    • Assume another's identity
  • Falsification
    • Declare invalid routing information
  • Interference
    • Impact routing exchanges
  • Overload
    • Place excessive burdens

11
Deliberate Exposure
  • Intentional release of routing information to
    unauthorized devices
  • All attackers
  • Disclosure
  • Is this a valid threat against routing protocols?

12
Sniffing / Wiretapping
  • Monitor / record routing information
  • Compromised / subverted links
  • Disclosure

13
Traffic Analysis
  • Analyze data traffic to learn routing information
  • Compromised / subverted links
  • Disclosure
  • Is this a valid threat against routing protocols?

14
Spoof
  • Illegally assumes a legitimate router's identity
  • All attackers
  • Attackers become masquerading routers after a
    successful spoof
  • It is a threat, as well as a means to launch
    threats
  • Consequences
    • Deception (on peer relationship) and DoS based on
      the deception
    • Accounting
    • Disclosure (on routing information)

15
Falsification
  • Make and distribute invalid routing information
  • Sources
    • Originator: all attackers except compromised /
      subverted links
      • Overclaiming
      • Underclaiming
      • Misclaiming
      • Is underclaiming a valid threat? (not-existing
        vs. not defendable)
    • Forwarder: all attackers
      • Overstatement
      • Understatement
      • Misstatement

16
Falsification (cont)
  • Consequences
    • Deception
    • Usurpation
    • Disruption
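An added example (not from the slides or the draft) that applies the originator categories from the two Falsification slides above to constructed route announcements, checking them against an authorization table the way a route-origin validator would. It assumes working definitions the slides do not give: overclaiming is announcing more address space than the originator is entitled to, underclaiming is leaving entitled space unannounced, and misclaiming is announcing space that is entitled to a different originator; the table, originator names and prefixes are constructed sample data, and the forwarder categories (over/under/misstatement) are not covered.

```python
import ipaddress

# Constructed authorization table: originator -> prefixes it may announce.
# (A real deployment would derive this from a registry such as RPKI ROAs;
# that is an assumption of this example, not something the slides specify.)
AUTHORIZED = {
    "R1": ["10.0.0.0/16", "192.0.2.0/24"],
    "R2": ["198.51.100.0/24"],
}

# Constructed sample announcements as (originator, prefix) pairs.
ANNOUNCEMENTS = [
    ("R1", "10.0.1.0/24"),      # more-specific inside R1's grant: legitimate
    ("R1", "10.0.0.0/8"),       # aggregate wider than R1's grant: overclaiming
    ("R2", "192.0.2.0/24"),     # space granted to R1, announced by R2: misclaiming
    ("R2", "198.51.100.0/24"),  # legitimate
]

def _covered_by(prefix, grants):
    """True if prefix equals or is more specific than one of the grants."""
    return any(g.version == prefix.version and prefix.subnet_of(g) for g in grants)

def classify(authorized, announcements):
    """Label each announcement 'legitimate', 'overclaiming' or 'misclaiming'
    (assumed working definitions, see comments) and list underclaimed grants."""
    grants = {o: [ipaddress.ip_network(p) for p in ps] for o, ps in authorized.items()}
    labels = {}
    for origin, pfx in announcements:
        net = ipaddress.ip_network(pfx)
        if _covered_by(net, grants.get(origin, [])):
            label = "legitimate"
        elif any(_covered_by(net, g) for o, g in grants.items() if o != origin):
            label = "misclaiming"   # space some other originator is entitled to
        else:
            label = "overclaiming"  # space nobody granted, or wider than the grant
        labels[(origin, pfx)] = label
    # Underclaiming: a grant with no announcement from its owner inside it.
    # It is only detectable against an external "expected" list, which is what
    # the slide's "not-existing vs. not defendable" question comes down to.
    seen = [(o, ipaddress.ip_network(p)) for o, p in announcements]
    under = [(o, str(g)) for o, gs in grants.items() for g in gs
             if not any(so == o and _covered_by(n, [g]) for so, n in seen)]
    return labels, under

if __name__ == "__main__":
    labels, under = classify(AUTHORIZED, ANNOUNCEMENTS)
    for key, label in labels.items():
        print(key, label)
    print("underclaiming:", under)
```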

17
Interference
  • Inhibit routing exchanges
  • All attackers
  • Disruption

18
Overload
  • Place excess burden
  • Against control plane or data plane
    • Should we care about data plane in routing
      protocol design?
  • All attackers
  • Disruption

19
Byzantine Failures
  • Caused by faulty routers
  • So general that it is redundant with other threat
    actions (falsification, overload)
  • Should not be listed separately

20
Discarding of control packets
  • Similar to underclaiming?
  • OLSR

21
Network Mapping Threats
  • Threat action or consequence?
  • If this is action, is it redundant to
    sniffing/traffic analysis?

22
Multicast Routing Threat Actions
  • Introduction of misleading route information via
    non-existent (black hole) or incorrect routes is
    a key MC routing vulnerability
  • MC routing protocols are at least as susceptible
    as Unicast. Updates can be:
    • Fabricated
    • Modified
    • Replayed
    • Deleted
    • Snooped

23
Sandy's Comments Summarized
  • Section 3.1 (content)
  • Section 4.1 Deliberate Exposure (content)
  • Section 4.3 Traffic Analysis (content)
  • Section 4.4 Spoofing (editorial)
  • Section 4.5 Underclaiming (content)
  • Section 4.5a ownership (editorial)
  • Section 4.7 Overload (editorial/content)
  • Section 4.8 Byzantine Failures (editorial)
  • Section 4.9 Discard of Control Messages (content)
  • Section 4.10 Network Mapping (editorial)
  • Multicast Routing (editorial: redundant,
    inconsistent)

24
Sandy's Comments: Some Themes
  • privacy of routing data - important?
    • comments both ways on mailing list
    • nemo group wants location privacy
    • Section 4.1 Deliberate Exposure
    • Section 4.3 Traffic Analysis
  • not an attack on the routing protocol (or not
    addressable)
    • Section 4.3 Traffic Analysis
    • Section 4.7 Overload
    • Section 2 Transport Subsystem
  • correctness vs. security
    • Section 4.5 Underclaiming
    • Section 4.9 Discard of Control messages

25
Sanity Checks
  • Need to compare to BGP Attack Tree document
    • see if there are attacks there not represented
      here and vice versa
    • many of that document's attacks are operational
      in nature (i.e., not the business of this
      analysis)
  • Need to compare to SOBGP/SBGP
    • see if those approaches deal with these threat
      actions, sources, consequences
    • see if there are any further vulnerabilities
      left unprotected
  • Need to compare to other routing protocols'
    expressed security requirements (e.g., nemo)

26
In Closing
  • We have presented a model to
    • Document threats and related consequences
    • Provide a format to help prioritize results
  • Enable a process to
    • Address top threat actions
    • Make a decision on medium / low threat actions
      • Must be included
      • Acceptable risk (future work)

27
Next Step
  • Need your input to address the following
    • Structure
    • Content

Thank You!