Known Threats to Routing Protocols
Dennis Beard & Yi Yang
Presented by Marc DesRosiers
November 2002
Outline
• Threat Model
  - Sources
  - Actions
  - Consequences
• Work to Date
  - Generally Identifiable Threat Actions
  - Multicast Routing Threat Actions
• Work in Progress
  - Threat Actions against Control Planes
  - Other Specific Threat Actions
Threat definition
"A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm."
Robert Shirey, RFC 2828: Internet Security Glossary
The RFC definitions are the basis for the expression of our model
Threat Model
(Flow diagram.) Threat Sources (Attackers / Intruders) launch Threat Actions. Succeed? No: no consequence. Yes: Threat Consequences, characterized by Zone and Period.
Threat Model - Sources
• Intruders or malicious programs launched by the intruder
• Compromised / subverted links
• Compromised / subverted routers
• Masquerading routers (illegitimately assume an identity / role)
• Unauthorized devices
* A router may play multiple roles simultaneously
Threat Model - Actions
Attacks and other intentional malicious actions against the routing protocols
• Address proper protocol design to mitigate the threat
• Need to identify the external factors that the protocol should protect against
• Deliberate exposure
• Sniffing / wiretapping
• Traffic analysis
• Spoofing
• Falsification
• Interference
• Overload
* An attacker may launch multiple actions simultaneously
Threat Model - Consequences
Compromises and the damage done by the malicious actions
• Disclosure: unauthorized access to routing info
• Deception: belief of false routing info
• Disruption: operation degradation or interruption
• Usurpation: control / modification of legitimate router services / functions
Zones (impact to router(s), Autonomous System(s), Global)
Period (smaller, equal or greater than threat action duration)
* An action may cause multiple consequences
Work to Date – Generally Identifiable Threat Actions
• Deliberate Exposure: intentional release of routing information
• Sniffing: monitor routing exchange between legitimate routers
• Traffic Analysis: indirect access to routing info gained by monitoring data traffic
• Spoofing: assume other's identity
• Falsification: declare invalid routing information
• Interference: impact routing exchanges
• Overload: place excessive burdens
Deliberate Exposure
• Description: Intentional release of routing information to unauthorized devices
• Sources: All attackers
• Consequence: Disclosure
Sniffing / Wiretapping
• Description: Monitor / record routing information
• Sources: Compromised / subverted links
• Consequence: Disclosure
Traffic Analysis
• Description: Analyze data traffic to learn routing information
• Sources: Compromised / subverted links
• Consequence: Disclosure
Spoof
• Description: Illegally assumes a legitimate router's identity
• Sources: All attackers
• Attackers become masquerading routers after a successful spoof
• Consequences:
  - Deception (on peer relationship)
  - Disclosure (on routing information)
Falsification
• Description: Make and distribute invalid routing information
• Sources:
  - Originator: All attackers except compromised / subverted links
  - Forwarder: All attackers
• Consequences:
  - Deception
  - Usurpation
  - Disruption
Interference
• Description: Inhibit routing exchanges
• Sources: All attackers
• Consequence: Disruption
Overload
• Description: Place excess burden
• Sources: All attackers
• Consequence: Disruption
Work to Date - Multicast Threat Actions
• Introduction of misleading route information via nonexistent (black hole) or incorrect routes is a key multicast (MC) routing vulnerability
• MC routing protocols are at least as susceptible as unicast. Updates can be:
  - Fabricated
  - Modified
  - Replayed
  - Deleted
  - Snooped
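Four of the five update manipulations listed above (fabricated, modified, replayed, deleted), like the Falsification and Spoof actions in the earlier slides, are things a receiving router can be designed to notice. The following Python sketch is an added example written for this transcript; it is not code from the presentation or from any routing implementation. It assumes a common protocol-design mitigation that the slides do not spell out: each update carries an HMAC-SHA256 tag computed under a pre-shared key (catches fabrication and modification) and a per-sender monotonically increasing sequence number (catches replay, and makes deletion visible as a gap). Snooping is a confidentiality loss that the receiver cannot detect; this example deliberately does not address it. The key, router names and prefixes are constructed sample values.

```python
import hmac
import hashlib
import json

# Constructed shared key for the example; a real deployment provisions keys out of band.
SHARED_KEY = b"example-routing-key"


def build_update(sender, seq, prefixes, key=SHARED_KEY):
    """Serialize a routing update and attach an HMAC-SHA256 tag over its contents.

    Hypothetical wire format: canonical JSON body + hex tag. Any change to the
    body after tagging (modification), or a tag made without the key
    (fabrication), fails verification at the receiver.
    """
    body = json.dumps(
        {"sender": sender, "seq": seq, "prefixes": prefixes}, sort_keys=True
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Receiving router: authenticates, then enforces sequence monotonicity."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_seq = {}  # highest accepted sequence number per sender
        self.routes = {}    # sender -> prefixes currently believed

    def accept(self, update):
        """Return (verdict, reason). Only 'accepted' updates change routing state."""
        body, tag = update["body"], update["tag"]
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # Constant-time comparison; a mismatch means fabricated or modified.
        if not hmac.compare_digest(expected, tag):
            return "rejected", "bad authentication tag (fabricated or modified)"
        msg = json.loads(body)
        sender, seq = msg["sender"], msg["seq"]
        last = self.last_seq.get(sender, -1)
        # A sequence number at or below the last accepted one is a replay.
        if seq <= last:
            return "rejected", "stale sequence number (replayed)"
        gap = seq - last - 1
        self.last_seq[sender] = seq
        self.routes[sender] = msg["prefixes"]
        # A jump in sequence numbers means intermediate updates never arrived.
        if last >= 0 and gap > 0:
            return "accepted", f"gap of {gap} update(s) from {sender} (possible deletion)"
        return "accepted", "ok"


def run_demo():
    """Run constructed scenarios for each detectable manipulation; return verdicts."""
    rx = Receiver()
    results = []
    legit = build_update("routerA", 1, ["10.0.0.0/8"])
    results.append(rx.accept(legit)[0])                              # accepted
    # Modified in transit: body altered, original tag left in place.
    tampered = dict(legit, body=legit["body"].replace(b"10.0.0.0/8", b"10.9.0.0/16"))
    results.append(rx.accept(tampered)[0])                           # rejected
    # Fabricated by a device that does not hold the shared key.
    forged = build_update("routerA", 2, ["10.9.0.0/16"], key=b"attacker-guess")
    results.append(rx.accept(forged)[0])                             # rejected
    second = build_update("routerA", 2, ["10.0.0.0/8", "10.1.0.0/16"])
    results.append(rx.accept(second)[0])                             # accepted
    # Replay of the first, genuine update after a newer one was accepted.
    results.append(rx.accept(legit)[0])                              # rejected
    # Sequence jumps from 2 to 5: two updates were lost or deleted in between.
    results.append(rx.accept(build_update("routerA", 5, ["10.0.0.0/8"]))[1])
    return results


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The receiver never inspects the prefixes themselves; these checks establish who sent an update and in what order, which is the layer at which fabrication, modification, replay and deletion are caught. Whether an authenticated update from a legitimate peer carries correct routing information is the separate falsification-by-originator problem the slides list, and needs policy or origin-validation logic that this example does not attempt.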
Work in Progress – Threat Actions against Control Planes
• Unauthorized network mapping
• Promiscuous mode and network topology
• Instability in the routing protocols
Work in Progress – Other Specific Threat Actions
• Byzantine Failures
• Discarding of control packets
• Impersonation and Intrusion Monitoring
In Closing…
We have presented a model to:
• Document threats & related consequences
• Provide a format to help prioritize results
• Enable a process to:
  1. Address top threat actions (must be included)
  2. Make a decision on medium / low threat actions (acceptable risk; future work)
Next Step
Need your input to address the following:
• Structure
• Content
• Consolidation
Thank You!
Contributors
• Dennis Beard – Nortel Networks
• Yi Yang – Cisco Systems
• Paul Knight – Nortel Networks
• Ameya Pandit – Univ of Missouri
• S. Ayyasamy – Univ of Missouri
• Ayman Musharbash – Nortel Networks
Backup Material
Usurpation
(Diagram: Internet, Router A, Router B, prefix 20.0.0.0/8.)
Good Security? or Something Else?
The following are desirable events to the overall routing infrastructure, but are they security concerns to the routing protocol?
• Topology Hiding – security, or scalability / manageability, or a business goal for revenue protection?
• Data Consistency – a router being able to detect and recover from inconsistent data received from other routers. Security or correctness?
• Routing Information Policies – security or manageability?
• Incremental Deployment – security or good configuration control?
Another Approach to Identify Routing Protocol Threats
Identify common subsystems in routing protocols. Example:
• Transport subsystems
• Neighbor state maintenance
• Database maintenance
• Routing state maintenance
At the next level of granularity, describe different categories and subcategories for each subsystem.