Known Threats to Routing Protocols
Dennis Beard & Yi Yang
Presented by Marc DesRosiers
November 2002
Outline
Threat Model
Work to Date
  Sources
  Actions
  Consequences
  Generally Identifiable Threat Actions
  Multicast Routing Threat Actions
Work in Progress
  Threat Actions against Control Planes
  Other Specific Threat Actions
Threat definition
“A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.”
Robert Shirey, RFC 2828: Internet Security Glossary
The RFC definitions are the basis for the expression of our model.
Threat Model
Threat Sources (Attackers / Intruders)
  -> Threat Actions
     -> Succeed? No: No consequence
     -> Succeed? Yes: Threat Consequences (Zone, Period)
Threat Model - Sources
Intruders or malicious programs launched by the intruder
Compromised / subverted links
Compromised / subverted routers
Masquerading routers (illegitimately assume an identity / role)
Unauthorized devices
* A router may play multiple roles simultaneously
Threat Model - Actions
Attacks and other intentional malicious actions against the routing protocols
Address proper protocol design to mitigate threats
Need to identify the external factors that the protocol should protect against
Deliberate exposure
Sniffing / wiretapping
Traffic analysis
Spoofing
Falsification
Interference
Overload
* An attacker may launch multiple actions simultaneously
Threat Model - Consequences
Compromises and the damage done by the malicious actions
Disclosure
  • Unauthorized access to routing info
Deception
  • Belief of false routing info
Disruption
  • Operation degradation or interruption
Usurpation
  • Control / modification of legitimate router services / functions
Zones (impact to router(s), Autonomous System(s), Global)
Period (smaller, equal or greater than threat action duration)
* An action may cause multiple consequences
Work to Date – Generally Identifiable Threat Actions
Deliberate Exposure – Intentional release of routing information
Sniffing – Monitor routing exchange between legitimate routers
Traffic Analysis – Indirect access to routing info gained by monitoring data traffic
Spoofing – Assume other's identity
Falsification – Declare invalid routing information
Interference – Impact routing exchanges
Overload – Place excessive burdens
Deliberate Exposure
Action: Intentional release of routing information to unauthorized devices
Sources: All attackers
Consequences: Disclosure

Sniffing / Wiretapping
Action: Monitor / record routing information
Sources: Compromised / subverted links
Consequences: Disclosure

Traffic Analysis
Action: Analyze data traffic to learn routing information
Sources: Compromised / subverted links
Consequences: Disclosure

Spoof
Action: Illegally assume a legitimate router's identity
Sources: All attackers
Note: Attackers become masquerading routers after a successful spoof
Consequences: Deception (on peer relationship); Disclosure (on routing information)

Falsification
Action: Make and distribute invalid routing information
Sources: Originator: all attackers except compromised / subverted links; Forwarder: all attackers
Consequences: Deception, Usurpation, Disruption

Interference
Action: Inhibit routing exchanges
Sources: All attackers
Consequences: Disruption

Overload
Action: Place excess burden
Sources: All attackers
Consequences: Disruption
Work to Date - Multicast Threat Actions
Introduction of misleading route information via nonexistent (black hole) or incorrect routes is a key MC routing vulnerability
MC routing protocols are at least as susceptible as unicast. Updates can be:
Fabricated
Modified
Replayed
Deleted
Snooped
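As an added illustration that is not part of the presentation, the following Python sketch shows how a receiving router can recognise four of the five update threats listed above (fabricated, modified, replayed, deleted) at the point where an update arrives. The update format, the peer names, the keys and the per-peer HMAC-plus-sequence-number scheme are assumptions made for this example, not something the slides specify.

```python
import hashlib
import hmac
import json

# Constructed per-peer keys for this example; a real deployment would provision them out of band.
PEER_KEYS = {"router-a": b"example-key-router-a"}


def sign_update(peer, seq, routes, key):
    """Build an authenticated, sequence-numbered routing update (hypothetical wire format)."""
    body = json.dumps({"peer": peer, "seq": seq, "routes": routes}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class UpdateReceiver:
    """Checks each incoming update and names the threat action it appears to carry."""

    def __init__(self, peer_keys):
        self.peer_keys = peer_keys
        self.last_seq = {}  # highest accepted sequence number per peer

    def classify(self, msg):
        """Return one of: accepted, gap, fabricated, unauthenticated, replayed."""
        try:
            fields = json.loads(msg["body"])
            peer, seq = fields["peer"], int(fields["seq"])
        except (KeyError, ValueError, TypeError):
            return "fabricated"          # not even a well-formed update
        key = self.peer_keys.get(peer)
        if key is None:
            return "fabricated"          # claims a peer we have no relationship with
        expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            # Either modified in transit or forged by a device masquerading as the peer;
            # the receiver cannot tell these apart and must not act on either.
            return "unauthenticated"
        last = self.last_seq.get(peer)
        if last is not None and seq <= last:
            return "replayed"            # genuine but old update presented again
        verdict = "gap" if last is not None and seq > last + 1 else "accepted"
        self.last_seq[peer] = seq        # gap = accepted, but earlier updates went missing
        return verdict


def run_demo():
    """Feed a constructed stream of updates through the receiver and return the verdicts."""
    receiver = UpdateReceiver(PEER_KEYS)
    key = PEER_KEYS["router-a"]
    u1 = sign_update("router-a", 1, ["10.1.0.0/16"], key)
    u2 = sign_update("router-a", 2, ["10.2.0.0/16"], key)
    u4 = sign_update("router-a", 4, ["10.4.0.0/16"], key)   # seq 3 never arrives (deleted)
    # Modified: the route is rewritten in transit but the tag is left untouched.
    modified = {"body": u2["body"].replace("10.2.0.0/16", "0.0.0.0/0"), "tag": u2["tag"]}
    # Fabricated: an unauthorized device with no peer relationship sends its own update.
    fabricated = sign_update("router-x", 1, ["10.9.0.0/16"], b"not-a-provisioned-key")
    # Masquerading: claims to be router-a without holding router-a's key.
    masquerade = sign_update("router-a", 3, ["10.3.0.0/16"], b"not-a-provisioned-key")
    stream = [u1, u2, modified, u2, fabricated, masquerade, u4]
    return [receiver.classify(m) for m in stream]


if __name__ == "__main__":
    print(run_demo())
```

Snooping, the fifth item, leaves no trace at the receiver at all: integrity and anti-replay checks do nothing for confidentiality, which needs protection of the link itself. Deletion is likewise only inferred, here as a sequence gap; a protocol without sequence numbers would see it only as a missed hello or a timeout.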
Work in Progress – Threat Actions against Control Planes
Unauthorized network mapping
Promiscuous mode and network topology
Instability in the routing protocols
Work in Progress – Other Specific Threat Actions
Byzantine Failures
Discarding of control packets
Impersonation and Intrusion Monitoring
In Closing…
We have presented a model to:
Document threats & related consequences
Provide a format to help prioritize results
Enable a process to:
1. Address top threat actions (must be included)
2. Make a decision on medium / low threat actions (acceptable risk; future work)
Next Step
Need your input to address the following:
Structure
Content
Consolidation
Thank You!
Contributors
Dennis Beard – Nortel Networks
Yi Yang – Cisco Systems
Paul Knight – Nortel Networks
Ameya Pandit – Univ of Missouri
S. Ayyasamy – Univ of Missouri
Ayman Musharbash – Nortel Networks
Backup Material
Usurpation (figure: Internet, Router A, Router B, prefix 20.0.0.0/8)
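The usurpation backup slide survives only as its labels (Internet, Router A, Router B, 20.0.0.0/8). The following Python example is added here and is not part of the presentation; it assumes the scenario those labels suggest, namely that 20.0.0.0/8 legitimately belongs behind Router A and that another router announces that prefix, or a more-specific part of it, and so draws the traffic away. The check compares each announced (prefix, origin) pair against a constructed table of expected origins; the table contents, router names and verdict names are assumptions for the example.

```python
import ipaddress

# Constructed expected-origin table for the example: the router entitled to originate each prefix.
# Keys are assumed to be in canonical form (as str(ipaddress.ip_network(...)) would print them).
EXPECTED_ORIGIN = {
    "20.0.0.0/8": "Router A",
    "10.0.0.0/8": "Router B",
}


def check_announcement(prefix, origin, expected=EXPECTED_ORIGIN):
    """Return a verdict for one announced (prefix, origin) pair.

    valid                      exact registered prefix from its registered origin
    hijack                     exact registered prefix from any other origin
    more_specific_same_origin  sub-prefix of a registered prefix, same origin
    more_specific_hijack       sub-prefix of a registered prefix, different origin
    unknown                    no registered prefix covers the announcement
    """
    net = ipaddress.ip_network(prefix, strict=True)
    key = str(net)
    if key in expected:
        return "valid" if expected[key] == origin else "hijack"
    # Registered prefixes that contain the announcement (same address family only).
    covering = []
    for reg_prefix, reg_origin in expected.items():
        reg = ipaddress.ip_network(reg_prefix)
        if reg.version == net.version and net.subnet_of(reg):
            covering.append((reg, reg_origin))
    if not covering:
        return "unknown"
    # The longest covering prefix is the most specific registration that applies.
    _, registered_origin = max(covering, key=lambda item: item[0].prefixlen)
    return "more_specific_same_origin" if registered_origin == origin else "more_specific_hijack"


def audit_announcements(announcements, expected=EXPECTED_ORIGIN):
    """Run the check over a batch and return only the entries an operator should look at."""
    flagged = []
    for prefix, origin in announcements:
        verdict = check_announcement(prefix, origin, expected)
        if verdict in ("hijack", "more_specific_hijack", "unknown"):
            flagged.append((prefix, origin, verdict))
    return flagged


# Constructed announcements modelled on the backup slide's scenario.
CONSTRUCTED_ANNOUNCEMENTS = [
    ("20.0.0.0/8", "Router A"),    # the legitimate announcement
    ("20.0.0.0/8", "Router B"),    # a second router claims the whole prefix
    ("20.1.0.0/16", "Router B"),   # more-specific from the wrong origin; longest match would prefer it
    ("20.1.0.0/16", "Router A"),   # more-specific from the legitimate origin (e.g. traffic engineering)
    ("192.0.2.0/24", "Router B"),  # nothing registered at all
]


if __name__ == "__main__":
    for entry in audit_announcements(CONSTRUCTED_ANNOUNCEMENTS):
        print(entry)
```

The more-specific case is the one worth singling out: because forwarding picks the longest matching prefix, a 20.1.0.0/16 announcement from the wrong origin captures that slice of 20.0.0.0/8 even while the legitimate /8 is still present, which is the usurpation consequence (control of a router service taken away from its legitimate owner) rather than mere deception. The same origin-versus-registration logic is what RPKI route origin validation performs against cryptographically signed registrations instead of a locally maintained table.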
Good Security? or Something Else?
The following are desirable events to the overall routing infrastructure, but are they security concerns to the routing protocol?
Topology Hiding – security, or scalability / manageability, or a business goal for revenue protection?
Data Consistency – router being able to detect and recover from inconsistent data received from other routers. Security or correctness?
Routing Information Policies – security or manageability?
Incremental Deployment – security or good configuration control?
Another Approach to Identify Routing Protocol Threats
Identify common subsystems in routing protocols. Example:
Transport subsystems
Neighbor state maintenance
Database maintenance
Routing state maintenance
At the next granularity, describe different categories and subcategories for each subsystem.