Dennis Beard - PowerPoint PPT Presentation

About This Presentation
Title:

Dennis Beard

Description:

Dennis Beard. Yi Yang. Presented by Marc DesRosiers. November 2002 ... Dennis Beard Nortel Networks. Yi Yang Cisco Systems. Paul Knight Nortel Networks ... – PowerPoint PPT presentation

Learn more at: https://www.ietf.org

Transcript and Presenter's Notes


1
Known Threats to Routing Protocols
  • Dennis Beard, Yi Yang
  • Presented by Marc DesRosiers, November 2002

2
Outline
  • Threat Model
  • Sources
  • Actions
  • Consequences
  • Work to Date
  • Generally Identifiable Threat Actions
  • Multicast Routing Threat Actions
  • Work in Progress
  • Threat Action against Control Planes
  • Other Specific Threat Actions

3
Threat definition
  • A potential for violation of security, which
    exists when there is a circumstance, capability,
    action, or event that could breach security and
    cause harm.
  • Robert Shirey, RFC 2828, Internet Security
    Glossary

The RFC definitions are the basis for the
expression of our model
4
Threat Model
5
Threat Model - Sources
  • Intruders or malicious programs launched by the
    intruder
  • Compromised / subverted links
  • Compromised / subverted routers
  • Masquerading routers (illegitimately assume
    identity/role)
  • Unauthorized devices

A router may play multiple roles simultaneously
6
Threat Model - Actions
  • Attacks and other intentional malicious actions
    against the routing protocols
  • Address proper protocol design to mitigate threat
  • Need to identify external factor that protocol
    should protect
  • Deliberate exposure
  • Sniffing/ wiretapping
  • Traffic analysis
  • Spoofing
  • Falsification
  • Interference
  • Overload

An attacker may launch multiple actions
simultaneously
7
Threat Model - Consequences
  • Compromises and the damage done by the malicious
    actions
  • Zones (impact to router(s), Autonomous System(s),
    Global)
  • Period (smaller, equal or greater than threat
    action duration)
  • Disclosure
      • Unauthorized access to routing info
  • Deception
      • Belief of false routing info
  • Disruption
      • Operation degradation or interruption
  • Usurpation
      • Control/modification of legitimate router
        services/functions

An action may cause multiple consequences
8
Work to Date - Generally Identifiable Threat
Actions
  • Deliberate Exposure
      • Intentional release of routing information
  • Sniffing
      • Monitor routing exchange between legitimate
        routers
  • Traffic Analysis
      • Indirect access to routing info gained by
        monitoring data traffic
  • Spoofing
      • Assume another's identity
  • Falsification
      • Declare invalid routing information
  • Interference
      • Impact routing exchanges
  • Overload
      • Place excessive burdens

9
Deliberate Exposure
  • Intentional release of routing information to
    unauthorized devices
  • All attackers
  • Disclosure

10
Sniffing/ Wiretapping
  • Monitor / record routing information
  • Compromised / subverted links
  • Disclosure

11
Traffic Analysis
  • Analyze data traffic to learn routing information
  • Compromised / subverted links
  • Disclosure

12
Spoof
  • Illegally assumes a legitimate router's identity
  • All attackers
  • Attackers become masquerading routers after
    successful spoof
  • Consequences
      • Deception (on peer relationship)
      • Disclosure (on routing information)

13
Falsification
  • Make and distribute invalid routing information
  • Sources
      • Originator: all attackers except compromised /
        subverted links
      • Forwarder: all attackers
  • Consequences
      • Deception
      • Usurpation
      • Disruption

14
Interference
  • Inhibit routing exchanges
  • All attackers
  • Disruption

15
Overload
  • Place excess burden
  • All attackers
  • Disruption

16
Work to Date - Multicast Threat Actions
  • Introduction of misleading route information via
    non-existent (black hole) or incorrect routes is
    a key MC routing vulnerability
  • MC routing protocols are at least as susceptible
    as Unicast. Updates can be:
      • Fabricated
      • Modified
      • Replayed
      • Deleted
      • Snooped

17
Work in Progress - Threat Actions against Control
Planes
  • Unauthorized network mapping
  • Promiscuous mode and network topology
  • Instability in the routing protocols

18
Work in Progress - Other Specific Threat Actions
  • Byzantine Failures
  • Discarding of control packets
  • Impersonation and Intrusion Monitoring

19
In Closing
  • We have presented a model to
  • Document threats related consequences
  • Provide a format to help prioritize results
  • Enable a process to
  • Address top threat actions
  • Make a decision on medium/ low threat actions
  • Must be included
  • Acceptable risk (future work)

20
Next Step
  • Need your input to address the following
  • Structure
  • Content
  • Consolidation

Thank You!
21
Contributors
  • Dennis Beard, Nortel Networks
  • Yi Yang, Cisco Systems
  • Paul Knight, Nortel Networks
  • Ameya Pandit, Univ of Missouri
  • S. Ayyasamy, Univ of Missouri
  • Ayman Musharbash, Nortel Networks

22
Backup Material
23
Usurpation
24
Good Security? or Something Else?
  • The following are desirable events to the overall
    routing infrastructure, but are they security
    concerns to the routing protocol?
  • Topology Hiding: security or
    scalability/manageability or a business goal for
    revenue protection?
  • Data Consistency: router being able to detect
    and recover from inconsistent data received from
    other routers. Security or correctness?
  • Routing Information Policies: security or
    manageability?
  • Incremental Deployment: security or good
    configuration control?

25
Another Approach to Identify Routing Protocol
Threats
  • Identify common subsystems in routing protocols.
    Example:
      • Transport subsystems
      • Neighbor state maintenance
      • Database maintenance
      • Routing state maintenance
  • Next granularity, describe different categories
    and subcategories for each subsystem.