RPSEC - PowerPoint PPT Presentation

1
RPSEC
  • draft-murphy-threat-00.txt
  • Sandra Murphy
  • NAI Laboratories
  • sandy_at_tislabs.com

2
Outline
  • Scope
  • Routing Functions
  • Threat Sources
  • Threat Actions
  • Threat Consequences

3
Scope
  • All routing protocols
  • Intent: advise routing protocol designers about
    security
  • get them thinking about vulnerabilities
  • set requirements (MUST, SHOULD, MAY)
  • Intra- and Inter-domain (IGP and EGP)
  • Security of the protocol, not of the operational
    environment it works in

4
Routing Functions
  • Transport subsystem
  • the subsystem that carries the data between
    routers
  • can be attacked - impact on routing protocol
  • can carry attack to the routing protocol
  • Neighbor state
  • determine peer and establish relationship
  • attacks can break relationship - disrupt routing
  • typo: draft said BGP and CEASE msg

5
Routing Functions
  • Database maintenance
  • sometimes a separate step, sometimes an implicit
    result of the communication of topology info
  • like wireless keeping interesting routes
  • topology computation from database
  • Each function has control and data parts
  • different consequences from each

6
Threat Sources
  • Outsider - not your peer
  • locally connected non-router host
  • locally connected router
  • distantly connected host(s)
  • distantly connected router
  • Insider
  • a peer
  • a peer's peer
  • etc.

7
Threat Source Capabilities
  • Insider
  • can transmit any bogus message to its peers
  • has context to help make believable message
  • Byzantine failure
  • Outsider
  • able to subvert unprotected transport
  • read, insert, replay, modify, etc. -or-
  • insert but not read -or-
  • so protect transport or protocol control plane

8
Threat Actions
  • masquerade, interception, falsification, misuse,
    replay
  • these are attacks foiled by security services
    (origin authentication, privacy, integrity,
    authorized use, and freshness)

9
Threat Consequences
  • some consequences affect the network as a
    whole: network congestion, blackhole, looping,
    partition, disclosure, churn, instability,
    overload

10
Threat Consequences
  • some consequences affect one host or
    prefix: starvation, eavesdrop, cut, delay,
    looping
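The consequence terms on slides 9 and 10 are abstract, so here is an added example (mine, not from the draft or the presenter) that shows one falsified update turning into a blackhole for a single prefix. It uses a constructed three-router topology (R1, R2, R3, with an extra peer X of R1), unit link costs, a toy distance-vector selection, and the constructed prefix 10.0.0.0/8; the forwarding trace also reports loops, although only the blackhole case is exercised below.

```python
"""Toy distance-vector route selection and forwarding trace.
Added example with a constructed topology; not part of draft-murphy-threat-00."""


def compute_routes(local_prefixes, link_cost, advertisements):
    """One router's route selection.
    local_prefixes: prefixes attached directly (metric 0, no next hop)
    link_cost:      {neighbor: cost of the link to that neighbor}
    advertisements: {neighbor: {prefix: metric}} as received from each neighbor
    Returns {prefix: (next_hop or None, total_metric)} keeping the lowest metric."""
    table = {p: (None, 0) for p in local_prefixes}
    for nbr, adv in advertisements.items():
        for prefix, metric in adv.items():
            total = metric + link_cost[nbr]
            if prefix not in table or total < table[prefix][1]:
                table[prefix] = (nbr, total)
    return table


def trace(tables, src, prefix, max_hops=8):
    """Follow next hops from src toward prefix.
    Returns (path, outcome) with outcome in {'delivered', 'blackhole', 'loop'}."""
    path = [src]
    node = src
    for _ in range(max_hops):
        entry = tables.get(node, {}).get(prefix)
        if entry is None:
            return path, "blackhole"        # no route here: the packet is dropped
        next_hop = entry[0]
        if next_hop is None:
            return path, "delivered"        # prefix is local to this node
        if next_hop in path:
            return path + [next_hop], "loop"
        path.append(next_hop)
        node = next_hop
    return path, "loop"                     # hop budget exhausted


def scenario(falsified: bool):
    """Honest chain R1 -- R2 -- R3 where R3 owns P. X is also a peer of R1.
    With falsified=True, X announces P at metric 0 although it has no route to it."""
    P = "10.0.0.0/8"                        # constructed prefix
    r3 = compute_routes({P}, {"R2": 1}, {"R2": {}})
    r2 = compute_routes(set(), {"R1": 1, "R3": 1}, {"R3": {P: 0}})
    x_adv = {P: 0} if falsified else {}
    r1 = compute_routes(set(), {"R2": 1, "X": 1},
                        {"R2": {P: r2[P][1]}, "X": x_adv})
    x = {}                                  # X really has no route to P
    tables = {"R1": r1, "R2": r2, "R3": r3, "X": x}
    return r1[P], trace(tables, "R1", P)


if __name__ == "__main__":
    print("honest:   ", scenario(False))
    print("falsified:", scenario(True))
```

The honest run delivers via R2 and R3; the falsified run makes R1 prefer X's shorter metric, and traffic for that one prefix is dropped at X. Other hosts and prefixes keep working, which is the per-prefix consequence slide 10 lists, while a bogus announcement that covered many prefixes, or one that pointed back toward the victim, would produce the network-wide effects of slide 9.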

11
Why Threat Sources
  • you can apply protections to eliminate one or
    another of the sources
  • administrative, physical, cryptographic, etc
  • usually by directing protections toward the
    capabilities

12
Why Threat Actions
  • some actions can be prevented
  • authorization policies
  • coupled with strong authentication
  • some actions can be detected
  • auditing and logging
  • coupled with strong authentication
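Slides 7, 8 and 12 together say that an outsider who can subvert an unprotected transport is foiled by origin authentication, integrity and freshness, while an insider, who can transmit any bogus message its peers will believe, can only be stopped by an authorization policy and caught by auditing, both tied to strong authentication. The following added example (mine, not code from the draft or the presenter) puts those pieces into one receive-side check for a toy routing update. It assumes a per-peer shared key with HMAC-SHA256 for origin authentication and integrity, a strictly increasing per-peer sequence number for freshness, a per-peer set of prefixes the peer is allowed to originate as the authorization policy, and an audit log of every verdict; the peer names, keys and prefixes are constructed.

```python
"""Receive-side check for a toy routing update: authenticate, then check freshness,
then authorize, and log every verdict. Added example; not from draft-murphy-threat-00."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field


def canonical(peer: str, seq: int, prefix: str) -> bytes:
    # Canonical encoding so sender and receiver MAC exactly the same bytes.
    return json.dumps({"peer": peer, "seq": seq, "prefix": prefix},
                      sort_keys=True).encode()


def build_update(key: bytes, peer: str, seq: int, prefix: str) -> dict:
    """Sender side: attach an HMAC-SHA256 over the canonical body."""
    mac = hmac.new(key, canonical(peer, seq, prefix), hashlib.sha256).hexdigest()
    return {"peer": peer, "seq": seq, "prefix": prefix, "mac": mac}


@dataclass
class PeerPolicy:
    key: bytes                   # shared secret: origin authentication + integrity
    allowed_prefixes: frozenset  # authorization policy: prefixes this peer may originate
    last_seq: int = -1           # freshness: highest authenticated sequence number seen


@dataclass
class Verifier:
    peers: dict                                  # peer id -> PeerPolicy
    audit_log: list = field(default_factory=list)

    def _log(self, msg: dict, verdict: str, reason: str) -> str:
        # Auditing and logging: every decision is recorded with the peer it concerns.
        self.audit_log.append({"peer": msg.get("peer"), "seq": msg.get("seq"),
                               "prefix": msg.get("prefix"),
                               "verdict": verdict, "reason": reason})
        return verdict

    def check(self, msg: dict) -> str:
        policy = self.peers.get(msg.get("peer"))
        if policy is None:
            return self._log(msg, "reject", "unknown peer: masquerade")
        body = canonical(msg.get("peer"), msg.get("seq", -1), msg.get("prefix", ""))
        expected = hmac.new(policy.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return self._log(msg, "reject", "bad MAC: falsification or modification")
        if msg["seq"] <= policy.last_seq:
            return self._log(msg, "reject", "stale sequence number: replay")
        policy.last_seq = msg["seq"]            # message is authentic and fresh
        # Authentication alone does not stop an insider; the policy does.
        if msg["prefix"] not in policy.allowed_prefixes:
            return self._log(msg, "reject", "prefix not authorized for this peer: misuse")
        return self._log(msg, "accept", "ok")


def run_scenarios() -> list:
    """Replay the threat actions from slide 8 against one verifier; returns (verdict, reason) per message."""
    r1_key = b"constructed-shared-secret-r1"
    v = Verifier(peers={"R1": PeerPolicy(r1_key, frozenset({"10.0.0.0/8"}))})
    legit = build_update(r1_key, "R1", 1, "10.0.0.0/8")
    v.check(legit)                                                   # accept
    outsider = {"peer": "R1", "seq": 2, "prefix": "192.0.2.0/24", "mac": "00" * 32}
    v.check(outsider)                                                # insert without key
    v.check(dict(legit, prefix="192.0.2.0/24"))                      # modify in transit
    v.check(legit)                                                   # replay
    v.check(build_update(r1_key, "R1", 2, "192.0.2.0/24"))           # insider misuse
    v.check(build_update(b"other-key", "R9", 1, "10.0.0.0/8"))       # unknown peer
    return [(e["verdict"], e["reason"]) for e in v.audit_log]


if __name__ == "__main__":
    for verdict, reason in run_scenarios():
        print(verdict, "-", reason)
```

The order of the checks matters: the MAC is verified before the sequence number is read, so an unauthenticated message can never move `last_seq`, and the sequence number is advanced before the authorization check, so an insider's rejected message cannot be replayed later either. The audit entries are what slide 12 calls detection; without the authenticated peer identity attached to each entry they would not say who to hold responsible.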

13
Why Threat Consequences
  • different people care about different
    consequences
  • some protections will protect against some
    consequences and not against others
  • some proposed security solutions have been
    directed toward one or another of the consequences

14
Comparison of Drafts - Sources
  • insider vs compromised devices
  • outsider vs compromised link, unauthorized
    devices, masquerading devices
  • but beardd says masquerade unauthorized
    compromised
  • distinction is needed only if the damage, the
    protections, or the capabilities differ;
    otherwise the difference is not needed

15
Comparison of Drafts - Actions
  • pretty much the same (came from same RFC)

16
Comparison of Drafts- Consequence
  • use term in different ways - murphy is talking
    about the damage the network sees, beardd is
    talking about it in standard security terms

17
Comparison of Drafts- Zone
  • beardd uses zone to depict extent of damage
  • not sure how we predict where damage is spread -
    relies on connectivity and topology and policy
    and ...