Known Threats to Routing Protocols
Dennis Beard & Yi Yang
Presented by Marc DesRosiers, November 2002
Outline
• Threat Model
  • Sources
  • Actions
  • Consequences
• Work to Date
  • Generally Identifiable Threat Actions
  • Multicast Routing Threat Actions
• Work in Progress
  • Threat Action against Control Planes
  • Other Specific Threat Actions
Threat definition
“A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.”
Robert Shirey, RFC 2828: Internet Security Glossary
The RFC definitions are the basis for the expression of our model.
Threat Model - Sources
Intruders or malicious programs launched by the intruder
• Compromised / subverted links
• Compromised / subverted routers
• Masquerading routers (illegitimately assume an identity / role)
• Unauthorized devices
* A router may play multiple roles simultaneously
Threat Model - Actions
Attacks and other intentional malicious actions against the routing protocols
• Address proper protocol design to mitigate the threat
• Need to identify the external factors the protocol should protect against
• Deliberate exposure
• Sniffing / wiretapping
• Traffic analysis
• Spoofing
• Falsification
• Interference
• Overload
* An attacker may launch multiple actions simultaneously
Threat Model - Consequences
Compromises and the damage done by the malicious actions
• Zones (impact to router(s), Autonomous System(s), Global)
• Period (shorter than, equal to, or longer than the threat action duration)
• Disclosure
  • Unauthorized access to routing info
• Deception
  • Belief of false routing info
• Disruption
  • Operation degradation or interruption
• Usurpation
  • Control / modification of legitimate router services / functions
* An action may cause multiple consequences
Work to Date – Generally Identifiable Threat Actions
• Deliberate Exposure
  • Intentional release of routing information
• Sniffing
  • Monitor routing exchanges between legitimate routers
• Traffic Analysis
  • Indirect access to routing info gained by monitoring data traffic
• Spoofing
  • Assume another's identity
• Falsification
  • Declare invalid routing information
• Interference
  • Impact routing exchanges
• Overload
  • Place excessive burdens
Deliberate Exposure
• Intentional release of routing information to unauthorized devices
• All attackers
• Disclosure
Sniffing / Wiretapping
• Monitor / record routing information
• Compromised / subverted links
• Disclosure
Traffic Analysis
• Analyze data traffic to learn routing information
• Compromised / subverted links
• Disclosure
Spoof
• Illegally assumes a legitimate router's identity
• All attackers
• Attackers become masquerading routers after a successful spoof
• Consequences:
  • Deception (on peer relationship)
  • Disclosure (on routing information)
Falsification
• Make and distribute invalid routing information
• Sources:
  • Originator: all attackers except compromised / subverted links
  • Forwarder: all attackers
• Consequences:
  • Deception
  • Usurpation
  • Disruption
Interference
• Inhibit routing exchanges
• All attackers
• Disruption
Overload
• Place excess burden
• All attackers
• Disruption
Work to Date - Multicast Threat Actions
• Introduction of misleading route information via non-existent (black hole) or incorrect routes is a key multicast routing vulnerability
• Multicast routing protocols are at least as susceptible as unicast. Updates can be:
  • Fabricated
  • Modified
  • Replayed
  • Deleted
  • Snooped
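Three of the update manipulations listed above (fabricated, modified, replayed), and the falsification action from the earlier slides, are what keyed authentication of routing updates is meant to catch on the receiving side. The following is an added example and is not part of the slides or of any protocol specification: a toy update format (constructed here, with an assumed 7-byte header and 7-byte prefix records) carried with a truncated HMAC-SHA256 tag and a per-neighbor sequence number, and a receiver that classifies each incoming update before it touches the routing table. The wire layout, the key values, the router IDs and the routes are all assumptions made for this example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Constructed (hypothetical) wire format for one routing update; not a real protocol:
#   header : 2 bytes router_id | 4 bytes sequence | 1 byte prefix count   (7 bytes)
#   prefix : 4 bytes network | 1 byte prefix length | 2 bytes metric     (7 bytes each)
#   trailer: 16-byte tag = HMAC-SHA256(shared key, header + prefixes), truncated
HDR = struct.Struct("!HIB")
PFX = struct.Struct("!IBH")
TAG_LEN = 16


def encode_update(router_id, seq, prefixes, key):
    """Build an update frame as a router holding `key` would send it."""
    body = HDR.pack(router_id, seq, len(prefixes))
    for network, plen, metric in prefixes:
        body += PFX.pack(network, plen, metric)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


@dataclass
class UpdateVerifier:
    """Receiver-side check: origin, integrity, then freshness, in that order."""
    keys: dict                                    # router_id -> shared key, configured out of band
    last_seq: dict = field(default_factory=dict)  # highest sequence accepted per neighbor

    def check(self, frame):
        """Return (verdict, prefixes). Only 'accepted' updates carry prefixes."""
        if len(frame) < HDR.size + TAG_LEN:
            return "malformed", []
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        router_id, seq, count = HDR.unpack(body[:HDR.size])
        key = self.keys.get(router_id)
        if key is None:
            return "unknown-peer", []             # fabricated by an unauthorized device
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad-tag", []                  # modified in transit, or forged without the key
        if seq <= self.last_seq.get(router_id, -1):
            return "replay", []                   # old update re-sent; would roll routes back
        if len(body) != HDR.size + PFX.size * count:
            return "malformed", []
        prefixes = [PFX.unpack(body[HDR.size + PFX.size * i: HDR.size + PFX.size * (i + 1)])
                    for i in range(count)]
        self.last_seq[router_id] = seq
        return "accepted", prefixes


def run_demo():
    """Feed the verifier one genuine update and four constructed attack variants."""
    key_7 = b"constructed-shared-key-for-router-7"   # assumption: pre-shared with router 7
    verifier = UpdateVerifier(keys={7: key_7})
    routes = [(0x0A000000, 8, 10), (0xC0A80100, 24, 5)]  # 10.0.0.0/8, 192.168.1.0/24
    verdicts = []

    genuine = encode_update(7, 100, routes, key_7)
    verdicts.append(verifier.check(genuine)[0])            # accepted
    verdicts.append(verifier.check(genuine)[0])            # replay: same bytes again

    tampered = bytearray(genuine)
    tampered[HDR.size + 6] ^= 0xFF                         # flip low byte of first metric
    verdicts.append(verifier.check(bytes(tampered))[0])    # bad-tag

    forged = encode_update(99, 1, routes, b"guessed-key")  # unknown router id
    verdicts.append(verifier.check(forged)[0])             # unknown-peer

    impostor = encode_update(7, 101, routes, b"guessed-key")  # right id, wrong key
    verdicts.append(verifier.check(impostor)[0])           # bad-tag
    return verdicts


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

`run_demo()` yields accepted, replay, bad-tag, unknown-peer, bad-tag for the five frames. The order of the checks matters: the sequence number is only consulted after the tag verifies, so an attacker without the key cannot advance the receiver's replay window with forged frames. Note what this check does not cover, which matches the remaining two items on the slide: a tag protects integrity and origin but not confidentiality, so snooped updates are still disclosed, and a deleted update leaves no frame to check at all, so silent drops have to be caught by other means such as neighbor liveness timers rather than by per-update authentication.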
Work in Progress – Threat Actions against Control Planes
• Unauthorized network mapping
• Promiscuous mode and network topology
• Instability in the routing protocols
Work in Progress – Other Specific Threat Actions
• Byzantine Failures
• Discarding of control packets
• Impersonation and Intrusion Monitoring
In Closing…
We have presented a model to:
• Document threats & related consequences
• Provide a format to help prioritize results
• Enable a process to:
  • Address top threat actions
  • Make a decision on medium / low threat actions
    • Must be included
    • Acceptable risk (future work)
Next Step
Need your input to address the following:
• Structure
• Content
• Consolidation
Thank You!
Contributors
• Dennis Beard – Nortel Networks
• Yi Yang – Cisco Systems
• Paul Knight – Nortel Networks
• Ameya Pandit – Univ of Missouri
• S. Ayyasamy – Univ of Missouri
• Ayman Musharbash – Nortel Networks
Good Security? or Something Else?
The following are desirable for the overall routing infrastructure, but are they security concerns for the routing protocol?
• Topology Hiding – security, or scalability / manageability, or a business goal for revenue protection?
• Data Consistency – a router being able to detect and recover from inconsistent data received from other routers. Security or correctness?
• Routing Information Policies – security or manageability?
• Incremental Deployment – security or good configuration control?
Another Approach to Identify Routing Protocol Threats
Identify common subsystems in routing protocols. Example:
• Transport subsystems
• Neighbor state maintenance
• Database maintenance
• Routing state maintenance
At the next level of granularity, describe the different categories and subcategories of threats for each subsystem.