Security and Routing


Security and Routing
  Source routing and tunnels
  Routing security
    –Protocol
    –Content
  IGP routing
  BGP routing
  Nothing new here:
    –Going on for years on the telephone network

Security concepts
  Authentication
    –I am who I say I am
  Integrity
    –A message was not changed after it was sent
  No Replay
    –Do not let me do the same thing twice
  Confidentiality
    –Do not let others read my communication
  Non-repudiation
    –Do not let me say something different later

More concepts
  Secure hash function
    –A hash that can not be reversed
  Digital signatures
    –Protect documents
    –Authentication, non-repudiation, integrity
    –Digital certificates
  Encryption
  Symmetric cryptography
    –Both parties share a key
  Public key cryptography
    –Each party has a public key
        All can send to it
  Public key infrastructure (PKI)
    –Public key cryptography is useless if I get a fake public key for talking to my bank
    –Need certificates for them

Difficulties with security
  Cryptographic operations may have larger CPU costs
  Cryptographic information requires more storage
  Key distribution and management is difficult
    –Especially on a global scale
  Certificates need Trusted Authorities
    –Who are they? Can they be trusted?

Threat model
  I am an attacker outside the backbone network
    –Can not observe traffic inside the network
    –May be able to attack the routers
        Limited: usually providers filter at the edge
  I am inside the backbone network
    –Can observe traffic at one or multiple points
        Switched Ethernet connections etc.
        Or tap into a point-to-point line, not too easy
    –Can attack all routers
    –Can not arbitrarily drop traffic
        Simply drop HELLOs to bring peerings down
  I have compromised one router already
    –Then we are in trouble…
        Can drop packets
        Can attack the routing system directly

What is the attacker’s goal
  Bring the network down
    –Will be detected
  Disrupt the network but do not bring it down
    –Stealthy, may be undetected
    –Make it appear as if it is caused by external causes
        E.g. fake BGP information
  Bring some destinations down
    –May be hard to detect
    –Make it appear as if it is externally caused – BGP
  Hijack the traffic
    –Send it through some monitoring point
    –Black hole it
    –Make it loop

There are a lot of holes
  ARP:
    –Attacker can send its own ARP reply message and disconnect a node from the LAN
    –Then it can hijack its session easily
    –ARP replies are sometimes unsolicited
        Other systems will accept them even if there was no request sent
        No need to even wait for an ARP request
  ICMP
    –Has the very nasty “redirect” message
    –Can cause a system to use a different router
        Which of course could be the attacker
    –This can be, and usually is, disabled these days
  IP source routing
    –I can add an arbitrary source route to any packet I can intercept
    –So I send it through the attacker’s premises for recording
  And of course DNS …

Spoofing
  Source IP, port can be spoofed
    –This allows me to try to insert a packet into an existing TCP connection
        Destination will admit the packet if it comes from the right source address/port
    –RPF check
        Do not accept a packet from an interface that is different from the one I would use to reach its source
        Not deployed everywhere
        Routes can be asymmetric sometimes
  Can spoof MPLS labels too
    –Can put a packet inside an existing LSP
        Do not accept labeled packets on certain interfaces
        Do not accept labels from interfaces on which you did not advertise them
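
The RPF check described on this slide, as an added example that is not part of the original slides: a longest-prefix-match lookup decides which interface leads back to a packet's source, and the packet is accepted only if it arrived on that interface. The forwarding table, interface names and packets are constructed for illustration; the last packet shows the asymmetric-route case in which a legitimate packet is dropped.

```python
import ipaddress

# Constructed forwarding table (prefix -> interface used to reach it).
# Prefixes and interface names are illustrative, not from the slides.
FIB = {
    "0.0.0.0/0": "upstream0",
    "192.0.2.0/24": "cust1",
    "198.51.100.0/24": "cust2",
    "198.51.100.128/25": "cust3",   # more specific route via a second link
}

def lookup(fib, addr):
    """Longest-prefix match: interface the router would use to reach addr."""
    ip = ipaddress.ip_address(addr)
    best_len, best_iface = -1, None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best_len, best_iface = net.prefixlen, iface
    return best_iface

def rpf_accept(fib, src, in_iface):
    """RPF check: accept only if the packet arrived on the interface this
    router would itself use to reach the packet's source address."""
    return lookup(fib, src) == in_iface

def classify(fib, packets):
    """Return (src, in_iface, verdict) for each constructed packet."""
    return [(s, i, "accept" if rpf_accept(fib, s, i) else "drop")
            for s, i in packets]

# Constructed arrivals: (source address, interface the packet came in on).
PACKETS = [
    ("192.0.2.10", "cust1"),        # genuine customer traffic
    ("192.0.2.10", "cust2"),        # cust2 spoofing cust1's address
    ("203.0.113.5", "upstream0"),   # outside source, matches the default route
    ("203.0.113.5", "cust1"),       # customer spoofing an outside source
    ("198.51.100.200", "cust2"),    # asymmetric: real host, return path is cust3
]

if __name__ == "__main__":
    for src, iface, verdict in classify(FIB, PACKETS):
        print(f"{src:16} in={iface:10} {verdict}")
```

The final drop is a false positive caused by the more specific /25 route, which is the operational reason the slide gives for RPF not being deployed everywhere.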

Perimeter security
    –Providers guard the perimeter of the networks
    –Install packet filters that block access to the IP interfaces of the backbone routers
        This prevents any kind of attack on backbone routers from outside the network
        But difficult to keep the filter rules up to date on incoming links
    –Do not accept MPLS labeled packets from outside links
        There may be cases where this is necessary
        Accept only labels that were advertised to the peer
    –RPF check to drop spoofed packets
    –Point-to-point peering connections with other providers
        Switched connections open the door to monitoring
        Especially if we have to receive MPLS packets over them

Attacks against routing
  Make a peering session fail
    –TCP based vs. packet based
        TCP is harder
    –May not be easy to detect
        Could appear as a temp link failure
  Insert false information into the peering session
    –Without having compromised the routers
        Harder to detect
    –Can result in traffic hijacking
  Attack the stability of the system
    –May have to achieve one of the above first
    –Cause flapping, resets of peering sessions, general routing overloading
  Or just attack the routers directly
    –Crack the passwords to get administrator access
    –DoS

Attacking routers
  Like attacking a PC
    –Port scanning
    –Password cracking
    –DoS
  ICMP is a good choice
    –Routers limit these very carefully
  Send too much traffic with IP options set
  DoS the links to cause peerings to reset
  TCP SYN floods, bad packets etc…
  Usually it is not possible to reach the interfaces of the routers directly from outside
  Of course I can attack the routers if I am already inside the network

Attacking TCP sessions
  Can bring it down very easily
    –Just insert a TCP RST in the stream
    –But I need to guess the sequence numbers correctly
    –“TCP session hijacking”
  Various levels
    –Must be able to physically insert packets in the link
        Switched Ethernet or similar
    –Just insert a packet here and there
        May be quite simple
    –“Man in the middle”
        Put my machine in the middle and monitor/change all traffic
        What will happen with ARP?
        Need to get the victim to reply to the malicious node
    –ARP poisoning

TCP session hijacking
  TCP establishes sequence numbers at the beginning of the session
    –3-way handshake
    –Other authentication (Kerberos, passwords) happens at that time
  If I can sniff the traffic I can figure out the current sequence numbers
  If I can spoof the source information of the packet I can inject a packet into the stream
    –I have to do this before the legitimate party sends the packet with the same sequence number
  Plenty of tools for TCP hijacking
  Defences
    –Prevent spoofing
    –Prevent sniffing
    –Encrypt the exchanged information
        This will not protect from RSTs that will shut down the connection

Attacking IP/UDP sessions
  Simpler than TCP
    –Send packets directly to the router, no need to guess sequence numbers
    –I can also spoof the source address of the packet to avoid filtering at the victim router
    –May have to be one hop away from the router
  It is always a good idea to rate limit all kinds of traffic
    –And not only ICMP and TCP SYNs
        E.g. rate limit RSVP traffic
    –Rate limiting will have to happen at the interface
        If I receive the packets in the RSVP process I already burned a lot of resources, it is DoS
        Rate limiting at interfaces is a bit expensive to do at high speeds

Cryptography
  Packets carry cryptographic information that proves they are “ok”
    –It does not really solve the DoS problem
        A protocol will have to receive the packet and verify the crypto
    –Security processing is more expensive
    –Even worse potential for DoS now
    –Just send a lot of packets with bogus crypto
        Protocol will choke trying to verify the crypto

Protocol Security machinery
  Use Message Authentication Codes (MACs)
    –Two peers agree on a password
    –Sender computes a MAC of each packet it sends
        MAC is a few bytes (64 usually)
        Using the common password
        MAC is sent along with the packet
    –Receiver re-computes the MAC
        If it does not match what is in the packet it drops it
        Else a match proves that sender knows the password
  As safe as the passwords/keys used
    –And there are a lot of problems with passwords
    –No existing standard key management system

What do MACs give us?
  Authentication
    –I know the sender knows a secret so he must be a good guy
  Integrity
    –The message has not been modified after it was sent
  Replay prevention:
    –To avoid replays, include a sequence number in each packet
        OSPF has them, IS-IS does not!
    –An attacker can fake high sequence numbers
  No Confidentiality
    –I can see the TCP headers
        I can try session hijacking
    –I can see the contents of the message
  Do not cover all the packet
    –IP/TCP headers are not part of the MAC
        I can still spoof them
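
The MAC machinery of the last two slides, as an added example that is not part of the original slides: a sender appends a keyed MAC to each packet and the receiver recomputes it, then applies a sequence-number check. It assumes HMAC-SHA-256 from the Python standard library rather than the MD5-based MACs the slides discuss, a 32-bit sequence number placed inside the MACed region, and a constructed password and payloads; sequence-number wrap-around is not handled.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA-256 output size in bytes

def seal(key, seq, payload):
    """Sender side: the MAC covers the 32-bit sequence number and the payload."""
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key):
        self.key = key
        self.last_seq = -1   # highest sequence number accepted so far

    def accept(self, packet):
        """Return the payload if the packet is authentic and fresh, else None."""
        if len(packet) < 4 + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                      # wrong key or modified packet
        (seq,) = struct.unpack("!I", body[:4])
        if seq <= self.last_seq:
            return None                      # replay of an old packet
        self.last_seq = seq                  # advanced only after the MAC verified
        return body[4:]

def demo():
    """Run the constructed scenarios and return what the receiver decided."""
    key = b"constructed-shared-password"
    rx = Receiver(key)
    hello = seal(key, 1, b"HELLO from R1")
    results = {"genuine": rx.accept(hello)}
    results["replayed"] = rx.accept(hello)
    # Payload changed in transit, original MAC left in place.
    tampered = hello[:4] + b"HELLO from RX" + hello[-TAG_LEN:]
    results["tampered"] = rx.accept(tampered)
    # Sender without the key fakes a very high sequence number.
    forged = struct.pack("!I", 0xFFFFFFFF) + b"HELLO from R1" + hello[-TAG_LEN:]
    results["forged_high_seq"] = rx.accept(forged)
    results["last_seq_after_forgery"] = rx.last_seq
    # The outer source address is not under the MAC: any claimed source passes.
    envelope = {"src": "198.51.100.66", "data": seal(key, 2, b"LSU")}
    results["unauthenticated_src"] = rx.accept(envelope["data"])
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24} {value!r}")
```

Because the sequence number sits under the MAC in this sketch, the forged high value is rejected before it can move the receiver's replay window; the source address in the envelope never enters the check at all.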

MD5 and HMAC
  A good MAC must be
    –Collision resistant:
        Very hard to find two messages that have the same hash
    –Pre-image attack resistant:
        Given a MAC very hard to find a message with this MAC
    –Second pre-image attack resistant:
        Given a message very hard to find another message with the same MAC
  RFC2385 proposes to use the MD5 hash as the MAC
    –MD5 has started to show problems
    –It is possible to compute collisions effectively, in about 1hr in some cases
    –Other hashes may have problems too
  RFC2104 proposes a Hashed MAC (HMAC) that is slowly starting to be used
    –The HMAC can be using MD5 internally but its security is better
    –MD5 is still used in BGP though
  There has been a lot of noise about the security of MD5 recently
    –There are other issues that are much more important

If MD5 is broken then…
  How dangerous is this for routing protocols that use it as MAC?
    –Attacker wants to inject fake packets
        First, he must have enough physical access and spoofing capability to send it
    –Need to find a modified message that has the same MAC as a good message
        This is a pre-image attack
        Not a collision attack, since I do not control both messages
        MD5 has problems with collisions, not pre-image attacks
    –Even if I could do a pre-image attack most probably I could not control completely the contents of the fake packet
        I could change a few bits here and there
        May not be sufficient to do real damage at the protocol level
  Just send a malformed IGP packet
    –If the receiving router is buggy it could cause a crash maybe …

The real hard problems are:
  How to manage passwords and keys
    –Errors, social engineering
    –Stupid passwords and password policies
  How to make sure that routers tell the truth
    –All the possible security in the protocol exchanges and the links can not protect me from a compromised router
    –It is difficult for IGP
    –Imagine how bad it gets for BGP/inter-domain routing
        No central coordination
        Minimal trust on the 10,000s of ISPs that participate in the system

Intra- vs. Inter-domain Routing Security
  Very different
    –Intra-domain routers are under a single administrative control
        Same policies and best practices
        Trust in the components of the system
        Can enforce some security in the perimeter of the network
    –Inter-domain
        Forget all that…

How to verify IGP routing information
    –A bad router can trivially bring its links down and in general disrupt the network
        Will be detected easily
    –But can it lie so that it hijacks traffic undetected?
    –Some lies can be caught
        A router lies about its links
        The router at the other end of the link will not lie
    –The inconsistency may be detected
        Unless more than one router is lying

More checks
  Other lies can not be caught
    –A router lies that it has a stub network (without other router at the end)
        If this stub network does not exist elsewhere in the network this lie can not be caught
        Can hijack traffic this way - hijack a BGP route for example
    –Or a bad router claims to have high priority to become DR so it gets elected as DR
    –Need to know if a router can originate certain information
        Requires some centralized configuration management tool
  A bad router can send bad LSUs with spoofed router ids
    –Others can not trace the wrong information to the bad router
    –Need to provide origin authentication
  A bad router can modify LSUs that it sees during flooding
    –Need to ensure integrity of LSUs
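
The consistency checks from the last two slides, as an added example that is not part of the original slides: it audits a link-state database for links confirmed by only one end, for stub prefixes originated by more than one router, and for stubs outside what a central configuration allows. The database, router names, prefixes and the `AUTHORIZED` table are constructed and hypothetical; the contested-stub check matches exact prefixes only.

```python
import ipaddress

# Constructed link-state database: what each router claims about itself.
LSDB = {
    "R1": {"links": {"R2", "R3"}, "stubs": {"10.1.0.0/24"}},
    "R2": {"links": {"R1", "R3"}, "stubs": {"10.2.0.0/24"}},
    "R3": {"links": {"R1", "R2", "R4"}, "stubs": {"10.3.0.0/24"}},
    # R4 is the bad router: a link R1 never confirms, a stub R2 also
    # originates, and a stub that exists nowhere else in the network.
    "R4": {"links": {"R3", "R1"}, "stubs": {"10.2.0.0/24", "10.9.0.0/24"}},
}

# Hypothetical central configuration: prefixes each router may originate.
AUTHORIZED = {
    "R1": ["10.1.0.0/24"], "R2": ["10.2.0.0/24"],
    "R3": ["10.3.0.0/24"], "R4": ["10.4.0.0/24"],
}

def one_way_links(lsdb):
    """Links claimed by one end but not confirmed by the other end."""
    return sorted((r, n) for r, lsa in lsdb.items() for n in lsa["links"]
                  if r not in lsdb.get(n, {"links": set()})["links"])

def contested_stubs(lsdb):
    """Stub prefixes originated by more than one router (exact match only)."""
    owners = {}
    for r, lsa in lsdb.items():
        for p in lsa["stubs"]:
            owners.setdefault(p, []).append(r)
    return {p: sorted(rs) for p, rs in owners.items() if len(rs) > 1}

def unauthorized_stubs(lsdb, authorized):
    """Stubs that fall outside what the central configuration allows."""
    bad = []
    for r, lsa in lsdb.items():
        allowed = [ipaddress.ip_network(p) for p in authorized.get(r, [])]
        for p in lsa["stubs"]:
            net = ipaddress.ip_network(p)
            if not any(net.subnet_of(a) for a in allowed):
                bad.append((r, p))
    return sorted(bad)

if __name__ == "__main__":
    print("one-way links:     ", one_way_links(LSDB))
    print("contested stubs:   ", contested_stubs(LSDB))
    print("unauthorized stubs:", unauthorized_stubs(LSDB, AUTHORIZED))
```

Only the third check flags `10.9.0.0/24`: within the database itself that stub is indistinguishable from any honest router's stub, which is why the slide calls for centrally managed origination data.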

Cryptography to help
  Use public key cryptography
    –Proposed since 1997
  When a router R originates an LSU it signs it
    –Using its private key
    –Receivers can use R’s public key to ensure that it was indeed originated by R
    –This ensures origin authentication and integrity
    –To save time compute a hash of the LSU and sign the hash
    –Needs key infrastructure
        Or flood the public key of each router through OSPF itself
        But then public keys are not trusted
        Need a certification entity that signs these public key records

There are still holes
  Router can silently drop packets
    –No protection against that
  A router can advertise a non-existent stub network
  ABRs can advertise wrong information for other areas
    –Given that there will usually be more than one ABR, can compare the information between the two to see if all is ok
  ASBRs can advertise what they want
    –And there is not much that can be done
  In all cases, if we observe something funny, at least we can reliably find who originated the wrong information
    –Since all LSUs are signed

Is it deployed?
  No. The risk-reward balance is not right (yet)
    –Security solutions are heavy
        More CPU, decreased protocol performance, convergence and maybe stability
    –Threat does not seem too large
        Filtering at the edge and best practices seem to control the problem
        In intra-domain at least
  In inter-domain things are bad but it is hard to solve anything
    –Huge scale
    –Minimal coordination between participants

NEXT
  BGP security stuff
  The SIDR IETF group (secure interdomain routing)