Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Threat Model for BGPSEC

Published byBryan Kearney Modified over 10 years ago

There are copies: 1
A Threat Model for BGPSEC Steve Kent BBN Technologies.
A Threat Model for BGPSEC Steve Kent BBN Technologies.

Similar presentations

Presentation on theme: "A Threat Model for BGPSEC"— Presentation transcript:

1 A Threat Model for BGPSEC
Steve Kent BBN Technologies

2 Presentation Outline Background Terminology Threat characterization
Attack characterization Active wiretapping of links between BGP speakers Attacks on a BGP router Attacks on ISP management computers Attacks on repositories Attacks on an RPKI CA Residual vulnerabilities

3 Terminology (1/2) Adversary Vulnerability Attack
An adversary is an entity (e.g., a person or an organization) perceived as malicious, relative to a security policy of a system. Vulnerability A vulnerability is a flaw or weakness in a system’s design, implementation, or operation and management, that could be exploited to violate the security policy of a system. Attack An attack is an action that attempts to violate the security policy of a system, e.g., by exploiting a vulnerability.

4 Background The SIDR WG has almost finished work on a set of standards to erroneous origin AS announcements The next step in improving routing security in the public Internet is to counter malicious attacks on BGP UPDATEs The term BGPSEC refers to the mechanisms used to achieve this greater degree of security BGPSEC builds on the RPKI developed in SIDR, and calls for each AS to digitally sign the AS path info that it propagates, and to verify the path info it receives

5 Terminology (2/2) Countermeasure Threat
A countermeasure is a procedure or technique that thwarts an attack, preventing it from being successful. Often countermeasures are specific to attacks or classes of attacks. Threat A threat is a motivated, capable adversary. An adversary who is not motivated, or who is not capable of effecting an attack, is not a threat.

6 Adversary Capabilities
BGP speakers Manipulation of BGP Hackers Compromise of network management systems & routers Criminals Extortion of an ISP or telecom provider Registries Manipulation of the RPKI segments that they control Nations Influence over ISPs, telecom providers and local registries, MITM attacks,

7 Adversaries BGP speakers (ASes) Hackers Criminals Registries Nations
ISPs or multi-homed subscriber Hackers For hire? Criminals Registries IANA, RIRs, NIRs, LIRs Nations Intelligence agencies

8 Attacking eBGP Links Passive wiretapping is not considered a problem
Active wiretapping (MITM on the link attacks) Packet modification Packet deletion Replay Target can be IP, TCP, BGP (including BGPSEC data)

9 Attack Targets BGP routers ISP management systems Repositories
Bogus AS paths, signature removal, bad signature insertion, router key compromise, update replay, … ISP management systems Router manipulation, deleting valid RPKI objects, uploading expired RPKI objects, … Repositories Removing valid RPKI objects or inserting invalid objects RPKI CAs Duplicate allocation of resources, unauthorized revocation or certificates, …

10 BGP Path Attack Examples (1/2)
Valid Origin, bad path Although ROAs allow an ISP to detect and reject a route with an unauthorized origin AS, they do not prevent an AS from advertising a bogus path with a valid origin AS. Prefix “narrowing” An AS along a valid path can advertise a more specific prefix than what was advertised by the origin, making the route preferred over the original advertisement. ROAs do not fix this problem unless the max length option is exactly the same as the prefix length.

11 A Valid Origin, but a Bad Path
Assume AS 120 has a ROA for 129.7/16, maxlen = 18 129.7/16: (120) 129.7/16: (123, 120) AS 120 AS 123 AS 125 129.7/16: (120) 129.7/16: (123, 120) 129.7/16 : (124, 120) AS 124 AS 121 AS 124 advertises a path with a valid origin for 129.7/16, but it drops later ASes … AS 122 129.7/16: (121, 120) 129.7/16: (122, 123, 120)

12 More Specific Bad Path Assume AS 120 has a ROA
for 129.7/16, maxlen = 18 129.7/16: (120) 129.7/16: (123, 120) AS 120 AS 123 AS 125 129.7/16: (120) 129.7/17: (124, 122, 123, 120) 129.7/16: (123, 120) AS 124 AS 121 AS 122 advertises a more specific prefix for the correct origin AS, so it gets the traffic! AS 122 129.7/16: (121, 120) 129.7/17: (122, 123, 120)

13 BGP Path Attack Examples (2/2)
Dropping an AS Removing one of more ASes (not the origin AS) in a route makes the path shorter, and thus potentially preferable. The path might be “feasible” (e.g., as a backup) but not actually advertised, and thus should be rejected. Replaying an Update An AS that was on a path (perhaps very briefly) can be replayed later, when the prior path is no longer authentic Kapela/Pilosov MITM Attack Emit a bad route to attract traffic, and “poison” the route to cause selected ASes to ignore it, so that traffic can still be forwarded to the targeted AS (enabling a MITM attack)

14 Dropping an AS Assume AS 120 has a ROA for 129.7/16, maxlen = 18
129.7/16: (120) 129.7/16: (123, 120) AS 120 AS 123 AS 125 129.7/16: (120) 129.7/16: (124, 122, 120) 129.7/16: (123, 120) AS 124 AS 121 AS 122 AS 122 drops an AS to make its path appear shorter, to attract 129.7/16 traffic from AS 124 129.7/16: (122, 120) 129.7/16: (121, 120)

15 Hijack via Update Replay (1/2)
Assume AS 120 has a ROA for 129.7/16, maxlen = 18 129.7/16: (120) 129.7/16: (123, 120) AS 120 AS 123 AS 125 129.7/16: (120) 129.7/16: (124, 122, 123, 120) 129.7/16: (123, 120) AS 124 AS 121 AS 122 129.7/16: (121, 120) 129.7/16: (122, 123, 120)

16 Hijack via Update Replay (2/2)
Assume AS 120 has a ROA for 129.7/16, maxlen = 18 129.7/16: (120) 129.7/16: (123, 120) AS 120 AS 123 AS 125 129.7/16: (120) 129.7/16: (122, 123, 120) AS 124 AS 121 AS 122 no longer has a path to 120, but it can replay an old update AS 122 129.7/16: (122, 123, 120)

17 Kapela/Pilosov Attack (1/2)
AS 125 wants to be a MITM for traffic to 129.7/16 129.7/16: (120) 129.7/16: (123, 120) AS 120 AS 123 AS 125 129.7/16: (120) 129.7/16: (124, 122, 123, 120) AS 124 AS 121 AS 122 129.7/16: (121, 120) 129.7/16: (122, 123, 120)

18 Kapela/Pilosov Attack (2/2)
AS 125 forwards hijacked traffic to AS 120 via this path 129.7/16: (120) 129.7/16: (123, 120) AS 120 AS 123 AS 125 129.7/16: (120) 129.7/16: (123, 120) 129.7/17: (125, 123, 120) AS 124 AS 121 AS 122 129.7/17: (122, 124, 125, 123, 120) 129.7/17: (124, 125, 123, 120)

19 Ques t i ons

Download ppt "A Threat Model for BGPSEC"

Similar presentations

A Threat Model for BGPSEC Steve Kent BBN Technologies.

A Threat Model for BGPSEC Steve Kent BBN Technologies.
RPKI Standards Activity Geoff Huston APNIC February 2010.

RPKI Standards Activity Geoff Huston APNIC February 2010.
Security Issues In Mobile IP

Security Issues In Mobile IP
Multihoming and Multi-path Routing

Multihoming and Multi-path Routing
Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.

Local TA Management A TA is a public key and associated data used as the starting point for certificate path validation It need not be a self-signed certificate.
RPKI Certificate Policy Status Update Stephen Kent.

RPKI Certificate Policy Status Update Stephen Kent.
1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.

1 Robert Lychev Sharon GoldbergMichael Schapira Georgia Tech Boston University Hebrew University.
Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.

Sign What You Really Care About - $ecure BGP AS Paths Efficiently Yang Xiang Zhiliang Wang Jianping Wu Xingang Shi Xia Yin Tsinghua University, Beijing.
Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.

Martin Suchara in collaboration with I. Avramopoulos and J. Rexford How Small Groups Can Secure Interdomain Routing.
An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.

An Introduction to Routing Security (and RPKI Tools) Geoff Huston May 2013.
BGP Security APNIC Open Policy Meeting Routing SIG 23 February 2005 Kyoto, Japan Russ Housley

BGP Security APNIC Open Policy Meeting Routing SIG 23 February 2005 Kyoto, Japan Russ Housley
Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.

Validation Algorithms for a Secure Internet Routing PKI David Montana Mark Reynolds BBN Technologies.
Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.

Review of draft-ietf-sidr-arch-01.txt Steve Kent BBN Technologies.
Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.

Let the Market Drive Deployment A Strategy for Transitioning to BGP Security Phillipa Gill University of Toronto Sharon Goldberg Boston University Michael.
Information-Centric Networks04c-1 Week 4 / Paper 3 A Survey of BGP Security Issues and Solutions –Kevin Butler, Toni Farley, Patrick McDaniel, and Jennifer.

Information-Centric Networks04c-1 Week 4 / Paper 3 A Survey of BGP Security Issues and Solutions –Kevin Butler, Toni Farley, Patrick McDaniel, and Jennifer.
SPV: Secure Path Vector Routing for Securing BGP Leonel Ocsa Sáchez School of Computer Science.

SPV: Secure Path Vector Routing for Securing BGP Leonel Ocsa Sáchez School of Computer Science.
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
Securing the Border Gateway Protocol Using S-BGP Dr. Stephen Kent Chief Scientist - Information Security APNIC Open Policy Meeting Routing.

Securing the Border Gateway Protocol Using S-BGP Dr. Stephen Kent Chief Scientist - Information Security APNIC Open Policy Meeting Routing.
Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.

Resource PKI: Certificate Policy & Certification Practice Statement Dr. Stephen Kent Chief Scientist - Information Security.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.

Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.

Similar presentations

Ads by Google