Known Threats to Routing Protocols Dennis Beard & Yi Yang Presented by Marc DesRosiers November 2002 Outline Threat Model Work to Date Sources Actions Consequences Generally Identifiable Threat Actions Multicast Routing Threat Actions Work in Progress Threat Action against Control Planes Other Specific Threat Actions Threat definition “A potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.” Robert Shirey, RFC2828: Internet Security Glossary The RFC definitions are the basis for the expression of our model Threat Model Threat Sources (Attackers / Intruders) Threat actions No No consequence Succeed? Yes Threat Consequences (Zone, Period) Threat Model - Sources Intruders or malicious programs launched by the intruder Compromised / subverted links Compromised / subverted routers Masquerading routers (illegitimately assumes identity/ role) Unauthorized devices * A router may play multiple roles simultaneously Threat Model - Actions Attacks and other intentional malicious actions against the routing protocols Address proper protocol design to mitigate threat Need to identify external factor that protocol should protect Deliberate exposure Sniffing/ wiretapping Traffic analysis Spoofing Falsification Interference Overload * An attacker may launch multiple actions simultaneously Threat Model - Consequences Compromises and the damage done by the malicious actions Disclosure • Belief of false routing info Disruption • Unauthorized access to routing info Deception • Zones (impact to router(s), Autonomous System(s), Global) Period (smaller, equal or greater than threat action duration) Operation degradation or interruption Usurpation • Control/ modification of legitimate router services / functions * An action may cause multiple consequences Work to Date – Generally Identifiable Threat Actions Deliberate Exposure Sniffing Declare invalid routing information Interference Assume other’s identity Falsification Indirect access to routing info gained by monitoring data traffic Spoofing Monitor routing exchange between legitimate routers Traffic Analysis Intentional release of routing information Impact routing exchanges Overload Place excessive burdens Deliberate Exposure Intentional release of routing information to unauthorized devices All attackers Disclosure Sniffing/ Wiretapping Monitor / record routing information Compromised / subverted links Disclosure Traffic Analysis Analyze data traffic to learn routing information Compromised / subverted links Disclosure Spoof Illegally assumes a legitimate router's identity All attackers Attackers become masquerading routers after successful spoof Consequences: Deception (on peer relationship) Disclosure (on routing information) Falsification Make and distribute invalid routing information Sources: Originator: All attackers except compromised / subverted links Forwarder: all attackers Consequences: Deception Usurpation Disruption Interference Inhibit routing exchanges All attackers Disruption Overload Place excess burden All attackers Disruption Work to Date - Multicast Threat Actions Introduction of misleading route information via nonexistent (black hole) or incorrect routes is a key MC routing vulnerability MC routing protocols are at least as susceptible as Unicast. Updates can be: Fabricated Modified Replayed Deleted Snooped Work in Progress – Threat Actions against Control Planes Unauthorized network mapping Promiscuous mode and network topology Instability in the routing protocols Work in Progress – Other Specific Threat Actions Byzantine Failures Discarding of control packets Impersonation and Intrusion Monitoring In Closing… We have presented a model to: Document threats & related consequences Provide a format to help prioritize results Enable a process to: 1. 2. Address top threat actions Make a decision on medium/ low threat actions Must be included Acceptable risk (future work) Next Step Need your input to address the following: Structure Content Consolidation Thank You! Contributors Dennis Beard – Nortel Networks Yi Yang – Cisco Systems Paul Knight – Nortel Networks Ameya Pandit – Univ of Missouri S. Ayyasamy – Univ of Missouri Ayman Musharbash- Nortel Networks Backup Material Usurpation Internet Router A Router B 20.0.0.0/8 Good Security? or Something Else? The following are desirable events to the overall routing infrastructure, but are they security concerns to the routing protocol? Topology Hiding – security or scalability/manageability or a business goal for revenue protection? Data Consistency – router being able to detect and recover from inconsistent data received from other routers. Security or correctness? Routing Information Policies – security or manageability? Incremental Deployment – security or good configuration control? Another Approach to Identify Routing Protocol Threats Identify common subsystems in routing protocols. Example: Transport subsystems Neighbor state maintenance Database maintenance Routing state maintenance Next granularity, describe different categories and subcategories for each subsystem.
© Copyright 2026 Paperzz