TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 1
TDC 375 – Network ProtocolsTDC 563 – P&T for Data Networks
Routing Threats
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 2
One of two critical systems
Routing (BGP) and naming (DNS) are by far the two most critical subsystems of the Internet infrastructure. In the case of BGP, participation in and access to the routing system itself is generally, or rather should be, limited to a subset of trustworthy nodes and admins.
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 3
Agenda
• Routing and BGP Refresher
• Threats
• Mitigation
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 4
Do all IP hosts route? Yes.
Most hosts make one of three routing decisions:
1) send packet to another via a relay
2) send packet to itself
3) send packet to a directly attached neighbor
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 5
Simplified routing decision tree
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 6
Your end host != router
• Need to know your address, network and gateway
• not so much a “routing system” process
• this is your host's bootstrap challenge
• We don't tend to think of end hosts as routers
• How do they differ then?
• network / interface attachments
• distributed routing algorithms
• forwarding packets on another's behalf
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 7
Real routers work more like this
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 8
Best match forwarding
• Forward packet via the “most specific” route
• Most specific to least specific (IPv4 example):
• host (/32) route, /31, /30, /29, ... default (/0)
• If no route, drop and return ICMP error to source
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 9
Routers as signposts
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 10
How do routers build a signpost?
• Maybe manually configured, but that doesn't scale
• Routers gossip amongst themselves
• Well defined “gossip” protocols are used
• e.g. RIP, EIGRP, OSPF, IS-IS, BGP
• a bootstrap configuration is generally required
• Reachability information associated with all routes
• e.g. distance, cost, preference, policy
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 11
Key IPv4 field for routing: TTL
• More apt name today would be hop count
• in fact, that is just what it is called in IPv6 now
• This field prevents packets looping forever
• Other uses are secondary to this
• traceroute
• source OS fingerprint and distance detection
• BGP peering hack (aka GTSM, RFC 3682)
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 12
Key IP field for routing:Destination Address
• Consists of both a...
• host/interface identifier (usually unique) and
• a network identifier (also usually unique)
• Combined, the daddr helps hosts and routers
• get the packet to the correct network
• and to the specific host on the correct network
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 13
There is router security and there is route security
• Few serious network engineers use HTTP
• “That's probably good. Yes?”
• But Many Cisco networks still use Telnet
• “Whiskey Tango Foxtrot!?!?”
• Many networks have SNMPv1 write enabled
• “Shut The Front Door!?!”
• Almost nobody watches out for more specifics
• “Specifics, phermifics, big deal!?”
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 14
Au contraire
• Router security
• authentication, filtering, crypto... DONE!
• uhm, no
• Route security
• this is the old, “my security, depends on your ability to do security” problem
• say you have and announce a /16
• someone announces /24's in that /16.
• uh-oh
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 15
BGP Refresher
• Basic protocol overview
• BGP message types
• BGP path attributes
• Properties that affect BGP route decision process
• Jargon
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 16
BGP Overview
• The routing protocol for connecting domains
• Besides the network prefix the path is the key component of a BGP route
• Autonomous system numbers (ASNs) define path
• generally an ASN == domain
• NOTE: this is not a reference to DNS!• Even if you don't use it for actual Internet routing, it
might be handy for other things (e.g Team Cymru bogon route server, IP addr to ASN mapping)
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 17
Exchanges and Peering
• Networks need to connect to each other
• Question: Who pays who?
• Question: Where do they physically connect at?
• Peering is an entire “ecosystem” unto itself
• Paid versus settlement-free peering
• Transit versus peering and exchanges
• Peering requirements and network types
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 18
Path Vector Routing
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 19
BGP over TCP port 179
• One-to-one peering relationship
• Inherit TCP behaviors, advantages and threats
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 20
Common BGP Header
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 21
BGP message types
1 – OPEN
2 – UPDATE
3 – NOTIFICATION
4 – KEEPALIVE
5 – ROUTE-REFRESH
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 22
BGP OPEN
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 23
BGP UPDATE
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 24
BGP NOTIFICATION
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 25
Common BGP Path Attributes
AttributeWell-known mandatory
Well-known discretionary
Optional transitive
Optionalnon-transitive
ORIGIN X
AS_PATH X
NEXT_HOP X
MULTI_EXIT_DISC X
ATOMIC_AGGREGATE X
AGGREGATOR X
COMMUNITY X
MP_REACH_NLRI X
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 26
Affecting BGP Route Decisions
• Prefix length
• LOCAL_PREF
• ORIGIN
• AS_PATH length
• MULTI_EXIT_DISC
• Router import and export policies
• … and more ...
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 27
BGP Operational Challenges
• Each AS operates autonomously
• Implicit trust (“routing by rumor”)
• Configuration and policy intensive
• In-band control traffic
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 28
Threats
• Availability
• Confidentiality
• Integrity
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 29
Threats to Availability
• TCP and lower layer attacks
• Packet floods and control path congestion
• Route instability and churn
• Route flap dampening
• Disaggregation and route table exhaustion
• Implementation bugs and configuration errors
• Route hijacking and black holes
• Policy disputes
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 30
Threats to Confidentiality
• Clear text communications
• Routing leaks
• Policy configuration leaks
• Route hijacking
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 31
Threats to Integrity
• Implementation bugs
• Protocol design weaknesses
• Compromised systems
• Route hijacking
• Path editing
• Overt or covert transit theft
• Divergence
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 32
A Quantitative Analysis of the Insecurity of Embedded Network
Devices: Results of a Wide-Area Scan• “...we have identified over 540,000 publicly
accessible embedded devices configured with factory default root passwords.”
• “...range from enterprise equipment such as firewalls and routers to consumer appliances such as VoIP adapters, cable and IPTV boxes to office equipment...”
• “Vulnerable devices were detected in 144 countries, across 17,427 unique private enterprise, ISP, government, educational, satellite provider as well as residential network environments.”
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 33
Mitigation
• Protecting the transport
• Router BCPs
• Route monitoring
• Policies and Defensive filtering
• RPKI and BGPSEC
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 34
Protecting the transport
• TCP MD5 signature option and TCP-AOhttp://tools.ietf.org/html/rfc2385http://tools.ietf.org/html/rfc5925
• IPSec http://tools.ietf.org/html/rfc4301
• RFC 5082 Generalized TTL Security Mechanismhttp://tools.ietf.org/html/rfc5082
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 35
Router BCPs
• Configuration templateshttp://www.team-cymru.org/ReadingRoom/Templates/http://www.nsa.gov/ia/guidance/security_configuration_guides/
• Control plane protection
• Limited and protected remote access
• Current software
• Configuration management
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 36
Route monitoring
• http://bgpmon.net
• http://bgplay.routeviews.org/bgplay/
• http://puck.nether.net/bgp/leakinfo.cgi
• http://www.ripe.net/data-tools/stats/ris/
• http://www.team-cymru.org/Monitoring/BGP/
• http://bgp.he.net
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 37
Policies and Defensive Filtering
• Document policy with peers
• Internet Routing Registries (IRRs)
• Max prefix and path length limits
• Limiting disaggregation
• Remote triggered black hole filtering (RTBH)http://tools.ietf.org/search/rfc5635
• Dissemination of Flow Specification Ruleshttp://tools.ietf.org/search/rfc5575 http://www.cymru.com/jtk/misc/community-fs.html
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 38
BGP Remote Triggered Blackhole
• Goal: Have remote router /dev/null certain traffic
• Trick: use next-hop address that points to /dev/null
• Trick: Using policy, set next-hop for matching traffic
• Team Cymru bogon route server does this
• Many ISPs offer this as a DDoS relief service
• IPaddr getting packeted? Have upstream null it
• Also see IETF RFC 5635
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 39
unicast Reverse Path Check (uRPF)
• Goal: mitigate source address spoofing
• Trick: Validate source address to ingress interface
• is there a route back via that interface?
• Loose versus strict mode
• Easier than ACLs (filters)? Maybe
• doesn't work for everyone
• What do you do if you have a default route?
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 40
NetFlow
• Key router technology for analysis and monitoring
• NetFlow is not like pcap
• A unidirectional summary of traffic for a “flow”
• Flow is a unique tuple of addrs, proto, ports
• Router “exports” flows at timer, RST, FIN, etc
• Data may be limited due to sampling
• Scales very well and is very popular
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 41
Flow specification (flow-spec)
• Using BGP, exchange “flow-spec” to act on
• Largely used as a distributed firewall filter
• Can be more precise than a BGP RTBH
• Besides filtering, you can rate limit, log, pass
• Not widely implemented
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 42
RPKI and BGPSEC
• Observation:
There is no official, and consequently, no strong association between address assignment and routing announcements
• Problem:
How do you guard against routing threats, such as hijacks, without a means to verify the routing announcements?
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 43
Resource Public Key Infrastructure (RPKI)
• RIRs maintain RPKI infrastructure
• Prefixes linked to authorized AS
• In-band via soBGP or S-BGP
• Out-of-band for near-time validation and monitoring
• IETF SIDR WG spearheading RPKI work
• Only for origin validation
• BGPSEC working on path validation
• Similar in scope to DNSSEC architectural changes
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 44
A Future of IRR with RPKI
TDC 375/563 Spring 2013/14 John Kristoff – DePaul University 45
In Closing
• RFC 4271 A Border Gateway Protocol 4 (BGP-4)
• RFC 4593 Generic Threats to Routing Protocols
• IETF Secure Inter-Domain Routing (sidr) WG
• Academic papers:
• Securing BGP – A Literature Survey
• A Survey of BGP Security Issues and Solutions
• Securing BGP with BGPsec