ACP/WGN/SGN4 WP1204
SG N1 WP1313
AERONAUTICAL COMMUNICATIONS PANEL (ACP)
Working Group N - NETWORKING
SUBGROUP N4 – Security Services
Meeting 12
Montreal, Canada
April 16-20, 2007
Threats to and Options for Securing the ATN IPS Routing Infrastructure
Prepared by: FAA, ATO-P Security Engineering Group
Presented by: Tom McParland
The Border Gateway Protocol Version 4 (BGP4) with multi-protocol extensions is planned to be the Inter-Domain (Exterior) Routing Protocol for the next generation ATN IPS. This paper documents threats to BGP and options for securing routing information exchanged among BGP routers.
1. Introduction
The Draft Manual of Detailed Technical Specification for Internet Protocol Suite (IPS) [ATN/IPS] specifies the Border Gateway Protocol (BGP) as the protocol for interdomain routing in the ATN IPS.
Because of the importance of BGP (it has become “the de facto interdomain routing protocol” of the Public Internet [BGPScty_Survey]), several government and standardization groups have begun to examine vulnerabilities of BGP and alternatives for applying security measures to it. The US Department of Homeland Security sponsored the Secure Protocols for the Routing Infrastructure [SPRI] project, and the National Institute of Standards and Technology (NIST) has published [SP 800-54], Border Gateway Protocol Security. Within the Internet Engineering Task Force (IETF), the Routing Protocol Security Requirements [RPsec] and Secure Inter-Domain Routing [SIDR] working groups have formed to identify and address problems of routing security. The RPsec working group has developed [RFC 4593], “Generic Threats to Routing Protocols”, [RFC 4272], “BGP Security Vulnerabilities Analysis”, and [BGPSctyReq], “BGP Security Requirements”. The SIDR working group is tasked to work on problems identified in the RPsec group and, among other items, is currently developing a Public-Key Infrastructure (PKI) to support BGP security.
2. Threats to the ATN IPS Routing Infrastructure
Threats to BGP can be categorized, following [BGPScty_Survey], into deliberate attacks between peers, large scale attacks, denial of service attacks, and threats due to misconfiguration.
2.1 Attacks Between Peers
Attacks against BGP peers occur on the interface between BGP speakers. A malicious entity may masquerade as a peer or may operate between two otherwise legitimate peers. Attacks may be launched against message integrity, for example, by inserting or modifying UPDATE messages. Attacks may be against message confidentiality by eavesdropping on BGP sessions. In general BGP sessions do not apply encryption; however, attacks against confidentiality may be used to gather information and in turn launch attacks against message integrity. Attacks between peers may also be launched to cause termination of the BGP sessions.
SP 800-54 identifies the following specific attacks:
- Peer Spoofing
- TCP Reset
- Session Hijacking
2.2 Large Scale Attacks
Because of the highly distributed nature of BGP, attacks do not necessarily have to occur just between peers. Remote attacks may be launched using a fraudulent origin. Such attacks can cause traffic to be routed to an unauthorized AS where packets could be dropped.
SP 800-54 identifies the following specific attacks:
- Route Flapping
- Route Deaggregation
- Malicious Route Injection
- Unallocated Route Injection
2.3 Denial of Service Attacks
Many of the attacks identified in 2.2 and 2.3, when applied repeatedly, may result in denial of service. This is due to the finite processing and storage resources of routers.
SP 800-54 identifies the following specific attacks:
- Resource Exhaustion
- Link Cutting Attack
2.4 Misconfiguration
Not all threats to the IPS routing infrastructure are deliberate. A misconfigured router may cause serious network-wide damage. As noted by Montgomery and Murphy [Secure_Routing], “the most serious threats to the BGP infrastructure have come from misconfigurations that have led to widespread, long-standing network outages” [BGP_Misconfig].
3. Options for Securing the ATN IPS Routing Infrastructure
3.1 Common Practices
3.1.1 TCP/MD5
The most common technique for securing BGP is to use [RFC 2385], “Protection of BGP Sessions via the TCP MD5 Signature Option”. Under this option a keyed message digest is applied at the TCP level. This provides authentication of BGP sessions, which operate over TCP.
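The keyed digest described above, computed and checked as RFC 2385 specifies (option kind 19, MD5 over the pseudo-header, the fixed TCP header with a zeroed checksum, the segment data and the key). This is an added example, not code from the working paper; the addresses, ports and key are constructed samples.

```python
import hashlib
import hmac
import socket
import struct

MD5_KIND, MD5_LEN = 19, 18          # TCP option kind and length from RFC 2385
A, B = "192.0.2.1", "192.0.2.2"     # constructed peer addresses
KEY = b"constructed-shared-secret"  # constructed key, configured on both peers


def md5_digest(src, dst, fixed_header, payload, key):
    """MD5 over pseudo-header, 20-byte header (checksum zeroed, options
    excluded), segment data and the shared key, in that order."""
    seg_len = (fixed_header[12] >> 4) * 4 + len(payload)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, seg_len))
    header = fixed_header[:16] + b"\x00\x00" + fixed_header[18:20]
    return hashlib.md5(pseudo + header + payload + key).digest()


def sign_segment(src, dst, sport, dport, seq, flags, payload, key):
    """Build a TCP segment (checksum left at zero) carrying the option."""
    words = (20 + 2 + MD5_LEN) // 4              # two NOPs pad the option
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                        words << 4, flags, 16384, 0, 0)
    digest = md5_digest(src, dst, fixed, payload, key)
    return fixed + bytes([1, 1, MD5_KIND, MD5_LEN]) + digest + payload


def verify_segment(src, dst, segment, key):
    """True only if the segment carries a digest matching our key."""
    if len(segment) < 20:
        return False
    hdr_len = (segment[12] >> 4) * 4
    opts, payload, i = segment[20:hdr_len], segment[hdr_len:], 0
    while i < len(opts) and opts[i] != 0:        # 0 = end of option list
        if opts[i] == 1:                         # 1 = NOP, single byte
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            return False                         # malformed option list
        if opts[i] == MD5_KIND and length == MD5_LEN:
            want = md5_digest(src, dst, segment[:20], payload, key)
            return hmac.compare_digest(want, opts[i + 2:i + length])
        i += length
    return False                                 # unsigned segment is dropped
```

A receiver applying this check discards a reset or data segment from a sender that does not hold the key, which is the session-authentication property the section relies on.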
3.1.2 IPsec
Internet Protocol Security (IPsec) may also be applied to protect BGP sessions. The IPsec architecture is defined in [RFC 4301], “Security Architecture for the Internet Protocol”. When configured to operate between routers, tunnel mode will typically be applied. Authentication of BGP sessions can be achieved using either [RFC 4302], “IP Authentication Header” or [RFC 4303], “IP Encapsulating Security Payload (ESP)” with the Null Encryption option.
3.1.3 Generalized TTL Security Mechanism
Mechanisms do not have to be cryptographic. The Generalized TTL Security Mechanism [RFC 3682] may be used to protect external Border Gateway Protocol peering sessions from CPU utilization-based attacks using forged IP packets. Enabling this feature prevents attempts to hijack the BGP peering session. This feature is enabled by configuring a minimum Time To Live (TTL) value for incoming IP packets received from a specific BGP peer. When this feature is enabled, BGP will establish and maintain the session only if the TTL value in the IP packet header is equal to or greater than the TTL value configured for the peering session. If the value is less than the configured value, the packet is discarded.
3.1.4 Defensive Routing Policies
Routers can be configured with route filtering to prevent improper updates of the routing database and propagation of routing information. Ingress filtering of incoming prefixes and egress filtering of outgoing prefixes may be applied.
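An ingress filter of the kind described above, written as an added example (not part of the working paper and not any router's own configuration language). The deny list, the prefix-length limits, the per-peer maximum and the sample announcements are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed deny list: special-purpose blocks that should never be accepted
# from an external peer (a real deployment tracks the registries instead).
DENY = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "fc00::/7", "fe80::/10", "ff00::/8")]
MAX_LEN = {4: 24, 6: 48}   # assumed policy: longest prefix accepted per family
MAX_PREFIXES = 3           # assumed per-peer limit, kept tiny for the sample
# Constructed sample: what one peer may announce and what it actually sent.
SAMPLE_ALLOWED = ["198.51.100.0/24", "2001:db8::/32"]
SAMPLE_ANNOUNCED = ["198.51.100.0/24", "10.1.0.0/16", "198.51.100.128/25",
                    "203.0.113.0/24", "2001:db8:a::/48", "bad"]


def ingress_filter(announced, peer_allowed):
    """Return (accepted, rejected, tear_down) for one peer's announcements.

    announced    -- prefix strings received in UPDATE messages
    peer_allowed -- prefixes this peer is authorised to announce
    """
    allowed = [ipaddress.ip_network(p) for p in peer_allowed]
    accepted, rejected = [], []
    for text in announced:
        try:
            net = ipaddress.ip_network(text, strict=True)
        except ValueError:
            rejected.append((text, "malformed prefix"))
            continue
        if any(net.overlaps(d) for d in DENY):
            reason = "special-purpose or unallocated space"
        elif net.prefixlen > MAX_LEN[net.version]:
            reason = "too specific (deaggregation)"
        elif not any(a.version == net.version and net.subnet_of(a)
                     for a in allowed):
            reason = "not authorised for this peer"
        elif len(accepted) >= MAX_PREFIXES:
            # Exceeding the limit signals the session should be torn down.
            return accepted, rejected + [(text, "max-prefix limit")], True
        else:
            accepted.append(str(net))
            continue
        rejected.append((text, reason))
    return accepted, rejected, False
```

The same function applied to a router's own outgoing announcements, with `peer_allowed` set to the prefixes it is entitled to originate, gives the egress side of the policy.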
3.2 Other Countermeasures
Several enhancements to BGP have been proposed that have a complete security architecture. These architectures include Secure BGP (S-BGP) and Secure Origin BGP (soBGP). S-BGP and soBGP involve the application of a Public Key Infrastructure. The Interdomain Route Validation (IRV) architecture involves accessing a server to validate received routing information. See [BGPScty_Survey] for a summary of these approaches.
4. Analysis
The following table is a summary of the specific attacks and countermeasures identified in SP 800-54.
Threat/Counter-measure / TCP/MD5 / IPsec / TTL Hack / Route Filtering / Specific Countermeasures
Peer Spoofing / X / X / Strong sequence number randomization
TCP Reset / X / X / TCP sequence number checking, Router Access Control
Session Hijacking / X / X / X / Strong sequence number randomization
Route Flapping / Graceful Restart, RFC-2439, RIPE-229
Route Deaggregation / X / Max Prefix-Limit, Secure router administration
Malicious Route Injection / X / X
Unallocated Route Injection / X / X / Drop unallocated prefixes
Resource Exhaustion / X / X / Drop SYN, SYN/ACK, Increase queue length
Link Cutting / X / Intrusion Detection Systems, Redundant backup nodes
5. Recommendation
It is recommended that at a minimum a recommendation (“should”) for authentication be added to the ATN/IPS technical manual. Further, SGN4 should incorporate the common practices as Guidance Material.
6. References
[ATN/IPS] Draft Manual of Detailed Technical Specification for Internet Protocol Suite (IPS), Version 10, January 29, 2007
[BGPScty_Survey] A Survey of BGP Security, Kevin Butler, Toni Farley, Patrick McDaniel, Jennifer Rexford, April 2005
[SPRI] US Department of Homeland Security Secure Protocols for the Routing Infrastructure (SPRI) project
[SP 800-54] National Institute of Standards and Technology (NIST) Special Publication 800-54, Border Gateway Protocol Security (Draft)
[RPsec] IETF Routing Protocol Security Requirements Working Group
[SIDR] IETF Secure Inter-Domain Routing Working Group
[Secure_Routing] “Toward Secure Routing Infrastructures”, D. Montgomery and S. Murphy, IEEE Security and Privacy, vol. 4, no. 5, pp. 84-87, Sept/Oct 2006
[BGP_Misconfig] “Understanding BGP Misconfiguration”, R. Mahajan, D. Wetherall, and T. Anderson, Proc. ACM SIGCOMM 2002, ACM Press, pp. 3-16, 2002
[RFC 4593] “Generic Threats to Routing Protocols”, A. Barbir, S. Murphy and Y. Yang, October 2006
[RFC 4272] “BGP Security Vulnerabilities Analysis”, S. Murphy, January 2006
[BGPSctyReq] “BGP Security Requirements”, draft-ietf-rpsec-bgpsecreq-07, R. Christian, T. Tauber, February 2007
[RFC 2385] “Protection of BGP Sessions via the TCP MD5 Signature Option”, A. Heffernan, August 1998
[RFC 4301] “Security Architecture for the Internet Protocol”, S. Kent, K. Seo, December 2005
[RFC 4302] “IP Authentication Header”, S. Kent, December 2005
[RFC 4303] “IP Encapsulating Security Payload (ESP)”, S. Kent, December 2005
[RFC 3682] “The Generalized TTL Security Mechanism (GTSM)”, Gill, Heasley, and Meyer, February 2004
[RFC 2439] “BGP Route Flap Damping”, C. Villamizar, R. Chandra, R. Govindan, November 1998
[RIPE-229] RIPE Routing-WG Recommendations for Route-Flap Damping Parameters
[RIPE-378] RIPE Routing-WG Recommendations for Route-Flap Damping, May 2006