Security Issues in Control, Management and Routing Protocols

M.Baltatu, A.Lioy, F.Maino, D.Mazzocchi
Computer and Network Security Group
Politecnico di Torino (Italy)
presented by: Madalina Baltatu

Internet = “Insecurity”
- TCP/IP protocols lack security
- control and routing protocols have minimal or non-existent authentication
- TCP/IP flaws are used to construct serious attacks against the network infrastructure
- ... example: hosts/routers rely on the IP source address for authentication
- ... which can be easily spoofed

ICMP
- Internet Control Message Protocol
- ICMP vital because IP is a “best-effort” service
- ICMP used by IP nodes:
  - to report errors encountered while processing IP datagrams
  - to perform other network layer functions, such as diagnostics and monitoring
- ICMP messages are encapsulated inside IP

Denial of Service
[Figure labels: attacker, spoofed ICMP “port unreachable”, Internet, server, client]

Denial of Service
[Figure labels: Redirect; source host T; destination host D; attacker; NET1; NET2; PG; SG; spoofed TCP open; TCP open response; spoofed ICMP “redirect”; change routing table; subverted; traffic from T to D]

“Smurf” attack
[Figure labels: attacker’s network; spoofed ICMP “echo request”; Internet; intermediary (broadcast) network; IP broadcast to layer 2 broadcast; storm of ICMP “echo replies”; target host]

Source address “filtering”
[Figure labels: attacker’s network; Internet; intermediary (broadcast) network; victim’s network]
- IP source address filtering at one of the ISP router interfaces (RFC 2267)

Simple defence against ICMP attacks
- Does an incoming ICMP error message really refer to a particular active traffic flow?

[Figure: ICMP error message layout, annotated “careful checks”: IP header | type | code | checksum | unused | IP header and 64 bits of the original offending datagram]
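
One way to carry out the check on this slide, as an added example that is not part of the original presentation: the receiver parses the quoted IP header and 64 bits and accepts the ICMP error only if they match a flow it is actually running. The flow table layout, the function names, the constructed sample builder and the TCP sequence-window test are assumptions of this example.

```python
import socket
import struct

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # unreachable, quench, redirect, time exceeded, parameter problem

def inet_checksum(data: bytes) -> int:
    """RFC 1071 checksum; returns 0 over a message whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def icmp_error_matches_flow(icmp: bytes, flows: dict) -> bool:
    """True only if the ICMP error quotes a datagram belonging to an active flow.

    flows (hypothetical table): (proto, src_ip, sport, dst_ip, dport) ->
    (snd_una, snd_nxt) for TCP, None for UDP.
    """
    if len(icmp) < 8 + 20 + 8 or inet_checksum(icmp) != 0:
        return False
    if icmp[0] not in ICMP_ERROR_TYPES:
        return False
    inner = icmp[8:]                      # quoted IP header + 64 bits
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return False
    proto = inner[9]
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    key = (proto, src, sport, dst, dport)
    if key not in flows:
        return False                      # refers to traffic this host never sent
    if proto == socket.IPPROTO_TCP:
        una, nxt = flows[key]             # quoted sequence number must be in flight
        return ((seq - una) & 0xFFFFFFFF) < ((nxt - una) & 0xFFFFFFFF)
    return True

def build_icmp_error(icmp_type, code, proto, src, sport, dst, dport, seq=0):
    """Constructed sample input: ICMP error quoting a 20-byte IP header + 8 bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    msg = struct.pack("!BBHI", icmp_type, code, 0, 0) + ip + struct.pack("!HHI", sport, dport, seq)
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]
```

The 64 quoted bits cover the ports and, for TCP, the sequence number, so a sender who cannot observe the flow has to guess all of them for the message to be accepted.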

Authenticated ICMP messages
- IP source address of ICMP messages should be cryptographically authenticated
- IPsec offers authentication services at the network layer; ICMP could use it
- ICMP messages should be sent on IPsec SAs
- problems:
  - SA negotiation overhead may be unacceptable
  - ICMP traffic may not travel end-to-end
  - the intermediate systems involved may have prohibitive admission policies
  - IPsec SA granularity (type & code not supported)

IPsec protection for ICMP
[Figure labels: source; G1; Internet; broken link; G2; destination; explicit SA for ICMP type 3, code 0; SA used by the offending IP traffic; IKE Notify message]

Security for intra-domain routing
- routing security critical for the entire networking infrastructure
- authentication mechanisms for RIP and OSPF
- RIP is based on the distance vector algorithm (routing tables periodically exchanged between neighbour routers)
- OSPF implements the shortest path algorithm (link state info is periodically distributed to all the routers of the AS via flooding)

Security threats for routing protocols
- outsider attacks: an intruder masquerading as a router distributing incorrect routing info
- insider attacks: mounted by a subverted or compromised router
- consequences:
  - compromised routing tables
  - DoS on hosts which trust the affected routers

Protection
- cryptographic checksums
  - against tampering with routing information
  - against generation of fraudulent routing information
- sequence numbers and timestamps
  - against re-ordering and delaying genuine routing information
- strong origin authentication
  - protection against intruders impersonating routers
- confidentiality is typically not considered a primary requirement in routing security

Routing security - general considerations
- shared key-based cryptography (e.g., RIP-2):
  - significant number of shared keys
  - manual key management can be a significant burden
  - automated key management not yet integrated with the forthcoming secure routing architecture
- public key-based cryptography (e.g., OSPF):
  - comes at a high price
  - requires the setup of a PKI

Conclusions
- very serious attacks with ICMP and against routing protocols

Solutions exist but are not applied!
- strict traffic filtering against IP source address spoofing (RFC 2267)
- education of the network managers
- cryptography: key management protocols not generally adopted; standard PKI not yet agreed upon