2012-09-14

Abstract

This document describes a threat model for the context in which BGP
path security mechanisms will be developed.  It assumes the context
established by the SIDR WG charter, as of April 19, 2011.  The
charter established two goals for the SIDR work:

o  Enabling an AS to verify the authorization of an origin AS to
originate a specified set of prefixes

o  Enabling an AS to verify that the AS-PATH [sic] represen

1.  Introduction

This document describes the security context in which PATHSEC is
intended to operate.  It discusses classes of potential adversaries
that are considered to be threats, and classes of attacks that might
be launched against PATHSEC.  Because PATHSEC will rely on the
Resource Public Key Infrastructure (RPKI) [RFC6480], threats and
attacks against the RPKI are included.  This model also takes into
consideration classes of attacks that are enabled by the use of
PATHSEC (based on the current PATHSEC design).

The motivation for developing PATHSEC, i.e., residual security
concerns for BGP, is well described in several documents, including
"BGP Security Vulnerabilities Analysis" [RFC4272] and "Design and
Analysis of the Secure Border Gateway Protocol (S-BGP)" [Kent2000].
All of these documents note that BGP does not include mechanisms that
allow an Autonomous System (AS) to verify the legitimacy and
authenticity of BGP route advertisements.  (BGP now mandates support
for mechanisms to secure peer-peer communication, i.e., for the links
that connect BGP routers.  There are several secure protocol options
to address this security concern, e.g., IPsec [RFC4301] and TCP-AO
[RFC5925].  This document briefly notes the need to address this
aspect of BGP security, but focuses on application layer BGP security
issues that must be addressed by PATHSEC.)

RFC 4272 [RFC4272] succinctly notes:

BGP speakers themselves can inject bogus routing information,
either by masquerading as any other legitimate BGP speaker, or by
distributing unauthorized routing information as themselves.
Historically, misconfigured and faulty routers have been
responsible for widespread disruptions in the Internet.  The
legitimate BGP peers have the context and information to produce
believable, yet bogus, routing information, and therefore have the
opportunity to cause great damage.  The cryptographic protections
of [TCPMD5] and operational protections cannot exclude the bogus
information arising from a legitimate peer.  The risk of
disruptions caused by legitimate BGP speakers is real and cannot
be ignored.

PATHSEC is intended to address the concerns cited above, to provide
significantly improved path security, building upon the route
origination validation capability offered by use of the RPKI
[I-D.ietf-sidr-rpki-rtr].  Specifically, the RPKI enables relying
parties (RPs) to determine if the origin AS for a path was authorized
to advertise the prefix contained in a BGP update message.  This
security feature is enabled by the use of two types of digitally
signed data: a PKI [RFC6487] that associates one or more prefixes

Kent & Chi               Expires March 18, 2013                 [Page 4]

Internet-Draft     Threat Model for BGP Path Security     September 2012

with the public key(s) of an address space holder, and Route
Origination Authorizations (ROAs) [RFC6482] that allows a prefix
holder to specify the AS(es) that are authorized to originate routes
for a prefix.

The security model adopted for PATHSEC does not assume an "oracle"
that can see all of the BGP inputs and outputs associated with every
AS or every BGP router.  Instead, the model is based on a local
notion of what constitutes legitimate, authorized behavior by the BGP
routers associated with an AS.  This is an AS-centric model of secure
operation, consistent with the AS-centric model that BGP employs for
routing.  This model forms the basis for the discussion that follows.

This document begins with a brief set of definitions relevant to the
subsequent sections.  It then discusses classes of adversaries that
are perceived as viable threats against routing in the public
Internet.  It continues to explore a range of attacks that might be
effected by these adversaries, against both path security and the
infrastructure upon which PATHSEC relies.  It concludes with a brief
review of residual vulnerabilities, i.e., vulnerabilities that are
not addressed by use of the RPKI and that appear likely to be outside
the scope of PATHSEC mechanisms.

2.  Terminology

The following security and routing terminology definitions are
employed in this document.

Adversary - An adversary is an entity (e.g., a person or an
organization) perceived as malicious, relative to the security policy
of a system.  The decision to characterize an entity as an adversary
is made by those responsible for the security of a system.  Often one
describes classes of adversaries with similar capabilities or
motivations, rather than specific individuals or organizations.

Attack - An attack is an action that attempts to violate the security
policy of a system, e.g., by exploiting a vulnerability.  There is
often a many to one mapping of attacks to vulnerabilities, because
many different attacks may be used to exploit a vulnerability.

Autonomous System (AS) - An AS is a set of one or more IP networks
operated by a single administrative entity.

AS Number (ASN) - An ASN is a 2 or 4 byte number issued by a registry
to identify an AS in BGP.

Certification Authority (CA) - An entity that issues digital
certificates (e.g., X.509 certificates) and vouches for the binding
between the data items in a certificate.

Countermeasure - A countermeasure is a procedure or technique that
thwarts an attack, preventing it from being successful.  Often
countermeasures are specific to attacks or classes of attacks.

Border Gateway Protocol (BGP) - A path vector protocol used to convey
"reachability" information among autonomous systems, in support of
inter-domain routing.

False (Route) Origination - If a network operator originates a route
for a prefix that the operator does not hold (and that it has not
been authorized to originate by the prefix holder), this is termed
false route origination.

Internet Service Provider (ISP) - An organization managing (and,
typically, selling) Internet services to other organizations or
individuals.

Internet Number Resources (INRs) - IPv4 or IPv6 address space and
ASNs.

Internet Registry - An organization that manages the allocation or
distribution of INRs.  This encompasses the Internet Assigned Number
Authority (IANA), Regional Internet Registries (RIRs), National
Internet Registries (NIRs), and Local Internet Registries (LIRs,
network operators).

Man in the Middle (MITM) - A MITM is an entity that is able to
examine and modify traffic between two (or more) parties on a
communication path.

Network Operator - An entity that manages an AS and thus emits (E)BGP
updates, e.g., an ISP.

Network Operations Center (NOC) - A network operator employs a set of
equipment and a staff to manage a network, typically on a 24/7 basis.
The equipment and staff are often referred to as the NOC for the
network.

Prefix - A prefix is an IP address and a mask used to specify a set
of addresses that are grouped together for purposes of routing.

Public Key Infrastructure (PKI) - A PKI is a collection of hardware,
software, people, policies, and procedures used to create, manage,
distribute, store, and revoke digital certificates.

Relying Parties (RPs) - An RP is an entity that makes use of signed
products from a PKI, i.e., relies on signed data that is verified
using certificates and Certificate Revocation Lists (CRLs) from a
PKI.

RPKI Repository System - The RPKI repository system consists of a
distributed set of loosely synchronized databases.

Resource PKI (RPKI) - A PKI operated by the entities that manage
INRs, and that issues X.509 certificates (and CRLs) that attest to
the holdings of INRs.

RPKI Signed Object - An RPKI signed object is a Cryptographic Message
Syntax (CMS)-encapsulated data object complying with the format and
semantics defined in [RFC6488].

Route - In the Internet, a route is a prefix and an associated
sequence of ASNs that indicates a path via which traffic destined for
the prefix can be directed.  (The route includes the origin AS.)

Route leak - A route leak is said to occur when AS-A advertises
routes that it has received from an AS-B to AS-A's neighbors, but
AS-A is not viewed as a transit provider for the prefixes in the
route.

Threat - A threat is a motivated, capable adversary.  An adversary
that is not motivated to launch an attack is not a threat.  An
adversary that is motivated but not capable of launching an attack
also is not a threat.

Vulnerability - A vulnerability is a flaw or weakness in a system's
design, implementation, or operation and management that could be
exploited to violate the security policy of a system.

Full text: http://tools.ietf.org/html/draft-ietf-sidr-bgpsec-threats-03
