One document matched: draft-foo-sidr-simple-leak-attack-bgpsec-no-help-00.txt
SIDR D. McPherson
Internet-Draft Verisign, Inc.
Intended status: Informational S. Amante
Expires: May 19, 2012 Level 3 Communications, Inc.
November 16, 2011
Route Leak Attacks Against BGPSEC
draft-foo-sidr-simple-leak-attack-bgpsec-no-help-00
Abstract
This document describes a very simple attack vector that illustrates
how RPKI-enabled BGPSEC machinery as currently defined can be easily
circumvented in order to launch a Man In The Middle (MITM) attack via
BGP. It is meant to serve as input to the SIDR WG during routing
security requirements specification and discussions, and secure
routing protocol designs.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 19, 2012.
Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
McPherson & Amante Expires May 19, 2012 [Page 1]
Internet-Draft Route Leak Attacks Against BGPSEC November 2011
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Security Considerations . . . . . . . . . . . . . . . . . . . . 5
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8
McPherson & Amante Expires May 19, 2012 [Page 2]
Internet-Draft Route Leak Attacks Against BGPSEC November 2011
1. Introduction
This document describes a very simple attack vector that illustrates
how RPKI-enabled BGPSEC machinery as currently defined can be easily
circumvented in order to launch a Man In The Middle (MITM) attack via
BGP. It is meant to serve as input to the SIDR WG during routing
security requirements specification and discussions, and secure
routing protocol designs.
McPherson & Amante Expires May 19, 2012 [Page 3]
Internet-Draft Route Leak Attacks Against BGPSEC November 2011
2. Discussion
Assume a stub Autonomous System (AS), AS 1, multi-homed to two ISPs
(ISP1 & ISP2) wishes to insert themselves in the datapath between a
target network (prefix P) connected to ISP2 and systems in ISP1's
network in order to launch a Man In The Middle (MITM) attack.
Further assume that an RPKI-enabled BGPSEC as currently defined is
fully deployed and functioning as designed by all parties in this
scenario.
Network operators on the Internet today typically prefer customer
routes over routes learned from bi-lateral or settlement free peers.
Network operators accomplish this via BGP Path Attributes,
specifically LOCAL_PREF, that are evaluated earlier in the BGP Path
Selection process than AS_PATH length.
As currently defined, BGPSEC only provides two functions:
1. Is an Autonomous System authorized to originate an IP prefix?
2. Is the AS_PATH represented in the route the same as the list of
ASes through which the NLRI traveled?
In order for an attacker (AS 1), to divert traffic from ISP1 for
prefix P through their AS they simply fail to scope the propagation
of the target prefix P (received from ISP2) by announcing a
(syntactically correct) BGPSEC update for prefix P to ISP1. This
vulnerability is what the authors refer to as a 'route leak'. It is
important to note that the default behavior in BGP is to announce all
best paths to external BGP peers, unless explicitly scoped by a BGP
speaker through configuration. Because ISP1 prefers prefixes learned
from customers (AS 1) over prefixes learned from peers (ISP2), they
begin forwarding traffic for prefix P destinations through the
attacker's AS (AS 1). Viola!
Discussion of out of band methods to mitigate this attack are beyond
the scope of this document.
McPherson & Amante Expires May 19, 2012 [Page 4]
Internet-Draft Route Leak Attacks Against BGPSEC November 2011
3. Security Considerations
This document describes an attack on an RPKI-enabled BGPSEC and is
meant to inform the IETF Secure Inter-Domain Routing Working Group on
the vulnerabilty that exists as a result of "leaks".
McPherson & Amante Expires May 19, 2012 [Page 5]
Internet-Draft Route Leak Attacks Against BGPSEC November 2011
4. Acknowledgements
McPherson & Amante Expires May 19, 2012 [Page 6]
Internet-Draft Route Leak Attacks Against BGPSEC November 2011
5. IANA Considerations
No action required.
McPherson & Amante Expires May 19, 2012 [Page 7]
Internet-Draft Route Leak Attacks Against BGPSEC November 2011
Authors' Addresses
Danny McPherson
Verisign, Inc.
Email: dmcpherson@verisign.com
Shane Amante
Level 3 Communications, Inc.
Email: shane@level3.net
McPherson & Amante Expires May 19, 2012 [Page 8]
| PAFTECH AB 2003-2026 | 2026-04-24 09:00:05 |