draft-ietf-sidr-bgpsec-threats-07.txt vs. draft-ietf-sidr-bgpsec-threats-08.txt

rfcdiff comparison of the two drafts. Text common to both versions is
shown once. Where the versions differ, both are shown, labelled [-07]
and [-08]; text that -08 only adds is labelled [-08 adds].

Secure Inter-Domain Routing                                      S. Kent
Internet-Draft                                                       BBN
Intended status: Informational                                    A. Chi
Expires: April 11, 2014 (-07) / May 26, 2014 (-08)                UNC-CH
                             October 08, 2013 (-07) / November 22, 2013 (-08)

                   Threat Model for BGP Path Security
                draft-ietf-sidr-bgpsec-threats-07 (-07)
                draft-ietf-sidr-bgpsec-threats-08 (-08)

Abstract

[-07]
This document describes a threat model for the context in which
(E)BGP path security mechanisms will be developed. The threat model
includes an analysis of the RPKI, and focuses on the ability of an AS
to verify the authenticity of the AS path info received in a BGP
update. We use the term PATHSEC to refer to any BGP path security
technology that makes use of the RPKI. PATHSEC will secure BGP
[RFC4271], consistent with the inter-AS security focus of the RPKI
[RFC6480].

[-08]
This document describes a threat model for the context in which
Exterior Border Gateway Protocol (EBGP) path security mechanisms will
be developed. The threat model includes an analysis of the Resource
Public Key Infrastructure (RPKI), and focuses on the ability of an
autonomous system (AS) to verify the authenticity of the AS path info
received in a BGP update. We use the term PATHSEC to refer to any
BGP path security technology that makes use of the RPKI. PATHSEC
will secure BGP, consistent with the inter-AS security focus of the
RPKI.

[-07]
The document characterizes classes of potential adversaries that are
considered to be threats, and examines classes of attacks that might
be launched against PATHSEC. It does not revisit attacks against
unprotected BGP, as that topic has already been addressed in
[RFC4271]. It concludes with a brief discussion of residual
vulnerabilities.

[-08]
The document characterizes classes of potential adversaries that are
considered to be threats, and examines classes of attacks that might
be launched against PATHSEC. It does not revisit attacks against
unprotected BGP, as that topic has already been addressed in the
BGP-4 standard. It concludes with a brief discussion of residual
vulnerabilities.

Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on April 11, 2014 (-07) / May 26,
2014 (-08).

Copyright Notice

Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.

Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Threat Characterization . . . . . . . . . . . . . . . . . . . 6
4. Attack Characterization . . . . . . . . . . . . . . . . . . . 7 (-07) / 8 (-08)
4.1. Active wiretapping of sessions between routers . . . . . 8
4.2. Attacks on a BGP router . . . . . . . . . . . . . . . . . 8
4.3. Attacks on network operator management computers (non-CA
computers) . . . . . . . . . . . . . . . . . . . . . . . 10
4.4. Attacks on a repository publication point . . . . . . . . 11
4.5. Attacks on an RPKI CA . . . . . . . . . . . . . . . . . . 13
5. Residual Vulnerabilities . . . . . . . . . . . . . . . . . . 16
6. Security Considerations . . . . . . . . . . . . . . . . . . . 17
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18
9. Informative References . . . . . . . . . . . . . . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19

1. Introduction

[-07]
This document describes the security context in which PATHSEC is
intended to operate. (The term "PATHSEC" is employed in this
document to refer to any design used to achieve the path security
goal described in the SIDR WG charter. The charter focuses on
mechanisms that will enable an AS to determine if the AS_PATH
represented in a route represents the path via which the Network
Layer Reachability Information traveled. Other SIDR documents use
the term "BGPSEC" to refer to a specific design.) It discusses
classes of potential adversaries that are considered to be threats,
and classes of attacks that might be launched against PATHSEC.
Because PATHSEC will rely on the Resource Public Key Infrastructure
(RPKI) [RFC6480], threats and attacks against the RPKI are included.
This model also takes into consideration classes of attacks that are
enabled by the use of PATHSEC (based on the current PATHSEC design.)

[-08]
This document describes the security context in which PATHSEC is
intended to operate. The term "PATHSEC" (for path security) refers
to any design used to preserve the integrity and authenticity of the
AS_PATH attribute carried in a BGP update message [RFC4271]. The
goal of PATHSEC is to enable a BGP speaker to verify that the
Autonomous Systems (ASes) enumerated in this path attribute represent
the sequence of ASes that the Network Layer Reachability Information
(NLRI) traversed. The term PATHSEC is thus consistent with the goal
described in the SIDR WG charter. (Other SIDR documents use the term
"BGPSEC" to refer to a specific design, thus we avoid use of that
term here.)

This document discusses classes of potential adversaries that are
considered to be threats, and classes of attacks that might be
launched against PATHSEC. The SIDR charter requires that solutions
that afford PATHSEC must make use of the Resource Public Key
Infrastructure (RPKI) [RFC6480]. Because PATHSEC will rely on the
RPKI, threats and attacks against the RPKI are included. This model
also takes into consideration classes of attacks that are enabled by
the use of PATHSEC (e.g., based on use of the RPKI).

The motivation for developing PATHSEC, i.e., residual security
concerns for BGP, is well described in several documents, including
"BGP Security Vulnerabilities Analysis" [RFC4272] and "Design and
Analysis of the Secure Border Gateway Protocol (S-BGP)" [Kent2000].
All of these documents note that BGP does not include mechanisms that
allow an Autonomous System (AS) to verify the legitimacy and
authenticity of BGP route advertisements. (BGP now mandates support
for mechanisms to secure peer-peer communication, i.e., for the links
that connect BGP routers. There are several secure protocol options
to address this security concern, e.g., IPsec [RFC4301] and TCP-AO

[skipping to change at page 7, line 15 (-07) / page 7, line 17 (-08)]

Hackers - Hackers are considered a threat. A hacker might assume
control of network management computers and routers controlled by
operators, including operators that implement PATHSEC. In such
cases, hackers would be able to act as rogue network operators (see
above). It is assumed that hackers generally do not have the
capability to effect MITM attacks on most links between networks
(links used to transmit BGP and subscriber traffic). A hacker might
be recruited, without his/her knowledge, by criminals or by nations,
to act on their behalf. Hackers may be motivated by a desire for
"bragging rights" or for profit or to express support for a cause
("hacktivists" [Sam04]).

[-08 adds]
We view hackers as possibly distinct from
criminals in that the former are presumed to effect attacks only
remotely (not via a physical presence associated with a target) and
not necessarily for monetary gain. Some hackers may commit criminal
acts (depending on the jurisdiction), and thus there is a potential
for overlap between this adversary group and criminals.

Criminals - Criminals may be a threat. Criminals might persuade (via
threats or extortion) a network operator to act as a rogue operator
(see above), and thus be able to effect a wide range of attacks.
Criminals might persuade the staff of a telecommunications provider
to enable MITM attacks on links between routers. Motivations for
criminals may include the ability to extort money from network
operators or network operator clients, e.g., by adversely affecting
routing for these network operators or their clients. Criminals also
may wish to manipulate routing to conceal the sources of spam, DoS

End of changes. 8 change blocks. 28 lines changed or deleted, 41
lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is
available from http://tools.ietf.org/tools/rfcdiff/