Security Issues in Control, Management and Routing Protocols M.Baltatu, A.Lioy, F.Maino, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Madalina Baltatu

Internet = “Insecurity” n TCP/IP protocols lack for security n control and routing protocols have minimal or non-existent authentication n TCP/IP flaws used to construct serious attacks at the network infrastructure n... example: hosts/routers rely on IP source address for authentication n... which can be easily spoofed n TCP/IP protocols lack for security n control and routing protocols have minimal or non-existent authentication n TCP/IP flaws used to construct serious attacks at the network infrastructure n... example: hosts/routers rely on IP source address for authentication n... which can be easily spoofed

ICMP n Internet Control Message Protocol n ICMP vital because IP is a “best-effort” service n ICMP used by IP nodes: n to report errors encountered while processing IP datagrams n to perform other network layer functions, such as diagnostics and monitoring n ICMP messages are encapsulated inside IP n Internet Control Message Protocol n ICMP vital because IP is a “best-effort” service n ICMP used by IP nodes: n to report errors encountered while processing IP datagrams n to perform other network layer functions, such as diagnostics and monitoring n ICMP messages are encapsulated inside IP

Denial of Service Internet spoofed ICMP “port unreachable” server client attacker Denial of Service

Redirect source host destination host PGSG spoofed TCP open spoofed ICMP “redirect” response TCP open subverted traffic from T to D change routing table NET1 NET2 T D attacker subverted

Internet target host attacker’s network intermediary (broadcast) network “Smurf” attack spoofed ICMP “echo request” storm of ICMP “echo replies” IP broadcast to layer 2 broadcast

Internet victim’s network attacker’s network intermediary (broadcast) network Source address “filtering” IP source address filtering at one of the ISP router interfaces (RFC 2267)

Simple defence against ICMP attacks n Does an incoming ICMP error message really refer to a particular active traffic flow ? IP header type code checksum unused IP header and 64 bits of the original offending datagram careful checks

Authenticated ICMP messages n IP source address of ICMP messages should be cryptographically authenticated n IPsec offers authentication services at the network layer; ICMP could use it n ICMP messages should be sent on IPsec SAs n problems: n SA negotiation overhead may be un-acceptable n ICMP traffic may not travel end-to-end n the intermediate systems involved may have prohibitive admission policies n IPsec SA granularity (type & code not supported) n IP source address of ICMP messages should be cryptographically authenticated n IPsec offers authentication services at the network layer; ICMP could use it n ICMP messages should be sent on IPsec SAs n problems: n SA negotiation overhead may be un-acceptable n ICMP traffic may not travel end-to-end n the intermediate systems involved may have prohibitive admission policies n IPsec SA granularity (type & code not supported)

IPsec protection for ICMP broken link destination Internet sourceG1 G2 explicit SA for ICMP type 3, code 0 SA used by the offending IP traffic IKE Notify message

Security for intra-domain routing n routing security critical for the entire networking infrastructure n authentication mechanisms for RIP and OSPF n RIP is based on the distance vector algorithm (routing tables periodically exchanged between neighbour routers) n OSPF implements the shortest path algorithm (link state info is periodically distributed to all the routers of the AS via flooding) n routing security critical for the entire networking infrastructure n authentication mechanisms for RIP and OSPF n RIP is based on the distance vector algorithm (routing tables periodically exchanged between neighbour routers) n OSPF implements the shortest path algorithm (link state info is periodically distributed to all the routers of the AS via flooding)

Security threats for routing protocols n outsider attacks: an intruder masquerading as a router distributing incorrect routing info n insider attacks: mounted by a subverted or compromised router n consequences: n compromised routing tables n DoS on hosts which trust the affected routers n outsider attacks: an intruder masquerading as a router distributing incorrect routing info n insider attacks: mounted by a subverted or compromised router n consequences: n compromised routing tables n DoS on hosts which trust the affected routers

Protection n cryptographic checksums n against tampering with routing information n against generation of fraudulent routing information n sequence numbers and timestamps n against re-ordering and delaying genuine routing information n strong origin authentication n protection against intruders impersonating routers n confidentiality is typically not considered a primary requirement in routing security n cryptographic checksums n against tampering with routing information n against generation of fraudulent routing information n sequence numbers and timestamps n against re-ordering and delaying genuine routing information n strong origin authentication n protection against intruders impersonating routers n confidentiality is typically not considered a primary requirement in routing security

Routing security - general considerations n shared key-based cryptography (e.g., RIP-2): n significant amount of shared keys n manual key management can be a significant burden n automated key management not yet integrated with the forthcoming secure routing architecture n public key-based cryptography (e.g., OSPF): n comes at a high price n requests the set up of a PKI n shared key-based cryptography (e.g., RIP-2): n significant amount of shared keys n manual key management can be a significant burden n automated key management not yet integrated with the forthcoming secure routing architecture n public key-based cryptography (e.g., OSPF): n comes at a high price n requests the set up of a PKI

Conclusions n very serious attacks with ICMP and against routing protocols Solutions exists but are not applied! n strict traffic filtering against IP source address spoofing (RFC 2267) n education of the network managers n cryptography: key management protocols not generally adopted; standard PKI not yet agreed upon n very serious attacks with ICMP and against routing protocols Solutions exists but are not applied! n strict traffic filtering against IP source address spoofing (RFC 2267) n education of the network managers n cryptography: key management protocols not generally adopted; standard PKI not yet agreed upon