Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Issues in Control, Management and Routing Protocols M.Baltatu, A.Lioy, F.Maino, D.Mazzocchi Computer and Network Security Group Politecnico di.

Published byGwendolyn Campbell Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Issues in Control, Management and Routing Protocols M.Baltatu, A.Lioy, F.Maino, D.Mazzocchi Computer and Network Security Group Politecnico di."— Presentation transcript:

1 Security Issues in Control, Management and Routing Protocols M.Baltatu, A.Lioy, F.Maino, D.Mazzocchi Computer and Network Security Group Politecnico di Torino (Italy) presented by: Madalina Baltatu

2 Internet = “Insecurity” n TCP/IP protocols lack for security n control and routing protocols have minimal or non-existent authentication n TCP/IP flaws used to construct serious attacks at the network infrastructure n... example: hosts/routers rely on IP source address for authentication n... which can be easily spoofed n TCP/IP protocols lack for security n control and routing protocols have minimal or non-existent authentication n TCP/IP flaws used to construct serious attacks at the network infrastructure n... example: hosts/routers rely on IP source address for authentication n... which can be easily spoofed

3 ICMP n Internet Control Message Protocol n ICMP vital because IP is a “best-effort” service n ICMP used by IP nodes: n to report errors encountered while processing IP datagrams n to perform other network layer functions, such as diagnostics and monitoring n ICMP messages are encapsulated inside IP n Internet Control Message Protocol n ICMP vital because IP is a “best-effort” service n ICMP used by IP nodes: n to report errors encountered while processing IP datagrams n to perform other network layer functions, such as diagnostics and monitoring n ICMP messages are encapsulated inside IP

4 Denial of Service Internet spoofed ICMP “port unreachable” server client attacker Denial of Service

5 Redirect source host destination host PGSG spoofed TCP open spoofed ICMP “redirect” response TCP open subverted traffic from T to D change routing table NET1 NET2 T D attacker subverted

6 Internet target host attacker’s network intermediary (broadcast) network “Smurf” attack spoofed ICMP “echo request” storm of ICMP “echo replies” IP broadcast to layer 2 broadcast

7 Internet victim’s network attacker’s network intermediary (broadcast) network Source address “filtering” IP source address filtering at one of the ISP router interfaces (RFC 2267)

8 Simple defence against ICMP attacks n Does an incoming ICMP error message really refer to a particular active traffic flow ? IP header type code checksum unused IP header and 64 bits of the original offending datagram careful checks

9 Authenticated ICMP messages n IP source address of ICMP messages should be cryptographically authenticated n IPsec offers authentication services at the network layer; ICMP could use it n ICMP messages should be sent on IPsec SAs n problems: n SA negotiation overhead may be un-acceptable n ICMP traffic may not travel end-to-end n the intermediate systems involved may have prohibitive admission policies n IPsec SA granularity (type & code not supported) n IP source address of ICMP messages should be cryptographically authenticated n IPsec offers authentication services at the network layer; ICMP could use it n ICMP messages should be sent on IPsec SAs n problems: n SA negotiation overhead may be un-acceptable n ICMP traffic may not travel end-to-end n the intermediate systems involved may have prohibitive admission policies n IPsec SA granularity (type & code not supported)

10 IPsec protection for ICMP broken link destination Internet sourceG1 G2 explicit SA for ICMP type 3, code 0 SA used by the offending IP traffic IKE Notify message

11 Security for intra-domain routing n routing security critical for the entire networking infrastructure n authentication mechanisms for RIP and OSPF n RIP is based on the distance vector algorithm (routing tables periodically exchanged between neighbour routers) n OSPF implements the shortest path algorithm (link state info is periodically distributed to all the routers of the AS via flooding) n routing security critical for the entire networking infrastructure n authentication mechanisms for RIP and OSPF n RIP is based on the distance vector algorithm (routing tables periodically exchanged between neighbour routers) n OSPF implements the shortest path algorithm (link state info is periodically distributed to all the routers of the AS via flooding)

12 Security threats for routing protocols n outsider attacks: an intruder masquerading as a router distributing incorrect routing info n insider attacks: mounted by a subverted or compromised router n consequences: n compromised routing tables n DoS on hosts which trust the affected routers n outsider attacks: an intruder masquerading as a router distributing incorrect routing info n insider attacks: mounted by a subverted or compromised router n consequences: n compromised routing tables n DoS on hosts which trust the affected routers

13 Protection n cryptographic checksums n against tampering with routing information n against generation of fraudulent routing information n sequence numbers and timestamps n against re-ordering and delaying genuine routing information n strong origin authentication n protection against intruders impersonating routers n confidentiality is typically not considered a primary requirement in routing security n cryptographic checksums n against tampering with routing information n against generation of fraudulent routing information n sequence numbers and timestamps n against re-ordering and delaying genuine routing information n strong origin authentication n protection against intruders impersonating routers n confidentiality is typically not considered a primary requirement in routing security

14 Routing security - general considerations n shared key-based cryptography (e.g., RIP-2): n significant amount of shared keys n manual key management can be a significant burden n automated key management not yet integrated with the forthcoming secure routing architecture n public key-based cryptography (e.g., OSPF): n comes at a high price n requests the set up of a PKI n shared key-based cryptography (e.g., RIP-2): n significant amount of shared keys n manual key management can be a significant burden n automated key management not yet integrated with the forthcoming secure routing architecture n public key-based cryptography (e.g., OSPF): n comes at a high price n requests the set up of a PKI

15 Conclusions n very serious attacks with ICMP and against routing protocols Solutions exists but are not applied! n strict traffic filtering against IP source address spoofing (RFC 2267) n education of the network managers n cryptography: key management protocols not generally adopted; standard PKI not yet agreed upon n very serious attacks with ICMP and against routing protocols Solutions exists but are not applied! n strict traffic filtering against IP source address spoofing (RFC 2267) n education of the network managers n cryptography: key management protocols not generally adopted; standard PKI not yet agreed upon

Download ppt "Security Issues in Control, Management and Routing Protocols M.Baltatu, A.Lioy, F.Maino, D.Mazzocchi Computer and Network Security Group Politecnico di."

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
NS-H0503-02/11041 Attacks. NS-H0503-02/11042 The Definition Security is a state of well-being of information and infrastructures in which the possibility.

NS-H /11041 Attacks. NS-H /11042 The Definition Security is a state of well-being of information and infrastructures in which the possibility.
CSCI 4550/8556 Computer Networks Comer, Chapter 23: An Error Reporting Mechanism (ICMP)

CSCI 4550/8556 Computer Networks Comer, Chapter 23: An Error Reporting Mechanism (ICMP)
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.

IP Security. Overview In 1994, Internet Architecture Board (IAB) issued a report titled “Security in the Internet Architecture”. This report identified.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Internet Control Message Protocol (ICMP)

Internet Control Message Protocol (ICMP)
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
© 2003 By Default! A Free sample background from www.powerpointbackgrounds.com Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
Cryptography and Network Security

Cryptography and Network Security
1 CCNA 2 v3.1 Module 8. 2 TCP/IP Suite Error and Control Messages CCNA 2 Module 8.

1 CCNA 2 v3.1 Module 8. 2 TCP/IP Suite Error and Control Messages CCNA 2 Module 8.
1 Internet Control Message Protocol (ICMP) RIZWAN REHMAN CCS, DU.

1 Internet Control Message Protocol (ICMP) RIZWAN REHMAN CCS, DU.
Petrozavodsk State University, Alex Moschevikin, 2003NET TECHNOLOGIES Internet Control Message Protocol ICMP author -- J. Postel, September 1981. The purpose.

Petrozavodsk State University, Alex Moschevikin, 2003NET TECHNOLOGIES Internet Control Message Protocol ICMP author -- J. Postel, September The purpose.
Network Layer4-1 NAT: Network Address Translation 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 138.76.29.7 local network (e.g., home network) 10.0.0/24 rest of.

Network Layer4-1 NAT: Network Address Translation local network (e.g., home network) /24 rest of.
ICMP (Internet Control Message Protocol) Computer Networks By: Saeedeh Zahmatkesh 90-91 spring.

ICMP (Internet Control Message Protocol) Computer Networks By: Saeedeh Zahmatkesh spring.
Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula.

Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula.
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 24 November 11, 2004.

Computer Science and Engineering Computer System Security CSE 5339/7339 Session 24 November 11, 2004.
IP (Internet Protocol) –the network level protocol in the Internet. –Philosophy – minimum functionality in IP, smartness at the end system. –What does.

IP (Internet Protocol) –the network level protocol in the Internet. –Philosophy – minimum functionality in IP, smartness at the end system. –What does.

Similar presentations

Ads by Google