Session 3: Routing Protocol Security

Question 1

What are possible consequences of attacks towards an OSPF-domain?

Answer 1

• Black-holing routes (also known as null routes). PAckets are dropped and not forwarded and hence goes nowere.
• delays, latency and congestion in the network
• Forced loops or partitioning
• Delay or prevention of the routing table convergence
• Imposing of DoS on routers

Attacks can originate externally, but also from the inside originating from router compromise.

Question 2

What are the possible authentication types inside the OSPF-header authentication field?

Answer 2

• Type 0: Null-authentication, meaning that communication is not authenticated at all.
• Type 1: Authentication with password
• Type 2: Cryptographic authentication. This relies on a shared key and MD5 hash calculation for all LSAs

Sequence numbers is used to address replay attacks. Shared keys + weak hashing (MD5) makes the security infeasible.

Question 3

Mention attack vectors and defence mechanisms of OSPF

Answer 3

Defences:

• figh-back mechanism: If a router receives a copy of a LSA (Link-state advertisement) indicating to be its own, it immediately advertises a new LSA instance cancelling out the false LSA. Most attacks will trigger this mechanism, but instability might still lead to DoS.
• A safeguard that ensures only a bidirectionally advertised link is included in routing table calculations.

Attacks vectors:

• controlling one router can send false OSPF messages to trick victims into setting up connections to a non-existing local router.
• OSPF considers LSAs with the same sequence number, checksum and age to be identical. Attackers can create false LSAs matching these fields and immediately send these to other routers in a “race”. This can lead to avoidance of “fight back” or poisoning.
• Fields are easily pre-computed, which makes it easier for attackers.
• MaxAge attack: Uses the LSA age field, assigning it to the value near MaxAge. Results in LSAs being “aged out”, causing entries to be removed once MaxAge is reached.
• Seq++ attack: Sequence number is increased by the attacker and he re-injects the LSA. As in MaxAge, “fight-back” might be triggered but it will still result in instability.

Question 4

Mention security concerns of BGP

Answer 4

• prefix hijacking: It is not verified whether the AS-number and advertised prefixes match. Makes it possible to perform prefix hijacking, black hole attacks and interceptions of traffic
• It can normally run over unprotected TCP: Makes it possible to eavesdrop and learn about routing information/policies. Lack of message integrity allows MitM-attacks, message insertion, deletion, modification and replay. TCP sessions can be disrupted to cause routers assuming that neighbours have disappeared, resulting in “route flapping” (aka when an interface alternates quickly between up/down states, causing interferrence).

Byzantine robustness can mitigate risk.

• filtering of traffic and message content.
• Use of cryptographic extensions to TCP sessions or wrapping the IP/TCP session to secure point-to-point links.

Question 5

How can BGP sessions be better protected?

Answer 5

• Signatures: Often HMAC. Can protect message integrity. Based on shared keys often reliant on MD5 (unsecure).
• Pairwise encryption: Containing information about predecessor, sequence number (timestamp) and signature.
• Hop integrity protocol: Addition of sequence numbers and message MACs. Requires PKI.

TTL attributes in the IP-protocol can also help:

• Setting TTP of packets to 255 and discard packets with TTL < 254.
• BGP speakers being direct neighbours, further discarding all other packets.
• Cannot protect against insiders.

Use of IPsec:

• effective for pairwise session protection.
• Requires key management.

Question 6

How can BGP monitor for threats?

Answer 6

Use of “routing registries” where AS provide policy and topology info.
- Constructs global view of routing info but requires registry information to be correct.

“Looking glass” structures monitors BGP routing tables for anomalies.

• allows for anomalies to be caught earlier.
• But not all attacks are too obvious (attack examples on session 3 slide 135-150).

Question 7

Mention two security extensions for BGP

Answer 7

• Secure Route Origin Authentication: Implemented using Resource Public Key Infrastructure (RPKI)
• Secure Path Validation using BGPSec

Question 8

Explain how RPKI works.

Answer 8

It allows for verification of the “association between resource holders and their internet resources”.

• digital signatures used to match network resources listing resources held by the entity, i.e. AS numbers and IPs.
• Resources can be associated for operators using ROAs (Route Origin Authorisations).

Illustrations of RPKI on session 3 slides 143-152

The RPKI relying party model:

• Announcements can be associated with ROAs that cannot be validated. The announcement is hence not included in the validated cache.
• If a BGP announcement is matched against ROA in validated cache, and matches prefix (not AS) or the max length does not match, it is invalid.
• The BGP announcement status is marked as unknown if no ROA is found in cache.

Question 9

Explain Secure Path Validation with BGPSec

Answer 9

• BGPSec assumes ROA and RPKI are available and in place.
• main benefit is to protect the AS_PATH. With RPKI alone, routers along the path can blaim to be a neighbour of an AS even is RPKI is in place. BGPsec mitigates this with signing BGP update-messages that relies on AS numbers and router identifiers into RPKI certificates.
• The use of BGPsec can further prevent grafting of valid origin onto path and path poisoning
• BGPsec can only be used with neighbours which are also speaking it. Non-BGPsec neighbours must strip this information, which will (as a consequence) isolate them from other BGPsec speakers.

In order to keep paths valid, updates must satisfy:

• BGPsec can only create updates whereas a RPKI ROA authorizing the BGP speaker exists.
• Updates must be re-announced before they expire
• Replay attacks are a concerns, and signatures should have short lifetimes.

Question 10

What is RIB?

Answer 10

RIB stands for the Routing Information Base: a data table residing inside routers or hosts listing network destinations and metrics to other network destinations.

Question 11

What is MPLS and what security mechanism exists for the protocol?

Answer 11

MPLS (Multiprotocol Label Switch) is a “layer 2.5” protocol, working between Layer 2 and Layer 3 of the OSI model. Often used when the need for speed and reliability is considered. It can provide better QoS in the organisation, and are often deployed by service providers and carriers.
Carriers can use it to provide services based on traffic’s characteristics.

For security, MPLS can utilize VPN services, either logically in L2/L3 in OSI. The infrastructure is the same regardless of layer, but the label-based routing is different. Allowsuse of abitrarity underlaying network protocols (more flexible and applicable).

MPLS equipment distinctions:
P = provider
C = customer
CE = customer edge router

NB: The VPN security of MPLS depends on router ability to separate flows. Lack of separate cryptographic protection makes assurance of the VPNs effectivness reliant on the trused IP network. This could introduce attacks that infiltrates labelled traffic from compromised CE routers.
The trust model assumes nobody has access to the IP network to modify labels.