Re: [RPSEC] Re: draft-convery-bgpattack-00
Sean Convery <sean@cisco.com> Tue, 12 November 2002 19:23 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA11055 for <rpsec-archive@odin.ietf.org>; Tue, 12 Nov 2002 14:23:10 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id gACJPH123286 for rpsec-archive@odin.ietf.org; Tue, 12 Nov 2002 14:25:17 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id gACJPHv23283 for <rpsec-web-archive@optimus.ietf.org>; Tue, 12 Nov 2002 14:25:17 -0500
Received: from www1.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA10997 for <rpsec-web-archive@ietf.org>; Tue, 12 Nov 2002 14:22:39 -0500 (EST)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id gACJP3v23233; Tue, 12 Nov 2002 14:25:03 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id gACJJtv23019 for <rpsec@optimus.ietf.org>; Tue, 12 Nov 2002 14:19:55 -0500
Received: from sj-msg-core-2.cisco.com (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA10826 for <rpsec@ietf.org>; Tue, 12 Nov 2002 14:17:16 -0500 (EST)
Received: from sj-msg-av-2.cisco.com (sj-msg-av-2.cisco.com [171.70.145.31]) by sj-msg-core-2.cisco.com (8.12.2/8.12.2) with ESMTP id gACJJhep011819; Tue, 12 Nov 2002 11:19:43 -0800 (PST)
Received: from nisser.cisco.com (localhost [127.0.0.1]) by sj-msg-av-2.cisco.com (8.12.2/8.12.2) with ESMTP id gACJJcW7019221; Tue, 12 Nov 2002 11:19:38 -0800 (PST)
Received: from 172.16.30.208 (sjc-vpn1-595.cisco.com [10.21.98.83]) by nisser.cisco.com (8.8.6 (PHNE_14041)/CISCO.SERVER.1.2) with ESMTP id LAA20250; Tue, 12 Nov 2002 11:19:45 -0800 (PST)
Date: Tue, 12 Nov 2002 11:03:21 -0800
From: Sean Convery <sean@cisco.com>
Subject: Re: [RPSEC] Re: draft-convery-bgpattack-00
To: Iljitsch van Beijnum <iljitsch@muada.com>
cc: rpsec@ietf.org
X-Priority: 3
In-Reply-To: <20021105090907.T50741-100000@sequoia.muada.com>
Message-ID: <r01050400-1021-B9016420F67311D69B890003939CDD90@[172.16.30.208]>
MIME-Version: 1.0
Content-Type: text/plain; Charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Mailsmith 1.5.4 (Blindsider)
Content-Transfer-Encoding: 7bit
Sender: rpsec-admin@ietf.org
Errors-To: rpsec-admin@ietf.org
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
On 11/5/02 at 9:38 AM, iljitsch@muada.com wrote: SNIP >> - Enterprise BGP Implementation - as a side rant, much of the >> conversation I've seen on idr and rpsec seems to assume an ISP >> deployment. BGP is used plenty in enterprise environments as well. >> Here MITM, sniffing, etc. become much more possible. > >But enterprises aren't typically in the position to propagate much >malicious routing information as their ISPs filter them. > Right, but they are more than capable of being hacked on the inside (regardless of filtering), which is one of the things we should be concerned about. SNIP >> The easiest way we've come up with to do the analysis would be to >> assign attributes to various parts of the tree based on different >> topologies and attackers. For more info check out the end of >> section 1 of the draft. > >What I'd like to see is a simple web-based tool that has the tree and >allows you to add security measures such as anti-spoofing filters, MD5, >static MAC addresses on exchanges and so on, and then see how many of >the attacks go away. This could be a learning experience. Heck, I might >make something like this. > We agree and would love your help. :) Dave Cook is doing some modelling to create the tree graphically from the source XML file. We could probably extend it to do something like this... >> Regarding MD5, that got its own section 2.1.1. Any attack against a >> system employing MD5 would need to first run through that section of >> the tree assuming the overall attack requires the generation of >> valid TCP 179 messages. > >I don't think this is made explicit in every place. > Right, see my previous below response, we're assuming no best practices in place: >> For the entire tree, we assumed no best practices were employed, >> this would give us a base set of attacks that could then be weeded >> down based on lots of factors. > >You don't mention a list of best practices... It might be good to >include a list. Actually I've been working on this for a while. > I would think best practices for BGP would need to be in a separate draft. There are lots of BPs spread all over the web, has anyone grouped them all together for the IETF? SNIP > >>> 2.1.7 man "in the middle" is not necessary as it is trivial to pose >>> as the peer router if there is access to all the traffic. > >> I'm not sure I understand your comment. In this attack we're not >> assuming access to all the traffic. Here the attacker is trying to >> send a spoofed BGP message. > >For a successful man in the middle attack you must be able to: > >AND - sniff original traffic > - inject replacement traffic > - block original traffic > >However, man in the middle is more difficult to do than simply >completely assume the identity of the neighbor and yields no extra >results. > >> This tree shows he can do it one of two ways: > >> 1. TCP Sequence # attack + the spoofed BGP message > >This will obviously break the existing BGP session pretty quickly and >then all routing information (spoofed or otherwise) from this peer is >removed. > Again, we'd love to test this out. I agree, things could go badly for the BGP session. > >> >If people don't filter properly you can also do very funny things by >> >routing the BGP next hop addresses into oblivion. > >> Can you elaborate on that further? I think I understand what you >> are referring to, I'm just not sure where to put it in the tree. Is >> this a spoofed message or an intercepted and modified message from a >> valid peer? > >I suppose it could be either. What you do is inject a route that makes >the next hop address for other BGP routes point to an unexpected >place. For instance, you can announce the /24 for an IX as two /25s >with the next hop address set to your router and then you'll receive >all traffic for all peers connected to the IX. (However, the sessions >would probably go down in this case.) However, this can be stopped >with proper inbound route filters. > Now I got it. We do have some info on more specific route introduction, but it is specific to IGP, We can probably broaden this definition in 2.1.3. Thanks again, Sean _______________________________________________ RPSEC mailing list RPSEC@ietf.org https://www1.ietf.org/mailman/listinfo/rpsec
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Joachim Jensen
- RE: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- [RPSEC] draft-convery-bgpattack-00 Sean Convery
- Re: [RPSEC] draft-convery-bgpattack-00 Damir Rajnovic
- [RPSEC] Re: draft-convery-bgpattack-00 David G. Boney
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] draft-convery-bgpattack-00 Christopher Lonvick
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Birger Toedtmann
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Randy Bush
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Michael Richardson
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Birger Toedtmann
- Re: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Jeffrey Haas
- [RPSEC] prefix origin authentication (was Re: dra… Michael Richardson
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Michael Richardson
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Jeffrey Haas
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Tony Tauber
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Danny McPherson
- Re: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Michael Richardson
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Sean Convery
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Sean Convery
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Larry J. Blunk
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Jeffrey Haas
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Barry Raveendran Greene
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Michael Richardson
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Michael Richardson
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Jeffrey Haas
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Barry Raveendran Greene
- Re: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- RE: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Jeffrey Haas
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Jeffrey Haas
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Randy Bush
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Jeffrey Haas
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Charles Lynn
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Susan Hares
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- Re: [RPSEC] Re: draft-convery-bgpattack-00 sandy
- Aggregation in S-BGP was RE: [RPSEC] Re: draft-co… Charles Lynn
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Joel M. Halpern
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Randy Bush
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Iljitsch van Beijnum
- [RPSEC] Potential requirements Charles Lynn
- Re: [RPSEC] Potential requirements Iljitsch van Beijnum
- RE: [RPSEC] Re: draft-convery-bgpattack-00 Stephen Kent
- Re: [RPSEC] Potential requirements Tony Tauber
- Re: [RPSEC] Potential requirements Steve Suehring
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Sean Convery
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Sean Convery
- Re: [RPSEC] Re: draft-convery-bgpattack-00 Michael Richardson