IETF Logo Mail Archive

Re: [RPSEC] Re: draft-convery-bgpattack-00

Sean Convery <sean@cisco.com> Tue, 12 November 2002 19:23 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA11055 for <rpsec-archive@odin.ietf.org>; Tue, 12 Nov 2002 14:23:10 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id gACJPH123286 for rpsec-archive@odin.ietf.org; Tue, 12 Nov 2002 14:25:17 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id gACJPHv23283 for <rpsec-web-archive@optimus.ietf.org>; Tue, 12 Nov 2002 14:25:17 -0500
Received: from www1.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA10997 for <rpsec-web-archive@ietf.org>; Tue, 12 Nov 2002 14:22:39 -0500 (EST)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id gACJP3v23233; Tue, 12 Nov 2002 14:25:03 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id gACJJtv23019 for <rpsec@optimus.ietf.org>; Tue, 12 Nov 2002 14:19:55 -0500
Received: from sj-msg-core-2.cisco.com (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA10826 for <rpsec@ietf.org>; Tue, 12 Nov 2002 14:17:16 -0500 (EST)
Received: from sj-msg-av-2.cisco.com (sj-msg-av-2.cisco.com [171.70.145.31]) by sj-msg-core-2.cisco.com (8.12.2/8.12.2) with ESMTP id gACJJhep011819; Tue, 12 Nov 2002 11:19:43 -0800 (PST)
Received: from nisser.cisco.com (localhost [127.0.0.1]) by sj-msg-av-2.cisco.com (8.12.2/8.12.2) with ESMTP id gACJJcW7019221; Tue, 12 Nov 2002 11:19:38 -0800 (PST)
Received: from 172.16.30.208 (sjc-vpn1-595.cisco.com [10.21.98.83]) by nisser.cisco.com (8.8.6 (PHNE_14041)/CISCO.SERVER.1.2) with ESMTP id LAA20250; Tue, 12 Nov 2002 11:19:45 -0800 (PST)
Date: Tue, 12 Nov 2002 11:03:21 -0800
From: Sean Convery <sean@cisco.com>
Subject: Re: [RPSEC] Re: draft-convery-bgpattack-00
To: Iljitsch van Beijnum <iljitsch@muada.com>
cc: rpsec@ietf.org
X-Priority: 3
In-Reply-To: <20021105090907.T50741-100000@sequoia.muada.com>
Message-ID: <r01050400-1021-B9016420F67311D69B890003939CDD90@[172.16.30.208]>
MIME-Version: 1.0
Content-Type: text/plain; Charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Mailsmith 1.5.4 (Blindsider)
Content-Transfer-Encoding: 7bit
Sender: rpsec-admin@ietf.org
Errors-To: rpsec-admin@ietf.org
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit

On 11/5/02 at 9:38 AM, iljitsch@muada.com wrote:

SNIP
>> - Enterprise BGP Implementation - as a side rant, much of the
>> conversation I've seen on idr and rpsec seems to assume an ISP
>> deployment.  BGP is used plenty in enterprise environments as well.
>> Here MITM, sniffing, etc. become much more possible.
>
>But enterprises aren't typically in the position to propagate much
>malicious routing information as their ISPs filter them.
>
Right, but they are more than capable of being hacked on the inside
(regardless of filtering), which is one of the things we should be
concerned about.

SNIP
>> The easiest way we've come up with to do the analysis would be to
>> assign attributes to various parts of the tree based on different
>> topologies and attackers.  For more info check out the end of
>> section 1 of the draft.
>
>What I'd like to see is a simple web-based tool that has the tree and
>allows you to add security measures such as anti-spoofing filters, MD5,
>static MAC addresses on exchanges and so on, and then see how many of
>the attacks go away. This could be a learning experience. Heck, I might
>make something like this.
>
We agree and would love your help. :) Dave Cook is doing some modelling
to create the tree graphically from the source XML file.  We could
probably extend it to do something like this...

>> Regarding MD5, that got its own section 2.1.1.  Any attack against a
>> system employing MD5 would need to first run through that section of
>> the tree assuming the overall attack requires the generation of
>> valid TCP 179 messages.
>
>I don't think this is made explicit in every place.
>
Right, see my previous below response, we're assuming no best practices
in place: 

>> For the entire tree, we assumed no best practices were employed,
>> this would give us a base set of attacks that could then be weeded
>> down based on lots of factors.
>
>You don't mention a list of best practices... It might be good to
>include a list. Actually I've been working on this for a while.
>
I would think best practices for BGP would need to be in a separate
draft.  There are lots of BPs spread all over the web, has anyone
grouped them all together for the IETF?

SNIP
>
>>> 2.1.7 man "in the middle" is not necessary as it is trivial to pose
>>> as the peer router if there is access to all the traffic.
>
>> I'm not sure I understand your comment.  In this attack we're not
>> assuming access to all the traffic.  Here the attacker is trying to
>> send a spoofed BGP message.
>
>For a successful man in the middle attack you must be able to:
>
>AND - sniff original traffic
>    - inject replacement traffic
>    - block original traffic
>
>However, man in the middle is more difficult to do than simply
>completely assume the identity of the neighbor and yields no extra
>results.
>
>> This tree shows he can do it one of two ways:
>
>> 1. TCP Sequence # attack + the spoofed BGP message
>
>This will obviously break the existing BGP session pretty quickly and
>then all routing information (spoofed or otherwise) from this peer is
>removed.
>
Again, we'd love to test this out. I agree, things could go badly for
the BGP session.
>
>> >If people don't filter properly you can also do very funny things by
>> >routing the BGP next hop addresses into oblivion.
>
>> Can you elaborate on that further?  I think I understand what you
>> are referring to, I'm just not sure where to put it in the tree.  Is
>> this a spoofed message or an intercepted and modified message from a
>> valid peer?
>
>I suppose it could be either. What you do is inject a route that makes
>the next hop address for other BGP routes point to an unexpected
>place. For instance, you can announce the /24 for an IX as two /25s
>with the next hop address set to your router and then you'll receive
>all traffic for all peers connected to the IX. (However, the sessions
>would probably go down in this case.) However, this can be stopped
>with proper inbound route filters.
>
Now I got it.  We do have some info on more specific route introduction,
but it is specific to IGP, We can probably broaden this definition in
2.1.3.

Thanks again,

Sean
_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec

v2.23.0 | Report a Bug | By Email