SIDR                                                       D. McPherson
Internet-Draft                                           Verisign, Inc.
Intended status: Informational                                S. Amante
Expires: May 19, 2012                      Level 3 Communications, Inc.
                                                      November 16, 2011


                   Route Leak Attacks Against BGPSEC
           draft-foo-sidr-simple-leak-attack-bgpsec-no-help-01

Abstract

   This document describes a very simple attack vector that illustrates
   how RPKI-enabled BGPSEC machinery as currently defined can be easily
   circumvented in order to launch a Man In The Middle (MITM) attack via
   BGP.  It is meant to serve as input to the IETF's Secure Inter-Domain
   Routing working group during routing security requirements
   discussions and subsequent specification.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 19, 2012.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

McPherson & Amante        Expires May 19, 2012

Internet-Draft       Route Leak Attacks Against BGPSEC      November 2011


Table of Contents

   1.  Introduction
   2.  Discussion
   3.  Acknowledgements
   4.  IANA Considerations
   5.  Security Considerations
   6.  Informative References
   Authors' Addresses


1.  Introduction

   This document describes a very simple attack vector that illustrates
   how RPKI-enabled BGPSEC [I-D.ietf-sidr-bgpsec-protocol] machinery as
   currently defined can be easily circumvented in order to launch a Man
   In The Middle (MITM) attack via BGP [RFC4271].  It is meant to serve
   as input to the IETF's SIDR Working Group during routing security
   requirements discussions and subsequent specification.

   The authors believe the capability to prevent leaks should be a
   first-order engineering objective in any secure routing
   architecture.


2.  Discussion

   Assume a multi-homed autonomous system (AS), AS 1, connects to two
   ISPs (ISP1 & ISP2), and wishes to insert themselves in the datapath
   between a target network (prefix P) connected to ISP2 and systems in
   ISP1's network in order to launch a Man In The Middle (MITM) attack.
   Further assume that an RPKI-enabled BGPSEC
   [I-D.ietf-sidr-bgpsec-protocol] as currently defined is fully
   deployed by all parties in this scenario and functioning as designed.
   Network operators on the Internet today typically prefer customer
   routes over routes learned from bi-lateral or settlement free peers.
   Network operators commonly accomplish this via application of one or
   more BGP [RFC4271] Path Attributes, most commonly LOCAL_PREF as
   illustrated in [RFC1998], that are evaluated earlier in the BGP Path
   Selection process than AS_PATH length.

   As currently defined, BGPSEC only provides two functions:

   1.  Is an Autonomous System authorized to originate an IP prefix?

   2.  Is the AS_PATH represented in the route the same as the list of
       ASes through which the NLRI traveled?

   In order for an attacker (AS 1) to divert traffic from ISP1 for
   prefix P through their AS, they simply fail to scope the propagation
   of the target prefix P (received from ISP2) by announcing a
   (syntactically correct) BGPSEC update for prefix P to ISP1.  This
   vulnerability is what the authors refer to as a 'route leak'.  It is
   important to note that the default behavior in BGP [RFC4271] is to
   announce all best paths to external BGP peers, unless explicitly
   scoped by a BGP speaker through configuration.

   Because ISP1 prefers prefixes learned from customers (AS 1) over
   prefixes learned from peers (ISP2), they begin forwarding traffic for
   prefix P destinations through the attacker's AS (AS 1).  Voila!

   It should be understood that any multi-homed AS can potentially
   launch such an attack, even if through simple misconfiguration, as is
   a common occurrence today on the Internet.  Determination of benign
   versus malicious intent in these situations is usually imperceptible,
   and as such, preventative controls are requisite.
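   The following is an added worked model of the scenario above; it is
   not part of the draft and not code from the authors.  It applies the
   two BGPSEC functions listed above and the RFC 1998-style LOCAL_PREF
   ordering to two routes for prefix P arriving at ISP1, and then shows
   the out-of-band control that actually stops the leak: an explicit
   per-customer prefix list on the customer session.  The AS numbers
   (AS 1, ISP1 = AS 100, ISP2 = AS 200, origin = AS 300), the prefixes,
   the ROA, and the customer prefix list are all constructed
   assumptions; per-hop BGPSEC signatures are modelled simply as the
   list of ASes that actually forwarded the NLRI.

```python
"""Constructed model of the route-leak scenario from this draft.

ISP1 (AS 100) receives prefix P from its peer ISP2 (AS 200) and, via a
leak, from its multi-homed customer AS 1.  Both routes pass the two
checks BGPSEC provides, and LOCAL_PREF decides in favour of the
customer.  A customer prefix list is the control that rejects the leak.
"""
from dataclasses import dataclass

# Constructed AS numbers for the draft's actors (assumptions, not from the draft)
AS_ATTACKER, ISP1, ISP2, ORIGIN = 1, 100, 200, 300
PREFIX_P = "203.0.113.0/24"        # documentation prefix standing in for P


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple          # AS_PATH carried in the UPDATE, leftmost = sender
    forwarded_by: tuple     # ASes that actually forwarded/signed the NLRI
    received_from: int      # neighbour AS that sent the UPDATE to ISP1


# Constructed RPKI data: a ROA authorising AS 300 to originate P
ROAS = {PREFIX_P: {ORIGIN}}

# ISP1's neighbour relationships and the RFC 1998-style preference tiers
RELATION = {AS_ATTACKER: "customer", ISP2: "peer"}
LOCAL_PREF = {"customer": 200, "peer": 100}


def origin_authorised(route):
    """BGPSEC function 1: is the origin AS allowed to originate the prefix?"""
    return route.as_path[-1] in ROAS.get(route.prefix, set())


def path_matches_propagation(route):
    """BGPSEC function 2 (modelled): does AS_PATH equal the ASes the NLRI
    actually traversed?  Real BGPSEC establishes this with per-hop
    signatures; here the forwarding history is simply carried alongside."""
    return route.as_path == route.forwarded_by


def bgpsec_valid(route):
    return origin_authorised(route) and path_matches_propagation(route)


def best_path(routes):
    """Subset of the RFC 4271 decision process: highest LOCAL_PREF wins,
    shortest AS_PATH only breaks ties.  Only BGPSEC-valid routes compete."""
    candidates = [r for r in routes if bgpsec_valid(r)]
    return max(candidates,
               key=lambda r: (LOCAL_PREF[RELATION[r.received_from]],
                              -len(r.as_path)))


# Two BGPSEC-valid routes for P arrive at ISP1 (constructed): the legitimate
# one from peer ISP2 and the leaked one re-announced by customer AS 1.
ROUTE_VIA_ISP2 = Route(PREFIX_P, (ISP2, ORIGIN), (ISP2, ORIGIN),
                       received_from=ISP2)
ROUTE_LEAKED = Route(PREFIX_P, (AS_ATTACKER, ISP2, ORIGIN),
                     (AS_ATTACKER, ISP2, ORIGIN), received_from=AS_ATTACKER)


def leaked_route_wins():
    """Neighbour through which ISP1 forwards P once both routes are known."""
    return best_path([ROUTE_VIA_ISP2, ROUTE_LEAKED]).received_from


# Defender side, out of band from BGPSEC: an explicit prefix list per
# customer session.  Constructed: AS 1 may only announce its own assignment.
CUSTOMER_PREFIX_LIST = {AS_ATTACKER: {"198.51.100.0/24"}}


def passes_customer_filter(route):
    """Routes from customers must be on that customer's prefix list;
    routes from peers are left to the (peer) policy and pass here."""
    if RELATION.get(route.received_from) != "customer":
        return True
    return route.prefix in CUSTOMER_PREFIX_LIST.get(route.received_from, set())


def best_path_with_filter(routes):
    return best_path([r for r in routes if passes_customer_filter(r)])


if __name__ == "__main__":
    print("without a customer prefix list, P is forwarded via AS",
          leaked_route_wins())
    print("with a customer prefix list, P is forwarded via AS",
          best_path_with_filter([ROUTE_VIA_ISP2, ROUTE_LEAKED]).received_from)
```

   Running the block shows AS 1 winning the decision process although
   its AS_PATH is longer and accurately names the attacker, which is the
   point of the draft; the same model with the customer prefix list
   applied returns to ISP2.  A path that AS 1 had tampered with (for
   example dropping ISP2 from AS_PATH) would fail the propagation check
   and never reach the decision process, so BGPSEC does its stated job;
   it is the unscoped but honest re-announcement that it cannot see.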
   In an environment where BGPSEC is fully deployed there would be high
   assurance of the semantic integrity of the AS_PATH BGP Path
   attribute, and as such, it should accurately reflect the attacker's
   AS number in the appropriate location of the AS_PATH; however, it
   would not prevent the attack.

   Discussion of out of band methods to mitigate this attack is beyond
   the scope of this document, as its objective is to inform routing
   protocol design choices currently being considered within the IETF's
   SIDR Working Group.


3.  Acknowledgements


4.  IANA Considerations


5.  Security Considerations

   This document describes an attack on an RPKI-enabled BGPSEC and is
   meant to inform the IETF Secure Inter-Domain Routing working group on
   the vulnerability that exists as a result of "leaks".  The authors
   believe the capability to prevent leaks should be a first-order
   engineering objective in any secure routing architecture.


6.  Informative References

   [I-D.ietf-sidr-bgpsec-protocol]
              Lepinski, M., "BGPSEC Protocol Specification",
              draft-ietf-sidr-bgpsec-protocol-01 (work in progress),
              October 2011.

   [RFC1998]  Chen, E. and T. Bates, "An Application of the BGP
              Community Attribute in Multi-home Routing", RFC 1998,
              August 1996.

   [RFC4271]  Rekhter, Y., Li, T., and S. Hares, "A Border Gateway
              Protocol 4 (BGP-4)", RFC 4271, January 2006.


Authors' Addresses

   Danny McPherson
   Verisign, Inc.
   21355 Ridgetop Circle
   Dulles, VA  20166
   USA

   Phone: +1 703.948.3200
   Email: dmcpherson@verisign.com


   Shane Amante
   Level 3 Communications, Inc.
   1025 Eldorado Boulevard
   Broomfield, CO  80021
   US

   Phone: +1 720.888.1000
   Email: shane@level3.net