Strategies for Addressing Link State Routing Protocol Vulnerabilities: A Panoramic View

Dijiang Huang, Amit Sinha, Deep Medhi, Cory Beard

Abstract— The link state routing protocol is the most widely used intra-domain routing protocol; it is used to distribute and maintain routing information among the routers within a domain. Unfortunately, this protocol is vulnerable to several security attacks, which may be as simple as packet sniffing or as sophisticated as an insider attack. Research has been done to enhance the security of the protocol, but the proposals either fall short of providing substantial security or suffer from practical implementation issues. In spite of all these efforts, the research community lacks a comprehensive threat model specific to the link state routing protocol. This article attempts to fill this gap by studying a large number of different kinds of attacks that might occur during the normal execution of the protocol, and presents a comprehensive attack model aimed at guiding researchers working on securing the link state routing protocol. The article then discusses the existing solutions that address some of the threats and suggests security mechanisms for threats that have not yet been addressed. Finally, the need for a new routing framework that can address both the common threats and the threats not considered in the past is underlined.

Index Terms— Routing, Computer Network Security.

I. INTRODUCTION

The link state routing protocol runs within an Autonomous System (intra-domain) and is used to distribute and maintain routing information. This facilitates packet forwarding by routers along the best possible path. The lack of strong protection through cryptographic techniques as part of the original routing protocol design has allowed malicious users to exploit the network in numerous ways. In time, the importance of making the routing protocol robust has emerged, and several standards have been proposed to handle a variety of threats. In spite of this, the lack of a comprehensive threat model specific to the link state routing protocol, and of rigorous analysis of strategies to counter the threats, has led to certain potential threats being overlooked. The following excerpts from the CERT® document [8] highlight the importance of, and the imminent need for, securing the routing infrastructure:

“. . . One of the most recent and disturbing trends we have seen is an increase in intruder compromise and use of routers. . . . Reports indicate routers are being used by intruders as platforms for scanning activity . . .”

“Routers make attractive targets for intruders . . . a part of the network infrastructure . . . routers are often less protected by security policy and monitoring technology . . .”

“. . . attacks based on direct attacks against the routing protocols that interconnect the networks comprising the Internet. We believe this to be an imminent and real threat with a potentially high impact. . . .”

There has been research done in the past to understand some of the threats highlighted above and to find ways to counter such attacks. A trend-setting work in this area was done by Perlman [16]. She developed a secure link state routing infrastructure to tackle Byzantine failures, wherein some node(s) and/or link(s) become faulty (due to either legitimate or subverted routing equipment), and yet the network continues to operate, but incorrectly. A strong asymmetric cryptographic key scheme (public key scheme) was used to provide a signature for each link-state advertisement (LSA), thus incurring a high computational overhead, which makes the implementation difficult. Murphy et al. proposed the use of digital signatures for OSPF (RFC2154 [14]) using public-key encryption, which is hence expensive as well. The Internet Engineering Task Force (IETF) has formed a new working group, Routing Protocol Security Requirements (rpsec) [9], to address the security requirements for routing protocols. A survey by Papadimitratos and Haas highlights the fact that the countermeasures proposed so far have not eradicated the vulnerability of the routing infrastructure [15]. Another work by Chakrabarti and Manimaran provides a taxonomy of security attacks and stresses the need to develop architectures, algorithms and protocols for securing the Internet infrastructure [1].
These works look into the broader issues related to securing the routing/Internet infrastructure. In this article we focus entirely on security issues associated with the link-state routing protocol, and on the various countermeasures that ensure the secure and proper functioning of the protocol. We thus start with two broad security issues to lay out the purpose of this article.

The first security issue with the current routing framework is its lack of clarity about non-host-based threats to the link state network routing protocol, such as the threats targeting the origination, verification, and transmission of routing data. Thus, it is possible for an attacker to wiretap the transmission link and inject anything he/she wants. An attacker can also take over the network router itself.

The second security issue, which has not received much attention in network routing, is confidentiality. An advantage of confidentiality is that it can guard against passive attacks, such as wiretapping. In its absence, the routing information (clear text) can be easily intercepted on unprotected network segments. Since the fundamental communication operation of the link-state routing protocol is flooding, an attacker can easily intercept all routing information from just one network segment and use it to analyze network topology and traffic patterns. This information can help the attacker to exploit the weaknesses of the network and launch more devastating and highly efficient attacks. For example, an attacker can split the network and disable it by attacking the minimal number of nodes that partition the network.

We analyze the existing security mechanisms, which primarily focus on authentication and encryption of the routing data. We discuss how these mechanisms would fare against various attacks in the existing routing framework. We observe that the trust structure of the current routing system is flat: any router within one routing domain trusts another router depending on a pre-defined configuration. This trust structure makes the network vulnerable to insider attack.
Therefore, any recovery mechanism will require more time, and a complete recovery would most likely be impossible. This calls for some serious thinking in order to modify the existing routing framework.

II. THREAT MODEL

In this section, our discussion focuses on the origination, verification, and transmission of routing data. We start with a brief description of link state routing and the security threats specific to it. We discuss the security mechanisms that are known, as of now, to prevent some of these threat actions from taking place. Further, we discuss the vulnerabilities of existing network routing security mechanisms and the improvements that can be


done by using stronger authentication and a new method to manage routing data through encryption.

A. Link state routing model

The open shortest path first (OSPF) [13] protocol is the most popular link state routing protocol. Based on it, we formulate a simple link state routing model to identify the security issues we will address in this article. The link state routing model is composed of physical entities (routers and communication links) and logical entities (the link state routing protocol running in the routers). Within a link state routing domain, each router originates the link state information for the links directly connected to it (the link state information is directional) and floods¹ this information to its neighbors. A receiving router forwards the routing information (unmodified) via flooding again. Therefore, each router will have the same view of the network. When a router joins the network, it needs to synchronize its link state database with its neighbors. The granularity of routing information in the link state routing protocol is the link state of a router’s interface. This information is called the link state advertisement (LSA). During flooding, multiple LSAs can be encapsulated in a single link state update (LSU) routing packet.

The security issues related to the link state routing model can be broadly classified as security for the network device, operational security, and communication security. Security for the network device concerns physical access to the routers and communication links. Operational security includes access control of the operating system of a router, the privileged mode of a router, etc. Communication security is related to the transmission, reception, and processing of routing data (LSAs and LSUs). Note that all data security issues discussed in this article concern ROUTING DATA, not user data, and we focus on the communication security aspect of the link-state routing protocol.

¹ Flooding provides reliable data transmission, in which a router forwards the routing packets to every interface except the one on which it received them.

B. Threats to Link State Network Routing

In order to categorize the security threats to the routing protocol, we first need to identify the possible threat sources and their actions. We will follow the definitions (threats, insider/outsider, etc.) provided in RFC2828 [17] for this purpose and use them in the context of network routing and routing protocols.

Threat Sources: The threat sources for link state routing can be communication links and routers.

Although there could be some malicious network operators/administrators involved, we consider that the final threat actions originate from network components, such as communication links and routers. We classify them into two groups: insiders and outsiders. The legitimate devices that lie inside the link state routing security perimeter are called insiders. The devices that lie outside the link state routing security perimeter are called outsiders. The security perimeter defines a router’s or link’s authorized role in network routing, which includes two parts: identity and functionality. For example, a valid router (an insider) is authorized to perform routing functions, such as exchanging routing information, and is associated with a unique router ID. Note that an outsider can masquerade as an insider to generate routing information; it has no valid identifier and is not authorized to perform routing functions. An insider can also masquerade as another authorized router and generate forged routing information; it has a valid identifier, but it is not authorized to impersonate other routers or to forge other routers’ routing information (by “authorized” we mean permission for the overall routing operational functionalities). In this sense, we always say that an outsider is unauthorized and an insider is authorized.

Threat Actions: Threat actions are also called attacks. Here, all our discussion focuses on the origination, verification, and transmission of routing data. Attacks can be active or passive. As defined in RFC 2828, “an active attack attempts to alter system resources or affect their operation; a passive attack attempts to learn or make use of information from the system but does not affect system resources”. Attacks can also be classified by threat source: insiders and outsiders. This classification helps to categorize the corresponding preventive cryptographic countermeasures, which will be discussed in Section III.
Note that we discuss the attack model that an attacker uses to compromise other routers’ resources. Thus, we exclude the discussion of insider attackers that overclaim/underclaim/misclaim the network resources under their own control. For example, a subverted router claims that the bandwidth attached to one of its interfaces is $w$, but in fact the actual bandwidth is $r$, where $w \neq r$.

1) Attacks by outsiders: Initiated by an unauthorized router/link.

(a) Sniffing (passive): Monitoring and recording routing data transmitted on the communication links among routers; see Fig. 1(a).

(b) Falsification and masquerading (active): This attack can be of three kinds: (i) Substitution: altering or replacing valid routing information with false routing information; see (1) in Fig. 1(b). (ii) Insertion: introducing false routing data that serves to deceive an authorized router; see (2) in Fig. 1(b). (iii) Masquerading: impersonating an authorized link/router; see (3) in Fig. 1(b). Masquerading is usually executed concurrently with substitution and/or insertion.

(c) Obstruction (active): This attack can be of two types: (i) Interference: an attacker can block the transmission link by cutting it off or by introducing noise into it, to prevent the victims from receiving the routing information correctly; see (1) in Fig. 1(c). (ii) Overload: an attacker can place excess dummy routing traffic that saturates the victim’s input buffer or exhausts the victim’s CPU capacity; see (2) in Fig. 1(c).

(d)-(i) Replay (active): a valid routing data transmission is maliciously or fraudulently repeated by an outsider; see (1) in Fig. 1(d).

2) Attacks by insiders: This form of threat action is initiated by a subverted router/link.

(d)-(ii) Replay (active): A valid routing data transmission is maliciously or fraudulently repeated by an insider; see (2) in Fig. 1(d).

(e) Falsification and masquerading (active): (i) Substitution: altering or replacing valid routing data with false routing data; see (1) in Fig. 1(e). (ii) Insertion: introducing malicious routing data to overclaim/underclaim the network resources possessed by the subverted router, or to misclaim network resources possessed by other authorized routers; see (2) in Fig. 1(e). (iii) Masquerading: impersonating other authorized routers; see (3) in Fig. 1(e). This is the same as specified for the outsiders’ threat actions; masquerading is usually executed concurrently with substitution and/or insertion.

(f) Obstruction (active): (i) Stop forwarding: the subverted router does not forward received routing packets; see (1) in Fig. 1(f). (ii) Overload: an excessive routing information processing burden is placed on the router in order to saturate the victim’s input buffer or exhaust the victim’s CPU capacity; see (2) in Fig. 1(f).

(g) Repudiation (active): (i) False denial of origin: a subverted router denies the operations that it performed on the transmitted routing information; see (1) in Fig. 1(g). (ii) False denial of receipt: a subverted router denies receiving the routing data; see (2) in Fig. 1(g). Although an outsider can repudiate what it has done, it is more critical for insider attacks. A subverted router can cause a more serious problem when it is authorized to perform routing functions. Quickly identifying the subverted routers/links will help to reduce the recovery time imposed by the attacks.

(h) Exposure (active): (i) Undeliberate exposure: a router unintentionally releases sensitive routing data to attackers (both insiders and outsiders); see (1) in Fig. 1(h). (ii) Deliberate exposure: a subverted router intentionally releases sensitive routing data to attackers (both insiders and outsiders); see (2) in Fig. 1(h).

[Fig. 1: eight message-flow diagrams, one per attack: (a) Sniffing, (b) Outsider falsification & masquerade, (c) Outsider obstruction, (d) Replay, (e) Insider falsification & masquerade, (f) Insider obstruction, (g) Repudiation, (h) Exposure. The flows are labelled with the symbols explained in the caption.]

Fig. 1. Outsider attacks (a) to (c) and (d)-(i); insider attacks (d)-(ii) and (e) to (h). S: sender; R: receiver (or victim); A: outsider (attacker); F: insider (attacker); M: any routing message; Ms: routing message from sender; Ms’: forged routing message of sender; Mf’: malicious routing message generated by subverted routers; Md: dummy routing traffic that causes overload; ⇢: delayed transmission.

We note that in our classification all attacks originating from outsiders occur on the routing transmission links, e.g., Fig. 1(a) to 1(d). Among them, attacks (c)-(i) and (d)-(ii) require access to the transmission link before the attacker can launch them. Attacks originating from insiders are generated by the subverted routers, e.g., Fig. 1(d) to 1(h). When an outsider successfully takes over an authorized router, it becomes an insider (or subverted router).

III. PREVENTIVE CRYPTOGRAPHIC COUNTERMEASURES AGAINST ATTACKS

The challenges posed by the enormity and diversity of the threats have led to various research activities in recent years that address techniques to safeguard a network. On the other hand, the current standards for network routing protocols have not incorporated all of the techniques required to make them as foolproof as possible. A set of unplugged security holes remains that an adversary can use to paralyze the network. In this

section, we analyze the possible preventive cryptographic countermeasures first and then describe how they can completely or partially prevent attacks from taking place.

A. Preventive cryptographic countermeasures

Table I lists two preventive cryptographic countermeasures that are described in the literature, including those that have found a place in protocol standards. The two main preventive cryptographic countermeasures that have been suggested for routing protocols are authentication and confidentiality. In the network routing environment, peer entity authentication and data origin authentication are the two types of authentication service. Peer entity authentication happens mostly in neighbor relationship set-up procedures, and data origin authentication happens mostly in routing information exchange procedures. Note that a data origin authentication service provides verification that the identity of the original source of a received data unit is as claimed; there can be no such verification if the data unit has been altered. Thus, by definition, authentication services depend on companion data integrity services. Confidentiality ensures that no unauthorized device can decipher the routing information on its way to the destination.

In this article, our discussion focuses on data origin authentication and confidentiality. More specifically, these countermeasures can be applied at the packet level or at the information level; we call the two types of data origin authentication PA and IA, respectively. By PA we mean that the authentication is processed for a routing update packet or an IP packet that contains the routing update as its payload. IA provides protection for each piece of routing information carried within a routing update packet. Besides PA and IA, there are two other important concepts we need to introduce into our discussion: hop by hop (HBH) and end to end (ETE). HBH means that the generation and verification of the authentication codes are performed by every forwarding router. ETE means that the generation of an authentication code is performed only at the source; all the forwarding routers and termination routers are part of the end system, and they only perform verification. We analyze the combinations of the authentication methods (PA and IA) with the verification methods (HBH and ETE). For brevity, we identify each mechanism with a label; this is noted in Table I.

TABLE I
SECURITY MECHANISMS

| Methods             | Label  | Description                                            | Protection               |
| Authentication (A)  |        |                                                        | Data origin authenticity |
|   Packet level      | PA_H † | Packet level, hop by hop authentication                |                          |
|                     | PA_E ¶ | Packet level, end to end authentication                |                          |
|   Information level | IA_H £ | Information level, hop by hop authentication           |                          |
|                     | IA_E ‡ | Information level, end to end authentication           |                          |
| Confidentiality (C) |        |                                                        | Information availability |
|                     | C_P §  | Confidentiality for the whole packet                   |                          |
|                     | C_I ¶  | Confidentiality for the information within the packet  |                          |

†: OSPFv2 RFC2328 and OSPFv3 tentative Internet draft. ‡: OSPF extension RFC2154. £: Proposed by Huang et al. [7]. ¶: Not yet proposed.

In the link state routing protocol, pieces of routing information, link state advertisements (LSAs), are encapsulated in a link state update (LSU) packet. Most of the current implementations fall into the category of PA_H. If PA_H is provided for the entire LSU (a routing packet), then PA_H can guard against the “man-in-the-middle” attack [17]. But in link state routing, flooding is used for distributing LSAs within a link state routing domain; PA_H cannot prevent an intermediate subverted router from modifying forwarded LSAs, or a router from originating forged LSAs. ETE is more desirable, as it provides stronger protection for LSAs. But another difficulty of link state routing is that multiple LSAs are encapsulated within a single LSU packet, and the content of LSUs originating from different routers may differ. This prevents PA_E from being implemented efficiently. Hence, IA_E and IA_H are required to provide information level protection. OSPF with digital signatures [14] is an example of IA_E, while the double authentication scheme [7] is an example of IA_H. For confidentiality, too, we differentiate between packet level and information level, as shown in Table I. OSPF running over IPsec [4] is an example of providing C_P, which provides confidentiality for the IP payload. Providing confidentiality for each LSA individually is represented by C_I.

B. Using preventive cryptographic countermeasures to guard against attacks

Now we analyze how to use the cryptographic countermeasures presented in Table I to guard against the threat actions illustrated in Fig. 1. Table II presents the mapping of threats to corresponding countermeasures. The threat actions marked with ✓ are solvable via well known solutions and are all outsider attacks. Attacks presented in (b) can be easily guarded against by using PA_H. The dummy routing traffic due to attack (c)-(ii) can be filtered out using PA_H. Although cryptographic operations can aggravate the CPU computation burden, the overload attack is usually limited to a small range around where it happens, because the excess routing traffic cannot get through a router. This may be useful in preventing distributed denial of service (DDoS). Note that preventive countermeasures, such as authentication and confidentiality, cannot prevent the attacks marked with ✠ ((e)-(ii) and (f)-(i)). These attacks need other security mechanisms (such as admission/access control, intrusion detection, etc.) to guard against them, which are not addressed in this article. In this article, our discussion focuses on the countermeasures marked from ★ to ★★★. The countermeasures marked by ★ are specified in the current literature, such as OSPF with digital signatures [14]. We note that end-to-end authentication is considered a strong preventive cryptographic countermeasure. A widely accepted proposal uses the public key scheme to sign each LSA. The reason we separate it from the PA entries marked by ✓ is the deployment difficulty of digital signatures, which come with a high computation overhead compared with the traditional authentication scheme, e.g., the keyed hash function (HMAC) [12]. Countermeasures marked by ★★ are barely addressed in the current literature, while countermeasures marked by ★★★ have not been addressed so far.

TABLE II
THREATS AND CORRESPONDING CRYPTOGRAPHIC PREVENTIVE COUNTERMEASURES

| Threats                              | Attack                         | Label     | I/O | P/A     | Preventive countermeasures | Remarks |
| Wiretapping                          | Wiretapping                    | (a)       | O   | Passive | C_P or C_I                 | ★★      |
| Outsider falsification & masquerade  | Substitution                   | (b)-(i)   | O   | Active  | PA_H                       | ✓       |
|                                      | Insertion                      | (b)-(ii)  | O   | Active  | PA_H                       | ✓       |
|                                      | Masquerading                   | (b)-(iii) | O   | Active  | PA_H                       | ✓       |
| Outsider obstruction                 | Interference                   | (c)-(i)   | O   | Active  | C_P or C_I                 | ★★★     |
|                                      | Overload                       | (c)-(ii)  | O   | Active  | PA_H                       | ✓       |
| Replay                               | Outsider replay                | (d)-(i)   | O   | Active  | New keys                   | ★★      |
|                                      | Insider replay                 | (d)-(ii)  | I   | Active  | New keys & C_I or IA_E     | ★★★     |
| Insider falsification & masquerade   | Substitution                   | (e)-(i)   | I   | Active  | IA_E                       | ★       |
|                                      | Insertion                      | (e)-(ii)  | I   | Active  | n/a                        | ✠       |
|                                      | Masquerading                   | (e)-(iii) | I   | Active  | IA_E                       | ★       |
| Insider obstruction                  | Stop forwarding                | (f)-(i)   | I   | Active  | n/a                        | ✠       |
|                                      | Overload                       | (f)-(ii)  | I   | Active  | C_I                        | ★★★     |
| Repudiation                          | False denial of origin         | (g)-(i)   | I   | Active  | IA_E or IA_H               | ★       |
|                                      | False denial of receipt        | (g)-(ii)  | I   | Active  | PA_H                       | ★★★     |
| Exposure                             | Insider undeliberate exposure  | (h)-(i)   | I   | Active  | C_P † or C_I ‡             | ★★      |
|                                      | Insider deliberate exposure    | (h)-(ii)  | I   | Active  | C_I                        | ★★★     |

I/O: Insider/Outsider (attacks). P/A: Passive/Active (attacks). †: Guards against outsider attacks. ‡: Guards against insider attacks. ✓: Solvable via well known solutions and widely deployed. ★: Solvable via well known solutions but less deployed. ★★: Solvable via the solution proposed in this article. ★★★: Partially solvable via the solution proposed in this article. ✠: Unsolvable via authentication and confidentiality.

1) Guarding Against Attacks on Communication Links: As shown in Table II, attacks (a) to (d)-(i) are injected on the communication link. Here, we investigate the possible use of preventive cryptographic countermeasures when attacks (a), (c)-(i) and (d)-(i) occur (marked with ★★ and ★★★).

For outsider wiretapping attack (a): C_P or C_I can be used to prevent outsiders from sniffing packets containing routing information. This is a straightforward method to prevent a passive attack. When C_P is provided for the whole IP payload, the outsider cannot learn even general information, such as link state type, advertising router, sequence number, etc., which is contained in the routing packet header; this information can help an attacker to derive network topology and traffic patterns. C_I cannot prevent an attacker from learning the information within the routing packet header, but it can prevent subverted routers from decrypting the routing information when they use different encryption/decryption keys. The combination of C_P and C_I provides strong security features to guard against ineligible entities.

For outsider interference attack (c)-(i): We assume that there is an admission control mechanism to prevent outsiders from using network tools, such as “traceroute”, to derive network topology. This can also be done by simply disabling those network services.
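The visibility difference between C_P and C_I described for attack (a) above, shown as an added Python example that is not part of the article. It builds one LSU carrying three constructed LSAs under no protection, under C_P (whole payload under a hop key shared by the two neighbors on the link) and under C_I (each LSA body under its trust-domain key, LSA headers left in the clear), and counts what an outsider tapping the wire and a neighbor router R3 (member of TD2 only, an assumption matching the article’s later Fig. 2 example) can read. The keystream cipher, key names and LSA layout are constructed stand-ins; a deployment would use IPsec ESP or an equivalent, not this code.

```python
import hashlib
import hmac
import json

# Constructed keys and LSAs for the illustration; nothing here is from a real deployment.
LINK_KEY = b"constructed-hop-key-link-2-3"   # C_P: shared by the two neighbours on a link
TD_KEYS = {"TD1": b"constructed-td1-key", "TD2": b"constructed-td2-key"}  # C_I: per TD
NONCE = b"constructed-nonce-0001"
LSAS = [
    {"type": 1, "adv_router": "R1", "seq": 7, "td": "TD1", "link": "1-2", "metric": 10},
    {"type": 1, "adv_router": "R1", "seq": 7, "td": "TD2", "link": "1-2", "metric": 20},
    {"type": 1, "adv_router": "R2", "seq": 3, "td": "TD2", "link": "2-3", "metric": 5},
]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream: a constructed stand-in for the cipher a
    real deployment would use (e.g. IPsec ESP), present only so the comparison runs offline."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; the XOR operation is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def lsa_nonce(hdr: dict) -> bytes:
    # Per-LSA nonce so that no two LSA bodies are protected with the same keystream.
    return NONCE + hdr["adv_router"].encode() + str(hdr["seq"]).encode() + hdr["td"].encode()


def build_lsu(mode: str) -> bytes:
    """Serialize the LSU under mode 'none', 'CP' (whole payload under the hop key) or
    'CI' (each LSA body under its TD key; the LSA header stays readable)."""
    entries = []
    for lsa in LSAS:
        hdr = {k: lsa[k] for k in ("type", "adv_router", "seq", "td")}
        body = json.dumps({"link": lsa["link"], "metric": lsa["metric"]}).encode()
        if mode == "CI":
            body = xor_crypt(TD_KEYS[lsa["td"]], lsa_nonce(hdr), body)
        entries.append({"hdr": hdr, "body": body.hex()})
    payload = json.dumps(entries).encode()
    if mode == "CP":
        payload = xor_crypt(LINK_KEY, NONCE, payload)
    return payload


def observe(payload: bytes, mode: str, link_key, td_keys: dict) -> dict:
    """What an observer recovers: link_key is None for an outsider tapping the wire;
    td_keys holds the TD session keys the observer legitimately possesses."""
    if mode == "CP":
        if link_key is None:
            return {"headers": [], "bodies": []}      # opaque ciphertext on the wire
        payload = xor_crypt(link_key, NONCE, payload)
    headers, bodies = [], []
    for entry in json.loads(payload):
        headers.append(entry["hdr"])                   # readable under 'none' and 'CI'
        body = bytes.fromhex(entry["body"])
        if mode == "CI":
            key = td_keys.get(entry["hdr"]["td"])
            if key is None:
                continue                               # not a member of that TD: body hidden
            body = xor_crypt(key, lsa_nonce(entry["hdr"]), body)
        bodies.append(json.loads(body))
    return {"headers": headers, "bodies": bodies}


def visibility() -> dict:
    """(headers seen, bodies seen) for an outsider tap and for router R3 under each mode."""
    result = {}
    for mode in ("none", "CP", "CI"):
        pkt = build_lsu(mode)
        outsider = observe(pkt, mode, None, {})
        r3 = observe(pkt, mode, LINK_KEY, {"TD2": TD_KEYS["TD2"]})
        result[mode] = {
            "outsider": (len(outsider["headers"]), len(outsider["bodies"])),
            "R3": (len(r3["headers"]), len(r3["bodies"])),
        }
    return result


if __name__ == "__main__":
    for mode, seen in visibility().items():
        print(mode, seen)
```

Under C_P the tap learns nothing, but any router holding the hop key (here R3) reads every LSA, including TD1’s; under C_I the tap still sees every LSA header (type, advertising router, sequence number), while R3 decrypts only the two TD2 bodies. The combination of the two modes, as the text suggests, closes both gaps.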

Then an attacker might arbitrarily wiretap any accessible communication link to intercept the routing information. Plaintext routing information can help attackers to derive network topology and traffic patterns. Because the link state routing protocol floods routing information, tapping one link lets an attacker intercept all flooded LSAs within that routing domain. The intercepted routing information can be valuable to attackers for deciding the location of an attack target, such as the weakest communication links or the partition routers. We note that providing confidentiality cannot prevent an attacker from carrying out active attacks. But, without network topology and traffic pattern information, it is hard for attackers to deploy attacks successfully. Note that most of the active attacks presented in this article require network topology or traffic pattern information.

For outsider replay attack (d)-(i): Although link state routing protocols typically use a non-decreasing sequence number to prevent replay attacks, a replay attack can still take place when the sequence number rolls over or a router reboots. OSPF over IPsec can benefit from its anti-replay window mechanism to prevent replay attacks. This mechanism can detect most replay attacks, but it is possible that some attacks go undetected. For example, consider this scenario: the anti-replay window size is 20 for a router. It starts with sequence number 1; when the sequence number reaches 10, the router reboots. Then it restarts and begins with sequence number 1 again. Now the LSA with sequence number 10 is captured by an attacker, and, after the router restarts, the network link metric is changed. We assume that all security parameters (e.g., encryption/decryption key, authentication key, etc.) are the same before and after the router restarts. Then the attacker can replay the old LSA successfully. If we change the security parameters after a router restarts, the outsider replay can be prevented. For example, if authentication or confidentiality is provided for routing packets/information, a new, updated authentication/encryption/decryption key can be used for new LSUs/LSAs. This requires key management to be involved in general network routing operations.

2) Guarding Against Attacks on Routers: We discuss the possible use of preventive cryptographic countermeasures when attacks take place on a router. Insider attacks (d)-(ii), (e)-(i), (f)-(ii), (g), and (h) are some examples of attacks on routers (marked with ★, ★★ and ★★★).

For insider replay attack (d)-(ii): The analysis of attack (d)-(ii) is similar to that of the outsider replay attack (d)-(i). The difference is that information-level security protection is required. We illustrate the reason through a simple example: the LSA contains the bandwidth information of a particular link $l$, which is $c_l$. When all routers share a common key to sign/encrypt LSAs, any subverted insider can replay an LSA. Preventing this form of attack in the current framework is difficult. Therefore, the new framework should be such that one can allocate a different set of keys to routers and sign/encrypt only a sub-portion of the bandwidth of link $l$, say $c'_l$. The insider attacker can then only replay the old routing information $c'_l$, which only affects part of the network resources. This would mean that not all routers within the link state routing domain share the same network resource information. If we consider a link state routing domain as a trust domain (TD), via C_I we can differentiate it into multiple sub-trust domains.
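The reboot scenario for outsider replay (d)-(i) above, and the reason key rotation alone does not settle insider replay (d)-(ii), as an added Python example that is not part of the article. A receiving router keeps a sliding anti-replay window of size 20 per originator (a simplified form of the IPsec window), router R advertises link l with metric 10 using sequence numbers 1 to 10, reboots, and restarts at sequence number 1 with the changed metric 50. The recorded seq-10 LSA is then presented with the same key, with a rotated key, and finally re-tagged by a subverted insider that holds the rotated shared key. Key names, the LSA layout and the `reset_peer` step (the receiver discarding its window when the adjacency re-forms) are assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

WINDOW = 20  # anti-replay window size used in the article's scenario

# Constructed keys for the illustration (not from any real deployment)
KEY_BEFORE = b"constructed-shared-key-before-restart"
KEY_AFTER = b"constructed-shared-key-after-restart"


@dataclass(frozen=True)
class LSA:
    """Minimal stand-in for a link state advertisement carrying one link metric."""
    router_id: str
    link: str
    metric: int
    seq: int
    tag: bytes  # keyed hash (HMAC) over the four fields above


def tag_lsa(key: bytes, router_id: str, link: str, metric: int, seq: int) -> bytes:
    return hmac.new(key, f"{router_id}|{link}|{metric}|{seq}".encode(), hashlib.sha256).digest()


def make_lsa(key: bytes, router_id: str, link: str, metric: int, seq: int) -> LSA:
    return LSA(router_id, link, metric, seq, tag_lsa(key, router_id, link, metric, seq))


class Receiver:
    """Receiving router: verifies the tag, then applies a per-originator sliding window
    (highest sequence number seen plus the set of numbers seen inside the window)."""

    def __init__(self, key: bytes, window: int = WINDOW):
        self.key = key
        self.window = window
        self.state = {}   # router_id -> (highest_seq, seen_in_window)
        self.metric = {}  # (router_id, link) -> metric currently believed

    def reset_peer(self, router_id: str) -> None:
        """Adjacency to router_id re-established after its reboot: window state discarded,
        as a fresh security association would be (assumption of this example)."""
        self.state.pop(router_id, None)

    def accept(self, lsa: LSA) -> bool:
        expected = tag_lsa(self.key, lsa.router_id, lsa.link, lsa.metric, lsa.seq)
        if not hmac.compare_digest(expected, lsa.tag):
            return False                       # authentication failed (wrong or stale key)
        highest, seen = self.state.get(lsa.router_id, (0, set()))
        if lsa.seq > highest:
            highest = lsa.seq                  # window slides forward
            seen = {s for s in seen if s > highest - self.window}
        elif lsa.seq <= highest - self.window or lsa.seq in seen:
            return False                       # too old for the window, or a duplicate
        seen.add(lsa.seq)
        self.state[lsa.router_id] = (highest, seen)
        self.metric[(lsa.router_id, lsa.link)] = lsa.metric
        return True


def run_scenario() -> dict:
    """R advertises link l: metric 10 with seq 1..10, reboots, restarts at seq 1 with
    metric 50; an outsider recorded the seq-10 LSA before the reboot."""
    results = {}

    # Case 1: same security parameters before and after the restart (attack (d)-(i)).
    rx = Receiver(KEY_BEFORE)
    for seq in range(1, 11):
        rx.accept(make_lsa(KEY_BEFORE, "R", "l", 10, seq))
    recorded = make_lsa(KEY_BEFORE, "R", "l", 10, 10)   # copy taken off the wire
    rx.reset_peer("R")                                   # R reboots, adjacency re-forms
    for seq in range(1, 4):
        rx.accept(make_lsa(KEY_BEFORE, "R", "l", 50, seq))
    results["same_key_replay_accepted"]    = rx.accept(recorded)   # seq 10 > highest 3
    results["same_key_metric"]             = rx.metric[("R", "l")]  # stale metric restored

    # Case 2: the shared key is rotated after the restart.
    rx = Receiver(KEY_BEFORE)
    for seq in range(1, 11):
        rx.accept(make_lsa(KEY_BEFORE, "R", "l", 10, seq))
    rx.reset_peer("R")
    rx.key = KEY_AFTER
    for seq in range(1, 4):
        rx.accept(make_lsa(KEY_AFTER, "R", "l", 50, seq))
    results["rotated_key_replay_accepted"] = rx.accept(recorded)   # tag under old key fails
    results["rotated_key_metric"]          = rx.metric[("R", "l")]

    # Case 3: attack (d)-(ii). A subverted insider holds the current shared key, so the
    # recorded content re-tagged under KEY_AFTER passes; rotation alone is not enough.
    insider_copy = make_lsa(KEY_AFTER, "R", "l", 10, 10)
    results["insider_replay_accepted"]     = rx.accept(insider_copy)
    results["insider_metric"]              = rx.metric[("R", "l")]
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The third case is what motivates the per-trust-domain keys of the following paragraphs: with a domain-wide shared key, rotating it helps only against the outsider, so the remaining option is to bound how much an insider holding a key can affect.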
Hence, if one of the sub-routing systems is compromised, it does not affect the others, or can only cause minimal damage to other sub-trust domains. Since routers within a TD share the crypto key, the replay attack can still occur, and updating the crypto key will not help to prevent the subverted routers from replaying the old routing packets. Thus, building multiple trust domains through C_I can only limit the effect of attack (d)-(ii).

For insider substitution attack (e)-(i) and insider masquerading attack (e)-(iii): In the case of attacks (e)-(i) and (e)-(iii), IA_E can prevent subverted routers from substituting the routing information and from masquerading as other routers, when data origin authentication is provided for each LSA and is guaranteed end-to-end.

[Fig. 2: three routers R1, R2 and R3. Communication link 1-2 (between R1 and R2) is labelled with $c_{1-2}$, $\alpha_{1-2}$, $\mu^1_{1-2}$ (TD1) and $\mu^2_{1-2}$ (TD2); communication link 2-3 (between R2 and R3) is labelled with $c_{2-3}$, $\alpha_{2-3}$ and $\mu^2_{2-3}$ (TD2); R3 belongs to TD2. Legend: communication link under attack.]

Fig. 2.

For insider overload attack (f)-(ii): This scenario addresses the excessive routing information burden placed on routers by overloading the routers’ input buffers or CPU. It differs from outsider overload attack (c)-(ii), which only aims to overload the neighboring routers’ input buffers or CPU. Insider overload can cause more damage, because the attacked routers will forward the excessive routing information to the next hop due to flooding. Although some link state routing protocols set a minimum arrival interval to limit how often a router accepts any particular LSA, a subverted router can circumvent this protection by constantly inventing new LSA instances. Thus, the attack traffic can be spread throughout the network due to flooding. In order to limit the routing data traffic overload attack, we again need to divide the link state routing domain into multiple small link state routing domains. We assume here that the network has link bandwidth management capability. An illustrative example is shown in Fig. 2, which represents a network segment composed of three routers and two links. The capacity of communication link 1-2 is $c_{1-2}$. TD1 and TD2 are configured to run through link 1-2. The bandwidth allocated for these two TDs is $\mu^1_{1-2}$ and $\mu^2_{1-2}$ (the superscript is the identifier of a TD and the subscript is the identifier of a link). The available bandwidth of link 1-2 is given by $\alpha_{1-2}$. Then, we have

$$c_{1-2} = \mu^1_{1-2} + \mu^2_{1-2} + \alpha_{1-2}.$$

Similarly, the capacity allocation of link 2-3 is

$$c_{2-3} = \mu^2_{2-3} + \alpha_{2-3}.$$

Note that the reserved bandwidth is guaranteed through both bandwidth management (such as scheduling) and the confidentiality provided for each TD. A particular encryption/decryption session key is used to provide confidentiality for a TD. In our example, both routers R1 and R2 can decrypt LSAs for TD1 and TD2, and R3 can only see the available bandwidth allocated for TD2. R3 does not possess the session key used by TD1, and it cannot forge routing information to announce allocated bandwidth on link 2-3 for TD1.
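The Fig. 2 arrangement, as an added Python example that is not part of the article: router R2 verifies each LSA against the session key of the trust domain it claims and forwards on link 1-2 only while that TD’s reservation $\mu^{TD}_{1-2}$ for the interval is not exhausted, and R3, holding only TD2’s key, cannot produce an LSA that R2 accepts for TD1. The link capacities and reservations (per-interval byte budgets satisfying $c = \mu^1 + \mu^2 + \alpha$), the key names and the use of a keyed hash in place of the article’s per-TD encryption are constructed assumptions; the article gives the relation, not these numbers.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed per-interval budgets in bytes for the Fig. 2 segment (the article gives
# the relation c = mu^1 + mu^2 + alpha, not these numbers).
C_LINK = {"1-2": 100_000, "2-3": 100_000}                                   # c_{1-2}, c_{2-3}
MU = {("TD1", "1-2"): 30_000, ("TD2", "1-2"): 20_000, ("TD2", "2-3"): 20_000}  # mu^TD_link
TD_KEYS = {"TD1": b"constructed-td1-session-key", "TD2": b"constructed-td2-session-key"}
MEMBERSHIP = {"R1": {"TD1", "TD2"}, "R2": {"TD1", "TD2"}, "R3": {"TD2"}}   # who holds which key


def alpha(link: str) -> int:
    """Available bandwidth alpha_link = c_link minus the TD reservations on that link."""
    return C_LINK[link] - sum(m for (td, l), m in MU.items() if l == link)


def td_tag(td: str, key: bytes, payload: bytes) -> bytes:
    """Stand-in for the per-TD protection of an LSA: the article encrypts per TD, a keyed
    hash is enough here to show which routers can produce acceptable TD routing data."""
    return hmac.new(key, td.encode() + b"|" + payload, hashlib.sha256).digest()


class Router:
    def __init__(self, name: str):
        self.name = name
        self.keys = {td: TD_KEYS[td] for td in MEMBERSHIP[name]}
        self.forwarded = defaultdict(int)  # (td, link) -> bytes forwarded this interval
        self.dropped = defaultdict(int)    # (td, link) -> bytes dropped this interval

    def originate(self, td: str, payload: bytes):
        """An LSA for TD td can only be produced by a router holding that TD's key."""
        if td not in self.keys:
            return None
        return (td, payload, td_tag(td, self.keys[td], payload))

    def forward(self, lsa, out_link: str) -> bool:
        """Verify the TD tag, then forward only while the TD's reservation mu on out_link
        is not exhausted; anything beyond it is dropped rather than flooded onward."""
        td, payload, tag = lsa
        key = self.keys.get(td)
        if key is None or not hmac.compare_digest(td_tag(td, key, payload), tag):
            self.dropped[(td, out_link)] += len(payload)
            return False
        if self.forwarded[(td, out_link)] + len(payload) > MU.get((td, out_link), 0):
            self.dropped[(td, out_link)] += len(payload)
            return False
        self.forwarded[(td, out_link)] += len(payload)
        return True


def overload_scenario(n_lsas: int = 100, size: int = 1000) -> dict:
    """R3 (TD2 member only) floods R2 with far more TD2 routing data than mu^2_{1-2}, and
    an LSA labelled TD1 but protected with the only key R3 has also reaches R2."""
    r2, r3 = Router("R2"), Router("R3")
    for _ in range(n_lsas):
        r2.forward(r3.originate("TD2", b"x" * size), "1-2")
    mislabelled = ("TD1", b"x" * size, td_tag("TD1", TD_KEYS["TD2"], b"x" * size))
    return {
        "alpha_1_2": alpha("1-2"),
        "alpha_2_3": alpha("2-3"),
        "td2_bytes_forwarded_on_1_2": r2.forwarded[("TD2", "1-2")],
        "td2_bytes_dropped_on_1_2": r2.dropped[("TD2", "1-2")],
        "r3_can_originate_td1": r3.originate("TD1", b"x") is not None,
        "td1_mislabelled_accepted": r2.forward(mislabelled, "1-2"),
        "td1_budget_untouched": r2.forwarded[("TD1", "1-2")] == 0,
    }


if __name__ == "__main__":
    for name, value in overload_scenario().items():
        print(f"{name}: {value}")
```

With these budgets R2 passes 20 of the 100 LSAs (the whole of $\mu^2_{1-2}$) onward and drops the rest, so the overload stays confined to link 2-3 and TD2’s share of link 1-2; TD1’s reservation and $\alpha_{1-2}$ are never consumed by R3’s traffic.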
When the subverted router R3 overloads R2, R2 does not forward the excessive routing traffic that exceeds $\mu^{2}_{1\text{-}2}$. The traffic control is done through bandwidth management, and the TD identification is done by providing confidentiality ($C_I$) to hide the network resources.

For insider false denial of origin attack (g)-(i): In the case of attack (g)-(i), $IA_E$ can prevent insiders from denying that they were the original sources which sent the false routing information. The authentication code should provide evidence that the sender cannot deny, e.g., a digital signature.

For insider false denial of receipt attack (g)-(ii): The acknowledgement mechanism of a link state routing protocol is neighbor-to-neighbor based. Multiple LSAs can be acknowledged by a single link state acknowledgement packet. The acknowledgement packet can use a shared key between the communication peers to authenticate the received packet. But, as we know, with a shared key scheme and the neighbor-to-neighbor authentication mechanism there is no way to tell explicitly who generated a packet, because the key is shared. Using $IA_E$ and $IA_H$ to acknowledge every LSA is impractical and unnecessary. Moreover, the receiver can simply stop sending back acknowledgements. Thus, using $PA_H$ for acknowledgement is optional, and its only benefit is preventing the "man-in-the-middle" attack.

For insider undeliberate exposure attack (h)-(i): An insider may unintentionally expose routing information to outsiders, or to other insiders that are not intended recipients of the routing information (for example, over wireless links). The analysis of this scenario is the same as for scenario (a). $C_P$ ensures that no outsider can recover the content. Within the multiple-TD framework, $C_I$ ensures that only eligible TD members can recover the content within their TD.

For insider deliberate exposure attack (h)-(ii): An insider can deliberately expose the routing information to anyone. But, with the routing information protected by $C_I$, a subverted/compromised router cannot expose the routing information of other TDs to which it does not belong.

IV. IMPLEMENTATION ISSUES

In this section, we highlight the implementation issues that are involved in secure link state network routing. Authentication is implemented by most of the current link state routing protocols. As shown in Table I, authentication can be broadly classified into four categories.
Our discussion is focused on the labelled examples of Table I. Among them, $PA_H$ and $IA_E$ are widely accepted by the current Internet community. Using $PA_H$, all routers within a routing domain can share one authentication key. Alternatively, a router can possess a different authentication key for each neighbor connected to it. When a router receives/sends a routing packet, the routing packet is verified/authenticated. The shared key can be preinstalled manually. Compared to $PA_H$, $IA_E$ requires every router to have its own private/public key pair as well as the public keys of the $n-1$ other routers (where $n$ is the size of the link state routing domain). When a router forwards a routing packet, the routing packet is only verified. The digital signature is propagated along with the LSA to every router within the flooding region. $IA_E$ requires a trusted third entity to distribute keys and provide certificate service. One advantage that $PA_H$ has over $IA_E$ is its simplicity, in the sense that a router retains fewer keys and performs fewer signing/verifying operations (using $PA_H$, a router signs/verifies only an LSU, which contains multiple LSAs). Furthermore, $PA_H$ uses a keyed hash function (HMAC) [12], which is processed approximately three orders of magnitude faster than a public key based authentication scheme (e.g., the digital signature) on the same router's CPU. $IA_H$, presented in [7], provides data origin authentication by using two different keys on each router. Compared with $IA_E$, it costs less CPU power and consumes less bandwidth. The advantage of $IA_E$ over $IA_H$ is the security robustness provided by $IA_E$, which can prevent any intermediate router from forging other routers' routing information. There are no proposals for $PA_E$ as of now, due to its improper security mechanism. OSPFv3 proposes $C_P$ by using IPSec. IPSec includes several Internet RFCs [11], such as IP Authentication Header (RFC 2402), IP Encapsulating Security Payload (RFC 2406), the Key Management Framework (RFC 2408), and the Key Exchange Protocol (RFC 2409). Since IPSec is implemented in the kernel of an operating system, to use it we need to modify the operating system of a router. There are no proposals for $C_I$ as of now. As we summarized in Table II, $C_I$ can help to prevent or limit several attacks. We also show our attack countermeasure analysis in Section III-B. From the analysis, we infer that a network resource management system is required to inform a router to provide $C_I$.
In addition, to prevent certain types of attacks, such as the overload attack (scenario (f)-(ii)), a router is required to have link capacity management capabilities. These capabilities may not be available in current network routers.

V. CONCLUSION AND FUTURE WORK

In Table II, attacks marked with F ((e)-(i), (e)-(ii), and (g)-(i)) can be foiled by using $IA_E$ or $IA_H$. Attacks marked with FF ((a), (d)-(i), and (h)-(i)) can be thwarted by using $C_P$, $C_I$, or key management. We can use preventive cryptographic countermeasures to provide a degree of protection to link state routing from the attacks marked with FFF. Limiting these attacks ((c)-(i), (f)-(ii), and (h)-(ii)) is a challenging task.

We have given the security analysis of the preventive cryptographic countermeasures that can be used to guard against attacks marked with FF and FFF. We make the following observations:

• Current network routing lacks a framework for survivability under security threats to routing protocols.

• Since the fundamental functions among network routers are cooperation and coordination, the attacks marked with FFF, except (g)-(ii), cannot be totally prevented via preventive cryptographic countermeasures.

Thus, using confidentiality and key management (the use of $C_I$) provides a natural way for us to divide the routing domain into multiple small trust domains (TDs). Each TD represents a subset of network resources. In this way, we can limit attacks to the corresponding TD. The philosophy behind this is that a router needs to know only the necessary routes that go through it. Within a routing domain, an attacker can easily probe the system for security holes and deploy attacks that can go unchecked. The flat trust structure (as it exists now) for the entire intra-domain routing is extremely susceptible to such attacks. We propose to divide such a routing domain into multiple TDs. Building multiple TDs requires hiding network resource information from a particular subset of network routers. Hiding routing information provides three-fold benefits. First, it provides a method that uses key management to control network traffic, such as using different keys to provide confidentiality for particular allocations of network resources. Key management is the foundation of security services, which makes it easier to integrate quality of service (for example, classes of service) and strong security services. Our analysis of scenarios (d)-(ii) and (f)-(ii) shows the benefits of building multiple TDs to reduce the effect of insider replay and overload attacks.

Second, hiding a subset of network resources from other TDs' users avoids exposing network information that attackers could use to explore network vulnerabilities; this increases network robustness (as discussed in scenarios (a), (c)-(i) and (h)). Third, cryptographically hiding unnecessary routing information can reduce the size of a router's routing tables and link state databases, which in turn reduces the amount of network information that a router really needs to know.

ACKNOWLEDGMENTS

This work is supported by a grant from the University of Missouri System Research Board.

REFERENCES

[1] A. Chakrabarti and G. Manimaran, "Internet Infrastructure Security: A Taxonomy", IEEE Network, Vol. 16, No. 6, November/December 2002.
[2] S. Cheung, "An Efficient Message Authentication Scheme for Link State Routing", 13th Annual Computer Security Applications Conference (ACSAC '97), 1997.
[3] R. Coltun, D. Ferguson and J. Moy, "OSPF for IPv6", RFC 2740, December 1999.
[4] M. Gupta and N. Melam, "Authentication/Confidentiality for OSPFv3", Internet draft, November 2002. http://www.ietf.org/internet-drafts/draft-ietf-ospf-ospfv3-auth-00.txt
[5] D. Harkins and D. Carrel, "The Internet Key Exchange (IKE)", RFC 2409, November 1998.
[6] R. Hauser, T. Przygienda and G. Tsudik, "Lowering Security Overhead in Link State Routing", Computer Networks (Amsterdam, Netherlands), 1999.
[7] D. Huang, A. Sinha and D. Medhi, "A Double Authentication Scheme to Detect Impersonation Attack in Link State Routing Protocols", IEEE International Conference on Communications (ICC), May 2003.
[8] K. J. Houle, G. M. Weaver, N. Long and R. Thomas, "Trends in Denial of Service Attack Technology", CERT Coordination Center, 2001. http://www.cert.org/archive/pdf/DoS_trends.pdf
[9] IETF Routing Protocol Security Requirements (rpsec) working group. http://www.ietf.org/html.charters/rpsec-charter.html
[10] "Intermediate System to Intermediate System Intra-Domain Routeing Exchange Protocol for use in Conjunction with the Protocol for Providing the Connectionless-mode Network Service (ISO 8473)", ISO DP 10589, February 1990.
[11] S. Kent and R. Atkinson, "Security Architecture for the Internet Protocol", RFC 2401, November 1998.
[12] H. Krawczyk, M. Bellare and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997.
[13] J. Moy, "OSPF Version 2", RFC 2328, April 1998.
[14] S. Murphy, M. Badger and W. Wellington, "OSPF with Digital Signatures", RFC 2154, June 1997.
[15] P. Papadimitratos and Z. J. Haas, "Securing the Internet Routing Infrastructure", IEEE Communications, October 2002.
[16] R. Perlman, "Network Layer Protocols with Byzantine Robustness", MIT/LCS/TR-429, October 1988.
[17] R. Shirey, "Internet Security Glossary", RFC 2828, May 2000.
[18] B. Vetter, F. Wang and S. Wu, "An Experimental Study of Insider Attacks for OSPF Routing Protocol", IEEE International Conference on Network Protocols, pp. 293-300, October 1997.