Network Working Group                                          A. Barbir
Request for Comments: 4593                                        Nortel
Category: Informational                                        S. Murphy
                                                            Sparta, Inc.
                                                                 Y. Yang
                                                           Cisco Systems
                                                            October 2006

Generic Threats to Routing Protocols


Status of This Memo


This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.


Copyright Notice


Copyright (C) The Internet Society (2006).




Abstract


Routing protocols are subject to attacks that can harm individual users or network operations as a whole. This document provides a description and a summary of generic threats that affect routing protocols in general. This work describes threats, including threat sources and capabilities, threat actions, and threat consequences, as well as a breakdown of routing functions that might be attacked separately.


Table of Contents


   1. Introduction
   2. Routing Functions Overview
   3. Generic Routing Protocol Threat Model
      3.1. Threat Definitions
           3.1.1. Threat Sources
                  3.1.1.1. Adversary Motivations
                  3.1.1.2. Adversary Capabilities
           3.1.2. Threat Consequences
                  3.1.2.1. Threat Consequence Scope
                  3.1.2.2. Threat Consequence Zone
                  3.1.2.3. Threat Consequence Periods
   4. Generally Identifiable Routing Threat Actions
      4.1. Deliberate Exposure
      4.2. Sniffing
      4.3. Traffic Analysis
      4.4. Spoofing
      4.5. Falsification
           4.5.1. Falsifications by Originators
                  4.5.1.1. Overclaiming
                  4.5.1.2. Misclaiming
           4.5.2. Falsifications by Forwarders
                  4.5.2.1. Misstatement
      4.6. Interference
      4.7. Overload
   5. Security Considerations
   6. References
      6.1. Normative References
   Appendix A. Acknowledgments
   Appendix B. Acronyms
1. Introduction

Routing protocols are subject to threats and attacks that can harm individual users or the network operations as a whole. The document provides a summary of generic threats that affect routing protocols. In particular, this work identifies generic threats to routing protocols that include threat sources, threat actions, and threat consequences. A breakdown of routing functions that might be separately attacked is provided.


This work should be considered a precursor to developing a common set of security requirements for routing protocols. While it is well known that bad, incomplete, or poor implementations of routing protocols may, in themselves, lead to routing problems or failures or may increase the risk of a network's being attacked successfully, these issues are not considered here. This document only considers


attacks against robust, well-considered implementations of routing protocols, such as those specified in Open Shortest Path First (OSPF) [4], Intermediate System to Intermediate System (IS-IS) [5][8], RIP [6] and BGP [7]. Attacks against implementation-specific weaknesses and vulnerabilities are out of scope for this document.


The document is organized as follows: Section 2 provides a review of routing functions. Section 3 defines threats. In Section 4, a discussion on generally identifiable routing threat actions is provided. Section 5 addresses security considerations.


2. Routing Functions Overview

This section provides an overview of common functions that are shared among various routing protocols. In general, routing protocols share the following functions:


o Transport Subsystem: The routing protocol transmits messages to its neighbors using some underlying protocol. For example, OSPF uses IP, while other protocols may run over TCP.


o Neighbor State Maintenance: Neighboring relationship formation is the first step for topology determination. For this reason, routing protocols may need to maintain state information. Each routing protocol may use a different mechanism for determining its neighbors in the routing topology. Some protocols have distinct exchanges through which they establish neighboring relationships, e.g., Hello exchanges in OSPF.


o Database Maintenance: Routing protocols exchange network topology and reachability information. The routers collect this information in routing databases with varying detail. The maintenance of these databases is a significant portion of the function of a routing protocol.


In a routing protocol, there are message exchanges that are intended for the control of the state of the protocol. For example, neighbor maintenance messages carry such information. On the other hand, there are messages that are used to exchange information that is intended to be used in the forwarding function, for example, messages that are used to maintain the database. These messages affect the data (information) part of the routing protocol.


3. Generic Routing Protocol Threat Model

The model developed in this section can be used to identify threats to any routing protocol.


Routing protocols are subject to threats at various levels. For example, threats can affect the transport subsystem, where the routing protocol can be subject to attacks on its underlying protocol. An attacker may also attack messages that carry control information in a routing protocol in order to break a neighboring (e.g., peering, adjacency) relationship. This type of attack can impact the network routing behavior in the affected routers and likely the surrounding neighborhood as well. For example, in BGP, if a router receives a NOTIFICATION message carrying the Cease error code, it will tear down its session with that peer, remove the routes learned from it, and potentially send new routing information to any remaining peers.


An attacker may also attack messages that carry data information in order to break a database exchange between two routers or to affect the database maintenance functionality. The information in the database must be both authentic and authorized. An attacker who is able to introduce bogus data can have a strong effect on the behavior of routing in the neighborhood. For example, if an OSPF router sends LSAs with the wrong Advertising Router, the receivers will compute a Shortest Path First (SPF) tree that is incorrect and might not forward the traffic. If a BGP router advertises Network Layer Reachability Information (NLRI) that it is not authorized to advertise, then receivers might forward that NLRI's traffic toward that router, and the traffic would not be deliverable. Similarly, a Protocol Independent Multicast (PIM) router might transmit a JOIN message to receive multicast data it would otherwise not receive.


3.1. Threat Definitions

In [1], a threat is defined as a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. Threats can be categorized as threat sources, threat actions, threat consequences, threat consequence zones, and threat consequence periods.


3.1.1. Threat Sources

In the context of deliberate attack, a threat source is defined as a motivated, capable adversary. By modeling the motivations (attack goals) and capabilities of the adversaries who are threat sources, one can better understand what classes of attacks these threats may mount and thus what types of countermeasures will be required to deal with these attacks.

3.1.1.1. Adversary Motivations

We assume that the most common goal of an adversary deliberately attacking routing is to cause inter-domain routing to malfunction. A routing malfunction affects data transmission such that traffic follows a path (sequence of autonomous systems in the case of BGP) other than one that would have been computed by the routing protocol if it were operating properly (i.e., if it were not under attack). As a result of an attack, a route may terminate at a router other than the one that legitimately represents the destination address of the traffic, or it may traverse routers other than those that it would otherwise have traversed. In either case, a routing malfunction may allow an adversary to wiretap traffic passively, or to engage in man-in-the-middle (MITM) active attacks, including discarding traffic (denial of service).


A routing malfunction might be effected for financial gain related to traffic volume (vs. the content of the routed traffic), e.g., to affect settlements among ISPs.


Another possible goal for attacks against routing can be damage to the network infrastructure itself, on a targeted or wide-scale basis. Thus, for example, attacks that cause excessive transmission of UPDATE or other management messages, and attendant router processing, could be motivated by these goals.


Irrespective of the goals noted above, an adversary may or may not be averse to detection and identification. This characteristic of an adversary influences some of the ways in which attacks may be accomplished.

3.1.1.2. Adversary Capabilities

Different adversaries possess varied capabilities.


o All adversaries are presumed to be capable of directing packets to routers from remote locations and can assert a false IP source address with each packet (IP address spoofing) in an effort to cause the targeted router to accept and process the packet as though it emanated from the indicated source. Spoofing attacks may be employed to trick routers into acting on bogus messages to effect misrouting, or these messages may be used to overwhelm the management processor in a router, to effect DoS. Protection from such adversaries must not rely on the claimed identity in routing packets that the protocol receives.


o Some adversaries can monitor links over which routing traffic is carried and emit packets that mimic data contained in legitimate routing traffic carried over these links; thus, they can actively participate in message exchanges with the legitimate routers. This increases the opportunities for an adversary to generate bogus routing traffic that may be accepted by a router, to effect misrouting or DoS. Retransmission of previously delivered management traffic (a replay attack) exemplifies this capability. As a result, protection from such adversaries ought not to rely on the secrecy of unencrypted data in packet headers or payloads.


o Some adversaries can effect MITM attacks against routing traffic, e.g., as a result of active wiretapping on a link between two routers. This represents the ultimate wiretapping capability for an adversary. Protection from such adversaries must not rely on the integrity of inter-router links to authenticate traffic, unless cryptographic measures are employed to detect unauthorized modification.


o Some adversaries can subvert routers, or the management workstations used to control these routers. These Byzantine failures represent the most serious form of attack capability in that they result in emission of bogus traffic by legitimate routers. As a result, protection from such adversaries must not rely on the correct operation of neighbor routers. Protection measures should adopt the principle of least privilege, to minimize the impact of attacks of this sort. To counter Byzantine attacks, routers ought not to trust management traffic (e.g., based on its source) but rather each router should independently authenticate management traffic before acting upon it.

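The four capabilities above map onto four concrete checks a receiving router can perform. The following is an added example, not code from RFC 4593 or from any of the routing protocols it cites: a receiver that ignores the claimed IP source address, does not depend on the secrecy of header or payload, detects modification in transit with a per-neighbor keyed MAC, and detects replay with a per-neighbor sequence number. The wire format, the key material, the router identifiers and the sample messages are all assumptions made for the illustration.

```python
"""Added example, not from RFC 4593: a receiver-side check for routing
protocol messages that (a) ignores the claimed IP source address,
(b) needs no secrecy of the message header or payload, (c) detects
modification in transit, and (d) detects replay. The wire format, the
key material and the sample messages are constructed for illustration."""
import hashlib
import hmac
import struct

# Assumed wire format (big-endian):
#   router_id (4) | seq (4) | payload_len (2) | payload | tag (32)
# where tag = HMAC-SHA256(key shared with that neighbor, everything before tag).
HDR = struct.Struct("!IIH")
TAG_LEN = 32


def build_message(key, router_id, seq, payload):
    """Originator side: frame a routing message and append its tag."""
    head = HDR.pack(router_id, seq, len(payload)) + payload
    return head + hmac.new(key, head, hashlib.sha256).digest()


class Receiver:
    """Holds one key per neighbor and the highest sequence number accepted
    from each, so a re-sent genuine message is recognised as a replay."""

    def __init__(self, neighbor_keys):
        self.keys = dict(neighbor_keys)   # router_id -> per-neighbor key
        self.last_seq = {}                # router_id -> highest accepted seq

    def accept(self, src_ip, msg):
        """Return (accepted, reason). src_ip is used only in the reason text:
        an outsider can forge it, so it is never an input to the decision."""
        if len(msg) < HDR.size + TAG_LEN:
            return False, "truncated message from %s" % src_ip
        router_id, seq, plen = HDR.unpack_from(msg)
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        if len(body) != HDR.size + plen:
            return False, "length field does not match message"
        key = self.keys.get(router_id)
        if key is None:
            return False, "router id 0x%08x is not a configured neighbor" % router_id
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # constant-time compare
            return False, "bad tag: spoofed origin or modified in transit"
        if seq <= self.last_seq.get(router_id, -1):
            return False, "replay: seq %d is not newer than last accepted" % seq
        self.last_seq[router_id] = seq
        return True, "accepted"


def demo():
    """Run the adversary cases from the capability list against one receiver."""
    rid_a = 0x0A000001                    # Router A, 10.0.0.1 (constructed)
    key_a = b"per-neighbor-key-for-A"    # constructed key
    rx = Receiver({rid_a: key_a})
    genuine = build_message(key_a, rid_a, 7, b"prefix 10.1.0.0/16 metric 10")
    out = {}
    out["genuine"] = rx.accept("10.0.0.1", genuine)[0]
    # Outsider: spoofs A's address and router id but does not hold A's key.
    forged = build_message(b"wrong-key", rid_a, 8, b"prefix 10.1.0.0/16 metric 1")
    out["spoofed"] = rx.accept("10.0.0.1", forged)[0]
    # MITM on the link: flips one bit of the genuine message's payload.
    tampered = bytearray(genuine)
    tampered[HDR.size + 20] ^= 0x01
    out["modified"] = rx.accept("10.0.0.1", bytes(tampered))[0]
    # Replay: the genuine message is delivered a second time.
    out["replayed"] = rx.accept("10.0.0.1", genuine)[0]
    # A later, fresh message from A is still accepted.
    fresh = build_message(key_a, rid_a, 8, b"withdraw 10.1.0.0/16")
    out["fresh"] = rx.accept("10.0.0.1", fresh)[0]
    return out


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-9s %s" % (case, "accepted" if ok else "rejected"))
```

Two design points matter here. The key is per neighbor, not shared by the whole peer group: with one group key, any legitimate but subverted peer could emit messages under another peer's router id and pass the tag check, which is exactly the Byzantine case this section goes on to describe. The sequence number is per neighbor and must be monotonic across the originator's restarts (persisted, or re-synchronised at session start), otherwise a rebooted neighbor's first messages are discarded as replays.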

We will assume that any cryptographic countermeasures employed to secure BGP will employ algorithms and modes that are resistant to attack, even by sophisticated adversaries; thus, we will ignore cryptanalytic attacks.


Deliberate attacks are mimicked by failures that are random and unintentional. In particular, a Byzantine failure in a router may occur because the router is faulty in hardware or software or is misconfigured. As described in [3], "A node with a Byzantine failure may corrupt messages, forge messages, delay messages, or send conflicting messages to different nodes". Byzantine routers, whether faulty, misconfigured, or subverted, have the context to provide believable and very damaging bogus routing information. Byzantine routers may also claim another legitimate peer's identity. Given their status as peers, they may even elude the authentication protections, if those protections can only detect that a source is one of the legitimate peers (e.g., the router uses the same cryptographic key to authenticate all peers).


We therefore characterize threat sources into two groups:


Outsiders: These attackers may reside anywhere in the Internet, have the ability to send IP traffic to the router, may be able to observe the router's replies, and may even control the path for a legitimate peer's traffic. These are not legitimate participants in the routing protocol.


Byzantine: These attackers are faulty, misconfigured, or subverted routers; i.e., legitimate participants in the routing protocol.


3.1.2. Threat Consequences

A threat consequence is a security violation that results from a threat action [1]. To a routing protocol, a security violation is a compromise of some aspect of the correct behavior of the routing system. The compromise can damage the data traffic intended for a particular network or host or can damage the operation of the routing infrastructure of the network as a whole.


There are four types of general threat consequences: disclosure, deception, disruption, and usurpation [1].


o Disclosure: Disclosure of routing information happens when an attacker successfully accesses the information without being authorized. Outsiders who can observe or monitor a link may cause disclosure, if routing exchanges lack confidentiality. Byzantine routers can cause disclosure, as long as they are successfully involved in the routing exchanges. Although inappropriate disclosure of routing information can pose a security threat or be part of a later, larger, or higher layer attack, confidentiality is not generally a design goal of routing protocols.


o Deception: This consequence happens when a legitimate router receives a forged routing message and believes it to be authentic. Both outsiders and Byzantine routers can cause this consequence if the receiving router lacks the ability to check routing message integrity or origin authentication.


o Disruption: This consequence occurs when a legitimate router's operation is being interrupted or prevented. Outsiders can cause this by inserting, corrupting, replaying, delaying, or dropping routing messages, or by breaking routing sessions between legitimate routers. Byzantine routers can cause this consequence by sending false routing messages, interfering with normal routing exchanges, or flooding unnecessary routing protocol messages. (DoS is a common threat action causing disruption.)


o Usurpation: This consequence happens when an attacker gains control over the services/functions a legitimate router is providing to others. Outsiders can cause this by delaying or dropping routing exchanges, or fabricating or replaying routing information. Byzantine routers can cause this consequence by sending false routing information or interfering with routing exchanges.


Note: An attacker does not have to control a router directly to control its services. For example, in Figure 1, Network 1 is dual-homed through Router A and Router B, and Router A is preferred. However, Router B is compromised and advertises a better metric. Consequently, devices on the Internet choose the path through Router B to reach Network 1. In this way, Router B steals the data traffic, and Router A loses its control of the services to Router B. This is depicted in Figure 1.


                   +-------------+   +-------+
                   |  Internet   |---| Rtr A |
                   +------+------+   +---+---+
                          |              |
                          |              |
                          |              |
                          |            *-+-*
                   +-------+           /     \
                   | Rtr B |----------*  N 1  *
                   +-------+           \     /

Figure 1. Dual-homed network


Several threat consequences might be caused by a single threat action. In Figure 1, there exist at least two consequences: routers using Router B to reach Network 1 are deceived, and Router A is usurped.
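The Figure 1 scenario, as an added example that is not part of RFC 4593: a small route-selection model in which receivers prefer the lowest metric, so a compromised Rtr B advertising a better metric wins the path to N 1 and usurps Rtr A. An assumed per-prefix origin authorization table (which routers may originate which prefix) is then applied to show what such a check does and does not catch. The router names, metrics, the extra unauthorized router C and the table are all constructed for the illustration.

```python
"""Added example, not part of RFC 4593: the dual-homed network of Figure 1
as a route-selection model. Receivers prefer the lowest metric; compromised
Rtr B advertises a better metric than Rtr A and usurps it. An assumed
per-prefix authorization table is applied to show what it catches (an
unconnected router C) and what it cannot (a legitimate origin that lies).
Router names, metrics and the table are constructed."""


def select_best(adverts):
    """Pick the advertisement with the lowest metric (ties: lowest router
    name), as a receiver applying a plain metric comparison would."""
    if not adverts:
        return None
    return min(adverts, key=lambda a: (a["metric"], a["router"]))["router"]


def filter_authorized(adverts, authorized):
    """Keep only advertisements whose originator is allowed to originate the
    prefix. `authorized` maps prefix -> set of permitted router names."""
    return [a for a in adverts if a["router"] in authorized.get(a["prefix"], set())]


def figure1_scenario(b_lies=True, authorized=None):
    """Return what a router on the Internet side of Figure 1 chooses for
    N 1, what it should have chosen, and which consequences follow."""
    prefix = "N 1"
    true_metric = {"A": 10, "B": 20}          # A is the legitimately preferred path
    received = [
        {"router": "A", "prefix": prefix, "metric": 10},
        {"router": "B", "prefix": prefix, "metric": 2 if b_lies else 20},  # B is compromised
        {"router": "C", "prefix": prefix, "metric": 1},   # C is not attached to N 1 at all
    ]
    if authorized is not None:
        received = filter_authorized(received, authorized)
    chosen = select_best(received)
    legitimate = select_best([{"router": r, "prefix": prefix, "metric": m}
                              for r, m in true_metric.items()])
    return {
        "chosen": chosen,
        "legitimate": legitimate,
        "deception": chosen != legitimate,                         # receiver believed false information
        "usurped": legitimate if chosen != legitimate else None,   # router that lost its traffic
    }


if __name__ == "__main__":
    print("no checks:           ", figure1_scenario())
    print("origin authorization:", figure1_scenario(authorized={"N 1": {"A", "B"}}))
    print("B honest, authorized:", figure1_scenario(b_lies=False, authorized={"N 1": {"A", "B"}}))
```

The authorization table removes C, which was never attached to N 1, but B is a legitimate origin for N 1 and still wins with its false metric: Internet routers are deceived and A is usurped exactly as the text describes. Origin authorization addresses one consequence (a fabricated origin) and not another (a true origin lying about path quality), which is the point made under Threat Consequence Scope below about security solutions covering some consequences but not others.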

3.1.2.1. Threat Consequence Scope

As mentioned above, an attack might damage the data traffic intended for a particular network or host or damage the operation of the routing infrastructure of the network as a whole. Damage that might result from attacks against the network as a whole may include the following:


o Network congestion. More data traffic is forwarded through some portion of the network than that portion would otherwise need to carry.


o Blackhole. Large amounts of traffic are unnecessarily re-directed to be forwarded through one router and that router drops many/most/all packets.


o Looping. Data traffic is forwarded along a route that loops, so that the data is never delivered (resulting in network congestion).


o Partition. Some portion of the network believes that it is partitioned from the rest of the network when it is not.


o Churn. The forwarding in the network changes (unnecessarily) at a rapid pace, resulting in large variations in the data delivery patterns (and adversely affecting congestion control techniques).


o Instability. The protocol becomes unstable so that convergence on a global forwarding state is not achieved.


o Overcontrol. The routing protocol messages themselves become a significant portion of the traffic the network carries.


o Clog. A router receives an excessive number of routing protocol messages, causing it to exhaust some resource (e.g., memory, CPU, battery).


The damage that might result from attacks against a particular host or network address may include the following:


o Starvation. Data traffic destined for the network or host is forwarded to a part of the network that cannot deliver it.


o Eavesdrop. Data traffic is forwarded through some router or network that would otherwise not see the traffic, affording an opportunity to see the data or at least the data delivery pattern.


o Cut. Some portion of the network believes that it has no route to the host or network when it is in fact connected.


o Delay. Data traffic destined for the network or host is forwarded along a route that is in some way inferior to the route it would otherwise take.


o Looping. Data traffic for the network or host is forwarded along a route that loops, so that the data is never delivered.


It is important to consider all consequences, because some security solutions can protect against one consequence but not against others. It might be possible to design a security solution that protects against eavesdropping on one destination's traffic without protecting against churn in the network. Similarly, it is possible to design a security solution that prevents a starvation attack against one host, but not a clogging attack against a router. The security requirements must be clear as to which consequences are being avoided and which consequences must be addressed by other means (e.g., by administrative means outside the protocol).

3.1.2.2. Threat Consequence Zone

A threat consequence zone covers the area within which the network operations have been affected by threat actions. Possible threat consequence zones can be classified as a single link or router, multiple routers (within a single routing domain), a single routing domain, multiple routing domains, or the global Internet. The threat consequence zone varies based on the threat action and the position of the target of the attack. Similar threat actions that happen at different locations may result in totally different threat consequence zones. For example, when an outsider breaks the routing session between a distribution router and a stub router, only reachability to and from the network devices attached to the stub router will be impaired. In other words, the threat consequence zone is a single router. In another case, if the outsider is located between a customer edge router and its corresponding provider edge router, such an action might cause the whole customer site to lose its connection. In this case, the threat consequence zone might be a single routing domain.

3.1.2.3. Threat Consequence Periods

A threat consequence period is defined as the portion of time during which the network operations are impacted by the threat consequences. The threat consequence period is influenced by, but not totally dependent on, the duration of the threat action. In some cases, the network operations will get back to normal as soon as the threat action has been stopped. In other cases, however, threat consequences may persist longer than does the threat action. For example, in the original Advanced Research Projects Agency Network (ARPANET) link-state algorithm, some errors in a router introduced three instances of a Link-State Announcement (LSA). All of them flooded throughout the network continuously, until the entire network was power cycled [2].

4. Generally Identifiable Routing Threat Actions

This section addresses generally identifiable and recognized threat actions against routing protocols. The threat actions are not necessarily specific to individual protocols but may be present in one or more of the common routing protocols in use today.


4.1. Deliberate Exposure

Deliberate exposure occurs when an attacker takes control of a router and intentionally releases routing information to other entities (e.g., the attacker, a web page, mail posting, other routers) that otherwise should not receive the exposed information.


The consequence of deliberate exposure is the disclosure of routing information.


The threat consequence zone of deliberate exposure depends on the routing information that the attackers have exposed. The more knowledge they have exposed, the bigger the threat consequence zone.


The threat consequence period of deliberate exposure might be longer than the duration of the action itself. The routing information exposed will not be outdated until there is a topology change of the exposed network.


4.2. Sniffing

Sniffing is an action whereby attackers monitor and/or record the routing exchanges between authorized routers to sniff for routing information. Attackers can also sniff data traffic information (however, this is out of scope of the current work).


The consequence of sniffing is disclosure of routing information.


The threat consequence zone of sniffing depends on the attacker's location, the routing protocol type, and the routing information that has been recorded. For example, if the outsider is sniffing a link that is in an OSPF totally stubby area, the threat consequence zone is limited to that area. An attacker that is sniffing a link in an External Border Gateway Protocol (EBGP) session can gain knowledge of multiple routing domains.


The threat consequence period might be longer than the duration of the action. If an attacker stops sniffing a link, their acquired knowledge will not be out-dated until there is a topology change of the affected network.
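What an outsider actually obtains by sniffing is easiest to see on a concrete packet. The following is an added example, not code from RFC 4593 or from any OSPF implementation: a parser for the OSPFv2 packet header and Hello body as laid out in RFC 2328 (Appendix A), run over a constructed capture of three Hellos on one segment. The router ids, area, neighbor addresses, password and sequence number are all made up for the illustration, and checksums are left zero and not verified.

```python
"""Added example, not from RFC 4593: what an outsider sniffing a link learns
from OSPFv2 Hello packets, using the packet layout in RFC 2328 (Appendix A).
The capture below is constructed, not recorded traffic; checksums are left
zero and are not verified."""
import ipaddress
import struct

OSPF_TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
              4: "Link State Update", 5: "Link State Acknowledgment"}
AU_TYPES = {0: "Null", 1: "Simple password", 2: "Cryptographic"}
# version, type, length, router id, area id, checksum, AuType, authentication (24 bytes)
HEADER = struct.Struct("!BBHIIHH8s")
# netmask, hello interval, options, priority, dead interval, DR, BDR (20 bytes)
HELLO = struct.Struct("!IHBBIII")


def _ip(n):
    return str(ipaddress.IPv4Address(n))


def _int(s):
    return int(ipaddress.IPv4Address(s))


def build_hello(router_id, area_id, autype, auth, neighbors, hello=10, dead=40):
    """Constructed OSPFv2 Hello for the sample capture (checksum left zero)."""
    body = HELLO.pack(_int("255.255.255.0"), hello, 0x02, 1, dead, 0, 0)
    body += b"".join(struct.pack("!I", _int(n)) for n in neighbors)
    hdr = HEADER.pack(2, 1, HEADER.size + len(body), _int(router_id),
                      _int(area_id), 0, autype, auth)   # "8s" pads auth to 8 bytes
    return hdr + body


def parse_ospf(pkt):
    """Return what is readable from one OSPFv2 packet without holding any key."""
    ver, ptype, length, rid, aid, _csum, autype, auth = HEADER.unpack_from(pkt)
    if ver != 2 or length < HEADER.size or length > len(pkt):
        raise ValueError("not a well-formed OSPFv2 packet")
    info = {"type": OSPF_TYPES.get(ptype, "type %d" % ptype),
            "router_id": _ip(rid), "area_id": _ip(aid),
            "autype": AU_TYPES.get(autype, "AuType %d" % autype)}
    if autype == 1:
        # Simple password: the 8-byte authentication field carries it in the clear.
        info["password"] = auth.rstrip(b"\0").decode("ascii", "replace")
    elif autype == 2:
        # Cryptographic: the field holds key id, digest length and a sequence
        # number; the digest follows the packet and is not needed to read the Hello.
        _zero, key_id, _auth_len, seq = struct.unpack("!HBBI", auth)
        info["key_id"], info["crypto_seq"] = key_id, seq
    if ptype == 1:
        mask, hello_int, _opts, prio, dead, dr, bdr = HELLO.unpack_from(pkt, HEADER.size)
        off = HEADER.size + HELLO.size
        count = (length - off) // 4
        nbrs = struct.unpack_from("!%dI" % count, pkt, off)
        info.update(netmask=_ip(mask), hello_interval=hello_int, dead_interval=dead,
                    priority=prio, dr=_ip(dr), bdr=_ip(bdr),
                    neighbors=[_ip(n) for n in nbrs])
    return info


# Constructed capture: three Hellos seen on one broadcast segment.
SAMPLE_CAPTURE = [
    build_hello("10.0.0.1", "0.0.0.0", 1, b"s3cret", ["10.0.0.2", "10.0.0.3"]),
    build_hello("10.0.0.2", "0.0.0.0", 0, b"", ["10.0.0.1"]),
    build_hello("10.0.0.3", "0.0.0.0", 2, struct.pack("!HBBI", 0, 1, 16, 12345), ["10.0.0.1"]),
]


def sniff_report(capture):
    """What the outsider now knows about the area from the captured Hellos."""
    return [parse_ospf(p) for p in capture]


if __name__ == "__main__":
    for entry in sniff_report(SAMPLE_CAPTURE):
        print(entry)
```

With AuType 1 the sniffer gets the password itself; with AuType 2 it still reads the router id, area, neighbor list, timers and the key id and sequence number in use, because cryptographic authentication in OSPF provides integrity, not confidentiality. That is the practical meaning of the earlier statement that confidentiality is not generally a design goal of routing protocols: authentication stops an outsider from injecting Hellos, but not from learning the topology they describe.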


4.3. Traffic Analysis

Traffic analysis is an action whereby attackers gain routing information by analyzing the characteristics of the data traffic on a subverted link. Traffic analysis threats can affect any data that is sent over a communication link. This threat is not peculiar to routing protocols and is included here for completeness.


The consequence of data traffic analysis is the disclosure of routing information. For example, the source and destination IP addresses of the data traffic and the type, magnitude, and volume of traffic can be disclosed.


The threat consequence zone of traffic analysis depends on the attacker's location and on what data traffic has passed through that location. An attacker at the network core sees more traffic than one at the edge and can therefore analyze traffic patterns over a wider area.


The threat consequence period might be longer than the duration of the traffic analysis. After the attacker stops traffic analysis, its knowledge will not be outdated until there is a topology change of the disclosed network.


4.4. Spoofing

Spoofing occurs when an illegitimate device assumes the identity of a legitimate one. Spoofing in and of itself is often not the true attack. Spoofing is special in that it can be used to carry out other threat actions causing other threat consequences. An attacker can use spoofing as a means for launching other types of attacks. For example, if an attacker succeeds in spoofing the identity of a router, the attacker can send out unrealistic routing information that might cause the disruption of network services.


There are a few cases where spoofing can be an attack in and of itself. For example, messages from an attacker that spoof the identity of a legitimate router may cause a neighbor relationship to form and deny the formation of the relationship with the legitimate router.


The consequences of spoofing are as follows:


o The disclosure of routing information. The spoofing router will be able to gain access to the routing information.


o The deception of peer relationship. The authorized routers, which exchange routing messages with the spoofing router, do not realize that they are neighboring with a router that is faking another router's identity.


The threat consequence zone is as follows:


o The consequence zone of the fake peer relationship will be limited to those routers trusting the attacker's claimed identity.


o The consequence zone of the disclosed routing information depends on the attacker's location, the routing protocol type, and the routing information that has been exchanged between the attacker and its deceived neighbors.


Note: This section focuses on addressing spoofing as a threat on its own. However, spoofing creates conditions for other threat actions. Those other threat actions are considered falsifications and are treated in the next section.
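The spoofing threat above rests on a router accepting a claimed identity at face value. The following is an added example, not part of this RFC, showing one way a receiving router can bind a neighbor's claimed identity to possession of a per-neighbor key with a keyed digest, so that a message whose sender field names a legitimate router but which was not built with that router's key is rejected. The router names, the key table, and the message layout are constructed for the example; freshness (replay) is not addressed here.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed per-neighbor keys (assumption: one shared key per configured
# neighbor). Real keys live in router configuration, never on the wire.
NEIGHBOR_KEYS = {
    "rtr-b": b"constructed-key-for-rtr-b",
    "rtr-c": b"constructed-key-for-rtr-c",
}


@dataclass(frozen=True)
class RoutingMessage:
    sender: str      # identity claimed in the message header
    payload: bytes   # the routing information itself
    tag: bytes       # keyed digest over sender and payload


def _mac_input(sender, payload):
    # Length-prefix each field so that moving bytes between the sender
    # field and the payload cannot produce the same digest input.
    fields = [sender.encode(), payload]
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


def sign(sender, payload, key):
    """Build a message that only a holder of `key` could have produced."""
    tag = hmac.new(key, _mac_input(sender, payload), hashlib.sha256).digest()
    return RoutingMessage(sender, payload, tag)


def verify(msg):
    """Accept the message only if the key configured for the claimed sender
    reproduces the tag. Returns (accepted, reason)."""
    key = NEIGHBOR_KEYS.get(msg.sender)
    if key is None:
        return False, "unknown neighbor identity"
    expected = hmac.new(key, _mac_input(msg.sender, msg.payload),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg.tag):
        return False, "authentication failed"
    return True, "accepted"


def demo():
    """Constructed scenario: a genuine message from Router B; the same tag
    reused on an altered payload; a message that claims to be Router B but
    was built with Router C's key (the spoofing case); an unknown identity."""
    genuine = sign("rtr-b", b"N1 reachable via rtr-b", NEIGHBOR_KEYS["rtr-b"])
    tampered = RoutingMessage("rtr-b", b"N1 reachable via rtr-a", genuine.tag)
    spoofed = sign("rtr-b", b"N1 reachable via rtr-b", NEIGHBOR_KEYS["rtr-c"])
    unknown = sign("rtr-x", b"hello", b"constructed-unknown-key")
    return [verify(genuine), verify(tampered), verify(spoofed), verify(unknown)]
```

Only the first message in `demo()` is accepted; the spoofed one fails because the claimed identity "rtr-b" is checked against rtr-b's key, which the sender does not hold. A deployment would additionally need sequence numbers or timestamps to stop a captured genuine message from being replayed later.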


4.5. Falsification

Falsification is an action whereby an attacker sends false routing information. To falsify the routing information, an attacker has to be either the originator or a forwarder of the routing information. It cannot be a receiver-only. False routing information describes the network in an unrealistic fashion, whether or not intended by the authoritative network administrator.


4.5.1. Falsifications by Originators

An originator of routing information can launch the falsifications that are described in the next sections.

Overclaiming

Overclaiming occurs when a Byzantine router or outsider advertises its control of some network resources, while in reality it does not, or if the advertisement is not authorized. Figures 2 and 3 illustrate this.


           +-------------+   +-------+   +-------+
           | Internet    |---| Rtr B |---| Rtr A |
           +------+------+   +-------+   +---+---+
                  |                          .
                  |                          |
                  |                          .
                  |                        *-+-*
              +-------+                   /     \
              | Rtr C |------------------*  N 1  *
              +-------+                   \     /

Figure 2. Overclaiming-1


           +-------------+   +-------+   +-------+
           |  Internet   |---| Rtr B |---| Rtr A |
           +------+------+   +-------+   +-------+
                  |                        *---*
              +-------+                   /     \
              | Rtr C |------------------*  N 1  *
              +-------+                   \     /

Figure 3. Overclaiming-2


The above figures provide examples of overclaiming. Router A, the attacker, is connected to the Internet through Router B. Router C is authorized to advertise its link to Network 1. In Figure 2, Router A controls a link to Network 1 but is not authorized to advertise it. In Figure 3, Router A does not control such a link. But in either case, Router A advertises the link to the Internet, through Router B.


Both Byzantine routers and outsiders can overclaim network resources. The consequences of overclaiming include the following:


o Usurpation of the overclaimed network resources. In Figures 2 and 3, usurpation of Network 1 can occur when Router B (or other routers on the Internet not shown in the figures) believes that Router A provides the best path to reach the Network 1. As a result, routers forward data traffic destined to Network 1 to Router A. The best result is that the data traffic uses an unauthorized path, as in Figure 2. The worst case is that the data never reaches the destination Network 1, as in Figure 3. The ultimate consequence is that Router A gains control over Network 1's services, by controlling the data traffic.


o Usurpation of the legitimate advertising routers. In Figures 2 and 3, Router C is the legitimate advertiser of Network 1. By overclaiming, Router A also controls (partially or totally) the services/functions provided by Router C. (This is NOT a disruption, as Router C is operating in a way intended by the authoritative network administrator.)


o Deception of other routers. In Figures 2 and 3, Router B, or other routers on the Internet, might be deceived into believing that the path through Router A is the best.


o Disruption of data planes on some routers. This might happen to routers that are on the path that is used by other routers to reach the overclaimed network resources through the attacker. In Figures 2 and 3, when other routers on the Internet are deceived, they will forward the data traffic to Router B, which might be overloaded.


The threat consequence zone varies based on the consequence:


o Where usurpation is concerned, the consequence zone covers the network resources that are overclaimed by the attacker (Network 1 in Figures 2 and 3), and the routers that are authorized to advertise the network resources but lose the competition against the attacker (Router C in Figures 2 and 3).


o Where deception is concerned, the consequence zone covers the routers that do believe the attacker's advertisement and use the attacker to reach the claimed networks (Router B and other deceived routers on the Internet in Figures 2 and 3).


o Where disruption is concerned, the consequence zone includes the routers that are on the path of misdirected data traffic (Router B in Figures 2 and 3 and other routers in the Internet on the path of the misdirected traffic).


The threat consequence will not cease when the attacker stops overclaiming and will totally disappear only when the routing tables are converged. As a result, the consequence period is longer than the duration of the overclaiming.

Misclaiming

A misclaiming threat is defined as an action whereby an attacker is advertising some network resources that it is authorized to control, but in a way that is not intended by the authoritative network administrator. For example, it may be advertising inappropriate link costs in an OSPF LSA. When advertising these network resources, an attacker can eulogize or disparage them (make them look better or worse than they are). Byzantine routers can misclaim network resources.


The threat consequences of misclaiming are similar to the consequences of overclaiming.


The consequence zone and period are also similar to those of overclaiming.
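Both overclaiming and misclaiming can be recognized by comparing what an originator advertises against what the administrator has authorized for it. The following is an added example, not part of this RFC, of an audit over constructed advertisements modelled on Figures 2 and 3: Router C is authorized for Network 1, Router A advertises it anyway (overclaiming), and an authorized router advertises a link cost outside the administrator's policy (misclaiming). The authorization table, including the permitted more-specific length and cost range, the prefixes, and the router names are all assumptions made for the example; it goes slightly beyond the text by also treating an unauthorized more-specific of an authorized prefix as overclaiming.

```python
from ipaddress import ip_network

# Constructed authorization table (assumption: per prefix, the administrator
# records who may originate it, the longest more-specific allowed, and the
# link-cost range considered legitimate). As in Figures 2 and 3, only
# Router C may advertise Network 1.
AUTHORIZED = {
    "10.1.0.0/24": {"advertisers": {"rtr-c"}, "max_len": 24, "cost_range": (1, 20)},  # Network 1
    "10.2.0.0/24": {"advertisers": {"rtr-a"}, "max_len": 25, "cost_range": (1, 20)},
}


def _covering_policy(prefix):
    """Return (authorized_network, policy) for the longest authorized prefix
    that covers `prefix`, or None if nothing covers it."""
    net = ip_network(prefix)
    best = None
    for auth_prefix, policy in AUTHORIZED.items():
        auth_net = ip_network(auth_prefix)
        if net.version != auth_net.version or not net.subnet_of(auth_net):
            continue
        if best is None or auth_net.prefixlen > best[0].prefixlen:
            best = (auth_net, policy)
    return best


def classify_advertisement(adv):
    """Return 'ok', 'overclaiming', 'misclaiming', or 'unknown-prefix'.

    Overclaiming: the advertiser is not authorized for the prefix, or it
    announces a more-specific than the policy permits.
    Misclaiming: an authorized advertiser uses a link cost outside policy.
    """
    found = _covering_policy(adv["prefix"])
    if found is None:
        return "unknown-prefix"
    _auth_net, policy = found
    if adv["advertiser"] not in policy["advertisers"]:
        return "overclaiming"
    if ip_network(adv["prefix"]).prefixlen > policy["max_len"]:
        return "overclaiming"
    low, high = policy["cost_range"]
    if not low <= adv["cost"] <= high:
        return "misclaiming"
    return "ok"


def audit(advertisements):
    """(advertiser, prefix, verdict) for every advertisement that is not ok."""
    findings = []
    for adv in advertisements:
        verdict = classify_advertisement(adv)
        if verdict != "ok":
            findings.append((adv["advertiser"], adv["prefix"], verdict))
    return findings


# Constructed advertisements modelled on Figures 2 and 3.
SAMPLE = [
    {"advertiser": "rtr-c", "prefix": "10.1.0.0/24", "cost": 5},      # legitimate
    {"advertiser": "rtr-a", "prefix": "10.1.0.0/24", "cost": 1},      # Router A overclaims Network 1
    {"advertiser": "rtr-c", "prefix": "10.1.0.128/25", "cost": 5},    # too specific for policy
    {"advertiser": "rtr-a", "prefix": "10.2.0.0/24", "cost": 1000},   # authorized, but cost is off
    {"advertiser": "rtr-a", "prefix": "192.0.2.0/24", "cost": 1},     # nothing known about it
]
```

`audit(SAMPLE)` reports the four non-ok entries with their verdicts. A routing protocol itself gives a router no way to tell an authorized origin from an overclaiming one, which is why the check needs an out-of-band authorization source of the kind the table stands in for.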


4.5.2. Falsifications by Forwarders

In each routing protocol, routers that forward routing protocol messages are expected to leave some fields unmodified and to modify other fields in certain circumscribed ways. The fields to be modified, the possible new contents of those fields and their computation from the original fields, the fields that must remain unmodified, etc. are all detailed in the protocol specification. They may vary depending on the function of the router or its network environment. For example, in RIP, the forwarder must modify the routing information by increasing the hop count by 1. On the other hand, a forwarder must not modify any field of the type 1 LSA in OSPF except the age field. In general, forwarders in distance vector routing protocols are authorized to and must modify the routing information, while most forwarders in link state routing protocols are not authorized to and must not modify most routing information.


As a forwarder authorized to modify routing messages, an attacker might also falsify by not forwarding routing information to other authorized routers as required.

Misstatement

This is defined as an action whereby the attacker modifies route attributes in an incorrect manner. For example, in RIP, the attacker might increase the path cost by two hops instead of one. In BGP, the attacker might delete some AS numbers from the AS PATH.


Where forwarding routing information should not be modified, an attacker can launch the following falsifications:


o Deletion. Attacker deletes valid data in the routing message.


o Insertion. Attacker inserts false data in the routing message.


o Substitution. Attacker replaces valid data in the routing message with false data.


A forwarder can also falsify data by replaying out-dated data in the routing message as current data.


All types of attackers, outsiders and Byzantine routers, can falsify the routing information when they forward the routing messages.


The threat consequences of these falsifications by forwarders are similar to those caused by originators: usurpation of some network resources and related routers; deception of routers using false paths; and disruption of data planes of routers on the false paths. The threat consequence zone and period are also similar.
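Because the protocol specification fixes exactly how a forwarder may transform each field, a monitor that sees a routing message on both sides of a forwarder can check the transformation. The following is an added example, not part of this RFC, covering the three forwarder cases the text names: the RIP hop count must grow by exactly one, a BGP forwarder may prepend its own AS but may not delete or insert other AS numbers in the path, and an OSPF type 1 LSA may change only in its age field, with a lower sequence number than the newest already seen from that origin indicating outdated data replayed as current. The message types, AS numbers (from the documentation range), and the monitor's high-water-mark dictionary are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RipEntry:
    prefix: str
    metric: int          # hop count


@dataclass(frozen=True)
class BgpRoute:
    prefix: str
    as_path: tuple       # leftmost AS is the most recent forwarder


@dataclass(frozen=True)
class Lsa:
    origin: str          # advertising router
    seq: int             # LS sequence number
    age: int             # LS age, the one field a forwarder may change
    body: tuple          # all other link-state content


def check_rip_forward(incoming, outgoing):
    """RIP: the forwarder must add exactly one hop and change nothing else."""
    problems = []
    if outgoing.prefix != incoming.prefix:
        problems.append("prefix substituted")
    if outgoing.metric != incoming.metric + 1:
        problems.append(f"metric {incoming.metric}->{outgoing.metric}, "
                        f"expected {incoming.metric + 1}")
    return problems


def check_bgp_forward(incoming, outgoing, forwarder_as):
    """BGP: the forwarder prepends its own AS (possibly more than once) and
    must otherwise leave the AS path intact, so no AS may vanish or appear."""
    problems = []
    if outgoing.prefix != incoming.prefix:
        problems.append("prefix substituted")
    path = list(outgoing.as_path)
    prepended = 0
    while path and path[0] == forwarder_as:
        path.pop(0)
        prepended += 1
    if prepended == 0:
        problems.append("forwarder did not prepend its own AS")
    if tuple(path) != incoming.as_path:
        deleted = [a for a in incoming.as_path if a not in path]
        inserted = [a for a in path if a not in incoming.as_path]
        problems.append(f"AS path altered: deleted={deleted} inserted={inserted}")
    return problems


def check_lsa_forward(incoming, outgoing, newest_seq):
    """OSPF type 1 LSA: only the age may change, and it may not decrease.
    `newest_seq` is the monitor's per-origin high-water mark (updated here);
    a sequence number below it means stale data replayed as current."""
    problems = []
    if (outgoing.origin, outgoing.seq, outgoing.body) != \
            (incoming.origin, incoming.seq, incoming.body):
        problems.append("field other than age modified")
    if outgoing.age < incoming.age:
        problems.append("age decreased")
    newest = newest_seq.get(outgoing.origin)
    if newest is not None and outgoing.seq < newest:
        problems.append(f"stale LSA replayed: seq {outgoing.seq:#x} < newest {newest:#x}")
    else:
        newest_seq[outgoing.origin] = outgoing.seq
    return problems
```

Each checker returns an empty list for a conforming forwarder and one entry per violation otherwise, so the same functions can feed an alert pipeline. The BGP check deliberately tolerates repeated prepending of the forwarder's own AS, which is a legitimate operational practice, while still flagging the deletion the text describes.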


4.6. Interference

Interference is a threat action whereby an attacker inhibits the exchanges by legitimate routers. The attacker can do this by adding noise, by not forwarding packets, by replaying out-dated packets, by inserting or corrupting messages, by delaying responses, by denial of receipts, or by breaking synchronization.


Byzantine routers can slow down their routing exchanges or induce flapping in the routing sessions of legitimate neighboring routers.


The consequence of interference is the disruption of routing operations.


The consequence zone of interference depends on the severity of the interference. If the interference results in consequences at the neighbor maintenance level, then there may be changes in the database, resulting in network-wide consequences.


The threat consequences might disappear as soon as the interference is stopped or might not totally disappear until the networks have converged. Therefore, the consequence period is equal to or longer than the duration of the interference.


4.7. Overload

Overload is defined as a threat action whereby attackers place excess burden on legitimate routers. For example, it is possible for an attacker to trigger a router to create an excessive amount of state that other routers within the network are not able to handle. In a similar fashion, it is possible for an attacker to overload database routing exchanges and thus to influence the routing operations.


5. Security Considerations

This entire document is security related. Specifically, the document addresses security of routing protocols as associated with threats to those protocols. In a larger context, this work builds upon the recognition of the IETF community that signaling and control/management planes of networked devices need strengthening. Routing protocols can be considered part of that signaling and control plane. However, to date, routing protocols have largely remained unprotected and open to malicious attacks. This document discusses inter- and intra-domain routing protocol threats that are currently known and lays the foundation for other documents that will discuss security requirements for routing protocols. This document is protocol independent.



Appendix A. Acknowledgments

This document would not have been possible save for the excellent efforts and teamwork characteristics of those listed here.


o Dennis Beard, Nortel
o Ayman Musharbash, Nortel
o Jean-Jacques Puig, int-evry, France
o Paul Knight, Nortel
o Elwyn Davies, Nortel
o Ameya Dilip Pandit, Graduate student, University of Missouri
o Senthilkumar Ayyasamy, Graduate student, University of Missouri
o Stephen Kent, BBN
o Tim Gage, Cisco Systems
o James Ng, Cisco Systems
o Alvaro Retana, Cisco Systems


Appendix B. Acronyms

AS - Autonomous system. Set of routers under a single technical administration. Each AS normally uses a single interior gateway protocol (IGP) and metrics to propagate routing information within the set of routers. Also called routing domain.


AS-Path - In BGP, the route to a destination. The path consists of the AS numbers of all routers a packet must go through to reach a destination.


BGP - Border Gateway Protocol. Exterior gateway protocol used to exchange routing information among routers in different autonomous systems.


LSA - Link-State Announcement


NLRI - Network Layer Reachability Information. Information that is carried in BGP packets and is used by MBGP.


OSPF - Open Shortest Path First. A link-state IGP that makes routing decisions based on the shortest-path-first (SPF) algorithm (also referred to as the Dijkstra algorithm).


Authors' Addresses


Abbie Barbir
Nortel
3500 Carling Avenue
Nepean, Ontario K2H 8E9
Canada



Sandy Murphy
Sparta, Inc.
7110 Samuel Morse Drive
Columbia, MD
USA


Phone: 443-430-8000
EMail:


Yi Yang
Cisco Systems
7025 Kit Creek Road
RTP, NC 27709
USA



Full Copyright Statement


Copyright (C) The Internet Society (2006).


This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.




Intellectual Property


The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.


Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at


The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at




Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).