Network Working Group                                          A. Barbir
Request for Comments: 4593                                        Nortel
Category: Informational                                        S. Murphy
                                                            Sparta, Inc.
                                                                 Y. Yang
                                                           Cisco Systems
                                                            October 2006
Generic Threats to Routing Protocols

Status of This Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2006).
Abstract

Routing protocols are subject to attacks that can harm individual users or network operations as a whole. This document provides a description and a summary of generic threats that affect routing protocols in general. This work describes threats, including threat sources and capabilities, threat actions, and threat consequences, as well as a breakdown of routing functions that might be attacked separately.
Table of Contents

   1. Introduction
   2. Routing Functions Overview
   3. Generic Routing Protocol Threat Model
      3.1. Threat Definitions
           3.1.1. Threat Sources
                  3.1.1.1. Adversary Motivations
                  3.1.1.2. Adversary Capabilities
           3.1.2. Threat Consequences
                  3.1.2.1. Threat Consequence Scope
                  3.1.2.2. Threat Consequence Zone
                  3.1.2.3. Threat Consequence Periods
   4. Generally Identifiable Routing Threat Actions
      4.1. Deliberate Exposure
      4.2. Sniffing
      4.3. Traffic Analysis
      4.4. Spoofing
      4.5. Falsification
           4.5.1. Falsifications by Originators
                  4.5.1.1. Overclaiming
                  4.5.1.2. Misclaiming
           4.5.2. Falsifications by Forwarders
                  4.5.2.1. Misstatement
      4.6. Interference
      4.7. Overload
   5. Security Considerations
   6. References
      6.1. Normative References
   Appendix A. Acknowledgments
   Appendix B. Acronyms
1. Introduction

Routing protocols are subject to threats and attacks that can harm individual users or the network operations as a whole. This document provides a summary of generic threats that affect routing protocols. In particular, this work identifies generic threats to routing protocols, including threat sources, threat actions, and threat consequences. A breakdown of routing functions that might be separately attacked is provided.

This work should be considered a precursor to developing a common set of security requirements for routing protocols. While it is well known that bad, incomplete, or poor implementations of routing protocols may, in themselves, lead to routing problems or failures, or may increase the risk of a network's being attacked successfully, these issues are not considered here. This document only considers attacks against robust, well-considered implementations of routing protocols, such as those specified in Open Shortest Path First (OSPF) [4], Intermediate System to Intermediate System (IS-IS) [5][8], RIP [6], and BGP [7]. Attacks against implementation-specific weaknesses and vulnerabilities are out of scope for this document.

The document is organized as follows: Section 2 provides a review of routing functions. Section 3 defines threats. In Section 4, a discussion of generally identifiable routing threat actions is provided. Section 5 addresses security considerations.
2. Routing Functions Overview

This section provides an overview of common functions that are shared among various routing protocols. In general, routing protocols share the following functions:

o Transport Subsystem: The routing protocol transmits messages to its neighbors using some underlying protocol. For example, OSPF uses IP, while other protocols may run over TCP.

o Neighbor State Maintenance: Neighboring relationship formation is the first step for topology determination. For this reason, routing protocols may need to maintain state information. Each routing protocol may use a different mechanism for determining its neighbors in the routing topology. Some protocols have distinct exchanges through which they establish neighboring relationships, e.g., Hello exchanges in OSPF.

o Database Maintenance: Routing protocols exchange network topology and reachability information. The routers collect this information in routing databases with varying detail. The maintenance of these databases is a significant portion of the function of a routing protocol.

In a routing protocol, there are message exchanges that are intended for the control of the state of the protocol. For example, neighbor maintenance messages carry such information. On the other hand, there are messages that are used to exchange information that is intended to be used in the forwarding function, for example, messages that are used to maintain the database. These messages affect the data (information) part of the routing protocol.
3. Generic Routing Protocol Threat Model

The model developed in this section can be used to identify threats to any routing protocol.

Routing protocols are subject to threats at various levels. For example, threats can affect the transport subsystem, where the routing protocol can be subject to attacks on its underlying protocol. An attacker may also attack messages that carry control information in a routing protocol to break a neighboring (e.g., peering, adjacency) relationship. This type of attack can impact the network routing behavior in the affected routers and likely the surrounding neighborhood as well. For example, in BGP, if a router receives a NOTIFICATION message with the Cease error code, it will break its neighboring relationship to its peer and potentially send new routing information to any remaining peers.

An attacker may also attack messages that carry data information in order to break a database exchange between two routers or to affect the database maintenance functionality. In particular, the information in the database must be authentic and authorized. An attacker who is able to introduce bogus data can have a strong effect on the behavior of routing in the neighborhood. For example, if an OSPF router sends LSAs with the wrong Advertising Router, the receivers will compute a Shortest Path First (SPF) tree that is incorrect and might not forward the traffic. If a BGP router advertises Network Layer Reachability Information (NLRI) that it is not authorized to advertise, then receivers might forward that NLRI's traffic toward that router and the traffic would not be deliverable. A Protocol Independent Multicast (PIM) router might transmit a JOIN message to receive multicast data it would otherwise not receive.
3.1. Threat Definitions

In [1], a threat is defined as a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm. Threats can be categorized as threat sources, threat actions, threat consequences, threat consequence zones, and threat consequence periods.

3.1.1. Threat Sources

In the context of deliberate attack, a threat source is defined as a motivated, capable adversary. By modeling the motivations (attack goals) and capabilities of the adversaries who are threat sources, one can better understand what classes of attacks these threats may mount and thus what types of countermeasures will be required to deal with these attacks.
3.1.1.1. Adversary Motivations

We assume that the most common goal of an adversary deliberately attacking routing is to cause inter-domain routing to malfunction. A routing malfunction affects data transmission such that traffic follows a path (a sequence of autonomous systems in the case of BGP) other than the one that would have been computed by the routing protocol if it were operating properly (i.e., if it were not under attack). As a result of an attack, a route may terminate at a router other than the one that legitimately represents the destination address of the traffic, or it may traverse routers other than those that it would otherwise have traversed. In either case, a routing malfunction may allow an adversary to wiretap traffic passively, or to engage in man-in-the-middle (MITM) active attacks, including discarding traffic (denial of service).

A routing malfunction might be effected for financial gain related to traffic volume (vs. the content of the routed traffic), e.g., to affect settlements among ISPs.

Another possible goal for attacks against routing can be damage to the network infrastructure itself, on a targeted or wide-scale basis. Thus, for example, attacks that cause excessive transmission of UPDATE or other management messages, and attendant router processing, could be motivated by these goals.

Irrespective of the goals noted above, an adversary may or may not be averse to detection and identification. This characteristic of an adversary influences some of the ways in which attacks may be accomplished.
3.1.1.2. Adversary Capabilities

Different adversaries possess varied capabilities.

o All adversaries are presumed to be capable of directing packets to routers from remote locations and can assert a false IP source address with each packet (IP address spoofing) in an effort to cause the targeted router to accept and process the packet as though it emanated from the indicated source. Spoofing attacks may be employed to trick routers into acting on bogus messages to effect misrouting, or these messages may be used to overwhelm the management processor in a router, to effect DoS. Protection from such adversaries must not rely on the claimed identity in routing packets that the protocol receives.

o Some adversaries can monitor links over which routing traffic is carried and emit packets that mimic data contained in legitimate routing traffic carried over these links; thus, they can actively participate in message exchanges with the legitimate routers. This increases the opportunities for an adversary to generate bogus routing traffic that may be accepted by a router, to effect misrouting or DoS. Retransmission of previously delivered management traffic (replay attacks) exemplifies this capability. As a result, protection from such adversaries ought not to rely on the secrecy of unencrypted data in packet headers or payloads.

o Some adversaries can effect MITM attacks against routing traffic, e.g., as a result of active wiretapping on a link between two routers. This represents the ultimate wiretapping capability for an adversary. Protection from such adversaries must not rely on the integrity of inter-router links to authenticate traffic, unless cryptographic measures are employed to detect unauthorized modification.

o Some adversaries can subvert routers, or the management workstations used to control these routers. These Byzantine failures represent the most serious form of attack capability in that they result in emission of bogus traffic by legitimate routers. As a result, protection from such adversaries must not rely on the correct operation of neighbor routers. Protection measures should adopt the principle of least privilege, to minimize the impact of attacks of this sort. To counter Byzantine attacks, routers ought not to trust management traffic (e.g., based on its source) but rather each router should independently authenticate management traffic before acting upon it.

We will assume that any cryptographic countermeasures employed to secure a routing protocol will employ algorithms and modes that are resistant to attack, even by sophisticated adversaries; thus, we will ignore cryptanalytic attacks.
Deliberate attacks are mimicked by failures that are random and unintentional. In particular, a Byzantine failure in a router may occur because the router is faulty in hardware or software or is misconfigured. As described in [3], "A node with a Byzantine failure may corrupt messages, forge messages, delay messages, or send conflicting messages to different nodes". Byzantine routers, whether faulty, misconfigured, or subverted, have the context to provide believable and very damaging bogus routing information. Byzantine routers may also claim another legitimate peer's identity. Given their status as peers, they may even elude the authentication protections, if those protections can only detect that a source is one of the legitimate peers (e.g., the router uses the same cryptographic key to authenticate all peers).
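The shared-key weakness in the preceding paragraph, worked through as an added example (this is not part of RFC 4593 and is not any routing protocol's specified authentication): a receiving router verifies an HMAC-SHA256 tag on each routing message and tracks a strictly increasing sequence number per peer. With one group key, Byzantine peer C can emit a message that names B as its sender and still verifies; with per-peer keys it cannot, and a byte-for-byte replay of a genuine message (the outsider capability from the capabilities list above) is rejected by the sequence check. Peer names, keys, the message layout and the prefixes are constructed for the illustration.

```python
import hashlib
import hmac
import struct

# Added example, not part of RFC 4593. Peer names, keys and message contents
# are constructed for illustration; the message layout (claimed sender,
# sequence number, payload, MAC) is an assumption, not any real protocol's.


class AuthError(Exception):
    """Raised when a routing message fails origin authentication or the replay check."""


def compute_mac(key: bytes, sender: str, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA256 over the claimed sender, a 64-bit sequence number and the payload.

    Binding sender and sequence number into the MAC means neither field can be
    altered without the corresponding key.
    """
    data = struct.pack("!B", len(sender)) + sender.encode() + struct.pack("!Q", seq) + payload
    return hmac.new(key, data, hashlib.sha256).digest()


def build_message(key: bytes, claimed_sender: str, seq: int, payload: bytes) -> dict:
    """Produce a message as a router holding `key` would emit it, claiming `claimed_sender`."""
    return {
        "sender": claimed_sender,
        "seq": seq,
        "payload": payload,
        "mac": compute_mac(key, claimed_sender, seq, payload),
    }


class Router:
    """Receiving router: verifies the MAC with the key it holds for the claimed sender,
    then requires a strictly increasing sequence number per peer to reject replays."""

    def __init__(self, peer_keys: dict):
        self.peer_keys = peer_keys            # peer name -> key (same bytes for every peer = group key)
        self.last_seq = {peer: 0 for peer in peer_keys}

    def accept(self, msg: dict) -> bytes:
        sender = msg["sender"]
        key = self.peer_keys.get(sender)
        if key is None:
            raise AuthError("unknown peer %r" % sender)
        expected = compute_mac(key, sender, msg["seq"], msg["payload"])
        if not hmac.compare_digest(expected, msg["mac"]):
            raise AuthError("MAC check failed for %r" % sender)
        if msg["seq"] <= self.last_seq[sender]:
            raise AuthError("replayed or stale message from %r" % sender)
        self.last_seq[sender] = msg["seq"]
        return msg["payload"]


# Constructed key sets: one key shared by all peers versus one key per peer.
GROUP_KEY = {"A": b"one-key-for-everyone", "B": b"one-key-for-everyone", "C": b"one-key-for-everyone"}
PER_PEER_KEYS = {"A": b"key-only-A-knows", "B": b"key-only-B-knows", "C": b"key-only-C-knows"}


def forgery_accepted(peer_keys: dict, byzantine: str, victim: str) -> bool:
    """Byzantine peer `byzantine` sends a message carrying `victim`'s identity,
    signed with the only key it holds. Returns True if the receiver accepts it."""
    rx = Router(peer_keys)
    forged = build_message(peer_keys[byzantine], victim, 1, b"WITHDRAW 192.0.2.0/24")
    try:
        rx.accept(forged)
        return True
    except AuthError:
        return False


def replay_outcome(peer_keys: dict) -> tuple:
    """An outsider captures a genuine message from B and resends it verbatim.
    Returns (first_delivery_ok, replay_rejected)."""
    rx = Router(peer_keys)
    genuine = build_message(peer_keys["B"], "B", 7, b"UPDATE 198.51.100.0/24 via B")
    first_ok = rx.accept(genuine) == genuine["payload"]
    try:
        rx.accept(dict(genuine))  # byte-for-byte replay, same seq, same MAC
        replay_rejected = False
    except AuthError:
        replay_rejected = True
    return first_ok, replay_rejected


if __name__ == "__main__":
    print("group key, C claims to be B, accepted:", forgery_accepted(GROUP_KEY, "C", "B"))
    print("per-peer keys, C claims to be B, accepted:", forgery_accepted(PER_PEER_KEYS, "C", "B"))
    print("(first delivery ok, replay rejected):", replay_outcome(PER_PEER_KEYS))
```

The group-key result is exactly the limitation the paragraph describes: the MAC proves the message came from some key holder, not from the peer it names. Per-peer keys also bound the damage a single subverted router can do to the one identity whose key it actually holds, in line with the least-privilege principle stated under Adversary Capabilities.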
We therefore characterize threat sources into two groups:

Outsiders: These attackers may reside anywhere in the Internet, have the ability to send IP traffic to the router, may be able to observe the router's replies, and may even control the path for a legitimate peer's traffic. These are not legitimate participants in the routing protocol.

Byzantine: These attackers are faulty, misconfigured, or subverted routers; i.e., legitimate participants in the routing protocol.
3.1.2. Threat Consequences

A threat consequence is a security violation that results from a threat action [1]. To a routing protocol, a security violation is a compromise of some aspect of the correct behavior of the routing system. The compromise can damage the data traffic intended for a particular network or host or can damage the operation of the routing infrastructure of the network as a whole.

There are four types of general threat consequences: disclosure, deception, disruption, and usurpation [1].

o Disclosure: Disclosure of routing information happens when an attacker successfully accesses the information without being authorized. Outsiders who can observe or monitor a link may cause disclosure, if routing exchanges lack confidentiality. Byzantine routers can cause disclosure, as long as they are successfully involved in the routing exchanges. Although inappropriate disclosure of routing information can pose a security threat or be part of a later, larger, or higher layer attack, confidentiality is not generally a design goal of routing protocols.

o Deception: This consequence happens when a legitimate router receives a forged routing message and believes it to be authentic. Both outsiders and Byzantine routers can cause this consequence if the receiving router lacks the ability to check routing message integrity or origin authentication.

o Disruption: This consequence occurs when a legitimate router's operation is being interrupted or prevented. Outsiders can cause this by inserting, corrupting, replaying, delaying, or dropping routing messages, or by breaking routing sessions between legitimate routers. Byzantine routers can cause this consequence by sending false routing messages, interfering with normal routing exchanges, or flooding unnecessary routing protocol messages. (DoS is a common threat action causing disruption.)

o Usurpation: This consequence happens when an attacker gains control over the services/functions a legitimate router is providing to others. Outsiders can cause this by delaying or dropping routing exchanges, or fabricating or replaying routing information. Byzantine routers can cause this consequence by sending false routing information or interfering with routing exchanges.
Note: An attacker does not have to control a router directly to control its services. For example, in Figure 1, Network 1 is dual-homed through Router A and Router B, and Router A is preferred. However, Router B is compromised and advertises a better metric. Consequently, devices on the Internet choose the path through Router B to reach Network 1. In this way, Router B steals the data traffic, and Router A loses its control of the services to Router B. This is depicted in Figure 1.

       +-------------+       +-------+
       |  Internet   |-------| Rtr A |
       +------+------+       +---+---+
              |                  |
              |                  |
              |                  |
              |                 *-+-*
          +-------+            /     \
          | Rtr B |-----------*  N 1  *
          +-------+            \     /
                                *---*

Figure 1. Dual-homed network

Several threat consequences might be caused by a single threat action. In Figure 1, there exist at least two consequences: routers using Router B to reach Network 1 are deceived, and Router A is usurped.
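Figure 1 worked through as an added example (not from RFC 4593): a small link-state database in which each node advertises the cost of its own outgoing links, a Dijkstra SPF computation, and a comparison of the path the Internet side computes before and after the subverted Rtr B advertises a cost of 0 for its link to N 1. The function `consequences` then names which of the RFC's consequences apply to which node. Node names and link costs are constructed for this illustration; the RFC gives no metrics.

```python
import heapq

# Added example, not part of RFC 4593. The topology follows Figure 1; link
# costs are constructed for this illustration. Each node advertises only the
# cost of its own outgoing links (as a link-state router does in its LSA), so
# a subverted router can lie only about the links it originates.

HONEST_LSDB = {
    # advertising node: {neighbor: cost the node advertises toward that neighbor}
    "Internet": {"RtrA": 1, "RtrB": 1},
    "RtrA": {"Internet": 1, "N1": 1},
    "RtrB": {"Internet": 1, "N1": 5},   # B's link to N1 is genuinely the worse one
    "N1": {"RtrA": 1, "RtrB": 5},
}


def compromised_lsdb(lsdb: dict, liar: str, neighbor: str, claimed_cost: int) -> dict:
    """Copy of the link-state database in which `liar` advertises `claimed_cost`
    for its link to `neighbor` (Rtr B in Figure 1 advertising a better metric)."""
    out = {node: dict(adj) for node, adj in lsdb.items()}
    out[liar][neighbor] = claimed_cost
    return out


def shortest_path(lsdb: dict, src: str, dst: str):
    """Dijkstra SPF rooted at src. Returns (total_cost, [src, ..., dst]) or None."""
    dist = {src: 0}
    prev = {}
    heap = [(0, src)]
    done = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        if u == dst:
            break
        for v, cost in lsdb.get(u, {}).items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def consequences(honest: dict, attacked: dict, src: str, dst: str) -> dict:
    """Compare the path `src` computes before and after the false advertisement.

    `deceived` lists the node that acted on the false cost; `usurped` lists
    transit routers that carried the traffic before and no longer do.
    """
    before = shortest_path(honest, src, dst)[1]
    after = shortest_path(attacked, src, dst)[1]
    result = {"honest_path": before, "attacked_path": after, "deceived": [], "usurped": []}
    if before != after:
        result["deceived"].append(src)
        for hop in before[1:-1]:
            if hop not in after:
                result["usurped"].append(hop)
    return result


if __name__ == "__main__":
    lying = compromised_lsdb(HONEST_LSDB, "RtrB", "N1", 0)
    print(consequences(HONEST_LSDB, lying, "Internet", "N1"))
```

Because each node advertises only its own links, B's lie moves the Internet to N 1 path onto B but leaves the N 1 to Internet path on Rtr A, which N 1 still computes from its own honest advertisement; asymmetric forward and return paths of this kind are one observable symptom of the attack.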
3.1.2.1. Threat Consequence Scope

As mentioned above, an attack might damage the data traffic intended for a particular network or host or damage the operation of the routing infrastructure of the network as a whole. Damage that might result from attacks against the network as a whole may include the following:

o Network congestion. More data traffic is forwarded through some portion of the network than that portion would otherwise need to carry.

o Blackhole. Large amounts of traffic are unnecessarily re-directed to be forwarded through one router, and that router drops many/most/all packets.

o Looping. Data traffic is forwarded along a route that loops, so that the data is never delivered (resulting in network congestion).

o Partition. Some portion of the network believes that it is partitioned from the rest of the network when it is not.

o Churn. The forwarding in the network changes (unnecessarily) at a rapid pace, resulting in large variations in the data delivery patterns (and adversely affecting congestion control techniques).

o Instability. The protocol becomes unstable so that convergence on a global forwarding state is not achieved.

o Overcontrol. The routing protocol messages themselves become a significant portion of the traffic the network carries.

o Clog. A router receives an excessive number of routing protocol messages, causing it to exhaust some resource (e.g., memory, CPU, battery).
The damage that might result from attacks against a particular host or network address may include the following:

o Starvation. Data traffic destined for the network or host is forwarded to a part of the network that cannot deliver it.

o Eavesdrop. Data traffic is forwarded through some router or network that would otherwise not see the traffic, affording an opportunity to see the data or at least the data delivery pattern.

o Cut. Some portion of the network believes that it has no route to the host or network when it is in fact connected.

o Delay. Data traffic destined for the network or host is forwarded along a route that is in some way inferior to the route it would otherwise take.

o Looping. Data traffic for the network or host is forwarded along a route that loops, so that the data is never delivered.

It is important to consider all consequences, because some security solutions can protect against one consequence but not against others. It might be possible to design a security solution that protects against eavesdropping on one destination's traffic without protecting against churn in the network. Similarly, it is possible to design a security solution that prevents a starvation attack against one host, but not a clogging attack against a router. The security requirements must be clear as to which consequences are being avoided and which consequences must be addressed by other means (e.g., by administrative means outside the protocol).
3.1.2.2. Threat Consequence Zone

A threat consequence zone covers the area within which the network operations have been affected by threat actions. Possible threat consequence zones can be classified as a single link or router, multiple routers (within a single routing domain), a single routing domain, multiple routing domains, or the global Internet. The threat consequence zone varies based on the threat action and the position of the target of the attack. Similar threat actions that happen at different locations may result in totally different threat consequence zones. For example, when an outsider breaks the routing session between a distribution router and a stub router, only reachability to and from the network devices attached to the stub router will be impaired. In other words, the threat consequence zone is a single router. In another case, if the outsider is located between a customer edge router and its corresponding provider edge router, such an action might cause the whole customer site to lose its connection. In this case, the threat consequence zone might be a single routing domain.

3.1.2.3. Threat Consequence Periods

A threat consequence period is defined as the portion of time during which the network operations are impacted by the threat consequences. The threat consequence period is influenced by, but not totally dependent on, the duration of the threat action. In some cases, the network operations will get back to normal as soon as the threat action has been stopped. In other cases, however, threat consequences may persist longer than does the threat action. For example, in the original Advanced Research Projects Agency Network (ARPANET) link-state algorithm, some errors in a router introduced three instances of a Link-State Announcement (LSA). All of them flooded throughout the network continuously, until the entire network was power cycled [2].
4. Generally Identifiable Routing Threat Actions

This section addresses generally identifiable and recognized threat actions against routing protocols. The threat actions are not necessarily specific to individual protocols but may be present in one or more of the common routing protocols in use today.

4.1. Deliberate Exposure

Deliberate exposure occurs when an attacker takes control of a router and intentionally releases routing information to other entities (e.g., the attacker, a web page, mail posting, other routers) that otherwise should not receive the exposed information.

The consequence of deliberate exposure is the disclosure of routing information.

The threat consequence zone of deliberate exposure depends on the routing information that the attackers have exposed. The more knowledge they have exposed, the bigger the threat consequence zone.

The threat consequence period of deliberate exposure might be longer than the duration of the action itself. The routing information exposed will not be outdated until there is a topology change of the exposed network.
4.2. Sniffing

Sniffing is an action whereby attackers monitor and/or record the routing exchanges between authorized routers to sniff for routing information. Attackers can also sniff data traffic information (however, this is out of scope of the current work).

The consequence of sniffing is disclosure of routing information.

The threat consequence zone of sniffing depends on the attacker's location, the routing protocol type, and the routing information that has been recorded. For example, if the outsider is sniffing a link that is in an OSPF totally stubby area, the threat consequence zone should be limited to the whole area. An attacker that is sniffing a link in an External Border Gateway Protocol (EBGP) session can gain knowledge of multiple routing domains.

The threat consequence period might be longer than the duration of the action. If an attacker stops sniffing a link, their acquired knowledge will not be outdated until there is a topology change of the affected network.
Traffic analysis is an action whereby attackers gain routing information by analyzing the characteristics of the data traffic on a subverted link. Traffic analysis threats can affect any data that is sent over a communication link. This threat is not peculiar to routing protocols and is included here for completeness.
流量分析是攻击者通过分析被破坏链路上数据流量的特征来获取路由信息的行为。流量分析威胁可能会影响通过通信链路发送的任何数据。这种威胁并不是路由协议所特有的,为了完整起见,本文将其包括在内。
The consequence of data traffic analysis is the disclosure of routing information. For example, the source and destination IP addresses of the data traffic and the type, magnitude, and volume of traffic can be disclosed.
数据流量分析的结果是路由信息的泄露。例如,可以公开数据业务的源和目的地IP地址以及业务的类型、大小和容量。
The threat consequence zone of the traffic analysis depends on the attacker's location and what data traffic has passed through. An attacker at the network core should be able to gather more information than its counterpart at the edge and would therefore have to be able to analyze traffic patterns in a wider area.
The threat consequence period might be longer than the duration of the traffic analysis. After the attacker stops traffic analysis, its knowledge will not be outdated until there is a topology change of the disclosed network.
4.4. Spoofing

Spoofing occurs when an illegitimate device assumes the identity of a legitimate one. Spoofing in and of itself is often not the true attack. Spoofing is special in that it can be used to carry out other threat actions causing other threat consequences. An attacker can use spoofing as a means for launching other types of attacks. For example, if an attacker succeeds in spoofing the identity of a router, the attacker can send out unrealistic routing information that might cause the disruption of network services.
There are a few cases where spoofing can be an attack in and of itself. For example, messages from an attacker that spoof the identity of a legitimate router may cause a neighbor relationship to form and deny the formation of the relationship with the legitimate router.
The consequences of spoofing are as follows:
o The disclosure of routing information. The spoofing router will be able to gain access to the routing information.
o The deception of peer relationship. The authorized routers, which exchange routing messages with the spoofing router, do not realize that they are neighboring with a router that is faking another router's identity.
The threat consequence zone is as follows:
o The consequence zone of the fake peer relationship will be limited to those routers trusting the attacker's claimed identity.
o The consequence zone of the disclosed routing information depends on the attacker's location, the routing protocol type, and the routing information that has been exchanged between the attacker and its deceived neighbors.
Note: This section focuses on addressing spoofing as a threat on its own. However, spoofing creates conditions for other threat actions. Those other threat actions are considered falsifications and are treated in the next section.
4.5. Falsification

Falsification is an action whereby an attacker sends false routing information. To falsify the routing information, an attacker has to be either the originator or a forwarder of the routing information. It cannot be a receiver only. False routing information describes the network in an unrealistic fashion, whether or not intended by the authoritative network administrator.
4.5.1. Falsifications by Originators

An originator of routing information can launch the falsifications that are described in the next sections.
4.5.1.1. Overclaiming

Overclaiming occurs when a Byzantine router or outsider advertises its control of some network resources while in reality it does not control them, or when the advertisement is not authorized. This is illustrated in Figures 2 and 3.
+-------------+   +-------+   +-------+
|  Internet   |---| Rtr B |---| Rtr A |
+------+------+   +-------+   +---+---+
       |              .           |
       |              .         *-+-*
   +-------+                   /     \
   | Rtr C |------------------*  N 1  *
   +-------+                   \     /
                                *---*

Figure 2. Overclaiming-1
+-------------+   +-------+   +-------+
|  Internet   |---| Rtr B |---| Rtr A |
+------+------+   +-------+   +-------+
       |              |
       |              |         *---*
   +-------+                   /     \
   | Rtr C |------------------*  N 1  *
   +-------+                   \     /
                                *---*

Figure 3. Overclaiming-2
The above figures provide examples of overclaiming. Router A, the attacker, is connected to the Internet through Router B. Router C is authorized to advertise its link to Network 1. In Figure 2, Router A controls a link to Network 1 but is not authorized to advertise it. In Figure 3, Router A does not control such a link. But in either case, Router A advertises the link to the Internet, through Router B.
Both Byzantine routers and outsiders can overclaim network resources. The consequences of overclaiming include the following:
o Usurpation of the overclaimed network resources. In Figures 2 and 3, usurpation of Network 1 can occur when Router B (or other routers on the Internet not shown in the figures) believes that Router A provides the best path to reach Network 1. As a result, routers forward data traffic destined to Network 1 to Router A. The best result is that the data traffic uses an unauthorized path, as in Figure 2. The worst case is that the data never reaches the destination Network 1, as in Figure 3. The ultimate consequence is that Router A gains control over Network 1's services, by controlling the data traffic.
o Usurpation of the legitimate advertising routers. In Figures 2 and 3, Router C is the legitimate advertiser of Network 1. By overclaiming, Router A also controls (partially or totally) the services/functions provided by Router C. (This is NOT a disruption, as Router C is operating in the way intended by the authoritative network administrator.)
o Deception of other routers. In Figures 2 and 3, Router B, or other routers on the Internet, might be deceived into believing that the path through Router A is the best.
o Disruption of data planes on some routers. This might happen to routers that are on the path that is used by other routers to reach the overclaimed network resources through the attacker. In Figures 2 and 3, when other routers on the Internet are deceived, they will forward the data traffic to Router B, which might be overloaded.
The threat consequence zone varies based on the consequence:
o Where usurpation is concerned, the consequence zone covers the network resources that are overclaimed by the attacker (Network 1 in Figures 2 and 3), and the routers that are authorized to advertise the network resources but lose the competition against the attacker (Router C in Figures 2 and 3).
o Where deception is concerned, the consequence zone covers the routers that do believe the attacker's advertisement and use the attacker to reach the claimed networks (Router B and other deceived routers on the Internet in Figures 2 and 3).
o Where disruption is concerned, the consequence zone includes the routers that are on the path of misdirected data traffic (Router B in Figures 2 and 3 and other routers in the Internet on the path of the misdirected traffic).
The threat consequence will not cease when the attacker stops overclaiming and will totally disappear only when the routing tables are converged. As a result, the consequence period is longer than the duration of the overclaiming.
4.5.1.2. Misclaiming

A misclaiming threat is defined as an action whereby an attacker is advertising some network resources that it is authorized to control, but in a way that is not intended by the authoritative network administrator. For example, it may be advertising inappropriate link costs in an OSPF LSA. An attacker can eulogize or disparage when advertising these network resources. Byzantine routers can misclaim network resources.
The threat consequences of misclaiming are similar to the consequences of overclaiming.
The consequence zone and period are also similar to those of overclaiming.
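The following added Python example (not part of RFC 4593) turns the overclaiming and misclaiming definitions above into an audit: it labels each advertisement against an administrator's authorization policy and reports whether a non-legitimate claim would win route selection, i.e. the usurpation and deception consequences described for Figures 2 and 3. The policy table, router names, prefix and costs are constructed for illustration.

```python
"""Audit route advertisements for overclaiming and misclaiming.

Added example (not part of RFC 4593): policy, router names and prefix are
constructed to mirror Figures 2 and 3, where Router C is the only router
authorized to advertise Network 1.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Advertisement:
    advertiser: str  # router originating the claim
    prefix: str      # network resource claimed
    cost: int        # advertised metric, e.g. an OSPF link cost

# prefix -> (authorized advertiser, cost range intended by the administrator)
Policy = Dict[str, Tuple[str, Tuple[int, int]]]
POLICY: Policy = {"10.1.0.0/16": ("Rtr C", (10, 20))}  # constructed Network 1

def classify(adv: Advertisement, policy: Policy) -> str:
    """Label one advertisement with the originator-falsification taxonomy."""
    entry = policy.get(adv.prefix)
    if entry is None:
        return "unknown-prefix"
    authorized, (low, high) = entry
    if adv.advertiser != authorized:
        # Overclaiming: not authorized for this resource, whether or not the
        # advertiser really has a link to it (Figure 2 versus Figure 3).
        return "overclaiming"
    if not low <= adv.cost <= high:
        # Misclaiming: authorized advertiser, but the cost eulogizes or
        # disparages the resource relative to the administrator's intent.
        return "misclaiming"
    return "legitimate"

def select_best(advs: List[Advertisement], prefix: str) -> Optional[Advertisement]:
    """Lowest-cost claim for prefix: what a deceived router like Router B picks."""
    candidates = [a for a in advs if a.prefix == prefix]
    return min(candidates, key=lambda a: a.cost, default=None)

def assess(advs: List[Advertisement], policy: Policy) -> Dict[str, dict]:
    """For each policed prefix, classify its advertisements and report whether a
    non-legitimate claim wins route selection (usurpation of the resource and
    of the displaced legitimate advertiser)."""
    report = {}
    for prefix, (authorized, _) in policy.items():
        labels = {a.advertiser: classify(a, policy)
                  for a in advs if a.prefix == prefix}
        best = select_best(advs, prefix)
        usurped = best is not None and labels[best.advertiser] != "legitimate"
        report[prefix] = {
            "labels": labels,
            "selected": best.advertiser if best else None,
            "usurped": usurped,
            "displaced": authorized if usurped else None,
        }
    return report

# Constructed sample: what Router B hears. Router A claims Network 1 at a
# lower cost than the authorized Router C, so Router B would prefer Router A.
HEARD_BY_RTR_B = [
    Advertisement("Rtr C", "10.1.0.0/16", 15),
    Advertisement("Rtr A", "10.1.0.0/16", 5),
]

if __name__ == "__main__":
    for prefix, finding in assess(HEARD_BY_RTR_B, POLICY).items():
        print(prefix, finding)
```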
4.5.2. Falsifications by Forwarders

In each routing protocol, routers that forward routing protocol messages are expected to leave some fields unmodified and to modify other fields in certain circumscribed ways. The fields to be modified, the possible new contents of those fields and their computation from the original fields, the fields that must remain unmodified, etc. are all detailed in the protocol specification. They may vary depending on the function of the router or its network environment. For example, in RIP, the forwarder must modify the routing information by increasing the hop count by 1. On the other hand, a forwarder must not modify any field of the type 1 LSA in OSPF except the age field. In general, forwarders in distance vector routing protocols are authorized to and must modify the routing information, while most forwarders in link state routing protocols are not authorized to and must not modify most routing information.
As a forwarder authorized to modify routing messages, an attacker might also falsify by not forwarding routing information to other authorized routers as required.
4.5.2.1. Misstatement

This is defined as an action whereby the attacker modifies route attributes in an incorrect manner. For example, in RIP, the attacker might increase the path cost by two hops instead of one. In BGP, the attacker might delete some AS numbers from the AS PATH.
Where forwarding routing information should not be modified, an attacker can launch the following falsifications:
o Deletion. Attacker deletes valid data in the routing message.
o Insertion. Attacker inserts false data in the routing message.
o Substitution. Attacker replaces valid data in the routing message with false data.
A forwarder can also falsify data by replaying out-dated data in the routing message as current data.
All types of attackers, outsiders and Byzantine routers, can falsify the routing information when they forward the routing messages.
The threat consequences of these falsifications by forwarders are similar to those caused by originators: usurpation of some network resources and related routers; deception of routers using false paths; and disruption of data planes of routers on the false paths. The threat consequence zone and period are also similar.
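As an added example (not the RFC's own code), the Python below applies the forwarder rules discussed above to a pair of messages, the copy a forwarder received and the copy it emitted, and labels misstatement, deletion, insertion, substitution and replay as defined in this section. Field names, the `newest_seen_seq` argument and the sample messages are constructed and simplified, not the RIP, OSPF or BGP wire formats.

```python
"""Detect falsification by a forwarder of routing messages.
Added example, not part of RFC 4593; field names and sample messages are
constructed and simplified, not the RIP, OSPF or BGP wire formats.
"""
from typing import Any, Dict, FrozenSet, List

Message = Dict[str, Any]

def diff_fields(original: Message, forwarded: Message,
                mutable: FrozenSet[str]) -> List[str]:
    """Report changes to fields the forwarder was not authorized to touch."""
    findings = []
    for field in sorted(set(original) | set(forwarded)):
        if field in mutable:
            continue
        if field not in forwarded:
            findings.append(f"deletion: {field}")
        elif field not in original:
            findings.append(f"insertion: {field}")
        elif forwarded[field] != original[field]:
            findings.append(f"substitution: {field}")
    return findings

def check_rip(original: Message, forwarded: Message) -> List[str]:
    """RIP: the forwarder must raise the metric by exactly one hop."""
    findings = diff_fields(original, forwarded, frozenset({"metric"}))
    delta = forwarded.get("metric", 0) - original["metric"]
    if delta != 1:
        findings.append(f"misstatement: metric changed by {delta}, expected 1")
    return findings

def check_ospf_router_lsa(original: Message, forwarded: Message,
                          newest_seen_seq: int) -> List[str]:
    """OSPF type 1 LSA: only the age field may change when flooded. A copy
    whose sequence number is older than the instance the receiver already
    holds (newest_seen_seq, a constructed argument) is a replay."""
    findings = diff_fields(original, forwarded, frozenset({"age"}))
    if forwarded.get("seq", 0) < newest_seen_seq:
        findings.append("replay: sequence number older than newest instance")
    return findings

def check_bgp_as_path(original_path: List[int], forwarded_path: List[int],
                      forwarder_as: int) -> List[str]:
    """BGP: the forwarder prepends its own AS number and must not drop,
    add or reorder the AS numbers already in AS_PATH."""
    expected = [forwarder_as] + original_path
    if forwarded_path == expected:
        return []
    missing = [a for a in original_path if a not in forwarded_path]
    extra = [a for a in forwarded_path if a not in expected]
    findings = []
    if missing:
        findings.append(f"deletion: AS numbers {missing} removed from AS_PATH")
    if extra:
        findings.append(f"insertion: AS numbers {extra} added to AS_PATH")
    if not missing and not extra:
        findings.append("misstatement: AS_PATH reordered or own AS not prepended")
    return findings

# Constructed samples: a RIP forwarder adding two hops instead of one, and an
# OSPF forwarder altering a link cost inside a router LSA it may not modify.
RIP_IN = {"prefix": "10.1.0.0/16", "metric": 3}
RIP_OUT = {"prefix": "10.1.0.0/16", "metric": 5}
LSA_IN = {"adv_router": "10.0.0.3", "seq": 0x80000005, "age": 100,
          "links": (("10.1.0.0/16", 10),)}
LSA_OUT = {"adv_router": "10.0.0.3", "seq": 0x80000005, "age": 105,
           "links": (("10.1.0.0/16", 1),)}
```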
4.6. Interference

Interference is a threat action whereby an attacker inhibits the exchanges by legitimate routers. The attacker can do this by adding noise, by not forwarding packets, by replaying outdated packets, by inserting or corrupting messages, by delaying responses, by denial of receipts, or by breaking synchronization.
Byzantine routers can slow down their routing exchanges or induce flapping in the routing sessions of legitimate neighboring routers.
The consequence of interference is the disruption of routing operations.
The consequence zone of interference depends on the severity of the interference. If the interference results in consequences at the neighbor maintenance level, then there may be changes in the database, resulting in network-wide consequences.
The threat consequences might disappear as soon as the interference is stopped or might not totally disappear until the networks have converged. Therefore, the consequence period is equal to or longer than the duration of the interference.
4.7. Overload

Overload is defined as a threat action whereby attackers place excess burden on legitimate routers. For example, it is possible for an attacker to trigger a router to create an excessive amount of state that other routers within the network are not able to handle. In a similar fashion, it is possible for an attacker to overload database routing exchanges and thus to influence the routing operations.
5. Security Considerations

This entire document is security related. Specifically, the document addresses security of routing protocols as associated with threats to those protocols. In a larger context, this work builds upon the recognition of the IETF community that signaling and control/management planes of networked devices need strengthening. Routing protocols can be considered part of that signaling and control plane. However, to date, routing protocols have largely remained unprotected and open to malicious attacks. This document discusses inter- and intra-domain routing protocol threats that are currently known and lays the foundation for other documents that will discuss security requirements for routing protocols. This document is protocol independent.
Appendix A. Acknowledgments

This document would not have been possible save for the excellent efforts and teamwork characteristics of those listed here.
o Dennis Beard, Nortel
o Ayman Musharbash, Nortel
o Jean-Jacques Puig, int-evry, France
o Paul Knight, Nortel
o Elwyn Davies, Nortel
o Ameya Dilip Pandit, Graduate student, University of Missouri
o Senthilkumar Ayyasamy, Graduate student, University of Missouri
o Stephen Kent, BBN
o Tim Gage, Cisco Systems
o James Ng, Cisco Systems
o Alvaro Retana, Cisco Systems
Appendix B. Acronyms

AS - Autonomous system. Set of routers under a single technical administration. Each AS normally uses a single interior gateway protocol (IGP) and metrics to propagate routing information within the set of routers. Also called routing domain.
AS-Path - In BGP, the route to a destination. The path consists of the AS numbers of all routers a packet must go through to reach a destination.
BGP - Border Gateway Protocol. Exterior gateway protocol used to exchange routing information among routers in different autonomous systems.
LSA - Link-State Announcement
NLRI - Network Layer Reachability Information. Information that is carried in BGP packets and is used by MBGP.
OSPF - Open Shortest Path First. A link-state IGP that makes routing decisions based on the shortest-path-first (SPF) algorithm (also referred to as the Dijkstra algorithm).
Authors' Addresses
Abbie Barbir
Nortel
3500 Carling Avenue
Nepean, Ontario K2H 8E9
Canada
EMail: abbieb@nortel.com
Sandy Murphy
Sparta, Inc.
7110 Samuel Morse Drive
Columbia, MD
USA
Phone: 443-430-8000
EMail: sandy@sparta.com
Yi Yang
Cisco Systems
7025 Kit Creek Road
RTP, NC 27709
USA
EMail: yiya@cisco.com
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).