Internet Engineering Task Force (IETF)                           S. Kent
Request for Comments: 7132                                           BBN
Category: Informational                                           A. Chi
ISSN: 2070-1721                                                   UNC-CH
                                                           February 2014
Threat Model for BGP Path Security
Abstract
This document describes a threat model for the context in which External Border Gateway Protocol (EBGP) path security mechanisms will be developed. The threat model includes an analysis of the Resource Public Key Infrastructure (RPKI) and focuses on the ability of an Autonomous System (AS) to verify the authenticity of the AS path info received in a BGP update. We use the term "PATHSEC" to refer to any BGP path security technology that makes use of the RPKI. PATHSEC will secure BGP, consistent with the inter-AS security focus of the RPKI.
The document characterizes classes of potential adversaries that are considered to be threats and examines classes of attacks that might be launched against PATHSEC. It does not revisit attacks against unprotected BGP, as that topic has already been addressed in the BGP-4 standard. It concludes with a brief discussion of residual vulnerabilities.
Status of This Memo
This document is not an Internet Standards Track specification; it is published for informational purposes.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7132.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction
2. Terminology
3. Threat Characterization
4. Attack Characterization
   4.1. Active Wiretapping of Sessions between Routers
   4.2. Attacks on a BGP Router
   4.3. Attacks on Network Operator Management Computers (Non-CA Computers)
   4.4. Attacks on a Repository Publication Point
   4.5. Attacks on an RPKI CA
5. Residual Vulnerabilities
6. Security Considerations
7. Acknowledgements
8. Informative References

1. Introduction
This document describes the security context in which PATHSEC is intended to operate. The term "PATHSEC" (for path security) refers to any design used to preserve the integrity and authenticity of the AS_PATH attribute carried in a BGP update message [RFC4271]. The security context used throughout this document is established by the Secure Inter-Domain Routing (SIDR) working group charter [SIDR-CH]. The charter requires that solutions that afford PATHSEC make use of the Resource Public Key Infrastructure (RPKI) [RFC6480]. It also calls for protecting only the information required to verify that a received route traversed the Autonomous Systems (ASes) in question, and that the Network Layer Reachability Information (NLRI) in the route is what was advertised.
Thus, the goal of PATHSEC is to enable a BGP speaker to verify that the ASes enumerated in this path attribute represent the sequence of ASes that the NLRI traversed. The term "PATHSEC" is thus consistent with the goal described above. (Other SIDR documents use the term "BGPSEC" to refer to a specific design; we avoid use of that term here.)
This document discusses classes of potential adversaries that are considered to be threats, and classes of attacks that might be launched against PATHSEC. Because PATHSEC will rely on the RPKI, threats and attacks against the RPKI are included. This model also takes into consideration classes of attacks that are enabled by the use of PATHSEC (e.g., based on use of the RPKI).
The motivation for developing PATHSEC, i.e., residual security concerns for BGP, is well described in several documents, including "BGP Security Vulnerabilities Analysis" [RFC4272] and "Design and Analysis of the Secure Border Gateway Protocol (S-BGP)" [Kent2000]. All of these documents note that BGP does not include mechanisms that allow an AS to verify the legitimacy and authenticity of BGP route advertisements. (BGP now mandates support for mechanisms to secure peer-to-peer communication, i.e., for the links that connect BGP routers. There are several secure protocol options to address this security concern, e.g., IPsec [RFC4301] and TCP Authentication Option (TCP-AO) [RFC5925]. This document briefly notes the need to address this aspect of BGP security, but focuses on application layer BGP security issues that must be addressed by PATHSEC.)
RFC 4272 [RFC4272] succinctly notes:
BGP speakers themselves can inject bogus routing information, either by masquerading as any other legitimate BGP speaker, or by distributing unauthorized routing information as themselves. Historically, misconfigured and faulty routers have been responsible for widespread disruptions in the Internet. The legitimate BGP peers have the context and information to produce believable, yet bogus, routing information, and therefore have the opportunity to cause great damage. The cryptographic protections of [TCPMD5] and operational protections cannot exclude the bogus information arising from a legitimate peer. The risk of disruptions caused by legitimate BGP speakers is real and cannot be ignored.
PATHSEC is intended to address the concerns cited above, to provide significantly improved path security, which builds upon the route origination validation capability offered by use of the RPKI [RFC6810]. Specifically, the RPKI enables relying parties (RPs) to determine if the origin AS for a path was authorized to advertise the prefix contained in a BGP update message. This security feature is enabled by the use of two types of digitally signed data: a PKI [RFC6487] that associates one or more prefixes with the public key(s) of an address space holder, and Route Origin Authorizations (ROAs) [RFC6482] that allow a prefix holder to specify one or more ASes that are authorized to originate routes for a prefix.
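The origin check described above, sketched as an added example that is not part of RFC 7132: it classifies a route as valid, invalid or not-found in the manner of RFC 6811 route origin validation. The ROA payloads, prefixes and ASNs are constructed sample data, and the function names are hypothetical; a real relying party derives the payloads from signature-verified ROAs.

```python
import ipaddress
from typing import NamedTuple, Sequence, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class RoaPayload(NamedTuple):
    """What a relying party keeps from one verified ROA entry."""
    prefix: Network
    max_length: int   # longest prefix length the prefix holder allows
    origin_as: int    # AS authorized to originate routes for the prefix


def roa(prefix: str, max_length: int, origin_as: int) -> RoaPayload:
    return RoaPayload(ipaddress.ip_network(prefix), max_length, origin_as)


# Constructed sample payloads (documentation prefixes and documentation ASNs).
SAMPLE_ROAS = [
    roa("192.0.2.0/24", 24, 64496),
    roa("203.0.113.0/24", 24, 64498),   # one prefix, two authorized origins
    roa("203.0.113.0/24", 24, 64499),
    roa("2001:db8::/32", 48, 64497),
]


def origin_of(as_path: Sequence[int]) -> int:
    """The origin AS is the last ASN in the path (the AS that first announced it)."""
    return as_path[-1]


def validate_origin(prefix: str, as_path: Sequence[int], roas=SAMPLE_ROAS) -> str:
    """Return 'valid', 'invalid' or 'not-found' for a received route."""
    route = ipaddress.ip_network(prefix)
    origin = origin_of(as_path)
    covered = False
    for entry in roas:
        if entry.prefix.version != route.version:
            continue                      # never compare IPv4 against IPv6
        if not route.subnet_of(entry.prefix):
            continue                      # this ROA says nothing about the route
        covered = True
        if route.prefixlen <= entry.max_length and origin == entry.origin_as:
            return "valid"
    # Covered by at least one ROA but matched by none: false origination
    # or a more-specific announcement the prefix holder did not authorize.
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    checks = [
        ("192.0.2.0/24", [64500, 64496]),       # authorized origin
        ("192.0.2.0/24", [64500, 64511]),       # origin not named in any ROA
        ("192.0.2.128/25", [64496]),            # longer than max_length
        ("198.51.100.0/24", [64496]),           # no covering ROA
        ("2001:db8:1::/48", [64497]),           # IPv6, within max_length
        # Only the last ASN is checked: the rest of the path is not verified
        # by origin validation, which is the gap PATHSEC is meant to close.
        ("192.0.2.0/24", [64500, 64511, 64496]),
    ]
    for prefix, path in checks:
        print(prefix, path, validate_origin(prefix, path))
```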
The security model adopted for PATHSEC does not assume an "oracle" that can see all of the BGP inputs and outputs associated with every AS or every BGP router. Instead, the model is based on a local notion of what constitutes legitimate, authorized behavior by the BGP routers associated with an AS. This is an AS-centric model of secure operation, consistent with the AS-centric model that BGP employs for routing. This model forms the basis for the discussion that follows.
This document begins with a brief set of definitions relevant to the subsequent sections. It then discusses classes of adversaries that are perceived as viable threats against routing in the public Internet. It continues to explore a range of attacks that might be effected by these adversaries against both path security and the infrastructure upon which PATHSEC relies. It concludes with a brief review of residual vulnerabilities, i.e., vulnerabilities that are not addressed by use of the RPKI and that appear likely to be outside the scope of PATHSEC mechanisms.
2. Terminology
The following security and routing terminology definitions are employed in this document.
Adversary: An adversary is an entity (e.g., a person or an organization) that is perceived as malicious, relative to the security policy of a system. The decision to characterize an entity as an adversary is made by those responsible for the security of a system. Often, one describes classes of adversaries with similar capabilities or motivations rather than specific individuals or organizations.
Attack: An attack is an action that attempts to violate the security policy of a system, e.g., by exploiting a vulnerability. There is often a many-to-one mapping of attacks to vulnerabilities because many different attacks may be used to exploit a vulnerability.
Autonomous System (AS): An AS is a set of one or more IP networks operated by a single administrative entity.
AS Number (ASN): An ASN is a 2- or 4-byte number issued by a registry to identify an AS in BGP.
Certification Authority (CA): An entity that issues digital certificates (e.g., X.509 certificates) and vouches for the binding between the data items in a certificate.
Countermeasure: A countermeasure is a procedure or technique that thwarts an attack, preventing it from being successful. Often, countermeasures are specific to attacks or classes of attacks.
Border Gateway Protocol (BGP): A path vector protocol used to convey "reachability" information among ASes in support of inter-domain routing.
False (Route) Origination: If a network operator originates a route for a prefix that the operator does not hold (and that has not been authorized to originate by the prefix holder), this is termed false route origination.
Internet Service Provider (ISP): An organization managing (and typically selling) Internet services to other organizations or individuals.
Internet Number Resources (INRs): IPv4 or IPv6 address space and ASNs.
Internet Registry: An organization that manages the allocation or distribution of INRs. This encompasses the Internet Assigned Number Authority (IANA), Regional Internet Registries (RIRs), National Internet Registries (NIRs), and Local Internet Registries (LIRs) (network operators).
Man in the Middle (MITM): A MITM is an entity that is able to examine and modify traffic between two (or more) parties on a communication path.
Network Operator: An entity that manages an AS and thus emits (E)BGP updates, e.g., an ISP.
Network Operations Center (NOC): A network operator employs a set of equipment and a staff to manage a network, typically on a 24/7 basis. The equipment and staff are often referred to as the NOC for the network.
Prefix: A prefix is an IP address and a mask used to specify a set of addresses that are grouped together for purposes of routing.
Public Key Infrastructure (PKI): A PKI is a collection of hardware, software, people, policies, and procedures used to create, manage, distribute, store, and revoke digital certificates.
Relying Parties (RPs): An RP is an entity that makes use of signed products from a PKI, i.e., it relies on signed data that is verified using certificates and Certificate Revocation Lists (CRLs) from a PKI.
RPKI Repository System: The RPKI repository system consists of a distributed set of loosely synchronized databases.
Resource PKI (RPKI): A PKI operated by the entities that manage INRs and that issue X.509 certificates (and CRLs) that attest to the holdings of INRs.
RPKI Signed Object: An RPKI signed object is a data object encapsulated with Cryptographic Message Syntax (CMS) that complies with the format and semantics defined in [RFC6488].
Route: In the Internet, a route is a prefix and an associated sequence of ASNs that indicates a path via which traffic destined for the prefix can be directed. (The route includes the origin AS.)
Route Leak: A route leak is said to occur when AS-A advertises routes that it has received from AS-B to the neighbors of AS-A, but AS-A is not viewed as a transit provider for the prefixes in the route.
Threat: A threat is a motivated, capable adversary. An adversary that is not motivated to launch an attack is not a threat. An adversary that is motivated but not capable of launching an attack also is not a threat.
Vulnerability: A vulnerability is a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the security policy of a system.
3. Threat Characterization
As noted in Section 2 above, a threat is defined as a motivated, capable adversary. The following classes of threats represent classes of adversaries viewed as relevant to this environment.
Network Operators: A network operator may be a threat. An operator may be motivated to cause BGP routers it controls to emit update messages with inaccurate routing info, e.g., to cause traffic to flow via paths that are economically advantageous for the operator. Such updates might cause traffic to flow via paths that would otherwise be rejected as less advantageous by other network operators. Because an operator controls the BGP routers in its network, it is in a position to modify their operation in arbitrary ways. Routers managed by a network operator are vehicles for mounting MITM attacks on both control and data plane traffic. If an operator participates in the RPKI, it will have at least one CA resource certificate and may be able to generate an arbitrary number of subordinate CA certificates and ROAs. It will be authorized to populate (and may even host) its own repository publication point. If it implements PATHSEC, and if PATHSEC makes use of certificates associated with routers or ASes, it will have the ability to issue such certificates for itself. If PATHSEC digitally signs updates, it will be able to do so in a fashion that will be accepted by PATHSEC-enabled neighbors.
Hackers: Hackers are considered a threat. A hacker might assume control of network management computers and routers controlled by operators, including operators that implement PATHSEC. In such cases, hackers would be able to act as rogue network operators (see above). It is assumed that hackers generally do not have the capability to effect MITM attacks on most links between networks (links used to transmit BGP and subscriber traffic). A hacker might be recruited, without his/her knowledge, by criminals or by nations, to act on their behalf. Hackers may be motivated by a desire for "bragging rights", for profit, or to express support for a cause ("hacktivists" [Sam04]). We view hackers as possibly distinct from criminals in that the former are presumed to effect attacks only remotely (not via a physical presence associated with a target) and not necessarily for monetary gain. Some hackers may commit criminal acts (depending on the jurisdiction), and thus there is a potential for overlap between this adversary group and criminals.
Criminals: Criminals may be a threat. Criminals might persuade (via threats or extortion) a network operator to act as a rogue operator (see above) and thus be able to effect a wide range of attacks. Criminals might persuade the staff of a telecommunications provider to enable MITM attacks on links between routers. Motivations for criminals may include the ability to extort money from network operators or network operator clients, e.g., by adversely affecting routing for these network operators or their clients. Criminals also may wish to manipulate routing to conceal the sources of spam, DoS attacks, or other criminal activities.
Registries: Any registry in the RPKI could be a threat. Staff at the registry are capable of manipulating repository content or mismanaging the RPKI certificates that they issue. These actions could adversely affect a network operator or a client of a network operator. The staff could be motivated to do this based on political pressure from the nation in which the registry operates (see below) or due to criminal influence (see above).
Nations: A nation may be a threat. A nation may control one or more network operators that operate in the nation, and thus can cause them to act as rogue network operators. A nation may have a technical active wiretapping capability (e.g., within its territory) that enables it to effect MITM attacks on inter-network traffic. (This capability may be facilitated by control or influence over a telecommunications provider operating within the nation.) It may have an ability to attack and take control of routers or management network computers of network operators in other countries. A nation may control a registry (e.g., an RIR) that operates within its territory and might force that registry to act in a rogue capacity. National threat motivations include the desire to control the flow of traffic to/from the nation or to divert traffic destined for other nations (for passive or active wiretapping, including DoS).
4. Attack Characterization
This section describes classes of attacks that may be effected against Internet routing (relative to the context described in Section 1). Attacks are classified based on the target of the attack, an element of the routing system, or the routing security infrastructure on which PATHSEC relies. In general, attacks of interest are ones that attempt to violate the integrity or authenticity of BGP traffic or that violate the authorizations associated with entities participating in the RPKI. Attacks that violate the implied confidentiality of routing traffic, e.g., passive wiretapping attacks, are not considered a requirement for BGP security (see [RFC4272]).
4.1. Active Wiretapping of Sessions between Routers
An adversary may attack the BGP (TCP) session that connects a pair of BGP speakers. An active attack against a BGP (TCP) session can be effected by directing traffic to a BGP speaker from some remote point, or by being positioned as a MITM on the link that carries BGP session traffic. Remote attacks can be effected by any adversary. A MITM attack requires access to the link. Modern transport networks may be as complex as the packet networks that utilize them for inter-AS links. Thus, these transport networks may present significant attack surfaces. Nonetheless, only some classes of adversaries are assumed to be capable of MITM attacks against a BGP session. MITM attacks may be directed against BGP and PATHSEC-protected BGP, or against TCP or IP. Such attacks include replay of selected BGP messages, selective modification of BGP messages, and DoS attacks against BGP routers. [RFC4272] describes several countermeasures for such attacks, and thus this document does not further address such attacks.
4.2. Attacks on a BGP Router
An adversary may attack a BGP router, whether or not it implements PATHSEC. Any adversary that controls routers legitimately, or that can assume control of a router, is assumed to be able to effect the types of attacks described below. Note that any router behavior that can be ascribed to a local routing policy decision is not considered to be an attack. This is because such behavior could be explained as a result of local policy settings and thus is beyond the scope of what PATHSEC can detect as unauthorized behavior. Thus, for example, a router may fail to propagate some or all route withdrawals or effect "route leaks". (These behaviors are not precluded by the specification for BGP and might be the result of a local policy that is not publicly disclosed. As a result, they are not considered attacks. See Section 5 for additional discussion.)
Attacks on a router are equivalent to active wiretapping attacks (in the most general sense) that manipulate (forge, tamper with, or suppress) data contained in BGP updates. The list below illustrates attacks of this type.
AS Insertion: A router might insert one or more ASNs, other than its own ASN, into an update message. This violates the BGP spec and thus is considered an attack.
False (Route) Origination: A router might originate a route for a prefix when the AS that the router represents is not authorized to originate routes for that prefix. This is an attack, but it is addressed by the use of the RPKI [RFC6480].
Secure Path Downgrade: A router might remove AS_PATH data from a PATHSEC-protected update that it receives when forwarding this update to a PATHSEC-enabled neighbor. This behavior violates the PATHSEC security goals and thus is considered an attack.
Invalid AS_PATH Data Insertion: A router might emit a PATHSEC-protected update with "bad" data (such as a signature), i.e., PATHSEC data that cannot be validated by other PATHSEC routers. Such behavior is assumed to violate the PATHSEC goals and thus is considered an attack.
Stale Path Announcement: If PATHSEC-secured announcements can expire, such an announcement may be propagated with PATHSEC data that is "expired". This behavior would violate the PATHSEC goals and is considered a type of replay attack.
Premature Path Announcement Expiration: If a PATHSEC-secured announcement has an associated expiration time, a router might emit a PATHSEC-secured announcement with an expiry time that is very short. Unless the PATHSEC protocol specification mandates a minimum expiry time, this is not an attack. However, if such a time is mandated, this behavior becomes an attack. BGP speakers along a path generally cannot determine if an expiry time is "suspiciously short" since they cannot know how long a route may have been held by an earlier AS, prior to being released.
MITM Attack: A cryptographic key used for point-to-point security (e.g., TCP-AO, TLS, or IPsec) between two BGP routers might be compromised (e.g., by extraction from a router). This would enable an adversary to effect MITM attacks on the link(s) where the key is used. Use of specific security mechanisms to protect inter-router links between ASes is outside the scope of PATHSEC.
Compromised Router Private Key: If PATHSEC mechanisms employ public key cryptography, e.g., to digitally sign data in an update, then a private key associated with a router or an AS might be compromised by an attack against the router. An adversary with access to this key would be able to generate updates that appear to have passed through the AS that this router represents. Such updates might be injected on a link between the compromised router and its neighbors if that link is accessible to the adversary. If the adversary controls another network, it could use this key to forge signatures that appear to come from the AS or router(s) in question, with some constraints. So, for example, an adversary that controls another AS could use a compromised router/AS key to issue PATHSEC-signed data that includes the targeted router/AS. (Neighbors of the adversary's AS ought not accept a route that purports to emanate directly from the targeted AS. So, an adversary could take a legitimate, protected route that passes through the compromised AS, add itself as the next hop, and then forward the resulting route to neighbors.)
Withdrawal Suppression Attack: A PATHSEC-protected update may be signed and announced, and later withdrawn. An adversary controlling intermediate routers could fail to propagate the withdrawal. BGP is already vulnerable to behavior of this sort, so withdrawal suppression is not characterized as an attack under the assumptions upon which this model is based (i.e., no oracle).
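How a receiving router could tell several of the attack classes listed above apart, as an added example that is not part of RFC 7132 and not any specified PATHSEC design. Assumptions: a hypothetical chained per-AS tag over the prefix, expiry, path and next AS; HMAC with constructed keys stands in for per-AS digital signatures so the code runs with the standard library; the result names are invented here.

```python
import hashlib
import hmac

# Constructed keys. Assumption: in a real design each AS would sign with a
# private key and receivers would verify with RPKI-certified public keys.
KEYS = {64496: b"key-64496", 64497: b"key-64497", 64498: b"key-64498"}


def make_tag(key, prefix, expiry, path, next_as, prev_tag):
    """Tag binding prefix, expiry, path so far, intended neighbor and prior tag."""
    fields = [prefix, str(expiry), ",".join(str(a) for a in path), str(next_as)]
    return hmac.new(key, "|".join(fields).encode() + prev_tag, hashlib.sha256).digest()


def originate(asn, prefix, expiry, next_as):
    path = [asn]
    tag = make_tag(KEYS[asn], prefix, expiry, path, next_as, b"")
    return {"prefix": prefix, "expiry": expiry, "path": path, "tags": [tag]}


def forward(update, asn, next_as):
    """Prepend this AS and its tag (newest hop first, origin last)."""
    path = [asn] + update["path"]
    tag = make_tag(KEYS[asn], update["prefix"], update["expiry"], path,
                   next_as, update["tags"][0])
    return {**update, "path": path, "tags": [tag] + update["tags"]}


def verify(update, receiver_as, now):
    """Classify a received update: valid, missing-path-data,
    invalid-path-data or stale."""
    path, tags = update["path"], update["tags"]
    # An ASN without a matching tag: path data was stripped (secure path
    # downgrade) or an ASN was inserted without protection data.
    if len(tags) != len(path):
        return "missing-path-data"
    prev = b""
    for i in range(len(path) - 1, -1, -1):      # walk from origin to newest hop
        asn = path[i]
        next_as = path[i - 1] if i > 0 else receiver_as
        key = KEYS.get(asn)
        if key is None:
            return "invalid-path-data"          # no key material for this AS
        expected = make_tag(key, update["prefix"], update["expiry"],
                            path[i:], next_as, prev)
        if not hmac.compare_digest(expected, tags[i]):
            return "invalid-path-data"          # altered path, prefix or expiry
        prev = tags[i]
    # Expiry is covered by every tag, so it is only trusted after the chain
    # verifies. A leaked key would still verify: the check cannot detect a
    # compromised router key.
    if update["expiry"] <= now:
        return "stale"
    return "valid"


if __name__ == "__main__":
    # Constructed scenario: AS 64496 originates, AS 64497 forwards to AS 64498.
    good = forward(originate(64496, "192.0.2.0/24", 2000, 64497), 64497, 64498)
    cases = {
        "as received": (good, 64498, 1000),
        "ASN inserted, tags unchanged": (dict(good, path=[64497, 64511, 64496]), 64498, 1000),
        "path data removed": (dict(good, tags=[]), 64498, 1000),
        "expiry rewritten": (dict(good, expiry=9999), 64498, 1000),
        "seen after expiry": (good, 64498, 3000),
        "delivered to another neighbor": (good, 64499, 1000),
    }
    for name, (update, receiver, now) in cases.items():
        print(f"{name}: {verify(update, receiver, now)}")
```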
4.3. Attacks on Network Operator Management Computers (Non-CA Computers)
An adversary may choose to attack computers used by a network operator to manage its network, especially its routers. Such attacks might be effected by an adversary who has compromised the security of these computers. This might be effected via remote attacks, extortion of network operations staff, etc. If an adversary compromises NOC computers, he can execute any management function that authorized network operations staff would have performed. Thus, the adversary could modify the local routing policy to change preferences, to black-hole certain routes, etc. This type of behavior cannot be externally detected as an attack. Externally, this appears as a form of rogue operator behavior. (Such behavior might be perceived as accidental or malicious by other operators.)
If a network operator participates in the RPKI, an adversary could manipulate the RP tools that extract data from the RPKI, causing the output of these tools to be corrupted in various ways. For example, an attack of this sort could cause the operator to view valid routes as not validated, which could alter its routing behavior.
If an adversary invoked the tool used to manage the repository publication point for this operator, it could delete any objects stored there (certificates, CRLs, manifests, ROAs, or subordinate CA certificates). This could affect the routing status of entities that have allocations/assignments from this network operator (e.g., by deleting their CA certificates).
An adversary could invoke the tool used to request certificate revocation, causing router certificates, ROAs, or subordinate CA certificates to be revoked. An attack of this sort could affect not only this operator but also any operators that receive allocations/assignments from it, e.g., because their CA certificates were revoked.
If an operator is PATHSEC-enabled, an attack of this sort could cause the affected operator to be viewed as not PATHSEC-enabled, possibly making routes it emits less preferable to other operators.
If an adversary invoked a tool used to request ROAs, it could effectively reallocate some of the prefixes allocated/assigned to the network operator (e.g., by modifying the origin AS in ROAs). This might cause other PATHSEC-enabled networks to view the affected network as no longer originating routes for these prefixes. Multi-homed subscribers of this operator who received an allocation from the operator might find that their traffic was routed via other connections.
If the network operator is PATHSEC-enabled, and makes use of certificates associated with routers/ASes, an adversary could invoke a tool used to request such certificates. The adversary could then replace valid certificates for routers/ASes with ones that might be rejected by PATHSEC-enabled neighbors.
A critical element of the RPKI is the repository system. An adversary might attack a repository, or a publication point within a repository, to adversely affect routing.
This section considers only those attacks that can be launched by any adversary who controls a computer hosting one or more repository publication points, without access to the cryptographic keys needed to generate valid RPKI-signed products. Such attacks might be effected by an insider or an external threat. Because all repository objects are digitally signed, attacks of this sort translate into DoS attacks against the RPKI RPs. There are a few distinct forms of such attacks, as described below.
Note first that the RPKI calls for RPs to cache the data they acquire and verify from the repository system [RFC6480][RFC6481]. Attacks that delete signed products, insert products with "bad" signatures, tamper with object signatures, or replace newer objects with older (valid) ones, can be detected by RPs (with a few exceptions). RPs are expected to make use of local caches. If repository publication points are unavailable or the retrieved data is corrupted, an RP can revert to using the cached data. This behavior helps insulate RPs from the immediate effects of DoS attacks on publication points.
Each RPKI data object has an associated date on which it expires or is considered stale (certificates expire and CRLs become stale). When an RP uses cached data, how to deal with stale or expired data is a local decision. It is common in PKIs to make use of stale certificate revocation status data when fresher data is not available. Use of expired certificates is less common, although not unknown. Each RP will decide, locally, whether to continue to make use of or ignore cached RPKI objects that are stale or expired.
If an adversary inserts an object into a publication point, and the object has a "bad" signature, the object will not be accepted and used by RPs.
If an adversary modifies any signed product at a publication point, the signature on the product will fail, causing RPs to not accept it. This is equivalent to deleting the object, in many respects.
If an adversary deletes one or more CA certificates, ROAs, or the CRL for a publication point, the manifest for that publication point will allow an RP to detect this attack. An RP can continue to use the last valid instance of the deleted object (as a local policy option), thus minimizing the impact of such an attack.
If an adversary deletes a manifest (and does not replace it with an older instance), RPs are able to detect this action. Such behavior should result in the CA (or publication point maintainer) being notified of the problem. An RP can continue to use the last valid instance of the deleted manifest (a local policy option), thus minimizing the impact of such an attack.
If an adversary deletes newly added CA certificates or ROAs, and replaces the current manifest with the previous manifest, the manifest (and the CRL that it matches) will be "stale" (see [RFC6486]). This alerts an RP that there may be a problem. The RP should use the information from a Ghostbuster Record [RFC6493] to contact the entity responsible for the publication point and request a remedy to the problem (e.g., republish the missing CA certificates and/or ROAs). An RP cannot know the content of the new certificates or ROAs that are not present, but it can continue to use what it has cached. An attack of this sort will, at least temporarily, cause RPs to be unaware of the newly published objects. INRs associated with these objects will be treated as unauthenticated.
If a CA revokes a CA certificate or a ROA (via deleting the corresponding End Entity (EE) certificate), and the adversary tries to reinstate that CA certificate or ROA, the adversary would have to roll back the CRL and the manifest to undo this action by the CA. As above, this would make the CRL and manifest stale, and this is detectable by RPs. An RP cannot know which CA certificates or ROAs were deleted. Depending on local policy, the RP might use the cached instances of the affected objects and thus be tricked into making decisions based on these revoked objects. Here too, the goal is that the CA will be notified of the problem (by RPs) and will remedy the error.
In the attack scenarios above, when a CRL or manifest is described as stale, this means that the next issue date for the CRL or manifest has passed. Until the next issue date, an RP will not detect the attack. Thus, it behooves CAs to select CRL/manifest lifetimes (the two are linked) that represent an acceptable trade-off between risk and operational burdens.
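The detection behavior described in this section can be modeled compactly. The following Python is an added example, not part of the RFC or of any RP implementation: it reduces signature validation to a boolean flag (an assumption), uses the manifest fields defined in RFC 6486 (manifestNumber, thisUpdate, nextUpdate, per-file hashes), and runs on constructed sample objects.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Manifest:
    """Subset of the RFC 6486 manifest fields used by this check."""
    manifest_number: int
    this_update: datetime
    next_update: datetime
    file_list: dict             # file name -> SHA-256 hex digest
    signature_ok: bool = True   # assumption: outcome of signature/certificate validation


def digest(data):
    return hashlib.sha256(data).hexdigest()


def check_publication_point(fetched, files, cached, cached_files, now, use_cache=True):
    """Compare one fetch against its manifest and the RP's cache.

    Returns (findings, usable_objects). use_cache models the local policy
    choice between falling back to cached objects and dropping them.
    """
    findings = []
    if fetched is None:
        findings.append("manifest-missing")
    elif not fetched.signature_ok:
        findings.append("manifest-bad-signature")
    elif cached is not None and fetched.manifest_number < cached.manifest_number:
        findings.append("manifest-rollback")
    if findings:
        # No trustworthy manifest for this fetch: use the cache or nothing.
        return findings, (dict(cached_files) if use_cache else {})

    if now > fetched.next_update:
        findings.append("manifest-stale")
    usable = {}
    for name, expected in fetched.file_list.items():
        data = files.get(name)
        if data is not None and digest(data) == expected:
            usable[name] = data
            continue
        kind = "object-missing:" if data is None else "object-hash-mismatch:"
        findings.append(kind + name)
        if use_cache and name in cached_files:
            usable[name] = cached_files[name]   # last valid cached instance
    for name in sorted(set(files) - set(fetched.file_list)):
        findings.append("object-not-on-manifest:" + name)
    return findings, usable


# Constructed sample data (not real RPKI objects).
T0 = datetime(2014, 2, 1, tzinfo=timezone.utc)
ROA_A, ROA_B, CRL = b"constructed ROA A", b"constructed ROA B", b"constructed CRL"
M7 = Manifest(7, T0, T0 + timedelta(hours=24),
              {"a.roa": digest(ROA_A), "ca.crl": digest(CRL)})
M8 = Manifest(8, T0 + timedelta(hours=6), T0 + timedelta(hours=30),
              {"a.roa": digest(ROA_A), "b.roa": digest(ROA_B), "ca.crl": digest(CRL)})
OLD_FILES = {"a.roa": ROA_A, "ca.crl": CRL}
NEW_FILES = {"a.roa": ROA_A, "b.roa": ROA_B, "ca.crl": CRL}


def at(hours):
    return T0 + timedelta(hours=hours)


def scenarios():
    """Run the cases discussed in the text and return (findings, usable) for each."""
    return {
        # A ROA is deleted while the manifest still lists it.
        "deleted": check_publication_point(M7, {"ca.crl": CRL}, M7, OLD_FILES, at(1)),
        "deleted_purge": check_publication_point(M7, {"ca.crl": CRL}, M7, OLD_FILES,
                                                 at(1), use_cache=False),
        # Rollback to manifest 7 before the RP ever fetched manifest 8:
        # nothing is flagged until nextUpdate of manifest 7 has passed.
        "rollback_unseen_early": check_publication_point(M7, OLD_FILES, M7, OLD_FILES, at(12)),
        "rollback_unseen_late": check_publication_point(M7, OLD_FILES, M7, OLD_FILES, at(25)),
        # Rollback after the RP cached manifest 8: the number goes backwards.
        "rollback_seen": check_publication_point(M7, OLD_FILES, M8, NEW_FILES, at(12)),
    }


if __name__ == "__main__":
    for name, (findings, usable) in scenarios().items():
        print(name, findings, sorted(usable))
```

The `rollback_unseen_early` case returns no findings, which is the detection window that the CRL/manifest lifetime bounds.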
Attacks effected by adversaries that are legitimate managers of publication points can have much greater effects and are discussed below under attacks on or by CAs.
Every entity to which INRs have been allocated/assigned is a CA in the RPKI. Each CA is nominally responsible for managing the repository publication point for the set of signed products that it generates. (An INR holder may choose to outsource the operation of the RPKI CA function and the associated publication point. In such cases, the organization operating on behalf of the INR holder becomes the CA from an operational and security perspective. The following discussion does not distinguish such outsourced CA operations.)
Note that attacks attributable to a CA may be the result of malice by the CA (i.e., the CA is the adversary), or they may result from a compromise of the CA.
All of the adversaries listed in Section 2 are presumed to be capable of launching attacks against the computers used to perform CA functions. Some adversaries might effect an attack on a CA by violating personnel or physical security controls as well. The distinction between the CA as an adversary versus the CA as an attack victim is important. Only in the latter case should one expect the CA to remedy problems caused by an attack once the attack has been detected. (If a CA does not take such action, the effects are the same as if the CA is an adversary.)
Note that most of the attacks described below do not require disclosure of a CA's private key to an adversary. If the adversary can gain control of the computer used to issue certificates, it can effect these attacks, even though the private key for the CA remains "secure" (i.e., not disclosed to unauthorized parties). However, if the CA is not the adversary, and if the CA's private key is not compromised, then recovery from these attacks is much easier. This motivates use of hardware security modules to protect CA keys, at least for higher tiers in the RPKI.
An attack by a CA can result in revocation or replacement of any of the certificates that the CA has issued. Revocation of a certificate should cause RPs to delete the (formerly) valid certificate (and associated signed object, in the case of a revoked EE certificate) that they have cached. This would cause repository objects (e.g., CA certificates and ROAs) that are verified under that certificate to be considered invalid, transitively. As a result, RPs would not consider any ROAs or PATHSEC-protected updates to be valid based on these certificates, which would make routes dependent on them less preferred. Because a CA that revokes a certificate is authorized to do so, this sort of attack cannot be detected, intrinsically, by most RPs. However, the entities affected by the revocation or replacement of CA certificates can be expected to detect the attack and contact the CA to effect remediation. If the CA was not the adversary, it should be able to issue new certificates and restore the publication point.
An adversary that controls the CA for a publication point can publish signed products that create more subtle types of DoS attacks against RPs. For example, such an attacker could create subordinate CA certificates with Subject Information Access (SIA) pointers that lead RPs on a "wild goose chase" looking for additional publication points and signed products. An attacker could publish certificates with very brief validity intervals or CRLs and manifests that become "stale" very quickly. This sort of attack would cause RPs to access repositories more frequently, and that might interfere with legitimate accesses by other RPs.
An attacker with this capability could create very large numbers of ROAs to be processed (with prefixes that are consistent with the allocation for the CA) and correspondingly large manifests. An attacker could create very deep subtrees with many ROAs per publication point, etc. All of these types of DoS attacks against RPs are feasible within the syntactic and semantic constraints established for RPKI certificates, CRLs, and signed objects.
An attack that results in revocation and replacement (e.g., key rollover or certificate renewal) of a CA certificate would cause RPs to replace the old, valid certificate with the new one. This new certificate might contain a public key that does not correspond to the private key held by the certificate subject. That would cause objects signed by that subject to be rejected as invalid, and prevent the affected subject from being able to sign new objects. As above, RPs would not consider any ROAs issued under the affected CA certificate to be valid, and updates based on router certificates issued by the affected CA would be rejected. This would make routes dependent on these signed products less preferred. However, the constraints imposed by the use of extensions detailed in [RFC3779] prevent a compromised CA from issuing (valid) certificates with INRs outside the scope of the CA, thus limiting the impact of the attack.
An adversary that controls a CA could issue CA certificates with overlapping INRs to different entities when no transfer of INRs is intended. This could cause confusion for RPs as conflicting ROAs could be issued by the distinct (subordinate) CAs.
An adversary could replace a CA certificate, use the corresponding private key to issue new signed products, and then publish them at a publication point controlled by the attacker. This would effectively transfer the affected INRs to the adversary or to a third party of his choosing. The result would be to cause RPs to view the entity that controls the private key in question as the legitimate INR holder. Again, the constraints imposed by the use of the extensions in RFC 3779 prevent a compromised CA from issuing (valid) certificates with INRs outside the scope of the CA, thus limiting the impact of the attack.
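The paragraphs above rest on two checks over INR sets: RFC 3779 containment (a subordinate certificate's resources must fall within its issuer's) and overlap between certificates issued to different entities. The following Python is an added example, not code from the RFC; certificates are modeled as constructed dictionaries of prefixes and AS number ranges rather than parsed X.509 extensions, and the names `ca-a`, `ca-b` and `ca-c` are hypothetical.

```python
import ipaddress
from itertools import combinations


def collapse(prefixes):
    """Parse prefixes and merge adjacent or nested ones, per address family."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return merged


def merge_ranges(ranges):
    """Merge overlapping or adjacent (low, high) AS number ranges."""
    merged = []
    for low, high in sorted(ranges):
        if merged and low <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], high))
        else:
            merged.append((low, high))
    return merged


def check_issuance(issuer, subordinates):
    """Return findings for resources outside the issuer's INRs and for
    prefixes that appear in more than one subordinate certificate."""
    findings = []
    holder_nets = collapse(issuer["prefixes"])
    holder_asns = merge_ranges(issuer["asns"])

    for sub in subordinates:
        for net in collapse(sub["prefixes"]):
            inside = any(net.version == h.version and net.subnet_of(h)
                         for h in holder_nets)
            if not inside:
                findings.append(("out-of-scope", sub["name"], str(net)))
        for low, high in merge_ranges(sub["asns"]):
            if not any(h_low <= low and high <= h_high for h_low, h_high in holder_asns):
                findings.append(("out-of-scope", sub["name"], "AS%d-AS%d" % (low, high)))

    for a, b in combinations(subordinates, 2):
        for na in collapse(a["prefixes"]):
            for nb in collapse(b["prefixes"]):
                if na.version == nb.version and na.overlaps(nb):
                    # CIDR blocks either nest or are disjoint; report the smaller one.
                    shared = na if na.subnet_of(nb) else nb
                    findings.append(("overlap", a["name"], b["name"], str(shared)))
    return findings


# Constructed sample data using documentation prefixes and AS numbers.
ISSUER = {
    "prefixes": ["192.0.2.0/25", "192.0.2.128/25", "2001:db8::/32"],
    "asns": [(64496, 64511)],
}
SUBORDINATES = [
    # Covered only by the union of the issuer's two /25 blocks.
    {"name": "ca-a", "prefixes": ["192.0.2.0/24"], "asns": [(64496, 64500)]},
    # One prefix and one AS number outside the issuer's INRs, one prefix
    # that duplicates part of ca-a's allocation.
    {"name": "ca-b", "prefixes": ["192.0.2.64/26", "198.51.100.0/24"],
     "asns": [(64512, 64512)]},
    {"name": "ca-c", "prefixes": ["2001:db8:1::/48"], "asns": []},
]


def demo_findings():
    return check_issuance(ISSUER, SUBORDINATES)


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

An overlap finding is a signal for review rather than proof of misbehavior, since the text treats overlapping INRs as a problem only when no transfer is intended.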
Finally, an entity that manages a repository publication point can inadvertently act as an attacker (an example of Walt Kelly's most famous "Pogo" quote [Kelly70]). For example, a CA might fail to replace its own certificate in a timely fashion (well before it expires). It might fail to issue its CRL and manifest prior to expiration, creating stale instances of these products that cause concern for RPs. A CA with many subordinate CAs (e.g., an RIR or NIR) might fail to distribute the expiration times for the CA certificates that it issues. A network with many ROAs might do the same for the EE certificates associated with the ROAs it generates. A CA could roll over its key but fail to reissue subordinate CA certificates under its new key. Poor planning with regard to rekey intervals for managed CAs could impose undue burdens for RPs, despite a lack of malicious intent. All of these examples of mismanagement could adversely affect RPs, despite the absence of malicious intent.
The RPKI, upon which PATHSEC relies, has several residual vulnerabilities that were discussed in the preceding text (Sections 4.4 and 4.5). These vulnerabilities are of two principal forms:
o The RPKI repository system may be attacked in ways that make its contents unavailable, not current, or inconsistent. The principal defense against most forms of DoS attacks is the use of a local cache by each RP. The local cache ensures availability of previously acquired RPKI data in the event that a repository is inaccessible or if the repository contents are deleted (maliciously). Nonetheless, the system cannot ensure that every RP will always have access to up-to-date RPKI data. An RP, when it detects a problem with acquired repository data, has two options:
1. The RP may choose to make use of its local cache, employing local configuration settings that tolerate expired or stale objects. (Such behavior is, nominally, always within the purview of an RP in PKI.) Using cached, expired, or stale data subjects the RP to attacks that take advantage of the RP's ignorance of changes to this data.
2. The RP may choose to purge expired objects. Purging expired objects removes the security information associated with the real-world INRs to which the objects refer. This is equivalent to the affected INRs not having been afforded protection via the RPKI. Since use of the RPKI (and PATHSEC) is voluntary, there may always be a set of INRs that are not protected by these mechanisms. Thus, purging moves the affected INRs to the set of non-participating INR holders. This more conservative response enables an attacker to move INRs from the protected set to the unprotected set.
o Any CA in the RPKI may misbehave within the bounds of the INRs allocated to it, e.g., it may issue certificates with duplicate resource allocations or revoke certificates inappropriately. This vulnerability is intrinsic in any PKI, but its impact is limited in the RPKI because of the use of extensions in RFC 3779. It is anticipated that RPs will deal with such misbehavior through administrative means once it is detected.
PATHSEC has a separate set of residual vulnerabilities:
o It has been stated that "route leaks" are viewed as a routing security problem by many operators. However, BGP itself does not include semantics that preclude what many perceive as route leaks, and there is no definition of the term in any RFC. This makes it inappropriate to address route leaks in this document. Additionally, route leaks are outside the scope of PATHSEC, consistent with the security context noted in Section 1 of this document. If, at a later time, the SIDR security context is revised to include route leaks, and an appropriate definition exists, this document should be revised.
o PATHSEC is not required to protect all attributes associated with an AS_PATH, even though some of these attributes may be employed as inputs to routing decisions. Thus, attacks that modify (or strip) these other attributes are not prevented/detected by PATHSEC. As noted in Section 1, the SIDR security context calls for protecting only the information needed to verify that a received route traversed the ASes in question, and that the NLRI in the route is what was advertised. (The AS_PATH data also may have traversed ASes within a confederation that are not represented. However, these ASes are not externally visible and thus do not influence route selection, so their omission in this context is not a security concern.) Thus, protection of other attributes is outside the scope of this document, as described in Section 1. If, at a later time, the SIDR security context is revised to include protection of additional BGP attributes, this document should be revised.
o PATHSEC cannot ensure that an AS will withdraw a route when the AS no longer has a route for a prefix, as noted in Section 4.2. PATHSEC may incorporate features to limit the lifetime of an advertisement. Such lifetime limits provide an upper bound on the time that the failure to withdraw a route will remain effective.
A threat model is, by definition, a security-centric document. Unlike a protocol description, a threat model does not create security problems nor does it purport to address security problems. This model postulates a set of threats (i.e., motivated, capable adversaries) and examines classes of attacks that these threats are capable of effecting, based on the motivations ascribed to the threats. It describes the impact of these types of attacks on PATHSEC, including the RPKI on which PATHSEC relies. It describes how the design of the RPKI (and the PATHSEC design goals) address classes of attacks, where applicable. It also notes residual vulnerabilities.
The authors wish to thank the members of the SIDR working group for the extensive feedback provided during the development of this document.
[Kelly70] Kelly, W., "We Have Met The Enemy and He Is Us: Pogo Earth Day Poster", April 1970.
[Kent2000] Kent, S., Lynn, C., and K. Seo, "Design and Analysis of the Secure Border Gateway Protocol (S-BGP)", IEEE DISCEX Conference, June 2000.
[RFC3779] Lynn, C., Kent, S., and K. Seo, "X.509 Extensions for IP Addresses and AS Identifiers", RFC 3779, June 2004.
[RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway Protocol 4 (BGP-4)", RFC 4271, January 2006.
[RFC4272] Murphy, S., "BGP Security Vulnerabilities Analysis", RFC 4272, January 2006.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005.
[RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP Authentication Option", RFC 5925, June 2010.
[RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support Secure Internet Routing", RFC 6480, February 2012.
[RFC6481] Huston, G., Loomans, R., and G. Michaelson, "A Profile for Resource Certificate Repository Structure", RFC 6481, February 2012.
[RFC6482] Lepinski, M., Kent, S., and D. Kong, "A Profile for Route Origin Authorizations (ROAs)", RFC 6482, February 2012.
[RFC6486] Austein, R., Huston, G., Kent, S., and M. Lepinski, "Manifests for the Resource Public Key Infrastructure (RPKI)", RFC 6486, February 2012.
[RFC6487] Huston, G., Michaelson, G., and R. Loomans, "A Profile for X.509 PKIX Resource Certificates", RFC 6487, February 2012.
[RFC6488] Lepinski, M., Chi, A., and S. Kent, "Signed Object Template for the Resource Public Key Infrastructure (RPKI)", RFC 6488, February 2012.
[RFC6493] Bush, R., "The Resource Public Key Infrastructure (RPKI) Ghostbusters Record", RFC 6493, February 2012.
[RFC6810] Bush, R. and R. Austein, "The Resource Public Key Infrastructure (RPKI) to Router Protocol", RFC 6810, January 2013.
[SIDR-CH] "Secure Inter-Domain Routing: Charter for Working Group", September 2013, <http://tools.ietf.org/wg/sidr/charters?item=charter-sidr-2013-09-20.txt>.
[Sam04] Samuel, A., "Hacktivism and the Future of Political Participation", Ph.D. dissertation, Harvard University, September 2004, <http://www.alexandrasamuel.com/dissertation/pdfs/Samuel-Hacktivism-entire.pdf>.
Authors' Addresses
Stephen Kent BBN Technologies 10 Moulton St. Cambridge, MA 02138 USA
EMail: kent@bbn.com
Andrew Chi University of North Carolina - Chapel Hill c/o Department of Computer Science CB 3175, Sitterson Hall Chapel Hill, NC 27599 USA
EMail: achi@cs.unc.edu