
Master in Cybersecurity: Secure Communications

Lesson 4: Network layer security

Course 2022-2023

Antonio Pastor [email protected]


Lesson outline

1. IP and ICMP:
   - IPv4
   - ICMP
   - IPv6
   - Attacks against IP and ICMP
2. Dynamic Host Configuration Protocol (DHCP):
   - DHCP operation
   - Attacks against DHCP
3. Address Resolution Protocol (ARP):
   - ARP operation
   - Attacks against ARP
4. Border Gateway Protocol (BGP):
   - BGP operation
   - RPKI
   - BGPSec

2
IP and ICMP
The Internet network layer

Hosts and routers network layer functions (figure: the network layer sits between the transport layer, TCP/UDP, and the link layer, PPP/Ethernet/802.11, above the physical layer):

Routing protocols:
- Path selection
- RIP, OSPF, BGP
- Their result is the forwarding table used by IP

Internet Protocol (IP):
- Addressing conventions.
- Datagram format.
- Packet forwarding.

ICMP protocol:
- Error reporting
- Router "signaling"

4
IPv4 datagram format

Figure: the IPv4 header [RFC791], drawn as 32-bit rows, with the meaning of each field:
- Ver: IP protocol version number (4 bits).
- Hdr. len: header length (4 bits), in units of 4 bytes.
- DSCP: Differentiated Services, for Quality of Service (QoS).
- Length: total datagram length (bytes).
- Fragment Id., Flgs, Fragment offset: for fragmentation/reassembly.
- Time To Live (TTL): max number of remaining hops (decremented by each router).
- Protocol: upper layer protocol to deliver payload to.
- Header checksum.
- Source IP address.
- Destination IP address.
- [Options (if any)]: e.g. Timestamp, Record route, Source routing.
- Payload (variable length, typically a TCP or UDP segment).

5
IPv4 fragmentation and reassembly

- Network links have a Maximum Transmission Unit (MTU): largest possible link-level data frame:
  - Different link types → different MTUs.
  - 1500 for Ethernet.
- Larger IPv4 datagrams divided ("fragmented") within network (routers):
  - A datagram becomes several ones (fragmentation: in, 1 large datagram; out, 3 smaller datagrams).
  - "Reassembled" only at final destination.
  - IP header bits used to identify and order related fragments.
6
IPv4 fragmentation and reassembly example

Example:
- 4000 byte datagram
- MTU: 1500 bytes
- 1480 bytes in data field
- Offset = 1480/8

One large datagram becomes several smaller datagrams:

  Length   ID   Frag flag   Offset
  =4000    =x   =0          =0        (original datagram)

  Length   ID   MF   Offset
  =1500    =x   =1   =0
  =1500    =x   =1   =185
  =1040    =x   =0   =370

Notice that the transport header (i.e. TCP/UDP ports) is only carried in the first fragment
and that the payload may be arbitrarily segmented (e.g. to evade IDS signatures).
7
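A runnable version of this example, added here and not part of the course slides: it packs a constructed 4000-byte UDP datagram with a real 20-byte IPv4 header, fragments it for a 1500-byte MTU as a router would, and reassembles it at the receiver, rejecting gaps, overlaps and incomplete datagrams. The sample addresses, identifier and port numbers are my own.

```python
import struct

IPV4_HDR_FMT = "!BBHHHBBH4s4s"                  # RFC 791 fixed header (no options)
IPV4_HDR_LEN = struct.calcsize(IPV4_HDR_FMT)    # 20 bytes
FLAG_DF, FLAG_MF = 0x2, 0x1                     # Don't Fragment / More Fragments bits

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (header checksum field)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(total_len, ident, flags, offset8, proto, src, dst, ttl=64):
    """Pack a 20-byte IPv4 header; offset8 is the fragment offset in 8-byte units."""
    hdr = struct.pack(IPV4_HDR_FMT, 0x45, 0, total_len, ident,
                      (flags << 13) | offset8, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def parse_header(pkt):
    f = struct.unpack(IPV4_HDR_FMT, pkt[:IPV4_HDR_LEN])
    return dict(ihl=(f[0] & 0xF) * 4, total_len=f[2], ident=f[3],
                flags=f[4] >> 13, offset8=f[4] & 0x1FFF, ttl=f[5], proto=f[6],
                src=f[8], dst=f[9])

def fragment(datagram, mtu=1500):
    """Split one datagram into MTU-sized fragments, as a router would."""
    h = parse_header(datagram)
    if h["total_len"] <= mtu:
        return [datagram]
    if h["flags"] & FLAG_DF:
        raise ValueError("DF set: drop and send ICMP type 3 code 4 (fragmentation required)")
    payload = datagram[h["ihl"]:h["total_len"]]
    max_data = (mtu - IPV4_HDR_LEN) // 8 * 8     # 1480 for MTU 1500: data must align to 8-byte offsets
    frags, pos = [], 0
    while pos < len(payload):
        data = payload[pos:pos + max_data]
        mf = FLAG_MF if pos + len(data) < len(payload) else 0
        frags.append(build_header(IPV4_HDR_LEN + len(data), h["ident"], mf, pos // 8,
                                  h["proto"], h["src"], h["dst"], h["ttl"]) + data)
        pos += len(data)
    return frags

def summarize(frag):
    """(Length, ID, MF, Offset), the columns of the slide's table."""
    h = parse_header(frag)
    return (h["total_len"], h["ident"], h["flags"] & FLAG_MF, h["offset8"])

def transport_ports(frag):
    """UDP/TCP ports are only visible in the fragment with offset 0 (the slide's note)."""
    h = parse_header(frag)
    if h["offset8"] != 0:
        return None
    return struct.unpack("!HH", frag[h["ihl"]:h["ihl"] + 4])

def reassemble(frags):
    """Rebuild the datagram at the end host. Gaps, overlaps and a missing last fragment are
    rejected: overlapping fragments are exactly the ambiguity an IDS and the host may resolve
    differently, which is the evasion mentioned on the slide."""
    parsed = sorted(((parse_header(f), f) for f in frags), key=lambda p: p[0]["offset8"])
    first, ident = parsed[0][0], parsed[0][0]["ident"]
    expect, chunks = 0, []
    for h, f in parsed:
        if h["ident"] != ident:
            raise ValueError("fragments of different datagrams")
        if h["offset8"] * 8 != expect:
            raise ValueError("gap or overlap at byte %d" % (h["offset8"] * 8))
        data = f[h["ihl"]:h["total_len"]]
        chunks.append(data)
        expect += len(data)
    if parsed[-1][0]["flags"] & FLAG_MF:
        raise ValueError("last fragment has MF=1: datagram incomplete")
    payload = b"".join(chunks)
    return build_header(IPV4_HDR_LEN + len(payload), ident, 0, 0,
                        first["proto"], first["src"], first["dst"], first["ttl"]) + payload

def sample_datagram():
    """Constructed 4000-byte UDP datagram (proto 17): 20-byte IP header + 8-byte UDP header + data."""
    udp = struct.pack("!HHHH", 40000, 53, 3980, 0) + b"A" * (3980 - 8)
    return build_header(IPV4_HDR_LEN + len(udp), 0x1234, 0, 0, 17,
                        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp

if __name__ == "__main__":
    frags = fragment(sample_datagram())
    for f in frags:
        print(summarize(f), transport_ports(f))
    print("reassembled OK:", reassemble(frags) == sample_datagram())
```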
Internet Control Message Protocol (ICMP)

- Used by hosts & routers to communicate network-level information:
  - Error reporting: e.g. Destination unreachable.
  - Echo request/reply (used by Ping).
- Control messages "above" IP:
  - ICMP messages carried on IP datagrams.
- ICMP message [RFC792]: Type (8) | Code (8) | Checksum (16 bits); [Type-specific data]; 20+8 bytes of IP datagram causing error.

  Type  Code  Description
  0     0     Echo reply (Ping)
  3     0     Dest. network unreachable
  3     1     Dest. host unreachable
  3     2     Dest. protocol unreachable
  3     3     Dest. port unreachable
  3     4     Fragmentation required (DF=1)
  3     9     Dest. network prohibited
  4     0     Source quench (congestion control)
  5     0     Redirect for network
  5     1     Redirect for host
  8     0     Echo request (Ping)
  11    0     TTL exceeded in transit (Traceroute)
  11    1     TTL exceeded in reassembly
8
Traceroute

- Source sends series of UDP segments to dest.:
  - 1st set has TTL=1.
  - 2nd set has TTL=2, etc.
  - Random UDP port number (or ICMP Echo).
  - 3 probes per TTL value.
- When i-th set of datagrams arrives at i-th router:
  - Router discards datagrams and sends ICMP TTL Exceeded messages.
  - ICMP messages include router source IP address & error-causing datagram.
- When ICMP messages arrive, source measures RTTs.

Stopping criteria:
- UDP segment eventually arrives at destination host.
- Destination returns ICMP Port unreachable message (or ICMP Echo Reply).
- Source stops.
9
IPv6: Motivation

- Initial and main motivation: 32-bit address space soon to be completely allocated:
  - Only AFRINIC has free addresses today.
- Additional motivations:
  - Header format helps speed processing/forwarding:
    - 64-bit alignment of the packet, no header checksum.
  - Header changes to facilitate QoS (Traffic Class & Flow Label).

IPv6 datagram format:
- Fixed-length, 40-byte header.
- No router fragmentation:
  - Host based → MTU discovery.

10
IPv6 datagram format

Priority: Identify priority among datagrams in flow.
Flow Label: Identify datagrams in the same "flow".
Next header: identify upper layer protocol for data, or extension headers (like IPv4 options).

Header layout (32 bits per row):
  Ver. | Pri. | Flow label
  Payload length | Next hdr. | Hop limit
  Source address (128 bits)
  Destination address (128 bits)
  Payload
11
Other changes from IPv4

- Checksum: removed entirely to reduce processing time at each hop.
- Options: Allowed, but outside of header, indicated by "Next Header" field.
- ICMPv6: New version of ICMP.
  - Additional message types, e.g. "Packet Too Big".
  - Stateless Address Autoconfiguration (SLAAC).
  - Neighbor discovery protocol.
  - Multicast group management functions.

12
Internet Control Message Protocol (ICMPv6)

ICMPv6 functions (figure):
- Control & Error: Ping, Traceroute, Node Info, MTU.
- L2 discovery: IPv6 → MAC.
- Autoconfig: SLAAC.
- Multicast: MLD.

13
StateLess Address Auto Configuration (SLAAC)

14
Transition from IPv4 to IPv6

- Not all routers can be upgraded simultaneously:
  - No "flag day".
  - How will network operate with mixed IPv4 and IPv6 routers?
    - Tunneling, Dual-Stack, NAT64.
- Tunneling: IPv6 datagram carried as payload in IPv4 datagram among IPv4 routers:

  IPv4 datagram = [IPv4 header fields | IPv4 source, dest addr] + IPv4 payload
  IPv4 payload  = IPv6 datagram = [IPv6 header fields | IPv6 source, dest addr] + UDP/TCP payload

15
Tunneling

IPv4 tunnel connecting IPv6 routers (figure):
  Logical view:  A (IPv6) - B (IPv6) ==== IPv4 tunnel ==== E (IPv6) - F (IPv6)
  Physical view: A (IPv6) - B (IPv6/IPv4) - C (IPv4) - D (IPv4) - E (IPv4/IPv6) - F (IPv6)

Routers B and E are Dual-Stack.

16
Tunneling

Same IPv4 tunnel connecting IPv6 routers A, B, E, F across IPv4 routers C, D. Packets along the path:
- A-to-B (IPv6): Flow: X, Src: A, Dest: F, Data.
- B-to-C and D-to-E (IPv6 inside IPv4): outer IPv4 header Src: B, Dest: E; inner IPv6 datagram Flow: X, Src: A, Dest: F, Data.
- E-to-F (IPv6): Flow: X, Src: A, Dest: F, Data.
17
Security Flaws & Attacks in IP
IP-based authentication

- Recall how IP works...
  - End hosts create IP packets, and routers process them purely based on destination address alone.
- Problem: End hosts may lie about fields which do not affect delivery:
  - Source address: Host may trick destination into believing that the packet is from a trusted source.
    - Especially for applications which use IP addresses as a simple authentication method.
    - Solution: Use better authentication methods (e.g. IPSec, TLS).

19
IP address spoofing

Figure: the Attacker (145.13.145.67) sends a packet with SA: 36.220.9.59, DA: 212.68.212.7 to the Amplifier (212.68.212.7); the Amplifier answers with SA: 212.68.212.7, DA: 36.220.9.59, i.e. to the DoS victim (36.220.9.59).

- However attacker cannot interact with the amplifier or victim:
  - Unless attacker is on path between victim and spoofed address (i.e. Man-on-the-Middle).
- Countermeasure: Network ingress filtering [RFC2827] (a.k.a. BCP38) to check proper source IP addresses:
  - Only at network edges (not for Tier 1 transit providers ISPs).
  - Deployment incentives? Costs on me but benefits on others:
    - Tragedy of Commons?

20
Problems with some IP options

- IP Source Routing (Strict-source-route, Option type 137).
- Specifies the list of routers the packet must go through:

21
IP Source Routing

Figure: a packet from 67.34.30.6 to 138.6.25.40 carries a strict source route option (type 137, length 15, pointer 4) listing 140.10.5.4, 200.14.7.14, 138.6.25.40. At each hop the destination field is replaced by the next listed router, the pointer advances and the address of the router just traversed is recorded in the list:

  Hop  Source      Destination   Option (type, len, ptr)  Route list
  1    67.34.30.6  67.14.10.22   137 15 4                 140.10.5.4, 200.14.7.14, 138.6.25.40
  2    67.34.30.6  140.10.5.4    137 15 8                 67.14.10.22, 200.14.7.14, 138.6.25.40
  3    67.34.30.6  200.14.7.14   137 15 12                67.14.10.22, 140.10.5.4, 138.6.25.40
  4    67.34.30.6  138.6.25.40   137 15 16                67.14.10.22, 140.10.5.4, 200.14.7.14

Networks traversed: 67.0.0.0/24 (67.14.10.22), 140.10.0.0/16 (140.10.6.3, 140.10.5.4), 200.14.7.0/24 (200.14.7.9, 200.14.7.14), 138.6.0.0/16 (138.6.22.26, 138.6.25.40).

22
Source-Route MitM Attack
1. Eve generates packets with fake source route to Bob (destination), that claim to come from Alice.
2. Source route includes Eve's IP (Eve looks like a router between A and B).
3. Routers between Eve and Bob read source route and deliver packets to Bob via Eve (in case of loose-source route, otherwise the delivery is straightforward).
4. Bob responds by sending packets to Alice through Eve (reverse order).
5. Eve could even choose not to forward packets to Alice (DoS is not required).

Figure: packet from Eve to Bob with route: 1. Alice, 2. Eve, 3. Bob. Packet from Bob to Alice with route: 1. Bob, 2. Eve, 3. Alice.

Comment:
This attack doesn't work across the Internet: most routers block Source Routed packets.
Yet, not blocked on internal networks.
23
IP defenses

- Can block nearly all attacks at perimeter.
- Five best practices rules:
  1. Block all inbound where SA from internal nets.
  2. Block all outbound where SA not from internal nets.
  3. Block all in/out where SA | DA in reserved address for IPv4* or IPv6**.
  4. Block all source-routed datagrams or all IP options.
  5. Block all datagram fragments or limit reassembly resources.

* e.g.: RFC 1918 or APIPA
** e.g.: RFC 4193 (ULA - FC00::/7), documentation RFC3849 (2001:db8), Link-local (FE80::/10)
IANA registers in RFC6890 all special use IP addresses
24
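As an added example (not from the course), the five rules as a small Python filter run over constructed packets taken from the spoofing figure, seen from the victim's edge router. The internal prefix 36.220.0.0/16, the per-source fragment budget and the traffic mix are assumptions; the reserved ranges are the ones listed in the slide's footnotes.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Rule 3 ranges, taken from the slide footnotes; RFC 6890 lists the full special-use registry.
RESERVED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private
    "169.254.0.0/16",                                  # APIPA (IPv4 link-local)
    "fc00::/7",                                        # RFC 4193 ULA
    "2001:db8::/32",                                   # RFC 3849 documentation
    "fe80::/10",                                       # IPv6 link-local
)]
SOURCE_ROUTE_OPTIONS = {131, 137}   # loose / strict source route option types

@dataclass
class Packet:
    direction: str          # "in" (from the Internet) or "out" (towards the Internet)
    sa: str
    da: str
    options: tuple = ()     # IPv4 option type numbers present in the header
    is_fragment: bool = False

def in_any(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)   # mixed IPv4/IPv6 comparisons are simply False

class PerimeterFilter:
    """Applies the slide's five rules in order; returns ("drop", rule) or ("accept", 0)."""
    def __init__(self, internal_nets, block_all_options=False, frag_budget=None):
        self.internal = [ipaddress.ip_network(n) for n in internal_nets]
        self.block_all_options = block_all_options   # rule 4: all options vs. only source routing
        self.frag_budget = frag_budget               # rule 5: None -> block fragments; int -> limit per SA
        self.frags_seen = defaultdict(int)

    def decide(self, p):
        internal_sa = in_any(p.sa, self.internal)
        if p.direction == "in" and internal_sa:
            return ("drop", 1)      # outside packet claiming an inside source (ingress filtering)
        if p.direction == "out" and not internal_sa:
            return ("drop", 2)      # inside host using someone else's address (BCP38 egress)
        if in_any(p.sa, RESERVED) or in_any(p.da, RESERVED):
            return ("drop", 3)
        if p.options and (self.block_all_options or set(p.options) & SOURCE_ROUTE_OPTIONS):
            return ("drop", 4)
        if p.is_fragment:
            if self.frag_budget is None:
                return ("drop", 5)
            self.frags_seen[p.sa] += 1
            if self.frags_seen[p.sa] > self.frag_budget:
                return ("drop", 5)  # reassembly resources for this source exhausted
        return ("accept", 0)

def run_sample():
    """Constructed traffic at the victim's edge: 36.220.0.0/16 is inside, the rest is the Internet."""
    fw = PerimeterFilter(["36.220.0.0/16"], frag_budget=2)
    packets = [
        Packet("in", "36.220.9.59", "212.68.212.7"),                     # claims an inside SA from outside
        Packet("out", "145.13.145.67", "212.68.212.7"),                  # inside host with a foreign SA
        Packet("in", "212.68.212.7", "36.220.9.59"),                     # legitimate reply
        Packet("in", "10.1.1.1", "36.220.9.59"),                         # RFC 1918 source from outside
        Packet("in", "2001:db8::1", "2001:db8::2"),                      # documentation prefix
        Packet("in", "212.68.212.7", "36.220.9.59", options=(137,)),     # strict source route
        Packet("in", "212.68.212.7", "36.220.9.59", is_fragment=True),   # fragments 1..3 from one SA
        Packet("in", "212.68.212.7", "36.220.9.59", is_fragment=True),
        Packet("in", "212.68.212.7", "36.220.9.59", is_fragment=True),
    ]
    return [fw.decide(p) for p in packets]

if __name__ == "__main__":
    for verdict in run_sample():
        print(verdict)
```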
Security flaws & attacks to ICMP
ICMP attacks

- ICMP also has no authentication mechanism.
- Ways in which ICMP can be used to compromise:
  - ICMP Source Quench (deprecated option):
    - Slows down transmission of traffic, essentially performing a partial DoS on itself.
  - ICMP DoS:
    - Attacker could use either ICMP Time exceeded or Destination unreachable messages. Both messages can cause a host to drop the connection.
    - Attacker can simply forge one of these ICMP messages and send it to one or both communicating hosts ... their connection will then be broken, even if protected by upper protocols (e.g. TLS).
26
Smurf DoS Attack

Figure: (1) the DoS Source sends an ICMP Echo Request with Src: DoS victim, Dest: Broadcast addr. through the Router to the Amplifiers; (3) every Amplifier sends an ICMP Echo Reply with Dest: DoS Target (the victim).

- Send ping (ICMP Echo Request) to subnet broadcast address.
- Lots of responses:
  - Every host on target network generates a ping reply to the victim → Amplification attack.
  - Ping reply stream can overwhelm the victim.

Prevention: Reject external packets to broadcast addresses. 27

ICMP Redirect

- ICMP Redirect messages sent by routers to solve routing problems.
- Host H sends a packet to host 10.1.1.1 on network 10.0.0.0/8.
- Since Host H is not directly connected to 10.1.1.1, packet is sent to its default gateway, Router R1.
- Router R1 looks for destination IP address 10.1.1.1 in its routing table, but path to the network is by Router R2, back out the same interface the packet came from.
- Router R1 forwards packet to R2 and sends an ICMP Redirect message to host H telling it to use Router R2 (172.16.1.100) as the gateway to forward all future requests to network 10.0.0.0/8.

28
ICMP Redirect Attack

- The attacker sends a spoofed ICMP redirect message that appears to come from the host's default gateway.

Figure: Victim 192.168.1.3, Attacker 192.168.1.4 and host 192.168.1.2 share a LAN whose Default Gateway 192.168.1.1 leads to the Internet; the Attacker sends the forged packet to the Victim.

- E.g. Attacker 192.168.1.4 sends a forged ICMP Redirect message to victim 192.168.1.3, saying the route through 192.168.1.4 is a better way to Internet (0.0.0.0/0). The source IP address of this forged ICMP packet is the gateway's IP address 192.168.1.1. Then all the traffic from 192.168.1.3 to internet will go through 192.168.1.4.
- Then, trivial Man-in-the-Middle (MitM) attack!
29
ICMPv6 attacks

- Fake Router Advertisement type:
  - Advertise attacker as the Gateway = Redirect = MiTM.
  - Advertise victim as Gateway = DoS.
  - Advertise non-existing IPv6 as Gateway = DoS.
- DoS using DAD (Neighbor Solicitation):
  - SLAAC message.
  - Respond victim with NA stating address is taken.
- Information Collection:
  - Type "Node Information": hostname, IPv6 & IPv4 address.
  - SLAAC IPv6 address ID based on MAC address.
- Equivalent to ARP attacks.
https://www.cisco.com/c/en/us/about/security-center/ipv6-first-hop.html 30
ICMP defenses

- Limit which ICMP types and codes you allow into your network:
  - Destination unreachable errors.
  - Echo request/reply (for Ping).
  - TTL Exceeded (for Traceroute).
- Avoid ICMP redirect messages, which are of little (legit) use and have better alternatives:
  - E.g. Static routes/RIP in end hosts.
- Don't allow "Unreachable" errors from outside your border?
  - Let the absence of a reply imply a problem → Slower recovery.
  - Never filter IPv6 "Packet Too Big" → Required for MTU discovery (i.e. host-based fragmentation).

31
Dynamic Host Configuration Protocol
(DHCP)
DHCP objectives
- DHCP [RFC2131] allows a host to obtain an IP address from a defined (pool) range of IP addresses on a DHCP server.
  - DHCP runs on top of UDP (UDP/67 Server, UDP/68 Client).
  - DHCP and DNS are the key protocols for IP Address Management (IPAM).
- When a host comes online, it contacts DHCP server and requests an IP address and other key network configuration parameters:

33
DHCP operation (I)

34
DHCP operation (II)

- Dynamic Allocation is a 4-step process:

1. DHCPDISCOVER:
   - Client broadcasts a DHCPDISCOVER message to find all DHCP server(s) on the network.
   - Client source IP address: 0.0.0.0

35
DHCP operation (III)

2. DHCPOFFER:
   - DHCP server(s) respond with a DHCPOFFER.
   - DHCPOFFER message is sent in unicast and contains an available IP address to lease.
     - It also contains other parameters such as Subnet mask, DNS server, Default gateway and duration of the lease.

36
DHCP operation (IV)

3. DHCPREQUEST:
   - Client responds with a broadcast DHCPREQUEST message. It identifies the explicit server and lease offer that the client is accepting.
   - It serves as an acceptance notice to the selected DHCP server and as an implicit decline to any other servers.
   - Also used for lease renewal and verification.

37
DHCP operation (V)

4. DHCPACK:
   - The server verifies the lease information and responds with a unicast DHCPACK message:
     - Assuming the IP address requested by the client is still valid.
     - If no longer valid (due to timeout or another client accepting the lease), then the selected DHCP server responds with a DHCP NAK message, and the selection process must begin again.
   - The client stores the information and sends an ARP request to its new IP address to verify that it is really unused.

38
DHCP Operation (VI)

DHCP Relay agents (implemented by routers) may be employed so that a DHCP server is not required in every subnet (since hosts do not yet have an IP address), by forwarding DHCP messages to/from DHCP servers.
39
DHCPv6 Operation

Initial exchange:
(1) Client sends SOLICIT to the all-DHCP-server-address multicast (FF02::1:2), UDP 547.
(2) Available servers ADVERTISE themselves (unicast).
(3) Client selects one DHCPv6 server and sends its request (multicast):
    (1) stateless mode: INFORMATION-REQUEST (SLAAC, but needs info, e.g. DNS).
    (2) stateful mode: REQUEST (all info is provided by the server).
(4) Server Reply with the data (unicast).

Renew, first case:
(1) Client sends RENEW when the lease time expires (unicast).
(2) Server Reply with the new lease (unicast).

Renew, second case:
(1) Client sends RENEW when the lease time expires (unicast).
(2) Client searches for renewal via the all-DHCP-server-address multicast (FF02::1:2), UDP 547.
(3) Server Reply with the new lease (unicast).
40
Source: http://www.h3c.com.hk
DHCPv6 security

- Packet Integrity protection:
  - DHCPv6 option: Authentication option
    - HMAC-MD5 of the packet with a key
- Key management options:
  - Delayed (Preshared key)
  - Reconfigure (not recommended)
    - Key transmitted in cleartext

Source: http://what-when-how.com/ipv6-advanced-protocols-implementation/overview-of-the-dhcpv6-protocol-dhcpv6ipv6-part-4/ 41
Attacks and countermeasures in
DHCP
DHCP Denial of Service attack

- In the first scenario, an attacker launches a DoS attack by sending thousands of DHCP requests. The DHCP server does not have the capability to determine whether the request is genuine and therefore might end up exhausting all available IPv4 addresses. This results in legitimate clients not getting an IP address via DHCP.
- Countermeasure: DHCP snooping rate limit.
43
DHCP Spoofing Attack (I)

- In a second DHCP scenario, attacker attaches a rogue DHCP server to the network.
- This enables the intruder to give out false DHCP information for the default gateway and DNS servers, which redirect clients towards the attacker's machine (or other machines under their control).
- This misdirection enables the hacker to become a man-in-the-middle and to gain access to confidential information, while the end user is unaware of the attack (if attacker keeps providing network access).
- In DHCPv6, the Reconfigure message makes it trivial.
44
DHCP Spoofing Attack (&II)

Figure (a client between a rogue and a legitimate DHCP server):
- Client: "I need an IP address/mask, default gateway, and DNS server."
- Rogue: "Here you go, I might be first!"
- Legitimate: "Here you go."
- Client to Rogue: "Got it, thanks!"
- Client to Legit: "No thanks, I already got the info."
- Rogue: "I can now MitM client."
All default gateway frames and DNS requests sent to Rogue!

45
Countermeasure: DHCP Snooping (I)

- DHCP Snooping is a feature implemented in switches that determines which ports can respond to DHCP requests → Protects against rogue DHCP servers.
- Trusted ports (where DHCP Servers are located): Can source all DHCP messages.
- Untrusted ports (usually access ports): Can source only DHCP requests:
  - Should not send any DHCP server responses, such as DHCPOFFER, DHCPACK, or DHCPNAK.
  - If a device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down.
- DHCP high availability:
  - Two DHCP servers with 70% / 30% IP address pool.
46
Countermeasure: DHCP Snooping (&II)

- DHCP Snooping can further build a MAC-to-IP binding table.
- It will be later employed for Dynamic ARP Inspection (DAI).

47
Preventing IP spoofing attacks
IP Spoofing and IP Source Guard (IPSG)

- Attacker impersonates a legitimate host on the network by spoofing the IP address of the victim.
- IP Source Guard (IPSG) prevents a malicious host from sending packets with a spoofed IP address.
- IPSG provides per-port traffic filtering of assigned source IP.
- IPSG dynamically maintains per-port ACLs based on IP-to-MAC-to-switch port bindings.
- The binding table is populated either by the DHCP Snooping feature or through static configuration of entries.
- IPSG typically deployed for untrusted ports at access layer.
49
IP Source Guard Operations
- IPSG can be enabled on a DHCP Snooping Untrusted layer 2 port to prevent IP spoofing.
- At first, all IP traffic on the port is blocked except for DHCP messages monitored by DHCP Snooping.
- This process restricts the client IP traffic to those source IP addresses configured in the DHCP binding;
- Any IP traffic with a source IP address other than that in the IP source binding is filtered out.

50
Address Resolution Protocol
(ARP)
Address Resolution Protocol (ARP)

- ARP [RFC826] enables a host to find the MAC address of another host, in the same subnet, that is associated with a given IPv4 address.
- An ARP cache stores known IP-MAC bindings to increase performance:

52
ARP operation

- All devices on the network receive the ARP Request message, but only one device (should) respond with an ARP Reply:

53
Neighbor Discovery

  ICMPv6 message               Type  Function
  Neighbor Solicitation (NS)   135   Acquires the link-layer address of a neighbor on the local link.
                                     Verifies the reachability of a neighbor.
                                     Detects duplicate addresses.
  Neighbor Advertisement (NA)  136   Responds to an NS message.
                                     Notifies the neighboring nodes of link layer changes.

- Remember: Integrated into ICMPv6 messages.
- The vulnerabilities in the next slides apply to ND:
  - Just change ARP message by ICMPv6 ND message.
  - ARP request = ICMPv6 NS
  - ARP reply = ICMPv6 NA

54
Vulnerabilities of ARP

1. Since ARP does not authenticate requests or replies, ARP Requests and Replies can be forged.
2. ARP is stateless: ARP Replies can be sent without a corresponding ARP Request.
   Gratuitous ARP Requests: A host sends an ARP request for its own IP address. Useful for detecting if an IP address has already been assigned.
3. A node receiving an ARP packet (Request or Reply) must update its local ARP cache with the information in the source fields, if the receiving node already has an entry for the IP address of the source in its ARP cache. (This applies for both ARP Request and Reply messages).

Typical exploitation of these vulnerabilities:
- A forged ARP Request or Reply can be used to update the ARP cache of a remote system with a forged entry (ARP Cache Poisoning).
- This can be used to redirect IP traffic to other hosts.

55
ARP Cache Poisoning

ARP Cache Poisoning (figure: Host A, attacker Host B and Router C on the same LAN; B injects the forged ARP Reply):
Step 1. Host A sends an ARP request for Router C MAC address.
Step 2. Router C replies with its MAC and IP addresses. C updates its ARP cache with A.
Step 3. Host A binds C MAC address to the requested C IP address in its ARP cache.
Step 4. Host B (attacker) sends ARP Reply binding B MAC address to C IP address.
Step 5. Host A updates ARP cache with B MAC address bound to C IP address.
Step 6. Host B sends ARP binding B MAC address to A IP address.
Step 7. Router C updates ARP cache with B MAC address bound to A IP address.
Step 8. Packets in both directions are diverted through attacker (B) [MitM] 56
Preventing ARP attacks with DAI

Dynamic ARP Inspection (DAI) takes these actions:
- Forwards ARP packets received on a trusted interface without any checks.
- Intercepts all ARP packets on untrusted ports.
- Verifies that each intercepted packet has a valid IP-to-MAC address binding (database built by DHCP snooping) before forwarding packets that can update the local ARP cache.
- Drops and logs ARP packets with invalid IP-to-MAC address bindings.
57
DAI recommended configuration

- DAI can also be used to rate limit the ARP packets and disable the interface if the rate is exceeded.
- DAI associates each interface with a trusted state or an untrusted state.
- Trusted interfaces bypass all DAI.
- Untrusted interfaces undergo DAI validation.

58
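To tie DHCP snooping, IP Source Guard and DAI together, here is an added Python model of the switch logic (not vendor code and not from the course) that replays the ARP cache poisoning steps from slide 56 and the rogue DHCP server case. Port names, MAC addresses, the 10.0.0.0/24 addressing and the 15 packets/second ARP limit are assumptions.

```python
from collections import defaultdict

SERVER_MSGS = {"OFFER", "ACK", "NAK"}            # only trusted ports may source these
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE"}

class Switch:
    def __init__(self, trusted_ports, arp_rate_limit=15):
        self.trusted = set(trusted_ports)
        self.arp_rate_limit = arp_rate_limit   # ARP packets/second per untrusted port (assumed value)
        self.bindings = {}                      # ip -> (mac, port): the DHCP snooping binding table
        self.pending = {}                       # client mac -> port, learned from the client's own messages
        self.err_disabled = set()
        self.arp_counts = defaultdict(int)      # (port, second) -> ARP packets seen
        self.log = []

    def _drop(self, reason):
        self.log.append(reason)
        return ("drop", reason)

    def dhcp(self, port, msg, client_mac, yiaddr=None):
        """DHCP snooping: learn bindings from ACKs seen on trusted ports and shut down
        any untrusted port that tries to act as a DHCP server."""
        if port in self.err_disabled:
            return self._drop("port %s is err-disabled" % port)
        if msg in SERVER_MSGS and port not in self.trusted:
            self.err_disabled.add(port)
            return self._drop("rogue DHCP %s from untrusted port %s: port shut down" % (msg, port))
        if msg in CLIENT_MSGS:
            self.pending[client_mac] = port
            if msg == "RELEASE":
                self.bindings = {ip: b for ip, b in self.bindings.items() if b[0] != client_mac}
        elif msg == "ACK" and yiaddr and client_mac in self.pending:
            self.bindings[yiaddr] = (client_mac, self.pending[client_mac])
        return ("forward", "")

    def ip_packet(self, port, src_mac, src_ip):
        """IPSG: on an untrusted port only the (ip, mac) pair bound to that port may send."""
        if port in self.err_disabled:
            return self._drop("port %s is err-disabled" % port)
        if port in self.trusted or self.bindings.get(src_ip) == (src_mac, port):
            return ("forward", "")
        return self._drop("IPSG: %s from %s not bound on port %s" % (src_ip, src_mac, port))

    def arp(self, port, sender_mac, sender_ip, t=0):
        """DAI: trusted ports bypass inspection; untrusted ports are rate limited and the
        sender (ip, mac) must match the snooping binding for that port, else drop and log."""
        if port in self.err_disabled:
            return self._drop("port %s is err-disabled" % port)
        if port in self.trusted:
            return ("forward", "")
        key = (port, int(t))
        self.arp_counts[key] += 1
        if self.arp_counts[key] > self.arp_rate_limit:
            self.err_disabled.add(port)
            return self._drop("DAI: ARP rate limit exceeded on %s: port shut down" % port)
        if self.bindings.get(sender_ip) != (sender_mac, port):
            return self._drop("DAI: %s -> %s on %s has no valid binding" % (sender_ip, sender_mac, port))
        return ("forward", "")

def run_scenario():
    """Router C (10.0.0.1) behind the trusted port, host A and attacker B on access ports."""
    A, B, C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    sw = Switch(trusted_ports={"gi0/1"})
    for mac, port, ip in ((A, "gi0/2", "10.0.0.10"), (B, "gi0/3", "10.0.0.11")):
        sw.dhcp(port, "DISCOVER", mac)
        sw.dhcp("gi0/1", "OFFER", mac, ip)
        sw.dhcp(port, "REQUEST", mac)
        sw.dhcp("gi0/1", "ACK", mac, ip)        # binding learned here
    results = {
        "A_legit_ip": sw.ip_packet("gi0/2", A, "10.0.0.10")[0],
        "B_spoofs_A_ip": sw.ip_packet("gi0/3", B, "10.0.0.10")[0],      # IPSG
        "B_claims_C": sw.arp("gi0/3", B, "10.0.0.1")[0],                # slide 56, step 4
        "B_claims_A": sw.arp("gi0/3", B, "10.0.0.10")[0],               # slide 56, step 6
        "A_legit_arp": sw.arp("gi0/2", A, "10.0.0.10")[0],
        "C_on_trusted": sw.arp("gi0/1", C, "10.0.0.1")[0],
        "B_rogue_offer": sw.dhcp("gi0/3", "OFFER", A, "10.0.0.99")[0],  # rogue DHCP server
        "B_after_shutdown": sw.arp("gi0/3", B, "10.0.0.11")[0],
    }
    return sw, results

if __name__ == "__main__":
    switch, outcome = run_scenario()
    print(outcome)
    print("\n".join(switch.log))
```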
Internet Routing Protocols
Routing protocols outline

- Intra-domain routing:
  - Routing Information Protocol (RIP):
    - Distance Vector protocol.
    - Plain-text authentication option.
    - RIPng (IPv6) delegates to IPSec.
  - Open Shortest Path First (OSPF):
    - Link State protocol.
    - Plain-text or digest authentication option (MD5).
    - OSPFv3 (IPv6) delegates to IPSec.
- Inter-domain routing:
  - Border Gateway Protocol (BGP):
    - Path Vector protocol.
    - TCP Authentication Option.
    - Resource Public Key Infrastructure (RPKI).
    - BGPsec.

60
Border Gateway Protocol (BGP)

- Inter-Autonomous System routing protocol:
  - It is a critical piece of the Internet's infrastructure.
- Uses TCP port 179.
- BGP version 4 [RFC 4271]:
  - Initially defined an optional authentication field:
    - Authentication was only in the "OPEN" message.
    - Connection can be hijacked afterwards (and bad routes injected):
      - TCP session hijacking.
  - Later mandates TCP MD5 option [RFC2385]:
    - Shared password between peering BGP routers.
  - Now TCP Authentication Option [RFC5925]:
    - MAC algorithms with Traffic Keys derived from shared Master Key.
61
BGP: Path Vector routing

- BGP is classified as a Path Vector routing protocol (see RFC1322).
- AS-path: sequ﻿ence of ASes a route traverses:
  - Like distance vector, plus additional information.
  - No details about the inside of other ASes.
- Used for loop detection and to apply policies.
- Default choice: Route with fewest # of ASes.

Figure: AS 4 holds 120.10.0.0/16, AS 3 holds 130.10.0.0/16 and AS 5 holds 110.10.0.0/16; routes as seen from AS 1:
  120.10.0.0/16: AS 2 → AS 3 → AS 4
  130.10.0.0/16: AS 2 → AS 3
  110.10.0.0/16: AS 2 → AS 5
62
BGP operations (simplified)

Figure: AS-1 and AS-2 routers with a BGP session between them:
1. Establish session on TCP port 179.
2. Exchange active routes.
3. Exchange incremental updates.

63
Shortest AS Path != Shortest Path

Figure: from Source to Destination, one path crosses 4 ASs in 4 hops, the other crosses 2 ASs in 9 hops; which one is chosen (?).

64
Four types of BGP messages

1. Open: Establish a peering session.
2. Keep alive: Handshake at regular intervals.
3. Notification: Shuts down a peering session.
4. Update: Announce new routes or withdraw previously announced routes.

Announcement = IP prefix + attributes values

65
BGP connections

- Once a connection to another BGP router has been established, it is expected to remain open and stable:
  - If it closes:
    - All resources for that BGP connection are deallocated.
    - Routing table entries associated with the remote peer are marked as invalid.
    - The fact that the routes have become invalid is passed to other BGP peers before the routes are deleted from the system.
- TCP RST attacks can be very dangerous!
  - Cause routing instabilities.
  - MUST use the TCP Authentication option:
    - Or IPSec, etc ... 66
BGP (In)Security

- BGP update messages contain no authentication or integrity protection:
  - ASes can announce arbitrary prefixes.
  - ASes can alter AS path:
    - Either attract traffic to attacker's AS, or divert traffic away.

[1] Dan Goodin. "Russian-controlled telecom hijacks financial services' Internet traffic". Ars Technica. 27 April 2017
[2] BGP leaks and cryptocurrencies
[3] Dashboards focused on BGP attacks: https://bgpstream.com/, https://observatory.manrs.org 67
Security issues of BGP

- Communication between peers is not protected from eavesdropping:
  - But modification can be prevented by using TCP AO.
- Subject to all vulnerabilities from lower layers.
- DoS / DDoS Attacks:
  - Can be used to target TCP port 179 used by BGP:
    - Potential to close connections.
    - Potential to result in dropped Update messages.
- Attacks may come from trusted routers that have been compromised:
  - Smaller ISPs with poor security become good targets.
  - Mesh connected design means gaining access to any BGP speaker can have a significant impact on the Internet.
68
Control Plane Security: Authentication

- Session Authentication / Integrity:
  - Who's on the other end of that BGP session?
    - Is it the one that claims to be?
  - Are the routing messages correct?
- Path Authentication:
  - Is the AS path correct?
- Origin Authentication:
  - Does the route prefix correspond to the AS that actually owns that prefix?

69
Session Authentication: TCP AO

- Authenticate packets received from a peer using TCP AO.

70
Session Authentication: TTL Hack

- Insight: Most eBGP sessions are only a single hop (adjacent); attackers typically are remote.
- Remote packet injection can't have a TTL == 255 (at ISP).
- Implement RFC5082 on BGP peerings:
  - (Generalised TTL Security Mechanism).
  - Neighbour sets TTL to 255.
  - Local router expects TTL of incoming BGP packets to be 255.
  - No one apart from directly attached devices can send BGP packets which arrive with TTL = 255, so any possible attack by a remote miscreant is dropped due to TTL mismatch.

Figure: R1 (AS 200) and R2 (AS 100) are directly connected, so R1's BGP packets sent with TTL 255 arrive at R2 with TTL 255; the Attacker's packets, sent with TTL 255 from further away, arrive at R2 with TTL 254 and are dropped.
71
Traffic Attraction & Interception Attacks

April 2010: China Telecom intercepts traffic.

Figure: AS 22394 originates 66.174.161.0/24 and announces it to Verizon Wireless (VZW); Level 3 receives the path "VZW, 22394" and passes "Level3, VZW, 22394" on to ISP 1. China Telecom also announces 66.174.161.0/24 to ISP 1 with the path "ChinaTel", and the ChinaTel path is shorter (?).

This prefix and 50K others were announced by China Telecom.
Traffic for some prefixes was possibly intercepted.

72
Origin Authentication

- IRR (Internet Routing Registries):
  - Record routes and associate them with the ASN that will announce them.
  - Multiple mirrors (RADB, RIR DBs...).
  - Out-of-band, e.g.:

    $ whois -h whois.radb.net AS766
    aut-num: AS766
    as-name: RedIRIS
    org: ORG-RA6-RIPE
    descr: RedIRIS Autonomous System
    descr: SPAIN
    import: from AS174 accept ANY
    mp-import: from AS174 accept ANY
    import: from AS288 accept {192.171.2.0/24,……, 131.176.171.0/24}

- RPKI (Resource Public Key Infrastructure):
  - ROA (Route Origin Authorization) record.
    - Associates a route with an originating AS number.
  - RIRs digitally sign ROAs with their CA.
73
Securing the Internet: RPKI
Resource Public Key Infrastructure (RPKI): Certified mapping from ASes to public keys and IP prefixes.

Figure (same topology as before): ISP 1 receives 66.174.161.0/24 with path "Level3, VZW, 22394" from Level 3 and with path "ChinaTel" from China Telecom; RPKI marks the China Telecom announcement Invalid and it is rejected (X).

RPKI shows China Telecom is not a valid origin for this prefix.

74
But RPKI alone is not enough!
Resource Public Key Infrastructure (RPKI): Certified mapping from ASes to public keys and IP prefixes.

Figure: ISP 1 receives 66.174.161.0/24 with path "Level3, VZW, 22394" from Level 3 and with path "ChinaTel, 22394" from China Telecom; the origin AS 22394 is valid under RPKI, so ISP 1 cannot tell that the second path is fake (?).

Malicious router can pretend to connect to the valid origin.

75
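Added example (not from the course material): RFC 6811 route origin validation together with the slides' "fewest ASes" selection, run on the 66.174.161.0/24 scenario of the last three slides. The ROA for 22394 and the AS labels are constructed; the last case is the RPKI-valid but forged "ChinaTel, 22394" path that motivates BGPsec.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: str        # address block covered by the authorization
    max_length: int    # longest prefix the origin AS may announce out of that block
    asn: object        # origin AS (a label here; a 32-bit AS number in real ROAs)

def validate_origin(prefix, as_path, roas):
    """RFC 6811 semantics: 'valid' if a covering ROA names the origin AS (last AS in the path)
    and the announced prefix is no longer than its maxLength; 'invalid' if ROAs cover the
    prefix but none matches; 'not-found' if no ROA covers it at all."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    covering = [r for r in roas
                if ipaddress.ip_network(r.prefix).version == net.version
                and net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "not-found"
    if any(r.asn == origin and net.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"

def select_best(prefix, candidates, roas, drop_invalid):
    """The slides' default choice: fewest ASes wins; with ROV, 'invalid' routes are dropped first."""
    usable = [p for p in candidates
              if not (drop_invalid and validate_origin(prefix, p, roas) == "invalid")]
    return min(usable, key=len) if usable else None

# Constructed ROA: 22394 (Verizon Wireless) authorized for 66.174.0.0/16 down to /24.
ROAS = [ROA("66.174.0.0/16", 24, 22394)]
PREFIX = "66.174.161.0/24"
LEGIT = ["Level3", "VZW", 22394]      # path as seen by ISP 1 on the slides
HIJACK = ["ChinaTel"]                 # 2010 case: China Telecom originates the prefix itself
FORGED = ["ChinaTel", 22394]          # RPKI-valid origin, forged adjacency: what BGPsec stops

def run_example():
    return {
        "legit": validate_origin(PREFIX, LEGIT, ROAS),
        "hijack": validate_origin(PREFIX, HIJACK, ROAS),
        "forged": validate_origin(PREFIX, FORGED, ROAS),
        "more_specific": validate_origin("66.174.161.0/25", LEGIT, ROAS),   # exceeds maxLength
        "unknown": validate_origin("203.0.113.0/24", HIJACK, ROAS),         # no covering ROA
        "best_without_rov": select_best(PREFIX, [LEGIT, HIJACK], ROAS, drop_invalid=False),
        "best_with_rov": select_best(PREFIX, [LEGIT, HIJACK], ROAS, drop_invalid=True),
        "best_vs_forged": select_best(PREFIX, [LEGIT, FORGED], ROAS, drop_invalid=True),
    }

if __name__ == "__main__":
    for name, value in run_example().items():
        print("%-17s %s" % (name, value))
```

With ROV the 2010 hijack is rejected, but the forged path still wins on length because origin validation says nothing about the adjacencies in the path.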
To stop this attack, we need BGPsec
(path authentication)
BGPsec: RPKI + Cannot announce a path that was not announced to you.

Figure: each AS signs the path it passes to the next AS:
  22394 → VZW: (22394, Prefix), signed by 22394
  VZW → Level3: (VZW, 22394, Prefix), signed by VZW
  Level3 → ISP 1: (Level3, VZW, 22394, Prefix), signed by Level 3

Public Key Signature: Anyone with 22394's public key can validate that the message was sent by 22394. 76
To stop this attack, we need BGPsec
(path authentication)
BGPsec: RPKI + Cannot announce a path that was not announced to you.

Figure: the legitimate chain of signed announcements is 22394 → VZW: (22394, Prefix); VZW → Level3: (VZW, 22394, Prefix); Level3 → ISP 1: (Level3, VZW, 22394, Prefix). China Telecom would need 22394's signature on "ChinaTel: (22394, Prefix)" to present a direct path to ISP 1.

Malicious router can't announce a direct path to 22394, since 22394 never said ChinaTel: (22394, Prefix).
77
The basic BGP security requirement

- For every UPDATE it receives, a BGP router should be able to verify that the "owner" of each prefix authorized the first (origin) AS to advertise the prefix and that each subsequent AS in the path has been authorized by the preceding AS to advertise a route to the prefix.
- This requirement, if achieved, allows a BGP router to detect and reject unauthorized routes, irrespective of what sort of attack resulted in the bad routes.
- Conversely, if a security approach fails to achieve this requirement, a BGP router will be vulnerable to attacks that result in misrouting of traffic in some fashion.

78
BGPsec design Overview

- BGPsec [RFC8206] makes use of:
  - Public Key Infrastructure to provide an authorization framework representing address space and AS # "ownership".
  - Attestations (digitally-signed data) to bind authorization information to UPDATE messages.
- BGPsec requires routers to (++ RAM, ++ CPU):
  - Generate an attestation when generating an UPDATE for another S-BGP router.
  - Validate attestations associated with each UPDATE received from another S-BGP router.

79
Secure BGP Problems

- Requires global Public-Key Infrastructure.
- Lots of digital signatures to calculate and verify:
  - Message overhead.
  - CPU overhead → DoS.
- Each AS on the path must go to a certificate site to verify the source of the route.
- To be effective, entire path must be secure, so every AS must adopt it (a classic chicken-and-egg problem).
- No consensus, has not experienced widespread adoption:
  "Why should I upgrade if (security) benefits don't kick in unless everyone else does?"
80
