Active wiretapping of sessions between BGP routers

An adversary may attack the BGP (TCP) session that connects a pair of BGP speakers. An active attack against a BGP (TCP) session can be effected by directing traffic to a BGP speaker from some remote point, or by being positioned as a MITM on the link that carries BGP session traffic. Remote attacks can be effected by any adversary. A MITM attack requires access to the link. Modern transport networks may be as complex as the packet networks that utilize them for inter-AS links. Thus, these transport networks may present significant attack surfaces. Nonetheless, only some classes of adversaries are assumed to be capable of MITM attacks against a BGP session. MITM attacks may be directed against BGP and PATHSEC-protected BGP, or against TCP or IP. Such attacks include replay of selected BGP messages, selective modification of BGP messages, and DoS attacks against BGP routers. [RFC4272] describes several countermeasures for such attacks, and thus this document does not address them further.

Attacks on a BGP Router

An adversary may attack a BGP router, whether or not it implements PATHSEC. Any adversary that controls routers legitimately, or that can assume control of a router, is assumed to be able to effect the types of attacks described below. Note that any router behavior that can be ascribed to a local routing policy decision is not considered to be an attack. This is because such behavior could be explained as a result of local policy settings and thus is beyond the scope of what PATHSEC can detect as unauthorized behavior. Thus, for example, a router may fail to propagate some or all route withdrawals or effect "route leaks". (These behaviors are not precluded by the specification for BGP and might be the result of a local policy that is not publicly disclosed. As a result, they are not considered attacks.)

Attacks on a router are equivalent to active wiretapping attacks (in the most general sense) that manipulate (forge, tamper with, or suppress) data contained in BGP updates. The list below illustrates attacks of this type.

AS Insertion: A router might insert one or more ASNs, other than its own ASN, into an update message. This violates the BGP spec and thus is considered an attack.

False (Route) Origination: A router might originate a route for a prefix when the AS that the router represents is not authorized to originate routes for that prefix. This is an attack, but it is addressed by the use of the RPKI [RFC6480].

Secure Path Downgrade: A router might remove AS_PATH data from a PATHSEC-protected update that it receives when forwarding this update to a PATHSEC-enabled neighbor. This behavior violates the PATHSEC security goals and thus is considered an attack.

Invalid AS_PATH Data Insertion: A router might emit a PATHSEC-protected update with "bad" data (such as a signature), i.e., PATHSEC data that cannot be validated by other PATHSEC routers. Such behavior is assumed to violate the PATHSEC goals and thus is considered an attack.

Stale Path Announcement: If PATHSEC-secured announcements can expire, such an announcement may be propagated with PATHSEC data that is "expired". This behavior would violate the PATHSEC goals and is considered a type of replay attack.

Premature Path Announcement Expiration: If a PATHSEC-secured announcement has an associated expiration time, a router might emit a PATHSEC-secured announcement with an expiry time that is very short. Unless the PATHSEC protocol specification mandates a minimum expiry time, this is not an attack. However, if such a time is mandated, this behavior becomes an attack. BGP speakers along a path generally cannot determine if an expiry time is "suspiciously short" since they cannot know how long a route may have been held by an earlier AS, prior to being released.

MITM Attack: A cryptographic key used for point-to-point security (e.g., TCP-AO, TLS, or IPsec) between two BGP routers might be compromised (e.g., by extraction from a router). This would enable an adversary to effect MITM attacks on the link(s) where the key is used. Use of specific security mechanisms to protect inter-router links between ASes is outside the scope of PATHSEC.

Compromised Router Private Key: If PATHSEC mechanisms employ public key cryptography, e.g., to digitally sign data in an update, then a private key associated with a router or an AS might be compromised by an attack against the router. An adversary with access to this key would be able to generate updates that appear to have passed through the AS that this router represents. Such updates might be injected on a link between the compromised router and its neighbors if that link is accessible to the adversary. If the adversary controls another network, it could use this key to forge signatures that appear to come from the AS or router(s) in question, with some constraints. So, for example, an adversary that controls another AS could use a compromised router/AS key to issue PATHSEC-signed data that includes the targeted router/AS. (Neighbors of the adversary's AS ought not accept a route that purports to emanate directly from the targeted AS. So, an adversary could take a legitimate, protected route that passes through the compromised AS, add itself as the next hop, and then forward the resulting route to neighbors.)

Withdrawal Suppression Attack: A PATHSEC-protected update may be signed and announced, and later withdrawn. An adversary controlling intermediate routers could fail to propagate the withdrawal. BGP is already vulnerable to behavior of this sort, so withdrawal suppression is not characterized as an attack under the assumptions upon which this model is based (i.e., no oracle).
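As an added illustration (example code written for this page, not part of this document or of any PATHSEC specification), the Go program below models a PATHSEC-style signed AS_PATH and runs the AS Insertion, Secure Path Downgrade, Invalid AS_PATH Data Insertion, Stale Path Announcement and Compromised Router Private Key cases above through a receiver's validation routine. Everything about the format is an assumption made for the example: each AS signs the prefix, all earlier segments including their signatures, its own ASN, the ASN it forwards to and an expiry; a per-AS public key map stands in for an RPKI lookup; keys are derived deterministically from the ASN so the program runs offline; the ASNs 65001-65004, 65009 and 65666, the prefix 192.0.2.0/24 and the fixed clock are constructed test data. The last two cases show the limit stated under the compromised-key entry: a route that claims to arrive directly from the targeted AS is rejected, but a forged path that re-signs the targeted AS's segment toward the adversary and appends the adversary's own segment validates.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// Simplified PATHSEC-style signed path (assumed for this example, not the BGPsec format):
// each AS signs the prefix, all earlier segments incl. their signatures, its own ASN,
// the next-hop ASN and an expiry (Unix seconds; 0 = never expires).
type Segment struct {
	ASN, NextAS uint32
	Expiry      int64
	Sig         []byte
}
type Update struct{ Prefix string; Segments []Segment }
type Registry map[uint32]ed25519.PublicKey // stands in for an RPKI key lookup (assumption)

// keyFor derives a deterministic test key from the ASN (offline, no randomness; real routers never do this).
func keyFor(asn uint32) ed25519.PrivateKey {
	seed := make([]byte, ed25519.SeedSize)
	binary.BigEndian.PutUint32(seed, asn)
	return ed25519.NewKeyFromSeed(seed)
}

// tbs is the to-be-signed data for a segment appended after u.Segments[:upto].
func tbs(u Update, upto int, asn, next uint32, expiry int64) []byte {
	var b bytes.Buffer
	b.WriteString(u.Prefix)
	for _, s := range append(u.Segments[:upto:upto], Segment{asn, next, expiry, nil}) {
		_ = binary.Write(&b, binary.BigEndian, []uint32{s.ASN, s.NextAS})
		_ = binary.Write(&b, binary.BigEndian, s.Expiry)
		b.Write(s.Sig) // earlier signatures are covered: this chains the path
	}
	return b.Bytes()
}

// Sign returns a copy of u with a segment for asn (toward next) appended; u is untouched.
func Sign(u Update, key ed25519.PrivateKey, asn, next uint32, expiry int64) Update {
	sig := ed25519.Sign(key, tbs(u, len(u.Segments), asn, next, expiry))
	return Update{u.Prefix, append(append([]Segment(nil), u.Segments...), Segment{asn, next, expiry, sig})}
}

// Validate is the check router `me` applies to an update learned from neighbour `peer` at time `now`.
func Validate(u Update, reg Registry, peer, me uint32, now int64) (bool, string) {
	if len(u.Segments) == 0 { return false, "no PATHSEC data (secure path downgrade?)" }
	for i, s := range u.Segments {
		pub, ok := reg[s.ASN]
		if !ok || !ed25519.Verify(pub, tbs(u, i, s.ASN, s.NextAS, s.Expiry), s.Sig) {
			return false, fmt.Sprintf("invalid PATHSEC data for AS%d", s.ASN)
		}
		if s.Expiry != 0 && s.Expiry < now { return false, fmt.Sprintf("segment for AS%d expired (stale path)", s.ASN) }
		want := me // the last signer must have named us as its next hop
		if i+1 < len(u.Segments) { want = u.Segments[i+1].ASN }
		if s.NextAS != want {
			return false, fmt.Sprintf("AS%d named AS%d next but AS%d follows (AS insertion?)", s.ASN, s.NextAS, want)
		}
	}
	if last := u.Segments[len(u.Segments)-1].ASN; last != peer {
		return false, fmt.Sprintf("learned from AS%d but last signer is AS%d", peer, last)
	}
	return true, "valid"
}

// Scenarios replays the attacks listed above against the path
// AS65001 (origin of 192.0.2.0/24) -> AS65002 -> AS65003 -> us (AS65004).
func Scenarios() map[string]bool {
	const now, hour int64 = 1_700_000_000, 3600 // fixed clock for reproducibility
	reg, res := Registry{}, map[string]bool{}
	for _, a := range []uint32{65001, 65002, 65003, 65004, 65009, 65666} {
		reg[a] = keyFor(a).Public().(ed25519.PublicKey)
	}
	check := func(name string, u Update, peer uint32) {
		ok, why := Validate(u, reg, peer, 65004, now)
		fmt.Printf("%-16s ok=%-5v %s\n", name, ok, why)
		res[name] = ok
	}
	k1, k2, k3 := keyFor(65001), keyFor(65002), keyFor(65003)
	origin := Sign(Update{Prefix: "192.0.2.0/24"}, k1, 65001, 65002, now+hour)
	via2 := Sign(origin, k2, 65002, 65003, now+hour)
	good := Sign(via2, k3, 65003, 65004, now+hour)
	check("legitimate", good, 65003)
	// AS insertion: AS65003 slips AS65009, whose key it lacks, in before itself.
	check("as-insertion", Sign(Sign(via2, k3, 65009, 65003, now+hour), k3, 65003, 65004, now+hour), 65003)
	// Secure path downgrade: AS65003 strips all PATHSEC data before forwarding.
	check("downgrade", Update{Prefix: good.Prefix}, 65003)
	// Invalid PATHSEC data: one bit of AS65002's signature corrupted.
	bad := Update{good.Prefix, append([]Segment(nil), good.Segments...)}
	bad.Segments[1].Sig = append([]byte{good.Segments[1].Sig[0] ^ 1}, good.Segments[1].Sig[1:]...)
	check("bad-signature", bad, 65003)
	// Stale path: AS65003 re-announces after AS65002's segment has expired.
	check("stale", Sign(Sign(origin, k2, 65002, 65003, now-1), k3, 65003, 65004, now+hour), 65003)
	// Compromised key: AS65666 holds k2. Claiming the route came straight from AS65002 fails,
	// but re-signing AS65002's segment toward AS65666 and appending its own segment validates.
	check("impersonate", Sign(origin, k2, 65002, 65004, now+hour), 65666)
	forged := Sign(origin, k2, 65002, 65666, now+hour) // made with the stolen key
	check("compromised-key", Sign(forged, keyFor(65666), 65666, 65004, now+hour), 65666)
	return res
}
func main() { Scenarios() }
```

Run it with `go run`; each output line names the scenario, whether Validate accepted the update, and the reason. Withdrawal suppression cannot appear in such a run at all: the validator only ever sees the updates it is handed, which is exactly why the last entry above does not count it as an attack under the no-oracle assumption.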