BGP MiTM and Routing security
BGP speakers themselves can inject bogus routing information, either by masquerading as any other legitimate BGP speaker, or by distributing unauthorized routing information as themselves.
Historically, misconfigured and faulty routers have been responsible for widespread disruptions in the Internet.
The legitimate BGP peers have the context and information to produce believable, yet bogus, routing information, and therefore have the opportunity to cause great damage.
The TCP MD5 signature option (RFC 2385) authenticates the peering session, not the routing content carried over it; neither it nor operational protections can exclude bogus information arising from a legitimate peer.
The risk of disruptions caused by legitimate BGP speakers is real and cannot be ignored.
Adversary - An adversary is an entity (e.g., a person or an
organization) that is perceived as malicious, relative to the
security policy of a system. The decision to characterize an
entity as an adversary is made by those responsible for the
security of a system. Often, one describes classes of adversaries
with similar capabilities or motivations rather than specific
individuals or organizations.
Attack - An attack is an action that attempts to violate the security
policy of a system, e.g., by exploiting a vulnerability. There is
often a many-to-one mapping of attacks to vulnerabilities because
many different attacks may be used to exploit a vulnerability.
Autonomous System (AS) - An AS is a set of one or more IP networks
operated by a single administrative entity.
AS Number (ASN) - An ASN is a 2- or 4-byte number issued by a
registry to identify an AS in BGP.
Certification Authority (CA) - An entity that issues digital
certificates (e.g., X.509 certificates) and vouches for the
binding between the data items in a certificate.
Countermeasure - A countermeasure is a procedure or technique that
thwarts an attack, preventing it from being successful. Often,
countermeasures are specific to attacks or classes of attacks.
Border Gateway Protocol (BGP) - A path vector protocol used to convey
"reachability" information among ASes in support of inter-domain
False (Route) Origination - If a network operator originates a route
for a prefix that the operator does not hold (and that has not
been authorized to originate by the prefix holder), this is termed
false route origination.
Internet Service Provider (ISP) - An organization managing (and
typically selling) Internet services to other organizations or
Internet Number Resources (INRs) - IPv4 or IPv6 address space and
Internet Registry - An organization that manages the allocation or
distribution of INRs. This encompasses the Internet Assigned
Number Authority (IANA), Regional Internet Registries (RIRs),
National Internet Registries (NIRs), and Local Internet Registries
(LIRs) (network operators).
Man in the Middle (MITM) - A MITM is an entity that is able to
examine and modify traffic between two (or more) parties on a
Network Operator - An entity that manages an AS and thus emits (E)BGP
updates, e.g., an ISP.
Network Operations Center (NOC) - A network operator employs a set of
equipment and a staff to manage a network, typically on a 24/7
basis. The equipment and staff are often referred to as the NOC
for the network.
Prefix - A prefix is an IP address and a mask used to specify a set
of addresses that are grouped together for purposes of routing.
Public Key Infrastructure (PKI) - A PKI is a collection of hardware,
software, people, policies, and procedures used to create, manage,
distribute, store, and revoke digital certificates.
Relying Parties (RPs) - An RP is an entity that makes use of signed
products from a PKI, i.e., it relies on signed data that is
verified using certificates and Certificate Revocation Lists
(CRLs) from a PKI.
RPKI Repository System - The RPKI repository system consists of a
distributed set of loosely synchronized databases.
Resource PKI (RPKI) - A PKI operated by the entities that manage INRs
and that issue X.509 certificates (and CRLs) that attest to the
holdings of INRs.
RPKI Signed Object - An RPKI signed object is a data object
encapsulated with Cryptographic Message Syntax (CMS) that complies
with the format and semantics defined in [RFC6488].
Route - In the Internet, a route is a prefix and an associated
sequence of ASNs that indicates a path via which traffic destined
for the prefix can be directed. (The route includes the origin
Route Leak - A route leak is said to occur when AS-A advertises
routes that it has received from AS-B to the neighbors of AS-A,
but AS-A is not viewed as a transit provider for the prefixes in
Threat - A threat is a motivated, capable adversary. An adversary
that is not motivated to launch an attack is not a threat. An
adversary that is motivated but not capable of launching an attack
also is not a threat.
Vulnerability - A vulnerability is a flaw or weakness in a system's
design, implementation, or operation and management that could be
exploited to violate the security policy of a system.
Network Operators: A network operator may be a threat. An
operator may be motivated to cause BGP routers it controls to emit
update messages with inaccurate routing info, e.g., to cause
traffic to flow via paths that are economically advantageous for
the operator. Such updates might cause traffic to flow via paths
that would otherwise be rejected as less advantageous by other
network operators. Because an operator controls the BGP routers
in its network, it is in a position to modify their operation in
arbitrary ways. Routers managed by a network operator are
vehicles for mounting MITM attacks on both control and data plane
traffic. If an operator participates in the RPKI, it will have at
least one CA resource certificate and may be able to generate an
arbitrary number of subordinate CA certificates and ROAs. It will
be authorized to populate (and may even host) its own repository
publication point. If it implements PATHSEC (the generic name used here for a BGP path-security mechanism such as BGPsec), and if PATHSEC makes
use of certificates associated with routers or ASes, it will have
the ability to issue such certificates for itself. If PATHSEC
digitally signs updates, it will be able to do so in a fashion
that will be accepted by PATHSEC-enabled neighbors.
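A route leak, as defined in the glossary above, is the commonest way an operator (rogue or merely misconfigured) causes traffic to flow via a path that would otherwise be rejected as less advantageous. The following added example, not code from the original page, checks a received AS_PATH against the valley-free rule (customer-to-provider edges, then at most one peer edge, then only provider-to-customer edges) using a constructed relationship table; ASNs are private-use values and PROVIDER_OF, PEERS and find_leaker are names chosen for this example. In practice the table would come from the operator's own policy data or an inferred relationship dataset.

```python
"""Route-leak detection with the valley-free rule.

Added example, not code from the original page. AS numbers and business
relationships below are constructed; real deployments would load them from
an operator's own policy data or an inferred relationship dataset.
"""
from typing import Optional, Sequence

# Constructed relationships. PROVIDER_OF holds (provider, customer) pairs;
# PEERS holds settlement-free peerings.
PROVIDER_OF = {
    (64496, 64500),   # AS64496 is transit provider for the origin AS64500
    (64497, 64498),   # AS64498 is multihomed: customer of both
    (64499, 64498),   #   AS64497 and AS64499
}
PEERS = {
    frozenset({64496, 64497}),
    frozenset({64497, 64503}),
}


def relationship(sender: int, receiver: int) -> str:
    """Describe the edge over which `sender` announces a route to `receiver`:
    'c2p' customer to provider, 'p2p' peer to peer, 'p2c' provider to customer."""
    if (sender, receiver) in PROVIDER_OF:
        return "p2c"
    if (receiver, sender) in PROVIDER_OF:
        return "c2p"
    if frozenset({sender, receiver}) in PEERS:
        return "p2p"
    raise ValueError(f"no known relationship between AS{sender} and AS{receiver}")


def find_leaker(as_path: Sequence[int], receiver: int) -> Optional[int]:
    """Return the ASN that leaked the route, or None if the path is valley-free.

    `as_path` is the AS_PATH as received by `receiver` (nearest AS first,
    origin last). In propagation order a valley-free path climbs
    customer->provider edges, crosses at most one peer edge, then only
    descends provider->customer edges (Gao's rule). An AS that received
    the route from a provider or peer and passes it on to another provider
    or peer has leaked it (the hairpin and lateral leak types of RFC 7908).
    """
    path = list(reversed(as_path)) + [receiver]   # origin ... receiver
    phase = "up"                                   # "up" -> "peer" -> "down"
    for sender, nxt in zip(path, path[1:]):
        edge = relationship(sender, nxt)
        if edge == "c2p":
            if phase != "up":
                return sender      # got it from provider/peer, sent to a provider
        elif edge == "p2p":
            if phase != "up":
                return sender      # got it from provider/peer, sent to a peer
            phase = "peer"
        else:  # "p2c"
            phase = "down"
    return None


if __name__ == "__main__":
    samples = [
        ([64497, 64496, 64500], 64498),          # up, peer, down       -> clean
        ([64498, 64497, 64496, 64500], 64499),   # ... then up again    -> AS64498 leaks
        ([64497, 64496, 64500], 64503),          # peer then peer again -> AS64497 leaks
    ]
    for as_path, rx in samples:
        print(as_path, "->", rx, "leaker:", find_leaker(as_path, rx))
```

The check needs trustworthy relationship data, which is exactly what a rogue operator or a hacker controlling its routers does not supply; the AS_PATH itself is unauthenticated in plain BGP, so a leaker that also rewrites the path can evade this test. That is the operator-as-threat case the paragraph above describes.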
Hackers: Hackers are considered a threat. A hacker might assume
control of network management computers and routers controlled by
operators, including operators that implement PATHSEC. In such
cases, hackers would be able to act as rogue network operators
(see above). It is assumed that hackers generally do not have the
capability to effect MITM attacks on most links between networks
(links used to transmit BGP and subscriber traffic). A hacker
might be recruited, without his/her knowledge, by criminals or by
nations, to act on their behalf. Hackers may be motivated by a
desire for "bragging rights", for profit, or to express support
for a cause ("hacktivists"). We view hackers as possibly
distinct from criminals in that the former are presumed to effect
attacks only remotely (not via a physical presence associated with
a target) and not necessarily for monetary gain. Some hackers may
commit criminal acts (depending on the jurisdiction), and thus
there is a potential for overlap between this adversary group and
Criminals: Criminals may be a threat. Criminals might persuade
(via threats or extortion) a network operator to act as a rogue
operator (see above) and thus be able to effect a wide range of
attacks. Criminals might persuade the staff of a
telecommunications provider to enable MITM attacks on links
between routers. Motivations for criminals may include the
ability to extort money from network operators or network operator
clients, e.g., by adversely affecting routing for these network
operators or their clients. Criminals also may wish to manipulate
routing to conceal the sources of spam, DoS attacks, or other
Registries: Any registry in the RPKI could be a threat. Staff at
the registry are capable of manipulating repository content or
mismanaging the RPKI certificates that they issue. These actions
could adversely affect a network operator or a client of a network
operator. The staff could be motivated to do this based on
political pressure from the nation in which the registry operates
(see below) or due to criminal influence (see above).
Nations: A nation may be a threat. A nation may control one or
more network operators that operate in the nation, and thus can
cause them to act as rogue network operators. A nation may have a
technical active wiretapping capability (e.g., within its
territory) that enables it to effect MITM attacks on inter-network
traffic. (This capability may be facilitated by control or
influence over a telecommunications provider operating within the
nation.) It may have an ability to attack and take control of
routers or management network computers of network operators in
other countries. A nation may control a registry (e.g., an RIR)
that operates within its territory and might force that registry
to act in a rogue capacity. National threat motivations include
the desire to control the flow of traffic to/from the nation or to
divert traffic destined for other nations (for passive or active
wiretapping, including DoS).
Attacks are classified based on the target of the
attack, an element of the routing system, or the routing security
infrastructure on which PATHSEC relies. In general, attacks of
interest are ones that attempt to violate the integrity or
authenticity of BGP traffic or that violate the authorizations
associated with entities participating in the RPKI. Attacks that
violate the implied confidentiality of routing traffic, e.g.,
wiretapping attacks, are not considered a requirement for BGP