Engineers hardly ever think of the control plane as an attack surface — from the new/old wave of centralized controllers (Rule 11!) to the middle-term wave of distributed routing protocols, the control plane just hums along in the background without many people thinking about it from a security perspective. That is, until a big packet-eating black hole sprouts someplace in the Internet, causing massive outages of well-known services, or a service you really depend on. Like your company’s web site… But then we just blame it all on BGP and those silly operators and go get a good night’s sleep, right?
Just because we’re not used to seeing a lot of attacks against the control plane, though, doesn’t mean we shouldn’t take control plane security a little more seriously. In fact, it would be nice to have a solid analysis of, say, IS-IS security, wouldn’t it?
Like, perhaps, draft-ietf-karp-isis-analysis? Or, perhaps, draft-decraene-isis-lsp-lifetime-problem-statement? Yes, just like that…
The KARP IS-IS analysis draft outlines multiple security issues with IS-IS, primarily replay and spoofing attacks. Consider a situation where a router running IS-IS restarts and builds a new session with each of its neighbors. What would stop another device connected to the same subnet from replaying a packet transmitted during the last session, either to force the session to constantly reset or to inject false information into the network? The KARP analysis draft considers this situation, where configuring some sort of cryptographic authentication will and won’t help, and further potential solutions. Current implementations of IS-IS have an intra-session replay protection mechanism based on a 32-bit session-level sequence number covered by encryption headers; without this, inter-session replay attacks can be a serious concern.
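The restart-and-replay situation above, as an added toy model in Python (not code from the draft or from any IS-IS implementation): a baseline receiver that authenticates only the per-session sequence number must forget its sequence state when the neighbor restarts, so a captured packet from the previous session still passes both the MAC check and the sequence check. The second variant assumes, as an illustration rather than anything the page specifies, that a persistent boot counter is mixed into the authenticated data; the PDU fields, key and boot-counter name are all constructed here.

```python
import hmac, hashlib, struct

KEY = b"constructed-shared-key"  # constructed sample, not a real deployment value

def auth_data(boot, seq, payload, bind_boot):
    # Baseline authenticates sequence number + payload only; the hardened
    # variant (an assumption for illustration) also covers a boot counter.
    head = struct.pack("!II", boot, seq) if bind_boot else struct.pack("!I", seq)
    return head + payload

def build_pdu(boot, seq, payload, bind_boot):
    # Toy PDU: boot counter, sequence number, payload and an HMAC over them
    tag = hmac.new(KEY, auth_data(boot, seq, payload, bind_boot), hashlib.sha256).digest()
    return {"boot": boot, "seq": seq, "payload": payload, "mac": tag}

class Receiver:
    """Neighbor-side check: valid MAC plus a strictly increasing sequence number."""
    def __init__(self, bind_boot):
        self.bind_boot, self.last_boot, self.last_seq = bind_boot, 0, 0

    def new_adjacency(self):
        # The baseline has to drop old sequence state on a neighbor restart, or the
        # restarted router (sequence back to 1) could never re-form the adjacency.
        if not self.bind_boot:
            self.last_seq = 0

    def accept(self, pdu):
        data = auth_data(pdu["boot"], pdu["seq"], pdu["payload"], self.bind_boot)
        if not hmac.compare_digest(pdu["mac"], hmac.new(KEY, data, hashlib.sha256).digest()):
            return False
        if self.bind_boot:
            if pdu["boot"] < self.last_boot:   # earlier incarnation: inter-session replay
                return False
            if pdu["boot"] > self.last_boot:   # genuine restart: reset the sequence window
                self.last_boot, self.last_seq = pdu["boot"], 0
        if pdu["seq"] <= self.last_seq:        # intra-session replay
            return False
        self.last_seq = pdu["seq"]
        return True

def scenario(bind_boot):
    """Returns (intra_session_replay_accepted, inter_session_replay_accepted)."""
    rx = Receiver(bind_boot)
    for seq in (1, 2, 3):                      # first session, boot counter 1
        captured = build_pdu(1, seq, b"hello", bind_boot)
        rx.accept(captured)
    intra = rx.accept(captured)                # replay seq 3 inside the same session
    rx.new_adjacency()                         # router restarts, boot counter 2
    rx.accept(build_pdu(2, 1, b"hello", bind_boot))
    inter = rx.accept(captured)                # replay the old seq-3 PDU after restart
    return intra, inter

if __name__ == "__main__":
    print("baseline:", scenario(False))    # (False, True): old PDU accepted after restart
    print("boot-bound:", scenario(True))   # (False, False)
```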
Creating a spoofed LSP with a lifetime set to 0 can cause the LSP to be purged from the entire network; this is mentioned in the analysis draft, and discussed in more detail in the lifetime draft. While enabling encryption on IS-IS can prevent this attack, the lifetime draft mentions a second form of this attack that enabling cryptographic hashes doesn’t protect against — spoofing an LSP with a very small lifetime. Since the lifetime is not 0, the IS-IS protections against a spoofed purge are not triggered. The result would be a “bidding war” between the attacker and the actual owner of the LSP, eventually resulting in the LSP being purged — but not before a storm of flooded LSPs and potential SPF calculations.
If you’re interested in routing security outside the realm of BGPSEC, it would be useful to look at the old KARP working group page (the working group was concluded in March of 2014; while it’s no longer active, there is still a list of the drafts and RFCs available at https://datatracker.ietf.org/wg/karp/documents/). Security work in each protocol has now moved back into the protocol working groups.