

Page 1: [IEEE 2008 Integrated Communications, Navigation and Surveillance Conference (ICNS) - Bethesda, MD, USA (2008.05.5-2008.05.7)] 2008 Integrated Communications, Navigation and Surveillance

GMPLS Network Security: Gap Analysis

Vikram Ramakrishnan, Chris Wargo and Sherin John

Computer Networks & Software, Inc. (CNS), 7405 Alban Station Court, Suite B-215, Springfield, VA 22150, 703-644-2103

Abstract

As contrasted to the management plane of today's and emerging network architectures, the control plane will not be as easy to secure. The control plane is an emerging concept that is part of most large-scale, high-speed next-generation networks. This may also include the architectures that are being researched to go beyond Internet2. Today the control plane originally defined for Generalized Multi-Protocol Label Switching (GMPLS) is being considered for implementations such as T-MPLS, MPLS-TE, and Ethernet PBB-PBT. In the future, these network switching techniques and the supporting control plane will be supporting the SWIM approach now advocated as part of the NextGen service-oriented architecture. The security threats that are being defined and reviewed in the IETF are only part of the story. This paper organizes the categories of threats and provides an understanding of the defensive techniques and of the gaps in providing security for the control plane.

Introduction

Internet2 provides the U.S. research and education community with a dynamic and cost-effective hybrid optical and packet network. The network was designed to provide next-generation services as well as a platform for the development of new networking ideas and protocols. It provides mechanisms for dynamic and static wavelength services.

Generalized Multi-Protocol Label Switching (GMPLS) extends Multi-Protocol Label Switching (MPLS) to provide a control plane over which control messages are communicated for devices that can switch in the packet, time, wavelength, and fiber domains. These techniques are emerging for use in high-bandwidth networks similar to SONET. A common control plane promises to simplify network operation and management by automating end-to-end provisioning of connections, managing network resources, and providing the level of QoS that is expected by new, sophisticated applications. The control plane protocols are vulnerable to attacks both from outside and from within the network. SigSec™, an intrusion detection system being developed by CNS, Inc. under a DOE-SBIR Phase II project, is intended to help detect and protect against such attacks.

New network technologies and impact on Aviation Networks

A primary goal of Internet2 is to ensure the transfer of new network technology and applications to the broader communities. Rather than replacing the commercial Internet, these networks aim to continually provide capabilities that are 3-5 years ahead of it, providing a proving ground for new technologies that eventually benefit every Internet user.

As the technology progresses it may be used to support NextGen service-oriented architectures. Net-centricity provides for an interconnected network in which information is shared among users, applications, and platforms during all phases of aviation transportation efforts. Control planes are becoming more popular. They offer vendor independence, interoperability, and standardized protocols. They also provide the ability to perform automated and immediate recovery from network faults, and a dynamic reactivity that results in reduced operational costs, timescales, and risks.

978-1-4244-2304-0/08/$25.00 ©2008 IEEE


A control plane based architecture allows for a single operator command to provision a whole connection end to end and the ability to optimize network usage more efficiently.

GMPLS and other control plane architectures enable advanced services such as System Wide Information Management (SWIM).

SWIM is an architecture that operates in the background to provide seamless information to users who have a valid need for the data. It promises to lower the cost of information, increase the speed with which new interfaces are established, and improve the ability to share information with other providers.

GMPLS

GMPLS offers a potential alternate approach to provisioning paths. GMPLS extends the forwarding and control planes to include not only packet mode and cell mode but also synchronous optical network (SONET), DWDM, and fiber-based network elements.

The IETF specification for the GMPLS control plane lists RSVP-TE, BGP, LMP, OSPF and CR-LDP as the major protocols for implementation of the control plane (please refer to the acronym list, if required).

An important economic impact of GMPLS is the ability to automate network resource management and service provisioning of end-to-end traffic-engineered paths. Service provisioning has been a manual, lengthy and costly process. The deployment of control plane-based nodes allows carriers to automate the provisioning and management of the network and promises to lower the cost of operation by several orders of magnitude (days or even minutes instead of weeks or months).

Security

As the volume of traffic increases, there is a greater dependency on data communications in all aspects of aviation operations. As a result, service disruptions or degradation can have serious implications, both financial and for the physical safety and security of users. Reliance on automated procedures for routine operator tasks is on the increase. A simple example would be the automated baggage handling systems at airports: an attack on such a system could result in widespread confusion in a system that already has a propensity to misdirect baggage on its own, costing the airlines a fair amount of money.

NextGen systems for aviation propose concepts such as trajectory-based tracking, separation management, weather integration and increased data link transactions with the aircraft. The resulting increase in data traffic by its nature opens up a larger target area for individuals and organizations with malicious intent.

Higher bandwidth in individual connections means that individual users are capable of generating much larger streams of traffic, and the number of logical sessions sharing the same physical connection is also increased. An attack on such systems can result in disruptions to multiple users and applications.

Concerns

Many protocols use MD5, which can be cracked. Some protocols use simple text-based passwords, and keys are not always securely, frequently, or dynamically distributed. A post-it note with a password on it is surprisingly easy to "hack".

Attackers are becoming more sophisticated and there are ever-greater security risks from individuals and organized groups.

A successful attack on a network or on a Service Provider's infrastructure may cause one or more of the following ill effects:

- Observation, modification, or deletion of a provider or user's data.

- Injection of spurious data into a traffic stream.

- Traffic pattern analysis.

- Disruption of connectivity.

- Degradation of quality of service.

- Denial of Service (DoS).

Implementations do not always provide security support.


The control plane must include mechanisms that prevent or minimize the risk of attackers being able to inject and/or snoop on control traffic. These risks depend on the level of trust between nodes that exchange control messages, as well as the physical characteristics and implementation of the control channel.

Even with all the security mechanisms available today, the risk of service disruption increases simply by not securing the control plane with the right type of security. For example, the triggering of recovery actions under false failure indication messages can destabilize the core network. Label Switched Path (LSP) pre-emption is one such attack. Simply changing the priority level of an LSP can cause the network to try to re-establish a number of other LSPs in order to reorganize the priorities again, resulting in a priority arms race.

Security mechanisms typically are geared towards providing authentication and confidentiality. Authentication can provide origin verification, message integrity and replay protection, while confidentiality ensures that a third party cannot decipher the contents of a message. However, just paying attention to these in the control plane implementation leaves a broad and exploitable “gap” in the security framework of GMPLS and related networks.

Vulnerabilities

An attack on the control plane of a network is a doorway to attacking the data plane or even completely disabling data plane traffic. It could also result in loss of user confidentiality and prevention of new services.

Some implementations may use IPsec tunnels to provide security for the control plane traffic. An IPsec tunnel hides the contents of a packet from view, but in many IPsec implementations unencrypted packets will be let through and passed on to the destination. IPsec only prevents the contents of the encrypted packet from being viewed or tampered with; it is not always used for authentication. Most implementations do not filter out packets that are not encrypted.

The chain-of-trust model is very vulnerable to any illicit access into the network. If a rogue control plane packet can be tunneled into the network, its effect will ripple out, impacting all nodes. Examples include:

- Creation of bogus LSPs in RSVP-TE

- False resource availability advertisements in OSPF/IS-IS

- Denial of Service attacks

The network is open to insider attacks such as those by a 'pressured insider' or a 'disgruntled employee/ex-employee'.

A router or control plane node may be subverted by methods such as loading malware or a virus; this is theoretically possible with routers and switches. An operator may gain full control, giving him the ability to modify the configuration or make network requests. It requires some form of security breach, and an insider attack is the most likely cause. This is an attack at the center of the network: the chain-of-trust model provides no defense, and all existing security techniques are useless against it. Also important to consider are what are known as "sleeper" implementations. These may be secret lines of code inserted maliciously into firmware that stay dormant until a specified time is reached or a specific trigger is received. The effects may be devastating and hard to track. The node accepts configuration, participates in security and allows normal control plane behavior, yet it may insert fake control plane messages and cause theft of resources, diversion of traffic, DoS and service teardown.

Unauthorized nodes can obtain a routing protocol adjacency on links where an IGP (Interior Gateway Protocol) has been enabled by misconfiguration, or where authentication is not used. This may result in many different kinds of attacks, for example traffic redirection.

Network snooping is another possible vulnerability. Encryption provides a lot of protection, but by watching a whole network's control plane one can deduce the LSP source and destination, or all nodes (and so possibly links) used by each LSP. This is generally considered a low-priority issue.


Defensive Techniques

There are defensive mechanisms that may be put in place to help improve the security of the control plane. Some of them are listed below.

Physical security: Physical security was originally a very strong tradition in transport networks, but it is now broken by the ubiquity of IP, which poses a great risk for management networks and control plane networks. It is possible to protect sites and switching equipment, but it is hard to protect fiber and cable runs (amplifiers, etc.).

Authentication: Authentication is a good technique, but there are issues. There are too many source-destination pairs to make end-to-end authentication practical. The result is that there are too many secrets and keys to maintain, since each network node would need a relationship with all sources to catch attacks as early as possible. Hence authentication is usually only performed with neighbors.

Neighbor authentication: By maintaining Access lists a node may be able to keep track of its legitimate neighbors, helping to prevent man in the middle type attacks. This provides very low-level security since source identifiers are usually easy to spoof.

Digital signature on messages: Signatures may be applied hop-by-hop to the messages. The signature may use a key or may be a password.

Message integrity: Provides tamper-protection for hop-by-hop messages. Simple methods such as CRC may provide some basic checks as to the integrity of the message. More complex / sophisticated methods may provide enhanced integrity check.

Encryption: Many types of encryption techniques are available (e.g. IPsec), although they are not used very often. It is important to consider why not. In most cases it is simply due to the difficulty in achieving interoperability between multiple encrypted systems.

Intrusion Detection Systems (IDS): Some of these shortcomings, particularly insider or malware attacks, are overcome by use of an autonomous intrusion detection system involving the detection of tampered packets. In a broader sense, what is required is the detection of attacks that appear to be perfectly legitimate control messages. Here the use of the right IDS can close the gap in the network security defenses.

The chain-of-trust model is only as strong as the weakest link. Authentication and integrity must be used in the entire network (or not at all), although secrets and keys are still a nuisance to maintain. The passwords should be strong keys and should be changed frequently. In most network situations there are a non-trivial number of neighbors to manage and configure at every node. The result is that authentication and message integrity are rarely used in the GMPLS control plane. An ideal solution for control plane-based architectures is an IDS. CNS is developing an IDS intended to secure control plane transactions under the DOE SBIR program.

SigSec

GMPLS Specification documents lack an explicit description of a security framework to ensure the integrity and security of the control plane transactions.

Figure 1: SigSec Deployment Scenarios


The SigSec™ security framework to protect GMPLS control plane is based on the premise that the GMPLS management, signaling and routing protocols are similar to programming languages. A protocol is an agreement about the exchange of information in a distributed system and the protocol definition can be compared to a language definition: it contains a vocabulary and a syntax definition; the procedure rules collectively define a grammar; and the service specification defines the semantics of the language.

SigSec™ performs intrusion detection through multiple layers of checks and verifications. The deployment of SigSec™ is shown in Figure 1. The first and most basic check is the check for the authenticity and integrity of individual packets. This is accomplished by ensuring that the packet is valid as per the protocol specification for the syntactic correctness of the corresponding message. SigSec™ verifies the correctness of the message header and proceeds to verify the validity of each of the succeeding fields. Along with verifying field lengths, SigSec™ checks that the value contained within each field is semantically correct by checking whether it is within the permissible range for that particular field. It may also check dependent sub-fields of the message to ensure that the intended receiver will parse the message accurately, without errors. Any inconsistencies detected here trigger an alert to indicate a potential intrusion into the system. For example, if a BGP peer receives a message that contains a syntax error or an error in its header, whether intended or inadvertent, it will respond with an error notification, shut down the session with the peer from whom the bad message was received, and flush all routes learned from that peer. SigSec™ can prevent such disruptions from occurring.

‘SigSec Core’ detects many known attacks that may pass through semantic and syntax analyzers.

Once the message is declared syntactically and semantically correct, it is passed to the SigSec™ FSM (Finite State Machine) engine. The FSM engine tracks the state of the corresponding protocol based on the type of the incoming message. This change in state is compared to the set of legal state changes allowed by the protocol finite state machine, and any bad state change is treated as indicative of an attack or potential attack. A bad state change may be triggered by the receipt of a message that is not expected by the system in its current state, causing the system to crash, reset itself, or take some similarly disruptive action. Unknown attacks are detected through unexpected protocol exchanges and state changes.
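The layered check described above (protocol as a language with syntax, field semantics and a grammar of legal state transitions) can be made concrete with a small monitor for BGP, the one protocol the text uses as its example. The code below is an added example written for this page; it is not SigSec code and not part of the paper. The header layout (16-byte all-ones marker, 2-byte length in 19..4096, 1-byte type), the OPEN field layout, the hold-time rule (0 or at least 3 seconds) and the state names follow RFC 4271, which the paper cites; the transition table is a deliberately reduced subset of the RFC 4271 session FSM, and the message trace is constructed for the demo. Instead of letting the peer tear down the session on a bad message, the monitor raises an alert and leaves the tracked state untouched.

```python
import struct

# RFC 4271 message header: 16-byte marker, 2-byte length, 1-byte type.
MARKER = b"\xff" * 16
MIN_LEN, MAX_LEN = 19, 4096
TYPE_NAMES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
# Minimum total length per message type (OPEN 29, UPDATE 23, NOTIFICATION 21, KEEPALIVE 19).
MIN_LEN_BY_TYPE = {1: 29, 2: 23, 3: 21, 4: 19}

# Simplified subset of the RFC 4271 session FSM: (state, message) -> next state.
# Any (state, message) pair not listed is treated as an illegal transition.
LEGAL_TRANSITIONS = {
    ("OpenSent", "OPEN"): "OpenConfirm",
    ("OpenSent", "NOTIFICATION"): "Idle",
    ("OpenConfirm", "KEEPALIVE"): "Established",
    ("OpenConfirm", "NOTIFICATION"): "Idle",
    ("Established", "UPDATE"): "Established",
    ("Established", "KEEPALIVE"): "Established",
    ("Established", "NOTIFICATION"): "Idle",
}


class Alert(Exception):
    """Raised when a message fails a syntactic, semantic or FSM check."""


def check_syntax(msg: bytes):
    """Layer 1 (vocabulary/syntax): validate the fixed header. Returns (length, type)."""
    if len(msg) < MIN_LEN:
        raise Alert("syntax: truncated header")
    marker, length, mtype = struct.unpack("!16sHB", msg[:MIN_LEN])
    if marker != MARKER:
        raise Alert("syntax: bad marker")
    if not MIN_LEN <= length <= MAX_LEN:
        raise Alert(f"syntax: length {length} outside 19..4096")
    if length != len(msg):
        raise Alert("syntax: declared length does not match bytes received")
    if mtype not in TYPE_NAMES:
        raise Alert(f"syntax: unknown message type {mtype}")
    return length, mtype


def check_semantics(msg: bytes, length: int, mtype: int) -> None:
    """Layer 2 (semantics): per-type field ranges and dependent sub-field lengths."""
    if length < MIN_LEN_BY_TYPE[mtype]:
        raise Alert(f"semantic: {TYPE_NAMES[mtype]} shorter than its minimum length")
    if mtype == 4 and length != 19:
        raise Alert("semantic: KEEPALIVE must be exactly 19 bytes")
    elif mtype == 1:
        version, _asn, hold, _bgp_id, optlen = struct.unpack("!BHHIB", msg[19:29])
        if version != 4:
            raise Alert(f"semantic: unsupported BGP version {version}")
        if hold in (1, 2):  # RFC 4271: hold time must be 0 or at least 3 seconds
            raise Alert(f"semantic: hold time {hold} (must be 0 or >= 3)")
        if optlen != length - 29:
            raise Alert("semantic: optional parameter length disagrees with message length")
    elif mtype == 2:
        wlen = struct.unpack("!H", msg[19:21])[0]
        if 21 + wlen + 2 > length:
            raise Alert("semantic: withdrawn routes length exceeds message")
        alen = struct.unpack("!H", msg[21 + wlen:23 + wlen])[0]
        if 23 + wlen + alen > length:
            raise Alert("semantic: path attribute length exceeds message")


class SessionMonitor:
    """Layer 3 (grammar): track one peer session and flag illegal transitions."""

    def __init__(self, state: str = "OpenSent"):
        self.state = state
        self.alerts = []

    def inspect(self, msg: bytes) -> str:
        try:
            length, mtype = check_syntax(msg)
            check_semantics(msg, length, mtype)
            name = TYPE_NAMES[mtype]
            nxt = LEGAL_TRANSITIONS.get((self.state, name))
            if nxt is None:
                raise Alert(f"fsm: {name} is not legal in state {self.state}")
            self.state = nxt  # only a message that passed every layer advances the FSM
            return "ok"
        except Alert as exc:
            self.alerts.append(str(exc))
            return "alert"


def build(mtype: int, body: bytes = b"") -> bytes:
    """Assemble a message with a correct header around the given body (constructed test data)."""
    return MARKER + struct.pack("!HB", MIN_LEN + len(body), mtype) + body


def open_msg(asn: int = 65001, hold: int = 90, bgp_id: int = 0x0A000001) -> bytes:
    """OPEN with version 4 and no optional parameters (constructed values)."""
    return build(1, struct.pack("!BHHIB", 4, asn, hold, bgp_id, 0))


def run_demo():
    """Feed a constructed trace through the monitor; returns (results, final state, alerts)."""
    mon = SessionMonitor("OpenSent")
    trace = [
        open_msg(),                                # OpenSent -> OpenConfirm
        build(4),                                  # KEEPALIVE: OpenConfirm -> Established
        build(2, b"\x00\x00\x00\x00"),             # empty UPDATE: stays Established
        build(2, b"\x00\x00\x00\x10"),             # claims 16 attribute bytes, carries none
        open_msg(),                                # second OPEN while Established
        b"\x00" * 16 + struct.pack("!HB", 19, 4),  # KEEPALIVE with a wrong marker
    ]
    results = [mon.inspect(m) for m in trace]
    return results, mon.state, mon.alerts


if __name__ == "__main__":
    results, state, alerts = run_demo()
    print(results, state)
    for line in alerts:
        print(" -", line)
```

The three alerts in the demo come from the three layers in turn (semantic, FSM, syntax), and the session state stays at Established throughout, which is the point of putting a monitor in front of the peer rather than relying on the peer's own error handling.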

As part of the detailed analysis of the control plane protocols conducted under the DoE SBIR project, we have identified a number of potential network attacks that can be detected by our strategy. The attacks have been classified based on system impact levels. At this point, SigSec™ detects and blocks 54 of the attacks classified as High to Critical.

Summary

Control plane-based architectures are increasing in popularity. Security of the control plane is becoming a top priority, as control planes may soon be enabling mission-critical services. Our analysis has shown that there are gaps in securing the control plane. Intrusion Detection Systems such as SigSec™, in addition to the traditional security techniques (e.g. firewalls), provide the best approach to securing the control plane.

Email Addresses

Vikram Ramakrishnan: [email protected]

Chris Wargo: [email protected]

Sherin John: [email protected]


Acronyms

GMPLS: Generalized Multi-Protocol Label Switching

IETF: Internet Engineering Task Force

CRC: Cyclic Redundancy Check

MD5: Message Digest algorithm 5

MPLS-TE: Multi Protocol Label Switching – Traffic Engineering

RSVP-TE: Resource Reservation Protocol - Traffic Extension

BGP: Border Gateway Protocol

LMP: Link Management Protocol

OSPF: Open Shortest Path First

CR-LDP: Constraint-based Label Distribution Protocol

SONET: Synchronous Optical Network

DWDM: Dense Wavelength Division Multiplexing

LSP: Label Switched Path


Acknowledgement

This work was supported by the Department of Energy under Small Business Innovation Research Phase II Grant DE-FG02-05ER84386. We would like to thank Adrian Farrel, Chair of the IETF CCAMP working group and a principal of Old Dog Consulting, Ltd., for his valuable insight, which helped us gain a better understanding of GMPLS and its working.

2008 ICNS Conference

5-7 May 2008

References

Mannie, E., Generalized Multi-Protocol Label Switching (GMPLS) Architecture, RFC 3945, October 2004, The Internet Society.

Smit, H., Intermediate System to Intermediate System (IS-IS) Extensions for Traffic Engineering (TE), RFC 3784, June 2004, The Internet Society.

Katz, D., K. Kompella, Traffic Engineering (TE) Extensions to OSPF Version 2, RFC 3630, September 2003, The Internet Society.

Rekhter, Y., T. Li, S. Hares, A Border Gateway Protocol 4 (BGP-4), RFC 4271, January 2006, The Internet Society.

Andersson, L., P. Doolan, N. Feldman, A. Fredette, B. Thomas, LDP Specification, RFC 3036, January 2001, The Internet Society.

Awduche, D., et al., RSVP-TE: Extensions to RSVP for LSP Tunnels, RFC 3209, December 2001, The Internet Society.

Lang, J., Link Management Protocol (LMP), RFC 4204, October 2005, The Internet Society.

Boscher, C., L. Wu, E. Gray, LDP State Machine, RFC 3215, January 2002, The Internet Society.

Berger, L., Generalized Multi-Protocol Label Switching (GMPLS) Signaling Functional Description, RFC 3271, January 2003, The Internet Society.

Ashwood-Smith, P., L. Berger, Generalized Multi-Protocol Label Switching (GMPLS) Signaling - Constraint-based Routed Label Distribution Protocol (CR-LDP) Extensions, RFC 3472, January 2003, The Internet Society.

Savola, P., Backbone Infrastructure Attacks and Protections, IETF Trust, January 16, 2007.

www.internet2.edu