INTERNET-DRAFT V. Gill draft-gill-gtsh-01.txt J. Heasley D. Meyer Category Experimental Expires: March 2004 September 2003 The Generalized TTL Security Mechanism (GTSM) Status of this Document This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. The key words "MUST"", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC 2119]. This document is a product of an individual. Comments are solicited and should be addressed to the author(s). Copyright Notice Copyright (C) The Internet Society (2003). All Rights Reserved. Gill, Heasley, and Meyer [Page 1] INTERNET-DRAFT Expires: March 2004 September 2003 Abstract The use of a packet's TTL to protect a protocol stack from CPU- utilization based attacks has been proposed in many settings (see for example, RFC 2461). This document generalizes these techniques for use by other protocols such as BGP (RFC 1771), MSDP, Bidirectional Forwarding Detection, and LDP (RFC 3036). While the Generalized TTL Security Mechanism (GTSM) is most effective in protecting directly connected protocol peers, it can also provide a lower level of protection to multi-hop sessions. Use of multi-hop GTSM should be considered on a case-by-case basis. Gill, Heasley, and Meyer [Page 2] INTERNET-DRAFT Expires: March 2004 September 2003 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Assumptions Underlying GTSM. . . . . . . . . . . . . . . . . . 3 2.1. Assumptions on Attack Sophistication. . . . . . . . . . . . 4 3. GTSM Procedure . . . . . . . . . . . . . . . . . . . . . . . . 5 3.1. Multi-hop Scenarios . . . . . . . . . . . . . . . . . . . . 5 3.1.1. Intra-domain Protocol Handling . . . . . . . . . . . . . 6 4. Intellectual Property. . . . . . . . . . . . . . . . . . . . . 6 5. Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . . 7 6. Security Considerations. . . . . . . . . . . . . . . . . . . . 7 7. IANA Considerations. . . . . . . . . . . . . . . . . . . . . . 7 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 8.1. Normative References. . . . . . . . . . . . . . . . . . . . 8 8.2. Informative References. . . . . . . . . . . . . . . . . . . 8 9. Author's Addresses . . . . . . . . . . . . . . . . . . . . . . 9 10. Full Copyright Statement. . . . . . . . . . . . . . . . . . . 9 1. Introduction The Generalized TTL Security Mechanism (GTSM) is designed to protect a router's TCP/IP based control plane from CPU-utilization based attacks. In particular, while cryptographic techniques can protect the router-based infrastructure (.e.g., BGP [RFC1771]) from a wide variety of attacks, many attacks based on CPU overload can be prevented by the simple mechanism described in this document. Note that the same technique protects against other scarce-resource attacks involving a router's CPU, such as attacks against processor- line card bandwidth. GTSM is based on the fact that the vast majority of protocol peerings are established between routers that are adjacent [PEERING]. Thus most protocol peerings are either directly between connected interfaces or at the worst case, are between loopback and loopback, with static routes to loopbacks. Since TTL spoofing is considered nearly impossible [BALDWIN2001], a mechanism based on an expected TTL value can provide a simple and reasonably robust defense from infrastructure attacks based on forged protocol packets. 2. Assumptions Underlying GTSM GTSM is predicated upon the following assumptions: Gill, Heasley, and Meyer Section 2. [Page 3] INTERNET-DRAFT Expires: March 2004 September 2003 (i). The vast majority of protocol peerings are between adjacent routers [PEERING]. (ii). It is common practice for many service providers to ingress filter (deny) packets that have the provider's loopback addresses as the source IP address. (iii). Use of GTSM is OPTIONAL, and can be configured on a per-peer (group) basis. (iv). The router supports a method of classifying traffic destined for the route processor into interesting/control and not-control queues. (iv). The peer routers both implement GTSM. 2.1. Assumptions on Attack Sophistication Throughout this document, we assume that potential attackers have evolved in both sophistication and access to the point that they can send control traffic to a protocol session, and that this traffic appears to be valid control traffic (i.e., has the source/destination of configured peer routers). We also assume that each router in the path between the attacker and the victim protocol speaker decrements TTL properly (clearly, if the either the path or the adjacent peer is compromised, then there are worse problems to worry about). Since the vast majority of our peerings are between adjacent routers, we can set the TTL on the protocol packets to 255 (the maximum possible for IP) and then reject any protocol packets that come in from configured peers which do NOT have a TTL in the range 255-254. That is, the receive TTL is expected to be within a small range of 1 or 2 (254-255). The actual value depends upon the architecture, but is it is expected that the receiver will verify the range. GTSM can be disabled for applications such as route-servers and other large diameter multi-hop peerings. In the event that an the attack comes in from a compromised multi-hop peering, that peering can be shut down (a method to reduce exposure to multi-hop attacks is outlined below). Gill, Heasley, and Meyer Section 2.1. [Page 4] INTERNET-DRAFT Expires: March 2004 September 2003 3. GTSM Procedure GTSM SHOULD NOT be enabled by default. The following process describes the per-peer behavior: (i). If GTSM is enabled, an implementation performs the following procedure: (a). For directly connected routers, o Set the TCP TTL for the protocol connection a value in the range 255-254. o For each configured protocol peer: Update the receive path ACL/firewall to only allow protocol packets to pass onto the Route Processor (RP) that have the correct tuple. The TTL must either be in the range 255-254 (directly connected peer), or 255-(configured-range-of-hops) for a multi-hop peer. We specify a range here to achieve some robustness to changes in topology. Any directly connected check should be disabled for such non-direct peerings. It is assumed that a receive path ACL is an ACL that is designed to control which packets are allowed to go to the RP. This procedure will only allow protocol packets from adjacent router to pass onto the RP. (c). If the TTL is not in the range 255-254 (or 255-(configured-range-of-hops) for multi-hop peers), the packet is placed into a low priority queue, and subsequently logged and/or silently discarded. In this case, an ICMP message MUST NOT be generated. (ii). If GTSM is not enabled, normal protocol behavior is followed. 3.1. Multi-hop Scenarios When a multi-hop protocol session is required, we set the expected Gill, Heasley, and Meyer Section 3.1. [Page 5] INTERNET-DRAFT Expires: March 2004 September 2003 TTL value to be 255-(configured-range-of-acceptable-of-hops). While this approach provides a qualitatively lower degree of security for the protocol implementing GTSM (i.e., an DoS attack could be theoretically be launched by compromising some box in the path). However, GTSM will still catch the vast majority of observed DDoS attacks against a given protocol. Note that since the number of hops can change rapidly in real network situations, it is considered that GTSM may not be able to handle this scenario adequately and an implementation MAY provide OPTIONAL support. 3.1.1. Intra-domain Protocol Handling In general, GTSM is not used for intra-domain protocol peers or adjacencies. Current best practice is to protect such peers or adjacencies with an MD5 signature [RFC2385]. The special case of iBGP peers can be further protected by filtering at the network edge for any packet that has a source address of one of the loopbacks addresses used for the intra-domain peering. 4. Intellectual Property The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it has made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11 [RFC2028]. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director. Gill, Heasley, and Meyer Section 4. [Page 6] INTERNET-DRAFT Expires: March 2004 September 2003 5. Acknowledgments The use of the TTL field to protect BGP originated with many different people, including Paul Traina and Jon Stewart. Ryan McDowell also suggested a similar idea. Steve Bellovin, Jay Borkenhagen and Randy Bush also provided useful feedback on early versions of this document. David Ward provided insight on the generalization of the original BGP-specific idea. 6. Security Considerations GTSM is a simple procedure that protects single hop protocol sessions, except in those cases where the directly connected peer has been compromised. While the method is less effective for multi-hop protocol sessions, it still closes the window on several forms of attack. In the multi-hop scenario it is an OPTIONAL extension. Protection of the protocol infrastructure beyond this method will likely require cryptographic machinery such as is envisioned by Secure BGP (S-BGP) [SBGP1,SBGP2], and/or other extensions. For example, consider the class of attacks based on forged SYN packets directed to port 179/tcp on a large core infrastructure routers. In this case, the routers respond with SYN/ACKs (or ICMP messages) towards the victim, resulting in flooding of the victim's link being flooded with SYN/ACK or ICMP traffic. Preventing such attacks will likely require that protocol speakers send SYN/ACKs only to configured neighbors, and they never send ICMP messages related to these events. Finally, note that in the multi-hop case described above, we specify a range of acceptable TTLs in order to achieve some robustness to topology changes. This robustness to topological change comes at the cost of the loss some robustness to different forms of attack. 7. IANA Considerations This document creates a no new requirements on IANA namespaces [RFC2434]. Gill, Heasley, and Meyer Section 7. [Page 7] INTERNET-DRAFT Expires: March 2004 September 2003 8. References 8.1. Normative References [RFC1771] Rekhter, Y., and T. Li (Editors), "A Border Gateway Protocol (BGP-4)", RFC 1771, March, 1995. [RFC1772] Rekhter, Y., and P. Gross, "Application of the Border Gateway Protocol in the Internet", RFC 1772, March, 1995. [RFC2385] Heffernan, A., "Protection of BGP Sessions via the TCP MD5 Signature Option", RFC 2385, August, 1998. [RFC2461] Narten, T., E. Nordmark, and W. Simson, "Neighbor Discover for IP Version 6 (IPv6)", RFC 2461, December, 1998. [RFC3036] Andersson, L., et. al., "LDP Specification", RFC 3036, January, 2001. [SBGP1] Kent, S., C. Lynn, and K. Seo, "Secure Border Gateway Protocol (Secure-BGP)", IEEE Journal on Selected Areas in Communications, volume 18, number 4, April, 2000. [SBGP2] Kent, S., C. Lynn, J. Mikkelson, and K. Seo, "Secure Border Gateway Protocol (S-BGP) -- Real World Performance and Deployment Issues", Proceedings of the IEEE Network and Distributed System Security Symposium, February, 2000. 8.2. Informative References [BALDWIN2001] http://www.sekure.net/docs/detecting_spoof.txt [BFD] Katz, D. and D. Ward, "Bidirectional Forwarding Detection", draft-katz-ward-bfd-00.txt, June, 2003. Work in progress. Gill, Heasley, and Meyer Section 8.2. [Page 8] INTERNET-DRAFT Expires: March 2004 September 2003 [MSDP] Meyer, D., and W. Fenner (Editors), "The Multicast Source Discovery Protocol (MSDP)", draft-ietf-msdp-spec-20.txt, May 2003. Work in progress. [PEERING] Empirical data gathered from the Sprint and AOL backbones, October, 2002. [RFC2028] Hovey, R. and S. Bradner, "The Organizations Involved in the IETF Standards Process", RFC 2028/BCP 11, October, 1996. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", RFC 2119, March, 1997. [RFC2434] Narten, T., and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", RFC 2434/BCP 0026, October, 1998. 9. Author's Addresses Vijay Gill Email: vijay@umbc.edu John Heasley Email: heas@shrubbery.net David Meyer Email: dmm@1-4-5.net 10. Full Copyright Statement Copyright (C) The Internet Society (2003). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Gill, Heasley, and Meyer Section 10. [Page 9] INTERNET-DRAFT Expires: March 2004 September 2003 Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Gill, Heasley, and Meyer Section 10. [Page 10]