
Security Issues in PIM-SM Link-local Messages

<draft-atwood-pim-sm-linklocal-00.txt>

J.W. Atwood, Salekul Islam

{bill, salek_is}@cse.concordia.ca

Department of Computer Science and Software Engineering

Concordia University


1. PIM Link-local Messages

Protocol Independent Multicast - Sparse Mode (PIM-SM) is very widely used, due to its scalability and flexibility.

Most of the PIM-SM control messages (Hello, Join/Prune and Assert) fall into the link-local category.

PIM link-local messages are sent to adjacent routers with:
- TTL = 1,
- source address = a link-local address of the interface on which the message is being sent, and
- destination address = ALL_PIM_ROUTERS (a multicast address: 224.0.0.13 for IPv4, ff02::d for IPv6).

If a forged link-local message is sent by an attacker, it may affect the construction of the distribution tree. The effects vary from very severe to minor for different types of forged messages.

Our goal is to protect the PIM link-local messages from all sorts of attacks.


2. Security Issues in Present I-D

To authenticate PIM link-local messages, the PIM-SM I-D recommends IP security (IPsec) in transport mode, using the Authentication Header (AH) protocol.

The key features of this proposal are:

1. The IPsec and AH specifications do not permit the anti-replay option when a Security Association (SA) is identified by a multicast destination address (i.e., ALL_PIM_ROUTERS). Therefore, the PIM-SM I-D recommends that the anti-replay option be disabled for these SAs.

2. SAs will be configured manually, although the I-D does not preclude the use of a negotiation protocol such as the Internet Key Exchange (IKE).

3. A router is permitted to activate an SA per interface, to use a different authentication method for each link. Although the destination address is the same for all link-local PIM packets, the selected SA for an inbound PIM packet can vary depending on the inbound interface.

4. The SPI will be assigned the value zero in all cases.


3. Limitations of Present I-D

Anti-replay is disabled:

1. Unable to differentiate an already received packet from a fresh one.
2. Wastage of the receiver's resources (every replayed packet is fully processed, including ICV verification, before it can be acted on).
3. Vulnerable to DoS attack.
4. An attacker may change any Join, Prune, Assert or Hello state within a router by replaying captured messages.

SA lookup process for inbound packets:

1. Three parameters (Destination Address = ALL_PIM_ROUTERS, SPI = 0, Protocol used = AH) are used, and these are always fixed. It is not possible to distinguish one SA from another using the Security Association Database (SAD) entries.
2. It is not possible to use a different authentication method for each router interface (assuming the rules of RFC 2402).


4. Our Proposal - Activating Anti-replay

Activate the anti-replay mechanism and maintain a different sliding window for each peer.

Notes: we must establish one SA per peer sender in the case where more than one sender is connected through the same interface (rather than one SA per interface). This is possible because the new AH Internet-Draft permits using the sender address in the SA lookup.

[Figure: example topology of routers R1 to R7. R5 will maintain 3 sliding windows; R7 will maintain 2 sliding windows.]


5. Our Proposal - Refine SA Lookup

Use (sender address, SPI) in the SA lookup process instead of (destination address, SPI, protocol).

For an incoming packet, the sender address is unique. In conjunction with the SPI, it becomes possible to determine a specific SA for that sender from the SAD entries.

This eliminates the errors present in the SA lookup process of the PIM-SM Internet-Draft.

Use of the sender address to index the SA lookup has been accepted in a recent version of the AH Internet-Draft.

Note: SPI = 0 is forbidden by the AH Internet-Draft (it is reserved for local, implementation-specific use and must not be sent on the wire). A different, non-zero value must be defined in the PIM-SM I-D.


6. Manual Key Config. & Use of ESN

Manual key configuration will be more feasible than automatic key configuration.

The Network Administrator will configure a router manually during its boot-up process, with the SA that should be used to send link-local messages, by creating the SAD and SPD entries for each sender connected to this router.

In the AH Internet-Draft there is a provision for a 64-bit Extended Sequence Number (ESN) as the sequence number for the anti-replay mechanism. Only the low-order 32 bits are transmitted; the high-order 32 bits are tracked by both ends and included in the ICV computation.

If we use ESN, we can send up to 2^64 - 1 packets. This number is so large that, from a PIM router's point of view, a PIM router can never exceed it in its lifetime.
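The mechanism of slides 4 to 7 (one SA per peer sender found by sender address and SPI, a separate anti-replay sliding window per peer, and a 64-bit ESN whose high half is authenticated but never transmitted), as an added Python example; this is not code from the draft or from the authors. The window size, the SPI value, the keys, the router names and the PIM payloads are assumptions made here for illustration, and the ICV is HMAC-SHA-256-128 rather than whatever algorithm a deployment would configure. An SA created with anti_replay=False reproduces the behaviour of the present I-D, where a replayed Prune is accepted.

```python
"""Added example, not the draft's code: AH inbound processing for PIM link-local
messages with one SA per peer sender (looked up by sender address + SPI), one
anti-replay window per SA and a 64-bit ESN.  Names, keys and SPI are assumed."""
import hashlib
import hmac
from dataclasses import dataclass

W = 64                   # anti-replay window size (RFC 4303 requires >= 32)
MASK32 = 0xFFFFFFFF
SPI_PIM = 0x1000         # hypothetical non-zero SPI; the draft only forbids 0
ICV_LEN = 16             # HMAC-SHA-256-128 truncation (RFC 4868)

@dataclass
class SA:
    key: bytes
    anti_replay: bool = True   # False reproduces the original I-D behaviour
    started: bool = False
    th: int = 0                # top of window, high 32 ESN bits (never sent)
    tl: int = 0                # top of window, low 32 bits
    bitmap: int = 0            # bit i set => sequence number (top - i) seen

@dataclass
class Packet:
    sender: str                # link-local source address: the SA lookup key
    spi: int
    seq_low: int               # only the low 32 bits of the ESN are sent
    payload: bytes             # the PIM message (Hello, Join/Prune, Assert)
    icv: bytes

def compute_icv(key, spi, seq_high, seq_low, payload):
    """ICV over the AH fields, the payload and the implicit ESN high half."""
    msg = spi.to_bytes(4, "big") + seq_low.to_bytes(4, "big") + payload
    msg += seq_high.to_bytes(4, "big")           # authenticated, not transmitted
    return hmac.new(key, msg, hashlib.sha256).digest()[:ICV_LEN]

class Sender:
    def __init__(self, addr, key, spi=SPI_PIM):
        self.addr, self.key, self.spi, self.seq = addr, key, spi, 0

    def send(self, payload):
        self.seq += 1                            # 64-bit counter, never reused
        hi, lo = self.seq >> 32, self.seq & MASK32
        return Packet(self.addr, self.spi, lo, payload,
                      compute_icv(self.key, self.spi, hi, lo, payload))

class Receiver:
    """SAD keyed by (sender address, SPI) instead of (dest, SPI, protocol)."""
    def __init__(self):
        self.sad = {}

    def add_peer(self, sender, key, spi=SPI_PIM, anti_replay=True):
        self.sad[(sender, spi)] = SA(key=key, anti_replay=anti_replay)

    def receive(self, pkt):
        sa = self.sad.get((pkt.sender, pkt.spi))
        if sa is None:
            return "no_sa"
        # Recover the ESN high half from the window position (RFC 4303 App. A2.2).
        if sa.tl >= W - 1:                       # window inside one 2^32 subspace
            seq_high = sa.th if pkt.seq_low >= sa.tl - W + 1 else sa.th + 1
        else:                                    # window straddles a 2^32 wrap
            lo_edge = (sa.tl - W + 1) & MASK32
            seq_high = max(sa.th - 1, 0) if pkt.seq_low >= lo_edge else sa.th
        seq, top = (seq_high << 32) | pkt.seq_low, (sa.th << 32) | sa.tl
        # Cheap window check first: a replay is dropped before any ICV work.
        if sa.anti_replay and sa.started:
            if seq + W <= top or (seq <= top and (sa.bitmap >> (top - seq)) & 1):
                return "replay"
        expect = compute_icv(sa.key, pkt.spi, seq_high, pkt.seq_low, pkt.payload)
        if not hmac.compare_digest(pkt.icv, expect):
            return "bad_icv"                     # forged: the window is untouched
        # Advance the window only for authenticated packets.
        if not sa.started or seq > top:
            shift = min(seq - top, W) if sa.started else 0
            sa.bitmap = ((sa.bitmap << shift) | 1) & ((1 << W) - 1)
            sa.th, sa.tl, sa.started = seq >> 32, seq & MASK32, True
        elif top - seq < W:                      # inside the window: mark it
            sa.bitmap |= 1 << (top - seq)
        return "ok"

def demo():
    """Constructed scenario: R5 shares a link with peers R1 and R2."""
    r5, out = Receiver(), {}
    for name in ("R1", "R2"):
        r5.add_peer(name, b"key-" + name.encode())
    r1, r2 = Sender("R1", b"key-R1"), Sender("R2", b"key-R2")
    join = r1.send(b"Join(*,G)")
    out["r1_join"] = r5.receive(join)                        # ok
    out["r1_replay"] = r5.receive(join)                      # replay
    out["r2_hello"] = r5.receive(r2.send(b"Hello"))          # ok: own window
    forged = Packet("R1", SPI_PIM, 7, b"Prune(*,G)", b"\x00" * ICV_LEN)
    out["forged_prune"] = r5.receive(forged)                 # bad_icv
    legacy = Receiver()                                      # original I-D
    legacy.add_peer("R1", b"key-R1", anti_replay=False)
    prune = Sender("R1", b"key-R1").send(b"Prune(*,G)")
    legacy.receive(prune)
    out["legacy_replay"] = legacy.receive(prune)             # ok: replay accepted
    return out

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} -> {result}")
```

Running demo() shows the five cases side by side: R1's replayed Join is rejected by its window before any ICV is computed (the resource-wastage point of slide 3), the forged Prune fails the ICV without advancing R1's window, R2's Hello is accepted against its own window, and the legacy SA with anti-replay disabled accepts the replayed Prune. Because the window is positioned by the 64-bit value, the receiver keeps working across the 2^32 boundary of the transmitted sequence number, which is what lets the ESN make manual keys last for the lifetime of a router.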


7. Validation & Conclusions

Validation

We have formally validated the proposal.

Conclusions

We have proposed a very simple and complete solution to protect the PIM link-local messages.

It is possible to achieve protection once the new AH Internet-Draft is adopted.

We have been careful so that our solution does not add much overhead and is compatible with the original specification of PIM-SM.


8. Further Reading

1. Islam, S. “Security Issues in PIM-SM Link-Local Messages”. Masters Thesis, Department of Computer Science and Software Engineering, Concordia University, December 2003.

2. Atwood, J.W., Islam, S. “Security Issues in PIM-SM Link-local Messages”. Internet Draft, <draft-atwood-pim-sm-linklocal-00.txt>, Work in Progress, October 2004.

3. Fenner, B., Handley, M., Holbrook, H., Kouvelas, I. “Protocol Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification (Revised)”. Internet Draft, <draft-ietf-pim-sm-v2-new-11.txt>, Work in Progress, October 2004.

4. Kent, S. “IP Authentication Header”. Internet Draft, <draft-ietf-ipsec-rfc2402bis-09.txt>, Work in Progress, October 2004.