abstractions are:
• Path Element (PE): The different elements of the VPN service are abstracted into the concept of Path Element (PE). The PE provides unidirectional connectivity between two network nodes. A network node can represent a single device like an end-system, a router or a switch, or a network domain like an autonomous system, an IP network, or even a LAN. PE is the generalized class from which technology-dependent classes like the DiffServPathElement and the LSPPathElement classes are derived.
• Path Discovery: The process of path discovery is carried out by simple match-making based on some Service Attributes. The different types of service attributes are Service Type, which indicates the type of service (a premium service, for example); Time, which indicates the amount of reservation time; Application Type; and Service Properties.
8.4 Secure Routing
Routing tables are used to route packets over any network, especially the Internet. Routing protocols like distance vector, link state, and path vector protocols have been designed to create routing tables through the exchange of routing packets. Routing table “poisoning” is a type of attack on the routing protocols where the routing updates are maliciously modified by the adversaries, resulting in the creation of wrong routing tables. A simple example of routing table “poisoning” leading to a DoS attack has been described in Chap. 6.
8.4.1 Impacts of Routing Table “Poisoning”
Routing table “poisoning” can have impacts like suboptimal routing, congestion, partition, overwhelmed hosts, looping, and illegal access to data.
Suboptimal Routing
With the emergence of the Internet as a means of supporting soft real-time applications, optimality in routing assumes significant importance. Routing table poisoning attacks can result in suboptimal routing that can affect real-time applications. Similarly, in a grid scenario this type of attack may lead to suboptimal routing resulting in a QoS violation.
Congestion
Routing table “poisoning” can lead to artificial congestion if packets are forwarded to only certain portions of the network. Artificial congestion, thus created, cannot be solved by traditional congestion control mechanisms.
Partition
The “poisoning” attack may result in the creation of artificial partitions in the network. This can become a significant problem since hosts residing in one partition will be unable to communicate with hosts residing in the other partition.
Overwhelmed Host
Routing table poisoning may be used as a weapon for DoS attacks. If a router sends updates that result in the concentration of packets on one or more selected servers, the servers can be taken out of service because of the huge amount of traffic. This type of DoS attack is more potent as the attacker is not spoofing identity, and it is thus impossible to detect with the detection techniques mentioned in Chap. 6.
Looping
The creation of triangle routing caused by packet mistreatment attacks could also be simulated through improper updating of the routing table. Loops thus formed may result in packets getting dropped and hence lowering of the overall network throughput.
Access to Data
Adversaries may gain illegal access to data through the routing table poisoning attack. This may lead to adversaries snooping packets which were not supposed to pass through that part of the network.
8.4.2 Different Routing Protocols
Routing protocols can be broadly categorized into three main categories: distance vector, link state, and path vector routing protocols.
Distance Vector
In this set of protocols, the nodes in the network create a vector of shortest-path distances to all the other nodes in the network. This distance vector information is exchanged between the nodes. After receiving the distance vector information from its neighbors, each node calculates its own distance vector. One point to note about these protocols is that no node has the full topology information; each depends on its neighbors for creating its routing tables. It has been shown that several problems like the Count to Infinity problem can be a result of not having the full topology information. Routing Information Protocol (RIP) [159] is an example of a distance vector protocol.
Link State
In link state protocols, each node sends its connectivity information to all other nodes in the network. Based on the information received from all other nodes, each node computes the shortest path tree by applying the Bellman Ford algorithm. Unlike the distance vector protocol, each node participating in the link state protocol has the full topology information. As a result, link state protocols are inherently robust. Open Shortest Path Forwarding (OSPF) [160] is an example of a link state protocol.
Path Vector
This protocol is a variation of the distance vector. In this protocol, each node sends the full shortest path information of all the nodes in the network to its neighbors. It has been shown that problems associated with standard distance vector protocols can be avoided in the path vector protocol. Border Gateway Protocol (BGP) [161] is an example of a path vector protocol.
8.4.3 Routing Attacks and Countermeasures
Routing table poisoning can be broadly categorized into (a) link and (b) router attacks. Link attacks, unlike router attacks, are similar for both link state and distance vector protocols.
Link Attacks – Interruption
Routing information can be intercepted by an adversary, and the information can be stopped from propagating further. However, interruption is not effective in practice. The reason for this is that in the current Internet scenario there is generally more than one path between any two nodes, since the average degree of each node is quite high (around 3.7). Therefore, even if an adversary stops a routing update from propagating, the victim may still be able to obtain the information from other sources. Most routing protocols employ robust updates between neighbors [159, 160] by using acknowledgments. Link attacks are detected in those cases. However, if links are interrupted selectively, it is possible to have unsynchronized routing tables throughout the network. The after-effects of such routing tables are looping and denial-of-service. Unsynchronized routing tables can also be created if a router drops the updates but sends an acknowledgment. The problem of a router dropping routing updates selectively has not been studied in the literature.
Link Attack – Modification/Fabrication
Routing information packets can be modified/fabricated by an adversary who has access to a link in the network. As solutions for this problem, digital signatures are generally employed. In the case of digital signatures, the routing updates increase by the size of the signature (typically between 128 and 1024 bits). This is a viable solution in link state routing protocols, since the LSAs are transmitted infrequently. It has also been proposed as a solution for distance vector protocols. Distance vector protocols suffer from excessive bandwidth consumption as the distance vectors are exchanged quite frequently. Therefore, the addition of extra overhead in the form of a digital signature has been looked upon by the research community with concern. Efforts have been undertaken to reduce the overhead through the use of efficient digital signatures [162]. Another problem with this approach is that it relies on the existence of a public key infrastructure (PKI) for its functioning [163]. In the absence of a PKI, the proposed solutions are not viable.
Link Attack – Replication
Routing table “poisoning” can also take the form of replication of old messages, where a malicious adversary gets hold of routing updates and replays them later. This type of attack cannot be solved using digital signature schemes, because the updates are valid; they are only time-shifted. As a solution to this problem, sequence information is generally used. Sequence information can be in the form of sequence numbers or timestamps. An update is accepted as valid if the sequence number in the packet is greater than or equal to the sequence number of the previously received update from the same router.
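The acceptance rule just described, as an added illustration that is not part of the original chapter: a per-origin filter keeps the highest sequence number accepted so far and drops any update carrying an older one, which is exactly what defeats a replayed (valid but time-shifted) update. The `Update` record, the `ReplayFilter` class and the sample stream are constructed for this example; the optional `max_age` check is the timestamp variant the text mentions, where the sequence field carries the sender's clock.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Update:
    origin: str    # router that generated the update
    seq: int       # sequence number (or sender timestamp) set by the origin
    content: str   # routing payload, opaque for this example


class ReplayFilter:
    """Accept an update only if its sequence number is not older than the last one
    accepted from the same origin (the 'greater than or equal' rule in the text).

    strict=True requires a strictly greater number, so an exact duplicate of the
    latest update is dropped as well.  max_age (optional) treats seq as a timestamp
    and additionally rejects updates older than max_age relative to `now`."""

    def __init__(self, strict: bool = False, max_age: Optional[int] = None):
        self.last_seq = {}          # origin -> highest sequence number accepted
        self.strict = strict
        self.max_age = max_age

    def accept(self, upd: Update, now: Optional[int] = None) -> bool:
        if self.max_age is not None and now is not None and now - upd.seq > self.max_age:
            return False            # stale by the receiver's clock
        prev = self.last_seq.get(upd.origin)
        if prev is not None and (upd.seq < prev or (self.strict and upd.seq == prev)):
            return False            # older than (or equal to) what we already hold
        self.last_seq[upd.origin] = upd.seq
        return True


def filter_stream(updates, strict: bool = False):
    """Return the updates that survive the filter, in arrival order."""
    flt = ReplayFilter(strict=strict)
    return [u for u in updates if flt.accept(u)]


# Constructed stream: R1 legitimately sends seq 1, 2, 3; afterwards an old copy
# (seq 1) and a copy of the latest update (seq 3) are replayed on the link.
STREAM = [
    Update("R1", 1, "D reachable, cost 2"),
    Update("R1", 2, "D reachable, cost 5"),
    Update("R1", 3, "D unreachable"),
    Update("R1", 1, "D reachable, cost 2"),   # replay of an old update
    Update("R1", 3, "D unreachable"),         # replay of the current update
]


def accepted_sequence_numbers(strict: bool = False):
    return [u.seq for u in filter_stream(STREAM, strict=strict)]


if __name__ == "__main__":
    print("accepted (>=):", accepted_sequence_numbers())          # [1, 2, 3, 3]
    print("accepted (> ):", accepted_sequence_numbers(strict=True))  # [1, 2, 3]
```

With the rule as stated (greater than or equal) the replayed copy of the current update is still accepted, which is harmless because it carries the same content; the strict variant drops it too. The sequence field only helps if its integrity is protected by the signature discussed above, otherwise the replayed packet can simply be given a fresh number, and a receiver that restarts loses its `last_seq` state and must re-learn it.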
Router Attacks – Link State
A router can be compromised, making it malicious in nature. Router attacks differ in their execution depending on the nature of the routing protocol. In the case of a link state routing protocol, a router sends information about its neighbors. Hence, a malicious router can send incorrect updates about its neighbors, or remain silent if the link state of a neighbor has actually changed. A router attack can be proactive or inactive in nature. In the case of a proactive router attack, the malicious router can add a fictitious link, delete an already existing link, or change the cost of a link proactively. In the case of an inactive router attack, a router ignores a change in the link state of its neighbors. The solutions proposed for router attacks in link state protocols can be categorized into two types: intrusion detection and protocol-driven. The use of intrusion detection techniques has been suggested as a mechanism to detect router attacks [164]. In these techniques, a centralized attack analyzer module detects attacks based on some possible alarm event sequences. Using an attack analyzer module in the Internet scenario is not a scalable solution. In a protocol-driven solution, the detection capability is embedded in the link state protocol itself. In [165], the Secure Link State Protocol (SLIP) has been proposed, where attack detection capability has been incorporated in the routing protocol itself. A router does not believe an update unless it receives a “confirmation” link state update from the node supporting the questionable link. However, the solution is not complete as it works only in a symmetric network where both nodes supporting a link can identify the change in the link state. It also makes the assumption that no malicious collusion exists in the network.
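The confirmation rule described for the protocol-driven approach, as an added example that is not code from [165] or from this chapter: a link state database holds a claimed change as pending until the router at the other end of the link reports the same state, and exposes the list of unconfirmed claims so an operator can alert on them. The `LinkUpdate` record, the `ConfirmedLinkStateDB` class and the scenario are constructed here. The last part of the scenario shows the stated limitation: two colluding routers confirming each other's fictitious link get it accepted.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LinkUpdate:
    origin: str           # router that sent the link state update
    neighbor: str         # far end of the link being described
    cost: Optional[int]   # None means the link is reported down


class ConfirmedLinkStateDB:
    """Applies a change to a link only after BOTH endpoints have reported the same
    state (constructed model of the SLIP 'confirmation' idea).  Single-ended
    claims stay pending, which covers a fabricated link, a deleted link, a changed
    cost and the 'inactive' case where one endpoint stays silent about a change."""

    def __init__(self):
        self.links = {}     # frozenset({a, b}) -> cost of links currently believed
        self.pending = {}   # (frozenset({a, b}), cost) -> set of endpoints reporting it

    def receive(self, upd: LinkUpdate) -> str:
        key = frozenset({upd.origin, upd.neighbor})
        if self.links.get(key) == upd.cost:
            return "unchanged"                      # nothing new claimed
        reporters = self.pending.setdefault((key, upd.cost), set())
        reporters.add(upd.origin)
        if reporters != key:                        # other endpoint has not confirmed
            return "pending"
        # Both endpoints agree: apply and forget any stale claims about this link.
        self.pending = {k: v for k, v in self.pending.items() if k[0] != key}
        if upd.cost is None:
            self.links.pop(key, None)
        else:
            self.links[key] = upd.cost
        return "applied"

    def unconfirmed(self):
        """Claims only one endpoint has made: the events worth alerting on."""
        return [(tuple(sorted(k)), c, sorted(r)) for (k, c), r in self.pending.items()]


def scenario():
    """Constructed sequence of updates; returns the decision taken for each."""
    db = ConfirmedLinkStateDB()
    results = {
        # honest link A-B: A reports first, B confirms
        "A_claims_AB": db.receive(LinkUpdate("A", "B", 5)),
        "B_confirms_AB": db.receive(LinkUpdate("B", "A", 5)),
        # single router M claims a fictitious link to X; X never confirms
        "M_claims_MX": db.receive(LinkUpdate("M", "X", 1)),
        # B reports A-B down while A stays silent (inactive behaviour on A's side)
        "B_claims_AB_down": db.receive(LinkUpdate("B", "A", None)),
        # two colluding routers confirm each other's fictitious link (limitation)
        "M1_claims_M1M2": db.receive(LinkUpdate("M1", "M2", 1)),
        "M2_confirms_M1M2": db.receive(LinkUpdate("M2", "M1", 1)),
    }
    results["believed_links"] = {tuple(sorted(k)): c for k, c in db.links.items()}
    results["unconfirmed"] = db.unconfirmed()
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The unconfirmed list is the detection signal: a fabricated link shows up as a claim with a single reporter, and a silent endpoint shows up the same way from the other side. Because the check is purely "do both endpoints agree", it cannot tell a colluding pair apart from an honest one, which is the assumption of no collusion that the text notes.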
Router Attacks – Distance Vector
Unlike the link state case, in distance vector protocols routers can send wrong and potentially dangerous updates regarding any nodes in the network, since the nodes do not have the full network topology. In distance vector protocols, if a malicious router creates a wrong distance vector and sends it to all its neighbors, the neighbors accept the update since there is no way to validate it. As the router itself is malicious, standard techniques like digital signatures do not work. In [166], the authors have proposed a validation scheme through the addition of predecessor information in the
also being proposed. However, most of these solutions work under some assumptions. More research is needed before these solutions can be adopted in practice.
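The distance vector exchange described in Sect. 8.4.2, and the reason given above that neighbors cannot validate a wrong vector, as one added simulation that is not part of the chapter or of its references. Nodes repeatedly take each neighbor's advertised vector at face value and keep the cheapest candidate; one router then advertises a vector claiming distance 0 to every destination. The constructed five-node topology, the `distance_vector`, `trace` and `compare` functions are assumptions of this example; `compare` also models the liar forwarding on its true table (a deliberate assumption) to show the suboptimal-routing and traffic-attraction impacts, while the unpatched run shows the looping impact.

```python
INF = float("inf")

# Constructed topology: node -> {neighbor: link cost}.  A-B-C-D is the cheap path;
# M is an alternative router attached to A and D.
TOPOLOGY = {
    "A": {"B": 1, "M": 1},
    "B": {"A": 1, "C": 1},
    "C": {"B": 1, "D": 1},
    "D": {"C": 1, "M": 3},
    "M": {"A": 1, "D": 3},
}


def distance_vector(topology, lying=None, rounds=50):
    """Synchronous distance-vector exchange.  `lying` maps a router to the vector it
    advertises instead of its real one.  Neighbors have no way to check a vector,
    so they simply keep whatever candidate is cheaper.  Returns (dist, nexthop)."""
    lying = lying or {}
    nodes = sorted(topology)
    dist = {n: {m: 0 if m == n else INF for m in nodes} for n in nodes}
    nexthop = {n: {m: n if m == n else None for m in nodes} for n in nodes}
    for _ in range(rounds):
        changed = False
        for n in nodes:
            for nb, link_cost in topology[n].items():
                advertised = lying.get(nb, dist[nb])       # what nb claims to reach
                for dest in nodes:
                    cand = link_cost + advertised.get(dest, INF)
                    if cand < dist[n][dest]:
                        dist[n][dest], nexthop[n][dest] = cand, nb
                        changed = True
        if not changed:
            break
    return dist, nexthop


def trace(nexthop, src, dst):
    """Follow next hops from src towards dst.  Returns (path, status) where status
    is 'ok', 'loop' (a node repeats) or 'unreachable'."""
    path, cur = [src], src
    while cur != dst:
        cur = nexthop[cur][dst]
        if cur is None:
            return path, "unreachable"
        if cur in path:
            return path + [cur], "loop"
        path.append(cur)
    return path, "ok"


def real_cost(topology, path):
    return sum(topology[a][b] for a, b in zip(path, path[1:]))


def compare(topology, liar, src, dst):
    """Honest run versus a run in which `liar` claims distance 0 to every node.
    Assumption for the 'patched' result: the liar forwards on its true table."""
    _, honest = distance_vector(topology)
    lie = {liar: {n: 0 for n in topology}}
    pdist, poisoned = distance_vector(topology, lying=lie)
    h_path, _ = trace(honest, src, dst)
    _, raw_status = trace(poisoned, src, dst)          # liar's own table also poisoned
    poisoned[liar] = honest[liar]                      # liar keeps its true next hops
    p_path, p_status = trace(poisoned, src, dst)
    return {
        "honest_path": h_path, "honest_cost": real_cost(topology, h_path),
        "believed_cost": pdist[src][dst],              # what src thinks the route costs
        "unpatched_status": raw_status,
        "poisoned_path": p_path, "poisoned_status": p_status,
        "poisoned_cost": real_cost(topology, p_path),
    }


if __name__ == "__main__":
    for k, v in compare(TOPOLOGY, "M", "A", "D").items():
        print(f"{k}: {v}")
```

In the honest run A reaches D over B and C at cost 3. After M advertises distance 0 to everything, A believes D is one hop away through M, so its traffic takes the real-cost-4 path through M (suboptimal routing, and M now sees packets it should never have carried). If M's own table is poisoned too, A and M point at each other for D and the trace reports a loop. Nothing in the exchange lets A distinguish M's vector from a genuine one, which is why the text turns to schemes that add validating information such as predecessor data.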