Routing protocols are used to exchange routing information between routers and dynamically advertise routes. While this has made it possible for us to scale networks, there are some security threats related to routing protocols and network infrastructure that need to be taken into account when implementing a routing protocol in a network design. In this article I will be highlighting a few of the potential security threats, as well as possible plans for mitigation.
Sniffing
Attackers monitor and sometimes record the routing exchanges between routers to sniff for routing information, resulting in the routing information being disclosed. In its passive form this type of attack is not easy to detect; its impact can, however, be mitigated by encrypting all routing exchanges with a pre-defined encryption algorithm such as AES-128.
Spoofing
An attacker's router steals the identity of a legitimate router. This can have a severe impact on neighbour relationships: if the attacker succeeds in spoofing and forms a neighbour relationship, they are able to deny the information of the relationship to the legitimate router. This type of security threat affecting routing protocols can be mitigated through the use of either Layer 2 (data-link) or Layer 3 (network layer) authentication.
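As an added illustration of the authentication mitigation above (not code from the original article or from any router implementation), this simplified Python receiver accepts a routing update only if it carries a valid keyed MAC from the configured neighbour. The packet layout, key and router ID are constructed assumptions, and the sequence-number replay check goes slightly beyond what the text describes.

```python
import hashlib
import hmac
import struct

# Constructed shared key; real routers hold this in a configured key chain.
SHARED_KEY = b"constructed-example-key"
TAG_LEN = 32  # HMAC-SHA256 output size
HDR_LEN = 5   # 1-byte router-ID length + 4-byte sequence number


def sign_update(key: bytes, router_id: str, seq: int, payload: bytes) -> bytes:
    """Build header + payload and append an HMAC-SHA256 tag over both."""
    rid = router_id.encode()
    header = struct.pack("!BI", len(rid), seq) + rid
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Neighbor:
    """Receiver-side state for one configured neighbour (hypothetical class)."""

    def __init__(self, router_id: str, key: bytes):
        self.router_id = router_id
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, packet: bytes) -> bool:
        if len(packet) < HDR_LEN + TAG_LEN:
            return False
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # sender lacks the key, or the packet was altered
        rid_len, seq = struct.unpack("!BI", body[:HDR_LEN])
        if len(body) < HDR_LEN + rid_len:
            return False
        claimed = body[HDR_LEN:HDR_LEN + rid_len].decode(errors="replace")
        if claimed != self.router_id:
            return False  # valid key, but not the neighbour we configured
        if seq <= self.last_seq:
            return False  # replay of an earlier, genuinely signed packet
        self.last_seq = seq
        return True
```

A router that claims the neighbour's identity without holding the key fails the MAC check, and a captured packet replayed later fails the sequence check.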
Misclaiming
An attacker advertises network resources that it is authorized to control, but in a way not allowed by the network administrator. An example is advertising inappropriate link costs in an OSPF LSA. This can deceive other routers into believing one path is better than the other.
Overloading
An attacker can overload a legitimate router by means such as overloading database routing exchanges, substantially impacting routing operations. This threat can be mitigated through the use of security measures that add rate limiting.
Keeping these security threats related to routing protocols in mind is a key step in the journey of maintaining confidentiality, integrity and availability within an enterprise network.
My references for this article: