Table 4 SR security issues for zero-trust network environment.
From: A data plane security model of SR-BE/TE based on zero-trust architecture
| Security issue | Specific description | Major threats |
|---|---|---|
| Untrusted network element | Once an eavesdropper obtains the source node's label and a data packet, it directly learns the explicit path of all traffic downstream of the eavesdropping point; replaying captured legitimate identity messages to gain network access also enables a replay attack | Confidentiality and authenticity |
| Message | SR is usually verified only on domain-boundary devices. By abusing the routing-protocol flooding mechanism, forging control-plane protocol messages, or modifying packet headers, an attacker can change critical flow paths or occupy the bandwidth of specific links, create routing loops, drop traffic, intentionally report errors and cause other consequences, breaking link load balancing or blocking network communication | Integrity |
| Denial of service attack [2] | Under the SR protocol, when the "Segments Left" field is non-zero, a router in the domain must send ICMP messages to the packet's source address. Attackers can exploit this to force SR nodes to generate and send large numbers of ICMP messages, realizing DoS/DDoS attacks | Availability |
| Identity deception [27] | Because all nodes in the SR trust domain are under unified control, identity deception is usually impossible inside the domain, but nodes outside the domain may access the SR network posing as in-domain nodes | Confidentiality and controllability |
| Intra-domain detection based on a device back door [27] | By discovering and using a back door in a network device, the attacker captures packets or tampers with forwarding-table entries to obtain the label information generated for SR by control protocols such as OSPF together with data-packet payloads, then analyzes the MPLS/IPv6 label-stack information in them to learn the node labels, link labels and topological relations of downstream devices | Controllability and confidentiality |
| Intra-domain detection based on social engineering [27] | Log in without authorization to a device in the SR domain by social engineering such as tricking operators out of passwords; obtain the label and topology information stored on the device through show commands, the CLI (Command-Line Interface), SNMP (Simple Network Management Protocol) and NETCONF (Network Configuration Protocol) with the help of device maintenance and management tools; then use the device as a sniffing springboard together with OAM functions of the SR-MPLS network such as MPLS traceroute and MPLS ping. Attack messages with different label stacks and specific TTL values are constructed to probe network topology, nodes and links hop by hop. In networks where devices from multiple vendors using different control standards coexist, springboard probing succeeds more easily | Controllability and confidentiality |
| Failure of intra-domain node [28] | Because there is no stable label-release mechanism, modifying the SRGB (SR Global Block) of an SR router, assigning labels that are already in use to it, or reconfiguring the MPLS label range causes service interruption, and the device must be restarted | Availability |
| Failure of infrastructure (PKI/CA failure) [29] | Attackers compromise network security infrastructure such as the PKI/CA (Public Key Infrastructure/Certificate Authority) through APT attacks, causing traffic encryption in the SR domain to fail | Confidentiality and authenticity |
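The "Denial of service attack" row describes transit nodes being driven to emit ICMP errors by crafted segment headers. The following is an added example (not code from the paper or from any router vendor) of the two defensive controls a forwarding plane needs for that row: strict validation of the SRv6 Segment Routing Header before anything is acted on, and a per-source token bucket that caps ICMP error generation. Field offsets follow RFC 8754 (Segments Left, Last Entry, Hdr Ext Len); the rate and burst values and the sample packets are constructed for the demonstration.

```python
"""SRv6 SRH validation with rate-limited ICMP error generation.

Added illustration, not code from the cited paper. Field layout follows
RFC 8754; all sample packets and limits below are constructed.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv6Address

SRH_ROUTING_TYPE = 4  # Routing Type value assigned to the SRH


class SRHError(ValueError):
    """Malformed SRH; a node would answer with ICMPv6 Parameter Problem."""


@dataclass
class SRH:
    next_header: int
    segments_left: int
    last_entry: int
    segments: list  # IPv6Address objects in header order


def parse_srh(buf: bytes) -> SRH:
    """Parse and validate an SRH, rejecting anything that would trigger an ICMP error."""
    if len(buf) < 8:
        raise SRHError("truncated fixed header")
    nh, hdr_ext_len, rtype, seg_left, last_entry, _flags, _tag = struct.unpack("!BBBBBBH", buf[:8])
    if rtype != SRH_ROUTING_TYPE:
        raise SRHError(f"unexpected routing type {rtype}")
    total_len = 8 + 8 * hdr_ext_len  # Hdr Ext Len counts 8-octet units after the first 8 octets
    if len(buf) < total_len:
        raise SRHError("header longer than buffer")
    if 8 + 16 * (last_entry + 1) > total_len:
        raise SRHError("Last Entry points past the header")
    if seg_left > last_entry:  # RFC 8754 4.3.1: Parameter Problem, not silent forwarding
        raise SRHError("Segments Left exceeds Last Entry")
    segs = [IPv6Address(buf[8 + 16 * i: 24 + 16 * i]) for i in range(last_entry + 1)]
    return SRH(nh, seg_left, last_entry, segs)


def is_valid_srh(buf: bytes) -> bool:
    try:
        parse_srh(buf)
        return True
    except SRHError:
        return False


class IcmpErrorLimiter:
    """Per-source token bucket bounding ICMP error emission (RFC 4443 2.4(f) style)."""

    def __init__(self, rate_per_sec: float, burst: int):
        self.rate, self.burst = rate_per_sec, burst
        self._buckets: dict = {}  # src -> [tokens, last_refill_time]

    def allow(self, src: str, now: float) -> bool:
        tokens, last = self._buckets.get(src, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[src] = [tokens - 1.0, now]
            return True
        self._buckets[src] = [tokens, now]
        return False


def process_packet(srh_bytes: bytes, src: str, limiter: IcmpErrorLimiter, now: float) -> str:
    """Return the transit node's verdict for one packet as a string."""
    try:
        srh = parse_srh(srh_bytes)
    except SRHError:
        return "drop+icmp_sent" if limiter.allow(src, now) else "drop+icmp_suppressed"
    if srh.segments_left == 0:
        return "process_next_header"
    return "forward_to_active_segment"


def build_srh(segments, segments_left: int, last_entry=None, next_header: int = 59) -> bytes:
    """Construct an SRH without TLVs for the constructed sample packets."""
    packed = [IPv6Address(s).packed for s in segments]
    if last_entry is None:
        last_entry = len(packed) - 1
    hdr = struct.pack("!BBBBBBH", next_header, 2 * len(packed), SRH_ROUTING_TYPE,
                      segments_left, last_entry, 0, 0)
    return hdr + b"".join(packed)


def simulate_burst(n: int, rate: float, burst: int, src: str = "2001:db8::bad") -> dict:
    """Send n malformed packets from one constructed source at one instant; count verdicts."""
    bad = build_srh(["2001:db8::1", "2001:db8::2"], segments_left=7)  # Segments Left > Last Entry
    limiter = IcmpErrorLimiter(rate, burst)
    counts: dict = {}
    for _ in range(n):
        verdict = process_packet(bad, src, limiter, now=100.0)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    print(parse_srh(build_srh(["2001:db8::1", "2001:db8::2"], segments_left=1)))
    print(simulate_burst(20, rate=5.0, burst=5))  # {'drop+icmp_sent': 5, 'drop+icmp_suppressed': 15}
```

The validation step is what keeps a bad header from being forwarded or acted on; the limiter is what keeps the resulting error traffic bounded per source, so a flood of malformed packets costs the node a fixed number of ICMP messages per second rather than one per packet. A real implementation would also key the bucket on the egress interface and count suppressed errors for telemetry.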
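The "Failure of intra-domain node" row says an SRGB change that reuses labels already bound elsewhere takes the node out of service. The added example below (not the paper's code, and not any vendor's implementation) is a pre-commit validator that refuses such a change: it checks the proposed block against the 20-bit MPLS label space, the reserved labels 0-15, other configured label blocks, labels already bound by other protocols, and the largest prefix-SID index the domain advertises. The block names, label sets and indices it is run against are constructed for the demonstration.

```python
"""Pre-change check for an SR router's SRGB (Segment Routing Global Block).

Added illustration, not code from the cited paper. Label-space constants
follow the MPLS label format (20-bit label, values 0-15 reserved); every
block, label set and SID index below is constructed for the example.
"""
from typing import Dict, Iterable, List

MPLS_LABEL_MAX = (1 << 20) - 1  # 20-bit label field
MPLS_RESERVED = range(0, 16)    # special-purpose labels


def overlap(a: range, b: range) -> bool:
    """True when two half-open label ranges share at least one label."""
    return a.start < b.stop and b.start < a.stop


def check_srgb(base: int, size: int, labels_in_use: Iterable[int],
               other_blocks: Dict[str, range], max_sid_index: int) -> List[str]:
    """Return every problem with configuring the SRGB [base, base + size); empty means safe.

    labels_in_use  - labels already bound by other protocols (constructed: LDP, RSVP-TE)
    other_blocks   - name -> range of other configured blocks (constructed: SRLB, dynamic pool)
    max_sid_index  - highest prefix-SID index advertised in the domain
    """
    problems: List[str] = []
    if size <= 0:
        return ["size must be positive"]
    srgb = range(base, base + size)
    if srgb.stop - 1 > MPLS_LABEL_MAX:
        problems.append(f"block ends at {srgb.stop - 1}, above the 20-bit label maximum {MPLS_LABEL_MAX}")
    if overlap(srgb, MPLS_RESERVED):
        problems.append("block overlaps reserved labels 0-15")
    for name, blk in other_blocks.items():
        if overlap(srgb, blk):
            problems.append(f"block overlaps {name} {blk.start}-{blk.stop - 1}")
    clash = sorted(label for label in set(labels_in_use) if label in srgb)
    if clash:
        problems.append(f"{len(clash)} label(s) already bound inside the block, e.g. {clash[:3]}")
    if max_sid_index >= size:
        problems.append(f"SID index {max_sid_index} does not fit in a block of size {size}")
    return problems


# Constructed state of a node: LDP already owns 24000-24001, RSVP-TE owns 300000,
# an SRLB sits at 15000-15999 and the dynamic pool starts at 24000.
IN_USE = {24000, 24001, 300000}
BLOCKS = {"SRLB": range(15000, 16000), "dynamic pool": range(24000, 1 << 20)}

if __name__ == "__main__":
    print(check_srgb(16000, 8000, IN_USE, BLOCKS, max_sid_index=1500))  # []
    print(check_srgb(24000, 8000, IN_USE, BLOCKS, max_sid_index=1500))  # clashes with LDP and the pool
    print(check_srgb(20000, 1000, IN_USE, BLOCKS, max_sid_index=1500))  # SID index does not fit
```

Running the check before the configuration is committed turns the outage the table describes into a rejected change; the same function can be run over every node's candidate SRGB to confirm that the domain-wide SID index range fits all of them.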