
Results of Security Analysis of Openconfig Interface

Open mihirra opened this issue 9 months ago • 0 comments

Dear All,

My name is Mihir Rajpal and I'm currently a Cybersecurity Masters student at Georgia Institute of Technology.

I recently completed a security analysis of Openconfig, seeing whether Unclassified Security Technical Implementation Guide (STIG) requirements (essentially the unclassified component of the security requirements to operate a switch or router on a government network or a network hosting Controlled Unclassified Information (CUI)) could be met with this interface. I found several deficiencies, and some points of confusion, which are detailed below. A question mark means I am unsure about whether something is true. I plan to propose updates to Openconfig to allow these STIG requirements to be met next (this will be a rough draft that can be modified if changes are desired).

Interface Missing:

  • ACL:
    • PIM filtering.
    • IP options filtering.
    • IPv6:
      • Filter undetermined transport.
      • Filter specific option types based on where it is used and option type field.
  • BGP:
    • Enforce peer as first AS.
    • Limit maximum number of prefixes.
  • Multicast Source Discovery Protocol (MSDP) – Not supported:
    • Filter source-active multicast advertisements based on groups and sources.
    • Limit the number of source-active messages accepted on per-peer basis.
    • Authentication of packets.
    • Limit multicast forwarding cache.
    • Loopback address as source address.
  • PIM:
    • Routing policies.
    • QoS support for specific types of messages.
  • Routing policies:
    • Block static routes from being advertised.
  • Disabling unused services:
    • Might be messy to implement, but is required.
  • Routing protocols:
    • Can’t use keys from keychain despite documentation saying this is allowed.
    • Need a way to select cryptographic algorithms used for routing authentication.
  • VPLS:
    • Set maximal mac table size.
    • Split-horizon rule.
  • Unicast Reverse Path Forwarding (uRPF) – Not supported.
  • IPSec tunnel creation – Not supported. (I did a little bit of research and it looks like no switch or router currently supports this, so I'm open to removing this based on a general consensus.)
  • LDP:
    • Crypto algorithms other than MD5.
  • Disable zero-touch configuration loading.
  • Disable IP directed broadcast on all interfaces.
  • ICMP:
    • Disable unreachable notifications on all interfaces.
    • Disable mask replies on all external interfaces.
    • Disable redirects on all external interfaces.
  • IGMP:
    • Snooping.
    • Limiting states.
    • Filter out packets that join unapproved groups.
  • Multicast Listener Discovery (MLD) – Not supported:
    • Snooping.
    • Limiting states.
    • Filter out packets that join unapproved groups.
  • Disable call home?
  • IP Invalid Source filtering?
  • IPv6:
    • Change hop limit advertisements.
    • Suppress Router Advertisements on all external interfaces (original way to do this was deprecated).
  • Login:
    • Lockout after 3 invalid attempts for 15 minutes.
  • Force logging to start on boot?
    • Might be default, in which case a flag would be nice.
  • Flag indicating that full command should be logged.
  • Password complexity requirements – Not supported:
    • Dictionary of commonly used passwords (needs to be updatable).
    • Minimum password length.
    • Number of uppercase characters.
    • Number of lowercase characters.
    • Number of digits.
    • Number of special characters.
    • Number of characters changed on password change.
    • Password expiration.
    • Forced password update.
    • Password character set.
  • Routing passwords stored only in encrypted form.
  • Way to ensure SNMP is authenticated.
    • I know the interface tries to avoid SNMP, but this would only ensure that it uses authentication if enabled.
  • Backup of system configuration?
  • AAA:
    • MAC RADIUS.
    • Static MAC bypass.
  • VLAN Trunk Protocol:
    • Authentication (including the ability to specify cryptographic algorithms).
  • Mirroring traffic to different interface.
  • DHCP:
    • Snooping.
  • ARP:
    • Snooping.
  • Dynamic Trunk Protocol (DTP) – Not supported:
    • Disable? (Might be done by default)

Might support:

  • Different internal BGP instance for different network-instance.
    • These instances do not share routes between themselves.
  • Proxy ARP disabled on all external interfaces.
    • Supported on a sub-interface level, not sure about interface level (a flag for interface level might be required).
  • VPWS virtual circuit identification – connection-point id and endpoint id are the same.
    • If not, need a better understanding of how virtual circuit identification is configured using this interface.
  • Assign a VLAN to a disabled interface.
    • Need to be able to assign an unused VLAN to a disabled interface.

Nice to have:

  • Device flag verifying underlying device meets various security requirements:
    • Router stops forwarding traffic or maintains configured security policies upon failure of system initialization, shutdown, or system abort.
    • Router fails securely (i.e. shuts down traffic on failure).
    • Signed software updates.
    • No authentication caching.
    • Protected storage for keys.
    • Audits:
      • Account creation.
      • Account modification.
      • Account disabling.
      • Account enabling.
      • Account removal.
      • Execution of privileged functions.
  • IPv6 feature disabling site-local IP addresses.
  • More secure version of authentication server.

Please let me know what feedback/clarifications/concerns you have. Also let me know if you are interested in my changes or not and any requests regarding the structure of the changes. Since I have a deadline for this project, the sooner I get a response the more likely I can incorporate it in the final results in a timely fashion.

Sincerely,
Mihir Rajpal

mihirra · Mar 28 '25 23:03
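As an added example (not part of the issue above and not OpenConfig project code), here is a Python pre-check for two of the "Might support" items: proxy ARP disabled on external interfaces, and disabled interfaces parked on an unused VLAN. It runs over a constructed, simplified JSON rendering of the OpenConfig interface tree (module prefixes dropped, YANG lists as JSON arrays); the `proxy-arp` mode values and the `switched-vlan` `access-vlan` leaf are taken from openconfig-if-ip and openconfig-vlan as I understand them, and the set of "external" interfaces is an assumed operator input since OpenConfig has no such flag.

```python
import json

# Constructed sample in a simplified OpenConfig JSON shape (module prefixes
# dropped, YANG lists as JSON arrays). eth0 is external with proxy-ARP on,
# eth1 is external and compliant, eth2 is shut but left on default VLAN 1.
SAMPLE_CONFIG = json.loads("""
{"interfaces": {"interface": [
  {"name": "eth0", "config": {"enabled": true},
   "subinterfaces": {"subinterface": [
     {"index": 0, "ipv4": {"proxy-arp": {"config": {"mode": "ALL"}}}}]}},
  {"name": "eth1", "config": {"enabled": true},
   "subinterfaces": {"subinterface": [
     {"index": 0, "ipv4": {"proxy-arp": {"config": {"mode": "DISABLE"}}}}]}},
  {"name": "eth2", "config": {"enabled": false},
   "ethernet": {"switched-vlan": {"config": {"access-vlan": 1}}}}
]}}
""")


def proxy_arp_findings(config, external_ifaces):
    """(name, subif index, mode) for every subinterface of an external
    interface whose proxy-ARP mode is not DISABLE. A missing proxy-arp
    container is reported as mode None: the STIG item wants an explicit
    disable, not a vendor default. 'External' is assumed operator input."""
    findings = []
    for iface in config["interfaces"]["interface"]:
        if iface["name"] not in external_ifaces:
            continue
        for sub in iface.get("subinterfaces", {}).get("subinterface", []):
            mode = (sub.get("ipv4", {}).get("proxy-arp", {})
                    .get("config", {}).get("mode"))
            if mode != "DISABLE":
                findings.append((iface["name"], sub["index"], mode))
    return findings


def disabled_iface_vlan_findings(config, unused_vlan):
    """Names of administratively disabled interfaces that are not parked on
    the designated unused access VLAN (enabled defaults to true)."""
    findings = []
    for iface in config["interfaces"]["interface"]:
        if iface.get("config", {}).get("enabled", True):
            continue
        vlan = (iface.get("ethernet", {}).get("switched-vlan", {})
                .get("config", {}).get("access-vlan"))
        if vlan != unused_vlan:
            findings.append(iface["name"])
    return findings
```

Feed it the JSON returned by a gNMI Get on the `interfaces` container after normalising module prefixes, and pass the list of externally facing interfaces from your own inventory.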