RE: Review of draft-ietf-manet-olsrv2-sec-threats-03

"Dearlove, Christopher (UK)" <chris.dearlove@baesystems.com> Mon, 19 December 2016 10:41 UTC

Return-Path: <chris.dearlove@baesystems.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04ABF12969B; Mon, 19 Dec 2016 02:41:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.127
X-Spam-Level:
X-Spam-Status: No, score=-6.127 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RDNS_NONE=0.793] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mI4z6qgq1Tjo; Mon, 19 Dec 2016 02:41:06 -0800 (PST)
Received: from ukmta1.baesystems.com (unknown [20.133.0.55]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1E241296A4; Mon, 19 Dec 2016 02:40:13 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.33,373,1477958400"; d="scan'208";a="142209153"
Received: from unknown (HELO baemasmds016.greenlnk.net) ([10.15.207.101]) by ukmta1.baesystems.com with ESMTP; 19 Dec 2016 10:40:11 +0000
X-IronPort-AV: E=Sophos;i="5.33,373,1477958400"; d="scan'208";a="148456039"
Received: from glkxh0001v.greenlnk.net ([10.109.2.32]) by baemasmds016.greenlnk.net with ESMTP; 19 Dec 2016 10:40:12 +0000
Received: from GLKXM0003V.GREENLNK.net ([169.254.4.250]) by GLKXH0001V.GREENLNK.net ([10.109.2.32]) with mapi id 14.03.0248.002; Mon, 19 Dec 2016 10:40:11 +0000
From: "Dearlove, Christopher (UK)" <chris.dearlove@baesystems.com>
To: Elwyn Davies <elwynd@dial.pipex.com>, "gen-art@ietf.org" <gen-art@ietf.org>
Subject: RE: Review of draft-ietf-manet-olsrv2-sec-threats-03
Thread-Topic: Review of draft-ietf-manet-olsrv2-sec-threats-03
Thread-Index: AQHSWWjMPz9z731p2kWISNR37iythaEPD0tw
Date: Mon, 19 Dec 2016 10:40:10 +0000
Message-ID: <B31EEDDDB8ED7E4A93FDF12A4EECD30DA51A49AC@GLKXM0003v.GREENLNK.net>
References: <148209096399.6405.5288912281902695282.idtracker@ietfa.amsl.com>
In-Reply-To: <148209096399.6405.5288912281902695282.idtracker@ietfa.amsl.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.109.62.6]
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/JTmdLhMBSZsLdvo1-fF5tlMBpMg>
Cc: "draft-ietf-manet-olsrv2-sec-threats.all@ietf.org" <draft-ietf-manet-olsrv2-sec-threats.all@ietf.org>, "manet@ietf.org" <manet@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Dec 2016 10:41:08 -0000

Elwyn Davies
> s3.2:  I do not know enough about the details of NHDP and OLSRv2 to know if this is a silly question:  Would it be possible for a compromised node to perform hop-limit or hop-count modification attacks even with RFC 6183 security in place just by modifying these fields and reforwarding the packet even if it wasn't actually in the network topology?   If so, it would be desirable to mention this if it can do any harm.

No, not a silly question at all. But there are details that make the answer longer than yes or no.

(Typo: RFC 6183 is RFC 7183.)

You need to distinguish packets from messages (this is RFC 5444 territory). And NHDP doesn't matter here, as its message (HELLO) is not forwarded and any hop count or limit is either ignored or possibly used as a reason to reject.

So OLSRv2 messages (TC) are forwarded, but at each hop they are put into a packet. That packet is assembled from one or more messages, and at each hop it is broken apart and a new packet formed. So the TC message may share a packet with different other messages at each hop.

RFC 7183, which forwards to RFC 7182 where the actual work is defined, allows you to protect either messages, or packets (or both). Packet protection protects hop count and hop limit, but has other limitations (it is not end to end). Message protection is applied to each message, and is end to end (or rather, originator to each processing/forwarding router) but does not protect hop count and hop limit.

So if using RFC 7183/7182 just to protect messages (it also covers sender addresses) then there is an attack. Attacker receives packet, sends new packet that resets hop count and limit in those messages it includes in a new packet to only one more hop before end of life. Sends quickly (normal forwarding may be delayed, especially if using RFC 5148) and possibly even elsewhere in network (wormhole attack). This "penultimate hop" message poisons the real message, if it arrives later, as it is seen before, and not forwarded, while the penultimate hop message will go one hop and stop. (Can we do this with a "last hop" message to poison even more successfully? That I would need to check some details in RFC 7181 to determine.)

Could this be prevented? I can imagine a revision of RFC 7181's forwarding rules that recorded hop count/limit, and if seeing a longer range message decided to forward that even if seen before with a lower range. But that introduces a new attack of creating a sequence of increasing range messages to add to the traffic load. Or you could use both packet and message ICVs, which does prevent this attack but increases overhead. Or (potential future that I know someone is working on, but is not a solution now as far as I know) find a form of aggregating signature that overcomes this problem efficiently.
********************************************************************
This email and any attachments are confidential to the intended
recipient and may also be privileged. If you are not the intended
recipient please delete it from your system and notify the sender.
You should not copy it or use it for any purpose nor disclose or
distribute its contents to any other person.
********************************************************************