Re: [karp] Supporting Authentication Trailer for OSPFv3 -- replays
Sam Hartman <hartmans-ietf@mit.edu> Wed, 20 October 2010 13:40 UTC
Return-Path: <hartmans@mit.edu>
X-Original-To: karp@core3.amsl.com
Delivered-To: karp@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9597C3A684D for <karp@core3.amsl.com>; Wed, 20 Oct 2010 06:40:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.968
X-Spam-Level:
X-Spam-Status: No, score=-102.968 tagged_above=-999 required=5 tests=[AWL=-0.703, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yaUwPmGWJtD9 for <karp@core3.amsl.com>; Wed, 20 Oct 2010 06:40:37 -0700 (PDT)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id A02B83A68B9 for <karp@ietf.org>; Wed, 20 Oct 2010 06:40:30 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id 9D34320178; Wed, 20 Oct 2010 09:41:56 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 7AB0141CE; Wed, 20 Oct 2010 09:41:23 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
References: <7C362EEF9C7896468B36C9B79200D8350CF3CBA6B4@INBANSXCHMBSA1.in.alcatel-lucent.com> <7C362EEF9C7896468B36C9B79200D8350CF3F39B29@INBANSXCHMBSA1.in.alcatel-lucent.com>
Date: Wed, 20 Oct 2010 09:41:23 -0400
In-Reply-To: <7C362EEF9C7896468B36C9B79200D8350CF3F39B29@INBANSXCHMBSA1.in.alcatel-lucent.com> (Manav Bhatia's message of "Fri, 15 Oct 2010 05:06:23 +0530")
Message-ID: <tslr5fl2d8c.fsf_-_@carter-zimmerman.suchdamage.org>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: karp@ietf.org
Subject: Re: [karp] Supporting Authentication Trailer for OSPFv3 -- replays
X-BeenThere: karp@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion list for key management for routing and transport protocols <karp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/karp>, <mailto:karp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/karp>
List-Post: <mailto:karp@ietf.org>
List-Help: <mailto:karp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/karp>, <mailto:karp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Oct 2010 13:40:38 -0000
I've dropped the OSPF group from the CC list as I'm following up in part from a conversation at the last KARP meeting. Manav, your draft looks very interesting. I definitely think that protecting the IP address is an important addition to OSPF authentication. As you helped us point out in draft-hartman-ospf-analysis,an attacker who can observe packets can destroy an adjacency in at least one direction simply by flipping the IP addresses around. Your draft doesn't handle what you described as inter-connection replay protection. In particular, the same key is used for all traffic, and the sequence space is not subdivided. If you use a time stamp as a sequence number, you are vulnerable to significant denial of service attacks using intra-connection replays. However, if you use a per-packet sequence number, you will eventually run out of sequence numbers and wrap. One problem is that your adjacencies go down when you wrap. Another problem is that an attacker who captured one of your old packets with a higher sequence number can replay it after the wrap and bring down your adjacency. Your draft doesn't fix this problem. we could decide we're not going to fix inter-connection replay issues. I think that would be a huge mistake. We learned at the unwanted traffic workshop that DOS concerns with routing protocols are a huge concern and a powerful attacker tool. I think that is very much still true today. I think it is especially true on enterprise and campus networks. If we're going to solve this problem, we need to figure out where. Eric and Gregory were having a discussion about this during the last KARP meeting. Eric said that in order to use the key derivation process that Gregory favored, there would need to be some sort of nonce exchange. Eric was concerned that the routing protocols would not change/did not already have the mechanisms to make this possible. Let's take a look at how this could work in your draft. Let's assume that in addition to sending a sequence number you sent a random nonce that was constant until a peer reboots or needs to change its sequence number. Routers would need to keep track of the nonce in the neighbor table and would also need to have some exchange for proving liveness of a nonce. Here's how proving liveness would work. Router A receives a packet including nonce and sequence number from B. A will be able to use the nonce and sequence number to know if future packets from B are replays. However A needs to know if this nonce is really B's current nonce or if the initial packet is a replay. So, A needs to somehow get B to send it a packet including fresh information provided by A along with its current nonce. This could either be a new exchange or something integrated into the hello process. It's possible that aspects already present in the OSPF protocol could be used to accomplish this. For example, if we could convince ourselves that replays prior to an adjacency actually reaching database exchange are harmless, perhaps we could do something based off the database exchange or the like without introducing any new messages. It seems that if we're going to do this, we should do it in your draft. Alternatively we could decide that adding the sort of nonces Gregory is looking for is not something we can do. In that case, I think we can only get inter-connection replay with a KMP. Some of the reasoning here is discussed in section 2.1 of draft-hartman-karp-mrkmp. I'd appreciate your thoughts.
- [karp] Supporting Authentication Trailer for OSPF… Bhatia, Manav (Manav)
- Re: [karp] Supporting Authentication Trailer for … mark Brown
- Re: [karp] Supporting Authentication Trailer for … Uma Chunduri
- Re: [karp] Supporting Authentication Trailer for … mark Brown
- Re: [karp] Supporting Authentication Trailer for … Uma Chunduri
- Re: [karp] Supporting Authentication Trailer for … Bhatia, Manav (Manav)
- Re: [karp] Supporting Authentication Trailer for … Sam Hartman
- Re: [karp] Supporting Authentication Trailer for … Joel M. Halpern
- Re: [karp] Supporting Authentication Trailer for … Sam Hartman
- [karp] Mechanism to protect OSPFv2 authentication… Bhatia, Manav (Manav)
- Re: [karp] Mechanism to protect OSPFv2 authentica… Uma Chunduri
- Re: [karp] Mechanism to protect OSPFv2 authentica… mark Brown
- Re: [karp] Mechanism to protect OSPFv2 authentica… Glen Kent
- Re: [karp] Mechanism to protect OSPFv2 authentica… Uma Chunduri
- Re: [karp] Mechanism to protect OSPFv2 authentica… Sam Hartman
- Re: [karp] [OSPF] Supporting Authentication Trail… Alan Davey
- Re: [karp] [OSPF] Supporting Authentication Trail… shraddha
- Re: [karp] [OSPF] Supporting Authentication Trail… Bhatia, Manav (Manav)
- Re: [karp] [OSPF] Supporting Authentication Trail… Bhatia, Manav (Manav)
- Re: [karp] [OSPF] Supporting Authentication Trail… Michael Barnes
- Re: [karp] [OSPF] Supporting Authentication Trail… Glen Kent