[karp] Mechanism to protect OSPFv2 authentication from IP Layer Issues

"Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com> Mon, 11 October 2010 13:09 UTC

From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: "karp@ietf.org" <karp@ietf.org>
Date: Mon, 11 Oct 2010 18:40:14 +0530
Thread-Topic: Mechanism to protect OSPFv2 authentication from IP Layer Issues
Message-ID: <7C362EEF9C7896468B36C9B79200D8350CF3E839FF@INBANSXCHMBSA1.in.alcatel-lucent.com>
Subject: [karp] Mechanism to protect OSPFv2 authentication from IP Layer Issues

Hi,

Both draft-ietf-opsec-routing-protocols-crypto-issues-07.txt and draft-hartman-ospf-analysis-01.txt describe certain attacks that OSPFv2 is vulnerable to because of OSPFv2 not covering some fields from the IP header in its crypto computation. This draft describes a very simple mechanism to fix such auth vulnerabilities. 

It would be great if the WG members could go through this and provide some feedback.

Cheers, Manav

----- Forwarded Message ----
From: "Internet-Drafts@ietf.org" <Internet-Drafts@ietf.org>
To: i-d-announce@ietf.org
Sent: Mon, October 11, 2010 6:30:02 PM
Subject: I-D Action:draft-bhatia-karp-ospf-ip-layer-protection-00.txt 

A New Internet-Draft is available from the on-line Internet-Drafts directories.

    Title           : Mechanism to protect OSPFv2 authentication from IP Layer Issues
    Author(s)       : M. Bhatia
    Filename        : draft-bhatia-karp-ospf-ip-layer-protection-00.txt
    Pages           : 10
    Date            : 2010-10-06

The IP header is not covered by the MAC in the cryptographic
authentication scheme as described in RFC 2328 and RFC 5709, and an
attack can be made to exploit this omission.  This draft proposes a
simple change in how the authentication is computed to eliminate most
of such attacks.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-bhatia-karp-ospf-ip-layer-protection-00.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.

--
Manav Bhatia,
IP Division, Alcatel-Lucent,
Bangalore - India
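The announcement above says that the RFC 2328 / RFC 5709 MAC covers only the OSPFv2 packet, so nothing in the IP header is authenticated. The following Python is an added illustration of that point and is not code from the draft, from Manav, or from any OSPF implementation. It builds a constructed OSPFv2 Hello, signs it the RFC 5709 way (HMAC over the OSPF packet with the Apad constant 0x878FE1F3 appended, a 32-octet key so that RFC 5709's Ko equals K and Python's stdlib HMAC matches), and shows that a verifier which follows only RFC 5709 cannot tell the same bytes apart when they arrive from a different IP source address. The "ip_aware" variant mixes the IPv4 source address into the authenticated data; where exactly the address is placed (between the OSPF packet and Apad) and the mock of the IP layer as a bare source-address string are this example's own assumptions, not the draft's specification. All addresses, keys and sequence numbers are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct

# RFC 5709: Apad is 0x878FE1F3 repeated L/4 times, L = hash output length in octets.
APAD_WORD = 0x878FE1F3
HASH = hashlib.sha256
L = HASH().digest_size        # 32 for SHA-256
AUTYPE_CRYPTO = 2             # RFC 2328 Appendix D: cryptographic authentication
OSPF_HDR_LEN = 24


def apad():
    return struct.pack("!I", APAD_WORD) * (L // 4)


def build_ospfv2_hello(router_id, area_id, key_id, crypto_seq):
    """Constructed OSPFv2 Hello: 24-octet header plus a minimal 20-octet body.
    With AuType 2 the checksum is zero and the 64-bit Authentication field holds
    0 | Key ID | Auth Data Len | Cryptographic Sequence Number (RFC 2328 App. D)."""
    body = struct.pack("!4sHBBI4s4s",
                       bytes(4),   # network mask (constructed: 0.0.0.0)
                       10,         # HelloInterval
                       0x02,       # Options: E-bit
                       1,          # Router priority
                       40,         # RouterDeadInterval
                       bytes(4),   # Designated Router
                       bytes(4))   # Backup Designated Router
    length = OSPF_HDR_LEN + len(body)          # digest is NOT counted in packet length
    auth = struct.pack("!HBBI", 0, key_id, L, crypto_seq)
    header = struct.pack("!BBH4s4sHH8s", 2, 1, length,
                         ipaddress.IPv4Address(router_id).packed,
                         ipaddress.IPv4Address(area_id).packed,
                         0, AUTYPE_CRYPTO, auth)
    return header + body


def rfc5709_digest(key, ospf_packet):
    """RFC 5709 section 3.3: HMAC over (OSPFv2 packet || Apad). A key of exactly
    L octets makes RFC 5709's Ko equal to K, so stdlib HMAC computes the same value.
    Nothing from the IP header enters the computation."""
    assert len(key) == L
    return hmac.new(key, ospf_packet + apad(), HASH).digest()


def ip_aware_digest(key, src_ip, ospf_packet):
    """Assumed fix for this example: the IPv4 source address is inserted between the
    OSPF packet and Apad. This placement is an assumption, not the draft's wire rule."""
    assert len(key) == L
    src = ipaddress.IPv4Address(src_ip).packed
    return hmac.new(key, ospf_packet + src + apad(), HASH).digest()


def sign(key, ospf_packet, src_ip=None):
    """Append the digest; src_ip=None selects plain RFC 5709, otherwise the IP-aware form."""
    if src_ip is None:
        return ospf_packet + rfc5709_digest(key, ospf_packet)
    return ospf_packet + ip_aware_digest(key, src_ip, ospf_packet)


def verify(key, src_ip, wire, ip_aware):
    """Receiver side: split the OSPF packet from the trailing digest using the header's
    packet-length field, recompute the digest and compare in constant time.
    src_ip stands in for the IP header of the datagram the bytes arrived in."""
    if len(wire) < OSPF_HDR_LEN:
        return False
    pkt_len = struct.unpack("!H", wire[2:4])[0]
    auth_len = wire[19]                        # Auth Data Len octet of the Authentication field
    if auth_len != L or len(wire) != pkt_len + L:
        return False
    ospf_packet, received = wire[:pkt_len], wire[pkt_len:]
    if ip_aware:
        expected = ip_aware_digest(key, src_ip, ospf_packet)
    else:
        expected = rfc5709_digest(key, ospf_packet)
    return hmac.compare_digest(received, expected)


KEY = bytes(range(L))   # constructed 32-octet key; a real deployment uses a random key


def demo():
    """Same OSPF bytes seen from the legitimate source and from another address."""
    legit_src = "10.0.0.1"
    other_src = "10.0.1.1"   # constructed: same bytes arriving from a different source
    hello = build_ospfv2_hello("192.0.2.1", "0.0.0.0", key_id=1, crypto_seq=100)
    wire_5709 = sign(KEY, hello)
    wire_fixed = sign(KEY, hello, src_ip=legit_src)
    return {
        "rfc5709_legit": verify(KEY, legit_src, wire_5709, ip_aware=False),
        "rfc5709_resourced": verify(KEY, other_src, wire_5709, ip_aware=False),  # accepted
        "fixed_legit": verify(KEY, legit_src, wire_fixed, ip_aware=True),
        "fixed_resourced": verify(KEY, other_src, wire_fixed, ip_aware=True),    # rejected
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```

The interesting line is `rfc5709_resourced`: the digest is bit-for-bit valid, so a receiver that only follows RFC 5709 has no cryptographic reason to reject it, and any defence has to come from elsewhere (TTL checks, interface binding, the cryptographic sequence number). Once the source address is part of the MAC input, the same bytes from another address fail verification without any change to key management, which is the property the draft's abstract claims for its change.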
