[MBONED] draft-eitf-mboned-auto-multicast: Defending against DoS via Teardown
Greg Bumgardner <gbumgard@cisco.com> Thu, 04 August 2011 21:49 UTC
Return-Path: <gbumgard@cisco.com>
X-Original-To: mboned@ietfa.amsl.com
Delivered-To: mboned@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9EBA21F8A30 for <mboned@ietfa.amsl.com>; Thu, 4 Aug 2011 14:49:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.498
X-Spam-Level:
X-Spam-Status: No, score=-8.498 tagged_above=-999 required=5 tests=[AWL=-2.100, BAYES_00=-2.599, J_CHICKENPOX_13=0.6, J_CHICKENPOX_35=0.6, J_CHICKENPOX_53=0.6, J_CHICKENPOX_55=0.6, J_CHICKENPOX_63=0.6, J_CHICKENPOX_66=0.6, J_CHICKENPOX_83=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N1rs+mU13VHV for <mboned@ietfa.amsl.com>; Thu, 4 Aug 2011 14:49:10 -0700 (PDT)
Received: from ams-iport-2.cisco.com (ams-iport-2.cisco.com [144.254.224.141]) by ietfa.amsl.com (Postfix) with ESMTP id A59CD21F8788 for <mboned@ietf.org>; Thu, 4 Aug 2011 14:49:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=gbumgard@cisco.com; l=3588; q=dns/txt; s=iport; t=1312494566; x=1313704166; h=message-id:date:from:mime-version:to:subject: content-transfer-encoding; bh=uV3VeR57JjDOHqcx4T1ZiPbo6caS7fGTMzn+WuW7L9c=; b=I0trBrn76hbOBVCy6+zk9c88UOIZImDlGzaXgQiaHJjn6eChQxj+UaTN VshOncvusENvqGDX7gT3mQU4NXiOgX3qXmNCvWvukA/dUV2rBKJboG9r5 CFSWW/oO2S/BiOUNfF/fjZRtGJSg4MKZXrypIvsbf/ZHb9eWMCGp6tOTk w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av0EAEMTO05Io8UQ/2dsb2JhbABDp2p3gVkBJUA9FhgDAgECAVgIAQEXB6kZgSMBnlyGQgSHWoshhQeLfQ
X-IronPort-AV: E=Sophos;i="4.67,319,1309737600"; d="scan'208";a="46700427"
Received: from bgl-core-1.cisco.com ([72.163.197.16]) by ams-iport-2.cisco.com with ESMTP; 04 Aug 2011 21:49:24 +0000
Received: from [10.20.185.146] (sjc-gbumgard-8911.cisco.com [10.20.185.146]) by bgl-core-1.cisco.com (8.14.3/8.14.3) with ESMTP id p74LnMF9010742 for <mboned@ietf.org>; Thu, 4 Aug 2011 21:49:23 GMT
Message-ID: <4E3B1299.9060006@cisco.com>
Date: Thu, 04 Aug 2011 14:43:53 -0700
From: Greg Bumgardner <gbumgard@cisco.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100802 Thunderbird/3.1.2
MIME-Version: 1.0
To: mboned@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: [MBONED] draft-eitf-mboned-auto-multicast: Defending against DoS via Teardown
X-BeenThere: mboned@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mail List for the Mboned Working Group <mboned.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mboned>, <mailto:mboned-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mboned>
List-Post: <mailto:mboned@ietf.org>
List-Help: <mailto:mboned-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mboned>, <mailto:mboned-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Aug 2011 21:49:11 -0000
All,

The protocol described in the latest draft does not provide any defense against a denial-of-service attack on a gateway in which an eavesdropper forges a Teardown message to terminate a session and thereby interrupt any active multicast streams.

I believe we can make it much more difficult for another entity to send a valid Teardown message by changing how a request nonce is generated and used in the Request, Membership Update and Teardown messages. The solution involves sending a hashed value as the request nonce in the Request and Update messages, but sending the un-hashed value in the Teardown message. If both the relay and gateway use the same hash function, the relay can obtain the hashed nonce value used in MAC generation by applying the hash function to the nonce value sent in the Teardown message. If a cryptographic hash is used (e.g. MD5), an eavesdropper will not (easily) be able to guess what nonce value must be sent in the Teardown message to produce a valid MAC value.

What follows is some simplistic pseudo-code that describes the procedure:

    H():   Hash function used by relay to generate MAC values
    HKr:   Secret hash key used by relay to generate MAC values
    MD5(): MD5 hash function
    N:     nonce (random value)

    ---- Gateway ----

    GatewayInterface gif;
    gif.last_addr = null;
    gif.last_port = null;
    gif.last_mac = null;
    gif.last_nonce = null;

    gif.nonce = rand();
    gif.hashed_nonce = MD5(gif.nonce);

    Request request;
    request.hashed_nonce = gif.hashed_nonce;
    send(request);

    ---- Relay ----

    Message message = receive();
    if (message.type == REQUEST) {
        Request request = (Request)message;
        Query query;
        query.hashed_nonce = request.hashed_nonce;
        // MAC covers the observed source address/port and the hashed nonce
        query.mac = H(HKr, request.src_addr, request.src_port, request.hashed_nonce);
        query.gateway_addr = request.src_addr;
        query.gateway_port = request.src_port;
        send(query);
    }

    ---- Gateway ----

    Query query = receive();
    if (gif.last_addr != null &&
        (query.gateway_addr != gif.last_addr || query.gateway_port != gif.last_port)) {
        // Address/port changed - send Teardown for the previous session
        Teardown teardown;
        teardown.mac = gif.last_mac;
        teardown.nonce = gif.last_nonce;   // Not hashed!
        teardown.orig_addr = gif.last_addr;
        teardown.orig_port = gif.last_port;
        send(teardown);
    }
    gif.last_nonce = gif.nonce;
    gif.last_mac = query.mac;
    gif.last_addr = query.gateway_addr;
    gif.last_port = query.gateway_port;

    Update update;
    update.hashed_nonce = gif.hashed_nonce;
    update.mac = query.mac;
    update.report = <igmp/mld report>;
    send(update);

    ---- Relay ----

    Message message = receive();
    if (message.type == UPDATE) {
        Update update = (Update)message;
        if (update.mac == H(HKr, update.src_addr, update.src_port, update.hashed_nonce)) {
            if (!session_exists(update.src_addr, update.src_port)) {
                create_session(update.src_addr, update.src_port);
            }
            update_session(update.src_addr, update.src_port, update.report);
        } else {
            // MAC validation failed - ignore message
        }
    } else if (message.type == TEARDOWN) {
        Teardown teardown = (Teardown)message;
        // Re-derive the hashed nonce from the un-hashed value carried in the Teardown
        if (teardown.mac == H(HKr, teardown.orig_addr, teardown.orig_port, MD5(teardown.nonce))) {
            if (session_exists(teardown.orig_addr, teardown.orig_port)) {
                destroy_session(teardown.orig_addr, teardown.orig_port);
            }
        } else {
            // MAC validation failed - ignore message
        }
    }

======================

Thanks,
-g.b.

Greg Bumgardner
Cisco Systems
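The following is an added worked example of the hash-committed nonce scheme proposed in the message above; it is not code from the email, the draft, or the AMT implementation. It models the relay and gateway as plain Python classes and walks through one Request/Query/Update exchange, two forged Teardowns built only from what an eavesdropper can observe on the wire, and the gateway's legitimate Teardown. Assumptions: H() is HMAC-SHA256 keyed with HKr, the nonce commitment uses SHA-256 instead of the MD5 named in the email, and the gateway address, port, and report string are constructed sample values.

```python
import hashlib
import hmac
import secrets


def commit(nonce):
    """Hashed nonce carried in Request/Update; the raw nonce appears only in Teardown.
    (SHA-256 here; the email proposes MD5 - any preimage-resistant hash works.)"""
    return hashlib.sha256(nonce).digest()


class Relay:
    """Relay side: issues a MAC in the Query, validates it in Update and Teardown."""

    def __init__(self, hkr):
        self.hkr = hkr          # secret MAC key HKr, never leaves the relay
        self.sessions = {}      # (addr, port) -> last membership report

    def _mac(self, addr, port, hashed_nonce):
        # H(HKr, src_addr, src_port, hashed_nonce) modelled as HMAC-SHA256 (assumption)
        msg = addr.encode() + port.to_bytes(2, "big") + hashed_nonce
        return hmac.new(self.hkr, msg, hashlib.sha256).digest()

    def handle_request(self, src_addr, src_port, hashed_nonce):
        # Query echoes the observed address/port together with the MAC over them
        return {"gateway_addr": src_addr, "gateway_port": src_port,
                "mac": self._mac(src_addr, src_port, hashed_nonce)}

    def handle_update(self, src_addr, src_port, hashed_nonce, mac, report):
        if not hmac.compare_digest(mac, self._mac(src_addr, src_port, hashed_nonce)):
            return False        # MAC validation failed - ignore message
        self.sessions[(src_addr, src_port)] = report
        return True

    def handle_teardown(self, orig_addr, orig_port, nonce, mac):
        # Re-derive the committed value from the revealed nonce, then check the MAC.
        # A forger who only saw the hashed nonce cannot produce a preimage for it.
        if not hmac.compare_digest(mac, self._mac(orig_addr, orig_port, commit(nonce))):
            return False        # MAC validation failed - ignore message
        return self.sessions.pop((orig_addr, orig_port), None) is not None


class Gateway:
    """Gateway side: fresh random nonce per session, remembers what a Teardown needs."""

    def __init__(self):
        self.nonce = secrets.token_bytes(16)
        self.hashed_nonce = commit(self.nonce)
        self.last = None

    def remember(self, query):
        self.last = {"orig_addr": query["gateway_addr"], "orig_port": query["gateway_port"],
                     "mac": query["mac"], "nonce": self.nonce}   # raw nonce, not hashed

    def build_teardown(self):
        return dict(self.last)


def run_scenario():
    """One full exchange plus forgery attempts; returns the outcome of each step."""
    relay = Relay(hkr=secrets.token_bytes(32))
    gw = Gateway()
    addr, port = "192.0.2.10", 40000          # constructed sample gateway address/port
    results = {}

    # Request -> Query -> Membership Update
    query = relay.handle_request(addr, port, gw.hashed_nonce)
    gw.remember(query)
    results["update_accepted"] = relay.handle_update(
        addr, port, gw.hashed_nonce, query["mac"], "constructed-igmp-report")

    # An eavesdropper saw addr, port, hashed_nonce and mac, but never the raw nonce
    results["forged_with_observed_hash"] = relay.handle_teardown(
        addr, port, gw.hashed_nonce, query["mac"])
    results["forged_with_guess"] = relay.handle_teardown(
        addr, port, secrets.token_bytes(16), query["mac"])
    results["session_survives_forgery"] = (addr, port) in relay.sessions

    # The legitimate gateway reveals the raw nonce in its Teardown
    t = gw.build_teardown()
    results["legit_teardown"] = relay.handle_teardown(
        t["orig_addr"], t["orig_port"], t["nonce"], t["mac"])
    results["session_gone"] = (addr, port) not in relay.sessions
    # Replaying the now-public Teardown finds no session to destroy
    results["replayed_teardown"] = relay.handle_teardown(
        t["orig_addr"], t["orig_port"], t["nonce"], t["mac"])
    return results


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step}: {outcome}")
```

Two design points worth noting. The relay keeps no per-session state beyond what the MAC already binds (address, port, hashed nonce), so the scheme adds no storage on the relay side. Once a Teardown has been sent, the raw nonce is public; the example shows that a replay of it is harmless only because the session it names is already gone and any new session from the gateway commits to a fresh nonce.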