[MBONED] draft-eitf-mboned-auto-multicast: Defending against DoS via Teardown

Greg Bumgardner <gbumgard@cisco.com> Thu, 04 August 2011 21:49 UTC

Message-ID: <4E3B1299.9060006@cisco.com>
Date: Thu, 04 Aug 2011 14:43:53 -0700
From: Greg Bumgardner <gbumgard@cisco.com>

All,

The protocol described in the latest draft does not provide any defense 
against a denial-of-service attack on a gateway in which an eavesdropper 
forges a Teardown message to terminate a session and thereby interrupt 
any active multicast streams.

I believe we can make it much more difficult for another entity to send 
a valid teardown message by changing how a request nonce is generated 
and used in the Request, Membership Update and Teardown messages.

The solution involves sending a hashed value as the request nonce in the 
request and update messages, but sending the un-hashed value in the 
Teardown message. If both the relay and gateway use the same hash 
function, the relay can obtain the hashed nonce value used in MAC 
generation by applying the hash function to the nonce value sent in the 
Teardown message. If a cryptographic hash is used (e.g. MD5), an 
eavesdropper will not (easily) be able to guess what nonce value must be 
sent in the Teardown message to produce a valid MAC value.

What follows is some simplistic pseudo-code that describes the procedure:

H(): Hash function used by relay to generate MAC values
HKr = Secret hash key used by relay to generate MAC values
MD5(): MD5 Hash function
N: nonce (random value)

---- Gateway ----
GatewayInterface gif;
gif.last_addr = null;
gif.last_port = null;
gif.last_mac = null;
gif.last_nonce = null;
gif.nonce = rand();                 // N: kept secret, never sent in the clear
gif.hashed_nonce = MD5(gif.nonce);  // only the hashed value goes on the wire
Request request;
request.hashed_nonce = gif.hashed_nonce;
send(request);

---- Relay ----
Message message = receive();
if (message.type == REQUEST) {
     Request request = (Request)message;
     Query query;
     query.nonce = request.hashed_nonce;  // echo the hashed nonce back
     // MAC binds the hashed nonce to the source address/port seen by the relay
     query.mac = H(HKr, request.src_addr, request.src_port, 
request.hashed_nonce);
     query.gateway_addr = request.src_addr;
     query.gateway_port = request.src_port;
     send(query);
}

---- Gateway ----
Query query = receive();
// If the relay now sees a different address/port (e.g. a new NAT mapping),
// tear down the session that was created under the previous one.
if (gif.last_addr != null && (query.gateway_addr != gif.last_addr || 
query.gateway_port != gif.last_port)) {
     // Send Teardown
     Teardown teardown;
     teardown.mac = gif.last_mac;
     teardown.nonce = gif.last_nonce; // Not hashed!
     teardown.orig_addr = gif.last_addr;
     teardown.orig_port = gif.last_port;
     send(teardown);
}
gif.last_nonce = gif.nonce;
gif.last_mac = query.mac;
gif.last_addr = query.gateway_addr;
gif.last_port = query.gateway_port;
Update update;
update.hashed_nonce = gif.hashed_nonce;
update.mac = query.mac;
update.report = <igmp/mld report>;
send(update);

---- Relay ----
Message message = receive();
if (message.type == UPDATE) {
     Update update = (Update)message;
     if (update.mac == H(HKr, update.src_addr, update.src_port, 
update.hashed_nonce)) {
         if (!session_exists(update.src_addr, update.src_port)) {
             create_session(update.src_addr, update.src_port);
         }
         update_session(update.src_addr, update.src_port, update.report);
     }
     else {
         // MAC validation failed - ignore message
     }
}
else if (message.type == TEARDOWN) {
     Teardown teardown = (Teardown)message;
     // The Teardown carries the un-hashed nonce; hash it to recover the
     // value that was used when the MAC was generated.
     if (teardown.mac == H(HKr, teardown.orig_addr, teardown.orig_port, 
MD5(teardown.nonce))) {
         if (session_exists(teardown.orig_addr, teardown.orig_port)) {
             destroy_session(teardown.orig_addr, teardown.orig_port);
         }
     }
     else {
         // MAC validation failed - ignore message
     }
}


======================


Thanks,

-g.b.

Greg Bumgardner
Cisco Systems
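The exchange sketched in the pseudo-code above, as an added, runnable model that is not part of this mail or of the AMT draft: a relay and a gateway implemented as plain Python classes, run through a constructed scenario in which an eavesdropper who captured the Query (hashed nonce plus MAC) attempts a Teardown and is rejected, after which the gateway's NAT mapping changes and its own Teardown, carrying the un-hashed nonce, is accepted. SHA-256 stands in for the mail's MD5() as the nonce hash and HMAC-SHA256 for H(); the relay key, addresses and ports are made up for the example.

```python
import hashlib
import hmac
import os


def hash_nonce(nonce: bytes) -> bytes:
    """Stand-in for the mail's MD5(N); SHA-256 is this example's choice."""
    return hashlib.sha256(nonce).digest()


def relay_mac(key: bytes, addr: str, port: int, hashed_nonce: bytes) -> bytes:
    """Stand-in for H(HKr, addr, port, hashed_nonce): HMAC-SHA256 over the
    gateway endpoint observed by the relay and the hashed nonce."""
    msg = addr.encode() + port.to_bytes(2, "big") + hashed_nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class Relay:
    def __init__(self, key: bytes):
        self.key = key              # HKr, known only to the relay
        self.sessions = set()       # sessions keyed by observed (addr, port)

    def handle_request(self, src_addr, src_port, hashed_nonce):
        # Query echoes the hashed nonce and binds the MAC to the observed endpoint.
        return {"hashed_nonce": hashed_nonce,
                "mac": relay_mac(self.key, src_addr, src_port, hashed_nonce),
                "gateway_addr": src_addr, "gateway_port": src_port}

    def handle_update(self, src_addr, src_port, hashed_nonce, mac, report):
        expected = relay_mac(self.key, src_addr, src_port, hashed_nonce)
        if not hmac.compare_digest(mac, expected):
            return False            # MAC validation failed - ignore message
        self.sessions.add((src_addr, src_port))
        return True

    def handle_teardown(self, orig_addr, orig_port, nonce, mac):
        # Teardown carries the un-hashed nonce: hash it to recover the MAC input.
        expected = relay_mac(self.key, orig_addr, orig_port, hash_nonce(nonce))
        if not hmac.compare_digest(mac, expected):
            return False            # MAC validation failed - ignore message
        self.sessions.discard((orig_addr, orig_port))
        return True


class Gateway:
    def __init__(self):
        self.nonce = os.urandom(16)               # N, never sent in the clear
        self.hashed_nonce = hash_nonce(self.nonce)
        self.last = None                          # (addr, port, mac) from last Query

    def build_request(self):
        return self.hashed_nonce

    def handle_query(self, query):
        """Returns (update, teardown); teardown is None unless the relay now sees
        a different address/port than it did when the last session was set up."""
        addr, port, mac = query["gateway_addr"], query["gateway_port"], query["mac"]
        teardown = None
        if self.last is not None and (addr, port) != self.last[:2]:
            teardown = {"orig_addr": self.last[0], "orig_port": self.last[1],
                        "mac": self.last[2], "nonce": self.nonce}   # not hashed
        self.last = (addr, port, mac)
        update = {"hashed_nonce": self.hashed_nonce, "mac": mac,
                  "report": b"<igmp/mld report>"}   # constructed placeholder
        return update, teardown


def demo():
    """Constructed scenario: relay key, NAT addresses and ports are made up."""
    relay = Relay(b"relay-secret-HKr-constructed-for-demo")
    gw = Gateway()
    out = {}
    # Session 1 through NAT mapping 198.51.100.7:40001
    q1 = relay.handle_request("198.51.100.7", 40001, gw.build_request())
    upd1, td1 = gw.handle_query(q1)
    out["no_teardown_first_time"] = td1 is None
    out["first_update_ok"] = relay.handle_update("198.51.100.7", 40001, **upd1)
    # Eavesdropper captured q1 (hashed nonce + MAC) and replays them as a Teardown;
    # the relay hashes the supplied value again, so the MAC does not match.
    out["forged_teardown_ok"] = relay.handle_teardown(
        "198.51.100.7", 40001, q1["hashed_nonce"], q1["mac"])
    out["session_survives_forgery"] = ("198.51.100.7", 40001) in relay.sessions
    # NAT mapping changes; gateway re-requests and tears down the stale session
    q2 = relay.handle_request("198.51.100.7", 40002, gw.build_request())
    upd2, td2 = gw.handle_query(q2)
    out["legit_teardown_ok"] = relay.handle_teardown(**td2)
    out["stale_session_gone"] = ("198.51.100.7", 40001) not in relay.sessions
    out["second_update_ok"] = relay.handle_update("198.51.100.7", 40002, **upd2)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes concrete: everything an eavesdropper sees on the wire (the hashed nonce in Request, Query and Update, and the MAC) is insufficient to build a Teardown, because the relay re-hashes whatever nonce the Teardown carries before recomputing the MAC; only the holder of the pre-image N can produce a Teardown that validates. Note that this does not stop an eavesdropper from replaying a captured Update, which is a separate concern from the Teardown problem the mail addresses.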