Re: [mpls] [MPLS] HELP: Need your opinion on LDP security
lizhong.jin@zte.com.cn Thu, 28 October 2010 12:37 UTC
Return-Path: <lizhong.jin@zte.com.cn>
X-Original-To: mpls@core3.amsl.com
Delivered-To: mpls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9FDBA3A69B4 for <mpls@core3.amsl.com>; Thu, 28 Oct 2010 05:37:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.19
X-Spam-Level:
X-Spam-Status: No, score=-102.19 tagged_above=-999 required=5 tests=[AWL=-0.352, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_DOUBLE_IP_LOOSE=0.76, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UMq2gRIxyexj for <mpls@core3.amsl.com>; Thu, 28 Oct 2010 05:37:52 -0700 (PDT)
Received: from mx5.zte.com.cn (mx6.zte.com.cn [63.218.89.70]) by core3.amsl.com (Postfix) with ESMTP id 80F5D3A69B9 for <mpls@ietf.org>; Thu, 28 Oct 2010 05:37:48 -0700 (PDT)
Received: from [10.34.0.130] by mx5.zte.com.cn with surfront esmtp id 3510806486374; Thu, 28 Oct 2010 20:38:13 +0800 (CST)
Received: from [10.32.0.74] by [192.168.168.16] with StormMail ESMTP id 25731.3779601808; Thu, 28 Oct 2010 20:36:14 +0800 (CST)
Received: from notes_smtp.zte.com.cn ([10.30.1.239]) by mse3.zte.com.cn with ESMTP id o9SCdl4V006099; Thu, 28 Oct 2010 20:39:47 +0800 (CST) (envelope-from lizhong.jin@zte.com.cn)
In-Reply-To: <4D27355721B24E2D88BD17261507DD91@m55527c>
To: Mach Chen <mach@huawei.com>
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.6 March 06, 2007
Message-ID: <OF46494E6E.771D7FE1-ON482577CA.00454EA2-482577CA.0045891B@zte.com.cn>
From: lizhong.jin@zte.com.cn
Date: Thu, 28 Oct 2010 20:38:41 +0800
X-MIMETrack: S/MIME Sign by Notes Client on JinLiZhong127666/user/zte_ltd(Release 6.5.6|March 06, 2007) at 2010-10-28 20:39:30, Serialize by Notes Client on JinLiZhong127666/user/zte_ltd(Release 6.5.6|March 06, 2007) at 2010-10-28 20:39:30, Serialize complete at 2010-10-28 20:39:30, S/MIME Sign failed at 2010-10-28 20:39:30: The cryptographic key was not found, Serialize by Router on notes_smtp/zte_ltd(Release 8.5.1FP4|July 25, 2010) at 2010-10-28 20:39:30
Content-Type: multipart/alternative; boundary="=_alternative 0045891A482577CA_="
X-MAIL: mse3.zte.com.cn o9SCdl4V006099
Cc: mpls@ietf.org, lamberto.sterling@gmail.com
Subject: Re: [mpls] [MPLS] HELP: Need your opinion on LDP security
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mpls>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Oct 2010 12:37:54 -0000
Hi Mach, Yes, I think it is it is reasonable to bring down the session, if operator wants to change the hello parameter after the session is already setup. Anyway, need more comments from operators. Thanks. Lizhong Mach Chen <mach@huawei.com> wrote on 2010-10-28 20:13:28: > Hi Lizhong, > > If allowing operators to change parameters, the potential attackers also can > change it by sending spoofing hellos, then security threat is there. > > If changing hello parameters can not tear an existing LDP session, how do > the operators make the changes to take effect? I guess you probably have to > disable all relevant configuration, then change the parameters, afterward > enable again. IMHO, this is not what the operators want. > > In addition, normally, changing hold time will not tear down the existing > session and is natural thing. > > Best regards, > Mach > > > -------------------------------------------------- > From: <lizhong.jin@zte.com.cn> > Sent: Thursday, October 28, 2010 6:59 PM > To: <mach@huawei.com>; <erosen@cisco.com>; <lamberto.sterling@gmail.com> > Cc: <mpls@ietf.org> > Subject: Re: [mpls] [MPLS] HELP: Need your opinion on LDP security > > > Hi Mach, > > LDP Hello's function is to establish session and keepalive. After session > > is established, node should not be allowed to change hold time or > > transport address dynamically (although not explicitly said in RFC5036). > > If operator wants to change the hello hold time, it is reasonable to bring > > down the session. > > If we do not allow hello parameters to be changed dynamically (that's easy > > to implement), is there any other security threat? > > > > Thanks > > Lizhong > > > >> > >> > >> ------------------------------ > >> > >> Message: 2 > >> Date: Wed, 27 Oct 2010 11:40:18 -0400 > >> From: Eric Rosen <erosen@cisco.com> > >> Subject: Re: [mpls] [MPLS] HELP: Need your opinion on LDP security > >> To: Mach Chen <mach@huawei.com> > >> Cc: mpls@ietf.org, Lamberto Sterling <lamberto.sterling@gmail.com> > >> Message-ID: <8822.1288194018@erosen-linux> > >> > >> > >> > if there is no hello authentication, an established LDP session can > > be > >> > torn down by a spoofing Hello with a smaller Hold Time interval > > ordifferent > >> > Transport Address. > >> > >> Do you think we really need replay protection to protect against this? > > To > >> exploit this vulnerability with a replay attack, an attacker would have > > to > >> wait patiently until a router is reconfigured with a longer hold time > > and > >> hello interval, and then replay that router's old hellos. This would be > > a > >> very sophisticated attack. > >> > >> If we do want router R1 to be able to discard replays of old Hellos from > >> router R2, I don't think the proposed mechanism is adequate. At any > > moment > >> when R1 does not have a Hello adjacency to R2, the replays of R2's old > >> packets would be acceptable to R1, unless the shared secret has changed. > >> For targeted LDP Hellos, it might be better to have each peer include > >> something it learned from the other peer's recent Hellos. E.g., R2 > > could > >> include in its Hello the sequence number from R1's most recent Hello. > > Then > >> R1 could easily distinguish recently generated R2-Hellos from replayed > >> R2-Hellos, and it wouldn't have to know anything about R2's hello > > interval > >> or sequence number selection algorithm. (A few details to be worked > > out.) > >> Of course, something like this wouldn't work on a LAN, but the LAN > >> environment is not where the vulnerability is. > >> > >> I am also curious as to why your proposal does not include the IP source > > and > >> destination addresses, or the transport (UDP) header, in the hash. Most > >> similar proposals seem to do so, but I don't understand all the security > >> issues well enough to know whether that is required or desirable in this > >> case. > >> > >> Frankly, I don't think there is enough security expertise on this > > mailing > >> list to be able to properly a security proposal of this sort. If the WG > >> decides to pursue the issue of LDP Hello authentication, the chairs > > should > >> ask the Security ADs to assign a security advisor. But then we'd > > probably > >> be told that this work conflicts with the KARP WG ;-) > >> > >> > > > > -------------------------------------------------------- > > ZTE Information Security Notice: The information contained in this mail is > > solely property of the sender's organization. This mail communication is > > confidential. Recipients named above are obligated to maintain secrecy and > > are not permitted to disclose the contents of this communication to > > others. > > This email and any files transmitted with it are confidential and intended > > solely for the use of the individual or entity to whom they are addressed. > > If you have received this email in error please notify the originator of > > the message. Any views expressed in this message are those of the > > individual sender. > > This message has been scanned for viruses and Spam by ZTE Anti-Spam > > system. > > -------------------------------------------------------- ZTE Information Security Notice: The information contained in this mail is solely property of the sender's organization. This mail communication is confidential. Recipients named above are obligated to maintain secrecy and are not permitted to disclose the contents of this communication to others. This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the originator of the message. Any views expressed in this message are those of the individual sender. This message has been scanned for viruses and Spam by ZTE Anti-Spam system.
- [mpls] [MPLS] HELP: Need your opinion on LDP secu… Vero Zheng
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Eric Rosen
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Mallette, Edwin
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Vero Zheng
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Vero Zheng
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Vishwas Manral
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Vero Zheng
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Mach Chen
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Lamberto Sterling
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Mach Chen
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Vishwas Manral
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Ronald Bonica
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Thomas Morin
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Mach Chen
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Vero Zheng
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Mach Chen
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Dave Katz
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Eric Rosen
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Rajiv Asati (rajiva)
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Mach Chen
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Vero Zheng
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … lizhong.jin
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Mach Chen
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … lizhong.jin
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Eric Rosen
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Vero Zheng
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Rajiv Asati (rajiva)
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … iLya
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Nitin Bahadur
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Adrian Farrel
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Mach Chen
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Vero Zheng
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Eric Gray
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Vero Zheng
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Rajiv Asati (rajiva)
- Re: [mpls] [MPLS] HELP: Need your opinion on LDP … Rajiv Asati (rajiva)