IETF Logo Mail Archive

Re: [OSPF] Fw: New Version Notification for draft-manjuldtv-ospf-sequence-number-00.txt

Manav Bhatia <manavbhatia@gmail.com> Thu, 12 May 2016 05:11 UTC

Return-Path: <manavbhatia@gmail.com>
X-Original-To: ospf@ietfa.amsl.com
Delivered-To: ospf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A58A912D149 for <ospf@ietfa.amsl.com>; Wed, 11 May 2016 22:11:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id muuDF4TL2WVk for <ospf@ietfa.amsl.com>; Wed, 11 May 2016 22:11:26 -0700 (PDT)
Received: from mail-yw0-x22f.google.com (mail-yw0-x22f.google.com [IPv6:2607:f8b0:4002:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C6DD12B031 for <ospf@ietf.org>; Wed, 11 May 2016 22:11:26 -0700 (PDT)
Received: by mail-yw0-x22f.google.com with SMTP id j74so63255384ywg.1 for <ospf@ietf.org>; Wed, 11 May 2016 22:11:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=MQdY/vE/HE0Eh4wDbScCNL5bnKU4Kyx+mXDvFtQoYGg=; b=l1VatKVwuQ1RQEQgjgJfToNDxAifUIV3/Ocrvnwn01BQJpr3V66VC1BXW1FOGFsnPX ylgsSCX1N8luCnMpHNGsxIzUkVAFSUo56JWWESz0hElSkLHIg7pHhZLAKTdRoEv7LvSa RHOpxyvl4RGgBZZiCL/LfHJqjCZ/jWfA91rF+ARVUMcshHYxq8X390lafnxs1rMWo099 X/maM4g5nxV2Eb4qX9tOnTKqKMezpOAfEZzHQZeg/snslYrX8Lz3MJkXmPOKmCoRjz4Q N2aaS1tz9lG8WElr2uU42ITFQwIatnSmok5LDW3d0RkJJuvrKp4LbkVOuT2/E6JXVqjg Bq4A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=MQdY/vE/HE0Eh4wDbScCNL5bnKU4Kyx+mXDvFtQoYGg=; b=EJFBROCa/QymQz3xtwh+bO1oXsVOEJBH8xP5tjn6QDUf87d5TaGAI9sr6HB/+e2Lkl KkkKxl7KgpXr+exnnP/qdpjJeWsYlnJgeaPASbJOtIywzAZTqR4G8WuJiGlxWTQbVXPM 1tS2vcqW9JRlf4DCevnVVf26TgKBoQjftnopYsgzBq+u+b9gDLqAWQ9XNpVEMOT4k4gz 3S3kl0Eu98LYMee7XS/wUlhcOU4YQXkacCOliChK9FdotCmGDFLeqcrYDiDFUrN5l2rD opEVx6rFMua5twxlX6BBeHFD21mLS/EKi65YQPAfGK+IgcSWCNgJ6aGK52XJFlJimqkq 0xww==
X-Gm-Message-State: AOPr4FXkqjx0+UITupTzyasW35MKQ9otiLjVvs1YtYirVU7eGpoU881HiU0tUazfgD4AB3LO39nGzSZ5wgQODA==
MIME-Version: 1.0
X-Received: by 10.129.111.196 with SMTP id k187mr3590894ywc.11.1463029885276; Wed, 11 May 2016 22:11:25 -0700 (PDT)
Received: by 10.13.216.129 with HTTP; Wed, 11 May 2016 22:11:25 -0700 (PDT)
In-Reply-To: <KL1PR0401MB1544349FCF40E95494CC1D4EA3730@KL1PR0401MB1544.apcprd04.prod.outlook.com>
References: <D358C4E4.607A9%acee@cisco.com> <KL1PR0401MB1544944FE1E375A8FB7A31C0A3730@KL1PR0401MB1544.apcprd04.prod.outlook.com> <CAG1kdoiyj_s_gzHibrmomPJAZo28bCLDxqPRnbeS6-ooJzb_MQ@mail.gmail.com> <KL1PR0401MB1544349FCF40E95494CC1D4EA3730@KL1PR0401MB1544.apcprd04.prod.outlook.com>
Date: Thu, 12 May 2016 10:41:25 +0530
Message-ID: <CAG1kdogZhHgGxbL5caBkAVypncnA3yTtb5+ZebV1m2Yzj0r+jA@mail.gmail.com>
From: Manav Bhatia <manavbhatia@gmail.com>
To: Ramakrishna DTV <ramakrishnadtv@nivettisystems.com>
Content-Type: multipart/alternative; boundary="001a1141ab889b9a0005329e301e"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ospf/-B-n6IGvAFi4NgPYWIG74x5Ix0Q>
Cc: "ospf@ietf.org" <ospf@ietf.org>, Manjul Khandelwal <manjul@nivettisystems.com>
Subject: Re: [OSPF] Fw: New Version Notification for draft-manjuldtv-ospf-sequence-number-00.txt
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ospf/>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 May 2016 05:11:29 -0000

Hi DTV,

Aha. Thanks for the catch !

In that case, i dont understand why the "victim" will NOT generate a new
LSA with LS sequence number one past the received LS sequence number. I see
that the new attack tries to do something by updating the sequence number
and the checksum -- did not spend too much time on trying to understand
what exactly its doing there. However, OSPF also has provisions to get
around that, and i wrote about this many years ago here:

https://routingfreak.wordpress.com/2010/07/02/using-checksum-in-determining-the-newer-lsa/

So i have the same question as Acee -- why will the natural fight-back
mechanism not work here?

Cheers, Manav

On Thu, May 12, 2016 at 10:18 AM, Ramakrishna DTV <
ramakrishnadtv@nivettisystems.com> wrote:

> Hi Manav,
>
> Thank you for your comments.
>
> Gabi has published multiple attacks against OSPF.
>
> The attack we are targeting is published in
>
> @inproceedings{nakibly2012persistent,
>   title={Persistent OSPF Attacks.},
>   author={Nakibly, Gabi and Kirshon, Alex and Gonikman, Dima and Boneh,
> Dan},
>   booktitle={NDSS},
>   year={2012}
> }
>
> This attack indeed depends on predictability of sequence numbers.
> On a side note, we even verified that fact with Gabi Nakibly himself
> over a private mail.
>
> The attack you are discussing in your article is a different attack.
> It was described by Gabi in great detail in a different paper:
>
> @inproceedings{nakibly2014ospf,
>   title={OSPF vulnerability to persistent poisoning attacks: a systematic
> analysis},
>   author={Nakibly, Gabi and Sosnovich, Adi and Menahem, Eitan and Waizel,
> Ariel and Elovici, Yuval},
>   booktitle={Proceedings of the 30th Annual Computer Security Applications
> Conference},
>   pages={336--345},
>   year={2014},
>   organization={ACM}
> }
>
> As you rightly mentioned, this attack does not depend upon sequence number
> predictability. But our draft is *not* targeting *this* attack.
>
> Thanks and regards,
> Ramakrishna DTV.
>
>
>
> ------------------------------
> *From:* Manav Bhatia <manavbhatia@gmail.com>
> *Sent:* Thursday, May 12, 2016 9:16 AM
> *To:* Ramakrishna DTV
> *Cc:* Acee Lindem (acee); Manjul Khandelwal; ospf@ietf.org
> *Subject:* Re: [OSPF] Fw: New Version Notification for
> draft-manjuldtv-ospf-sequence-number-00.txt
>
> Hi DTV,
>
> I dont agree to your assessment of how the attack evades the "natural
> fight-back mechanism" in OSPF.
>
> Its got *nothing* to do with the sequence numbers being predictable, etc.
> I have explained in depth how the Gaby attack works here:
>
>
> https://routingfreak.wordpress.com/2013/09/09/how-bad-is-the-ospf-vulnerability-exposed-by-black-hat/
> How bad is the OSPF vulnerability exposed by Black Hat ...
> <https://routingfreak.wordpress.com/2013/09/09/how-bad-is-the-ospf-vulnerability-exposed-by-black-hat/>
> routingfreak.wordpress.com
> I was asked a few weeks ago by our field engineers to provide a fix for
> the OSPF vulnerability exposed by Black Hat last month. Prima facie there
> appeared ...
>
>
> Clipped from the blog:
>
> "This attack exploits a potential omission (or a bug if you will) in the
> standard where it does not mandate that the receiving router verifies that
> the Link State ID and the Advertising Router fields in the Router LSA are
> the exact same value.
>
> This attack sends malacious Router LSAs with two different values in the
> LS header. The Link State ID carries the Router ID of the router that is
> being attacked (the victim) and the Advertising Router is set to some
> different (any) value.
>
> When the victim receives the malacious Router LSA, it does not refresh
> this LSA as it doesnt recognize this as its own self generated LSA. This is
> because the OSPF spec clearly says in Sec 13.4 that “A self-originated LSA
> is detected when either 1) The LSA’s Advertising Router is equal to the
> router’s own Router ID or 2) the LSA is a network LSA .. “.
>
> This means that OSPF’s natural fight back mechanism is NOT triggered by
> the victim router as long as the field ‘Advertising Router’ of a LSA is NOT
> equal to the victim’s Router ID. This is true even if the ‘Link State ID’
> of that LSA is equal to the victim’s Router ID. Going further it means no
> LSA refresh is triggered even if the malacious LSA claims to describe the
> links of the victim router!"
>
> I describe further in the blog that not all router implementations are
> susceptible to the attack. Its dependent on how the LSA is picked up from
> the LSDB.
>
> Cheers, Manav
>
> On Thu, May 12, 2016 at 7:59 AM, Ramakrishna DTV <
> ramakrishnadtv@nivettisystems.com> wrote:
>
>> Hi Acee,
>>
>> We currently provided the following description of this attack in the
>> draft:
>>
>>  "The paper refers to the attack as "Disguised LSA" and is of
>>    persistent nature.  This attack is launched from a compromised router
>>    inside a routing domain.  In this attack, the compromised router
>>    alters the LSA of an uncompromised router (victim).  Normally, such
>>    an attempt does not have persistence because the victim generates a
>>    new LSA when it sees such self-originated LSAs (referred to as
>>    "fight-back" mechanism in the paper).  But the paper makes disguised
>>    LSA persistent because all the fields { LS sequence number, checksum}
>>    are predictable.  It alters the existing LSA of victim to suit its
>>    needs but sets the sequence number to +1 of the existing LSA and
>>    alters the LSA so that checksum matches with checksum that would be
>>    generated by the victim when it generates the new LSA.  When this
>>    disguised LSA reaches the victim, it does not fight back because it
>>    compares only the fields { LS sequence number, checksum, age} to
>>    check for duplicates and not the actual content of LSA.
>>
>>    This attack enables an insider attacker to fully control the entire
>>    content of an LSA.  We think this attack is powerful."
>>
>> These details are currently present in Section 4, which is titled
>> "Implementation advice".
>> We can probably move it to a different section (e.g., "Introduction") to
>> make it clear.
>>
>> If you think even more additional details about the attack are useful to
>> the working group,
>> please let us know. We will add.
>>
>> Thank you.
>>
>> Regards,
>> Ramakrishna DTV.
>>
>>
>> ________________________________________
>> From: Acee Lindem (acee) <acee@cisco.com>
>> Sent: Wednesday, May 11, 2016 8:49 PM
>> To: Manjul Khandelwal; ospf@ietf.org
>> Cc: Ramakrishna DTV
>> Subject: Re: [OSPF] Fw: New Version Notification for
>> draft-manjuldtv-ospf-sequence-number-00.txt
>>
>> Hi Manjul,
>>
>> Would it be possible to succinctly describe these “certain security
>> attacks” in the draft rather than expecting everyone to read the
>> referenced paper?
>>
>> Thanks,
>> Acee
>>
>> On 5/11/16, 10:19 AM, "OSPF on behalf of Manjul Khandelwal"
>> <ospf-bounces@ietf.org on behalf of manjul@nivettisystems.com> wrote:
>>
>> >Hi,
>> >
>> >We have recently submitted a draft which deals with OSPF LS sequence
>> >number
>> >generation mechanism.
>> >
>> >Abstract of the draft:
>> >   The mechanism for LS sequence number generation as specified in RFC
>> >   2328 and RFC 5340 is completely predictable.  This makes it prone to
>> >   certain security attacks which exploit the predictable nature of LS
>> >   sequence numbers.  This draft updates the RFC 2328 to make LS
>> >   sequence number generation an implementation choice rather than a
>> >   fixed increment by 1 for successive LSAs.
>> >
>> >https://datatracker.ietf.org/doc/draft-manjuldtv-ospf-sequence-number/
>> >
>> >We solicit feedback/comments on the draft and request for adoption by the
>> >OSPF working group.
>> >
>> >Regards,
>> >Manjul Khandelwal
>> >DTV Ramakrishna Rao
>> >________________________________________
>> >From: internet-drafts@ietf.org <internet-drafts@ietf.org>
>> >Sent: Monday, May 9, 2016 7:22 PM
>> >To: Manjul Khandelwal; Ramakrishna DTV
>> >Subject: New Version Notification for
>> >draft-manjuldtv-ospf-sequence-number-00.txt
>> >
>> >A new version of I-D, draft-manjuldtv-ospf-sequence-number-00.txt
>> >has been successfully submitted by Manjul Khandelwal and posted to the
>> >IETF repository.
>> >
>> >Name:           draft-manjuldtv-ospf-sequence-number
>> >Revision:       00
>> >Title:          OSPF LSA sequence number generation
>> >Document date:  2016-05-09
>> >Group:          Individual Submission
>> >Pages:          10
>> >URL:
>> >
>> https://www.ietf.org/internet-drafts/draft-manjuldtv-ospf-sequence-number-
>> >00.txt
>> >Status:
>> >https://datatracker.ietf.org/doc/draft-manjuldtv-ospf-sequence-number/
>> >Htmlized:
>> >https://tools.ietf.org/html/draft-manjuldtv-ospf-sequence-number-00
>> >
>> >
>> >Abstract:
>> >   The mechanism for LS sequence number generation as specified in RFC
>> >   2328 and RFC 5340 is completely predictable.  This makes it prone to
>> >   certain security attacks which exploit the predictable nature of LS
>> >   sequence numbers.  This draft updates the RFC 2328 to make LS
>> >   sequence number generation an implementation choice rather than a
>> >   fixed increment by 1 for successive LSAs.
>> >
>> >
>> >
>> >
>> >Please note that it may take a couple of minutes from the time of
>> >submission
>> >until the htmlized version and diff are available at tools.ietf.org.
>> >
>> >The IETF Secretariat
>> >
>> >_______________________________________________
>> >OSPF mailing list
>> >OSPF@ietf.org
>> >https://www.ietf.org/mailman/listinfo/ospf
>>
>> _______________________________________________
>> OSPF mailing list
>> OSPF@ietf.org
>> https://www.ietf.org/mailman/listinfo/ospf
>>
>
>

v2.23.0 | Report a Bug | By Email