IETF Logo Mail Archive

Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)

Acee Lindem <acee.lindem@ericsson.com> Thu, 12 September 2013 22:10 UTC

Return-Path: <acee.lindem@ericsson.com>
X-Original-To: ospf@ietfa.amsl.com
Delivered-To: ospf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A964111E8197 for <ospf@ietfa.amsl.com>; Thu, 12 Sep 2013 15:10:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e3FZyxGYu32e for <ospf@ietfa.amsl.com>; Thu, 12 Sep 2013 15:10:12 -0700 (PDT)
Received: from usevmg21.ericsson.net (usevmg21.ericsson.net [198.24.6.65]) by ietfa.amsl.com (Postfix) with ESMTP id 9D51711E80F2 for <ospf@ietf.org>; Thu, 12 Sep 2013 15:10:12 -0700 (PDT)
X-AuditID: c6180641-b7fe28e000000d82-10-52323bc32ae2
Received: from EUSAAHC007.ericsson.se (Unknown_Domain [147.117.188.93]) by usevmg21.ericsson.net (Symantec Mail Security) with SMTP id 28.16.03458.4CB32325; Fri, 13 Sep 2013 00:10:12 +0200 (CEST)
Received: from EUSAAMB101.ericsson.se ([147.117.188.118]) by EUSAAHC007.ericsson.se ([147.117.188.93]) with mapi id 14.02.0328.009; Thu, 12 Sep 2013 18:10:11 -0400
From: Acee Lindem <acee.lindem@ericsson.com>
To: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
Thread-Topic: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)
Thread-Index: AQHOr8mgairws3t0mUyN6Ip72NhCAZnC7SqA
Date: Thu, 12 Sep 2013 22:10:11 +0000
Message-ID: <94A203EA12AECE4BA92D42DBFFE0AE470304C7DC@eusaamb101.ericsson.se>
References: <1375736635.93585.YahooMailNeo@web165005.mail.bf1.yahoo.com> <DC74E46E9699A84EB0E1183B90FD160928F2C192@xmb-aln-x11.cisco.com> <1376248961.41754.YahooMailNeo@web165004.mail.bf1.yahoo.com> <20211F91F544D247976D84C5D778A4C32E4B3B43@SG70YWXCHMBA05.zap.alcatel-lucent.com> <5231A28C.5030102@cisco.com> <20211F91F544D247976D84C5D778A4C32E4B4924@SG70YWXCHMBA05.zap.alcatel-lucent.com> <9F1F84B6-9A14-4C6E-84C3-2D2A26754C7E@lindem.com> <20211F91F544D247976D84C5D778A4C32E4B4A42@SG70YWXCHMBA05.zap.alcatel-lucent.com>
In-Reply-To: <20211F91F544D247976D84C5D778A4C32E4B4A42@SG70YWXCHMBA05.zap.alcatel-lucent.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [147.117.188.134]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <32522CF35A21814DB58B69F4031EAF4B@ericsson.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrDLMWRmVeSWpSXmKPExsUyuXRPrO4Ra6Mggz+HxSym3ZrOZjHn3j1W i5Z799gdmD1an+1l9Viy5CeTx4dFF1gDmKO4bFJSczLLUov07RK4Mp7/4Ch4pFlx6+EJpgbG n4pdjJwcEgImEs+vzmWDsMUkLtxbD2RzcQgJHGWU2NA1GSwhJLCcUeLKhhAQm01AR+L5o3/M ILaIgK3E8827WEBsZgEniSkX1wDZHBzCAtESky6EQJTESCy58JYRwjaS+D9zGnsXIzsHi4Cq xDVZkCivgK/Ewi3XGCG2TmOReLB2Bth0ToFYiVsd+8BsRqDTvp9awwSxSVzi1pP5TBAnC0gs 2XOeGcIWlXj5+B8rhK0sseTJfqjLdCQW7P7EBmFbS/x4fIoVwtaWWLbwNTPEEYISJ2c+YZnA KD4LyYpZSNpnIWmfhaR9FpL2BYysqxg5SotTy3LTjQw3MQJj7JgEm+MOxgWfLA8xSnOwKInz btA7EygkkJ5YkpqdmlqQWhRfVJqTWnyIkYmDU6qBUeLlbPEZ1Q8WPXWuNEmOOqgv2cJ0X1/v z6q1Cb3xJ+YwVZwylX+qq+pyNtTnQk3ohSMeL5+zfDA1Pu7tPtlG4DbL4ciOV8syEyMnz79w eav8piVz5z06xfKw3mzqiSPV/44cLGrLsdylrnzx6znvc5emft13rZLvztbkrIslbx68eWn1 8M2PiqVKLMUZiYZazEXFiQD2n898fwIAAA==
Cc: "ospf@ietf.org" <ospf@ietf.org>
Subject: Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ospf>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Sep 2013 22:10:17 -0000

Hi Manav, 

On Sep 12, 2013, at 11:05 AM, Bhatia, Manav (Manav) wrote:

> Hi Acee,
> 
>> There is NO bug in RFC 2328. The RFC clearly states that a 
> 
> While I did use the "b" word, I did not mean a "bug" -- have always referred to it as an ommission.
> 
>> Router-LSA will be advertised with the same Router-ID for 
>> both the LSID and the Advertising router. I don't think it is 
> 
> This is at the sending side. What about the RX side? I guess that's where the omission was.

Note that if you use a simplistic reference implementation and do the LSDB lookups during your SPF, you will have no problems. It is only optimized implementations that have a problem. For example, my implementation would have had the problem had I not ignored the malformed LSA while the public domain ZebOS would not have a problem. I won't speak for any other vendor's implementation on this list.  Hence, there is no omission from RFC 2328 since it describes a simplistic SPF intra-area computation in section 16.1. 


> 
>> productive to write "short" RFCs for every attack and believe 
>> the CERT Alert is a better and swifter mechanism for 
>> disseminating information on attacks. 
>> Note that my implementation was not susceptible to this 
>> attack as the vulnerability was identified in a packet 
>> mutation suite many years back.
>> 
>> I spoke to Gabi offline about authoring an informational RFC 
>> that discusses classes of OSPF attacks and possible 
>> mechanisms to thwart them. 
> 
> I am fine with that as well. I just want the different kids of attacks to get documented somewhere.

A think a single OSPF(v3) vulnerabilities document would be much more useful than short RFCs documenting very specific attacks. One was started in RPSEC but never finished due to the demise of the author's company and the RPSEC WG itself. 

Thanks,
Acee 




> 
> Cheers, Manav
> 
>> 
>> Thanks,
>> Acee
>> 
>>> 
>>> I have written a short post on what the issue in 2328 is 
>> and how it can be exploited to launch an attack.
>>> 
>> http://routingfreak.wordpress.com/2013/09/09/how-bad-is-the-ospf-vulne
>>> rability-exposed-by-black-hat/
>>> 
>>> Cheers, Manav
>>> 
>>>> -----Original Message-----
>>>> From: Anton Smirnov [mailto:asmirnov@cisco.com]
>>>> Sent: Thursday, September 12, 2013 4:46 PM
>>>> To: Bhatia, Manav (Manav)
>>>> Cc: Gabi Nakibly; Acee Lindem; ospf@ietf.org
>>>> Subject: Re: [OSPF] Dropping malformed LSAs (was: OSPF - 
>> Owning the 
>>>> Routing Table Attack)
>>>> 
>>>>   If attacker has joined flooding domain and can inject 
>> an LSA into 
>>>> LSDB then it can screw up routing in the domain.
>>>> Methods such as pretending being an ABR/ASBR and advertise 
>>>> destinations with good metric are almost impossible to combat once 
>>>> authentication barrier is penetrated.
>>>>   This particular vulnerability allows attacker to bring network 
>>>> down in style but if this vulnerability is not present in the 
>>>> particular network then attacker will simply resort to 
>> other numerous 
>>>> possibilities to affect routing via LSA injection. If attacker can 
>>>> inject LSA into LSDB then your network is at his mercy. 
>> Give or take 
>>>> one particular method is a detail.
>>>>   So IMO we don't need a draft on this particular 
>> vulnerability. It 
>>>> might be of some limited interest to document all known methods to 
>>>> exploit LSA injection which would include this 
>> vulnerability but what 
>>>> value would this RFC bring? Such methods are regularly 
>> published in 
>>>> academic literature since 90-th.
>>>> 
>>>>   IMO we need good (reliable, secure, manageable etc) methods of 
>>>> authenticating adjacencies. KARP group is working on that. 
>> We *might* 
>>>> benefit from a work on mechanism to prevent any router to 
>> originate 
>>>> reachable LSA on behalf of any other router (kind of LSA signing). 
>>>> But work on what will go wrong when intended security barriers are 
>>>> broken IMO is not needed.
>>>> 
>>>> Anton
>>>> 
>>>> 
>>>> 
>>>> On 09/12/2013 05:42 AM, Bhatia, Manav (Manav) wrote:
>>>>> Hi Gabi,
>>>>> 
>>>>> [clipped]
>>>>> 
>>>>>> Nonetheless, I am sure that there are more OSPF vendors 
>> out there 
>>>>>> that are still vulnerable to the attack and do not check 
>> for this.
>>>>>> Moreover, since this check is not part of the standard, in most 
>>>>>> likelihood future OSPF implementations will also be vulnerable.
>>>>>> 
>>>>> [clipped]
>>>>> 
>>>>>> I am willing to write a draft describing this mitigation
>>>> measure. I
>>>>>> would appreciate the list's thoughts on this.
>>>>> I think it's a good idea to write a draft that describes
>>>> the attack and what implementations MUST do to avoid it.
>>>>> 
>>>>> Cheers, Manav
>>>>> 
>>>> 
>>>> 
>>> _______________________________________________
>>> OSPF mailing list
>>> OSPF@ietf.org
>>> https://www.ietf.org/mailman/listinfo/ospf
>> 
>> 
> _______________________________________________
> OSPF mailing list
> OSPF@ietf.org
> https://www.ietf.org/mailman/listinfo/ospf

v2.23.0 | Report a Bug | By Email