Re: OSPF WG Minutes

Vishwas Manral <Vishwas@SINETT.COM> Tue, 16 August 2005 11:50 UTC

Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Thread-Topic: OSPF WG Minutes
Thread-Index: AcWiWBZsFb6gojuHQqqUcEYZ+sATbgAAFBug
Message-ID: <BB6D74C75CC76A419B6D6FA7C38317B290E96C@sinett-sbs.SiNett.LAN>
Date: Tue, 16 Aug 2005 04:51:59 -0700
Reply-To: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
Sender: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
From: Vishwas Manral <Vishwas@SINETT.COM>
Subject: Re: OSPF WG Minutes
To: OSPF@PEACH.EASE.LSOFT.COM
Precedence: list

Hi Acee,

> You don't mean all the packets do you? You mean all the packets with
> the last sequence number. So, if the last packet was a hello, the 
> session could be kept up indefinitely.
I think there are two parts to it. The first is as you are stating it.
Another is when a router has gone down: all the packets from the
beginning could be replayed and the adjacency could be brought up (the
receiver anyway does not check the sequence number before and after an
adjacency has broken).

Thanks,
Vishwas
-----Original Message-----
From: Mailing List [mailto:OSPF@PEACH.EASE.LSOFT.COM] On Behalf Of Acee
Lindem
Sent: Tuesday, August 16, 2005 5:16 PM
To: OSPF@PEACH.EASE.LSOFT.COM
Subject: Re: OSPF WG Minutes

Vishwas Manral wrote:
Hi Vishwas,

>Hi Acee,
>
>  
>
>>Acee: In practice, for OSPFv2 the sequence numbers are not monotonically
>>increasing; Usage of router's clock for cryptographic sequence number 
>>generation reduces the chance for replay attacks across restarts. 
>>?: OSPF spec does not say it ...
>>    
>>
>Acee, what I meant was that although the OSPF spec does not state that
>we need to use clocks. 
>  
>
Ok - got the update.


>I think the vulnerabilities draft is the right place to state the
>problems that can happen if we do not use a clock (or something
>equivalent which increments even when a system goes down).
>  
>
Ok. I was just stating that in practice it is not as easy to exploit as it
appears.

>Another issue is that even if the sender uses clock for the "sequence
>number" and goes down, all the packets of a previous session can still
>be replayed by another router. So the chance of replay attacks is still
>there.
>  
>
You don't mean all the packets, do you? You mean all the packets with the
last sequence number. So, if the last packet was a hello, the session
could be kept up indefinitely.

Thanks,
Acee

>Thanks,
>Vishwas
>-----Original Message-----
>From: Mailing List [mailto:OSPF@PEACH.EASE.LSOFT.COM] On Behalf Of Acee
>Lindem
>Sent: Monday, August 15, 2005 7:50 PM
>To: OSPF@PEACH.EASE.LSOFT.COM
>Subject: OSPF WG Minutes
>
>Attached are the minutes from the Paris OSPF WG meeting. Thanks to
>Dimitri for taking them.
>
>Acee
>
>  
>
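The trade-off the two of them are circling (counter-based versus clock-based cryptographic sequence numbers, and what a receiver remembers after an adjacency drops) is easier to see in a small simulation. The Python below is an added example, not part of the list message, the WG minutes or any OSPF implementation; the `Packet` shape, the `Sender`/`Receiver` classes, the "counter"/"clock" modes, the receiver policy knobs and the sample timeline are all constructed for this illustration.

```python
"""Added example (not from the list thread): a toy model of an OSPFv2-style
cryptographic sequence-number check, used to compare the replay windows that
the thread discusses under different sender and receiver policies.
Assumptions (constructed, not from the thread or any RFC text): the packet
shape, the 'counter'/'clock' sender modes, the receiver options and the
timeline values used below."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    src: str    # neighbor router id (constructed sample value)
    seq: int    # cryptographic sequence number carried with the packet
    kind: str   # "hello", "dbd", ... (informational only here)


class Sender:
    """'counter' restarts from 0 after a reboot; 'clock' uses wall-clock seconds."""

    def __init__(self, name: str, mode: str) -> None:
        self.name, self.mode, self.counter = name, mode, 0

    def send(self, kind: str, now: int) -> Packet:
        if self.mode == "clock":
            return Packet(self.name, now, kind)
        self.counter += 1
        return Packet(self.name, self.counter, kind)

    def restart(self) -> None:
        self.counter = 0      # a volatile counter is lost on reboot; the clock is not


class Receiver:
    """Per-neighbor anti-replay state with two policy knobs."""

    def __init__(self, remember_across_down: bool, accept_equal: bool = True) -> None:
        self.remember = remember_across_down   # keep last_seq after the adjacency drops?
        self.accept_equal = accept_equal       # accept seq == last (non-decreasing check)?
        self.last_seq: Dict[str, int] = {}

    def accept(self, pkt: Packet) -> bool:
        last = self.last_seq.get(pkt.src)
        if last is not None:
            if pkt.seq < last or (pkt.seq == last and not self.accept_equal):
                return False          # stale sequence number: treat as a replay
        self.last_seq[pkt.src] = pkt.seq
        return True

    def adjacency_down(self, src: str) -> None:
        # Dead interval expired. A receiver that discards neighbor state here
        # also forgets the last sequence number (the second case in the thread).
        if not self.remember:
            self.last_seq.pop(src, None)


def _session(sender: Sender, rx: Receiver, t0: int = 100, n: int = 5) -> List[Packet]:
    """Exchange n hellos, then take the adjacency down and reboot the sender."""
    captured = [sender.send("hello", t0 + i) for i in range(n)]
    for pkt in captured:
        assert rx.accept(pkt)        # the live session is accepted in every mode
    rx.adjacency_down(sender.name)
    sender.restart()
    return captured


def replayed_accepted(mode: str, remember: bool, accept_equal: bool = True) -> int:
    """How many packets of the finished session the receiver would accept again."""
    sender, rx = Sender("r1", mode), Receiver(remember, accept_equal)
    captured = _session(sender, rx)
    return sum(rx.accept(p) for p in captured)


def legitimate_accepted(mode: str, remember: bool, accept_equal: bool = True) -> int:
    """How many genuine post-restart packets get through (the availability side)."""
    sender, rx = Sender("r1", mode), Receiver(remember, accept_equal)
    _session(sender, rx)
    return sum(rx.accept(sender.send("hello", 110 + i)) for i in range(3))


if __name__ == "__main__":
    for mode in ("counter", "clock"):
        for remember in (False, True):
            print(f"{mode:8} remember={remember!s:5} "
                  f"replayed={replayed_accepted(mode, remember)} "
                  f"legit={legitimate_accepted(mode, remember)}")
```

Running it gives the matrix the thread describes: a receiver that forgets the neighbor's last sequence number when the adjacency drops accepts the whole old session again whatever the sender did (5 of 5), so a clock-derived sequence number alone does not close the "router went down" case; a receiver that remembers it rejects everything except the final packet (1 of 5, the replayed last hello), and that last window only closes if equal values are refused. The `legitimate_accepted` column shows why the spec-level answer is not simply "remember and refuse": with a counter that restarts from 0, remembering the old value locks the rebooted neighbor out (0 of 3), whereas clock-based values carry on above the old high-water mark. Refusing equal values is also a trade-off, since a sender with second-granularity clock values that emits two packets in the same second would see the second one dropped, which is the practical reason equal values are tolerated in the first place.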