IETF Logo Mail Archive

Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)

Uma Chunduri <uma.chunduri@ericsson.com> Thu, 12 September 2013 17:46 UTC

Return-Path: <uma.chunduri@ericsson.com>
X-Original-To: ospf@ietfa.amsl.com
Delivered-To: ospf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 590B421E8151 for <ospf@ietfa.amsl.com>; Thu, 12 Sep 2013 10:46:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N0VlHF--PFtz for <ospf@ietfa.amsl.com>; Thu, 12 Sep 2013 10:46:47 -0700 (PDT)
Received: from usevmg20.ericsson.net (usevmg20.ericsson.net [198.24.6.45]) by ietfa.amsl.com (Postfix) with ESMTP id EF39B21E8056 for <ospf@ietf.org>; Thu, 12 Sep 2013 10:46:25 -0700 (PDT)
X-AuditID: c618062d-b7fda8e0000024c6-ba-5231fdef12d2
Received: from EUSAAHC006.ericsson.se (Unknown_Domain [147.117.188.90]) by usevmg20.ericsson.net (Symantec Mail Security) with SMTP id C1.78.09414.FEDF1325; Thu, 12 Sep 2013 19:46:23 +0200 (CEST)
Received: from EUSAAMB105.ericsson.se ([147.117.188.122]) by EUSAAHC006.ericsson.se ([147.117.188.90]) with mapi id 14.02.0328.009; Thu, 12 Sep 2013 13:46:19 -0400
From: Uma Chunduri <uma.chunduri@ericsson.com>
To: Acee Lindem <acee@lindem.com>, "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
Thread-Topic: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)
Thread-Index: AQHOr8jmYtD8kEBdl021iddA6tiarJnCW7aw
Date: Thu, 12 Sep 2013 17:46:18 +0000
Message-ID: <1B502206DFA0C544B7A6046915200863174B866E@eusaamb105.ericsson.se>
References: <1375736635.93585.YahooMailNeo@web165005.mail.bf1.yahoo.com> <DC74E46E9699A84EB0E1183B90FD160928F2C192@xmb-aln-x11.cisco.com> <1376248961.41754.YahooMailNeo@web165004.mail.bf1.yahoo.com> <20211F91F544D247976D84C5D778A4C32E4B3B43@SG70YWXCHMBA05.zap.alcatel-lucent.com> <5231A28C.5030102@cisco.com> <20211F91F544D247976D84C5D778A4C32E4B4924@SG70YWXCHMBA05.zap.alcatel-lucent.com> <9F1F84B6-9A14-4C6E-84C3-2D2A26754C7E@lindem.com>
In-Reply-To: <9F1F84B6-9A14-4C6E-84C3-2D2A26754C7E@lindem.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [155.53.73.29]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrBLMWRmVeSWpSXmKPExsUyuXRPlO77v4ZBBt+2qllMuzWdzWLOvXus Fi337rE7MHu0PtvL6rFkyU8mjw+LLrAGMEdx2aSk5mSWpRbp2yVwZSzsX8FWsEy7YsLhLUwN jL3KXYycHBICJhK3Oo+wQthiEhfurWfrYuTiEBI4yiix59o2FghnOaPEvk3PmECq2AT0JD5O /ckOYosIxEm0zprHAmIzCyhLPO5azQZiCwtESyzoOMrYxcgBVBMjMfs5M0S5kUTP6hNgrSwC qhLXth8Ci/MK+EpMfzgdatdhZokVG++D7eIUsJPY0L8NzGYEuu77qTVMELvEJW49mc8EcbWA xJI955khbFGJl4//QX2jIHHgxxyo23QkFuz+xAZha0ssW/gaarGgxMmZT1gmMIrNQjJ2FpKW WUhaZiFpWcDIsoqRo7Q4tSw33chgEyMwdo5JsOnuYNzz0vIQozQHi5I47yq9M4FCAumJJanZ qakFqUXxRaU5qcWHGJk4OKUaGKdPPpJzepquUOjnKwv+yS5xiIxfvo6DoYTTQtZzZ6rWHnGF 4D0l21ZrVd5Z+XybVsoRJfa9B6VneS7TseBjjT1zYNaNJHn5FIlp83+/XX8upuJUypvex4tf VB+J7Xhh13xHhe3Agd4d5gGFOvePfHrjYDPz4r+AXfEzJ3zbdHJBu9BW2Z6CI6eUWIozEg21 mIuKEwGYVYFXawIAAA==
Cc: "ospf@ietf.org" <ospf@ietf.org>
Subject: Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ospf>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Sep 2013 17:46:52 -0000

Manav,

The premise of the attack is still somebody know the AUTH keys of the router.
If private keys of the router can be possibly subverted/leaked/stolen,  then we all agree lot of things in lot of
protocols can break (not only in OSPF or this is not specific to OSPF issue). 

One can definitely try to introduce protocol mechanisms to thwart some of these attacks to a certain extent,
but the point is the problem is not still addressable this way.

The question is how far it's real (I know KARP WG is contending with this) and what are 
the other mechanism one can adopt to solve the issue at the root instead of introducing 
more complicated protocol machinery.

I also feel this should be analyzed more from KARP protocol threat documents...
-- 
Uma C. 


-----Original Message-----
From: ospf-bounces@ietf.org [mailto:ospf-bounces@ietf.org] On Behalf Of Acee Lindem
Sent: Thursday, September 12, 2013 7:59 AM
To: Bhatia, Manav (Manav)
Cc: ospf@ietf.org
Subject: Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)

Manav - 


On Sep 12, 2013, at 10:40 AM, Bhatia, Manav (Manav) wrote:

> Anton,
> 
> I understand that once the attacker can insert LSAs in the flooding domain then there are several things that can be done. However, in most cases the attacks can be easily identified and a corrective action can be easily taken. In this particular case, the attack is a little more insidious and its not straight forward catching the erring LSA.
> 
> Since its something that's missing in rfc 2328 we will keep having newer implementations that will carry this bug. A short one page RFC that updates 2328 imo would do no harm. Do you see any issue in publishing such an RFC?

There is NO bug in RFC 2328. The RFC clearly states that a Router-LSA will be advertised with the same Router-ID for both the LSID and the Advertising router. I don't think it is productive to write "short" RFCs for every attack and believe the CERT Alert is a better and swifter mechanism for disseminating information on attacks. 
Note that my implementation was not susceptible to this attack as the vulnerability was identified in a packet mutation suite many years back.

I spoke to Gabi offline about authoring an informational RFC that discusses classes of OSPF attacks and possible mechanisms to thwart them. 

Thanks,
Acee

> 
> I have written a short post on what the issue in 2328 is and how it can be exploited to launch an attack.
> http://routingfreak.wordpress.com/2013/09/09/how-bad-is-the-ospf-vulne
> rability-exposed-by-black-hat/
> 
> Cheers, Manav
> 
>> -----Original Message-----
>> From: Anton Smirnov [mailto:asmirnov@cisco.com]
>> Sent: Thursday, September 12, 2013 4:46 PM
>> To: Bhatia, Manav (Manav)
>> Cc: Gabi Nakibly; Acee Lindem; ospf@ietf.org
>> Subject: Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the 
>> Routing Table Attack)
>> 
>>    If attacker has joined flooding domain and can inject an LSA into 
>> LSDB then it can screw up routing in the domain.
>> Methods such as pretending being an ABR/ASBR and advertise 
>> destinations with good metric are almost impossible to combat once 
>> authentication barrier is penetrated.
>>    This particular vulnerability allows attacker to bring network 
>> down in style but if this vulnerability is not present in the 
>> particular network then attacker will simply resort to other numerous 
>> possibilities to affect routing via LSA injection. If attacker can 
>> inject LSA into LSDB then your network is at his mercy. Give or take 
>> one particular method is a detail.
>>    So IMO we don't need a draft on this particular vulnerability. It 
>> might be of some limited interest to document all known methods to 
>> exploit LSA injection which would include this vulnerability but what 
>> value would this RFC bring? Such methods are regularly published in 
>> academic literature since 90-th.
>> 
>>    IMO we need good (reliable, secure, manageable etc) methods of 
>> authenticating adjacencies. KARP group is working on that. We *might* 
>> benefit from a work on mechanism to prevent any router to originate 
>> reachable LSA on behalf of any other router (kind of LSA signing). 
>> But work on what will go wrong when intended security barriers are 
>> broken IMO is not needed.
>> 
>> Anton
>> 
>> 
>> 
>> On 09/12/2013 05:42 AM, Bhatia, Manav (Manav) wrote:
>>> Hi Gabi,
>>> 
>>> [clipped]
>>> 
>>>> Nonetheless, I am sure that there are more OSPF vendors out there 
>>>> that are still vulnerable to the attack and do not check for this.
>>>> Moreover, since this check is not part of the standard, in most 
>>>> likelihood future OSPF implementations will also be vulnerable.
>>>> 
>>> [clipped]
>>> 
>>>> I am willing to write a draft describing this mitigation
>> measure. I
>>>> would appreciate the list's thoughts on this.
>>> I think it's a good idea to write a draft that describes
>> the attack and what implementations MUST do to avoid it.
>>> 
>>> Cheers, Manav
>>> 
>> 
>> 
> _______________________________________________
> OSPF mailing list
> OSPF@ietf.org
> https://www.ietf.org/mailman/listinfo/ospf

_______________________________________________
OSPF mailing list
OSPF@ietf.org
https://www.ietf.org/mailman/listinfo/ospf

v2.23.0 | Report a Bug | By Email