Re: OSPFv3 Destination Address Filter
Anand Oswal <aoswal@REDBACK.COM> Fri, 27 February 2004 23:37 UTC
Received: from cherry.ease.lsoft.com (cherry.ease.lsoft.com [209.119.0.109]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA03699 for <ospf-archive@LISTS.IETF.ORG>; Fri, 27 Feb 2004 18:37:40 -0500 (EST)
Received: from PEAR.EASE.LSOFT.COM (209.119.0.19) by cherry.ease.lsoft.com (LSMTP for Digital Unix v1.1b) with SMTP id <16.00D07DAF@cherry.ease.lsoft.com>; Fri, 27 Feb 2004 18:37:41 -0500
Received: from PEACH.EASE.LSOFT.COM by PEACH.EASE.LSOFT.COM (LISTSERV-TCP/IP release 1.8e) with spool id 4273382 for OSPF@PEACH.EASE.LSOFT.COM; Fri, 27 Feb 2004 18:37:40 -0500
Received: from 155.53.12.9 by WALNUT.EASE.LSOFT.COM (SMTPL release 1.0i) with TCP; Fri, 27 Feb 2004 18:37:39 -0500
Received: from localhost (localhost [127.0.0.1]) by prattle.redback.com (Postfix) with ESMTP id E609EA1E0A3 for <OSPF@PEACH.EASE.LSOFT.COM>; Fri, 27 Feb 2004 15:37:38 -0800 (PST)
Received: from prattle.redback.com ([127.0.0.1]) by localhost (prattle [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 25021-08 for <OSPF@PEACH.EASE.LSOFT.COM>; Fri, 27 Feb 2004 15:37:38 -0800 (PST)
Received: from redback.com (dhcp-41-22.redback.com [155.53.41.22]) by prattle.redback.com (Postfix) with ESMTP id B12E1A1E0A2 for <OSPF@PEACH.EASE.LSOFT.COM>; Fri, 27 Feb 2004 15:37:38 -0800 (PST)
X-Mailer: Mozilla 4.7 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
References: <39469E08BD83D411A3D900204840EC55FB7201@vie-msgusr-01.dc.fore.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: by amavisd-new at redback.com
Message-ID: <403FD44D.B4BAC5E8@redback.com>
Date: Fri, 27 Feb 2004 15:35:41 -0800
Reply-To: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
Sender: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
From: Anand Oswal <aoswal@REDBACK.COM>
Organization: Redback Networks
Subject: Re: OSPFv3 Destination Address Filter
To: OSPF@PEACH.EASE.LSOFT.COM
Precedence: list
Content-Transfer-Encoding: 7bit
Hi Venkata, Are you talking about a socket per interface ? Thanks Anand "Naidu, Venkata" wrote: > > Hi Acee, > > -> We've implemented the subject draft to mitigate some of the > -> OSPFv3 vulnerabilities. While the solution isn't perfect, it is > -> lightweight, easy to deploy, and fully compatible with the current > -> OSPFv3 specification (RFC 2740). > -> > -> http://www.ietf.org/internet-drafts/draft-lindem-ospfv3-dest- > -> filter-00.txt > > After a quick look, here are few comments: > > 1. Check should be: > if (((first-two-octets & 0xffc0) != 0xfe80) && > <<<< > ((first-two-octets & 0xff0f) != 0xff02)) { > ==== > ((first-two-octets & 0xffff) != 0xff02)) { > >>>> > drop the packet; > } > > I think, OSPFv3 SHOULD work on permanently flagged multicast > addresses not with T flag on'ed ones. > > 2. The draft reads: > > The granularity of the check will limit the usage of virtual > links at the granularity which it is applied. For example, if > it is applied at the BSD socket level, virtual links may not > be used by any OSPF instance utilizing that socket. > Alternately, additional configuration and checking could be > added at the socket level so that the destination filter is > only applied to certain instances, areas, or interfaces. > > There is another way to support what this draft does with out > loss of generality. If these checks are applied at the Raw-IPv6 > stack level (using local address binding socket options) > virtual link support will not be jeopardized. > > Doing below steps will solve DOS attack for IPv4 applications > (i.e., OSPFv2, RSVP-TE etc) and IPv6 applications (i.e., OSPFv3 > etc.) - at least for the ones which operate on per interface > basis. > > 1. Bind to the local interface (either using link-layer address/ > ifindex) and make it strong-end socket. That is the socket > will accept incoming packets only from the binded interface. > > 2. Listen only for appropriate multicast address groups using > various MULTICAST socket options. This will make sure the > above checks are done at the Raw-IP level instead of at the > OSPF level. > > 3. Open another INADDR_ANY socket ONLY when virtual links are > operational. Note that, this socket will receive all types > of OSPF packets. But, that is fine, OSPF will anyway make > sure (have to make sure) validity of every packet received > on this socket. > > It is a good idea to enhance socket APIs to have filters based > on list of IP addresses instead of all-or-one (i.e., multiple > bindings like). May be, Bill Fenner can answer why it is not > incorporated in IPv6 at least. I expected this in his recent > Book. :) > > Venakta.
- OSPFv3 Destination Address Filter Acee Lindem
- Re: OSPFv3 Destination Address Filter Naidu, Venkata
- Re: OSPFv3 Destination Address Filter Anand Oswal