Re: [OSPF] Fw: New Version Notification for draft-manjuldtv-ospf-sequence-number-00.txt
Manav Bhatia <manavbhatia@gmail.com> Thu, 12 May 2016 03:46 UTC
Return-Path: <manavbhatia@gmail.com>
X-Original-To: ospf@ietfa.amsl.com
Delivered-To: ospf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22F5D12B048 for <ospf@ietfa.amsl.com>; Wed, 11 May 2016 20:46:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fO74GVIrZ_lE for <ospf@ietfa.amsl.com>; Wed, 11 May 2016 20:46:37 -0700 (PDT)
Received: from mail-yw0-x22f.google.com (mail-yw0-x22f.google.com [IPv6:2607:f8b0:4002:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3EABC12D5C9 for <ospf@ietf.org>; Wed, 11 May 2016 20:46:34 -0700 (PDT)
Received: by mail-yw0-x22f.google.com with SMTP id j74so62089526ywg.1 for <ospf@ietf.org>; Wed, 11 May 2016 20:46:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=Jbxdk2SkK0drN6mvmLAI07XAPthTyG8dPn4JQhmzaKg=; b=A1WaCP6SNY9MxxaHpsl+vxP0ulT5uWTEKl7fcyJw/Krp8PSOkyzsA6zf8fzbqZt3dT X+2bNF2sFAMVWsrVs++z5imaKlx8lmONlfFrnKblXnFJVS6IfCmxob79eRWCLXhbIBoN ktTawW6vE/yH0LS+Eg5k9jxTAit0wxGHdbIXawcGc6dsZgOtge2xlEfPXJX+pX/VHdoo 3ssSBoZPBZ3p/dmvUYf8Di538rwywIqu+zDwsGtI3wXV0MLM4GeLlNMV3fpdgwepZxXC iFXIqLzV/aB+gB09N+OkzEPr1Ej169bsIWr6uWuWqn3n24psURz+3OVtFhWbW+NPC7lC 1YAA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=Jbxdk2SkK0drN6mvmLAI07XAPthTyG8dPn4JQhmzaKg=; b=hZAY2rv2UBM31WHxCnfeK3RuPLhzTGNilPXbZBKrY+rVxhuIkWWvfud2Utf0nN0oeu Pq0pdIPCd0v7N1VTI9TQLq63dePfcuphu1+1W10l+U6sUEeTyGOw1trY93pj+TTipIFx 6vQR6k85Qevh6MEItsCw2lXskNHAfhuD1VB6OqVYXYlLO9LE6DUTq8hcaRW/WyNRVcx5 nPjxEvcUQS8HNeR8nT6/xJ7w7VWd3U2iHfbFRWVpHL8E86JdjLQQdKCUPGbrIf4aB8CB CYe3RQkXynKfZbHMtctraCGrsbH7R8jzvNqMlqhBe2FsypXHYZcYPhPvkRTsTRiw8TXB wYLg==
X-Gm-Message-State: AOPr4FWdn3Z//iGVnBZOgFEnk0EPAWEc5OY8+e1uYL3t+ZIe6xwrbL5I6YE5/yO4G9R8oJJoUWbQRI0ySNUvlw==
MIME-Version: 1.0
X-Received: by 10.37.47.85 with SMTP id v82mr3475064ybv.75.1463024793427; Wed, 11 May 2016 20:46:33 -0700 (PDT)
Received: by 10.13.216.129 with HTTP; Wed, 11 May 2016 20:46:33 -0700 (PDT)
In-Reply-To: <KL1PR0401MB1544944FE1E375A8FB7A31C0A3730@KL1PR0401MB1544.apcprd04.prod.outlook.com>
References: <D358C4E4.607A9%acee@cisco.com> <KL1PR0401MB1544944FE1E375A8FB7A31C0A3730@KL1PR0401MB1544.apcprd04.prod.outlook.com>
Date: Thu, 12 May 2016 09:16:33 +0530
Message-ID: <CAG1kdoiyj_s_gzHibrmomPJAZo28bCLDxqPRnbeS6-ooJzb_MQ@mail.gmail.com>
From: Manav Bhatia <manavbhatia@gmail.com>
To: Ramakrishna DTV <ramakrishnadtv@nivettisystems.com>
Content-Type: multipart/alternative; boundary="001a1140be9e1c2a0705329d01d5"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ospf/QyAROZknuJpXSOGE6wL7jjxYWwA>
Cc: "ospf@ietf.org" <ospf@ietf.org>, Manjul Khandelwal <manjul@nivettisystems.com>
Subject: Re: [OSPF] Fw: New Version Notification for draft-manjuldtv-ospf-sequence-number-00.txt
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ospf/>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 May 2016 03:46:40 -0000
Hi DTV, I dont agree to your assessment of how the attack evades the "natural fight-back mechanism" in OSPF. Its got *nothing* to do with the sequence numbers being predictable, etc. I have explained in depth how the Gaby attack works here: https://routingfreak.wordpress.com/2013/09/09/how-bad-is-the-ospf-vulnerability-exposed-by-black-hat/ Clipped from the blog: "This attack exploits a potential omission (or a bug if you will) in the standard where it does not mandate that the receiving router verifies that the Link State ID and the Advertising Router fields in the Router LSA are the exact same value. This attack sends malacious Router LSAs with two different values in the LS header. The Link State ID carries the Router ID of the router that is being attacked (the victim) and the Advertising Router is set to some different (any) value. When the victim receives the malacious Router LSA, it does not refresh this LSA as it doesnt recognize this as its own self generated LSA. This is because the OSPF spec clearly says in Sec 13.4 that “A self-originated LSA is detected when either 1) The LSA’s Advertising Router is equal to the router’s own Router ID or 2) the LSA is a network LSA .. “. This means that OSPF’s natural fight back mechanism is NOT triggered by the victim router as long as the field ‘Advertising Router’ of a LSA is NOT equal to the victim’s Router ID. This is true even if the ‘Link State ID’ of that LSA is equal to the victim’s Router ID. Going further it means no LSA refresh is triggered even if the malacious LSA claims to describe the links of the victim router!" I describe further in the blog that not all router implementations are susceptible to the attack. Its dependent on how the LSA is picked up from the LSDB. Cheers, Manav On Thu, May 12, 2016 at 7:59 AM, Ramakrishna DTV < ramakrishnadtv@nivettisystems.com> wrote: > Hi Acee, > > We currently provided the following description of this attack in the > draft: > > "The paper refers to the attack as "Disguised LSA" and is of > persistent nature. This attack is launched from a compromised router > inside a routing domain. In this attack, the compromised router > alters the LSA of an uncompromised router (victim). Normally, such > an attempt does not have persistence because the victim generates a > new LSA when it sees such self-originated LSAs (referred to as > "fight-back" mechanism in the paper). But the paper makes disguised > LSA persistent because all the fields { LS sequence number, checksum} > are predictable. It alters the existing LSA of victim to suit its > needs but sets the sequence number to +1 of the existing LSA and > alters the LSA so that checksum matches with checksum that would be > generated by the victim when it generates the new LSA. When this > disguised LSA reaches the victim, it does not fight back because it > compares only the fields { LS sequence number, checksum, age} to > check for duplicates and not the actual content of LSA. > > This attack enables an insider attacker to fully control the entire > content of an LSA. We think this attack is powerful." > > These details are currently present in Section 4, which is titled > "Implementation advice". > We can probably move it to a different section (e.g., "Introduction") to > make it clear. > > If you think even more additional details about the attack are useful to > the working group, > please let us know. We will add. > > Thank you. > > Regards, > Ramakrishna DTV. > > > ________________________________________ > From: Acee Lindem (acee) <acee@cisco.com> > Sent: Wednesday, May 11, 2016 8:49 PM > To: Manjul Khandelwal; ospf@ietf.org > Cc: Ramakrishna DTV > Subject: Re: [OSPF] Fw: New Version Notification for > draft-manjuldtv-ospf-sequence-number-00.txt > > Hi Manjul, > > Would it be possible to succinctly describe these “certain security > attacks” in the draft rather than expecting everyone to read the > referenced paper? > > Thanks, > Acee > > On 5/11/16, 10:19 AM, "OSPF on behalf of Manjul Khandelwal" > <ospf-bounces@ietf.org on behalf of manjul@nivettisystems.com> wrote: > > >Hi, > > > >We have recently submitted a draft which deals with OSPF LS sequence > >number > >generation mechanism. > > > >Abstract of the draft: > > The mechanism for LS sequence number generation as specified in RFC > > 2328 and RFC 5340 is completely predictable. This makes it prone to > > certain security attacks which exploit the predictable nature of LS > > sequence numbers. This draft updates the RFC 2328 to make LS > > sequence number generation an implementation choice rather than a > > fixed increment by 1 for successive LSAs. > > > >https://datatracker.ietf.org/doc/draft-manjuldtv-ospf-sequence-number/ > > > >We solicit feedback/comments on the draft and request for adoption by the > >OSPF working group. > > > >Regards, > >Manjul Khandelwal > >DTV Ramakrishna Rao > >________________________________________ > >From: internet-drafts@ietf.org <internet-drafts@ietf.org> > >Sent: Monday, May 9, 2016 7:22 PM > >To: Manjul Khandelwal; Ramakrishna DTV > >Subject: New Version Notification for > >draft-manjuldtv-ospf-sequence-number-00.txt > > > >A new version of I-D, draft-manjuldtv-ospf-sequence-number-00.txt > >has been successfully submitted by Manjul Khandelwal and posted to the > >IETF repository. > > > >Name: draft-manjuldtv-ospf-sequence-number > >Revision: 00 > >Title: OSPF LSA sequence number generation > >Document date: 2016-05-09 > >Group: Individual Submission > >Pages: 10 > >URL: > > > https://www.ietf.org/internet-drafts/draft-manjuldtv-ospf-sequence-number- > >00.txt > >Status: > >https://datatracker.ietf.org/doc/draft-manjuldtv-ospf-sequence-number/ > >Htmlized: > >https://tools.ietf.org/html/draft-manjuldtv-ospf-sequence-number-00 > > > > > >Abstract: > > The mechanism for LS sequence number generation as specified in RFC > > 2328 and RFC 5340 is completely predictable. This makes it prone to > > certain security attacks which exploit the predictable nature of LS > > sequence numbers. This draft updates the RFC 2328 to make LS > > sequence number generation an implementation choice rather than a > > fixed increment by 1 for successive LSAs. > > > > > > > > > >Please note that it may take a couple of minutes from the time of > >submission > >until the htmlized version and diff are available at tools.ietf.org. > > > >The IETF Secretariat > > > >_______________________________________________ > >OSPF mailing list > >OSPF@ietf.org > >https://www.ietf.org/mailman/listinfo/ospf > > _______________________________________________ > OSPF mailing list > OSPF@ietf.org > https://www.ietf.org/mailman/listinfo/ospf >
- [OSPF] Fw: New Version Notification for draft-man… Manjul Khandelwal
- Re: [OSPF] Fw: New Version Notification for draft… Acee Lindem (acee)
- Re: [OSPF] Fw: New Version Notification for draft… Ramakrishna DTV
- Re: [OSPF] Fw: New Version Notification for draft… Acee Lindem (acee)
- Re: [OSPF] Fw: New Version Notification for draft… Manav Bhatia
- Re: [OSPF] Fw: New Version Notification for draft… Ramakrishna DTV
- Re: [OSPF] Fw: New Version Notification for draft… Manav Bhatia
- Re: [OSPF] Fw: New Version Notification for draft… Acee Lindem
- Re: [OSPF] Fw: New Version Notification for draft… Ramakrishna DTV
- Re: [OSPF] Fw: New Version Notification for draft… Acee Lindem (acee)
- Re: [OSPF] Fw: New Version Notification for draft… Jeff Tantsura