Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)
"Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com> Thu, 12 September 2013 15:05 UTC
Return-Path: <manav.bhatia@alcatel-lucent.com>
X-Original-To: ospf@ietfa.amsl.com
Delivered-To: ospf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E45511E820D for <ospf@ietfa.amsl.com>; Thu, 12 Sep 2013 08:05:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OSqmMfAKoX+i for <ospf@ietfa.amsl.com>; Thu, 12 Sep 2013 08:05:33 -0700 (PDT)
Received: from ihemail2.lucent.com (ihemail2.lucent.com [135.245.0.35]) by ietfa.amsl.com (Postfix) with ESMTP id DEB3011E821E for <ospf@ietf.org>; Thu, 12 Sep 2013 08:05:31 -0700 (PDT)
Received: from us70uusmtp3.zam.alcatel-lucent.com (h135-5-2-65.lucent.com [135.5.2.65]) by ihemail2.lucent.com (8.13.8/IER-o) with ESMTP id r8CF5TdH008319 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Thu, 12 Sep 2013 10:05:30 -0500 (CDT)
Received: from US70TWXCHHUB04.zam.alcatel-lucent.com (us70twxchhub04.zam.alcatel-lucent.com [135.5.2.36]) by us70uusmtp3.zam.alcatel-lucent.com (GMO) with ESMTP id r8CF5R1i007729 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 12 Sep 2013 11:05:29 -0400
Received: from SG70YWXCHHUB04.zap.alcatel-lucent.com (135.253.2.38) by US70TWXCHHUB04.zam.alcatel-lucent.com (135.5.2.36) with Microsoft SMTP Server (TLS) id 14.2.247.3; Thu, 12 Sep 2013 11:05:27 -0400
Received: from SG70YWXCHMBA05.zap.alcatel-lucent.com ([169.254.5.83]) by SG70YWXCHHUB04.zap.alcatel-lucent.com ([135.253.2.38]) with mapi id 14.02.0247.003; Thu, 12 Sep 2013 23:05:25 +0800
From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: Acee Lindem <acee@lindem.com>
Thread-Topic: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)
Thread-Index: AQHOr8it0FQ/Zi+/Tk+kM9fPB35RJJnCMjjA
Date: Thu, 12 Sep 2013 15:05:24 +0000
Message-ID: <20211F91F544D247976D84C5D778A4C32E4B4A42@SG70YWXCHMBA05.zap.alcatel-lucent.com>
References: <1375736635.93585.YahooMailNeo@web165005.mail.bf1.yahoo.com> <DC74E46E9699A84EB0E1183B90FD160928F2C192@xmb-aln-x11.cisco.com> <1376248961.41754.YahooMailNeo@web165004.mail.bf1.yahoo.com> <20211F91F544D247976D84C5D778A4C32E4B3B43@SG70YWXCHMBA05.zap.alcatel-lucent.com> <5231A28C.5030102@cisco.com> <20211F91F544D247976D84C5D778A4C32E4B4924@SG70YWXCHMBA05.zap.alcatel-lucent.com> <9F1F84B6-9A14-4C6E-84C3-2D2A26754C7E@lindem.com>
In-Reply-To: <9F1F84B6-9A14-4C6E-84C3-2D2A26754C7E@lindem.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.253.19.18]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.35
Cc: "ospf@ietf.org" <ospf@ietf.org>
Subject: Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ospf>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Sep 2013 15:05:45 -0000
Hi Acee, > There is NO bug in RFC 2328. The RFC clearly states that a While I did use the "b" word, I did not mean a "bug" -- have always referred to it as an ommission. > Router-LSA will be advertised with the same Router-ID for > both the LSID and the Advertising router. I don't think it is This is at the sending side. What about the RX side? I guess that's where the omission was. > productive to write "short" RFCs for every attack and believe > the CERT Alert is a better and swifter mechanism for > disseminating information on attacks. > Note that my implementation was not susceptible to this > attack as the vulnerability was identified in a packet > mutation suite many years back. > > I spoke to Gabi offline about authoring an informational RFC > that discusses classes of OSPF attacks and possible > mechanisms to thwart them. I am fine with that as well. I just want the different kids of attacks to get documented somewhere. Cheers, Manav > > Thanks, > Acee > > > > > I have written a short post on what the issue in 2328 is > and how it can be exploited to launch an attack. > > > http://routingfreak.wordpress.com/2013/09/09/how-bad-is-the-ospf-vulne > > rability-exposed-by-black-hat/ > > > > Cheers, Manav > > > >> -----Original Message----- > >> From: Anton Smirnov [mailto:asmirnov@cisco.com] > >> Sent: Thursday, September 12, 2013 4:46 PM > >> To: Bhatia, Manav (Manav) > >> Cc: Gabi Nakibly; Acee Lindem; ospf@ietf.org > >> Subject: Re: [OSPF] Dropping malformed LSAs (was: OSPF - > Owning the > >> Routing Table Attack) > >> > >> If attacker has joined flooding domain and can inject > an LSA into > >> LSDB then it can screw up routing in the domain. > >> Methods such as pretending being an ABR/ASBR and advertise > >> destinations with good metric are almost impossible to combat once > >> authentication barrier is penetrated. > >> This particular vulnerability allows attacker to bring network > >> down in style but if this vulnerability is not present in the > >> particular network then attacker will simply resort to > other numerous > >> possibilities to affect routing via LSA injection. If attacker can > >> inject LSA into LSDB then your network is at his mercy. > Give or take > >> one particular method is a detail. > >> So IMO we don't need a draft on this particular > vulnerability. It > >> might be of some limited interest to document all known methods to > >> exploit LSA injection which would include this > vulnerability but what > >> value would this RFC bring? Such methods are regularly > published in > >> academic literature since 90-th. > >> > >> IMO we need good (reliable, secure, manageable etc) methods of > >> authenticating adjacencies. KARP group is working on that. > We *might* > >> benefit from a work on mechanism to prevent any router to > originate > >> reachable LSA on behalf of any other router (kind of LSA signing). > >> But work on what will go wrong when intended security barriers are > >> broken IMO is not needed. > >> > >> Anton > >> > >> > >> > >> On 09/12/2013 05:42 AM, Bhatia, Manav (Manav) wrote: > >>> Hi Gabi, > >>> > >>> [clipped] > >>> > >>>> Nonetheless, I am sure that there are more OSPF vendors > out there > >>>> that are still vulnerable to the attack and do not check > for this. > >>>> Moreover, since this check is not part of the standard, in most > >>>> likelihood future OSPF implementations will also be vulnerable. > >>>> > >>> [clipped] > >>> > >>>> I am willing to write a draft describing this mitigation > >> measure. I > >>>> would appreciate the list's thoughts on this. > >>> I think it's a good idea to write a draft that describes > >> the attack and what implementations MUST do to avoid it. > >>> > >>> Cheers, Manav > >>> > >> > >> > > _______________________________________________ > > OSPF mailing list > > OSPF@ietf.org > > https://www.ietf.org/mailman/listinfo/ospf > >
- [OSPF] OSPF - Owning the Routing Table Attack Glen Kent
- Re: [OSPF] OSPF - Owning the Routing Table Attack Uma Chunduri
- Re: [OSPF] OSPF - Owning the Routing Table Attack Mitchell Erblich
- Re: [OSPF] OSPF - Owning the Routing Table Attack Michael Barnes
- Re: [OSPF] OSPF - Owning the Routing Table Attack Uma Chunduri
- Re: [OSPF] OSPF - Owning the Routing Table Attack Orhan Ergün
- Re: [OSPF] OSPF - Owning the Routing Table Attack Michael Barnes
- [OSPF] Dropping malformed LSAs (was: OSPF - Ownin… David Lamparter
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Acee Lindem
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Gabi Nakibly
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Yi Yang (yiya)
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Gabi Nakibly
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Bhatia, Manav (Manav)
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Anton Smirnov
- Re: [OSPF] Dropping malformed LSAs A. Przygienda
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Bhatia, Manav (Manav)
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Acee Lindem
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Bhatia, Manav (Manav)
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Uma Chunduri
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Glen Kent
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Uma Chunduri
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Acee Lindem
- Re: [OSPF] Dropping malformed LSAs A. Przygienda
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Mitchell Erblich