IETF Logo Mail Archive

Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)

"Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com> Thu, 12 September 2013 15:05 UTC

Return-Path: <manav.bhatia@alcatel-lucent.com>
X-Original-To: ospf@ietfa.amsl.com
Delivered-To: ospf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E45511E820D for <ospf@ietfa.amsl.com>; Thu, 12 Sep 2013 08:05:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OSqmMfAKoX+i for <ospf@ietfa.amsl.com>; Thu, 12 Sep 2013 08:05:33 -0700 (PDT)
Received: from ihemail2.lucent.com (ihemail2.lucent.com [135.245.0.35]) by ietfa.amsl.com (Postfix) with ESMTP id DEB3011E821E for <ospf@ietf.org>; Thu, 12 Sep 2013 08:05:31 -0700 (PDT)
Received: from us70uusmtp3.zam.alcatel-lucent.com (h135-5-2-65.lucent.com [135.5.2.65]) by ihemail2.lucent.com (8.13.8/IER-o) with ESMTP id r8CF5TdH008319 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Thu, 12 Sep 2013 10:05:30 -0500 (CDT)
Received: from US70TWXCHHUB04.zam.alcatel-lucent.com (us70twxchhub04.zam.alcatel-lucent.com [135.5.2.36]) by us70uusmtp3.zam.alcatel-lucent.com (GMO) with ESMTP id r8CF5R1i007729 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 12 Sep 2013 11:05:29 -0400
Received: from SG70YWXCHHUB04.zap.alcatel-lucent.com (135.253.2.38) by US70TWXCHHUB04.zam.alcatel-lucent.com (135.5.2.36) with Microsoft SMTP Server (TLS) id 14.2.247.3; Thu, 12 Sep 2013 11:05:27 -0400
Received: from SG70YWXCHMBA05.zap.alcatel-lucent.com ([169.254.5.83]) by SG70YWXCHHUB04.zap.alcatel-lucent.com ([135.253.2.38]) with mapi id 14.02.0247.003; Thu, 12 Sep 2013 23:05:25 +0800
From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: Acee Lindem <acee@lindem.com>
Thread-Topic: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)
Thread-Index: AQHOr8it0FQ/Zi+/Tk+kM9fPB35RJJnCMjjA
Date: Thu, 12 Sep 2013 15:05:24 +0000
Message-ID: <20211F91F544D247976D84C5D778A4C32E4B4A42@SG70YWXCHMBA05.zap.alcatel-lucent.com>
References: <1375736635.93585.YahooMailNeo@web165005.mail.bf1.yahoo.com> <DC74E46E9699A84EB0E1183B90FD160928F2C192@xmb-aln-x11.cisco.com> <1376248961.41754.YahooMailNeo@web165004.mail.bf1.yahoo.com> <20211F91F544D247976D84C5D778A4C32E4B3B43@SG70YWXCHMBA05.zap.alcatel-lucent.com> <5231A28C.5030102@cisco.com> <20211F91F544D247976D84C5D778A4C32E4B4924@SG70YWXCHMBA05.zap.alcatel-lucent.com> <9F1F84B6-9A14-4C6E-84C3-2D2A26754C7E@lindem.com>
In-Reply-To: <9F1F84B6-9A14-4C6E-84C3-2D2A26754C7E@lindem.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.253.19.18]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.35
Cc: "ospf@ietf.org" <ospf@ietf.org>
Subject: Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ospf>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Sep 2013 15:05:45 -0000

Hi Acee,
 
> There is NO bug in RFC 2328. The RFC clearly states that a 

While I did use the "b" word, I did not mean a "bug" -- have always referred to it as an ommission.

> Router-LSA will be advertised with the same Router-ID for 
> both the LSID and the Advertising router. I don't think it is 

This is at the sending side. What about the RX side? I guess that's where the omission was.

> productive to write "short" RFCs for every attack and believe 
> the CERT Alert is a better and swifter mechanism for 
> disseminating information on attacks. 
> Note that my implementation was not susceptible to this 
> attack as the vulnerability was identified in a packet 
> mutation suite many years back.
> 
> I spoke to Gabi offline about authoring an informational RFC 
> that discusses classes of OSPF attacks and possible 
> mechanisms to thwart them. 

I am fine with that as well. I just want the different kids of attacks to get documented somewhere.

Cheers, Manav

> 
> Thanks,
> Acee
> 
> > 
> > I have written a short post on what the issue in 2328 is 
> and how it can be exploited to launch an attack.
> > 
> http://routingfreak.wordpress.com/2013/09/09/how-bad-is-the-ospf-vulne
> > rability-exposed-by-black-hat/
> > 
> > Cheers, Manav
> > 
> >> -----Original Message-----
> >> From: Anton Smirnov [mailto:asmirnov@cisco.com]
> >> Sent: Thursday, September 12, 2013 4:46 PM
> >> To: Bhatia, Manav (Manav)
> >> Cc: Gabi Nakibly; Acee Lindem; ospf@ietf.org
> >> Subject: Re: [OSPF] Dropping malformed LSAs (was: OSPF - 
> Owning the 
> >> Routing Table Attack)
> >> 
> >>    If attacker has joined flooding domain and can inject 
> an LSA into 
> >> LSDB then it can screw up routing in the domain.
> >> Methods such as pretending being an ABR/ASBR and advertise 
> >> destinations with good metric are almost impossible to combat once 
> >> authentication barrier is penetrated.
> >>    This particular vulnerability allows attacker to bring network 
> >> down in style but if this vulnerability is not present in the 
> >> particular network then attacker will simply resort to 
> other numerous 
> >> possibilities to affect routing via LSA injection. If attacker can 
> >> inject LSA into LSDB then your network is at his mercy. 
> Give or take 
> >> one particular method is a detail.
> >>    So IMO we don't need a draft on this particular 
> vulnerability. It 
> >> might be of some limited interest to document all known methods to 
> >> exploit LSA injection which would include this 
> vulnerability but what 
> >> value would this RFC bring? Such methods are regularly 
> published in 
> >> academic literature since 90-th.
> >> 
> >>    IMO we need good (reliable, secure, manageable etc) methods of 
> >> authenticating adjacencies. KARP group is working on that. 
> We *might* 
> >> benefit from a work on mechanism to prevent any router to 
> originate 
> >> reachable LSA on behalf of any other router (kind of LSA signing). 
> >> But work on what will go wrong when intended security barriers are 
> >> broken IMO is not needed.
> >> 
> >> Anton
> >> 
> >> 
> >> 
> >> On 09/12/2013 05:42 AM, Bhatia, Manav (Manav) wrote:
> >>> Hi Gabi,
> >>> 
> >>> [clipped]
> >>> 
> >>>> Nonetheless, I am sure that there are more OSPF vendors 
> out there 
> >>>> that are still vulnerable to the attack and do not check 
> for this.
> >>>> Moreover, since this check is not part of the standard, in most 
> >>>> likelihood future OSPF implementations will also be vulnerable.
> >>>> 
> >>> [clipped]
> >>> 
> >>>> I am willing to write a draft describing this mitigation
> >> measure. I
> >>>> would appreciate the list's thoughts on this.
> >>> I think it's a good idea to write a draft that describes
> >> the attack and what implementations MUST do to avoid it.
> >>> 
> >>> Cheers, Manav
> >>> 
> >> 
> >> 
> > _______________________________________________
> > OSPF mailing list
> > OSPF@ietf.org
> > https://www.ietf.org/mailman/listinfo/ospf
> 
>

v2.23.0 | Report a Bug | By Email