Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)
Anton Smirnov <asmirnov@cisco.com> Thu, 12 September 2013 11:16 UTC
Return-Path: <asmirnov@cisco.com>
X-Original-To: ospf@ietfa.amsl.com
Delivered-To: ospf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2A0C21E813E for <ospf@ietfa.amsl.com>; Thu, 12 Sep 2013 04:16:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F21M8txrdOrq for <ospf@ietfa.amsl.com>; Thu, 12 Sep 2013 04:16:34 -0700 (PDT)
Received: from ams-iport-4.cisco.com (ams-iport-4.cisco.com [144.254.224.147]) by ietfa.amsl.com (Postfix) with ESMTP id 5CA6521E81DE for <ospf@ietf.org>; Thu, 12 Sep 2013 04:16:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2029; q=dns/txt; s=iport; t=1378984594; x=1380194194; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=4Bmosg1YkExD1YULLymME9wG27iZbm67Vlze1nf4nV4=; b=hGeeM9EeoOBuD9bfC7ludo0jhbyWhzcocCZ3SB0l9nvbEFnyHtktuAiL OTBdtTzLMt5beWjIKbqspsuTKrGDjL36YyBwN0gggO3fWmjvsEFaukd52 SYgDAb0DiSxjka+90WeTDuRnXLOlIJFcC196ifXkEGhaRw5E8QqnEjHUg A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgcFAEWiMVKQ/khL/2dsb2JhbABbgwe+bIJ0gRsWdIIlAQEBBDhAARALGAkWDwkDAgECAUUGDQEHAQGHfrwejiyBPweEHQOXeZFygWWBPzqBLA
X-IronPort-AV: E=Sophos;i="4.90,890,1371081600"; d="scan'208";a="17958495"
Received: from ams-core-2.cisco.com ([144.254.72.75]) by ams-iport-4.cisco.com with ESMTP; 12 Sep 2013 11:16:30 +0000
Received: from asm-lnx.cisco.com (ams-asmirnov-8712.cisco.com [10.55.140.83]) by ams-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id r8CBGSuo012241; Thu, 12 Sep 2013 11:16:28 GMT
Message-ID: <5231A28C.5030102@cisco.com>
Date: Thu, 12 Sep 2013 13:16:28 +0200
From: Anton Smirnov <asmirnov@cisco.com>
Organization: Cisco Systems
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121025 Thunderbird/16.0.2
MIME-Version: 1.0
To: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
References: <1375736635.93585.YahooMailNeo@web165005.mail.bf1.yahoo.com> <DC74E46E9699A84EB0E1183B90FD160928F2C192@xmb-aln-x11.cisco.com> <1376248961.41754.YahooMailNeo@web165004.mail.bf1.yahoo.com> <20211F91F544D247976D84C5D778A4C32E4B3B43@SG70YWXCHMBA05.zap.alcatel-lucent.com>
In-Reply-To: <20211F91F544D247976D84C5D778A4C32E4B3B43@SG70YWXCHMBA05.zap.alcatel-lucent.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "ospf@ietf.org" <ospf@ietf.org>
Subject: Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ospf>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Sep 2013 11:16:39 -0000
If attacker has joined flooding domain and can inject an LSA into LSDB then it can screw up routing in the domain. Methods such as pretending being an ABR/ASBR and advertise destinations with good metric are almost impossible to combat once authentication barrier is penetrated. This particular vulnerability allows attacker to bring network down in style but if this vulnerability is not present in the particular network then attacker will simply resort to other numerous possibilities to affect routing via LSA injection. If attacker can inject LSA into LSDB then your network is at his mercy. Give or take one particular method is a detail. So IMO we don't need a draft on this particular vulnerability. It might be of some limited interest to document all known methods to exploit LSA injection which would include this vulnerability but what value would this RFC bring? Such methods are regularly published in academic literature since 90-th. IMO we need good (reliable, secure, manageable etc) methods of authenticating adjacencies. KARP group is working on that. We *might* benefit from a work on mechanism to prevent any router to originate reachable LSA on behalf of any other router (kind of LSA signing). But work on what will go wrong when intended security barriers are broken IMO is not needed. Anton On 09/12/2013 05:42 AM, Bhatia, Manav (Manav) wrote: > Hi Gabi, > > [clipped] > >> Nonetheless, I am sure that there are more OSPF vendors out >> there that are still vulnerable to the attack and do not >> check for this. Moreover, since this check is not part of the >> standard, in most likelihood future OSPF implementations will >> also be vulnerable. >> > [clipped] > >> I am willing to write a draft describing this mitigation >> measure. I would appreciate the list's thoughts on this. > I think it's a good idea to write a draft that describes the attack and what implementations MUST do to avoid it. > > Cheers, Manav >
- [OSPF] OSPF - Owning the Routing Table Attack Glen Kent
- Re: [OSPF] OSPF - Owning the Routing Table Attack Uma Chunduri
- Re: [OSPF] OSPF - Owning the Routing Table Attack Mitchell Erblich
- Re: [OSPF] OSPF - Owning the Routing Table Attack Michael Barnes
- Re: [OSPF] OSPF - Owning the Routing Table Attack Uma Chunduri
- Re: [OSPF] OSPF - Owning the Routing Table Attack Orhan Ergün
- Re: [OSPF] OSPF - Owning the Routing Table Attack Michael Barnes
- [OSPF] Dropping malformed LSAs (was: OSPF - Ownin… David Lamparter
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Acee Lindem
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Gabi Nakibly
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Yi Yang (yiya)
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Gabi Nakibly
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Bhatia, Manav (Manav)
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Anton Smirnov
- Re: [OSPF] Dropping malformed LSAs A. Przygienda
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Bhatia, Manav (Manav)
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Acee Lindem
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Bhatia, Manav (Manav)
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Uma Chunduri
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Glen Kent
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Uma Chunduri
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Acee Lindem
- Re: [OSPF] Dropping malformed LSAs A. Przygienda
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Mitchell Erblich