IETF Logo Mail Archive

Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)

Anton Smirnov <asmirnov@cisco.com> Thu, 12 September 2013 11:16 UTC

Return-Path: <asmirnov@cisco.com>
X-Original-To: ospf@ietfa.amsl.com
Delivered-To: ospf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2A0C21E813E for <ospf@ietfa.amsl.com>; Thu, 12 Sep 2013 04:16:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F21M8txrdOrq for <ospf@ietfa.amsl.com>; Thu, 12 Sep 2013 04:16:34 -0700 (PDT)
Received: from ams-iport-4.cisco.com (ams-iport-4.cisco.com [144.254.224.147]) by ietfa.amsl.com (Postfix) with ESMTP id 5CA6521E81DE for <ospf@ietf.org>; Thu, 12 Sep 2013 04:16:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2029; q=dns/txt; s=iport; t=1378984594; x=1380194194; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=4Bmosg1YkExD1YULLymME9wG27iZbm67Vlze1nf4nV4=; b=hGeeM9EeoOBuD9bfC7ludo0jhbyWhzcocCZ3SB0l9nvbEFnyHtktuAiL OTBdtTzLMt5beWjIKbqspsuTKrGDjL36YyBwN0gggO3fWmjvsEFaukd52 SYgDAb0DiSxjka+90WeTDuRnXLOlIJFcC196ifXkEGhaRw5E8QqnEjHUg A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgcFAEWiMVKQ/khL/2dsb2JhbABbgwe+bIJ0gRsWdIIlAQEBBDhAARALGAkWDwkDAgECAUUGDQEHAQGHfrwejiyBPweEHQOXeZFygWWBPzqBLA
X-IronPort-AV: E=Sophos;i="4.90,890,1371081600"; d="scan'208";a="17958495"
Received: from ams-core-2.cisco.com ([144.254.72.75]) by ams-iport-4.cisco.com with ESMTP; 12 Sep 2013 11:16:30 +0000
Received: from asm-lnx.cisco.com (ams-asmirnov-8712.cisco.com [10.55.140.83]) by ams-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id r8CBGSuo012241; Thu, 12 Sep 2013 11:16:28 GMT
Message-ID: <5231A28C.5030102@cisco.com>
Date: Thu, 12 Sep 2013 13:16:28 +0200
From: Anton Smirnov <asmirnov@cisco.com>
Organization: Cisco Systems
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121025 Thunderbird/16.0.2
MIME-Version: 1.0
To: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
References: <1375736635.93585.YahooMailNeo@web165005.mail.bf1.yahoo.com> <DC74E46E9699A84EB0E1183B90FD160928F2C192@xmb-aln-x11.cisco.com> <1376248961.41754.YahooMailNeo@web165004.mail.bf1.yahoo.com> <20211F91F544D247976D84C5D778A4C32E4B3B43@SG70YWXCHMBA05.zap.alcatel-lucent.com>
In-Reply-To: <20211F91F544D247976D84C5D778A4C32E4B3B43@SG70YWXCHMBA05.zap.alcatel-lucent.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "ospf@ietf.org" <ospf@ietf.org>
Subject: Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ospf>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Sep 2013 11:16:39 -0000

    If attacker has joined flooding domain and can inject an LSA into 
LSDB then it can screw up routing in the domain. Methods such as 
pretending being an ABR/ASBR and advertise destinations with good metric 
are almost impossible to combat once authentication barrier is penetrated.
    This particular vulnerability allows attacker to bring network down 
in style but if this vulnerability is not present in the particular 
network then attacker will simply resort to other numerous possibilities 
to affect routing via LSA injection. If attacker can inject LSA into 
LSDB then your network is at his mercy. Give or take one particular 
method is a detail.
    So IMO we don't need a draft on this particular vulnerability. It 
might be of some limited interest to document all known methods to 
exploit LSA injection which would include this vulnerability but what 
value would this RFC bring? Such methods are regularly published in 
academic literature since 90-th.

    IMO we need good (reliable, secure, manageable etc) methods of 
authenticating adjacencies. KARP group is working on that. We *might* 
benefit from a work on mechanism to prevent any router to originate 
reachable LSA on behalf of any other router (kind of LSA signing). But 
work on what will go wrong when intended security barriers are broken 
IMO is not needed.

Anton



On 09/12/2013 05:42 AM, Bhatia, Manav (Manav) wrote:
> Hi Gabi,
>
> [clipped]
>
>> Nonetheless, I am sure that there are more OSPF vendors out
>> there that are still vulnerable to the attack and do not
>> check for this. Moreover, since this check is not part of the
>> standard, in most likelihood future OSPF implementations will
>> also be vulnerable.
>>
> [clipped]
>
>> I am willing to write a draft describing this mitigation
>> measure. I would appreciate the list's thoughts on this.
> I think it's a good idea to write a draft that describes the attack and what implementations MUST do to avoid it.
>
> Cheers, Manav
>

v2.23.0 | Report a Bug | By Email