Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)
Uma Chunduri <uma.chunduri@ericsson.com> Thu, 12 September 2013 21:52 UTC
Return-Path: <uma.chunduri@ericsson.com>
X-Original-To: ospf@ietfa.amsl.com
Delivered-To: ospf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D55411E81B0 for <ospf@ietfa.amsl.com>; Thu, 12 Sep 2013 14:52:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PMAcKTpfwS73 for <ospf@ietfa.amsl.com>; Thu, 12 Sep 2013 14:52:52 -0700 (PDT)
Received: from usevmg21.ericsson.net (usevmg21.ericsson.net [198.24.6.65]) by ietfa.amsl.com (Postfix) with ESMTP id 3137211E80F2 for <ospf@ietf.org>; Thu, 12 Sep 2013 14:52:51 -0700 (PDT)
X-AuditID: c6180641-b7fe28e000000d82-71-523237b3d2a9
Received: from EUSAAHC007.ericsson.se (Unknown_Domain [147.117.188.93]) by usevmg21.ericsson.net (Symantec Mail Security) with SMTP id AA.25.03458.3B732325; Thu, 12 Sep 2013 23:52:51 +0200 (CEST)
Received: from EUSAAMB105.ericsson.se ([147.117.188.122]) by EUSAAHC007.ericsson.se ([147.117.188.93]) with mapi id 14.02.0328.009; Thu, 12 Sep 2013 17:52:51 -0400
From: Uma Chunduri <uma.chunduri@ericsson.com>
To: Glen Kent <glen.kent@gmail.com>
Thread-Topic: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)
Thread-Index: AQHOsAGAA5zyPXY+7Ui1XVcJW/ibY5nCo/5g
Date: Thu, 12 Sep 2013 21:52:50 +0000
Message-ID: <1B502206DFA0C544B7A6046915200863174B8891@eusaamb105.ericsson.se>
References: <1375736635.93585.YahooMailNeo@web165005.mail.bf1.yahoo.com> <DC74E46E9699A84EB0E1183B90FD160928F2C192@xmb-aln-x11.cisco.com> <1376248961.41754.YahooMailNeo@web165004.mail.bf1.yahoo.com> <20211F91F544D247976D84C5D778A4C32E4B3B43@SG70YWXCHMBA05.zap.alcatel-lucent.com> <5231A28C.5030102@cisco.com> <20211F91F544D247976D84C5D778A4C32E4B4924@SG70YWXCHMBA05.zap.alcatel-lucent.com> <9F1F84B6-9A14-4C6E-84C3-2D2A26754C7E@lindem.com> <1B502206DFA0C544B7A6046915200863174B866E@eusaamb105.ericsson.se> <CAPLq3UOXkSOcRq3=CgRvLxUQQjB3XD+K6_RWLLh5e++4S8nEvg@mail.gmail.com>
In-Reply-To: <CAPLq3UOXkSOcRq3=CgRvLxUQQjB3XD+K6_RWLLh5e++4S8nEvg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [155.53.73.29]
Content-Type: multipart/alternative; boundary="_000_1B502206DFA0C544B7A6046915200863174B8891eusaamb105erics_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrNLMWRmVeSWpSXmKPExsUyuXRPrO5mc6MggxuPlSym3ZrOZrHnxHsW izn37rFatNy7x+7A4tH6bC+rx85Zd9k9liz5yeTxYdEF1gCWKC6blNSczLLUIn27BK6Ml+sn Mxe8amGs+Hp0AUsD4+r8LkZODgkBE4mXR3cxQdhiEhfurWfrYuTiEBI4yihxe+pVJghnOaPE gQ+rWEGq2AT0JD5O/cnexcjBISKgLPHmZgpImFmgXuJM105GEFtYIFpixf2HLCC2iECMxJIL bxkhbCOJPf83gsVZBFQlvqzeyQ5i8wr4Ssw+sJQZYtc5FonPPdfAGjgFAiVm7r4HZjMCXff9 1BomiGXiEreezIe6WkBiyZ7zzBC2qMTLx/9YIWwFiQM/5rBA1OdLTHq8iA1imaDEyZlPWCYw is5CMmoWkrJZSMog4joSC3Z/YoOwtSWWLXzNDGOfOfCYCVl8ASP7KkaO0uLUstx0I8NNjMAI PCbB5riDccEny0OM0hwsSuK8G/TOBAoJpCeWpGanphakFsUXleakFh9iZOLglGpg3H3PxufW rjTjaSwf3vGJPkhIjzy17N5JnxmxYcd7uCq+iyiuXjw3ZPEcoR0bl9yQNfSX+6jy7GG0UrDR vNNv0rdd4NbynnV4hofD8RfX+1rmywsLffdb4XZU7aGQmilvf01IVdDiSZ6z3+1SfazWeWTC mx+SDRsi7hQF7H3FxP6v4LfBvcOHGpRYijMSDbWYi4oTARKxIgeOAgAA
Cc: "ospf@ietf.org" <ospf@ietf.org>
Subject: Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ospf>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Sep 2013 21:52:57 -0000
>> In this case the attack was done in the absence of any authentication being used. One should worry for attack, if one configures some form of existing AUTH protections (we have) in the network. ..else we should not spend time on this topic! -- Uma C. ________________________________ From: Glen Kent [mailto:glen.kent@gmail.com] Sent: Thursday, September 12, 2013 2:46 PM To: Uma Chunduri Cc: Acee Lindem; Bhatia, Manav (Manav); ospf@ietf.org Subject: Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack) No, this is not the premise. Yes, somebody could do this if he has access to the keys. In this case the attack was done in the absence of any authentication being used. Glen On Thu, Sep 12, 2013 at 11:16 PM, Uma Chunduri <uma.chunduri@ericsson.com<mailto:uma.chunduri@ericsson.com>> wrote: Manav, The premise of the attack is still somebody know the AUTH keys of the router. If private keys of the router can be possibly subverted/leaked/stolen, then we all agree lot of things in lot of protocols can break (not only in OSPF or this is not specific to OSPF issue). One can definitely try to introduce protocol mechanisms to thwart some of these attacks to a certain extent, but the point is the problem is not still addressable this way. The question is how far it's real (I know KARP WG is contending with this) and what are the other mechanism one can adopt to solve the issue at the root instead of introducing more complicated protocol machinery. I also feel this should be analyzed more from KARP protocol threat documents... -- Uma C. -----Original Message----- From: ospf-bounces@ietf.org<mailto:ospf-bounces@ietf.org> [mailto:ospf-bounces@ietf.org<mailto:ospf-bounces@ietf.org>] On Behalf Of Acee Lindem Sent: Thursday, September 12, 2013 7:59 AM To: Bhatia, Manav (Manav) Cc: ospf@ietf.org<mailto:ospf@ietf.org> Subject: Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack) Manav - On Sep 12, 2013, at 10:40 AM, Bhatia, Manav (Manav) wrote: > Anton, > > I understand that once the attacker can insert LSAs in the flooding domain then there are several things that can be done. However, in most cases the attacks can be easily identified and a corrective action can be easily taken. In this particular case, the attack is a little more insidious and its not straight forward catching the erring LSA. > > Since its something that's missing in rfc 2328 we will keep having newer implementations that will carry this bug. A short one page RFC that updates 2328 imo would do no harm. Do you see any issue in publishing such an RFC? There is NO bug in RFC 2328. The RFC clearly states that a Router-LSA will be advertised with the same Router-ID for both the LSID and the Advertising router. I don't think it is productive to write "short" RFCs for every attack and believe the CERT Alert is a better and swifter mechanism for disseminating information on attacks. Note that my implementation was not susceptible to this attack as the vulnerability was identified in a packet mutation suite many years back. I spoke to Gabi offline about authoring an informational RFC that discusses classes of OSPF attacks and possible mechanisms to thwart them. Thanks, Acee > > I have written a short post on what the issue in 2328 is and how it can be exploited to launch an attack. > http://routingfreak.wordpress.com/2013/09/09/how-bad-is-the-ospf-vulne > rability-exposed-by-black-hat/ > > Cheers, Manav > >> -----Original Message----- >> From: Anton Smirnov [mailto:asmirnov@cisco.com<mailto:asmirnov@cisco.com>] >> Sent: Thursday, September 12, 2013 4:46 PM >> To: Bhatia, Manav (Manav) >> Cc: Gabi Nakibly; Acee Lindem; ospf@ietf.org<mailto:ospf@ietf.org> >> Subject: Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the >> Routing Table Attack) >> >> If attacker has joined flooding domain and can inject an LSA into >> LSDB then it can screw up routing in the domain. >> Methods such as pretending being an ABR/ASBR and advertise >> destinations with good metric are almost impossible to combat once >> authentication barrier is penetrated. >> This particular vulnerability allows attacker to bring network >> down in style but if this vulnerability is not present in the >> particular network then attacker will simply resort to other numerous >> possibilities to affect routing via LSA injection. If attacker can >> inject LSA into LSDB then your network is at his mercy. Give or take >> one particular method is a detail. >> So IMO we don't need a draft on this particular vulnerability. It >> might be of some limited interest to document all known methods to >> exploit LSA injection which would include this vulnerability but what >> value would this RFC bring? Such methods are regularly published in >> academic literature since 90-th. >> >> IMO we need good (reliable, secure, manageable etc) methods of >> authenticating adjacencies. KARP group is working on that. We *might* >> benefit from a work on mechanism to prevent any router to originate >> reachable LSA on behalf of any other router (kind of LSA signing). >> But work on what will go wrong when intended security barriers are >> broken IMO is not needed. >> >> Anton >> >> >> >> On 09/12/2013 05:42 AM, Bhatia, Manav (Manav) wrote: >>> Hi Gabi, >>> >>> [clipped] >>> >>>> Nonetheless, I am sure that there are more OSPF vendors out there >>>> that are still vulnerable to the attack and do not check for this. >>>> Moreover, since this check is not part of the standard, in most >>>> likelihood future OSPF implementations will also be vulnerable. >>>> >>> [clipped] >>> >>>> I am willing to write a draft describing this mitigation >> measure. I >>>> would appreciate the list's thoughts on this. >>> I think it's a good idea to write a draft that describes >> the attack and what implementations MUST do to avoid it. >>> >>> Cheers, Manav >>> >> >> > _______________________________________________ > OSPF mailing list > OSPF@ietf.org<mailto:OSPF@ietf.org> > https://www.ietf.org/mailman/listinfo/ospf _______________________________________________ OSPF mailing list OSPF@ietf.org<mailto:OSPF@ietf.org> https://www.ietf.org/mailman/listinfo/ospf _______________________________________________ OSPF mailing list OSPF@ietf.org<mailto:OSPF@ietf.org> https://www.ietf.org/mailman/listinfo/ospf
- [OSPF] OSPF - Owning the Routing Table Attack Glen Kent
- Re: [OSPF] OSPF - Owning the Routing Table Attack Uma Chunduri
- Re: [OSPF] OSPF - Owning the Routing Table Attack Mitchell Erblich
- Re: [OSPF] OSPF - Owning the Routing Table Attack Michael Barnes
- Re: [OSPF] OSPF - Owning the Routing Table Attack Uma Chunduri
- Re: [OSPF] OSPF - Owning the Routing Table Attack Orhan Ergün
- Re: [OSPF] OSPF - Owning the Routing Table Attack Michael Barnes
- [OSPF] Dropping malformed LSAs (was: OSPF - Ownin… David Lamparter
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Acee Lindem
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Gabi Nakibly
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Yi Yang (yiya)
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Gabi Nakibly
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Bhatia, Manav (Manav)
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Anton Smirnov
- Re: [OSPF] Dropping malformed LSAs A. Przygienda
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Bhatia, Manav (Manav)
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Acee Lindem
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Bhatia, Manav (Manav)
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Uma Chunduri
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Glen Kent
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Uma Chunduri
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Acee Lindem
- Re: [OSPF] Dropping malformed LSAs A. Przygienda
- Re: [OSPF] Dropping malformed LSAs (was: OSPF - O… Mitchell Erblich