Re: OSPF WG Minutes

ashok <ashok_ch@HUAWEI.COM> Tue, 16 August 2005 12:11 UTC

Message-ID: <000001c5a25a$633aee50$7f04120a@china.huawei.com>
Date: Tue, 16 Aug 2005 17:32:33 +0530
Reply-To: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
Sender: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
From: ashok <ashok_ch@HUAWEI.COM>
Subject: Re: OSPF WG Minutes
To: OSPF@PEACH.EASE.LSOFT.COM
In-Reply-To: <BB6D74C75CC76A419B6D6FA7C38317B290E96C@sinett-sbs.SiNett.LAN>

Hi Vishwas,

-----Original Message-----
From: Mailing List [mailto:OSPF@PEACH.EASE.LSOFT.COM] On Behalf Of Vishwas Manral
Sent: Tuesday, August 16, 2005 5:22 PM
To: OSPF@PEACH.EASE.LSOFT.COM
Subject: Re: OSPF WG Minutes

Hi Acee,

> You don't mean all the packets do you? You mean all the packets with
> the last sequence number. So, if the last packet was a hello, the 
> session could be kept up indefinitely.
I think there are two parts to it. The first is as you are stating it.
Another is when a router has gone down: all the packets from the
beginning could be replayed and the adjacency could be brought up (the
receiver anyway does not check the sequence number before and after an
adjacency has broken).
For this to happen, ALL OSPF packets sent by the router which is now down
have to be stored by the malicious router, and they have to be replayed in the
same sequence. However, the LSAs will eventually MaxAge, as the malicious
router cannot possibly refresh the LSAs. So the condition is bounded by OSPF
MaxAge. But this still does pose a seemingly improbable problem.

Thanks,
Ashok
Thanks,
Vishwas
-----Original Message-----
From: Mailing List [mailto:OSPF@PEACH.EASE.LSOFT.COM] On Behalf Of Acee Lindem
Sent: Tuesday, August 16, 2005 5:16 PM
To: OSPF@PEACH.EASE.LSOFT.COM
Subject: Re: OSPF WG Minutes

Vishwas Manral wrote:
Hi Vishwas,

>Hi Acee,
>
>  
>
>>Acee: In practice, for OSPFv2 the sequence numbers are not monotonically
>>increasing. Usage of the router's clock for cryptographic sequence number
>>generation reduces the chance for replay attacks across restarts.
>>?: OSPF spec does not say it ...
>>    
>>
>Acee, what I meant was that although the OSPF spec does not state that
>we need to use clocks. 
>  
>
Ok - got the update.


>I think the vulnerabilities draft is the right place to state the
>problems that can happen if we do not use a clock (or something
>equivalent which increments even when a system goes down).
>  
>
Ok. I was just stating that in practice it is not as easy to exploit as it
appears.

>Another issue is that even if the sender uses clock for the "sequence
>number" and goes down, all the packets of a previous session can still
>be replayed by another router. So the chance of replay attacks is still
>there.
>  
>
You don't mean all the packets do you? You mean all the packets with the
last sequence number. So, if the last packet was a hello, the session could
be kept up indefinitely.

Thanks,
Acee

>Thanks,
>Vishwas
>-----Original Message-----
>From: Mailing List [mailto:OSPF@PEACH.EASE.LSOFT.COM] On Behalf Of Acee Lindem
>Sent: Monday, August 15, 2005 7:50 PM
>To: OSPF@PEACH.EASE.LSOFT.COM
>Subject: OSPF WG Minutes
>
>Attached are the minutes from the Paris OSPF WG meeting. Thanks to
>Dimitri for taking them.
>
>Acee
>
>  
>
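The receiver-side check the thread is arguing about, as an added Python simulation that is not part of this exchange: it models the RFC 2328 Appendix D rule (accept a packet when its cryptographic sequence number is >= the last one seen from that neighbor) and runs Acee's last-Hello replay, Vishwas's replay-from-the-beginning after the router goes down, and the genuine restart. The sequence values are constructed, and the `retain_seq` receiver is an assumed mitigation for illustration, not something the spec or the thread proposes.

```python
"""Constructed model of the OSPFv2 cryptographic-authentication replay check
(RFC 2328, Appendix D): the receiver remembers the last accepted sequence
number per neighbor and drops packets carrying a smaller one.  Added
illustration of the thread's argument; not router or IETF code."""

def receive(nbr, seq, ptype):
    """RFC 2328 D.4.3: accept iff there is no state yet or seq >= last accepted."""
    if nbr["last_seq"] is not None and seq < nbr["last_seq"]:
        return False
    nbr["last_seq"] = seq
    nbr["accepted"].append(ptype)
    return True

def adjacency_down(nbr, retain_seq):
    """Tear down the adjacency.  RFC 2328 discards the neighbor data structure
    (retain_seq=False); retain_seq=True models a receiver that remembers
    last_seq across the outage, the mitigation assumed in this example."""
    nbr["accepted"] = []
    if not retain_seq:
        nbr["last_seq"] = None

def simulate(retain_seq, restart_seq):
    """Run the thread's two replay cases plus the neighbor's genuine restart.
    restart_seq is the first sequence number the restarted router sends:
    a plain counter restarts at 0; a clock-derived value keeps increasing."""
    nbr = {"last_seq": None, "accepted": []}
    # Constructed capture of one legitimate session: clock-derived seq 1000..1002.
    session = [(1000, "Hello"), (1001, "DBD"), (1002, "Hello")]
    for seq, t in session:
        receive(nbr, seq, t)
    # Acee's case: the last packet was a Hello.  Re-sending it satisfies ">=",
    # so every copy passes and the adjacency never reaches its Dead interval.
    keepalive = sum(receive(nbr, 1002, "Hello") for _ in range(5))
    # Vishwas's case: the router goes down and the whole capture is replayed
    # from the beginning.  With neighbor state discarded, all of it passes.
    adjacency_down(nbr, retain_seq)
    from_start = sum(receive(nbr, s, t) for s, t in session)
    # The genuine router comes back and sends its first post-restart Hello.
    # A counter that restarts at 0 now sits below the replayed values and is
    # dropped; a clock-derived number stays above them, Acee's point.
    genuine = receive(nbr, restart_seq, "Hello")
    return {"keepalive_replays": keepalive,
            "replays_after_down": from_start,
            "genuine_restart_accepted": genuine}

if __name__ == "__main__":
    for retain in (False, True):
        for restart in (0, 5000):
            print(f"retain_seq={retain} restart_seq={restart}:",
                  simulate(retain, restart))
```

Retaining state across the outage removes the replay-from-start window (only the final Hello still passes the >= test) but then depends on the sender's sequence source surviving its own restart, which is why the thread ties the two issues together.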