Re: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)

Acee Lindem <acee.lindem@ericsson.com> Mon, 05 August 2013 02:28 UTC

From: Acee Lindem <acee.lindem@ericsson.com>
To: David Lamparter <equinox@diac24.net>, Glen Kent <glen.kent@gmail.com>
Date: Mon, 5 Aug 2013 02:28:19 +0000
Message-ID: <94A203EA12AECE4BA92D42DBFFE0AE4702FE6F29@eusaamb101.ericsson.se>
In-Reply-To: <20130804130603.GV67612@jupiter.n2.diac24.net>
Cc: "ospf@ietf.org" <ospf@ietf.org>

On 8/4/13 6:06 AM, "David Lamparter" <equinox@diac24.net> wrote:

>On Fri, Aug 02, 2013 at 10:11:01PM +0530, Glen Kent wrote:
>> Does anybody have details on what this OSPF vulnerability is?
>> 
>> https://www.blackhat.com/us-13/briefings.html#Nakibly
>
>As people may have noticed by now (the embargo on providing details has
>expired as the talk was presented), this issue consists of Router LSAs
>where the Router ID is different from the Link State ID.  As such, this
>attack is implementable from any router in an OSPF area against any
>other router in the OSPF.
>
>(Quite honestly, IMHO this is seriously far fetched.  If your control
>plane got compromised this far you have other problems.)

I agree that once the OSPF control plane is open, you are susceptible to
many attacks. However, this attack is a bit more insidious than most since
the actual OSPF router corresponding to the link state ID will most likely
not recognize the LSA as self-originated and re-originate a more recent
version when the malformed one is received. Hence, the malicious LSA will
remain in the routing domain and, depending upon the OSPF implementation,
could result in traffic being redirected.

>
>While Quagga is unaffected by this, we've implemented a warning.  We're
>also considering dropping the LSA outright, but I'm somewhat split on
>that (tilted towards dropping).  I'd be interested if the WG has
>comments on that?

I can't speak for the WG but my implementation will skip the LSA in the
Link-State Update packet.

Thanks,
Acee


>
>
>-David
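
The check discussed in this thread, as an added example that is not part of the original messages and is not Quagga's or any vendor's code: walk the LSAs in a Link State Update and skip any Router-LSA whose Advertising Router differs from its Link State ID. The function names and the sample bytes are constructed for illustration, and LS age and checksum validation are assumed to happen elsewhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define LSA_HDR_LEN 20      /* RFC 2328 LSA header size */
#define LSA_TYPE_ROUTER 1

/* Constructed sample: LS Update body (after the 24-byte OSPF header) with two
 * Router-LSAs for Link State ID 192.0.2.1; the second is advertised by 192.0.2.2. */
static const uint8_t SAMPLE_BODY[] = {
    0,0,0,2,                                              /* number of LSAs */
    0,1, 2, 1, 192,0,2,1, 192,0,2,1, 0x80,0,0,1, 0,0, 0,24, 0,0,0,0,
    0,1, 2, 1, 192,0,2,1, 192,0,2,2, 0x80,0,0,2, 0,0, 0,24, 0,0,0,0,
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* 1 if this is a Router-LSA whose Advertising Router differs from its Link State ID. */
int router_lsa_id_mismatch(const uint8_t *lsa) {
    return lsa[3] == LSA_TYPE_ROUTER && be32(lsa + 4) != be32(lsa + 8);
}

/* Walk the LSAs, skipping mismatched Router-LSAs. Returns LSAs accepted, or -1 if malformed. */
int filter_ls_update(const uint8_t *body, size_t len, int *skipped) {
    size_t off = 4;
    int accepted = 0;
    *skipped = 0;
    if (len < 4) return -1;
    uint32_t count = be32(body);
    for (uint32_t i = 0; i < count; i++) {
        if (len - off < LSA_HDR_LEN) return -1;
        const uint8_t *lsa = body + off;
        size_t lsa_len = ((size_t)lsa[18] << 8) | lsa[19];
        if (lsa_len < LSA_HDR_LEN || lsa_len > len - off) return -1;
        if (router_lsa_id_mismatch(lsa)) (*skipped)++;   /* skip, keep processing the rest */
        else accepted++;                                 /* would go on to normal flooding checks */
        off += lsa_len;
    }
    return accepted;
}

int main(void) {
    int skipped;
    int accepted = filter_ls_update(SAMPLE_BODY, sizeof SAMPLE_BODY, &skipped);
    printf("accepted=%d skipped=%d\n", accepted, skipped);
    return 0;
}
```

Skipping only the offending LSA, rather than discarding the whole packet, lets the well-formed LSAs in the same update still be processed.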