Re: OSPFv3 Destination Address Filter
"Naidu, Venkata" <Venkata.Naidu@MARCONI.COM> Fri, 27 February 2004 22:59 UTC
Received: from cherry.ease.lsoft.com (cherry.ease.lsoft.com [209.119.0.109]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA00805 for <ospf-archive@LISTS.IETF.ORG>; Fri, 27 Feb 2004 17:59:36 -0500 (EST)
Received: from PEAR.EASE.LSOFT.COM (209.119.0.19) by cherry.ease.lsoft.com (LSMTP for Digital Unix v1.1b) with SMTP id <6.00D07CBC@cherry.ease.lsoft.com>; Fri, 27 Feb 2004 17:59:35 -0500
Received: from PEACH.EASE.LSOFT.COM by PEACH.EASE.LSOFT.COM (LISTSERV-TCP/IP release 1.8e) with spool id 4267881 for OSPF@PEACH.EASE.LSOFT.COM; Fri, 27 Feb 2004 17:59:33 -0500
Received: from 169.144.68.6 by WALNUT.EASE.LSOFT.COM (SMTPL release 1.0i) with TCP; Fri, 27 Feb 2004 17:59:33 -0500
Received: from mailman.pit.comms.marconi.com (mailman.pit.comms.marconi.com [169.144.2.12]) by mailgate.pit.comms.marconi.com (8.12.10+Sun/8.12.10) with ESMTP id i1RMxXUG014847 for <OSPF@PEACH.EASE.LSOFT.COM>; Fri, 27 Feb 2004 17:59:33 -0500 (EST)
Received: from uspitsmsgrtr01.pit.comms.marconi.com (uspitsmsgrtr01.pit.comms.marconi.com [169.144.2.221]) by mailman.pit.comms.marconi.com (8.9.3/8.9.3) with ESMTP id RAA03914 for <OSPF@PEACH.EASE.LSOFT.COM>; Fri, 27 Feb 2004 17:59:34 -0500 (EST)
Received: by uspitsmsgrtr01.pit.comms.marconi.com with Internet Mail Service (5.5.2653.19) id <FY69VQ2A>; Fri, 27 Feb 2004 17:59:32 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Message-ID: <39469E08BD83D411A3D900204840EC55FB7201@vie-msgusr-01.dc.fore.com>
Date: Fri, 27 Feb 2004 17:59:29 -0500
Reply-To: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
Sender: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
From: "Naidu, Venkata" <Venkata.Naidu@MARCONI.COM>
Subject: Re: OSPFv3 Destination Address Filter
To: OSPF@PEACH.EASE.LSOFT.COM
Precedence: list
Hi Acee, -> We've implemented the subject draft to mitigate some of the -> OSPFv3 vulnerabilities. While the solution isn't perfect, it is -> lightweight, easy to deploy, and fully compatible with the current -> OSPFv3 specification (RFC 2740). -> -> http://www.ietf.org/internet-drafts/draft-lindem-ospfv3-dest- -> filter-00.txt After a quick look, here are few comments: 1. Check should be: if (((first-two-octets & 0xffc0) != 0xfe80) && <<<< ((first-two-octets & 0xff0f) != 0xff02)) { ==== ((first-two-octets & 0xffff) != 0xff02)) { >>>> drop the packet; } I think, OSPFv3 SHOULD work on permanently flagged multicast addresses not with T flag on'ed ones. 2. The draft reads: The granularity of the check will limit the usage of virtual links at the granularity which it is applied. For example, if it is applied at the BSD socket level, virtual links may not be used by any OSPF instance utilizing that socket. Alternately, additional configuration and checking could be added at the socket level so that the destination filter is only applied to certain instances, areas, or interfaces. There is another way to support what this draft does with out loss of generality. If these checks are applied at the Raw-IPv6 stack level (using local address binding socket options) virtual link support will not be jeopardized. Doing below steps will solve DOS attack for IPv4 applications (i.e., OSPFv2, RSVP-TE etc) and IPv6 applications (i.e., OSPFv3 etc.) - at least for the ones which operate on per interface basis. 1. Bind to the local interface (either using link-layer address/ ifindex) and make it strong-end socket. That is the socket will accept incoming packets only from the binded interface. 2. Listen only for appropriate multicast address groups using various MULTICAST socket options. This will make sure the above checks are done at the Raw-IP level instead of at the OSPF level. 3. Open another INADDR_ANY socket ONLY when virtual links are operational. Note that, this socket will receive all types of OSPF packets. But, that is fine, OSPF will anyway make sure (have to make sure) validity of every packet received on this socket. It is a good idea to enhance socket APIs to have filters based on list of IP addresses instead of all-or-one (i.e., multiple bindings like). May be, Bill Fenner can answer why it is not incorporated in IPv6 at least. I expected this in his recent Book. :) Venakta.
- OSPFv3 Destination Address Filter Acee Lindem
- Re: OSPFv3 Destination Address Filter Naidu, Venkata
- Re: OSPFv3 Destination Address Filter Anand Oswal