[OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)

David Lamparter <equinox@diac24.net> Sun, 04 August 2013 13:06 UTC

Date: Sun, 04 Aug 2013 15:06:03 +0200
From: David Lamparter <equinox@diac24.net>
To: Glen Kent <glen.kent@gmail.com>
Message-ID: <20130804130603.GV67612@jupiter.n2.diac24.net>
References: <CAPLq3UNWoff2pSe9fkWsBmfW3b-CfKe9iUiPMWBNZKe=jXn0KQ@mail.gmail.com>
In-Reply-To: <CAPLq3UNWoff2pSe9fkWsBmfW3b-CfKe9iUiPMWBNZKe=jXn0KQ@mail.gmail.com>
Cc: "ospf@ietf.org" <ospf@ietf.org>
Subject: [OSPF] Dropping malformed LSAs (was: OSPF - Owning the Routing Table Attack)

On Fri, Aug 02, 2013 at 10:11:01PM +0530, Glen Kent wrote:
> Does anybody have details on what this OSPF vulnerability is?
> 
> https://www.blackhat.com/us-13/briefings.html#Nakibly

As people may have noticed by now (the embargo on providing details has
expired as the talk was presented), this issue consists of Router LSAs
where the Router ID is different from the Link State ID.  As such, this
attack is implementable from any router in an OSPF area against any
other router in the OSPF.

(Quite honestly, IMHO this is seriously far-fetched.  If your control
plane got compromised this far you have other problems.)

While Quagga is unaffected by this, we've implemented a warning.  We're
also considering dropping the LSA outright, but I'm somewhat split on
that (tilted towards dropping).  I'd be interested if the WG has
comments on that?


-David
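The consistency check discussed in the message, written here as an added example and not Quagga's own code: parse the 20-byte LSA header from RFC 2328 (A.4.1) and reject a Router-LSA whose Link State ID differs from its Advertising Router. The sample LSAs are constructed for the demo; the LS checksum field is left at zero and is not validated here.

```python
import ipaddress
import struct
from dataclasses import dataclass

# RFC 2328 A.4.1 LSA header: LS age, Options, LS type, Link State ID,
# Advertising Router, LS sequence number, LS checksum, length (20 bytes).
LSA_HEADER = struct.Struct("!HBBIIIHH")
ROUTER_LSA = 1
NETWORK_LSA = 2


@dataclass
class LsaHeader:
    age: int
    options: int
    ls_type: int
    link_state_id: int
    advertising_router: int
    seqnum: int
    checksum: int
    length: int


def parse_lsa_header(buf: bytes) -> LsaHeader:
    """Unpack the fixed LSA header; raise on a truncated buffer."""
    if len(buf) < LSA_HEADER.size:
        raise ValueError("short LSA header")
    return LsaHeader(*LSA_HEADER.unpack_from(buf))


def check_lsa(buf: bytes) -> str:
    """Return 'accept' or a 'drop: ...' reason for one received LSA."""
    hdr = parse_lsa_header(buf)
    if hdr.length < LSA_HEADER.size or hdr.length > len(buf):
        return "drop: bad length"
    # For a Router-LSA the Link State ID must be the originator's Router ID,
    # i.e. it must equal the Advertising Router field (RFC 2328 12.1.4).
    if hdr.ls_type == ROUTER_LSA and hdr.link_state_id != hdr.advertising_router:
        return (f"drop: Router-LSA LSID {ipaddress.IPv4Address(hdr.link_state_id)}"
                f" != Advertising Router {ipaddress.IPv4Address(hdr.advertising_router)}")
    return "accept"


def build_lsa(ls_type: int, lsid: str, adv_router: str, body: bytes = b"") -> bytes:
    """Constructed sample LSA (checksum 0, initial sequence number 0x80000001)."""
    length = LSA_HEADER.size + len(body)
    return LSA_HEADER.pack(0, 0x02, ls_type, int(ipaddress.IPv4Address(lsid)),
                           int(ipaddress.IPv4Address(adv_router)),
                           0x80000001, 0, length) + body


if __name__ == "__main__":
    # Router-LSA body: flags, reserved, #links = 0 (minimal constructed body).
    for lsa in (build_lsa(ROUTER_LSA, "10.0.0.1", "10.0.0.1", b"\x00\x00\x00\x00"),
                build_lsa(ROUTER_LSA, "10.0.0.1", "10.0.0.99", b"\x00\x00\x00\x00")):
        print(check_lsa(lsa))
```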