[RPSEC] Re: OSPFv3 Destination Address Filter
"Acee Lindem" <acee@redback.com> Mon, 01 March 2004 15:21 UTC
Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA02125 for <rpsec-archive@odin.ietf.org>; Mon, 1 Mar 2004 10:21:39 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AxpEE-00082x-R3 for rpsec-archive@odin.ietf.org; Mon, 01 Mar 2004 10:21:11 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i21FLA6w030925 for rpsec-archive@odin.ietf.org; Mon, 1 Mar 2004 10:21:10 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AxpEE-00082f-Ms for rpsec-web-archive@optimus.ietf.org; Mon, 01 Mar 2004 10:21:10 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA01972 for <rpsec-web-archive@ietf.org>; Mon, 1 Mar 2004 10:21:07 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AxpEC-0005uF-00 for rpsec-web-archive@ietf.org; Mon, 01 Mar 2004 10:21:08 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1Axoei-0005cJ-00 for rpsec-web-archive@ietf.org; Mon, 01 Mar 2004 09:44:32 -0500
Received: from [65.246.255.50] (helo=mx2.foretec.com) by ietf-mx with esmtp (Exim 4.12) id 1AxoW2-0003KS-00 for rpsec-web-archive@ietf.org; Mon, 01 Mar 2004 09:35:30 -0500
Received: from optimus.ietf.org ([132.151.1.19]) by mx2.foretec.com with esmtp (Exim 4.24) id 1AxoRq-0005TX-MX for rpsec-web-archive@ietf.org; Mon, 01 Mar 2004 09:31:10 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AxoRi-0006IL-DH; Mon, 01 Mar 2004 09:31:02 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AxoRV-0006GR-SY for rpsec@optimus.ietf.org; Mon, 01 Mar 2004 09:30:49 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA25107 for <rpsec@ietf.org>; Mon, 1 Mar 2004 09:30:47 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AxoRT-00029O-00 for rpsec@ietf.org; Mon, 01 Mar 2004 09:30:47 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1AxoE6-0006QY-00 for rpsec@ietf.org; Mon, 01 Mar 2004 09:17:02 -0500
Received: from prattle.redback.com ([155.53.12.9]) by ietf-mx with esmtp (Exim 4.12) id 1Axo2Y-0003YU-00 for rpsec@ietf.org; Mon, 01 Mar 2004 09:05:02 -0500
Received: from localhost (localhost [127.0.0.1]) by prattle.redback.com (Postfix) with ESMTP id D0E23313B28; Mon, 1 Mar 2004 06:05:00 -0800 (PST)
Received: from prattle.redback.com ([127.0.0.1]) by localhost (prattle [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 04796-02; Mon, 1 Mar 2004 06:05:00 -0800 (PST)
Received: from aceeinspiron (unknown [172.31.253.196]) by prattle.redback.com (Postfix) with SMTP id 7C2C0313B34; Mon, 1 Mar 2004 06:04:59 -0800 (PST)
Message-ID: <004f01c3ff96$2ba07860$0302a8c0@aceeinspiron>
From: Acee Lindem <acee@redback.com>
To: Mailing List <OSPF@PEACH.EASE.LSOFT.COM>
Cc: RPSEC WG List <rpsec@ietf.org>
References: <39469E08BD83D411A3D900204840EC55FB7201@vie-msgusr-01.dc.fore.com>
Date: Mon, 01 Mar 2004 09:04:52 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Virus-Scanned: by amavisd-new at redback.com
Content-Transfer-Encoding: 7bit
Subject: [RPSEC] Re: OSPFv3 Destination Address Filter
Sender: rpsec-admin@ietf.org
Errors-To: rpsec-admin@ietf.org
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=AWL autolearn=no version=2.60
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
----- Original Message ----- From: "Naidu, Venkata" <Venkata.Naidu@MARCONI.COM> To: <OSPF@PEACH.EASE.LSOFT.COM> Sent: Friday, February 27, 2004 5:59 PM Subject: Re: OSPFv3 Destination Address Filter Hi Venkata, > Hi Acee, > > -> We've implemented the subject draft to mitigate some of the > -> OSPFv3 vulnerabilities. While the solution isn't perfect, it is > -> lightweight, easy to deploy, and fully compatible with the current > -> OSPFv3 specification (RFC 2740). > -> > -> http://www.ietf.org/internet-drafts/draft-lindem-ospfv3-dest- > -> filter-00.txt > > After a quick look, here are few comments: > > 1. Check should be: > if (((first-two-octets & 0xffc0) != 0xfe80) && > <<<< > ((first-two-octets & 0xff0f) != 0xff02)) { > ==== > ((first-two-octets & 0xffff) != 0xff02)) { > >>>> > drop the packet; > } > > I think, OSPFv3 SHOULD work on permanently flagged multicast > addresses not with T flag on'ed ones. We used our IPv6 stack macro that checks for a link scoped multicast. It may be somewhat better to check the flags field as well since in the case we envision usage non-zero flags will result in the packet being dropped anyway. However, strictly speaking, one does not need to check the flags in order to check for a link scoped IPv6 multicast address. I'll update either to allow both options or include the flag dependent on which seems to fit better. > > 2. The draft reads: > > The granularity of the check will limit the usage of virtual > links at the granularity which it is applied. For example, if > it is applied at the BSD socket level, virtual links may not > be used by any OSPF instance utilizing that socket. > Alternately, additional configuration and checking could be > added at the socket level so that the destination filter is > only applied to certain instances, areas, or interfaces. > > There is another way to support what this draft does with out > loss of generality. If these checks are applied at the Raw-IPv6 > stack level (using local address binding socket options) > virtual link support will not be jeopardized. > > Doing below steps will solve DOS attack for IPv4 applications > (i.e., OSPFv2, RSVP-TE etc) and IPv6 applications (i.e., OSPFv3 > etc.) - at least for the ones which operate on per interface > basis. > > 1. Bind to the local interface (either using link-layer address/ > ifindex) and make it strong-end socket. That is the socket > will accept incoming packets only from the binded interface. > > 2. Listen only for appropriate multicast address groups using > various MULTICAST socket options. This will make sure the > above checks are done at the Raw-IP level instead of at the > OSPF level. > > 3. Open another INADDR_ANY socket ONLY when virtual links are > operational. Note that, this socket will receive all types > of OSPF packets. But, that is fine, OSPF will anyway make > sure (have to make sure) validity of every packet received > on this socket. > > It is a good idea to enhance socket APIs to have filters based > on list of IP addresses instead of all-or-one (i.e., multiple > bindings like). May be, Bill Fenner can answer why it is not > incorporated in IPv6 at least. I expected this in his recent > Book. :) One could certainly support virtual links with a separate socket. However, as long as a globally routable address is used, it is subject to DOS attack and one would have to deal with substantially more complexity in terms of perferring protect socket, etc. I don't like #3 at all since my experience has been that OSPF scaling is I/O bound and receiving a given OSPF packet on more than one socket is not a good idea. If someone did want to do this I'd think the separate socket would need to support a list of bind addresses (one for each virtual link endpoint). However, IMHO, virtual links aren't that widely deployed and administrative ACLs can be used to protect OSPFv3 routers where they are used. > > Venakta. _______________________________________________ RPSEC mailing list RPSEC@ietf.org https://www1.ietf.org/mailman/listinfo/rpsec
- [RPSEC] OSPFv3 Destination Address Filter Acee Lindem
- [RPSEC] Re: OSPFv3 Destination Address Filter Acee Lindem