Re: Attacking BFD with NULL auth

Reshad Rahman <reshad@yahoo.com> Wed, 07 February 2024 22:37 UTC

Date: Wed, 07 Feb 2024 22:37:13 +0000
From: Reshad Rahman <reshad@yahoo.com>
Reply-To: Reshad Rahman <reshad@yahoo.com>
To: Jeffrey Haas <jhaas@pfrc.org>
Cc: "rtg-bfd@ietf. org" <rtg-bfd@ietf.org>
Message-ID: <538545949.3733255.1707345433229@mail.yahoo.com>
In-Reply-To: <FCF00A96-9383-4CD3-90A9-DC90F6706CFF@pfrc.org>
References: <336054A1-4729-446B-BE73-832650B75BED@pfrc.org> <189423773.3335904.1707238309952@mail.yahoo.com> <955C0C79-FCB3-4FFA-AFA9-C43697E08927@pfrc.org> <1060883557.3646248.1707326519734@mail.yahoo.com> <6E4A650D-49BB-4164-83CA-1D02ABA3E6BD@pfrc.org> <1364271043.3638553.1707328102005@mail.yahoo.com> <FCF00A96-9383-4CD3-90A9-DC90F6706CFF@pfrc.org>
Subject: Re: Attacking BFD with NULL auth
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/Db7XKqms2rOwrUH9YT-i2MVMz7E>
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>

 "Thus, if we're in no-auth, injecting anything other than "I'm still up!" gets ignored.  You can keep the session up, but you can't change parameters or take the session down.  State changes require strong auth anyway."

Ah right, I forgot about that. I think the text you're referring to might be in section 1 now, at least part of it.
Regards,
Reshad.


On Wednesday, February 7, 2024, 12:59:13 PM EST, Jeffrey Haas <jhaas@pfrc.org> wrote:

On Feb 7, 2024, at 12:48 PM, Reshad Rahman <reshad@yahoo.com> wrote:
 Jeff,
"No authentication also thus means you can't attack the system by sending a sequence number".
I agree. But you don't need a seq number with no auth, you just attack by sending a packet to take the session down. That's why I still view NULL auth as (slightly) better than no auth.

I think I see the problem.  At some point in the github merges, we lost text that effectively asserts that in the Up state, you cannot change the BFD control packet contents excluding the auth section without flipping to the strong auth mode.
Basically:
If state is Up:
    If authentication is Optimized mode:
        Validate authentication, if any, and discard on fail.
        Validate control packet contents have not changed.  We are still Up and haven't been convinced to change BFD parameters.
Thus, if we're in no-auth, injecting anything other than "I'm still up!" gets ignored.  You can keep the session up, but you can't change parameters or take the session down.  State changes require strong auth anyway.  The clarification is we don't let other parameters get tweaked because portions of the 5880 state machinery didn't require either a state change or a poll sequence to  happen.
I'll open a github issue to track this point.
I see also that we have some zombie text:
"Implementations supporting this feature will send BFD packets with authentications that always carry a meticulously increasing sequence number. This meticulously increasing sequence number prevents replay attacks"
Since we're deciding to support no-auth, this sentence is wrong.  I'll pen a second issue.
-- Jeff
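The receive-side rule Jeff sketches above ("in Up state, an unauthenticated packet may only say 'I'm still up'; any state or parameter change needs strong auth"), written out as an added example that is not code from this thread, from the BFD WG draft, or from any BFD implementation. It parses RFC 5880 control packets, treats a packet with the A bit clear as the "no auth" case (the draft's NULL auth type is not modeled), and stands in RFC 5880 Meticulous Keyed SHA1 for "strong auth". The session values, discriminators and key are constructed for the demo, and the sequence-number check is a strict "greater than last seen" simplification of RFC 5880's wraparound window.

```python
"""Added example, not from the thread, the WG draft, or any implementation:
the "Up state, optimized auth" rule applied to RFC 5880 control packets.
An unauthenticated packet is accepted only if it says "still Up" with
unchanged parameters; any state/parameter change must arrive in a strongly
authenticated packet (Meticulous Keyed SHA1 here).  All values constructed."""
import hashlib
import hmac
import struct
from dataclasses import dataclass

STATE_ADMIN_DOWN, STATE_DOWN, STATE_INIT, STATE_UP = 0, 1, 2, 3
AUTH_METICULOUS_SHA1 = 5                  # RFC 5880 section 4.1 Auth Type
A_BIT, P_BIT, F_BIT = 0x04, 0x20, 0x10    # flag bits in header byte 1
MANDATORY_LEN, SHA1_AUTH_LEN = 24, 28


@dataclass
class Session:
    state: int
    my_disc: int        # our discriminator; peer must echo it as Your Disc
    peer_disc: int      # peer's My Discriminator as last accepted
    peer_min_tx: int
    peer_min_rx: int
    peer_mult: int
    key_id: int
    key: bytes          # shared key, <= 20 bytes (SHA1 Auth Key/Hash width)
    last_seq: int = -1  # constructed starting point; real code uses bfd.RcvAuthSeq


def parse(pkt):
    """Decode the mandatory 24-byte RFC 5880 header into a dict."""
    if len(pkt) < MANDATORY_LEN:
        raise ValueError("short BFD packet")
    vd, sf, mult, length, my_d, your_d, tx, rx, _echo = struct.unpack(
        "!BBBBIIIII", pkt[:MANDATORY_LEN])
    if vd >> 5 != 1 or length != len(pkt):
        raise ValueError("bad version or length field")
    return dict(diag=vd & 0x1F, state=sf >> 6, flags=sf & 0x3F, mult=mult,
                my_disc=my_d, your_disc=your_d, min_tx=tx, min_rx=rx)


def build(state, mult, my_d, your_d, tx, rx, diag=0, flags=0, auth=None):
    """auth=(key_id, key, seq) appends a Meticulous Keyed SHA1 section (RFC 5880 6.7.4)."""
    if auth:
        flags |= A_BIT
    length = MANDATORY_LEN + (SHA1_AUTH_LEN if auth else 0)
    pkt = struct.pack("!BBBBIIIII", (1 << 5) | diag, (state << 6) | flags,
                      mult, length, my_d, your_d, tx, rx, 0)
    if auth:
        key_id, key, seq = auth
        hdr = struct.pack("!BBBBI", AUTH_METICULOUS_SHA1, SHA1_AUTH_LEN, key_id, 0, seq)
        # SHA1 over the whole packet with the zero-padded key in place of the hash field
        pkt += hdr + hashlib.sha1(pkt + hdr + key.ljust(20, b"\0")).digest()
    return pkt


def verify_sha1(sess, pkt):
    """Return (True, seq) on a valid, fresh Meticulous Keyed SHA1 section, else (False, reason)."""
    if (len(pkt) != MANDATORY_LEN + SHA1_AUTH_LEN or pkt[24] != AUTH_METICULOUS_SHA1
            or pkt[25] != SHA1_AUTH_LEN):
        return False, "unsupported or malformed auth section"
    key_id, _reserved, seq = struct.unpack("!BBI", pkt[26:32])
    if key_id != sess.key_id:
        return False, "unknown key id"
    expected = hashlib.sha1(pkt[:32] + sess.key.ljust(20, b"\0")).digest()
    if not hmac.compare_digest(expected, pkt[32:52]):
        return False, "SHA1 digest mismatch"
    if seq <= sess.last_seq:           # simplification of the RFC 5880 window check
        return False, "sequence number not increasing (replay)"
    return True, seq


def process(sess, pkt):
    """Receive path for a session already in Up state with optimized authentication."""
    p = parse(pkt)
    if p["your_disc"] != sess.my_disc:
        return False, "Your Discriminator does not match this session"
    if sess.state != STATE_UP:
        return False, "demo covers only the Up state"
    still_up = (p["state"] == STATE_UP and p["my_disc"] == sess.peer_disc
                and p["mult"] == sess.peer_mult and p["min_tx"] == sess.peer_min_tx
                and p["min_rx"] == sess.peer_min_rx
                and (p["flags"] & (P_BIT | F_BIT)) == 0)   # a poll sequence is a change too
    if not (p["flags"] & A_BIT):
        if still_up:
            return True, "unauthenticated 'still Up' accepted"
        return False, "unauthenticated change of state/parameters discarded"
    ok, detail = verify_sha1(sess, pkt)
    if not ok:
        return False, detail
    sess.last_seq = detail
    sess.state, sess.peer_disc = p["state"], p["my_disc"]
    sess.peer_min_tx, sess.peer_min_rx, sess.peer_mult = p["min_tx"], p["min_rx"], p["mult"]
    return True, "authenticated packet accepted, parameters applied"


def demo():
    """Constructed session and packets; returns one (accepted, reason) per packet."""
    sess = Session(STATE_UP, 0x11111111, 0x22222222, 1_000_000, 1_000_000, 3,
                   key_id=1, key=b"constructed-key")
    legit = dict(my_d=0x22222222, your_d=0x11111111, tx=1_000_000, rx=1_000_000)
    keepalive = build(STATE_UP, 3, **legit)                    # honest "still Up"
    takedown = build(STATE_ADMIN_DOWN, 3, **legit)             # spoofed, no auth
    tweak = build(STATE_UP, 1, **legit)                        # spoofed DetectMult, no auth
    authed = build(STATE_UP, 1, **legit, auth=(1, b"constructed-key", 7))
    results = [process(sess, pkt) for pkt in (keepalive, takedown, tweak, authed)]
    results.append(process(sess, authed))                      # replay of the authenticated packet
    results.append(process(sess, build(STATE_UP, 1, **legit)))  # unauth keepalive with the new mult
    return results


if __name__ == "__main__":
    for ok, why in demo():
        print("ACCEPT" if ok else "DROP  ", why)
```

The spoofed AdminDown and the spoofed DetectMult change are both dropped without any sequence number being involved, which is the point of the rule: with no auth present there is nothing for an injected packet to do except keep the session Up. The authenticated parameter change goes through once, its replay is rejected by the meticulous sequence number, and an unauthenticated keepalive carrying the newly applied parameters is accepted afterwards.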