IETF Logo Mail Archive

Re: Attacking BFD with NULL auth

Jeffrey Haas <jhaas@pfrc.org> Tue, 06 February 2024 18:52 UTC

Return-Path: <jhaas@pfrc.org>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 254B2C151088 for <rtg-bfd@ietfa.amsl.com>; Tue, 6 Feb 2024 10:52:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yQ-hVT-aXa7l for <rtg-bfd@ietfa.amsl.com>; Tue, 6 Feb 2024 10:51:58 -0800 (PST)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id AF835C14F748 for <rtg-bfd@ietf.org>; Tue, 6 Feb 2024 10:51:58 -0800 (PST)
Received: from smtpclient.apple (172-125-100-52.lightspeed.livnmi.sbcglobal.net [172.125.100.52]) by slice.pfrc.org (Postfix) with ESMTPSA id 2FDAF1E039; Tue, 6 Feb 2024 13:51:58 -0500 (EST)
Content-Type: multipart/alternative; boundary="Apple-Mail=_1624761E-D38C-4A8D-8602-A35AB56C57C5"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.4\))
Subject: Re: Attacking BFD with NULL auth
From: Jeffrey Haas <jhaas@pfrc.org>
In-Reply-To: <189423773.3335904.1707238309952@mail.yahoo.com>
Date: Tue, 06 Feb 2024 13:51:57 -0500
Cc: "rtg-bfd@ietf. org" <rtg-bfd@ietf.org>
Message-Id: <955C0C79-FCB3-4FFA-AFA9-C43697E08927@pfrc.org>
References: <336054A1-4729-446B-BE73-832650B75BED@pfrc.org> <189423773.3335904.1707238309952@mail.yahoo.com>
To: Reshad Rahman <reshad@yahoo.com>
X-Mailer: Apple Mail (2.3696.120.41.1.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/N8kHiZ8niVwwLftE99oETExplsg>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Feb 2024 18:52:03 -0000

Reshad,


> On Feb 6, 2024, at 11:51 AM, Reshad Rahman <reshad@yahoo.com> wrote:
> 
> Jeff, you mention below that NULL auth with sequence numbers is impractical to use for optimizing authentication. I agree that NULL auth doesn't help with an active attacker, but it still gives protection against "random" attacks?

Unfortunately not in all circumstances.  The attack in this case is a form of "blind injection" attack.  As John notes in other bit of the thread, when sessions are protected via GTSM, this limits where the attack can come from.  So, this would apply to whomever can inject packets that successfully get past the other necessary checks.

TCP is vulnerable vs. some flavors of this as well.  Long lived tcp sessions, such as BGP, need the protections covered by tcp-md5/ao or other protection such as ipsec to guard against such things.


> ISAAC works for active attacks but I don't understand why no-auth still works, no-auth is weaker than NULL auth: you don't need to be an active attacker to knock over a session with no-auth?

With no-auth, the only thing you can say is "the session is still up".  In the optimized case we're guarding against parameter changes so that's all we get to do.

It's the introduction of sequence number checks vs. the existing meticulous sequence number procedures we see similar to md5 or sha-1 that introduce the problematic edge case.

-- Jeff

v2.23.0 | Report a Bug | By Email