Re: Attacking BFD with NULL auth

Reshad Rahman <reshad@yahoo.com> Wed, 07 February 2024 17:48 UTC

Date: Wed, 07 Feb 2024 17:48:21 +0000
From: Reshad Rahman <reshad@yahoo.com>
Reply-To: Reshad Rahman <reshad@yahoo.com>
To: Jeffrey Haas <jhaas@pfrc.org>
Cc: "rtg-bfd@ietf. org" <rtg-bfd@ietf.org>
Message-ID: <1364271043.3638553.1707328102005@mail.yahoo.com>
In-Reply-To: <6E4A650D-49BB-4164-83CA-1D02ABA3E6BD@pfrc.org>
References: <336054A1-4729-446B-BE73-832650B75BED@pfrc.org> <189423773.3335904.1707238309952@mail.yahoo.com> <955C0C79-FCB3-4FFA-AFA9-C43697E08927@pfrc.org> <1060883557.3646248.1707326519734@mail.yahoo.com> <6E4A650D-49BB-4164-83CA-1D02ABA3E6BD@pfrc.org>
Subject: Re: Attacking BFD with NULL auth
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/cCZpNYhhTgf2v-71bM3L7OaDFGY>
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>

Jeff,
"No authentication also thus means you can't attack the system by sending a sequence number".
I agree. But you don't need a seq number with no auth, you just attack by sending a packet to take the session down. That's why I still view NULL auth as (slightly) better than no auth.
I agree 100% with the rest.
Regards,
Reshad.
On Wednesday, February 7, 2024, 12:30:00 PM EST, Jeffrey Haas <jhaas@pfrc.org> wrote:

Reshad,

On Feb 7, 2024, at 12:21 PM, Reshad Rahman <reshad@yahoo.com> wrote:

ISAAC works for active attacks but I don't understand why no-auth still works, no-auth is weaker than NULL auth: you don't need to be an active attacker to knock over a session with no-auth?

With no-auth, the only thing you can say is "the session is still up". In the optimized case we're guarding against parameter changes so that's all we get to do.

<RR> What I don't understand is no-auth still works in the statement below: if NULL auth is impractical, so should no-auth. What am I missing?

"1. NULL auth and using the sequence numbers becomes impractical to use for optimizing authentication procedures. ISAAC and no-auth still work."


No authentication doesn't have sequence numbers. This means that sequence number operations for incrementing are paused at the last exchanged sequence number in the strong authentication.
No authentication also thus means you can't attack the system by sending packets with a sequence number.  The system will be expecting authentication types of either the strong auth (protected vs. blind injection by computing the digest over the entire PDU), or the expected no-auth.  If you send packets with an unexpected auth type, they'll be dropped.
With ISAAC, blind injection can't work unless the injector has access to the shared secret, BFD discriminator values, initial sequence number for the ISAAC sequence base, and seed.  Discriminator and seed can be discovered by intercepting the ISAAC authenticated PDUs.  The initial sequence value has to be observed, or inferred by being able to compute the ISAAC table that will have the outputs.  The shared secret is thus the core protecting item.
Thus, with ISAAC, you can't push the sequence numbers ahead without being able to satisfy ISAAC authentication, even if it's not a digest vs. the entire BFD PDU.
With NULL auth, you just need to be able to convince the implementation to accept the PDU with a higher sequence number.  This can be done with blind injection once you know enough of the BFD session state like discriminators.  The random discriminator makes this very low likelihood and pushes the attack case to someone that is PITM.
-- Jeff
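The sequence-number attack Jeff describes above, as an added simulation that is not part of this thread or of any BFD implementation. It models a receiver that applies the non-meticulous receive window of RFC 5880 section 6.8.6 (accept a sequence number within RcvAuthSeq .. RcvAuthSeq + 3*DetectMult, modulo 2^32) to NULL-auth PDUs, which carry a sequence number but no digest, and compares it with a receiver whose sequence number is bound to a shared secret. The keyed binding here is a plain HMAC stand-in chosen for illustration; it is not the ISAAC construction of the secure-sequence-numbers draft, and the assumption that NULL auth uses the non-meticulous window is mine. The discriminator values, secret and sequence numbers are constructed sample data.

```python
"""Added example: blind injection against a NULL-auth sequence window versus a
keyed one. Not from the thread; the keyed tag is an HMAC stand-in, not ISAAC."""
import hashlib
import hmac
from dataclasses import dataclass

SEQ_MOD = 1 << 32          # bfd.RcvAuthSeq is a 32-bit circular counter
TAG_LEN = 16


@dataclass
class Pdu:
    my_disc: int           # sender's discriminator
    your_disc: int         # receiver's discriminator
    seq: int               # authentication sequence number
    tag: bytes = b""       # empty for NULL auth; keyed tag otherwise


def keyed_tag(secret: bytes, pdu: Pdu) -> bytes:
    """Hypothetical keyed binding of (discriminators, seq) to the shared secret.
    Stand-in for ISAAC-style protection; NOT the draft's construction."""
    msg = b"%08x%08x%08x" % (pdu.my_disc, pdu.your_disc, pdu.seq)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:TAG_LEN]


@dataclass
class Receiver:
    local_disc: int
    remote_disc: int
    detect_mult: int = 3
    secret: bytes = b""            # b"" means NULL auth (sequence number only)
    rcv_auth_seq: int = 0
    auth_seq_known: bool = False

    def in_window(self, seq: int) -> bool:
        # RFC 5880 6.8.6, non-meticulous form: accept seq within
        # [RcvAuthSeq, RcvAuthSeq + 3*DetectMult] modulo 2^32.
        if not self.auth_seq_known:
            return True
        return (seq - self.rcv_auth_seq) % SEQ_MOD <= 3 * self.detect_mult

    def receive(self, pdu: Pdu) -> bool:
        """True if the PDU is accepted and the receive window advanced."""
        if pdu.your_disc != self.local_disc or pdu.my_disc != self.remote_disc:
            return False                                  # not this session
        if self.secret and not hmac.compare_digest(pdu.tag, keyed_tag(self.secret, pdu)):
            return False                                  # forged tag, ignore
        if not self.in_window(pdu.seq):
            return False                                  # replay or too far ahead
        self.rcv_auth_seq = pdu.seq
        self.auth_seq_known = True
        return True


def run_attack(keyed: bool) -> dict:
    """Legitimate peer sends seq 100, 101; attacker injects the highest in-window
    sequence number; peer continues from 102. Reports what the receiver did."""
    secret = b"shared-secret" if keyed else b""          # constructed sample secret
    rx = Receiver(local_disc=0x1234, remote_disc=0xABCD, secret=secret)

    def peer_pdu(seq: int) -> Pdu:
        p = Pdu(my_disc=0xABCD, your_disc=0x1234, seq=seq)
        if keyed:
            p.tag = keyed_tag(secret, p)      # the legitimate peer holds the secret
        return p

    rx.receive(peer_pdu(100))
    rx.receive(peer_pdu(101))

    # Blind injection: the attacker knows the discriminators (sniffed or guessed)
    # but not the secret, so it sends a zero tag and the largest acceptable seq.
    forged = Pdu(my_disc=0xABCD, your_disc=0x1234,
                 seq=rx.rcv_auth_seq + 3 * rx.detect_mult, tag=b"\x00" * TAG_LEN)
    injected = rx.receive(forged)

    # Count the peer's PDUs dropped until its counter re-enters the window.
    dropped, seq = 0, 102
    while not rx.receive(peer_pdu(seq)):
        dropped += 1
        seq += 1
    return {
        "injected_accepted": injected,
        "dropped_before_resync": dropped,
        # DetectMult consecutive losses reach the detection time: session down.
        "detection_timeout": dropped >= rx.detect_mult,
        "rcv_auth_seq": rx.rcv_auth_seq,
    }


if __name__ == "__main__":
    print("NULL auth:", run_attack(keyed=False))
    print("keyed    :", run_attack(keyed=True))
```

With NULL auth the forged PDU is accepted, the window jumps to 110, and the peer's next eight PDUs (102 through 109) are discarded, which is more than enough missed packets for the session to time out. With the keyed tag the forged PDU is dropped before the window is consulted, so the window never moves and no legitimate packet is lost; that is the property the thread attributes to ISAAC and to a digest over the whole PDU, and the reason a random discriminator only narrows, rather than closes, the NULL-auth case.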