Re: ttl and authentication

Pekka Savola <pekkas@netcore.fi> Thu, 24 February 2005 07:02 UTC

Date: Thu, 24 Feb 2005 09:00:14 +0200
From: Pekka Savola <pekkas@netcore.fi>
To: Dave Katz <dkatz@juniper.net>
In-Reply-To: <eb091c568763bfdd10f3c04ae3c9677c@juniper.net>
Message-ID: <Pine.LNX.4.61.0502240855100.22843@netcore.fi>
References: <200502222036.PAA16786@ietf.org> <Pine.LNX.4.61.0502232111590.6499@netcore.fi> <eb091c568763bfdd10f3c04ae3c9677c@juniper.net>
Cc: rtg-bfd@ietf.org
Subject: Re: ttl and authentication

On Wed, 23 Feb 2005, Dave Katz wrote:
> On Feb 23, 2005, at 12:15 PM, Pekka Savola wrote:
>> If I interpret this correctly, the routers cannot simply drop BFD sessions 
>> which are sent to the router with a bogus TTL and bogus authentication 
>> (e.g., wrong password) based on the TTL check?
>
> I should have been a bit more specific here.  The intent was that an 
> appropriately authenticated packet needn't be "authenticated" based on the 
> TTL.  I don't quite understand your concern;  obviously if the packet fails 
> authentication, it must be discarded, so it's not as though the MUST NOT 
> language forces you to accept the packet.

The concern is which is done first: TTL check or authentication check.

Compare the situation to BGP with MD5.  Folks can easily DoS a router 
by sending bogus MD5-signed BGP packets to spend all the CPU's 
computational resources.  Using the TTL=255 check _first_ prevents this 
particular attack vector, except from the on-link neighbors.

The same argument seems to apply here.  Speaking as an operator who's 
using BFD, I will not be happy if the TTL is not checked first as this 
opens a resource exhaustion attack vector which could be easily 
prevented.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
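The ordering argument in the mail above, as an added example that is not part of the thread or of any BFD implementation: a toy receiver that either applies the TTL=255 check before or after the (comparatively expensive) keyed-hash check, with counters showing how many hash computations a flood of spoofed, off-link packets costs under each ordering. The packet layout, the shared key, HMAC-SHA1 as a stand-in for the BFD keyed-hash authentication section, and the function names are all assumptions of this example.

```python
"""Added example (not from the thread): order of the TTL=255 check
relative to the authentication check on a BFD-like receiver.

The packet layout, key and MAC construction are constructed stand-ins,
not the BFD wire format; the point is the cost-ordering argument."""
import hmac
import hashlib
from collections import Counter

KEY = b"constructed-shared-secret"   # assumed per-session key


def mac(payload: bytes) -> bytes:
    """Stand-in for the keyed-hash authentication section (HMAC-SHA1 here)."""
    return hmac.new(KEY, payload, hashlib.sha1).digest()


def receive(packets, ttl_first: bool):
    """Process (ttl, payload, tag) triples; return acceptance and work counters.

    Every packet that reaches the MAC step costs one hash computation; with
    ttl_first=True, packets that cannot have come from an on-link neighbour
    (TTL != 255) are discarded before that cost is paid."""
    stats = Counter()
    for ttl, payload, tag in packets:
        if ttl_first and ttl != 255:
            stats["dropped_by_ttl"] += 1
            continue
        stats["mac_computations"] += 1
        if not hmac.compare_digest(mac(payload), tag):
            stats["dropped_by_auth"] += 1
            continue
        if ttl != 255:            # auth-first ordering still applies the TTL check
            stats["dropped_by_ttl"] += 1
            continue
        stats["accepted"] += 1
    return stats


def sample_packets():
    """Constructed traffic: one genuine on-link packet plus a flood of
    packets arriving from several hops away with bogus authentication."""
    body = b"bfd-ctrl:my_disc=1,your_disc=2"
    genuine = (255, body, mac(body))
    bogus = [(250, b"bfd-ctrl:junk=%d" % i, b"\x00" * 20) for i in range(1000)]
    return [genuine] + bogus
```

With the TTL check first, the receiver computes one hash for the whole sample; with authentication first it computes 1001, which is the resource-exhaustion exposure the mail describes.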