Re: Attacking BFD with NULL auth

Reshad Rahman <reshad@yahoo.com> Wed, 07 February 2024 17:22 UTC

To: Jeffrey Haas <jhaas@pfrc.org>
Cc: "rtg-bfd@ietf. org" <rtg-bfd@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/e0xJOMpM1hpQPW0NBeclA2Ac148>

Jeff,

On Tuesday, February 6, 2024, 01:51:59 PM EST, Jeffrey Haas <jhaas@pfrc.org> wrote:

Reshad,

On Feb 6, 2024, at 11:51 AM, Reshad Rahman <reshad@yahoo.com> wrote:

Jeff, you mention below that NULL auth with sequence numbers is impractical to use for optimizing authentication. I agree that NULL auth doesn't help with an active attacker, but it still gives protection against "random" attacks?

Unfortunately not in all circumstances.  The attack in this case is a form of "blind injection" attack.  As John notes in another bit of the thread, when sessions are protected via GTSM, this limits where the attack can come from.  So, this would apply to whomever can inject packets that successfully get past the other necessary checks.

<RR> Ack, I get that part. I should have said "some protection" but yes the blind injection can get lucky.

TCP is vulnerable vs. some flavors of this as well.  Long-lived tcp sessions, such as BGP, need the protections covered by tcp-md5/ao or other protection such as ipsec to guard against such things.

ISAAC works for active attacks but I don't understand why no-auth still works, no-auth is weaker than NULL auth: you don't need to be an active attacker to knock over a session with no-auth?

With no-auth, the only thing you can say is "the session is still up".  In the optimized case we're guarding against parameter changes so that's all we get to do.

<RR> What I don't understand is no-auth still works in the statement below: if NULL auth is impractical, so should no-auth. What am I missing?

"1. NULL auth and using the sequence numbers becomes impractical to use for optimizing authentication procedures.  ISAAC and no-auth still work."
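The "some protection" versus "the blind injection can get lucky" exchange above comes down to the size of the receiver's sequence-number acceptance window. The example below is added here and is not code from the thread or from any BFD implementation; it models the receiver check on the RFC 5880 section 6.7.3 windows (bfd.RcvAuthSeq to bfd.RcvAuthSeq+3*DetectMult for non-meticulous, bfd.RcvAuthSeq+1 to bfd.RcvAuthSeq+3*DetectMult for meticulous, evaluated in the circular 32-bit space) and assumes a NULL-auth receiver applies the same window; the function and parameter names are the example's own.

```python
# Added example: receiver-side sequence-number window check (modelled on
# RFC 5880 section 6.7.3, assumed to apply to NULL auth) and the chance that a
# single blind-injection packet with a random Sequence Number passes it.
SEQ_SPACE = 2 ** 32  # Sequence Number is an unsigned 32-bit circular space


def seq_accepted(rcv_auth_seq, pkt_seq, detect_mult, meticulous):
    """Return True if pkt_seq lies inside the acceptance window.

    Non-meticulous: bfd.RcvAuthSeq     .. bfd.RcvAuthSeq + 3*DetectMult (incl.)
    Meticulous:     bfd.RcvAuthSeq + 1 .. bfd.RcvAuthSeq + 3*DetectMult (incl.)
    The modulo handles wraparound at 2**32, as the RFC requires.
    """
    delta = (pkt_seq - rcv_auth_seq) % SEQ_SPACE
    low = 1 if meticulous else 0
    return low <= delta <= 3 * detect_mult


def window_size(detect_mult, meticulous):
    """Number of Sequence Number values the receiver will accept right now."""
    return 3 * detect_mult + (0 if meticulous else 1)


def blind_hit_probability(detect_mult, meticulous, seq_check=True):
    """Probability that one injected packet carrying a uniformly random
    Sequence Number is accepted.  With no-auth there is no sequence number
    to check at all, so every packet that passes the other checks (GTSM,
    discriminators, ...) is accepted: probability 1."""
    if not seq_check:
        return 1.0
    return window_size(detect_mult, meticulous) / SEQ_SPACE


if __name__ == "__main__":
    # Constructed values: a session with DetectMult=3 expecting seq 1000 next.
    for label, seq in (("in window", 1003), ("past window", 1010), ("replay", 1000)):
        ok = seq_accepted(999, seq, 3, meticulous=True)
        print(f"meticulous, pkt seq {seq} ({label}): {'accept' if ok else 'discard'}")
    for label, args in (("NULL auth, meticulous", (3, True)),
                        ("NULL auth, non-meticulous", (3, False))):
        print(f"{label}: per-packet blind hit probability {blind_hit_probability(*args):.3e}")
    print(f"no-auth: per-packet blind hit probability {blind_hit_probability(3, True, False)}")
```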