Re: Attacking BFD with NULL auth

John Scudder <jgs@juniper.net> Tue, 06 February 2024 16:01 UTC

From: John Scudder <jgs@juniper.net>
To: Jeffrey Haas <jhaas@pfrc.org>
CC: "rtg-bfd@ietf. org" <rtg-bfd@ietf.org>
Subject: Re: Attacking BFD with NULL auth
Date: Tue, 06 Feb 2024 16:00:41 +0000
Message-ID: <3CB1BECB-D162-48DF-A5C0-FC230B8109CF@juniper.net>
References: <336054A1-4729-446B-BE73-832650B75BED@pfrc.org>
In-Reply-To: <336054A1-4729-446B-BE73-832650B75BED@pfrc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/nJlmxVGlGsEqxNhajyOZwXOSu9E>
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>

You’re assuming either an on-LAN attacker (and therefore, that BFD is being used on a multiaccess medium) or multihop BFD here, I take it? Because RFC 5881 tells me GTSM is required if there’s no other authentication.

—John

> On Feb 6, 2024, at 8:56 AM, Jeffrey Haas <jhaas@pfrc.org> wrote:
> 
> 
> My thought over first cup of caffeine for the morning: You can have an active attacker attack a session using NULL auth and knock over a BFD session.  This is counter to the usual "silly" attack of keeping BFD Up.
> 
> Presume the session is in the Up state between A and B and using NULL auth.  The current expected sequence number at A from B is 100.
> 
> An active attacker, seeing that 100 is the sequence number, spoofs packets rapidly in order 101..200.
> 
> Sequence number procedures are, tersely, "accept the larger sequence number as long as it's bigger".  Presume that some portion of that spray of packets gets through and moves the sequence number > 100 + 3 before B would have sent sequence 101.
> 
> B then continues happily sending the meticulously increasing packets, 101, 102, 103.  These packets are discarded because the sequence number is under the "last seen" sequence number.
> 
> The session drops.
> 
> I don't believe there is any mitigation against this attack in NULL auth.
> 
> The impacts of this, if so:
> 1. NULL auth and using the sequence numbers becomes impractical to use for optimizing authentication procedures.  ISAAC and no-auth still work.
> 2. BFD stability really wants that increasing sequence number.  This leads to using either meticulous types from the strong authentication mechanisms, or ISAAC.
> 
> Counter observation 1: Stability doesn't really care about the sequence numbers from a security standpoint, just a dropped packet standpoint.  The attack against stability if the sequence numbers aren't used for authentication of the session to drop the session is to trigger an "unstable" event and whatever trigger might be tied to that mechanism as a client.
> 
> Counter observation 2: If the sequence numbers are ignored as a mechanism for taking the session down, you can't use it to prevent PITM attacks, but it's no worse than no-auth.  The periodic strong authentication becomes more important.
> 
> 
> -- Jeff
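The sequence-number attack Jeff describes, modelled as a small Python simulation. This is an added example, not code from the thread or from any BFD implementation. It assumes the RFC 5880 Section 6.7.3 acceptance window for meticulous types (bfd.RcvAuthSeq + 1 through bfd.RcvAuthSeq + 3 * DetectMult), a deliberately simplified detection timer (DetectMult transmit intervals with no accepted packet takes the session Down), a constructed lossy spoof burst in which every seventh attacker packet is lost, and, for the RFC 5881 GTSM check John raises, that an off-link attacker's packets arrive with TTL 254 while an on-LAN attacker can send TTL 255. The `Receiver` class, `run_attack` and `SPRAY` are names chosen here.

```python
"""Model of Jeff's sequence-number attack on a BFD session authenticated only
by sequence numbers, plus the RFC 5881 GTSM (TTL 255) check John points to.
Added example: the window rule follows RFC 5880 6.7.3 (meticulous case); the
detection timer, loss pattern and attacker TTL are constructed assumptions."""
from dataclasses import dataclass, field
from typing import List, Tuple

UP, DOWN = "Up", "Down"

# Constructed attacker burst: 101..200 sprayed in order, every seventh one lost.
# Single losses stay inside the 3*DetectMult window, so the rest are accepted.
SPRAY = [s for s in range(101, 201) if s % 7 != 0]


@dataclass
class Receiver:
    """Side A of the session; it validates packets from B by sequence number only."""
    detect_mult: int = 1
    meticulous: bool = True        # every packet must advance the sequence number
    gtsm: bool = False             # RFC 5881 sec. 5: discard if TTL/Hop Limit != 255
    rcv_auth_seq: int = 0          # bfd.RcvAuthSeq, last accepted sequence number
    auth_seq_known: bool = False   # bfd.AuthSeqKnown
    state: str = UP
    missed_intervals: int = 0      # consecutive intervals with no accepted packet
    rejected: List[int] = field(default_factory=list)

    def receive(self, seq: int, ttl: int = 255) -> bool:
        """Apply GTSM, then the sequence window. Returns True if accepted."""
        if self.gtsm and ttl != 255:
            self.rejected.append(seq)
            return False
        if self.auth_seq_known:
            lo = self.rcv_auth_seq + 1 if self.meticulous else self.rcv_auth_seq
            hi = self.rcv_auth_seq + 3 * self.detect_mult
            if not lo <= seq <= hi:      # "must be bigger", and not too far ahead
                self.rejected.append(seq)
                return False
        self.rcv_auth_seq = seq
        self.auth_seq_known = True
        return True

    def interval_elapsed(self, accepted_this_interval: bool) -> None:
        """Simplified detection timer (assumption): DetectMult empty intervals -> Down."""
        if accepted_this_interval:
            self.missed_intervals = 0
            return
        self.missed_intervals += 1
        if self.missed_intervals >= self.detect_mult:
            self.state = DOWN


def run_attack(spoofed: List[int], gtsm: bool = False, attacker_ttl: int = 254,
               legit_count: int = 5, detect_mult: int = 1) -> Tuple[str, int, List[int]]:
    """A has just accepted 100 from B. The attacker sprays `spoofed` before B's
    next packet; B then sends 101, 102, ... one per interval, as it always would.
    Returns (session state, A's RcvAuthSeq, B's rejected sequence numbers)."""
    a = Receiver(gtsm=gtsm, detect_mult=detect_mult)
    a.receive(100, ttl=255)                 # legitimate packet from B
    for s in spoofed:                       # attacker burst, all within one interval
        a.receive(s, ttl=attacker_ttl)
    legit_rejected: List[int] = []
    for s in range(101, 101 + legit_count):
        ok = a.receive(s, ttl=255)
        if not ok:
            legit_rejected.append(s)
        a.interval_elapsed(ok)
        if a.state == DOWN:
            break
    return a.state, a.rcv_auth_seq, legit_rejected


if __name__ == "__main__":
    print("no GTSM, off-link attacker :", run_attack(SPRAY))
    print("GTSM, off-link attacker    :", run_attack(SPRAY, gtsm=True))
    print("GTSM, on-LAN attacker      :", run_attack(SPRAY, gtsm=True, attacker_ttl=255))
    print("minimal spray 101..104     :", run_attack([101, 102, 103, 104]))
```

The first run shows the mechanism in Jeff's message: A's RcvAuthSeq is dragged to 200, B's genuine 101 is below the window and is discarded, and with DetectMult 1 one empty interval is enough for the session to go Down. The second run is John's point: with the RFC 5881 TTL check an attacker whose packets traverse even one hop is filtered before the sequence logic runs, so the burst does nothing. The third run shows why John asks about an on-LAN or multihop attacker: TTL 255 from a directly attached host passes GTSM and the attack works as before. The last run shows that the attacker does not need a long spray; pushing the counter past 100 + DetectMult already puts B's next packets below the window.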