Re: [secdir] Review of draft-ietf-opsec-routing-protocols-crypto-issues-04

[Sandra Murphy <Sandra.Murphy@sparta.com>]

On Thu, 27 May 2010, Vishwas Manral wrote:

> Hi Sandra,
>
>> I really did mean what I said - if you can think of cases where
>> routing protocols could be damaged by a collision attack, speak up.
> I am sorry if you anywhere felt that I did not feel you really meant what
> you said.

Here I was, trying to be reassuring that there really was no sly subtext 
to what I said, and you seem to have taken it as a complaint, so I 
further confused things.  Sorry.


>
> What you seem to be saying is pretty well known. I have given you an example
> where if we can get a changed valid packet with a different topology, we can
> cause blackholes, loops and redirection.
>
> Are you trying to figure out how a wrong topology description packet can
> cause problems?

Certainly wrong topology descriptions are a bad thing.

I'm trying to distinguish damage that can be caused by collision attacks 
only.

To be a collision attack, the attacker must be able to produce two packets 
that have the same hash.  Since the use here is a keyed crypto hash, the 
hash also has to be validatable by the recipient - or there's no problem.

Since we are NOT discussing failures in keyed MD5 that would permit 
someone who did not know the key to produce a valid digest, it must be the 
case that the attacker is someone who knows the key - in other words a 
valid participant.

So.  What would a collision attack allow a valid participant to do that a 
valid participant could not already do?  We know for sure that valid 
participants can transmit "wrong topology descriptions" without resorting 
to the trouble of finding a hash collision between packets.

I'm not taking potshots.  I'm genuinely interested in the answer.  Do you 
see any new damage that could be done only with a collision attack?

--Sandy

>
> Thanks,
> Vishwas
>
> -----Original Message-----
> From: Sandra Murphy [mailto:Sandra.Murphy@sparta.com]
> Sent: Thursday, May 27, 2010 12:30 PM
> To: Vishwas Manral
> Cc: 'Sam Hartman'; 'Nicolas Williams'; shares@nexthop.com;
> jjaeggli@checkpoint.com; manav.bhatia@alcatel-lucent.com; secdir@ietf.org
> Subject: RE: [secdir] Review of
> draft-ietf-opsec-routing-protocols-crypto-issues-04
>
>
>
> On Thu, 27 May 2010, Vishwas Manral wrote:
>
>> Hi Sam/ Sandra,
>>
>> I agree with what you guys have said, we can work to refine the wording to
>> make it clear that there are no known attacks.
>>
>> There may not be known attacks based on collision, but that does not
>> preclude future issues that may result. One thing I can see is if we can
>> change the topology field and still have the right/ same hash, it could
> lead
>> to basic issues like traffic redirection, black holes and routing loops. I
>> agree the fact that the packet needs to be a valid format packet makes the
>> attack considerably harder.
>
> I really did mean what I said - if you can think of cases where routing
> protocols could be damaged by a collision attack, speak up.
>
> Most of the things I could think of were attacks that resulted from a
> legitimate participant behaving badly, and we all know just how much
> risk routing protocols face from legitimate participants behaving badly
> anyway - collisions would be no more risk.
>
> --Sandy
>
>
>>
>> Thanks,
>> Vishwas
>>
>> -----Original Message-----
>> From: Sandra Murphy [mailto:Sandra.Murphy@sparta.com]
>> Sent: Thursday, May 27, 2010 11:56 AM
>> To: Sam Hartman
>> Cc: Nicolas Williams; shares@nexthop.com; jjaeggli@checkpoint.com;
>> manav.bhatia@alcatel-lucent.com; vishwas@ipinfusion.com; secdir@ietf.org
>> Subject: Re: [secdir] Review of
>> draft-ietf-opsec-routing-protocols-crypto-issues-04
>>
>> I was discussing this just this morning with a colleague.
>>
>> The discussion of pre-image and collision points out that using collisions
>> as an attack on a routing protocol is not that easy since routing
>> protocols have format requirements - the attacker would have to find a
>> collision that is also a validly formatted protocol packet.
>>
>> Even beyond that, if the authors can point to some damage an attacker
>> could do in a routing protocol using a collision, that would be very
>> interesting.
>>
>>
>> --Sandy
>>
>> On Thu, 27 May 2010, Sam Hartman wrote:
>>
>>>>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams@oracle.com> writes:
>>>
>>>    Nicolas> I have reviewed this document as part of the security
>>>    Nicolas> directorate's ongoing effort to review all IETF documents
>>>    Nicolas> being processed by the IESG. Document editors and WG chairs
>>>    Nicolas> should treat these comments just like any other last call
>>>    Nicolas> comments.
>>>
>>>    Nicolas> This document aims to be an Informational RFC describing
>>>    Nicolas> security problems with various routing protocols.
>>>
>>>    Nicolas> Aside from various spelling and other nits that the
>>>    Nicolas> RFC-Editor can easily handle, I have no issues with this
>>>    Nicolas> document and it is ready for publication.
>>>
>>> This document talks a lot about collision attacks against MD5 and then
>>> draws the conclusion that MD5 should not be used as part of a MAC.  I
>>> agree that it is prudent to provide alternatives to MD5.  However, I
>>> think the current text implies that collision attacks against MD5 are
>>> applicable to attacks against the use of MD5 in routing protocols.
>>>
>>> There is an introductory section that describes the difference between
>>> pre image and collision attacks, but the rest of the document seems to
>>> ignore the advice of that section.
>>> _______________________________________________
>>> secdir mailing list
>>> secdir@ietf.org
>>> https://www.ietf.org/mailman/listinfo/secdir
>>>
>>
>>
>
>