I have three related concerns with this.
First, if I understand the drafts properly, the threat being addressed is that a rogue device on-link can reinject old hellos so as to disrupt established adjacencies on that link. The attack affects only the link it is on, and causes visible and immediate effects. It seems to me that if an attacker is present on enough links for this to be a problem, then one has a lot more issues than just the preservation of adjacencies. In fact, using this attack calls immediate attention to the presence of the attacker. (It is not like a remote DoS or DDoS where the attack can continue once the victim is aware. Network operators will be able to track this VERY fast.)

Second, how would this be deployed? It requests a modification in the sender and receiver behavior for authentication. Is your assumption that this would be handled like a key change? First you upgrade every router on the LAN to be able to receive this, then you turn on sending it on the LAN? It seems to me that in terms of diagnosing communication failures one needs to be able to tell from packet traces which behavior is actually being used.

The third question is actually the most important. Given that operators would have to choose to enable this new behavior, is there any indication that they would do so? I have heard reports that some operators have started turning off IGP authentication, or using it only as a stronger packet checksum. In either case, this does not add value for those operators.

Yours,
Joel M. Halpern

On 10/11/2010 9:09 AM, Bhatia, Manav (Manav) wrote:

Hi,

Both draft-ietf-opsec-routing-protocols-crypto-issues-07.txt and 
draft-hartman-ospf-analysis-01.txt describe certain attacks that OSPFv2 is 
vulnerable to because of OSPFv2 not covering some fields from the IP header in 
its crypto computation. This draft describes a very simple mechanism to fix 
such auth vulnerabilities.

Would be great if the WG members can go through this and provide some feedback.

Cheers, Manav

----- Forwarded Message ----
From: "[email protected]"<[email protected]>
To: [email protected]
Sent: Mon, October 11, 2010 6:30:02 PM
Subject: I-D Action:draft-bhatia-karp-ospf-ip-layer-protection-00.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.

     Title          : Mechanism to protect OSPFv2 authentication from IP Layer Issues
     Author(s)      : M. Bhatia
     Filename       : draft-bhatia-karp-ospf-ip-layer-protection-00.txt
     Pages          : 10
     Date           : 2010-10-06

The IP header is not covered by the MAC in the cryptographic
authentication scheme as described in RFC 2328 and RFC 5709, and an
attack can be made to exploit this omission.  This draft proposes a
simple change in how the authentication is computed to eliminate most
of such attacks.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-bhatia-karp-ospf-ip-layer-protection-00.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
_______________________________________________
OSPF mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ospf

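As an added illustration, not code from the thread or from the draft, of the omission the I-D abstract describes: under the RFC 2328/5709 computation the MAC covers only the OSPF packet, so the digest says nothing about which IP source address a captured Hello originally came from, while binding the source address into the MAC input (an assumed method here, not necessarily what the draft specifies) makes the same bytes fail verification when seen from any other address. The key, addresses and sequence number are constructed sample values, and the RFC 5709 padding steps are simplified to a plain HMAC-SHA-256.

```python
import hashlib
import hmac
import struct

# Constructed sample values for the illustration (not from any real deployment).
KEY = b"area0-shared-secret"  # assumed OSPF authentication key
KEY_ID = 1
ROUTER_ID = "10.0.0.1"
AREA_ID = "0.0.0.0"


def ip_bytes(addr):
    return bytes(int(x) for x in addr.split("."))


def build_hello(crypto_seq):
    """OSPFv2 header (AuType=2) plus a minimal Hello body. The digest is carried
    in a trailer after the packet, so it is not part of the returned bytes."""
    body = struct.pack("!4sHBBI4s4s", ip_bytes("255.255.255.0"), 10, 0x02, 1, 40,
                       ip_bytes("0.0.0.0"), ip_bytes("0.0.0.0"))
    # Cryptographic auth field: zero (16 bits), Key ID, Auth Data Len, sequence number.
    auth = struct.pack("!HBBI", 0, KEY_ID, 32, crypto_seq)
    header = struct.pack("!BBH4s4sHH", 2, 1, 24 + len(body),
                         ip_bytes(ROUTER_ID), ip_bytes(AREA_ID), 0, 2) + auth
    return header + body


def compute_mac(packet, src_ip=None):
    """HMAC-SHA-256 over the OSPF packet (RFC 5709's padding steps simplified).
    RFC 2328/5709 cover the OSPF packet only; prepending the IP source address is
    an assumed way of binding the MAC to the IP layer, not the draft's exact method."""
    covered = packet if src_ip is None else ip_bytes(src_ip) + packet
    return hmac.new(KEY, covered, hashlib.sha256).digest()


def accept(packet, mac, arrived_from, bind_src_ip):
    """Receiver check. With bind_src_ip=False the IP source address the packet
    arrived from plays no role at all in verification."""
    expected = compute_mac(packet, arrived_from if bind_src_ip else None)
    return hmac.compare_digest(expected, mac)


def demo():
    pkt = build_hello(crypto_seq=100)
    mac = compute_mac(pkt)                     # legacy: MAC over OSPF bytes only
    mac_bound = compute_mac(pkt, "192.0.2.1")  # sender also binds its own source IP
    # Same OSPF bytes and MAC, but seen arriving from an address other than the sender's.
    return {
        "legacy_accepts_other_source": accept(pkt, mac, "192.0.2.99", False),
        "bound_rejects_other_source": not accept(pkt, mac_bound, "192.0.2.99", True),
        "bound_accepts_true_source": accept(pkt, mac_bound, "192.0.2.1", True),
    }
```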