Hi,
I think this document is a significant step forward for the security of OSPF. I 
do have one comment, though. It concerns the case in which the same 
key is configured on different links. If such a situation occurs, an 
attacker might be able to record an OSPF message on one link and replay it on 
another. This is particularly relevant for cases where one router uses the same 
source address on multiple links (e.g. a virtual link and a physical link). So 
the attacker can record a packet sent by that router on one of the links and 
replay it over the other as if it had been sent by the router itself. This may allow 
an attacker to cause an adjacency to be brought down.
Moreover, a recorded Hello message may be replayed on arbitrary links (even 
those that do not share a router using the same source address). If I am not 
mistaken, RFC 2328 does not mandate discarding a Hello message whose source 
address is not part of the subnet of the interface on which the message 
was received. Therefore, the recipient of the replayed message would allocate a 
new neighbor entry, thus giving rise to a DoS attack.

I know that the OSPF standard allows different keys to be configured for different 
links; nonetheless, in most of the OSPF deployments I have seen, the same key is 
configured for all links in the AS (or area). I do not know whether this is 
representative of OSPF deployments worldwide, but it might be prudent to 
analyse the security of the proposed extensions in the context of such cases as 
well.

Gabi



>________________________________
> From: Abhay Roy <[email protected]>
>To: "[email protected]" <[email protected]> 
>Sent: Friday, April 11, 2014 9:30 AM
>Subject: [OSPF] Working Group last Call on "Security Extension for OSPFv2 when 
>using Manual Key Management" - 
>draft-ietf-ospf-security-extension-manual-keying-07
> 
>
>All,
>
>We are starting a WG LC on the subject document. The document has been 
>stable for a while, and Manav was kind enough to present it one last 
>time at IETF89 (London). The LC will end at 9am PST on 25th April 2014.
>
>Please review the document and send any final comments prior to the LC 
>deadline.
>
>Regards,
>-Abhay
>
>_______________________________________________
>OSPF mailing list
>[email protected]
>https://www.ietf.org/mailman/listinfo/ospf
>
>
>
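The cross-link replay described in the message above, as an added example that is not part of the original post, the draft, or any OSPF implementation. It is a deliberately simplified model: the "Hello" is a short header plus a cryptographic sequence number, authenticated with HMAC-SHA256 under whatever manual key the receiving interface holds (RFC 5709-style, but not the real wire format). The router IDs, addresses, keys and sequence numbers are all constructed for the demonstration. The point it shows is that a per-neighbor sequence check stops a replay on the same link, but a Hello recorded on link A still verifies on link B when both links use the same key, because link B has no state for that source yet; a per-link key, or a check that the source lies in the receiving interface's subnet (shown here as a hypothetical hardening option), is what actually stops it.

```python
"""Model of cross-link replay of an OSPFv2 Hello under shared manual keys.

Added illustration for this thread; simplified packet format and
authentication, not the OSPF wire format or any vendor's code.
"""
import hashlib
import hmac
import ipaddress
import struct

HELLO = 1          # OSPF packet type for Hello
MAC_LEN = 32       # HMAC-SHA256 digest length appended to the packet


def build_hello(router_id, src_ip, seq, key):
    """Return (src_ip, wire): version, type, router ID, crypto seq, then HMAC."""
    body = struct.pack("!BB4sI", 2, HELLO,
                       ipaddress.IPv4Address(router_id).packed, seq)
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return src_ip, body + mac


class Interface:
    """One OSPF interface with its own manual key and neighbor table."""

    def __init__(self, name, ip_with_prefix, key, check_subnet=False):
        self.name = name
        self.net = ipaddress.IPv4Interface(ip_with_prefix)
        self.key = key
        self.check_subnet = check_subnet   # hypothetical hardening knob
        self.neighbors = {}                # src_ip -> last accepted crypto seq

    def receive(self, src_ip, wire):
        """Return 'accept' or the reason the Hello was dropped."""
        body, mac = wire[:-MAC_LEN], wire[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return "drop: bad authentication"
        _version, ptype, _rid, seq = struct.unpack("!BB4sI", body)
        if ptype != HELLO:
            return "drop: not a Hello"
        if self.check_subnet and \
                ipaddress.IPv4Address(src_ip) not in self.net.network:
            return "drop: source not on this interface's subnet"
        last = self.neighbors.get(src_ip)
        if last is not None and seq <= last:
            return "drop: replayed sequence number"
        self.neighbors[src_ip] = seq       # allocates a neighbor entry if new
        return "accept"


def same_link_replay():
    """Replaying the identical Hello on the link it was captured on."""
    iface = Interface("r2-eth0", "10.0.1.2/24", b"manual-key-link-a")
    src, wire = build_hello("1.1.1.1", "10.0.1.1", seq=7,
                            key=b"manual-key-link-a")
    return iface.receive(src, wire), iface.receive(src, wire)


def cross_link_replay(shared_key=True, check_subnet=False):
    """R1 sends a Hello on link A (10.0.1.0/24); the attacker records it and
    re-injects it on link B (10.0.2.0/24), where R3 has never seen R1."""
    key_a = b"manual-key-link-a"
    key_b = key_a if shared_key else b"manual-key-link-b"
    r2_on_a = Interface("r2-eth0", "10.0.1.2/24", key_a, check_subnet)
    r3_on_b = Interface("r3-eth0", "10.0.2.1/24", key_b, check_subnet)
    src, wire = build_hello("1.1.1.1", "10.0.1.1", seq=100, key=key_a)
    legit = r2_on_a.receive(src, wire)
    replayed = r3_on_b.receive(src, wire)
    # third value: bogus neighbor entries R3 now holds for a host off-subnet
    return legit, replayed, len(r3_on_b.neighbors)


if __name__ == "__main__":
    print("same link, replayed twice:", same_link_replay())
    print("shared key, no subnet check:", cross_link_replay())
    print("per-link keys:", cross_link_replay(shared_key=False))
    print("shared key + subnet check:",
          cross_link_replay(shared_key=True, check_subnet=True))
```

With a shared key and no subnet check, the replayed Hello is accepted on link B and R3 allocates a neighbor entry for 10.0.1.1, an address that is not on its 10.0.2.0/24 interface; an attacker who can inject recorded Hellos can grow that table at will. Per-link keys make the recorded packet fail authentication on link B, and the subnet check drops it before any state is created.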