Hi, The latest version documents in this scenario.
Abhay - We are well past the WG LC and we've addressed all comments received till date. Can you please move the draft ahead? Cheers, Manav From: OSPF [mailto:[email protected]] On Behalf Of Acee Lindem Sent: Friday, May 02, 2014 6:41 AM To: Gabi Nakibly Cc: OSPF List Subject: Re: [OSPF] Working Group last Call on "Security Extension for OSPFv2 when using Manual Key Management" - draft-ietf-ospf-security-extension-manual-keying-07 Hi Gabi, Sorry for the delay - I agree that a replay could be accomplished in this scenario if it is captured on one interface and replayed on another before any other packets are sent. Interfaces having the same source address are limited to unnumbered links which are inherently P2P. At a minimum, we will document this case. Thanks, Acee On Apr 29, 2014, at 9:18 AM, Gabi Nakibly <[email protected]<mailto:[email protected]>> wrote: Hi Acee, Thanks for the reply. Just to clarify my thoughts, I believe that the use of a single sequence number space per router does not prevent the attack. Here is an example. Let's say a router is attached to two links (A and B) while using the same IP address. Let's say the attacker has recorded an Hello message the router just sent on link A. When the router sends this message its SN is higher than any other packet sent on any other link by that router. The attacker would now be able successfully replay the recorded Hello message on link B as long as it does so before the router sends another OSPF message on link B. Such an attack will probably bring down all adjacencies of the router on link B. I think it would be good to document this type of attacks as many network operators configure the same key on different links. It would be good to bring to their attention the consequences of such configurations. If you wish, I can assist in writing this. Gabi ________________________________ From: Acee Lindem <[email protected]<mailto:[email protected]>> To: Gabi Nakibly <[email protected]<mailto:[email protected]>> Cc: Abhay Roy <[email protected]<mailto:[email protected]>>; OSPF List <[email protected]<mailto:[email protected]>> Sent: Monday, April 28, 2014 6:06 PM Subject: Re: [OSPF] Working Group last Call on "Security Extension for OSPFv2 when using Manual Key Management" - draft-ietf-ospf-security-extension-manual-keying-07 Hi Gabi, Thanks much for your review and comment. On Apr 24, 2014, at 2:39 AM, Gabi Nakibly <[email protected]<mailto:[email protected]>> wrote: Hi, I think this document is a significant step forward for the security of OSPF. I do have one comment, though. It is concerned with the case in which the same key is configured on different links. If such a situation occurs then an attacker might be able to record an OSPF message on one link and replay it on another. This is particularly relevant for cases where one router uses the same source address in multiple links (e.g. a virtual link and a physical link). So the attacker can record a packet sent by that router on one of the links and replay it over the other as if it was sent by the router itself. This may allow an attacker to cause an adjacency to be brought down. Note that in section 2 we are recommending one sequence number space for the OSPF router as opposed to one per interface. Hence, this would have to be a replayed packet received from another router with the same source address since the OSPF Router ID in the OSPF header would be protected by the authentication hash. I would consider this to be a misconfiguration. Moreover, a recorded Hello message may be replayed on arbitrary links (even those that do not share a router using the same source address). If I am not mistaken, RFC2328 does not mandate to discard an Hello message having a source address that is not part of the subnet of the interface on which the message was received. RFC 2328 does mandate source subnet checking on multi-access networks but not P2P networks. On P2P networks, this could be a problem but would require the attacker to have an active tap on both the P2P interface and another interface using the same key. Again, this would have to be a replayed packet received from another router due to the OSPF router's use a single sequence number space. There really isn't a good solution for this problem on P2P links since the routers don't share any common identifier for the P2P link. They have an ifIndex but this is a locally unique interface identifier. We can document the problem and recommend use of different keys if the possibility of active taps on P2P interfaces exists. Thanks, Acee Therefore, the recipient of the replayed message would allocate a new neighbor entry, thus giving rise to a DoS attack. I know that the OSPF standard allows to configure different keys for different links, nonetheless in most of the OSPF deployments I have seen the same key is configured for all links in the AS (or area). I do not know if this is representative of OSPF deployments worldwide, but it might be prudent to analyse the security of the proposed extensions in the context of such cases as well. Gabi ________________________________ From: Abhay Roy <[email protected]<mailto:[email protected]>> To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Sent: Friday, April 11, 2014 9:30 AM Subject: [OSPF] Working Group last Call on "Security Extension for OSPFv2 when using Manual Key Management" - draft-ietf-ospf-security-extension-manual-keying-07 All, We are starting a WG LC on the subject document. Document has been stable for a while, and Manav was kind enough to present it one last time in IETF89 (London). LC will end at 9am PST on 25th April 2014. Please review the document and send any final comments prior to the LC deadline. Regards, -Abhay _______________________________________________ OSPF mailing list [email protected]<mailto:[email protected]> https://www.ietf.org/mailman/listinfo/ospf _______________________________________________ OSPF mailing list [email protected]<mailto:[email protected]> https://www.ietf.org/mailman/listinfo/ospf
_______________________________________________ OSPF mailing list [email protected] https://www.ietf.org/mailman/listinfo/ospf
