OSPF Security Vulnerabilities Analysis draft-jones-OSPF-vuln-01.txt IETF 58 – RPSEC Working Group.


OSPF Security Vulnerabilities Analysis
draft-jones-OSPF-vuln-01.txt
IETF 58 – RPSEC Working Group
November 2003, Minneapolis, MN, USA

Draft's Purpose
> Provide complete vulnerability analysis coverage for OSPF
> Leverage the OSPF vulnerability assessment to:
  – Outline areas of intervention to harden the overall security of OSPF
  – Provide a reference to better mandate security requirements for future routing protocols

Draft's Approach
> The draft is a systematic analysis of all OSPF mechanisms and messages to identify potential security vulnerabilities
> The Internet Draft is divided into three sections:
  – General vulnerabilities not tied to any specific OSPF message
  – Per-message vulnerabilities
  – Resource consumption (DoS) vulnerabilities
> The draft is not intended to encompass implementation-specific vulnerabilities, although a few pointers to observed critical implementation resources are provided

Draft's Outline
> Vulnerabilities due to the design and nature of OSPF
  – Attacker's location
  – Disabling of OSPF Fight Back
  – Leveraging Fight Back as an intrinsic source of DoS
  – External route propagation
> Vulnerabilities for each of the 5 OSPF messages:
  – Hello
  – Link State Update
  – Link State Request
  – Link State Acknowledgment
  – Link State Database Description
> Vulnerabilities due to resource consumption
  – Vulnerabilities due to cryptographic resources
> Vulnerabilities through other protocols (e.g. IP, management, ...)

Three Examples from the Draft
> Three examples of vulnerabilities presented in the draft and how to exploit them:

  Vulnerability              Outcome              ID's Reference
  LSA Modification           Topology Changes
  "Phantom" LSAs             Database Overflow    3.3.5
  External LSA Forwarding    Data-Traffic Loop

Exploit #1 – Topology Changes
> Vulnerability: LSA Information Modification [ ]
> Pre-conditions:
  – Being able to CONSTANTLY inject valid OSPF messages
  – Weak MD5 key choice / compromised router
  – No cryptographic authentication, etc.
> Possible impact: topology changes
  – Allow eavesdropping
  – Starve/overload a network
> Expected outcome:
  – Highly unstable topology (loops, route flapping) due to Fight Back of LSAs between the attacker and the legitimate owner
> Observed outcome (as supported by the RFC!):
  – PERMANENT or SEMI-PERMANENT topology changes due to ineffective Fight Back

Fight Back
> What is Fight Back? Every circulating LSA that contains wrong information will be corrected by its owner
> Papers on OSPF security suggest that Fight Back corrects the damage of most attacks
  – Many theoretical attacks are not worth the effort just to cause a brief topology change
  [ "An Experimental Study of Insider Attacks for the OSPF Routing Protocol", Vetter et al.; "On the Vulnerabilities and Protection of OSPF Routing Protocol", Wang and Wu ]

Disabling Fight Back
> OSPF Fight Back can be:
  – Disabled
  – Heavily diluted
> Attacks on LSA information are then SUCCESSFUL
> HOW?
  1. Periodic injection
     > Exploiting an architectural "flaw" in the OSPF flooding algorithm [ RFC 2328, 13.5 (a) (b) and (f) ]
     > MinLSInterval (5 seconds)
  2. Preventing the information from reaching the LSA's legitimate owner
     > Subverted router that partitions the network
  3. Injecting information on behalf of non-existing routers

Exploit #2 – Resource Consumption
> "Phantom LSAs" are Router/Network LSAs sent on behalf of non-existing OSPF peers
> These entries are ignored by the Shortest Path First (SPF) algorithm (they do not produce topology changes)
> "Phantom LSAs" are entered in the Link State Database
  – Each entry is kept for MaxAge (1 hour)
  – No Fight Back is triggered since there is no legitimate owner
> Exhausting Link State Database resources will put OSPF in a very delicate state and stress the implementation's robustness
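
The slide's observation that phantom entries are ignored by SPF gives a defender a direct test: SPF only follows links confirmed by both endpoints' Router-LSAs (RFC 2328, 16.1), so an advertising router that no confirmed path reaches is dead weight in the LSDB. The script below is an added example for this slide, not code from the draft or from any OSPF implementation; the LSDB dump, router IDs and injection rate are constructed for the example, and the entry layout (advertising router to the set of router IDs its Router-LSA claims links to) is an assumption made here.

```python
"""Flag "phantom" Router-LSAs: LSDB entries that SPF can never use."""

MAX_AGE = 3600  # seconds; an unrefreshed LSA lives this long (RFC 2328, Appendix B)

# Constructed sample LSDB: 10.0.0.x are real routers forming a square;
# 10.9.0.x are injected entries claiming links that no real router confirms.
SAMPLE_ROUTER_LSAS = {
    "10.0.0.1": {"10.0.0.2", "10.0.0.3"},
    "10.0.0.2": {"10.0.0.1", "10.0.0.4"},
    "10.0.0.3": {"10.0.0.1", "10.0.0.4"},
    "10.0.0.4": {"10.0.0.2", "10.0.0.3"},
    "10.9.0.1": {"10.0.0.1", "10.9.0.2"},   # phantom: one-way claim on 10.0.0.1
    "10.9.0.2": {"10.0.0.2", "10.9.0.1"},   # phantom: confirmed only by another phantom
    "10.9.0.3": {"10.0.0.1"},               # phantom: one-way claim
}


def reachable_routers(router_lsas, root):
    """Router IDs reachable from `root` over bidirectionally confirmed links only."""
    seen, stack = {root}, [root]
    while stack:
        r = stack.pop()
        for n in router_lsas.get(r, set()):
            # A link counts only if the far end's own Router-LSA lists us back.
            if r in router_lsas.get(n, set()) and n not in seen:
                seen.add(n)
                stack.append(n)
    return seen


def phantom_candidates(router_lsas, root):
    """Advertising routers present in the LSDB but unreachable from `root`."""
    return sorted(set(router_lsas) - reachable_routers(router_lsas, root))


def lsdb_report(router_lsas, root, inject_rate_per_s=0.0):
    """Summarise how much of the LSDB is dead weight and what a sustained
    injection rate implies when each distinct entry is kept for MaxAge."""
    phantoms = phantom_candidates(router_lsas, root)
    return {
        "entries": len(router_lsas),
        "phantoms": phantoms,
        "phantom_share": len(phantoms) / len(router_lsas),
        # arrivals during one MaxAge period = steady-state number of distinct
        # injected entries the database has to hold
        "steady_state_injected": int(inject_rate_per_s * MAX_AGE),
    }


if __name__ == "__main__":
    print(lsdb_report(SAMPLE_ROUTER_LSAS, "10.0.0.1", inject_rate_per_s=2.0))
```

Run from a real router's point of view (its own Router ID as `root`), every entry the report lists as a phantom is one that consumes database memory without ever entering a route; a rising `phantom_share` over successive LSDB snapshots is the resource-consumption signal the slide describes, and `steady_state_injected` shows why MaxAge, not SPF, bounds the damage.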

Exploit #3 – Creating a Data-Traffic Loop
> Vulnerability: Modifying the External LSA Forwarding field [ ]
> Pre-conditions:
  – Being able to inject valid OSPF messages
  – Weak MD5 key choice / compromised router
  – No cryptographic authentication, etc.
  – E-bit enabled on the advertising peer's Router LSA
  – Change the Forwarding Address to a router (host) in any stub area
> Possible impact:
  – Data never gets to its destination because it is stuck in a loop
  – Outgoing external traffic forwarded to a stub-area router (host) will LOOP between the ABR and its next hop towards the forwarding point [RFC 2328, 3.6]

Conclusions
> OSPF presents significant security vulnerabilities, which should not be overlooked in the requirements for future routing protocols (IGPs)
> OSPF is generally associated with some misconceptions about the protocol's security and its intrinsic resilience to attacks
  – These lead to a false security threat analysis

Next Steps
> Would like to receive more feedback from the group
> Could this document become a WG item?
  – Addresses the charter item "Submit I-Ds documenting threats to routing systems for publication as Informational RFC" for OSPF

?

Backup slides

Periodic Injection
> When a legitimate owner receives a malicious copy of one of its own LSAs:
  SINCE
  – the malicious LSA has a higher sequence number
  – a copy of the LSA is already present in the Link State DB, and this copy was not received by flooding but installed by the router itself
  THEN flood the malicious LSA, and only AFTER that check ownership, THEN TRY to update the malicious LSA [RFC 2328, 13, p. 143-6]
> Why "try"?
  – Because a router cannot originate two instances of the same LSA faster than MinLSInterval (5 seconds), BUT it will immediately flood any LSA it receives [RFC 2328, 12.4, p. 125]
> If the attacker injects malicious LSAs at intervals shorter than MinLSInterval, the legitimate owner will not only NOT fight back but will ALSO collaborate in the flooding
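
The "Disabling Fight Back" and "Periodic Injection" slides describe one observable a defender can monitor on every router: its own LSA arriving by flooding with a sequence number newer than the instance it originated (RFC 2328, 13.4). The script below is an added example for those two slides, not code from the draft or from any OSPF implementation. It replays a constructed log of LSA events on one router and models the slides' reading of the RFC: a newer copy of the router's own LSA is installed and flooded at once, while the corrected instance may only be originated MinLSInterval after the previous origination. The event record layout, router ID and timings are assumptions made for the example.

```python
"""Replay a router's LSA events and judge whether fight-back keeps up."""
from dataclasses import dataclass

MIN_LS_INTERVAL = 5.0  # seconds (RFC 2328, Appendix B)


@dataclass
class LsaEvent:
    t: float         # time in seconds
    adv_router: str  # Advertising Router field of the LSA
    seq: int         # LS sequence number
    via: str         # "self" = originated here, "flood" = received from a neighbour


def replay(self_id, events, min_ls_interval=MIN_LS_INTERVAL):
    """Summarise fight-back behaviour of router `self_id` over `events`."""
    local = None                # (seq, owner) of our own LSA as held in the LSDB
    last_orig = float("-inf")   # time of our last origination
    pending = None              # time at which a deferred re-origination is allowed
    triggers = []               # times we received a newer copy of our own LSA
    corrections = []            # times we actually re-originated

    def originate(t, seq):
        nonlocal local, last_orig, pending
        local = (seq, "self")
        last_orig = t
        pending = None
        corrections.append(t)

    for ev in sorted(events, key=lambda e: e.t):
        if ev.adv_router != self_id:
            continue                          # only our own LSAs matter here
        if pending is not None and pending <= ev.t:
            originate(pending, local[0] + 1)  # the deferred correction went out
        if ev.via == "self":
            local, last_orig = (ev.seq, "self"), ev.t
            continue
        if local is None or ev.seq <= local[0]:
            continue                          # older or duplicate instance: nothing to do
        # Newer instance of our own LSA arrived by flooding (RFC 2328, 13.4):
        # it is installed and flooded first; the correction follows.
        triggers.append(ev.t)
        local = (ev.seq, "flood")
        due = max(ev.t, last_orig + min_ls_interval)
        if due == ev.t:
            originate(ev.t, ev.seq + 1)
        else:
            pending = due                     # MinLSInterval has not elapsed yet

    owner = local[1] if local else "self"
    return {
        "triggers": len(triggers),
        "corrections": len(corrections),
        "final_owner": owner,
        "fight_back_effective": len(corrections) == len(triggers) and owner == "self",
    }


def injection_scenario(period, count, self_id="10.0.0.1", start=10.0):
    """Constructed log: we originate at t=0, then `count` foreign copies of our
    LSA arrive every `period` seconds, each with a higher sequence number."""
    events = [LsaEvent(0.0, self_id, 0x80000001, "self")]
    seq = 0x80000001
    for i in range(count):
        seq += 2  # stays ahead of the instance we re-originate (which adds only 1)
        events.append(LsaEvent(start + i * period, self_id, seq, "flood"))
    return events


if __name__ == "__main__":
    print("every 2 s :", replay("10.0.0.1", injection_scenario(2.0, 10)))
    print("every 10 s:", replay("10.0.0.1", injection_scenario(10.0, 3)))
```

Any non-zero `triggers` count is already worth an alert, because a router should never receive a newer instance of its own LSA unless it was itself restarted. The ratio of `corrections` to `triggers` is the fight-back coverage: with copies arriving every 10 seconds every trigger is corrected and the router ends up owning its LSA, while at 2-second spacing only one correction per MinLSInterval is possible and the foreign instance stays in the database, which is the semi-permanent topology change the slides report.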

Data-Traffic Loop
[Figure: a backbone area and a stub area with routers A, B, C, D, E, F and G and a compromised router; F is the router in the stub area used as the forwarding address. Labels on the figure: "Ext. LSA with Forward F is present in LinkStateDB" (backbone routers); "NO Ext. LSAs: points to DEFAULT ROUTE" (stub-area routers); "Attacker is advertising an External Route with Forward to F"; "DATA Traffic TO: (destination)". Per-router next-hop tables in the figure are not recoverable.]

Attacker's Location
> An OSPF router could be attacked from ANYWHERE in the Internet if the router's IP address is known
  – Extremely easy for outsider attackers to mount DDoS attacks
  – Extremely difficult to trace back the attacker
[Figure: attacker positions relative to an OSPF domain. Labels on the figure: attacker "on the path" with physical access to the link; attacker with access to the link's password; attacker with access to a router via a Telnet or SSH session; attacker on the Internet reaching an OSPF router directly.]

Remote Attacker (Backup)
"The IP destination address for the packet is selected as follows. On physical point-to-point networks, the IP destination is always set to the address AllSPFRouters. On all other network types (including virtual links), the majority of OSPF packets are sent as unicasts, i.e., sent directly to the other end of the adjacency. In this case, the IP destination is just the Neighbor IP address associated with the other end of the adjacency (see Section 10)." [RFC 2328, 8.1]

Hop-by-hop OSPF Security
> All OSPF peers (on the same network) share the same secret key
> If the attacker compromises ONE single link, it can now attack the entire domain
  – From the compromised link the attacker can inject LSAs on behalf of every other OSPF router (even if other links use a different secret!)
> Security consequences:
  – Local intrusion, global impact: an attacker that compromises one link/peer can then possibly attack anywhere in the entire domain
  – Never know which is the compromised/malicious router: even if an attack or suspicious behaviour is detected, identifying the malicious router may not be immediate

Stub-Area Default Route
"One or more of the stub area's area border routers must advertise a default route into the stub area via summary-LSAs. These summary defaults are flooded throughout the stub area, but no further."
"These summary default routes will be used for any destination that is not explicitly reachable by an intra-area or inter-area path (i.e., AS external destinations)."
"An area can be configured as a stub when there is a single exit point from the area, or when the choice of exit point need not be made on a per-external-destination basis." [RFC 2328, 3.6, p. 37]
"Forwarding address: Data traffic for the advertised destination will be forwarded to this address. If the Forwarding address is set to , data traffic will be forwarded instead to the LSA's originator (i.e., the responsible AS boundary router)." [RFC 2328, A.4.5, p. 215]
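
Put together, the "Exploit #3" slide and the RFC text quoted above give a concrete audit rule for AS-external LSAs: a forwarding address that lies inside a stub area points traffic at a router that holds no external LSAs and sends external destinations back to the ABR by its default route, which is the loop the slide describes; and an external LSA whose originator's Router-LSA has the E-bit clear is inconsistent with the precondition listed on the slide. The script below is an added example for those two slides, not code from the draft or from any OSPF implementation; the stub-area prefix, router IDs, E-bit table and LSAs are constructed (RFC 5737 documentation ranges), and the LSA record layout is an assumption made here. It uses the RFC 2328 convention, from Appendix A.4.5, that a forwarding address of 0.0.0.0 means "forward to the originator".

```python
"""Audit AS-external LSAs whose forwarding address points into a stub area."""
import ipaddress
from dataclasses import dataclass


@dataclass
class ExternalLsa:
    adv_router: str       # Advertising Router (the ASBR)
    prefix: str           # external destination, e.g. "203.0.113.0/24"
    forwarding_addr: str  # "0.0.0.0" = forward to the originator (RFC 2328, A.4.5)


# Constructed inputs.
STUB_AREAS = {"0.0.0.2": ["192.0.2.0/24"]}  # area id -> prefixes inside that stub area
ASBR_E_BIT = {"10.0.0.1": True, "10.0.0.5": True, "10.0.0.9": False}
SAMPLE_EXTERNALS = [
    ExternalLsa("10.0.0.1", "203.0.113.0/24", "0.0.0.0"),     # normal: forward to the ASBR
    ExternalLsa("10.0.0.5", "198.51.100.0/24", "192.0.2.7"),  # forwarding address in stub area
    ExternalLsa("10.0.0.9", "198.51.100.0/25", "0.0.0.0"),    # originator's E-bit is clear
]


def check_external_lsa(lsa, stub_areas, asbr_e_bit):
    """Return the findings for one AS-external LSA (empty list = nothing odd)."""
    findings = []
    if not asbr_e_bit.get(lsa.adv_router, False):
        # RFC 2328, 16.4 needs a routing-table entry for the originating ASBR,
        # which only exists when its Router-LSA carries the E-bit.
        findings.append("originator's Router-LSA has the E-bit clear")
    fwd = ipaddress.ip_address(lsa.forwarding_addr)
    if fwd != ipaddress.ip_address("0.0.0.0"):
        for area, prefixes in stub_areas.items():
            if any(fwd in ipaddress.ip_network(p) for p in prefixes):
                findings.append(
                    f"forwarding address {fwd} lies inside stub area {area}")
    return findings


def audit_externals(lsas, stub_areas=STUB_AREAS, asbr_e_bit=ASBR_E_BIT):
    """Map '<adv_router> <prefix>' to its findings, for the LSAs that have any."""
    report = {}
    for lsa in lsas:
        findings = check_external_lsa(lsa, stub_areas, asbr_e_bit)
        if findings:
            report[f"{lsa.adv_router} {lsa.prefix}"] = findings
    return report


if __name__ == "__main__":
    for key, findings in audit_externals(SAMPLE_EXTERNALS).items():
        print(key, "->", "; ".join(findings))
```

The stub-area prefix list is the piece an operator has to maintain by hand (or derive from the summary-LSAs the ABRs inject), and the E-bit table comes from the Router-LSAs already in the LSDB; with both in place the audit can run over every LSDB snapshot, and a forwarding address that suddenly moves into a stub-area prefix is the modification the slide describes.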