Presentation is loading. Please wait.

Presentation is loading. Please wait.

IS-IS ESN TLV draft-chunduri-isis-extended-sequence-no-tlv-01 Uma Chunduri, Wenhu Lu, Albert Tian Ericsson Inc. Naiming Shen Cisco Systems, Inc. IETF 83,

Published byAlexzander Gafford Modified over 10 years ago

Similar presentations

Presentation on theme: "IS-IS ESN TLV draft-chunduri-isis-extended-sequence-no-tlv-01 Uma Chunduri, Wenhu Lu, Albert Tian Ericsson Inc. Naiming Shen Cisco Systems, Inc. IETF 83,"— Presentation transcript:

1 IS-IS ESN TLV draft-chunduri-isis-extended-sequence-no-tlv-01 Uma Chunduri, Wenhu Lu, Albert Tian Ericsson Inc. Naiming Shen Cisco Systems, Inc. IETF 83, Paris, France March 26-30, 2012 83 rd IETF @ Paris 1

2 Problem Briefly described in Sec. considerations section of [RFC5304] Sec 3.1 - This mechanism does not prevent replay attacks; however, in most cases, such attacks would trigger existing mechanisms in the IS-IS protocol that would effectively reject old information. [RFC5310] Sec 4 - The mechanism detailed in this document does not protect IS-IS against replay attacks. An adversary could in theory replay old IIHs and bring down the adjacency [CRYPTO]…. OPSec WG [RFC6039] Sec 4.2 - IS-IS does not provide a sequence number. IS-IS packets are vulnerable to replay attacks; any packet can be replayed at any point of time. So long as the keys used are the same, protocol elements that would not be rejected will affect existing sessions. 2 83 rd IETF @ Paris IS-IS ESN TLV

3 IS-IS Gap analysis draft presented in KARP WG (Taipei-IETF82) per RFC 6518 - KARP WG design guide Karp Threat Requirements Also discussed the replay threat in various broadcast networks and also this particular (ESN TLV) draft KARP WG asked for applicability statement in the draft IS-IS is not only restricted to few Tier-1 ISP backbones but..has been adopted widely in various L2 and L3 routing deployment of the data centers for critical business operations. Captured the same in current 01 version 3 83 rd IETF @ Paris

4 Problem?? Replay attacks with IS-IS protocol messages to create churn in the broadcast networks 4 83 rd IETF @ Paris

5 How? IIH ADJ flaps in broadcast by replying empty neighbor list (TLV 6) SNP Can mount DoS attacks by sending old CSNP/PSNP packets 5 83 rd IETF @ Paris

6 How? (Contd.) LSP Already protected from intra session replay attacks with header seq. no But still vulnerable for inter session attacks Les Ginsberg has raised few questions/scenarios how this is possible (in IS-IS WG) Issue is acked. but felt impact is smaller (as new Seq. is originated eventually) and claimed, its not repeatable for multiple times How ever.. both the above are subjective as by that time all the nodes in the network see the churn (impact also depends on what info is missing in the replayed LSPs) this can be done for multiple nodes in the network which has area/domain wide impact every time 6 83 rd IETF @ Paris

7 ESN TLV (Type – IANA TBD) 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+ | Type | +-+-+-+-+-+-+-+-+ | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Extended Session Sequence Number (High Order 32 Bits) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Extended Session Sequence Number (Low Order 32 Bits) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | (optional) Packet Sequence Number (32 Bits) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ESSN Starts with non-zero and incremented in PSN wrap scenario, session refresh, cold restarts etc.. PSN Incremented per packet (only applicable for IIH and SNPs) 7 83 rd IETF @ Paris

8 Processing IIH Maintained per interface (per level) and can be stored in ADJ state Tx: ESSN can be encoded as 64-bit time or boot count, PSN starts with 1 and increases per packet Rx: ESSN same or higher that the stored vale in ADJ and PSN is higher LSP If present ESSN encoding/processing is similar to IIH No changes to current header Sequence no processing CSNP/PSNP Based on Broadcast or P2P network encoding and processing similar to above (refer draft for further details) 8 83 rd IETF @ Paris

9 ESSN encoding - Guidelines as described in Appendix A REQ: It should be ever increasing quantity 64-bit system timestamp encoding as of NTP long format (MUST not go to previous value after cold restart) Battery backed RTC Boot count in non-volatile storage Similar to proposed in OSPF non-volatile storage: if repaired, keys MUST be changed to avoid the attacks 9 83 rd IETF @ Paris

10 KARP IS-IS security gap analysis draft-chunduri-karp-is-is-gap-analysis-01 Presented in KARP WG (IETF82) - We welcome feedback 83 rd IETF @PARIS 10

11 Questions & Comments? Thank You! 83rd IETF @PARIS 11

Download ppt "IS-IS ESN TLV draft-chunduri-isis-extended-sequence-no-tlv-01 Uma Chunduri, Wenhu Lu, Albert Tian Ericsson Inc. Naiming Shen Cisco Systems, Inc. IETF 83,"

Similar presentations

MPLS Multiple Topology Support draft-zhao-mpls-ldp-multiple-topology-01 draft-zhao-mpls-rsvp-te-multiple-topology-01 IETF 80 – Prague.

MPLS Multiple Topology Support draft-zhao-mpls-ldp-multiple-topology-01 draft-zhao-mpls-rsvp-te-multiple-topology-01 IETF 80 – Prague.
Advertising Generic Information in IS-IS draft-ietf-isis-genapp-00.txt Les Ginsberg Stefano Previdi Mike Shand.

Advertising Generic Information in IS-IS draft-ietf-isis-genapp-00.txt Les Ginsberg Stefano Previdi Mike Shand.
Slide title In CAPITALS 50 pt Slide subtitle 32 pt draft-lu-ldp-igp-sync-bcast-00 by Wenhu Lu & Sriganesh Kini 75th IETF – Stockholm, Sweden (July 26-31,

Slide title In CAPITALS 50 pt Slide subtitle 32 pt draft-lu-ldp-igp-sync-bcast-00 by Wenhu Lu & Sriganesh Kini 75th IETF – Stockholm, Sweden (July 26-31,
Seamless MPLS draft-leymann-mpls-seamless-mpls-01.txt

Seamless MPLS draft-leymann-mpls-seamless-mpls-01.txt
OSPF WG - IETF 66 OSPF Protocol Evolution WG Re-Charter Acee Lindem/Cisco Systems.

OSPF WG - IETF 66 OSPF Protocol Evolution WG Re-Charter Acee Lindem/Cisco Systems.
1 Introduction to ISIS SI-E Workshop AfNOG 2012 - The Gambia Noah Maina.

1 Introduction to ISIS SI-E Workshop AfNOG The Gambia Noah Maina.
Protection Mechanisms for LDP P2MP/MP2MP LSP draft-zhao-mpls-mldp-protections-02.txt Quintin Zhao, Emily Chen, Tao Chou Huawei Technology Daniel King OldDog.

Protection Mechanisms for LDP P2MP/MP2MP LSP draft-zhao-mpls-mldp-protections-02.txt Quintin Zhao, Emily Chen, Tao Chou Huawei Technology Daniel King OldDog.
NORM PI Update draft-ietf-rmt-pi-norm-revised-04 68th IETF - Prague Brian Adamson NRL.

NORM PI Update draft-ietf-rmt-pi-norm-revised-04 68th IETF - Prague Brian Adamson NRL.
Www.huawei.com BGP Extensions for BIER draft-xu-idr-bier-extensions-01 Xiaohu Xu (Huawei) Mach Chen (Huawei) Keyur Patel (Cisco) IJsbrand Wijnands (Cisco)

BGP Extensions for BIER draft-xu-idr-bier-extensions-01 Xiaohu Xu (Huawei) Mach Chen (Huawei) Keyur Patel (Cisco) IJsbrand Wijnands (Cisco)
MAC Withdraw Signaling for static PW draft-boutros-l2vpn-mac-wd-03.txt Himanshu Shah - Ciena Siva Sivabalan, Sami Boutros – Cisco Sam Aldrin - Huwei.

MAC Withdraw Signaling for static PW draft-boutros-l2vpn-mac-wd-03.txt Himanshu Shah - Ciena Siva Sivabalan, Sami Boutros – Cisco Sam Aldrin - Huwei.
OSPF Operator Defined TLVs for Agile Service Deployment (previous name self-defined TLVs) draft-chunduri-ospf-operator-defined-tlvs-00 (previously: draft-chunduri-ospf-self-defined-sub-tlvs-03)

OSPF Operator Defined TLVs for Agile Service Deployment (previous name self-defined TLVs) draft-chunduri-ospf-operator-defined-tlvs-00 (previously: draft-chunduri-ospf-self-defined-sub-tlvs-03)
Slide #1IETF 77 – Roll WG – March 2010 ROLL RPL IETF 77 status draft-ietf-roll-rpl Tim Winter Pascal Thubert Design Team.

Slide #1IETF 77 – Roll WG – March 2010 ROLL RPL IETF 77 status draft-ietf-roll-rpl Tim Winter Pascal Thubert Design Team.
1 LSP-Trace over MPLS tunnels draft-nitinb-lsp-ping-over-mpls-tunnel-00 Nitin BahadurJuniper Networks Kireeti KompellaJuniper Networks IETF 69, MPLS WG,

1 LSP-Trace over MPLS tunnels draft-nitinb-lsp-ping-over-mpls-tunnel-00 Nitin BahadurJuniper Networks Kireeti KompellaJuniper Networks IETF 69, MPLS WG,
Protocol Topology Support for IS-IS Kay Noguchi draft-ietf-noguchi-isis-protocol-topology-01.txt 56th IETF San Francisco, CA, USA March 18, 2003.

Protocol Topology Support for IS-IS Kay Noguchi draft-ietf-noguchi-isis-protocol-topology-01.txt 56th IETF San Francisco, CA, USA March 18, 2003.
Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.

Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.
Security Issues in PIM-SM Link-local Messages J.W. Atwood, Salekul Islam {bill, Department.

Security Issues in PIM-SM Link-local Messages J.W. Atwood, Salekul Islam {bill, Department.
86th IETF, Orlando, March 2013 IS-IS Support for Unidirectional Links draft-ginsberg-isis-udl-00.txt Les Ginsberg

86th IETF, Orlando, March 2013 IS-IS Support for Unidirectional Links draft-ginsberg-isis-udl-00.txt Les Ginsberg
ICMP https://store.theartofservice.com/itil-2011-foundation-complete-certification-kit-fourth-edition-study-guide-ebook-and-online-course.html.

ICMP
IS-IS An introduction to IGP routing protocols Hagai Kahana.

IS-IS An introduction to IGP routing protocols Hagai Kahana.
57 th IETF VIENNA draft-sheng-ppvpn-isis-bgp-mpls vpn-01.txt 57 th IETF meeting IS-IS as the PE/CE Protocol in BGP/MPLS VPN draft-sheng-ppvpn-isis-bgp-mpls-00.txt.

57 th IETF VIENNA draft-sheng-ppvpn-isis-bgp-mpls vpn-01.txt 57 th IETF meeting IS-IS as the PE/CE Protocol in BGP/MPLS VPN draft-sheng-ppvpn-isis-bgp-mpls-00.txt.

Similar presentations

Ads by Google