Presentation is loading. Please wait.

Presentation is loading. Please wait.

OSPF Security Vulnerabilities Analysis draft-jones-OSPF-vuln-01.txt IETF 58 – RPSEC Working Group.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "OSPF Security Vulnerabilities Analysis draft-jones-OSPF-vuln-01.txt IETF 58 – RPSEC Working Group."— Presentation transcript:

1 OSPF Security Vulnerabilities Analysis draft-jones-OSPF-vuln-01.txt emanuele.jones@alcatel.com olivier.le_moigne@alcatel.com IETF 58 – RPSEC Working Group November 2003 Minneapolis, MN, USA

2 Draft’s Purpose > Provide a complete vulnerability analysis coverage for OSPF > Leverage OSPF vulnerabilities assessment: Outline areas of intervention to harden the overall security of OSPF Provide a reference to better mandate requirements for security of future routing protocols

3 Draft’s Approach > The draft is a systematic analysis of all OSPF mechanisms and messages to identify potential security vulnerabilities > The Internet Draft is divided in three sections: General Vulnerabilities not tied to any specific OSPF message Per-Message Vulnerabilities Resource Consumption (DoS) Vulnerabilities > The draft is not intended to encompass implementation specific vulnerabilities although a few pointers to observed critical implementation resources are provided

4 Draft’s Outline > Vulnerabilities due to the design and nature of OSPF – Attacker’s Location – Disabling of OSPF Fight Back – Leveraging Fight Back as intrinsic source for DoS – External Routes propagation > Vulnerabilities for each of the 5 OSPF messages: – Hello – Link State Update – Link State Request – Link State Acknowledge – Link State Database Description > Vulnerabilities due to Resource Consumption – Vulnerabilities due to Cryptographic Resources > Vulnerabilities through other protocols (e.g. IP, Management…)

5 Three Examples from the Draft > Three examples of vulnerabilities presented in the draft and how to exploit them : Vulnerability Outcome ID’s Reference LSA Modification Topology Changes3.2.4.3-4 “Phantom” LSAs Database Overflow3.3.5 External LSA Forwarding Data-Traffic Loop3.2.4.6

6 Exploit #1 – Topology Changes > Vulnerability: LSA Information Modification [3.2.4.3-4] Pre-condition: – Being able to CONSTANTLY inject valid OSPF messages – Weak MD5 key choice/Compromised Router – No Cryptographic Authentication, etc… Possible Impact: Topology Changes – Allow Eavesdropping – Starve/Overload a network Expected Outcome: – Highly unstable topology (loops, route-flapping) due to Fight Back of LSAs between attacker and legitimate owner Observed Outcome (as supported by the RFC!) – PERMANENT or SEMI-PERMANENT topology changes due to ineffective Fight Back

7 Fight Back > What is fight back? Every LSA that is circulating containing wrong information will be corrected by its owner > Papers on OSPF security suggest that Fight Back corrects the damage of most attacks Many theoretical attacks are not worth the effort just to cause a brief topology change [ “An Experimental Study of Insider Attacks for the OSPF Routing Protocol”, Vetter et al. “On the Vulnerabilities and Protection of OSPF Routing Protocol”, Wang and Wu ]

8 Disabling Fight Back > OSPF Fight Back can be Disabled Heavily Diluted > Attacks on LSA information are then SUCCESFUL > HOW? 1. Periodic Injection > Exploiting an architectural “flaw” in the OSPF flooding algorithm > [ RFC 2328, 13.5 (a) (b) and (f) ] > MinLSInterval (5 seconds) 2. Prevent information from reaching the router legitimate owner > Subverted router that partitions the network 3. Inject information on behalf of non-existing routers

9 Exploit #2 - Resource Consumption > “Phantom LSAs” are Router/Network LSAs sent on behalf of non-existing OSPF peers > These entries are ignored by the Shortest Path First (SPF) algorithm (do not produce topology changes) > “Phantom LSAs” are entered in the Link State Database Each entry is kept for MaxAge (1hour) No fight back is triggered since there is no legitimate owner > Exhausting Link-State Database resources will put OSPF in a very delicate state and stress implementation’s robustness

10 Exploit #3 - Creating a Data-Traffic Loop > Vulnerability: Modifying External LSA Forwarding Field [3.2.4.6] Pre-Condition: – Being able to inject valid OSPF messages – Weak MD5 key choice/Compromised Router – No Cryptographic Authentication, etc… – E-Bit Enabled on advertising peer’s Router LSA – Change Forwarding Address 0.0.0.0 to a router (host) in any Stub Area Possible Impact: – Data never gets to its destination because it is stuck in a loop. – Outgoing External Traffic forwarded to a Stub Area router (host) will LOOP between the ABR and its next hop towards the forwarding point. [RFC 2328, 3.6]

11 Conclusions > OSPF presents significant security vulnerabilities, which should not be overlooked in future routing protocols (IGP) requirements. > OSPF is generally associated with some misconceptions about the protocol’s security and its intrinsic resilience to attacks: Lead to a false security threat analysis

12 Next Steps > Would like to receive more feedback from the group > Could this document become a WG item? Addresses charter item: “Submit I-Ds documenting threats to routing systems for publication as Informational RFC.” for OSPF

13 ?

14 Back up slides

15 Periodic Injection > When a legitimate owner receives a malicious copy of its own LSAs: SINCE – the malicious LSA has higher sequence number – a copy of the LSA is already present in the LinkStateDB and this copy was not received by flooding but installed by the router itself THEN Flood the malicious LSA and AFTER check ownership THEN TRY to update the malicious LSA [RFC 2328, 13, p.143-6] Why try? – Because a router cannot inject two same LSAs faster than MinLSInterval (5 seconds) BUT it will immediately flood any LSA received. [RFC 2328, 12.4, p.125] If the attacker is injecting malicious LSAs with a rate higher than MinLSInterval, the legitimate owner will not only NOT fight back but it will ALSO collaborate in the flooding

16 Data-Traffic Loop Compromised Router 123.1.2.0  E...... F  E 0.0.0.0  D D  direct F  direct 0.0.0.0  E D  E F  direct FF AA BB CC EE DD GG 11 22 33 BACKBONEBACKBONE STUB AREA 123.1.2.0123.1.2.0 Ext. LSA 123.1.2.0 Forward F is present in LinkStateDB Ext. LSA 123.1.2.0 Forward F is present in LinkStateDB NO Ext. LSAs: 123.1.2.0 is pointed to DEFAULT ROUTE Attacker is advertising External Route to 123.1.2.0 with Forward to F DATA Traffic TO: 123.1.2.0 DATA Traffic TO: 123.1.2.0

17 > An OSPF router could be attacked from ANYWHERE in the internet if the router’s IP address is known. Extremely easy to mount DDoS attacks for outsider attackers. Extremely difficult to trace back the attacker Attacker’s Location Physical access to the link Attacker “On the Path” Physical access to the link Attacker “On the Path” Access to the link’s password Access to a router Telnet or SSH Session Session OSPFRouterOSPFRouter OSPFRouterOSPFRouter OSPFRouterOSPFRouter OSPFRouterOSPFRouter OSPFRouterOSPFRouter OSPFRouterOSPFRouter OSPFDomainOSPFDomain OSPFDomainOSPFDomain ATTACKERATTACKER ATTACKERATTACKER ATTACKERATTACKER INTERNETINTERNET INTERNETINTERNET

18 Remote Attacker Backup “The IP destination address for the packet is selected as follows. On physical point-to-point networks, the IP destination is always set to the address AllSPFRouters. On all other network types (including virtual links), the majority of OSPF packets are sent as unicasts, i.e., sent directly to the other end of the adjacency. In this case, the IP destination is just the Neighbor IP address associated with the other end of the adjacency (see Section 10).” RFC 2328, 8.1

19 Hop-by-hop OSPF’s Security > All OSPF peers (on the same network) share the same secret key. > If the attacker compromises ONE single link it can now attack the entire domain. From the compromised link attacker can inject LSAs on behalf of every other OSPF router (even if other links use a different secret!) > Security Consequences: Local Intrusion Global Impact – Attacker that compromises one link/peer can possibly then attack anywhere in the entire domain Never know which is the compromised/malicious router – Even if an attack/suspicious behaviour is detected, it may not be immediate to identify the malicious router

20 Stub-Area Default Route “One or more of the stub area's area border routers must advertise a default route into the stub area via summary-LSAs. These summary defaults are flooded throughout the stub area, but no further.” “These summary default routes will be used for any destination that is not explicitly reachable by an intra-area or inter-area path (i.e., AS external destinations).” “An area can be configured as a stub when there is a single exit point from the area, or when the choice of exit point need not be made on a per-external-destination basis” RFC 2328, 3.6, pag. 37 “Forwarding address Data traffic for the advertised destination will be forwarded to this address. If the Forwarding address is set to 0.0.0.0, data traffic will be forwarded instead to the LSA's originator (i.e., the responsible AS boundary router).” RFC 2328, A.4.5, pag. 215

Download ppt "OSPF Security Vulnerabilities Analysis draft-jones-OSPF-vuln-01.txt IETF 58 – RPSEC Working Group."

Similar presentations

Introduction to OSPF.

Introduction to OSPF.
Lonnie Decker Multiarea OSPF for CCNA Department Chair, Networking/Information Assurance Davenport University, Michigan August 2013 Elaine Horn Cisco Academy.

Lonnie Decker Multiarea OSPF for CCNA Department Chair, Networking/Information Assurance Davenport University, Michigan August 2013 Elaine Horn Cisco Academy.
Designing OSPF Networks

Designing OSPF Networks
RIP V2 W.lilakiatsakun.  RFC 2453 (obsoletes –RFC 1723 /1388)  Extension of RIP v1 (Classful routing protocol)  Classless routing protocol –VLSM is.

RIP V2 W.lilakiatsakun.  RFC 2453 (obsoletes –RFC 1723 /1388)  Extension of RIP v1 (Classful routing protocol)  Classless routing protocol –VLSM is.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 6: Multiarea OSPF Scaling Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 6: Multiarea OSPF Scaling Networks.
BY MICHAEL SUDKOVITCH AND DAVID ROITMAN UNDER THE GUIDANCE OF DR. GABI NAKIBLY OSPF Security project: Summary.

BY MICHAEL SUDKOVITCH AND DAVID ROITMAN UNDER THE GUIDANCE OF DR. GABI NAKIBLY OSPF Security project: Summary.
Update to: The OSPF Opaque LSA Option draft-berger-ospf-rfc2370bis Lou Berger Igor Bryskin Alex Zinin

Update to: The OSPF Opaque LSA Option draft-berger-ospf-rfc2370bis Lou Berger Igor Bryskin Alex Zinin
1 AS-scope (type 11) Opaque LSA Validation ( draft-bryskin-ospf-lsa-type11-validation-00.txt ) Igor Bryskin (Movaz Networks) : Alex.

1 AS-scope (type 11) Opaque LSA Validation ( draft-bryskin-ospf-lsa-type11-validation-00.txt ) Igor Bryskin (Movaz Networks) : Alex.
By Alex Kirshon and Dima Gonikman Under the Guidance of Gabi Nakibly.

By Alex Kirshon and Dima Gonikman Under the Guidance of Gabi Nakibly.
Nov 11, 2004CS573: Network Protocols and Standards1 IP Routing: OSPF Network Protocols and Standards Autumn 2004-2005.

Nov 11, 2004CS573: Network Protocols and Standards1 IP Routing: OSPF Network Protocols and Standards Autumn
CCNA 2 v3.1 Module 6.

CCNA 2 v3.1 Module 6.
1 Relates to Lab 4. This module covers link state routing and the Open Shortest Path First (OSPF) routing protocol. Dynamic Routing Protocols II OSPF.

1 Relates to Lab 4. This module covers link state routing and the Open Shortest Path First (OSPF) routing protocol. Dynamic Routing Protocols II OSPF.
Unicast Routing Protocols: RIP, OSPF, and BGP

Unicast Routing Protocols: RIP, OSPF, and BGP
CSEE W4140 Networking Laboratory Lecture 5: IP Routing (OSPF and BGP) Jong Yul Kim 02.18.2009.

CSEE W4140 Networking Laboratory Lecture 5: IP Routing (OSPF and BGP) Jong Yul Kim
© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—5#-1 MPLS VPN Implementation Configuring OSPF as the Routing Protocol Between PE and CE Routers.

© 2006 Cisco Systems, Inc. All rights reserved. MPLS v2.2—5#-1 MPLS VPN Implementation Configuring OSPF as the Routing Protocol Between PE and CE Routers.
1 ECE453 – Introduction to Computer Networks Lecture 10 – Network Layer (Routing II)

1 ECE453 – Introduction to Computer Networks Lecture 10 – Network Layer (Routing II)
Objectives After completing this chapter you will be able to: Describe hierarchical routing in OSPF Describe the 3 protocols in OSPF, the Hello, Exchange.

Objectives After completing this chapter you will be able to: Describe hierarchical routing in OSPF Describe the 3 protocols in OSPF, the Hello, Exchange.
1 Semester 2 Module 6 Routing and Routing Protocols YuDa college of business James Chen

1 Semester 2 Module 6 Routing and Routing Protocols YuDa college of business James Chen
1 Relates to Lab 4. This module covers link state routing and the Open Shortest Path First (OSPF) routing protocol. Dynamic Routing Protocols II OSPF.

1 Relates to Lab 4. This module covers link state routing and the Open Shortest Path First (OSPF) routing protocol. Dynamic Routing Protocols II OSPF.
© Janice Regan, CMPT 128, 2007-2012 0 CMPT 371 Data Communications and Networking Routing in the Internet Internal Routing Protocols.

© Janice Regan, CMPT 128, CMPT 371 Data Communications and Networking Routing in the Internet Internal Routing Protocols.

Similar presentations

Ads by Google