Dear All,

possible security threats in the sequence space exhaust scenario. Please
check.

Pre-Condition: Nonce stable in the network (no new neighbors) and a single
key ID with infinite lifetime is used.
 
Scenario:
Initially Session ID X is used between router A and Router B, and when the
sequence space exhausts in router A, router A will start sending packets
with Session ID Y. On receiving a packet with Session ID Y, Router B will
update Y as router A's Session ID (after validating the Nonce and auth
checksum; the sequence number cannot be checked since this is a wrap-around
scenario).

Now the attacker replays a Session ID X packet and brings the adjacency down
in the sequence below. The attacker replays a two-way Hello that has Session
ID X to Router B. On receiving the packet with Session ID X, Router B will
update X as router A's Session ID (after checking the Nonce and auth
checksum; the sequence number cannot be checked). Now the attacker sends an
Initial DD packet having Session ID X and brings the adjacency down.

FYI: As per the draft: "When the sequence space is exhausted, a router simply
chooses a new session ID".

Thanks
Rajesh
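
The rollover-and-replay sequence described in the message above, modelled as an added example (not part of the original e-mail or of the draft). `accept` follows the receiver behaviour the message describes; the `monotonic_session` flag is an assumed mitigation that rejects a session ID lower than the stored one. All names and packet values are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:              # hypothetical model of the fields the message mentions
    session_id: int
    seq: int
    nonce: int
    auth_ok: bool = True   # stands in for a valid auth checksum under the single key

@dataclass
class Neighbor:            # what Router B stores about router A
    nonce: int
    session_id: int
    last_seq: int

def accept(nbr, pkt, monotonic_session=False):
    if not pkt.auth_ok or pkt.nonce != nbr.nonce:
        return False
    if pkt.session_id != nbr.session_id:
        # Assumed mitigation (not from the draft): session IDs may only increase.
        if monotonic_session and pkt.session_id < nbr.session_id:
            return False
        # Described behaviour: adopt the new session ID; seq cannot be compared.
        nbr.session_id, nbr.last_seq = pkt.session_id, pkt.seq
        return True
    if pkt.seq <= nbr.last_seq:   # ordinary replay check within one session
        return False
    nbr.last_seq = pkt.seq
    return True

def run(monotonic_session):
    X, Y, NONCE = 1, 2, 0xABCD                # constructed values
    nbr = Neighbor(nonce=NONCE, session_id=X, last_seq=0)
    hello = Packet(X, 100, NONCE)             # genuine two-way Hello under X
    dd = Packet(X, 150, NONCE)                # genuine initial DD under X
    sequence = [
        hello, dd,
        Packet(X, 200, NONCE),                # last packet before seq exhaustion
        Packet(Y, 1, NONCE),                  # router A rolls over to session Y
        hello, dd,                            # captured X packets seen again
    ]
    results = [accept(nbr, p, monotonic_session) for p in sequence]
    return results, nbr.session_id

if __name__ == "__main__":
    print("as described :", run(False))
    print("monotonic IDs:", run(True))
```

With the described logic both old packets are accepted and the stored session ID falls back to X; with the assumed monotonic check they are rejected and the session ID stays Y.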




-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
Bhatia, Manav (Manav)
Sent: Thursday, January 20, 2011 6:52 AM
To: Glen Kent; Michael Barnes
Cc: [email protected]; Sam Hartman; [email protected]
Subject: Re: [OSPF] [karp] Security Extension for OSPFv2 when using Manual
KeyManagement

Hi Glen,
 
> Can I request the authors to post a revised ID fixing the 
> Authentication details in the OSPF header. At present, I am confused 
> as I don't see the Key ID, Sequence Numbers anywhere in the packets.

The revised draft has been updated and posted. It's available here:
http://www.ietf.org/id/draft-bhatia-karp-ospf-ip-layer-protection-02.txt

> 
> I agree that some discussion on overloading of the Hellos must happen.
> However, I would also like to see some discussion on whether the 
> proposed mechanism of Nonces and Session IDs would work. I think that 
> is the key element in this work. If that is verified then everything 
> else can be built around that.

Yup, I agree!

Cheers, Manav

> 
> Glen
_______________________________________________
OSPF mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ospf
