Hi Rajesh,

> Pre-Condition: Nonce stable in the network (no new neighbors) and single
> key ID with infinite life time is used.

Sure!

> Scenario:
> Initially Session ID X is used between router A and Router B and when
> sequence space exhausts in router A, router A will start sending the packet
> with Session ID Y.

Router A will also change the Nonce from N to N' when it changes the Session ID.

> On receiving packet with Session ID Y, Router B will update Y as router A
> Session ID (after validating Nonce and auth checksum. Sequence number cannot
> be checked since wrap around scenario).

Router B will also change its own Nonce from Nold to Nnew. It has to do this because it will need to challenge A when it sees a new Session ID from A. It needs to know if it's indeed A or somebody else replaying an old packet from A. When it sees the new Session ID from A, B will include a new Nonce in its HELLOs and still carry the old Session ID and Nonce values that it had heard from A. A, upon receiving this, would respond with a HELLO citing the new Nonce that it has heard from B. B, upon seeing its new Nonce in A's HELLO, would update its HELLO to include the new Session ID and Nonce from A.

> Now attacker replays session ID X packet and brings the adjacency down in
> the below sequence. Attacker replays two-way Hello which is having Session
> ID X to Router B. On receiving packet with Session ID X,

When somebody replays this packet B will again challenge it with a new Nonce value. You will not be able to attack as you need to use the new Nonce value in your subsequent packets. This is also one reason why we were keeping both the Nonce and the Session IDs in all the packets.

> Router B will update X as router A Session ID (after checking Nonce and auth
> checksum. Sequence number cannot be checked). Now attacker sends Initial DD
> Packet having Session ID X and brings the adjacency down.
>
> FYI: As per the draft: "When the sequence space is exhausted, a router simply
> chooses a new session ID".

.. and a new Nonce. If this isn't there in the draft then it must be added.

Cheers,
Manav

_______________________________________________
OSPF mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ospf
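The challenge-with-a-fresh-Nonce exchange described in the reply above, as an added example that is not part of this thread or of the draft: a Python model of two routers whose HELLOs carry Session ID, Nonce, the neighbour's last Session ID and Nonce, and a sequence number, all covered by a shared-key HMAC. The names (`Router`, `Hello`, `scenario`), the `pending_sid` state, the initial-discovery rule and every value are assumptions made here, not the draft's wire format.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass
KEY = b"shared-ospf-key"  # constructed: the single key ID with infinite lifetime from the pre-condition
@dataclass(frozen=True)
class Hello:
    src: str
    sid: int               # sender's Session ID
    nonce: int             # sender's Nonce
    peer_sid: "int | None" # last Session ID heard from the neighbour
    peer_nonce: int        # last Nonce heard from the neighbour
    seq: int
    def mac(self):  # auth checksum over every field: a replay verifies, but nothing in it can be altered
        return hmac.new(KEY, repr(self).encode(), hashlib.sha256).digest()
class Router:
    def __init__(self, name):
        self.name, self.seq, self.pending_sid = name, 0, None  # pending_sid: Session ID under challenge
        self.sid, self.nonce = secrets.randbits(16), secrets.randbits(32)
        self.peer_sid, self.peer_nonce, self.peer_seq = None, 0, 0  # nothing learnt from the neighbour yet
    def hello(self):
        self.seq += 1
        return Hello(self.name, self.sid, self.nonce, self.peer_sid, self.peer_nonce, self.seq)
    def rollover(self):  # sequence space exhausted: new Session ID *and* new Nonce, sequence restarts
        self.sid, self.nonce, self.seq = (self.sid + 1 + secrets.randbelow(65535)) % 65536, secrets.randbits(32), 0
    def receive(self, h, mac):
        if not hmac.compare_digest(mac, h.mac()):
            return "drop:bad-auth"
        if self.peer_sid is None:  # initial discovery (assumption: the first neighbour heard is adopted)
            self.peer_sid, self.peer_nonce, self.peer_seq = h.sid, h.nonce, h.seq
            return "accept:initial"
        if h.sid == self.peer_sid:  # known session, so the sequence number is checkable
            if h.seq <= self.peer_seq:
                return "drop:replayed-seq"
            self.peer_seq, self.peer_nonce = h.seq, h.nonce  # the neighbour may have picked a fresh Nonce
            return "accept"
        # Unknown Session ID (roll-over, or a replayed old one): sequence not checkable, so challenge with a fresh Nonce
        if self.pending_sid != h.sid:  # first sight of this Session ID; our HELLOs keep the old neighbour values
            self.pending_sid, self.nonce = h.sid, secrets.randbits(32)
        if h.peer_nonce != self.nonce:
            return "challenge"  # not echoing the fresh Nonce: a replayed packet never gets past here
        self.peer_sid, self.peer_nonce, self.peer_seq, self.pending_sid = h.sid, h.nonce, h.seq, None
        return "accept:new-session"
def scenario():  # A rolls over, then the Session-ID-X replay from the thread; returns what B did
    A, B = Router("A"), Router("B")
    def send(src, dst): h = src.hello(); return dst.receive(h, h.mac())  # one authenticated HELLO
    for _ in range(2): send(A, B); send(B, A)                  # adjacency up, B knows A as Session ID X
    captured = A.hello(); B.receive(captured, captured.mac())  # the attacker records this X HELLO
    A.rollover()                                               # A moves to Session ID Y and Nonce N'
    for _ in range(2): send(A, B); send(B, A)                  # B challenges, then A echoes B's fresh Nonce
    y_adopted, replay = B.peer_sid == A.sid, [B.receive(captured, captured.mac()) for _ in range(2)]
    return {"y_adopted": y_adopted, "replay": replay, "live_after_replay": send(A, B)}
```

Running `scenario()` shows B challenging the replayed Session-ID-X HELLO both times without reverting its view of A, while A's live Session-ID-Y HELLO is still accepted afterwards.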
