OSPF WG
Mechanism to protect OSPFv2 Auth from IP Layer Issues
Manav Bhatia, Alcatel-Lucent
IETF 79, Beijing
Introduction (1/2) • OSPFv2 authentication was extended by RFC 5709 (HMAC-SHA cryptographic authentication). • Even with the RFC 5709 mechanism in use, OSPFv2 remains vulnerable to attacks that only change the source IP address of an incoming OSPF packet, because the IP header is not covered by the digest. See RFC 6039 for details.
Current Auth Mechanism • RFC 5709 defines Apad as the constant 0x878FE1F3 repeated L/4 times, where L is the length in bytes of the hash output being used • The OSPF Authentication Data field is filled with Apad before the cryptographic computation begins, so Apad is covered by the digest
Proposed Auth Mechanism • Redefines Apad to be the source IP address of the OSPF packet instead of the constant it is today • No other change to the cryptographic mechanism • The source IP address is therefore factored into the digest, so an attack that rewrites it produces a digest mismatch at the receiver and fails
Example (diagram on the slide): router A sends an OSPFv2 packet to router B; its Authentication Data was computed assuming source IP X.
1. The OSPF packet is replayed with the source IP changed from X to X'.
2. B computes the digest assuming the source IP is X'.
3. B rejects the packet because the computed digest does NOT match the digest carried in the packet.
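The following is an added example, not code from the slides or from Alcatel-Lucent: it computes an RFC 5709-style digest over a minimal OSPFv2 Hello, once with the constant Apad ("Current Auth Mechanism") and once with Apad derived from the IP source address ("Proposed Auth Mechanism"), and then walks the replay from the diagram above. The key, addresses and packet contents are constructed sample values, and the rule for filling the L-byte Apad from a 4-byte address (repeating it L/4 times) is an assumption, since the slides only say that Apad becomes the source IP.

```python
"""
Added example (not from the slides): replay with a rewritten source IP
against the constant Apad of RFC 5709 versus an Apad bound to the source IP.
"""
import hashlib
import hmac
import ipaddress
import struct

HASH = hashlib.sha256
L = HASH().digest_size            # 32 bytes of Authentication Data
APAD_CONST = 0x878FE1F3           # constant from RFC 5709
KEY = b"constructed-sample-key"   # constructed; shared by routers A and B


def apad_rfc5709() -> bytes:
    """Current Apad: the constant repeated L/4 times."""
    return APAD_CONST.to_bytes(4, "big") * (L // 4)


def apad_source_ip(src_ip: str) -> bytes:
    """Proposed Apad: the packet's IPv4 source address.
    Assumption: the 4-byte address is repeated L/4 times to fill the field."""
    return ipaddress.IPv4Address(src_ip).packed * (L // 4)


def build_hello(router_id: str, area_id: str, seq: int, key_id: int = 1) -> bytes:
    """Minimal OSPFv2 Hello with AuType 2 (cryptographic). The checksum is
    zero and the packet length excludes the trailing Authentication Data."""
    body = struct.pack("!4sHBBI4s4s",
                       ipaddress.IPv4Address("255.255.255.0").packed,
                       10,            # HelloInterval
                       0x02,          # Options (E bit)
                       1,             # Router priority
                       40,            # RouterDeadInterval
                       b"\x00" * 4,   # Designated Router
                       b"\x00" * 4)   # Backup Designated Router
    hdr = struct.pack("!BBH4s4sHHHBBI",
                      2, 1, 24 + len(body),
                      ipaddress.IPv4Address(router_id).packed,
                      ipaddress.IPv4Address(area_id).packed,
                      0,      # checksum: zero when cryptographic auth is used
                      2,      # AuType 2 = cryptographic authentication
                      0,      # reserved
                      key_id, L, seq)
    return hdr + body


def digest(key: bytes, pkt: bytes, apad: bytes) -> bytes:
    """RFC 5709 two-pass hash over the packet with Authentication Data = Apad.
    Python's hmac applies the same Ko / Ipad / Opad handling as RFC 5709."""
    return hmac.new(key, pkt + apad, HASH).digest()


def sign(key: bytes, pkt: bytes, src_ip: str, bind_src_ip: bool) -> bytes:
    """Sender side: append the digest; src_ip is the address A will send from."""
    apad = apad_source_ip(src_ip) if bind_src_ip else apad_rfc5709()
    return pkt + digest(key, pkt, apad)


def verify(key: bytes, wire: bytes, src_ip: str, bind_src_ip: bool) -> bool:
    """Receiver side: src_ip is taken from the IP header of the datagram that
    actually arrived, not from anything inside the OSPF packet."""
    pkt, carried = wire[:-L], wire[-L:]
    apad = apad_source_ip(src_ip) if bind_src_ip else apad_rfc5709()
    return hmac.compare_digest(digest(key, pkt, apad), carried)


def replay_with_new_source_accepted(bind_src_ip: bool) -> bool:
    """A sends from X; the same bytes are replayed with source X'.
    Returns True if B accepts the replayed packet."""
    pkt = build_hello("1.1.1.1", "0.0.0.0", seq=1000)
    wire = sign(KEY, pkt, "10.0.0.1", bind_src_ip)       # A, source X
    assert verify(KEY, wire, "10.0.0.1", bind_src_ip)    # genuine packet: ok
    return verify(KEY, wire, "10.0.0.2", bind_src_ip)    # replay, source X'


if __name__ == "__main__":
    print("RFC 5709 Apad, replay accepted:", replay_with_new_source_accepted(False))
    print("source-IP Apad, replay accepted:", replay_with_new_source_accepted(True))
```

With the constant Apad the replayed packet verifies, because nothing in the digest depends on the IP header; with the source-IP Apad, B's recomputed Apad differs from the one A used, so the digests disagree and the packet is dropped, exactly the sequence in the diagram.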