Defeating OSPF with authentication enabled
IPv6 or die

Francois Ropert
LAN Big One of the year (or not)
http://stack.packetfault.org
2008

Francois Ropert   Defeating OSPF security mechanisms

Part I
OSPF insecurity 101

OSPF attacks: state of the art

Before this paper
   OSPF attacks targeted clear-text OSPF message exchanges:
   insertion/removal/modification of routes
   Mitigation of those past attacks => OSPF MD5 authentication
       interface Ethernet0
        ip address 192.168.0.101 255.255.255.0
        ip ospf authentication message-digest
        ip ospf message-digest-key 1 md5 GotBlackholeDbyOSPF
   Note: whatever the routing protocol, authenticating routing
   updates does not give Confidentiality (the C in CIA)

Part II
OSPF attack

OSPF Today Attack

The attack steps
   Disrupt an OSPF router on a switched LAN segment
   Only OSPF HELLO messages are involved. LS messages also use
   sequence-number authentication, but not with the same algorithm
   The packets replayed over the LAN are those sent by other, live
   routers
   In the best case (for the victim) the attack is limited to a time
   window; in the worst case it is not
   The attack blackholes the network

OSPF header: cryptographic authentication part

   OSPF Header
   OSPF Version: 2
   Message Type: Hello Packet (1)
   Packet Length: 48
   Source OSPF Router: 192.168.0.100 (192.168.0.100)
   Area ID: 0.0.0.0 (Backbone)
   Auth Type: Cryptographic
   Auth Key ID: 1
   Auth Data Length: 16
   Auth Crypto Sequence Number: 0x2b9542ad
   Auth Data: 038473959C37C62A7B60D1128212B81E

OSPF Hello header

   OSPF Hello Packet
   Network Mask: 255.255.255.0
   Hello Interval: 10 seconds
   ...
   Router Dead Interval: 40 seconds
   Designated Router: 192.168.0.101
   Backup Designated Router: 192.168.0.100
   Active Neighbor: 192.168.0.101
   The Auth Data (previous slide) is placed after the Active Neighbor
   list in the Ethernet frame

OSPFv2 HELLO packets

What is a HELLO packet?
   "The router is present and ready to receive/send Link State (LS)
   messages"
   The adjacency needs to be bidirectional before the LS packet
   exchange can begin

OSPFv2 HELLO packets

HELLO packets and MD5
   Packets with a higher sequence number are processed
   Packets with a lower sequence number are discarded (or not)
   The sequence number can't be changed before injecting a packet,
   because that breaks the authentication data
   Sequence numbers are circular and restart at 0 after 2^32, in
   steps of 4
   Sequence numbers are reset to 0 after a reboot on some OSPF
   software implementations
   The sequence check relies on the RID, not on the source IP address
   => IP spoofing is useless
   A replayed packet works everywhere the password and the RID are
   the same
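Added example, not part of the slides: it builds the Hello packet from the header and Hello dumps above with the RFC 2328 Appendix D keyed-MD5 digest, then runs the receiver-side checks the bullets describe (digest must verify, crypto sequence number must not regress per RID). Assumed, because the slides do not show them: the Options (0x02) and Router Priority (1) fields and the key truncated to 16 bytes, so the computed digest will not match the Auth Data bytes shown above.

```python
import hashlib
import ipaddress
import struct

# OSPFv2 header (24 bytes). With AuType 2 the 8-byte Authentication field is laid
# out as in RFC 2328 Appendix D: 2 zero bytes, Key ID, Auth Data Len, Crypto Seq.
OSPF_HDR = struct.Struct("!BBH4s4sHH2sBBI")
# Fixed part of a Hello body: mask, hello interval, options, priority, dead
# interval, DR, BDR; the active neighbor list (4 bytes per RID) follows it.
HELLO_FIXED = struct.Struct("!4sHBBI4s4s")


def ip4(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def ospf_md5(packet: bytes, key: str) -> bytes:
    # RFC 2328 D.4.3: MD5 over the OSPF packet (checksum field 0) followed by
    # the 16-byte key, zero padded; a longer key is truncated (assumption).
    return hashlib.md5(packet + key.encode().ljust(16, b"\0")[:16]).digest()


def build_hello(rid, seq, key, dr, bdr, neighbors, hello=10, dead=40,
                mask="255.255.255.0", options=0x02, prio=1, key_id=1):
    """Hello packet plus the trailing 16-byte digest, as it sits on the wire."""
    body = HELLO_FIXED.pack(ip4(mask), hello, options, prio, dead, ip4(dr), ip4(bdr))
    body += b"".join(ip4(n) for n in neighbors)
    length = OSPF_HDR.size + len(body)          # 48 for one neighbor, as above
    hdr = OSPF_HDR.pack(2, 1, length, ip4(rid), ip4("0.0.0.0"), 0, 2, b"\0\0",
                        key_id, 16, seq)
    pkt = hdr + body
    return pkt + ospf_md5(pkt, key)


def parse_hdr(frame: bytes) -> dict:
    f = OSPF_HDR.unpack_from(frame)
    return {"rid": str(ipaddress.IPv4Address(f[3])), "length": f[2],
            "autype": f[6], "key_id": f[8], "auth_len": f[9], "seq": f[10]}


def receive(frame: bytes, key: str, last_seq: dict):
    """Receiver-side check of RFC 2328 D.4.3: the digest must verify and the
    crypto sequence number must not be lower than the last one seen from that RID."""
    h = parse_hdr(frame)
    pkt = frame[:h["length"]]
    digest = frame[h["length"]:h["length"] + h["auth_len"]]
    if h["autype"] != 2 or digest != ospf_md5(pkt, key):
        return False, "bad digest"
    if h["seq"] < last_seq.get(h["rid"], 0):
        return False, "sequence regression"
    last_seq[h["rid"]] = h["seq"]
    return True, "accepted"


def demo():
    key = "GotBlackholeDbyOSPF"        # key from the configuration slide
    seen = {}                          # per-RID last accepted sequence number
    # Constructed Hello with the values of the dumps above (options/prio assumed).
    genuine = build_hello("192.168.0.100", 0x2B9542AD, key, dr="192.168.0.101",
                          bdr="192.168.0.100", neighbors=["192.168.0.101"])
    ok = receive(genuine, key, seen)
    # Editing the sequence number without the key breaks the digest.
    tampered = genuine[:20] + struct.pack("!I", 0x2B9542AD + 4) + genuine[24:]
    edited = receive(tampered, key, seen)
    # After a reboot that restarts the counter near 0, the router's own fresh
    # Hello loses against the higher number already recorded for its RID.
    fresh = build_hello("192.168.0.100", 4, key, dr="192.168.0.101",
                        bdr="192.168.0.100", neighbors=["192.168.0.101"])
    after_reboot = receive(fresh, key, seen)
    return ok, edited, after_reboot
```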
OSPF adjacency before attack

   192.168.0.101#sh ip ospf neighbor
   Neighbor ID     Pri   State          Dead Time   Address         Interface
   192.168.0.100     1   FULL/DROTHER   00:00:31    192.168.0.100   Ethernet0
   192.168.0.1       1   FULL/DR        00:00:34    192.168.0.1     Ethernet0

Breaking an adjacency

When to break an adjacency?
   When the Auth crypto sequence number is very high, before rollover
It's easy in a lab environment
   Pull the plug
   or shut down an interface
   for at least 40 seconds (default DEAD interval), waiting for the
   victim's router to clear its Active Neighbor list
Be a smart ass in a production environment
   DoS, Cisco IOS HTTP Administrative Interface CSRF
   Vulnerability, etc.

OSPF adjacency after break

   The DEAD time is refreshed each time we send a packet over the wire
   The router is not flagged DOWN but stuck in INIT
   A router goes DOWN when Layer 1 is broken
   In this attack, Layer 1 is connected and stable, but the router is
   denied anything else
   The router will never reach the 2-WAY state, which must be
   bidirectional in order to exchange DBD (Database Description)
   packets
   This prevents the router from sending LS packets
   #sh ip ospf neighbor
   Neighbor ID     Pri   State          Dead Time   Address         Interface
   192.168.0.100     1   INIT/DROTHER   00:00:39    192.168.0.100   Ethernet0
   192.168.0.1       1   FULL/DR        00:00:35    192.168.0.1     Ethernet0
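Added example, not part of the slides: an operator-side check for the symptom shown above, a neighbor that stays in INIT while its dead timer keeps being refreshed instead of running down. It parses two constructed `show ip ospf neighbor` snapshots in the format of the output above, taken 30 seconds apart (assumed interval), and flags only neighbors whose timer is higher than it could be if the neighbor had simply gone quiet.

```python
import re
from typing import Dict, List, Tuple

# One `show ip ospf neighbor` row: Neighbor ID, Pri, State, Dead Time, Address, Interface.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d\d):(\d\d):(\d\d)\s+(\S+)\s+(\S+)\s*$")

# Constructed snapshots: the first is the output above, the second is 30 s later
# with the INIT neighbor's dead timer refreshed (37 s) rather than expired.
SAMPLE_T0 = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.0.100     1   INIT/DROTHER    00:00:39    192.168.0.100   Ethernet0
192.168.0.1       1   FULL/DR         00:00:35    192.168.0.1     Ethernet0
"""
SAMPLE_T30 = """\
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.0.100     1   INIT/DROTHER    00:00:37    192.168.0.100   Ethernet0
192.168.0.1       1   FULL/DR         00:00:31    192.168.0.1     Ethernet0
"""


def parse_neighbors(output: str) -> Dict[str, Tuple[str, int]]:
    """Map Neighbor ID -> (state without the DR role, dead time in seconds)."""
    rows = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m:                       # header, prompt or blank line
            continue
        rid, _pri, state, h, mn, s, _addr, _ifc = m.groups()
        rows[rid] = (state.split("/")[0], int(h) * 3600 + int(mn) * 60 + int(s))
    return rows


def stuck_in_init(before: str, after: str, elapsed: int) -> List[str]:
    """Neighbors in INIT in both snapshots whose dead timer was refreshed.
    A neighbor that really went quiet has its timer fall by `elapsed` seconds
    (and disappears once it expires); one still in INIT with a higher timer is
    being fed Hellos that never complete the adjacency."""
    b, a = parse_neighbors(before), parse_neighbors(after)
    flagged = []
    for rid, (state_after, dead_after) in a.items():
        if rid not in b:
            continue
        state_before, dead_before = b[rid]
        if state_before != "INIT" or state_after != "INIT":
            continue
        expected_if_quiet = max(dead_before - elapsed, 0)
        if dead_after > expected_if_quiet:
            flagged.append(rid)
    return flagged


def run_check() -> List[str]:
    return stuck_in_init(SAMPLE_T0, SAMPLE_T30, elapsed=30)
```

In practice the two snapshots come from periodic polling of the router; a legitimately failing neighbor either counts down or drops out of the table and is not reported.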
OSPF adjacency after attack

   When the miscreant is done, the attack stops and the adjacency
   comes back after the dead interval
   The OSPF neighbor goes Init => Down => Init => 2-Way => Exstart
   => Exchange => Loading => Full
   192.168.0.101#sh ip ospf neighbor
   Neighbor ID     Pri   State          Dead Time   Address         Interface
   192.168.0.100     1   FULL/DROTHER   00:00:38    192.168.0.100   Ethernet0
   192.168.0.1       1   FULL/DR        00:00:36    192.168.0.1     Ethernet0

Part III
Impact on the network

IP routing table impact

   Routes learned from the victim's router are cleared: 192.168.5.0/32
   Routes learned from other OSPF routers are still in the IP routing
   table
   192.168.4.0/30 is subnetted, 1 subnets
   C 192.168.4.0 is directly connected, Loopback2
   192.168.7.0/32 is subnetted, 1 subnets
   O 192.168.7.1 [110/11] via 192.168.0.1, 00:00:45, Ethernet0
   (the 192.168.0.1 router is not under attack)
   C 192.168.0.0/24 is directly connected, Ethernet0
   192.168.1.0/30 is subnetted, 2 subnets
   C 192.168.1.0 is directly connected, Loopback0
   C 192.168.1.4 is directly connected, Loopback1

OSPF routing domain impact

OSPF is a tree, not flat
   The threat level depends on the OSPF and network design
   The attacker needs to be located between at least two routers
   Breaking a local area router breaks your broadcast domain
   Breaking an ABR (Area Border Router) disrupts the links of the
   neighbouring areas
   Breaking a router in a collapsed core/distribution design breaks
   more than your LAN
   The run-of-the-mill Network Consultant ("de base") prefers EIGRP
   Growing companies generally migrate from EIGRP to OSPF because
   of scaling
   Collateral damage from the attack can lead to a BGP epic FAIL

OSPF routing domain impact

Part IV
Demo

Part V
Attack mitigation

Weak workarounds

Crap way
   Change the OSPF Router-ID with the interface-level command
   The Router-ID has no relation to a physical or loopback interface
   It works until the miscreant detects it => cat and mouse game
   #sh ip ospf neighbor
   Neighbor ID     Pri   State          Dead Time   Address         Interface
   192.168.0.100     1   INIT/DROTHER   00:00:39    192.168.0.100   Ethernet0
   192.168.5.1       1   FULL/DROTHER   00:00:38    192.168.0.100   Ethernet0

What about changing the message-digest-key frequently? => cat and
mouse game again
The root problem is still there

Mitigation techniques

   No mitigation techniques are offered by the industry today
   Except OSPF version 3, but the requirement is...
       IPv6
       Upgrade or die

   The design way
       If the customer network is hub and spoke, forget dynamic
       routing
       REAL NBMA networks are safe (OSPF HELLO messages can't be
       unicast on a switched LAN)

Annex

   F. Ropert
   MISC magazine 44 - OSPF crypto sequence numbers attack
   D. Bauer research
   Understanding OSPF and BGP interactions Using Efficient Design
   http://www.cs.rpi.edu/ bauerd/wsc-2006/PADS06-BGP-OSPF.pdf
   2006
   IETF rpsec (Routing Protocol Security) group
   The security discussion parts of the RFCs about OSPFv2 MD5 and
   SHA-1 are being updated
   http://www.ietf.org/html.charters/rpsec-charter.html