milo
Uploaded by
6 SLIDES
210 VIEWS
60LIKES

Enhancing OSPFv2 Authentication: Protecting Against IP Layer Attacks

DESCRIPTION

This paper discusses enhancements to OSPFv2 authentication mechanisms to mitigate vulnerabilities related to IP layer issues. It highlights the limitations of the current authentication method outlined in RFC 5709, particularly how changes to the source IP address in incoming OSPF packets can lead to security breaches. The proposed solution involves redefining the Apad constant to be the source IP address rather than a static value, ensuring that authentication calculations are robust against such attacks. The results demonstrate improved integrity verification in OSPFv2 packet handling.

1 / 6

Download Presentation

Enhancing OSPFv2 Authentication: Protecting Against IP Layer Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. OSPF WG Mechanism to protect OSPFv2 Auth from IP Layer Issues Manav Bhatia, Alcatel-Lucent IETF 79, Beijing

  2. Introduction (1/2) • OSPFv2 authentication was extended by RFC 5709. • Despite using authentication mechanism as described in 5709, OSPFv2 is vulnerable to some attacks which can be caused by changing the IP address of the incoming OSPF packet - Read RFC 6039 for more details

  3. Current Auth Mechanism • RFC 5709 defines Apad to be a constant 0x878fe1f3 repeated L/4 times, where L is length of hash being used • OSPF Auth data is filled with Apad before crypto computations begin

  4. Proposed Auth Mechanism • Redefines Apad to be the source IP in the OSPF packet instead of the constant that it currently is • No other change in the crypto mechanism • With this, the source IP address is factored in when computing the crypto hash, thus attacks which change this, will not be successful now

  5. 1. OSPF Packet replayed and source IP changed from X to X' A B Source IP - X' Authentication has been computed assuming source IP as X OSPFv2 Data 2. B computes the digest assuming the source IP as X' Authentication Data 3. B rejects the packet as the computed digest does NOT match the digest carried in the packet!

  6. Feedback!

More Related