
List:       ms-ospf
Subject:    Re: (Reply) Re: Denial Of Service Attacks.
From:       Alex Zinin <azinin () NEXSI ! COM>
Date:       2001-10-13 1:05:43


To add to the list of advantages of using the L3 proto as
the transport---implicit L3 functionality check. I've had
a case where IP traffic was blackholed in an ISIS network
(not saying ISIS is bad in any form ;). The reason was
that a router's line card had a bug in the IP processing
code, while the ISIS packets went through just fine,
so the adjacency stayed up, but there was in fact no
IP connectivity through the link.

Having said that, choice of the transport protocol is
an architectural decision. We have two IGPs using different
approaches, both work fine, both got widely deployed.
From the DoS perspective, yes, an IP-based protocol is
more vulnerable. On the other hand, this should be considered
as part of a bigger picture, where a number of methods
can be used to detect and prevent the attacks at different
levels.

--
Alex Zinin

Thursday, October 11, 2001, 2:39:27 AM, S Seema Rao wrote:

> Swati,

> Let's consider the advantages and disadvantages of L3 routing protocols

> Advantages:
> 1] Complete L2 transparency
> 2] Fragmentation

> Disadvantage:
> 1] Can travel multiple hops and can be spoofed
> This can be overcome by setting appropriate filters. In fact routing
> protocols need not be the only means to spoof IP packets. The best way
> to deal with this is to set up filters.

> As for generating multiple router-LSAs, if you select the lowest
> network-wide MTU, you will be generating many unnecessary router LSAs
> over a larger MTU sized link.. Also, if a new link is added with a lower
> MTU, a new set of router LSAs need to be originated with this MTU
> throughout the network. The problem becomes worse on link flapping.

> You obviously cannot have a different set of router-LSAs over each link,
> as the database will not be synchronized.

> Considering the above I think filtering is a good tradeoff to overcome
> all the disadvantages of L2 routing protocols.

> /Seema



> Swati Rastogi wrote:
>>
>> I was watching the things unfold on this mail thread and this is the
>> impression i gathered. Everyone is trying to defend and justify the design
>> specifications of OSPF and taking into account how OSPF works, its being
>> said that a routing protocol must be run over the IP. We know that a router
>> can issue just one router-lsa and it has to stuff whatever it wants to stuff
>> into just that much. Now, since only one router-lsa has to be issued, the
>> maximum size which it can take is that of the max sized IP packet. Now there
>> can be links not supporting that much MTU. In such an eventuality, the
>> packet (router-lsa) needs to be fragmented by the IP. And hence running OSPF
>> over IP is justified!
>>
>> What i want to point out is the fact that it's a deficiency on the part of the
>> design of the protocol (viz. OSPF) that we are stuck with making it run over
>> IP. If we were to remove the limitation that a router can issue multiple
>> router-lsa's then we can manage with smaller MTU links without
>> fragmentation.
>>
>> Configuring and discovering network wide MTU is also not much of a trouble.
>> As ISIS sends its hello packet, the MTU is negotiated there itself. If my
>> neighbor doesn't support my max MTU then i send smaller MTU sized packets.
>> There is no configuration overhead involved the way i see it.
>>
>> Agreed ISIS does not exactly solve the fragmentation problem but yes, it
>> does provide an end to end solution, which somehow clicks!
>> IS-IS is running on one of the probably biggest and the scariest of the
>> networks, and i have never heard it fail.
>>
>> The fact that OSPF is IETF backed makes it more preferred, and generally
>> more accepted.
>>
>> Regards,
>> Swati
>>
>> ----- Original Message -----
>> From: "Moy, John" <John.Moy@SYCAMORENET.COM>
>> To: <OSPF@DISCUSS.MICROSOFT.COM>
>> Sent: Wednesday, October 10, 2001 8:11 PM
>> Subject: Re: (Reply) Re: Denial Of Service Attacks.
>>
>> > I don't want to beat a dead horse, but without fragmentation
>> > your maximum LSA size *must not* exceed the network-wide MTU
>> > (i.e., the smallest MTU of any of the links in the network).
>> > Aside from the awkwardness of configuring or discovering the
>> > network-wide MTU, this doesn't work for OSPF router-LSAs, which
>> > sometimes exceed the commonly used MTU values (like 1500 bytes).
>> >
>> > John
>> >
>> > > -----Original Message-----
>> > > From: Manav Bhatia [mailto:manav@SAMSUNG.CO.KR]
>> > > Sent: Wednesday, October 10, 2001 12:40 AM
>> > > To: OSPF@DISCUSS.MICROSOFT.COM
>> > > Subject: (Reply) Re: Denial Of Service Attacks.
>> > >
>> > >
>> > > Everybody seems to be harping on the fragmentation
>> > > and reassembly benefits one gets by running OSPF over IP.
>> > > IS-IS is run over the data link layer and it has a mechanism
>> > > (i'll prefer to call it a hack!) wherein the HELLO packet is
>> > > padded with arbitrary valued octets (PAD field) so that
>> > > the ISIS datagram is of the maximum size.
>> > > This is done to ensure that an adjacency will only be formed
>> > > between systems which are capable of exchanging packets
>> > > of only "maxsize" octets. This is done to avoid the possibility
>> > > of an adjacency existing with some lower maximum block
>> > > size, with the result that some ISIS packets are not exchanged.
>> > >
>> > > This mechanism obviates the need for fragmentation and
>> > > reassembly. The "maxsize" the link supports, is determined
>> > > at the neighbour discovery stage itself.
>> > >
>> > > Thus the *only* advantage which remains of running OSPF over
>> > > IP is that of complete L2 transparency.
>> > >
>> > > Support for virtual links has its own set of (dis)advantages
>> > > (read as DDOS attacks). I can never launch a DDOS attack
>> > > by spoofing ISIS packets (or a protocol which runs over L2)
>> > >
>> > > -Manav
>> > >
>> > > ----- Original Message -----
>> > > From: Rao, Satya
>> > > To: OSPF@DISCUSS.MICROSOFT.COM
>> > > Sent: Tuesday, October 09, 2001 8:48 PM
>> > > Subject: Re: Denial Of Service Attacks.
>> > >
>> > >
>> > > i agree. However small the processing it is, it still puts
>> > > a burden on the router both in terms of processing as well
>> > > as memory, as all these to-be-junked packets have to be received
>> > > and queued up and held till they are dropped.
>> > >
>> > > I think the shortcomings of not running on IP, such as inability
>> > > to support virtual links and fragmentation and reassembly, can
>> > > be worked around by proper network design and negotiating
>> > > a max packet size etc.
>> > >
>> > > Biggest advantage of running over IP is complete L2
>> > > transparency.
>> > >
>> > > -satya.
>> > >
>> > > > -----Original Message-----
>> > > > From: Swati Rastogi [mailto:swatirstogi@YAHOO.COM]
>> > > > Sent: Tuesday, October 09, 2001 6:33 AM
>> > > > To: OSPF@DISCUSS.MICROSOFT.COM
>> > > > Subject: Denial Of Service Attacks.
>> > > >
>> > > >
>> > > > Hi,
>> > > > We can inject spurious OSPF packets destined to a router
>> > > > multiple hops away
>> > > > as it runs on top of IP. I can send an OSPF packet from my
>> > > > desktop to some
>> > > > router in some remote corner of the world [if i have its IP
>> > > > address]. This
>> > > > way i can combine a lot of compromised systems to inject such
>> > > > malformed OSPF
>> > > > packets and bombard them to a vulnerable victim. This way i
>> > > > can exploit the
>> > > > protocol wherein some amount of time would be spent in
>> > > > processing all such
>> > > > spurious packets.
>> > > >
>> > > > All this is because i run OSPF over IP, the upside is that we
>> > > > have virtual
>> > > > links in OSPF.
>> > > >
>> > > > Why not design a link state routing protocol which runs over
>> > > > data link layer
>> > > > [something similar to ISIS]. This way i may not be able to
>> > > > support virtual
>> > > > links but i am protecting myself from such noxious attacks.
>> > > > What advantages
>> > > > does OSPF offer in running over IP, except probably that it
>> > > > doesn't need to
>> > > > take care of fragmentation, etc.
>> > > >
>> > > > Regards,
>> > > > Swati
>> > > >
>> > > >
>> > > >
>> > > > _________________________________________________________
>> > > > Do You Yahoo!?
>> > > > Get your free @yahoo.com address at http://mail.yahoo.com
>> > > >
>> > >

> --
> S Seema Rao                             seemarao@lucent.com
> Infosys - India Development Team        Phone Office: 91-80-8520902 Ext: 6354
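The filters Seema recommends against the multi-hop spoofing Swati describes, written out as an added example that is not part of this thread: a model of a per-interface OSPF ingress filter, assuming constructed interface addresses, a constructed virtual-link peer and a constructed packet trace. Virtual links are allowed through separately because they are the one legitimate case of OSPF arriving from more than one hop away; the TTL test is the GTSM idea (RFC 5082), which the thread itself does not mention.

```python
from collections import namedtuple
from ipaddress import IPv4Address, ip_address, ip_interface

OSPF_PROTO = 89                                   # IP protocol number of OSPF
OSPF_MCAST = {IPv4Address("224.0.0.5"), IPv4Address("224.0.0.6")}  # AllSPF/AllD

# ingress interface, source, destination, IP protocol, TTL on arrival
Packet = namedtuple("Packet", "ingress src dst proto ttl")

# Constructed addressing for the protected router (assumption, not from the thread).
INTERFACES = {"eth0": ip_interface("10.0.0.1/30"),
              "eth1": ip_interface("192.168.1.1/24")}
# Virtual-link peers are the one legitimate multi-hop OSPF source (constructed).
VIRTUAL_LINK_PEERS = {IPv4Address("10.9.9.9")}

def ospf_verdict(pkt, interfaces=INTERFACES, vl_peers=VIRTUAL_LINK_PEERS, check_ttl=True):
    """Return 'accept', 'pass' (not OSPF) or 'drop: <reason>' for one packet."""
    if pkt.proto != OSPF_PROTO:
        return "pass"
    iface = interfaces.get(pkt.ingress)
    if iface is None:
        return "drop: unknown ingress interface"
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    own_addrs = {i.ip for i in interfaces.values()}
    if src in vl_peers:
        # Virtual-link packets are unicast to one of our addresses and may
        # legitimately have crossed several routers, so skip the on-link checks.
        return "accept" if dst in own_addrs else "drop: virtual link to foreign address"
    # A real neighbour is on the ingress link and is never one of our own addresses.
    if src not in iface.network or src in own_addrs:
        return "drop: source not on the ingress link"
    if dst != iface.ip and dst not in OSPF_MCAST:
        return "drop: unexpected destination"
    # Hop-count check (the GTSM idea, RFC 5082): a neighbour sends with TTL 255,
    # so a packet that crossed any router arrives with TTL below 255.
    if check_ttl and pkt.ttl != 255:
        return "drop: TTL shows the packet crossed a router"
    return "accept"

def filter_trace(packets):
    """Apply the filter to a trace; returns the list of verdicts in order."""
    return [ospf_verdict(p) for p in packets]

SAMPLE = [  # constructed trace
    Packet("eth0", "10.0.0.2", "224.0.0.5", 89, 255),      # legitimate hello
    Packet("eth1", "203.0.113.7", "192.168.1.1", 89, 57),  # multi-hop spoof
    Packet("eth1", "192.168.1.44", "224.0.0.5", 89, 254),  # on-link src, wrong TTL
    Packet("eth0", "10.9.9.9", "10.0.0.1", 89, 250),       # virtual-link peer
    Packet("eth0", "10.0.0.2", "10.0.0.1", 6, 64),         # TCP, not OSPF
]
```

Source filtering only narrows the attack to hosts already on the link; OSPF's own packet authentication is what covers a spoofer sitting on the segment itself.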
