OSPF Vulnerability - Owning the Routing Table

Jimmy Hess mysidia at gmail.com
Sun Aug 4 10:01:00 UTC 2013

On 8/4/13, Saku Ytti <saku at ytti.fi> wrote:
> On (2013-08-03 18:38 -0500), Jimmy Hess wrote:
>> That's not news to me, but fully expected.
>> Do the vendors /really/ have a code fix to what would seem to be an
>> inherent problem; if you failed to properly secure your OSPF
>> implementation (via MD5 authentication)?
> It is news to me. It's a design flaw in the protocol itself which has gone
> unnoticed for two decades and I would have naively fully expected that this
> flaw does not exist in the standard.

I would say the risk score of the advisory is overstated. And if you
think "OSPF is secure" against LAN activity after any patch, that
would be wishful thinking. Someone just rediscovered one of the
countless innumerable holes in the back of the cardboard box and tried
covering it with duct tape...

What is the rationale for overlooking or ignoring the possibility
that an attacker can introduce a device with /faithful/ correct
implementation of the protocol with bad/malicious data
intentionally advertised by the "Rogue speaker"?

This could be as simple as inserting a real router (which can be
just a piece of software) on a broadcast LAN with a proper OSPF
implementation but malicious configuration -- in that routes
configured for advertisement are bogus ones, or a router ID is
intentionally chosen to conflict with the router ID of another

In addition, the rogue router can be configured such that it forces
an election and becomes the DR.

Just a few examples
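
Added example, not part of the original post: a passive check a defender could run over OSPFv2 packets captured on a broadcast LAN to flag the conditions described above (no cryptographic authentication, a router ID claimed from the wrong address, an unexpected DR in a Hello). The inventory, addresses and sample packets are constructed assumptions, and the check only reads the AuType field; it does not verify the authentication digest.

```python
import ipaddress
import struct

# Constructed inventory (assumption): router ID -> its interface address on this LAN.
EXPECTED = {"10.0.0.1": "192.0.2.1", "10.0.0.2": "192.0.2.2"}
AUTYPE = {0: "null", 1: "simple password", 2: "cryptographic"}  # RFC 2328 AuType values

def _ip(raw):
    return str(ipaddress.IPv4Address(raw))

def _pack(addr):
    return ipaddress.IPv4Address(addr).packed

def build_hello(router_id, autype, priority, dr):
    """Build a constructed OSPFv2 Hello (checksum and digest left zero) as sample input."""
    header = struct.pack("!BBH4s4sHH8s", 2, 1, 44, _pack(router_id), bytes(4), 0, autype, bytes(8))
    body = struct.pack("!4sHBBI4s4s", _pack("255.255.255.0"), 10, 0x02, priority, 40, _pack(dr), bytes(4))
    return header + body

def audit_ospf(src_ip, payload):
    """Return findings for one OSPFv2 packet (the IP payload) seen from src_ip."""
    if len(payload) < 24:
        return ["truncated OSPF header"]
    version, ptype, _len, rid, _area, _cksum, autype = struct.unpack("!BBH4s4sHH", payload[:16])
    if version != 2:
        return [f"not OSPFv2 (version {version})"]
    router_id, findings = _ip(rid), []
    if autype != 2:
        findings.append(f"{src_ip}: AuType {AUTYPE.get(autype, autype)}, not cryptographic")
    owner = EXPECTED.get(router_id)
    if owner is None:
        findings.append(f"{src_ip}: unknown router ID {router_id}")
    elif owner != src_ip:
        findings.append(f"{src_ip}: router ID {router_id} belongs to {owner}")
    if ptype == 1 and len(payload) >= 44:  # Hello: DR is carried as an interface address
        dr = _ip(payload[36:40])
        if dr != "0.0.0.0" and dr not in EXPECTED.values():
            findings.append(f"{src_ip}: advertises unexpected DR {dr} (priority {payload[31]})")
    return findings

if __name__ == "__main__":
    samples = [("192.0.2.1", build_hello("10.0.0.1", 2, 1, "192.0.2.1")),
               ("192.0.2.66", build_hello("10.0.0.1", 0, 255, "192.0.2.66"))]
    for src, pkt in samples:
        print(src, audit_ospf(src, pkt) or "ok")
```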

