OSPF Vulnerability - Owning the Routing Table
mysidia at gmail.com
Sun Aug 4 10:01:00 UTC 2013
On 8/4/13, Saku Ytti <saku at ytti.fi> wrote:
> On (2013-08-03 18:38 -0500), Jimmy Hess wrote:
>> That's not news to me, but fully expected.
>> Do the vendors /really/ have a code fix to what would seem to be an
>> inherent problem; if you failed to properly secure your OSPF
>> implementation (via MD5 authentication)?
> It is news to me. It's design flaw in the protocol itself which has gone
> unnoticed for two decades and I would have naively fully expected that this
> flaw does not exist in standard.
I would say the risk score of the advisory is overstated. And if you
think "ospf is secure" against LAN activity after any patch, that
would be wishful thinking. Someone just rediscovered one of the
countless innumerable holes in the back of the cardboard box and tried
covering it with duck tape...
What is the rationale for overlooking or ignoring the possibility
that an attacker can introduce a device with /faithful/ correct
implementation of the protocol with bad/malicious data
intentionally advertised by the "Rogue speaker" ?
This could be as simple as inserting a real router (which can be
just a piece of software) on a broadcast LAN with a proper OSPF
implementation but malicious configuration -- in that routes
configured for advertisement are bogus ones, or a router ID is
intentionally chosen to conflict with the router ID of another
In addition, the rogue router, can be configured such that it forces
an election and becomes the DR.
Just a few examples
More information about the NANOG