OSPF Vulnerability - Owning the Routing Table

Saku Ytti saku at ytti.fi
Sun Aug 4 10:12:00 UTC 2013

On (2013-08-04 05:01 -0500), Jimmy Hess wrote:

> I would say the risk score of the advisory is overstated.   And if you
> think "ospf is secure" against LAN activity after any patch,  that
> would be wishful thinking. Someone just rediscovered one of the
> countless innumerable holes in the back of the cardboard box and tried
> covering it with duck tape...

I tend to agree. OTOH I'm not 100% sure if it's unexploitable outside LAN
via unicast OSPF packets.
But like you say MD5 offers some level of protection. I wish there would be
some KDF for IGP KARP so that each LSA would actually have unique
not-to-be-repeated password, so even if someone gets copy of one LSA and
calculates out the MD5 it won't be relevant anymore.

L2 is very dangerous in any platform I've tried, access to L2 and you can
usually DoS the neighbouring router, even when optimally configured
CoPP/Lo0 filter.


More information about the NANOG mailing list