http://www.networkworld.com/news/2011/0 ... ml?hpg1=bn



Discuss

Looks old actually more info here:
http://webcourse.cs.technion.ac.il/2363 ... ation.pptx.

Hmm, so even authenticating your links is no good?

_________________
www.mellowd.co.uk/ccie/

No, authenticating your links will mitigate this. It says down lower down:



Well no shit Sherlock. If you compromise a router first, and get all the info you need to join yourself to the routing domain, of course you can inject false information.

This isn't news, or an exploit. It's FUD.

_________________
blog.brokennetwork.ca

Ah I see.

Well that isn't as bad an issue as I thought it would be. You should be authenticating your OSPF links by default anyway.

Unless you're running IPv6 of course: http://mellowd.co.uk/ccie/?p=1421

_________________
www.mellowd.co.uk/ccie/

Yeah thats pretty much what I managed to dig out from the presentation - in fact I think you even need to run the attack from router that already has a adjacency.

i.e. even if you dont have authentication simply sending crafted hellos wont work either.

So simply making sure you have "passive" by default and only enabling on trusted segments works too.

Thats on the same note as being able to hack someones computer if you get their password! Sure it might be a little harder to obtain the OPPF encyrption key but still. If you get the golden key then you own the network, no mater what technologies are being used

_________________
http://blog.movingonesandzeros.net/

No, that's what the author is calling the "exploit" here. You send updates that appear to be coming from a legitimate neighbour. You would spoof your source IP/MAC and pretend that you are the DR (for example).

_________________
blog.brokennetwork.ca

Attacker adjacent to an OSPF router? passive interface, anyone? I don't even recommend authentication to customers who aren't using it, because what's the point? If the attacker is in the MDF, unplugging wires plugged into active OSPF interfaces, the game is already over.

Furthermore, what's the application for even having DRs in a modern network? I've got a few, where I'm adjacent with a clustered firewall, but even those make me uncomfortable. <opinion>If your LSDB is full of 'network' LSAs, you're doing it wrong</opinion>

Well. Running a DR will be default on broadcast and non broadcast networks even though most Ethernet interfaces are P2P if used for transit links etc. I guess you could set all links to P2P manually but easy to forget it on one side then.

_________________
http://lostintransit.se

That's what I'm getting at.

I always configure routed links as /31 subnets with 'ip ospf network point-to-point'. It speeds up forming of adjacencies, lowers the LSA count, and simplifies the SPF topology.

'network' LSAs count as nodes from Dijkstra's perspective, complicate path selection.

Unless you've got single-subnet frame relay (nobody does this), or you really have several routers plugged into an L2 broadcast domain (more common, requires tweaking to speed up convergence), there's no reason to run things as a multiaccess network node.

If you mismatch the types, well... Don't do that

I do a lot of VPLS solutions so running OSPF broadcast on the CPEs back into the core so they each speak to each other is extremely common

_________________
www.mellowd.co.uk/ccie/

Mmm.. That's a good use case. I don't think this particular OSPF security issue will be your primary concern if an attacker is L2 adjacent with your VPLS core

Indeed. We still use ospf authentication as it's a good practice regardless.

_________________
www.mellowd.co.uk/ccie/

If I remember correctly, it is stated by the RFCs that any IPv6 device should support IPsec (not implement, but support). Cisco is violating this guideline then?

_________________
http://reggle.wordpress.com

If it is a guideline, it's been violated


Sent on the move...

_________________
www.mellowd.co.uk/ccie/

Yup, exactly my thoughts ... no one should build adjancies on host vlans for 9 million reasons. Absolutely terrible practice.