The MPLS WG Archive[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index][Thread Index][Author Index][Subject Index] My comment on draft-chen-ldp-ttl
A more elaborate version of the comment I made at the mic today: The draft uses the LDP Hello message to negotiate enabling of the TTL check. Though the draft says that only Link Hellos (T=0) should be used for this, it does not say anything about securing those Hellos. Neither RFC3036 nor the draft _require_ the receiving LSR to drop Link Hellos that are sent to an address other than the AllRouters multicast (e.g. an LSR's unicast address). So if a spoofed Link Hello is accepted, the receiver may mistakenly apply the TTL check to a session with a peer that does not support it, and hence prevent it from coming up. Similarly, if a Hello without the new parameter is spoofed, the attacker may cause the LSR to disable the check and mount a overloading DoS attack against an existing session. I would suggest that the draft is modified to recommend that Link Hellos (with or without the new optional parameter) MUST be sent to the unroutable AllRouters multicast address and MUST be dropped by the receiver if they are not. This should make the Link Hellos at least as secure as the session packets. The Security Consideration section should also be extended to describe the potential Link Hello spoofing attack possible by an on-the-wire adversary, and then point out that given the current network operational practices, the risk of such exposure is considered to be sufficiently low. -- Alex
|
|