Network Working Group J. Etienne Internet-Draft May 2001 Expires: October 30, 2001 Flaws in RIPv2 packet's authentication draft-etienne-ripv2-auth-flaws-00.txt Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on October 30, 2001. Copyright Notice Copyright (C) The Internet Society (2001). All Rights Reserved. Abstract The current strongest authentication method for RIPv2 (RFC2453[6]) is the MD5 authentication (RFC2082[5]) which uses shared secret key to authenticate the packets. This memo explains the different security flaws we found in the anti-replay and the MACs calculation. The second part presents practical exploitations of these weaknesses: an attacker directly connected to a link, can (i) break neighborhood, (ii) flap routes and (iii) inject obsolete routes. Etienne Expires October 30, 2001 [Page 1] Internet-Draft RIPv2 authentication flaws May 2001 Table of Contents 1. Threat model . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Current authentications . . . . . . . . . . . . . . . . . . 4 2.1 Description . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2 Anti Replay Protection . . . . . . . . . . . . . . . . . . . 5 2.2.1 a timestamp as sequence number . . . . . . . . . . . . . . . 5 2.2.2 a counter as sequence number . . . . . . . . . . . . . . . . 5 2.3 MAC calculation . . . . . . . . . . . . . . . . . . . . . . 6 2.3.1 secret-suffix method . . . . . . . . . . . . . . . . . . . . 6 2.3.2 Unprotected IP header . . . . . . . . . . . . . . . . . . . 6 2.3.3 Unprotected UDP header . . . . . . . . . . . . . . . . . . . 6 2.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 7 3. Exploits . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.1 breaking neighborhood . . . . . . . . . . . . . . . . . . . 8 3.1.1 Higher sequence number . . . . . . . . . . . . . . . . . . . 8 3.2 Route flapping . . . . . . . . . . . . . . . . . . . . . . . 8 3.2.1 route flapping by repeatdely breaking the neighborhood . . . 9 3.2.2 route flapping thanks to poisoned reverse . . . . . . . . . 9 3.3 Inject obsolete routes . . . . . . . . . . . . . . . . . . . 9 3.3.1 higher sequence number . . . . . . . . . . . . . . . . . . . 10 3.3.2 lower sequence number . . . . . . . . . . . . . . . . . . . 10 4. Security considerations . . . . . . . . . . . . . . . . . . 11 References . . . . . . . . . . . . . . . . . . . . . . . . . 12 Author's Address . . . . . . . . . . . . . . . . . . . . . . 12 Full Copyright Statement . . . . . . . . . . . . . . . . . . 13 Etienne Expires October 30, 2001 [Page 2] Internet-Draft RIPv2 authentication flaws May 2001 1. Threat model In this memo, we assume the attacker can read and write packets on the network link. He hasn't the secret key and he is unable to produce a valid MAC without it. If the attacker knows the secret key of a link, he becomes an insider and the security of the whole routing domain is compromised. Resisting to insider's attacks requires deep modifications of the protocol and it is outside the scope of this memo. Etienne Expires October 30, 2001 [Page 3] Internet-Draft RIPv2 authentication flaws May 2001 2. Current authentications The RIPv2's authentication is configured on a per-interface basis. Each router connected to a given link shares the same parameters (i.e. key value, key lifetime and authentication algorithm). RIP has 3 authentication methods: 1. The NULL authentication which doesnt authenticate the packet. 2. The Simple password authentication (RFC2453.4.1[6]) uses a password sent in clear in each packet. If the attacker can read the packets, he has the password and can freely forge new packets. 3. The MD5 authentication(RFC2082[5]) which uses a shared secret key to include a MAC in each packet. Because the null and the simple password authentication are already known to be weak, we focus on the MD5 authentication. 2.1 Description The MD5 authentication provides a secure way to authenticate the packet's generator as a key owner and some protections against packet's replay. The packets include a Message Authentication Code(MAC) calculated with the secret suffix method using MD5 (RFC1321[3]). The MAC is obtained by applying MD5 over the payload and, then, the secret key : MAC = MD5( RIP payload | secret key ). An external attacker can't generate a valid MAC because we assume it ignores the secret key and it is believed to be infeasible to recompute the key from the MAC and the packet. The anti-replay is handled by a sequence number set in sent packets and verified during packet reception. The sequence number must be non-decreasing and is suggested to be a counter, or a timestamp (RFC2082.3.2.1[5]). A received packet is accepted only if its sequence number is greater or equal to the last one accepted from the same source. In brief, when a router sends a packet, it sets the sequence number, stores it in a routing entry with a special address family for compatibility reason(RFC2453.5.2[6]), then computes the MAC and appends it to the packet. When a router receives a packet, it is accepted only if the MAC and the sequence number are valid. Unfortunately, the MD5 authentication has flaws in the anti-replay, the MAC algorithm, and the MAC coverage. Etienne Expires October 30, 2001 [Page 4] Internet-Draft RIPv2 authentication flaws May 2001 2.2 Anti Replay Protection The following features of the MD5 authentication allow a packet to be replayed: o A received packet is accepted if its sequence number is greater than or equal to the previous one (RFC2082.3.2.2[5]). For example, a packet can be replayed just after itself. o The sequence numbers can be reused after a roll over or a boot (e.g. a packet counter RFC2082.3.2.1[5]). o The keying is static and the sequence numbers aren't necessarily stored in a non-volatile memory. When a router goes off-line, its neighbors forget its sequence numbers and an attacker can replay its packets. Each reason is independently sufficient to permit a packet's replay. The sequence number is the base of the anti-replay mechanism, so we present the different possibilities. RFC2082.3.2.1[5] suggests to use a timestamp or a packet counter. 2.2.1 a timestamp as sequence number Using a timestamp as sequence number forces one to either accept several successive packets with the same sequence numbers or to assume that no more than one packet is sent during a clock period.It would unnecessarily create a dependency between the clock frequency and the network throughput. RIPv2 has chosen the former and this likely causes the "greater than or equal to" vulnerability (RFC2082.3.2.2[5]). RFC2082[5] doesn't require to store the timestamp on a stable storage. If it is, it will roll over in the future. The implementations i have seen use the number of seconds since the first january 1970, so the roll over would happen in 2038. RIPv2 will likely no more be used at this time. Nevertheless it is still possible to successfully replay a packet multiple times until the destination accepts a higher sequence number. This delay can be up to 30 seconds (default periodical update interval from RFC2453.3.8[6]) and more in case of packet loss. Not having the time on a stable storage, doesn't solve the previous vulnerability and adds a new one because sequences numbers are reused after each reboot. 2.2.2 a counter as sequence number With a timestamp, packets played in the same time slice (e.g. pkt1 then pkt2) can be replayed in disorder (i.e. pkt2, then pkt1). Using Etienne Expires October 30, 2001 [Page 5] Internet-Draft RIPv2 authentication flaws May 2001 a packet counter makes this impossible. Nevertheless the last packet (pkt2) can still be replayed. If the counter isn't stored on a stable storage it will be reused across reboot. Even if it is, a large router may send 2^32 RIP packets during its lifetime and the sequence number would roll over. So a packet counter still has flaws. 2.3 MAC calculation The MAC calculation of the MD5 authentication has two problems: it uses the secret-suffix method which is known to be weak and applies it only on the RIP payload, leaving the UDP and IP headers unprotected. Surprisingly, RFC2082[5] doesn't specify where the coverage starts but the implementations we checked start at the beginning of the RIP payload. We consider this behavior as a De-facto standard. 2.3.1 secret-suffix method [9] considers the secret-suffix method possibly weak. [8] and [7] explains that an attacker may search for MD5( RIP packet ) collisions, and then use them for any key. This search is efficient because it can be parallelized and done off-line. Nevertheless, this weakness is theoretical and unlikely to be turned into an practical attack. 2.3.2 Unprotected IP header The IP header(RFC0791.3.1[2]) isn't covered by the MAC so a modification would not be detected. If the protocol relies on its fields, it may be the base of an attack. We focus on the fields that may influence RIP and not prevent the packet from reaching the RIP layer (i.e. pass the UDP/IP layers). The matching fields are: o The source address indicates the origin of the packet and is used by RIP to know which neighbor sent the packet(RFC2453.3.9.2[6]). o The destination address indicates the destination of the packet. The IP layer uses it to accept or reject the packets. 2.3.3 Unprotected UDP header An attacker can modify the UDP header (RFC0768[1]) without being detected as well. Nevertheless, the only field used by RIP is the length and any modification, shorter or longer, will cause the authentication verification to fail. Etienne Expires October 30, 2001 [Page 6] Internet-Draft RIPv2 authentication flaws May 2001 2.4 Summary In short, a RIPv2 packet authenticated by RFC2082[5], the current strongest method, can be replayed and it can be done between routers which aren't necessarily the original ones. The anti replay protection has several flaws (see Section 2.2) and the MAC don't cover the UDP and IP headers (see Section 2.3). The next section describes the attacks we found based on these vulnerabilities. Etienne Expires October 30, 2001 [Page 7] Internet-Draft RIPv2 authentication flaws May 2001 3. Exploits Using the weaknesses described in Section 2.2 and in Section 2.3, an attacker directly connected to a single link, can (i) break neighborhood (A neighborhood is the term we use to designate 2 routers seeing each other), (ii) flap routes and (iii) inject obsolete routes. 3.1 breaking neighborhood The router's neighborhood is the base of the anti-replay of MD5 authentication in RIPv2 and we present an attack able to break it using packet replay and ip address spoofing. An attacker can break the neighborhood between R1 and R2 by preventing R1 from seeing R2: 1. The attacker obtains a packet with a sequence number higher than R2 one (see Section 3.1.1). 2. It replays it to R1 faking the R2 source address, R1 accepts it. 3. R1 no more accepts legitimates packets from R2 as their sequence numbers are lower than the last accepted one. 4. R1 eventually breaks the neighborhood considering R2 unreachable. 3.1.1 Higher sequence number As this attack assumes the attacker has a packet with a higher sequence number, this section explains how to obtain such packet. o If the R2 sequence number is a time since a fixed date (typically number of second since 01/01/70), it will likely be much higher than sequences numbers reset at each reboot (e.g. packet counter or time since reboot). If R2 hasn't the highest time of the router connected to the link, an attacker can take a packet from a source with a time ahead from the R2 one. Else an attacker may hope the R2 clock will drift and the R2 administrator will adjust it, but it is unlikely. o If the R2 sequence number is reset as each reboot (e.g. packet counter or time since reboot), the attacker may use a packet from a previous boot or from another router with a higher sequence number (e.g. longer boot or time since a fixed date). 3.2 Route flapping It is possible to flap routes by (i) repeatdely breaking neighborhood (see Section 3.2.1) if the attacker has a packet with a higher sequence number or by (ii) using poisoned reverse (see Etienne Expires October 30, 2001 [Page 8] Internet-Draft RIPv2 authentication flaws May 2001 Section 3.2.2) if all the routers have similar sequence numbers. The consequences of flapping a route is to have suboptimal routing. Moreover, in the AS(autonomous system), each trigger update consumes network when it is flooded, and CPU when it triggers a route recalculation. Outside the AS, the cost of this attack will depend on the protocols used. If the route is exported with BGP, it may be dampened (RFC1771.apx6[4]). 3.2.1 route flapping by repeatdely breaking the neighborhood If an attacker uses the Section 3.1 method, it may break the neighborhood between R1 and R2, so all the R1 routes using R2 as next hop will be timed out and advertised as infinite. R1 will send triggered update on each of the connected links and the AS will try to converge to a slower route no more using R2. After a short moment (WORK: how long), R1 forgets the fake R2 sequence number, accepts again the R2 packets. As R2 offers a faster route, R1 uses it as next hop and sends a triggered update to announce the change. then the attacker breaks the neighborhood again and the route is flapping. 3.2.2 route flapping thanks to poisoned reverse If the all routers have similar values of sequences number, an attacker can't use them for breaking a neighborhood but can still do route flapping thanks to the poisoned reverse(RFC2453.3.4.3[6]). If the router R1 uses a router R2 as next hop for a route, it will advertise this route with a infinite metric on the link between R1 and R2. It prevents from creating 2 hops loop. An attacker can replay the packet with infinite metric back to R1 and fakes the R2 source address, so R1 will accept the packet and update its metric to infinite. The next periodic update from R2 will be accepted as well and R1 will update again with a real metric. If the attacker does it again, the route is flapping. 3.3 Inject obsolete routes An attacker can inject obsolete routes by (i) capturing a packet advertising a route with a given metric (say X), (ii) then waiting for this route to be announced with a metric Y different than X, and (iii) replays the packet with the metric X. The effect of this attack depends on the sequence number of the replayed packet compared to the current one of the connected routers: (i) if the replayed packet has a smaller sequence number, Y needs to be greater than X or (ii) if it has a greaters one, it can be done independantly of Y. Etienne Expires October 30, 2001 [Page 9] Internet-Draft RIPv2 authentication flaws May 2001 3.3.1 higher sequence number If the sequence number of the replayed packet is greater than the current one of connected routers, the attacker sends the packet faking the source address of the current next hop. The packet will be accepted and the new metric will be used, even if it is higher than the former one. 3.3.2 lower sequence number If the sequence number of the replayed packet is lower, the attacker can still fake an unused source address. The destination will accept it because they have no memory of a sequence number. If the replayed metric X is lower than the current one Y, they will use the new fake router as next hop and the attacker can perform any man in the middle attacks (e.g. traffic analysis, black-holes). The attraction of the black-hole depends on the metric delta (i.e Y-X). Etienne Expires October 30, 2001 [Page 10] Internet-Draft RIPv2 authentication flaws May 2001 4. Security considerations This memo presents weaknesses in the current strongest method of authentication. The MD5 authentication anti-replay was known to be weak but its flaws were believed harmless. We found a new flaw in the MAC calculation which allows an attacker to fake the source and destination IP addresses. Combined, these weaknesses allow efficient DoS and the injection of obsolete routes. We present some of the attacks but we strongly suspect there are others as well. We have designed the "anti-replay authentication" (WORK: ref) that fixes these flaws, without, to the best of our knowledge, adding new ones. This method isn't described in this draft, because it isn't yet fully specified in the RIP context. The MAC covers the IP header preventing an attacker from forging it. This method provides a new way to handle anti-replay with static key which is safe across reset. Keeping the core structure of the MD5 authentication, it can be easily plugged in an existing implementation so we think it may be a good replacement of the MD5 authentication. Etienne Expires October 30, 2001 [Page 11] Internet-Draft RIPv2 authentication flaws May 2001 References [1] Postel, J., "User Datagram Protocol", STD 6, RFC 768, 28 August 1980. [2] Postel, J., "Internet Protocol", STD 5, RFC 791, Sep 1981. [3] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April 1992. [4] Rekhter, Y. and T. Li, "A Border Gateway Protocol 4 (BGP-4)", RFC 1771, March 1995. [5] Baker, F. and R. Atkinson, "RIP-2 MD5 Authentication", RFC 2082, January 1997. [6] Malkin, G.S., "RIP Version 2", STD 56, RFC 2453, November 1998. [7] Bellare, M., Canetti, R. and H. Crawczyk, "Keying hash function for Message Authentication", Advances in cryptology Crypto 96 vol 1109, 1996. [8] Preneel, B. and P. Van Oorshot, "MDX-MAC and building fast MACs from hash functions", Advances in cryptology Crypto 96 , 1995. [9] Kaliski, B. and M. Robshaw, "Message authentication with MD5", Cryptobyte Vol1 no1, 1995. Author's Address Jerome Etienne EMail: jme@off.net URI: http://w3.arobas.net/~jetienne Etienne Expires October 30, 2001 [Page 12] Internet-Draft RIPv2 authentication flaws May 2001 Full Copyright Statement Copyright (C) The Internet Society (2001). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Acknowledgement Funding for the RFC editor function is currently provided by the Internet Society. Etienne Expires October 30, 2001 [Page 13]