summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc2082.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc2082.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc2082.txt')
-rw-r--r--doc/rfc/rfc2082.txt675
1 files changed, 675 insertions, 0 deletions
diff --git a/doc/rfc/rfc2082.txt b/doc/rfc/rfc2082.txt
new file mode 100644
index 0000000..a09d49c
--- /dev/null
+++ b/doc/rfc/rfc2082.txt
@@ -0,0 +1,675 @@
+
+
+
+
+
+
+Network Working Group F. Baker
+Request for Comments: 2082 R. Atkinson
+Category: Standards Track Cisco Systems
+ January 1997
+
+
+ RIP-2 MD5 Authentication
+
+Status of this Memo
+
+ This document specifies an Internet standards track protocol for the
+ Internet community, and requests discussion and suggestions for
+ improvements. Please refer to the current edition of the "Internet
+ Official Protocol Standards" (STD 1) for the standardization state
+ and status of this protocol. Distribution of this memo is unlimited.
+
+Table of Contents
+
+ 1 Use of Imperatives ........................................... 1
+ 2 Introduction ................................................. 2
+ 3 Implementation Approach ...................................... 3
+ 3.1 RIP-2 PDU Format ........................................... 3
+ 3.2 Processing Algorithm ....................................... 5
+ 3.2.1 Message Generation ....................................... 6
+ 3.2.2 Message Reception ........................................ 7
+ 4 Management Procedures ........................................ 7
+ 4.1 Key Management Requirements ................................ 7
+ 4.2 Key Management Procedures .................................. 8
+ 4.3 Pathological Cases ......................................... 9
+ 5 Conformance Requirements ..................................... 9
+ 6 Acknowledgments .............................................. 10
+ 7 References ................................................... 10
+ 8 Security Considerations ...................................... 11
+ 9 Chairman's Address ........................................... 11
+ 10 Authors' Addresses .......................................... 12
+
+1. Use of Imperatives
+
+ Throughout this document, the words that are used to define the
+ significance of particular requirements are capitalized. These words
+ are:
+
+ MUST
+
+ This word or the adjective "REQUIRED" means that the item is an
+ absolute requirement of this specification.
+
+
+
+
+
+Baker & Atkinson Standards Track [Page 1]
+
+RFC 2082 RIP-2 MD5 Authentication January 1997
+
+
+ MUST NOT
+
+ This phrase means that the item is an absolute prohibition of this
+ specification.
+
+ SHOULD
+
+ This word or the adjective "RECOMMENDED" means that there may
+ exist valid reasons in particular circumstances to ignore this
+ item, but the full implications should be understood and the case
+ carefully weighed before choosing a different course.
+
+ SHOULD NOT
+
+ This phrase means that there may exist valid reasons in particular
+ circumstances when the listed behavior is acceptable or even
+ useful, but the full implications should be understood and the
+ case carefully weighed before implementing any behavior described
+ with this label.
+
+ MAY
+ This word or the adjective "OPTIONAL" means that this item is
+ truly optional. One vendor may choose to include the item because
+ a particular marketplace requires it or because it enhances the
+ product, for example; another vendor may omit the same item.
+
+2. Introduction
+
+ Growth in the Internet has made us aware of the need for improved
+ authentication of routing information. RIP-2 provides for
+ unauthenticated service (as in classical RIP), or password
+ authentication. Both are vulnerable to passive attacks currently
+ widespread in the Internet. Well-understood security issues exist in
+ routing protocols [4]. Clear text passwords, currently specified for
+ use with RIP-2, are no longer considered sufficient [5].
+
+ If authentication is disabled, then only simple misconfigurations are
+ detected. Simple passwords transmitted in the clear will further
+ protect against the honest neighbor, but are useless in the general
+ case. By simply capturing information on the wire - straightforward
+ even in a remote environment - a hostile process can learn the
+ password and overcome the network.
+
+ We propose that RIP-2 use an authentication algorithm, as was
+ originally proposed for SNMP Version 2, augmented by a sequence
+ number. Keyed MD5 is proposed as the standard authentication
+ algorithm for RIP-2, but the mechanism is intended to be algorithm-
+ independent. While this mechanism is not unbreakable (no known
+
+
+
+Baker & Atkinson Standards Track [Page 2]
+
+RFC 2082 RIP-2 MD5 Authentication January 1997
+
+
+ mechanism is), it provides a greatly enhanced probability that a
+ system being attacked will detect and ignore hostile messages. This
+ is because we transmit the output of an authentication algorithm
+ (e.g., Keyed MD5) rather than the secret RIP-2 Authentication Key.
+ This output is a one-way function of a message and a secret RIP-2
+ Authentication Key. This RIP-2 Authentication Key is never sent over
+ the network in the clear, thus providing protection against the
+ passive attacks now commonplace in the Internet.
+
+ In this way, protection is afforded against forgery or message
+ modification. It is possible to replay a message until the sequence
+ number changes, but the sequence number makes replay in the long term
+ less of an issue. The mechanism does not afford confidentiality,
+ since messages stay in the clear; however, the mechanism is also
+ exportable from most countries, which test a privacy algorithm would
+ fail.
+
+ Other relevant rationales for the approach are that Keyed MD5 is
+ being used for OSPF cryptographic authentication, and is therefore
+ present in routers already, as is some form of password management.
+ A similar approach has been standardized for use in IP-layer
+ authentication. [7]
+
+3. Implementation Approach
+
+ Implementation requires three issues to be addressed:
+
+ (1) A changed packet format,
+
+ (2) Authentication procedures, and
+
+ (3) Management controls.
+
+3.1. RIP-2 PDU Format
+
+ The basic RIP-2 message format provides for an 8 byte header with an
+ array of 20 byte records as its data content. When Keyed MD5 is
+ used, the same header and content are used, except that the 16 byte
+ "authentication key" field is reused to describe a "Keyed Message
+ Digest" trailer. This consists in five fields:
+
+ (1) The "Authentication Type" is Keyed Message Digest Algorithm,
+ indicated by the value 3 (1 and 2 indicate "IP Route" and
+ "Password", respectively).
+
+ (2) A 16 bit offset from the RIP-2 header to the MD5 digest (if no
+ other trailer fields are ever defined, this value equals the
+ RIP-2 Data Length).
+
+
+
+Baker & Atkinson Standards Track [Page 3]
+
+RFC 2082 RIP-2 MD5 Authentication January 1997
+
+
+ (3) An unsigned 8-bit field that contains the Key Identifier
+ or Key-ID. This identifies the key used to create the
+ Authentication Data for this RIP-2 message. In
+ implementations supporting more than one authentication
+ algorithm, the Key-ID also indicates the authentication
+ algorithm in use for this message. A key is associated with
+ an interface.
+
+ (4) An unsigned 8-bit field that contains the length in octets of the
+ trailing Authentication Data field. The presence of this field
+ permits other algorithms (e.g., Keyed SHA) to be substituted for
+ Keyed MD5 if desired.
+
+ (5) An unsigned 32 bit sequence number. The sequence number MUST be
+ non-decreasing for all messages sent with the same Key ID.
+
+ The trailer consists of the Authentication Data, which is the output
+ of the Keyed Message Digest Algorithm. When the Authentication
+ Algorithm is Keyed MD5, the output data is 16 bytes; during digest
+ calculation, this is effectively followed by a pad field and a length
+ field as defined by RFC 1321.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Baker & Atkinson Standards Track [Page 4]
+
+RFC 2082 RIP-2 MD5 Authentication January 1997
+
+
+3.2. Processing Algorithm
+
+ When the authentication type is "Keyed Message Digest", message
+ processing is changed in message creation and reception.
+
+ 0 1 2 3 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Command (1) | Version (1) | Routing Domain (2) |
+ +---------------+---------------+-------------------------------+
+ | 0xFFFF | AuType=Keyed Message Digest |
+ +-------------------------------+-------------------------------+
+ | RIP-2 Packet Length | Key ID | Auth Data Len |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | Sequence Number (non-decreasing) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | reserved must be zero |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | reserved must be zero |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | |
+ / (RIP-2 Packet Length - 24) bytes of Data /
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 0xFFFF | 0x01 |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ / Authentication Data (var. length; 16 bytes with Keyed MD5) /
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+ In memory, the following trailer is appended by the MD5 algorithm and
+ treated as though it were part of the message.
+
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | sixteen octets of MD5 "secret" |
+ / /
+ | |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | zero or more pad bytes (defined by RFC 1321 when MD5 is used) |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 64 bit message length MSW |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ | 64 bit message length LSW |
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+
+
+
+
+
+
+
+
+Baker & Atkinson Standards Track [Page 5]
+
+RFC 2082 RIP-2 MD5 Authentication January 1997
+
+
+3.2.1. Message Generation
+
+ The RIP-2 Packet is created as usual, with these exceptions:
+
+ (1) The UDP checksum need not be calculated, but MAY be set to
+ zero.
+
+ (2) The authentication type field indicates the Keyed Message Digest
+ Algorithm (3).
+
+ (3) The authentication "password" field is reused to store a packet
+ offset to the Authentication Data, a Key Identifier, the
+ Authentication Data Length, and a non-decreasing sequence number.
+
+ The value used in the sequence number is arbitrary, but two
+ suggestions are the time of the message's creation or a simple
+ message counter.
+
+ The RIP-2 Authentication Key is selected by the sender based on the
+ outgoing interface. Each key has a lifetime associated with it. No
+ key is ever used outside its lifetime. Since the key's algorithm is
+ related to the key itself, stored in the sender and receiver along
+ with it, the Key ID effectively indicates which authentication
+ algorithm is in use if the implementation supports more than one
+ authentication algorithm.
+
+ (1) The RIP-2 header's packet length field indicates the standard
+ RIP-2 portion of the packet.
+
+ (2) The Authentication Data Offset, Key Identifier, and
+ Authentication Data size fields are filled in appropriately.
+
+ (3) The RIP-2 Authentication Key, which is 16 bytes long when the
+ Keyed MD5 algorithm is used, is now appended to the data. For
+ all algorithms, the RIP-2 Authentication Key is never longer than
+ the output of the algorithm in use.
+
+ (4) Trailing pad and length fields are added and the digest
+ calculated using the indicated algorithm. When Keyed MD5 is the
+ algorithm in use, these are calculated per RFC 1321.
+
+ (5) The digest is written over the RIP-2 Authentication Key. When
+ MD5 is used, this digest will be 16 bytes long.
+
+ The trailing pad is not actually transmitted, as it is entirely
+ predictable from the message length and algorithm in use.
+
+
+
+
+
+Baker & Atkinson Standards Track [Page 6]
+
+RFC 2082 RIP-2 MD5 Authentication January 1997
+
+
+3.2.2. Message Reception
+
+ When the message is received, the process is reversed:
+
+ (1) The digest is set aside,
+
+ (2) The appropriate algorithm and key are determined from the value
+ of the Key Identifier field,
+
+ (3) The RIP-2 Authentication Key is written into the appropriate
+ number (16 when Keyed MD5 is used) of bytes starting at the
+ offset indicated,
+
+ (4) Appropriate padding is added as needed, and
+
+ (5) A new digest calculated using the indicated algorithm.
+
+ If the calculated digest does not match the received digest, the
+ message is discarded unprocessed. If the neighbor has been heard
+ from recently enough to have viable routes in the route table and the
+ received sequence number is less than the last one received, the
+ message likewise is discarded unprocessed. When connectivity to the
+ neighbor has been lost, the receiver SHOULD be ready to accept
+ either:
+ - a message with a sequence number of zero
+ - a message with a higher sequence number than the last received
+ sequence number.
+
+ A router that has forgotten its current sequence number but remembers
+ its key and Key-ID MUST send its first packet with a sequence number
+ of zero. This leaves a small opening for a replay attack. Router
+ vendors are encouraged to provide stable storage for keys, key
+ lifetimes, Key-IDs, and the related sequence numbers.
+
+ Acceptable messages are now truncated to RIP-2 message itself and
+ treated normally.
+
+4. Management Procedures
+
+4.1. Key Management Requirements
+
+ It is strongly desirable that a hypothetical security breach in one
+ Internet protocol not automatically compromise other Internet
+ protocols. The Authentication Key of this specification SHOULD NOT
+ be stored using protocols or algorithms that have known flaws.
+
+
+
+
+
+
+Baker & Atkinson Standards Track [Page 7]
+
+RFC 2082 RIP-2 MD5 Authentication January 1997
+
+
+ Implementations MUST support the storage of more than one key at the
+ same time, although it is recognized that only one key will normally
+ be active on an interface. They MUST associate a specific lifetime
+ (i.e., date/time first valid and date/time no longer valid) and a key
+ identifier with each key, and MUST support manual key distribution
+ (e.g., the privileged user manually typing in the key, key lifetime,
+ and key identifier on the router console). The lifetime may be
+ infinite. If more than one algorithm is supported, then the
+ implementation MUST require that the algorithm be specified for each
+ key at the time the other key information is entered. Keys that are
+ out of date MAY be deleted at will by the implementation without
+ requiring human intervention. Manual deletion of active keys SHOULD
+ also be supported.
+
+ It is likely that the IETF will define a standard key management
+ protocol. It is strongly desirable to use that key management
+ protocol to distribute RIP-2 Authentication Keys among communicating
+ RIP-2 implementations. Such a protocol would provide scalability and
+ significantly reduce the human administrative burden. The Key ID can
+ be used as a hook between RIP-2 and such a future protocol. Key
+ management protocols have a long history of subtle flaws that are
+ often discovered long after the protocol was first described in
+ public. To avoid having to change all RIP-2 implementations should
+ such a flaw be discovered, integrated key management protocol
+ techniques were deliberately omitted from this specification.
+
+4.2. Key Management Procedures
+
+ As with all security methods using keys, it is necessary to change
+ the RIP-2 Authentication Key on a regular basis. To maintain routing
+ stability during such changes, implementations MUST be able to store
+ and use more than one RIP-2 Authentication Key on a given interface
+ at the same time.
+
+ Each key will have its own Key Identifier, which is stored locally.
+ The combination of the Key Identifier and the interface associated
+ with the message uniquely identifies the Authentication Algorithm and
+ RIP-2 Authentication Key in use.
+
+ As noted above in Section 2.2.1, the party creating the RIP-2 message
+ will select a valid key from the set of valid keys for that
+ interface. The receiver will use the Key Identifier and interface to
+ determine which key to use for authentication of the received
+ message. More than one key may be associated with an interface at
+ the same time.
+
+
+
+
+
+
+Baker & Atkinson Standards Track [Page 8]
+
+RFC 2082 RIP-2 MD5 Authentication January 1997
+
+
+ Hence it is possible to have fairly smooth RIP-2 Authentication Key
+ rollovers without losing legitimate RIP-2 messages because the stored
+ key is incorrect and without requiring people to change all the keys
+ at once. To ensure a smooth rollover, each communicating RIP-2
+ system must be updated with the new key several minutes before the
+ current key will expire and several minutes before the new key
+ lifetime begins. The new key should have a lifetime that starts
+ several minutes before the old key expires. This gives time for each
+ system to learn of the new RIP-2 Authentication Key before that key
+ will be used. It also ensures that the new key will begin being used
+ and the current key will go out of use before the current key's
+ lifetime expires. For the duration of the overlap in key lifetimes,
+ a system may receive messages using either key and authenticate the
+ message. The Key-ID in the received message is used to select the
+ appropriate key for authentication.
+
+4.3. Pathological Cases
+
+ Two pathological cases exist which must be handled, which are
+ failures of the network manager. Both of these should be exceedingly
+ rare.
+
+ During key switchover, devices may exist which have not yet been
+ successfully configured with the new key. Therefore, routers SHOULD
+ implement (and would be well advised to implement) an algorithm that
+ detects the set of keys being used by its neighbors, and transmits
+ its messages using both the new and old keys until all of the
+ neighbors are using the new key or the lifetime of the old key
+ expires. Under normal circumstances, this elevated transmission rate
+ will exist for a single update interval.
+
+ In the event that the last key associated with an interface expires,
+ it is unacceptable to revert to an unauthenticated condition, and not
+ advisable to disrupt routing. Therefore, the router should send a
+ "last authentication key expiration" notification to the network
+ manager and treat the key as having an infinite lifetime until the
+ lifetime is extended, the key is deleted by network management, or a
+ new key is configured.
+
+5. Conformance Requirements
+
+ To conform to this specification, an implementation MUST support all
+ of its aspects. The Keyed MD5 authentication algorithm MUST be
+ implemented by all conforming implementations. MD5 is defined in
+ RFC-1321. A conforming implementation MAY also support other
+ authentication algorithms such as Keyed Secure Hash Algorithm (SHA).
+ Manual key distribution as described above MUST be supported by all
+ conforming implementations. All implementations MUST support the
+
+
+
+Baker & Atkinson Standards Track [Page 9]
+
+RFC 2082 RIP-2 MD5 Authentication January 1997
+
+
+ smooth key rollover described under "Key Change Procedures."
+
+ The user documentation provided with the implementation MUST contain
+ clear instructions on how to ensure that smooth key rollover occurs.
+
+ Implementations SHOULD support a standard key management protocol for
+ secure distribution of RIP-2 Authentication Keys once such a key
+ management protocol is standardized by the IETF.
+
+6. Acknowledgments
+
+ This work was done by the RIP-2 Working Group, of which Gary Malkin
+ is the Chair. This suggestion was originally made by Christian
+ Huitema on behalf of the IAB. Jeff Honig (Cornell) and Dennis
+ Ferguson (ANS) built the first operational prototype, proving out the
+ algorithms. The authors gladly acknowledge significant inputs from
+ each of these sources.
+
+7. References
+
+ [1] Malkin, G., "RIP Version 2 Carrying Additional Information",
+ RFC 1388, January 1993.
+
+ [2] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, April
+ 1992.
+
+ [3] Malkin, G., and F. Baker, "RIP Version 2 MIB Extension",
+ RFC 1389, Xylogics, Inc., Advanced Computer Communications,
+ January 1993.
+
+ [4] S. Bellovin, "Security Problems in the TCP/IP Protocol Suite",
+ ACM Computer Communications Review, Volume 19, Number 2,
+ pp.32-48, April 1989.
+
+ [5] Haller, N., and R. Atkinson, "Internet Authentication
+ Guidelines", RFC 1704, October 1994.
+
+ [6] Braden, R., Clark, D., Crocker, S., and C. Huitema, "Report
+ of IAB Workshop on Security in the Internet Architecture",
+ RFC 1636, June 1994.
+
+ [7] Atkinson, R., "IP Authentication Header", RFC 1826, August 1995.
+
+ [8] Atkinson, R., "IP Encapsulating Security Payload", RFC 1827,
+ August 1995.
+
+
+
+
+
+
+Baker & Atkinson Standards Track [Page 10]
+
+RFC 2082 RIP-2 MD5 Authentication January 1997
+
+
+8. Security Considerations
+
+ This entire memo describes and specifies an authentication mechanism
+ for the RIP-2 routing protocol that is believed to be secure against
+ active and passive attacks. Passive attacks are clearly widespread in
+ the Internet at present. Protection against active attacks is also
+ needed because active attacks are becoming more common.
+
+ Users need to understand that the quality of the security provided by
+ this mechanism depends completely on the strength of the implemented
+ authentication algorithms, the strength of the key being used, and
+ the correct implementation of the security mechanism in all
+ communicating RIP-2 implementations. This mechanism also depends on
+ the RIP-2 Authentication Key being kept confidential by all parties.
+ If any of these incorrect or insufficiently secure, then no real
+ security will be provided to the users of this mechanism.
+
+ Specifically with respect to the use of SNMP, compromise of SNMP
+ security has the necessary result that the various RIP-2
+ configuration parameters (e.g. routing table, RIP-2 Authentication
+ Key) manageable via SNMP could be compromised as well. Changing
+ Authentication Keys using non-encrypted SNMP is no more secure than
+ sending passwords in the clear.
+
+ Confidentiality is not provided by this mechanism. Recent work in
+ the IETF provides a standard mechanism for IP-layer encryption. [8]
+ That mechanism might be used to provide confidentiality for RIP-2 in
+ the future. Protection against traffic analysis is also not
+ provided. Mechanisms such as bulk link encryption might be used when
+ protection against traffic analysis is required.
+
+ The memo is written to address a security consideration in RIP
+ Version 2 that was raised during the IAB's recent security review
+ [6].
+
+9. Chairman's Address
+
+ Gary Scott Malkin
+ Xylogics, Inc.
+ 53 Third Avenue
+ Burlington, MA 01803
+
+ Phone: (617) 272-8140
+ EMail: gmalkin@Xylogics.COM
+
+
+
+
+
+
+
+Baker & Atkinson Standards Track [Page 11]
+
+RFC 2082 RIP-2 MD5 Authentication January 1997
+
+
+10. Authors' Addresses
+
+ Fred Baker
+ cisco Systems
+ 519 Lado Drive
+ Santa Barbara, California 93111
+
+ Phone: (805) 681 0115
+ Email: fred@cisco.com
+
+
+ Randall Atkinson
+ cisco Systems
+ 170 West Tasman Drive
+ San Jose, CA 95134-1706
+
+ Phone: (408) 526-6566
+ EMail: rja@cisco.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Baker & Atkinson Standards Track [Page 12]
+