summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc6039.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc6039.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc6039.txt')
-rw-r--r--doc/rfc/rfc6039.txt1179
1 files changed, 1179 insertions, 0 deletions
diff --git a/doc/rfc/rfc6039.txt b/doc/rfc/rfc6039.txt
new file mode 100644
index 0000000..7070c2a
--- /dev/null
+++ b/doc/rfc/rfc6039.txt
@@ -0,0 +1,1179 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) V. Manral
+Request for Comments: 6039 IP Infusion
+Category: Informational M. Bhatia
+ISSN: 2070-1721 Alcatel-Lucent
+ J. Jaeggli
+ Nokia Inc.
+ R. White
+ Cisco Systems
+ October 2010
+
+
+ Issues with Existing Cryptographic Protection Methods
+ for Routing Protocols
+
+Abstract
+
+ Routing protocols have been extended over time to use cryptographic
+ mechanisms to ensure that data received from a neighboring router has
+ not been modified in transit and actually originated from an
+ authorized neighboring router.
+
+ The cryptographic mechanisms defined to date and described in this
+ document rely on a digest produced with a hash algorithm applied to
+ the payload encapsulated in the routing protocol packet.
+
+ This document outlines some of the limitations of the current
+ mechanism, problems with manual keying of these cryptographic
+ algorithms, and possible vectors for the exploitation of these
+ limitations.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Not all documents
+ approved by the IESG are a candidate for any level of Internet
+ Standard; see Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc6039.
+
+
+
+
+
+
+Manral, et al. Informational [Page 1]
+
+RFC 6039 Routing Protocol Protection Issues October 2010
+
+
+Copyright Notice
+
+ Copyright (c) 2010 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Problem Statement ...............................................3
+ 1.1. Pre-Image vs. Collision Attacks ............................4
+ 1.2. Concerns about MD5 and the SHA-1 Algorithm .................4
+ 2. Open Shortest Path First Version 2 (OSPFv2) .....................5
+ 2.1. Management Issues with OSPFv2 ..............................5
+ 2.2. Technical Issues with OSPFv2 ...............................6
+ 3. Open Shortest Path First Version 3 (OSPFv3) .....................7
+ 3.1. Management Issues with OSPFv3 ..............................7
+ 3.2. Technical Issues with OSPFv3 ...............................8
+ 4. Intermediate System to Intermediate System Routing
+ Protocol (IS-IS) ................................................9
+ 4.1. Management Issues with IS-IS ...............................9
+ 4.2. Technical Issues with IS-IS ...............................10
+ 5. Border Gateway Protocol (BGP-4) ................................11
+ 5.1. Management Issues with BGP-4 ..............................12
+ 5.2. Technical Issues with BGP-4 ...............................13
+ 6. The Routing Information Protocol (RIP) .........................13
+ 6.1. Technical Issues with RIP .................................14
+ 7. Bidirectional Forwarding Detection (BFD) .......................15
+ 7.1. Technical Issues with BFD .................................15
+ 8. Security Considerations ........................................17
+ 9. Acknowledgements ...............................................17
+ 10. References ....................................................17
+ 10.1. Normative References .....................................17
+ 10.2. Informative References ...................................18
+ 11. Contributor's Address .........................................21
+
+
+
+
+
+
+
+
+Manral, et al. Informational [Page 2]
+
+RFC 6039 Routing Protocol Protection Issues October 2010
+
+
+1. Problem Statement
+
+ Protocols, such as OSPF version 2 [RFC2328], version 3 [RFC5340],
+ IS-IS [RFC1195], BGP-4 [RFC4271], and BFD [RFC5880], employ various
+ mechanisms to create a cryptographic digest of each transmitted
+ protocol packet. Traditionally, these digests are the results of a
+ one-way hash algorithm, such as Message Digest 5 (MD5) [RFC1321],
+ across the contents of the packet being transmitted. A secret key is
+ used as the hash base (or seed). The digest is then recomputed by
+ the receiving router, using the same key as the original router used
+ to create the hash, then compared with the transmitted digest to
+ verify:
+
+ o That the router originating this packet is authorized via the
+ shared key mechanism to peer with the local router and exchange
+ routing data. The implicit trust of the routing protocol exchange
+ protected by a shared secret is intended to protect against the
+ injection of falsely generated routing data into the routing
+ system by unauthorized systems.
+
+ o That the data has not been altered in transit between the two
+ neighboring routers.
+
+ Digest verification schemes are not intended to protect the
+ confidentiality of information being exchanged between routers. The
+ information (entries in the routing table) is potentially available
+ through other mechanisms. Moreover, access to the physical media
+ between two routers exchanging routing data will confer the ability
+ to capture or otherwise discover the contents of the routing tables
+ in those routers.
+
+ Authentication mechanisms defined today have notable limitations:
+
+ o Manual configuration of shared secret keys, especially in large
+ networks and between networks, poses a major management problem.
+ In many cases, it is challenging to replace keys without
+ significant coordination or disruption.
+
+ o In some cases, when manual keys are configured, some forms of
+ replay protection are no longer possible, allowing the routing
+ protocol to be attacked through the replay of captured routing
+ messages.
+
+ This document outlines some of the problems with manual keying of
+ these cryptographic algorithms.
+
+
+
+
+
+
+Manral, et al. Informational [Page 3]
+
+RFC 6039 Routing Protocol Protection Issues October 2010
+
+
+1.1. Pre-Image vs. Collision Attacks
+
+ A pre-image attack (an attempt to find new data with the same hash
+ value) would enable someone to find an input message that causes a
+ hash function to produce a particular output. In contrast, a
+ collision attack finds two messages with the same hash, but the
+ attacker can't pick what the message will be. Feasible collision
+ attacks against MD4, MD5, HAVAL-128, and RIPEMD have been documented
+ in [Crypto2004].
+
+ The ability to produce a collision does not currently introduce any
+ obvious or known attacks on routing protocols. Pre-image attacks
+ have the potential to cause problems in the future; however, due to
+ the message length, there are serious limitations to the feasibility
+ of mounting such an attack.
+
+ Protocols themselves have some built-in protection against collision
+ attacks. This is because a lot of values for fields in a protocol
+ packet are invalid or will produce an unusable packet. For example,
+ in OSPF the Link State Advertisement (LSA) type can be from 1 to 11.
+ Any other value in the field will result in the packet being
+ discarded.
+
+ Assume two packets M and M' are generated and have the same hash.
+ The above condition will further reduce the ability to produce a
+ message that is also a correct message from the protocol perspective,
+ as a lot of potential values are themselves not valid.
+
+1.2. Concerns about MD5 and the SHA-1 Algorithm
+
+ There are published concerns about the overall strength of the MD5
+ algorithm ([Dobb96a], [Dobb96b], [Wang04]). While those published
+ concerns apply to the use of MD5 in other modes (e.g., use of MD5
+ X.509v3/PKIX digital certificates), they are not an attack upon Keyed
+ MD5 and Hash-based Message Authentication Code MD5 (HMAC-MD5), which
+ is what the current routing protocols have specified. There are also
+ published concerns about the Secure Hash Algorithm (SHA) algorithm
+ ([Wang05], [Philip01], [Prav01], [Prav02], [Arjen05]) and also
+ concerns about the MD5 and SHA algorithms in the HMAC [RFC2104] mode
+ ([RR07], [RR08]). The National Institute of Standards and Technology
+ (NIST) will be supporting HMAC-SHA-1 even after 2010 [NISTHmacSHA],
+ whereas it will drop support for SHA-1 in digital signatures. NIST
+ also recommends application and protocol designers move to the SHA-2
+ family of hash functions (i.e., SHA-224, SHA-256, SHA-384 and
+ SHA-512) for all new applications and protocols.
+
+
+
+
+
+
+Manral, et al. Informational [Page 4]
+
+RFC 6039 Routing Protocol Protection Issues October 2010
+
+
+ However, as explained above, such attacks are currently not
+ applicable to the routing protocols. Separately, some organizations
+ (e.g., the US government) prefer NIST algorithms, such as the SHA
+ family, over other algorithms (like MD5) for local policy reasons.
+
+2. Open Shortest Path First Version 2 (OSPFv2)
+
+ OSPF [RFC2328] describes the use of an MD5 digest with OSPF packets.
+ MD5 keys are manually configured. The OSPF packet header includes an
+ authentication type field as well as 64 bits of data for use by the
+ appropriate authentication scheme. OSPF also provides for a non-
+ decreasing sequence number to be included in each OSPF protocol
+ packet to protect against replay attacks.
+
+ "OSPF with Digital Signatures" [RFC2154] is an Experimental RFC that
+ describes extensions to OSPF to digitally sign its Link State
+ Advertisements (LSAs). It is believed that if stronger
+ authentication and security is required, then OSPF (and the other
+ routing protocols) must migrate to using full digital signatures.
+ Doing this would enable precise authentication of the OSPF router
+ originating each OSPF link-state advertisement, and thereby provide
+ much stronger integrity protection for the OSPF routing domain.
+ However, since there have been no deployments, there is precious
+ little operational experience with this specification, and hence it
+ is not covered in this document.
+
+2.1. Management Issues with OSPFv2
+
+ According to the OSPF specification [RFC2328], digests are applied to
+ packets transmitted between adjacent neighbors, rather than being
+ applied to the routing information originated by a router (digests
+ are not applied at the LSA level, but rather at the packet level).
+ [RFC2328] states that any set of OSPF routers adjacent across a
+ single link may use a different key to build MD5 digests than the key
+ used to build MD5 digests on any other link. Thus, MD5 keys may be
+ configured, and changed, on a per-link basis in an OSPF network.
+
+ OSPF does not specify a mechanism to negotiate keys, nor does it
+ specify any mechanism to negotiate the hash algorithms to be used.
+
+ With the proliferation of the number of hash algorithms, as well as
+ the need to continuously upgrade the algorithms, manually configuring
+ the information becomes very tedious. It should also be noted that
+ rekeying OSPF requires coordination among the adjacent routers.
+
+
+
+
+
+
+
+Manral, et al. Informational [Page 5]
+
+RFC 6039 Routing Protocol Protection Issues October 2010
+
+
+2.2. Technical Issues with OSPFv2
+
+ While OSPF provides relatively strong protection through the
+ inclusion of MD5 digests, with additional data and sequence numbers
+ in transmitted packets, there are still attacks against OSPF:
+
+ o The sequence number is initialized to zero when forming an
+ adjacency with a newly discovered neighbor. When an adjacency is
+ brought down, the sequence number is also set to zero. If the
+ cryptographically protected packets of a router that is brought
+ down (for administrative or other reasons) are replayed by a
+ malicious router, traffic could be forced through the malicious
+ router. A malicious router might then induce routing loops, or
+ intercept or blackhole the traffic.
+
+ o OSPF allows multiple packets with the same sequence number. This
+ means that it's possible to replay the same packet many times
+ before the next legitimate packet is sent. An attacker may resend
+ the same packet repeatedly until the next Hello packet is
+ transmitted and received. The Hello interval, which is unknown,
+ determines the attack window.
+
+ o OSPF does not require the use of any particular hash algorithm;
+ however, only the use of MD5 digests for authentication and replay
+ protection is specified in RFC 2328. Most OSPF implementations
+ only support MD5 in addition to Null and Simple Password
+ authentication.
+
+ Recently, limitations in collision-resistance properties of the
+ MD5 and SHA-1 hash functions have been discovered; [RFC4270]
+ summarizes the discoveries. There have been attacks against the
+ use of MD5 as a hash; while these attacks do not directly apply to
+ the use of MD5 in routing protocols, it is prudent to have other
+ options available. For this reason, the general use of these
+ algorithms should be discouraged, and [RFC5709] adds support for
+ using SHA-1 and SHA-2 with the HMAC construct for OSPF.
+
+ o OSPF on a broadcast network shares the same key between all
+ neighbors on that broadcast network. Some OSPF packets are sent
+ to a multicast address.
+
+ Spoofing by any malicious neighbor possessing credentials or
+ replayable packets is therefore very easy. Possession of the key
+ itself is used as an identity validation, and no other identity
+ check is used. A malicious neighbor could send a packet, forging
+ the identity of the sender as being from another neighbor. There
+ would be no way in which the victim could distinguish the identity
+ of the packet sender.
+
+
+
+Manral, et al. Informational [Page 6]
+
+RFC 6039 Routing Protocol Protection Issues October 2010
+
+
+ o In some OSPF implementations, neighbors on broadcast, non-
+ broadcast multi-access (NBMA), and point-to-multipoint networks
+ are identified by the IP address in the IP header. The IP header
+ is not covered by the MAC in the cryptographic authentication
+ scheme as described in RFC 2328, and an attack can be made to
+ exploit this omission.
+
+ Assume the following scenario.
+
+ R1 sends an authenticated HELLO to R2. This HELLO is captured and
+ replayed back to R1. The source IP in the IP header of the
+ replayed packet is changed to that of R2.
+
+ R1, not finding itself in the HELLO, would deduce that the
+ connection is not bidirectional and would bring down the
+ adjacency.
+
+3. Open Shortest Path First Version 3 (OSPFv3)
+
+ OSPFv3 [RFC5340] relies on the IP Authentication Header (AH)
+ [RFC4302] and the IP Encapsulating Security Payload (ESP) [RFC4303]
+ to cryptographically sign routing information passed between routers.
+
+ When using ESP, the null encryption algorithm [RFC2410] is used, so
+ the data carried in the OSPFv3 packets is signed, but not encrypted.
+ This provides data origin authentication for adjacent routers, and
+ data integrity (which gives the assurance that the data transmitted
+ by a router has not changed in transit). However, it does not
+ provide confidentiality of the information transmitted; this is
+ acceptable because the privacy of the information being carried in
+ the routing protocols need not be kept secret.
+
+ "Authentication/Confidentiality for OSPFv3" [RFC4552] mandates the
+ use of ESP with null encryption for authentication and also does
+ encourage the use of confidentiality to protect the privacy of the
+ routing information transmitted, using ESP encryption. However, it
+ only specifies the use of manual keying of routing information as
+ discussed in the following section.
+
+3.1. Management Issues with OSPFv3
+
+ The OSPFv3 security document ("Authentication/Confidentiality for
+ OSPFv3" [RFC4552]) discusses, at length, the reasoning behind using
+ manually configured keys, rather than some automated key management
+ protocol such as IKEv2 [RFC4306]. The primary problem is the lack of
+ a suitable key management mechanism, as OSPF adjacencies are formed
+ on a one-to-many basis and most key management mechanisms are
+ designed for a one-to-one communication model. This forces the
+
+
+
+Manral, et al. Informational [Page 7]
+
+RFC 6039 Routing Protocol Protection Issues October 2010
+
+
+ system administrator to use manually configured security associations
+ (SAs) and cryptographic keys to provide the authentication and, if
+ desired, confidentiality services.
+
+ Regarding replay protection, [RFC4552] states that:
+
+ Since it is not possible using the current standards to provide
+ complete replay protection while using manual keying, the proposed
+ solution will not provide protection against replay attacks.
+
+ In the OSPFv3 case, the primary administrative issue with manually
+ configured SAs and keys is the management issue -- maintaining shared
+ sets of keys on all routers within a network. As with OSPFv2,
+ rekeying is an infrequent event requiring coordination. [RFC4552]
+ does not require that all OSPFv3 routers have the same key configured
+ for every neighbor, so each set of neighbors connected to a given
+ link could have a different key configured. While this makes it
+ easier to change the keys (by forcing the system administrator to
+ only change the keys on the routers on a single link), the process of
+ manual configuration for all the routers in a network to change the
+ keys used for OSPFv3 digests and confidentiality on a periodic basis
+ can be difficult.
+
+3.2. Technical Issues with OSPFv3
+
+ The primary technical concern with the current specifications for
+ OSPFv3 is that when manual SA and key management is used as specified
+ in "Sequence Number Generation", Section 3.3.2 of [RFC4302]: "The
+ sender assumes anti-replay is enabled as a default, unless otherwise
+ notified by the receiver (see Section 3.4.3) or if the SA was
+ configured using manual key management". Replaying OSPFv3 packets
+ can induce several failures in a network, including:
+
+ o Replaying Hello packets with an empty neighbor list can cause all
+ the neighbor adjacencies with the sending router to be reset,
+ disrupting network communications.
+
+ o Replaying Hello packets from early in the designated router
+ election process on broadcast links can cause all the neighbor
+ adjacencies with the sending router to be reset, disrupting
+ network communications.
+
+ o Replaying database description (DB-Description) packets can cause
+ all FULL neighbor adjacencies with the sending router to be reset,
+ disrupting network communications.
+
+
+
+
+
+
+Manral, et al. Informational [Page 8]
+
+RFC 6039 Routing Protocol Protection Issues October 2010
+
+
+ o Replaying link state request (LS-Request) packets can cause all
+ FULL neighbor adjacencies with the sending router to be reset,
+ disrupting network communications.
+
+ o Capturing a full adjacency process (from two-way all the way to
+ FULL state), and then replaying this process when the router is no
+ longer attached can cause a false adjacency to be formed, allowing
+ an attacker to attract traffic.
+
+ o OSPFv3 on a broadcast network shares the same key between all
+ neighbors on that network. Some OSPF packets are sent to a
+ multicast address.
+
+ Spoofing by a malicious neighbor is very easy. Possession of the
+ key itself is used as an identity check. There is no other
+ identity check used. A neighbor could send a packet specifying
+ the packet came from some other neighbor and there would be no way
+ in which the attacked router could figure out the identity of the
+ packet sender.
+
+4. Intermediate System to Intermediate System Routing Protocol (IS-IS)
+
+ Integrated IS-IS [RFC1195] uses HMAC-MD5 authentication with manual
+ keying, as described in [RFC5304], and has recently been extended to
+ provide support for using the HMAC construct along with the SHA
+ family of cryptographic hash functions [RFC5310]. There is no
+ provision within IS-IS to encrypt the body of a routing protocol
+ message.
+
+4.1. Management Issues with IS-IS
+
+ [RFC5304] states that each Link State Protocol Data Unit (LSP)
+ generated by an intermediate system is signed with the HMAC-MD5
+ algorithm using a key manually defined by the network administrator.
+ Since authentication is performed on the LSPs transmitted by an
+ intermediate system, rather than on the packets transmitted to a
+ specific neighbor, it is implied that all the intermediate systems
+ within a single flooding domain must be configured with the same key
+ in order for authentication to work correctly.
+
+ The initial configuration of manual keys for authentication within an
+ IS-IS network is simplified by a state where LSPs containing
+ HMAC-MD5/HMAC-SHA authentication TLVs are accepted by intermediate
+ systems without the keys, but the digest is not validated. Once keys
+ are configured on all routers, changing those keys becomes much more
+ difficult.
+
+
+
+
+
+Manral, et al. Informational [Page 9]
+
+RFC 6039 Routing Protocol Protection Issues October 2010
+
+
+ IS-IS [RFC1195] does not specify a mechanism to negotiate keys, nor
+ does it specify any mechanism to negotiate the hash algorithms to be
+ used.
+
+ With the proliferation of available hash algorithms, as well as the
+ need to upgrade the algorithms, manual configuration requires
+ coordination among intermediate systems, which can become tedious.
+
+4.2. Technical Issues with IS-IS
+
+ [RFC5304] states: "This mechanism does not prevent replay attacks;
+ however, in most cases, such attacks would trigger existing
+ mechanisms in the IS-IS protocol that would effectively reject old
+ information".
+
+ The few cases where existing mechanisms in the IS-IS protocol would
+ not effectively reject old information are:
+ - the Hello packets or the IS-IS Hellos (IIHs) that are used to
+ discover neighbors, and
+ - the Sequence Number Packets (SNPs).
+
+ As described in IS-IS [RFC1195], a list of known neighbors is
+ included in each Hello transmitted by an intermediate system to
+ ensure two-way communications with any specific neighbor before
+ exchanging link state databases.
+
+ IS-IS does not provide a sequence number. IS-IS packets are
+ vulnerable to replay attacks; any packet can be replayed at any point
+ of time. So long as the keys used are the same, protocol elements
+ that would not be rejected will affect existing sessions.
+
+ A Hello packet containing a digest within a TLV and an empty neighbor
+ list could be replayed, resulting in all adjacencies with the
+ original transmitting intermediate system to be restarted.
+
+ A replay of an old Complete Sequence Number Packet (CSNP) could cause
+ LSPs to be flooded, resulting in an LSP storm.
+
+ IS-IS specifies the use of the HMAC-MD5 and HMAC-SHA-1 to protect
+ IS-IS packets.
+
+ IS-IS does not have a notion of Key ID. During key rollover, each
+ message received has to be checked for integrity against all keys
+ that are valid. A denial-of-service (DoS) attack may be induced by
+ sending IS-IS packets with random hashes. This will cause the IS-IS
+ packet to be checked for authentication with all possible keys,
+
+
+
+
+
+Manral, et al. Informational [Page 10]
+
+RFC 6039 Routing Protocol Protection Issues October 2010
+
+
+ increasing the amount of processing required. This issue, however,
+ has been fixed in the recent [RFC5310], which introduces the concept
+ of Key IDs in IS-IS.
+
+ Recently, limitations in collision-resistance properties of the MD5
+ and SHA-1 hash functions have been discovered; [RFC4270] summarizes
+ the discoveries. There have been attacks against the use of MD5 as a
+ hash; while these attacks do not directly apply to the use of
+ HMAC-MD5 in IS-IS, it is prudent to have other options available.
+ For this reason, the general use of these algorithms should be
+ discouraged, and [RFC5310] adds support for using HMAC-SHA with
+ IS-IS.
+
+ IS-IS on a broadcast network shares the same key between all
+ neighbors on that network.
+
+ This makes spoofing by a malicious neighbor easy since IS-IS packets
+ are sent to a link-layer multicast address. Possession of the key
+ itself is used as an authorization check. A neighbor could send a
+ packet spoofing the identity of a neighbor, and there would be no way
+ in which the attacked router could discern the identity of the
+ malicious packet sender.
+
+ The Remaining Lifetime field in the LSP is not covered by the
+ authentication. An IS-IS router can receive its own self-generated
+ LSP segment with zero lifetime remaining. In that case, if it has a
+ copy with non-zero lifetime, it purges that LSP, i.e., it increments
+ the current sequence number and floods all the segments again. This
+ is much worse in IS-IS than in OSPF because there is only one LSP
+ other than the pseudonode LSPs for the LANs on which the IS-IS router
+ is the Designated Intermediate System (DIS).
+
+ In this way, an attacker can force the router to flood all segments
+ -- potentially a large number if the number of routes is large. It
+ also causes the sequence number of all the LSPs to increase fast. If
+ the sequence number increases to the maximum (0xFFFFFFFF), the IS-IS
+ process must shut down for around 20 minutes (the product of MaxAge +
+ ZeroAgeLifetime) to allow the old LSPs to age out of all the router
+ databases.
+
+5. Border Gateway Protocol (BGP-4)
+
+ BGP-4 [RFC4271] uses TCP [RFC0793] for transporting routing
+ information between BGP speakers that have formed an adjacency.
+
+ [RFC2385] describes the use of the TCP MD5 digest option for
+ providing packet origin authentication and data integrity protection
+ of BGP packets. [RFC3562] provides suggestions for choosing the key
+
+
+
+Manral, et al. Informational [Page 11]
+
+RFC 6039 Routing Protocol Protection Issues October 2010
+
+
+ length of the ad hoc Keyed MD5 mechanism specified in [RFC2385].
+ There is no provision for confidentiality for any of these BGP
+ messages.
+
+ TCP MD5 [RFC2385] has recently been obsoleted by a new TCP
+ Authentication Option (TCP-AO) [RFC5925]. [RFC5925] specifies the
+ use of stronger Message Authentication Codes (MACs), protects against
+ replays even for long-lived TCP connections, and provides more
+ details than TCP-MD5 on the association of security with TCP
+ connections. It allows rekeying during a TCP connection, assuming
+ that an out-of-band protocol or manual mechanism provides the new
+ keys. Note that TCP MD5 does not preclude rekeying during a
+ connection, but does not require its support either. Further, TCP-AO
+ supports key changes with zero segment loss, whereas key changes in
+ TCP MD5 can lose segments in transit during the changeover or require
+ trying multiple keys on each received segment during key use overlap
+ because TCP MD5 lacks an explicit Key ID. Although TCP recovers lost
+ segments through retransmission, loss can have a substantial impact
+ on performance.
+
+ However, this document covers only TCP MD5, as all current
+ deployments are still using BGP with TCP MD5 and have not upgraded to
+ [RFC5925]. There isn't enough operational experience present to
+ evaluate the technical and management issues with this proposal yet.
+
+ Compared to previously described IGP protocols, BGP has additional
+ exposure due to the nature of the environment where it is typically
+ used -- namely, between autonomous networks (under different
+ administrative control). While routers running interior gateway
+ protocols may all be configured with the same administrative
+ authority, two BGP peers may be in different administrative domains,
+ having different policies for key strength, rollover frequency, etc.
+ An autonomous system must often support a large number of keys at
+ different BGP boundaries, as each connecting AS represents a
+ different administrative entity. In practice, once set, shared
+ secrets between BGP peers are rarely, if ever, changed.
+
+5.1. Management Issues with BGP-4
+
+ Each pair of BGP speakers forming a peering may have a different MD5
+ shared key that facilitates the independent configuration and
+ changing of keys across a large-scale network. Manual configuration
+ and maintenance of cryptographic keys across all BGP sessions is a
+ challenge in any large-scale environment.
+
+ Most BGP implementations will accept BGP packets with a bad digest up
+ to the hold interval negotiated between BGP peers at peering startup,
+ in order to allow for MD5 keys to be changed with minimal impact on
+
+
+
+Manral, et al. Informational [Page 12]
+
+RFC 6039 Routing Protocol Protection Issues October 2010
+
+
+ operation of the network. This technique does, however, allow some
+ short period of time during which an attacker may inject BGP packets
+ with false MD5 digests into the network and can expect those packets
+ to be accepted, even though the MD5 digests are not valid.
+
+5.2. Technical Issues with BGP-4
+
+ BGP relies on TCP [RFC0793] for transporting data between BGP
+ speakers. BGP can rely on TCP's protection against data corruption
+ and replay to preclude replay attacks against BGP sessions. A great
+ deal of research has gone into the feasibility of an attacker
+ overcoming these protections, including [TcpWindow] and [Conv01].
+ Most router and operating system (OS) vendors have modified their TCP
+ implementations to resolve the security vulnerabilities described in
+ these references, where possible.
+
+ As mentioned earlier, MD5 is vulnerable to collision attacks and can
+ be attacked through several means, such as those explored in
+ [Wang04].
+
+ Though it can be argued that the collision attacks do not have a
+ practical application in this scenario, the use of MD5 should be
+ discouraged.
+
+ Routers performing cryptographic processing of packets in software
+ may be exposed to additional opportunities for DoS attacks. An
+ attacker may be able to transmit enough spoofed traffic with false
+ digests that the router's processor and memory resources are
+ consumed, causing the router to be unable to perform normal
+ processing. This exposure is particularly problematic between
+ routers not under unified administrative control.
+
+6. The Routing Information Protocol (RIP)
+
+ The initial version of RIP was specified in STD 34 [RFC1058]. This
+ version did not provide for any authentication or authorization of
+ routing data, and thus was vulnerable to any of a number of attacks
+ against routing protocols. This limitation was one reason why this
+ protocol was moved to Historic status [RFC1923].
+
+ RIPv2, originally specified in [RFC1388], then [RFC1723], was
+ finalized in STD 56 [RFC2453]. This version of the protocol provides
+ for authenticating packets with a digest. The details thereof have
+ initially been provided in "RIP-2 MD5 Authentication" [RFC2082];
+ "RIPv2 Cryptographic Authentication" [RFC4822] obsoletes [RFC2082]
+ and adds details of how the SHA family of hash algorithms can be used
+ to protect RIPv2. [RFC2082] only specified the use of Keyed MD5.
+
+
+
+
+Manral, et al. Informational [Page 13]
+
+RFC 6039 Routing Protocol Protection Issues October 2010
+
+
+6.1. Technical Issues with RIP
+
+ o The sequence number used by a router is initialized to zero at
+ startup, and is also set to zero whenever the neighbor is brought
+ down. If the cryptographically protected packets of a router that
+ is brought down (for administrative or other reasons) are stored
+ by a malicious router, the new router could replay the packets
+ from the previous session, thus forcing traffic through the
+ malicious router. Dropping of such packets by the router could
+ result in blackholes. Also, forwarding wrong packets could result
+ in routing loops.
+
+ o RIPv2 allows multiple packets with the same sequence number. This
+ could mean the same packet may be replayed many times before the
+ next legitimate packet is sent. An attacker may resend the same
+ packet repeatedly until the next Hello packet is transmitted and
+ received, which means the Hello interval therefore determines the
+ attack window.
+
+ o RIPv2 [RFC2453] did not specify the use of any particular hash
+ algorithm. RFC 4822 introduced HMAC-SHA1 as mandatory to
+ implement, along with Keyed MD5 as specified in [RFC2082].
+ Support for Keyed MD5 was mandated to ensure compatability with
+ legacy implementations.
+
+ o "RIPv2 Cryptographic Authentication" [RFC4822] does not cover the
+ UDP and the IP headers. It is therefore possible for an attacker
+ to modify some fields in the above headers without routers
+ becoming aware of it.
+
+ There is limited exposure to modification of the UDP header, as
+ the RIP protocol uses only it to compute the length of the RIP
+ packet. Changes introduced in the UDP header would cause RIP
+ authentication to fail the RIP authentication, thereby limiting
+ exposure.
+
+ RIP uses the source IP address from the IP header to determine
+ which RIP neighbor it has learnt the RIP Update from. Changing
+ the source IP address can be used by an attacker to disrupt the
+ RIP routing sessions between two routers R1 and R2, as shown in
+ the following examples.
+
+ Scenario 1:
+
+ R1 sends an authenticated RIP message to R2 with a cryptographic
+ sequence number X.
+
+
+
+
+
+Manral, et al. Informational [Page 14]
+
+RFC 6039 Routing Protocol Protection Issues October 2010
+
+
+ The attacker then needs a packet with a higher sequence number
+ originated by R2 either, from this session or from some earlier
+ session.
+
+ The attacker can then replay this packet to R2 by changing the
+ source IP to that of R1.
+
+ R2 would then no longer accept any more RIP Updates from R1, as
+ those would have a lower cryptographic sequence number. After 180
+ seconds (or less), R2 would consider R1 timed out and bring down
+ the RIP session.
+
+ Scenario 2:
+
+ R1 announces a route with cost C1 to R2. This packet can be
+ captured by an attacker. Later, if this cost changes and R1
+ announces this with a different cost C2, the attacker can replay
+ the captured packet, modifying the source IP to a new arbitrary IP
+ address, thereby masquerading as a different router.
+
+ R2 will accept this route and the router as a new gateway, and R2
+ would then use the non-existent router as a next hop for that
+ network. This would only be effective if the cost C1 is less than
+ C2.
+
+7. Bidirectional Forwarding Detection (BFD)
+
+ BFD is specified in [RFC5880]. Extensions to BFD for multihop
+ [RFC5883] and single hop [RFC5881] are defined for IPv4 and IPv6. It
+ is designed to detect failure with the forwarding plane next hop.
+
+ The BFD base specification specifies an optional authentication
+ mechanism that can be used by the receiver of a packet to be able to
+ authenticate the source of the packet. It relies on the facts that
+ the keys are shared between the peers and no mechanism is defined for
+ the actual key generation.
+
+7.1. Technical Issues with BFD
+
+ o The level of security provided is based on the Authentication Type
+ used. However, the authentication algorithms defined are MD5 or
+ SHA-1 based. As mentioned earlier, MD5 and SHA-1 are both known
+ to be vulnerable to collision attacks.
+
+ o The BFD specification mentions mechanisms to allow for the change
+ of authentication state based on the state of a received packet.
+ This can cause a denial-of-service attack where a malicious
+ authenticated packet (stored from a past session) can be relayed
+
+
+
+Manral, et al. Informational [Page 15]
+
+RFC 6039 Routing Protocol Protection Issues October 2010
+
+
+ over a session that does not use authentication. This causes one
+ end to assume that authentication is enabled at the other end, and
+ hence the BFD adjacency is dropped. This would be a harder attack
+ to put forth when meticulously keyed authentication is in use.
+
+ o BFD works on microsecond timers. When malicious packets are sent
+ at short intervals, with the authentication bit set, it can cause
+ a DoS attack.
+
+ o BFD allows a mode called the echo mode. Echo packets are not
+ defined in the BFD specification, though they can keep the BFD
+ session up. There are no guidelines on the properties of the echo
+ packets beyond the choice of the source and destination addresses.
+ While the BFD specification recommends applying security
+ mechanisms to prevent spoofing of these packets, there are no
+ guidelines on what type of mechanisms are appropriate.
+
+ Any security issues in the echo mode will directly affect the BFD
+ protocol and session states, and hence the network stability. The
+ potential effects and remedies as understood today are somewhat
+ limited, however. For instance, any replay attacks would be
+ indistinguishable from normal forwarding of the tested router. An
+ attack would still cause a faulty link to be believed to be up,
+ but there is little that can be done about it. However, if the
+ echo packets are guessable, it may be possible to spoof from an
+ external source and cause BFD to believe that a one-way link is
+ really bidirectional. As a result, it is important that the echo
+ packets contain random material that is also checked upon
+ reception.
+
+ o BFD packets can be sent at millisecond intervals (the protocol
+ uses timers at microsecond intervals). When using authentication,
+ this can cause frequent sequence number wrap-around as a 32-bit
+ sequence number is used, thus considerably reducing the security
+ of the authentication algorithms.
+
+ o Recently, limitations in collision-resistance properties of the
+ MD5 and SHA-1 hash functions have been discovered; [RFC4270]
+ summarizes the discoveries. There have been attacks against the
+ use of MD5 as a hash; while these attacks do not directly apply to
+ the use of HMAC-MD5 and keyed SHA-1 in BFD, it is prudent to have
+ other options available. Such attacks do not mean that BFD using
+ SHA-1 for authentication is at risk. However, it does mean that
+ SHA-1 should be replaced as soon as possible and should not be
+ used for new applications.
+
+
+
+
+
+
+Manral, et al. Informational [Page 16]
+
+RFC 6039 Routing Protocol Protection Issues October 2010
+
+
+ It should be noted that if SHA-1 is used in the Hashed Message
+ Authentication Code (HMAC) [RFC2104] construction, then collision
+ attacks currently known against SHA-1 do not apply. The new
+ attacks on SHA-1 have no impact on the security of HMAC-SHA-1.
+
+ There are already proposals [GenBFDAuth] that add support for HMAC
+ with the SHA-1 and SHA-2 family of hash functions for BFD.
+
+8. Security Considerations
+
+ This document outlines security issues arising from the current
+ methodology for manual keying of various routing protocols. No
+ specific changes to routing protocols are proposed in this document;
+ likewise, no new security requirements result.
+
+9. Acknowledgements
+
+ We would like to acknowledge Sam Hartman, Ran Atkinson, Stephen Kent
+ and Brian Weis for their initial comments on this document. Thanks
+ to Merike Kaeo and Alfred Hoenes for reviewing many sections of the
+ document and providing lot of useful comments.
+
+10. References
+
+10.1. Normative References
+
+ [RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
+ RFC 793, September 1981.
+
+ [RFC1195] Callon, R., "Use of OSI IS-IS for routing in TCP/IP
+ and dual environments", RFC 1195, December 1990.
+
+ [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April
+ 1998.
+
+ [RFC2385] Heffernan, A., "Protection of BGP Sessions via the
+ TCP MD5 Signature Option", RFC 2385, August 1998.
+
+ [RFC2453] Malkin, G., "RIP Version 2", STD 56, RFC 2453,
+ November 1998.
+
+ [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
+ Border Gateway Protocol 4 (BGP-4)", RFC 4271, January
+ 2006.
+
+ [RFC4302] Kent, S., "IP Authentication Header", RFC 4302,
+ December 2005. Kent, S., "IP Authentication Header",
+
+
+
+
+Manral, et al. Informational [Page 17]
+
+RFC 6039 Routing Protocol Protection Issues October 2010
+
+
+ [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)",
+ RFC 4303, December 2005.
+
+ [RFC4552] Gupta, M. and N. Melam,
+ "Authentication/Confidentiality for OSPFv3", RFC
+ 4552, June 2006.
+
+ [RFC4822] Atkinson, R. and M. Fanto, "RIPv2 Cryptographic
+ Authentication", RFC 4822, February 2007.
+
+ [RFC5340] Coltun, R., Ferguson, D., Moy, J., and A. Lindem,
+ "OSPF for IPv6", RFC 5340, July 2008.
+
+ [RFC5304] Li, T. and R. Atkinson, "IS-IS Cryptographic
+ Authentication", RFC 5304, October 2008.
+
+ [RFC5310] Bhatia, M., Manral, V., Li, T., Atkinson, R., White,
+ R., and M. Fanto, "IS-IS Generic Cryptographic
+ Authentication", RFC 5310, February 2009.
+
+10.2. Informative References
+
+ [Arjen05] Arjen K. Lenstra, "Further progress in Hashing
+ cryptanalysis", Lucent Bell Laboratories, February
+ 26, 2005.
+
+ [Conv01] Convery, et al., "BGP Vulnerability Testing:
+ Separating Fact from FUD v1.00", NANOG 28, pp. 1-61,
+ June 2003.
+
+ [Crypto2004] Xiaoyun Wang, Xuejia Lai, Dengguo Feng, and Hongbo
+ Yu, "Collisions for hash functions MD4, MD5,
+ HAVAL-128, and RIPEMD", Crypto 2004 Rump Session.
+
+ [Dobb96a] Dobbertin, H., "Cryptanalysis of MD5 Compress",
+ Technical Report, 2 May 1996. (Presented at the Rump
+ Session of EuroCrypt 1996.)
+
+ [Dobb96b] Dobbertin, H., "The Status of MD5 After a Recent
+ Attack", CryptoBytes, Vol. 2, No. 2, Summer 1996.
+
+ [GenBFDAuth] Bhatia, M. and V. Manral, "BFD Generic Cryptographic
+ Authentication", Work in Progress, June 2010.
+
+ [NISTHmacSHA] "NIST's Policy on Hash Functions", 2006,
+ http://csrc.nist.gov/groups/ST/hash/policy.html.
+
+
+
+
+
+Manral, et al. Informational [Page 18]
+
+RFC 6039 Routing Protocol Protection Issues October 2010
+
+
+ [Philip01] Philip Hawkes, Michael Paddon, and Gregory G. Rose,
+ "On Corrective Patterns for the SHA-2 Family", IACR
+ ePrint Archive, 2004,
+ http://eprint.iacr.org/2004/207.
+
+ [Prav01] Praveen Gauravaram, et al., "Collision Attacks on MD5
+ and SHA-1: Is this the 'Sword of Domocles' for
+ Electronic Commerce?", Information Security Institue
+ (ISI), Queensland University of Technology (QUT),
+ Australia.
+
+ [Prav02] Praveen Gauravaram, et al., "Some thoughts on
+ Collision Attacks in the Hash Functions Md5, SHA-0
+ and SHA-1", Information Security Institue (ISI),
+ Queensland University of Technology (QUT), Australia.
+
+ [RFC1058] Hedrick, C., "Routing Information Protocol", RFC
+ 1058, June 1988.
+
+ [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC
+ 1321, April 1992.
+
+ [RFC1388] Malkin, G., "RIP Version 2 Carrying Additional
+ Information", RFC 1388, January 1993.
+
+ [RFC1723] Malkin, G., "RIP Version 2 - Carrying Additional
+ Information", RFC 1723, November 1994.
+
+ [RFC1923] Halpern, J. and S. Bradner, "RIPv1 Applicability
+ Statement for Historic Status", RFC 1923, March 1996.
+
+ [RFC2082] Baker, F. and R. Atkinson, "RIP-2 MD5
+ Authentication", RFC 2082, January 1997.
+
+ [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC:
+ Keyed-Hashing for Message Authentication", RFC 2104,
+ February 1997.
+
+ [RFC2154] Murphy, S., Badger, M., and B. Wellington, "OSPF with
+ Digital Signatures", RFC 2154, June 1997.
+
+ [RFC2410] Glenn, R. and S. Kent, "The NULL Encryption Algorithm
+ and Its Use With IPsec", RFC 2410, November 1998.
+
+ [RFC3562] Leech, M., "Key Management Considerations for the TCP
+ MD5 Signature Option", RFC 3562, July 2003.
+
+
+
+
+
+Manral, et al. Informational [Page 19]
+
+RFC 6039 Routing Protocol Protection Issues October 2010
+
+
+ [RFC4270] Hoffman, P. and B. Schneier, "Attacks on
+ Cryptographic Hashes in Internet Protocols", RFC
+ 4270, November 2005.
+
+ [RFC4306] Kaufman, C., Ed., "Internet Key Exchange (IKEv2)
+ Protocol", RFC 4306, December 2005.
+
+ [RFC5709] Bhatia, M., Manral, V., Fanto, M., White, R., Barnes,
+ M., Li, T., and R. Atkinson, "OSPFv2 HMAC-SHA
+ Cryptographic Authentication", RFC 5709, October
+ 2009.
+
+ [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding
+ Detection (BFD)", RFC 5880, June 2010.
+
+ [RFC5881] Katz, D. and D. Ward, "Bidirectional Forwarding
+ Detection (BFD) for IPv4 and IPv6 (Single Hop)", RFC
+ 5881, June 2010.
+
+ [RFC5883] Katz, D. and D. Ward, "Bidirectional Forwarding
+ Detection (BFD) for Multihop Paths", RFC 5883, June
+ 2010.
+
+ [RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP
+ Authentication Option", RFC 5925, June 2010.
+
+ [RR07] Rechberger, C. and V. Rijmen, "On Authentication with
+ HMAC and Non-random Properties", Financial
+ Cryptography and Data Security, Lecture Notes in
+ Computer Science, Volume 4886/2008, Springer-Verlag,
+ Berlin, December 2007.
+
+ [RR08] Rechberger, C. and V. Rijmen, "New Results on
+ NMAC/HMAC when Instantiated with Popular Hash
+ Functions", Journal of Universal Computer Science,
+ Volume 14, Number 3, pp. 347-376, 1 February 2008.
+
+ [TcpWindow] Watson, P., "Slipping in the Window: TCP Reset
+ attacks", Presentation at 2004 CanSecWest,
+ http://cansecwest.com/csw04archive.html.
+
+ [Wang04] Wang, X., et al., "Collisions for Hash Functions MD4,
+ MD5, HAVAL-128 and RIPEMD", August 2004, IACR ePrint
+ Archive, http://eprint.iacr.org/2004/199.
+
+
+
+
+
+
+
+Manral, et al. Informational [Page 20]
+
+RFC 6039 Routing Protocol Protection Issues October 2010
+
+
+ [Wang05] Wang, X., et al., "Finding Collisions in the Full
+ SHA-1", Proceedings of Crypto 2005, Lecture Notes in
+ Computer Science, Volume 3621, pp. 17-36, Springer-
+ Verlag, Berlin, August 31, 2005.
+
+11. Contributor's Address
+
+ Sue Hares
+ NextHop
+ USA
+ EMail: shares@nexthop.com
+
+Authors' Addresses
+
+ Vishwas Manral
+ IP Infusion, Inc.
+ 1188 E. Arques Ave.
+ Sunnyvale, CA 94085
+ EMail: vishwas@ipinfusion.com
+
+ Manav Bhatia
+ Alcatel-Lucent
+ Bangalore
+ India
+ EMail: manav.bhatia@alcatel-lucent.com
+
+ Joel P. Jaeggli
+ Nokia Inc.
+ EMail: joel.jaeggli@nokia.com
+
+ Russ White
+ Cisco Systems
+ RTP North Carolina
+ USA
+ EMail: riw@cisco.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Manral, et al. Informational [Page 21]
+