summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc6518.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc6518.txt')
-rw-r--r--doc/rfc/rfc6518.txt1683
1 files changed, 1683 insertions, 0 deletions
diff --git a/doc/rfc/rfc6518.txt b/doc/rfc/rfc6518.txt
new file mode 100644
index 0000000..a07a174
--- /dev/null
+++ b/doc/rfc/rfc6518.txt
@@ -0,0 +1,1683 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) G. Lebovitz
+Request for Comments: 6518 M. Bhatia
+Category: Informational Alcatel-Lucent
+ISSN: 2070-1721 February 2012
+
+ Keying and Authentication for Routing Protocols (KARP)
+ Design Guidelines
+
+Abstract
+
+ This document is one of a series concerned with defining a roadmap of
+ protocol specification work for the use of modern cryptographic
+ mechanisms and algorithms for message authentication in routing
+ protocols. In particular, it defines the framework for a key
+ management protocol that may be used to create and manage session
+ keys for message authentication and integrity.
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Not all documents
+ approved by the IESG are a candidate for any level of Internet
+ Standard; see Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc6518.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lebovitz & Bhatia Informational [Page 1]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+Copyright Notice
+
+ Copyright (c) 2012 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+Table of Contents
+
+ 1. Introduction ....................................................3
+ 1.1. Conventions Used in This Document ..........................4
+ 2. Categorizing Routing Protocols ..................................5
+ 2.1. Category: Message Transaction Type .........................5
+ 2.2. Category: Peer versus Group Keying .........................6
+ 3. Consider the Future Existence of a Key Management Protocol ......6
+ 3.1. Consider Asymmetric Keys ...................................7
+ 3.2. Cryptographic Keys Life Cycle ..............................8
+ 4. Roadmap .........................................................9
+ 4.1. Work Phases on Any Particular Protocol .....................9
+ 4.2. Work Items per Routing Protocol ...........................11
+ 5. Routing Protocols in Categories ................................13
+ 6. Supporting Incremental Deployment ..............................16
+ 7. Denial-of-Service Attacks ......................................17
+ 8. Gap Analysis ...................................................18
+ 9. Security Considerations ........................................20
+ 9.1. Use Strong Keys ...........................................21
+ 9.2. Internal versus External Operation ........................22
+ 9.3. Unique versus Shared Keys .................................22
+ 9.4. Key Exchange Mechanism ....................................24
+ 10. Acknowledgments ...............................................26
+ 11. References ....................................................26
+ 11.1. Normative References ....................................26
+ 11.2. Informative References ..................................26
+
+
+
+
+
+
+
+
+
+
+Lebovitz & Bhatia Informational [Page 2]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+1. Introduction
+
+ In March 2006, the Internet Architecture Board (IAB) held a workshop
+ on the topic of "Unwanted Internet Traffic". The report from that
+ workshop is documented in RFC 4948 [RFC4948]. Section 8.1 of that
+ document states that "A simple risk analysis would suggest that an
+ ideal attack target of minimal cost but maximal disruption is the
+ core routing infrastructure". Section 8.2 calls for "[t]ightening
+ the security of the core routing infrastructure". Four main steps
+ were identified for that tightening:
+
+ o Increase the security mechanisms and practices for operating
+ routers.
+
+ o Clean up the Internet Routing Registry [IRR] repository, and
+ securing both the database and the access, so that it can be used
+ for routing verifications.
+
+ o Create specifications for cryptographic validation of routing
+ message content.
+
+ o Secure the routing protocols' packets on the wire.
+
+ The first bullet is being addressed in the OPSEC working group. The
+ second bullet should be addressed through liaisons with those running
+ the IRR's globally. The third bullet is being addressed in the SIDR
+ working group.
+
+ This document addresses the last bullet, securing the packets on the
+ wire of the routing protocol exchanges. Thus, it is concerned with
+ guidelines for describing issues and techniques for protecting the
+ messages between directly communicating peers. This may overlap
+ with, but is strongly distinct from, protection designed to ensure
+ that routing information is properly authorized relative to sources
+ of this information. Such authorizations are provided by other
+ mechanisms and are outside the scope of this document and the work
+ that relies on it.
+
+ This document uses the terminology "on the wire" to talk about the
+ information used by routing systems. This term is widely used in
+ RFCs, but is used in several different ways. In this document, it is
+ used to refer both to information exchanged between routing protocol
+ instances and to underlying protocols that may also need to be
+ protected in specific circumstances. Other documents that will
+ analyze individual protocols will need to indicate how they use the
+ term "on the wire".
+
+
+
+
+
+Lebovitz & Bhatia Informational [Page 3]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ The term "routing transport" is used to refer to the layer that
+ exchanges the routing protocols. This can be TCP, UDP, or even
+ direct link-level messaging in the case of some routing protocols.
+ The term is used here to allow a referent for discussing both common
+ and disparate issues that affect or interact with this dimension of
+ the routing systems. The term is used here to refer generally to the
+ set of mechanisms and exchanges underneath the routing protocol,
+ whatever that is in specific cases.
+
+ Keying and Authentication for Routing Protocols (KARP) will focus on
+ an abstraction for keying information that describes the interface
+ between routing protocols, operators, and automated key management.
+ Conceptually, when routing protocols send or receive messages, they
+ will look up the key to use in this abstract key table.
+ Conceptually, there will be an interface for a routing protocol to
+ make requests of automated key management when it is being used; when
+ keys become available, they will be made available in the key table.
+ There is no requirement that this abstraction be used for
+ implementation; the abstraction serves the needs of standardization
+ and management. Specifically, as part of the KARP work plan:
+
+ 1) KARP will design the key table abstraction, the interface between
+ key management protocols and routing protocols, and possibly
+ security protocols at other layers.
+
+ 2) For each routing protocol, KARP will define the mapping between
+ how the protocol represents key material and the protocol-
+ independent key table abstraction. When routing protocols share a
+ common mechanism for authentication, such as the TCP
+ Authentication Option, the same mapping is likely to be reused
+ between protocols. An implementation may be able to move much of
+ the keying logic into code related to this shared authentication
+ primitive rather than code specific to routing protocols.
+
+ 3) When designing automated key management for both symmetric keys
+ and group keys, we will only use the abstractions designed in
+ point 1 above to communicate between automated key management and
+ routing protocols.
+
+ Readers must refer to [THTS-REQS] for a clear definition of the
+ scope, goals, non-goals, and the audience for the design work being
+ undertaken in the KARP WG.
+
+1.1. Conventions Used in This Document
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in RFC 2119 [RFC2119].
+
+
+
+Lebovitz & Bhatia Informational [Page 4]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+2. Categorizing Routing Protocols
+
+ This document places the routing protocols into two categories
+ according to their requirements for authentication. We hope these
+ categories will allow design teams to focus on security mechanisms
+ for a given category. Further, we hope that each protocol in the
+ group will be able to reuse the authentication mechanism. It is also
+ hoped that, down the road, we can create one Key Management Protocol
+ (KMP) per category (if not for several categories), so that the work
+ can be easily leveraged for use in the various routing protocol
+ groupings. KMPs are useful for allowing simple, automated updates of
+ the traffic keys used in a base protocol. KMPs replace the need for
+ humans, or operational support systems (OSS) routines, to
+ periodically replace keys on running systems. It also removes the
+ need for a chain of manual keys to be chosen or configured on such
+ systems. When configured properly, a KMP will enforce the key
+ freshness policy among peers by keeping track of the key's lifetime
+ and negotiating a new key at the defined interval.
+
+2.1. Category: Message Transaction Type
+
+ The first category defines three types of messaging transactions used
+ on the wire by the base routing protocol. They are as follows:
+
+ One-to-One
+
+ One peer router directly and intentionally delivers a route
+ update specifically to one other peer router. Examples are BGP
+ [RFC4271]; LDP [RFC5036]; BFD [RFC5880]; and RSVP-TE [RFC3209],
+ [RFC3473], [RFC4726], and [RFC5151]. Point-to-point modes of
+ both IS-IS [RFC1195] and OSPF [RFC2328], when sent over both
+ traditional point-to-point links and when using multi-access
+ layers, may both also fall into this category.
+
+ One-to-Many
+
+ A router peers with multiple other routers on a single network
+ segment -- i.e., on link local -- such that it creates and
+ sends one route update message that is intended for multiple
+ peers. Examples would be OSPF and IS-IS in their broadcast,
+ non-point-to-point mode and Routing Information Protocol (RIP)
+ [RFC2453].
+
+ Multicast
+
+ Multicast protocols have unique security properties because
+ they are inherently group-based protocols; thus, they have
+ group keying requirements at the routing level where link-local
+
+
+
+Lebovitz & Bhatia Informational [Page 5]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ routing messages are multicasted. Also, at least in the case
+ of Protocol Independent Multicast - Sparse Mode (PIM-SM)
+ [RFC4601], some messages are sent unicast to a given peer(s),
+ as is the case with router-close-to-sender and the "Rendezvous
+ Point". Some work for application-layer message security has
+ been done in the Multicast Security (MSEC) working group and
+ may be helpful to review, but it is not directly applicable.
+
+ These categories affect both the routing protocol view of the
+ communication and the actual message transfer. As a result, some
+ message transaction types for a few routing protocols may be
+ mixtures, for example, using broadcast where multicast might be
+ expected or using unicast to deliver what looks to the routing
+ protocol like broadcast or multicast.
+
+ Protocol security analysis documents produced in the KARP working
+ group need to pay attention both to the semantics of the
+ communication and the techniques that are used for the message
+ exchanges.
+
+2.2. Category: Peer versus Group Keying
+
+ The second category is the keying mechanism that will be used to
+ distribute the session keys to the routing transports. They are as
+ follows:
+
+ Peer Keying
+
+ One router sends the keying messages only to one other router,
+ such that a one-to-one, uniquely keyed security association (SA)
+ is established between the two routers (e.g., BGP, BFD and LDP).
+
+ Group Keying
+
+ One router creates and distributes a single keying message to
+ multiple peers. In this case, a group SA will be established and
+ used among multiple peers simultaneously. Group keying exists for
+ protocols like OSPF [RFC2328] and for multicast protocols like
+ PIM-SM [RFC4601].
+
+3. Consider the Future Existence of a Key Management Protocol
+
+ When it comes time for the KARP WG to design a reusable model for a
+ Key Management Protocol (KMP), [RFC4107] should be consulted.
+
+
+
+
+
+
+
+Lebovitz & Bhatia Informational [Page 6]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ When conducting the design work on a manually keyed version of a
+ routing protocol's authentication mechanism, consideration must be
+ made for the eventual use of a KMP. In particular, design teams must
+ consider what parameters would need to be handed to the routing
+ protocols by a KMP.
+
+ Examples of parameters that might need to be passed are as follows: a
+ security association identifier (e.g., IPsec Security Parameter Index
+ (SPI) or the TCP Authentication Option's (TCP-AO's) KeyID), a key
+ lifetime (which may be represented in either bytes or seconds), the
+ cryptographic algorithms being used, the keys themselves, and the
+ directionality of the keys (i.e., receiving versus the sending keys).
+
+3.1. Consider Asymmetric Keys
+
+ The use of asymmetric keys can be a very powerful way to authenticate
+ machine peers as used in routing protocol peer exchanges. If
+ generated on the machine, and never moved off the machine, these keys
+ will not need to be changed if an administrator leaves the
+ organization. Since the keys are random, they are far less
+ susceptible to off-line dictionary and guessing attacks.
+
+ An easy and simple way to use asymmetric keys is to start by having
+ the router generate a public/private key pair. At the time of this
+ writing, the recommended key size for algorithms based on integer
+ factorization cryptography like RSA is 1024 bits and 2048 bits for
+ extremely valuable keys like the root key pair used by a
+ certification authority. It is believed that a 1024-bit RSA key is
+ equivalent in strength to 80-bit symmetric keys and 2048-bit RSA keys
+ to 112-bit symmetric keys [RFC3766]. Elliptic Curve Cryptography
+ (ECC) [RFC4492] appears to be secure with shorter keys than those
+ needed by other asymmetric key algorithms. National Institute of
+ Standards and Technology (NIST) guidelines [NIST-800-57] state that
+ ECC keys should be twice the length of equivalent strength symmetric
+ key algorithms. Thus, a 224-bit ECC key would roughly have the same
+ strength as a 112-bit symmetric key.
+
+ Many routers have the ability to be remotely managed using Secure
+ Shell (SSH) Protocol [RFC4252] and [RFC4253]. As such, routers will
+ also have the ability to generate and store an asymmetric key pair,
+ because this is the common authentication method employed by SSH when
+ an administrator connects to a router for management sessions.
+
+
+
+
+
+
+
+
+
+Lebovitz & Bhatia Informational [Page 7]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ Once an asymmetric key pair is generated, the KMP generating security
+ association parameters and keys for routing protocol may use the
+ machine's asymmetric keys for the authentication mechanism. The form
+ of the identity proof could be raw keys, the more easily
+ administrable self-signed certificate format, or a PKI-issued
+ [RFC5280] certificate credential.
+
+ Regardless of which credential is standardized, the authentication
+ mechanism can be as simple as a strong hash over a string of human-
+ readable and transferable form of ASCII characters. More complex,
+ but also more secure, the identity proof could be verified through
+ the use of a PKI system's revocation checking mechanism, (e.g.,
+ Certificate Revocation List (CRL) or Online Certificate Status
+ Protocol (OCSP) responder). If the SHA-1 fingerprint is used, the
+ solution could be as simple as loading a set of neighbor routers'
+ peer ID strings into a table and listing the associated fingerprint
+ string for each ID string. In most organizations or peering points,
+ this list will not be longer than a thousand or so routers, and often
+ the list will be much shorter. In other words, the entire list for a
+ given organization's router ID and hash could be held in a router's
+ configuration file, uploaded, downloaded, and moved about at will.
+ Additionally, it doesn't matter who sees or gains access to these
+ fingerprints, because they can be distributed publicly as it needn't
+ be kept secret.
+
+3.2. Cryptographic Keys Life Cycle
+
+ Cryptographic keys should have a limited lifetime and may need to be
+ changed when an operator who had access to them leaves. Using a key
+ chain, a set of keys derived from the same keying material and used
+ one after the other, also does not help as one still has to change
+ all the keys in the key chain when an operator having access to all
+ those keys leaves the company. Additionally, key chains will not
+ help if the routing transport subsystem does not support rolling over
+ to the new keys without bouncing the routing sessions and
+ adjacencies. So the first step is to fix the routing stack so that
+ routing protocols can change keys without breaking or bouncing the
+ adjacencies.
+
+ An often cited reason for limiting the lifetime of a key is to
+ minimize the damage from a compromised key. It could be argued that
+ it is likely a user will not discover an attacker has compromised the
+ key if the attacker remains "passive"; thus, relatively frequent key
+ changes will limit any potential damage from compromised keys.
+
+
+
+
+
+
+
+Lebovitz & Bhatia Informational [Page 8]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ Another threat against the long-lived key is that one of the systems
+ storing the key, or one of the users entrusted with the key, will be
+ subverted. So, while there may not be cryptographic motivations of
+ changing the keys, there could be system security motivations for
+ rolling the key.
+
+ Although manual key distribution methods are subject to human error
+ and frailty, more frequent manual key changes might actually increase
+ the risk of exposure, as it is during the time that the keys are
+ being changed that they are likely to be disclosed. In these cases,
+ especially when very strong cryptography is employed, it may be more
+ prudent to have fewer, well-controlled manual key distributions
+ rather than more frequent, poorly controlled manual key
+ distributions. In general, where strong cryptography is employed,
+ physical, procedural, and logical access protection considerations
+ often have more impact on the key life than do algorithm and key size
+ factors.
+
+ For incremental deployments, we could start by associating life times
+ with the send and the receive keys in the key chain for the long-
+ lived keys. This is an incremental approach that we could use until
+ the cryptographic keying material for individual sessions is derived
+ from the keying material stored in a database of long-lived
+ cryptographic keys as described in [CRPT-TAB]. A key derivation
+ function (KDF) and its inputs are also specified in the database of
+ long-lived cryptographic keys; session-specific values based on the
+ routing protocol are input to the KDF. Protocol-specific key
+ identifiers may be assigned to the cryptographic keying material for
+ individual sessions if needed.
+
+ The long-lived cryptographic keys used by the routing protocols can
+ either be inserted manually in a database or make use of an automated
+ key management protocol to do this.
+
+4. Roadmap
+
+4.1. Work Phases on Any Particular Protocol
+
+ It is believed that improving security for any routing protocol will
+ be a two-phase process. The first phase would be to modify routing
+ protocols to support modern cryptography algorithms and key agility.
+ The second phase would be to design and move to an automated key
+ management mechanism. This is like a crawl, walk, and run process.
+ In order for operators to accept these phases, we believe that the
+ key management protocol should be clearly separated from the routing
+ transport. This would mean that the routing transport subsystem is
+ oblivious to how the keys are derived, exchanged, and downloaded as
+ long as there is something that it can use. It is like having a
+
+
+
+Lebovitz & Bhatia Informational [Page 9]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ routing-protocol-configuration switch that requests the security
+ module for the "KARP security parameters" so that it can refer to
+ some module written, maintained, and operated by security experts and
+ insert those parameters in the routing exchange.
+
+ The desired end state for the KARP work contains several items.
+ First, the people desiring to deploy securely authenticated and
+ integrity validated packets between routing peers have the tools
+ specified, implemented, and shipped in order to deploy. These tools
+ should be fairly simple to implement and not more complex than the
+ security mechanisms to which the operators are already accustomed.
+ (Examples of security mechanisms to which router operators are
+ accustomed include: the use of asymmetric keys for authentication in
+ SSH for router configuration, the use of pre-shared keys (PSKs) in
+ TCP MD5 for BGP protection, the use of self-signed certificates for
+ HTTP Secure (HTTPS) access to device Web-based user interfaces, the
+ use of strongly constructed passwords and/or identity tokens for user
+ identification when logging into routers and management systems.)
+ While the tools that we intend to specify may not be able to stop a
+ deployment from using "foobar" as an input key for every device
+ across their entire routing domain, we intend to make a solid, modern
+ security system that is not too much more difficult than that. In
+ other words, simplicity and deployability are keys to success. The
+ routing protocols will specify modern cryptographic algorithms and
+ security mechanisms. Routing peers will be able to employ unique,
+ pair-wise keys per peering instance, with reasonable key lifetimes,
+ and updating those keys on a regular basis will be operationally
+ easy, causing no service interruption.
+
+ Achieving the above described end state using manual keys may be
+ pragmatic only in very small deployments. However, manual keying in
+ larger deployments will be too burdensome for operators. Thus, the
+ second goal is to support key life cycle management with a KMP. We
+ expect that both manual and automated key management will coexist in
+ the real world.
+
+ In accordance with the desired end state just described, we define
+ two main work phases for each routing protocol:
+
+ 1. Enhance the routing protocol's current authentication
+ mechanism(s). This work involves enhancing a routing protocol's
+ current security mechanisms in order to achieve a consistent,
+ modern level of security functionality within its existing key
+ management framework. It is understood and accepted that the
+ existing key management frameworks are largely based on manual
+ keys. Since many operators have already built operational
+ support systems (OSS) around these manual key implementations,
+ there is some automation available for an operator to leverage in
+
+
+
+Lebovitz & Bhatia Informational [Page 10]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ that way, if the underlying mechanisms are themselves secure. In
+ this phase, we explicitly exclude embedding or creating a KMP.
+ Refer to [THTS-REQS] for the list of the requirements for Phase 1
+ work.
+
+ 2. Develop an automated key management framework. The second phase
+ will focus on the development of an automated keying framework to
+ facilitate unique pair-wise (group-wise, where applicable) keys
+ per peering instance. This involves the use of a KMP. The use
+ of automatic key management mechanisms offers a number of
+ benefits over manual keying. Most important, it provides fresh
+ traffic keying material for each session, thus helping to prevent
+ inter-connection replay attacks. In an inter-connection replay
+ attack, protocol packets from the earlier protocol session are
+ replayed affecting the current execution of the protocol. A KMP
+ is also helpful because it negotiates unique, pair-wise, random
+ keys, without administrator involvement. It negotiates several
+ SA parameters like algorithms, modes, and parameters required for
+ the secure connection, thus providing interoperability between
+ endpoints with disparate capabilities and configurations. In
+ addition it could also include negotiating the key lifetimes.
+ The KMP can thus keep track of those lifetimes using counters and
+ can negotiate new keys and parameters before they expire, again,
+ without administrator interaction. Additionally, in the event of
+ a breach, changing the KMP key will immediately cause a rekey to
+ occur for the traffic key, and those new traffic keys will be
+ installed and used in the current connection. In summary, a KMP
+ provides a protected channel between the peers through which they
+ can negotiate and pass important data required to exchange proof
+ of identities, derive traffic keys, determine rekeying,
+ synchronize their keying state, signal various keying events,
+ notify with error messages, etc.
+
+4.2. Work Items per Routing Protocol
+
+ Each routing protocol will have a team (the Routing_Protocol-KARP
+ team, e.g., the OSPF-KARP team) working on incrementally improving
+ the security of a routing protocol. These teams will have the
+ following main work items:
+
+ PHASE 1:
+
+ Characterize the Routing Protocol
+
+ Assess the routing protocol to see what authentication and
+ integrity mechanisms it has today. Does it need significant
+ improvement to its existing mechanisms or not? This will
+
+
+
+
+Lebovitz & Bhatia Informational [Page 11]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ include determining if modern, strong security algorithms and
+ parameters are present and if the protocol supports key agility
+ without bouncing adjacencies.
+
+ Define Optimal State
+
+ List the requirements for the routing protocol's session key
+ usage and format to contain modern, strong security algorithms
+ and mechanisms, per the Requirements document [THTS-REQS]. The
+ goal here is to determine what is needed for the routing
+ protocol to be used securely with at least manual key
+ management.
+
+ Gap Analysis
+
+ Enumerate the requirements for this protocol to move from its
+ current security state, the first bullet, to its optimal state,
+ as listed just above.
+
+ Transition and Deployment Considerations
+
+ Document the operational transition plan for moving from the
+ old to the new security mechanism. Will adjacencies need to
+ bounce? What new elements/servers/services in the
+ infrastructure will be required? What is an example work flow
+ that an operator will take? The best possible case is if the
+ adjacency does not break, but this may not always be possible.
+
+ Define, Assign, Design
+
+ Create a deliverables list of the design and specification
+ work, with milestones. Define owners. Release one or more
+ documents.
+
+ PHASE 2:
+
+ KMP Analysis
+
+ Review requirements for KMPs. Identify any nuances for this
+ particular routing protocol's needs and its use cases for a
+ KMP. List the requirements that this routing protocol has for
+ being able to be used in conjunction with a KMP. Define the
+ optimal state and check how easily it can be decoupled from the
+ KMP.
+
+
+
+
+
+
+
+Lebovitz & Bhatia Informational [Page 12]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ Gap Analysis
+
+ Enumerate the requirements for this protocol to move from its
+ current security state to its optimal state, with respect to
+ the key management.
+
+ Define, Assign, Design
+
+ Create a deliverables list of the design and specification
+ work, with milestones. Define owners. Generate the design and
+ document work for a KMP to be able to generate the routing
+ protocol's session keys for the packets on the wire. These
+ will be the arguments passed in the API to the KMP in order to
+ bootstrap the session keys for the routing protocol.
+
+ There will also be a team formed to work on the base framework
+ mechanisms for each of the main categories.
+
+5. Routing Protocols in Categories
+
+ This section groups the routing protocols into categories according
+ to attributes set forth in the Categories' Section (Section 2). Each
+ group will have a design team tasked with improving the security of
+ the routing protocol mechanisms and defining the KMP requirements for
+ their group, then rolling both into a roadmap document upon which
+ they will execute.
+
+ BGP, LDP, PCEP, and MSDP
+
+ These routing protocols fall into the category of the one-to-one
+ peering messages and will use peer keying protocols. Border
+ Gateway Protocol (BGP) [RFC4271], Path Computation Element
+ Communication Protocol (PCEP) [RFC5440], and Multicast Source
+ Discovery Protocol (MSDP) [RFC3618] messages are transmitted over
+ TCP, while Label Distribution Protocol (LDP) [RFC5036] uses both
+ UDP and TCP. A team will work on one mechanism to cover these TCP
+ unicast protocols. Much of the work on the routing protocol
+ update for its existing authentication mechanism has already
+ occurred in the TCPM working group, on the TCP-AO [RFC5925]
+ document, as well as its cryptography-helper document, TCP-AO-
+ CRYPTO [RFC5926]. However, TCP-AO cannot be used for discovery
+ exchanges carried in LDP as those are carried over UDP. A
+ separate team might want to look at LDP. Another exception is the
+ mode where LDP is used directly on the LAN. The work for this may
+ go into the group keying category (along with OSPF) as mentioned
+ below.
+
+
+
+
+
+Lebovitz & Bhatia Informational [Page 13]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ OSPF, IS-IS, and RIP
+
+ The routing protocols that fall into the category group keying
+ (with one-to-many peering) includes OSPF [RFC2328], IS-IS
+ [RFC1195] and RIP [RFC2453]. Not surprisingly, all these routing
+ protocols have two other things in common. First, they are run on
+ a combination of the OSI datalink Layer 2, and the OSI network
+ Layer 3. By this we mean that they have a component of how the
+ routing protocol works, which is specified in Layer 2 as well as
+ in Layer 3. Second, they are all internal gateway protocols
+ (IGPs). The keying mechanisms will be much more complicated to
+ define for these than for a one-to-one messaging protocol.
+
+ BFD
+
+ Because it is less of a routing protocol, per se, and more of a
+ peer liveness detection mechanism, Bidirectional Forwarding
+ Detection (BFD) [RFC5880] will have its own team. BFD is also
+ different from the other protocols covered here as it works on
+ millisecond timers and would need separate considerations to
+ mitigate the potential for Denial-of-Service (DoS) attacks. It
+ also raises interesting issues [RFC6039] with respect to the
+ sequence number scheme that is generally deployed to protect
+ against replay attacks as this space can roll over quite
+ frequently because of the rate at which BFD packets are generated.
+
+ RSVP and RSVP-TE
+
+ The Resource reSerVation Protocol (RSVP) [RFC2205] allows hop-by-
+ hop authentication of RSVP neighbors, as specified in [RFC2747].
+ In this mode, an integrity object is attached to each RSVP message
+ to transmit a keyed message digest. This message digest allows
+ the recipient to verify the identity of the RSVP node that sent
+ the message and to validate the integrity of the message. Through
+ the inclusion of a sequence number in the scope of the digest, the
+ digest also offers replay protection.
+
+ [RFC2747] does not dictate how the key for the integrity operation
+ is derived. Currently, most implementations of RSVP use a
+ statically configured key, on a per-interface or per-neighbor
+ basis.
+
+ RSVP relies on a per-peer authentication mechanism where each hop
+ authenticates its neighbor using a shared key or a certificate.
+
+ Trust in this model is transitive. Each RSVP node trusts,
+ explicitly, only its RSVP next-hop peers through the message
+ digest contained in the INTEGRITY object [RFC2747]. The next-hop
+
+
+
+Lebovitz & Bhatia Informational [Page 14]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ RSVP speaker, in turn, trusts its own peers, and so on. See also
+ the document "RSVP Security Properties" [RFC4230] for more
+ background.
+
+ The keys used for protecting the RSVP messages can be group keys
+ (for example, distributed via the Group Domain of Interpretation
+ (GDOI) [RFC6407], as discussed in [GDOI-MAC]).
+
+ The trust an RSVP node has with another RSVP node has an explicit
+ and implicit component. Explicitly, the node trusts the other
+ node to maintain the integrity (and, optionally, the
+ confidentiality) of RSVP messages depending on whether
+ authentication or encryption (or both) are used. This means that
+ the message has not been altered or its contents seen by another,
+ non-trusted node. Implicitly, each node trusts the other node to
+ maintain the level of protection specified within that security
+ domain. Note that in any group key management scheme, like GDOI,
+ each node trusts all the other members of the group with regard to
+ data origin authentication.
+
+ RSVP-TE [RFC3209], [RFC3473], [RFC4726], and [RFC5151] is an
+ extension of the RSVP protocol for traffic engineering. It
+ supports the reservation of resources across an IP network and is
+ used for establishing MPLS label switch paths (LSPs), taking into
+ consideration network constraint parameters such as available
+ bandwidth and explicit hops. RSVP-TE signaling is used to
+ establish both intra- and inter-domain TE LSPs.
+
+ When signaling an inter-domain RSVP-TE LSP, operators may make use
+ of the security features already defined for RSVP-TE [RFC3209].
+ This may require some coordination between domains to share keys
+ ([RFC2747][RFC3097]), and care is required to ensure that the keys
+ are changed sufficiently frequently. Note that this may involve
+ additional synchronization, should the domain border nodes be
+ protected with Fast Reroute, since the merge point (MP) and point
+ of local repair (PLR) should also share the key.
+
+ For inter-domain signaling for MPLS-TE, the administrators of
+ neighboring domains must satisfy themselves as to the existence of
+ a suitable trust relationship between the domains. In the absence
+ of such a relationship, the administrators should decide not to
+ deploy inter-domain signaling and should disable RSVP-TE on any
+ inter-domain interfaces.
+
+ KARP will currently be working only on RSVP-TE, as the native RSVP
+ lies outside the scope of the WG charter.
+
+
+
+
+
+Lebovitz & Bhatia Informational [Page 15]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ PIM-SM and PIM-DM
+
+ Finally, the multicast protocols Protocol Independent Multicast -
+ Sparse Mode (PIM-SM) [RFC4601] and Protocol Independent Multicast
+ - Dense Mode (PIM-DM) [RFC3973] will be grouped together. PIM-SM
+ multicasts routing information (Hello, Join/Prune, Assert) on a
+ link-local basis, using a defined multicast address. In addition,
+ it specifies unicast communication for exchange of information
+ (Register, Register-Stop) between the router closest to a group
+ sender and the "Rendezvous Point". The Rendezvous Point is
+ typically not "on-link" for a particular router. While much work
+ has been done on multicast security for application-layer groups,
+ little has been done to address the problem of managing hundreds
+ or thousands of small one-to-many groups with link-local scope.
+ Such an authentication mechanism should be considered along with
+ the router-to-Rendezvous Point authentication mechanism. The most
+ important issue is ensuring that only the "authorized neighbors"
+ get the keys for source/group (S,G), so that rogue routers cannot
+ participate in the exchanges. Another issue is that some of the
+ communication may occur intra-domain, e.g., the link-local
+ messages in an enterprise, while others for the same (*,G) may
+ occur inter-domain, e.g., the router-to-Rendezvous Point messages
+ may be from one enterprise's router to another.
+
+ One possible solution proposes a region-wide "master" key server
+ (possibly replicated), and one "local" key server per speaking
+ router. There is no issue with propagating the messages outside
+ the link, because link-local messages, by definition, are not
+ forwarded. This solution is offered only as an example of how
+ work may progress; further discussion should occur in this work
+ team. Specification of a link-local protection mechanism for PIM-
+ SM is defined in [RFC4601], and this mechanism has been updated in
+ PIM-SM-LINKLOCAL [RFC5796]. However, the KMP part is completely
+ unspecified and will require work outside the expertise of the PIM
+ working group to accomplish, another example of why this roadmap
+ is being created.
+
+6. Supporting Incremental Deployment
+
+ It is imperative that the new authentication and security mechanisms
+ defined support incremental deployment, as it is not feasible to
+ deploy a new routing protocol authentication mechanism throughout the
+ network instantaneously. One of the goals of the KARP WG is to add
+ incremental security to existing mechanisms rather than replacing
+ them. Delivering better deployable solutions to which vendors and
+ operators can migrate is more important than getting a perfect
+ security solution. It may also not be possible to deploy such a
+ mechanism to all routers in a large Autonomous System (AS) at one
+
+
+
+Lebovitz & Bhatia Informational [Page 16]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ time. This means that the designers must work on this aspect of the
+ authentication mechanism for the routing protocol on which they are
+ working. The mechanisms must provide backward compatibility in the
+ message formatting, transmission, and processing of routing
+ information carried through a mixed security environment.
+
+7. Denial-of-Service Attacks
+
+ DoS attacks must be kept in mind when designing KARP solutions.
+ [THTS-REQS] describes DoS attacks that are in scope for the KARP
+ work. Protocol designers should ensure that the new cryptographic
+ validation mechanisms must not provide an attacker with an
+ opportunity for DoS attacks. Cryptographic validation, while
+ typically cheaper than signing, is still an incremental cost. If an
+ attacker can force a system to validate many packets multiple times,
+ then this could be a potential DoS attack vector. On the other hand,
+ if the authentication procedure is itself quite CPU intensive, then
+ overwhelming the CPU with multiple bogus packets can bring down the
+ system. In this case, the authentication procedure itself aids the
+ DoS attack.
+
+ There are some known techniques to reduce the cryptographic
+ computation load. Packets can include non-cryptographic consistency
+ checks. For example, [RFC5082] provides a mechanism that uses the IP
+ header to limit the attackers that can inject packets that will be
+ subject to cryptographic validation. In the design, Phase 2, once an
+ automated key management protocol is developed, it may be possible to
+ determine the peer IP addresses that are valid participants. Only
+ the packets from the verified sources could be subject to
+ cryptographic validation.
+
+ Protocol designers must ensure that a device never needs to check
+ incoming protocol packets using multiple keys, as this can overwhelm
+ the CPU, leading to a DoS attack. KARP solutions should indicate the
+ checks that are appropriate prior to performing cryptographic
+ validation. KARP solutions should indicate where information about
+ valid neighbors can be used to limit the scope of the attacks.
+
+ Particular care needs to be paid to the design of automated key
+ management schemes. It is often desirable to force a party
+ attempting to authenticate to do work and to maintain state until
+ that work is done. That is, the initiator of the authentication
+ should maintain the cost of any state required by the authentication
+ for as long as possible. This also helps when an attacker sends an
+ overwhelming load of keying protocol initiations from bogus sources.
+
+
+
+
+
+
+Lebovitz & Bhatia Informational [Page 17]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ Another important class of attack is denial of service against the
+ routing protocol where an attacker can manipulate either the routing
+ protocol or the cryptographic authentication mechanism to disrupt
+ routing adjacencies.
+
+ Without KARP solutions, many routing protocols are subject to
+ disruption simply by injecting an invalid packet or a packet for the
+ wrong state. Even with cryptographic validation, replay attacks are
+ often a vector where a previously valid packet can be injected to
+ create a denial of service. KARP solutions should prevent all cases
+ where packet replays or other packet injections by an outsider can
+ disrupt routing sessions.
+
+ Some residual denial-of-service risk is always likely. If an
+ attacker can generate a large enough number of packets, the routing
+ protocol can get disrupted. Even if the routing protocol is not
+ disrupted, the loss rate on a link may rise to a point where claiming
+ that traffic can successfully be routed across the link will be
+ inaccurate.
+
+8. Gap Analysis
+
+ The [THTS-REQS] document lists the generic requirements for the
+ security mechanisms that must exist for the various routing protocols
+ that come under the purview of KARP. There will be different design
+ teams working for each of the categories of routing protocols
+ defined.
+
+ To start, design teams must review the "Threats and Requirements for
+ Authentication of routing protocols" document [THTS-REQS]. This
+ document contains detailed descriptions of the threat analysis for
+ routing protocol authentication and integrity in general. Note that
+ it does not contain all the authentication-related threats for any
+ one routing protocol, or category of routing protocols. The design
+ team must conduct a protocol-specific threat analysis to determine if
+ threats beyond those in the [THTS-REQS] document arise in the context
+ of the protocol (group) and to describe those threats.
+
+ The [THTS-REQS] document also contains many security requirements.
+ Each routing protocol design team must walk through each section of
+ the requirements and determine one by one how its protocol either
+ does or does not relate to each requirement.
+
+ Examples include modern, strong, cryptographic algorithms, with at
+ least one such algorithm listed as a MUST, algorithm agility, secure
+ use of simple PSKs, intra-connection replay protection, inter-
+ connection replay protection, etc.
+
+
+
+
+Lebovitz & Bhatia Informational [Page 18]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ When doing the gap analysis, we must first identify the elements of
+ each routing protocol that we wish to protect. In case of protocols
+ riding on top of IP, we might want to protect the IP header and the
+ protocol headers, while for those that work on top of TCP, it will be
+ the TCP header and the protocol payload. There is patently value in
+ protecting the IP header and the TCP header if the routing protocols
+ rely on these headers for some information (for example, identifying
+ the neighbor that originated the packet).
+
+ Then, there will be a set of cryptography requirements that we might
+ want to look at. For example, there must be at least one set of
+ cryptographic algorithms (MD5, SHA, etc.) or constructions (Hashed
+ MAC (HMAC), etc.) whose use is supported by all implementations and
+ can be safely assumed to be supported by any implementation of the
+ authentication option. The design teams should look for the protocol
+ on which they are working. If such algorithms or constructions are
+ not available, then some should be defined to support
+ interoperability by having a single default.
+
+ Design teams must ensure that the default cryptographic algorithms
+ and constructions supported by the routing protocols are accepted by
+ the community. This means that the protocols must not rely on non-
+ standard or ad hoc hash functions, keyed-hash constructions,
+ signature schemes, or other functions, and they must use published
+ and standard schemes.
+
+ Care should also be taken to ensure that the routing protocol
+ authentication scheme has algorithm agility (i.e., it is capable of
+ supporting algorithms other than its defaults). Ideally, the
+ authentication mechanism should not be affected by packet loss and
+ reordering.
+
+ Design teams should ensure that their protocol's authentication
+ mechanism is able to accommodate rekeying. This is essential since
+ it is well known that keys must periodically be changed. Also, what
+ the designers must ensure is that this rekeying event should not
+ affect the functioning of the routing protocol. For example, OSPF
+ rekeying requires coordination among the adjacent routers, while IS-
+ IS requires coordination among routers in the entire domain.
+
+ If new authentication and security mechanisms are needed, then the
+ design teams must design in such a manner that the routing protocol
+ authentication mechanism remains oblivious to how the keying material
+ is derived. This decouples the authentication mechanism from the key
+ management system that is employed.
+
+
+
+
+
+
+Lebovitz & Bhatia Informational [Page 19]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ Design teams should also note that many routing protocols require
+ prioritized treatment of certain protocol packets and authentication
+ mechanisms should honor this.
+
+ Not all routing protocol authentication mechanisms provide support
+ for replay attacks, and the design teams should identify such
+ authentication mechanisms and work on them so that this can get
+ fixed. The design teams must look at the protocols that they are
+ working on and see if packets captured from the previous/stale
+ sessions can be replayed.
+
+ What might also influence the design is the rate at which the
+ protocol packets are originated. In case of protocols like BFD,
+ where packets are originated at millisecond intervals, there are some
+ special considerations that must be kept in mind when defining the
+ new authentication and security mechanisms.
+
+ The designers should also consider whether the current authentication
+ mechanisms impose considerable processing overhead on a router that's
+ doing authentication. Most currently deployed routers do not have
+ hardware accelerators for cryptographic processing and these
+ operations can impose a significant processing burden under some
+ circumstances. The proposed solutions should be evaluated carefully
+ with regard to the processing burden that they will impose, since
+ deployment may be impeded if network operators perceive that a
+ solution will impose a processing burden which either entails
+ substantial capital expenses or threatens to destabilize the routers.
+
+9. Security Considerations
+
+ As mentioned in the Introduction, RFC 4948 [RFC4948] identifies
+ additional steps needed to achieve the overall goal of improving the
+ security of the core routing infrastructure. Those include
+ validation of route origin announcements, path validation, cleaning
+ up the IRR databases for accuracy, and operational security practices
+ that prevent routers from becoming compromised devices. The KARP
+ work is but one step needed to improve core routing infrastructure.
+
+ The security of cryptographic-based systems depends on both the
+ strength of the cryptographic algorithms chosen and the strength of
+ the keys used with those algorithms. The security also depends on
+ the engineering of the protocol used by the system to ensure that
+ there are no non-cryptographic ways to bypass the security of the
+ overall system.
+
+
+
+
+
+
+
+Lebovitz & Bhatia Informational [Page 20]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+9.1. Use Strong Keys
+
+ Care should be taken to ensure that the selected key is
+ unpredictable, avoiding any keys known to be weak for the algorithm
+ in use. [RFC4086] contains helpful information on both key
+ generation techniques and cryptographic randomness.
+
+ Care should also be taken when choosing the length of the key.
+ [RFC3766] provides some additional information on asymmetric and
+ symmetric key sizes and how they relate to system requirements for
+ attack resistance.
+
+ In addition to using a key of appropriate length and randomness,
+ deployers of KARP should use different keys between different routing
+ peers whenever operationally possible. This is especially true when
+ the routing protocol takes a static traffic key as opposed to a
+ traffic key derived on a per-connection basis using a KDF. The
+ burden for doing so is understandably much higher than using the same
+ static traffic key across all peering routers. Depending upon the
+ specific KMP, it can be argued that generally using a KMP network-
+ wide increases peer-wise security. Consider an attacker that learns
+ or guesses the traffic key used by two peer routers: if the traffic
+ key is only used between those two routers, then the attacker has
+ only compromised that one connection not the entire network.
+
+ However whenever using manual keys, it is best to design a system
+ where a given pre-shared key (PSK) will be used in a KDF mixed with
+ connection-specific material, in order to generate session unique --
+ and therefore peer-wise -- traffic keys. Doing so has the following
+ advantages: the traffic keys used in the per-message authentication
+ mechanism are peer-wise unique, it provides inter-connection replay
+ protection, and if the per-message authentication mechanism covers
+ some connection counter, intra-connection replay protection.
+
+ Note that certain key derivation functions (e.g., KDF_AES_128_CMAC)
+ as used in TCP-AO [RFC5926], the pseudorandom function (PRF) used in
+ the KDF may require a key of a certain fixed size as an input.
+
+ For example, AES_128_CMAC requires a 128-bit (16-byte) key as the
+ seed. However, for the convenience of the administrators, a
+ specification may not want to require the entry of a PSK be of
+ exactly 16 bytes. Instead, a specification may call for a key prep
+ routine that could handle a variable-length PSK, one that might be
+ less or more than 16 bytes (see [RFC4615], Section 3, as an example).
+ That key prep routine would derive a key of exactly the required
+ length, thus, be suitable as a seed to the PRF. This does NOT mean
+ that administrators are safe to use weak keys. Administrators are
+ encouraged to follow [RFC4086] [NIST-800-118]. We simply attempted
+
+
+
+Lebovitz & Bhatia Informational [Page 21]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ to "put a fence around stupidity", as much as possible as it's hard
+ to imagine administrators putting in a password that is, say 16 bytes
+ in length.
+
+ A better option, from a security perspective, is to use some
+ representation of a device-specific asymmetric key pair as the
+ identity proof, as described in section "Unique versus Shared Keys"
+ section.
+
+9.2. Internal versus External Operation
+
+ Design teams must consider whether the protocol is an internal
+ routing protocol or an external one, i.e., does it primarily run
+ between peers within a single domain of control or between two
+ different domains of control? Some protocols may be used in both
+ cases, internally and externally, and as such, various modes of
+ authentication operation may be required for the same protocol.
+ While it is preferred that all routing exchanges run with the best
+ security mechanisms enabled in all deployment contexts, this
+ exhortation is greater for those protocols running on inter-domain
+ point-to-point links. It is greatest for those on shared access link
+ layers with several different domains interchanging together, because
+ the volume of attackers are greater from the outside. Note however,
+ that the consequences of internal attacks maybe no less severe -- in
+ fact, they may be quite a bit more severe -- than an external attack.
+ An example of this internal versus external consideration is BGP,
+ which has both EBGP and IBGP modes. Another example is a multicast
+ protocol where the neighbors are sometimes within a domain of control
+ and sometimes at an inter-domain exchange point. In the case of PIM-
+ SM running on an internal multi-access link, it would be acceptable
+ to give up some security to get some convenience by using a group key
+ among the peers on the link. On the other hand, in the case of PIM-
+ SM running over a multi-access link at a public exchange point,
+ operators may favor security over convenience by using unique pair-
+ wise keys for every peer. Designers must consider both modes of
+ operation and ensure the authentication mechanisms fit both.
+
+ Operators are encouraged to run cryptographic authentication on all
+ their adjacencies, but to work from the outside in, i.e., External
+ BGP (EBGP) links are a higher priority than the Internal BGP (IBGP)
+ links because they are externally facing, and, as a result, more
+ likely to be targeted in an attack.
+
+9.3. Unique versus Shared Keys
+
+ This section discusses security considerations regarding when it is
+ appropriate to use the same authentication key inputs for multiple
+ peers and when it is not. This is largely a debate of convenience
+
+
+
+Lebovitz & Bhatia Informational [Page 22]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ versus security. It is often the case that the best secured
+ mechanism is also the least convenient mechanism. For example, an
+ air gap between a host and the network absolutely prevents remote
+ attacks on the host, but having to copy and carry files using the
+ "sneaker net" is quite inconvenient and does not scale.
+
+ Operators have erred on the side of convenience when it comes to
+ securing routing protocols with cryptographic authentication. Many
+ do not use it at all. Some use it only on external links, but not on
+ internal links. Those that do use it often use the same key for all
+ peers in a network. It is common to see the same key in use for
+ years, e.g., the key was entered when authentication mechanisms were
+ originally configured or when the routing gear was deployed.
+
+ One goal for designers is to create authentication and integrity
+ mechanisms that are easy for operators to deploy and manage, and
+ still use unique keys between peers (or small groups on multi-access
+ links) and for different sessions among the same peers. Operators
+ have the impression that they NEED one key shared across the network,
+ when, in fact, they do not. What they need is the relative
+ convenience they experience from deploying cryptographic
+ authentication with one key (or a few keys) compared to the
+ inconvenience they would experience if they deployed the same
+ authentication mechanism using unique pair-wise keys. An example is
+ BGP route reflectors. Here, operators often use the same
+ authentication key between each client and the route reflector. The
+ roadmaps defined from this guidance document should allow for unique
+ keys to be used between each client and the peer, without sacrificing
+ much convenience. Designers should strive to deliver peer-wise
+ unique keying mechanisms with similar ease-of-deployment properties
+ as today's one-key method.
+
+ Operators must understand the consequences of using the same key
+ across many peers. One argument against using the same key is that
+ if the same key that is used in multiple devices, then a compromise
+ of any one of the devices will expose the key. Also, since the same
+ key is supported on many devices, this is known by many people, which
+ affects its distribution to all of the devices.
+
+ Consider also the attack consequence size, the amount of routing
+ adjacencies that can be negatively affected once a breach has
+ occurred, i.e., once the keys have been acquired by the attacker.
+
+ Again, if a shared key is used across the internal domain, then the
+ consequence size is the whole network. Ideally, unique key pairs
+ would be used for each adjacency.
+
+
+
+
+
+Lebovitz & Bhatia Informational [Page 23]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ In some cases, use of shared keys is needed because of the problem
+ space. For example, a multicast packet is sent once but then
+ consumed by several routing neighbors. If unique keys were used per
+ neighbor, the benefit of multicast would be erased because the sender
+ would have to create a different announcement packet for each
+ receiver. Though this may be desired and acceptable in some small
+ number of use cases, it is not the norm. Shared (i.e., group) keys
+ are an acceptable solution here, and much work has been done already
+ in this area (by the MSEC working group).
+
+9.4. Key Exchange Mechanism
+
+ This section discusses the security and use case considerations for
+ key exchange for routing protocols. Two options exist: an out-of-
+ band mechanism or a KMP. An out-of-band mechanism involves operators
+ configuring keys in the device through a configuration tool or
+ management method (e.g., Simple Network Management Protocol (SNMP),
+ Network Configuration Protocol (NETCONF)). A KMP is an automated
+ protocol that exchanges keys without operator intervention. KMPs can
+ occur either in-band to the routing protocol or out-of-band to the
+ routing protocol (i.e., a different protocol).
+
+ An example of an out-of-band configuration mechanism could be an
+ administrator who makes a remote management connection (e.g., using
+ SSH) to a router and manually enters the keying information, e.g.,
+ the algorithm, the key(s), the key lifetimes, etc. Another example
+ could be an OSS system that inputs the same information by using a
+ script over an SSH connection or by pushing configuration through
+ some other management connection, standard (NETCONF-based) or
+ proprietary.
+
+ The drawbacks of an out-of-band configuration mechanism include lack
+ of scalability, complexity, and speed of changing if a security
+ breach is suspected. For example, if an employee who had access to
+ keys was terminated, or if a machine holding those keys was believed
+ to be compromised, then the system would be considered insecure and
+ vulnerable until new keys were generated and distributed. Those keys
+ then need to be placed into the OSS system, and the OSS system then
+ needs to push the new keys -- often during a very limited change
+ window -- into the relevant devices. If there are multiple
+ organizations involved in these connections, because the protected
+ connections are inter-domain, this process is very complicated.
+
+ The principle benefit of out-of-band configuration mechanism is that
+ once the new keys/parameters are set in OSS system, they can be
+ pushed automatically to all devices within the OSS's domain.
+
+
+
+
+
+Lebovitz & Bhatia Informational [Page 24]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ Operators have mechanisms in place for this already for managing
+ other router configuration data. In small environments with few
+ routers, a manual system is not difficult to employ.
+
+ We further define a peer-to-peer KMP as using cryptographically
+ protected identity verification, session key negotiation, and
+ security association parameter negotiation between the two routing
+ peers. The KMP among peers may also include the negotiation of
+ parameters, like cryptographic algorithms, cryptographic inputs
+ (e.g., initialization vectors), key lifetimes, etc.
+
+ There are several benefits of a peer-to-peer KMP versus centrally
+ managed and distributing keys. It results in key(s) that are
+ privately generated, and it need not be recorded permanently
+ anywhere. Since the traffic keys used in a particular connection are
+ not a fixed part of a device configuration, no security sensitive
+ data exists anywhere else in the operator's systems that can be
+ stolen, e.g., in the case of a terminated or turned employee. If a
+ server or other data store is stolen or compromised, the thieves gain
+ limited or no access to current traffic keys. They may gain access
+ to key derivation material, like a PSK, but may not be able to access
+ the current traffic keys in use. In this example, these PSKs can be
+ updated in the device configurations (either manually or through an
+ OSS) without bouncing or impacting the existing session at all. In
+ the case of using raw asymmetric keys or certificates, instead of
+ PSKs, the data theft (from the data store) would likely not result in
+ any compromise, as the key pairs would have been generated on the
+ routers and never leave those routers. In such a case, no changes
+ are needed on the routers; the connections will continue to be
+ secure, uncompromised. Additionally, with a KMP, regular rekey
+ operations occur without any operator involvement or oversight. This
+ keeps keys fresh.
+
+ There are a few drawbacks to using a KMP. First, a KMP requires more
+ cryptographic processing for the router at the beginning of a
+ connection. This will add some minor start-up time to connection
+ establishment versus a purely manual key management approach. Once a
+ connection with traffic keys has been established via a KMP, the
+ performance is the same in the KMP and the out-of-band configuration
+ case. KMPs also add another layer of protocol and configuration
+ complexity, which can fail or be misconfigured. This was more of an
+ issue when these KMPs were first deployed, but less so as these
+ implementations and operational experience with them have matured.
+
+ One of the goals for KARP is to develop a KMP; an out-of-band
+ configuration protocol for key exchange is out of scope.
+
+
+
+
+
+Lebovitz & Bhatia Informational [Page 25]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ Within this constraint, there are two approaches for a KMP:
+
+ The first is to use a KMP that runs independent of the routing and
+ the signaling protocols. It would run on its own port and use its
+ own transport (to avoid interfering with the routing protocol that it
+ is serving). When a routing protocol needs a key, it would contact
+ the local instance of this key management protocol and request a key.
+ The KMP generates a key that is delivered to the routing protocol for
+ it to use for authenticating and integrity verification of the
+ routing protocol packets. This KMP could either be an existing key
+ management protocol such as ISAKMP/IKE, GKMP, etc., extended for the
+ routing protocols, or it could be a new KMP, designed for the routing
+ protocol context.
+
+ The second approach is to define an in-band KMP extension for
+ existing routing protocols putting the key management mechanisms
+ inside the protocol itself. In this case, the key management
+ messages would be carried within the routing protocol packets,
+ resulting in very tight coupling between the routing protocols and
+ the key management protocol.
+
+10. Acknowledgments
+
+ Much of the text for this document came originally from "Roadmap for
+ Cryptographic Authentication of Routing Protocol Packets on the
+ Wire", authored by Gregory M. Lebovitz.
+
+ We would like to thank Sam Hartman, Eric Rescorla, Russ White, Sean
+ Turner, Stephen Kent, Stephen Farrell, Adrian Farrel, Russ Housley,
+ Michael Barnes, and Vishwas Manral for their comments on the
+ document.
+
+11. References
+
+11.1. Normative References
+
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [RFC4948] Andersson, L., Davies, E., and L. Zhang, "Report from
+ the IAB workshop on Unwanted Traffic March 9-10,
+ 2006", RFC 4948, August 2007.
+
+11.2. Informative References
+
+ [RFC1195] Callon, R., "Use of OSI IS-IS for routing in TCP/IP
+ and dual environments", RFC 1195, December 1990.
+
+
+
+
+Lebovitz & Bhatia Informational [Page 26]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ [RFC2205] Braden, R., Ed., Zhang, L., Berson, S., Herzog, S.,
+ and S. Jamin, "Resource ReSerVation Protocol (RSVP) --
+ Version 1 Functional Specification", RFC 2205,
+ September 1997.
+
+ [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April
+ 1998.
+
+ [RFC2453] Malkin, G., "RIP Version 2", STD 56, RFC 2453,
+ November 1998.
+
+ [RFC2747] Baker, F., Lindell, B., and M. Talwar, "RSVP
+ Cryptographic Authentication", RFC 2747, January 2000.
+
+ [RFC3097] Braden, R. and L. Zhang, "RSVP Cryptographic
+ Authentication -- Updated Message Type Value", RFC
+ 3097, April 2001.
+
+ [RFC3209] Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan,
+ V., and G. Swallow, "RSVP-TE: Extensions to RSVP for
+ LSP Tunnels", RFC 3209, December 2001.
+
+ [RFC3473] Berger, L., Ed., "Generalized Multi-Protocol Label
+ Switching (GMPLS) Signaling Resource ReserVation
+ Protocol-Traffic Engineering (RSVP-TE) Extensions",
+ RFC 3473, January 2003.
+
+ [RFC3618] Fenner, B., Ed., and D. Meyer, Ed., "Multicast Source
+ Discovery Protocol (MSDP)", RFC 3618, October 2003.
+
+ [RFC3766] Orman, H. and P. Hoffman, "Determining Strengths For
+ Public Keys Used For Exchanging Symmetric Keys", BCP
+ 86, RFC 3766, April 2004.
+
+ [RFC3973] Adams, A., Nicholas, J., and W. Siadak, "Protocol
+ Independent Multicast - Dense Mode (PIM-DM): Protocol
+ Specification (Revised)", RFC 3973, January 2005.
+
+ [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker,
+ "Randomness Requirements for Security", BCP 106, RFC
+ 4086, June 2005.
+
+ [RFC4107] Bellovin, S. and R. Housley, "Guidelines for
+ Cryptographic Key Management", BCP 107, RFC 4107, June
+ 2005.
+
+ [RFC4230] Tschofenig, H. and R. Graveman, "RSVP Security
+ Properties", RFC 4230, December 2005.
+
+
+
+Lebovitz & Bhatia Informational [Page 27]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ [RFC4252] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell
+ (SSH) Authentication Protocol", RFC 4252, January
+ 2006.
+
+ [RFC4253] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell
+ (SSH) Transport Layer Protocol", RFC 4253, January
+ 2006.
+
+ [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
+ Border Gateway Protocol 4 (BGP-4)", RFC 4271, January
+ 2006.
+
+ [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C.,
+ and B. Moeller, "Elliptic Curve Cryptography (ECC)
+ Cipher Suites for Transport Layer Security (TLS)", RFC
+ 4492, May 2006.
+
+ [RFC4601] Fenner, B., Handley, M., Holbrook, H., and I.
+ Kouvelas, "Protocol Independent Multicast - Sparse
+ Mode (PIM-SM): Protocol Specification (Revised)", RFC
+ 4601, August 2006.
+
+ [RFC4615] Song, J., Poovendran, R., Lee, J., and T. Iwata, "The
+ Advanced Encryption Standard-Cipher-based Message
+ Authentication Code-Pseudo-Random Function-128 (-
+ AES-CMAC-PRF-128) Algorithm for the Internet Key
+ Exchange Protocol (IKE)", RFC 4615, August 2006.
+
+ [RFC4726] Farrel, A., Vasseur, J.-P., and A. Ayyangar, "A
+ Framework for Inter-Domain Multiprotocol Label
+ Switching Traffic Engineering", RFC 4726, November
+ 2006.
+
+ [RFC5036] Andersson, L., Ed., Minei, I., Ed., and B. Thomas,
+ Ed., "LDP Specification", RFC 5036, October 2007.
+
+ [RFC5082] Gill, V., Heasley, J., Meyer, D., Savola, P., Ed., and
+ C. Pignataro, "The Generalized TTL Security Mechanism
+ (GTSM)", RFC 5082, October 2007.
+
+ [RFC5151] Farrel, A., Ed., Ayyangar, A., and JP. Vasseur,
+ "Inter-Domain MPLS and GMPLS Traffic Engineering --
+ Resource Reservation Protocol-Traffic Engineering
+ (RSVP-TE) Extensions", RFC 5151, February 2008.
+
+
+
+
+
+
+
+Lebovitz & Bhatia Informational [Page 28]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
+ Housley, R., and W. Polk, "Internet X.509 Public Key
+ Infrastructure Certificate and Certificate Revocation
+ List (CRL) Profile", RFC 5280, May 2008.
+
+ [RFC5440] Vasseur, JP., Ed., and JL. Le Roux, Ed., "Path
+ Computation Element (PCE) Communication Protocol
+ (PCEP)", RFC 5440, March 2009.
+
+ [RFC5796] Atwood, W., Islam, S., and M. Siami, "Authentication
+ and Confidentiality in Protocol Independent Multicast
+ Sparse Mode (PIM-SM) Link-Local Messages", RFC 5796,
+ March 2010.
+
+ [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding
+ Detection (BFD)", RFC 5880, June 2010.
+
+ [RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP
+ Authentication Option", RFC 5925, June 2010.
+
+ [RFC5926] Lebovitz, G. and E. Rescorla, "Cryptographic
+ Algorithms for the TCP Authentication Option (TCP-
+ AO)", RFC 5926, June 2010.
+
+ [RFC6039] Manral, V., Bhatia, M., Jaeggli, J., and R. White,
+ "Issues with Existing Cryptographic Protection Methods
+ for Routing Protocols", RFC 6039, October 2010.
+
+ [RFC6407] Weis, B., Rowles, S., and T. Hardjono, "The Group
+ Domain of Interpretation", RFC 6407, October 2011.
+
+ [THTS-REQS] Lebovitz, G., "The Threat Analysis and Requirements
+ for Cryptographic Authentication of Routing Protocols'
+ Transports", Work in Progress, June 2011.
+
+ [CRPT-TAB] Housley, R. and Polk, T., "Database of Long-Lived
+ Symmetric Cryptographic Keys", Work in Progress,
+ October 2011
+
+ [GDOI-MAC] Weis, B. and S. Rowles, "GDOI Generic Message
+ Authentication Code Policy", Work in Progress,
+ September 2011.
+
+ [IRR] Merit Network Inc , "Internet Routing Registry Routing
+ Assets Database", 2006, http://www.irr.net/.
+
+
+
+
+
+
+Lebovitz & Bhatia Informational [Page 29]
+
+RFC 6518 KARP Design Guidelines February 2012
+
+
+ [NIST-800-57] US National Institute of Standards & Technology,
+ "Recommendation for Key Management Part 1: General
+ (Revised)", March 2007
+
+ [NIST-800-118] US National Institute of Standards & Technology,
+ "Guide to Enterprise Password Management (Draft)",
+ April 2009
+
+Authors' Addresses
+
+ Gregory M. Lebovitz
+ Aptos, California
+ USA 95003
+
+ EMail: gregory.ietf@gmail.com
+
+
+ Manav Bhatia
+ Alcatel-Lucent
+ Bangalore
+ India
+
+ EMail: manav.bhatia@alcatel-lucent.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Lebovitz & Bhatia Informational [Page 30]
+