diff options
Diffstat (limited to 'doc/rfc/rfc7211.txt')
-rw-r--r-- | doc/rfc/rfc7211.txt | 1011 |
1 files changed, 1011 insertions, 0 deletions
diff --git a/doc/rfc/rfc7211.txt b/doc/rfc/rfc7211.txt new file mode 100644 index 0000000..a83e1cb --- /dev/null +++ b/doc/rfc/rfc7211.txt @@ -0,0 +1,1011 @@ + + + + + + +Internet Engineering Task Force (IETF) S. Hartman +Request for Comments: 7211 Painless Security +Category: Informational D. Zhang +ISSN: 2070-1721 Huawei Technologies Co. Ltd. + June 2014 + + + Operations Model for Router Keying + +Abstract + + The IETF is engaged in an effort to analyze the security of routing + protocol authentication according to design guidelines discussed in + RFC 6518, "Keying and Authentication for Routing Protocols (KARP) + Design Guidelines". Developing an operational and management model + for routing protocol security that works with all the routing + protocols will be critical to the deployability of these efforts. + This document gives recommendations to operators and implementors + regarding management and operation of router authentication. These + recommendations will also assist protocol designers in understanding + management issues they will face. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Not all documents + approved by the IESG are a candidate for any level of Internet + Standard; see Section 2 of RFC 5741. + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc7211. + + + + + + + + + + + + + + +Hartman & Zhang Informational [Page 1] + +RFC 7211 Operations Model for Router Keying June 2014 + + +Copyright Notice + + Copyright (c) 2014 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 3 + 3. Breakdown of KARP Configuration . . . . . . . . . . . . . . . 3 + 3.1. Integrity of the Key Table . . . . . . . . . . . . . . . 5 + 3.2. Management of Key Table . . . . . . . . . . . . . . . . . 5 + 3.3. Interactions with Automated Key Management . . . . . . . 6 + 3.4. Virtual Routing and Forwarding Instances (VRFs) . . . . . 6 + 4. Credentials and Authorization . . . . . . . . . . . . . . . . 6 + 4.1. Preshared Keys . . . . . . . . . . . . . . . . . . . . . 8 + 4.1.1. Sharing Keys and Zones of Trust . . . . . . . . . . . 9 + 4.1.2. Key Separation and Protocol Design . . . . . . . . . 10 + 4.2. Asymmetric Keys . . . . . . . . . . . . . . . . . . . . . 10 + 4.3. Public Key Infrastructure . . . . . . . . . . . . . . . . 11 + 4.4. The Role of Central Servers . . . . . . . . . . . . . . . 12 + 5. Grouping Peers Together . . . . . . . . . . . . . . . . . . . 12 + 6. Administrator Involvement . . . . . . . . . . . . . . . . . . 14 + 6.1. Enrollment . . . . . . . . . . . . . . . . . . . . . . . 14 + 6.2. Handling Faults . . . . . . . . . . . . . . . . . . . . . 15 + 7. Upgrade Considerations . . . . . . . . . . . . . . . . . . . 16 + 8. Security Considerations . . . . . . . . . . . . . . . . . . . 17 + 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 17 + 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 + 10.1. Normative References . . . . . . . . . . . . . . . . . . 17 + 10.2. Informative References . . . . . . . . . . . . . . . . . 18 + + + + + + + + + + +Hartman & Zhang Informational [Page 2] + +RFC 7211 Operations Model for Router Keying June 2014 + + +1. Introduction + + The Keying and Authentication of Routing Protocols (KARP) working + group is designing improvements to the cryptographic authentication + of IETF routing protocols. These improvements include enhancing how + integrity functions are handled within each protocol as well as + designing an automated key management solution. + + This document discusses issues to consider when thinking about the + operational and management model for KARP. Each implementation will + take its own approach to management; this is one area for vendor + differentiation. However, it is desirable to have a common baseline + for the management objects allowing administrators, security + architects, and protocol designers to understand what management + capabilities they can depend on in heterogeneous environments. + Similarly, designing and deploying the protocol will be easier when + thought is paid to a common operational model. This will also help + with the design of NETCONF schemas or MIBs later. This document + provides recommendations to help establish such a baseline. + + This document also gives recommendations for how management and + operational issues can be approached as protocols are revised and as + support is added for the key table [RFC7210]. + + Routing security faces interesting challenges not present with some + other security domains. Routers need to function in order to + establish network connectivity. As a result, centralized services + cannot typically be used for authentication or other security tasks; + see Section 4.4. In addition, routers' roles affect how new routers + are installed and how problems are handled; see Section 6. + +2. Requirements Notation + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [RFC2119]. + +3. Breakdown of KARP Configuration + + Routing authentication configuration includes configuration of key + material used to authenticate routers as well as parameters needed to + use these keys. Configuration also includes information necessary to + use an automated key management protocol to configure router keying. + The key table [RFC7210] describes configuration needed for manual + keying. Configuration of automated key management is a work in + progress. + + + + + +Hartman & Zhang Informational [Page 3] + +RFC 7211 Operations Model for Router Keying June 2014 + + + There are multiple ways of structuring configuration information. + One factor to consider is the scope of the configuration information. + Several protocols are peer-to-peer routing protocols where a + different key could potentially be used for each neighbor. Other + protocols require that the same group key be used for all nodes in an + administrative domain or routing area. In other cases, the same + group key needs to be used for all routers on an interface, but + different group keys can be used for each interface. + + Within situations where a per-interface, per-area, or per-peer key + can be used for manually configured long-term keys, that flexibility + may not be desirable from an operational standpoint. For example, + consider OSPF [RFC2328]. Each router on an OSPF link needs to use + the same authentication configuration, including the set of keys used + for reception and the set of keys used for transmission, but it may + use different keys for different links. The most general management + model would be to configure keys per link. However, for deployments + where the area uses the same key, it would be strongly desirable to + configure the key as a property of the area. If the keys are + configured per link, they can get out of sync. In order to support + generality of configuration and common operational situations, it + would be desirable to have some sort of inheritance where default + configurations are made per area unless overridden per interface. + + As described in [RFC7210], the cryptographic keys are separated from + the interface configuration into their own configuration store. Each + routing protocol is responsible for defining the form of the peer + specification used by that protocol. Thus, each routing protocol + needs to define the scope of keys. For group keying, the peer + specification names the group. A protocol could define a peer + specification indicating the key had a link scope and also a peer + specification for scoping a key to a specific area. For link-scoped + keys, it is generally best to define a single peer specification + indicating the key has a link scope and to use interface restrictions + to restrict the key to the appropriate link. + + Operational Requirements: implementations of this model MUST support + configuration of keys at the most general scope for the underlying + protocol; protocols supporting per-peer keys MUST permit + configuration of per-peer keys, protocols supporting per-interface + keys MUST support configuration of per-interface keys, and so on for + any additional scopes. Implementations MUST NOT permit configuration + of an inappropriate key scope. For example, configuration of + separate keys per interface would be inappropriate to support for a + protocol requiring per-area keys. This restriction can be enforced + by rules specified by each routing protocol for validating key table + + + + + +Hartman & Zhang Informational [Page 4] + +RFC 7211 Operations Model for Router Keying June 2014 + + + entries. As such, these implementation requirements are best + addressed by care being taken in how routing protocols specify the + use of the key tables. + +3.1. Integrity of the Key Table + + The routing key table [RFC7210] provides a very general mechanism to + abstract the storage of keys for routing protocols. To avoid + misconfiguration and simplify problem determination, the router MUST + verify the internal consistency of entries added to the table. + Routing protocols describe how their protocol interacts with the key + table including what validation MUST be performed. At a minimum, the + router MUST verify: + + o The cryptographic algorithms are valid for the protocol. + + o The key derivation function is valid for the protocol. + + o The direction is valid for the protocol. For example, if a + protocol requires the same session key be used in both directions, + the direction field in the key table entry associated with the + session key MUST be specified as "both". + + o The peer specification is consistent with the protocol. + + Other checks are possible. For example, the router could verify that + if a key is associated with a peer, that peer is a configured peer + for the specified protocol. However, this may be undesirable. It + may be desirable to load a key table when some peers have not yet + been configured. Also, it may be desirable to share portions of a + key table across devices even when their current configuration does + not require an adjacency with a particular peer in the interest of + uniform configuration or preparing for fail-over. For these reasons, + these additional checks are generally undesirable. + +3.2. Management of Key Table + + Several management interfaces will be quite common. For service + provider deployments, the configuration management system can simply + update the key table. However, for smaller deployments, efficient + management interfaces that do not require a configuration management + system are important. In these environments, configuration + interfaces (such as web interfaces and command-line interfaces) + provided directly by the router will be important for easy management + of the router. + + + + + + +Hartman & Zhang Informational [Page 5] + +RFC 7211 Operations Model for Router Keying June 2014 + + + As part of adding a new key, it is typically desirable to set an + expiration time for an old key. The management interface SHOULD + provide a mechanism to easily update the expiration time for a + current key used with a given peer or interface. Also, when adding a + key, it is desirable to push the key out to nodes that will need it, + allowing use for receiving packets and then later for enabling + transmit. This can be accomplished automatically by providing a + delay between when a key becomes valid for reception and + transmission. However, some environments may not be able to predict + when all the necessary changes will be made. In these cases, having + a mechanism to enable a key for sending is desirable. The management + interface SHOULD provide an easy mechanism to update the direction of + an existing key or to enable a disabled key. + + Implementations SHOULD permit a configuration in which if no + unexpired key is available, existing security associations continue + using the expired key with which they were established. + Implementations MUST support a configuration in which security + associations fail if no unexpired key is available for them. See + Section 6.2 for a discussion of reporting and managing security + faults including those related to key expiration. + +3.3. Interactions with Automated Key Management + + Consideration is required for how an automated key management + protocol will assign key IDs for group keys. All members of the + group may need to use the same key ID. This requires careful + coordination of global key IDs. Interactions with the peer key ID + field may make this easier; this requires additional study. + + Automated key management protocols also assign keys for single peers. + If the key ID is global and needs to be coordinated between the + receiver and transmitter, then there is complexity in key management + protocols that can be avoided if key IDs are not global. + +3.4. Virtual Routing and Forwarding Instances (VRFs) + + Many core and enterprise routers support multiple routing instances. + For example, a router serving multiple VPNs is likely to have a + forwarding/routing instance for each of these VPNs. Each VRF will + require its own routing key table. + +4. Credentials and Authorization + + Several methods for authentication have been proposed for KARP. The + simplest is preshared keys used directly as traffic keys. In this + mode, the traffic integrity keys are directly configured. This is + the mode supported by most of today's routing protocols. + + + +Hartman & Zhang Informational [Page 6] + +RFC 7211 Operations Model for Router Keying June 2014 + + + As discussed in [RTG-AUTH], preshared keys can be used as the input + to a key derivation function (KDF) to generate traffic keys. For + example, the TCP Authentication Option (TCP-AO) [RFC5925] derives + keys based on the initial TCP session state. Typically, a KDF will + combine a long-term key with public inputs exchanged as part of the + protocol to form fresh session keys. A KDF could potentially be used + with some inputs that are configured along with the long-term key. + Also, it's possible that inputs to a KDF will be private and + exchanged as part of the protocol, although this will be uncommon in + KARP's uses of KDFs. + + Preshared keys could also be used by an automated key management + protocol. In this mode, preshared keys would be used for + authentication. However, traffic keys would be generated by some + key-agreement mechanism or transported in a key encryption key + derived from the preshared key. This mode may provide better replay + protection. Also, in the absence of active attackers, key-agreement + strategies such as Diffie-Hellman can be used to produce high-quality + traffic keys even from relatively weak preshared keys. These key- + agreement mechanisms are valuable even when active attackers are + present, although an active attacker can mount a man-in-the-middle + attack if the preshared key is sufficiently weak. + + Public keys can be used for authentication within an automated key + management protocol. The KARP design guide [RFC6518] describes a + mode in which routers have the hashes of peer routers' public keys. + In this mode, a traditional public-key infrastructure is not + required. The advantage of this mode is that a router only contains + its own keying material, limiting the scope of a compromise. The + disadvantage is that when a router is added or deleted from the set + of authorized routers, all routers in that set need to be updated. + Note that self-signed certificates are a common way of communicating + public keys in this style of authentication. + + Certificates signed by a certification authority or some other PKI + could be used for authentication within an automated key management + protocol. The advantage of this approach is that routers may not + need to be directly updated when peers are added or removed. The + disadvantage is that more complexity and cost are required. + + Each of these approaches has a different set of management and + operational requirements. Key differences include how authorization + is handled and how identity works. This section discusses these + differences. + + + + + + + +Hartman & Zhang Informational [Page 7] + +RFC 7211 Operations Model for Router Keying June 2014 + + +4.1. Preshared Keys + + In the protocol, manual preshared keys are either unnamed or named by + a key ID (which is a small integer -- typically 16 or 32 bits). + Implementations that support multiple keys for protocols that have no + names for keys need to try all possible keys before deciding a packet + cannot be validated [RFC4808]. Typically key IDs are names used by + one group or peer. + + Manual preshared keys are often known by a group of peers rather than + just one other peer. This is an interesting security property: + unlike with digitally signed messages or protocols where symmetric + keys are known only to two parties, it is impossible to identify the + peer sending a message cryptographically. However, it is possible to + show that the sender of a message is one of the parties who knows the + preshared key. Within the routing threat model, the peer sending a + message can be identified only because peers are trusted and thus can + be assumed to correctly label the packets they send. This contrasts + with a protocol where cryptographic means such as digital signatures + are used to verify the origin of a message. As a consequence, + authorization is typically based on knowing the preshared key rather + than on being a particular peer. Note that once an authorization + decision is made, the peer can assert its identity; this identity is + trusted just as the routing information from the peer is trusted. + Doing an additional check for authorization based on the identity + included in the packet would provide little value: an attacker who + somehow had the key could claim the identity of an authorized peer, + and an attacker without the key should be unable to claim the + identity of any peer. Such a check is not required by the KARP + threat model: inside attacks are not in scope. + + Preshared keys used with key derivation work similarly to manual + preshared keys. However, to form the actual traffic keys, session- + or peer-specific information is combined with the key. From an + authorization standpoint, the derivation key works the same as a + manual key. An additional routing protocol step or transport step + forms the key that is actually used. + + Preshared keys that are used via automatic key management have not + yet been specified for KARP, although ongoing work suggests they will + be needed. Their naming and authorization may differ from existing + uses of preshared keys in routing protocols. In particular, such + keys may end up being known only by two peers. Alternatively, they + may also be known by a group of peers. Authorization could + potentially be based on peer identity, although it is likely that + knowing the right key will be sufficient. There does not appear to + + + + + +Hartman & Zhang Informational [Page 8] + +RFC 7211 Operations Model for Router Keying June 2014 + + + be a compelling reason to decouple the authorization of a key for + some purpose from the authorization of peers holding that key to + perform the authorized function. + +4.1.1. Sharing Keys and Zones of Trust + + Care needs to be taken when symmetric keys are used for multiple + purposes. Consider the implications of using the same preshared key + for two interfaces: it becomes impossible to cryptographically + distinguish a router on one interface from a router on another + interface. So, a router that is trusted to participate in a routing + protocol on one interface becomes implicitly trusted for the other + interfaces that share the key. For many cases, such as link-state + routers in the same routing area, there is no significant advantage + that an attacker could gain from this trust within the KARP threat + model. However, other protocols, such as BGP and RIP, permit routes + to be filtered across a trust boundary. For these protocols, + participation in one interface might be more advantageous than + another. Operationally, when this trust distinction is important to + a deployment, different keys need to be used on each side of the + trust boundary. Key derivation can help prevent this problem in + cases of accidental misconfiguration. However, key derivation cannot + protect against a situation where a system was incorrectly trusted to + have the key used to perform the derivation. This question of trust + is important to the KARP threat model because it is essential to + determining whether a party is an insider for a particular routing + protocol. A customer router that is an insider for a BGP peering + relationship with a service provider is not typically an insider when + considering the security of that service provider's IGP. Similarly, + to the extent that there are multiple zones of trust and a routing + protocol is determining whether a particular router is within a + certain zone, the question of untrusted actors is within the scope of + the routing threat model. + + Key derivation can be part of a management solution for having + multiple keys for different zones of trust. A master key could be + combined with peer, link, or area identifiers to form a router- + specific preshared key that is loaded onto routers. Provided that + the master key lives only on the management server and not the + individual routers, trust is preserved. However, in many cases, + generating independent keys for the routers and storing the result is + more practical. If the master key were somehow compromised, all the + resulting keys would need to be changed. However, if independent + keys are used, the scope of a compromise may be more limited. + + + + + + + +Hartman & Zhang Informational [Page 9] + +RFC 7211 Operations Model for Router Keying June 2014 + + +4.1.2. Key Separation and Protocol Design + + More subtle problems with key separation can appear in protocol + design. Two protocols that use the same traffic keys may work + together in unintended ways permitting one protocol to be used to + attack the other. Consider two hypothetical protocols. Protocol A + starts its messages with a set of extensions that are ignored if not + understood. Protocol B has a fixed header at the beginning of its + messages but ends messages with extension information. It may be + that the same message is valid both as part of protocol A and + protocol B. An attacker may be able to gain an advantage by getting + a router to generate this message with one protocol under situations + where the other protocol would not generate the message. This + hypothetical example is overly simplistic; real-world attacks + exploiting key separation weaknesses tend to be complicated and + involve specific properties of the cryptographic functions involved. + The key point is that whenever the same key is used in multiple + protocols, attacks may be possible. All the involved protocols need + to be analyzed to understand the scope of potential attacks. + + Key separation attacks interact with the KARP operational model in a + number of ways. Administrators need to be aware of situations where + using the same manual traffic key with two different protocols (or + the same protocol in different contexts) creates attack + opportunities. Design teams should consider how their protocol might + interact with other routing protocols and describe any attacks + discovered so that administrators can understand the operational + implications. When designing automated key management or new + cryptographic authentication within routing protocols, we need to be + aware that administrators expect to be able to use the same preshared + keys in multiple contexts. As a result, we should use appropriate + key derivation functions so that different cryptographic keys are + used even when the same initial input key is used. + +4.2. Asymmetric Keys + + Outside of a PKI, public keys are expected to be known by the hash of + a key or (potentially self-signed) certificate. The Session + Description Protocol provides a standardized mechanism for naming + keys (in that case, certificates) based on hashes (Section 5 of + [RFC4572]). KARP SHOULD adopt this approach or another approach + already standardized within the IETF rather than inventing a new + mechanism for naming public keys. + + A public key is typically expected to belong to one peer. As a peer + generates new keys and retires old keys, its public key may change. + For this reason, from a management standpoint, peers should be + + + + +Hartman & Zhang Informational [Page 10] + +RFC 7211 Operations Model for Router Keying June 2014 + + + thought of as associated with multiple public keys rather than as + containing a single public-key hash as an attribute of the peer + object. + + Authorization of public keys could be done either by key hash or by + peer identity. Performing authorizations by peer identity should + make it easier to update the key of a peer without risk of losing + authorizations for that peer. However, management interfaces need to + be carefully designed to avoid making this extra level of indirection + complicated for operators. + +4.3. Public Key Infrastructure + + When a PKI is used, certificates are used. The certificate binds a + key to a name of a peer. The key management protocol is responsible + for exchanging certificates and validating them to a trust anchor. + + Authorization needs to be done in terms of peer identities not in + terms of keys. One reason for this is that when a peer changes its + key, the new certificate needs to be sufficient for authentication to + continue functioning even though the key has never been seen before. + + Potentially, authorization could be performed in terms of groups of + peers rather than single peers. An advantage of this is that it may + be possible to add a new router with no authentication-related + configuration of the peers of that router. For example, a domain + could decide that any router with a particular keyPurposeID signed by + the organization's certificate authority is permitted to join the + IGP. Just as in configurations where cryptographic authentication is + not used, automatic discovery of this router can establish + appropriate adjacencies. + + Assuming that self-signed certificates are used by routers that wish + to use public keys but that do not need a PKI, then PKI and the + "infrastructure-less" mode of public-key operation described in the + previous section can work well together. One router could identify + its peers based on names and use certificate validation. Another + router could use hashes of certificates. This could be very useful + for border routers between two organizations. Smaller organizations + could use public keys and larger organizations could use PKI. + + A PKI has significant operational concerns including certification + practices, handling revocation, and operational practices around + certificate validation. The Routing PKI (RPKI) has addressed these + concerns within the scope of BGP and the validation of address + ownership. Adapting these practices to routing protocol + authentication is outside the scope of this document. + + + + +Hartman & Zhang Informational [Page 11] + +RFC 7211 Operations Model for Router Keying June 2014 + + +4.4. The Role of Central Servers + + An area to explore is the role of central servers like RADIUS or + directories. Routers need to securely operate in order to provide + network routing services. Routers cannot generally contact a central + server while establishing routing because the router might not have a + functioning route to the central service until after routing is + established. As a result, a system where keys are pushed by a + central management system is an undesirable result for router keying. + However, central servers may play a role in authorization and key + rollover. For example, a node could send a hash of a public key to a + RADIUS server. + + If central servers do play a role, it will be critical to make sure + that they are not required during routine operation or a cold-start + of a network. They are more likely to play a role in enrollment of + new peers or key migration/compromise. + + Another area where central servers may play a role is for group key + agreement. As an example, [OSPF-AUTO] discusses the potential need + for key-agreement servers in OSPF. Other routing protocols that use + multicast or broadcast such as IS-IS are likely to need a similar + approach. Multicast key-agreement protocols need to allow operators + to choose which key servers will generate traffic keys. The quality + of random numbers [RFC4086] is likely to differ between systems. As + a result, operators may have preferences for where keys are + generated. + +5. Grouping Peers Together + + One significant management consideration will be the grouping of + management objects necessary to determine who is authorized to act as + a peer for a given routing action. As discussed previously, the + following objects are potentially required: + + o Key objects are required. Symmetric keys may be preshared, and + knowledge of the key may be used as the decision factor in + authorization. Knowledge of the private key corresponding to + asymmetric public keys may be used directly for authorization as + well. During key transitions, more than one key may refer to a + given peer. Group preshared keys may refer to multiple peers. + + o Peer objects are required. A peer is a router that this router + might wish to communicate with. Peers may be identified by names + or keys. + + o Objects representing peer groups are required. Groups of peers + may be authorized for a given routing protocol. + + + +Hartman & Zhang Informational [Page 12] + +RFC 7211 Operations Model for Router Keying June 2014 + + + Establishing a management model is difficult because of the complex + relationships between each set of objects. As discussed, there may + be more than one key for a peer. However, in the preshared key case, + there may be more than one peer for a key. This is true both for + group security association protocols such as an IGP or one-to-one + protocols where the same key is used administratively. In some of + these situations, it may be undesirable to explicitly enumerate the + peers in the configuration; for example, IGP peers are auto- + discovered for broadcast links but not for non-broadcast multi-access + links. + + Peers may be identified either by name or key. If peers are + identified by key, it is strongly desirable from an operational + standpoint to consider any peer identifiers or names to be a local + matter and not require the identifiers or names to be synchronized. + Obviously, if peers are identified by names (for example, with + certificates in a PKI), identifiers need to be synchronized between + the authorized peer and the peer making the authorization decision. + + In many cases, peers will explicitly be identified in routing + protocol configuration. In these cases, it is possible to attach the + authorization information (keys or identifiers) to the peer's + configuration object. Two cases do not involve enumerating peers. + The first is the case where preshared keys are shared among a group + of peers. It is likely that this case can be treated from a + management standpoint as a single peer representing all the peers + that share the keys. The other case is one where certificates in a + PKI are used to introduce peers to a router. In this case, rather + than configuring peers, the router needs to be configured with + information on which certificates represent acceptable peers. + + Another consideration is which routing protocols share peers. For + example, it may be common for LDP peers to also be peers of some + other routing protocol. Also, RSVP - Traffic Engineering (RSVP-TE) + may be associated with some TE-based IGP. In some of these cases, it + would be desirable to use the same authorization information for both + routing protocols. + + Finally, as discussed in Section 7, it is sometimes desirable to + override some aspect of the configuration for a peer in a group. As + an example, when rotating to a new key, it is desirable to be able to + roll that key out to each peer that will use the key, even if in the + stable state the key is configured for a peer group. + + In order to develop a management model for authorization, the working + group needs to consider several questions. What protocols support + auto-discovery of peers? What protocols require more configuration + of a peer than simply the peer's authorization information and + + + +Hartman & Zhang Informational [Page 13] + +RFC 7211 Operations Model for Router Keying June 2014 + + + network address? What management operations are going to be common + as security information for peers is configured and updated? What + operations will be common while performing key transitions or while + migrating to new security technologies? + +6. Administrator Involvement + + One key operational question is what areas will administrator + involvement be required. Likely areas where involvement may be + useful include enrollment of new peers. Fault recovery should also + be considered. + +6.1. Enrollment + + One area where the management of routing security needs to be + optimized is the deployment of a new router. In some cases, a new + router may be deployed on an existing network where routing to + management servers is already available. In other cases, routers may + be deployed as part of connecting or creating a site. Here, the + router and infrastructure may not be available until the router has + securely authenticated. + + In general, security configuration can be treated as an additional + configuration item that needs to be set up to establish service. + There is no significant security value in protecting routing protocol + keys more than administrative password or Authentication, + Authorization, and Accounting (AAA) secrets that can be used to gain + login access to a router. These existing secrets can be used to make + configuration changes that impact routing protocols as much as + disclosure of a routing protocol key. Operators already have + procedures in place for these items. So, it is appropriate to use + similar procedures for routing protocol keys. It is reasonable to + improve existing configuration procedures and the routing protocol + procedures over time. However, it is more desirable to deploy KARP + with security similar to that used for managing existing secrets than + to delay deploying KARP. + + Operators MAY develop higher assurance procedures for dealing with + keys. For example, asymmetric keys can be generated on a router and + never exported from the router. Operators can evaluate the cost vs. + security and the availability tradeoffs of these procedures. + + + + + + + + + + +Hartman & Zhang Informational [Page 14] + +RFC 7211 Operations Model for Router Keying June 2014 + + +6.2. Handling Faults + + Faults may interact with operational practice in at least two ways. + First, security solutions may introduce faults. For example, if + certificates expire in a PKI, previous adjacencies may no longer + form. Operational practice will require a way of repairing these + errors. This may end up being very similar to repairing other faults + that can partition a network. + + Notifications will play a critical role in avoiding security faults. + Implementations SHOULD use appropriate mechanisms to notify operators + as security resources are about to expire. Notifications can include + messages to consoles, logged events, Simple Network Management + Protocol (SNMP) traps, or notifications within a routing protocol. + One strategy is to have increasing escalations of notifications. + + Monitoring will also play an important role in avoiding security + faults such as certificate expiration. Some classes of security + fault, including issues with certificates, will affect only key + management protocols. Other security faults can affect routing + protocols directly. However, the protocols MUST still have adequate + operational mechanisms to recover from these situations. Also, some + faults, such as those resulting from a compromise or actual attack on + a facility, are inherent and may not be prevented. + + A second class of faults is equipment faults that impact security. + For example, if keys are stored on a router and never exported from + that device, failure of a router implies a need to update security + provisioning on the replacement router and its peers. + + One approach, recommended by work on securing BGP [KEYING] is to + maintain the router's keying material so that when a router is + replaced the same keys can be used. Router keys can be maintained on + a central server. These approaches permit the credentials of a + router to be recovered. This provides valuable options in case of + hardware fault. The failing router can be recovered without changing + credentials on other routers or waiting for keys to be certified. + One disadvantage of this approach is that even if public-key + cryptography is used, the private keys are located on more than just + the router. A system in which keys were generated on a router and + never exported from that router would typically make it more + difficult for an attacker to obtain the keys. For most environments, + the ability to quickly replace a router justifies maintaining keys + centrally. + + More generally, keying is another item of configuration that needs to + be restored to reestablish service when equipment fails. Operators + typically perform the minimal configuration necessary to get a router + + + +Hartman & Zhang Informational [Page 15] + +RFC 7211 Operations Model for Router Keying June 2014 + + + back in contact with the management server. The same would apply for + keys. Operators who do not maintain copies of key material for + performing key recovery on routers would need to perform a bit more + work to regain contact with the management server. It seems + reasonable to assume that management servers will be able to cause + keys to be generated or distributed sufficiently to fully restore + service. + +7. Upgrade Considerations + + It needs to be possible to deploy automated key management in an + organization without either having to disable existing security or + disrupting routing. As a result, it needs to be possible to perform + a phased upgrade from manual keying to automated key management. + This upgrade procedure needs to be easy and have a very low risk of + disrupting routing. Today, many operators do not update keys because + the perceived risk of an attack is lower than the cost of an update + combined with the potential cost of routing disruptions during the + update. Even when a routing protocol has technical mechanisms that + permit an update with no disruption in service, there is still a + potential cost of service disruptions as operational procedures and + practices need to correctly use the technical mechanisms. + + For peer-to-peer protocols such as BGP, upgrading to automated key + management can be relatively easy. First, code that supports + automated key management needs to be loaded on both peers. Then, the + adjacency can be upgraded. The configuration can be updated to + switch to automated key management when the second router reboots. + Alternatively, if the key management protocols involved can detect + that both peers now support automated key management, then a key can + potentially be negotiated for an existing session. + + The situation is more complex for organizations that have not + upgraded from TCP MD5 [RFC2385] to the TCP Authentication Option + [RFC5925]. Today, routers typically need to understand whether a + given peer supports TCP MD5 or TCP-AO before opening a TCP + connection. In addition, many implementations support grouping + configuration (including security configuration) of related peers + together. Implementations make it challenging to move from TCP MD5 + to TCP-AO before all peers in the group are ready. Operators + perceive it as high risk to update the configuration of a large + number of peers. One particularly risky situation is upgrading the + configuration of Internal BGP (iBGP) peers. + + The situation is more complicated for multicast protocols. It's + typically not desirable to bring down an entire link to reconfigure + it as using automated key management. Two approaches should be + considered. One is to support key table rows that enable the + + + +Hartman & Zhang Informational [Page 16] + +RFC 7211 Operations Model for Router Keying June 2014 + + + automated key management and manually configured keying for the same + link at the same time. Coordinating this may be challenging from an + operational standpoint. Another possibility is for the automated key + management protocol to actually select the same traffic key that is + being used manually. This could be accomplished by having an option + in the key management protocol to export the current manual group key + through the automated key management protocol. Then after all nodes + are configured with automated key management, manual key entries can + be removed. The next re-key after all nodes have manual entries + removed will generate a new fresh key. Group key management + protocols are RECOMMENDED to support an option to export existing + manual keys during initial deployment of automated key management. + +8. Security Considerations + + This document does not define a protocol. It does discuss the + operational and management implications of several security + technologies. + + Close synchronization of time can impact the security of routing + protocols in a number of ways. Time is used to control when keys MAY + begin being used and when they MUST NOT be used any longer as + described in [RFC7210]. Routers need to have tight enough time + synchronization that receivers permit a key to be utilized for + validation prior to the first use of that key for generation of + integrity-protected messages; otherwise, availability will be + impacted. If time synchronization is too loose, then a key can be + used beyond its intended lifetime. The Network Time Protocol (NTP) + can be used to provide time synchronization. For some protocols, + time synchronization is also important for replay detection. + +9. Acknowledgments + + Funding for Sam Hartman's work on this memo is provided by Huawei. + + The authors would like to thank Bill Atwood, Randy Bush, Wes George, + Gregory Lebovitz, and Russ White for valuable reviews. + +10. References + +10.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC7210] Housley, R., Polk, T., Hartman, S., and D. Zhang, + "Database of Long-Lived Symmetric Cryptographic Keys", RFC + 7210, April 2014. + + + +Hartman & Zhang Informational [Page 17] + +RFC 7211 Operations Model for Router Keying June 2014 + + +10.2. Informative References + + [KEYING] Turner, S., Patel, K., and R. Bush, "Router Keying for + BGPsec", Work in Progress, May 2014. + + [OSPF-AUTO] + Liu, Y., "OSPFv3 Automated Group Keying Requirements", + Work in Progress, July 2007. + + [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998. + + [RFC2385] Heffernan, A., "Protection of BGP Sessions via the TCP MD5 + Signature Option", RFC 2385, August 1998. + + [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness + Requirements for Security", BCP 106, RFC 4086, June 2005. + + [RFC4572] Lennox, J., "Connection-Oriented Media Transport over the + Transport Layer Security (TLS) Protocol in the Session + Description Protocol (SDP)", RFC 4572, July 2006. + + [RFC4808] Bellovin, S., "Key Change Strategies for TCP-MD5", RFC + 4808, March 2007. + + [RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP + Authentication Option", RFC 5925, June 2010. + + [RFC6518] Lebovitz, G. and M. Bhatia, "Keying and Authentication for + Routing Protocols (KARP) Design Guidelines", RFC 6518, + February 2012. + + [RTG-AUTH] Polk, T. and R. Housley, "Routing Authentication Using A + Database of Long-Lived Cryptographic Keys", Work in + Progress, November 2010. + +Authors' Addresses + + Sam Hartman + Painless Security + + EMail: hartmans-ietf@mit.edu + + + Dacheng Zhang + Huawei Technologies Co. Ltd. + + EMail: zhangdacheng@huawei.com + + + + +Hartman & Zhang Informational [Page 18] + |