From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc6094.txt | 619 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 619 insertions(+) create mode 100644 doc/rfc/rfc6094.txt (limited to 'doc/rfc/rfc6094.txt') diff --git a/doc/rfc/rfc6094.txt b/doc/rfc/rfc6094.txt new file mode 100644 index 0000000..c915581 --- /dev/null +++ b/doc/rfc/rfc6094.txt @@ -0,0 +1,619 @@ + + + + + + +Internet Engineering Task Force (IETF) M. Bhatia +Request for Comments: 6094 Alcatel-Lucent +Category: Informational V. Manral +ISSN: 2070-1721 IP Infusion + February 2011 + + + Summary of Cryptographic Authentication Algorithm Implementation + Requirements for Routing Protocols + +Abstract + + The routing protocols Open Shortest Path First version 2 (OSPFv2), + Intermediate System to Intermediate System (IS-IS), and Routing + Information Protocol (RIP) currently define cleartext and MD5 + (Message Digest 5) methods for authenticating protocol packets. + Recently, effort has been made to add support for the SHA (Secure + Hash Algorithm) family of hash functions for the purpose of + authenticating routing protocol packets for RIP, IS-IS, and OSPF. + + To encourage interoperability between disparate implementations, it + is imperative that we specify the expected minimal set of algorithms, + thereby ensuring that there is at least one algorithm that all + implementations will have in common. + + Similarly, RIP for IPv6 (RIPng) and OSPFv3 support IPsec algorithms + for authenticating their protocol packets. + + This document examines the current set of available algorithms, with + interoperability and effective cryptographic authentication + protection being the principal considerations. Cryptographic + authentication of these routing protocols requires the availability + of the same algorithms in disparate implementations. It is desirable + that newly specified algorithms should be implemented and available + in routing protocol implementations because they may be promoted to + requirements at some future time. + +Status of This Memo + + This document is not an Internet Standards Track specification; it is + published for informational purposes. + + This document is a product of the Internet Engineering Task Force + (IETF). It represents the consensus of the IETF community. It has + received public review and has been approved for publication by the + Internet Engineering Steering Group (IESG). Not all documents + approved by the IESG are a candidate for any level of Internet + Standard; see Section 2 of RFC 5741. + + + +Bhatia & Manral Informational [Page 1] + +RFC 6094 Crypto Reqs for Routing Protocols February 2011 + + + Information about the current status of this document, any errata, + and how to provide feedback on it may be obtained at + http://www.rfc-editor.org/info/rfc6094. + +Copyright Notice + + Copyright (c) 2011 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + +Table of Contents + + 1. Introduction ....................................................3 + 2. Intermediate System to Intermediate System (IS-IS) ..............4 + 2.1. Authentication Scheme Selection ............................4 + 2.2. Authentication Algorithm Selection .........................5 + 3. Open Shortest Path First Version 2 (OSPFv2) .....................5 + 3.1. Authentication Scheme Selection ............................6 + 3.2. Authentication Algorithm Selection .........................6 + 4. Open Shortest Path First Version 3 (OSPFv3) .....................7 + 5. Routing Information Protocol Version 2 (RIPv2) ..................7 + 5.1. Authentication Scheme Selection ............................7 + 5.2. Authentication Algorithm Selection .........................8 + 6. Routing Information Protocol for IPv6 (RIPng) ...................8 + 7. Security Considerations .........................................9 + 8. Acknowledgements ................................................9 + 9. References .....................................................10 + 9.1. Normative References ......................................10 + 9.2. Informative References ....................................10 + + + + + + + + + + + + + +Bhatia & Manral Informational [Page 2] + +RFC 6094 Crypto Reqs for Routing Protocols February 2011 + + +1. Introduction + + Most routing protocols include three different types of + authentication schemes: Null authentication, cleartext password, and + cryptographic authentication. Null authentication is equivalent to + having no authentication scheme at all. + + In a cleartext scheme, also known as a "simple password" scheme, the + password is exchanged completely unprotected, and anyone with + physical access to the network can learn the password and compromise + the integrity of the routing domain. The simple password scheme + protects against accidental establishment of routing sessions in a + given domain, but beyond that it offers no additional protection. + + In a cryptographic authentication scheme, routers share a secret key + that is used to generate a message authentication code for each of + the protocol packets. Today, routing protocols that implement + message authentication codes often use a Keyed-MD5 [RFC1321] digest. + The recent escalating series of attacks on MD5 raise concerns about + its remaining useful lifetime. + + These attacks may not necessarily result in direct vulnerabilities + for Keyed-MD5 digests as message authentication codes because the + colliding message may not correspond to a syntactically correct + protocol packet. The known collision, pre-image, and second + pre-image attacks [RFC4270] on MD5 may not increase the effectiveness + of the key recovery attacks on HMAC-MD5. Regardless, there is a need + felt to deprecate MD5 [RFC1321] as the basis for the Hashed Message + Authentication Code (HMAC) algorithm in favor of stronger digest + algorithms. + + In light of these considerations, there are proposals to replace + HMAC-MD5 with keyed HMAC-SHA [SHS] digests where HMAC-MD5 is + currently mandated in RIPv2 [RFC2453] IS-IS [ISO] [RFC1195], and + Keyed-MD5 in OSPFv2 [RFC2328]. + + OSPFv3 [RFC5340] and RIPng [RFC2080] rely on the IPv6 Authentication + Header (AH) [RFC4302] and IPv6 Encapsulating Security Payload (ESP) + [RFC4303] in order to provide integrity, authentication, and/or + confidentiality. + + However, the nature of cryptography is that algorithmic improvement + is an ongoing process, as is the exploration and refinement of attack + vectors. An algorithm believed to be strong today may be + demonstrated to be weak tomorrow. Given this, the choice of + preferred algorithm should favor the minimization of the likelihood + of it being compromised quickly. + + + + +Bhatia & Manral Informational [Page 3] + +RFC 6094 Crypto Reqs for Routing Protocols February 2011 + + + It should be recognized that preferred algorithm(s) will change over + time to adapt to the evolving threats. At any particular time, the + mandatory-to-implement algorithm(s) might not be specified in the + base protocol specification. As protocols are extended, the + preference for presently stronger algorithms presents a problem + regarding the question of interoperability of existing and future + implementations with respect to standards, and also regarding + operational preference for the configuration as deployed. + + It is expected that an implementation should support the changing of + security (authentication) keys. Changing the symmetric key used in + any HMAC algorithm on a periodic basis is good security practice. + Operators need to plan for this. + + Implementations can support in-service key change so that no control + packets are lost. During an in-service/in-band key change, more than + one key can be active for receiving packets for a session. Some + protocols support a key identifier that allows the two peers of a + session to have multiple keys simultaneously for a session. + + However, these protocols currently manage keys manually (i.e., via + operator intervention) or dynamically based on some timer or security + protocol. + +2. Intermediate System to Intermediate System (IS-IS) + + The IS-IS specification allows for authentication of its Protocol + Data Units (PDUs) via the authentication TLV (TLV 10) in the PDU. + The base specification [ISO] had provisions only for cleartext + passwords. [RFC5304] extends the authentication capabilities by + providing cryptographic authentication for IS-IS PDUs. It mandates + support for HMAC-MD5. + + [RFC5310] adds support for the use of any cryptographic hash function + for authenticating IS-IS PDUs. In addition to this, [RFC5310] also + details how IS-IS can use the HMAC construct along with the Secure + Hash Algorithm (SHA) family of cryptographic hash functions to secure + IS-IS PDUs. + +2.1. Authentication Scheme Selection + + In order for IS-IS implementations to securely interoperate, they + must support one or more authentication schemes in common. This + section specifies the preference for standards-conformant IS-IS + implementations that use accepted authentication schemes. + + The earliest interoperability requirement for authentication as + stated by [ISO] [RFC1195] required all implementations to support a + + + +Bhatia & Manral Informational [Page 4] + +RFC 6094 Crypto Reqs for Routing Protocols February 2011 + + + cleartext password. This authentication scheme's utility is limited + to precluding the accidental introduction of a new IS into a + broadcast domain. Operators should not use this scheme, as it + provides no protection against an attacker with access to the + broadcast domain: anyone can determine the secret password through + inspection of the PDU. This mechanism does not provide any + significant level of security and should be avoided. + + [RFC5304] defined the cryptographic authentication scheme for IS-IS. + HMAC-MD5 was the only algorithm specified; hence, it is mandated. + [RFC5310] defined a generic cryptographic scheme and added support + for additional algorithms. Implementations should support [RFC5310], + as it defines the generic cryptographic authentication scheme. + +2.2. Authentication Algorithm Selection + + For IS-IS implementations to securely interoperate, they must have + support for one or more authentication algorithms in common. + + This section details the authentication algorithm requirements for + standards-conformant IS-IS implementations. + + The following are the available options for authentication + algorithms: + + o [RFC5304] mandates the use of HMAC-MD5. + + o [RFC5310] does not require a particular algorithm but instead + supports any digest algorithm (i.e., cryptographic hash + functions). + + As noted earlier, there is a desire to deprecate MD5. IS-IS + implementations will likely migrate to an authentication scheme + supported by [RFC5310], because it is algorithm agnostic. Possible + digest algorithms include SHA-1, SHA-224, SHA-256, SHA-384, and + SHA-512. Picking at least one mandatory-to-implement algorithm is + imperative to ensuring interoperability. + +3. Open Shortest Path First Version 2 (OSPFv2) + + [RFC2328] includes three different types of authentication schemes: + Null authentication, cleartext password (defined as "simple password" + in [RFC2328]), and cryptographic authentication. Null authentication + is semantically equivalent to no authentication. + + In the cryptographic authentication scheme, the OSPFv2 routers on a + common network/subnet are configured with a shared secret that is + used to generate a Keyed-MD5 digest for each packet. A monotonically + + + +Bhatia & Manral Informational [Page 5] + +RFC 6094 Crypto Reqs for Routing Protocols February 2011 + + + increasing sequence number scheme is used to protect against replay + attacks. + + [RFC5709] adds support for the use of the SHA family of hash + algorithms for authentication of OSPFv2 packets. + +3.1. Authentication Scheme Selection + + For OSPF implementations to securely interoperate, they must have one + or more authentication schemes in common. + + While all implementations will have Null authentication since it's + mandated by [RFC2328], its use is not appropriate in any context + where the operator wishes to authenticate OSPFv2 packets in their + network. + + While all implementations will also support a cleartext password + since it's mandated by [RFC2328], its use is only appropriate when + the operator wants to preclude the accidental introduction of a + router into the domain. This scheme is patently not useful when an + operator wants to authenticate the OSPFv2 packets. + + Cryptographic authentication is a mandatory scheme defined in + [RFC2328], and all conformant implementations must support this. + +3.2. Authentication Algorithm Selection + + For OSPFv2 implementations to securely interoperate, they must + support one or more cryptographic authentication algorithms in + common. + + The following are the available options for authentication + algorithms: + + o [RFC2328] specifies the use of Keyed-MD5. + + o [RFC5709] specifies the use of HMAC-SHA-1, HMAC-SHA-256, + HMAC-SHA-384, and HMAC-SHA-512, and also mandates support for + HMAC-SHA-256 (HMAC-SHA-1 is optional). + + As noted earlier, there is a desire to deprecate MD5. Some + alternatives for MD5 are listed in [RFC5709]. + + Possible digest algorithms include SHA-1, SHA-256, SHA-384, and + SHA-512. Picking one mandatory-to-implement algorithm is imperative + to ensuring interoperability. + + + + + +Bhatia & Manral Informational [Page 6] + +RFC 6094 Crypto Reqs for Routing Protocols February 2011 + + +4. Open Shortest Path First Version 3 (OSPFv3) + + OSPFv3 [RFC5340] relies on the IPv6 Authentication Header (AH) + [RFC4302] and IPv6 Encapsulating Security Payload (ESP) [RFC4303] in + order to provide integrity, authentication, and/or confidentiality. + + [RFC4552] mandates the use of ESP for authenticating OSPFv3 packets. + The implementations could also provide support for using AH to + protect these packets. + + The algorithm requirements for AH and ESP are described in [RFC4835] + as follows: + + o [RFC2404] mandates HMAC-SHA-1-96. + + o [RFC3566] indicates AES-XCBC-MAC-96 as a "should", but it's likely + that this will be mandated at some future time. + +5. Routing Information Protocol Version 2 (RIPv2) + + RIPv2, originally specified in [RFC1388] and then in [RFC1723], has + been updated and published as STD 56, [RFC2453]. If the Address + Family Identifier of the first (and only the first) entry in the + RIPv2 message is 0xFFFF, then the remainder of the entry contains the + authentication information. The [RFC2453] version of the protocol + provides for authenticating packets using a cleartext password + (defined as "simple password" in [RFC2453]) not more than 16 octets + in length. + + [RFC2082] added support for Keyed-MD5 authentication, where a digest + is appended to the end of the RIP packet. [RFC4822] obsoleted + [RFC2082] and added the SHA family of hash algorithms to the list of + cryptographic authentications that can be used to protect RIPv2, + whereas [RFC2082] previously specified only the use of Keyed-MD5. + +5.1. Authentication Scheme Selection + + For RIPv2 implementations to securely interoperate, they must support + one or more authentication schemes in common. + + While all implementations will support a cleartext password since + it's mandated by [RFC2453], its use is only appropriate when the + operator wants to preclude the accidental introduction of a router + into the domain. This scheme is patently not useful when an operator + wants to authenticate the RIPv2 packets. + + + + + + +Bhatia & Manral Informational [Page 7] + +RFC 6094 Crypto Reqs for Routing Protocols February 2011 + + + [RFC2082] mandates the use of an authentication scheme that uses + Keyed-MD5. However, [RFC2082] has been obsoleted by [RFC4822]. + Compliant implementations must provide support for an authentication + scheme that uses Keyed-MD5 but should recognize that this is + superseded by cryptographic authentication as defined in [RFC4822]. + + Implementations should provide support for [RFC4822], as it specifies + the RIPv2 cryptographic authentication schemes. + +5.2. Authentication Algorithm Selection + + For RIPv2 implementations to securely interoperate, they must support + one or more authentication algorithms in common. + + The following are the available options for authentication + algorithms: + + o [RFC2082] specifies the use of Keyed-MD5. + + o [RFC4822] specifies the use of Keyed-MD5, HMAC-SHA-1, + HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512. + + As noted earlier, there is a desire to deprecate MD5. Some + alternatives for MD5 are listed in [RFC4822]. Possible digest + algorithms include SHA-1, SHA-256, SHA-384, and SHA-512. Picking one + mandatory-to-implement algorithm is imperative to ensuring + interoperability. + +6. Routing Information Protocol for IPv6 (RIPng) + + RIPng [RFC2080] relies on the IPv6 Authentication Header (AH) + [RFC4302] and IPv6 Encapsulating Security Payload (ESP) [RFC4303] in + order to provide integrity, authentication, and/or confidentiality. + + The algorithm requirements for AH and ESP are described in [RFC4835] + as follows: + + o [RFC2404] mandates HMAC-SHA-1-96. + + o [RFC3566] indicates AES-XCBC-MAC-96 as a "should", but it's likely + that this will be mandated at some future time. + + + + + + + + + + +Bhatia & Manral Informational [Page 8] + +RFC 6094 Crypto Reqs for Routing Protocols February 2011 + + +7. Security Considerations + + The cryptographic mechanisms referenced in this document provide only + authentication algorithms. These algorithms do not provide + confidentiality. Encrypting the content of the packet and thereby + providing confidentiality is not considered in the definition of the + routing protocols. + + The cryptographic strength of the HMAC depends upon the cryptographic + strength of the underlying hash function and on the size and quality + of the key. The feasibility of attacking the integrity of routing + protocol messages protected by keyed digests may be significantly + more limited than that of other data; however, preference for one + family of algorithms over another may also change independently of + the perceived risk to a particular protocol. + + To ensure greater security, the keys used should be changed + periodically, and implementations must be able to store and use more + than one key at the same time. Operational experience suggests that + the lack of periodic rekeying is a source of significant exposure and + that the lifespan of shared keys in the network is frequently + measured in years. + + While simple password schemes are well represented in the document + series and in conformant implementations of the protocols, the + inability to offer either integrity or identity protection are + sufficient reason to strongly discourage their use. + + This document concerns itself with the selection of cryptographic + algorithms for use in the authentication of routing protocol packets + being exchanged between adjacent routing processes. The + cryptographic algorithms identified in this document are not known to + be broken at the current time, and ongoing cryptographic research so + far leads us to believe that they will likely remain secure in the + foreseeable future. We expect that new revisions of this document + will be issued in the future to reflect current thinking on the + algorithms that various routing protocols should employ to ensure + interoperability between disparate implementations. + +8. Acknowledgements + + We would like to thank Joel Jaeggli, Sean Turner, and Adrian Farrel + for their comments and feedback on this document, which resulted in + significant improvement of the same. + + + + + + + +Bhatia & Manral Informational [Page 9] + +RFC 6094 Crypto Reqs for Routing Protocols February 2011 + + +9. References + +9.1. Normative References + + [ISO] "Intermediate system to Intermediate system routing + information exchange protocol for use in conjunction with + the protocol for providing the connectionless-mode + network service", ISO/IEC 10589:1992 (ISO 8473). + + [RFC1195] Callon, R., "Use of OSI IS-IS for routing in TCP/IP and + dual environments", RFC 1195, December 1990. + + [RFC2080] Malkin, G. and R. Minnear, "RIPng for IPv6", RFC 2080, + January 1997. + + [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998. + + [RFC2453] Malkin, G., "RIP Version 2", STD 56, RFC 2453, + November 1998. + + [RFC4822] Atkinson, R. and M. Fanto, "RIPv2 Cryptographic + Authentication", RFC 4822, February 2007. + + [RFC4835] Manral, V., "Cryptographic Algorithm Implementation + Requirements for Encapsulating Security Payload (ESP) and + Authentication Header (AH)", RFC 4835, April 2007. + + [RFC5304] Li, T. and R. Atkinson, "IS-IS Cryptographic + Authentication", RFC 5304, October 2008. + + [RFC5310] Bhatia, M., Manral, V., Li, T., Atkinson, R., White, R., + and M. Fanto, "IS-IS Generic Cryptographic + Authentication", RFC 5310, February 2009. + + [RFC5340] Coltun, R., Ferguson, D., Moy, J., and A. Lindem, "OSPF + for IPv6", RFC 5340, July 2008. + + [RFC5709] Bhatia, M., Manral, V., Fanto, M., White, R., Barnes, M., + Li, T., and R. Atkinson, "OSPFv2 HMAC-SHA Cryptographic + Authentication", RFC 5709, October 2009. + +9.2. Informative References + + [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, + April 1992. + + [RFC1388] Malkin, G., "RIP Version 2 Carrying Additional + Information", RFC 1388, January 1993. + + + +Bhatia & Manral Informational [Page 10] + +RFC 6094 Crypto Reqs for Routing Protocols February 2011 + + + [RFC1723] Malkin, G., "RIP Version 2 - Carrying Additional + Information", RFC 1723, November 1994. + + [RFC2082] Baker, F. and R. Atkinson, "RIP-2 MD5 Authentication", + RFC 2082, January 1997. + + [RFC2404] Madson, C. and R. Glenn, "The Use of HMAC-SHA-1-96 within + ESP and AH", RFC 2404, November 1998. + + [RFC3566] Frankel, S. and H. Herbert, "The AES-XCBC-MAC-96 + Algorithm and Its Use With IPsec", RFC 3566, + September 2003. + + [RFC4270] Hoffman, P. and B. Schneier, "Attacks on Cryptographic + Hashes in Internet Protocols", RFC 4270, November 2005. + + [RFC4302] Kent, S., "IP Authentication Header", RFC 4302, + December 2005. + + [RFC4303] Kent, S., "IP Encapsulating Security Payload (ESP)", + RFC 4303, December 2005. + + [RFC4552] Gupta, M. and N. Melam, "Authentication/Confidentiality + for OSPFv3", RFC 4552, June 2006. + + [SHS] "Secure Hash Standard (SHS)", National Institute of + Standards and Technology (NIST) FIPS Publication 180-3, + October 2008. + +Authors' Addresses + + Manav Bhatia + Alcatel-Lucent + Bangalore + India + + EMail: manav.bhatia@alcatel-lucent.com + + + Vishwas Manral + IP Infusion + 1188 E. Arques Ave. + Sunnyvale, CA 94089 + USA + + Phone: 408-400-1900 + EMail: vishwas@ipinfusion.com + + + + +Bhatia & Manral Informational [Page 11] + -- cgit v1.2.3