1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
|
Internet Engineering Task Force (IETF) M. Jethanandani
Request for Comments: 6952 Ciena Corporation
Category: Informational K. Patel
ISSN: 2070-1721 Cisco Systems, Inc
L. Zheng
Huawei Technologies
May 2013
Analysis of BGP, LDP, PCEP, and MSDP Issues According to the
Keying and Authentication for Routing Protocols (KARP) Design Guide
Abstract
This document analyzes TCP-based routing protocols, the Border
Gateway Protocol (BGP), the Label Distribution Protocol (LDP), the
Path Computation Element Communication Protocol (PCEP), and the
Multicast Source Distribution Protocol (MSDP), according to
guidelines set forth in Section 4.2 of "Keying and Authentication for
Routing Protocols Design Guidelines", RFC 6518.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6952.
Jethanandani, et al. Informational [Page 1]
^L
RFC 6952 BGP, LDP, PCEP, and MSDP Analysis May 2013
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Abbreviations . . . . . . . . . . . . . . . . . . . . . . 4
2. Current Assessment of BGP, LDP, PCEP, and MSDP . . . . . . . 5
2.1. Transport Layer . . . . . . . . . . . . . . . . . . . . . 5
2.2. Keying Mechanisms . . . . . . . . . . . . . . . . . . . . 6
2.3. BGP . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.4. LDP . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.4.1. Spoofing Attacks . . . . . . . . . . . . . . . . . . 7
2.4.2. Denial-of-Service Attacks . . . . . . . . . . . . . . 8
2.5. PCEP . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.6. MSDP . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3. Optimal State for BGP, LDP, PCEP, and MSDP . . . . . . . . . 10
3.1. LDP . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4. Gap Analysis for BGP, LDP, PCEP, and MSDP . . . . . . . . . . 11
4.1. LDP . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
4.2. PCEP . . . . . . . . . . . . . . . . . . . . . . . . . . 13
5. Transition and Deployment Considerations . . . . . . . . . . 13
6. Security Considerations . . . . . . . . . . . . . . . . . . . 13
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
8.1. Normative References . . . . . . . . . . . . . . . . . . 14
8.2. Informative References . . . . . . . . . . . . . . . . . 14
Jethanandani, et al. Informational [Page 2]
^L
RFC 6952 BGP, LDP, PCEP, and MSDP Analysis May 2013
1. Introduction
In their "Report from the IAB Workshop on Unwanted Traffic March
9-10, 2006" [RFC4948], the Internet Architecture Board (IAB)
described an attack on core routing infrastructure as an ideal attack
that would inflict the greatest amount of damage and suggested steps
to tighten the infrastructure against the attack. Four main steps
were identified for that tightening:
1. Create secure mechanisms and practices for operating routers.
2. Clean up the Internet Routing Registry (IRR) repository, and
secure both the database and the access, so that it can be used
for routing verifications.
3. Create specifications for cryptographic validation of routing
message content.
4. Secure the routing protocols' packets on the wire.
In order to secure the routing protocols, this document performs an
initial analysis of the current state of four TCP-based protocols --
BGP [RFC4271], LDP [RFC5036], PCEP [RFC5440], and MSDP [RFC3618] --
according to the requirements of the KARP Design Guidelines
[RFC6518]. Section 4.2 of that document uses the term "state", which
will be referred to as the "state of the security method". Thus, a
term like "Define Optimal State" would be referred to as "Define
Optimal State of the Security Method".
This document builds on several previous efforts into routing
security:
o "Issues with Existing Cryptographic Protection Methods for Routing
Protocols" [RFC6039], describes issues with existing cryptographic
protection methods for routing protocols.
o Analysis of OSPF Security According to the KARP Design Guide
[RFC6863] analyzes Open Shortest Path First (OSPF) security
according to the KARP Design Guide.
Section 2 of this document looks at the current state of the security
method for the four routing protocols: BGP, LDP, PCEP, and MSDP.
Section 3 examines what the optimal state of the security method
would be for the four routing protocols according to the KARP Design
Guidelines [RFC6518], and Section 4 does an analysis of the gap
between the existing state of the security method and the optimal
state of the security method for the protocols and suggests some
areas where improvement is needed.
Jethanandani, et al. Informational [Page 3]
^L
RFC 6952 BGP, LDP, PCEP, and MSDP Analysis May 2013
1.1. Abbreviations
AES - Advanced Encryption Standard
AO - Authentication Option
AS - Autonomous System
BGP - Border Gateway Protocol
CMAC - Cipher-Based Message Authentication Code
DoS - Denial of Service
GTSM - Generalized Time-to-Live (TTL) Security Mechanism
HMAC - Hash-Based MAC
KARP - Key and Authentication for Routing Protocols
KDF - Key Derivation Function
KEK - Key Encrypting Key
KMP - Key Management Protocol
LDP - Label Distribution Protocol
LSR - Label Switching Routers
MAC - Message Authentication Code
MKT - Master Key Table
MSDP - Multicast Source Distribution Protocol
MD5 - Message Digest Algorithm 5
OSPF - Open Shortest Path First
PCEP - Path Computation Element Communication Protocol
PCC - Path Computation Client
PCE - Path Computation Element
SHA - Secure Hash Algorithm
Jethanandani, et al. Informational [Page 4]
^L
RFC 6952 BGP, LDP, PCEP, and MSDP Analysis May 2013
TCP - Transmission Control Protocol
TTL - Time-to-Live
UDP - User Datagram Protocol
WG - Working Group
2. Current Assessment of BGP, LDP, PCEP, and MSDP
This section assesses the transport protocols for any authentication
or integrity mechanisms used by the protocol. It describes the
current security mechanisms, if any, used by BGP, LDP, PCEP, and
MSDP.
2.1. Transport Layer
At the transport layer, routing protocols are subject to a variety of
DoS attacks, as outlined in "Internet Denial-of-Service
Considerations" [RFC4732]. Such attacks can cause the routing
protocol to become congested, resulting in the routing updates being
supplied too slowly to be useful. In extreme cases, these attacks
prevent routers from converging after a change.
Routing protocols use several methods to protect themselves. Those
that use TCP as a transport protocol use access lists to accept
packets only from known sources. These access lists also help
protect edge routers from attacks originating outside the protected
domain. In addition, for edge routers running the External Border
Gateway Protocol (eBGP), TCP LISTEN is run only on interfaces on
which its peers have been discovered or via which routing sessions
are expected (as specified in router configuration databases).
"Generalized TTL Security Mechanism (GTSM)" [RFC5082] describes a
generalized Time-to-Live (TTL) security mechanism to protect a
protocol stack from CPU-utilization-based attacks. TCP Robustness
[RFC5961] recommends some TCP-level mitigations against spoofing
attacks targeted towards long-lived routing protocol sessions.
Even when BGP, LDP, PCEP, and MSDP sessions use access lists, they
are vulnerable to spoofing and man-in-the-middle attacks.
Authentication and integrity checks allow the receiver of a routing
protocol update to know that the message genuinely comes from the
node that claims to have sent it and to know whether the message has
been modified. Sometimes routers can be subjected to a large number
of authentication and integrity requests, exhausting connection
resources on the router in a way that could lead to the denial of
genuine requests.
Jethanandani, et al. Informational [Page 5]
^L
RFC 6952 BGP, LDP, PCEP, and MSDP Analysis May 2013
TCP MD5 [RFC2385] has been obsoleted by TCP-AO [RFC5925]. However,
it is still widely used to authenticate TCP-based routing protocols
such as BGP. It provides a way for carrying a MD5 digest in a TCP
segment. This digest is computed using information known only to the
endpoints, and this ensures authenticity and integrity of messages.
The MD5 key used to compute the digest is stored locally on the
router. This option is used by routing protocols to provide for
session-level protection against the introduction of spoofed TCP
segments into any existing TCP streams, in particular, TCP Reset
segments. TCP MD5 does not provide a generic mechanism to support
key rollover. It also does not support algorithm agility.
The Message Authentication Codes (MACs) used by TCP MD5 are
considered too weak both because of the use of the hash function and
because of the way the secret key used by TCP MD5 is managed.
Furthermore, TCP MD5 does not support any algorithm agility. TCP-AO
[RFC5925] and its companion document Cryptographic Algorithms for
TCP-AO [RFC5926], describe steps towards correcting both the MAC
weakness and the management of secret keys. Those steps require that
two MAC algorithms be supported. They are HMAC-SHA-1-96, as
specified in HMAC [RFC2104], and AES-128-CMAC-96, as specified in
NIST-SP800-38B [NIST-SP800-38B]. Cryptographic research suggests
that both these MAC algorithms are fairly secure. By supporting
multiple MAC algorithms, TCP-AO supports algorithm agility. TCP-AO
also allows additional MACs to be added in the future.
2.2. Keying Mechanisms
For TCP-AO [RFC5925], there is no Key Management Protocol (KMP) used
to manage the keys that are employed to generate the MAC. TCP-AO
talks about coordinating keys derived from the Master Key Table (MKT)
between endpoints and allows for a master key to be configured
manually or for it to be managed via an out-of-band mechanism.
It should be noted that most routers configured with static keys have
not seen the key changed ever. The common reason given for not
changing the key is the difficulty in coordinating the change between
pairs of routers when using TCP MD5. It is well known that the
longer the same key is used, the greater the chance that it can be
guessed or exposed, e.g., when an administrator with knowledge of the
keys leaves the company.
For point-to-point key management, the IKEv2 protocol [RFC5996]
provides for automated key exchange under a Security Association (SA)
and can be used for a comprehensive KMP solution for routers. IKEv2
can be used for both IPsec SAs [RFC4301] and other types of SAs. For
example, Fibre Channel SAs [RFC4595] are currently negotiated with
IKEv2. Using IKEv2 to negotiate TCP-AO is a possible option.
Jethanandani, et al. Informational [Page 6]
^L
RFC 6952 BGP, LDP, PCEP, and MSDP Analysis May 2013
2.3. BGP
All BGP communications take place over TCP. Therefore, all security
vulnerabilities for BGP can be categorized as relating to the
security of the transport protocol itself, or to the compromising of
individual routers and the data they handle. This document examines
the issues for the transport protocol, while the SIDR Working Group
(WG) looks at ways to sign and secure the data exchanged in BGP as
described in "An Infrastructure to Support Secure Internet Protocol"
[RFC6480].
2.4. LDP
"Security Framework for MPLS and GMPLS Networks" [RFC5920] outlines
security aspects that are relevant in the context of MPLS and GMPLS.
It describes the security threats, the related defensive techniques,
and the mechanism for detection and reporting.
Section 5 of LDP [RFC5036] states that LDP is subject to two
different types of attacks: spoofing and denial-of-service attacks.
2.4.1. Spoofing Attacks
A spoofing attack against LDP can occur both during the discovery
phase and during the session communication phase.
2.4.1.1. Discovery Exchanges using UDP
Label Switching Routers (LSRs) indicate their willingness to
establish and maintain LDP sessions by periodically sending Hello
messages. Reception of a Hello message serves to create a new "Hello
adjacency", if one does not already exist, or to refresh an existing
one.
There are two variants of the discovery mechanism. A Basic Discovery
mechanism is used to discover LSR neighbors that are directly
connected at the link level, and an Extended Discovery mechanism is
used by LSRs that are more than one hop away.
Unlike all other LDP messages, the Hello messages are sent using UDP.
This means that they cannot benefit from the security mechanisms
available with TCP. LDP [RFC5036] does not provide any security
mechanisms for use with Hello messages except for some configuration
that may help protect against bogus discovery events. These
configurations include directly connected links and interfaces.
Routers that do not use directly connected links have to use the
Extended Discovery mechanism and will not be able to use
configuration to protect against bogus discovery events.
Jethanandani, et al. Informational [Page 7]
^L
RFC 6952 BGP, LDP, PCEP, and MSDP Analysis May 2013
Spoofing a Hello packet for an existing adjacency can cause the
adjacency to time out and result in termination of the associated
session. This can occur when the spoofed Hello message specifies a
small Hold Time, causing the receiver to expect Hello messages within
this interval, while the true neighbor continues sending Hello
messages at the lower, previously agreed to frequency.
Spoofing a Hello packet can also cause the LDP session to be
terminated. This can occur when the spoofed Hello specifies a
different Transport Address from the previously agreed one between
neighbors. Spoofed Hello messages are observed and reported as a
real problem in production networks.
2.4.1.2. Session Communication using TCP
LDP, like other TCP-based routing protocols, specifies use of the TCP
MD5 Signature Option to provide for the authenticity and integrity of
session messages. As stated in Section 2.1 of this document and in
Section 2.9 of LDP [RFC5036], MD5 authentication is considered too
weak for this application as outlined in MD5 and HMAC-MD5 Security
Considerations [RFC6151]. It also does not support algorithm
agility. A stronger hashing algorithm, e.g., SHA1, which is
supported by TCP-AO [RFC5925], could be deployed to take care of the
weakness.
Alternatively, one could move to using TCP-AO, which provides for
stronger MAC algorithms, makes it easier to set up manual keys, and
protects against replay attacks.
2.4.2. Denial-of-Service Attacks
LDP is subject to Denial-of-Service (DoS) attacks both in discovery
mode and session mode. The potential targets are documented in
Section 5.3 of LDP [RFC5036].
2.5. PCEP
For effective selection by Path Computation Clients (PCCs), a PCC
needs to know the location of Path Computation Elements (PCEs) in its
domain along with some information relevant for PCE selection. Such
PCE information could be learned through manual configuration, on
each PCC, along with the capabilities of the PCE or automatically
through a PCE discovery mechanism as outlined in Requirements for PCE
Discovery [RFC4674].
Attacks on PCEP [RFC5440] may result in damage to active networks.
These include computation responses, which if changed can cause
protocols like RSVP-TE [RFC3209] to set up suboptimal or
Jethanandani, et al. Informational [Page 8]
^L
RFC 6952 BGP, LDP, PCEP, and MSDP Analysis May 2013
inappropriate LSPs. In addition, PCE itself can be a target for a
variety of DoS attacks. Such attacks can cause path computations to
be supplied too slowly to be of any value, particularly as it relates
to recovery or establishment of LSPs.
Finally, PCE discovery, as outlined in OSPF Protocol Extensions for
PCE Discovery [RFC5088] and IS-IS Protocol Extensions for PCE
Discovery [RFC5089], is a significant feature for the successful
deployment of PCEP in large networks. These mechanisms allow PCC to
discover the existence of PCEs within the network. If the discovery
mechanism is compromised, it will impair the ability of the nodes to
function as described below.
As RFC 5440 states, PCEP (which makes use of TCP as a transport)
could be the target of the following attacks:
o Spoofing (PCC or PCE implementation)
o Snooping (message interception)
o Falsification
o Denial of Service
In inter-Autonomous System (inter-AS) scenarios where PCE-to-PCE
communication is required, attacks may be particularly significant
with commercial implications as well as service-level agreement
implications.
Additionally, snooping of PCEP requests and responses may give an
attacker information about the operation of the network. By viewing
the PCEP messages, an attacker can determine the pattern of service
establishment in the network and can know where traffic is being
routed, thereby making the network susceptible to targeted attacks
and the data within specific LSPs vulnerable.
Ensuring PCEP communication privacy is of key importance, especially
in an inter-AS context, where PCEP communication endpoints do not
reside in the same AS. An attacker that intercepts a PCE message
could obtain sensitive information related to computed paths and
resources.
At the time PCEP was documented in [RFC5440], TCP-AO had not been
fully specified. Therefore, [RFC5440] mandates that PCEP
implementations include support for TCP MD5 and that use of the
function should be configurable by the operator. [RFC5440] also
describes the vulnerabilities and weaknesses of TCP MD5 as noted in
this document. [RFC5440] goes on to state that PCEP implementations
Jethanandani, et al. Informational [Page 9]
^L
RFC 6952 BGP, LDP, PCEP, and MSDP Analysis May 2013
should include support for TCP-AO as soon as that specification is
complete. Since TCP-AO [RFC5925] has now been published, new PCEP
implementations should fully support TCP-AO.
2.6. MSDP
Similar to BGP and LDP, the Multicast Source Distribution Protocol
(MSDP) uses TCP MD5 [RFC2385] to protect TCP sessions via the TCP MD5
option. But with a weak MD5 authentication, TCP MD5 is not
considered strong enough for this application. It also does not
support algorithm agility.
MSDP advocates imposing a limit on the number of source address and
group addresses (S,G) that can be cached within the protocol in order
to mitigate state explosion due to any denial of service and other
attacks.
3. Optimal State for BGP, LDP, PCEP, and MSDP
The ideal state of the security method for BGP, LDP, PCEP, and MSDP
protocols is when they can withstand any of the known types of
attacks. The protocols also need to support algorithm agility, i.e.,
they must not hardwire themselves to one algorithm.
Additionally, the KMP for the routing sessions should help negotiate
unique, pair-wise random keys without administrator involvement. It
should also negotiate Security Association (SA) parameters required
for the session connection, including key lifetimes. It should keep
track of those lifetimes and negotiate new keys and parameters before
they expire and do so without administrator involvement. In the
event of a breach, including when an administrator with knowledge of
the keys leaves the company, the keys should be changed immediately.
The DoS attacks for BGP, LDP, PCEP, and MSDP are attacks to the
transport protocol -- TCP for the most part, and UDP in case of the
discovery phase of LDP. TCP and UDP should be able to withstand any
of the DoS scenarios by dropping packets that are attack packets in a
way that does not impact legitimate packets.
The routing protocols should provide a mechanism to authenticate the
routing information carried within the payload, and administrators
should enable it.
3.1. LDP
To mitigate LDP's current vulnerability to spoofing attacks, LDP
needs to be upgraded such that an implementation is able to determine
the authenticity of the neighbors sending the Hello message.
Jethanandani, et al. Informational [Page 10]
^L
RFC 6952 BGP, LDP, PCEP, and MSDP Analysis May 2013
Labels are similar to routing information, which is distributed in
the clear. However, there is currently no requirement that the
labels be encrypted. Such a requirement is out of scope for this
document.
Similarly, it is important to ensure that routers exchanging labels
are mutually authenticated, and that there are no rogue peers or
unauthenticated peers that can compromise the stability of the
network.
4. Gap Analysis for BGP, LDP, PCEP, and MSDP
This section outlines the differences between the current state of
the security methods for routing protocols and the desired state of
the security methods as outlined in Section 4.2 of the KARP Design
Guidelines [RFC6518]. As that document states, these routing
protocols fall into the category of one-to-one peering messages and
will use peer keying protocols. This section covers issues that are
common to the four protocols, leaving protocol-specific issues to
sub-sections.
At a transport level, these routing protocols are subject to some of
the same attacks that TCP applications are subject to. These include
DoS and spoofing attacks. "Internet Denial-of-Service
Considerations" [RFC4732] outlines some solutions. "Defending TCP
Against Spoofing Attacks" [RFC4953] recommends ways to prevent
spoofing attacks. In addition, the recommendations in [RFC5961]
should also be followed and implemented to strengthen TCP.
Routers lack comprehensive key management and keys derived that they
can use to authenticate data. As an example, TCP-AO [RFC5925], talks
about coordinating keys derived from the Master Key Table (MKT)
between endpoints, but the MKT itself has to be configured manually
or through an out-of-band mechanism. Also, TCP-AO does not address
the issue of connectionless reset, as it applies to routers that do
not store MKT across reboots.
Authentication, integrity protection, and encryption all require the
use of keys by sender and receiver. An automated KMP, therefore has
to include a way to distribute key material between two endpoints
with little or no administrative overhead. It has to cover automatic
key rollover. It is expected that authentication will cover the
packet, i.e., the payload and the TCP header, and will not cover the
frame, i.e., the layer 2 header.
There are two methods of automatic key rollover. Implicit key
rollover can be initiated after a certain volume of data gets
exchanged or when a certain time has elapsed. This does not require
Jethanandani, et al. Informational [Page 11]
^L
RFC 6952 BGP, LDP, PCEP, and MSDP Analysis May 2013
explicit signaling nor should it result in a reset of the TCP
connection in a way that the links/adjacencies are affected. On the
other hand, explicit key rollover requires an out-of-band key
signaling mechanism. It can be triggered by either side and can be
done anytime a security parameter changes, e.g., an attack has
happened, or a system administrator with access to the keys has left
the company. An example of this is IKEv2 [RFC5996], but it could be
any other new mechanisms also.
As stated earlier, TCP-AO [RFC5925] and its accompanying document,
Cryptographic Algorithms for TCP-AO [RFC5926], require that two MAC
algorithms be supported, and they are HMAC-SHA-1-96, as specified in
HMAC [RFC2104], and AES-128-CMAC-96, as specified in NIST-SP800-38B
[NIST-SP800-38B]. Therefore, TCP-AO meets the algorithm agility
requirement.
There is a need to protect authenticity and validity of the routing/
label information that is carried in the payload of the sessions.
However, that is outside the scope of this document and is being
addressed by the SIDR WG. Similar mechanisms could be used for
intra-domain protocols.
Finally, replay protection is required. The replay mechanism needs
to be sufficient to prevent an attacker from creating a denial of
service or disrupting the integrity of the routing protocol by
replaying packets. It is important that an attacker not be able to
disrupt service by capturing packets and waiting for replay state to
be lost.
4.1. LDP
As described in LDP [RFC5036], the threat of spoofed Basic Hellos can
be reduced by only accepting Basic Hellos on interfaces that LSRs
trust, employing GTSM [RFC5082], and ignoring Basic Hellos not
addressed to the "all routers on this subnet" multicast group.
Spoofing attacks via Targeted Hellos are potentially a more serious
threat. An LSR can reduce the threat of spoofed Extended Hellos by
filtering them and accepting Hellos from sources permitted by access
lists. However, performing the filtering using access lists requires
LSR resources, and the LSR is still vulnerable to the IP source
address spoofing. Spoofing attacks can be solved by being able to
authenticate the Hello messages, and an LSR can be configured to only
accept Hello messages from specific peers when authentication is in
use.
LDP Hello Cryptographic Authentication [HELLO-CRYPTO] suggest a new
Cryptographic Authentication TLV that can be used as an
authentication mechanism to secure Hello messages.
Jethanandani, et al. Informational [Page 12]
^L
RFC 6952 BGP, LDP, PCEP, and MSDP Analysis May 2013
4.2. PCEP
Path Computation Element (PCE) discovery, according to [RFC5440], is
a significant feature for the successful deployment of PCEP in large
networks. This mechanism allows a Path Computation Client (PCC) to
discover the existence of suitable PCEs within the network without
the necessity of configuration. It should be obvious that, where
PCEs are discovered and not configured, the PCC cannot know the
correct key to use. There are different approaches to retain some
aspect of security, but all of them require use of a keys and a
keying mechanism, the need for which has been discussed above.
5. Transition and Deployment Considerations
As stated in the KARP Design Guidelines [RFC6518], it is imperative
that the new authentication, security mechanisms, and key management
protocol support incremental deployment, as it is not feasible to
deploy the new routing protocol authentication mechanism overnight.
Typically, authentication and security in a peer-to-peer protocol
requires that both parties agree to the mechanisms that will be used.
If an agreement is not reached, the setup of the new mechanism will
fail or will be deferred. Upon failure, the routing protocols can
fall back to the mechanisms that were already in place, e.g., use
static keys if that was the mechanism in place. The fallback should
be configurable on a per-node or per-interface basis. It is usually
not possible for one end to use the new mechanism while the other end
uses the old. Policies can be put in place to retry upgrading after
a said period of time, so that manual coordination is not required.
If the automatic KMP requires use of Public Key Infrastructure
Certificates [RFC5280] to exchange key material, the required
Certificate Authority (CA) root certificates may need to be installed
to verify the authenticity of requests initiated by a peer. Such a
step does not require coordination with the peer, except to decide
which CA authority will be used.
6. Security Considerations
This section describes security considerations that BGP, LDP, PCEP,
and MSDP should try to meet.
As with all routing protocols, they need protection from both on-path
and off-path blind attacks. A better way to protect them would be
with per-packet protection using a cryptographic MAC. In order to
provide for the MAC, keys are needed.
Jethanandani, et al. Informational [Page 13]
^L
RFC 6952 BGP, LDP, PCEP, and MSDP Analysis May 2013
The routing protocols need to support algorithm agility, i.e., they
must not hardwire themselves to one algorithm.
Once keys are used, mechanisms are required to support key rollover.
They should cover both manual and automatic key rollover. Multiple
approaches could be used. However, since the existing mechanisms
provide a protocol field to identify the key as well as management
mechanisms to introduce and retire new keys, focusing on the existing
mechanism as a starting point is prudent.
Furthermore, it is strongly suggested that these routing protocols
support algorithm agility. It has been proven that algorithms weaken
over time. Supporting algorithm agility assists in smooth
transitions from old to new algorithms.
7. Acknowledgements
We would like to thank Brian Weis for encouraging us to write this
document, and thanks to Anantha Ramaiah and Mach Chen for providing
comments on it.
8. References
8.1. Normative References
[RFC5926] Lebovitz, G. and E. Rescorla, "Cryptographic Algorithms
for the TCP Authentication Option (TCP-AO)", RFC 5926,
June 2010.
[RFC6518] Lebovitz, G. and M. Bhatia, "Keying and Authentication for
Routing Protocols (KARP) Design Guidelines", RFC 6518,
February 2012.
[RFC6863] Hartman, S. and D. Zhang, "Analysis of OSPF Security
According to the Keying and Authentication for Routing
Protocols (KARP) Design Guide", RFC 6863, March 2013.
8.2. Informative References
[HELLO-CRYPTO]
Zheng, L., Chen, M., and M. Bhatia, "LDP Hello
Cryptographic Authentication", Work in Progress, January
2013.
[NIST-SP800-38B]
Dworking, , "Recommendation for Block Cipher Modes of
Operation: The CMAC Mode for Authentication", May 2005.
Jethanandani, et al. Informational [Page 14]
^L
RFC 6952 BGP, LDP, PCEP, and MSDP Analysis May 2013
[RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104, February
1997.
[RFC2385] Heffernan, A., "Protection of BGP Sessions via the TCP MD5
Signature Option", RFC 2385, August 1998.
[RFC3209] Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V.,
and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP
Tunnels", RFC 3209, December 2001.
[RFC3618] Fenner, B. and D. Meyer, "Multicast Source Discovery
Protocol (MSDP)", RFC 3618, October 2003.
[RFC4271] Rekhter, Y., Li, T., and S. Hares, "A Border Gateway
Protocol 4 (BGP-4)", RFC 4271, January 2006.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005.
[RFC4595] Maino, F. and D. Black, "Use of IKEv2 in the Fibre Channel
Security Association Management Protocol", RFC 4595, July
2006.
[RFC4674] Le Roux, J.L., "Requirements for Path Computation Element
(PCE) Discovery", RFC 4674, October 2006.
[RFC4732] Handley, M., Rescorla, E., IAB, "Internet Denial-of-
Service Considerations", RFC 4732, December 2006.
[RFC4948] Andersson, L., Davies, E., and L. Zhang, "Report from the
IAB workshop on Unwanted Traffic March 9-10, 2006", RFC
4948, August 2007.
[RFC4953] Touch, J., "Defending TCP Against Spoofing Attacks", RFC
4953, July 2007.
[RFC5036] Andersson, L., Minei, I., and B. Thomas, "LDP
Specification", RFC 5036, October 2007.
[RFC5082] Gill, V., Heasley, J., Meyer, D., Savola, P., and C.
Pignataro, "The Generalized TTL Security Mechanism
(GTSM)", RFC 5082, October 2007.
[RFC5088] Le Roux, JL., Vasseur, JP., Ikejiri, Y., and R. Zhang,
"OSPF Protocol Extensions for Path Computation Element
(PCE) Discovery", RFC 5088, January 2008.
Jethanandani, et al. Informational [Page 15]
^L
RFC 6952 BGP, LDP, PCEP, and MSDP Analysis May 2013
[RFC5089] Le Roux, JL., Vasseur, JP., Ikejiri, Y., and R. Zhang,
"IS-IS Protocol Extensions for Path Computation Element
(PCE) Discovery", RFC 5089, January 2008.
[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
Housley, R., and W. Polk, "Internet X.509 Public Key
Infrastructure Certificate and Certificate Revocation List
(CRL) Profile", RFC 5280, May 2008.
[RFC5440] Vasseur, JP. and JL. Le Roux, "Path Computation Element
(PCE) Communication Protocol (PCEP)", RFC 5440, March
2009.
[RFC5920] Fang, L., "Security Framework for MPLS and GMPLS
Networks", RFC 5920, July 2010.
[RFC5925] Touch, J., Mankin, A., and R. Bonica, "The TCP
Authentication Option", RFC 5925, June 2010.
[RFC5961] Ramaiah, A., Stewart, R., and M. Dalal, "Improving TCP's
Robustness to Blind In-Window Attacks", RFC 5961, August
2010.
[RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
"Internet Key Exchange Protocol Version 2 (IKEv2)", RFC
5996, September 2010.
[RFC6039] Manral, V., Bhatia, M., Jaeggli, J., and R. White, "Issues
with Existing Cryptographic Protection Methods for Routing
Protocols", RFC 6039, October 2010.
[RFC6151] Turner, S. and L. Chen, "Updated Security Considerations
for the MD5 Message-Digest and the HMAC-MD5 Algorithms",
RFC 6151, March 2011.
[RFC6480] Lepinski, M. and S. Kent, "An Infrastructure to Support
Secure Internet Routing", RFC 6480, February 2012.
Jethanandani, et al. Informational [Page 16]
^L
RFC 6952 BGP, LDP, PCEP, and MSDP Analysis May 2013
Authors' Addresses
Mahesh Jethanandani
Ciena Corporation
1741 Technology Drive
San Jose, CA 95110
USA
Phone: +1 (408) 436-3313
EMail: mjethanandani@gmail.com
Keyur Patel
Cisco Systems, Inc
170 Tasman Drive
San Jose, CA 95134
USA
Phone: +1 (408) 526-7183
EMail: keyupate@cisco.com
Lianshu Zheng
Huawei Technologies
China
Phone: +86 (10) 82882008
EMail: vero.zheng@huawei.com
Jethanandani, et al. Informational [Page 17]
^L
|
