draft-ietf-mpls-ldp-hello-crypto-auth-02.txt   draft-ietf-mpls-ldp-hello-crypto-auth-03.txt 
Network Working Group L. Zheng Network Working Group L. Zheng
Internet-Draft M. Chen Internet-Draft M. Chen
Intended status: Standards Track Huawei Technologies Intended status: Standards Track Huawei Technologies
Expires: March 2, 2014 M. Bhatia Expires: September 20, 2014 M. Bhatia
Alcatel-Lucent Alcatel-Lucent
August 29, 2013 March 19, 2014
LDP Hello Cryptographic Authentication LDP Hello Cryptographic Authentication
draft-ietf-mpls-ldp-hello-crypto-auth-02.txt draft-ietf-mpls-ldp-hello-crypto-auth-03.txt
Abstract Abstract
This document introduces a new optional Cryptographic Authentication This document introduces a new optional Cryptographic Authentication
TLV that LDP can use to secure its Hello messages. It secures the TLV that LDP can use to secure its Hello messages. It secures the
Hello messages against spoofing attacks and some well known attacks Hello messages against spoofing attacks and some well known attacks
against the IP header. This document describes a mechanism to secure against the IP header. This document describes a mechanism to secure
the LDP Hello messages using National Institute of Standards and the LDP Hello messages using National Institute of Standards and
Technology (NIST) Secure Hash Standard family of algorithms. Technology (NIST) Secure Hash Standard family of algorithms.
skipping to change at page 2, line 26 skipping to change at page 2, line 26
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 2, 2014. This Internet-Draft will expire on September 20, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Cryptographic Authentication TLV . . . . . . . . . . . . . . . 6 2. Cryptographic Authentication TLV . . . . . . . . . . . . . . . 6
2.1. Optional Parameter for Hello Message . . . . . . . . . . . 6 2.1. Optional Parameter for Hello Message . . . . . . . . . . . 6
2.2. Cryptographic Authentication TLV Encoding . . . . . . . . 6 2.2. LDP Security Association . . . . . . . . . . . . . . . . . 6
2.3. Sequence Number Wrap . . . . . . . . . . . . . . . . . . . 7 2.3. Cryptographic Authentication TLV Encoding . . . . . . . . 8
2.4. Sequence Number Wrap . . . . . . . . . . . . . . . . . . . 9
3. Cryptographic Authentication Procedure . . . . . . . . . . . . 8 3. Cryptographic Authentication Procedure . . . . . . . . . . . . 10
4. Cross Protocol Attack Mitigation . . . . . . . . . . . . . . . 9 4. Cross Protocol Attack Mitigation . . . . . . . . . . . . . . . 11
5. Cryptographic Aspects . . . . . . . . . . . . . . . . . . . . 10 5. Cryptographic Aspects . . . . . . . . . . . . . . . . . . . . 12
5.1. Preparing the Cryptographic Key . . . . . . . . . . . . . 10 5.1. Preparing the Cryptographic Key . . . . . . . . . . . . . 12
5.2. Computing the Hash . . . . . . . . . . . . . . . . . . . . 11 5.2. Computing the Hash . . . . . . . . . . . . . . . . . . . . 13
5.3. Result . . . . . . . . . . . . . . . . . . . . . . . . . . 11 5.3. Result . . . . . . . . . . . . . . . . . . . . . . . . . . 13
6. Processing Hello Message Using Cryptographic Authentication . 12 6. Processing Hello Message Using Cryptographic Authentication . 14
6.1. Transmission Using Cryptographic Authentication . . . . . 12 6.1. Transmission Using Cryptographic Authentication . . . . . 14
6.2. Receipt Using Cryptographic Authentication . . . . . . . . 12 6.2. Receipt Using Cryptographic Authentication . . . . . . . . 14
7. Security Considerations . . . . . . . . . . . . . . . . . . . 13 7. Security Considerations . . . . . . . . . . . . . . . . . . . 16
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 15 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 18
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
10.1. Normative References . . . . . . . . . . . . . . . . . . . 16 10.1. Normative References . . . . . . . . . . . . . . . . . . . 19
10.2. Informative References . . . . . . . . . . . . . . . . . . 16 10.2. Informative References . . . . . . . . . . . . . . . . . . 19
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 21
1. Introduction 1. Introduction
The Label Distribution Protocol (LDP) [RFC5036] sets up LDP sessions The Label Distribution Protocol (LDP) [RFC5036] sets up LDP sessions
that runs between LDP peers. The peers could either be directly that run between LDP peers. The peers could either be directly
connected at the link level or could be multiple hops away. An LDP connected at the link level or could be multiple hops away. An LDP
Label Switching Router (LSR) could either be configured with the Label Switching Router (LSR) could either be configured with the
identity of its peers or could discover them using LDP Hello identity of its peers or could discover them using LDP Hello
messages. These messages are sent encapsulated in UDP addressed to messages. These messages are sent encapsulated in UDP addressed to
"all routers on this subnet" or to a specific IP address. Periodic "all routers on this subnet" or to a specific IP address. Periodic
Hello messages are also used to maintain the relationship between LDP Hello messages are also used to maintain the relationship between LDP
peers necessary to keep the LDP session active. peers necessary to keep the LDP session active.
Unlike other LDP messages, the Hello messages are sent using UDP and Since the Hello messages are sent using UDP and not TCP, these
not TCP. This implies that these messages cannot use the security messages cannot use the security mechanisms defined for TCP
mechanisms defined for TCP [RFC5926]. Besides a note that some [RFC5926]. While some configuration guidance is given in [RFC5036]
configuration may help protect against bogus discovery messages, to help protect against false discovery messages, it does not provide
[RFC5036] does not really provide any security mechanism to protect an explicit security mechanism to protect the Hello messages
the Hello messages.
Spoofing a Hello packet for an existing adjacency can cause the valid Spoofing a Hello packet for an existing adjacency can cause the valid
adjacency to time out and in turn can result in termination of the adjacency to time out and in turn can result in termination of the
associated session. This can occur when the spoofed Hello specifies associated session. This can occur when the spoofed Hello specifies
a smaller Hold Time, causing the receiver to expect Hellos within a smaller Hold Time, causing the receiver to expect Hellos within
this smaller interval, while the true neighbor continues sending this smaller interval, while the true neighbor continues sending
Hellos at the previously agreed lower frequency. Spoofing a Hello Hellos at the previously agreed lower frequency. Spoofing a Hello
packet can also cause the LDP session to be terminated directly, packet can also cause the LDP session to be terminated directly,
which can occur when the spoofed Hello specifies a different which can occur when the spoofed Hello specifies a different
Transport Address, other than the previously agreed one between Transport Address, other than the previously agreed one between
neighbors. Spoofed Hello messages have been observed and reported as neighbors. Spoofed Hello messages have been observed and reported as
a real problem in production networks a real problem in production networks
[I-D.ietf-karp-routing-tcp-analysis]. [I-D.ietf-karp-routing-tcp-analysis].
[RFC5036] describes that the threat of spoofed Basic Hellos can be [RFC5036] states that the threat of spoofed Hellos can be reduced by
reduced by accepting Basic Hellos only on interfaces to which LSRs accepting Hellos only on interfaces to which LSRs that can be trusted
that can be trusted are directly connected, and ignoring Basic Hellos are directly connected, and ignoring Hellos not addressed to the "all
not addressed to the "all routers on this subnet" multicast group. routers on this subnet" multicast group. Spoofing attacks via
Spoofing attacks via Extended Hellos are a potentially more serious Targeted Hellos are a potentially more serious threat. An LSR can
threat. An LSR can reduce the threat of spoofed Extended Hellos by reduce the threat of spoofed Targeted Hellos by filtering them and
filtering them and accepting only those originating at sources accepting only those originating at sources permitted by an access
permitted by an access list. However, filtering using access lists list. However, filtering using access lists requires LSR resource,
requires LSR resource, and does not prevent IP-address spoofing. and does not prevent IP-address spoofing.
This document introduces a new Cryptographic Authentication TLV which This document introduces a new Cryptographic Authentication TLV which
is used in LDP Hello message as an optional parameter. It enhances is used in LDP Hello messages as an optional parameter. It enhances
the authentication mechanism for LDP by securing the Hello message the authentication mechanism for LDP by securing the Hello message
against spoofing attack. It also introduces a cryptographic sequence against spoofing attack. It also introduces a cryptographic sequence
number carried in the Hello messages that can be used to protect number carried in the Hello messages that can be used to protect
against replay attacks. The LSRs could be configured to only accept against replay attacks. The LSRs could be configured to only accept
Hello messages from specific peers when authentication is in use. Hello messages from specific peers when authentication is in use.
Using this Cryptographic Authentication TLV, one or more secret keys Using this Cryptographic Authentication TLV, one or more secret keys
(with corresponding key IDs) are configured in each system. For each (with corresponding key IDs) are configured in each system. For each
LDP Hello packet, the key is used to generate and verify a HMAC Hash LDP Hello message, the key is used to generate and verify a HMAC Hash
that is stored in the LDP Hello packet. For cryptographic hash that is stored in the LDP Hello message. For cryptographic hash
function, this document proposes to use SHA-1, SHA-256, SHA-384, and function, this document proposes to use SHA-1, SHA-256, SHA-384, and
SHA-512 defined in US NIST Secure Hash Standard (SHS) [FIPS-180-3]. SHA-512 defined in US NIST Secure Hash Standard (SHS) [FIPS-180-3].
The HMAC authentication mode defined in NIST FIPS 198 is used The HMAC authentication mode defined in NIST FIPS 198 is used
[FIPS-198]. Of the above, implementations MUST include support for [FIPS-198]. Of the above, implementations MUST include support for
at least HMAC-SHA-256 and SHOULD include support for HMAC-SHA-1 and at least HMAC-SHA-256 and SHOULD include support for HMAC-SHA-1 and
MAY include support for either of HMAC-SHA-384 or HMAC-SHA-512. MAY include support for either of HMAC-SHA-384 or HMAC-SHA-512.
2. Cryptographic Authentication TLV 2. Cryptographic Authentication TLV
2.1. Optional Parameter for Hello Message 2.1. Optional Parameter for Hello Message
skipping to change at page 6, line 25 skipping to change at page 6, line 25
Optional Parameter Type Optional Parameter Type
------------------------------- -------- ------------------------------- --------
IPv4 Transport Address 0x0401 (RFC5036) IPv4 Transport Address 0x0401 (RFC5036)
Configuration Sequence Number 0x0402 (RFC5036) Configuration Sequence Number 0x0402 (RFC5036)
IPv6 Transport Address 0x0403 (RFC5036) IPv6 Transport Address 0x0403 (RFC5036)
Cryptographic Authentication 0x0404 (this document, TBD by IANA) Cryptographic Authentication 0x0404 (this document, TBD by IANA)
The Cryptographic Authentication TLV Encoding is described in section The Cryptographic Authentication TLV Encoding is described in section
2.2. 2.2.
2.2. Cryptographic Authentication TLV Encoding 2.2. LDP Security Association
0 1 2 3 An LDP Security Association (SA) contains a set of parameters shared
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 between any two legitimate LDP speakers.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0|0| Auth (TBD) | Length | Parameters associated with an LDP SA are as follows:
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Authentication Key ID | o Security Association Identifier (SA ID)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cryptographic Sequence Number (High Order 32 Bits) | This is a 32-bit unsigned integer used to uniquely identify an LDP
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ SA, as manually configured by the network operator.
| Cryptographic Sequence Number (Low Order 32 Bits) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ The receiver determines the active SA by looking at the SA ID
| | field in the incoming Hello message.
| Authentication Data (Variable) |
~ ~ The sender, based on the active configuration, selects an SA to
| | use and puts the correct Key ID value associated with the SA in
| | the LDP Hello message. If multiple valid and active LDP SAs exist
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ for a given interface, the sender may use any of those SAs to
protect the packet.
Using SA IDs makes changing keys while maintaining protocol
operation convenient. Each SA ID specifies two independent parts,
the authentication algorithm and the authentication key, as
explained below.
Normally, an implementation would allow the network operator to
configure a set of keys in a key chain, with each key in the chain
having fixed lifetime. The actual operation of these mechanisms
is outside the scope of this document.
Note that each SA ID can indicate a key with a different
authentication algorithm. This allows the introduction of new
authentication mechanisms without disrupting existing LDP
sessions.
o Authentication Algorithm
This signifies the authentication algorithm to be used with the
LDP SA. This information is never sent in clear text over the
wire. Because this information is not sent on the wire, the
implementer chooses an implementation specific representation for
this information.
Currently, the following algorithms are supported:
HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512.
o Authentication Key
This value denotes the cryptographic authentication key associated
with the LDP SA. The length of this key is variable and depends
upon the authentication algorithm specified by the LDP SA.
o KeyStartAccept
The time that this OSPFv3 router will accept packets that have
been created with this OSPFv3 Security Association.
o KeyStartGenerate
The time that this LDP router will begin using this LDP Security
Association for LDP Hello message generation.
o KeyStopGenerate
The time that this LDP router will stop using this LDP Security
Association for LDP Hello message generation.
o KeyStopAccept
The time that this LDP router will stop accepting packets
generated with this LDP Security Association.
In order to achieve smooth key transition, KeyStartAccept SHOULD be
less than KeyStartGenerate and KeyStopGenerate SHOULD be less than
KeyStopAccept. If KeyStartGenerate or KeyStartAccept are left
unspecified, the time will default to 0 and the key will be used
immediately. If KeyStopGenerate or KeyStopAccept are left
unspecified, the time will default to infinity and the key's lifetime
will be infinite. When a new key replaces an old, the
KeyStartGenerate time for the new key MUST be less than or equal to
the KeyStopGenerate time of the old key.
Key storage SHOULD persist across a system restart, warm or cold, to
avoid operational issues. In the event that the last key associated
with an interface expires, it is unacceptable to revert to an
unauthenticated condition, and not advisable to disrupt routing.
Therefore, the router SHOULD send a "last Authentication Key
expiration" notification to the network manager and treat the key as
having an infinite lifetime until the lifetime is extended, the key
is deleted by network management, or a new key is configured
2.3. Cryptographic Authentication TLV Encoding
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|0|0| Auth (TBD) | Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Security Association ID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cryptographic Sequence Number (High Order 32 Bits) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Cryptographic Sequence Number (Low Order 32 Bits) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| Authentication Data (Variable) |
~ ~
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Type: TBD, Cryptographic Authentication - Type: TBD, Cryptographic Authentication
- Length: Specifying the length in octets of the value field. - Length: Specifying the length in octets of the value field.
- Auth Key ID: 32 bit field that identifies the algorithm and the - Security Association ID: 32 bit field that maps to the
secret key used to create the message digest carried in LDP payload. authentication algorithm and the secret key used to create the
message digest carried in LDP payload.
Though the SA ID implies the algorithm, the HMAC output size should
not be used by implementers as an implicit hint, because additional
algorithms may be defined in the future that have the same output
size.
- Cryptographic Sequence Number: 64-bit strictly increasing sequence - Cryptographic Sequence Number: 64-bit strictly increasing sequence
number that is used to guard against replay attacks. The 64-bit number that is used to guard against replay attacks. The 64-bit
sequence number MUST be incremented for every LDP Hello packet sent sequence number MUST be incremented for every LDP Hello packet sent
by the LDP router. Upon reception, the sequence number MUST be by the LDP router. Upon reception, the sequence number MUST be
greater than the sequence number in the last LDP Hello packet greater than the sequence number in the last LDP Hello packet
accepted from the sending LDP neighbor. Otherwise, the LDP packet is accepted from the sending LDP neighbor. Otherwise, the LDP packet is
considered a replayed packet and dropped. considered a replayed packet and dropped.
LDP routers implementing this specification MUST use available LDP routers implementing this specification MUST use existing
mechanisms to preserve the sequence number's strictly increasing mechanisms to preserve the sequence number's strictly increasing
property for the deployed life of the LDP router (including cold property for the deployed life of the LDP router (including cold
restarts). One mechanism for accomplishing this could be to use the restarts). One mechanism for accomplishing this could be to use the
high-order 32 bits of the sequence number as a wrap/boot count that high-order 32 bits of the sequence number as a boot count that is
is incremented anytime the LDP router loses its sequence number incremented anytime the LDP router loses its sequence number state.
state. Techniques such as sequence number space partitioning Techniques such as sequence number space partitioning described above
described above or non-volatile storage preservation can be used but or non-volatile storage preservation can be used but are beyond the
are really beyond the scope of this specification. Sequence number scope of this specification. Sequence number wrap is described in
wrap is described in Section 2.3. Section 2.4.
- Authentication Data: - Authentication Data:
This field carries the digest computed by the Cryptographic This field carries the digest computed by the Cryptographic
Authentication algorithm in use. The length of the Authentication Authentication algorithm in use. The length of the Authentication
Data varies based on the cryptographic algorithm in use, which is Data varies based on the cryptographic algorithm in use, which is
shown as below: shown as below:
Auth type Length Auth type Length
--------------- ---------- --------------- ----------
HMAC-SHA1 20 bytes HMAC-SHA1 20 bytes
HMAC-SHA-256 32 bytes HMAC-SHA-256 32 bytes
HMAC-SHA-384 48 bytes HMAC-SHA-384 48 bytes
HMAC-SHA-512 64 bytes HMAC-SHA-512 64 bytes
2.3. Sequence Number Wrap 2.4. Sequence Number Wrap
When incrementing the sequence number for each transmitted LDP When incrementing the sequence number for each transmitted LDP
packet, the sequence number should be treated as an unsigned 64-bit packet, the sequence number should be treated as an unsigned 64-bit
value. If the lower order 32-bit value wraps, the higher order 32- value. If the lower order 32-bit value wraps, the higher order 32-
bit value should be incremented and saved in non-volatile storage. bit value should be incremented and saved in non-volatile storage.
If by some chance the LDP router is deployed long enough that there If the LDP router is deployed long enough that the 64-bit sequence
is a possibility that the 64-bit sequence number may wrap, all keys, number wraps, all keys, independent of key distribution mechanism
independent of key distribution mechanism, MUST be reset to avoid the MUST be reset. This is done to avoid the possibility of replay
possibility of replay attacks. Once the keys have been changed, the attacks. Once the keys have been changed, the higher order sequence
higher order sequence number can be reset to 0 and saved to non- number can be reset to 0 and saved to non-volatile storage.
volatile storage.
3. Cryptographic Authentication Procedure 3. Cryptographic Authentication Procedure
As noted earlier, the Auth Key ID maps to the authentication As noted earlier, the Security Association ID maps to the
algorithm and the secret key used to generate and verify the message authentication algorithm and the secret key used to generate and
digest. This specification discusses the computation of LDP verify the message digest. This specification discusses the
Cryptographic Authentication data when any of the NIST SHS family of computation of LDP Cryptographic Authentication data when any of the
algorithms is used in the Hashed Message Authentication Code (HMAC) NIST SHS family of algorithms is used in the Hashed Message
mode. Authentication Code (HMAC) mode.
The currently valid algorithms (including mode) for LDP Cryptographic The currently valid algorithms (including mode) for LDP Cryptographic
Authentication include: Authentication include:
HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384 and HMAC-SHA-512 HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384 and HMAC-SHA-512
Of the above, implementations of this specification MUST include Of the above, implementations of this specification MUST include
support for at least HMAC-SHA-256 and SHOULD include support for support for at least HMAC-SHA-256 and SHOULD include support for
HMAC-SHA-1 and MAY also include support for HMAC-SHA-384 and HMAC- HMAC-SHA-1 and MAY also include support for HMAC-SHA-384 and HMAC-
SHA-512. SHA-512.
skipping to change at page 10, line 51 skipping to change at page 12, line 51
(L-16)/4 times. This implies that hash output is always a length of (L-16)/4 times. This implies that hash output is always a length of
at least 16 octets. at least 16 octets.
5.1. Preparing the Cryptographic Key 5.1. Preparing the Cryptographic Key
The LDP Cryptographic Protocol ID is appended to the Authentication The LDP Cryptographic Protocol ID is appended to the Authentication
Key (K) yielding a Protocol Specific Authentication Key (Ks). In Key (K) yielding a Protocol Specific Authentication Key (Ks). In
this application, Ko is always L octets long. While [RFC2104] this application, Ko is always L octets long. While [RFC2104]
supports a key that is up to B octets long, this application uses L supports a key that is up to B octets long, this application uses L
as the Ks length consistent with [RFC4822], [RFC5310], [RFC5709] and as the Ks length consistent with [RFC4822], [RFC5310], [RFC5709] and
[RFC6506]. According to [FIPS-180-3], Section 3, keys greater than L [RFC6506] [RFC7166]. According to [FIPS-180-3], Section 3, keys
octets do not significantly increase the function strength. Ks is greater than L octets do not significantly increase the function
computed as follows: strength. Ks is computed as follows:
If the Protocol Specific Authentication Key (Ks) is L octets long, If the Protocol Specific Authentication Key (Ks) is L octets long,
then Ko is equal to Ks. If the Protocol Specific Authentication Key then Ko is equal to Ks. If the Protocol Specific Authentication Key
(Ks) is more than L octets long, then Ko is set to H(Ks). If the (Ks) is more than L octets long, then Ko is set to H(Ks). If the
Protocol Specific Authentication Key (Ks) is less than L octets long, Protocol Specific Authentication Key (Ks) is less than L octets long,
then Ko is set to the Protocol Specific Authentication Key (Ks) with then Ko is set to the Protocol Specific Authentication Key (Ks) with
zeros appended to the end of the Protocol Specific Authentication Key zeros appended to the end of the Protocol Specific Authentication Key
(Ks) such that Ko is L octets long. (Ks) such that Ko is L octets long.
5.2. Computing the Hash 5.2. Computing the Hash
First, the Authentication Data field in the Cryptographic First, the Authentication Data field in the Cryptographic
Authentication TLV is filled with the value Apad. Then, to compute Authentication TLV is filled with the value Apad. Then, to compute
HMAC over the Hello packet it performs: HMAC over the Hello message it performs:
H(Ko XOR Opad || H(Ko XOR Ipad || (Hello Packet))) H(Ko XOR Opad || H(Ko XOR Ipad || (Hello Message)))
Hello Packet refers to the LDP Hello packet excluding the IP header. Hello Message refers to the LDP Hello message excluding the IP
header.
When XORing Ko and Ipad, or XORing Ko and Opad, Ko must be padded When XORing Ko and Ipad, or XORing Ko and Opad, Ko must be padded
with zeros to the length of Ipad and the Opad. with zeros to the length of Ipad and the Opad.
5.3. Result 5.3. Result
The resultant Hash becomes the Authentication Data that is sent in The resultant Hash becomes the Authentication Data that is sent in
the Authentication Data field of the Cryptographic Authentication the Authentication Data field of the Cryptographic Authentication
TLV. The length of the Authentication Data field is always identical TLV. The length of the Authentication Data field is always identical
to the message digest size of the specific hash function H that is to the message digest size of the specific hash function H that is
being used. being used.
This also means that the use of hash functions with larger output This also means that the use of hash functions with larger output
sizes will also increase the size of the LDP packet as transmitted on sizes will also increase the size of the LDP message as transmitted
the wire. on the wire.
6. Processing Hello Message Using Cryptographic Authentication 6. Processing Hello Message Using Cryptographic Authentication
6.1. Transmission Using Cryptographic Authentication 6.1. Transmission Using Cryptographic Authentication
Prior to transmitting Hello message, the Length in the Cryptographic Prior to transmitting the Hello message, the Length in the
Authentication TLV header is set as per the authentication algorithm Cryptographic Authentication TLV header is set as per the
that is being used. It is set to 24 for HMAC-SHA-1, 36 for HMAC-SHA- authentication algorithm that is being used. It is set to 24 for
256, 52 for HMAC-SHA-384 and 68 for HMAC-SHA-512. HMAC-SHA-1, 36 for HMAC-SHA-256, 52 for HMAC-SHA-384 and 68 for HMAC-
SHA-512.
The Auth Key ID field is set to the ID of the current authentication The Security Association ID field is set to the ID of the current
key. The HMAC Hash is computed as explained in Section 3. The authentication key. The HMAC Hash is computed as explained in
resulting Hash is stored in the Authentication Data field prior to Section 3. The resulting Hash is stored in the Authentication Data
transmission. The authentication key MUST NOT be carried in the field prior to transmission. The authentication key MUST NOT be
packet. carried in the packet.
6.2. Receipt Using Cryptographic Authentication 6.2. Receipt Using Cryptographic Authentication
The receiving LSR applies acceptability criteria for received Hellos The receiving LSR applies acceptability criteria for received Hellos
using cryptographic authentication. If the Cryptographic using cryptographic authentication. If the Cryptographic
Authentication TLV is unknown to the receiving LSR, the received Authentication TLV is unknown to the receiving LSR, the received
packet MUST be discarded according to Section 3.5.1.2.2 of [RFC5036]. packet MUST be discarded according to Section 3.5.1.2.2 of [RFC5036].
If the Auth Key ID field does not match the ID of a configured The receiving LSR locates the LDP SA using the Security Association
authentication key, the received packet MUST be discarded. ID field carried in the message. If the SA is not found, or if the
SA is not valid for reception (i.e., current time < KeyStartAccept or
current time >= KeyStopAccept), LDP Hello message MUST be discarded.
If the cryptographic sequence number in the LDP packet is less than If the cryptographic sequence number in the LDP packet is less than
or equal to the last sequence number received from the same neighbor, or equal to the last sequence number received from the same neighbor,
the LDP packet MUST be discarded. the LDP message MUST be discarded, and an error event SHOULD be
logged.
Before the receiving LSR performs any processing, it needs to save Before the receiving LSR performs any processing, it needs to save
the values of the Authentication Data field. The receiving LSR then the values of the Authentication Data field. The receiving LSR then
replaces the contents of the Authentication Data field with Apad, replaces the contents of the Authentication Data field with Apad,
computes the Hash, using the authentication key specified by the computes the Hash, using the authentication key specified by the
received Auth Key ID field, as explained in Section 3. If the received Security Association ID field, as explained in Section 3.
locally computed Hash is equal to the received value of the If the locally computed Hash is equal to the received value of the
Authentication Data field, the received packet is accepted for other Authentication Data field, the received packet is accepted for other
normal checks and processing as described in [RFC5036]. Otherwise, normal checks and processing as described in [RFC5036]. Otherwise,
if the locally computed Hash is not equal to the received value of if the locally computed Hash is not equal to the received value of
the Authentication Data field, the received packet MUST be discarded. the Authentication Data field, the received packet MUST be discarded,
and an error event SHOULD be logged.
After the LDP Hello message has been successfully authenticated,
implementations MUST store the 64-bit cryptographic sequence number
for the Hello message received from the neighbor. The saved
cryptographic sequence numbers will be used for replay checking for
subsequent packets received from the neighbor.
7. Security Considerations 7. Security Considerations
Section 1 of this document describes the security issues arising from Section 1 of this document describes the security issues arising from
the use of unauthenticated LDP Hello messages. In order to address the use of unauthenticated LDP Hello messages. In order to address
those issues, it is RECOMMENDED that all deployments use the those issues, it is RECOMMENDED that all deployments use the
Cryptographic Authentication TLV to authenticate the Hello messages. Cryptographic Authentication TLV to authenticate the Hello messages.
The quality of the security provided by the Cryptographic The quality of the security provided by the Cryptographic
Authentication TLV depends completely on the strength of the Authentication TLV depends completely on the strength of the
skipping to change at page 15, line 12 skipping to change at page 18, line 12
----- -------------------------------- --------- ----- -------------------------------- ---------
TBD LDP Cryptographic Protocol ID this document (sect 4) TBD LDP Cryptographic Protocol ID this document (sect 4)
9. Acknowledgements 9. Acknowledgements
The authors would like to thank Liu Xuehu for his work on background The authors would like to thank Liu Xuehu for his work on background
and motivation for LDP Hello authentication. The authors also would and motivation for LDP Hello authentication. The authors also would
like to thank Adrian Farrel, Eric Rosen, Sam Hartman, Eric Gray, like to thank Adrian Farrel, Eric Rosen, Sam Hartman, Eric Gray,
Kamran Raza and Acee Lindem for their valuable comments. Kamran Raza and Acee Lindem for their valuable comments.
We would also like to thank the authors of RFC 5709 and RFC 6506 from We would also like to thank the authors of RFC 5709 and RFC 7166 from
where we have taken most of the cryptographic computation procedures where we have taken most of the cryptographic computation procedures
from. from.
10. References 10. References
10.1. Normative References 10.1. Normative References
[FIPS-180-3] [FIPS-180-3]
"Secure Hash Standard (SHS), FIPS PUB 180-3", "Secure Hash Standard (SHS), FIPS PUB 180-3",
October 2008. October 2008.
skipping to change at page 16, line 42 skipping to change at page 19, line 42
Authentication", RFC 5310, February 2009. Authentication", RFC 5310, February 2009.
[RFC5709] Bhatia, M., Manral, V., Fanto, M., White, R., Barnes, M., [RFC5709] Bhatia, M., Manral, V., Fanto, M., White, R., Barnes, M.,
Li, T., and R. Atkinson, "OSPFv2 HMAC-SHA Cryptographic Li, T., and R. Atkinson, "OSPFv2 HMAC-SHA Cryptographic
Authentication", RFC 5709, October 2009. Authentication", RFC 5709, October 2009.
[RFC6506] Bhatia, M., Manral, V., and A. Lindem, "Supporting [RFC6506] Bhatia, M., Manral, V., and A. Lindem, "Supporting
Authentication Trailer for OSPFv3", RFC 6506, Authentication Trailer for OSPFv3", RFC 6506,
February 2012. February 2012.
[RFC7166] Bhatia, M., Manral, V., and A. Lindem, "Supporting
Authentication Trailer for OSPFv3", RFC 7166, March 2014.
10.2. Informative References 10.2. Informative References
[I-D.ietf-karp-routing-tcp-analysis] [I-D.ietf-karp-routing-tcp-analysis]
Jethanandani, M., Patel, K., and L. Zheng, "Analysis of Jethanandani, M., Patel, K., and L. Zheng, "Analysis of
BGP, LDP, PCEP and MSDP Issues According to KARP Design BGP, LDP, PCEP and MSDP Issues According to KARP Design
Guide", draft-ietf-karp-routing-tcp-analysis-07 (work in Guide", draft-ietf-karp-routing-tcp-analysis-07 (work in
progress), April 2013. progress), April 2013.
[RFC5926] Lebovitz, G. and E. Rescorla, "Cryptographic Algorithms [RFC5926] Lebovitz, G. and E. Rescorla, "Cryptographic Algorithms
for the TCP Authentication Option (TCP-AO)", RFC 5926, for the TCP Authentication Option (TCP-AO)", RFC 5926,
 End of changes. 41 change blocks. 
106 lines changed or deleted 219 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/