1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
|
<pre>Internet Engineering Task Force (IETF) U. Chunduri
Request for Comments: 7645 A. Tian
Category: Informational W. Lu
ISSN: 2070-1721 Ericsson Inc.
September 2015
<span class="h1">The Keying and Authentication for Routing Protocol (KARP)</span>
<span class="h1">IS-IS Security Analysis</span>
Abstract
This document analyzes the current state of the Intermediate System
to Intermediate System (IS-IS) protocol according to the requirements
set forth in "Keying and Authentication for Routing Protocols (KARP)
Design Guidelines" (<a href="./rfc6518">RFC 6518</a>) for both manual and automated key
management protocols.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc7645">http://www.rfc-editor.org/info/rfc7645</a>.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
<span class="grey">Chunduri, et al. Informational [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc7645">RFC 7645</a> KARP IS-IS Security Analysis September 2015</span>
Table of Contents
<a href="#section-1">1</a>. Introduction . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-2">2</a>
<a href="#section-1.1">1.1</a>. Requirements Language . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-1.2">1.2</a>. Acronyms . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-2">2</a>. Current State . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-2.1">2.1</a>. Key Usage . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-2.1.1">2.1.1</a>. Subnetwork Independent . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-2.1.2">2.1.2</a>. Subnetwork dependent . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-2.2">2.2</a>. Key Agility . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-2.3">2.3</a>. Security Issues . . . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-2.3.1">2.3.1</a>. Replay Attacks . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-2.3.1.1">2.3.1.1</a>. Current Recovery Mechanism for LSPs . . . . . . . <a href="#page-6">6</a>
<a href="#section-2.3.2">2.3.2</a>. Spoofing Attacks . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-2.3.3">2.3.3</a>. DoS Attacks . . . . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-3">3</a>. Gap Analysis and Security Requirements . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-3.1">3.1</a>. Manual Key Management . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-3.2">3.2</a>. Key Management Protocols . . . . . . . . . . . . . . . . <a href="#page-9">9</a>
<a href="#section-4">4</a>. Security Considerations . . . . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-5">5</a>. References . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-5.1">5.1</a>. Normative References . . . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-5.2">5.2</a>. Informative References . . . . . . . . . . . . . . . . . <a href="#page-11">11</a>
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-12">12</a>
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-12">12</a>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
This document analyzes the current state of the Intermediate System
to Intermediate System (IS-IS) protocol according to the requirements
set forth in "Keying and Authentication for Routing Protocols (KARP)
Design Guidelines" [<a href="./rfc6518" title=""Keying and Authentication for Routing Protocols (KARP) Design Guidelines"">RFC6518</a>] for both manual and automated key
management protocols.
With currently published work, IS-IS meets some of the requirements
expected from a manually keyed routing protocol. Integrity
protection is expanded by allowing more cryptographic algorithms to
be used [<a href="./rfc5310" title=""IS-IS Generic Cryptographic Authentication"">RFC5310</a>]. However, even with this expanded protection, only
limited algorithm agility (HMAC-SHA family) is possible. [<a href="./rfc5310" title=""IS-IS Generic Cryptographic Authentication"">RFC5310</a>]
makes possible a basic form of intra-connection rekeying, but with
some gaps as analyzed in <a href="#section-3">Section 3</a> of this document.
This document summarizes the current state of cryptographic key usage
in the IS-IS protocol and several previous efforts that analyze IS-IS
security. This includes the base IS-IS specifications: [<a href="./rfc1195" title=""Use of OSI IS-IS for routing in TCP/IP and dual environments"">RFC1195</a>],
[<a href="./rfc5304" title=""IS-IS Cryptographic Authentication"">RFC5304</a>], [<a href="./rfc5310" title=""IS-IS Generic Cryptographic Authentication"">RFC5310</a>], and [<a href="./rfc6039" title=""Issues with Existing Cryptographic Protection Methods for Routing Protocols"">RFC6039</a>].
<span class="grey">Chunduri, et al. Informational [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc7645">RFC 7645</a> KARP IS-IS Security Analysis September 2015</span>
This document also analyzes various threats to IS-IS (as described in
[<a href="./rfc6862" title=""Keying and Authentication for Routing Protocols (KARP) Overview, Threats, and Requirements"">RFC6862</a>]), lists security gaps, and provides specific
recommendations to thwart the threats for both manual keying and
automated key management mechanisms.
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Requirements Language</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <a href="./rfc2119">RFC 2119</a> [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
<span class="h3"><a class="selflink" id="section-1.2" href="#section-1.2">1.2</a>. Acronyms</span>
DoS - Denial of Service
GDOI - Group Domain of Interpretation
IGP - Interior Gateway Protocol
IIH - IS-IS HELLO
IPv4 - Internet Protocol version 4
KMP - Key Management Protocol (automated key management)
LSP - Link State PDU
MKM - Manual Key Management
NONCE - Number Once
PDU - Protocol Data Unit
SA - Security Association
SNP - Sequence Number PDU
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Current State</span>
IS-IS is specified in International Standards Organization (ISO)
10589 [<a href="#ref-ISO10589" title=""Intermediate System to Intermediate System intra-domain routeing information exchange protocol for use in conjunction with the protocol for providing the connectionless-mode network service (ISO 8473)"">ISO10589</a>], with extensions to support Internet Protocol
version 4 (IPv4) described in [<a href="./rfc1195" title=""Use of OSI IS-IS for routing in TCP/IP and dual environments"">RFC1195</a>]. The specification includes
an authentication mechanism that allows for any authentication
algorithm and also specifies the algorithm for clear text passwords.
Further, [<a href="./rfc5304" title=""IS-IS Cryptographic Authentication"">RFC5304</a>] extends the authentication mechanism to work with
HMAC-MD5 and also modifies the base protocol for more effectiveness.
[<a href="./rfc5310" title=""IS-IS Generic Cryptographic Authentication"">RFC5310</a>] provides algorithm agility, with a new generic
cryptographic authentication mechanism (CRYPTO_AUTH) for IS-IS.
<span class="grey">Chunduri, et al. Informational [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc7645">RFC 7645</a> KARP IS-IS Security Analysis September 2015</span>
CRYPTO_AUTH also introduces a Key ID mechanism that maps to unique
IS-IS SAs.
The following sections describe the current authentication key usage
for various IS-IS messages, current key change methodologies, and the
various potential security threats.
<span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a>. Key Usage</span>
IS-IS can be provisioned with a per-interface, peer-to-peer key for
IIH PDUs and a group key for LSPs and SNPs. If provisioned, IIH
packets can potentially use the same group key used for LSPs and
SNPs.
<span class="h4"><a class="selflink" id="section-2.1.1" href="#section-2.1.1">2.1.1</a>. Subnetwork Independent</span>
Link State PDUs, Complete and partial Sequence Number PDUs come under
Sub network Independent messages. For protecting Level-1 SNPs and
Level-1 LSPs, provisioned Area Authentication key is used. Level-2
SNPs as well as Level-2 LSPs use the provisioned domain
authentication key.
Because authentication is performed on the LSPs transmitted by an IS,
rather than on the LSP packets transmitted to a specific neighbor, it
is implied that all the ISes within a single flooding domain must be
configured with the same key in order for authentication to work
correctly. This is also true for SNP packets, though they are
limited to link-local scope in broadcast networks.
If multiple instances share the circuits as specified in [<a href="./rfc6822" title=""IS-IS Multi-Instance"">RFC6822</a>],
instance-specific authentication credentials can be used to protect
the LSPs and SNPs within an area or domain. It is important to note
that [<a href="./rfc6822" title=""IS-IS Multi-Instance"">RFC6822</a>] also allows usage of topology-specific authentication
credentials within an instance for the LSPs and SNPs.
<span class="h4"><a class="selflink" id="section-2.1.2" href="#section-2.1.2">2.1.2</a>. Subnetwork Dependent</span>
IIH PDUs use the Link Level Authentication key, which may be
different from that of LSPs and SNPs. This could be particularly
true for point-to-point links. In broadcast networks, it is possible
to provision the same common key used for LSPs and SNPs to protect
IIH messages. This allows neighbor discovery and adjacency formation
with more than one neighbor on the same physical interface. If
multiple instances share the circuits as specified in [<a href="./rfc6822" title=""IS-IS Multi-Instance"">RFC6822</a>],
instance-specific authentication credentials can be used to protect
Hello messages.
<span class="grey">Chunduri, et al. Informational [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc7645">RFC 7645</a> KARP IS-IS Security Analysis September 2015</span>
<span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a>. Key Agility</span>
Key roll over without effecting the routing protocols operation in
general and IS-IS in particular is necessary for effective key
management protocol integration.
Current HMAC-MD5 cryptographic authentication as defined in
[<a href="./rfc5304" title=""IS-IS Cryptographic Authentication"">RFC5304</a>], suggests a transition mode so that ISes use a set of keys
when verifying the authentication value to allow key changes. This
approach will allow changing the authentication key manually without
bringing down the adjacency and without dropping any control packet.
But, this can increase the load on the control plane for the key
transition duration, as each control packet may have to be verified
by more than one key, and it also allows a potential DoS attack in
the transition duration.
The above situation is improved with the introduction of the Key ID
mechanism as defined in [<a href="./rfc5310" title=""IS-IS Generic Cryptographic Authentication"">RFC5310</a>]. With this, the receiver
determines the active SA by looking at the Key ID field in the
incoming PDU and need not try with other keys when the integrity
check or digest verification fails. But, neither key coordination
across the group nor an exact key change mechanism is clearly
defined. [<a href="./rfc5310" title=""IS-IS Generic Cryptographic Authentication"">RFC5310</a>] says:
Normally, an implementation would allow the network operator to
configure a set of keys in a key chain, with each key in the chain
having a fixed lifetime. The actual operation of these mechanisms
is outside the scope of this document.
<span class="h3"><a class="selflink" id="section-2.3" href="#section-2.3">2.3</a>. Security Issues</span>
The following section analyzes various possible security threats in
the current state of the IS-IS protocol.
<span class="h4"><a class="selflink" id="section-2.3.1" href="#section-2.3.1">2.3.1</a>. Replay Attacks</span>
Replaying a captured protocol packet to cause damage is a common
threat for any protocol. Securing the packet with cryptographic
authentication information alone cannot mitigate this threat
completely. Though this problem is more prevalent in broadcast
networks, it is important to note that most of the IGP deployments
use P2P-over-lan circuits [<a href="./rfc5309" title=""Point-to-Point Operation over LAN in Link State Routing Protocols"">RFC5309</a>], which makes it possible for an
adversary to replay an IS-IS PDU more easily than the traditional P2P
networks.
In intra-session replay attacks, a secured protocol packet of the
current session that is replayed can cause damage, if there is no
other mechanism to confirm this is a replay packet. In inter-session
<span class="grey">Chunduri, et al. Informational [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc7645">RFC 7645</a> KARP IS-IS Security Analysis September 2015</span>
replay attacks, a captured packet from one of the previous sessions
can be replayed to cause damage. IS-IS packets are vulnerable to
both of these attacks, as there is no sequence number verification
for IIH and SNP packets. Also with current manual key management,
periodic key changes across the group are rarely done. Thus, the
intra-connection and inter-connection replay requirements are not
met.
IS-IS specifies the use of the HMAC-MD5 [<a href="./rfc5304" title=""IS-IS Cryptographic Authentication"">RFC5304</a>] and HMAC-SHA-1
family in [<a href="./rfc5310" title=""IS-IS Generic Cryptographic Authentication"">RFC5310</a>] to protect IS-IS packets. An adversary could
replay old IIHs or replay old SNPs that would cause churn in the
network or bring down the adjacencies.
1. At the time of adjacency bring up an IS sends IIH packet with
empty neighbor list (TLV 6) and with the authentication
information as per the provisioned authentication mechanism. If
this packet is replayed later on the broadcast network, all ISes
in the broadcast network can bounce the adjacency to create a huge
churn in the network.
2. Today, LSPs have intra-session replay protection as the LSP header
contains a 32-bit sequence number, which is verified for every
received packet against the local LSP database. But, if a node in
the network is out of service (is undergoing some sort of high
availability condition or an upgrade) for more than LSP refresh
time and the rest of the network ages out the LSPs of the node
under consideration, an adversary can potentially plunge in inter-
session replay attacks in the network. If the key is not changed
in the above circumstances, attack can be launched by replaying an
old LSP with a higher sequence number and fewer prefixes or fewer
adjacencies. This may force the receiver to accept and remove the
routes from the routing table, which eventually causes traffic
disruption to those prefixes. However, as per the IS-IS
specification, there is a built-in recovery mechanism for LSPs
from inter-session replay attacks and it is further discussed in
<a href="#section-2.3.1.1">Section 2.3.1.1</a>.
3. In any IS-IS network (broadcast or otherwise), if an old and an
empty Complete Sequence Number Packet (CSNP) is replayed, this can
cause LSP flood in the network. Similarly, a replayed Partial
Sequence Number Packet (PSNP) can cause LSP flood in the broadcast
network.
<span class="h5"><a class="selflink" id="section-2.3.1.1" href="#section-2.3.1.1">2.3.1.1</a>. Current Recovery Mechanism for LSPs</span>
In the event of inter-session replay attack by an adversary, as an
LSP with a higher sequence number gets accepted, it also gets
propagated until it reaches the originating node of the LSP. The
<span class="grey">Chunduri, et al. Informational [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc7645">RFC 7645</a> KARP IS-IS Security Analysis September 2015</span>
originator recognizes the LSP is "newer" than in the local database,
which prompts the originator to flood a newer version of the LSP with
a higher sequence number than that received. This newer version can
potentially replace any versions of the replayed LSP that may exist
in the network.
However, in the above process, depending on where in the network the
replay is initiated, how quickly the nodes in the network react to
the replayed LSP, and how different the content in the accepted LSP
is determines the damage caused by the replayed LSP.
<span class="h4"><a class="selflink" id="section-2.3.2" href="#section-2.3.2">2.3.2</a>. Spoofing Attacks</span>
IS-IS shares the same key between all neighbors in an area or in a
domain to protect the LSP, SNP packets, and in broadcast networks
even IIH packets. False advertisement by a router is not within the
scope of the KARP work. However, given the wide sharing of keys as
described above, there is a significant risk that an attacker can
compromise a key from one device and use it to falsely participate in
the routing, possibly even in a very separate part of the network.
If the same underlying topology is shared across multiple instances
to transport routing/application information as defined in [<a href="./rfc6822" title=""IS-IS Multi-Instance"">RFC6822</a>],
it is necessary to use different authentication credentials for
different instances. In this connection, based on the deployment
considerations, if certain topologies in a particular IS-IS instance
require more protection from spoofing attacks and less exposure,
topology-specific authentication credentials can be used for LSPs and
SNPs as facilitated in [<a href="./rfc6822" title=""IS-IS Multi-Instance"">RFC6822</a>].
Currently, possession of the key itself is used as an authentication
check and there is no identity check done separately. Spoofing
occurs when an illegitimate device assumes the identity of a
legitimate one. An attacker can use spoofing to launch various types
of attacks, for example:
1. The attacker can send out unrealistic routing information that
might cause the disruption of network services, such as block
holes.
2. A rogue system that has access to the common key used to protect
the LSP can flood an LSP by setting the Remaining Lifetime field
to zero, thereby initiating a purge. Subsequently, this can cause
the sequence number of all the LSPs to increase quickly to max out
the sequence number space, which can cause an IS to shut down for
MaxAge + ZeroAgeLifetime period to allow the old LSPs to age out
in other ISes of the same flooding domain.
<span class="grey">Chunduri, et al. Informational [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc7645">RFC 7645</a> KARP IS-IS Security Analysis September 2015</span>
<span class="h4"><a class="selflink" id="section-2.3.3" href="#section-2.3.3">2.3.3</a>. DoS Attacks</span>
DoS attacks using the authentication mechanism is possible and an
attacker can send packets that can overwhelm the security mechanism
itself. An example is initiating an overwhelming load of spoofed but
integrity-protected protocol packets, so that the receiver needs to
process the integrity check, only to discard the packet. This can
cause significant CPU usage. DoS attacks are not generally
preventable within the routing protocol. As the attackers are often
remote, the DoS attacks are more damaging to area-scoped or domain-
scoped packet receivers than link-local-scoped packet receivers.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Gap Analysis and Security Requirements</span>
This section outlines the differences between the current state of
the IS-IS routing protocol and the desired state as specified in the
KARP Design Guidelines [<a href="./rfc6518" title=""Keying and Authentication for Routing Protocols (KARP) Design Guidelines"">RFC6518</a>]. This section focuses on where the
IS-IS protocol fails to meet general requirements as specified in the
threats and requirements document [<a href="./rfc6862" title=""Keying and Authentication for Routing Protocols (KARP) Overview, Threats, and Requirements"">RFC6862</a>].
This section also describes security requirements that should be met
by IS-IS implementations that are secured by manual as well as
automated key management protocols.
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. Manual Key Management</span>
1. With CRYPTO_AUTH specification [<a href="./rfc5310" title=""IS-IS Generic Cryptographic Authentication"">RFC5310</a>], IS-IS packets can be
protected with the HMAC-SHA family of cryptographic algorithms.
The specification provides limited algorithm agility (SHA family).
By using Key IDs, it also conceals the algorithm information from
the protected control messages.
2. Even though both intra- and inter-session replay attacks are best
prevented by deploying key management protocols with frequent key
change capability, basic constructs for the sequence number should
be in the protocol messages. So, some basic or extended sequence
number mechanism should be in place to protect IIH packets and SNP
packets. The sequence number should be increased for each
protocol packet. This allows mitigation of some of the replay
threats as mentioned in <a href="#section-2.3.1">Section 2.3.1</a>.
3. Any common key mechanism with keys shared across a group of
routers is susceptible to spoofing attacks caused by a malicious
router. A separate authentication check (apart from the integrity
check to verify the digest) with digital signatures as described
in [<a href="./rfc2154" title=""OSPF with Digital Signatures"">RFC2154</a>] can effectively nullify this attack. But this
approach was never deployed, which we assume is due to operational
considerations at that time. The alternative approach to thwart
<span class="grey">Chunduri, et al. Informational [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc7645">RFC 7645</a> KARP IS-IS Security Analysis September 2015</span>
this threat would be to use the keys from the group key management
protocol. As the group key(s) are generated by authenticating the
member ISes in the group first and are then periodically rekeyed,
per-packet identity or authentication checks may not be needed.
4. In general, DoS attacks may not be preventable with the mechanism
from the routing protocol itself. But some form of admin-
controlled lists at the forwarding plane can reduce the damage.
There are some other forms of DoS attacks common to any protocol
that are not in scope per <a href="./rfc6862#section-3.3">Section 3.3 of [RFC6862]</a>.
As discussed in <a href="#section-2.2">Section 2.2</a>, though the Key ID mechanism described in
[<a href="./rfc5310" title=""IS-IS Generic Cryptographic Authentication"">RFC5310</a>] helps, a better key coordination mechanism for key roll
over is desirable even with manual key management. But, [<a href="./rfc5310" title=""IS-IS Generic Cryptographic Authentication"">RFC5310</a>]
does not specify the exact mechanism other than requiring use of key
chains. The specific requirements are as follows:
a. Keys SHOULD be able to change without effecting the established
adjacency, ideally without any control packet loss.
b. Keys SHOULD be able to change without effecting the protocol
operations; for example, LSP flooding should not be held for a
specific Key ID availability.
c. Any proposed mechanism SHOULD also be incrementally deployable
with key management protocols.
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. Key Management Protocols</span>
In broadcast deployments, the keys used for protecting IS-IS
protocols messages can, in particular, be group keys. A mechanism is
needed to distribute group keys to a group of ISes in a Level-1 area
or Level-2 domain, using the Group Domain of Interpretation (GDOI)
protocol as specified in [<a href="./rfc6407" title=""The Group Domain of Interpretation"">RFC6407</a>]. An example policy and payload
format is described in [<a href="#ref-GDOI" title=""GDOI Generic Message Authentication Code Policy"">GDOI</a>].
If a group key is used, the authentication granularity becomes group
membership of devices, not peer authentication between devices. The
deployed group key management protocol SHOULD support rekeying.
In some deployments, where IS-IS point-to-point (P2P) mode is used
for adjacency bring-up, subnetwork-dependent messages (e.g., IIHs)
can use a different key shared between the two P2P peers, while all
other messages use a group key. When a group keying mechanism is
deployed, even the P2P IIHs can be protected with the common group
keys. This approach facilitates one key management mechanism instead
of both pair-wise keying and group keying protocols being deployed
together. If the same circuits are shared across multiple instances,
<span class="grey">Chunduri, et al. Informational [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc7645">RFC 7645</a> KARP IS-IS Security Analysis September 2015</span>
the granularity of the group can become per instance for IIHs and per
instance/topology for LSPs and SNPs as specified in [<a href="./rfc6822" title=""IS-IS Multi-Instance"">RFC6822</a>].
Effective key change capability within the routing protocol that
allows key roll over without impacting the routing protocol operation
is one of the requirements for deploying any group key mechanism.
Once such mechanism is in place with the deployment of group key
management protocol; IS-IS can be protected from various threats and
is not limited to intra- and inter-session replay attacks and
spoofing attacks.
Specific use of cryptographic tables [<a href="./rfc7210" title=""Database of Long-Lived Symmetric Cryptographic Keys"">RFC7210</a>] should be defined for
the IS-IS protocol.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Security Considerations</span>
This document is mostly about security considerations of the IS-IS
protocol, and it lists potential threats and security requirements
for mitigating these threats. This document does not introduce any
new security threats for the IS-IS protocol. In view of openly
published attack vectors, as noted in <a href="./rfc5310#section-1">Section 1 of [RFC5310]</a> on HMAC-
MD5 cryptographic authentication mechanism, IS-IS deployments SHOULD
use the HMAC-SHA family [<a href="./rfc5310" title=""IS-IS Generic Cryptographic Authentication"">RFC5310</a>] instead of HMAC-MD5 [<a href="./rfc5304" title=""IS-IS Cryptographic Authentication"">RFC5304</a>] to
protect IS-IS PDUs. For more detailed security considerations,
please refer the Security Considerations section of the IS-IS Generic
Cryptographic Authentication [<a href="./rfc5310" title=""IS-IS Generic Cryptographic Authentication"">RFC5310</a>], the KARP Design Guide
[<a href="./rfc6518" title=""Keying and Authentication for Routing Protocols (KARP) Design Guidelines"">RFC6518</a>] document, as well as the KARP threat document [<a href="./rfc6862" title=""Keying and Authentication for Routing Protocols (KARP) Overview, Threats, and Requirements"">RFC6862</a>].
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. References</span>
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Normative References</span>
[<a id="ref-RFC1195">RFC1195</a>] Callon, R., "Use of OSI IS-IS for routing in TCP/IP and
dual environments", <a href="./rfc1195">RFC 1195</a>, DOI 10.17487/RFC1195,
December 1990, <<a href="http://www.rfc-editor.org/info/rfc1195">http://www.rfc-editor.org/info/rfc1195</a>>.
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>,
DOI 10.17487/RFC2119, March 1997,
<<a href="http://www.rfc-editor.org/info/rfc2119">http://www.rfc-editor.org/info/rfc2119</a>>.
[<a id="ref-RFC5304">RFC5304</a>] Li, T. and R. Atkinson, "IS-IS Cryptographic
Authentication", <a href="./rfc5304">RFC 5304</a>, DOI 10.17487/RFC5304, October
2008, <<a href="http://www.rfc-editor.org/info/rfc5304">http://www.rfc-editor.org/info/rfc5304</a>>.
<span class="grey">Chunduri, et al. Informational [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc7645">RFC 7645</a> KARP IS-IS Security Analysis September 2015</span>
[<a id="ref-RFC5310">RFC5310</a>] Bhatia, M., Manral, V., Li, T., Atkinson, R., White, R.,
and M. Fanto, "IS-IS Generic Cryptographic
Authentication", <a href="./rfc5310">RFC 5310</a>, DOI 10.17487/RFC5310, February
2009, <<a href="http://www.rfc-editor.org/info/rfc5310">http://www.rfc-editor.org/info/rfc5310</a>>.
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. Informative References</span>
[<a id="ref-GDOI">GDOI</a>] Weis, B. and S. Rowles, "GDOI Generic Message
Authentication Code Policy", Work in Progress,
<a href="./draft-weis-gdoi-mac-tek-03">draft-weis-gdoi-mac-tek-03</a>, September 2011.
[<a id="ref-ISO10589">ISO10589</a>] International Organization for Standardization,
"Intermediate System to Intermediate System intra-domain
routeing information exchange protocol for use in
conjunction with the protocol for providing the
connectionless-mode network service (ISO 8473)", ISO/IEC
10589:2002, Second Edition, November 2002.
[<a id="ref-RFC2154">RFC2154</a>] Murphy, S., Badger, M., and B. Wellington, "OSPF with
Digital Signatures", <a href="./rfc2154">RFC 2154</a>, DOI 10.17487/RFC2154, June
1997, <<a href="http://www.rfc-editor.org/info/rfc2154">http://www.rfc-editor.org/info/rfc2154</a>>.
[<a id="ref-RFC5309">RFC5309</a>] Shen, N., Ed., and A. Zinin, Ed., "Point-to-Point
Operation over LAN in Link State Routing Protocols",
<a href="./rfc5309">RFC 5309</a>, DOI 10.17487/RFC5309, October 2008,
<<a href="http://www.rfc-editor.org/info/rfc5309">http://www.rfc-editor.org/info/rfc5309</a>>.
[<a id="ref-RFC6039">RFC6039</a>] Manral, V., Bhatia, M., Jaeggli, J., and R. White, "Issues
with Existing Cryptographic Protection Methods for Routing
Protocols", <a href="./rfc6039">RFC 6039</a>, DOI 10.17487/RFC6039, October 2010,
<<a href="http://www.rfc-editor.org/info/rfc6039">http://www.rfc-editor.org/info/rfc6039</a>>.
[<a id="ref-RFC6407">RFC6407</a>] Weis, B., Rowles, S., and T. Hardjono, "The Group Domain
of Interpretation", <a href="./rfc6407">RFC 6407</a>, DOI 10.17487/RFC6407,
October 2011, <<a href="http://www.rfc-editor.org/info/rfc6407">http://www.rfc-editor.org/info/rfc6407</a>>.
[<a id="ref-RFC6518">RFC6518</a>] Lebovitz, G. and M. Bhatia, "Keying and Authentication for
Routing Protocols (KARP) Design Guidelines", <a href="./rfc6518">RFC 6518</a>,
DOI 10.17487/RFC6518, February 2012,
<<a href="http://www.rfc-editor.org/info/rfc6518">http://www.rfc-editor.org/info/rfc6518</a>>.
[<a id="ref-RFC6822">RFC6822</a>] Previdi, S., Ed., Ginsberg, L., Shand, M., Roy, A., and
D. Ward, "IS-IS Multi-Instance", <a href="./rfc6822">RFC 6822</a>,
DOI 10.17487/RFC6822, December 2012,
<<a href="http://www.rfc-editor.org/info/rfc6822">http://www.rfc-editor.org/info/rfc6822</a>>.
<span class="grey">Chunduri, et al. Informational [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc7645">RFC 7645</a> KARP IS-IS Security Analysis September 2015</span>
[<a id="ref-RFC6862">RFC6862</a>] Lebovitz, G., Bhatia, M., and B. Weis, "Keying and
Authentication for Routing Protocols (KARP) Overview,
Threats, and Requirements", <a href="./rfc6862">RFC 6862</a>,
DOI 10.17487/RFC6862, March 2013,
<<a href="http://www.rfc-editor.org/info/rfc6862">http://www.rfc-editor.org/info/rfc6862</a>>.
[<a id="ref-RFC7210">RFC7210</a>] Housley, R., Polk, T., Hartman, S., and D. Zhang,
"Database of Long-Lived Symmetric Cryptographic Keys",
<a href="./rfc7210">RFC 7210</a>, DOI 10.17487/RFC7210, April 2014,
<<a href="http://www.rfc-editor.org/info/rfc7210">http://www.rfc-editor.org/info/rfc7210</a>>.
Acknowledgements
Authors would like to thank Joel Halpern for initial discussions on
this document and for giving valuable review comments. The authors
would like to acknowledge Naiming Shen for reviewing and providing
feedback on this document. Thanks to Russ White, Brian Carpenter,
and Amanda Barber for reviewing the document during the IESG review
process.
Authors' Addresses
Uma Chunduri
Ericsson Inc.
300 Holger Way,
San Jose, California 95134
United States
Phone: 408 750-5678
Email: uma.chunduri@ericsson.com
Albert Tian
Ericsson Inc.
300 Holger Way,
San Jose, California 95134
United States
Phone: 408 750-5210
Email: albert.tian@ericsson.com
Wenhu Lu
Ericsson Inc.
300 Holger Way,
San Jose, California 95134
United States
Email: wenhu.lu@ericsson.com
Chunduri, et al. Informational [Page 12]
</pre>
|
