1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
|
<pre>Network Working Group M. Gupta
Request for Comments: 4552 Tropos Networks
Category: Standards Track N. Melam
Juniper Networks
June 2006
<span class="h1">Authentication/Confidentiality for OSPFv3</span>
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document describes means and mechanisms to provide
authentication/confidentiality to OSPFv3 using an IPv6 Authentication
Header/Encapsulating Security Payload (AH/ESP) extension header.
<span class="grey">Gupta & Melam Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc4552">RFC 4552</a> Authentication/Confidentiality for OSPFv3 June 2006</span>
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-2">2</a>
<a href="#section-1.1">1.1</a>. Conventions Used in This Document ..........................<a href="#page-2">2</a>
<a href="#section-2">2</a>. Transport Mode vs. Tunnel Mode ..................................<a href="#page-3">3</a>
<a href="#section-3">3</a>. Authentication ..................................................<a href="#page-3">3</a>
<a href="#section-4">4</a>. Confidentiality .................................................<a href="#page-3">3</a>
<a href="#section-5">5</a>. Distinguishing OSPFv3 from OSPFv2 ...............................<a href="#page-4">4</a>
<a href="#section-6">6</a>. IPsec Requirements ..............................................<a href="#page-4">4</a>
<a href="#section-7">7</a>. Key Management ..................................................<a href="#page-5">5</a>
<a href="#section-8">8</a>. SA Granularity and Selectors ....................................<a href="#page-7">7</a>
<a href="#section-9">9</a>. Virtual Links ...................................................<a href="#page-8">8</a>
<a href="#section-10">10</a>. Rekeying .......................................................<a href="#page-9">9</a>
<a href="#section-10.1">10.1</a>. Rekeying Procedure ........................................<a href="#page-9">9</a>
<a href="#section-10.2">10.2</a>. KeyRolloverInterval .......................................<a href="#page-9">9</a>
<a href="#section-10.3">10.3</a>. Rekeying Interval ........................................<a href="#page-10">10</a>
<a href="#section-11">11</a>. IPsec Protection Barrier and SPD ..............................<a href="#page-10">10</a>
<a href="#section-12">12</a>. Entropy of Manual Keys ........................................<a href="#page-12">12</a>
<a href="#section-13">13</a>. Replay Protection .............................................<a href="#page-12">12</a>
<a href="#section-14">14</a>. Security Considerations .......................................<a href="#page-12">12</a>
<a href="#section-15">15</a>. References ....................................................<a href="#page-13">13</a>
<a href="#section-15.1">15.1</a>. Normative References .....................................<a href="#page-13">13</a>
<a href="#section-15.2">15.2</a>. Informative References ...................................<a href="#page-13">13</a>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
OSPF (Open Shortest Path First) Version 2 [<a href="#ref-N1" title=""OSPF Version 2"">N1</a>] defines the fields
AuType and Authentication in its protocol header to provide security.
In OSPF for IPv6 (OSPFv3) [<a href="#ref-N2" title=""OSPF for IPv6"">N2</a>], both of the authentication fields
were removed from OSPF headers. OSPFv3 relies on the IPv6
Authentication Header (AH) and IPv6 Encapsulating Security Payload
(ESP) to provide integrity, authentication, and/or confidentiality.
This document describes how IPv6 AH/ESP extension headers can be used
to provide authentication/confidentiality to OSPFv3.
It is assumed that the reader is familiar with OSPFv3 [<a href="#ref-N2" title=""OSPF for IPv6"">N2</a>], AH [<a href="#ref-N5" title=""IP Authentication Header"">N5</a>],
ESP [<a href="#ref-N4" title=""IP Encapsulating Security Payload (ESP)"">N4</a>], the concept of security associations, tunnel and transport
mode of IPsec, and the key management options available for AH and
ESP (manual keying [<a href="#ref-N3" title=""Security Architecture for the Internet Protocol"">N3</a>] and Internet Key Exchange (IKE)[<a href="#ref-I1" title=""Internet Key Exchange (IKEv2) Protocol"">I1</a>]).
<span class="h3"><a class="selflink" id="section-1.1" href="#section-1.1">1.1</a>. Conventions Used in This Document</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <a href="./rfc2119">RFC 2119</a> [<a href="#ref-N7" title=""Key words for use in RFCs to Indicate Requirement Levels"">N7</a>].
<span class="grey">Gupta & Melam Standards Track [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc4552">RFC 4552</a> Authentication/Confidentiality for OSPFv3 June 2006</span>
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Transport Mode vs. Tunnel Mode</span>
The transport mode Security Association (SA) is generally used
between two hosts or routers/gateways when they are acting as hosts.
The SA must be a tunnel mode SA if either end of the security
association is a router/gateway. Two hosts MAY establish a tunnel
mode SA between themselves. OSPFv3 packets are exchanged between
routers. However, since the packets are locally delivered, the
routers assume the role of hosts in the context of tunnel mode SA.
All implementations conforming to this specification MUST support
transport mode SA to provide required IPsec security to OSPFv3
packets. They MAY also support tunnel mode SA to provide required
IPsec security to OSPFv3 packets.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Authentication</span>
Implementations conforming to this specification MUST support
authentication for OSPFv3.
In order to provide authentication to OSPFv3, implementations MUST
support ESP and MAY support AH.
If ESP in transport mode is used, it will only provide authentication
to OSPFv3 protocol packets excluding the IPv6 header, extension
headers, and options.
If AH in transport mode is used, it will provide authentication to
OSPFv3 protocol packets, selected portions of IPv6 header, selected
portions of extension headers, and selected options.
When OSPFv3 authentication is enabled,
o OSPFv3 packets that are not protected with AH or ESP MUST be
silently discarded.
o OSPFv3 packets that fail the authentication checks MUST be
silently discarded.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Confidentiality</span>
Implementations conforming to this specification SHOULD support
confidentiality for OSPFv3.
If confidentiality is provided, ESP MUST be used.
<span class="grey">Gupta & Melam Standards Track [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc4552">RFC 4552</a> Authentication/Confidentiality for OSPFv3 June 2006</span>
When OSPFv3 confidentiality is enabled,
o OSPFv3 packets that are not protected with ESP MUST be silently
discarded.
o OSPFv3 packets that fail the confidentiality checks MUST be
silently discarded.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Distinguishing OSPFv3 from OSPFv2</span>
The IP/IPv6 Protocol Type for OSPFv2 and OSPFv3 is the same (89), and
OSPF distinguishes them based on the OSPF header version number.
However, current IPsec standards do not allow using arbitrary
protocol-specific header fields as the selectors. Therefore, the
OSPF version field in the OSPF header cannot be used to distinguish
OSPFv3 packets from OSPFv2 packets. As OSPFv2 is only for IPv4 and
OSPFv3 is only for IPv6, the version field in the IP header can be
used to distinguish OSPFv3 packets from OSPFv2 packets.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. IPsec Requirements</span>
In order to implement this specification, the following IPsec
capabilities are required.
Transport mode
IPsec in transport mode MUST be supported. [<a href="#ref-N3" title=""Security Architecture for the Internet Protocol"">N3</a>]
Multiple Security Policy Databases (SPDs)
The implementation MUST support multiple SPDs with an SPD
selection function that provides an ability to choose a specific
SPD based on interface. [<a href="#ref-N3" title=""Security Architecture for the Internet Protocol"">N3</a>]
Selectors
The implementation MUST be able to use source address, destination
address, protocol, and direction as selectors in the SPD.
Interface ID tagging
The implementation MUST be able to tag the inbound packets with
the ID of the interface (physical or virtual) via which it
arrived. [<a href="#ref-N3" title=""Security Architecture for the Internet Protocol"">N3</a>]
Manual key support
Manually configured keys MUST be able to secure the specified
traffic. [<a href="#ref-N3" title=""Security Architecture for the Internet Protocol"">N3</a>]
<span class="grey">Gupta & Melam Standards Track [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc4552">RFC 4552</a> Authentication/Confidentiality for OSPFv3 June 2006</span>
Encryption and authentication algorithms
The implementation MUST NOT allow the user to choose stream
ciphers as the encryption algorithm for securing OSPFv3 packets
since the stream ciphers are not suitable for manual keys.
Except when in conflict with the above statement, the key words
"MUST", "MUST NOT", "REQUIRED", "SHOULD", and "SHOULD NOT" that
appear in the [<a href="#ref-N6" title=""Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)"">N6</a>] document for algorithms to be supported are to
be interpreted as described in [<a href="#ref-N7" title=""Key words for use in RFCs to Indicate Requirement Levels"">N7</a>] for OSPFv3 support as well.
Dynamic IPsec rule configuration
The routing module SHOULD be able to configure, modify, and delete
IPsec rules on the fly. This is needed mainly for securing
virtual links.
Encapsulation of ESP packet
IP encapsulation of ESP packets MUST be supported. For
simplicity, UDP encapsulation of ESP packets SHOULD NOT be used.
Different SAs for different Differentiated Services Code Points
(DSCPs)
As per [<a href="#ref-N3" title=""Security Architecture for the Internet Protocol"">N3</a>], the IPsec implementation MUST support the
establishment and maintenance of multiple SAs with the same
selectors between a given sender and receiver. This allows the
implementation to associate different classes of traffic with the
same selector values in support of Quality of Service (QoS).
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Key Management</span>
OSPFv3 exchanges both multicast and unicast packets. While running
OSPFv3 over a broadcast interface, the authentication/confidentiality
required is "one to many". Since IKE is based on the Diffie-Hellman
key agreement protocol and works only for two communicating parties,
it is not possible to use IKE for providing the required "one to
many" authentication/confidentiality. This specification mandates
the usage of Manual Keying with current IPsec implementations.
Future specifications can explore the usage of protocols like
Kerberized Internet Negotiation of Keys/Group Secure Association Key
Management Protocol (KINK/GSAKMP) when they are widely available. In
manual keying, SAs are statically installed on the routers and these
static SAs are used to authenticate/encrypt packets.
The following discussion explains that it is not scalable and is
practically infeasible to use different security associations for
inbound and outbound traffic to provide the required "one to many"
security. Therefore, the implementations MUST use manually
<span class="grey">Gupta & Melam Standards Track [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc4552">RFC 4552</a> Authentication/Confidentiality for OSPFv3 June 2006</span>
configured keys with the same SA parameters (Security Parameter Index
(SPI), keys, etc.) for both inbound and outbound SAs (as shown in
Figure 3).
A |
SAa ------------>|
SAb <------------|
|
B |
SAb ------------>|
SAa <------------| Figure 1
|
C |
SAa/SAb ------------>|
SAa/SAb <------------|
|
Broadcast
Network
If we consider communication between A and B in Figure 1, everything
seems to be fine. A uses security association SAa for outbound
packets and B uses the same for inbound packets and vice versa. Now
if we include C in the group and C sends a packet using SAa, then
only A will be able to understand it. Similarly, if C sends a packet
using SAb, then only B will be able to understand it. Since the
packets are multicast and they are going to be processed by both A
and B, there is no SA for C to use so that both A and B can
understand them.
A |
SAa ------------>|
SAb <------------|
SAc <------------|
|
B |
SAb ------------>|
SAa <------------| Figure 2
SAc <------------|
|
C |
SAc ------------>|
SAa <------------|
SAb <------------|
|
Broadcast
Network
<span class="grey">Gupta & Melam Standards Track [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc4552">RFC 4552</a> Authentication/Confidentiality for OSPFv3 June 2006</span>
The problem can be solved by configuring SAs for all the nodes on
every other node as shown in Figure 2. So A, B, and C will use SAa,
SAb, and SAc, respectively, for outbound traffic. Each node will
lookup the SA to be used based on the source (A will use SAb and SAc
for packets received from B and C, respectively). This solution is
not scalable and practically infeasible because a large number of SAs
will need to be configured on each node. Also, the addition of a
node in the broadcast network will require the addition of another SA
on every other node.
A |
SAo ------------>|
SAi <------------|
|
B |
SAo ------------>|
SAi <------------| Figure 3
|
C |
SAo ------------>|
SAi <------------|
|
Broadcast
Network
The problem can be solved by using the same SA parameters (SPI, keys,
etc.) for both inbound (SAi) and outbound (SAo) SAs as shown in
Figure 3.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. SA Granularity and Selectors</span>
The user SHOULD be given the choice of sharing the same SA among
multiple interfaces or using a unique SA per interface.
OSPFv3 supports running multiple instances over one interface using
the "Instance Id" field contained in the OSPFv3 header. As IPsec
does not support arbitrary fields in the protocol header to be used
as the selectors, it is not possible to use different SAs for
different OSPFv3 instances running over the same interface.
Therefore, all OSPFv3 instances running over the same interface will
have to use the same SA. In OSPFv3 RFC terminology, SAs are per-link
and not per-interface.
<span class="grey">Gupta & Melam Standards Track [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc4552">RFC 4552</a> Authentication/Confidentiality for OSPFv3 June 2006</span>
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. Virtual Links</span>
A different SA than the SA of the underlying interface MUST be
provided for virtual links. Packets sent on virtual links use
unicast non-link local IPv6 addresses as the IPv6 source address,
while packets sent on other interfaces use multicast and unicast link
local addresses. This difference in the IPv6 source address
differentiates the packets sent on virtual links from other OSPFv3
interface types.
As the virtual link end point IPv6 addresses are not known, it is not
possible to install SPD/Security Association Database (SAD) entries
at the time of configuration. The virtual link end point IPv6
addresses are learned during the routing table computation process.
The packet exchange over the virtual links starts only after the
discovery of the end point IPv6 addresses. In order to protect these
exchanges, the routing module must install the corresponding SPD/SAD
entries before starting these exchanges. Note that manual SA
parameters are preconfigured but not installed in the SAD until the
end point addresses are learned.
According to the OSPFv3 RFC [<a href="#ref-N2" title=""OSPF for IPv6"">N2</a>], the virtual neighbor's IP address
is set to the first prefix with the "LA-bit" set from the list of
prefixes in intra-area-prefix-Link State Advertisements (LSAs)
originated by the virtual neighbor. But when it comes to choosing
the source address for the packets that are sent over the virtual
link, the RFC [<a href="#ref-N2" title=""OSPF for IPv6"">N2</a>] simply suggests using one of the router's own
global IPv6 addresses. In order to install the required security
rules for virtual links, the source address also needs to be
predictable. Hence, routers that implement this specification MUST
change the way the source and destination addresses are chosen for
packets exchanged over virtual links when IPsec is enabled.
The first IPv6 address with the "LA-bit" set in the list of prefixes
advertised in intra-area-prefix-LSAs in the transit area MUST be used
as the source address for packets exchanged over the virtual link.
When multiple intra-area-prefix-LSAs are originated, they are
considered concatenated and are ordered by ascending Link State ID.
The first IPv6 address with the "LA-bit" set in the list of prefixes
received in intra-area-prefix-LSAs from the virtual neighbor in the
transit area MUST be used as the destination address for packets
exchanged over the virtual link. When multiple intra-area-prefix-
LSAs are received, they are considered concatenated and are ordered
by ascending Link State ID.
This makes both the source and destination addresses of packets
exchanged over the virtual link predictable when IPsec is enabled.
<span class="grey">Gupta & Melam Standards Track [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc4552">RFC 4552</a> Authentication/Confidentiality for OSPFv3 June 2006</span>
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. Rekeying</span>
To maintain the security of a link, the authentication and encryption
key values SHOULD be changed periodically.
<span class="h3"><a class="selflink" id="section-10.1" href="#section-10.1">10.1</a>. Rekeying Procedure</span>
The following three-step procedure SHOULD be provided to rekey the
routers on a link without dropping OSPFv3 protocol packets or
disrupting the adjacency.
(1) For every router on the link, create an additional inbound SA for
the interface being rekeyed using a new SPI and the new key.
(2) For every router on the link, replace the original outbound SA
with one using the new SPI and key values. The SA replacement
operation should be atomic with respect to sending OSPFv3 packets
on the link so that no OSPFv3 packets are sent without
authentication/encryption.
(3) For every router on the link, remove the original inbound SA.
Note that all routers on the link must complete step 1 before any
begin step 2. Likewise, all the routers on the link must complete
step 2 before any begin step 3.
One way to control the progression from one step to the next is for
each router to have a configurable time constant KeyRolloverInterval.
After the router begins step 1 on a given link, it waits for this
interval and then moves to step 2. Likewise, after moving to step 2,
it waits for this interval and then moves to step 3.
In order to achieve smooth key transition, all routers on a link
should use the same value for KeyRolloverInterval and should initiate
the key rollover process within this time period.
At the end of this procedure, all the routers on the link will have a
single inbound and outbound SA for OSPFv3 with the new SPI and key
values.
<span class="h3"><a class="selflink" id="section-10.2" href="#section-10.2">10.2</a>. KeyRolloverInterval</span>
The configured value of KeyRolloverInterval should be long enough to
allow the administrator to change keys on all the OSPFv3 routers. As
this value can vary significantly depending upon the implementation
and the deployment, it is left to the administrator to choose an
appropriate value.
<span class="grey">Gupta & Melam Standards Track [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc4552">RFC 4552</a> Authentication/Confidentiality for OSPFv3 June 2006</span>
<span class="h3"><a class="selflink" id="section-10.3" href="#section-10.3">10.3</a>. Rekeying Interval</span>
This section analyzes the security provided by manual keying and
recommends that the encryption and authentication keys SHOULD be
changed at least every 90 days.
The weakest security provided by the security mechanisms discussed in
this specification is when NULL encryption (for ESP) or no encryption
(for AH) is used with the HMAC-MD5 authentication. Any other
algorithm combinations will at least be as hard to break as the ones
mentioned above. This is shown by the following reasonable
assumptions:
o NULL Encryption and HMAC-SHA-1 Authentication will be more
secure as HMAC-SHA-1 is considered to be more secure than
HMAC-MD5.
o NON-NULL Encryption and NULL Authentication combination is not
applicable as this specification mandates authentication when
OSPFv3 security is enabled.
o Data Encryption Security (DES) Encryption and HMAC-MD5
Authentication will be more secure because of the additional
security provided by DES.
o Other encryption algorithms like 3DES and the Advanced
Encryption Standard (AES) will be more secure than DES.
<a href="./rfc3562">RFC 3562</a> [<a href="#ref-I4" title=""Key Management Considerations for the TCP MD5 Signature Option"">I4</a>] analyzes the rekeying requirements for the TCP MD5
signature option. The analysis provided in <a href="./rfc3562">RFC 3562</a> is also
applicable to this specification as the analysis is independent of
data patterns.
<span class="h2"><a class="selflink" id="section-11" href="#section-11">11</a>. IPsec Protection Barrier and SPD</span>
The IPsec protection barrier MUST be around the OSPF protocol.
Therefore, all the inbound and outbound OSPF traffic goes through
IPsec processing.
The SPD selection function MUST return an SPD with the following rule
for all the interfaces that have OSPFv3
authentication/confidentiality disabled.
No. source destination protocol action
1 any any OSPF bypass
<span class="grey">Gupta & Melam Standards Track [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc4552">RFC 4552</a> Authentication/Confidentiality for OSPFv3 June 2006</span>
The SPD selection function MUST return an SPD with the following
rules for all the interfaces that have OSPFv3
authentication/confidentiality enabled.
No. source destination protocol action
2 fe80::/10 any OSPF protect
3 fe80::/10 any ESP/OSPF or AH/OSPF protect
4 src/128 dst/128 OSPF protect
5 src/128 dst/128 ESP/OSPF or AH/OSPF protect
For rules 2 and 4, action "protect" means encrypting/calculating
Integrity Check Value (ICV) and adding an ESP or AH header. For
rules 3 and 5, action "protect" means decrypting/authenticating the
packets and stripping the ESP or AH header.
Rule 1 will bypass the OSPFv3 packets without any IPsec processing on
the interfaces that have OSPFv3 authentication/confidentiality
disabled.
Rules 2 and 4 will drop the inbound OSPFv3 packets that have not been
secured with ESP/AH headers.
ESP/OSPF or AH/OSPF in rules 3 and 5 mean that it is an OSPF packet
secured with ESP or AH.
Rules 2 and 3 are meant to secure the unicast and multicast OSPF
packets that are not being exchanged over the virtual links.
Rules 4 and 5 are meant to secure the packets being exchanged over
virtual links. These rules are installed after learning the virtual
link end point IPv6 addresses. These rules MUST be installed in the
SPD for the interfaces that are connected to the transit area for the
virtual link. These rules MAY alternatively be installed on all the
interfaces. If these rules are not installed on all the interfaces,
clear text or malicious OSPFv3 packets with the same source and
destination addresses as the virtual link end point IPv6 addresses
will be delivered to OSPFv3. Though OSPFv3 drops these packets as
they were not received on the right interface, OSPFv3 receives some
clear text or malicious packets even when the security is enabled.
Installing these rules on all the interfaces ensures that OSPFv3 does
not receive these clear text or malicious packets when security is
enabled. On the other hand, installing these rules on all the
interfaces increases the processing overhead on the interfaces where
there is no other IPsec processing. The decision of whether to
install these rules on all the interfaces or on just the interfaces
that are connected to the transit area is a private decision and
doesn't affect the interoperability in any way. Hence it is an
implementation choice.
<span class="grey">Gupta & Melam Standards Track [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc4552">RFC 4552</a> Authentication/Confidentiality for OSPFv3 June 2006</span>
<span class="h2"><a class="selflink" id="section-12" href="#section-12">12</a>. Entropy of Manual Keys</span>
The implementations MUST allow the administrator to configure the
cryptographic and authentication keys in hexadecimal format rather
than restricting it to a subset of ASCII characters (letters,
numbers, etc.). A restricted character set will reduce key entropy
significantly as discussed in [<a href="#ref-I2" title=""OSPF Security Vulnerabilities Analysis"">I2</a>].
<span class="h2"><a class="selflink" id="section-13" href="#section-13">13</a>. Replay Protection</span>
Since it is not possible using the current standards to provide
complete replay protection while using manual keying, the proposed
solution will not provide protection against replay attacks.
Detailed analysis of various vulnerabilities of the routing protocols
and OSPF in particular is discussed in [<a href="#ref-I3" title=""Generic Threats to Routing Protocols"">I3</a>] and [<a href="#ref-I2" title=""OSPF Security Vulnerabilities Analysis"">I2</a>]. The conclusion
is that replay of OSPF packets can cause adjacencies to be disrupted,
which can lead to a DoS attack on the network. It can also cause
database exchange process to occur continuously thus causing CPU
overload as well as micro loops in the network.
<span class="h2"><a class="selflink" id="section-14" href="#section-14">14</a>. Security Considerations</span>
This memo discusses the use of IPsec AH and ESP headers to provide
security to OSPFv3 for IPv6. Hence, security permeates throughout
this document.
OSPF Security Vulnerabilities Analysis [<a href="#ref-I2" title=""OSPF Security Vulnerabilities Analysis"">I2</a>] identifies OSPF
vulnerabilities in two scenarios -- one with no authentication or
simple password authentication and the other with cryptographic
authentication. The solution described in this specification
provides protection against all the vulnerabilities identified for
scenarios with cryptographic authentication with the following
exceptions:
Limitations of manual key:
This specification mandates the usage of manual keys. The following
are the known limitations of the usage of manual keys.
o As the sequence numbers cannot be negotiated, replay protection
cannot be provided. This leaves OSPF insecure against all the
attacks that can be performed by replaying OSPF packets.
o Manual keys are usually long lived (changing them often is a
tedious task). This gives an attacker enough time to discover
the keys.
<span class="grey">Gupta & Melam Standards Track [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc4552">RFC 4552</a> Authentication/Confidentiality for OSPFv3 June 2006</span>
o As the administrator is manually configuring the keys, there is
a chance that the configured keys are weak (there are known
weak keys for DES/3DES at least).
Impersonating attacks:
The usage of the same key on all the OSPF routers connected to a link
leaves them all insecure against impersonating attacks if any one of
the OSPF routers is compromised, malfunctioning, or misconfigured.
Detailed analysis of various vulnerabilities of routing protocols is
discussed in [<a href="#ref-I3" title=""Generic Threats to Routing Protocols"">I3</a>].
<span class="h2"><a class="selflink" id="section-15" href="#section-15">15</a>. References</span>
<span class="h3"><a class="selflink" id="section-15.1" href="#section-15.1">15.1</a>. Normative References</span>
[<a id="ref-N1">N1</a>] Moy, J., "OSPF Version 2", STD 54, <a href="./rfc2328">RFC 2328</a>, April 1998.
[<a id="ref-N2">N2</a>] Coltun, R., Ferguson, D., and J. Moy, "OSPF for IPv6", <a href="./rfc2740">RFC 2740</a>,
December 1999.
[<a id="ref-N3">N3</a>] Kent, S. and K. Seo, "Security Architecture for the Internet
Protocol", <a href="./rfc4301">RFC 4301</a>, December 2005.
[<a id="ref-N4">N4</a>] Kent, S., "IP Encapsulating Security Payload (ESP)", <a href="./rfc4303">RFC 4303</a>,
December 2005.
[<a id="ref-N5">N5</a>] Kent, S., "IP Authentication Header", <a href="./rfc4302">RFC 4302</a>, December 2005.
[<a id="ref-N6">N6</a>] Eastlake 3rd, D., "Cryptographic Algorithm Implementation
Requirements for Encapsulating Security Payload (ESP) and
Authentication Header (AH)", <a href="./rfc4305">RFC 4305</a>, December 2005.
[<a id="ref-N7">N7</a>] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
<span class="h3"><a class="selflink" id="section-15.2" href="#section-15.2">15.2</a>. Informative References</span>
[<a id="ref-I1">I1</a>] Kaufman, C., "Internet Key Exchange (IKEv2) Protocol", <a href="./rfc4306">RFC 4306</a>,
December 2005.
[<a id="ref-I2">I2</a>] Jones, E. and O. Moigne, "OSPF Security Vulnerabilities
Analysis", Work in Progress.
[<a id="ref-I3">I3</a>] Barbir, A., Murphy, S., and Y. Yang, "Generic Threats to Routing
Protocols", Work in Progress.
<span class="grey">Gupta & Melam Standards Track [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc4552">RFC 4552</a> Authentication/Confidentiality for OSPFv3 June 2006</span>
[<a id="ref-I4">I4</a>] Leech, M., "Key Management Considerations for the TCP MD5
Signature Option", <a href="./rfc3562">RFC 3562</a>, July 2003.
Acknowledgements
The authors would like to extend sincere thanks to Marc Solsona,
Janne Peltonen, John Cruz, Dhaval Shah, Abhay Roy, Paul Wells,
Vishwas Manral, and Sam Hartman for providing useful information and
critiques on this memo. The authors would like to extend special
thanks to Acee Lindem for many editorial changes.
We would also like to thank members of the IPsec and OSPF WG for
providing valuable review comments.
Authors' Addresses
Mukesh Gupta
Tropos Networks
555 Del Rey Ave
Sunnyvale, CA 94085
Phone: 408-331-6889
EMail: mukesh.gupta@tropos.com
Nagavenkata Suresh Melam
Juniper Networks
1194 N. Mathilda Ave
Sunnyvale, CA 94089
Phone: 408-505-4392
EMail: nmelam@juniper.net
<span class="grey">Gupta & Melam Standards Track [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc4552">RFC 4552</a> Authentication/Confidentiality for OSPFv3 June 2006</span>
Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a>, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and <a href="https://www.rfc-editor.org/bcp/bcp79">BCP 79</a>.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
<a href="http://www.ietf.org/ipr">http://www.ietf.org/ipr</a>.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Gupta & Melam Standards Track [Page 15]
</pre>
|
