OSPF Working Group M. Bhatia
Internet-Draft Alcatel-Lucent
Intended status: Standards Track S. Hartman
Expires: August 26, 2013 Painless Security
D. Zhang
Huawei Technologies co., LTD.
A. Lindem
Ericsson
February 22, 2013
Security Extension for OSPFv2 when using Manual Key Management
draft-ietf-ospf-security-extension-manual-keying-04
Abstract
The current OSPFv2 cryptographic authentication mechanism as defined
in the OSPF standards is vulnerable to both inter-session and intra-
session replay attacks when its uses manual keying. Additionally,
the existing cryptographic authentication schemes do not cover the IP
header. This omission can be exploited to carry out various types of
attacks.
This draft proposes changes to the authentication sequence number
mechanism that will protect OSPFv2 from both inter-session and intra-
session replay attacks when its using manual keys for securing its
protocol packets. Additionally, we also describe some changes in the
cryptographic hash computation so that we eliminate most attacks that
result because OSPFv2 does not protect the IP header.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 26, 2013.
Copyright Notice
Bhatia, et al. Expires August 26, 2013 [Page 1]
Internet-Draft OSPF Manual Key Management February 2013
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Requirements Section . . . . . . . . . . . . . . . . . . . 4
2. Replay Protection using Extended Sequence Numbers . . . . . . 4
3. OSPF Packet Extensions . . . . . . . . . . . . . . . . . . . . 5
4. OSPF Packet Key Selection . . . . . . . . . . . . . . . . . . 6
4.1. Key Selection for Unicast OSPF Packet Transmission . . . . 7
4.2. Key Selection for Multicast OSPF Packet Transmission . . . 7
4.3. Key Selection for OSPF Packet Reception . . . . . . . . . 8
5. Mechanism to secure the IP header . . . . . . . . . . . . . . 8
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
8.1. Normative References . . . . . . . . . . . . . . . . . . . 10
8.2. Informative References . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
Bhatia, et al. Expires August 26, 2013 [Page 2]
Internet-Draft OSPF Manual Key Management February 2013
1. Introduction
The OSPFv2 cryptographic authentication mechanism as described in
[[RFC2328]] uses per-packet sequence numbers to provide protection
against replay attacks. The sequence numbers increase monotonically
so that the attempts to replay the stale packets can be thwarted.
The sequence number values are maintained as a part of adjacency
datatracker.ietf.org