Network Working Group S. Murphy
Request for Comments: 2154 M. Badger
Category: Experimental B. Wellington
Trusted Information Systems
June 1997
OSPF with Digital Signatures
Status of this Memo
This memo defines an Experimental Protocol for the Internet
community. This memo does not specify an Internet standard of any
kind. Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Abstract
This memo describes the extensions to OSPF required to add digital
signature authentication to Link State data, and to provide a
certification mechanism for router data. Added LSA processing and
key management is detailed. A method for migration from, or co-
existence with, standard OSPF V2 is described.
Table of Contents
1 Acknowledgements ............................................. 2
2 Introduction ................................................. 2
3 LSA Processing ............................................... 4
3.1 Signed LSA ................................................. 4
3.2 Router Public Key LSA (PKLSA) .............................. 5
3.3 MaxAge Processing .......................................... 7
4 Key Management ............................................... 8
4.1 Identifying Keys ........................................... 8
4.1.1 Identifying Router Keys and PKLSAs ....................... 8
4.1.2 Identifying TE Public Keys ............................... 8
4.1.3 Key to use for Signing ................................... 9
4.1.4 Key to use for Verification .............................. 9
4.2 Trusted Entity (TE) Requirements ........................... 10
4.3 Scope for Keys and Signature Algorithms..................... 10
4.4 Router Key Replacement ..................................... 11
4.5 Trusted Entity Key Replacement ............................. 12
4.6 Flexible Cryptographic Environments ........................ 14
4.6.1 Multiple Signature Algorithms ............................ 14
4.6.2 Multiple Trusted Entities ................................ 15
4.6.3 Multiple Keys for One Router ............................. 16
5 Compatibility with Standard OSPF V2 .......................... 16
6 Special Considerations/Restrictions for the ABR-ASBR ......... 17
7 LSA formats .................................................. 18
Murphy, et. al. Experimental [Page 1]
RFC 2154 OSPF with Digital Signatures June 1997
7.1 Router Public Key LSA (PKLSA) .............................. 18
7.2 Router Public Key Certificate .............................. 20
7.3 Signed LSA ................................................. 23
8 Configuration Information .................................... 26
9 Remaining Vulnerabilities .................................... 26
9.1 Area Border Routers ........................................ 27
9.2 Internal Routers ........................................... 27
9.3 Autonomous System Border Routers ........................... 28
10 Security Considerations ..................................... 28
11 References .................................................. 29
12 Authors' Addresses .......................................... 29
1. Acknowledgements
The idea of signing routing information is not new. Foremost, of
course, there is the design that Radia Perlman reported in her thesis
[4] and in her book [5] for signing link state information and for
distribution of the public keys used in the signing. IDPR [7] also
recommends the use of public key based signatures of link state
information. Kumar and Crowcroft [2] discuss the use of secret and
public key authentication of inter-domain routing protocols. Finn [1]
discusses the use of secret and public key authentication of several
different routing protocols. The design reported here is closest to
that reported in [4] and [7]. It should be noted that [4] also
presents techniques for protecting the forwarding of data packets, a
topic that is not considered here, as we consider it not within the
scope of the OSPF working group.
The authors would also like to acknowledge many fruitful discussions
with many members of the OSPF working group, particularly Fred Baker
of Cisco Systems, Dennis Ferguson of MCI Telecommunications Corp.,
John Moy of Cascade Communications Corp., Curtis Villamizar of ANS,
Inc., and Rob Coltun of FORE Systems.
datatracker.ietf.org