OSPF with Digital Signatures
RFC 2154

Document type: RFC - Experimental (June 1997; Errata)
Document stream: Legacy
Last updated: 2013-03-02

Network Working Group                                          S. Murphy
Request for Comments: 2154                                     M. Badger
Category: Experimental                                     B. Wellington
                                             Trusted Information Systems
                                                               June 1997

                      OSPF with Digital Signatures

Status of this Memo

   This memo defines an Experimental Protocol for the Internet
   community.  This memo does not specify an Internet standard of any
   kind.  Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Abstract

   This memo describes the extensions to OSPF required to add digital
   signature authentication to Link State data, and to provide a
   certification mechanism for router data.  The added LSA processing
   and key management are detailed.  A method for migration from, or
   co-existence with, standard OSPF V2 is described.

Table of Contents

   1 Acknowledgements .............................................   2
   2 Introduction .................................................   2
   3 LSA Processing ...............................................   4
   3.1 Signed LSA .................................................   4
   3.2 Router Public Key LSA (PKLSA) ..............................   5
   3.3 MaxAge Processing ..........................................   7
   4 Key Management ...............................................   8
   4.1 Identifying Keys ...........................................   8
   4.1.1 Identifying Router Keys and PKLSAs .......................   8
   4.1.2 Identifying TE Public Keys ...............................   8
   4.1.3 Key to use for Signing ...................................   9
   4.1.4 Key to use for Verification ..............................   9
   4.2 Trusted Entity (TE) Requirements ...........................  10
   4.3 Scope for Keys and Signature Algorithms.....................  10
   4.4 Router Key Replacement .....................................  11
   4.5 Trusted Entity Key Replacement .............................  12
   4.6 Flexible Cryptographic Environments ........................  14
   4.6.1 Multiple Signature Algorithms ............................  14
   4.6.2 Multiple Trusted Entities ................................  15
   4.6.3 Multiple Keys for One Router .............................  16
   5 Compatibility with Standard OSPF V2 ..........................  16
   6 Special Considerations/Restrictions for the ABR-ASBR .........  17
   7 LSA formats ..................................................  18

Murphy, et. al.               Experimental                      [Page 1]
RFC 2154              OSPF with Digital Signatures             June 1997

   7.1 Router Public Key LSA (PKLSA) ..............................  18
   7.2 Router Public Key Certificate ..............................  20
   7.3 Signed LSA .................................................  23
   8 Configuration Information ....................................  26
   9 Remaining Vulnerabilities ....................................  26
   9.1 Area Border Routers ........................................  27
   9.2 Internal Routers ...........................................  27
   9.3 Autonomous System Border Routers ...........................  28
   10 Security Considerations .....................................  28
   11 References ..................................................  29
   12 Authors' Addresses ..........................................  29

1.  Acknowledgements

   The idea of signing routing information is not new.  Foremost, of
   course, there is the design that Radia Perlman reported in her thesis
   [4] and in her book [5] for signing link state information and for
   distribution of the public keys used in the signing.  IDPR [7] also
   recommends the use of public key based signatures of link state
   information.  Kumar and Crowcroft [2] discuss the use of secret and
   public key authentication of inter-domain routing protocols.  Finn [1]
   discusses the use of secret and public key authentication of several
   different routing protocols.  The design reported here is closest to
   that reported in [4] and [7].  It should be noted that [4] also
   presents techniques for protecting the forwarding of data packets, a
   topic that is not considered here, as we consider it not within the
   scope of the OSPF working group.

   The authors would also like to acknowledge many fruitful discussions
   with many members of the OSPF working group, particularly Fred Baker
   of Cisco Systems, Dennis Ferguson of MCI Telecommunications Corp.,
   John Moy of Cascade Communications Corp., Curtis Villamizar of ANS,
   Inc., and Rob Coltun of FORE Systems.
