Network Working Group R. Atkinson
INTERNET-DRAFT Extreme Networks
25 August 2004
draft-rja-ripv2-auth-00.txt
Expires 25 February 2005
RIPv2 Cryptographic Authentication
Status of this Memo
By submitting this Internet-Draft, I certify that any applicable patent or
other IPR claims of which I am aware have been disclosed, or will be
disclosed, and any of which I become aware will be disclosed, in accordance
with RFC 3668.
Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months and
may be updated, replaced, or obsoleted by other documents at any time. It
is inappropriate to use Internet-Drafts as reference material or to cite
them other than a "work in progress.
The list of current Internet-Drafts can be accessed at:
http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at:
http://www.ietf.org/shadow.html
This memo is a contribution to the IETF and is intended for future
standards-track publication to update RFC-2082 and RFC-2453. This
memo is not yet the product of any IETF working group.
Distribution of this memo is unlimited.
ABSTRACT
This note describes a rough draft of a proposed revision to the RIPv2
Cryptographic Authentication mechanism originally specified in RFC-2082.
This document includes specific details of how HMAC SHA-1 is used with
RIPv2 Cryptographic Authentication, whereas the original document only
Atkinson [Page 1]
INTERNET-DRAFT 21 Aug 2004
specified the use of Keyed-MD5. Also, this document clarifies a potential
issue with an active attack on this mechanism and also adds significant
text to the Security Considerations section.
1. INTRODUCTION
Growth in the Internet has made us aware of the need for improved
authentication of routing information. RIPv2 provides for unauthenticated
service (as in classical RIP), or password authentication. Both are
vulnerable to passive attacks currently widespread in the Internet.
Well-understood security issues exist in routing protocols [Bellovin89].
Clear text passwords, originally specified for use with RIPv2, are widely
understood to be vulnerable to easily deployed passive attacks [RFC-1704].
The original RIPv2 cryptographic authentication specification [RFC-2082]
used the Keyed-MD5 cryptographic mechanism. While there are no openly
published attacks on that mechanism, work subsequent to the original
specification [Dobbertin] creates concern about the ultimate strength of
the MD5 cryptographic hash function. Further, some end users, particularly
certain governments, insist on the use of the SHA-1 cryptographic hash
function rather than any other such function. Finally, the original
specification predated the publication of the HMAC specification
[RFC-2104].
So this document replaces [RFC-2082] with an improved specification. There
are 2 significant changes in this document. First, this specification is
explicitly designed to support algorithm-independence, while retaining full
backwards compatibility with the previous specification. Second, this
specification adds support for the HMAC-SHA1 cryptographic mechanism to
supplement the Keyed-MD5 mechanism that was originally specified.
The author does NOT believe that this specification is the penultimate
answer to RIPv2 authentication and encourages the reader to consult the
SECURITY CONSIDERATIONS section of this document for more details on that.
If RIPv2 authentication is disabled, then only simple misconfigurations are
detected. Simple passwords transmitted in the clear would further protect
against accidential misconfigurations if that were the only threat, but are
useless in the general case. By simply capturing information on the wire -
straightforward even in a remote environment - a hostile process can learn
the password and overcome the network.
The goal of this mechanism is to reduce risk of passive attack for RIPv2
deployments. That is, deployment of this mechanism greatly reduces the
vulnerability of the RIPv2-based routing system from a passive attack.
This risk reduction arises because with cryptographic authentication
enabled, we transmit the output of a keyed cryptographic hash function
Atkinson [Page 2]
INTERNET-DRAFT 21 Aug 2004
whose value is bound to the contents of the RIPv2 packet, rather than
transmitting a reusable clear-text password. The cryptographic output is a
one-way function of a message and a secret RIPv2 Authentication Key. This
RIPv2 Authentication Key is never sent over the network in the clear, thus
providing protection against the passive attacks now commonplace in the
Internet.
In this way, protection is afforded against forgery or message
modification. It is possible to replay a message until the sequence
number changes, but the sequence number makes replay in the long term
less of an issue. The mechanism does not afford confidentiality,
since messages stay in the clear; however, the mechanism is also
exportable from most countries, which test a privacy algorithm would
fail. Further, since the objective of a routing protocol is to
advertise reachability, confidentiality is not normally required for
routing protocols.
Other relevant rationales for the approach are that MD5 and SHA-1
are both being used for other purposes and are therefore generally
already present in IP routers, as is some form of password management.
A similar approach has been standardized for use in IP-layer
authentication. [AH]
1.1 Terminology
In this document, the words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" are to be interpreted as described in [BCP14] [RFC-2119] and
indicate requirement levels for compliant or conformant implementations.
2. Implementation Approach
Implementation requires use of a special packet format, special
authentication procedures, and also management controls. Implementers
need to remember that the SECURITY CONSIDERATIONS section is an integral
part of this specification and contains important parts of this
specification.
2.1. RIPv2 PDU Format
The basic RIPv2 message format provides for an 8 byte header with
an array of 20 byte records as its data content. When Keyed MD5 is used,
the same header and content are used, except that the 16 byte
"authentication key" field is reused to describe a "Cryptographic
Authentication" trailer. This trailer contains five fields as
Atkinson [Page 3]
INTERNET-DRAFT 21 Aug 2004
follows:
AUTHENTICATION TYPE
The "Authentication Type" is Cryptographic Hash Function,
which is indicated by the value 3.
RIPv2 PACKET LENGTH
An unsigned 16 bit offset from the RIPv2 header to the output of
the cryptographic hash function in use (if no other trailer fields are ever
defined, this value equals the RIPv2 Data Length).
KEY IDENTIFIER
An unsigned 8-bit field that contains the Key Identifier or
Key-ID. This identifies the RIPv2 Security Association in use for this
packet. The RIPv2 Security association includes the Authentication Key
that was used to create the Authentication Data for this RIPv2 message.
In implementations supporting more than one authentication algorithm,
the Key-ID also indicates the authentication algorithm in use for this
message. A key is always associated with an interface.
AUTHENTICATION DATA LENGTH
An unsigned 8-bit field that contains the length in octets of the
trailing Authentication Data field. The presence of this field provides
cryptographic algorithm independence.
SEQUENCE NUMBER
An unsigned 32 bit sequence number. The sequence number MUST be
non-decreasing for all messages sent with a given Key ID value.
The authentication trailer consists of the Authentication Data, which is
the output of the keyed cryptographic hash function. See later
subsections of this section for details on computing this field.
2.2 RIPv2 Security Association
Understanding the RIPv2 Security Association concept is central to
understanding this specification. A RIPv2 Security Association
contains the set of shared authentication configuration parameters
needed by the legitimate sender or any legitimate receiver.
An implementation MUST be able to support at least 2 concurrent RIPv2
Security Associations on each RIP interface. This is a functional
requirement for supporting key rollover. Support for key rollover is
mandatory.
The RIPv2 Security Association is selected by the sender based on the
Atkinson [Page 4]
INTERNET-DRAFT 21 Aug 2004
outgoing interface. Each Security Association has a lifetime and other
configuration parameters (see below) associated with it. In normal
operation, no Security Association is used outside its lifetime.
The minimum data items in a RIPv2 Security Association are as follows:
KEY-IDENTIFIER
This unsigned 8-bit value is used to identify the RIPv2
Security Association in use for this packet. The receiver uses
the combination of the interface the packet was receive upon and
this value to uniquely identify the appropriate Security Association.
The sender selects which Security Association to use based on the
outbound interface for this RIPv2 packet and then places the correct
KEY-IDENTIFIER value into that packet.
AUTHENTICATION ALGORITHM
This information is never sent in clear-text over the wire,
but is essential to correct operation. Because this information is
not sent on the wire, the implementer chooses an implementation-specific
representation for this information. At present, the following
values are possible: KEYED-MD5, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384,
and HMAC-SHA-512.
AUTHENTICATION KEY
This is the value of the cryptographic authentication key used with
the associated Authentication Algorithm. It MUST NOT ever be sent over the
network in clear-text via any protocol. The length of this key will depend
on the Authentication Algorithm in use. Operators should take care to
select unpredictable and crptographically strong keys, avoiding any keys
known to be weak for the algorithm in use. [RFC-1750] contains helpful
information on key generation techniques.
SEQUENCE NUMBER
This is an unsigned 32-bit number. For a given KEY-ID value, this
number MUST NOT decrease. In normal operation, the operator should rekey
the RIPv2 session prior to reaching the maximum value. The value used in
the sequence number is arbitrary, but two examples are the time of the
message's creation or a simple message counter.
START TIME
This is a local representation of the day and time that this
Security Association first becomes valid.
STOP TIME
This is a local representation of the day and time that this
Security Association becomes invalid (i.e. when it expires). It is
permitted, but not recommended, for an operator to configure this
to be "never expire". The "never expire" value is not recommended
Atkinson [Page 5]
INTERNET-DRAFT 21 Aug 2004
operational practice because it reduces security as compared with
periodic rekeying.
2.3 Processing Algorithm
When the authentication type is "Cryptographic Authentication", message
processing is changed in message creation and reception.
0 1 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Command (1) | Version (1) | Routing Domain (2) |
+---------------+---------------+-------------------------------+
| 0xFFFF | AuType=Keyed Message Digest |
+-------------------------------+-------------------------------+
| RIPv2 Packet Length | Key ID | Auth Data Len |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sequence Number (non-decreasing) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| reserved must be zero |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| reserved must be zero |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
/ (RIPv2 Packet Length - 24) bytes of Data /
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 0xFFFF | 0x01 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/ Authentication Data (variable length) /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Algorithm-dependent processing is described in separate sub-sections
later in this section.
2.3.1. Message Generation
The RIPv2 Packet is created as usual, with these exceptions:
(1) The UDP checksum SHOULD be calculated, but MAY be set to zero.
(2) The authentication type field indicates Cryptographic Authentication (3).
(3) The authentication "password" field is reused to store a packet offset
to the Authentication Data, a Key Identifier, the Authentication Data
Atkinson [Page 6]
INTERNET-DRAFT 21 Aug 2004
Length, and a non-decreasing sequence number.
See also Section 2.2 above on RIPv2 Security Association for important
background.
(1) The RIPv2 header's packet length field indicates the standard
RIPv2 portion of the packet.
(2) The Authentication Data Offset, Key Identifier, and
Authentication Data size fields are filled in appropriately.
(3) The RIPv2 Authentication Key is now appended to the data.
For all algorithms, the RIPv2 Authentication Key is never longer
than the output of the algorithm in use.
(4) Trailing pad (if any) and length fields are added and the
Authentication Data value is calculated according to the
Authentication Algorithm that is in use.
(5) The resulting Authentication Data value is written over the RIPv2
Authentication Key. The trailing pad (if any) is not actually
transmitted, as it is entirely predictable from the message length
and Authentication Algorithm in use.
2.3.2. Message Reception
When the message is received, the process is reversed:
(1) The received Authentication Data is set aside,
(2) The appropriate RIPv2 Security Association is determined from the
value of the Key Identifier field and the interface the packet
was received on.
(3) The Authentication Key is written into the appropriate number of bytes
starting at the offset indicated,
(4) Appropriate padding is added if needed, and
(5) A new authentication data result is calculated using the
Authentication Algorithm for the appropriate RIPv2 Security Association.
(6) The calculated Authentication Data result is compared with
the received Authentication Data.
(7) If the calculated authentication data result does not match the
received Authentication Data, then the message is discarded unprocessed
Atkinson [Page 7]
INTERNET-DRAFT 21 Aug 2004
and a security event SHOULD be logged by the RIPv2 subsystem of the
receiving system. That security event SHOULD indicate at least the
day/time that the bad packet was received, the Source IP Address of
the received RIPv2 packet, the Key-ID field value, and the fact that
RIPv2 Authentication failed upon receipt.
(8) If the neighbor has been heard from recently enough to have viable
routes in the route table and the received sequence number is less
than the last one received, the message likewise is discarded
unprocessed. If the received sequence number is less than the last
one received, that security event should be logged. This logged
security event should indicate at least the day/time that the bad
packet was received, the Source IP Address of the received RIPv2
packet, the Key-ID field value, and the fact that an out-of-order
Sequence Number was received.
When connectivity to the neighbor has been lost, the receiver
SHOULD be ready to accept either:
- a message with a sequence number of zero
- a message with a higher sequence number than the last received
sequence number.
Acceptable messages are now truncated to RIPv2 message itself and
treated normally.
NOTA BENE:
A router that has forgotten its current sequence number but
remembers its Security Association MUST send its first packet with a
sequence number of zero. This leaves a small opening for a replay attack.
Router vendors are encouraged to provide stable storage for all
components of a RIPv2 Security Association to reduce the risk of
such attacks.
2.3.2. Keyed-MD5 Algorithm-Dependent Processing
This section describes algorithm-dependent processing steps for when the
Keyed-MD5 Authentication Algorithm is in use. The MD5 hash function is
defined in [RFC-1321].
The Authentication Key is 16 octets long when Keyed-MD5 is in use. The key
with value of all zero bits is believed to be weak and should not be used.
For this algorithm, the output Authentication Data contained in the trailer
is 16 bytes long. During digest calculation, this is effectively followed
by a pad field and a length field as defined by [RFC-1321].
When Keyed-MD5 is in use, the following trailer is appended in memory
Atkinson [Page 8]
INTERNET-DRAFT 21 Aug 2004
by the MD5 algorithm and treated as though it were part of the message.
Pad Bytes will be present if and only if so required by RFC-1321's
processing rules.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Authentication Key |
/ (16 octets long) /
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| zero or more pad bytes (as defined by RFC 1321) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 64 bit message length MSW |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 64 bit message length LSW |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
2.3.3 HMAC-SHA1 Algorithm-Dependent Processing
This section describes algorithm-dependent processing steps for when the
HMAC-SHA1 Authentication Algorithm is in use. While HMAC was originally
documented in [RFC-2104], for this specification the generalised HMAC
process is performed as defined in [FIPS-198]. The US NIST Secure Hash
Standard (SHA-1) is defined by [FIPS-180-2], which includes specifications
for SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512.
The output of the cryptographic computations (e.g. HMAC-SHA1) is NOT
truncated for RIPv2 Cryptographic Authentication.
When HMAC-SHA1 is in use, the Authentication Key is 160 bits long. When
HMAC-SHA-224 is in use, the Authentication Key is 224 bits long. When
HMAC-SHA-256 is in use, the Authentication Key is 256 bits long. When
HMAC-SHA-512 is in use, the Authentication Key is 512 bits long. The
Authentication Data length is equal to the Authentication Key length for
the authentication algorithm in use. Alternately phrased in the language
of [FIPS-198], Section 5, "length of K == B" is always true with this
specification.
The key with value of all zero bits is believed to be weak and should not
be used.
During Authentication Data calculation, the Authentication Data field in
memory contains the Authentication Key and is effectively followed by a pad
field and a length field as shown below. Padding, if any, is performed as
specified by Section 5.1 of [FIPS-180-2] with reference to the actual
SHA variant algorithm that is actually in use.
Atkinson [Page 9]
INTERNET-DRAFT 21 Aug 2004
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Authentication Key |
/ (16 octets long) /
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| zero or more pad bytes (as defined by FIPS-180-2) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 64 bit message length MSW |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| 64 bit message length LSW |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3. Management Procedures
Key management is an important component of this mechanism and
proper implementation is central to providing the intended level
of risk reduction.
3.2. Key Management Requirements
It is strongly desirable that a hypothetical security breach in one
Internet protocol not automatically compromise other Internet
protocols. The Authentication Key of this specification SHOULD NOT
be stored using protocols or algorithms that have known flaws.
Implementations MUST support the storage of more than one key at the
same time, although it is recognized that only one key will normally
be active on an interface. They MUST associate a specific lifetime
(i.e., date/time first valid and date/time no longer valid) and a key
identifier with each key, and MUST support manual key distribution
(e.g., the privileged user manually typing in the key, key lifetime,
and key identifier on the router console). The lifetime may be
infinite. If more than one algorithm is supported, then the
implementation MUST require that the algorithm be specified for each
key at the time the other key information is entered. Keys that are
out of date MAY be deleted at will by the implementation without
requiring human intervention. Manual deletion of active keys SHOULD
also be supported.
It is likely that the IETF will define a standard key management protocol
for use with routing protocols. It is strongly desirable to use that key
management protocol to distribute RIPv2 Authentication Keys among
communicating RIPv2 implementations. Such a protocol would provide
scalability and significantly reduce the human administrative burden.
The Key-ID field can be used as a hook between RIPv2 and such a future
protocol.
Atkinson [Page 10]
INTERNET-DRAFT 21 Aug 2004
Key management protocols have a long history of subtle flaws that are
often discovered long after the protocol was first described in
public. To avoid having to change all RIPv2 implementations should
such a flaw be discovered, integrated key management protocol
techniques were deliberately omitted from this specification.
3.3. Key Management Procedures
As with all security methods using keys, it is necessary to change
the RIPv2 Authentication Key on a regular basis. To maintain routing
stability during such changes, implementations MUST be able to store
and use more than one RIPv2 Authentication Key on a given interface
at the same time.
Each key will have its own Key Identifier, which is stored locally.
The combination of the Key Identifier and the interface associated
with the message uniquely identifies the Authentication Algorithm and
RIPv2 Authentication Key in use.
As noted above in Section 2.2.1, the party creating the RIPv2 message will
select a valid key from the set of valid keys for that interface. The
receiver MUST use the Key Identifier and interface to determine which key
to use for authentication of the received message. More than one key MAY
be associated with an interface at the same time. The receiver MUST NOT
simply try all keys that might be configured for RIPv2 on the receiving
interface, as that creates an easily exploited denial-of-service attack on
the RIP subsystem of the receiver.
Hence it is possible to have fairly smooth RIPv2 Authentication Key
rollovers without losing legitimate RIPv2 messages because the stored
key is incorrect and without requiring people to change all the keys
at once. To ensure a smooth rollover, each communicating RIPv2
system must be updated with the new key several minutes before the
current key will expire and several minutes before the new key
lifetime begins. The new key should have a lifetime that starts
several minutes before the old key expires. This gives time for each
system to learn of the new RIPv2 Authentication Key before that key
will be used. It also ensures that the new key will begin being used
and the current key will go out of use before the current key's
lifetime expires. For the duration of the overlap in key lifetimes,
a system may receive messages using either key and authenticate the
message. The Key-ID in the received message is used to select the
appropriate key for authentication.
Atkinson [Page 11]
INTERNET-DRAFT 21 Aug 2004
4. Conformance Requirements
For this specification, the term "conformance" has identical meaning
to the phrase "full compliance".
The Keyed MD5 authentication algorithm and the HMAC-SHA1 algorithm MUST be
implemented by all conforming implementations. In addition, the
HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 algorithms SHOULD be
implemented. MD5 is defined in RFC-1321. SHA-1, SHA-256, SHA-384, and
SHA-512 have been defined by the US National Institute of Standards &
Technology (NIST) in [FIPS-180-2]. A conforming implementation MAY also
support additional authentication algorithms. Manual key distribution as
described above MUST be supported by all conforming implementations. All
implementations MUST support the smooth key rollover described under "Key
Change Procedures."
The user documentation provided with the implementation MUST contain
clear instructions on how to ensure that smooth key rollover occurs.
Implementations SHOULD support a standard key management protocol for
secure distribution of RIPv2 Authentication Keys once such a key management
protocol is standardized by the IETF.
The Security Considerations section of this document is an integral
part of the specification, not just discussion of the protocol.
5. Security Considerations
8. Security Considerations
This entire memo describes and specifies an authentication mechanism
for the RIPv2 routing protocol that is believed to be secure against
passive attacks. Passive attacks are clearly widespread in
the Internet at present. Protection against active attacks is
incomplete in this current specification. The main issue relative
to active attacks lies in the need to support the case where another
router has recently rebooted and lacks the non-volatile storage needed
to remember the current RIPv2 sequence number across that reboot.
8.1 Known Pathological Cases
Two known pathological cases exist which MUST be handled by implementations.
Both of these are failures of the network manager. Both of these should be
exceedingly rare in normal operation.
Atkinson [Page 12]
INTERNET-DRAFT 21 Aug 2004
(1) During key rollover, devices might exist which have not yet been
successfully configured with the new key. Therefore, routers SHOULD
implement (and would be well advised to implement) an algorithm that
detects the set of keys being used by its neighbors, and transmits its
messages using both the new and old keys until all of the neighbors are
using the new key or the lifetime of the old key expires. Under normal
circumstances, this elevated transmission rate will exist for a single
update interval.
(2) In the event that the last key associated with an interface expires, it
is unacceptable to revert to an unauthenticated condition, and not
advisable to disrupt routing. Therefore, the router should send a "last
authentication key expiration" notification to the network manager and
treat the key as having an infinite lifetime until the lifetime is
extended, the key is deleted by network management, or a new key is
configured.
In some circumstances, this last practice can leave an opening to an active
attack on the RIPv2 routing subsystem. Therefore, any actual occurance of
a key expiration SHOULD cause a security event to be logged by the
implementation. This log item SHOULD include at least the fact that the
key expired, the RIP routing protocol instance(s) affected, the routing
interfaces affected, the Key-ID that is affected, and the current
date/time. Operators are encouraged to check such logs as an operational
security practice that can help detect active attacks on the RIPv2 routing
subsystem. Further, implementations SHOULD provide a configuration knob
to let a network operator prefer to have the RIPv2 routing fail when
the last key expires, rather than continue using RIPv2 in an insecure
manner.
5.2 Other Security Considerations
Separately, the receipt of a RIPv2 packet using cryptographic
authentication but containing an invalid or unknown Key-ID value might
indicate an active attack on the RIP routing subsystem and is a significant
security event. Therefore, any actual receipt of a RIPv2 packet using
cryptographic authentication and containing an unknown, expired, or
otherwise invalid KEY-ID value SHOULD cause a security event to be logged
by the implementation. This log item SHOULD include at least the fact that
the invalid KEY-ID was received, the source IP address of the packet
containing the invalid KEY-ID, the interface(s) the packet was received on,
the KEY-ID received, and the current date/time.
Also, the use of SNMP, even SNMP with cryptographic confidentiality
enabled, to read or write RIPv2 Authentication Keys is NOT RECOMMENDED.
This practice would create a potential for a cascading vulnerability,
whereby a compromise in the SNMP security implementation would necessarily
Atkinson [Page 13]
INTERNET-DRAFT 21 Aug 2004
lead to a compromise not only of the local routing table (which could be
accessed via SNMP) but also of all other routers that receive RIPv2 packets
from the compromised router. Also, the use of SNMP to configure which form
of RIPv2 authentication is in use is also NOT RECOMMENDED.
Further, for similar reasons it is RECOMMENDED that any future revisions to
the RIPv2 Management Information Base deprecate or omit any MIB objects
that would permit reading or writing any RIPv2 cryptographic authentication
key.
Also, it is RECOMMENDED that any future revisions to the RIPv2 Management
Information Base (MIB) deprecate or omit any MIB objects that would permit
SNMP to be used to modify whether the RIPv2 instance uses cryptographic
authentication, cleartext password authentication, or no authentication.
Also, it is RECOMMENDED that any future revisions to the RIPv2
Management Information Base (MIB) consider adding MIB objects that could be
used to read the set of security events that have been logged by the RIPv2
subsystem.
Users need to understand that the quality of the security provided by
this mechanism depends completely on the strength of the implemented
authentication algorithms, the strength of the key being used, and
the correct implementation of the security mechanism in all
communicating RIPv2 implementations. This mechanism also depends on
the RIPv2 Authentication Key being kept confidential by all parties.
If any of these incorrect or insufficiently secure, then no real
security will be provided to the users of this mechanism.
Use of high assurance development methods is RECOMMENDED for
implementations of this specification, in order to reduce the risk of
subtle implementation flaws that might adversely impact the operational
risk reduction that this specification seeks to provide.
A subtle user-interface consideration also should be noted. If a
user-interface only permits the entry of human-readable text (e.g. a
password in US-ASCII format) for use as a cryptographic key, significant
numbers of bits of the cryptographic key in use become predictable, thereby
reducing the strength of the key in this context. For this reason,
implementations of this specification SHOULD support the entry of
RIPv3 cryptographic authentication keys in hexadecimal format.
5.3 Confidentiality & Traffic Analysis Considerations
Confidentiality is not provided by this mechanism. Recent work in the IETF
provides a standard mechanism for IP-layer encryption [8] and for IP-layer
authentication [AH]. We do not require use of either of those mechanisms
Atkinson [Page 14]
INTERNET-DRAFT 21 Aug 2004
in this specification in order to preserve backwards-compatibility with the
installed base of RIPv2 systems that support cryptographic authentication.
Protection against traffic analysis is also not provided. Mechanisms such
as bulk link encryption might be used when protection against traffic
analysis is required.
5.4 Future Directions
Specification and deployment of a standards-track key management protocol
that supporting this RIPv2 cryptographic authentication mechanism would be
a significant next step in operational risk reduction and might actually
increase the ease of deployment and operation of this mechanism. Such
specification is beyond the scope of this document.
Finally, we observe that this mechanism is not the penultimate security
approach to RIPv2 authentication. Rather, it is believed that this
particular mechanism represents a significant risk reduction over previous
methods (e.g. plain-text passwords), while remaining straight-forward to
implement correctly and also straight-forward to deploy. User communities
that believe this mechanism is not adequate to their needs are encouraged
to consider using digital signatures with RIPv2. [RFC-2154] specifies the
use of OSPF with Digital Signatures; that document might be a starting
point for creating such a specification for the RIPv2 protocol. Digital
signatures are significantly more expensive computationally and are also
significantly more difficult to deploy operationally, as compared with the
mechanism specified here. It appears likely that the much of the
mechanism in this document could be reused with digital signatures.
6. IANA Considerations
No new IANA protocol parameter registries are created by this specification.
One existing registry entry is renamed. The entry (3) for authentication
type for Routing Information Protocol version 2 is renamed from "Message
Digest Authentication" to "Cryptographic Authentication" to more clearly
reflect the algorithm-independent nature of this mechanism.
Acknowledgments
Fred Baker was co-author of the earlier RIPv2 MD5 Authentication document.
This document is a direct derivative of that earlier document, though
it has been significantly reworked. Any errors are the responsibility of
the current author.
Atkinson [Page 15]
INTERNET-DRAFT 21 Aug 2004
Informative References
[RFC-1321] Rivest, R., "The MD5 Message-Digest Algorithm",
RFC-1321, April 1992.
[RFC-1704] N. Haller & R. Atkinson, "On Internet Authentication",
RFC-1704, October 1994.
[RFC-1724] Malkin, G., and F. Baker, "RIP Version 2 MIB Extension",
RFC-1724, November 1994.
[RFC-1750] Eastlake 3rd, D, S. Crocker, & J. Schiller, "Randomness
Recommendations for Security", RFC-1750, December 1994.
[RFC-2104] H. Krawczyk, M. Bellare, & R. Canetti, "Keyed-Hashing for
Message Authentication", RFC-2104, February 1997.
[RFC-2154] Murphy, S., M. Badger, and B. Wellington, "OSPF with
Digital Signatures", RFC-2154, June 1997.
[Bellovin89] S. Bellovin, "Security Problems in the TCP/IP Protocol Suite",
ACM Computer Communications Review, Volume 19, Number 2,
pp.32-48, April 1989.
[AH] Atkinson, R., "IP Authentication Header", RFC-1826, August 1995.
[ESP] Atkinson, R., "IP Encapsulating Security Payload", RFC-1827,
August 1995.
Normative References
[RFC-2453] Malkin, G., "RIP Version 2", RFC-2453, November 1988.
[FIPS-180-2] US National Institute of Standards & Technology (NIST),
"Secure Hash Specification", US Federal Information Processing
Standard 180-2, NIST, Gaithersburg, MD,
USA, 1 August 2002. http://csrc.nist.gov/cryptval
[FIPS-198] US National Institute of Standards & Technology (NIST),
"The Keyed-Hash Message Authentication Code (HMAC)",
US Federal Information Processing Standard 198, NIST,
Gaithersburg, MD, USA, 6 March 2002. http://csrc.nist.gov/cryptval
Atkinson [Page 16]
INTERNET-DRAFT 21 Aug 2004
COPYRIGHT NOTICE
Copyright (C) The Internet Society 2004. This document is subject to the
rights, licenses and restrictions contained in BCP 78, and except as set
forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an "AS
IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS
SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT
INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE.
Author's Address
R. Atkinson
Extreme Networks
3585 Monroe Street
Santa Clara, CA
Phone: (408) 579-2800
EMail: rja@extremenetworks.com
Filename: draft-rja-ripv2-auth-00.txt
Expires: 25 February 2005
Atkinson [Page 17]
