Key Change Strategies for TCP-MD5
RFC 4808
| Document | Type |
RFC - Informational
(March 2007; No errata)
Was draft-bellovin-keyroll2385 (individual in sec area)
|
|
|---|---|---|---|
| Last updated | 2013-03-02 | ||
| Stream | IETF | ||
| Formats | plain text pdf htmlized bibtex | ||
| Reviews | |||
| Stream | WG state | (None) | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 4808 (Informational) | |
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | Russ Housley | ||
| Send notices to | smb@cs.columbia.edu | ||
Network Working Group S. Bellovin
Request for Comments: 4808 Columbia University
Category: Informational March 2007
Key Change Strategies for TCP-MD5
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
The TCP-MD5 option is most commonly used to secure BGP sessions
between routers. However, changing the long-term key is difficult,
since the change needs to be synchronized between different
organizations. We describe single-ended strategies that will permit
(mostly) unsynchronized key changes.
Bellovin Informational [Page 1]
RFC 4808 TCP-MD5 Key Change March 2007
1. Introduction
The TCP-MD5 option [RFC2385] is most commonly used to secure BGP
sessions between routers. However, changing the long-term key is
difficult, since the change needs to be synchronized between
different organizations. Worse yet, if the keys are out of sync, it
may break the connection between the two routers, rendering repair
attempts difficult.
The proper solution involves some sort of key management protocol.
Apart from the complexity of such things, RFC 2385 was not written
with key changes in mind. In particular, there is no KeyID field in
the option, which means that even a key management protocol would run
into the same problem.
Fortunately, a heuristic permits key change despite this protocol
deficiency. The change can be installed unilaterally at one end of a
connection; it is fully compatible with the existing protocol.
1.1. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. The Algorithm
Separate algorithms are necessary for transmission and reception.
Reception is easier; we explain it first.
2.1. Reception
A receiver has a list of valid keys. Each key has a (conceptual)
timestamp associated with it. When a segment arrives, each key is
tried in turn. The segment is discarded if and only if it cannot be
validated by any key in the list.
In principle, there is no need to test keys in any particular order.
For performance reasons, though, a simple most-recently-used (MRU)
strategy -- try the last valid key first -- should work well. More
complex mechanisms, such as examining the TCP sequence number of an
arriving segment to see whether it fits in a hole, are almost
certainly unnecessary. On the other hand, validating that a received
segment is putatively legal, by checking its sequence number against
the advertised window, can help avoid denial of service attacks.
The newest key that has successfully validated a segment is marked as
the "preferred" key; see below.
Bellovin Informational [Page 2]
RFC 4808 TCP-MD5 Key Change March 2007
Implicit in this scheme is the assumption that older keys will
eventually be unneeded and can be removed. Accordingly,
implementations SHOULD provide an indication of when a key was last
used successfully.
2.2. Transmission
Transmission is more complex, because the sender does not know which
keys can be accepted at the far end. Accordingly, the conservative
strategy is to delay using any new keys for a considerable amount of
time, probably measured in days. This time interval is the amount of
asynchronicity the parties wish to permit; it is agreed upon out of
band and configured manually.
Some automation is possible, however. If a key has been used
successfully to validate an incoming segment, clearly the other side
knows it. Accordingly, any key marked as "preferred" by the
receiving part of a stack SHOULD be used for transmissions.
A sophisticated implementation could try alternate keys if the TCP
retransmission counter gets too high. (This is analogous to dead
gateway detection.) In particular, if a key change has just been
attempted but such segments are not acknowledged, it is reasonable to
fall back to the previous key and issue an alert of some sort.
Similarly, an implementation with a new but unused key could
occasionally try to use it, much in the way that TCP implementations
probe closed windows. Doing this avoids the "silent host" problem
discussed in Section 3.1. This should be done at a moderately slow
rate.
Note that there is an ambiguity when an acknowledgment is received
for a segment transmitted with two different keys. The TCP Timestamp
Show full document text