IS-IS Cryptographic Authentication
RFC 5304

Document history

Date Rev. By Action
2018-12-20
03 (System)
Received changes through RFC Editor sync (changed abstract to 'This document describes the authentication of Intermediate System to Intermediate System (IS-IS) Protocol Data Units (PDUs) using the Hashed Message Authentication Codes - Message Digest 5 (HMAC-MD5) algorithm as found in RFC 2104. IS-IS is specified in International Standards Organization (ISO) 10589, with extensions to support Internet Protocol version 4 (IPv4) described in RFC 1195. The base specification includes an authentication mechanism that allows for multiple authentication algorithms. The base specification only specifies the algorithm for cleartext passwords. This document replaces RFC 3567.

This document proposes an extension to that specification that allows the use of the HMAC-MD5 authentication algorithm to be used in conjunction with the existing authentication mechanisms. [STANDARDS-TRACK]')
2017-05-16
03 (System) Changed document authors from "Tony Li" to "Tony Li, Randall Atkinson"
2015-10-14
03 (System) Notify list changed from isis-chairs@ietf.org, draft-ietf-isis-rfc3567bis@ietf.org to (None)
2012-08-22
03 (System) post-migration administrative database adjustment to the No Objection position for Chris Newman
2012-08-22
03 (System) post-migration administrative database adjustment to the No Objection position for Pasi Eronen
2008-10-06
03 Amy Vezza State Changes to RFC Published from RFC Ed Queue by Amy Vezza
2008-10-06
03 Amy Vezza [Note]: 'RFC 5304' added by Amy Vezza
2008-10-03
03 (System) RFC published
2008-07-23
03 (System) IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor
2008-07-23
03 (System) IANA Action state changed to Waiting on RFC Editor from In Progress
2008-07-23
03 (System) IANA Action state changed to In Progress from Waiting on Authors
2008-07-23
03 Amy Vezza State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza
2008-07-22
03 (System) IANA Action state changed to Waiting on Authors from In Progress
2008-07-22
03 (System) IANA Action state changed to In Progress
2008-07-22
03 Amy Vezza IESG state changed to Approved-announcement sent
2008-07-22
03 Amy Vezza IESG has approved the document
2008-07-22
03 Amy Vezza Closed "Approve" ballot
2008-07-22
03 Ross Callon State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Ross Callon
2008-07-17
03 Pasi Eronen [Ballot Position Update] Position for Pasi Eronen has been changed to No Objection from Undefined by Pasi Eronen
2008-07-17
03 Pasi Eronen [Ballot Position Update] Position for Pasi Eronen has been changed to Undefined from Discuss by Pasi Eronen
2008-07-14
03 (System) New version available: draft-ietf-isis-rfc3567bis-03.txt
2008-07-14
03 Chris Newman [Ballot Position Update] Position for Chris Newman has been changed to No Objection from Discuss by Chris Newman
2008-07-11
03 Chris Newman
[Ballot comment]
This does not appear to have a mechanism for hash function transition.
That problem should be considered in the event a future revision of this
specification is prepared.
2008-07-11
03 Chris Newman
[Ballot discuss]
The document should not make questionable claims.  In particular:

>  operational complexity.  It is believed secure against passive
>  attacks, as defined in [RFC1704], unlike cleartext password
>  authentication.

is not true as HMAC when used with a textual password is subject to
passive dictionary attacks as well as passive brute-force attacks
(although both of these passive attacks can be mitigated by using
a long password or passphrase).
2008-07-04
03 (System) Removed from agenda for telechat - 2008-07-03
2008-07-03
03 Cindy Morgan State Changes to IESG Evaluation::AD Followup from IESG Evaluation by Cindy Morgan
2008-07-03
03 Mark Townsley [Ballot Position Update] New position, No Objection, has been recorded by Mark Townsley
2008-07-03
03 Magnus Westerlund [Ballot Position Update] New position, No Objection, has been recorded by Magnus Westerlund
2008-07-03
03 Tim Polk [Ballot Position Update] New position, No Objection, has been recorded by Tim Polk
2008-07-03
03 Dan Romascanu [Ballot Position Update] New position, No Objection, has been recorded by Dan Romascanu
2008-07-03
03 Pasi Eronen
[Ballot discuss]
Since this is basically the main document discussing ISIS security
considerations (neither RFC 1195 nor 10589:2002 really have any
text worth mentioning), it should also say what is not addressed.
The ospfv3-update draft had the following text; I think something
similar should be added here.

  "The mechanisms in [OSPFV3-AUTH] do not provide protection against
  compromised, malfunctioning, or misconfigured routers.  Such
  routers can, either accidentally or deliberately, cause
  malfunctions affecting the whole routing domain.  The reader is
  encouraged to consult [GENERIC-THREATS] for a more comprehensive
  description of threats to routing protocols."

Identified in Stephen Farrell's SecDir review:

If two admins agree that the key is "cisco" and enter it in their
routers, it should work -- but it requires that both implementations
(esp. their management interfaces) use the same character-string to
octet-string conversion algorithm.  I would guess that existing
implementations don't support anything else than (possibly subset
of) printable ASCII characters; thus, text similar to RFC 2385
Section 4.5 should be added.

The table in IANA considerations section should reference this
document, not RFC3567 (which is obsoleted by this document).
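
Added example (not part of the datatracker record or of RFC 5304): the string-to-octet conversion concern from the SecDir review point above, shown with Python's standard `hmac` module. The conversion table, function names and sample PDU octets are assumptions constructed for illustration.

```python
import hashlib
import hmac
import unicodedata

# Constructed placeholder for the PDU octets the digest covers (not a real IS-IS PDU).
SAMPLE_PDU = b"constructed PDU octets for illustration"

# Hypothetical string-to-octet conversions a management interface might apply
# to the key an operator types in.
CONVERSIONS = {
    "ascii": lambda s: s.encode("ascii"),
    "latin-1": lambda s: s.encode("latin-1"),
    "utf-8": lambda s: s.encode("utf-8"),
    "utf-8-nfd": lambda s: unicodedata.normalize("NFD", s).encode("utf-8"),
    "utf-16-le": lambda s: s.encode("utf-16-le"),
}


def hmac_md5(key_octets, pdu=SAMPLE_PDU):
    """HMAC-MD5 (RFC 2104) over the PDU octets with the converted key."""
    return hmac.new(key_octets, pdu, hashlib.md5).hexdigest()


def interop_groups(password):
    """Group conversions by the digest they produce for the same typed key.

    Two routers authenticate each other's PDUs only if their conversions
    land in the same group. A conversion that cannot encode the key at all
    forms its own group.
    """
    groups = {}
    for name, convert in CONVERSIONS.items():
        try:
            tag = hmac_md5(convert(password))
        except UnicodeEncodeError:
            tag = "unencodable:" + name
        groups.setdefault(tag, []).append(name)
    return sorted(sorted(names) for names in groups.values())


def is_printable_ascii(password):
    """True if every character is printable ASCII (0x20-0x7E)."""
    return bool(password) and all(0x20 <= ord(c) <= 0x7E for c in password)


if __name__ == "__main__":
    for typed in ("cisco", "cl\u00e9"):  # constructed sample keys
        print(repr(typed), is_printable_ascii(typed), interop_groups(typed))
```

A printable-ASCII key such as "cisco" yields the same digest under every single-byte conversion in the table, while a key with one accented character yields a different digest under each conversion.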
2008-07-03
03 Pasi Eronen [Ballot Position Update] New position, Discuss, has been recorded by Pasi Eronen
2008-07-03
03 Jon Peterson [Ballot Position Update] New position, No Objection, has been recorded by Jon Peterson
2008-07-02
03 Chris Newman
[Ballot discuss]
The document should not make questionable claims.  In particular:

>  operational complexity.  It is believed secure against passive
>  attacks, as defined in [RFC1704], unlike cleartext password
>  authentication.

is not true as HMAC when used with a textual password is subject to
passive dictionary attacks as well as passive brute-force attacks
(although both of these passive attacks can be mitigated by using
a long password or passphrase).

While this does a good job discussing password transition, I would like
to understand the procedure for hash-function (authentication mechanism)
transition.
2008-07-02
03 Chris Newman [Ballot Position Update] New position, Discuss, has been recorded by Chris Newman
2008-07-02
03 David Ward [Ballot Position Update] New position, Recuse, has been recorded by David Ward
2008-07-02
03 Lisa Dusseault [Ballot Position Update] New position, No Objection, has been recorded by Lisa Dusseault
2008-07-02
03 Ron Bonica
[Ballot comment]
This is a no-objection with point raised. I'm not willing to block the document over this point, but think that you should address it in the future.

What happens when a NOC guy who knew the shared secret leaves the company? Do you have to bounce all of the ISIS adjacencies so that you can change the secret? It would be great if you could change the shared secret without bouncing the adjacency.
2008-07-02
03 Ron Bonica [Ballot Position Update] New position, No Objection, has been recorded by Ron Bonica
2008-07-02
02 (System) New version available: draft-ietf-isis-rfc3567bis-02.txt
2008-07-02
03 Lars Eggert [Ballot Position Update] New position, No Objection, has been recorded by Lars Eggert
2008-07-01
03 Samuel Weiler Request for Last Call review by SECDIR Completed. Reviewer: Stephen Farrell.
2008-07-01
03 Ross Callon [Ballot Position Update] New position, Yes, has been recorded for Ross Callon
2008-07-01
03 Ross Callon Ballot has been issued by Ross Callon
2008-07-01
03 Ross Callon Created "Approve" ballot
2008-06-26
03 Ross Callon State Changes to IESG Evaluation from Waiting for AD Go-Ahead by Ross Callon
2008-06-26
03 Ross Callon Placed on agenda for telechat - 2008-07-03 by Ross Callon
2008-06-25
03 Samuel Weiler Request for Last Call review by SECDIR is assigned to Stephen Farrell
2008-06-25
03 Samuel Weiler Request for Last Call review by SECDIR is assigned to Stephen Farrell
2008-06-23
03 (System) State has been changed to Waiting for AD Go-Ahead from In Last Call by system
2008-06-18
03 Amanda Baber
IANA has a question:

- Where is HMAC-MD5 defined/registered as Authentication Type 54 (0x36)?

As described in the IANA Considerations section, we understand this document
to have NO IANA Actions.
2008-06-09
03 Cindy Morgan Last call sent
2008-06-09
03 Cindy Morgan State Changes to In Last Call from Last Call Requested by Cindy Morgan
2008-06-09
03 Ross Callon State Changes to Last Call Requested from IESG Evaluation by Ross Callon
2008-06-09
03 Ross Callon Last Call was requested by Ross Callon
2008-06-09
03 (System) Ballot writeup text was added
2008-06-09
03 (System) Last call text was added
2008-06-09
03 (System) Ballot approval text was added
2008-06-09
03 Ross Callon Removed from agenda for telechat - 2008-06-19 by Ross Callon
2008-06-03
03 Ross Callon Placed on agenda for telechat - 2008-06-19 by Ross Callon
2008-06-03
03 Ross Callon State Changes to IESG Evaluation from Publication Requested::External Party by Ross Callon
2008-04-09
03 Ross Callon Draft Added by Ross Callon in state Publication Requested
2008-03-18
01 (System) New version available: draft-ietf-isis-rfc3567bis-01.txt
2008-01-17
00 (System) New version available: draft-ietf-isis-rfc3567bis-00.txt