LDP Hello Cryptographic Authentication
RFC 7349
Document Type RFC - Proposed Standard (August 2014; No errata)
Last updated 2015-10-14
Replaces draft-zheng-mpls-ldp-hello-crypto-auth
Stream IETF
Formats plain text pdf htmlized bibtex
Reviews
OPSDIR Telechat Review (of -08): Ready
GENART Last Call Review (of -05): Ready
SECDIR Last Call Review (of -05): Has Issues
SECDIR Early Review (of draft-zheng-mpls-ldp-hello-crypto-auth-): Ready with Nits
Stream WG state Submitted to IESG for Publication
Document shepherd Loa Andersson
Shepherd write-up Show (last changed 2014-04-08)
IESG IESG state RFC 7349 (Proposed Standard)
Consensus Boilerplate Yes
Telechat date
Responsible AD Adrian Farrel
Send notices to (None)
IANA IANA review state Version Changed - Review Needed
IANA action state RFC-Ed-Ack
Email authors Email WG IPR References Referenced by Nits 
Internet Engineering Task Force (IETF)                          L. Zheng
Request for Comments: 7349                                       M. Chen
Category: Standards Track                            Huawei Technologies
ISSN: 2070-1721                                                M. Bhatia
                                                          Ionos Networks
                                                             August 2014

                 LDP Hello Cryptographic Authentication

Abstract

   This document introduces a new optional Cryptographic Authentication
   TLV that LDP can use to secure its Hello messages.  It secures the
   Hello messages against spoofing attacks and some well-known attacks
   against the IP header.  This document describes a mechanism to secure
   the LDP Hello messages using Hashed Message Authentication Code
   (HMAC) with the National Institute of Standards and Technology (NIST)
   Secure Hash Standard family of algorithms.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7349.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Zheng, et al.                Standards Track                    [Page 1]
RFC 7349         LDP Hello Cryptographic Authentication      August 2014

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
   2.  Cryptographic Authentication TLV  . . . . . . . . . . . . . .   4
     2.1.  Optional Parameter for Hello Message  . . . . . . . . . .   4
     2.2.  LDP Security Association  . . . . . . . . . . . . . . . .   4
     2.3.  Cryptographic Authentication TLV Encoding . . . . . . . .   6
     2.4.  Sequence Number Wrap  . . . . . . . . . . . . . . . . . .   7
   3.  Cryptographic Authentication Procedure  . . . . . . . . . . .   8
   4.  Cross-Protocol Attack Mitigation  . . . . . . . . . . . . . .   8
   5.  Cryptographic Aspects . . . . . . . . . . . . . . . . . . . .   8
     5.1.  Preparing the Cryptographic Key . . . . . . . . . . . . .   9
     5.2.  Computing the Hash  . . . . . . . . . . . . . . . . . . .   9
     5.3.  Result  . . . . . . . . . . . . . . . . . . . . . . . . .  10
   6.  Processing Hello Message Using Cryptographic Authentication .  10
     6.1.  Transmission Using Cryptographic Authentication . . . . .  10
     6.2.  Receipt Using Cryptographic Authentication  . . . . . . .  10
   7.  Operational Considerations  . . . . . . . . . . . . . . . . .  11
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  12
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  13
   10. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  13
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .  13
     11.1.  Normative References . . . . . . . . . . . . . . . . . .  13
     11.2.  Informative References . . . . . . . . . . . . . . . . .  14

1.  Introduction

   The Label Distribution Protocol (LDP) [RFC5036] sets up LDP sessions
   that run between LDP peers.  The peers could either be directly
   connected at the link level or be multiple hops away.  An LDP Label
   Switching Router (LSR) could either be configured with the identity
   of its peers or could discover them using LDP Hello messages.  These
   messages are sent encapsulated in UDP addressed to "all routers on
   this subnet" or to a specific IP address.  Periodic Hello messages
   are also used to maintain the relationship between LDP peers
   necessary to keep the LDP session active.

   Since the Hello messages are sent using UDP and not TCP, these
   messages cannot use the security mechanisms defined for TCP
   [RFC5926].  While some configuration guidance is given in [RFC5036]
   to help protect against false discovery messages, it does not provide
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools