LDP Hello Cryptographic Authentication
RFC 7349
Internet Engineering Task Force (IETF) L. Zheng
Request for Comments: 7349 M. Chen
Category: Standards Track Huawei Technologies
ISSN: 2070-1721 M. Bhatia
Ionos Networks
August 2014
LDP Hello Cryptographic Authentication
Abstract
This document introduces a new optional Cryptographic Authentication
TLV that LDP can use to secure its Hello messages. It secures the
Hello messages against spoofing attacks and some well-known attacks
against the IP header. This document describes a mechanism to secure
the LDP Hello messages using Hashed Message Authentication Code
(HMAC) with the National Institute of Standards and Technology (NIST)
Secure Hash Standard family of algorithms.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7349.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Zheng, et al. Standards Track [Page 1]
RFC 7349 LDP Hello Cryptographic Authentication August 2014
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Cryptographic Authentication TLV . . . . . . . . . . . . . . 4
2.1. Optional Parameter for Hello Message . . . . . . . . . . 4
2.2. LDP Security Association . . . . . . . . . . . . . . . . 4
2.3. Cryptographic Authentication TLV Encoding . . . . . . . . 6
2.4. Sequence Number Wrap . . . . . . . . . . . . . . . . . . 7
3. Cryptographic Authentication Procedure . . . . . . . . . . . 8
4. Cross-Protocol Attack Mitigation . . . . . . . . . . . . . . 8
5. Cryptographic Aspects . . . . . . . . . . . . . . . . . . . . 8
5.1. Preparing the Cryptographic Key . . . . . . . . . . . . . 9
5.2. Computing the Hash . . . . . . . . . . . . . . . . . . . 9
5.3. Result . . . . . . . . . . . . . . . . . . . . . . . . . 10
6. Processing Hello Message Using Cryptographic Authentication . 10
6.1. Transmission Using Cryptographic Authentication . . . . . 10
6.2. Receipt Using Cryptographic Authentication . . . . . . . 10
7. Operational Considerations . . . . . . . . . . . . . . . . . 11
8. Security Considerations . . . . . . . . . . . . . . . . . . . 12
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
11.1. Normative References . . . . . . . . . . . . . . . . . . 13
11.2. Informative References . . . . . . . . . . . . . . . . . 14
1. Introduction
The Label Distribution Protocol (LDP) [RFC5036] sets up LDP sessions
that run between LDP peers. The peers could either be directly
connected at the link level or be multiple hops away. An LDP Label
Switching Router (LSR) could either be configured with the identity
of its peers or could discover them using LDP Hello messages. These
messages are sent encapsulated in UDP addressed to "all routers on
this subnet" or to a specific IP address. Periodic Hello messages
are also used to maintain the relationship between LDP peers
necessary to keep the LDP session active.
Since the Hello messages are sent using UDP and not TCP, these
messages cannot use the security mechanisms defined for TCP
[RFC5926]. While some configuration guidance is given in [RFC5036]
to help protect against false discovery messages, it does not provide
Show full document text