LDP Hello Cryptographic Authentication
RFC 7349
Document | Type | RFC - Proposed Standard (August 2014; No errata) | |
---|---|---|---|
Authors | Lianshu Zheng , Mach Chen , Manav Bhatia | ||
Last updated | 2015-10-14 | ||
Replaces | draft-zheng-mpls-ldp-hello-crypto-auth | ||
Stream | Internet Engineering Task Force (IETF) | ||
Formats | plain text html pdf htmlized (tools) htmlized bibtex | ||
Reviews | |||
Stream | WG state | Submitted to IESG for Publication | |
Document shepherd | Loa Andersson | ||
Shepherd write-up | Show (last changed 2014-04-08) | ||
IESG | IESG state | RFC 7349 (Proposed Standard) | |
Action Holders |
(None)
|
||
Consensus Boilerplate | Yes | ||
Telechat date | |||
Responsible AD | Adrian Farrel | ||
Send notices to | (None) | ||
IANA | IANA review state | Version Changed - Review Needed | |
IANA action state | RFC-Ed-Ack |
Internet Engineering Task Force (IETF) L. Zheng Request for Comments: 7349 M. Chen Category: Standards Track Huawei Technologies ISSN: 2070-1721 M. Bhatia Ionos Networks August 2014 LDP Hello Cryptographic Authentication Abstract This document introduces a new optional Cryptographic Authentication TLV that LDP can use to secure its Hello messages. It secures the Hello messages against spoofing attacks and some well-known attacks against the IP header. This document describes a mechanism to secure the LDP Hello messages using Hashed Message Authentication Code (HMAC) with the National Institute of Standards and Technology (NIST) Secure Hash Standard family of algorithms. Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7349. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Zheng, et al. Standards Track [Page 1] RFC 7349 LDP Hello Cryptographic Authentication August 2014 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 2. Cryptographic Authentication TLV . . . . . . . . . . . . . . 4 2.1. Optional Parameter for Hello Message . . . . . . . . . . 4 2.2. LDP Security Association . . . . . . . . . . . . . . . . 4 2.3. Cryptographic Authentication TLV Encoding . . . . . . . . 6 2.4. Sequence Number Wrap . . . . . . . . . . . . . . . . . . 7 3. Cryptographic Authentication Procedure . . . . . . . . . . . 8 4. Cross-Protocol Attack Mitigation . . . . . . . . . . . . . . 8 5. Cryptographic Aspects . . . . . . . . . . . . . . . . . . . . 8 5.1. Preparing the Cryptographic Key . . . . . . . . . . . . . 9 5.2. Computing the Hash . . . . . . . . . . . . . . . . . . . 9 5.3. Result . . . . . . . . . . . . . . . . . . . . . . . . . 10 6. Processing Hello Message Using Cryptographic Authentication . 10 6.1. Transmission Using Cryptographic Authentication . . . . . 10 6.2. Receipt Using Cryptographic Authentication . . . . . . . 10 7. Operational Considerations . . . . . . . . . . . . . . . . . 11 8. Security Considerations . . . . . . . . . . . . . . . . . . . 12 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 11.1. Normative References . . . . . . . . . . . . . . . . . . 13 11.2. Informative References . . . . . . . . . . . . . . . . . 14 1. Introduction The Label Distribution Protocol (LDP) [RFC5036] sets up LDP sessions that run between LDP peers. The peers could either be directly connected at the link level or be multiple hops away. An LDP Label Switching Router (LSR) could either be configured with the identity of its peers or could discover them using LDP Hello messages. These messages are sent encapsulated in UDP addressed to "all routers on this subnet" or to a specific IP address. Periodic Hello messages are also used to maintain the relationship between LDP peers necessary to keep the LDP session active. Since the Hello messages are sent using UDP and not TCP, these messages cannot use the security mechanisms defined for TCP [RFC5926]. While some configuration guidance is given in [RFC5036] to help protect against false discovery messages, it does not provideShow full document text