Analysis of Bidirectional Forwarding Detection (BFD) Security According to the Keying and Authentication for Routing Protocols (KARP) Design Guidelines
RFC 7492

Document Type RFC - Informational (March 2015; No errata)
Was draft-ietf-karp-bfd-analysis (individual in rtg area)
Last updated 2015-10-14
Replaces draft-bhatia-zhang-karp-bfd-analysis
Stream IETF
Formats plain text pdf html bibtex
Stream WG state WG Document
Document shepherd Brian Weis
Shepherd write-up Show (last changed 2014-07-01)
IESG IESG state RFC 7492 (Informational)
Consensus Boilerplate Yes
Telechat date
Responsible AD Adrian Farrel
IESG note Processing as AD Sponsored as KARP working group has closed down.
Send notices to (None)
IANA IANA review state Version Changed - Review Needed
IANA action state No IC
Internet Engineering Task Force (IETF)                         M. Bhatia
Request for Comments: 7492                                Ionos Networks
Category: Informational                                         D. Zhang
ISSN: 2070-1721                                                   Huawei
                                                         M. Jethanandani
                                                       Ciena Corporation
                                                              March 2015

     Analysis of Bidirectional Forwarding Detection (BFD) Security
According to the Keying and Authentication for Routing Protocols (KARP)
                           Design Guidelines

Abstract

   This document analyzes the Bidirectional Forwarding Detection (BFD)
   protocol according to the guidelines set forth in Section 4.2 of RFC
   6518, "Keying and Authentication for Routing Protocols (KARP) Design
   Guidelines".

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7492.

Bhatia, et al.                Informational                     [Page 1]
RFC 7492                    BFD Gap Analysis                  March 2015

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements to Meet  . . . . . . . . . . . . . . . . . . . .   3
   3.  Current State of Security Methods . . . . . . . . . . . . . .   3
   4.  Impacts of BFD Replays  . . . . . . . . . . . . . . . . . . .   5
   5.  Impact of New Authentication Requirements . . . . . . . . . .   6
   6.  Considerations for Improvement  . . . . . . . . . . . . . . .   7
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   8
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   8
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .   9
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction

   This document performs a gap analysis of the current state of
   Bidirectional Forwarding Detection [RFC5880] according to the
   requirements of KARP Design Guidelines [RFC6518].  Previously, the
   OPSEC working group has provided an analysis of cryptographic issues
   with BFD in "Issues with Existing Cryptographic Protection Methods
   for Routing Protocols" [RFC6039].

   The existing BFD specifications provide a basic security solution.
   Key ID is provided so that the key used in securing a packet can be
   changed on demand.  Two cryptographic algorithms (MD5 and SHA-1) are
   supported for integrity protection of the control packets; the
   algorithms are both demonstrated to be subject to collision attacks.
   Routing protocols like "RIPv2 Cryptographic Authentication"
   [RFC4822], "IS-IS Generic Cryptographic Authentication" [RFC5310],
   and "OSPFv2 HMAC-SHA Cryptographic Authentication" [RFC5709] have
   started to use BFD for liveliness checks.  Moving the routing

Bhatia, et al.                Informational                     [Page 2]
RFC 7492                    BFD Gap Analysis                  March 2015

   protocols to a stronger algorithm while using a weaker algorithm for
   BFD would allow the attacker to bring down BFD in order to bring down
   the routing protocol.  BFD therefore needs to match the routing
Show full document text