The Keying and Authentication for Routing Protocol (KARP) IS-IS Security Analysis
RFC 7645
| Field | Value |
|---|---|
| Type | RFC - Informational (September 2015; no errata) |
| Replaces | draft-ietf-karp-isis-analysis (individual) |
| Authors | Uma Chunduri, Albert Tian, Wenhu Lu |
| Last updated | 2015-10-14 |
| Stream | IETF |
| Formats | plain text, html, pdf, htmlized, bibtex |
| WG state | WG Document |
| Document shepherd | Russ White |
| Shepherd write-up | last changed 2015-05-11 |
| IESG state | RFC 7645 (Informational) |
| Consensus boilerplate | Yes |
| Responsible AD | Alia Atlas |
| Send notices to | (None) |
| IANA review state | IANA OK - No Actions Needed |
| IANA action state | No IANA Actions |
Internet Engineering Task Force (IETF)
Request for Comments: 7645
Category: Informational
ISSN: 2070-1721
U. Chunduri, A. Tian, W. Lu (Ericsson Inc.)
September 2015

The Keying and Authentication for Routing Protocol (KARP) IS-IS Security Analysis

Abstract

This document analyzes the current state of the Intermediate System to Intermediate System (IS-IS) protocol according to the requirements set forth in "Keying and Authentication for Routing Protocols (KARP) Design Guidelines" (RFC 6518) for both manual and automated key management protocols.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7645.

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Chunduri, et al. Informational [Page 1] RFC 7645 KARP IS-IS Security Analysis September 2015

Table of Contents

1. Introduction
   1.1. Requirements Language
   1.2. Acronyms
2. Current State
   2.1. Key Usage
        2.1.1. Subnetwork Independent
        2.1.2. Subnetwork Dependent
   2.2. Key Agility
   2.3. Security Issues
        2.3.1. Replay Attacks
               2.3.1.1. Current Recovery Mechanism for LSPs
        2.3.2. Spoofing Attacks
        2.3.3. DoS Attacks
3. Gap Analysis and Security Requirements
   3.1. Manual Key Management
   3.2. Key Management Protocols
4. Security Considerations
5. References
   5.1. Normative References
   5.2. Informative References
Acknowledgements
Authors' Addresses

1. Introduction

This document analyzes the current state of the Intermediate System to Intermediate System (IS-IS) protocol according to the requirements set forth in "Keying and Authentication for Routing Protocols (KARP) Design Guidelines" [RFC6518] for both manual and automated key management protocols.

With currently published work, IS-IS meets some of the requirements expected from a manually keyed routing protocol. Integrity protection is expanded by allowing more cryptographic algorithms to be used [RFC5310]. However, even with this expanded protection, only limited algorithm agility (HMAC-SHA family) is possible. [RFC5310] makes possible a basic form of intra-connection rekeying, but with some gaps as analyzed in Section 3 of this document.

This document summarizes the current state of cryptographic key usage in the IS-IS protocol and several previous efforts that analyze IS-IS security. This includes the base IS-IS specifications: [RFC1195], [RFC5304], [RFC5310], and [RFC6039].
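The two properties the introduction attributes to [RFC5310], integrity protection limited to the HMAC-SHA family and a basic form of rekeying through a Key ID carried in the Authentication TLV, are easier to see with a small model of the sender and receiver side. The following Python is an added example written for this page, not code from the RFC or from any IS-IS implementation. It follows the shape of RFC 5310's generic cryptographic authentication (TLV type 10, authentication type 3, a 16-bit Key ID, then the HMAC; the Authentication Value is filled with Apad, 0x878FE1F3 repeated, while the HMAC is computed; a key longer than the digest length is hashed and a shorter one is zero-padded), but the key table, the 8-byte stand-in fixed header, the sample TLVs and the placement of the Authentication TLV last are constructed assumptions, and the LSP-specific zeroing of Checksum and Remaining Lifetime is left out. Check the RFC for the exact procedure before relying on any of these details.

```python
import hashlib
import hmac
import struct

AUTH_TLV_TYPE = 10       # IS-IS Authentication TLV
AUTH_TYPE_CRYPTO = 3     # "generic cryptographic authentication" (RFC 5310)
FIXED_HEADER_LEN = 8     # assumption: stand-in for the PDU's fixed header

# Constructed key table, Key ID -> (HMAC hash, shared secret). The Key ID travels
# in the TLV, so sender and receiver can hold several keys at once and roll from
# one to the next; the secrets here are made up for this example. Only SHA-family
# hashes appear because that is all the TLV's algorithm space offers.
KEY_TABLE = {
    1: ("sha256", b"constructed-secret-one"),
    2: ("sha1", b"constructed-secret-two"),
}


def apad(length):
    """Apad: 0x878FE1F3 repeated, occupying the Authentication Value while the HMAC is computed."""
    return (b"\x87\x8f\xe1\xf3" * (length // 4 + 1))[:length]


def prepare_key(secret, algo):
    """Ko: hash a secret longer than the digest length L, zero-pad a shorter one to L."""
    L = hashlib.new(algo).digest_size
    if len(secret) > L:
        return hashlib.new(algo, secret).digest()
    return secret.ljust(L, b"\x00")


def find_auth_tlv(pdu):
    """Walk the TLVs after the fixed header; return the offset of the Authentication TLV, or None."""
    off = FIXED_HEADER_LEN
    while off + 2 <= len(pdu):
        tlv_type, tlv_len = pdu[off], pdu[off + 1]
        if tlv_type == AUTH_TLV_TYPE:
            return off
        off += 2 + tlv_len
    return None


def sign_pdu(header, tlvs, key_id):
    """Append an Authentication TLV (type 10, auth type 3, Key ID, HMAC) and return the full PDU."""
    algo, secret = KEY_TABLE[key_id]
    L = hashlib.new(algo).digest_size
    tlv_hdr = struct.pack("!BBBH", AUTH_TLV_TYPE, 3 + L, AUTH_TYPE_CRYPTO, key_id)
    # The HMAC covers the whole PDU, with Apad standing in for the not-yet-known MAC.
    covered = header + tlvs + tlv_hdr + apad(L)
    mac = hmac.new(prepare_key(secret, algo), covered, algo).digest()
    return header + tlvs + tlv_hdr + mac


def verify_pdu(pdu):
    """True only for a type-3 Authentication TLV with a known Key ID and a matching HMAC."""
    off = find_auth_tlv(pdu)
    if off is None or off + 5 > len(pdu):
        return False
    tlv_len = pdu[off + 1]
    auth_type, key_id = struct.unpack("!BH", pdu[off + 2:off + 5])
    entry = KEY_TABLE.get(key_id)          # unknown Key ID: reject, do not guess a key
    if auth_type != AUTH_TYPE_CRYPTO or entry is None:
        return False
    algo, secret = entry
    L = hashlib.new(algo).digest_size
    if tlv_len != 3 + L or off + 5 + L > len(pdu):
        return False                       # length does not match the key's hash, or truncated
    received = pdu[off + 5:off + 5 + L]
    covered = pdu[:off + 5] + apad(L) + pdu[off + 5 + L:]
    expected = hmac.new(prepare_key(secret, algo), covered, algo).digest()
    return hmac.compare_digest(received, expected)


# Constructed sample: an 8-byte stand-in header and one Area Address TLV (type 1).
SAMPLE_HEADER = bytes([0x83, 0x1B, 0x01, 0x00, 0x0F, 0x00, 0x00, 0x00])
SAMPLE_TLVS = bytes([1, 4, 3, 0x49, 0x00, 0x01])

if __name__ == "__main__":
    pdu = sign_pdu(SAMPLE_HEADER, SAMPLE_TLVS, 1)
    print("key 1 verifies:", verify_pdu(pdu))
    tampered = pdu[:-1] + bytes([pdu[-1] ^ 0x01])
    print("tampered MAC verifies:", verify_pdu(tampered))
    print("rolled to key 2, verifies:", verify_pdu(sign_pdu(SAMPLE_HEADER, SAMPLE_TLVS, 2)))
```

The receiver selects the key solely from the Key ID in the TLV, which is what lets a sender move from key 1 to key 2 while the receiver still accepts both; the gap the document goes on to analyze is that nothing in the TLV itself says when the old key should stop being accepted. The verifier also rejects a TLV whose length does not match the hash that the selected key uses, so a mismatch between the configured algorithm and the received TLV fails closed rather than being parsed loosely.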