The Keying and Authentication for Routing Protocol (KARP) IS-IS Security Analysis
RFC 7645

Document Type RFC - Informational (September 2015; No errata)
Last updated 2015-10-14
Stream IETF
Formats plain text pdf html bibtex
Stream WG state WG Document
Document shepherd Russ White
Shepherd write-up Show (last changed 2015-05-11)
IESG IESG state RFC 7645 (Informational)
Consensus Boilerplate Yes
Telechat date
Responsible AD Alia Atlas
Send notices to (None)
IANA IANA review state IANA OK - No Actions Needed
IANA action state No IC
Internet Engineering Task Force (IETF)                       U. Chunduri
Request for Comments: 7645                                       A. Tian
Category: Informational                                            W. Lu
ISSN: 2070-1721                                            Ericsson Inc.
                                                          September 2015

       The Keying and Authentication for Routing Protocol (KARP)
                        IS-IS Security Analysis

Abstract

   This document analyzes the current state of the Intermediate System
   to Intermediate System (IS-IS) protocol according to the requirements
   set forth in "Keying and Authentication for Routing Protocols (KARP)
   Design Guidelines" (RFC 6518) for both manual and automated key
   management protocols.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7645.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Chunduri, et al.              Informational                     [Page 1]
RFC 7645              KARP IS-IS Security Analysis        September 2015

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   3
     1.2.  Acronyms  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Current State . . . . . . . . . . . . . . . . . . . . . . . .   3
     2.1.  Key Usage . . . . . . . . . . . . . . . . . . . . . . . .   4
       2.1.1.  Subnetwork Independent  . . . . . . . . . . . . . . .   4
       2.1.2.  Subnetwork dependent  . . . . . . . . . . . . . . . .   4
     2.2.  Key Agility . . . . . . . . . . . . . . . . . . . . . . .   5
     2.3.  Security Issues . . . . . . . . . . . . . . . . . . . . .   5
       2.3.1.  Replay Attacks  . . . . . . . . . . . . . . . . . . .   5
         2.3.1.1.  Current Recovery Mechanism for LSPs . . . . . . .   6
       2.3.2.  Spoofing Attacks  . . . . . . . . . . . . . . . . . .   7
       2.3.3.  DoS Attacks . . . . . . . . . . . . . . . . . . . . .   8
   3.  Gap Analysis and Security Requirements  . . . . . . . . . . .   8
     3.1.  Manual Key Management . . . . . . . . . . . . . . . . . .   8
     3.2.  Key Management Protocols  . . . . . . . . . . . . . . . .   9
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .  10
   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  10
     5.1.  Normative References  . . . . . . . . . . . . . . . . . .  10
     5.2.  Informative References  . . . . . . . . . . . . . . . . .  11
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  12
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  12

1.  Introduction

   This document analyzes the current state of the Intermediate System
   to Intermediate System (IS-IS) protocol according to the requirements
   set forth in "Keying and Authentication for Routing Protocols (KARP)
   Design Guidelines" [RFC6518] for both manual and automated key
   management protocols.

   With currently published work, IS-IS meets some of the requirements
   expected from a manually keyed routing protocol.  Integrity
   protection is expanded by allowing more cryptographic algorithms to
   be used [RFC5310].  However, even with this expanded protection, only
   limited algorithm agility (HMAC-SHA family) is possible.  [RFC5310]
   makes possible a basic form of intra-connection rekeying, but with
   some gaps as analyzed in Section 3 of this document.

   This document summarizes the current state of cryptographic key usage
Show full document text