The Keying and Authentication for Routing Protocol (KARP) IS-IS Security Analysis
RFC 7645
| Document | Type |
RFC - Informational
(September 2015; No errata)
Was draft-ietf-karp-isis-analysis (individual)
|
|
|---|---|---|---|
| Last updated | 2015-10-14 | ||
| Stream | IETF | ||
| Formats | plain text pdf html bibtex | ||
| Reviews | |||
| Stream | WG state | WG Document | |
| Document shepherd | Russ White | ||
| Shepherd write-up | Show (last changed 2015-05-11) | ||
| IESG | IESG state | RFC 7645 (Informational) | |
| Consensus Boilerplate | Yes | ||
| Telechat date | |||
| Responsible AD | Alia Atlas | ||
| Send notices to | (None) | ||
| IANA | IANA review state | IANA OK - No Actions Needed | |
| IANA action state | No IANA Actions | ||
Internet Engineering Task Force (IETF) U. Chunduri
Request for Comments: 7645 A. Tian
Category: Informational W. Lu
ISSN: 2070-1721 Ericsson Inc.
September 2015
The Keying and Authentication for Routing Protocol (KARP)
IS-IS Security Analysis
Abstract
This document analyzes the current state of the Intermediate System
to Intermediate System (IS-IS) protocol according to the requirements
set forth in "Keying and Authentication for Routing Protocols (KARP)
Design Guidelines" (RFC 6518) for both manual and automated key
management protocols.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7645.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Chunduri, et al. Informational [Page 1]
RFC 7645 KARP IS-IS Security Analysis September 2015
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
1.2. Acronyms . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Current State . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Key Usage . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1.1. Subnetwork Independent . . . . . . . . . . . . . . . 4
2.1.2. Subnetwork dependent . . . . . . . . . . . . . . . . 4
2.2. Key Agility . . . . . . . . . . . . . . . . . . . . . . . 5
2.3. Security Issues . . . . . . . . . . . . . . . . . . . . . 5
2.3.1. Replay Attacks . . . . . . . . . . . . . . . . . . . 5
2.3.1.1. Current Recovery Mechanism for LSPs . . . . . . . 6
2.3.2. Spoofing Attacks . . . . . . . . . . . . . . . . . . 7
2.3.3. DoS Attacks . . . . . . . . . . . . . . . . . . . . . 8
3. Gap Analysis and Security Requirements . . . . . . . . . . . 8
3.1. Manual Key Management . . . . . . . . . . . . . . . . . . 8
3.2. Key Management Protocols . . . . . . . . . . . . . . . . 9
4. Security Considerations . . . . . . . . . . . . . . . . . . . 10
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
5.1. Normative References . . . . . . . . . . . . . . . . . . 10
5.2. Informative References . . . . . . . . . . . . . . . . . 11
Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction
This document analyzes the current state of the Intermediate System
to Intermediate System (IS-IS) protocol according to the requirements
set forth in "Keying and Authentication for Routing Protocols (KARP)
Design Guidelines" [RFC6518] for both manual and automated key
management protocols.
With currently published work, IS-IS meets some of the requirements
expected from a manually keyed routing protocol. Integrity
protection is expanded by allowing more cryptographic algorithms to
be used [RFC5310]. However, even with this expanded protection, only
limited algorithm agility (HMAC-SHA family) is possible. [RFC5310]
makes possible a basic form of intra-connection rekeying, but with
some gaps as analyzed in Section 3 of this document.
This document summarizes the current state of cryptographic key usage
in the IS-IS protocol and several previous efforts that analyze IS-IS
security. This includes the base IS-IS specifications: [RFC1195],
[RFC5304], [RFC5310], and [RFC6039].
Show full document text