KARP Working Group M. Bhatia Internet-Draft Alcatel-Lucent Intended status: Standards Track S. Hartman Expires: July 23, 2011 Painless Security D. Zhang Huawei Technologies co., LTD. January 19, 2011 Security Extension for OSPFv2 when using Manual Key Management draft-bhatia-karp-ospf-ip-layer-protection-02 Abstract The current OSPFv2 cryptographic authentication mechanism as defined in the OSPF standards is vulnerable to both inter and intra replay attacks when its uses manual keying. Additionally, the existing cryptographic authentication schemes do not cover the IP header. This omission can be exploited to carry out various types of attacks. This draft proposes an authentication scheme based on a challenge- response mechanism that will protect OSPFv2 from both inter and intra replay attacks when its using manual keys for securing its protocol packets. Later we also describe some changes in the cryptographic hash computation so that we eliminate most attacks that result because of OSPFv2 not protecting the IP header. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on July 23, 2011. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. Bhatia, et al. Expires July 23, 2011 [Page 1] Internet-Draft OSPF Manual Key Management January 2011 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. A Challenge and Response Solution . . . . . . . . . . . . . . 5 2.1. Receiver Behavior . . . . . . . . . . . . . . . . . . . . 10 2.2. Nonce Triggers . . . . . . . . . . . . . . . . . . . . . . 11 3. Packet Format . . . . . . . . . . . . . . . . . . . . . . . . 13 3.1. Extensions to OSPF packets . . . . . . . . . . . . . . . . 13 3.2. Extension of Hello Packet . . . . . . . . . . . . . . . . 14 4. Key Selection in Processing OSPF Packets . . . . . . . . . . . 16 4.1. Key Selection in Sending Unicast OSPF Packets . . . . . . 16 4.2. Key Selection in Sending Multicast OSPF Packets . . . . . 16 4.3. Key Selection on Receiving OSPF Packets . . . . . . . . . 17 5. Existing Cryptographic Authentication Mechanism . . . . . . . 18 6. Mechanism to secure the IP header . . . . . . . . . . . . . . 19 7. Security Considerations . . . . . . . . . . . . . . . . . . . 20 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 22 9.1. Normative References . . . . . . . . . . . . . . . . . . . 22 9.2. Informative References . . . . . . . . . . . . . . . . . . 22 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 23 Bhatia, et al. Expires July 23, 2011 [Page 2] Internet-Draft OSPF Manual Key Management January 2011 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119 [RFC2119]. When used in lower case, these words convey their typical use in common language, and are not to be interpreted as described in RFC2119 [RFC2119]. Bhatia, et al. Expires July 23, 2011 [Page 3] Internet-Draft OSPF Manual Key Management January 2011 1. Introduction The OSPFv2 cryptographic authentication mechanism as described in [[RFC2328]] uses per-packet sequence numbers to provide protection against replay attacks. The sequence numbers increase monotonically so that the attempts to replay the stale packets can be thwarted. The sequence number values are maintained as a part of adjacency states. Therefore, if an adjacency is broken down, the associated sequence numbers get re-initiated and the neighbors start all over again. Additionally, the cryptographic authentication mechanism does not specify how to deal with the rollover of a sequence number when it reaches its maximum limit. These omissions can be taken advantage of by attackers to implement various replay attacks ([RFC6039]). In order to address these issues, we propose a challenge/ response mechanism that introduces two additional random numbers to help routers generate distinguishable new states when the sequence numbers need to be re-initiated. Compared with the cryptographic authentication mechanism proposed in [RFC5709], the solution proposed does not impose any more security presumption. The cryptographic authentication as described in [RFC2328] and later updated in [RFC5709] does not include the IP header. This also can be exploited to launch several attacks as the source address in the IP header is no longer protected. The OSPF specification, in certain cases, requires the implementations to look at the source address carried in the IP header to determine the neighbor the packet was recieved from. Changing the source address of a packet can thus, confuse the reciever which can be exploited to produce a number of denial of service attacks [RFC6039]. If the packet is interpreted as coming from a different neighbor, the sequence number received from the neighbor may be updated. This may disrupt communication with the legitimate neighbor. Hello packets may be reflected to cause a neighbor to appear to have one-way communication. Old Database descriptions may be reflected in cases where the per-packet sequence numbers are sufficiently divergent in order to disrupt an adjacency [I-D.hartman-ospf-analysis]. This is referred to as the IP layer issue in [I-D.ietf-karp-threats-reqs]. [RFC2328] states that implementations MUST offer keyed MD5 authentication. It is likely that this will be deprecated in favor of the stronger algorithms described in [RFC5709] in future deployments [I-D.ietf-opsec-igp-crypto-requirements]. This draft proposes a simple change in the cryptographic authentication mechanism, as currently described in [RFC5709], to prevent such IP layer attacks. Bhatia, et al. Expires July 23, 2011 [Page 4] Internet-Draft OSPF Manual Key Management January 2011 2. A Challenge and Response Solution In OSPFv2, a non-decreasing sequence member is associated with each OSPF packet sent from a router in order to prevent replay attacks. However, as illustrated in [I-D.hartman-ospf-analysis] and [RFC6039], in the circumstances where automatic key management mechanisms are unavailable, any re-initiation of sequence numbers can potentially be taken advantage of to perform replay attacks. In this section, we introduce an extension of the OSPFv2 protocol, which uses challenge/ response to benefit the verification of the freshness of OSPF packets when the sequence numbers of routers are re-initiated. This solution eliminates the reliance on automatic key management mechanisms. However, it is assumed that a traffic key is shared between two communicating routers so that an attacker can play antique packets but lacks the capability to modify packets without being detected. In this protocol, two random numbers (Session ID and Nonce) are introduced. The session ID is used to identify the session a packet is within and thus makes inter-session replay attacks difficult. The nonce is used to challenge the liveness of communicating routers so that states need not be maintained with routers that are not currently neighbors. In combination with the sequence number, the session ID can effectively resist intra-session replay attacks. When the sequence space is exhausted, a router simply chooses a new session ID. Figure 1 illustrates how two routers A and B, challenge each other's liveness when they are initially connected to a link. First, A selects a new session ID (X1) and a new nonce (N1), and sends them out within a hello packet (see step 1). Particularly, X1and N1 are encapsulated in the OSPF header of the packet. Note that if A is on a multicast LAN, the packet is sent using multicast. Similarly, B sends a hello packet with its new session ID (X2) and Nonce (N2) (step 2). Upon receiving the hello packet from B, A sends a hello packet with X1 and N1. In the neighbor field of the packet, the router ID of B, X2, and N2 is encapsulated (Step 3). Upon receiving the packet sent in step 3, B can ensure the freshness of the packet if the attached session ID and nonce values of both routers are correct. In the same way, after receiving the hello packet from A, B sends a hello packet with X2 and N2 in the OSPF header, and in the neighbor field of the packet, the router ID of A, X1, and N1 is listed to identify that A has been discovered. After receiving the packet, A can make sure the packet is fresh if the session IDs and the nonce of both routers contained in the packet are correct. After A and B discover each other, they start exchanging their database information (steps 5 and 6). During the exchange, every packet from Router A is Bhatia, et al. Expires July 23, 2011 [Page 5] Internet-Draft OSPF Manual Key Management January 2011 associated with X1 and N1, while every packet from Router B is associated with X2 and N2. Each of these packets also contains a sequence number as part of the cryptographic authentication option. The sequence number MUST increase for every packet sent. +---------------+ +---------------+ | router A | | router B | +---------------+ +---------------+ --------------------------------------------------------------- OSPF Hdr: Session ID = X1; Nonce = N1; OSPF HELLO: Neighbor = 0 (1) ------------------------------------> OSPF Hdr: Session ID = X2; Nonce = N2; OSPF HELLO: Neighbor = 0 (2) <------------------------------------ OSPF Hdr: Session ID = X1; Nonce = N1; OSPF HELLO: Neighbor = B; Session ID = X2; Nonce = N2 (3) ------------------------------------> OSPF Hdr: Session ID = X2; Nonce = N2; OSPF HELLO: Neighbor = A; Session ID = X1; Nonce = N1 (4) <------------------------------------ OSPF Hdr: Session ID = X1; Nonce = N1; Normal OSPF DD packet (5) ------------------------------------> OSPF Hdr: Session ID = X2; Nonce = N2 Normal OSPF DD packet (6) <------------------------------------ * * * OSPF Hdr: Session ID = X1; Nonce = N1; OSPF HELLO: Neighbor = B; Session ID = X2; Nonce = N2 (7) ------------------------------------> Figure 1 Scenario: two Routers coming up on a LAN After A and B have generated a neighbor relationship, assume another router, C, is connected to the link. C finds the existence of A and intends to become a neighbor of A. The packets exchanged during this process are illustrated in Figure 2. Firstly, C selects a new session ID (X3) and a new nonce value (N3), and sends them out within a blank hello packet (see the second step of Figure 2). After receiving this packet, A sends out a hello packet with the information of C (router ID, X3, and N3) in the neighbor field. Bhatia, et al. Expires July 23, 2011 [Page 6] Internet-Draft OSPF Manual Key Management January 2011 Because A is challenging the liveness of a new neighbor, A selects a new nonce N1' and encapsulates it in the OSPF header of the hello packet to challenge whether the packet sent in step 2 is really from C. After receiving the packet from A, C can make sure the packet is valid since it consists of its current session ID and nonce (e.g., X3 and N3). Thus, C replies to A with a hello packet including the information of A (e.g., X1 and N1') in the neighbor field. After receiving this packet and checking the correctness of X1 and N1', A can ensure that the packet is fresh and C is currently online. It worthwhile to note that during the challenge and response the hello packets sent immediately amnogst routers. Bhatia, et al. Expires July 23, 2011 [Page 7] Internet-Draft OSPF Manual Key Management January 2011 +---------------+ +---------------+ | router A | | router C | +---------------+ +---------------+ -------------------------------------------------------------- OSPF Hdr: Session ID = X1; Nonce = N1; OSPF HELLO: Neighbor = B; Session ID = X2; Nonce = N2 (1) ------------------------------------> OSPF Hdr: Session ID = X3; Nonce = N3; OSPF HELLO: Neighbor = 0 (2) <------------------------------------ OSPF Hdr: Session ID = X1; Nonce = N1'; OSPF HELLO: Neighbor = B; Session ID = X2; Nonce = N2; Neighbor = C; Session ID = X3; Nonce = N3 (3) ------------------------------------> OSPF Hdr: Session ID = X3; Nonce = N3; OSPF HELLO: Neighbor = A; Session ID = X1; Nonce = N1' (4) <------------------------------------ OSPF Hdr: Session ID = X1; Nonce = N1'; Normal OSPF DD packet (5) ------------------------------------> OSPF Hdr: Session ID = X3; Nonce = N3 Normal OSPF DD packet (6) <------------------------------------ * * * OSPF Hdr: Session ID = X1; Nonce = N1'; OSPF HELLO: Neighbor = B; Session ID = X2; Nonce = N2; Neighbor = C; Session ID = X3; Nonce = N3 (7) ------------------------------------> Figure 2. Scenario: another Router C comes up on that LAN Figure 3 illustrates the scenario in which router A is rebooted. After the reboot, A lost its state and selects a new session ID (X4) and a new nonce value (N4). However, B still maintains the earlier session ID and nonce values of A (X1 and N1). In step 1, A sends a blank hello packet out with its new session ID and nonce value. After receiving the hello packet, B realizes that the session ID and the nonce value of A in the OSPF header are different from the ones maintained in its database. In order to distinguish a reboot from a replay of an old packet, B selects a new nonce value, N2', and Bhatia, et al. Expires July 23, 2011 [Page 8] Internet-Draft OSPF Manual Key Management January 2011 transports it as well as its session ID (X2) in a hello packet to check whether the packet is from A. In the neighbor field of this packet, B continues listing A with the earlier session ID and nonce values (i.e., X1 and N1). Therefore, if an attacker attempts to send an antique packet to masquerade as A, A would update its database with the new nonce of B and send a hello packet with its existing Session ID and nonce values (X1 and N1). In step 3, B receives a new hello packet consisting of B's new nonce value from A. Since this packet lists B with the new nonce value in the neighbors field of the hello and since the nonce is new, this packet cannot be a replay. Now, B can safely assume that A has indeed restarted and can start using the new session ID and the nonce values sent by A in the neighbor field of its hellos. Bhatia, et al. Expires July 23, 2011 [Page 9] Internet-Draft OSPF Manual Key Management January 2011 +---------------+ +---------------+ | router A | | router B | +---------------+ +---------------+ --------------------------------------------------------------- OSPF Hdr: Session ID = X4; Nonce = N4; OSPF HELLO: Neighbor = 0 (1) ------------------------------------> OSPF Hdr: Session ID = X2; Nonce = N2'; OSPF HELLO: Neighbor = A; Session ID = X1; Nonce = N1 (2) <------------------------------------ OSPF Hdr: Session ID = X4; Nonce = N4; OSPF HELLO: Neighbor = B; Session ID = X2; Nonce = N2' (3) ------------------------------------> OSPF Hdr: Session ID = X2; Nonce = N2'; OSPF HELLO: Neighbor = A; Session ID = X4; Nonce = N4 (4) <------------------------------------ OSPF Hdr: Session ID = X4; Nonce = N4; Normal OSPF DD packet (5) ------------------------------------> OSPF Hdr: Session ID = X2; Nonce = N2' Normal OSPF DD packet (6) <------------------------------------ * * * OSPF Hdr: Session ID = X4; Nonce = N4; OSPF HELLO: Neighbor = B; Session ID = X2; Nonce = N2' (7) ------------------------------------> Figure 3. Scenario: Router A Reboot 2.1. Receiver Behavior This section describes how OSPF receivers will handle the reception of packets with the nonce and session ID. If a packet other than a hello is received with the new cryptographic authentication option, it must correspond to an existing neighbor relationship in at least the 2-way state. If the neighbor is not in 2-way state or greater, the packet is discarded. If the session ID does not match the session ID recorded with the neighbor, the packet is discarded. If the sequence number in the cryptographic Bhatia, et al. Expires July 23, 2011 [Page 10] Internet-Draft OSPF Manual Key Management January 2011 authentication option is not strictly greater than the sequence number associated with the neighbor, then the packet is discarded. If the cryptographic verification of the checksum fails, the packet is discarded. Otherwise, the packet is accepted by the cryptographic authentication and the sequence number associated with the neighbor is updated to be the sequence number in the packet. If a hello is received for a neighbor that is not found or that has not reached 2-way state, the following steps are performed. If a neighbor structure exists for the neighbor and the session ID match that stored in the neighbor structure, then the packet is processed as follows. The sequence number is checked and MUST be strictly greater than the sequence number in the neighbor structure. The cryptographic authentication is verified. If this router is listed in the set of neighbors in the hello packet, the nonce and session ID MUST match this router's current nonce and session ID. If any of these checks fail, the packet is discarded. Otherwise the packet is accepted past cryptographic processing. By this point, the router has received a hello packet. Either no neighbor structure exists or the session ID has changed. Before permitting communication with this router, its liveness needs to be challenged. If a new neighbor has been added since the last nonce trigger, then a nonce trigger (see Section 2.2is performed and the packet is discarded. If this router is listed in the list of neighbors, it MUST be listed with its current session ID and nonce otherwise the packet is discarded. If verification of the cryptographic checksum fails, the packet is discarded. Otherwise, the session ID, nonce and sequence number associated with the neighbor are updated from the packet and the packet is accepted by cryptographic authentication processing. If a neighbor structure is added, then nonce trigger state is updated to indicate that a neighbor has been added. 2.2. Nonce Triggers The router keeps track of whether a nonce trigger has happened since the last time a neighbor is added. In order to test liveness, a router updates its current nonce to a new value. As a side effect, all routers on the link will update the nonce of the router associated with this router. More importantly, though, the router we are testing liveness with will update the nonce in its hello entry for this router. That will allow this router to confirm that the session ID is correct and corresponds to current replay state. As part of a nonce trigger, the router updates its current nonce. If Bhatia, et al. Expires July 23, 2011 [Page 11] Internet-Draft OSPF Manual Key Management January 2011 a hello has not been sent too recently, then a hello is sent with the new nonce. The nonce trigger state is updated to indicate that no new neighbors have been added since the last nonce trigger. Bhatia, et al. Expires July 23, 2011 [Page 12] Internet-Draft OSPF Manual Key Management January 2011 3. Packet Format In the challenge/ response mechanism, every OSPFv2 packet MUST carry the current Session ID and the associated Nonce value. This section describes how this information is carried in the OSPFv2 packets. The OSPF packet header includes an authentication type field, and 64- bits of data for use by the appropriate authentication scheme (determined by the type field). Authentication types 0, 1 and 2 are defined in [RFC2328]. This document defines Authentication type 3. When using this authentication scheme the 64 bit Authentication field in the OSPF packet header remains unchanged and is the same as defined in Section D.3 of [RFC2328]. NOTE to the WG: We can also increase the size of the Key ID. Currently it has been kept as, but nothing prevents us from changing this. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | 0 | Key ID | Auth Data Len | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Cryptographic sequence number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 4.Usage of the Authentication field in the OSPF header when this mechanism is employed The Session ID and the Nonce information is placed before the message digest that is appended to the OSPF packet. In this case too, the final Authentication data is not actually considered part of the OSPF protocol packet. 3.1. Extensions to OSPF packets This section describes the new OSPFv2 packet format when this authentication scheme is being used. Bhatia, et al. Expires July 23, 2011 [Page 13] Internet-Draft OSPF Manual Key Management January 2011 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Version # | Type | Packet length | ^ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Router ID | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Area ID | |OSPF +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |HEADER | Checksum | AuType | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | 0 | Key ID | Auth Data Len | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Cryptographic sequence number | V +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | | ^ | OSPF Protocol Packet | | ~ ~ |BODY | | | | | V +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Session ID | ^ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Nonce Value | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |AUTH | | |DIGEST ~ Authentication Data ~ | | | V +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - Figure 5.OSPFv2 Packet view 3.2. Extension of Hello Packet The following figure shows an OSPF HELLO packet when this authentication scheme is being used. The HELLO payload has been modified to include each neighbor's Session ID and the Nonce value. The authentication data, as described above, carries the router's current Session ID and the Nonce value. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Version # | 1 | Packet length | ^ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Router ID | | Bhatia, et al. Expires July 23, 2011 [Page 14] Internet-Draft OSPF Manual Key Management January 2011 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |OSPF | Area ID | |HDR +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Checksum | AuType = 3 | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | 0 | Key ID | Auth Data Len | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Cryptographic sequence number | V +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Network Mask | ^ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | HelloInterval | Options | Rtr Pri | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | RouterDeadInterval | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Designated Router | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Backup Designated Router | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |HELLO | Neighbor 1 | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Session ID of Neighbor 1 | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Nonce of Neighbor 1 | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Neighbor 2 | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Session ID of Neighbor 2 | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Nonce of Neighbor 2 | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ... | V +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Session ID | ^ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Nonce Value | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |AUTH | | |DATA ~ Authentication Data ~ | | | V +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - Figure 6.Extension of Protocol Packet Bhatia, et al. Expires July 23, 2011 [Page 15] Internet-Draft OSPF Manual Key Management January 2011 4. Key Selection in Processing OSPF Packets This section introduces how the proposed security solution looks up long lived keys from key tables [I-D.ietf-karp-crypto-key-table]. Generally, a proper key selected to process an OSPFv2 packet should satisfy the requirements listed as follows: the key is in its valid period; and the key can be used for the desired security algorithm. In the remainder of this section, other requirements that a selected key should particularly satisfy are depicted in different scenarios. 4.1. Key Selection in Sending Unicast OSPF Packets Assume that a router R1 tries to send a unicast OSPF packet from its interface I1 to the interface R2 of a remote router R2 using security protocol P via interface I at time T. Firstly consider the circumstances where R1 and R2 are not connected with a virtual link. R1 then needs to select a long long-lived symmetric key from its key table. Because the key should be shared by the by both R1 and R2 to protect the communication between I1 and I2, the key should satisfy the following requirements: the Peer field includes the router ID of R2; the PeerKeyID field is not "unknown"; the Interfaces field includes I1; and the Direction field is either "out" or "both". When R1 and R2 are at the ends of a virtual link, the condition is a little more complex. Because the virtual link can be regarded as an unnumbered point-to-point network, the IP address of the interface actually used to send the packet (i.e., I1) is discovered during the routing table build process. Therefore, when the system operator deploys the keys to protect the virtual link, I1 has not been specified yet. Therefore, the key should be identified by the router IDs rather than by the interface originating the packet, and the third requirement introduced above should be changed to "the Interface field includes the router ID". 4.2. Key Selection in Sending Multicast OSPF Packets If a router R1 sends an OSPF packet from its interface I1 to a multicast address (e.g., AllSPFRouters, AllDRouters), it needs to Bhatia, et al. Expires July 23, 2011 [Page 16] Internet-Draft OSPF Manual Key Management January 2011 select a key according to the following requirements: the Peer field includes the multicast address; the PeerKeyID field is "group"; the Interfaces field includes I1; and the Direction field is either "out" or "both". 4.3. Key Selection on Receiving OSPF Packets When Cryptographic Authentication is employed, the ID of the adopted key is encapsulated within the authentication field of an OSPF packet header. Using this ID, it is relatively easy for a receiver to locate the key. The requirement is relatively simple: the Peer field includes the router ID of the sender; and the PeerKeyID field includes the key ID obtained from the authentication field Bhatia, et al. Expires July 23, 2011 [Page 17] Internet-Draft OSPF Manual Key Management January 2011 5. Existing Cryptographic Authentication Mechanism The overall cryptographic authentication process defined in [RFC5709] remains unchanged. To reduce the potential for confusion, this section minimises the repetition of text from RFC 5709 and is incorporated here by reference [RFC5709]. RFC 5709, Section 3.3, describes how the cryptographic authentication must be computed. It requires OSPFv2 packet's Authentication Trailer (which is the appendage described in RFC 2328, Section D.4.3, Page 233, items (6)(a) and (6)(d)) to be filled with the value Apad where Apad is a hexadecimal constant value 0x878FE1F3 repeated (L/4) times, where L is the length of the hash being used and is measured in octets rather than bits. Bhatia, et al. Expires July 23, 2011 [Page 18] Internet-Draft OSPF Manual Key Management January 2011 6. Mechanism to secure the IP header This document updates the definition of Apad which is currently a constant defined in [RFC5709] to the source address thats carried in the IP header of the OSPFv2 protocol packet. Routers at the sending side must initialize Apad to a value of the source address that would be used when sending out the OSPFv2 packet, repeated L/4 times, where L is the length of the hash, measured in octets. The basic idea is to incorporate the source address from the IP header in the cryptographic authentication computation so that any change there can be detected. At the recieving end implementations MUST initialize Apad as the source address that exists in the IP Header of the incoming OSPFv2 protocol packet, repeated L/4 times, instead of the constant that's currently defined in [RFC5709]. Besides changing the value of Apad this document does not introduce any other changes to the authentication mechanism described in [RFC5709]. This would prevent all attacks where a rogue OSPF router changes the source address of the protocol packet and reflects it on some other interface as the authentication check would fail and all such packets would get rejected. Bhatia, et al. Expires July 23, 2011 [Page 19] Internet-Draft OSPF Manual Key Management January 2011 7. Security Considerations This document attempts to fix the manual key management procedure that currently exists within OSPFv2, as part of the Phase 1 of the KARP Working Group. This therefore, only considers manual key management mechanism to be used for OSPFv2. Any solution that takes advantage of the automatic key management mechanism is beyond the scope of this document. This document also provides a solution to prevent certain denial of service attacks that can be launched by changing the source address in the IP header of the OSPFv2 protocol packet. Bhatia, et al. Expires July 23, 2011 [Page 20] Internet-Draft OSPF Manual Key Management January 2011 8. IANA Considerations This document requests a new Auth Type to be defined for OSPFv2. It currently uses 3 to foster pre-standard deployments. Bhatia, et al. Expires July 23, 2011 [Page 21] Internet-Draft OSPF Manual Key Management January 2011 9. References 9.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998. [RFC5709] Bhatia, M., Manral, V., Fanto, M., White, R., Barnes, M., Li, T., and R. Atkinson, "OSPFv2 HMAC-SHA Cryptographic Authentication", RFC 5709, October 2009. 9.2. Informative References [I-D.hartman-ospf-analysis] Hartman, S. and D. Zhang, "Analysis of OSPF Security According to KARP Design Guide", draft-hartman-ospf-analysis-02 (work in progress), December 2010. [I-D.ietf-karp-crypto-key-table] Housley, R. and T. Polk, "Database of Long-Lived Symmetric Cryptographic Keys", draft-ietf-karp-crypto-key-table-00 (work in progress), November 2010. [I-D.ietf-karp-threats-reqs] Lebovitz, G., Bhatia, M., and R. White, "The Threat Analysis and Requirements for Cryptographic Authentication of Routing Protocols' Transports", draft-ietf-karp-threats-reqs-01 (work in progress), October 2010. [I-D.ietf-opsec-igp-crypto-requirements] Bhatia, M. and V. Manral, "Summary of Cryptographic Authentication Algorithm Implementation Requirements for Routing Protocols", draft-ietf-opsec-igp-crypto-requirements-04 (work in progress), October 2010. [RFC6039] Manral, V., Bhatia, M., Jaeggli, J., and R. White, "Issues with Existing Cryptographic Protection Methods for Routing Protocols", RFC 6039, October 2010. Bhatia, et al. Expires July 23, 2011 [Page 22] Internet-Draft OSPF Manual Key Management January 2011 Authors' Addresses Manav Bhatia Alcatel-Lucent Bangalore, India Phone: Email: manav.bhatia@alcatel-lucent.com Sam Hartman Painless Security Email: hartmans@painless-security.com Dacheng Zhang Huawei Technologies co., LTD. Beijing, China Phone: Fax: Email: zhangdacheng@huawei.com URI: Bhatia, et al. Expires July 23, 2011 [Page 23]