| draft-ietf-bfd-optimizing-authentication-02.txt | draft-ietf-bfd-optimizing-authentication-03.txt | |||
|---|---|---|---|---|
| Network Working Group M. Jethanandani | Network Working Group M. Jethanandani | |||
| Internet-Draft Cisco Systems | Internet-Draft Cisco Systems | |||
| Intended status: Standards Track A. Mishra | Intended status: Standards Track A. Mishra | |||
| Expires: July 9, 2017 A. Saxena | Expires: December 29, 2017 O3b Networks | |||
| A. Saxena | ||||
| Ciena Corporation | Ciena Corporation | |||
| M. Bhatia | M. Bhatia | |||
| Ionos Networks | Ionos Networks | |||
| January 5, 2017 | June 27, 2017 | |||
| Optimizing BFD Authentication | Optimizing BFD Authentication | |||
| draft-ietf-bfd-optimizing-authentication-02 | draft-ietf-bfd-optimizing-authentication-03 | |||
| Abstract | Abstract | |||
| This document describes an optimization to BFD Authentication as | This document describes an optimization to BFD Authentication as | |||
| described in Section 6.7 of BFD [RFC5880]. | described in Section 6.7 of BFD [RFC5880]. | |||
| Requirements Language | Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| skipping to change at page 1, line 41 ¶ | skipping to change at page 1, line 42 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on July 9, 2017. | This Internet-Draft will expire on December 29, 2017. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 22 ¶ | skipping to change at page 2, line 25 ¶ | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Authentication Mode . . . . . . . . . . . . . . . . . . . . . 3 | 2. Authentication Mode . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. NULL Auth TLV . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. NULL Auth TLV . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | |||
| 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 6.1. Normative References . . . . . . . . . . . . . . . . . . 5 | 6.1. Normative References . . . . . . . . . . . . . . . . . . 5 | |||
| 6.2. Informative References . . . . . . . . . . . . . . . . . 6 | 6.2. Informative References . . . . . . . . . . . . . . . . . 6 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 1. Introduction | 1. Introduction | |||
| Authenticating every BFD [RFC5880] packet with a Simple Password, or | Authenticating every BFD [RFC5880] packet with a Simple Password, or | |||
| with a MD5 Message-Digest Algorithm [RFC1321] , or Secure Hash | with a MD5 Message-Digest Algorithm [RFC1321] , or Secure Hash | |||
| Algorithm (SHA-1) algorithms is computationally intensive process, | Algorithm (SHA-1) algorithms is computationally intensive process, | |||
| making it difficult if not impossible to authenticate every packet - | making it difficult if not impossible to authenticate every packet - | |||
| particularly at faster rates. Also, the recent escalating series of | particularly at faster rates. Also, the recent escalating series of | |||
| attacks on MD5 and SHA-1 [SHA-1-attack1] [SHA-1-attack2] raise | attacks on MD5 and SHA-1 [SHA-1-attack1] [SHA-1-attack2] raise | |||
| concerns about their remaining useful lifetime as outlined in Updated | concerns about their remaining useful lifetime as outlined in Updated | |||
| skipping to change at page 4, line 45 ¶ | skipping to change at page 4, line 49 ¶ | |||
| Auth TL) | Auth TL) | |||
| Auth Len: The length of the NULL Auth TLV, in bytes i.e. 8 bytes | Auth Len: The length of the NULL Auth TLV, in bytes i.e. 8 bytes | |||
| Auth Key ID: The authentication key ID in use for this packet. Must | Auth Key ID: The authentication key ID in use for this packet. Must | |||
| be set to zero. | be set to zero. | |||
| Reserved: The authentication key ID in use for this packet. This | Reserved: The authentication key ID in use for this packet. This | |||
| allows multiple keys to be active simultaneously. | allows multiple keys to be active simultaneously. | |||
| Sequence Number: The sequence number for this packet. This value is | Sequence Number: The sequence number for this packet. Implementation | |||
| incremented for each successive packet transmitted for a session. | may use sequence numbers as defined in [RFC5880], or secure sequence | |||
| This provides protection against replay attacks. Must use the same | numbers as defined in [I-D.ietf-bfd-secure-sequence-numbers]. | |||
| sequence number counter as the authenticated frames. | ||||
| The NULL Auth TLV must be used for all frames that are not | The NULL Auth TLV must be used for all frames that are not | |||
| authenticated. This protects against replay-attacks by allowing the | authenticated. This protects against replay-attacks by allowing the | |||
| session to maintain an incrementing sequence number for all frames | session to maintain an incrementing sequence number for all frames | |||
| (authenticated and un-authenticated). | (authenticated and un-authenticated). | |||
| In the future, if a new scheme is adopted for changing the sequence | In the future, if a new scheme is adopted for changing the sequence | |||
| number, this method can adopt the new scheme without any impact. | number, this method can adopt the new scheme without any impact. | |||
| 4. IANA Considerations | 4. IANA Considerations | |||
| skipping to change at page 5, line 42 ¶ | skipping to change at page 5, line 45 ¶ | |||
| [FIPS-180-2] | [FIPS-180-2] | |||
| National Institute of Standards and Technology, FIPS PUB | National Institute of Standards and Technology, FIPS PUB | |||
| 180-2, "The Keyed-Hash Message Authentication Code | 180-2, "The Keyed-Hash Message Authentication Code | |||
| (HMAC)", August 2002. | (HMAC)", August 2002. | |||
| [FIPS-198] | [FIPS-198] | |||
| National Institute of Standards and Technology, FIPS PUB | National Institute of Standards and Technology, FIPS PUB | |||
| 198, "The Keyed-Hash Message Authentication Code (HMAC)", | 198, "The Keyed-Hash Message Authentication Code (HMAC)", | |||
| March 2002. | March 2002. | |||
| [I-D.ashesh-bfd-stability] | ||||
| Mishra, A., Jethanandani, M., Saxena, A., Networks, J., | ||||
| Chen, M., and P. Fan, "BFD Stability", draft-ashesh-bfd- | ||||
| stability-04 (work in progress), March 2016. | ||||
| [I-D.ietf-bfd-generic-crypto-auth] | [I-D.ietf-bfd-generic-crypto-auth] | |||
| Bhatia, M., Manral, V., Zhang, D., and M. Jethanandani, | Bhatia, M., Manral, V., Zhang, D., and M. Jethanandani, | |||
| "BFD Generic Cryptographic Authentication", draft-ietf- | "BFD Generic Cryptographic Authentication", draft-ietf- | |||
| bfd-generic-crypto-auth-06 (work in progress), April 2014. | bfd-generic-crypto-auth-06 (work in progress), April 2014. | |||
| [I-D.ietf-bfd-secure-sequence-numbers] | ||||
| Jethanandani, M., Agarwal, S., Mishra, A., Saxena, A., and | ||||
| A. DeKok, "Secure BFD Sequence Numbers", draft-ietf-bfd- | ||||
| secure-sequence-numbers-00 (work in progress), May 2017. | ||||
| [I-D.ietf-bfd-stability] | ||||
| Mishra, A., Jethanandani, M., Saxena, A., Networks, J., | ||||
| Chen, M., and P. Fan, "BFD Stability", draft-ietf-bfd- | ||||
| stability-00 (work in progress), May 2017. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <http://www.rfc-editor.org/info/rfc2119>. | <http://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC6039] Manral, V., Bhatia, M., Jaeggli, J., and R. White, "Issues | [RFC6039] Manral, V., Bhatia, M., Jaeggli, J., and R. White, "Issues | |||
| with Existing Cryptographic Protection Methods for Routing | with Existing Cryptographic Protection Methods for Routing | |||
| Protocols", RFC 6039, DOI 10.17487/RFC6039, October 2010, | Protocols", RFC 6039, DOI 10.17487/RFC6039, October 2010, | |||
| <http://www.rfc-editor.org/info/rfc6039>. | <http://www.rfc-editor.org/info/rfc6039>. | |||
| skipping to change at page 8, line 14 ¶ | skipping to change at page 8, line 21 ¶ | |||
| Mahesh Jethanandani | Mahesh Jethanandani | |||
| Cisco Systems | Cisco Systems | |||
| 170 W. Tasman Drive | 170 W. Tasman Drive | |||
| San Jose, CA 95134 | San Jose, CA 95134 | |||
| USA | USA | |||
| Phone: +1 (408) 526-8763 | Phone: +1 (408) 526-8763 | |||
| Email: mjethanandani@gmail.com | Email: mjethanandani@gmail.com | |||
| Ashesh Mishra | Ashesh Mishra | |||
| Ciena Corporation | O3b Networks | |||
| 3939 North 1st Street | ||||
| San Jose, CA 95134 | ||||
| USA | ||||
| Email: mishra.ashesh@gmail.com | Email: mishra.ashesh@gmail.com | |||
| Ankur Saxena | Ankur Saxena | |||
| Ciena Corporation | Ciena Corporation | |||
| 3939 N 1st Street | 3939 N 1st Street | |||
| San Jose, CA 95134 | San Jose, CA 95134 | |||
| USA | USA | |||
| Email: ankurpsaxena@gmail.com | Email: ankurpsaxena@gmail.com | |||
| End of changes. 9 change blocks. | ||||
| 18 lines changed or deleted | 20 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||