| draft-ietf-bfd-optimizing-authentication-04.txt | draft-ietf-bfd-optimizing-authentication-05.txt | |||
|---|---|---|---|---|
| Network Working Group M. Jethanandani | Network Working Group M. Jethanandani | |||
| Internet-Draft Cisco Systems | Internet-Draft | |||
| Intended status: Standards Track A. Mishra | Intended status: Standards Track A. Mishra | |||
| Expires: May 25, 2018 O3b Networks | Expires: November 26, 2018 SES Networks | |||
| A. Saxena | A. Saxena | |||
| Ciena Corporation | Ciena Corporation | |||
| M. Bhatia | M. Bhatia | |||
| Ionos Networks | Nokia | |||
| November 21, 2017 | May 25, 2018 | |||
| Optimizing BFD Authentication | Optimizing BFD Authentication | |||
| draft-ietf-bfd-optimizing-authentication-04 | draft-ietf-bfd-optimizing-authentication-05 | |||
| Abstract | Abstract | |||
| This document describes an optimization to BFD Authentication as | This document describes an optimization to BFD Authentication as | |||
| described in Section 6.7 of BFD [RFC5880]. | described in Section 6.7 of BFD RFC5880. | |||
| Requirements Language | Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in BCP 14 [RFC2119] | |||
| [RFC8174] when, and only when, they appear in all capitals, as shown | ||||
| here. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 25, 2018. | This Internet-Draft will expire on November 26, 2018. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Authentication Mode . . . . . . . . . . . . . . . . . . . . . 3 | 2. Authentication Mode . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. NULL Auth TLV . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. NULL Auth TLV . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | |||
| 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 6.1. Normative References . . . . . . . . . . . . . . . . . . 5 | 6.1. Normative References . . . . . . . . . . . . . . . . . . 6 | |||
| 6.2. Informative References . . . . . . . . . . . . . . . . . 6 | 6.2. Informative References . . . . . . . . . . . . . . . . . 6 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 1. Introduction | 1. Introduction | |||
| Authenticating every BFD [RFC5880] packet with a Simple Password, or | Authenticating every BFD [RFC5880] packet with a Simple Password, or | |||
| with a MD5 Message-Digest Algorithm [RFC1321] , or Secure Hash | with a MD5 Message-Digest Algorithm [RFC1321] , or Secure Hash | |||
| Algorithm (SHA-1) algorithms is computationally intensive process, | Algorithm (SHA-1) algorithms is computationally intensive process, | |||
| making it difficult if not impossible to authenticate every packet - | making it difficult if not impossible to authenticate every packet - | |||
| particularly at faster rates. Also, the recent escalating series of | particularly at faster rates. Also, the recent escalating series of | |||
| attacks on MD5 and SHA-1 [SHA-1-attack1] [SHA-1-attack2] raise | attacks on MD5 and SHA-1 [SHA-1-attack1] [SHA-1-attack2] raise | |||
| concerns about their remaining useful lifetime as outlined in Updated | concerns about their remaining useful lifetime as outlined in Updated | |||
| skipping to change at page 5, line 35 ¶ | skipping to change at page 6, line 18 ¶ | |||
| authentication a BFD session by taking away the onerous requirement | authentication a BFD session by taking away the onerous requirement | |||
| that every frame be authenticated. By authenticating frames that | that every frame be authenticated. By authenticating frames that | |||
| affect the state of the session, the security of the BFD session is | affect the state of the session, the security of the BFD session is | |||
| maintained. As such this document does not change the security | maintained. As such this document does not change the security | |||
| considerations for BFD. | considerations for BFD. | |||
| 6. References | 6. References | |||
| 6.1. Normative References | 6.1. Normative References | |||
| [FIPS-180-2] | ||||
| National Institute of Standards and Technology, FIPS PUB | ||||
| 180-2, "The Keyed-Hash Message Authentication Code | ||||
| (HMAC)", August 2002. | ||||
| [FIPS-198] | ||||
| National Institute of Standards and Technology, FIPS PUB | ||||
| 198, "The Keyed-Hash Message Authentication Code (HMAC)", | ||||
| March 2002. | ||||
| [I-D.ietf-bfd-generic-crypto-auth] | ||||
| Bhatia, M., Manral, V., Zhang, D., and M. Jethanandani, | ||||
| "BFD Generic Cryptographic Authentication", draft-ietf- | ||||
| bfd-generic-crypto-auth-06 (work in progress), April 2014. | ||||
| [I-D.ietf-bfd-secure-sequence-numbers] | [I-D.ietf-bfd-secure-sequence-numbers] | |||
| Jethanandani, M., Agarwal, S., Mishra, A., Saxena, A., and | Jethanandani, M., Agarwal, S., Mishra, A., Saxena, A., and | |||
| A. DeKok, "Secure BFD Sequence Numbers", draft-ietf-bfd- | A. DeKok, "Secure BFD Sequence Numbers", draft-ietf-bfd- | |||
| secure-sequence-numbers-00 (work in progress), May 2017. | secure-sequence-numbers-01 (work in progress), November | |||
| 2017. | ||||
| [I-D.ietf-bfd-stability] | ||||
| Mishra, A., Jethanandani, M., Saxena, A., Networks, J., | ||||
| Chen, M., and P. Fan, "BFD Stability", draft-ietf-bfd- | ||||
| stability-00 (work in progress), May 2017. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC6039] Manral, V., Bhatia, M., Jaeggli, J., and R. White, "Issues | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| with Existing Cryptographic Protection Methods for Routing | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| Protocols", RFC 6039, DOI 10.17487/RFC6039, October 2010, | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| <https://www.rfc-editor.org/info/rfc6039>. | ||||
| [RFC6151] Turner, S. and L. Chen, "Updated Security Considerations | ||||
| for the MD5 Message-Digest and the HMAC-MD5 Algorithms", | ||||
| RFC 6151, DOI 10.17487/RFC6151, March 2011, | ||||
| <https://www.rfc-editor.org/info/rfc6151>. | ||||
| [RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security | ||||
| Considerations for the SHA-0 and SHA-1 Message-Digest | ||||
| Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011, | ||||
| <https://www.rfc-editor.org/info/rfc6194>. | ||||
| 6.2. Informative References | 6.2. Informative References | |||
| [Dobb96a] Dobbertin, H., "Cryptanalysis of MD5 Compress", May 1996. | ||||
| [Dobb96b] Dobbertin, H., "The Status of MD5 After a Recent Attack", | ||||
| CryptoBytes", 1996. | ||||
| [I-D.ietf-karp-design-guide] | ||||
| Lebovitz, G. and M. Bhatia, "Keying and Authentication for | ||||
| Routing Protocols (KARP) Design Guidelines", draft-ietf- | ||||
| karp-design-guide-10 (work in progress), December 2011. | ||||
| [MD5-attack] | ||||
| Wang, X., Feng, D., Lai, X., and H. Yu, "Collisions for | ||||
| Hash Functions MD4, MD5, HAVAL-128 and RIPEMD", August | ||||
| 2004. | ||||
| [NIST-HMAC-SHA] | ||||
| National Institute of Standards and Technology, Available | ||||
| online at http://csrc.nist.gov/groups/ST/hash/policy.html, | ||||
| "NIST's Policy on Hash Functions", 2006. | ||||
| [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, | [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321, | |||
| DOI 10.17487/RFC1321, April 1992, | DOI 10.17487/RFC1321, April 1992, | |||
| <https://www.rfc-editor.org/info/rfc1321>. | <https://www.rfc-editor.org/info/rfc1321>. | |||
| [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- | ||||
| Hashing for Message Authentication", RFC 2104, | ||||
| DOI 10.17487/RFC2104, February 1997, | ||||
| <https://www.rfc-editor.org/info/rfc2104>. | ||||
| [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, | ||||
| "Randomness Requirements for Security", BCP 106, RFC 4086, | ||||
| DOI 10.17487/RFC4086, June 2005, | ||||
| <https://www.rfc-editor.org/info/rfc4086>. | ||||
| [RFC4822] Atkinson, R. and M. Fanto, "RIPv2 Cryptographic | ||||
| Authentication", RFC 4822, DOI 10.17487/RFC4822, February | ||||
| 2007, <https://www.rfc-editor.org/info/rfc4822>. | ||||
| [RFC5310] Bhatia, M., Manral, V., Li, T., Atkinson, R., White, R., | ||||
| and M. Fanto, "IS-IS Generic Cryptographic | ||||
| Authentication", RFC 5310, DOI 10.17487/RFC5310, February | ||||
| 2009, <https://www.rfc-editor.org/info/rfc5310>. | ||||
| [RFC5709] Bhatia, M., Manral, V., Fanto, M., White, R., Barnes, M., | ||||
| Li, T., and R. Atkinson, "OSPFv2 HMAC-SHA Cryptographic | ||||
| Authentication", RFC 5709, DOI 10.17487/RFC5709, October | ||||
| 2009, <https://www.rfc-editor.org/info/rfc5709>. | ||||
| [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection | [RFC5880] Katz, D. and D. Ward, "Bidirectional Forwarding Detection | |||
| (BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010, | (BFD)", RFC 5880, DOI 10.17487/RFC5880, June 2010, | |||
| <https://www.rfc-editor.org/info/rfc5880>. | <https://www.rfc-editor.org/info/rfc5880>. | |||
| [RFC6234] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms | [RFC6151] Turner, S. and L. Chen, "Updated Security Considerations | |||
| (SHA and SHA-based HMAC and HKDF)", RFC 6234, | for the MD5 Message-Digest and the HMAC-MD5 Algorithms", | |||
| DOI 10.17487/RFC6234, May 2011, | RFC 6151, DOI 10.17487/RFC6151, March 2011, | |||
| <https://www.rfc-editor.org/info/rfc6234>. | <https://www.rfc-editor.org/info/rfc6151>. | |||
| [RFC6194] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security | ||||
| Considerations for the SHA-0 and SHA-1 Message-Digest | ||||
| Algorithms", RFC 6194, DOI 10.17487/RFC6194, March 2011, | ||||
| <https://www.rfc-editor.org/info/rfc6194>. | ||||
| [SHA-1-attack1] | [SHA-1-attack1] | |||
| Wang, X., Yin, Y., and H. Yu, "Finding Collisions in the | Wang, X., Yin, Y., and H. Yu, "Finding Collisions in the | |||
| Full SHA-1", 2005. | Full SHA-1", 2005. | |||
| [SHA-1-attack2] | [SHA-1-attack2] | |||
| Wang, X., Yao, A., and F. Yao, "New Collision Search for | Wang, X., Yao, A., and F. Yao, "New Collision Search for | |||
| SHA-1", 2005. | SHA-1", 2005. | |||
| Authors' Addresses | Authors' Addresses | |||
| Mahesh Jethanandani | Mahesh Jethanandani | |||
| Cisco Systems | ||||
| 170 W. Tasman Drive | ||||
| San Jose, CA 95134 | ||||
| USA | USA | |||
| Phone: +1 (408) 526-8763 | ||||
| Email: mjethanandani@gmail.com | Email: mjethanandani@gmail.com | |||
| Ashesh Mishra | Ashesh Mishra | |||
| O3b Networks | SES Networks | |||
| Email: mishra.ashesh@gmail.com | Email: mishra.ashesh@gmail.com | |||
| Ankur Saxena | Ankur Saxena | |||
| Ciena Corporation | Ciena Corporation | |||
| 3939 N 1st Street | 3939 N 1st Street | |||
| San Jose, CA 95134 | San Jose, CA 95134 | |||
| USA | USA | |||
| Email: ankurpsaxena@gmail.com | Email: ankurpsaxena@gmail.com | |||
| Manav Bhatia | Manav Bhatia | |||
| Ionos Networks | Nokia | |||
| Bangalore | Bangalore | |||
| India | India | |||
| Email: manavbhatia@gmail.com | Email: manav.bhatia@nokia.com | |||
| End of changes. 21 change blocks. | ||||
| 102 lines changed or deleted | 31 lines changed or added | |||
This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||