| < draft-ietf-karp-isis-analysis-00.txt | draft-ietf-karp-isis-analysis-01.txt > | |||
|---|---|---|---|---|
| KARP Working Group U.C. Chunduri | KARP Working Group U. Chunduri | |||
| Internet-Draft A.T. Tian | Internet-Draft A. Tian | |||
| Intended status: Informational W.L. Lu | Intended status: Informational W. Lu | |||
| Expires: September 12, 2013 Ericsson Inc., | Expires: April 23, 2014 Ericsson Inc., | |||
| March 11, 2013 | October 20, 2013 | |||
| KARP IS-IS security analysis | KARP IS-IS security analysis | |||
| draft-ietf-karp-isis-analysis-00 | draft-ietf-karp-isis-analysis-01 | |||
| Abstract | Abstract | |||
| This document analyzes the threats applicable for Intermediate system | This document analyzes the threats applicable for Intermediate system | |||
| to Intermediate system (IS-IS) routing protocol and security gaps | to Intermediate system (IS-IS) routing protocol and security gaps | |||
| according to the KARP Design Guide. This document also provides | according to the KARP Design Guide. This document also provides | |||
| specific requirements to address the gaps with both manual and auto | specific requirements to address the gaps with both manual and auto | |||
| key management protocols. | key management protocols. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 35 | skipping to change at page 1, line 35 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 12, 2013. | This Internet-Draft will expire on April 23, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2013 IETF Trust and the persons identified as the | Copyright (c) 2013 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 36 | skipping to change at page 2, line 36 | |||
| 2.3.1. Replay Attacks . . . . . . . . . . . . . . . . . . . 5 | 2.3.1. Replay Attacks . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.3.1.1. Current Recovery mechanism for LSPs . . . . . . . 7 | 2.3.1.1. Current Recovery mechanism for LSPs . . . . . . . 7 | |||
| 2.3.2. Spoofing Attacks . . . . . . . . . . . . . . . . . . 7 | 2.3.2. Spoofing Attacks . . . . . . . . . . . . . . . . . . 7 | |||
| 2.3.3. DoS Attacks . . . . . . . . . . . . . . . . . . . . . 8 | 2.3.3. DoS Attacks . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 3. Gap Analysis and Security Requirements . . . . . . . . . . . 8 | 3. Gap Analysis and Security Requirements . . . . . . . . . . . 8 | |||
| 3.1. Manual Key Management . . . . . . . . . . . . . . . . . . 8 | 3.1. Manual Key Management . . . . . . . . . . . . . . . . . . 8 | |||
| 3.2. Key Management Protocols . . . . . . . . . . . . . . . . 9 | 3.2. Key Management Protocols . . . . . . . . . . . . . . . . 9 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . 11 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 11 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . 11 | 7.2. Informative References . . . . . . . . . . . . . . . . . 11 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 1. Introduction | 1. Introduction | |||
| This document analyzes the current state of Intermediate system to | This document analyzes the current state of Intermediate system to | |||
| Intermediate system (IS-IS) protocol according to the requirements | Intermediate system (IS-IS) protocol according to the requirements | |||
| set forth in [RFC6518] for both manual and key management protocols. | set forth in [RFC6518] for both manual and auto key management | |||
| protocols. | ||||
| With currently published work, IS-IS meets some of the requirements | With currently published work, IS-IS meets some of the requirements | |||
| expected from a manually keyed routing protocol. Integrity | expected from a manually keyed routing protocol. Integrity | |||
| protection is expanded with more cryptographic algorithms and also | protection is expanded with more cryptographic algorithms and also | |||
| limited algorithm agility (HMAC-SHA family) is provided with | limited algorithm agility (HMAC-SHA family) is provided with | |||
| [RFC5310]. Basic form of Intra-connection re-keying capability is | [RFC5310]. Basic form of Intra-connection re-keying capability is | |||
| provided by the specification [RFC5310] with some gaps as explained | provided by the specification [RFC5310] with some gaps as explained | |||
| in Section 3. | in Section 3. | |||
| This draft summarizes the current state of cryptographic key usage in | This draft summarizes the current state of cryptographic key usage in | |||
| IS-IS protocol and several previous efforts to analyze IS-IS | IS-IS protocol and several previous efforts to analyze IS-IS | |||
| security. This includes base IS-IS specification [RFC1195], | security. This includes base IS-IS specification [RFC1195], | |||
| [RFC5304], [RFC5310] and the OPSEC working group document [RFC6039]. | [RFC5304], [RFC5310] and the OPSEC working group document [RFC6039]. | |||
| Authors would like to acknowledge all the previous work done in the | Authors would like to acknowledge all the previous work done in the | |||
| above documents. | above documents. | |||
| This document also analyzes applicability of various threats as | This document also analyzes applicability of various threats as | |||
| described in [RFC6862] to IS-IS, lists gaps and provides specific | described in [RFC6862] to IS-IS, lists gaps and provide specific | |||
| recommendations to thwart the applicable threats for both manual | recommendations to thwart the applicable threats for both manual | |||
| keying and for auto key management mechanisms. | keying and for auto key management mechanisms. | |||
| 1.1. Requirements Language | 1.1. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in RFC 2119 [RFC2119]. | document are to be interpreted as described in RFC 2119 [RFC2119]. | |||
| 1.2. Acronyms | 1.2. Acronyms | |||
| skipping to change at page 11, line 36 | skipping to change at page 11, line 29 | |||
| 7.2. Informative References | 7.2. Informative References | |||
| [I-D.hartman-karp-mrkmp] | [I-D.hartman-karp-mrkmp] | |||
| Hartman, S., Zhang, D., and G. Lebovitz, "Multicast Router | Hartman, S., Zhang, D., and G. Lebovitz, "Multicast Router | |||
| Key Management Protocol (MaRK)", draft-hartman-karp- | Key Management Protocol (MaRK)", draft-hartman-karp- | |||
| mrkmp-05 (work in progress), September 2012. | mrkmp-05 (work in progress), September 2012. | |||
| [I-D.ietf-karp-crypto-key-table] | [I-D.ietf-karp-crypto-key-table] | |||
| Housley, R., Polk, T., Hartman, S., and D. Zhang, | Housley, R., Polk, T., Hartman, S., and D. Zhang, | |||
| "Database of Long-Lived Symmetric Cryptographic Keys", | "Database of Long-Lived Symmetric Cryptographic Keys", | |||
| draft-ietf-karp-crypto-key-table-06 (work in progress), | draft-ietf-karp-crypto-key-table-08 (work in progress), | |||
| February 2013. | July 2013. | |||
| [I-D.weis-gdoi-mac-tek] | [I-D.weis-gdoi-mac-tek] | |||
| Weis, B. and S. Rowles, "GDOI Generic Message | Weis, B. and S. Rowles, "GDOI Generic Message | |||
| Authentication Code Policy", draft-weis-gdoi-mac-tek-03 | Authentication Code Policy", draft-weis-gdoi-mac-tek-03 | |||
| (work in progress), September 2011. | (work in progress), September 2011. | |||
| [I-D.yeung-g-ikev2] | [I-D.yeung-g-ikev2] | |||
| Rowles, S., Yeung, A., Tran, P., and Y. Nir, "Group Key | Rowles, S., Yeung, A., Tran, P., and Y. Nir, "Group Key | |||
| Management using IKEv2", draft-yeung-g-ikev2-05 (work in | Management using IKEv2", draft-yeung-g-ikev2-06 (work in | |||
| progress), October 2012. | progress), April 2013. | |||
| [RFC2154] Murphy, S., Badger, M., and B. Wellington, "OSPF with | [RFC2154] Murphy, S., Badger, M., and B. Wellington, "OSPF with | |||
| Digital Signatures", RFC 2154, June 1997. | Digital Signatures", RFC 2154, June 1997. | |||
| [RFC4107] Bellovin, S. and R. Housley, "Guidelines for Cryptographic | [RFC4107] Bellovin, S. and R. Housley, "Guidelines for Cryptographic | |||
| Key Management", BCP 107, RFC 4107, June 2005. | Key Management", BCP 107, RFC 4107, June 2005. | |||
| [RFC5309] Shen, N. and A. Zinin, "Point-to-Point Operation over LAN | [RFC5309] Shen, N. and A. Zinin, "Point-to-Point Operation over LAN | |||
| in Link State Routing Protocols", RFC 5309, October 2008. | in Link State Routing Protocols", RFC 5309, October 2008. | |||
| End of changes. 8 change blocks. | ||||
| 14 lines changed or deleted | 15 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/