idnits 2.17.1

draft-bellovin-keyroll2385-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate. You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 14.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 188.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 165.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 172.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 178.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to
     RFC 4748.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

  == No 'Intended status' indicated for this document; assuming Proposed
     Standard

  == The page length should not exceed 58 lines per page, but there was 1
     longer page, the longest (page 1) being 60 lines

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section. (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack separate sections for Informative/Normative
     References. All references will be assumed normative when checking for
     downward references.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008. If you
     have contacted all the original authors and they are all willing to
     grant the BCP78 rights to the IETF Trust, then this is fine, and you can
     ignore this comment. If not, you may need to add the pre-RFC5378
     disclaimer. (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (June 18, 2006) is 6521 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  ** Obsolete normative reference: RFC 1323 (Obsoleted by RFC 7323)

  ** Obsolete normative reference: RFC 2385 (Obsoleted by RFC 5925)

  ** Downref: Normative reference to an Informational RFC: RFC 3562

     Summary: 8 errors (**), 0 flaws (~~), 3 warnings (==), 7 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

  2  Network Working Group                                        S. Bellovin
  3  Internet-Draft                                       Columbia University
  4  Expires: December 20, 2006                                 June 18, 2006

  6                     Key Change Strategies for TCP-MD5
  7                     draft-bellovin-keyroll2385-00.txt

  9  Status of this Memo

 11     By submitting this Internet-Draft, each author represents that any
 12     applicable patent or other IPR claims of which he or she is aware
 13     have been or will be disclosed, and any of which he or she becomes
 14     aware will be disclosed, in accordance with Section 6 of BCP 79.

 16     Internet-Drafts are working documents of the Internet Engineering
 17     Task Force (IETF), its areas, and its working groups. Note that
 18     other groups may also distribute working documents as Internet-
 19     Drafts.

 21     Internet-Drafts are draft documents valid for a maximum of six months
 22     and may be updated, replaced, or obsoleted by other documents at any
 23     time. It is inappropriate to use Internet-Drafts as reference
 24     material or to cite them other than as "work in progress."

 26     The list of current Internet-Drafts can be accessed at
 27     http://www.ietf.org/ietf/1id-abstracts.txt.

 29     The list of Internet-Draft Shadow Directories can be accessed at
 30     http://www.ietf.org/shadow.html.

 32     This Internet-Draft will expire on December 20, 2006.

 34  Copyright Notice

 36     Copyright (C) The Internet Society (2006).

 38  Abstract

 40     The TCP-MD5 option is most commonly used to secure BGP sessions
 41     between routers. However, changing the long-term key is difficult,
 42     since the change needs to be synchronized between different
 43     organizations. We describe single-ended strategies that will permit
 44     (mostly) unsynchronized key changes.

 46  1.  Introduction

 48     The TCP-MD5 option [RFC2385] is most commonly used to secure BGP
 49     sessions between routers. However, changing the long-term key is
 50     difficult, since the change needs to be synchronized between
 51     different organizations. Worse yet, if the keys are out of sync, it
 52     may break the connection between the two routers, rendering repair
 53     attempts difficult.

 55     The proper solution involves some sort of key management protocol.
 56     Apart from the complexity of such things, RFC 2385 was not written
 57     with key changes in mind. In particular, there is no KeyID field in
 58     the option, which means that even a key management protocol would run
 59     into the same problem.

 61     Fortunately, a heuristic permits key change despite this protocol
 62     deficiency. The change can be installed unilaterally at one end of a
 63     connection; it is fully compatible with the existing protocol.

 65  1.1.  Terminology

 67     The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 68     "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
 69     document are to be interpreted as described in [RFC2119].

 71  2.  The Algorithm

 73     Separate algorithms are necessary for transmission and reception.
 74     Reception is easier; we explain it first.

 76  2.1.  Reception

 78     A receiver has a list of valid keys. Each key has a timestamp
 79     associated with it. When a segment arrives, each key is tried in
 80     turn. The segment is discarded if and only if it cannot be validated
 81     by any key in the list.

 83     In principle, there is no need to test keys in any order. For
 84     performance reasons, though, a simple LRU strategy -- try the last
 85     valid key first -- should work well. More complex mechanisms, such
 86     as examining the TCP sequence number of an arriving segment to see
 87     whether it fits in a "hole", are almost certainly unnecessary.

 89     The newest key that has successfully validated a segment is marked as
 90     the "preferred" key; see below.

 92     Implicit in this scheme is the assumption that older keys will
 93     eventually be unneeded and can be removed. Accordingly,
 94     implementations SHOULD provide an indication of when a key was last
 95     used successfully.

 97  2.2.  Transmission

 99     Transmission is more complex, because the sender does not know which
100     keys can be accepted at the far end. Accordingly, the conservative
101     strategy is to delay using any new keys for a considerable amount of
102     time, probably measured in days. This time interval is the amount of
103     asynchronicity the parties wish to permit; it is agreed-upon out of
104     band and configured manually.

106     Some automation is possible, however. If a key has been used
107     successfully to validate an incoming segment, clearly the other side
108     knows it. Accordingly, any key marked as "preferred" by the receiver
109     SHOULD be used for transmissions.

111     A sophisticated implementation could try alternate keys if the TCP
112     retransmission counter gets too high. (This is analogous to dead
113     gateway detection.) In particular, if a key change has just been
114     attempted but such segments are not acknowledged, it is reasonable to
115     fall back to the previous key and issue an alert of some sort.

117     Note that there is an ambiguity when an acknowledgment is received
118     for a segment transmitted with two different keys. The TCP Timestamp
119     option [RFC1323] can be used for disambiguation.

121  3.  Security Considerations

123     In theory, accepting multiple keys simultaneously makes life easier
124     for an attacker. In practice, if the recommendations in [RFC3562]
125     are followed, this should not be a problem.

127     New keys must be communicated securely. In particular, new key
128     messages must be kept confidential and must be properly
129     authenticated.

131  4.  References

133     [RFC1323] Jacobson, V., Braden, B., and D. Borman, "TCP Extensions
134               for High Performance", RFC 1323, May 1992.

136     [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
137               Requirement Levels", BCP 14, RFC 2119, March 1997.

139     [RFC2385] Heffernan, A., "Protection of BGP Sessions via the TCP MD5
140               Signature Option", RFC 2385, August 1998.

142     [RFC3562] Leech, M., "Key Management Considerations for the TCP MD5
143               Signature Option", RFC 3562, July 2003.

145  Author's Address

147     Steven M. Bellovin
148     Columbia University
149     1214 Amsterdam Avenue
150     MC 0401
151     New York, NY 10027
152     US

154     Phone: +1 212 939 7149

156  Intellectual Property Statement

158     The IETF takes no position regarding the validity or scope of any
159     Intellectual Property Rights or other rights that might be claimed to
160     pertain to the implementation or use of the technology described in
161     this document or the extent to which any license under such rights
162     might or might not be available; nor does it represent that it has
163     made any independent effort to identify any such rights. Information
164     on the procedures with respect to rights in RFC documents can be
165     found in BCP 78 and BCP 79.

167     Copies of IPR disclosures made to the IETF Secretariat and any
168     assurances of licenses to be made available, or the result of an
169     attempt made to obtain a general license or permission for the use of
170     such proprietary rights by implementers or users of this
171     specification can be obtained from the IETF on-line IPR repository at
172     http://www.ietf.org/ipr.

174     The IETF invites any interested party to bring to its attention any
175     copyrights, patents or patent applications, or other proprietary
176     rights that may cover technology that may be required to implement
177     this standard. Please address the information to the IETF at
178     ietf-ipr@ietf.org.

180  Disclaimer of Validity

182     This document and the information contained herein are provided on an
183     "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
184     OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
185     ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
186     INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
187     INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
188     WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

190  Copyright Statement

192     Copyright (C) The Internet Society (2006). This document is subject
193     to the rights, licenses and restrictions contained in BCP 78, and
194     except as set forth therein, the authors retain all their rights.

196  Acknowledgment

198     Funding for the RFC Editor function is currently provided by the
199     Internet Society.
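
Added example (not part of the draft, and not the author's code): a sketch of the receive and transmit key selection described in Sections 2.1 and 2.2. The names Key, KeyRing, digest and tx_key, the sample keys and segment, and the simplified digest (MD5 over segment bytes plus key, without the TCP pseudo-header and header fields that RFC 2385 covers) are assumptions made for illustration. Choosing the newest key among those past the agreed delay and the "preferred" key is one reading of Section 2.2.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Key:
    secret: bytes
    installed: float                    # configuration time; larger means newer
    last_used: Optional[float] = None   # last successful validation (Section 2.1)

def digest(segment: bytes, key: Key) -> bytes:
    # Assumption: simplified stand-in for the RFC 2385 digest, which also
    # covers the TCP pseudo-header and the TCP header without options.
    return hashlib.md5(segment + key.secret).digest()

class KeyRing:
    def __init__(self, keys):
        self.keys = list(keys)   # trial order; head is the last key that worked
        self.preferred = None    # newest key that has validated a segment

    def receive(self, segment: bytes, mac: bytes, now: float) -> bool:
        for i, key in enumerate(self.keys):
            if hmac.compare_digest(digest(segment, key), mac):
                key.last_used = now                    # shows when a key went stale
                self.keys.insert(0, self.keys.pop(i))  # try this key first next time
                if self.preferred is None or key.installed > self.preferred.installed:
                    self.preferred = key
                return True
        return False             # discard only when no key in the list validates

    def tx_key(self, now: float, delay: float) -> Key:
        # Usable: keys older than the agreed delay, plus the preferred key.
        usable = [k for k in self.keys if k.installed + delay <= now]
        if self.preferred is not None:
            usable.append(self.preferred)
        if not usable:           # assumption: nothing aged in yet, use the oldest key
            return min(self.keys, key=lambda k: k.installed)
        return max(usable, key=lambda k: k.installed)

def demo():
    old, new = Key(b"constructed-old", 0.0), Key(b"constructed-new", 100.0)
    ring, seg = KeyRing([old, new]), b"constructed segment bytes"
    before = ring.tx_key(now=110.0, delay=50.0)        # new key not aged in yet
    ok_new = ring.receive(seg, digest(seg, new), now=120.0)
    after = ring.tx_key(now=120.0, delay=50.0)         # peer proved it holds the new key
    ok_old = ring.receive(seg, digest(seg, old), now=125.0)
    bad = ring.receive(seg, b"\x00" * 16, now=130.0)
    return before is old, ok_new, after is new, ok_old, bad
```

The last_used field is what an operator would read before removing an old key from the list; the retransmission-driven fallback in Section 2.2 is not modelled here.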