idnits 2.17.1 

draft-bellovin-keyroll2385-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** It looks like you're using RFC 3978 boilerplate.  You should update this
     to the boilerplate described in the IETF Trust License Policy document
     (see https://trustee.ietf.org/license-info), which is required now.

  -- Found old boilerplate from RFC 3978, Section 5.1 on line 15.

  -- Found old boilerplate from RFC 3978, Section 5.5 on line 284.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 295.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 302.

  -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 308.

  ** This document has an original RFC 3978 Section 5.4 Copyright Line,
     instead of the newer IETF Trust Copyright according to RFC 4748.

  ** This document has an original RFC 3978 Section 5.5 Disclaimer, instead
     of the newer disclaimer which includes the IETF Trust according to RFC
     4748.


  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the RFC 3978 Section 5.4 Copyright Line does not
     match the current year

  -- The document seems to lack a disclaimer for pre-RFC5378 work, but may
     have content which was first submitted before 10 November 2008.  If you
     have contacted all the original authors and they are all willing to grant
     the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
     this comment.  If not, you may need to add the pre-RFC5378 disclaimer. 
     (See the Legal Provisions document at
     https://trustee.ietf.org/license-info for more information.)

  -- The document date (September 26, 2006) is 6421 days in the past.  Is
     this intentional?


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  ** Obsolete normative reference: RFC 1323 (Obsoleted by RFC 7323)

  ** Obsolete normative reference: RFC 2385 (Obsoleted by RFC 5925)

  -- Obsolete informational reference (is this intentional?): RFC 3682
     (Obsoleted by RFC 5082)

  -- Obsolete informational reference (is this intentional?): RFC 4634
     (Obsoleted by RFC 6234)


     Summary: 6 errors (**), 0 flaws (~~), 1 warning (==), 9 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	Network Working Group                                        S. Bellovin
3	Internet-Draft                                       Columbia University
4	Intended status: Informational                        September 26, 2006
5	Expires: March 30, 2007

7	                   Key Change Strategies for TCP-MD5
8	                   draft-bellovin-keyroll2385-03.txt

10	Status of this Memo

12	   By submitting this Internet-Draft, each author represents that any
13	   applicable patent or other IPR claims of which he or she is aware
14	   have been or will be disclosed, and any of which he or she becomes
15	   aware will be disclosed, in accordance with Section 6 of BCP 79.

17	   Internet-Drafts are working documents of the Internet Engineering
18	   Task Force (IETF), its areas, and its working groups.  Note that
19	   other groups may also distribute working documents as Internet-
20	   Drafts.

22	   Internet-Drafts are draft documents valid for a maximum of six months
23	   and may be updated, replaced, or obsoleted by other documents at any
24	   time.  It is inappropriate to use Internet-Drafts as reference
25	   material or to cite them other than as "work in progress."

27	   The list of current Internet-Drafts can be accessed at
28	   http://www.ietf.org/ietf/1id-abstracts.txt.

30	   The list of Internet-Draft Shadow Directories can be accessed at
31	   http://www.ietf.org/shadow.html.

33	   This Internet-Draft will expire on March 30, 2007.

35	Copyright Notice

37	   Copyright (C) The Internet Society (2006).

39	Abstract

41	   The TCP-MD5 option is most commonly used to secure BGP sessions
42	   between routers.  However, changing the long-term key is difficult,
43	   since the change needs to be synchronized between different
44	   organizations.  We describe single-ended strategies that will permit
45	   (mostly) unsynchronized key changes.

47	1.  Introduction

49	   The TCP-MD5 option [RFC2385] is most commonly used to secure BGP
50	   sessions between routers.  However, changing the long-term key is
51	   difficult, since the change needs to be synchronized between
52	   different organizations.  Worse yet, if the keys are out of sync, it
53	   may break the connection between the two routers, rendering repair
54	   attempts difficult.

56	   The proper solution involves some sort of key management protocol.
57	   Apart from the complexity of such things, RFC 2385 was not written
58	   with key changes in mind.  In particular, there is no KeyID field in
59	   the option, which means that even a key management protocol would run
60	   into the same problem.

62	   Fortunately, a heuristic permits key change despite this protocol
63	   deficiency.  The change can be installed unilaterally at one end of a
64	   connection; it is fully compatible with the existing protocol.

66	1.1.  Terminology

68	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
69	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
70	   document are to be interpreted as described in [RFC2119].

72	2.  The Algorithm

74	   Separate algorithms are necessary for transmission and reception.
75	   Reception is easier; we explain it first.

77	2.1.  Reception

79	   A receiver has a list of valid keys.  Each key has a (conceptual)
80	   timestamp associated with it.  When a segment arrives, each key is
81	   tried in turn.  The segment is discarded if and only if it cannot be
82	   validated by any key in the list.

84	   In principle, there is no need to test keys in any particular order.
85	   For performance reasons, though, a simple MRU strategy -- try the
86	   last valid key first -- should work well.  More complex mechanisms,
87	   such as examining the TCP sequence number of an arriving segment to
88	   see whether it fits in a hole, are almost certainly unnecessary.  On
89	   the other hand, validating that a received segment is putatively
90	   legal, by checking its sequence number against the advertised window,
91	   can help avoid denial of service attacks.

93	   The newest key that has successfully validated a segment is marked as
94	   the "preferred" key; see below.

96	   Implicit in this scheme is the assumption that older keys will
97	   eventually be unneeded and can be removed.  Accordingly,
98	   implementations SHOULD provide an indication of when a key was last
99	   used successfully.

101	2.2.  Transmission

103	   Transmission is more complex, because the sender does not know which
104	   keys can be accepted at the far end.  Accordingly, the conservative
105	   strategy is to delay using any new keys for a considerable amount of
106	   time, probably measured in days.  This time interval is the amount of
107	   asynchronicity the parties wish to permit; it is agreed-upon out of
108	   band and configured manually.

110	   Some automation is possible, however.  If a key has been used
111	   successfully to validate an incoming segment, clearly the other side
112	   knows it.  Accordingly, any key marked as "preferred" by the
113	   receiving part of a stack SHOULD be used for transmissions.

115	   A sophisticated implementation could try alternate keys if the TCP
116	   retransmission counter gets too high.  (This is analogous to dead
117	   gateway detection.)  In particular, if a key change has just been
118	   attempted but such segments are not acknowledged, it is reasonable to
119	   fall back to the previous key and issue an alert of some sort.
120	   Similarly, an implementation with a new but unused key could
121	   occasionally try to use it, much in the way that TCP implementations
122	   probe closed windows.  Doing this avoid the "silent host" problem
123	   discusssed in Section 3.1.  This should be done at a moderately slow
124	   rate.

126	   Note that there is an ambiguity when an acknowledgment is received
127	   for a segment transmitted with two different keys.  The TCP Timestamp
128	   option [RFC1323] can be used for disambiguation.

130	3.  Operations

132	3.1.  Single-Ended Operations

134	   Suppose only one end of the connection has this algorithm
135	   implemented.  The new key is provisioned on that system, with a start
136	   time far in the future -- sufficiently far, in fact, that it will not
137	   be used spontaneously.  After the key is ready, the other end is
138	   notified, out-of-band, that a key change can commence.

140	   At some point, the other end is upgraded.  Because it does not have
141	   multiple keys available, it will start using the new key immediately
142	   for its transmission, and will drop all segments that use the old
143	   key.  As soon as it tries to transmit, the upgraded side will
144	   designate the new key as preferred, and will use it for all of its
145	   transmissions.  Note specifically that this will include
146	   retransmissions of any segments rejected because they used the old
147	   key.

149	   There is a problem if the unchanged machine is a "silent host" -- a
150	   host that has nothing to say, and hence does not transmit.  The best
151	   way to avoid this is for an upgraded machine to try a variety of keys
152	   in event of repeated unacknowledged packets, as discussed earlier.

154	3.2.  Double-Ended Operations

156	   Double-ended operations are similar, save that both sides deploy the
157	   new key at about the same time.  One should be configured to start
158	   using the new key at a point where it is reasonably certain that the
159	   other side would have it installed, too.  Assuming that that has in
160	   fact happened, the new key will be marked "preferred" on both sides.

162	3.3.  Monitoring

164	   As noted, implementations should monitor when a key was last used for
165	   transmission or reception.  Any monitoring mechanism can be used;
166	   most likely, it will be a combination of a MIB entry and a command-
167	   line display.  Regardless, the network operations center should keep
168	   track of this.  When a new key has been used successfully for both
169	   transmission and reception for a reasonable amount of time -- the
170	   exact value isn't crucial, but it should probably be longer than
171	   twice the maximum segment lifetime -- the old key can be marked for
172	   deletion.  There is an implicit assumption here that there will not
173	   be substantial overlap in the usage period of such keys; monitoring
174	   systems should look for any such anomalies, of course.

176	4.  Moving Forward

178	   As implied in Section 1, this is an interim strategy, intended to
179	   make TCP-MD5 operationally usable today.  We do not suggest or
180	   recommend it as a long-term solution.  In this section, we make some
181	   suggestions about the design of a future TCP authentication option.

183	   The first and most obvious change is to replace keyed MD5 with a
184	   stronger MAC [RFC4278].  Today, HMAC-SHA1 [RFC4634] is the preferred
185	   choice, though others such as UMAC [RFC4418] should be considered as
186	   well.

188	   A new authentication option should contain some form of Key ID field.
189	   Such an option would permit uambiguous identification of which key
190	   was used to create the MAC for a given segment, sparing the receiver
191	   the need to engage in the sort of heuristics described here.  A Key
192	   ID is useful with both manual and automatic key management.  (Note
193	   carefully that we do not prescribe any particular Key ID mechanism
194	   here.  Rather, we are stating a requirement: there must be a simple,
195	   low-cost way to select a particular key, and it must be possible to
196	   rekey without tearing down long-lived connections.)

198	   Finally, an automated key management mechanism should be defined.
199	   The general reasoning for that is set forth in [RFC4107]; specific
200	   issues pertaining to BGP and TCP are given in [RFC3562].

202	5.  Security Considerations

204	   In theory, accepting multiple keys simultaneously makes life easier
205	   for an attacker.  In practice, if the recommendations in [RFC3562]
206	   are followed, this should not be a problem.

208	   New keys must be communicated securely.  Specifically, new key
209	   messages must be kept confidential and must be properly
210	   authenticated.

212	   Having multiple keys makes CPU denial of service attacks easier.
213	   This suggests that keeping the overlap period reasonably short is a
214	   good idea.  In addition, the Generalized TTL Security Mechanism
215	   [RFC3682], if applicable to the local topology, can help.  Note that
216	   most of the time, only one key will exist; virtually all of the
217	   remaining time there will be only two keys in existence.

219	6.  Acknowledgments

221	   I'd like to thank Ron Bonica, Randy Bush, Ross Callon, Rob Evans,
222	   Eric Rescorla, and Sam Weiler for their comments and inspiration.

224	7.  References

226	7.1.  Normative

228	   [RFC1323]  Jacobson, V., Braden, B., and D. Borman, "TCP Extensions
229	              for High Performance", RFC 1323, May 1992.

231	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
232	              Requirement Levels", BCP 14, RFC 2119, March 1997.

234	   [RFC2385]  Heffernan, A., "Protection of BGP Sessions via the TCP MD5
235	              Signature Option", RFC 2385, August 1998.

237	7.2.  Informative

239	   [RFC3562]  Leech, M., "Key Management Considerations for the TCP MD5
240	              Signature Option", RFC 3562, July 2003.

242	   [RFC3682]  Gill, V., Heasley, J., and D. Meyer, "The Generalized TTL
243	              Security Mechanism (GTSM)", RFC 3682, February 2004.

245	   [RFC4107]  Bellovin, S. and R. Housley, "Guidelines for Cryptographic
246	              Key Management", BCP 107, RFC 4107, June 2005.

248	   [RFC4278]  Bellovin, S. and A. Zinin, "Standards Maturity Variance
249	              Regarding the TCP MD5 Signature Option (RFC 2385) and the
250	              BGP-4 Specification", RFC 4278, January 2006.

252	   [RFC4418]  Krovetz, T., "UMAC: Message Authentication Code using
253	              Universal Hashing", RFC 4418, March 2006.

255	   [RFC4634]  Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
256	              (SHA and HMAC-SHA)", RFC 4634, August 2006.

258	Author's Address

260	   Steven M. Bellovin
261	   Columbia University
262	   1214 Amsterdam Avenue
263	   MC 0401
264	   New York, NY  10027
265	   US

267	   Phone: +1 212 939 7149
268	   Email: bellovin@acm.org

270	Full Copyright Statement

272	   Copyright (C) The Internet Society (2006).

274	   This document is subject to the rights, licenses and restrictions
275	   contained in BCP 78, and except as set forth therein, the authors
276	   retain all their rights.

278	   This document and the information contained herein are provided on an
279	   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
280	   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
281	   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
282	   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
283	   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
284	   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

286	Intellectual Property

288	   The IETF takes no position regarding the validity or scope of any
289	   Intellectual Property Rights or other rights that might be claimed to
290	   pertain to the implementation or use of the technology described in
291	   this document or the extent to which any license under such rights
292	   might or might not be available; nor does it represent that it has
293	   made any independent effort to identify any such rights.  Information
294	   on the procedures with respect to rights in RFC documents can be
295	   found in BCP 78 and BCP 79.

297	   Copies of IPR disclosures made to the IETF Secretariat and any
298	   assurances of licenses to be made available, or the result of an
299	   attempt made to obtain a general license or permission for the use of
300	   such proprietary rights by implementers or users of this
301	   specification can be obtained from the IETF on-line IPR repository at
302	   http://www.ietf.org/ipr.

304	   The IETF invites any interested party to bring to its attention any
305	   copyrights, patents or patent applications, or other proprietary
306	   rights that may cover technology that may be required to implement
307	   this standard.  Please address the information to the IETF at
308	   ietf-ipr@ietf.org.

310	Acknowledgment

312	   Funding for the RFC Editor function is provided by the IETF
313	   Administrative Support Activity (IASA).