idnits 2.17.00 (12 Aug 2021) /tmp/idnits37189/draft-polk-saag-rtg-auth-keytable-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 327 has weird spacing: '...FInputs non...' == Line 330 has weird spacing: '...rection bot...' == Line 343 has weird spacing: '...FInputs non...' == Line 346 has weird spacing: '...rection bot...' == Line 515 has weird spacing: '...FInputs non...' == (15 more instances...) == The document doesn't use any RFC 2119 keywords, yet seems to have RFC 2119 boilerplate text. -- The document date (November 8, 2010) is 4205 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- No issues found here. Summary: 0 errors (**), 0 flaws (~~), 8 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 INTERNET DRAFT T. Polk 3 Intended Status: Informational NIST 4 R. Housley 5 Vigil Security 6 Expires: May 12, 2011 November 8, 2010 8 Routing Authentication Using A Database of Long-Lived Cryptographic Keys 9 draft-polk-saag-rtg-auth-keytable-05.txt 11 Status of this Memo 13 This Internet-Draft is submitted to IETF in full conformance with the 14 provisions of BCP 78 and BCP 79. 16 Internet-Drafts are working documents of the Internet Engineering 17 Task Force (IETF), its areas, and its working groups. Note that 18 other groups may also distribute working documents as 19 Internet-Drafts. 21 Internet-Drafts are draft documents valid for a maximum of six months 22 and may be updated, replaced, or obsoleted by other documents at any 23 time. It is inappropriate to use Internet-Drafts as reference 24 material or to cite them other than as "work in progress." 26 The list of current Internet-Drafts can be accessed at 27 http://www.ietf.org/1id-abstracts.html 29 The list of Internet-Draft Shadow Directories can be accessed at 30 http://www.ietf.org/shadow.html 32 Abstract 34 This document describes the application of a database of long-lived 35 cryptographic keys to establish session-specific cryptographic keys 36 to support authentication services in routing protocols. Keys may be 37 established between two peers for pair-wise communications, or 38 between groups of peers for multicast traffic. 40 Table of Contents 42 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . 2 43 1.1 Terminology . . . . . . . . . . . . . . . . . . . . . . . . 2 44 2 Architecture and Design . . . . . . . . . . . . . . . . . . . . . 3 45 3 Pair-wise Application . . . . . . . . . . . . . . . . . . . . . . 3 46 4 Identifier Mapping . . . . . . . . . . . . . . . . . . . . . . . 5 47 4.1 Selected Range Reservation . . . . . . . . . . . . . . . . . 6 48 4.2 Protocol Specific Mapping Tables . . . . . . . . . . . . . . 6 49 5 Database Maintenance . . . . . . . . . . . . . . . . . . . . . . 6 50 6 Worked Examples . . . . . . . . . . . . . . . . . . . . . . . . . 6 51 6.1 Worked Example: TCP-AO . . . . . . . . . . . . . . . . . . . 7 52 6.1.1 Setup . . . . . . . . . . . . . . . . . . . . . . . . . 7 53 6.1.2 Protocol Operation: Xp Initiates a Connection . . . . . 8 54 6.1.3 Protocol Operation: Yp Initiates a Connection . . . . . 9 55 6.2 Worked Example: IS-IS . . . . . . . . . . . . . . . . . . . 9 56 6.2.1 Setup . . . . . . . . . . . . . . . . . . . . . . . . 10 57 6.2.2 Protocol Operations . . . . . . . . . . . . . . . . . 14 58 6.2.2.1 Sending a Hello Message . . . . . . . . . . . . 14 59 6.2.2.2 Receiving a Hello Message . . . . . . . . . . . 15 60 6.2.2.3 Generating a Link State PDU . . . . . . . . . . 15 61 6.2.2.4 Receiving a Link State PDU . . . . . . . . . . . 16 62 6.2.2.5 Sending a Sequence Number PDU . . . . . . . . . 16 63 6.2.2.6 Receiving a Sequence Number PDU . . . . . . . . 16 64 7 Security Considerations . . . . . . . . . . . . . . . . . . . 16 65 8 IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 66 9 IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 67 10 References . . . . . . . . . . . . . . . . . . . . . . . . . 17 68 10.1 Normative References . . . . . . . . . . . . . . . . . . 17 69 10.2 Informative References . . . . . . . . . . . . . . . . . 17 70 Author's Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 71 Full Copyright Statement . . . . . . . . . . . . . . . . . . . . 19 73 1 Introduction 75 This document describes the application of a database of long-lived 76 cryptographic keys, as defined in [KEYTAB], to establish session- 77 specific cryptographic keys to provide authentication services in 78 routing protocols. Keys may be established between two peers for 79 pair-wise communications, or between groups of peers for multicast 80 traffic. 82 1.1 Terminology 84 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 85 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 86 document are to be interpreted as described in RFC 2119 [RFC2119]. 88 2 Architecture and Design 90 Figure 1 illustrates the establishment and use of cryptographic keys 91 for authentication in routing protocols. Long-lived cryptographic 92 keys are inserted in a database manually. In the future, we 93 anticipate an automated key management protocol to insert these keys 94 in the database. (While this future environment conceivably includes 95 automated key management protocols to negotiate short-lived 96 cryptographic session keys, such keys are out of scope for this 97 database.) The structure of the database of long-lived cryptographic 98 keys is described in [KEYTAB]. 100 The cryptographic keying material for individual sessions is derived 101 from the keying material stored in the database of long-lived 102 cryptographic keys. A key derivation function (KDF) and its inputs 103 are named in the database of long-lived cryptographic keys; session 104 specific values based on the routing protocol are input the the KDF. 105 Protocol specific key identifiers may be assigned to the 106 cryptographic keying material for individual sessions if needed. 108 +--------------+ +----------------+ 109 | | | | 110 | Manual Key | | Automated Key | 111 | Installation | | Mgmt. Protocol | 112 | | | | 113 +------+-------+ +--+----------+--+ 114 | | | 115 | | | 116 V V |<== Out of scope for this model. 117 +------------------------+ | Often used in other 118 | | | protocol environments 119 | Long-lived Crypto Keys | | like IPsec and TLS. 120 | | | 121 +------------+-----------+ | 122 | | 123 | | 124 V V 125 +---------------------------------+ 126 | | 127 | Short-lived Crypto Session Keys | 128 | | 129 +---------------------------------+ 131 Figure 1. Cryptographic key establishment and use. 133 3 Pair-wise Application 134 Figure 2 illustrates how the long-lived cryptographic keys are 135 accessed and employed when an entity wishes to establish a protected 136 session with a peer. As one step in the initiation process, the 137 initiator requests the set of long term keys associated with the peer 138 for the particular protocol. If the set contains more than one key, 139 the initiator selects one long-term key based on the local policy. 140 The long-term key is provided as an input, along with session- 141 specific information (e.g., ports or initial counters), to a key 142 derivation function. The result is session-specific key material 143 which is used to generate cryptographic authentication. 145 Where the initiator is establishing a multicast session, the Peer in 146 the key request identifies the set of systems that will receive this 147 information. 149 +-------------------------+ 150 | | 151 | Long-Lived | 152 | Crypto Keys | 153 | | 154 +-+---------------------+-+ 155 ^ | 156 | | 157 | V 158 +-------+-------+ +-------+-------+ 159 | | | | 160 | Lookup Keys | | Select Key | 161 | By Peer | | By Policy | 162 | and Protocol | | | 163 | | +-------+-------+ 164 +-------+-------+ | 165 ^ | 166 | V 167 | +-------+-------+ 168 | | | 169 | | Session Key | 170 | | Derivation | 171 | | | 172 | +-------+-------+ 173 | | 174 | | 175 +-------+-------+ V 176 | | +-------+-------+ 177 | Initiate | | | 178 | Session | |Authentication | 179 | with Peer | | Mechanism | 180 | | | | 181 +---------------+ +---------------+ 182 Figure 2. Session Initiation 184 Figure 3 illustrates how the long-lived cryptographic keys are 185 accessed and employed when an entity receives a request establish a 186 protected session with a peer. As step one in the session 187 establishment process, the receiver extracts the keyID for the long- 188 term keyID from the received data. The receiver then requests the 189 specified long-term key from the table. The long-term key is provided 190 as an input, along with session-specific information (e.g., ports or 191 initial counters), to a key derivation function. The result is 192 session-specific key material which is used to verify the 193 cryptographic authentication information. 195 +-------------------------+ 196 | | 197 | Long-Lived | 198 | Crypto Keys | 199 | | 200 +-+---------------------+-+ 201 ^ | 202 | | 203 | V 204 +-------+-------+ +-------+-------+ 205 | | | | 206 | Lookup Key | | Session Key | 207 | By KeyID | | Derivation | 208 | | | | 209 +-------+-------+ +-------+-------+ 210 ^ | 211 | | 212 | V 213 +-------+-------+ +-------+-------+ 214 | | | | 215 | Receive Data | |Authentication | 216 | From Peer | | Mechanism | 217 | | | | 218 +---------------+ +---------------+ 220 Figure 3. Session Acceptance 222 4 Identifier Mapping 224 [KEYTAB] specifies a 16-bit identifier, but protocols already exist 225 with key identifiers of various sizes. Where the identifiers are of 226 different sizes, an extra mapping step may be required. Note that 227 mapping mechanisms are local - that is, different mapping mechanisms 228 could be employed on different peers. 230 In practice, the mapping process need only be applied to the 231 LocalKeyID, whose value must be unique in the context of the 232 database, as defined in [KEYTAB]. Uniqueness is not required for the 233 PeerKeyID, so mapping is generally restricted to truncation. Mapping 234 would only be needed to expand PeerKeyID's value beyond 16 bits. 236 4.1 Selected Range Reservation 238 Where a protocol uses an index of less than 16 bits, a selected range 239 of the local index space can be reserved for a particular protocol. 240 For example, consider two protocols P1 and P2 that each use 8 bit key 241 identifiers. Without identifier mapping these protocols would share 242 the space {0x0000 through 0x00ff} which would limit the pair of 243 protocols to 256 keys in total. By reserving the ranges {0x7f00 244 through 0x7fff} and {0x7e00 through 0x7eff} for P1 and P2 245 respectively permits each protocol to use the full 256 key 246 identifiers and establishes an unambiguous mapping for the protocol 247 key identifiers and local table identifiers. 249 When an initiator selects a key from the set in the table, the given 250 key identifier needs to be masked or shifted to the on-the-wire 251 range. Before requesting a specific key, the receiver would use a 252 shim layer to map the on-the-wire identifier into the reserved range. 254 4.2 Protocol Specific Mapping Tables 256 Each protocol can also maintain a simple mapping table with two 257 fields: the 16 bit index and the protocol specific value: 259 KEYTAB index (16 bits) | Protocol specific index (8 bits) 261 In this case, the host system would maintain separate mapping tables 262 for protocols P1 and P2. 264 5 Database Maintenance 266 The previous sections focus upon installing and using the 267 cryptographic keys in the database. A mechanism or mechanisms to 268 remove unneeded keys is also needed to ensure that the key material 269 up-to-date. [KEYTAB] provides mechanisms for expiration of entries; 270 such key management could be performed in a fully automated fashion. 271 Other reasons for key removal, such as severing a business 272 relationship, or deciding a long lived key has been compromised 273 before its expiration date, would inherently require a manual key 274 removal process. 276 6 Worked Examples 277 6.1 Worked Example: TCP-AO 279 This section describes the way a TCP-AO implementation could use the 280 database. [tcpao] TCP-AO protocol is an example where the key 281 identifier is limited to 8 bits, so an identifier mapping is needed. 283 We will assume two peers Xp and Yp. Xp employs the range reservation 284 method for mapping and has reserved the range {0x7f00 ... 0x7fff} for 285 LocalKeyIDs for TCP-AO, mapping to {0x00 ... 0xff}. Yp employs a 286 protocol specific mapping table in its TCP-AO implementation. 288 The following subsections describe how peers Xp and Yp make use of 289 the database of long-lived cryptographic keys when Xp and Yp 290 respectively initiate a session. (Note: Rollover to new sessions 291 keys during a session is described in [tcpao].) 293 6.1.1 Setup 295 The owners of Xp and Yp determine a need for authenticated 296 communication using TCP-AO. They decide to use AES-CMAC-128 for 297 authentication, so a 128 bit key is needed. They decide to use the 298 same key for both directions (inbound and outbound), and that the key 299 will be available from 12/31/2010 through 12/31/2011. Through an out- 300 of-band channel, the administrators establish the shared secret: 302 0x0123456789ABCDEF0123456789ABCDEF 304 Peer Xp selects the first available TCP-AO identifier in the reserved 305 range, which is 0x7f05 and maps to an eight-bit identifier 0x05. 306 Peer Yp selects the next available TCP-AO identifier, 0x12, and the 307 next available LocalKeyID, which is 0x0107. Peer Yp also adds an 308 entry to its TCP-AO mapping table mapping the LocalKeyID to the TCP- 309 AO identifier, as shown in Figure 5: 311 LocalKeyID TCP-AO identifier 312 -------------------------------- 313 0x001a | 0x01 314 0x004d | 0x02 315 ... ... 316 0x0107 | 0x12 318 Figure 5. Protocol Specific KeyID Mapping Table for TCP-AO 320 After exchanging the TCP-AO identifiers, the peers have sufficient 321 information to establish their [KEYTAB] entries. Peer Xp's [KEYTAB] 322 entry is shown as Figure 6: 324 LocalKeyID 0x7f05 325 PeerKeyID 0x0012 326 KDF ???? 327 KDFInputs none 328 AlgID AES-CMAC-128 329 Key 0x0123456789ABCDEF0123456789ABCDEF 330 Direction both 331 NotBefore 12/31/2010 332 NotAfter 12/31/2011 333 Peers yp.example.com 334 Protocol TCP-AO 336 Figure 6. Key Table Entry on Xp 338 Peer Yp's [KEYTAB] entry is shown as Figure 6: 340 LocalKeyID 0x0107 341 PeerKeyID 0x0005 342 KDF ???? 343 KDFInputs none 344 AlgID AES-CMAC-128 345 Key 0x0123456789ABCDEF0123456789ABCDEF 346 Direction both 347 NotBefore 12/31/2010 348 NotAfter 12/31/2011 349 Peers xp.example.com 350 Protocol TCP-AO 352 Figure 7. Key Table Entry on Yp 354 6.1.2 Protocol Operation: Xp Initiates a Connection 356 Peer Xp wishes to initiate a connection with Peer Yp. 358 (1) Xp performs a key lookup for {Peer=Yp, Protocol=TCP-AO}, and the 359 entry with LocalKeyID 0x7f05 is returned. 360 (2) The LocalKeyID 0x7f05 is range mapped by Xp to the TCP-AO 361 identifier 0x05. 362 (3) Xp performs the session key derivation using the mechanism 363 specified for the TCP-AO protocol in [ao-crypto]. 364 (4) Xp generates the AES-CMAC-128 MACs for the outgoing traffic using 365 the derived key, and asserts the key identifier 0x05 in the packets. 366 (5) Yp receives a protected packet from Xp, and extracts the key 367 identifier 0x05. 368 (6) Yp performs a a key lookup for {Peer=Xp, Protocol=TCP-AO, 369 PeerKeyID=0x05}, and the entry with LocalKeyID 0x0107 is returned. 370 (7) Yp performs the session key derivation using the mechanism 371 specified for the TCP-AO protocol in [ao-crypto]. 372 (8) Yp verifies the MACs for the incoming traffic using the derived 373 key. 375 6.1.3 Protocol Operation: Yp Initiates a Connection 377 Where Peer Yp establishes the connection, the same process is 378 followed, except that the range mapping process from step (2) is 379 replaced by a table lookup. 381 6.2 Worked Example: IS-IS 383 This section describes the way an IS-IS implementation supporting the 384 IS-IS generic cryptographic authentication mechanism could use the 385 database. [isis] [rfc1195] [rfc5310] IS-IS is an interior gateway 386 protocol (IGP) that can be used to support IP as well as OSI. 388 IS-IS routers are grouped into "areas". Routers establish adjacencies 389 with their neighboring routers and share link state information 390 through flooding. Information shared within an area is termed Level 1 391 information, and information shared between areas is termed level 2 392 information. An IS-IS router can be Level 1, Level 2, or both 393 (designated as Level 1/2). Level 1 routers only form Level 1 394 adjacencies with other Level 1 or Level 1/2 routers within their own 395 area. Level 2 or Level 1/2 routers can form adjacencies with other 396 Level 2 or Level 1/2 routers in other areas as well as their own 397 area. 399 An IS-IS deployment can have multiple Level 1 areas; Level 1 areas 400 are differentiated by area addresses that are unique within the IS-IS 401 deployment. (An IS-IS deployment has only a single Level 2 domain 402 which is formed from all the Level 2 and Level 1/2 routers within the 403 routing domain, irrespective of their area addresses.) 405 The IS-IS protocol supports routers that are connected by LANs and 406 point-to-point links. Level 1 and Level 2 messages on a LAN are 407 differentiated by the broadcast address. Point-to-Point links may be 408 configured as Level 1, Level 2, or both. 410 This worked example describes how an IS-IS router, denoted Rp, makes 411 use of the database for the following eight cases: 412 * sending a LAN IS to IS Hello PDU 413 * receiving a LAN IS to IS Hello PDU 414 * sending a Point-to-Point IS to IS Hello PDU 415 * receiving a Point-to-Point IS to IS Hello PDU 416 * sending a Link State Packet 417 * receiving a Link State Packet 418 * sending sequence number PDUs 419 * receiving sequence number PDUs 420 In this example, Rp is a Level 1/2 router. Rp has two LAN interfaces; 421 on the first interface (eth0) Rp is connected to other Level 1 422 routers; on the second interface (eth1) Rp is connected to both other 423 Level 1 and Level 2 routers by a LAN. Rp is also connected to one 424 additional Level 1 router, Rq, by a point-to-point link (ppp1). The 425 Level 1 area that Rp participates in has an area address of: 427 0x4922 429 The IS-IS protocol supports routers that are connected by LANs and 430 point-to-point links. Level 1 and Level 2 messages on a LAN are 431 differentiated by the broadcast address. The implementation will use 432 the following multicast addresses: 434 Level 1: 01-80-C2-00-00-14 435 Level 2: 01-80-C2-00-00-15 437 The authentication mechanism specified in RFC 5310 uses a 16 bit key 438 identifier which matches the key table, so the identifier can be used 439 directly. 441 In this example, an interior router Rp makes use of the database of 442 long-lived cryptographic keys to manage its IS-IS long-term keys. Rp 443 participates in both Level 1 and Level 2. 445 (For this example, we will use a single area address for each area. 446 Note that multiple area addresses can be supported for each area.) 448 In addition to the area addresses that specify the set of recipients, 449 six octet system IDs are used to uniquely identify the sender. The 450 system ID is required to be unique within the area, and in practice 451 is derived from a MAC address. Rp has the following system ID 453 0x123456 455 The Network Entity Title (or NET) is constructed from the system ID 456 and the area. Rp has the following NET: 458 Level 1 Area: 0x4922123456 460 6.2.1 Setup 462 The owners of the IS-IS system determine a need for authenticated 463 communication between the interior gateways. They decide to use HMAC- 464 SHA1 for authentication with 128 bit keys. 466 For routers that only participate in Level 1, there are two long-term 467 keys: one for hello traffic, and a second for link state PDUs. For 468 routers that participate in both Level 1 and Level 2, two additional 469 long-term keys are required: again, the two keys are used to protect 470 hellos and LSPs, respectively. The owners decide these keys will be 471 available from 12/31/2010 through 12/31/2011. Through an out-of-band 472 channel, the administrators establish the following shared secrets: 474 * a pairwise key for each point-to-point link to protect hello 475 messages; 477 * a multicast key for each broadcast LAN interface for each Level to 478 protect hello messages; 480 * a multicast key for LSP and sequence number packets for each Level 481 1 area; and 483 * a multicast key for LSP and sequence number packets for the Level 2 484 domain. 486 Since Rp will send Level 1 hellos on two LANs and a point-to-point 487 link, and Level 2 hellos on one LAN, it will be configured with four 488 IS-IS hello keys. These keys are specified in Figures 8 through 11, 489 respectively. 491 Level 1 hello traffic: 0x0123456789ABCDEF0123456789ABCDEF 492 Level 1 link state PDUs: 0x123456789ABCDEF0123456789ABCDEF0 493 Level 2 hello traffic: 0x23456789ABCDEF0123456789ABCDEF01 494 Level 2 link state PDUs: 0x3456789ABCDEF0123456789ABCDEF012 496 Since the three LAN hello keys are for multicast traffic, the leading 497 bit of the LocalKeyID is required to be 1. PeerkeyID is set to group. 498 There is a pairwsie key for the point-to-point hellos (in Figure 499 10), Since there is no concept of a session, key diversification is 500 not needed. This implies there is no kdf or kdf inputs, and the 501 long-term key is used directly to protect the messages. The 502 algorithm id indicates hmac sha1, and the direction is both inbound 503 and outbound. 505 The key generator selects the first available IS-IS identifier. For 506 a new implementation, any value may be selected. Otherwise, the key 507 identifiers can not collide with currently assigned values for IS-IS 508 keys. Since Rp participates at both Level 1 and Level 2, Rp installs 509 all four keys. Rp's [KEYTAB] entries are shown as Figures 8 through 510 11: 512 LocalKeyID 0x7101 513 PeerKeyID group 514 KDF none 515 KDFInputs none 516 AlgID HMAC-SHA-1 517 Key 0x0123456789ABCDEF0123456789ABCDEF 518 Interface eth0 519 Direction both 520 NotBefore 12/31/2010 521 NotAfter 12/31/2011 522 Peers 0x4922 523 Protocol IS-IS Hello L1 525 Figure 8. Key Table Entry on Rp for Level 1 LAN Hellos on eth0 527 (use ppp1) 529 LocalKeyID 0x7102 530 PeerKeyID 0x7102 531 KDF none 532 KDFInputs none 533 AlgID HMAC-SHA-1 534 Key 0x123456789ABCDEF0123456789ABCDEF0 535 Interface eth1 536 Direction both 537 NotBefore 12/31/2010 538 NotAfter 12/31/2011 539 Peers 0x4922 540 Protocol IS-IS Hello L1 542 Figure 9. Key Table Entry on Rp for Level 1 LAN Hellos on eth1 544 LocalKeyID 0x0003 545 PeerKeyID 0x0105 546 KDF none 547 KDFInputs none 548 AlgID HMAC-SHA-1 549 Key 0x23456789ABCDEF0123456789ABCDEF01 550 Interface ppp1 551 Direction both 552 NotBefore 12/31/2010 553 NotAfter 12/31/2011 554 Peers 0x4922 555 Protocol IS-IS Hello L1 557 Figure 10. Key Table Entry on Rp for Level 1 point-to-point Hellos 559 LocalKeyID 0x7103 560 PeerKeyID group 561 KDF none 562 KDFInputs none 563 AlgID HMAC-SHA-1 564 Key 0x3456789ABCDEF0123456789ABCDEF012 565 Interface eth1 566 Direction both 567 NotBefore 12/31/2010 568 NotAfter 12/31/2011 569 Peers 0x4922 570 Protocol IS-IS Hello L2 572 Figure 11. Key Table Entry on Rp for Level 2 Hellos on eth1 574 Rp also requires two multicast keys for flooding Link State Packets 575 and transmitting Sequence number packets. The first key is shared 576 throughout the Level 1 Area 0x4922; the second key is shared amongst 577 the routers in the Level 2 domain. Rp's [KEYTAB] entries for the two 578 multicast LSP/sequence number packet keys are shown as Figures 12 and 579 13: 581 LocalKeyID 0x7104 582 PeerKeyID group 583 KDF none 584 KDFInputs none 585 AlgID HMAC-SHA-1 586 Key 0x456789ABCDEF0123456789ABCDEF0123 587 Interface * 588 Direction both 589 NotBefore 12/31/2010 590 NotAfter 12/31/2011 591 Peers 0x4922 592 Protocol IS-IS LSP L1 594 Figure 12. Key Table Entry on Rp for Level 1 LSPs and Sequence Number 595 packets 597 LocalKeyID 0x7105 598 PeerKeyID group 599 KDF none 600 KDFInputs none 601 AlgID HMAC-SHA-1 602 Key 0x56789ABCDEF0123456789ABCDEF01234 603 Interface * 604 Direction both 605 NotBefore 12/31/2010 606 NotAfter 12/31/2011 607 Peers IS-IS L2 608 Protocol IS-IS LSP L2 610 Figure 13. Key Table Entry on Rp for Level 1 LSPs and Sequence Number 611 packets 613 6.2.2 Protocol Operations 615 The following subsections describe how an IS-IS router makes use of 616 the database for the following four cases: 617 * sending a Hello message 618 * receiving a Hello message 619 * sending a Link State Packet 620 * receiving a Link State Packet 621 * sending a sequence number PDU 622 * receiving a sequence number PDU 624 6.2.2.1 Sending a Hello Message 626 Rp wishes to send a Hello message. Because Rp is configured with 627 three Level 1 interfaces, and one Level 2 interface, four different 628 hello messages will be transmitted. Each message is protected with 629 the key IS-IS Hello key for that interface and level. 631 For each LAN interface: 633 (1) Rp performs a key lookup for the interface (e.g., eth0 or eth1) 634 with the protocol "IS-IS Hello L1". 635 (2) Rp parses the key entry and determines the algorithm attribute 636 (in this example, the algorithm attribute is always HMAC-SHA1). 637 (3) Rp constructs the outgoing LAN Hello PDU. If replay protection 638 is a concern, Rp includes a timestamp with the local time. (The 639 timestamp would would be contained in a new TLV. Such a TLV has not 640 been specified at this time.) 641 (4) Rp generates the SHA1-HMAC for the outgoing LAN Hello using the 642 long-term key, and asserts the appropriate key identifier in the RFC 643 5310 authentication mechanism TLV. 644 (5) Rp transmits the Hello message on the LAN interface using the 645 Level 1 multicast MAC address. 647 For the point-to-point HELLO: 649 (1) Rp performs a key lookup for the interface (ppp1) and protocol 650 "IS-IS Hello L1". 651 (2) Rp parses the key entry and determines the algorithm attribute 652 (i.e., HMAC-SHA1). 653 (3) Rp constructs the outgoing point-to-point Hello PDU. If replay 654 protection is a concern, Rp includes a timestamp with the local time. 655 (4) Rp generates the SHA1-HMAC for the outgoing point-to-point LAN 656 Hello using the long-term key, and asserts the key identifier in the 657 RFC 5310 authentication mechanism TLV. 658 (5) Rp transmits the Hello message over the point-to-point link. 660 6.2.2.2 Receiving a Hello Message 662 Rp processes hello messages by the following algorithm: 664 (1) Rp parses the RFC 5310 authentication mechanism TLV and performs 665 a key lookup using the included PeerKeyID. 666 (2) Rp parses the key entry and 667 (a) Rp verifies the keyID is associated with this interface. If 668 the interface does not match, the sender or receiver is 669 misconfigured. An alarm is triggered and the hello is discarded. 670 Otherwise, continue with (2)(b). 671 (b) Rp determines the algorithm attribute (in this case, HMAC- 672 SHA1). 673 (3) Rp calculates the SHA1-HMAC and compares it to the value in the 674 Hello. If the HMACs do not match, the message is discarded. 675 (Otherwise proceed to step 4.) 676 (4) Rp checks the timestamp state for the sender. (If the timestamp 677 value is NULL, proceed to 6. If there is a timestamp value for this 678 sender, proceed to step 7). 679 (5) Rp extracts the timestamp, if any, and compares it to the value 680 in the Hello. If the timestamp is earlier than the stored timestamp, 681 or no timestamp was present, the Hello message is discarded. If the 682 timestamp is later than the stored timestamp, update the stored value 683 and process the Hello message. 684 (6) Process the hello message. 686 [Note that there is no different in processing for LAN or Point-to- 687 point hellos.] 689 6.2.2.3 Generating a Link State PDU 691 Rp wishes to send a link state PDU to the other routers. To perform 692 this task, Rp constructs two separate LSPs, protected by its Level 1 693 and Level 2 LSP keys. The LSPs are transmitted to each neighbor that 694 has formed an adjacency with Rp as appropriate. (Level 1 LSPs are 695 ONLY transmitted over links which have a Level 1 adjacency, and 696 similarly Level 2 LSPs only over links which have Level 2 697 adjacencies.) 699 (1) Rp performs a key lookup for protocol "IS-IS L1 Flood". (The 700 entry with PeerKeyID 0x7104 is returned.) 701 (2) Rp parses the key entry and determines the algorithm attribute 702 (HMAC-SHA1). 703 (3) Rp constructs the Level 1 link state PDU. Note that this includes 704 a sequence number. 705 (4) Rp generates the appropriate MAC for the outgoing LSP using the 706 long-term key, and asserts the key identifier 0x7104 in the RFC 5310 707 authentication mechanism TLV. 708 (5) Rp transmits the LSP to all current L1 neighboring adjacencies. 710 The process is repeated for Level 2, beginning with a key lookup for 711 protocol "IS-IS L2 Flood"". Note that the Level 2 link state PDU 712 constructed in step (3) will contain different information than the 713 Level 1 LSP. 715 6.2.2.4 Receiving a Link State PDU 717 Rp processes incoming link state PDUs by the following algorithm: 719 (1) Rp parses the RFC 5310 authentication mechanism TLV and performs 720 a key lookup using the PeerKeyID. 721 (2) Rp parses the key entry and determines the algorithm attribute 722 (HMAC-SHA1) 723 (3) Rp calculates the SHA1-HMAC and compares it to the value in the 724 link state PDU. If the HMACs do not match, the message is discarded. 725 (Otherwise proceed to step 4.) 726 (4) Rp performs IS-IS processing to ensure the message is fresh 727 (e.g., checks the sequence number for the sender.) If Rp already has 728 fresher information, Rp will discard the packet, then construct an 729 LSP with the fresher information and forward it to the sender. 730 Otherwise, perform step 5. 731 (5) Rp forwards the verified Link State PDU to all neighbors with the 732 same level except the neighbor that transmitted the PDU. (That is, 733 Level 1 Link State PDUs are forwarded to Level 1 neighbors; Level 2 734 Link State PDUs are forwarded to Level 2 neighbors.) 736 6.2.2.5 Sending a Sequence Number PDU 738 The cryptographic process for protecting a Sequence Number PDU is the 739 same as those specified for LSPs in 6.2.2.3. Note that there is no 740 difference when sending partial or full link state PDUs. 742 6.2.2.6 Receiving a Sequence Number PDU 744 The cryptographic process for authenticating a Sequence Number PDU is 745 the same as those specified for LSPs in 6.2.2.4. 747 7 Security Considerations 749 The "hello" message processing examples assume the existence of a 750 timestamp extension to provide replay protection. Sequence numbers 751 for hello messages would provide an alternative solution; the authors 752 selected a timestamp since this imposes no state on the sender. Time 753 synchronization is not needed to achieve replay protection; receivers 754 that desire replay protection simply retain the timestamp from the 755 previous hello for comparison. 757 By requiring an IS-IS router to begin using timestamps immediately 758 upon key change, or not at all, step (x) in 6.2.2.2 could have been 759 omitted. By verifying that previous messages did not have a 760 timestamp, a receiver prevents replay of a past hello message that 761 did not include timestamps that was protected with the current key. 763 The timestamp was omitted from the point-to-point hello in the 764 example based on an assumption of physically protected media. If that 765 is not the case, the timestamp could be included in these messages as 766 well. 768 8 IANA Considerations 770 This document requires no actions by IANA. 772 9 IANA Considerations 774 Mike Shand was amazingly patient and helpful, demystifying and 775 explaining IS-IS. The authors are grateful for his assistance. Any 776 remaining mistakes in section 6.2 are the responsibility of the 777 authors, of course! 779 10 References 781 10.1 Normative References 783 [RFC2119] S. Bradner, "Key words for use in RFCs to Indicate 784 Requirement Levels", BCP 14, RFC 2119, March 1997. 786 [KEYTAB] R. Housley and Polk, T. "Database of Long-Lived 787 Cryptographic Keys", draft-housley-saag-crypto-key-table- 788 04.txt, October 2010. 790 10.2 Informative References 792 [tcpao] J. Touch, Mankin A., and Bonica R. "The TCP Authentication 793 Option", draft-ietf-tcpm-tcp-auth-opt-08.txt, October 794 2009. 796 [ao-crypto] Lebovitz, G., "Cryptographic Algorithms, Use, & 797 Implementation Requirments for TCP Authentication 798 Option", draft-lebovitz-ietf-tcpm-tcp-ao-crypto-02.txt, 799 July 2009. 801 [rfc1195] Callon, R., "Use of OSI IS-IS for routing in TCP/IP and 802 dual environments", RFC 1195, December 1990. 804 [isis] International Organization for Standardization, 805 "Intermediate system to Intermediate system intra-domain 806 routeing information exchange protocol for use in 807 conjunction with the protocol for providing the 808 connectionless-mode Network Service (ISO 8473)", ISO/IEC 809 10589:2002, Second Edition, Nov 2002. 811 [rfc5310] M. Bhatia, Manral, V., Li, T., Atkinson, R., White, R. 812 and Fanto, M. "IS-IS Generic Cryptographic 813 Authentication", RFC 5310, February 2009 815 Author's Addresses 817 Tim Polk 818 National Institute of Standards and Technology 819 100 Bureau Drive, Mail Stop 8930 820 Gaithersburg, MD 20899-8930 821 USA 822 EMail: tim.polk@nist.gov 824 Russell Housley 825 Vigil Security, LLC 826 918 Spring Knoll Drive 827 Herndon, VA 20170 828 USA 829 EMail: housley@vigilsec.com 831 Full Copyright Statement 833 Copyright (c) 2010 IETF Trust and the persons identified as the 834 document authors. All rights reserved. 836 This document is subject to BCP 78 and the IETF Trust's Legal 837 Provisions Relating to IETF Documents 838 (http://trustee.ietf.org/license-info) in effect on the date of 839 publication of this document. Please review these documents 840 carefully, as they describe your rights and restrictions with respect 841 to this document. 843 All IETF Documents and the information contained therein are provided 844 on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE 845 REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE 846 IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL 847 WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY 848 WARRANTY THAT THE USE OF THE INFORMATION THEREIN WILL NOT INFRINGE 849 ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS 850 FOR A PARTICULAR PURPOSE.