Internet Draft draft-bhatia-manral-crypto-req-ospf-00.txt July 2006 Network Working Group Manav Bhatia Internet Draft Lucent Technologies Expires: January 2007 Vishwas Manral IP Infusion Cryptographic Algorithm Implementations Requirements for OSPF draft-bhatia-manral-crypto-req-ospf-00.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf- ipr@ietf.org. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at: http://www.ietf.org/1id-abstracts.html Bhatia and Manral [Page 1] Internet Draft draft-bhatia-manral-crypto-req-ospf-00.txt July 2006 The list of Internet-Draft Shadow Directories can be accessed at: http://www.ietf.org/shadow.html This memo is a contribution to the IETF and is intended for future standards-track publication to update RFC-2082 and RFC-2453. This memo is not the product of any IETF working group. Distribution of this memo is unlimited. Abstract OSPF defines three different kinds of authentication schemes: Null authentication, simple password and cryptographic authentication. The cryptographic authentication scheme can make use of various cryptographic algorithms in order to authenticate the OSPF packets. To ensure interoperability between disparate implementations, it is necessary to specify a set of mandatory-to-implement algorithms to ensure that there is at least one algorithm that all implementations will have available. This document defines the current set of mandatory-to-implement algorithms to be used for the cryptographic authentication for OSPF as well as specifying the algorithms that should be implemented because they may be promoted to mandatory at some future time. Conventions used in this document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED","MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [KEYWORDS] 1. Introduction OSPF as defined in [RFC 2328] includes three different types of authentication schemes: Null authentication, simple password and cryptographic authentication. NULL authentication is akin to having no authentication at all. In the simple password scheme of authentication, the passwords are exchanged in the cleartext on the network and anyone with physical access to the network can learn the password and compromise the security of the OSPF domain. In the cryptographic authentication scheme, the OSPF routers on a common network/subnet share a secret key which is used to generate a keyed MD5 digest for each packet and a monotonically increasing sequence number scheme is used to prevent replay attacks. Bhatia and Manral [Page 2] Internet Draft draft-bhatia-manral-crypto-req-ospf-00.txt July 2006 This isn't good enough as there have recently been reports about attacks on the collision resistance properties of MD5 [MD5-attack] and SHA-1 [SHA-1-attack] hash functions. MD5CRK, was a distributed computing project to break the MD5 hash algorithm in a short period of time. The project closed down with the publication of the paper [MD5-attack]. It was discovered that collisions can be found in MD5 algorithm in less than 24 hours, making MD5 very insecure. Further research has verified this result and shown other ways to find collisions in MD5 hashes. We thus need to move away from MD5 towards more complex and difficult to break hash algorithms. The [OSPF-HMAC] document recently submitted in the IETF addresses this. It is imperative that we move away from using Keyed MD5 to something that’s cryptographically more stronger (like HMAC-SHA-1). However, the nature of cryptography is that new algorithms surface continuously and existing algorithms are continuously attacked. An algorithm believed to be strong today may be demonstrated to be weak tomorrow. Given this, the choice of mandatory-to-implement algorithm should be conservative so as to minimize the likelihood of it being compromised quickly. Also, we need to recognize that the mandatory-to-implement algorithm(s) may need to change over time to adapt to the changing world. For this reason, the selection of mandatory-to-implement algorithms should not be included in the base OSPF specification. This way it is only this document that needs to get updated, whenever there is a need to update the status of mandatory-to-implement authentication algorithms. 2. Requirements Terminology Keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT" and "MAY" that appear in this document are to be interpreted as described in [RFC2119]. We define some additional terms here: SHOULD+ This term means the same as SHOULD. However, it is likely that an algorithm marked as SHOULD+ will be promoted at some future time to be a MUST. SHOULD- This term means the same as SHOULD. However, it is likely that an algorithm marked as SHOULD- will be deprecated to a MAY or worse in a future version of this document. MUST- This term means the same as MUST. However, we expect Bhatia and Manral [Page 3] Internet Draft draft-bhatia-manral-crypto-req-ospf-00.txt July 2006 that at some point in the future this algorithm will no longer be a MUST. 3. Authentication Scheme Selection For OSPF implementations to interoperate, they must support one or more authentication schemes in common. This section specifies the requirements for standards conformant OSPF implementations, which desire to utilize the security feature. Old Old New Req. RFC Requirement Authentication Scheme --- ------ ----------- ------------------------ MUST 2328 SHOULD NOT Null Authentication (1) MUST 2328 SHOULD NOT Simple Password (2) MUST 2328 MUST Cryptographic Authentication The above is only true in case security is required, if there is no requirement of security from an implementation, the above requirements need not be followed Notes: (1)This is used when no authentication is required as there are scenarios when the operator does not really require any sort of authentication. However, this document lists down the requirements that an implementation must support in order to authenticate the OSPF packets. Clearly, NULL should not be used for that if the operator has network security in mind. (2)This is used when all the routers can “trust” one another but the operator does not want an accidental introduction of a router in the domain. Again the same logic applies. This scheme of authentication is useful, but not when the operator wants to “cryptographically” authenticate the OSPF packets. 4. Authentication Algorithm Selection For OSPF implementations to interoperate, they must support one or more authentication algorithms in common that can be used in the cryptographic scheme of authentication. This section details the authentication algorithm requirements for standards conformant OSPF implementations. Bhatia and Manral [Page 4] Internet Draft draft-bhatia-manral-crypto-req-ospf-00.txt July 2006 Old Old New Req. RFC Requirement Authentication Algorithm --- ------ ----------- ------------------------ MUST 2328 MUST- Keyed MD5 - - SHOULD+ HMAC-SHA-1 [OSPF-HMAC] - - MAY+ HMAC-SHA-256/HMAC-SHA-384/HMAC-SHA-512 5. Security Considerations TBD 6. Acknowledgements Much of the wording herein was adapted from RFC 4307, "Cryptographic Algorithms for Use in the Internet Key Exchange Version 2", by Jeffrey I. Schiller. 7. IANA Considerations This document places no requests to IANA. 8. References 8.1 Normative References [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119 [RFC2328] Moy, J., "OSPF Version 2", RFC 2328, April 1998 [OSPF-HMAC] Bhatia, M., Manral, V. and White, R.," OSPF HMAC Cryptographic Authentication”, Work in Progress 8.2 Informative References [MD5-attack] Wang, X. et al., "Collisions for Hash Functions MD4, MD5, HAVAL-128 and RIPEMD", August 2004, http://eprint.iacr.org/2004/199 [SHA-1-attack] Wang, X. et al., "Collision Search Attacks on SHA1", February 2005, http://theory.csail.mit.edu/~yiqun/shanote.pdf Bhatia and Manral [Page 5] Internet Draft draft-bhatia-manral-crypto-req-ospf-00.txt July 2006 9. Author's Addresses Manav Bhatia Lucent Technologies Bangalore, India Email: manav@lucent.com Vishwas Manral IP Infusion Bangalore, India Email: vishwas@ipinfusion.com 10. Intellectual Property Notice The IETF takes no position regarding the validity or scope of any intellectual property or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; neither does it represent that it as made any effort to identify any such rights. Information on the IETF's procedures with respect to rights in standards-track and standards-related documentation can be found in BCP-11. Copies of claims of rights made available for publication and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementors or users of this specification can be obtained from the IETF Secretariat. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights which may cover technology that may be required to practice this standard. Please address the information to the IETF Executive Director. 11. Full Copyright Notice Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Bhatia and Manral [Page 6] Internet Draft draft-bhatia-manral-crypto-req-ospf-00.txt July 2006 Bhatia and Manral [Page 7]