| KARP | W. Atwood |
| Internet-Draft | R. Bangalore Somanatha |
| Intended status: Standards Track | Concordia University/CSE |
| Expires: January 16, 2014 | S. Hartman |
| Painless Security | |
| D. Zhang | |
| Huawei | |
| July 15, 2013 |
Authentication, Authorization and Policy Management for Routing Protocols
draft-atwood-karp-aapm-rp-00
When tightening the security of the core routing infrastructure, one requirement is to ensure that the keying material for the routing protocol exchanges is distributed only to the appropriate routers. This document specifies requirements on the authentication and authorization of routers and proposes the use of policy distribution to achieve those requirements.
This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 16, 2014.
Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
Within the Keying and Authentication for Routing Protocols (KARP) working group, there are several goals:
Within the first goal, each routing protocol has its own procedures for protecting a routing protocol message "on the wire", given appropriate parameters such as an appropriate traffic encryption key and the cryptographic transforms to be used. How these parameters are placed is not defined by the routing protocol specification.
Within the second goal, protocols and procedures for creating shared keys for specific environments have been developed [I-D.hartman-karp-mrkmp] [I-D.mahesh-karp-rkmp], under the assumption that the end points of the exchanges (the routers) are entitled to enter into the conversation. However, these protocols rely on the authentication mechanisms of IKEv2 [RFC5996] to ensure the endpoints are who they say they are. No way is offered to provide these mechanisms with expected endpoint identities or to provide information on whether an endpoint is entitled to be a neighbor. Provision of expected endpoint identities and neighbor authorization is in effect provision of a policy on what constitutes an acceptable identity and who is an acceptable neighbor.
In addition, requirements for an operations and management model are specified in [I-D.ietf-karp-ops-model].
This document addresses the issue of policy distribution for authentication and authorization of adjacent routers in secure routing protocols. In particular, it addresses the need to ensure that cryptographic parameters are distributed only to routers that legitimately form part of the "authorized neighbor set" of a particular router. It is not concerned with the contents of the exchanged Routing Protocol messages; this is the responsibility of the Routing Protocol specification documents. It is also not concerned with the validity of the Routing Protocol messages themselves; this is being considered by the SIDR working group. Finally, in accordance with the KARP charter, only source authentication is provided for the Routing Protocol messages; confidentiality of these messages is out-of-scope at this time.
If the proposed authentication and authorization mechanisms are not in place, the mechanism used for authentication is likely to be a preshared key, with the same key used throughout a specific area. It is also likely never to be changed, given the difficulty of making this change. When changes come in the topology of the network, it is difficult to tell whether a new router is legitimate or not.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
A network that is managed by a particular System Administrator will have some number of routers in it, each of which will be running some set of routing protocols.
For a particular routing protocol, the network is divided into one or more Administrative Domains (AD). An AD is a set of routers with a common policy. An AD might encompass a collection of BGP routers spanning several Autonomous Systems, or all of the routers inside a particular Autonomous System, or all of the routers in an organization, or all of the routers in a unit within an organization, or simply a pair of routers with a point-to-point link.
We distinguish four participants in the architecture:
[[NOTE: A figure would be helpful here.]]
The common policy for a particular AD is managed by the ADM.
Each router has a unique identity in the context of a particular AD. To deal with the issue of interaction between routers in adjacent ADs, the link between two such routers may either be managed by one of the ADs, or a small AD may be created to manage that specific link. In either case, this implies that a specific router may have more than one identity. Authentication of a router involves presenting this identity and establishing its validity.
For a particular routing protocol, a router needs to know which other routers are allowed to exchange routing messages with it. This set of legitimate neighbors may, in general, be different for each routing protocol that a particular router is executing. Authorization of a router involves matching the identity of that router against the policy governing the set of permitted neighbors.
Within an AD, there are two levels of interaction. At the first level, there is the interaction between the ADM and each of the client routers (GMs). At the second level, there are the interactions between a specific router and the members of its neighbor set.
To participate in the activities within an AD, a router must be authenticated, i.e., it must be able to prove that it is a legitimate member of the AD.
To be permitted to communicate with an adjacent router (however adjacency is defined for a particular routing protocol), a router must be authorized. A router needs to present its identity when communicating with the ADM and also when communicating with the routers that are adjacent to it.
The ADM will distribute to each router the policy that defines how the router is to assess the authenticity of a prospective neighbor, and how the router is to ascertain that the prospective neighbor is authorized to communicate with it.
The SA interacts with the ADM to set the policies for the AD.
The ADM establishes a mutually authenticated relationship with each client router, i.e., with each GM in the AD.
The ADM then pushes the policy definitions to the GMs.
Based on the policy, each GM establishes a mutually authenticated relationship with each of its authorized neighbors.
Each GM will then negotiate cryptographic parameters with its neighbors, or distribute the parameters that it generates, depending on the policy in place.
This specification introduces a new conceptual database on each GM, the Routing Authentication Policy Database (RAPD). The RAPD compliments the key table [I-D.ietf-karp-crypto-key-table]. The key table provides manually configured keys and the RAPD provides policy for automated key management. The RAPD provides services similar to the IPsec Security Policy Database and Peer Authentication Database [RFC4301]
The RAPD serves the following purposes:
See Section 5 for details on the RAPD.
The aim of this document is to specify an overall system for automated key management, which will eliminate the disadvantages of the manual method of key updating. The basic function of this automated system is to distribute and enforce the key management policies of the Administrative Domain. In accordance with these policies, secure generation and distribution will be effected of the keys or other cryptographic material that will be used for the router-to-router exchanges. The system will also enable key updates at regular intervals so as to protect against both active intruders and passive intruders who could be eavesdropping the traffic after having gained access to the keys secretly.
Along with these basic goals, a key management system should satisfy an additional set of requirements. These requirements ensure among other things, security, easy deployment, robustness and scalability. We have compiled this set after referring to the KARP Design Guide [RFC6518], the KARP Threats and Requirements Guide [RFC6862] and the PIM-SM "security on the wire" specification [RFC5796].
[[NOTE: The following lists of goals were appropriate in the context of Revathi's thesis, which was on formal validation of the security of her proposed protocols. Since we will probably meet at least some of these goals by using an already-standardized, secure protocol, the list is subject to revision as the details of the framework are established.]]
Each router is assumed to have an identity, i.e., some way of distinguishing it from other routers. The form of this identity is determined by the SA of the network. It may be a simple string, or it may be a cryptographically strong identity such as that proposed by Chunduri [draft-chunduri].
Each router is assumed to have a way to assert the validity of this identity. The acceptable form(s) of this assertion mechanism will be determined by the policy set by the SA.
[[NOTE: Insert examples here from Sections 4.1, 4.2 and 4.3 of the ops-model.]]
A router has a neighbor set, which is the set of routers that it is able to exchange packets with. The connection used for this exchange may be physical or virtual.
A router has an authorized neighbor set, for a particular Routing Protocol, which is the set of routers that it is authorized to communicate with using the exchanges of that Routing Protocol.
The verification that a router in the neighbor set is also in the authorized neighbor set for a particular Routing Protocol is governed by a policy that is set by the SA.
[[NOTE: Insert examples here from ops-model, section 4.]]
When a router discovers one or more members of its authorized neighbor set, it will then generate, negotiate, or acquire the cryptographic parameters that it will use when exchanging Routing Protocol packets with these neighbors. Depending on the procedures defined by the Routing Protocol specification for securing the exchanged packets, these cryptographic parameters may include the key(s) to be used, the IPsec Security Parameter Index (SPI) assigned, etc.
For the case where inter-router communication is based on unicast communication, an approach has been developed, which is presented in [I-D.mahesh-karp-rkmp]. For the case where the inter-router communication is based on multicast exchanges, an approach has been developed, which is presented in [I-D.hartman-karp-mrkmp].
An important aspect of the design is ease of deployment. When a new router is installed, the following steps must be taken:
A router must store the information concerning its governing policies in a form of storage that persists over a reboot.
When a router reboots (and especially when a large number of routers reboot due to a power failure and restoration), a router must use the stored information to re-establish its neighbor relationships. This will minimize the likelihood of an apparent denial of service attack on the ADM.
Once the router has established its neighbor relationships, and after a suitable (random) interval, the router should contact its ADM to refresh its policy database.
According to the key table, routing protocols specify a peer and protocol in order to request a key to send a message. The peer is either the identity of a unicast peer or of a group. The form of the peer identifier is specified by the specific routing protocol in question.
The peer and protocol are enough to find an existing key. As a result, the RAPD needs to be able to locate the appropriate automated key management policy given a peer and protocol.
The RAPD is also used by key management applications when a peer attempts to authenticate or request a key. In this instance, the key management application has the IKE identity of the peer.
In order to establish an IKE SA, the following information is needed:
In order to establish a routing SA keyed by an IKE SA, the following information is needed:
Additional information is required for multicast policy.
The RAPD entry needs to include enough information that the remote peer can be authenticated. The required information tends to break down along the same lines as the credential types discussed in section 4 of [I-D.ietf-karp-ops-model].
For pre-shared keys, mutual authentication is obtained by using the same key in both directions. In this case the credential for outbound authentication is a pre-shared key. For inbound authentication, multiple acceptable credentials can be provided.
For public keys used outside of authentication, authentication needs to happen in each direction. Each peer needs a private key and potentially a certificate to send as a credential. Each peer also needs a set of acceptable fingerprints for the remote key-management peer's key or certificate.
When a PKI is used, each peer needs a private key and a certificate as a credential. In addition, trust anchors and constraints on how to validate whether an asserted identifier is appropriate for the presented certificate are required.
One open question is how to organize the RAPD. When initiating a connection, policy is found using the peer and protocol information. When receiving an incoming association, the peer and protocol might not be available until the routing protocol SA is requested so policy needs to be found based on the initiator's asserted identity.
One approach would be to separate incoming and outgoing policy and use two different databases. This is highly undesirable from an operational standpoint. In general it is not possible to know ahead of time which router will initiate a key management exchange. For this reason, it is strongly desired from an operational standpoint that the policy be symmetric. That is, an association SHOULD successfully authenticate and be authorized independent of which party initiates the association. There are exceptions; for example, in a multicast association, one router MAY be configured not to take on the role of a Group Controller/Key Server (GCKS) and such a router could not respond to key-management associations.
Another approach is to have a single database indexed by the tuple containing peer and protocol as well as the set of acceptable remote identifiers.
Another approach is to have two databases. One contains the peer, protocol, unicast key management endpoint and a policy identifier. The second database contains the remaining information along with a policy identifier. It is indexed by the policy identifier and by the set of acceptable remote identifiers. This layout is very similar to the breakdown between IPsec's SPD and PAD.
All of these approaches assume that the set of acceptable remote identifiers is enumerated in the policy database. In a PKI this may be undesirable.
[[NOTE: I give below my initial suggestion on a list of policy items that will need to be distributed. My student Nitin has suggested a different way to organize the information, specifically by looking at the types of interaction: SA - ADM; ADM - GM and GM - GM. I expect that both views will be necessary and will revise the document appropriately.]]
In this section, we give an initial list of the policy items that will need to be distributed. The policy will have several facets, each derived from the operational steps.
The system configuration information consists of the following:
This information is pushed regularly to allow for changes to the ADM location and the SADM location after the initial (manual) configuration.
These entries deal with how to identify a legitimate member of the AD.
Under certain circumstances, the ideas in KARP KMP: Simplified Peer Authentication [I-D.chunduri-karp-kmp-router-fingerprints] are appropriate.
[[NOTE: I need to go through the ideas in section 4 of the ops-model document to clarify this.]]
These entries deal with how to authorize a specific group member to communicate with its peers.
At a minimumn, this will be a list of "authorized neighbors", along with the necessary cryptographic material to permit identifying them.
This document has no actions for IANA.
[NOTE TO RFC EDITOR: this section for use during I-D stage only. Please remove before publishing as RFC.]
atwood-karp-akam-rp-00
[NOTE TO RFC EDITOR: this section for use during I-D stage only. Please remove before publishing as RFC.]
List of stuff that still needs work
| [RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |