Network Working Group | M. Jethanandani |
Internet-Draft | Cisco Systems |
Intended status: Standards Track | A. Mishra |
Expires: December 29, 2017 | O3b Networks |
A. Saxena | |
Ciena Corporation | |
M. Bhatia | |
Ionos Networks | |
June 27, 2017 |
Optimizing BFD Authentication
draft-ietf-bfd-optimizing-authentication-03
This document describes an optimization to BFD Authentication as described in Section 6.7 of BFD [RFC5880].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 29, 2017.
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Authenticating every BFD packet with a Simple Password, or with a MD5 Message-Digest Algorithm , or Secure Hash Algorithm (SHA-1) algorithms is computationally intensive process, making it difficult if not impossible to authenticate every packet - particularly at faster rates. Also, the recent escalating series of attacks on MD5 and SHA-1 [SHA-1-attack1] [SHA-1-attack2] raise concerns about their remaining useful lifetime as outlined in Updated Security Considerations for the MD5 Message-Digest and the HMAC-MD5 Algorithm and Security Considerations for the SHA-0 and SHA-1 Message-Digest Algorithm. If replaced by stronger algorithms, the computational overhead, will make the task of authenticating every packet even more difficult to achieve.
This document proposes that only BFD frames that signal a state change in BFD be authenticated. Rest of the frames can be transmitted and received without authentication enabled. Most frames that are transmitted and received have no state change associated with them. Limiting authentication to frames that affect a BFD session state allows more sessions to be supported for authentication. Moreover, most BFD frames that signal a state change are generally transmitted at a slower interval of 1s leaving enough time to compute the hash.
Section 2 talks about the changes to authentication mode as described in BFD.
The cryptographic authentication mechanisms specified in BFD describes enabling and disabling of authentication as a one time operation. As a security precaution, it mentions that authentication state be allowed to change at most once. Once enabled, every packet must have Authentication Bit set and the associated Authentication TLV appended. In addition, it states that an implementation SHOULD NOT allow the authentication state to be changed based on the receipt of a BFD Control packet.
This document proposes that the authentication mode be modified to be enabled on demand. Instead of authenticating every packet, BFD peers decide which frames need to be authenticated, and authenticate only those frames. For example, the two ends can decide that BFD frames that indicate a state change should be authenticated and enable authentication on those frames only. If the two ends have not previously negotiated which frames they will transmit or receive with authentication enabled, then the BFD session will fail to come up, because at least one end will expect every frame to be authenticated. The state changes for which authentication is being suggested include:
Read : On state change from <column> to <row> Auth : Authenticate frame NULL : No Authentication. Use NULL AUTH TLV. n/a : Invalid state transition. Select : Most frames NULL AUTH. Selective (periodic) frames authenticated. +--------+--------+--------+--------+--------+--------+ | | DOWN | INIT | UP | POLL | DEMAND | +--------+--------+--------+--------+--------+--------+ | DOWN | NULL | Auth | Auth | Auth | Auth | +--------+--------+--------+--------+--------+--------+ | INIT | Auth | NULL | Auth | Auth | Auth | +--------+--------+--------+--------+--------+--------+ | UP | Auth | n/a | Select | Auth | Auth | +--------+--------+--------+--------+--------+--------+ | POLL | Auth | n/a | Auth | Auth | Auth | +--------+--------+--------+--------+--------+--------+ | DEMAND | Auth | Auth | Auth | Auth | Auth | +--------+--------+--------+--------+--------+--------+
Optimized Authentication Map
All frames already carry the sequence number. The NULL AUTH frames MUST contain the TLV specified in Section 3. This enables a monotonically increasing sequence number to be carried in each frame, and prevents man-in-the-middle from capturing and replaying the same frame again. Since all frames still carry a sequence number, the logic for sequence number maintenance remains unchanged from [RFC5880]. If at a later time, a different scheme is adopted for changing sequence number, this method can use the updated scheme without any impact.
Most frames transmitted on a BFD session are BFD CC UP frames. Authenticating a small subset of these frames (one per configured period) significantly reduces the computational demand for the system while maintaining security of the session across the configured authentication periods. The configuration of the periodic authentication interval for BFD CC UP frames is an open issue.
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Auth Type | Auth Len | Auth Key ID | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Sequence Number | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
NULL Auth TLV
This section describes a new Authentication TLV as:
Auth Type: The Authentication Type, which in this case is 0 (NULL Auth TL)
Auth Len: The length of the NULL Auth TLV, in bytes i.e. 8 bytes
Auth Key ID: The authentication key ID in use for this packet. Must be set to zero.
Reserved: The authentication key ID in use for this packet. This allows multiple keys to be active simultaneously.
Sequence Number: The sequence number for this packet. Implementation may use sequence numbers as defined in [RFC5880], or secure sequence numbers as defined in [I-D.ietf-bfd-secure-sequence-numbers].
The NULL Auth TLV must be used for all frames that are not authenticated. This protects against replay-attacks by allowing the session to maintain an incrementing sequence number for all frames (authenticated and un-authenticated).
In the future, if a new scheme is adopted for changing the sequence number, this method can adopt the new scheme without any impact.
This document requests an update to the registry titled "BFD Authentication Types". IANA is requested to update the Value of 0 which is currently named as Reserved to NULL (see Section 3).
Note to RFC Editor: this section may be removed on publication as an RFC.
The approach described in this document enhances the ability to authentication a BFD session by taking away the onerous requirement that every frame be authenticated. By authenticating frames that affect the state of the session, the security of the BFD session is maintained. As such this document does not change the security considerations for BFD.