Internet DRAFT - draft-atwood-karp-aapm-rp
draft-atwood-karp-aapm-rp
KARP W. Atwood
Internet-Draft R. Bangalore Somanatha
Intended status: Standards Track Concordia University/CSE
Expires: January 16, 2014 S. Hartman
Painless Security
D. Zhang
Huawei
July 15, 2013
Authentication, Authorization and Policy Management for Routing
Protocols
draft-atwood-karp-aapm-rp-00
Abstract
When tightening the security of the core routing infrastructure, one
requirement is to ensure that the keying material for the routing
protocol exchanges is distributed only to the appropriate routers.
This document specifies requirements on the authentication and
authorization of routers and proposes the use of policy distribution
to achieve those requirements.
Status of This Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 16, 2014.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
Atwood, et al. Expires January 16, 2014 [Page 1]
�
Internet-Draft KARP AAPM-RP July 2013
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. System Overview . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. System Structure . . . . . . . . . . . . . . . . . . . . 4
2.2. System Operation . . . . . . . . . . . . . . . . . . . . 5
2.3. Routing Authentication Policy Database . . . . . . . . . 5
3. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 6
3.1. Security Goals . . . . . . . . . . . . . . . . . . . . . 6
3.2. Operational Goals . . . . . . . . . . . . . . . . . . . . 7
4. System Design . . . . . . . . . . . . . . . . . . . . . . . . 7
4.1. Authentication . . . . . . . . . . . . . . . . . . . . . 7
4.2. Authorization . . . . . . . . . . . . . . . . . . . . . . 8
4.3. Management of Cryptographic Material . . . . . . . . . . 8
4.4. Router Installation . . . . . . . . . . . . . . . . . . . 8
4.5. Router Reboot . . . . . . . . . . . . . . . . . . . . . . 9
5. RAPD . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
5.1. Contents of an RAPD entry . . . . . . . . . . . . . . . . 10
5.2. RAPD Authentication Information . . . . . . . . . . . . . 10
5.3. Organization and lookup . . . . . . . . . . . . . . . . . 11
5.4. Hierarchy of Policy . . . . . . . . . . . . . . . . . . . 11
6. Policy Distribution . . . . . . . . . . . . . . . . . . . . . 11
6.1. System Configuration Information . . . . . . . . . . . . 12
6.2. Router Authentication . . . . . . . . . . . . . . . . . . 12
6.3. Router Authorization . . . . . . . . . . . . . . . . . . 12
6.4. Key Management . . . . . . . . . . . . . . . . . . . . . 12
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13
9. Change History (RFC Editor: Delete Before Publishing) . . . . 13
10. Needs Work in Next Draft (RFC Editor: Delete Before
Publishing) . . . . . . . . . . . . . . . . . . . . . . . . . 13
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
11.1. Normative References . . . . . . . . . . . . . . . . . . 13
11.2. Informative References . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14
1. Introduction
Within the Keying and Authentication for Routing Protocols (KARP)
working group, there are several goals:
o Determining how to update the security of existing routing
protocols, and guiding this work;
Atwood, et al. Expires January 16, 2014 [Page 2]
�
Internet-Draft KARP AAPM-RP July 2013
o Development of automated mechanisms for management of the keying
material.
Within the first goal, each routing protocol has its own procedures
for protecting a routing protocol message "on the wire", given
appropriate parameters such as an appropriate traffic encryption key
and the cryptographic transforms to be used. How these parameters
are placed is not defined by the routing protocol specification.
Within the second goal, protocols and procedures for creating shared
keys for specific environments have been developed
[I-D.hartman-karp-mrkmp] [I-D.mahesh-karp-rkmp], under the assumption
that the end points of the exchanges (the routers) are entitled to
enter into the conversation. However, these protocols rely on the
authentication mechanisms of IKEv2 [RFC5996] to ensure the endpoints
are who they say they are. No way is offered to provide these
mechanisms with expected endpoint identities or to provide
information on whether an endpoint is entitled to be a neighbor.
Provision of expected endpoint identities and neighbor authorization
is in effect provision of a policy on what constitutes an acceptable
identity and who is an acceptable neighbor.
In addition, requirements for an operations and management model are
specified in [I-D.ietf-karp-ops-model].
This document addresses the issue of policy distribution for
authentication and authorization of adjacent routers in secure
routing protocols. In particular, it addresses the need to ensure
that cryptographic parameters are distributed only to routers that
legitimately form part of the "authorized neighbor set" of a
particular router. It is not concerned with the contents of the
exchanged Routing Protocol messages; this is the responsibility of
the Routing Protocol specification documents. It is also not
concerned with the validity of the Routing Protocol messages
themselves; this is being considered by the SIDR working group.
Finally, in accordance with the KARP charter, only source
authentication is provided for the Routing Protocol messages;
confidentiality of these messages is out-of-scope at this time.
If the proposed authentication and authorization mechanisms are not
in place, the mechanism used for authentication is likely to be a
preshared key, with the same key used throughout a specific area. It
is also likely never to be changed, given the difficulty of making
this change. When changes come in the topology of the network, it is
difficult to tell whether a new router is legitimate or not.
1.1. Terminology
Atwood, et al. Expires January 16, 2014 [Page 3]
�
Internet-Draft KARP AAPM-RP July 2013
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. System Overview
2.1. System Structure
A network that is managed by a particular System Administrator will
have some number of routers in it, each of which will be running some
set of routing protocols.
For a particular routing protocol, the network is divided into one or
more Administrative Domains (AD). An AD is a set of routers with a
common policy. An AD might encompass a collection of BGP routers
spanning several Autonomous Systems, or all of the routers inside a
particular Autonomous System, or all of the routers in an
organization, or all of the routers in a unit within an organization,
or simply a pair of routers with a point-to-point link.
We distinguish four participants in the architecture:
System Administrator (SA) This is the human who controls the
Administrative Domain.
Administrative Domain Manager (ADM) This is the manager for the
entire AD. Its role is to distribute the operational policies
to the routers within the AD.
Standby ADM (SADM) This provides for robustness if the ADM is
unavailable.
Group Member (GM) Any router within the AD.
[[NOTE: A figure would be helpful here.]]
The common policy for a particular AD is managed by the ADM.
Each router has a unique identity in the context of a particular AD.
To deal with the issue of interaction between routers in adjacent
ADs, the link between two such routers may either be managed by one
of the ADs, or a small AD may be created to manage that specific
link. In either case, this implies that a specific router may have
more than one identity. Authentication of a router involves
presenting this identity and establishing its validity.
For a particular routing protocol, a router needs to know which other
routers are allowed to exchange routing messages with it. This set
Atwood, et al. Expires January 16, 2014 [Page 4]
�
Internet-Draft KARP AAPM-RP July 2013
of legitimate neighbors may, in general, be different for each
routing protocol that a particular router is executing.
Authorization of a router involves matching the identity of that
router against the policy governing the set of permitted neighbors.
Within an AD, there are two levels of interaction. At the first
level, there is the interaction between the ADM and each of the
client routers (GMs). At the second level, there are the
interactions between a specific router and the members of its
neighbor set.
To participate in the activities within an AD, a router must be
authenticated, i.e., it must be able to prove that it is a legitimate
member of the AD.
To be permitted to communicate with an adjacent router (however
adjacency is defined for a particular routing protocol), a router
must be authorized. A router needs to present its identity when
communicating with the ADM and also when communicating with the
routers that are adjacent to it.
The ADM will distribute to each router the policy that defines how
the router is to assess the authenticity of a prospective neighbor,
and how the router is to ascertain that the prospective neighbor is
authorized to communicate with it.
2.2. System Operation
The SA interacts with the ADM to set the policies for the AD.
The ADM establishes a mutually authenticated relationship with each
client router, i.e., with each GM in the AD.
The ADM then pushes the policy definitions to the GMs.
Based on the policy, each GM establishes a mutually authenticated
relationship with each of its authorized neighbors.
Each GM will then negotiate cryptographic parameters with its
neighbors, or distribute the parameters that it generates, depending
on the policy in place.
2.3. Routing Authentication Policy Database
This specification introduces a new conceptual database on each GM,
the Routing Authentication Policy Database (RAPD). The RAPD
compliments the key table [I-D.ietf-karp-crypto-key-table]. The key
table provides manually configured keys and the RAPD provides policy
Atwood, et al. Expires January 16, 2014 [Page 5]
�
Internet-Draft KARP AAPM-RP July 2013
for automated key management. The RAPD provides services similar to
the IPsec Security Policy Database and Peer Authentication Database
[RFC4301]
The RAPD serves the following purposes:
o Is automated key management expected for a particular routing
protocol peer or group
o What identity and credentials are used to authenticate to a remote
key-management peer
o What identities and credentials are accepted when a remote peer
authenticates to us
o Is a particular peer authorized for a particular routing protocol
o What parameters and transforms are used for a particular security
association
o What key management protocols does this router need to participate
in and on what interfaces
See Section 5 for details on the RAPD.
3. Problem Statement
The aim of this document is to specify an overall system for
automated key management, which will eliminate the disadvantages of
the manual method of key updating. The basic function of this
automated system is to distribute and enforce the key management
policies of the Administrative Domain. In accordance with these
policies, secure generation and distribution will be effected of the
keys or other cryptographic material that will be used for the
router-to-router exchanges. The system will also enable key updates
at regular intervals so as to protect against both active intruders
and passive intruders who could be eavesdropping the traffic after
having gained access to the keys secretly.
Along with these basic goals, a key management system should satisfy
an additional set of requirements. These requirements ensure among
other things, security, easy deployment, robustness and scalability.
We have compiled this set after referring to the KARP Design Guide
[RFC6518], the KARP Threats and Requirements Guide [RFC6862] and the
PIM-SM "security on the wire" specification [RFC5796].
3.1. Security Goals
Atwood, et al. Expires January 16, 2014 [Page 6]
�
Internet-Draft KARP AAPM-RP July 2013
[[NOTE: The following lists of goals were appropriate in the context
of Revathi's thesis, which was on formal validation of the security
of her proposed protocols. Since we will probably meet at least some
of these goals by using an already-standardized, secure protocol, the
list is subject to revision as the details of the framework are
established.]]
1. Peer authentication for unicast and authentication of all members
of the group for multicast protocols.
2. Message authentication, which includes data origin authentication
and message integrity.
3. Protection of the system from replay attacks.
4. Peer liveness.
5. Secrecy of key management messages.
6. Authorization to ensure that only authorized routers get the
keys.
7. Resistance to man-in-the-middle attacks.
8. Resistance to DoS attacks.
9. Usage of strong keys; those that are unpredictable and are of
sufficient length.
3.2. Operational Goals
1. Possibility for easy and incremental deployment.
2. Smooth key rollover.
3. Robustness across router reboots.
4. Scalable design.
5. Policy for authentication and authorization can be shared between
unicast and multicast key management.
4. System Design
4.1. Authentication
Each router is assumed to have an identity, i.e., some way of
distinguishing it from other routers. The form of this identity is
Atwood, et al. Expires January 16, 2014 [Page 7]
�
Internet-Draft KARP AAPM-RP July 2013
determined by the SA of the network. It may be a simple string, or
it may be a cryptographically strong identity such as that proposed
by Chunduri [draft-chunduri].
Each router is assumed to have a way to assert the validity of this
identity. The acceptable form(s) of this assertion mechanism will be
determined by the policy set by the SA.
[[NOTE: Insert examples here from Sections 4.1, 4.2 and 4.3 of the
ops-model.]]
4.2. Authorization
A router has a neighbor set, which is the set of routers that it is
able to exchange packets with. The connection used for this exchange
may be physical or virtual.
A router has an authorized neighbor set, for a particular Routing
Protocol, which is the set of routers that it is authorized to
communicate with using the exchanges of that Routing Protocol.
The verification that a router in the neighbor set is also in the
authorized neighbor set for a particular Routing Protocol is governed
by a policy that is set by the SA.
[[NOTE: Insert examples here from ops-model, section 4.]]
4.3. Management of Cryptographic Material
When a router discovers one or more members of its authorized
neighbor set, it will then generate, negotiate, or acquire the
cryptographic parameters that it will use when exchanging Routing
Protocol packets with these neighbors. Depending on the procedures
defined by the Routing Protocol specification for securing the
exchanged packets, these cryptographic parameters may include the
key(s) to be used, the IPsec Security Parameter Index (SPI) assigned,
etc.
For the case where inter-router communication is based on unicast
communication, an approach has been developed, which is presented in
[I-D.mahesh-karp-rkmp]. For the case where the inter-router
communication is based on multicast exchanges, an approach has been
developed, which is presented in [I-D.hartman-karp-mrkmp].
4.4. Router Installation
An important aspect of the design is ease of deployment. When a new
router is installed, the following steps must be taken:
Atwood, et al. Expires January 16, 2014 [Page 8]
�
Internet-Draft KARP AAPM-RP July 2013
1. Establish the existence of a new router identity in the AD, using
the SA - ADM interface.
2. Define the policy or policies that are applicable to this new
identity, using the SA - ADM interface.
3. For the router that will be the first router on the network path
between the new router and the ADM, take whatever action is
necessary to force the ADM to push revised configuration
information to it.
4. At the new router, manually install sufficient policy to allow it
to accept its neighbor as part of its authorized neighbor set,
and to allow it to know the location of the ADM. Then, force the
ADM to push complete configuration information to it.
4.5. Router Reboot
A router must store the information concerning its governing policies
in a form of storage that persists over a reboot.
When a router reboots (and especially when a large number of routers
reboot due to a power failure and restoration), a router must use the
stored information to re-establish its neighbor relationships. This
will minimize the likelihood of an apparent denial of service attack
on the ADM.
Once the router has established its neighbor relationships, and after
a suitable (random) interval, the router should contact its ADM to
refresh its policy database.
5. RAPD
According to the key table, routing protocols specify a peer and
protocol in order to request a key to send a message. The peer is
either the identity of a unicast peer or of a group. The form of the
peer identifier is specified by the specific routing protocol in
question.
The peer and protocol are enough to find an existing key. As a
result, the RAPD needs to be able to locate the appropriate automated
key management policy given a peer and protocol.
The RAPD is also used by key management applications when a peer
attempts to authenticate or request a key. In this instance, the key
management application has the IKE identity of the peer.
Atwood, et al. Expires January 16, 2014 [Page 9]
�
Internet-Draft KARP AAPM-RP July 2013
5.1. Contents of an RAPD entry
In order to establish an IKE SA, the following information is needed:
o Identity of the local system to use
o Identities acceptable for the remote endpoint
o Credential to use for the local system
o Authentication information for the remote system; see Section 5.2
o Lifetime information
o Acceptable transforms
In order to establish a routing SA keyed by an IKE SA, the following
information is needed:
o Peer and protocol
o Acceptable transforms
Additional information is required for multicast policy.
5.2. RAPD Authentication Information
The RAPD entry needs to include enough information that the remote
peer can be authenticated. The required information tends to break
down along the same lines as the credential types discussed in
section 4 of [I-D.ietf-karp-ops-model].
For pre-shared keys, mutual authentication is obtained by using the
same key in both directions. In this case the credential for
outbound authentication is a pre-shared key. For inbound
authentication, multiple acceptable credentials can be provided.
For public keys used outside of authentication, authentication needs
to happen in each direction. Each peer needs a private key and
potentially a certificate to send as a credential. Each peer also
needs a set of acceptable fingerprints for the remote key-management
peer's key or certificate.
When a PKI is used, each peer needs a private key and a certificate
as a credential. In addition, trust anchors and constraints on how
to validate whether an asserted identifier is appropriate for the
presented certificate are required.
Atwood, et al. Expires January 16, 2014 [Page 10]
�
Internet-Draft KARP AAPM-RP July 2013
5.3. Organization and lookup
One open question is how to organize the RAPD. When initiating a
connection, policy is found using the peer and protocol information.
When receiving an incoming association, the peer and protocol might
not be available until the routing protocol SA is requested so policy
needs to be found based on the initiator's asserted identity.
One approach would be to separate incoming and outgoing policy and
use two different databases. This is highly undesirable from an
operational standpoint. In general it is not possible to know ahead
of time which router will initiate a key management exchange. For
this reason, it is strongly desired from an operational standpoint
that the policy be symmetric. That is, an association SHOULD
successfully authenticate and be authorized independent of which
party initiates the association. There are exceptions; for example,
in a multicast association, one router MAY be configured not to take
on the role of a Group Controller/Key Server (GCKS) and such a router
could not respond to key-management associations.
Another approach is to have a single database indexed by the tuple
containing peer and protocol as well as the set of acceptable remote
identifiers.
Another approach is to have two databases. One contains the peer,
protocol, unicast key management endpoint and a policy identifier.
The second database contains the remaining information along with a
policy identifier. It is indexed by the policy identifier and by the
set of acceptable remote identifiers. This layout is very similar to
the breakdown between IPsec's SPD and PAD.
All of these approaches assume that the set of acceptable remote
identifiers is enumerated in the policy database. In a PKI this may
be undesirable.
5.4. Hierarchy of Policy
6. Policy Distribution
[[NOTE: I give below my initial suggestion on a list of policy items
that will need to be distributed. My student Nitin has suggested a
different way to organize the information, specifically by looking at
the types of interaction: SA - ADM; ADM - GM and GM - GM. I expect
that both views will be necessary and will revise the document
appropriately.]]
Atwood, et al. Expires January 16, 2014 [Page 11]
�
Internet-Draft KARP AAPM-RP July 2013
In this section, we give an initial list of the policy items that
will need to be distributed. The policy will have several facets,
each derived from the operational steps.
6.1. System Configuration Information
The system configuration information consists of the following:
1. ADM information (how to reach it)
2. SADM information (how to reach it)
This information is pushed regularly to allow for changes to the ADM
location and the SADM location after the initial (manual)
configuration.
6.2. Router Authentication
These entries deal with how to identify a legitimate member of the
AD.
Under certain circumstances, the ideas in KARP KMP: Simplified Peer
Authentication [I-D.chunduri-karp-kmp-router-fingerprints] are
appropriate.
[[NOTE: I need to go through the ideas in section 4 of the ops-model
document to clarify this.]]
6.3. Router Authorization
These entries deal with how to authorize a specific group member to
communicate with its peers.
At a minimumn, this will be a list of "authorized neighbors", along
with the necessary cryptographic material to permit identifying them.
6.4. Key Management
o Key generation/negotiation: acceptable procedures, acceptable
transforms
o Key hygiene: lifetimes, etc.
o Operational rules (from, for example, Operations Model for Router
Keying [I-D.ietf-karp-ops-model]
7. IANA Considerations
Atwood, et al. Expires January 16, 2014 [Page 12]
�
Internet-Draft KARP AAPM-RP July 2013
This document has no actions for IANA.
8. Acknowledgements
9. Change History (RFC Editor: Delete Before Publishing)
[NOTE TO RFC EDITOR: this section for use during I-D stage only.
Please remove before publishing as RFC.]
atwood-karp-akam-rp-00
o Original submission.
10. Needs Work in Next Draft (RFC Editor: Delete Before Publishing)
[NOTE TO RFC EDITOR: this section for use during I-D stage only.
Please remove before publishing as RFC.]
List of stuff that still needs work
o Expand the set of policy descriptions
11. References
11.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
11.2. Informative References
[I-D.chunduri-karp-kmp-router-fingerprints]
Chunduri, U., Tian, A., Keranen, A., and T. Kivinen, "KARP
KMP: Simplified Peer Authentication", draft-chunduri-karp-
kmp-router-fingerprints-03 (work in progress), March 2013.
[I-D.hartman-karp-mrkmp]
Hartman, S., Zhang, D., and G. Lebovitz, "Multicast Router
Key Management Protocol (MaRK)", draft-hartman-karp-
mrkmp-05 (work in progress), September 2012.
[I-D.ietf-karp-crypto-key-table]
Housley, R., Polk, T., Hartman, S., and D. Zhang,
"Database of Long-Lived Symmetric Cryptographic Keys",
draft-ietf-karp-crypto-key-table-07 (work in progress),
March 2013.
[I-D.ietf-karp-ops-model]
Atwood, et al. Expires January 16, 2014 [Page 13]
�
Internet-Draft KARP AAPM-RP July 2013
Hartman, S. and D. Zhang, "Operations Model for Router
Keying", draft-ietf-karp-ops-model-07 (work in progress),
July 2013.
[I-D.mahesh-karp-rkmp]
Jethanandani, M., Weis, B., Patel, K., Zhang, D., Hartman,
S., Chunduri, U., Tian, A., and J. Touch, "Negotiation for
Keying Pairwise Routing Protocols in IKEv2", draft-mahesh-
karp-rkmp-04 (work in progress), February 2013.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005.
[RFC5796] Atwood, W., Islam, S., and M. Siami, "Authentication and
Confidentiality in Protocol Independent Multicast Sparse
Mode (PIM-SM) Link-Local Messages", RFC 5796, March 2010.
[RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
"Internet Key Exchange Protocol Version 2 (IKEv2)", RFC
5996, September 2010.
[RFC6518] Lebovitz, G. and M. Bhatia, "Keying and Authentication for
Routing Protocols (KARP) Design Guidelines", RFC 6518,
February 2012.
[RFC6862] Lebovitz, G., Bhatia, M., and B. Weis, "Keying and
Authentication for Routing Protocols (KARP) Overview,
Threats, and Requirements", RFC 6862, March 2013.
Authors' Addresses
William Atwood
Concordia University/CSE
1455 de Maisonneuve Blvd, West
Montreal, QC H3G 1M8
Canada
Phone: +1(514)848-2424 ext3046
Email: william.atwood@concordia.ca
URI: http://users.encs.concordia.ca/~bill
Atwood, et al. Expires January 16, 2014 [Page 14]
�
Internet-Draft KARP AAPM-RP July 2013
Revathi Bangalore Somanatha
Concordia University/CSE
1455 de Maisonneuve Blvd, West
Montreal, QC H3G 1M8
Canada
Email: revathi.bs@gmail.com
Sam Hartman
Painless Security
Email: hartmans@painless-security.com
Dacheng Zhang
Huawei
Email: zhangdacheng@huawei.com
Atwood, et al. Expires January 16, 2014 [Page 15]
