Internet DRAFT - draft-nslag-ietf-deprecate-md5
draft-nslag-ietf-deprecate-md5
MPLS Working Group L. Andersson
Internet-Draft Bronze Dragon Consulting
Intended status: Informational S. Bryant
Expires: September 2, 2018 A. Malis
Huawei Technologies
N. Leymann
Deutshe Telekom
G. Swallow
Independent
March 1, 2018
Deprecating MD5 for LDP
draft-nslag-ietf-deprecate-md5-00.txt
Abstract
When the MPLS Label Distribution Protocol (LDP) was specified circa
1999, there were very strong requirements that LDP should use a
cryptographic hash function to sign LDP protocol messages. MD5 was
widely used at that time, and was the obvious choices.
However, even when this decision was being taken there were concerns
as to whether MD5 was a strong enough signing option. This
discussion was briefly reflected in section 5.1 of RFC 5036 [RFC5036]
(and also in RFC 3036 [RFC3036]).
Over time it has been shown that MD5 can be compromised. Thus, there
is a concern shared in the security community and the working groups
responsible for the development of the LDP protocol that LDP is no
longer adequately secured.
This document deprecates MD5 as the signing method for LDP messages.
The document also selects a future method to secure LDP messages -
the choice is TCP-AO. In addition, we specify that the TBD
cryptographic mechanism is to be the default TCP-AO security method.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Andersson, et al. Expires September 2, 2018 [Page 1]
�
Internet-Draft Deprecating MD5 for LDP March 2018
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 2, 2018.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Requirement Language . . . . . . . . . . . . . . . . . . 3
2. Background . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. LDP in RFC 5036 . . . . . . . . . . . . . . . . . . . . . 3
2.2. MD5 in BGP . . . . . . . . . . . . . . . . . . . . . . . 3
2.3. Prior Art . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Securing LDP . . . . . . . . . . . . . . . . . . . . . . . . 4
4. Security Considerations . . . . . . . . . . . . . . . . . . . 5
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 5
7.1. Normative References . . . . . . . . . . . . . . . . . . 5
7.2. Informative References . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction
RFC 3036 was published in January 2001 as a Proposed Standard, and it
was replaced by RFC 5035, which is a Draft Standard, in October 2007.
Two decades after LDP was originally specified there is a concern
shared by the security community and the IETF working groups that
develop the LDP protocol that LDP is no longer adequately secured.
Andersson, et al. Expires September 2, 2018 [Page 2]
�
Internet-Draft Deprecating MD5 for LDP March 2018
LDP currently uses MD5 to cryptographically sign its messages for
security security purposes. However, MD5 is a hash function that is
no longer considered adequate to meet current security requirements.
1.1. Requirement Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
2. Background
2.1. LDP in RFC 5036
In Section 5.1 "Spoofing" of RFC 5036 [RFC5036], in list item 2
"Session communication carried by TCP" the following statements are
made:
LDP specifies use of the TCP MD5 Signature Option to provide for
the authenticity and integrity of session messages.
RFC 2385 [RFC2385] asserts that MD5 authentication is now
considered by some to be too weak for this application. It also
points out that a similar TCP option with a stronger hashing
algorithm (it cites SHA-1 as an example) could be deployed. To
our knowledge, no such TCP option has been defined and deployed.
However, we note that LDP can use whatever TCP message digest
techniques are available, and when one stronger than MD5 is
specified and implemented, upgrading LDP to use it would be
relatively straightforward.
2.2. MD5 in BGP
There has been a similar discussion among working groups developing
the BGP protocol. BGP has already replaced MD5 with TCP-AO. This
was specified in RFC 7454 [RFC7454].
To secure LDP the same approach will be followed, TCP-AO will be used
for LDP also.
As far as we are able to ascertain, there is currently no
recommended, mandatory to implement, cryptographic function
specified. We are concerned that without such a mandatory function,
implementations will simply fall back to MD5 and nothing will really
be changed. The MPLS working group will need the expertise of the
Andersson, et al. Expires September 2, 2018 [Page 3]
�
Internet-Draft Deprecating MD5 for LDP March 2018
security community to specify a viable security function that is
suitable for wide scale deployment on existing network platforms.
2.3. Prior Art
RFC 6952 [RFC6952] dicusses a set of routing protocols that all are
using TCP for transport of protocol messages, according to guidelines
set forth in Section 4.2 of "Keying and Authentication for Routing
Protocols Design Guidelines", RFC 6518 [RFC6518].
RFC 6952 takes a much broader approach than this document, it
discusses several protcols and also securing the LDP session
initialization. This document has a narrower scope, securing LDP
session messages only. LDP in initialization mode is addressed in
RFC 7349 [RFC7349].
RFC 6952 and this document, basically suggest the same thing, move to
TCP-AO and deploy a strong cryotoigraphic algorithm.
All the protcols discuseed in RFC 6952 should adopt the approach to
securing protocol messages over TCP.
3. Securing LDP
Implementations conforming to this RFC MUST implement TCP-AO to
secure the TCP sessions carrying LDP in addition to the currently
required TCP MD5 Signature Option.
A TBD cryptographic mechanism must be implemented and provided to
TCP-AO to secure LDP messages.
The TBD mechanism is the preferred option, and MD5 SHOULD only to be
used when TBD is unavailable.
Note: The authors are not experts on this part of the stack, but it
seems that TCP security negotiation is still work in progress. If we
are wrong, then we need to include a requirement that such
negotiation is also required. In the absence of a negotiation
protocol, however, we need to leave this as a configuration process
until such time as the negotiation protocol work is complete. On
completion of a suitable negotiation protocol we need to issue a
further update requiring its use.
Cryptographic mechanisms do not have an indefinite lifetime, the IETF
hence anticipates updating default cryptographic mechanisms over
time.
Andersson, et al. Expires September 2, 2018 [Page 4]
�
Internet-Draft Deprecating MD5 for LDP March 2018
The TBD default security function will need to be chosen such that it
can reasonably be implemented on a typical router route processor,
and which will provide adequate security without significantly
degrading the convergence time of a Label Switching Router (LSR).
Without a function that does not significantly impact router
convergence we simply close one vulnerability and open another.
Note: As experts on the LDP protocol, but not on security mechanisms,
we need to ask the security area for a review of our proposed
approach, and help correcting any misunderstanding of the security
issues or our misunderstanding of the existing security mechanisms.
We also need a recommendation on a suitable security function (TBD in
the above text).
4. Security Considerations
This document is entirely about LDP operational security. It
describes best practices that one should adopt to secure LDP messages
and the TCP based LDP sessions between LSRs.
This document does not aim to describe existing LDP implementations,
their potential vulnerabilities, or ways they handle errors. It does
not detail how protection could be enforced against attack techniques
using crafted packets.
5. IANA Considerations
There are no requests for IANA actions in this document.
Note to the RFC Editor - this section can be removed before
publication.
6. Acknowledgements
-
-
7. References
7.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
Andersson, et al. Expires September 2, 2018 [Page 5]
�
Internet-Draft Deprecating MD5 for LDP March 2018
[RFC2385] Heffernan, A., "Protection of BGP Sessions via the TCP MD5
Signature Option", RFC 2385, DOI 10.17487/RFC2385, August
1998, <https://www.rfc-editor.org/info/rfc2385>.
[RFC5036] Andersson, L., Ed., Minei, I., Ed., and B. Thomas, Ed.,
"LDP Specification", RFC 5036, DOI 10.17487/RFC5036,
October 2007, <https://www.rfc-editor.org/info/rfc5036>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
7.2. Informative References
[RFC3036] Andersson, L., Doolan, P., Feldman, N., Fredette, A., and
B. Thomas, "LDP Specification", RFC 3036,
DOI 10.17487/RFC3036, January 2001,
<https://www.rfc-editor.org/info/rfc3036>.
[RFC6518] Lebovitz, G. and M. Bhatia, "Keying and Authentication for
Routing Protocols (KARP) Design Guidelines", RFC 6518,
DOI 10.17487/RFC6518, February 2012,
<https://www.rfc-editor.org/info/rfc6518>.
[RFC6952] Jethanandani, M., Patel, K., and L. Zheng, "Analysis of
BGP, LDP, PCEP, and MSDP Issues According to the Keying
and Authentication for Routing Protocols (KARP) Design
Guide", RFC 6952, DOI 10.17487/RFC6952, May 2013,
<https://www.rfc-editor.org/info/rfc6952>.
[RFC7349] Zheng, L., Chen, M., and M. Bhatia, "LDP Hello
Cryptographic Authentication", RFC 7349,
DOI 10.17487/RFC7349, August 2014,
<https://www.rfc-editor.org/info/rfc7349>.
[RFC7454] Durand, J., Pepelnjak, I., and G. Doering, "BGP Operations
and Security", BCP 194, RFC 7454, DOI 10.17487/RFC7454,
February 2015, <https://www.rfc-editor.org/info/rfc7454>.
Authors' Addresses
Loa Andersson
Bronze Dragon Consulting
Email: loa@pi.nu
Andersson, et al. Expires September 2, 2018 [Page 6]
�
Internet-Draft Deprecating MD5 for LDP March 2018
Stewart Bryant
Huawei Technologies
Email: stewart.bryant@gmail.com
Andrew G. Malis
Huawei Technologies
Email: stewart.bryant@gmail.com
Nicolai Leymanm
Deutshe Telekom
Email: N.Leymann@telekom.de
George Swallow
Independent
Email: swallow.ietf@gmail.com
Andersson, et al. Expires September 2, 2018 [Page 7]
