draft-ietf-bfd-generic-crypto-auth-04.txt   draft-ietf-bfd-generic-crypto-auth-05.txt 
Network Working Group M. Bhatia Network Working Group M. Bhatia
Internet-Draft Alcatel-Lucent Internet-Draft Alcatel-Lucent
Intended status: Standards Track V. Manral Intended status: Standards Track V. Manral
Expires: October 20, 2013 Hewlett-Packard Co. Expires: April 18, 2014 Hewlett-Packard Co.
D. Zhang D. Zhang
Huawei Huawei
April 18, 2013 October 15, 2013
BFD Generic Cryptographic Authentication BFD Generic Cryptographic Authentication
draft-ietf-bfd-generic-crypto-auth-04 draft-ietf-bfd-generic-crypto-auth-05
Abstract Abstract
This document proposes an extension to Bidirectional Forwarding This document proposes an extension to Bidirectional Forwarding
Detection (BFD) to allow the use of arbitary cryptographic Detection (BFD) to allow the use of arbitary cryptographic
authentication algorithms in addition to the already-documented authentication algorithms in addition to the already-documented
authentication schemes described in the base specification. This authentication schemes described in the base specification. This
document adds the basic infrastructure that is required for document adds the basic infrastructure that is required for
supporting algorithm and key agility for BFD. supporting algorithm and key agility for BFD.
skipping to change at page 1, line 44 skipping to change at page 1, line 44
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 20, 2013. This Internet-Draft will expire on April 18, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 41 skipping to change at page 3, line 41
inter-session replay attacks. inter-session replay attacks.
In order to address the issues mentioned above, this document In order to address the issues mentioned above, this document
proposes two new authentication types that can be used to secure the proposes two new authentication types that can be used to secure the
BFD packets. The two authentication types are - Cryptographic BFD packets. The two authentication types are - Cryptographic
Authentication (CRYPTO_AUTH) and Meticulous Cryptographic Authentication (CRYPTO_AUTH) and Meticulous Cryptographic
Authentication (MET_ CRYPTO_AUTH). Unlike earlier authentication Authentication (MET_ CRYPTO_AUTH). Unlike earlier authentication
types that were defined in BFD, the proposed authentication types are types that were defined in BFD, the proposed authentication types are
not tied to any particular authentication algorithm or construct. not tied to any particular authentication algorithm or construct.
These can use different authentication algorithms and constructs like These can use different authentication algorithms and constructs like
MD5, SHA-1, SHA-2, HMAC-SHA1, HMAC-SHA2, etc. to provide MD5, SHA-1, SHA-2, HMAC-SHA1, HMAC-SHA2, etc. to provide
authentication and data integrity protection for BFD control packets. authentication and data integrity protection for BFD control packets.
The packet replay mechanism has also been enhanced to improve its The packet replay mechanism has also been enhanced to improve its
capability in handling inter and intra-session replay attacks. capability in handling inter and intra-session replay attacks.
It should be noted that this document attempts to fix the security It should be noted that this document attempts to fix the security
issues raised by the manual key management procedure that currently issues raised by the manual key management procedure that currently
exists within BFD, as part of the Phase One described in KARP-design- exists within BFD, as part of the Phase One described in KARP-design-
guide [I-D.ietf-karp-design-guide]. Therefore, only the pre-shared guide [I-D.ietf-karp-design-guide]. Therefore, only the pre-shared
keys is considered in this document. However, the solution described keys is considered in this document. However, the solution described
skipping to change at page 11, line 18 skipping to change at page 11, line 18
7.2. Informative References 7.2. Informative References
[Dobb96a] Dobbertin, H., "Cryptanalysis of MD5 Compress", May 1996. [Dobb96a] Dobbertin, H., "Cryptanalysis of MD5 Compress", May 1996.
[Dobb96b] Dobbertin, H., "The Status of MD5 After a Recent Attack", [Dobb96b] Dobbertin, H., "The Status of MD5 After a Recent Attack",
CryptoBytes", 1996. CryptoBytes", 1996.
[I-D.ietf-karp-crypto-key-table] [I-D.ietf-karp-crypto-key-table]
Housley, R., Polk, T., Hartman, S., and D. Zhang, Housley, R., Polk, T., Hartman, S., and D. Zhang,
"Database of Long-Lived Symmetric Cryptographic Keys", "Database of Long-Lived Symmetric Cryptographic Keys",
draft-ietf-karp-crypto-key-table-07 (work in progress), draft-ietf-karp-crypto-key-table-08 (work in progress),
March 2013. July 2013.
[I-D.ietf-karp-design-guide] [I-D.ietf-karp-design-guide]
Lebovitz, G. and M. Bhatia, "Keying and Authentication for Lebovitz, G. and M. Bhatia, "Keying and Authentication for
Routing Protocols (KARP) Design Guidelines", draft-ietf- Routing Protocols (KARP) Design Guidelines", draft-ietf-
karp-design-guide-10 (work in progress), December 2011. karp-design-guide-10 (work in progress), December 2011.
[MD5-attack] [MD5-attack]
Wang, X., Feng, D., Lai, X., and H. Yu, "Collisions for Wang, X., Feng, D., Lai, X., and H. Yu, "Collisions for
Hash Functions MD4, MD5, HAVAL-128 and RIPEMD", August Hash Functions MD4, MD5, HAVAL-128 and RIPEMD", August
2004. 2004.
 End of changes. 6 change blocks. 
7 lines changed or deleted 7 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/