rfcdiff: draft-ietf-karp-isis-analysis-00.txt vs. draft-ietf-karp-isis-analysis-01.txt
(The text below follows the -01 revision.  The -00 revision was dated
March 11, 2013, expired September 12, 2013, and listed the authors as
U.C. Chunduri, A.T. Tian and W.L. Lu.)

KARP Working Group                                           U. Chunduri
Internet-Draft                                                   A. Tian
Intended status: Informational                                     W. Lu
Expires: April 23, 2014                                    Ericsson Inc.
                                                        October 20, 2013

                      KARP IS-IS security analysis
                    draft-ietf-karp-isis-analysis-01
Abstract

   This document analyzes the threats applicable to the Intermediate
   System to Intermediate System (IS-IS) routing protocol and the
   security gaps according to the KARP Design Guide.  It also provides
   specific requirements to address those gaps with both manual and
   automated key management protocols.
Status of This Memo

   [skipping to change at page 1, line 35]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 23, 2014.
Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   [skipping to change at page 2, line 36]

     2.3.1.  Replay Attacks
       2.3.1.1.  Current Recovery mechanism for LSPs
     2.3.2.  Spoofing Attacks
     2.3.3.  DoS Attacks
   3.  Gap Analysis and Security Requirements
     3.1.  Manual Key Management
     3.2.  Key Management Protocols
   4.  IANA Considerations
   5.  Security Considerations
   6.  Acknowledgements
   7.  References
     7.1.  Normative References
     7.2.  Informative References
   Authors' Addresses
1.  Introduction

   This document analyzes the current state of the Intermediate System
   to Intermediate System (IS-IS) protocol according to the requirements
   set forth in [RFC6518] for both manual and automated key management
   protocols.
   With currently published work, IS-IS meets some of the requirements
   expected from a manually keyed routing protocol.  [RFC5310] expands
   integrity protection to additional cryptographic algorithms and
   provides limited algorithm agility (the HMAC-SHA family).  [RFC5310]
   also provides a basic form of intra-connection re-keying, with some
   gaps as explained in Section 3.
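   The following Python program is an added example, not part of this
   draft or of any IS-IS implementation.  It builds and checks the
   [RFC5310] Authentication TLV (TLV type 10, authentication type 3)
   with an HMAC from the SHA family over a PDU whose Authentication
   Value field is pre-filled with the Apad constant.  The PDU header,
   the TLV contents and the key table are constructed for illustration,
   and key preparation is the RFC 2104 HMAC step as implemented by
   Python's hmac module.  It shows what "limited agility" means in
   practice (the 16-bit Key ID selects both the secret and the hash;
   nothing in the PDU negotiates an algorithm), how a second Key ID
   carries a re-keying, and that a correctly verified PDU verifies again
   when replayed, because the HMAC binds only the PDU contents.

```python
"""Added example (not from the draft): RFC 5310 cryptographic authentication
for IS-IS PDUs.  The PDU header, TLV contents and key table are constructed
for illustration; key preparation is RFC 2104 HMAC as done by Python's hmac."""
import hashlib
import hmac
import struct

AUTH_TLV_TYPE = 10          # IS-IS Authentication TLV
AUTH_TYPE_CRYPTO = 3        # RFC 5310 "cryptographic authentication"
APAD_WORD = bytes.fromhex("878FE1F3")   # RFC 5310 Apad constant

# HMAC-SHA family allowed by RFC 5310.  The algorithm is not signalled in the
# PDU; each Key ID is bound to one algorithm and one secret on every router.
HASHES = {
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}

# Constructed key table: Key ID -> (hash name, shared secret).
KEY_TABLE = {
    1: ("sha1", b"legacy-sha1-secret"),
    2: ("sha256", b"rollover-sha256-secret"),
}

# Constructed placeholder for the IS-IS common and PDU-specific headers
# (opaque bytes here; a real PDU length field must already include the
# Authentication TLV because the HMAC covers the whole PDU).
HEADER = b"\x83" + b"\x00" * 26


def apad(hash_len):
    """Apad: 0x878FE1F3 repeated L/4 times, L = hash length in octets."""
    return (APAD_WORD * (hash_len // 4))[:hash_len]


def tlv(tlv_type, body):
    return struct.pack("!BB", tlv_type, len(body)) + body


def auth_tlv(key_id, auth_value):
    """Authentication TLV: type 10, then auth type 3, 16-bit Key ID, value."""
    return tlv(AUTH_TLV_TYPE,
               struct.pack("!BH", AUTH_TYPE_CRYPTO, key_id) + auth_value)


def iter_tlvs(data, start):
    """Yield (offset, type, length, value); stop silently on a truncated TLV."""
    off = start
    while off + 2 <= len(data):
        t, length = data[off], data[off + 1]
        if off + 2 + length > len(data):
            break
        yield off, t, length, data[off + 2:off + 2 + length]
        off += 2 + length


def sign_pdu(header, tlvs, key_id, key_table=KEY_TABLE):
    """Append an Authentication TLV whose value is HMAC-<hash>(key, PDU),
    where the PDU's Authentication Value field is pre-filled with Apad."""
    name, key = key_table[key_id]
    digest_len = HASHES[name]().digest_size
    preimage = header + tlvs + auth_tlv(key_id, apad(digest_len))
    mac = hmac.new(key, preimage, HASHES[name]).digest()
    return header + tlvs + auth_tlv(key_id, mac)


def verify_pdu(pdu, key_table=KEY_TABLE, header_len=len(HEADER)):
    """Return the Key ID that authenticated the PDU, or None to discard it."""
    for off, t, length, val in iter_tlvs(pdu, header_len):
        if t != AUTH_TLV_TYPE:
            continue
        if length < 3 or val[0] != AUTH_TYPE_CRYPTO:
            return None
        key_id = struct.unpack("!H", val[1:3])[0]
        if key_id not in key_table:          # unknown Key ID: discard
            return None
        name, key = key_table[key_id]
        digest_len = HASHES[name]().digest_size
        received = val[3:]
        if len(received) != digest_len:      # length must match the bound hash
            return None
        vstart = off + 2 + 3                 # TLV header + auth type + Key ID
        preimage = pdu[:vstart] + apad(digest_len) + pdu[vstart + digest_len:]
        expected = hmac.new(key, preimage, HASHES[name]).digest()
        return key_id if hmac.compare_digest(received, expected) else None
    return None                              # no Authentication TLV: discard


if __name__ == "__main__":
    area = tlv(1, b"\x03\x49\x00\x01")       # Area Addresses TLV, area 49.0001
    pdu_old = sign_pdu(HEADER, area, 1)      # keyed with the SHA-1 key
    pdu_new = sign_pdu(HEADER, area, 2)      # same content, rolled to SHA-256
    assert verify_pdu(pdu_old) == 1 and verify_pdu(pdu_new) == 2
    tampered = bytearray(pdu_old)
    tampered[len(HEADER) + 2] ^= 1           # flip one bit of the area address
    assert verify_pdu(bytes(tampered)) is None
    assert verify_pdu(pdu_old, {2: KEY_TABLE[2]}) is None   # Key ID 1 retired
    # The gap: nothing in the HMAC binds time or a sequence number, so a
    # captured PDU verifies again later (see Section 2.3.1, Replay Attacks).
    assert verify_pdu(pdu_old) == 1
```

   Re-keying in this model is a key-table change on every router (add
   Key ID 2, start sending with it, retire Key ID 1 once no neighbour
   still sends with it); the verifier accepts whichever configured Key
   ID a PDU names, which is the basic intra-connection re-keying the
   text refers to.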
   This draft summarizes the current state of cryptographic key usage in
   the IS-IS protocol and several previous efforts to analyze IS-IS
   security.  These include the base IS-IS specification [RFC1195],
   [RFC5304], [RFC5310], and the OPSEC working group document [RFC6039].
   The authors would like to acknowledge all the previous work done in
   the above documents.
   This document also analyzes the applicability of the various threats
   described in [RFC6862] to IS-IS, lists gaps, and provides specific
   recommendations to thwart the applicable threats for both manual
   keying and automated key management mechanisms.
1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

1.2.  Acronyms
   [skipping to change at page 11, line 29]
7.2.  Informative References

   [I-D.hartman-karp-mrkmp]
              Hartman, S., Zhang, D., and G. Lebovitz, "Multicast Router
              Key Management Protocol (MaRK)", draft-hartman-karp-
              mrkmp-05 (work in progress), September 2012.

   [I-D.ietf-karp-crypto-key-table]
              Housley, R., Polk, T., Hartman, S., and D. Zhang,
              "Database of Long-Lived Symmetric Cryptographic Keys",
              draft-ietf-karp-crypto-key-table-08 (work in progress),
              July 2013.  (The -00 revision cited draft -06, February
              2013.)

   [I-D.weis-gdoi-mac-tek]
              Weis, B. and S. Rowles, "GDOI Generic Message
              Authentication Code Policy", draft-weis-gdoi-mac-tek-03
              (work in progress), September 2011.

   [I-D.yeung-g-ikev2]
              Rowles, S., Yeung, A., Tran, P., and Y. Nir, "Group Key
              Management using IKEv2", draft-yeung-g-ikev2-06 (work in
              progress), April 2013.  (The -00 revision cited draft -05,
              October 2012.)

   [RFC2154]  Murphy, S., Badger, M., and B. Wellington, "OSPF with
              Digital Signatures", RFC 2154, June 1997.

   [RFC4107]  Bellovin, S. and R. Housley, "Guidelines for Cryptographic
              Key Management", BCP 107, RFC 4107, June 2005.

   [RFC5309]  Shen, N. and A. Zinin, "Point-to-Point Operation over LAN
              in Link State Routing Protocols", RFC 5309, October 2008.
End of changes.  8 change blocks; 14 lines changed or deleted, 15 lines changed or added.

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/