draft-ietf-ospf-rfc6506bis-03.txt   draft-ietf-ospf-rfc6506bis-04.txt 
OSPF Working Group M. Bhatia OSPF Working Group M. Bhatia
Internet-Draft Alcatel-Lucent Internet-Draft Alcatel-Lucent
Obsoletes: 6506 (if approved) V. Manral Obsoletes: 6506 (if approved) V. Manral
Intended status: Standards Track Hewlett Packard Intended status: Standards Track Hewlett Packard
Expires: May 30, 2014 A. Lindem Expires: June 11, 2014 A. Lindem
Ericsson Ericsson
November 26, 2013 December 8, 2013
Supporting Authentication Trailer for OSPFv3 Supporting Authentication Trailer for OSPFv3
draft-ietf-ospf-rfc6506bis-03.txt draft-ietf-ospf-rfc6506bis-04.txt
Abstract Abstract
Currently, OSPF for IPv6 (OSPFv3) uses IPsec as the only mechanism Currently, OSPF for IPv6 (OSPFv3) uses IPsec as the only mechanism
for authenticating protocol packets. This behavior is different from for authenticating protocol packets. This behavior is different from
authentication mechanisms present in other routing protocols (OSPFv2, authentication mechanisms present in other routing protocols (OSPFv2,
Intermediate System to Intermediate System (IS-IS), RIP, and Routing Intermediate System to Intermediate System (IS-IS), RIP, and Routing
Information Protocol Next Generation (RIPng)). In some environments, Information Protocol Next Generation (RIPng)). In some environments,
it has been found that IPsec is difficult to configure and maintain it has been found that IPsec is difficult to configure and maintain
and thus cannot be used. This document defines an alternative and thus cannot be used. This document defines an alternative
mechanism to authenticate OSPFv3 protocol packets so that OSPFv3 does mechanism to authenticate OSPFv3 protocol packets so that OSPFv3 does
not only depend upon IPsec for authentication. This document not only depend upon IPsec for authentication.
obsoletes RFC 6506.
The OSPFv3 Authentication Trailer was originally defined in RFC 6506.
This document obsoletes RFC 6506 by providing a revised definition
including clarifications and refinements of the procedures.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 30, 2014. This Internet-Draft will expire on June 11, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 41 skipping to change at page 3, line 41
Regarding replay protection, [RFC4552] states that: Regarding replay protection, [RFC4552] states that:
Since it is not possible using the current standards to provide Since it is not possible using the current standards to provide
complete replay protection while using manual keying, the proposed complete replay protection while using manual keying, the proposed
solution will not provide protection against replay attacks. solution will not provide protection against replay attacks.
Since there is no replay protection provided there are a number of Since there is no replay protection provided there are a number of
vulnerabilities in OSPFv3 that have been discussed in [RFC6039]. vulnerabilities in OSPFv3 that have been discussed in [RFC6039].
Since there is no deterministic way to differentiate between While techniques exist to identify ESP Null packets [RFC5879], these
encrypted and unencrypted ESP packets by simply examining the packet, techniques are generally not implemented in the data planes of OSPFv3
it could be difficult for some implementations to prioritize certain routers. This makes it very difficult for implementations to examine
OSPFv3 packet types, e.g., Hello packets, over the other types. OSPFv3 packet and prioritize certain OSPFv3 packet types, e.g., Hello
packets, over the other types.
This document defines a new mechanism that works similarly to OSPFv2 This document defines a new mechanism that works similarly to OSPFv2
[RFC5709] to provide authentication to the OSPFv3 packets and [RFC5709] to provide authentication to the OSPFv3 packets and
attempts to solve the problems related to replay protection and attempts to solve the problems related to replay protection and
deterministically disambiguating different OSPFv3 packets as deterministically disambiguating different OSPFv3 packets as
described above. described above.
This document adds support for the Secure Hash Algorithms (SHAs) This document adds support for the Secure Hash Algorithms (SHAs)
defined in the US NIST Secure Hash Standard (SHS), which is specified defined in the US NIST Secure Hash Standard (SHS), which is specified
by NIST FIPS 180-3. [FIPS-180-3] includes SHA-1, SHA-224, SHA-256, by NIST FIPS 180-3. [FIPS-180-3] includes SHA-1, SHA-224, SHA-256,
skipping to change at page 23, line 19 skipping to change at page 23, line 19
[RFC4822] Atkinson, R. and M. Fanto, "RIPv2 Cryptographic [RFC4822] Atkinson, R. and M. Fanto, "RIPv2 Cryptographic
Authentication", RFC 4822, February 2007. Authentication", RFC 4822, February 2007.
[RFC5310] Bhatia, M., Manral, V., Li, T., Atkinson, R., White, R., [RFC5310] Bhatia, M., Manral, V., Li, T., Atkinson, R., White, R.,
and M. Fanto, "IS-IS Generic Cryptographic and M. Fanto, "IS-IS Generic Cryptographic
Authentication", RFC 5310, February 2009. Authentication", RFC 5310, February 2009.
[RFC5613] Zinin, A., Roy, A., Nguyen, L., Friedman, B., and D. [RFC5613] Zinin, A., Roy, A., Nguyen, L., Friedman, B., and D.
Yeung, "OSPF Link-Local Signaling", RFC 5613, August 2009. Yeung, "OSPF Link-Local Signaling", RFC 5613, August 2009.
[RFC5879] Kivinen, T. and D. McDonald, "Heuristics for Detecting
ESP-NULL Packets", RFC 5879, May 2010.
[RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, [RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
"Internet Key Exchange Protocol Version 2 (IKEv2)", "Internet Key Exchange Protocol Version 2 (IKEv2)",
RFC 5996, September 2010. RFC 5996, September 2010.
[RFC6039] Manral, V., Bhatia, M., Jaeggli, J., and R. White, "Issues [RFC6039] Manral, V., Bhatia, M., Jaeggli, J., and R. White, "Issues
with Existing Cryptographic Protection Methods for Routing with Existing Cryptographic Protection Methods for Routing
Protocols", RFC 6039, October 2010. Protocols", RFC 6039, October 2010.
[RFC6234] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms [RFC6234] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011. (SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011.
skipping to change at page 26, line 5 skipping to change at page 25, line 9
Routing Directorate review. Routing Directorate review.
Thanks to Stephen Farrell for comments during the IESG review. Thanks to Stephen Farrell for comments during the IESG review.
Stephen was also involved in the discussion of cross-protocol Stephen was also involved in the discussion of cross-protocol
attacks. attacks.
Thanks to Brian Carpenter for comments made during Gen-ART review. Thanks to Brian Carpenter for comments made during Gen-ART review.
Thanks to Victor Kuarsingh for the OPS-DIR review. Thanks to Victor Kuarsingh for the OPS-DIR review.
Thanks to Brian Weis for the SEC-DIR review.
Authors' Addresses Authors' Addresses
Manav Bhatia Manav Bhatia
Alcatel-Lucent Alcatel-Lucent
Bangalore Bangalore
India India
Email: manav.bhatia@alcatel-lucent.com Email: manav.bhatia@alcatel-lucent.com
Vishwas Manral Vishwas Manral
 End of changes. 8 change blocks. 
10 lines changed or deleted 19 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/