Skip to main content

Keying and Authentication for Routing Protocols (KARP) Overview, Threats, and Requirements
draft-ietf-karp-threats-reqs-07

Revision differences

Document history

Date Rev. By Action
2013-02-27
07 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2012-12-21
07 Amy Vezza State changed to RFC Ed Queue from Approved-announcement sent
2012-12-20
07 (System) IANA Action state changed to No IC
2012-12-20
07 Amy Vezza State changed to Approved-announcement sent from IESG Evaluation::AD Followup
2012-12-20
07 Amy Vezza IESG has approved the document
2012-12-20
07 Amy Vezza Closed "Approve" ballot
2012-12-20
07 Amy Vezza Ballot approval text was generated
2012-12-20
07 Stewart Bryant Ballot writeup was changed
2012-12-20
07 Sean Turner [Ballot comment]
Thank you for addressing my concerns.
2012-12-20
07 Sean Turner [Ballot Position Update] Position for Sean Turner has been changed to No Objection from Discuss
2012-12-19
07 Gregory Lebovitz New version available: draft-ietf-karp-threats-reqs-07.txt
2012-11-05
06 Sean Turner
[Ballot discuss]
Based on -06

1) s4 #5: Needs more detail about inter- and intra-session replay protection.

2) s4 #8: I don't entirely understand this: …
[Ballot discuss]
Based on -06

1) s4 #5: Needs more detail about inter- and intra-session replay protection.

2) s4 #8: I don't entirely understand this:

8.  Re-keying SHOULD be supported in such a way that it can occur
      during a session without the peer needing to use multiple keys
      to validate a given packet.  The rare exception will occur if a
      routing protocol's design team can find no other way to re-key
      and still adhere to the other requirements in this section.  The
      specification SHOULD include a key identifier, which allows
      receivers to choose the correct key (or determine that they are
      not in possession of the correct key).

I don't understand how the 1st and 2nd relate.  The first sentence says use one key, and then it says implement a key identifier so I can pick from the two keys?  Aren't we really just asking for re-keying in session - not necessarily under the same key. That is:

8.  Re-keying SHOULD be supported in such a way that it can occur
      during a session. ....
2012-11-05
06 Sean Turner
[Ballot comment]
Updated based on -06:

1)  s2.3: Step 4: Still having issues with the following but I think you're getting closer:

Measurably, we
would …
[Ballot comment]
Updated based on -06:

1)  s2.3: Step 4: Still having issues with the following but I think you're getting closer:

Measurably, we
would like to see an increase in the number of surveyed
respondents who report deploying the updated authentication and
integrity mechanisms in their networks, as well as a sharp rise
in usage for the total percentage of their network's routers.

I think you're trying to say this:

We would like to see a measurable increase in the number of surveyed
respondents who report [ISR2008] deploying ....

2) s4 #7: I think it's true that any good policy would require a key changed ... r/Keys may need to/Keys need to

3) s4 #14: Maybe: r/immediately verifiable by/immediately and independently verifiable by

4) s4 #19: I think the 1st and 3rd sentences are duplicated.  And "some benefit" is a little squishy:

19.  Every new KARP-developed security mechanisms MUST support
        incremental deployment. 

        Proposed solutions MUST
        support an incremental deployment method that provides some
        benefit for those who participate.
2012-11-05
06 Sean Turner Ballot comment and discuss text updated for Sean Turner
2012-11-05
06 Sean Turner Ballot comment text updated for Sean Turner
2012-09-26
06 (System) Sub state has been changed to AD Followup from Revised ID Needed
2012-09-26
06 Manav Bhatia New version available: draft-ietf-karp-threats-reqs-06.txt
2012-09-13
05 Brian Weis Changed protocol writeup
2012-09-13
05 Brian Weis Changed shepherd to Brian Weis
2012-09-13
05 Brian Weis IETF state changed to Submitted to IESG for Publication from WG Document
2012-09-13
05 Brian Weis Annotation tag Revised I-D Needed - Issue raised by IESG set.
2012-09-12
05 Joel Halpern Annotation tag Doc Shepherd Follow-up Underway cleared.
2012-09-12
05 Joel Halpern Changed protocol writeup
2012-07-19
05 Brian Weis Authors are addressing comments/disscuss items from the IESG review.
2012-07-19
05 Cindy Morgan State changed to IESG Evaluation::Revised ID Needed from IESG Evaluation
2012-07-19
05 Stephen Farrell
[Ballot comment]

- Are there any weird cases where a lack of address
aggregtaion (esp for IPv6) could create a privacy
issue that would mean …
[Ballot comment]

- Are there any weird cases where a lack of address
aggregtaion (esp for IPv6) could create a privacy
issue that would mean that a confidentiality service
might be needed? (Just checking)

- s/privacy/confidentiality/ please

- the language telling secdir reviewers what to do ought
be less presecriptive

- I agree with Sean's discuss
2012-07-19
05 Stephen Farrell [Ballot Position Update] New position, No Objection, has been recorded for Stephen Farrell
2012-07-19
05 Russ Housley
[Ballot comment]

  Please consider the editorial comments from the Gen-ART Review by
  Vijay Gurbani on 18-July-2012.  The review can be found here:
  …
[Ballot comment]

  Please consider the editorial comments from the Gen-ART Review by
  Vijay Gurbani on 18-July-2012.  The review can be found here:
  http://www.ietf.org/mail-archive/web/gen-art/current/msg07639.html
2012-07-19
05 Russ Housley [Ballot Position Update] New position, No Objection, has been recorded for Russ Housley
2012-07-19
05 Gonzalo Camarillo [Ballot Position Update] New position, No Objection, has been recorded for Gonzalo Camarillo
2012-07-19
05 Sean Turner
[Ballot discuss]
Thanks to the authors for getting the draft this far.  First off a big mea cupla for following KARP and not getting to …
[Ballot discuss]
Thanks to the authors for getting the draft this far.  First off a big mea cupla for following KARP and not getting to this earlier.

Steve Kent's secdir review pointed out many issues with this draft.  Many of those are in the comments section and some are here.  I guess I'm willing to be shouted down that the following things turned up during the secdir aren't blocking, but I think we might be doing a disservice to others if we don't fix these because I find the draft hard to follow and some of the requirements are vague.

1) s1.1: The KDF definition lists four sources from which to generate keys.  Two seem to be the same, (i) a random or pseudorandom seed value and (iii) a non-uniform random source, I'd like to understand how they differ.

2) s1.1: The KMP definition indicates that the KMP determines how secret keys are generated - this isn't always true.  Are you presupposing a solution?  Here's some suggested text:

OLD:

It determines how secret keys are generated and made
  available to both the parties. 

NEW:

It determines how secret keys are made available to both
parties and in some cases also determines how the secret
keys are generated. 

3) s1.1: PRF vs KDF: The definitions look to be pretty similar.  It'd be worth saying how they're different or whether they're the same.  Often times PRFs are used in KDFs.  Maybe Brian can help with this based on (https://datatracker.ietf.org/doc/draft-irtf-cfrg-kdf-uses/).

4) s2.3 Step 4: Is there an agreement about the common operator teams and common deployment process?  How will this help evaluations?  Who will conduct the survey?  Who's going to perform the interviews?  Is there a citation for the interviews?

5) s2.3: Step 4: Having some trouble parsing the following:

Measurably, we
would like to see an increase in the number of surveyed
respondents who report deploying the updated authentication and
integrity mechanisms in their networks, as well as a sharp rise
in usage for the total percentage of their network's routers.

Are you asking for more people to deploy and to fill out the surveys?

6) s3.1.2: Stolen Keys (s3.1.2) aren't a threat source but Terminated Employees are (s3.1.2.1).

6a) How about re-titling s3.1.2.1 to INSIDERS and moving it to s3.1.2 and moving s3.1.2 to somewhere else (not sure where yet).

6b) RFC 4593 says there's two sources: outsiders (addressed) and byzantine (addressed). Are we updating RFC 4593 by adding a new type of adversary?

7) s3.2: I thought a non-goal was "Message content validity (routing database validity)" so it's unclear why FALSIFICATION is in scope?

8) s3.2: I know 4593 uses INTERFERENCE, but how are the things that are listed under that any different than the DoS attacks (or integrity violations that an attacker would try to us in a DoS attacks) introduced here?  In s3.3 you list DoS under INTERFERENCE so maybe we should try to make the two sections be more alike and group them together somehow.

9) I know 4593 uses "noise" but how's that any different than inserting messages, replying out-dated messages, corrupting messages, changing message contents?  I can hear everybody saying it's in 4593 go away, but we don't have to continue to repeat the sins of our fathers/mothers.

10) s3.2: The brute force paragraph indicates that the key should be long enough to thwart attacks 10 or more years out.  That's a big range - is it 11 or 100 years?  The answer is going to drive the solution.

11) s3.2/3.3: FALSIFICATION is listed as in scope in 3.2 and out of scope in 3.3.  Very confusing.

12) s4 #3: Algorithm agility is about being able to transition from one alg to another not supporting two MTI algs at the same time. I think #3 needs to be reworded.

13) s4 #5: Needs more detail about inter- and intra-session replay protection.

14) s4 #7: If keys are only changed when somebody leaves it is not very periodic, confidentiality is out-of-scope, and I'm not sure what you mean by entropy (are you saying to add more entropy - i.e., bigger key). How about:

Intra-session re-keying which occurs without a break or
interruption to the current routing session, and, if possible,
without data loss, MUST be specified.  Keys need to be changed
periodically, for operational confidentiality (e.g. when an
administrator who had access to the keys leaves an organization)
and for entropy purposes, and a re-keying mechanism enables the
operators to execute the change without productivity loss.

To:

  Security mechanisms MUST specify a means to effect
  intra-session re-keying without disrupting a routing
  session.  Keys need to be changed periodically, for
  authentication and integrity (e.g., when an administrator
  who had access to the keys leaves an organization).

15) s4 #7 & #8: Are #7 and #8 at odds?  Is there any other way to rekey an intra-session without sending the thing twice under two different keys?  Maybe "intra-" should be dropped?

16) s4 #8: "Efficient" rekeying - how do we measure this?  One person's efficiency is another person's IPR ;)  Maybe this just needs to be reworded:

  Re-keying SHOULD be supported in such a way that it can occur
  during a session without the peer needing to use multiple
  keys to validate a given packet.

17) s4 #12: Why not MUST consider and allow for future use of KMP?  I guess we could define one and then chuck it away but would we really do that?

18) s4 #13: Levies the following requirement:

It MUST be
obvious how the keying material was obtained, and the process
for obtaining the keying material MUST exist outside of the
Routing Protocol. 

Obvious to some is not obvious to others.  I think this needs to be restated.  Is this just about a key identifier so you can locate it in the table?

19) s4 #14: Levies a requirement of no more than 5% increase in convergence time.  It then goes on to say this time will be measured by router vendors and ISPs. Are folks not in that group going to be able to verify the data too?

20) s4 #19: In the following:

Proposed solutions MUST support an incremental
deployment method that provides some benefit for those who
participate. 

Who are those?  Is that inter- or intra-AS deployments?

21) s5: Isn't the last paragraph in the security misplaced?  Ought it be in the mainbody describing what's in and what's out?
2012-07-19
05 Sean Turner
[Ballot comment]
There's a whole lotto these and I'm willing to provide the authors with an update .nroff or .txt file.

1) abstract:

OLD:

Different …
[Ballot comment]
There's a whole lotto these and I'm willing to provide the authors with an update .nroff or .txt file.

1) abstract:

OLD:

Different routing protocols exist and each employs its own mechanism
for securing the protocol packets on the wire.

NEW:

  Different routing protocols employ different mechanisms
  for securing protocol packets on the wire. 

OLD:

... routing protocols' transport systems, including any
mechanisms built into the routing protocols themselves, which
accomplish packet authentication.

NEW:

... routing protocol transport systems. This includes any
mechanisms built into the routing protocols themselves, to authenticate
packets. 

2) s1:

OLD:

This document addresses the last item in the list above, securing the
transmission of routing protocol packets on the wire, or rather
securing the routing protocols' transport systems, including any
mechanisms built into the routing protocols themselves which
accomplish packet authentication.  This effort is referred to as
Keying and Authentication for Routing Protocols, or "KARP".  KARP is
concerned with issues and techniques for protecting the messages and
their contents between directly communicating peers.  This may
overlap with, but is strongly distinct from, protection designed to
ensure that routing information is properly authorized relative to
sources of information.  Such assurances are provided by other
mechanisms and are outside the scope of this document and work that
relies on it.

NEW:

This document addresses the last item in the list above, securing
the transmission of routing protocol packets on the wire. More
precisely, it focuses on securing the transport systems employed by
routing protocols, including any mechanisms built into the protocols
themselves to authenticate packets.  This effort is referred to as
Keying and Authentication for Routing Protocols, or "KARP".  KARP is
concerned with issues and techniques for protecting the messages and
their contents between directly communicating peers.  This may
overlap with, but is strongly distinct from, protection designed to
ensure that routing information is properly authorized relative to
the source of the information.  Such assurances are provided by other
mechanisms and are outside the scope of this document.

In this text is the "their content" trying to distinguish between contents and headers but it's ambiguous.

OLD:

and to provide a set of requirements for KARP design teams to
follow as they tackle [RFC6518], Section 4.1's "Work Phase 1", the
update to a routing protocol's existing transport security.

NEW:

and to provide a set of requirements for KARP design teams to
follow as they update a routing protocol's existing transport
security (see [RFC6518], Section 4.1's "Work Phase 1’).

OLD:

Section 3 lists the
threats from [RFC4593], Generic Threats To Routing Protocols, that
are in scope for routing protocols' transport systems' per packet
authentication.

NEW:

Section 3 lists the
threats from [RFC4593] (Generic Threats To Routing Protocols) that
are in scope for per-packet authentication for routing protocol
transport systems.

OLD:

Individual
protocol analysis documents will need to be more specific in their
usage.

NEW:

Individual
protocol analysis documents will need to be more specific in their
use of this phrase.

3) s1.1:

Probably worth adding some text about the terms later defined in s3.1.

Identity Authentication: The point here is that you get an authenticated identity after it's been verified.

OLD:

Once the identity is determined

NEW:

Once the identity is verified

OLD:

or an assymetric key containted in a certificate

NEW:

or an asymmetric key contained in a certificate.

OLD:

The use of these different identity authentication

NEW:

The use of these different identity verification

For the next one it's not clear what's meant by "ongoing effort".  I'd just delete it because I think that supposed to be management.

OLD:

  ongoing effort and management

NEW:

  management

OLD:

For example, they differ in resistance
to a security breach, and the effort required to remediate the
whole system in the event of such a breach. 

NEW:

For example, they differ in resistance
to a security breach, and the effort required to recover
in the event of such a breach. 

KDF: The or derive part isn't really needed.

OLD:

A KDF is a function in which an input key and other input data is
used to generate (or derive) keying material that can be employed
by cryptographic algorithms.

NEW:

A KDF is a function in which an input key and other input data is
used to generate keying material for use with
cryptographic algorithms. 

NEW:

and r/a truly random/a random

KMP:

r/(or a group)/(or among a group)


The last paragraph isn't really need it's is copied from the RFC 6518.

KMP Function:

r/Any actual/Any

Peer Key

r/authentication mechanism used ina/uthentication mechanism are used in
r/a KMP that would/a KMP and would

PRF:

r/PRF/Pseudorandom Function (PRF)
r/efficiently-computable functions, which emulate
  /efficiently-computable functions that emulate

Routing Protocol: Since this is about the last item in the intro we should stick with that terminology:

r/to provide or enhance its peer authentication mechanisms
  /to its packets on the wire

SA:

OLD:

  Examples of items that may
  exist in an SA include: Identifier, PSK, Traffic Key,
  cryptographic algorithms, key lifetimes.

NEW:

  Examples of attributes that may be associated with an SA include:
  Identifier, PSK, Traffic Key, cryptographic algorithms, key lifetimes.

Traffic Key:

OLD:

protecting the routing protocol traffic.  Since the traffic keys
used in a particular connection are not a fixed part of a device
configuration no data exists anywhere else in the operator's
systems which can be stolen, e.g. in the case of a terminated or
turned employee.  If a server or other data store is stolen or
compromised, the thieves gain no access to current traffic keys.

NEW:

protecting routing protocol traffic. A traffic key should not be
a fixed value in a device configuration. A traffic key should be
known only to the participants in a connection, so that a
compromise of stored , e.g. in the case of a terminated or
turned employee, does not result in disclosure of traffic keys.
If a server or other data store is stolen or compromised,
the attackers gain no access to current traffic keys.

4) s2.1:

Lines up with the three services listed earlier:
r/privacy service/confidentiality

r/have existing/incorporate

r/and both have/and have (there's four protocols listed earlier assume you mean all four)

r/use of existing/use of existing (exist is used later so remove this one or the later one)

(I think you're trying to say with the Routing Protocol)
r/with the bits-on-the-wire mechanisms
  /Routing Protocol

5) s2.2:

r/The work/This document
r/The roadmap for any one routing protocol/The roadmap for any routing protocol
r/The performance impact of any incremental step of security improvement
  /The performance impact of any incremental security improvement
r/However,in the spirit of incremental deployment, we first
  /However, in the spirit of incremental deployment, the IETF first

6) s2.3:
r/the wire of existing/the wire for existing
r/in the earlier sections/in Section 2.2.

OLD:

Ensure that the improved security solutions on currently running
routing infrastructure equipment are deployable.  This begs the
consideration of the current state of processing power available
on routers in the network today.

NEW:

Ensure that the improved security solutions is deployable on the
current routing infrastructure.  The current state of processing
power available on routers will need to be investigated.

Get rid of "we"
r/to ensure that what we specify can
  /to ensure that what solutions can be specified

r/Protoco/Protocol
r/The survey/The survey [ISR2008]

Get rid of our - I've heard this too :)
r/From our personal conversations with operators, of those using MD5,
  /Anecdotal evidence from operators using MD% shows

r/as cumbersome/as cumbersome to manage securely
r/threat at play here/threat here

r/security and threat protection/security

6) s2.4:

r/privacy/confidentiality
r/efforts, like SIDE/working groups (e.g., SIDR).

7) s2.5:

r/with updates to the Routing/with updating Routing
r/with close/in close
r/are delegated/are tasked

OLD:

... , presumably due to a perception of significantly
improved security value coupled with relative similarity to
deployment complexity and cost.  Conversely, the work will be
considered a failure if the operators do not care to deploy it,
either due to lack of value or perceived (or real) over-
complexity of operations.

NEW:

... . It is anticipated that deployment will take place
only if operators perceive that the improved security offered
by the Routing Protocol updates warrant the complexity and cost
of deployment and opertation.  Conversely, the work will be
considered a failure if operators do not deploy it,
either due to lack of perceived value or due to perceived
operational complexity.

8) s3:

r/"threat" defined in/"threat" from
r/and simply listing/and listing

OLD:

As such, the below text intentionally does not constitute
a self-standing, complete threat analysis, but rather describes the
applicability of the existing threat analysis [RFC4593]relevant to
KARP.

NEW:

As such, the following text intentionally is not a comprehensive
threat analysis. Rather it describes the
applicability of the existing threat analysis [RFC4593] to
KARP.

9) s3.1.

The BYZANTINE sources should be listed here to align with [RFC4593].  Then you can say they're out of scope in s3.3.

10) s3.1.1:

r/sources/attackers
r/path of packets between the two routing/path between two routing
r/attacker actually/attacker
r/attacker only/attacker
r/treat/reject
r/may often eventually/may

An MitM can also spoof packets.  So maybe:

11) s3.1.2 (assuming it'll get moved someplace):

r/router A to router B/router A, destined for router B
r/having/one has
r/The stolen keys,/The stolen keys
r/keying material will become necessary with little or
  no advanced warning
  /keying material will need to be put in place with little
  or no advanced warning
r/short, or make nonexistent,/short
r/the source with stoke keys attack by creating
  /this type of attack by
r/habitually/regularly (frequently)

12) s3.1.2.1:

To avoid any confusion just use the definition from 4593
r/On the other hand, they aren't really a BYZANTINE
  attacker, which is defined to be an attack from an INSIDER, a
  legitimate router
  /One the other hand, they aren't really a BYZANTINE attacker which
  is defined in [RFC4593] as: faulty, misconfigured, or subverted
  routers; i.e., legitimate participants in the routing protocol.
r/to be legitimate participants/to be a legitimate participant
r/"insider"/INSIDER

13) s3.2:

Title and first sentence don't match.  assume r/ATTACK/THREAT.  Lines up nicely with 4593.

SPOOFING: I hate to copy text, but it might really help to copy this bit from 4593 about spoofing as a  second sentence:

Spoofing is special in that it can be used to carry out
other threat actions causing other threat consequences.

I tend to agree with Steve, if this is an example of Spoofing then I'm not sure why it's not indented below SPOOFING.

It would make more sense to have one DoS bullet and say that DoS involving the routing protocol is in scope (opposite of what's in the out-of-scope section), generally describe DoS, and then give two examples.  There might be a bunch of others that we think of later.

14) s3.3:
r/(Section 2.1)/(Section 3.2)
r/SNIFFING/SNIFFING (passive wiretapping) - you mentioned active wiretapping earlier so it only makes sense to add it here.
r/privacy/confidentiality

15) s4:

r/how each of the below requirements are met
  /how each of the following requirements are met

Please do a review of the 2119-language to make sure that all the MUSTs/SHOULDs are capitalized.  Also sometimes the "p" isn't capitalized in Router protocols when maybe it should.

#1: r/by the authentication mechanism/by an authentication/integrity mechanism

#5: r/The ability … IP address.
    /The ability to run a MAC operation with K is used
      for (group-level) authentication  and message integrity, and
      (currently) no other authentication check is performed.

#6: r/REQUIRES, and even forces,/MUST trigger

#9: r/must/MUST
    r/filter/reject

#10:
r/for a routing protocol/for each routing protocol security mechanism
r/at or below/at
Not sure you need the explanation to understand the requirement - just delete that bit.


#11: r/For backward compatibility reasons/For backward compatibility reasons,

#12: r/Architecture of the/The

#13: r/the Routing/a Routing
    r/This will allow for the various key
        generation methods, like manual keys and KMPs, to be used with
        the same Routing Protocol mechanism.
      /This will accommodate both manual keying and use of KMPs and use of KMPs./

#14: I don't think the alternate way of stating the requirement adds anything - it's really squishy: minimal increase.  I'd drop it.
  Also, does this contradict the earlier measurement criteria, which WILL be affected by specific implementations. Which criteria do you really want to employ?

#15: r/advertisments/advertisements

#17: r/Routing protocols MUST only send minimal information regarding
      the authentication mechanisms and the parameters in its protocol
      packets.  One reason for this is to keep the Routing Protocols
        as clean and focused as possible, and load security negotiations
        into the future KMP as much as possible.
      /The Routing Protocol MUST send minimal information regarding the
      the authentication mechanisms and associated parameters in its protocol
      packets.  This keeps the Routing Protocols
        as clean and focused as possible, and loads security negotiations
        into the KMP as much as possible.

#18: r/seperate/separate
    r/that are based on this requirement/that motivate this requirement

#19:  The 2nd and 3rd sentences are redundant.  Delete the 3rd.

#19:
B: r/compatibility in the message/compatibility with respect to message
B: r/mixed security/secure and non-secure
C: r/systems/routers

#20: r/to destabilize routers/to degrade router perform

#22:
r/for the routing system to function/for the routing system to be secure
r/information/security association?  (If by information you mean shared secret key)?
r/okay/acceptable X2
2012-07-19
05 Sean Turner [Ballot Position Update] New position, Discuss, has been recorded for Sean Turner
2012-07-19
05 Benoît Claise [Ballot Position Update] New position, No Objection, has been recorded for Benoit Claise
2012-07-19
05 Adrian Farrel
[Ballot comment]
I am pleased to support the publication of this document.

Requirement 20 in Section 4 seems to be the only one without an …
[Ballot comment]
I am pleased to support the publication of this document.

Requirement 20 in Section 4 seems to be the only one without an RFC 2119
word.

Think this should be:

        Thus proposed solutions SHOULD be evaluated carefully with
2012-07-19
05 Adrian Farrel [Ballot Position Update] New position, Yes, has been recorded for Adrian Farrel
2012-07-18
05 Vijay Gurbani Request for Telechat review by GENART Completed. Reviewer: Vijay Gurbani.
2012-07-18
05 Ralph Droms [Ballot Position Update] New position, No Objection, has been recorded for Ralph Droms
2012-07-18
05 Ron Bonica [Ballot Position Update] New position, No Objection, has been recorded for Ronald Bonica
2012-07-17
05 Robert Sparks [Ballot Position Update] New position, No Objection, has been recorded for Robert Sparks
2012-07-17
05 Wesley Eddy [Ballot Position Update] New position, No Objection, has been recorded for Wesley Eddy
2012-07-17
05 Martin Stiemerling [Ballot Position Update] New position, No Objection, has been recorded for Martin Stiemerling
2012-07-13
05 Samuel Weiler Request for Telechat review by SECDIR Completed: Not Ready. Reviewer: Stephen Kent.
2012-07-13
05 Brian Haberman
[Ballot comment]
- Section 1.1

s/assymetric/asymmetric/

- Section 2.1

* I agree with Barry that the document should not inter-change confidentiality and privacy.  They are …
[Ballot comment]
- Section 1.1

s/assymetric/asymmetric/

- Section 2.1

* I agree with Barry that the document should not inter-change confidentiality and privacy.  They are different components and can be accomplished in vastly different ways.

- Section 2.3

* Does backwards compatibility need to be considered?  Or is it being implied within the incremental deployment discussion?

- Section 4

* It may be the way I am reading them, but requirements 21 and 22 seem to be contradictory.  Requirement 21 says "if you can, centralize some features to reduce the work load on all routers".  On the other hand, requirement 22 says "don't build in any external dependencies".
2012-07-13
05 Brian Haberman [Ballot Position Update] New position, No Objection, has been recorded for Brian Haberman
2012-07-12
05 Jean Mahoney Request for Telechat review by GENART is assigned to Vijay Gurbani
2012-07-12
05 Jean Mahoney Request for Telechat review by GENART is assigned to Vijay Gurbani
2012-07-12
05 Barry Leiba
[Ballot comment]
Substantive comments; these are non-blocking, but please consider them
seriously, and feel free to chat with me about them:

-- Section 2.1 -- …
[Ballot comment]
Substantive comments; these are non-blocking, but please consider them
seriously, and feel free to chat with me about them:

-- Section 2.1 --
  Three basic services may be employed in order to secure any piece of
  data as it is transmitted over the wire: confidentiality,
  authenticity, or integrity.

You're not talking about *employing* these to secure anything; they're not "services" that you use.  You're talking about what you *get* as a benefit from securing the data.  Your goal here, by securing the data, is to get authenticity an integrity, but not confidentiality.  Please re-word this accordingly.  You also say "privacy" right after this.  Do you really mean "privacy", or should it be "confidentiality"?

-- Section 2.3 --
OLD
  3.  Ensure that the improved security solutions on currently running
      routing infrastructure equipment are deployable.  This begs the
      consideration of the current state of processing power available
      on routers in the network today.

This is a bit awkward in phrasing.  I suggest this:
NEW
  3.  Ensure that the improved security solutions are deployable on
      currently running routing infrastructure equipment.  This requires
      consideration of the current state of processing power available
      on routers in the network today.

But anyway, isn't this part of item 4, "Operational deployability"?

In item 4:
OLD
      F. There are three use cases for operational peering at play
          here: peers and interconnection with other operators, iBGP,
          and other routing sessions within a single operator, and
          operator-to-customer devices.

I'm not sure I see the three cases.  I think the problem is that one of the cases is itself a list with commas.  You should use semicolons in the outer list when that happens, but in this case maybe you just need to remove the comma after "iBGP"?

-- Section 2.4 --
Privacy and confidentiality are not the same thing; please don't use them interchangeably.  You mean confidentiality, and you should probably scrub the document of all instances of "privacy", because this happened in Section 2.1 as well.

-- Section 3.1.2.1 --
The second paragraph is long, rambling, confused, and confusing.  Please tighten it, trim it, and take out the unnecessary stuff about "well, he could be an INSIDER, and he could be BYZANTINE, but he's unauthorized, and then he's *really* unauthorized, so then he's an OUTSIDER and......"  May I suggest this for the whole paragraph?:
NEW
  A terminated employee, once an INSIDER, becomes unauthorized
  and an OUTSIDER at the point of termination -- no longer a legitimate
  participant in the routing system.  It behooves the operator to change
  the keys, to enforce the revocation of authorization of the old keys, in
  order to minimize the threat source's window of opportunity.

The last two paragraphs also repeat themselves, and should probably be merged.  For instance, the penultimate one says that key changes need to happen "very quickly, with zero impact to the routing system, and with little operational expense," and the last paragraph says, "quickly with minimal impact to the routing system, at low operational cost."  Whether zero or minimal, you shouldn't say the same thing twice in two paragraphs.  Do a merger here.

-- Section 3.2 --
      attacker sends
      spoofed packets aimed at halting or preventing the underlying
      protocol over which the routing protocol runs.

I can't parse "preventing the protocol".  "Halting the protocol" is OK, but "preventing" doesn't work the same way (you have to prevent it *from doing something*).  Re-word.

More general: are all DoS attacks on the routing system really spoofing attacks?  In general, some DoS attacks are done by spoofing and some aren't.  Is that not the case with routing attacks?  (I don't know; I'm asking.)

-- Section 4 --
Requirement 2:
        Strong cryptographic algorithms, as defined and accepted by the
        IETF security community, MUST be specified.  The use of non-
        standard or unpublished algorithms SHOULD BE avoided.

These are contradictory: non-standard and unpublished algorithms won't be accepted by the IETF security community, and so are already declared MUST NOT by the first sentence.  Make it "MUST be avoided," or "MUST NOT be used."

Requirement 3:
        Algorithm agility for the cryptographic algorithms used in the
        authentication MUST be specified, i.e. more than one algorithm
        MUST be specified and it MUST be clear how new algorithms MAY be
        specified and used within the protocol.

Hm.  You don't really need to have more than one algorithm specified; you just have to *be able* to specify more than one, and have a way to add new ones.  This requirement isn't meant to say that if only one suitable algorithm exists at the time the protocol is written, that's a problem.  The "MAY" is also an improper use of 2119 language.  How about this?:

NEW
        Algorithm agility for the cryptographic algorithms used in the
        authentication MUST be specified.  That is, it MUST be possible to
        choose which algorithm is being used, and  it MUST be clear how
        new algorithms are specified and used within the protocol.

You may also need to make changes later in the paragraph, where you say "Mandating two algorithms".

Requirement 5:
Item "A" seems out of place here.  It's not a requirement nor an explanation of one.  It's a specific threat that you've stuck in the middle of the requirements section.  (I also don't see how it directly relates to requirement 5.)  It should be moved elsewhere (maybe a new Section 3.1.3?).

Requirement 6:
        A change of security parameters REQUIRES, and even forces, a
        change of session traffic keys.

"REQUIRES" is not a 2119 word.  If you want to keep 2119 language here, maybe this:
NEW
        A change of security parameters MUST force a
        change of session traffic keys.

Otherwise, just make "requires" lower case.

Requirement 7:
        Intra-session re-keying which occurs without a break or
        interruption to the current routing session, and, if possible,
        without data loss, MUST be specified.

There's a little too much in there, and "if possible" seems not to go so well in the same sentence as MUST.  How about this?:
NEW
        Intra-session re-keying that occurs without a break or
        interruption to the current routing session MUST be
        specified.  If possible, this ought to happen without
        data loss.

Requirement 22:
The second paragraph looks like it should be a separate requirement, number 23.

-- Section 5 --
The second Security Considerations paragraph doesn't seem to belong here. As with paragraph "A" in requirement 5, above, it really looks like it should be moved to the threats discussion, and, in fact, seems like a variation of that attack (a variation that's performed by a Byzantine insider).  I suggest putting both attacks into a new Section 3.1.3, because they're so closely related.

The first paragraph of the Security Considerations seems to stand alone as sufficient for this document.
2012-07-12
05 Barry Leiba [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba
2012-07-05
05 Samuel Weiler Request for Telechat review by SECDIR is assigned to Stephen Kent
2012-07-05
05 Samuel Weiler Request for Telechat review by SECDIR is assigned to Stephen Kent
2012-06-29
05 Stewart Bryant State changed to IESG Evaluation from Waiting for AD Go-Ahead::AD Followup
2012-06-29
05 Stewart Bryant Placed on agenda for telechat - 2012-07-19
2012-06-29
05 Stewart Bryant Ballot has been issued
2012-06-29
05 Stewart Bryant [Ballot Position Update] New position, Yes, has been recorded for Stewart Bryant
2012-06-29
05 Stewart Bryant Created "Approve" ballot
2012-05-10
05 Gregory Lebovitz New version available: draft-ietf-karp-threats-reqs-05.txt
2012-03-09
04 (System) Sub state has been changed to AD Followup from Revised ID Needed
2012-03-09
04 Manav Bhatia New version available: draft-ietf-karp-threats-reqs-04.txt
2011-08-30
03 Stewart Bryant State changed to Waiting for AD Go-Ahead::Revised ID Needed from Waiting for AD Go-Ahead.
2011-08-15
03 (System) State changed to Waiting for AD Go-Ahead from In Last Call.
2011-08-14
03 Samuel Weiler Request for Last Call review by SECDIR Completed. Reviewer: Stephen Kent.
2011-08-03
03 David Harrington Request for Last Call review by TSVDIR Completed. Reviewer: Yoshifumi Nishida.
2011-08-01
03 Samuel Weiler Request for Last Call review by SECDIR is assigned to Stephen Kent
2011-08-01
03 Samuel Weiler Request for Last Call review by SECDIR is assigned to Stephen Kent
2011-07-26
03 Amanda Baber We understand that this document doesn't require any IANA actions.
2011-07-20
03 David Harrington Request for Last Call review by TSVDIR is assigned to Yoshifumi Nishida
2011-07-20
03 David Harrington Request for Last Call review by TSVDIR is assigned to Yoshifumi Nishida
2011-07-18
03 Amy Vezza Last call sent
2011-07-18
03 Amy Vezza
State changed to In Last Call from Last Call Requested.

The following Last Call Announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: …
State changed to In Last Call from Last Call Requested.

The following Last Call Announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Subject: Last Call:  (The Threat Analysis and Requirements for Cryptographic Authentication of Routing Protocols' Transports) to Informational RFC


The IESG has received a request from the Keying and Authentication for
Routing Protocols WG (karp) to consider the following document:
- 'The Threat Analysis and Requirements for Cryptographic Authentication
  of Routing Protocols' Transports'
  as an Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2011-08-15. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  Different routing protocols exist and each employs its own mechanism
  for securing the protocol packets on the wire.  While most already
  have some method for accomplishing cryptographic message
  authentication, in many cases the existing methods are dated,
  vulnerable to attack, and employ cryptographic algorithms that have
  been deprecated.  The "Keying and Authentication for Routing
  Protocols" (KARP) effort aims to overhaul and improve these
  mechanisms.

  This document has two main parts - the first describes the threat
  analysis for attacks against routing protocols' transports and the
  second enumerates the requirements for addressing the described
  threats.  This document, along with the KARP design guide will be
  used by KARP design teams for specific protocol review and overhaul.
  This document reflects the input of both the IETF's Security Area and
  Routing Area in order to form a jointly agreed upon guidance.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-karp-threats-reqs/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-karp-threats-reqs/


No IPR declarations have been submitted directly on this I-D.


2011-07-18
03 Stewart Bryant Ballot writeup text changed
2011-07-18
03 Stewart Bryant Last Call was requested
2011-07-18
03 Stewart Bryant State changed to Last Call Requested from Publication Requested.
2011-07-18
03 Stewart Bryant Last Call text changed
2011-07-18
03 (System) Ballot writeup text was added
2011-07-18
03 (System) Last call text was added
2011-07-18
03 (System) Ballot approval text was added
2011-07-10
03 Brian Weis I-D was reviewed by the document shepherd and sent to IESG.
2011-07-10
03 Brian Weis IETF state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up
2011-06-22
03 Cindy Morgan
(1.a) Brian Weis, co-chair of the KARP working group, is the document shepherd for this document. He has personally reviewed the most current version of …
(1.a) Brian Weis, co-chair of the KARP working group, is the document shepherd for this document. He has personally reviewed the most current version of this document, and believes it is ready for forwarding to the IESG for publication.

(1.b) The document has had sufficient review both inside and outside of the WG.

(1.c) I have no concerns that specific areas were under-reviewed. There were sufficient routing and security reviews of the document.

(1.d) I do not have any concerns or issues with this document.

(1.e) WG consensus behind this document was strong; no public opinions were expressed that it should not be published.

(1.f) There are no known threatened appeals.

(1.g) The document passes id-nits checks & there are no other reviews required.

(1.h) References are in good shape.

(1.i) There are no IANA issues in the document, and there is a placeholder section stating that.

(1.j) There is no formal language usage in the document.

(1.k) Draft Writeup:

Technical Summary
Existing IAB work recommends the tightening of the security of the core routing infrastructure. This document provides a threat analysis for attacks against routing protocols' transports and the then enumerates the requirements for addressing the described threats. It is intended to be used by KARP design teams in their analysis of routing protocols, and will generally be useful in the analysis of routing protocols.

Working Group Summary:
The working group support publication of this document as an informational document.

Document Quality:
This informational document does not specify a protocol or other semantics that can be directly implemented, thus there are no machine implementations. However, in terms of quality it has been reviewed by a number of security experts.
2011-06-22
03 Cindy Morgan Draft added in state Publication Requested
2011-06-22
03 Cindy Morgan [Note]: 'Brian Weis (bew@cisco.com) is the document shepherd.' added
2011-06-18
03 (System) New version available: draft-ietf-karp-threats-reqs-03.txt
2011-06-06
03 Brian Weis Document has completed WGLC.
2011-06-06
03 Brian Weis IETF state changed to WG Consensus: Waiting for Write-Up from WG Document
2011-04-15
02 (System) New version available: draft-ietf-karp-threats-reqs-02.txt
2011-04-11
03 (System) Document has expired
2010-10-09
01 (System) New version available: draft-ietf-karp-threats-reqs-01.txt
2010-03-01
00 (System) New version available: draft-ietf-karp-threats-reqs-00.txt