OSPF with Digital Signatures
RFC 2154
| Field | Value |
|---|---|
| Document | Type: RFC - Experimental (June 1997; Errata). Was draft-murphy-ospf-signature (individual) |
| Authors | Brian Wellington, Madelyn Badger, Sandra Murphy |
| Last updated | 2020-01-21 |
| Stream | Legacy stream |
| Formats | plain text, html, pdf, htmlized (tools), htmlized with errata, bibtex |
| Stream state | Legacy state: (None) |
| Consensus Boilerplate | Unknown |
| RFC Editor Note | (None) |
| IESG state | RFC 2154 (Experimental) |
| Telechat date | |
| Responsible AD | (None) |
| Send notices to | (None) |
Network Working Group                                     S. Murphy
Request for Comments: 2154                                M. Badger
Category: Experimental                                    B. Wellington
                                                          Trusted Information Systems
                                                          June 1997

                       OSPF with Digital Signatures

Status of this Memo

   This memo defines an Experimental Protocol for the Internet community.
   This memo does not specify an Internet standard of any kind.
   Discussion and suggestions for improvement are requested.
   Distribution of this memo is unlimited.

Abstract

   This memo describes the extensions to OSPF required to add digital
   signature authentication to Link State data, and to provide a
   certification mechanism for router data. Added LSA processing and key
   management are detailed. A method for migration from, or co-existence
   with, standard OSPF V2 is described.

Table of Contents

   1  Acknowledgements
   2  Introduction
   3  LSA Processing
      3.1  Signed LSA
      3.2  Router Public Key LSA (PKLSA)
      3.3  MaxAge Processing
   4  Key Management
      4.1  Identifying Keys
           4.1.1  Identifying Router Keys and PKLSAs
           4.1.2  Identifying TE Public Keys
           4.1.3  Key to use for Signing
           4.1.4  Key to use for Verification
      4.2  Trusted Entity (TE) Requirements
      4.3  Scope for Keys and Signature Algorithms
      4.4  Router Key Replacement
      4.5  Trusted Entity Key Replacement
      4.6  Flexible Cryptographic Environments
           4.6.1  Multiple Signature Algorithms
           4.6.2  Multiple Trusted Entities
           4.6.3  Multiple Keys for One Router
   5  Compatibility with Standard OSPF V2
   6  Special Considerations/Restrictions for the ABR-ASBR
   7  LSA formats
      7.1  Router Public Key LSA (PKLSA)
      7.2  Router Public Key Certificate
      7.3  Signed LSA
   8  Configuration Information
   9  Remaining Vulnerabilities
      9.1  Area Border Routers
      9.2  Internal Routers
      9.3  Autonomous System Border Routers
   10 Security Considerations
   11 References
   12 Authors' Addresses

1. Acknowledgements

   The idea of signing routing information is not new. Foremost, of
   course, there is the design that Radia Perlman reported in her thesis
   [4] and in her book [5] for signing link state information and for
   distribution of the public keys used in the signing. IDPR [7] also
   recommends the use of public key based signatures of link state
   information. Kumar and Crowcroft [2] discuss the use of secret and
   public key authentication of inter-domain routing protocols. Finn [1]
   discusses the use of secret and public key authentication of several
   different routing protocols. The design reported here is closest to
   that reported in [4] and [7].

   It should be noted that [4] also presents techniques for protecting
   the forwarding of data packets, a topic that is not considered here,
   as we consider it not within the scope of the OSPF working group.

   The authors would also like to acknowledge many fruitful discussions
   with many members of the OSPF working group, particularly Fred Baker
   of Cisco Systems, Dennis Ferguson of MCI Telecommunications Corp.,
   John Moy of Cascade Communications Corp., Curtis Villamizar of ANS,
   Inc., and Rob Coltun of FORE Systems.

2. Introduction

   It is well recognized that there is a need for greater security in
   routing protocols. OSPF currently provides "simple password"
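The abstract describes a two-level trust chain: a Trusted Entity (TE) certifies each router's public key (carried in a PKLSA), and each router signs the Link State data it originates, so a receiving router verifies the certificate under the TE key and the LSA under the certified router key. The following Go program is an added illustration of that chain and is not code from the RFC; the `PKCert` and `SignedLSA` layouts, the Ed25519 algorithm, the router ID, and the LSA bodies are all constructed assumptions standing in for the RFC's actual LSA formats (section 7), which are not reproduced on this page.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// PKCert is a hypothetical stand-in for the Router Public Key Certificate
// that a PKLSA carries: a Trusted Entity (TE) binds a router ID to that
// router's public key with its own signature. The field layout and the
// Ed25519 algorithm are assumptions, not the RFC's wire format.
type PKCert struct {
	RouterID uint32
	PubKey   ed25519.PublicKey
	TESig    []byte
}

// SignedLSA pairs an LSA body with the originating router's signature
// (again a hypothetical layout standing in for the RFC's Signed LSA).
type SignedLSA struct {
	RouterID uint32
	Body     []byte
	Sig      []byte
}

// certBytes is the byte string the TE signs: router ID followed by the
// key, so a certificate cannot be re-bound to a different router.
func certBytes(routerID uint32, pub ed25519.PublicKey) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, routerID)
	buf.Write(pub)
	return buf.Bytes()
}

// lsaBytes is the byte string the router signs: its ID followed by the
// LSA body, so a signed LSA cannot be replayed as another router's.
func lsaBytes(routerID uint32, body []byte) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, routerID)
	buf.Write(body)
	return buf.Bytes()
}

// IssueCert is what the TE does for each router it certifies.
func IssueCert(tePriv ed25519.PrivateKey, routerID uint32, pub ed25519.PublicKey) PKCert {
	return PKCert{RouterID: routerID, PubKey: pub,
		TESig: ed25519.Sign(tePriv, certBytes(routerID, pub))}
}

// SignLSA is what an originating router does before flooding an LSA.
func SignLSA(routerPriv ed25519.PrivateKey, routerID uint32, body []byte) SignedLSA {
	return SignedLSA{RouterID: routerID, Body: body,
		Sig: ed25519.Sign(routerPriv, lsaBytes(routerID, body))}
}

// VerifyLSA is what a receiving router does: check the certificate against
// the TE key it was configured with, then check the LSA against the
// certified router key. Any failure rejects the LSA.
func VerifyLSA(tePub ed25519.PublicKey, cert PKCert, lsa SignedLSA) error {
	if !ed25519.Verify(tePub, certBytes(cert.RouterID, cert.PubKey), cert.TESig) {
		return errors.New("router public key certificate not signed by the trusted entity")
	}
	if cert.RouterID != lsa.RouterID {
		return errors.New("LSA advertising router does not match the certified router")
	}
	if !ed25519.Verify(cert.PubKey, lsaBytes(lsa.RouterID, lsa.Body), lsa.Sig) {
		return errors.New("LSA signature does not verify under the certified router key")
	}
	return nil
}

func main() {
	tePub, tePriv, _ := ed25519.GenerateKey(rand.Reader)
	rPub, rPriv, _ := ed25519.GenerateKey(rand.Reader)
	const routerID = 0x0A000001 // constructed router ID (10.0.0.1)

	cert := IssueCert(tePriv, routerID, rPub)
	lsa := SignLSA(rPriv, routerID, []byte("constructed router-LSA body"))
	fmt.Println("genuine LSA:", VerifyLSA(tePub, cert, lsa)) // <nil>

	tampered := lsa
	tampered.Body = []byte("constructed router-LSA body, modified in transit")
	fmt.Println("tampered LSA:", VerifyLSA(tePub, cert, tampered))

	// A router key certified by some other entity is not trusted, however
	// valid the LSA signature itself is.
	_, otherTEPriv, _ := ed25519.GenerateKey(rand.Reader)
	rogueCert := IssueCert(otherTEPriv, routerID, rPub)
	fmt.Println("cert from unknown TE:", VerifyLSA(tePub, rogueCert, lsa))
}
```

The router ID is included under both signatures on purpose: without it, a certificate could be presented for a different advertising router, and a validly signed LSA could be re-flooded as if another router had originated it.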