| draft-ietf-idr-bgp-tcp-md5-00.txt | rfc2385.txt | |||
|---|---|---|---|---|
| INTERNET-DRAFT Andy Heffernan | ||||
| <draft-ietf-idr-bgp-tcp-md5-00.txt> cisco Systems | Network Working Group A. Heffernan | |||
| March 12, 1998 | Request for Comments: 2385 cisco Systems | |||
| Category: Standards Track August 1998 | ||||
| Protection of BGP Sessions via the TCP MD5 Signature Option | Protection of BGP Sessions via the TCP MD5 Signature Option | |||
| Status of this Memo | Status of this Memo | |||
| This document is an Internet Draft. Internet Drafts are working | This document specifies an Internet standards track protocol for the | |||
| documents of the Internet Engineering Task Force (IETF), its Areas, | Internet community, and requests discussion and suggestions for | |||
| and its Working Groups. Note that other groups may also distribute | improvements. Please refer to the current edition of the "Internet | |||
| working documents as Internet Drafts. | Official Protocol Standards" (STD 1) for the standardization state | |||
| and status of this protocol. Distribution of this memo is unlimited. | ||||
| Internet Drafts are draft documents valid for a maximum of six | Copyright Notice | |||
| months. Internet Drafts may be updated, replaced, or obsoleted by | ||||
| other documents at any time. It is not appropriate to use Internet | ||||
| Drafts as reference material or to cite them other than as a "working | ||||
| draft" or "work in progress." | ||||
| Please check the I-D abstract listing contained in each Internet | Copyright (C) The Internet Society (1998). All Rights Reserved. | |||
| Draft directory to learn the current status of this or any Internet | ||||
| Draft. | ||||
| IESG Note | IESG Note | |||
| This document describes currrent existing practice for securing BGP | This document describes currrent existing practice for securing BGP | |||
| against certain simple attacks. It is understood to have security | against certain simple attacks. It is understood to have security | |||
| weaknesses against concerted attacks. | weaknesses against concerted attacks. | |||
| Abstract | Abstract | |||
| This memo describes a TCP extension to enhance security for BGP. It | This memo describes a TCP extension to enhance security for BGP. It | |||
| defines a new TCP option for carrying an MD5 [RFC1321] digest in a | defines a new TCP option for carrying an MD5 [RFC1321] digest in a | |||
| TCP segment. This digest acts like a signature for that segment, | TCP segment. This digest acts like a signature for that segment, | |||
| incorporating information known only to the connection end points. | incorporating information known only to the connection end points. | |||
| Since BGP uses TCP as its transport, using this option in the way | Since BGP uses TCP as its transport, using this option in the way | |||
| described in this paper significantly reduces the danger from certain | described in this paper significantly reduces the danger from certain | |||
| security attacks on BGP. | security attacks on BGP. | |||
| This document specifies an experimental protocol for use in the | ||||
| Internet. | ||||
| 1.0 Introduction | 1.0 Introduction | |||
| The primary motivation for this option is to allow BGP to protect | The primary motivation for this option is to allow BGP to protect | |||
| itself against the introduction of spoofed TCP segments into the | itself against the introduction of spoofed TCP segments into the | |||
| connection stream. Of particular concern are TCP resets. | connection stream. Of particular concern are TCP resets. | |||
| To spoof a connection using the scheme described in this paper, an | To spoof a connection using the scheme described in this paper, an | |||
| attacker would not only have to guess TCP sequence numbers, but would | attacker would not only have to guess TCP sequence numbers, but would | |||
| also have had to obtain the password included in the MD5 digest. | also have had to obtain the password included in the MD5 digest. | |||
| This password never appears in the connection stream, and the actual | This password never appears in the connection stream, and the actual | |||
| skipping to change at page 2, line 26 | skipping to change at page 2, line 19 | |||
| connection, rather it is purely a matter of site policy whether or | connection, rather it is purely a matter of site policy whether or | |||
| not its connections use the option. | not its connections use the option. | |||
| 2.0 Proposal | 2.0 Proposal | |||
| Every segment sent on a TCP connection to be protected against | Every segment sent on a TCP connection to be protected against | |||
| spoofing will contain the 16-byte MD5 digest produced by applying the | spoofing will contain the 16-byte MD5 digest produced by applying the | |||
| MD5 algorithm to these items in the following order: | MD5 algorithm to these items in the following order: | |||
| 1. the TCP pseudo-header (in the order: source IP address, | 1. the TCP pseudo-header (in the order: source IP address, | |||
| destination IP address, zero-padded protocol number, and segment | destination IP address, zero-padded protocol number, and | |||
| length) | segment length) | |||
| 2. the TCP header, excluding options, and assuming a checksum of zero | 2. the TCP header, excluding options, and assuming a checksum of | |||
| zero | ||||
| 3. the TCP segment data (if any) | 3. the TCP segment data (if any) | |||
| 4. an independently-specified key or password, known to both TCPs | 4. an independently-specified key or password, known to both TCPs | |||
| and presumably connection-specific | and presumably connection-specific | |||
| The header and pseudo-header are in network byte order. The nature | The header and pseudo-header are in network byte order. The nature | |||
| of the key is deliberately left unspecified, but it must be known by | of the key is deliberately left unspecified, but it must be known by | |||
| both ends of the connection. A particular TCP implementation will | both ends of the connection. A particular TCP implementation will | |||
| determine what the application may specify as the key. | determine what the application may specify as the key. | |||
| Upon receiving a signed segment, the receiver must validate it by | Upon receiving a signed segment, the receiver must validate it by | |||
| skipping to change at page 4, line 34 | skipping to change at page 4, line 32 | |||
| segment will be the initial SYN packet to start the connection. With | segment will be the initial SYN packet to start the connection. With | |||
| MD5 signatures, the SYN packet will contain the following: | MD5 signatures, the SYN packet will contain the following: | |||
| -- 4 bytes MSS option | -- 4 bytes MSS option | |||
| -- 4 bytes window scale option (3 bytes padded to 4 in 4.4BSD) | -- 4 bytes window scale option (3 bytes padded to 4 in 4.4BSD) | |||
| -- 12 bytes for timestamp (4.4BSD pads the option as recommended | -- 12 bytes for timestamp (4.4BSD pads the option as recommended | |||
| in RFC 1323 Appendix A) | in RFC 1323 Appendix A) | |||
| -- 18 bytes for MD5 digest | -- 18 bytes for MD5 digest | |||
| -- 2 bytes for end-of-option-list, to pad to a 32-bit boundary. | -- 2 bytes for end-of-option-list, to pad to a 32-bit boundary. | |||
| This sums to 40 bytes, which just makes it. | This sums to 40 bytes, which just makes it. | |||
| 4.4 MD5 as a Hashing Algorithm | 4.4 MD5 as a Hashing Algorithm | |||
| Since this draft was first issued (under a different title), the MD5 | Since this memo was first issued (under a different title), the MD5 | |||
| algorithm has been found to be vulnerable to collision search attacks | algorithm has been found to be vulnerable to collision search attacks | |||
| [Dobb], and is considered by some to be insufficiently strong for | [Dobb], and is considered by some to be insufficiently strong for | |||
| this type of application. | this type of application. | |||
| This draft still specifies the MD5 algorithm, however, since the | This memo still specifies the MD5 algorithm, however, since the | |||
| option has already been deployed operationally, and there was no | option has already been deployed operationally, and there was no | |||
| "algorithm type" field defined to allow an upgrade using the same | "algorithm type" field defined to allow an upgrade using the same | |||
| option number. The original draft did not specify a type field since | option number. The original document did not specify a type field | |||
| this would require at least one more byte, and it was felt at the | since this would require at least one more byte, and it was felt at | |||
| time that taking 19 bytes for the complete option (which would | the time that taking 19 bytes for the complete option (which would | |||
| probably be padded to 20 bytes in TCP implementations) would be too | probably be padded to 20 bytes in TCP implementations) would be too | |||
| much of a waste of the already limited option space. | much of a waste of the already limited option space. | |||
| This does not prevent the deployment of another similar option which | This does not prevent the deployment of another similar option which | |||
| uses another hashing algorithm (like SHA-1). Also, if most | uses another hashing algorithm (like SHA-1). Also, if most | |||
| implementations pad the 18 byte option as defined to 20 bytes anyway, | implementations pad the 18 byte option as defined to 20 bytes anyway, | |||
| it would be just as well to define a new option which contains an | it would be just as well to define a new option which contains an | |||
| algorithm type field. | algorithm type field. | |||
| This would need to be addressed in another draft, however. | This would need to be addressed in another document, however. | |||
| 4.5 Key configuration | 4.5 Key configuration | |||
| It should be noted that the key configuration mechanism of routers | It should be noted that the key configuration mechanism of routers | |||
| may restrict the possible keys that may be used between peers. | may restrict the possible keys that may be used between peers. It is | |||
| Implementors should consider this issue in their design. | strongly recommended that an implementation be able to support at | |||
| minimum a key composed of a string of printable ASCII of 80 bytes or | ||||
| less, as this is current practice. | ||||
| 5.0 Security Considerations | 5.0 Security Considerations | |||
| This document defines a weak but currently practiced security | This document defines a weak but currently practiced security | |||
| mechanism for BGP. It is anticipated that future work will provide | mechanism for BGP. It is anticipated that future work will provide | |||
| different stronger mechanisms for dealing with these issues. | different stronger mechanisms for dealing with these issues. | |||
| 6.0 References | 6.0 References | |||
| [RFC1321] Rivest, R, "The MD5 Message-Digest Algorithm," RFC 1321, | [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm," RFC 1321, | |||
| MIT Laboratory for Computer Science, April 1992. | April 1992. | |||
| [RFC1323] Jacobson, V., Braden, R, and D. Borman, "TCP Extensions for | [RFC1323] Jacobson, V., Braden, R., and D. Borman, "TCP Extensions | |||
| High Performance", RFC 1323, LBL, USC/Information Sciences Institute, | for High Performance", RFC 1323, May 1992. | |||
| Cray Research, May 1992. | ||||
| [Dobb] H. Dobbertin, "The Status of MD5 After a Recent Attack", RSA | [Dobb] H. Dobbertin, "The Status of MD5 After a Recent Attack", RSA | |||
| Labs' CryptoBytes, Vol. 2 No. 2, Summer 1996. | Labs' CryptoBytes, Vol. 2 No. 2, Summer 1996. | |||
| http://www.rsa.com/rsalabs/pubs/cryptobytes.html | http://www.rsa.com/rsalabs/pubs/cryptobytes.html | |||
| Author's Address | Author's Address | |||
| Andy Heffernan | Andy Heffernan | |||
| cisco Systems | cisco Systems | |||
| 170 West Tasman Drive | 170 West Tasman Drive | |||
| San Jose, CA 95134 USA | San Jose, CA 95134 USA | |||
| Phone: +1 408 526-8115 | Phone: +1 408 526-8115 | |||
| Email: ahh@cisco.com | EMail: ahh@cisco.com | |||
| Full Copyright Statement | ||||
| Copyright (C) The Internet Society (1998). All Rights Reserved. | ||||
| This document and translations of it may be copied and furnished to | ||||
| others, and derivative works that comment on or otherwise explain it | ||||
| or assist in its implementation may be prepared, copied, published | ||||
| and distributed, in whole or in part, without restriction of any | ||||
| kind, provided that the above copyright notice and this paragraph are | ||||
| included on all such copies and derivative works. However, this | ||||
| document itself may not be modified in any way, such as by removing | ||||
| the copyright notice or references to the Internet Society or other | ||||
| Internet organizations, except as needed for the purpose of | ||||
| developing Internet standards in which case the procedures for | ||||
| copyrights defined in the Internet Standards process must be | ||||
| followed, or as required to translate it into languages other than | ||||
| English. | ||||
| The limited permissions granted above are perpetual and will not be | ||||
| revoked by the Internet Society or its successors or assigns. | ||||
| This document and the information contained herein is provided on an | ||||
| "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING | ||||
| TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING | ||||
| BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION | ||||
| HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF | ||||
| MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | ||||
| End of changes. 16 change blocks. | ||||
| 37 lines changed or deleted | 32 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||