Addendum to the Security Extension for UNI and NNI March 31, 2006

Addendum to the Security Extension for
UNI and NNI
IA # OIF-SEP-02.1
March 31, 2006
Implementation Agreement created and approved
by the Optical Internetworking Forum
www.oiforum.com
The OIF is an international non profit organization with over 100 member companies,
including the world’s leading carriers and vendors. Being an industry group uniting
representatives of the data and optical worlds, OIF’s purpose is to accelerate the deployment
of interoperable, cost-effective and robust optical internetworks and their associated
technologies. Optical internetworks are data networks composed of routers and data switches
interconnected by optical networking elements.
With the goal of promoting worldwide compatibility of optical internetworking products, the
OIF actively supports and extends the work of national and international standards bodies.
Formal liaisons have been established with The ATM Forum, IEEE 802.3, IETF, ITU-T Study
Group 13, ITU-T Study Group 15, MEF, NPF, T1M1, T1X1, TMF, UXPi and the XFP MSA
Group.
For additional information contact:
The Optical Internetworking Forum, 39355 California Street,
Suite 307, Fremont, CA 94538
510-608-5928 Φ info@oiforum.com
www.oiforum.com
Notice: This Technical Document has been created by the Optical Internetworking Forum (OIF).
This document is
offered to the OIF Membership solely as a basis for agreement and is not a binding proposal on the companies listed as
resources above. The OIF reserves the rights to at any time to add, amend, or withdraw statements contained herein.
Nothing in this document is in any way binding on the OIF or any of its members.
The user's attention is called to the possibility that implementation of the OIF implementation agreement contained herein
may require the use of inventions covered by the patent rights held by third parties. By publication of this OIF
implementation agreement, the OIF makes no representation or warranty whatsoever, whether expressed or implied, that
implementation of the specification will not infringe any third party rights, nor does the OIF make any representation or
warranty whatsoever, whether expressed or implied, with respect to any claim that has been or may be asserted by any
third party, the validity of any patent rights related to any such claim, or the extent to which a license to use any such
rights may or may not be available or the terms hereof.
© 2001 Optical Internetworking Forum
This document and translations of it may be copied and furnished to others, and derivative works that comment on or
otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in
part, without restriction other than the following, (1) the above copyright notice and this paragraph must be included on
all such copies and derivative works, and (2) this document itself may not be modified in any way, such as by removing
the copyright notice or references to the OIF, except as needed for the purpose of developing OIF Implementation
Agreements.
By downloading, copying, or using this document in any manner, the user consents to the terms and conditions of this
notice. Unless the terms and conditions of this notice are breached by the user, the limited permissions granted above are
perpetual and will not be revoked by the OIF or its successors or assigns.
This document and the information contained herein is provided on an “AS IS” basis and THE OIF DISCLAIMS ALL
WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY, TITLE OR FITNESS FOR A PARTICULAR PURPOSE.
www.oiforum.com
2
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
1
Table of Contents
Cover Sheet ........................................................................................................... 1
1
Table of Contents ................................................................................................. 3
2
List of Figures ....................................................................................................... 4
3
List of Tables ......................................................................................................... 4
4
Document Revision History ............................................................................... 5
5
Document Summary............................................................................................ 6
5.1 Problem Statement............................................................................................... 6
5.2 Scope ...................................................................................................................... 6
5.3 Relationship to Other Standards Bodies........................................................... 7
5.4 Acknowledgements ............................................................................................. 7
6 Introduction .......................................................................................................... 7
6.1 Outline of the Implementation Agreement...................................................... 7
6.2 How to Use this Implementation Agreement.................................................. 8
7
Terminology and Acronyms .............................................................................. 8
7.1 Terminology.......................................................................................................... 8
7.2 Keywords .............................................................................................................. 8
7.3 Acronyms .............................................................................................................. 9
8
Applicability of Updates to IPsec .................................................................... 10
8.1 IKEv1 and IKEv2................................................................................................ 10
8.2 Revisions to ESP, AH, and RFC 2401 .............................................................. 11
8.3 Transforms .......................................................................................................... 13
8.4 IPv6 Considerations........................................................................................... 15
9 Security for Link State Routing in the NNI.................................................... 15
9.1 Implementations not Using the Security Extension...................................... 17
9.2 Securing OSPF with the Security Extension................................................... 17
9.3 Securing IS-IS with the Security Extension .................................................... 18
9.4 Additional Issues ............................................................................................... 18
10 Security for Discovery Protocols...................................................................... 19
10.1 Use of the Security Extension with LMP ........................................................ 19
11 Clarifications and Updates to the Security Extension .................................. 19
12 References ........................................................................................................... 20
12.1 Normative references ........................................................................................ 21
12.2 Informative references....................................................................................... 24
13 Appendix A: Open Issues / current work items........................................... 25
14 Appendix B: List of companies belonging to OIF when document was
approved ......................................................................................................... 26
www.oiforum.com
3
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
2
List of Figures
None.
3
List of Tables
None.
www.oiforum.com
4
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
4
Document Revision History
Working Group: OAM&P
SOURCE:
Editors
Renée Esposito
Department of Defense
esposito_renee@bah.com
Working Group Chair
Doug Zuckerman
Telcordia Technologies
w2xd@aol.com
Richard Graveman
Department of Defense
rfg@acm.org
DATE: OIF-SEP-02.0: October 3, 2005
OIF-SEP-02.1: March 31, 2006
5
www.oiforum.com
5
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
Document Summary
This addendum brings the Security Extension for UNI and NNI [SecExt] up to date
with (1) new work in the OIF on NNI, routing, and discovery; (2) new work in
the IETF on IPsec and IKE; and (3) feedback gained from implementation
experience and other comments on [SecExt].
5.1
Problem Statement
The Security Extension for UNI and NNI [SecExt] defines an optional-toimplement profile of IPsec for securing the OIF’s control plane protocols. Its
first goal is to define a complete, high-quality, interoperable security system
for all control plane traffic between two network elements consisting of a
single pair of Tunnel Mode Security Associations running the mandatory-toimplement IPsec transforms. Secondly, it defines additional security services
and mechanisms that implementations of [SecExt] can include for finegrained control of security.
Since the publication of [SecExt], (1) the OIF has started new work on the UNI
and NNI and released Implementation Agreements for UNI 1.0r2 and E-NNI;
(2) the IETF has continued to revise IPsec, IKE, and the list of associated
transforms; and (3) suggestions to clarify certain aspects of [SecExt] have been
received. This IA keeps [SecExt] up to date and aligned with current practice
by addressing these three items.
5.2
Scope
This IA modifies the optional security extension to UNI and NNI in [SecExt].
It addresses protocol security for the OIF’s control plane signaling, routing,
and discovery protocols specified in [UNI1.0], [UNI1.0r2], [UNI1.0r2r],
[UNI2.0], [UNI2.0r], [UNI2.0c], [E-NNI], [NNI-OSPF], and [NNI-IS-IS].
Security for management plane interfaces to network elements is addressed
separately in [SecMang] and [SecManA].
[SecExt] defines an optional extension to the OIF’s control plane protocols
listed in Section 1.3. This addendum contains both REQUIRED and
OPTIONAL requirements for compliance with [SecExt] as well as
informational material to clarify items in [SecExt] and promote the
development of interoperable implementations.
www.oiforum.com
6
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
This IA extends the value of [SecExt] to new OIF control plane protocols,
keeps [SecExt] up to date with current work in the IETF, and clarifies aspects
of the use of [SecExt].
5.3
Relationship to Other Standards Bodies
This IA uses the RFCs written by the IETF as normative references to almost
all of the work described herein.
This document defines no new protocols. It consolidates, profiles, and applies
many aspects of work done at other standards bodies, particularly the IETF.
It updates and modifies the optional security services in [SecExt].
5.4
Acknowledgements
Hannes Tschofenig (Siemens) raised a number of questions about the use of IPsec
to protect RSVP. Scott McNown (DoD), Sheila Frankel (NIST), and Don Choi
(DoD) cooperated on implementing [SecExt] and provided feedback from their
experiences. Jonathan Sadler (Tellabs) advised the editors on the directions the
OIF is likely to take with respect to routing protocols, the use of GRE to
encapsulate IS-IS, and the potential, unintended interactions between IPsec
tunnel mode and DCN routing protocols. Jim Jones, Monica Lazer, Walter
Rothkegel, and Stephen Trowbridge provided helpful inputs during balloting.
6
Introduction
The goal of [SecExt] is to specify how to apply security to the control plane
(signaling, routing, and discovery) protocols used in the OIF’s UNI and NNI.
This IA brings [SecExt] up to date with changes in the UNI, specification of
the E-NNI, IETF work on IPsec, and implementors’ experiences with [SecExt].
6.1
Outline of the Implementation Agreement
This document is organized as follows:
•
Section 5 provides a summary of this addendum.
•
Section 6 describes the organization of this document.
•
Section 7 defines the terminology, keywords, and acronyms used.
•
Section 8 brings [SecExt] up to date with work in the IETF.
•
Section 9 covers security for the OIF’s link state routing in the NNI based
on OSPF and IS-IS.
www.oiforum.com
7
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
•
Section 10 defines the use of [SecExt] for the OIF’s discovery protocols
based on LMP.
•
Section 11 contains clarifications and implementation guidelines for
[SecExt].
•
Section 12 contains normative and informative references.
6.2
How to Use this Implementation Agreement
This IA is an addendum to [SecExt]. To apply it, it must be used together with
[SecExt]. It is not a self-contained replacement for [SecExt]. Applying this IA
also depends on using the normative references from the IETF and OIF listed
in Section 8.1.
7
Terminology and Acronyms
7.1
Terminology
Clarification: In [SecExt], the term “ONE” or “Optical Network Element” is
used to refer to either a UNI-C client or a Transport Network Element (TNE),
as defined in [UNI1.0], [UNI1.0r2], and [UNI2.0]. When applied to the OIF
UNI, the term “ONE” should be replaced with “UNI-C” or “TNE,” as
appropriate.
7.2
Keywords
When written in ALL CAPITALS, the key words “MUST”, “MUST NOT,”
“REQUIRED,” “SHALL,” “SHALL NOT,” “SHOULD,” “SHOULD NOT,”
“RECOMMENDED,” “MAY,” and “OPTIONAL” in this document are to be
interpreted as described in IETF RFC 2119 [Bra97].
In addition, as defined in [Sch05], the following terms and their respective
interpretations are used:
SHOULD+
SHOULD–
www.oiforum.com
This term means the same as SHOULD. However it is likely
that a requirement marked as SHOULD+ will be promoted at
some future time to be a MUST.
This term means the same as SHOULD. However a
requirement marked as SHOULD– may be deprecated to a
MAY in a future version of this IA.
8
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
MUST–
This term means the same as MUST. However it is expected
that at some point this requirement will no longer be a MUST
in a future version of this IA.
7.3
Acronyms
The following acronyms or abbreviations are used in this implementation
agreement:
ABR
AES
AH
CA
CBC
CCM
CRC
CTR
DAD
DCN
DES
DH
E-NNI
ESP
GRE
ESP
HMAC
ICMP
IESG
IETF
IKE
IP
IPsec
IS-IS
LMP
LSA
MAC
MIB
MTU
Area Border Router
Advanced Encryption Standard
Authentication Header
Certification Authority
Cipher Block Chaining (Mode)
Counter with CBC-MAC (Mode)
Cyclic Redundancy Check
Counter (Mode)
Duplicate Address Detection
Data Communications Network
Data Encryption Standard
Diffie-Hellman
Exterior Network Node Interface
Encapsulating Security Payload
Generic Routing Encapsulation
Encapsulating Security Payload
Hashed Message Authentication Code
Internet Control Message Protocol
Internet Engineering Steering Group
Internet Engineering Task Force
Internet Key Exchange
Internet Protocol
IP Security
Intermediate System—Intermediate System
Link Management Protocol
Link State Advertisement
Message Authentication Code
Management Information Base
Maximum Transmission Unit
www.oiforum.com
9
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
NA
NAT
NE
NNI
OSPF
PAD
PS
RFC
RSA
RSVP
RFC
SA
SAD
SHA
SIP
SNMP
SPD
TCP
TNE
UDP
UNI
UNI-C
VPN
XML
8
Network Administrator
Network Address Translation
Network Element
Network Node Interface
Open Shortest Path First
Peer Authentication Database
Proposed Standard
Request for Comments
Rivest, Shamir, and Adleman
Resource Reservation Protocol
Request for Comments
Security Association
Security Association Database
Secure Hash Algorithm
Session Initialization Protocol
Simple Network Management Protocol
Security Policy Database
Transmission Control Protocol
Transport Network Element
User Datagram Protocol
User-Network Interface
UNI Client
Virtual Private Network
Extensible Markup Language
Applicability of Updates to IPsec
See [Abo04] (Informational) for the use of IPsec in IP Storage, which was used
as a guide to specifying the profile of IPsec in [SecExt].
8.1
IKEv1 and IKEv2
The current IKE version 1, as described in [SecExt] and modified by [Hof05a],
MUST– be included with implementations of [SecExt]. However, the reasons
for replacing IKEv1 with IKEv2 as quickly as practical are that IKEv2 is
simpler to implement, has clearer documentation, is more efficient, has fewer
options, and fixes some of the shortcomings in IKEv1. IKEv2 [Kau05]
SHOULD+ be implemented. (The current IKEv2 draft has been approved as
www.oiforum.com
10
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
PS by the IESG and is awaiting an RFC number to be assigned. It is expected
that after the IKEv2 RFC is issued, it will become the REQUIRED key
management system.)
For additional information about IKEv2, see [EH06], [Per03] (expired), and
[Kra03].
For implementations of IKEv1 or IKEv2 that allow use of public key
authentication (e.g., digital signatures), [Kor05] SHOULD+ be implemented.
For implementations of IKEv2 that allow use of a legacy authentication
system, [Tsc06] SHOULD be implemented.
Implementations of IKEv2 SHOULD measure resource consumption and use
the initial exchange with cookies whenever they determine that a denial of
service attack may be occurring.
8.2
Revisions to ESP, AH, and RFC 2401
The new version of ESP [Ken05a] and [Ken05b] and revision to the IPsec
Security Architecture in RFC2401bis [KS05] provide:
•
Extended (64-bit, implicit) sequence numbers
•
Better traffic flow protection (padding and dummy packets)
•
More flexible naming of security associations
•
Better support for multicast
•
Support for new algorithms and modes (AES, counter mode, and
combined confidentiality and integrity mode algorithms)
•
A Peer Authorization Database (PAD)
•
A new processing model with better support for VPNs and combined
mode algorithms (The concept of “SA bundles” has been dropped.)
Therefore, the new version of ESP [Ken05a] and [Ken05b] and RFC2401bis
[KS05] SHOULD+ be implemented, and the current versions [KA98a] and
[KA98c] MUST– be implemented.
Implementations that provide NAT traversal MUST follow [Hut05]. See also
[AD03] (Informational) for a discussion of NAT traversal requirements.
For dead peer detection, implementations MAY generate and MUST accept
the messages defined in [HBR04].
www.oiforum.com
11
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
Both versions of AH ([KA98b] and [Ken05c]) MAY be implemented, but use
of ESP is preferred over AH in all cases.
www.oiforum.com
12
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
8.3
Transforms
It is expected that AES will replace DES and Triple DES as the REQUIRED
confidentiality algorithm for ESP and IKE, partially because it is more
efficient, and partially because it is presumed to offer better security. This
change has additional consequences. First, AES can also be used as the ESP
(and IKE) integrity algorithm, which reduces the total number of algorithms
in and code size of implementations. Second, AES is defined with new, more
efficient modes of operation (counter mode [Hou04] and combined
confidentiality and integrity mode [Hou05, VM05, MV05]). Third, it is
recommended that the security of IKE key exchanges be increased to match
the increased level of security that comes with using AES.
Implementors of these transforms, who often need pseudorandom,
unpredictable numbers or bit strings for keying material, initialization
vectors, padding, or other uses, are also referred to [ESC05].
8.3.1
IPsec Transforms
The RECOMMENDED and REQUIRED to implement suites for IPsec and
IKEv1 are defined in [Hof05b]. Suite A is MUST– and Suite B is SHOULD+.
All other IPsec transforms, including user-defined algorithms, MAY be
implemented.
8.3.2
IKEv2 Transforms
The RECOMMENDED and REQUIRED IKEv2 transforms below are adopted
and augmented from those in [Sch05] to meet the requirements in [SecExt].
All other IKEv2 transforms, including the elliptic curve groups defined in
[FS05] and user-defined algorithms, MAY be implemented.
•
The IKEv2 encrypted payload requires an encryption algorithm and an
integrity algorithm. For the encryption algorithm, 3DES-CBC [PA98]
MUST– be implemented and AES-128-CBC [FGK03] SHOULD+ be
implemented.
•
For the integrity algorithm, SHA-1 [MG98] MUST be implemented and
AES-XCBC-MAC-96 [FH03] SHOULD+ be implemented.
•
IKEv2 requires a Diffie-Hellman group. As in [Sch05], Group 2 (1024
bits) [HC98] MUST– be implemented and Group 14 (2048 bits) [KK03]
SHOULD+ be implemented. In addition, Group 5 (1536 bits) [KK03]
SHOULD be implemented.
www.oiforum.com
13
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
IKEv2 [Kau05] provides for negotiation of confidentiality algorithms (Type
11) for use in IKE and ESP, pseudo-random functions (Type 2) for use in IKE,
and integrity algorithms (Type 3) for use in IKE, AH, and ESP.
•
•
For confidentiality algorithms (Type 1), see the table below:
Algorith
m
Number
Algorithm
Name
Reference
Status
0
n/a
n/a
RESERVED
3
ENCR_3DES
[PA98]
MUST–
11
ENCR_NULL
[GK98]
MUST
12
ENCR_AES_CBC
[FGK03]
SHOULD+
13
ENCR_AES_CTR
[Hou04]
SHOULD
18, 19, 20
AES-GCM-ESP
[VM05]
SHOULD
For pseudo-random functions (Type 2), see the table below:
Algorith
m
Number
Algorithm
Name
Reference
Status
0
n/a
n/a
RESERVED
2
PRF_HMAC_SHA1
[KBC97]
MUST–
4
PRF_AES128_CBC
[Hof04],
[Hof06]
SHOULD+
These designations, “Type 1” for confidentiality (encryption) algorithms and
“Type 3” for integrity algorithms, apply only in the context of IKEv2 for
algorithm robustness and have nothing to do with the use of “Type numbers” to
describe algorithms in other contexts.
1
www.oiforum.com
14
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
•
For integrity algorithms (Type 3), see the table below:
Algorithm
Number
Algorithm
Name
Reference
Status
2
HMAC_SHA1_96]
[MG98
MUST–
5
AUTH_AES_XCBC_
96
[FH03]
SHOULD+
11
ENCR_NULL
[GK98]
MUST
18
AES-GCM-ESP
[VM05]
MAY
19
AES-GCM-ESP
[VM05]
MAY
20
AES-GCM-ESP
[VM05]
SHOULD
8.4
IPv6 Considerations
This specification of ESP and IKE works with both IPv4 and IPv6.
The following options MUST NOT be used with IPv6: link-local and site-local
addresses, NAT traversal, and Mobile IP.
Note that IPv6 (as well as IPv4) implementations of IKEv2 MUST support the
larger minimum MTU of 1280 and SHOULD support an MTU of 3000 as
specified in [Kau05].
Note that IPv6 subnet renumbering MAY break existing IPsec SAs, which
then need to be re-established. Unique local addresses (ULAs) MAY be used.
When using ESP or IKE with IPv6, ICMPv6 MUST be handled as specified in
[KS05].
Either IPv6 Autoconfiguration with DAD or DHCPv6 MAY be used with
IPv6.
IPv6 packets using IKE or ESP as specified herein MUST be allowed to traverse
firewalls and MAY be transported through IPv4 transition tunnels. Note also that
IPv6 packets to be protected with ESP Tunnel Mode MAY be encapsulated with
an IPv4 outer header.
9
www.oiforum.com
15
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
Security for Link State Routing in the NNI
The OIF has specified signaling for the UNI ([UNI1.0], [UNI1.0r2], [UNI1.0r2r],
and [UNI2.0]) and NNI ([E-NNI]) and now is developing routing solutions for
the NNI ([NNI-OSPF] and [NNI-IS-IS]).
The security requirements for NNI signaling are summarized in [SecExt]. The
IETF, in [BMY03], has enumerated the sources, actions, and consequences
inherent in security threats to routing protocols. The consequences of such
attacks (see [BMY03]) can include disclosure of network configuration data,
deception, disruption, and loss of control of network functionality. The resulting
damage can include congestion, black-holing, looping, partitioning, churning,
instability, overload, starvation, eavesdropping, or delay.
Attacks against routing protocols can disrupt the establishment of peering
relationships; interfere with protocol elements such as election of a designated
router; forge or modify routing information; eavesdrop on the content or traffic
patterns of routing information; corrupt the internal state of routing databases; or
replace an authorized router with an imposter.
This IA addresses the protocol issues involved in securing OSPF and IS-IS as
used in the OIF’s NNI. It does not address (1) system security for routers; (2)
problems that result from faulty implementations; (3) physical, personnel, and
environmental security issues; (4) firewalls; (5) security for IPv6 Router
Advertisements; or (6) denial of service attacks that result, for example, from
flooding routers.
Implementations of the OIF’s Security Extension for UNI and NNI MUST provide
the same security services for the routing protocol messages that determine
forwarding of signaling messages as for the signaling protocol messages
themselves. If routing controllers communicate along the same path for which
IPsec SAs to secure signaling are specified in the Security Policy Database (SPD),
the SPD SHOULD specify use of these same SAs for routing protocol messages,
but see the cautionary note in Section 7, below. In addition, these security
services MAY be applied to routing protocol messages that determine packet
forwarding in the data plane or management plane.
Securing link state routing protocol messages with the OIF’s Security
Extension for UNI and NNI prevents modification, address spoofing, forgery,
replay, and “cut-and-paste” attacks against these protocols. It also can
provide confidentiality, hide the names of the endpoints, and disguise the
actual amount of traffic transmitted, which inhibit network mapping attacks.
Link state routing protocols, however, rely on distributing accurate topology
and configuration information across a network. To accomplish this, the
www.oiforum.com
16
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
switches trust each other to act properly. Because of this, a compromised or
mis-configured switch can do a lot of hard-to-detect damage. Protocol
security between adjacent switches cannot solve this problem.
To provide end-to-end routing protocol security, digital signatures on the
messages can be used. Such an approach has been proposed not only for
routing protocols [Per88, Ste93, Mur97] but also for secure email, XML, and
SIP. New methods exist to provide adequate security with signatures only 20
to 25 bytes long [BLS01] and to combine multiple signatures into a single,
aggregated signature [Bon03], which eliminate potential objections due to
extensive message overhead. Methods such as these may be proposed for
future OIF Control Plane protocols.
In the meantime, the OIF is working on a different approach, which may be
useful in its own right. The idea is to specify a flexible, dynamically
configurable logging and auditing capability, which, among other uses, can
be turned on to generate a trace of a Control Plane protocol whenever
needed. This capability is based on the Syslog protocol, which is currently
being revised by the IETF. For the most recent references to the underlying
Syslog mechanisms, see [SysL]. Although the Syslog transport mechanism
(unidirectional, unfragmented UDP packets) is chosen to minimize overhead,
logging may add to network congestion or overload conditions. Operators
may choose to turn logging off in such situations, manually or automatically.
9.1
Implementations not Using the Security Extension
OSPF implementations not using the OIF’s Security Extension for UNI and NNI
SHOULD use OSPFv2 with the option for cryptographic authentication
specified in Sections D.3, D.4.3, and D.5.3 of RFC 2328. IS-IS implementations
not using the OIF’s Security Extension for UNI and NNI SHOULD incorporate
the authentication mechanism specified in RFC 3567 (Informational).
Note, however, that these mechanisms do not include automated key
management.
[GHM04], the so-called hop-count-255 trick, MAY be used to verify that
untampered messages are delivered directly, router to router. Note, however,
that this mechanism does not provide cryptographic protection against
tampering or forgery.
9.2
www.oiforum.com
Securing OSPF with the Security Extension
17
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
Implementations of [NNI-OSPF] that also provide [SecExt] MUST allow for
IPsec protection of OSPF messages. Wherever practical, they SHOULD do
this with the same IPsec SAs used for signaling. (Note that this is consistent
with the security in [GM05]2.) To aid in the diagnosis of multiple-hop or endto-end security problems, such implementations SHOULD also implement
[LogAud]. As an alternative to deploying logging at all routers in an Area,
implementations MAY log only at ABRs and MAY use digital signatures on
LSAs (link state advertisements) within an Area (i.e., they MAY implement
[Mur97] in addition to [SecExt]). Note, however, that aggregation of routing
information (LSAs) does not preserve signatures.
9.3
Securing IS-IS with the Security Extension
Implementations of [NNI-IS-IS] that also provide [SecExt] MUST allow for
IPsec protection of IS-IS messages. Because IS-IS runs directly over a link
layer protocol, not over IP, GRE [Far00] SHOULD be run between the IS-IS
peers. The protocol stack IS-IS/GRE/ESP/IP/<Layer 2> SHOULD be used.
The IPv4 or IPv6 next header is 50 for ESP. When using this option,
implementations MUST– use [KA98c] and SHOULD+ use [Ken05a] for ESP.
The ESP next header is 47 for GRE. The version and Reserved0 fields in the
GRE header MUST be set to 0. Because ESP secures GRE and IS-IS, [Dom00]
or [LA03] SHOULD NOT be used. Wherever practical, implementations
SHOULD protect IS-IS over GRE with the same IPsec SAs used to protect the
signaling traffic between the same two points. To aid in the diagnosis of
multiple-hop or end-to-end security problems, such implementations
SHOULD also implement [LogAud].
Note: No description of a signature option for IS-IS, which would correspond
to [Mur97] exists. Such capability is for future study.
9.4
Additional Issues
Management interfaces to routers implementing the OIF’s NNI routing
protocols, in particular implementations of MIBs for OSPF and IS-IS,
SHOULD secure these management interfaces with the methods specified in
[SecMang] and [SecManA].
The most general security solution for protocols like OSPF and IS-IS allows
the link state protocol to work correctly as long as one uncorrupted path
2
This standard recommends protecting OSPF messages with IPsec ESP, which adds confidentiality,
although it does not provide end-to-end security against the case of a misbehaving router.
www.oiforum.com
18
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
between any two points exists. There may be multiple failures, and the
corrupted routers may in fact be cooperating to carry out an attack. Perlman
(in [Per88] and [Per00]) has shown how to how achieve security in such cases,
which are called “Byzantine failures.” Addressing such threats, in whole or in
part, is for future study.
10
Security for Discovery Protocols
Discovery protocols for UNI 2.0 have not been fully defined. As this work
progresses, security requirements and specifications for discovery ought to be
reconsidered.
10.1
Use of the Security Extension with LMP
The Link Management Protocol (LMP) draft [Lan05] proposes the use of IPsec
to secure LMP, which is, in principle, consistent with this IA. However, the
following notes are added to the specification of IPsec in [Lan05]:
1. As specified in this document and in [SecExt], the confidentiality
service with ESP MUST be implemented and SHOULD be used
wherever required.
2. The specification of IPsec in [Lan05] is updated with the newer
transforms and protocols for IKEv2 and ESP, as specified above.
3. Use of IKE or IKEv2 with pre-shared keys is preferable to manual
keying.
As for routing protocols, wherever practical, LMP MAY share SAs with other
protocols protected by [SecExt] and the methods in this IA. That is, when
LMP messages are sent along a path that uses the Security Extension, the SPD
SHOULD be configured so that all LMP messages are protected with the
same IPsec SAs as other traffic secured with the Security Extension. Note that
this applies only to unicast messages; the Security Extension does not define
security for broadcast or multicast messages.
Management interfaces to systems implementing discovery protocols
SHOULD be secured with the methods specified in [SecMang] and
[SecManA].
11
Clarifications and Updates to the Security Extension
The following notes are added as clarifications to [SecExt]:
www.oiforum.com
19
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
1. The IPsec selectors for ESP Tunnel Mode MAY be set up to secure all
IP traffic between the two points.
2. The RSVP messages used in the OIF’s signaling protocols do not use
the Router Alert bit, which would interfere with the use of the
confidentiality service of IPsec.
3. ESP in tunnel mode SHOULD be used between each pair of RSVPaware routers.
Caution: If IPsec Tunnel Mode is used and the implementation treats
these IPsec tunnels as virtual interfaces, these virtual interfaces may be
assigned DCN routing protocol costs that, if advertised by the DCN
routing protocol, cause traffic between other systems to be routed
inappropriately. For IPsec implementations that have this side effect,
inappropriate DCN routing protocol costs due to such virtual
interfaces should not be advertised across the DCN routing protocol.
Note, in addition, that [KS05] allows IPsec Transport Mode to be used
with certain restrictions.
4. Transport mode IPsec SAs SHOULD be avoided.
5. The RSVP authorization object may be used for user identification in
addition to the security methods specified in this IA and in [SecExt].
12
www.oiforum.com
20
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
References
12.1
Normative references
The following references contain provisions that, through reference in this
text, constitute provisions of this specification. At the time of publication, the
versions listed were valid. Many references are subject to revision, and parties
to agreements based on this implementation agreement are encouraged to
investigate the possibility of applying the most recent editions of the
references indicated below.
[Bra97]
[DH98]
[E-NNI]
[Far00]
[FGK03]
[FH03]
[FS05]
[GHM04]
[GK98]
[HBR04]
[HC98]
[HFPS99]
www.oiforum.com
Bradner, S., “Key words for use in RFCs to Indicate
Requirement Levels,” IETF RFC 2119, March 1997.
Deering, S., and R. Hinden, “Internet Protocol, Version 6 (IPv6)
Specification,” IETF RFC 2460, December, 1998.
Optical Internetworking Forum Implementation Agreement,
“Intra-Carrier E-NNI Signaling Specification,” OIF-E-NNI-Sig01.0, February 27, 2004.
Farinacci, D., et al., “Generic Routing Encapsulation (GRE),”
IETF RFC 2784, March 2000.
Frankel, S., R. Glenn, and S. Kelly, “The AES-CBC Cipher
Algorithm and Its Use with IPsec,” IETF RFC 3602, September
2003.
Frankel, S., and H. Herbert, “The AES-XCBC-MAC-96
Algorithm and Its Use With IPsec,” IETF RFC 3566, September
2003.
Fu, D., and J. Solinas, “ECP Groups for IKE and IKEv2,” IETF
Work in Progress, draft-ietf-ipsec-ikev2-ecp-groups-02,
September 2005.
Gill, V., J. Heasley, and D. Meyer, “The Generalized TTL
Security Mechanism (GTSM),” IETF RFC 3682, February 2004.
Glenn, R., and S. Kent, “The NULL Encryption Algorithm and
Its Use With IPsec,” RFC 2410, November 1998.
Huang, G., S. Beaulieu, and D. Rochefort, “A Traffic-Based
Method of Detecting Dead IKE Peers,” IETF RFC 3706, February
2004.
Harkins, D., and D. Carrel, “The Internet Key Exchange (IKE),”
IETF RFC 2409, November 1998.
Housley, R., W. Ford, W. Polk, and D. Solo, “Internet X.509
Public Key Infrastructure Certificate and Certificate Revocation
List (CRL) Profile,” IETF RFC 3280, April 2002.
21
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
[Hof04]
[Hof05a]
[Hof05b]
[Hof06]
[Hou04]
[Hou05]
[Hut05]
[KA98a]
[KA98b]
[KA98c]
[Kau05]
[KBC97]
[Ken05a]
[Ken05b]
[Ken05c]
[KK03]
[Kor05]
www.oiforum.com
Hoffman, P., “The AES-XCBC-PRF-128 algorithm for IKE,” IETF
RFC 3664, January 2004.
Hoffman, P., “Algorithms for Internet Key Exchange version 1
(IKEv1),” IETF RFC 4109, May 2005.
Hoffman, P., “Cryptographic Suites for IPsec,” IETF RFC 4308,
December 2005.
Hoffman, P., “The AES-XCBC-PRF-128 Algorithm for the
Internet Key Exchange Protocol (IKE),” IETF RFC 4434,
February 2006.
Housley, R., “Using AES Counter Mode With IPsec ESP,” IETF
RFC 3686, January 2004.
Housley, R., “Using Advanced Encryption Standard (AES)
CCM Mode with IPsec Encapsulating Security Payload (ESP),”
IETF RFC 4309, DECember 2005.
Huttunen, A., et al., “UDP Encapsulation of IPsec Packets,”
IETF RFC 3948, January 2005.
Kent, S., and R. Atkinson, “Security Architecture for the Internet
Protocol,” IETF RFC 2401, November 1998.
Kent, S., and R. Atkinson, “IP Authentication Header,” IETF
RFC 2402, November 1998.
Kent, S., and R. Atkinson, “IP Encapsulating Security Payload
(ESP),” IETF RFC 2406, November 1998.
Kaufman, C., ed., “Internet Key Exchange (IKEv2) Protocol,”
IETF RFC 4306, December 2005.
Krawczyk, H., M. Bellare, and R. Canetti, “HMAC: KeyedHashing for Message Authentication,” IETF RFC 2104, February
1997.
Kent, S., “IP Encapsulating Security Payload (ESP),” IETF RFC
4303, December 2005.
Kent, S., “Extended Sequence Number (ESN) Addendum to
IPsec Domain of Interpretation (DOI) for Internet Security
Association and Key Management Protocol (ISAKMP),” IETF
RFC 4304, December 2005.
Kent, S., “IP Authentication Header,” IETF RFC 4302, December
2005.
Kivenen, T., and M. Kojo, “More Modular Exponential (MODP)
Diffie-Hellman Groups for Internet Key Exchange (IKE),” IETF
RFC 3526, May 2003.
Korver, B., “The Internet IP Security PKI Profile of
IKEv1/ISAKMP, IKEv2, and PKIX,” IETF Work in Progress,
draft-ietf-pki4ipsec-ikecert-profile-06, November 2005.
22
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
[KS05]
Kent, S., and K. Seo, “Security Architecture for the Internet
Protocol,” IETF RFC 4301, December 2005.
[LA03]
Li, T., and R. Atkinson, “Intermediate System to Intermediate
System (IS-IS) Cryptographic Authentication,” IETF RFC 3567,
July 2003 (Informational).
[Lan05]
J. Lang, Ed., “Link Management Protocol (LMP),” IETF RFC
4204, October 2005.
[LogAud]
Optical Internetworking Forum Work in Progress, “OIF Control
Plane Logging and Auditing with Syslog,” OIF Work in
Progress, July 2005.
[MG98]
Madson, C., and R. Glenn, “The Use of HMAC-SHA-1-96 within
ESP and AH,” IETF RFC 2404, November 1998.
[MSST98]
Maughan, D., M. Schertler, M. Schneider, and J. Turner,
“Internet Security Association and Key Management Protocol
(ISAKMP),” IETF RFC 2408, November 1998.
[Mur97]
Murphy, S., et al., “OSPF with Digital Signatures,” RFC 2154,
June 1997.
[MV05]
McGrew, D., and J. Viega, “The Galois/Counter Mode of
Operation (GCM),”
http://csrc.nist.gov/CryptoToolkit/modes/proposedmodes/
gcm/gcm-revised-spec.pdf, May 2005.
[NNI-OSPF] Optical Internetworking Forum Work in Progress, NNI Routing
with OSPF.
[NNI-IS-IS] Optical Internetworking Forum Work in Progress, NNI Routing
with IS-IS.
[PA98]
Pereira, R., and R. Adams, “The ESP CBC-Mode Cipher
Algorithms,” IETF RFC 2451, November 1998.
[Pip98]
Piper, D., “The Internet IP Security Domain of Interpretation for
ISAKMP,” IETF RFC 2407, November 1998.
[Sch05]
Schiller, J., “Cryptographic Algorithms for Use in the Internet
Key Exchange Version 2 (IKEv2), IETF RFC 4307,
December 2005.
[SecExt]
Optical Internetworking Forum Implementation Agreement,
“Security Extension for UNI and NNI,” OIF-SEP-01.1, May 8,
2003.
[SecMang] Optical Internetworking Forum Implementation Agreement,
“Security for Management Interfaces to Network Elements,”
OIF-SMI-01.0, September 4, 2003.
[SecManA] Optical Internetworking Forum Implementation Agreement,
“Addendum to the Security for Management Interfaces to
Network Elements,” OIF-SMI-02.1, March 31, 2006.
www.oiforum.com
23
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
[Tsc06]
Tschofenig, H., et al., “EAP IKEv2 Method,” IETF Work in
Progress, draft-tschofenig-eap-ikev2-08, January 2006.
[UNI1.0]
Optical Internetworking Forum Implementation Agreement,
“User Network Interface (UNI) 1.0 Signaling Specification,”
OIF-UNI-01.1, October 1, 2001.
[UNI1.0r2] OIF Implementation Agreement, “OIF-UNI-01.0-R2-Common User Network Interface (UNI) 1.0 Signaling Specification,
Release 2: Common Part,” OIF-UNI-01.0-R2-Common, February
27, 2004.
[UNI1.0r2r] OIF Implementation Agreement, “OIF-UNI-01.0-R2-RSVP RSVP Extensions for User Network Interface (UNI) 1.0
Signaling, Release 2,” OIF-UNI-01.0-R2-RSVP, February 27,
2004.
[UNI2.0]
Optical Internetworking Forum Work in Progress, User
Network Interface (UNI ) 2.0 Signaling Specification.
[UNI2.0c]
Optical Internetworking Forum Work in Progress, UNI 2.0
Signaling with LDP.
[UNI2.0r]
Optical Internetworking Forum Work in Progress, UNI 2.0
Signaling with RSVP.
[VM05]
Viega, J., and D. McGrew, “The Use of Galois/Counter Mode
(GCM) in IPsec ESP,” IETF RFC 4106, June 2005.
12.2
Informative references
[Abo04]
[AD03]
[BLS01]
[BMY04]
[Bon03]
[Dom00]
[EH06]
www.oiforum.com
Aboba, B., et al., “Securing Block Storage Protocols over IP,”
IETF RFC 3723, April 2004.
Aboba, B., and W. Dixon, “IPsec-NAT Compatibility
Requirements,” IETF RFC 3715, March 2004. (Informational)
Boneh, D., B. Lynn, and H. Shacham, “Short Signatures from the
Weil Pairing,” Advances in Cryptology—Asiacrypt 2001, LNCS
Vol. 2248, Springer-Verlag, 2001.
Barbir, A., S. Murphy, and Y. Yang, “Generic Threats to Routing
Protocols, IETF Work in Progress, draft-ietf-rpsec-routingthreats-07, October 2004. [In RFC Editor’s queue]
Boneh, D., et al., “Aggregate and Verifiably Encrypted
Signatures from Bilinear Maps,” Advances in Cryptology—
Eurocrypt 2003, Springer-Verlag, 2003.
Dommety, G., “Key and Sequence Number Extensions to GRE,”
IETF RFC 2890, September 2000.
Eronen, P., and P. Hoffman, “IKEv2 Clarifications and
Implementation Guidelines,” IETF Work in Progress, drafteronen-ipsec-ikev2-clarifications-08, February 2006.
24
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
[ESC05]
[GM06]
[Gut98]
[Kra03]
[KSF99]
[Moy98]
[Mur97]
[Per88]
[Per00]
[Per03]
[Ste93]
[SysL]
Donald E. Eastlake, D., J. Schiller, and S. Crocker, “Randomness
Requirements for Security,” IETF RFC 4086, June 2005.
Gupta, M., and N. Melam, “Authentication/Confidentiality for
OSPFv3,” IETF Work in Progress, draft-ietf-ospf-ospfv3-auth-08,
February 2006.
Gutmann, P., “Software Generation of Practically Strong
Random Numbers,” Seventh USENIX Security Symposium
Proceedings, The USENIX Association, 1998, pp. 243–257.
Krawczyk, H., “SIGMA: The SIGn-and-MAc approach to
Authenticated Diffie-Hellman and Its Use in the IKE Protocols,”
Advances in Cryptology—Crypto 2003, Springer-Verlag LNCS Vol.
2729, pp. 400–425. See also
http://www.ee.technion.ac.il/~hugo/sigma.html.
Kelsey, J., B. Schneier, and N. Ferguson, “Notes on the Design
and Analysis of the Yarrow Cryptographic Pseudorandom
Number Generator,” Sixth Annual Workshop on Selected Areas in
Cryptography, Springer-Verlag, 1999.
Moy, J., “OSPF Version 2,” IETF RFC 2328, April 1998.
Murphy, S. et al., “OSPF with Digital Signatures,” IETF RFC
2154, June 1997. (Experimental)
Perlman, R., Network Layer Protocols with Byzantine Robustness,
Ph.D. Thesis, Department of Electrical Engineering and
Computer Science, MIT, August 1988.
Perlman, R., Interconnections, Second Edition, Addison-Wesley,
Reading, MA, 2000.
Perlman, R., “Understanding IKEv2: Tutorial, and rationale for
decisions,” IETF Work in Progress, draft-ietf-ipsec-ikev2tutorial-02, November 2003. (expired)
Steenstrup, M., “Inter-Domain Policy Routing Protocol
Specification: Version 1,” IETF RFC 1479, July 1993.
IETF Syslog Working Group,
http://www.ietf.org/html.charters/syslog-charter.html.
13
www.oiforum.com
25
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
Appendix A: Open Issues / current work items
•
Work continues in the IETF on IKEv2 clarifications and use of elliptic
curves with IKEv2.
Appendix B: List of companies belonging to OIF when document
was approved
ADVA Optical Networking
Aevix Systems
Agere Systems
Agilent Technologies
Alcatel
Altera
AMCC
Analog Devices
Anritsu
Apogee Photonics, Inc.
AT&T
Avici Systems
Azna
Big Bear Networks
Bookham
Booz-Allen & Hamilton
Broadcom
China Telecom
Ciena Corporation
Cisco Systems
CoreOptics
Cortina Systems
Cypress Semiconductor
Data Connection
Department of Defense
Deutsche Telekom
Elisa Communications
Essex Corporation
Finisar Corporation
Flextronics
Force 10 Networks
Foxconn
France Telecom
www.oiforum.com
26
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
Freescale Semiconductor
Fujitsu
Furukawa America
Harris Corporation
Hi/fn
Huawei Technologies
IBM Corporation
IDT
Infinera
Intel
JDS Uniphase
KDDI R&D Laboratories
Kodeos Communications
KT Corporation
Lambda Optical Systems
Lattice Semiconductor
LSI Logic
Lucent
Marconi Communications
MCI
MergeOptics GmbH
Mindspeed
MITRE Corporation
Mitsubishi Electric Corporation
Molex
NEC
Nortel Networks
Northrop Grumman
NTT Corporation
Opnext
Optovia
OpVista Inc
PMC Sierra
Quake Technologies
RedC Optical Networks Ltd.
Redfern Integrated Optics, Inc.
Sandia National Laboratories
Santur
SBC
Scintera Networks
Siemens
Silicon Laboratories
www.oiforum.com
27
OIF-SEP-02.1
Addendum to the Security Extension for UNI and NNI
Silicon Logic Engineering
StrataLight Communications
Sycamore Networks
Syntune
Tektronix
Telcordia Technologies
Telecom Italia Lab
Tellabs
TeraSea
Texas Instruments
Time Warner Cable
Toshiba Corporation
Tyco Electronics
Verizon
Vitesse Semiconductor
Xilinx
www.oiforum.com
28