Transcript Constraints on Automated Key Management for Routing Protocols

Constraints on
Automated Key Management
for Routing Protocols
Ross Callon
IETF 71
March 2008, Philadelphia
AKM for Routing Protocols
•
•
•
•
•
Link State protocol constraints
Bootstrapping the routing protocol
Operation over Broadcast Media
Don’t take down the network
Simplicity and Comprehensibility
Link State Protocol Constraints
• OSPF & IS-IS work because every router in an
area has an identical view of the topology
– And runs identical route computation
• Authentication can be used to decide whether to
bring up a link
– Or whether two neighbors exchange IGP traffic
• Authentication must not effect whether I believe
the advertisement from a router across the area
– Different routers may get different results
Bootstrapping the Routing Protocol
• If something goes wrong with routing (or with
security), there has to be a way to recover
• If the routing protocol depends upon AKM, then
AKM can’t depend upon the routing protocol
– For OSPF & IS-IS, AKM **must** only operate
between directly attached devices, using link layer
– You can’t depend on IP to an arbitrary address
• BGP can depend upon the IGP being up
– But can’t depend on a priori inter-domain routes
– For BGP, authentication probably only effects the
preference of routes (in some sense)
Broadcast Media
• OSPF / IS-IS / RIP operate over broadcast
media (eg, Ethernet)
– A router on a broadcast LAN uses link layer
multicast to send one packet to multiple other
routers on the same LAN
• AKM will need to operate over the LAN
– And provide a key that one router can use to
send a single packet to multiple other routers
Don’t Break the Network
• The point is to keep the network up
– Authentication has to be more likely to keep
things up, than to take the network down
– It has to be simple, understandable, resilient
to mistakes
• Some configuration is allowed
– A router has to know which IGP to run
– Probably one pre-shared secret is okay also
• But: Keep it simple
Simplicity, Comprehensibility
• Many router experts are not security
experts (and vice versa)
– This is not a complete mutual understanding
• Security is much more likely to be
deployed if it is understood
– Including what it protects against, failure
modes, and how to deal with problems.
Summary
•
•
•
•
•
•
It has to work
It (AKM for RPs) has to bootstrap
It has to work over broadcast LANs
It has to be simple, foolproof
It has to solve a perceived problem
Requirements may differ by protocol
(OSPF, IS-IS, RSVP, LDP, UDP, TCP for
BGP, TCP for not-BGP, …)