Constraints on Automated Key Management for Routing Protocols
Ross Callon
IETF 71
March 2008, Philadelphia
AKM for Routing Protocols
• Link State protocol constraints
• Bootstrapping the routing protocol
• Operation over Broadcast Media
• Don’t take down the network
• Simplicity and Comprehensibility
Link State Protocol Constraints
• OSPF & IS-IS work because every router in an area has an identical view of the topology
– And runs identical route computation
• Authentication can be used to decide whether to bring up a link
– Or whether two neighbors exchange IGP traffic
• Authentication must not affect whether I believe the advertisement from a router across the area
– Different routers may get different results
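Added example, not part of the original slides: a small simulation of why per-router acceptance of a remote advertisement is dangerous in a link-state area. The five-router topology, its costs, and all function names are constructed for illustration; router B discarding the LSA originated by X stands in for a local authentication decision that the other routers do not share.

```python
import heapq

# Constructed area: every router originates one LSA listing its links and costs.
LSAS = {
    "A": {"B": 1, "D": 10},
    "B": {"A": 1, "C": 1},
    "C": {"B": 1, "X": 1},
    "X": {"C": 1, "D": 1},
    "D": {"X": 1, "A": 10},
}

def next_hop(lsdb, src, dst):
    """Dijkstra over one router's LSDB; returns the first hop toward dst, or None."""
    heap, done = [(0, src, None)], set()
    while heap:
        cost, node, first = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        if node == dst:
            return first
        for nbr, c in lsdb.get(node, {}).items():
            # Two-way check: use a link only if both ends advertise it.
            if nbr not in done and node in lsdb.get(nbr, {}):
                heapq.heappush(heap, (cost + c, nbr, first or nbr))
    return None

def trace(views, src, dst, max_hops=16):
    """Forward hop by hop, each router consulting its own LSDB view."""
    path = [src]
    while path[-1] != dst and len(path) <= max_hops:
        hop = next_hop(views[path[-1]], path[-1], dst)
        if hop is None:
            return path, "blackhole"
        if hop in path:
            return path + [hop], "loop"
        path.append(hop)
    return path, "delivered" if path[-1] == dst else "ttl-exceeded"

def views_with_rejection(rejecting_router=None, rejected_origin=None):
    """Every router holds all LSAs, except one router discarding one origin's LSA."""
    views = {r: dict(LSAS) for r in LSAS}
    if rejecting_router:
        del views[rejecting_router][rejected_origin]
    return views
```

With identical views, traffic from A to D follows A, B, C, X, D; once B alone drops X's LSA, A still sends toward B while B sends back toward A, so the packet loops.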
Bootstrapping the Routing Protocol
• If something goes wrong with routing (or with security), there has to be a way to recover
• If the routing protocol depends upon AKM, then AKM can’t depend upon the routing protocol
– For OSPF & IS-IS, AKM **must** only operate between directly attached devices, using link layer
– You can’t depend on IP to an arbitrary address
• BGP can depend upon the IGP being up
– But can’t depend on a priori inter-domain routes
– For BGP, authentication probably only affects the preference of routes (in some sense)
Broadcast Media
• OSPF / IS-IS / RIP operate over broadcast media (e.g., Ethernet)
– A router on a broadcast LAN uses link layer multicast to send one packet to multiple other routers on the same LAN
• AKM will need to operate over the LAN
– And provide a key that one router can use to send a single packet to multiple other routers
Don’t Break the Network
• The point is to keep the network up
– Authentication has to be more likely to keep things up, than to take the network down
– It has to be simple, understandable, resilient to mistakes
• Some configuration is allowed
– A router has to know which IGP to run
– Probably one pre-shared secret is okay also
• But: Keep it simple
Simplicity, Comprehensibility
• Many router experts are not security experts (and vice versa)
– This is not a complete mutual understanding
• Security is much more likely to be deployed if it is understood
– Including what it protects against, failure modes, and how to deal with problems.
Summary
• It has to work
• It (AKM for RPs) has to bootstrap
• It has to work over broadcast LANs
• It has to be simple, foolproof
• It has to solve a perceived problem
• Requirements may differ by protocol (OSPF, IS-IS, RSVP, LDP, UDP, TCP for BGP, TCP for not-BGP, …)