2006.06.05 Ron Bonica
slides are at
http://www.nanog.org/mtg-0606/pdf/ron-bonica-joint%20presenters.pdf
Authentication for TCP-based routing and management
protocols, from Juniper.
A joint presentation, Alcatel, Cisco, Juniper.
Starts at NANOG at Washington 2 years ago,
security BOF; someone said they would MD5 auth
if they could update keys without bouncing their
sessions.
Suprisingly small number of people actually
using MD5 authentication.
Motivation
many ops don't authenticate TCP based routing
protocols
RFC 2385 doesn't meet operator needs.
Concerns:
CPU utilization
not so much of an issue for Juniper, [Cisco, Alcatel]
Juniper architecture separates forwarding and control
plane
Key management
hard to change keys
requires bouncing sessions
Weak cryptography
easy attacks against MD5
Alternative approaches
Application:
in the protocols (BGP, LDP, etc)
TLS
--too much of a headache
transport
TCP
Network
IKE/IPsec
Chosen Approach:
better TCP authentication
enhanced TCP auth option
Hitless key rollover
key chains configured on peer systems
time based key rollover
key identifier
Stronger cryptography
HMAC-SHA-1-96
CMAC-AES-128-96
Enhanced Authentication Option
Kind - Length T/K Alg ID Res Key ID
KEY
Key chain
contains a tolerance parameter up to 64 keys
each key contains
id [0..63]
auth algorithm
shared secret
start and end time, both for trans and receive
Sending system procedure
identify active key candidates
start-time <= system-time
end-time > system-time
if there are no candidates, log event and discard
outbound packet
If there are multiple candidates, select key with most
recent start-time for sending
Calculate MAC using active key
calculate over TCP pseudo header, TCP header, and TCP
payload
by default, include TCP options
(if you set the T bit, ignore TCP options)
Format enhanced auth option
active key ID
...
Receiving system proc.
lookup key specified by TCP option
determine whether that key is eligible
startime <= system - tolerance
end time > endtime + tolerance
[not sure if that shouldn't be
end time > system time + tolerance, actually. --MNP]
Calculate MAC
if calculated MAC matches received MAC, accept the packet
auth error procedure
discard datagram
log
do NOT send indication to originator
(doesn't adjust TCP counters)
Config example:
see examples on slide deck, they went past too
quickly.
Q: how many of us are authenticating IBGP sessions?