Re: [OSPF] FW: Using dynamically derived Traffic Keys for Routing Protocols
Manav Bhatia <manav.bhatia@alcatel-lucent.com> Thu, 14 April 2011 04:22 UTC
Return-Path: <manav.bhatia@alcatel-lucent.com>
X-Original-To: ospf@ietfc.amsl.com
Delivered-To: ospf@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id A158AE06D3 for <ospf@ietfc.amsl.com>; Wed, 13 Apr 2011 21:22:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.914
X-Spam-Level:
X-Spam-Status: No, score=-5.914 tagged_above=-999 required=5 tests=[AWL=0.685, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z7UzO5JndNQM for <ospf@ietfc.amsl.com>; Wed, 13 Apr 2011 21:22:45 -0700 (PDT)
Received: from ihemail4.lucent.com (ihemail4.lucent.com [135.245.0.39]) by ietfc.amsl.com (Postfix) with ESMTP id BEE2BE06B3 for <ospf@ietf.org>; Wed, 13 Apr 2011 21:22:45 -0700 (PDT)
Received: from inbansmailrelay2.in.alcatel-lucent.com (h135-250-11-33.lucent.com [135.250.11.33]) by ihemail4.lucent.com (8.13.8/IER-o) with ESMTP id p3E4MdNr011209 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 13 Apr 2011 23:22:42 -0500 (CDT)
Received: from INBANSXCHHUB02.in.alcatel-lucent.com (inbansxchhub02.in.alcatel-lucent.com [135.250.12.35]) by inbansmailrelay2.in.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id p3E4MWOm024223 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Thu, 14 Apr 2011 09:52:38 +0530
Received: from [135.250.26.32] (135.250.19.8) by INBANSXCHHUB02.in.alcatel-lucent.com (135.250.12.35) with Microsoft SMTP Server (TLS) id 8.3.106.1; Thu, 14 Apr 2011 09:52:36 +0530
Message-ID: <4DA67655.10301@alcatel-lucent.com>
Date: Thu, 14 Apr 2011 09:51:41 +0530
From: Manav Bhatia <manav.bhatia@alcatel-lucent.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.15) Gecko/20110303 Lightning/1.0b2 Thunderbird/3.1.9 ThunderBrowse/3.3.5
MIME-Version: 1.0
To: "curtis@occnc.com" <curtis@occnc.com>
References: <201104140419.p3E4J65C025986@harbor.orleans.occnc.com>
In-Reply-To: <201104140419.p3E4J65C025986@harbor.orleans.occnc.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.39
Cc: "ospf@ietf.org" <ospf@ietf.org>
Subject: Re: [OSPF] FW: Using dynamically derived Traffic Keys for Routing Protocols
X-BeenThere: ospf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: The Official IETF OSPG WG Mailing List <ospf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ospf>, <mailto:ospf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ospf>
List-Post: <mailto:ospf@ietf.org>
List-Help: <mailto:ospf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ospf>, <mailto:ospf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Apr 2011 04:22:46 -0000
Curtis, I can write a small ID explaining how this can be used for OSPF if folks believe this is something acceptable for doing key rollovers. Cheers, Manav On 4/14/2011 9:49 AM, Curtis Villamizar wrote: > > In message<7C362EEF9C7896468B36C9B79200D8350CFD0DE257@INBANSXCHMBSA1.in.alcatel-lucent.com> > "Bhatia, Manav (Manav)" writes: >> >> OSPFers, >> >> Can a variant of this method be used to protect OSPFv2 and OSPFv3-AT? >> >> Cheers, Manav > > > Hesitant to say "me too" again for S/N reasons, but ... yes/agree > > Someone needs to write up the details though. (and Manav seems > willing to volunteer). > > Curtis > > > >>> -----Original Message----- >>> From: karp-bounces@ietf.org [mailto:karp-bounces@ietf.org] On >>> Behalf Of Bhatia, Manav (Manav) >>> Sent: Thursday, April 14, 2011 5.18 AM >>> To: karp@ietf.org >>> Subject: [karp] Using dynamically derived Traffic Keys for >>> Routing Protocols >>> >>> Hi, >>> >>> Instead of using the pre shared key (PSK) in manual keying >>> for all packets the routing protocols could use a traffic key >>> that's derived from the PSK using some key derivation >>> function. Each side could announce a random number (a nonce) >>> and the KDF could mix this with the PSK to derive the traffic >>> key per session. Benefits of this approach: >>> >>> o Key rollover becomes very easy as it's a local decision now >>> requiring now co-ordination with our peers. Each side can >>> generate a new nonce and all others recompute the traffic key >>> based on the new nonce value. Attackers cant inject packets >>> with spurious nonces as this packet will be protected using >>> the traffic key based on the nonce that others have sent. >>> >>> o Avoids inter-session replay attacks without involving non >>> volatile memory as each router will use a different nonce >>> upon booting up. >>> >>> In OSPF the nonce could be carried in the HELLO packets. >>> There could be bit carried in the HELLOs which would indicate >>> that the Hello is currently using the long lived key (or the >>> PSK). The receiver upon receiving this would authenticate the >>> packet using the PSK and would use the KDF to derive the >>> traffic key. The KDF would mix the nonce with the PSK in some >>> deterministic fashion. The receiver uses the derived traffic >>> key for signing all subsequent OSPF packets and would >>> indicate this by setting some bit (which says using traffic >>> key). It will also include its own nonce. The original sender >>> now uses the nonce that it receives and starts using the >>> traffic key derived from this nonce for all subsequent >>> packets. For a key rollover, the senders just have to choose >>> a new nonce value. This can be done as frequently as desired >>> and requires no manual intervention. >>> >>> Does this sound as going in the right direction? >>> >>> Cheers, Manav >>> >>> -- >>> Manav Bhatia, >>> Service Router Product Group (SRPG) >>> Alcatel-Lucent, India >>> _______________________________________________ >>> karp mailing list >>> karp@ietf.org >>> https://www.ietf.org/mailman/listinfo/karp >>> >> _______________________________________________ >> OSPF mailing list >> OSPF@ietf.org >> https://www.ietf.org/mailman/listinfo/ospf >
- [OSPF] FW: Using dynamically derived Traffic Keys… Bhatia, Manav (Manav)
- Re: [OSPF] FW: Using dynamically derived Traffic … Curtis Villamizar
- Re: [OSPF] FW: Using dynamically derived Traffic … Manav Bhatia
- Re: [OSPF] FW: Using dynamically derived Traffic … Curtis Villamizar
- Re: [OSPF] FW: Using dynamically derived Traffic … Manav Bhatia
- Re: [OSPF] FW: Using dynamically derived Traffic … Curtis Villamizar
- Re: [OSPF] FW: Using dynamically derived Traffic … Bhatia, Manav (Manav)