Authentication/Confidentiality for OSPFv2 draft-gupta-ospf-ospfv2-sec-00.txt

1
Authentication/Confidentiality for OSPFv2
draft-gupta-ospf-ospfv2-sec-00.txt

• Nagavenkata Suresh Melam
• nmelam_at_juniper.net
• Mukesh Gupta
• mukesh.gupta_at_tropos.com

2
Draft

• Using IPsec to protect the OSPFv2 packets
• Provides both Authentication and Encryption
• Based largely on the similar RFC 4552, written
  for OSPFv3

3
Quick Summary

• Manual symmetric keys
• Same keys in both directions
• Each IP subnet MUST be configured with same
  keys
• Should work with existing routers that also
  support IPsec

4
Details

• Transport mode is MUST and Tunnel mode MAY be
  used
• ESP is MUST and AH MAY be used
• Encryption and Authentication algorithms
• Reference to RFC 4305 that mandates different
  algorithms
• 3DES-CBC and HMAC-SHA1 MUST for Encryption and
  Authentication
• AES-CBC SHOULD for Encryption
• HMAC-MD5 MAY for Authentication
• Implementation MUST support multiple SPDs and a
  SPD selection function

5
Virtual Links

• As the addresses are learned dynamically, rules
  need to be installed into SPD after learning the
  addresses
• Different set of rules compared to rules
  configured on the IP subnets

6
Rekeying

• Keys need to be changed periodically
• Keyrollover procedure is specified in the
  document
• Suggestions for Keyrollover interval

7
IPsec Rules

• Authentication/Confidentiatlity disabled
• Authentication/Confidentiality enabled

No Source Destination Protocol Action
1 any any OSPF bypass
2 intfPrefix any OSPF protect
3 intfPrefix any ESP/OSPF or AH/OSPF protect
4 src/32 dst/32 OSPF protect
5 src/32 dst/32 ESP/OSPF or AH/OSPF protect
8
Limitations

• Manual Keying
• No sequence number support
• No protection against replay attacks
• rpsec WG discusses the issues with replay attacks

9
Future

• To resolve all the issues
• An approach based on msec WG work
• Derive the keys using GSAKMP ??

10
Thank You