LDP Hello Cryptographic Authentication (draft-zheng-mpls-ldp-hello-crypto-auth-01), Vero Zheng (verozheng@huawei.com)


LDP Hello Cryptographic Authentication
draft-zheng-mpls-ldp-hello-crypto-auth-01
Vero Zheng (verozheng@huawei.com), Mach Chen (mach@huawei.com)
www.huawei.com
MPLS WG, IETF 80, Prague, 31 Mar 2011

Problem Statement
  • An established LDP session could be torn down by a spoofed Hello
      - By specifying a smaller Hold Time or changing the Transport Address
      - Reported as a real problem in operational networks
  • RFC 5036 does not provide any security mechanisms for use with Hello messages
      - The current TCP authentication mechanism cannot help here

Draft Objective
  • Secure the Hello message against spoofing attacks
      - Introduces a new Cryptographic Authentication TLV
      - Used in the LDP Hello message as an optional parameter
  • Enhances the authentication mechanism for LDP
      - An LSR can be configured to only accept Hello messages from specific peers when authentication is in use
  • It's simple, it's backward compatible and it's secure

Draft Status
  • KARP BGP/LDP/MSDP Design Team formed
  • draft-mahesh-bgp-ldp-msdp-analysis-00 produced

Changes Since Last Version
  • Protection against replay attack removed
  • Cryptographic algorithms update
      - Keyed MD5 dropped, considered not strong enough
      - HMAC-SHA used instead
      - HMAC-SHA-256 is a MUST, SHOULD support HMAC-SHA-1 and MAY support either HMAC-SHA-384 or HMAC-SHA-512
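An added example, not taken from the slides or the draft: how an LSR could check HMAC authentication data on a Hello and accept it only from configured peers, as the Draft Objective and algorithm slides describe. The message layout, function names, addresses and key are assumptions made for illustration; this is not the draft's TLV wire format.

```python
import hashlib
import hmac
import struct

# Requirement levels as listed on the slide.
ALGORITHMS = {
    "hmac-sha-256": hashlib.sha256,  # MUST
    "hmac-sha-1": hashlib.sha1,      # SHOULD
    "hmac-sha-384": hashlib.sha384,  # MAY
    "hmac-sha-512": hashlib.sha512,  # MAY
}

def build_hello(lsr_id: bytes, hold_time: int, transport_addr: bytes) -> bytes:
    """Toy Hello body: LSR ID | hold time | transport address (assumed layout)."""
    return lsr_id + struct.pack("!H", hold_time) + transport_addr

def sign_hello(hello: bytes, key: bytes, alg: str = "hmac-sha-256") -> bytes:
    """Compute the authentication data a sender would attach to the Hello."""
    return hmac.new(key, hello, ALGORITHMS[alg]).digest()

def accept_hello(hello: bytes, auth_data: bytes, peer_keys: dict,
                 alg: str = "hmac-sha-256") -> bool:
    """Accept a Hello only from a configured peer and only with a valid MAC."""
    key = peer_keys.get(hello[:4])  # first 4 bytes = sender LSR ID (assumed)
    if key is None or alg not in ALGORITHMS:
        return False
    expected = hmac.new(key, hello, ALGORITHMS[alg]).digest()
    return hmac.compare_digest(expected, auth_data)  # constant-time compare

# Constructed sample data (documentation addresses, made-up key).
PEER = bytes([192, 0, 2, 1])
PEER_KEYS = {PEER: b"constructed-shared-key"}
GENUINE = build_hello(PEER, 15, PEER)
GENUINE_MAC = sign_hello(GENUINE, PEER_KEYS[PEER])
# Same sender ID but a smaller Hold Time, carrying the MAC of the genuine Hello.
TAMPERED = build_hello(PEER, 1, PEER)
# A sender that is not in the configured peer list, using its own key.
STRANGER = build_hello(bytes([198, 51, 100, 7]), 15, bytes([198, 51, 100, 7]))
STRANGER_MAC = sign_hello(STRANGER, b"some-other-key")

if __name__ == "__main__":
    print("genuine :", accept_hello(GENUINE, GENUINE_MAC, PEER_KEYS))
    print("tampered:", accept_hello(TAMPERED, GENUINE_MAC, PEER_KEYS))
    print("stranger:", accept_hello(STRANGER, STRANGER_MAC, PEER_KEYS))
    # With no sequence number in the message, a verbatim copy still verifies.
    print("replayed:", accept_hello(GENUINE, GENUINE_MAC, PEER_KEYS))
```

The last check shows what removing replay protection means in practice: the MAC proves origin and integrity of the Hello but says nothing about its freshness.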

Next Steps
  • Continue to gather feedback from the list
  • Where should we take this work?
  • Need more feedback from security experts
      - Present in KARP tomorrow

Thank you