Working GroupInternet Engineering Task Force (IETF) U. ChunduriInternet-DraftRequest for Comments: 7602 W. LuIntended status:Category: Standards Track A. TianExpires: October 24, 2015ISSN: 2070-1721 Ericsson Inc. N. Shen Cisco Systems, Inc.April 22,July 2015 IS-IS Extended SequencenumberNumber TLVdraft-ietf-isis-extended-sequence-no-tlv-06Abstract This document defines the Extended SequencenumberNumber TLV to protect Intermediate System to Intermediate System (IS-IS) PDUs from replay attacks. Status of This Memo ThisInternet-Draftissubmitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documentsan Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF).Note that other groups may also distribute working documents as Internet-Drafts. The listIt represents the consensus ofcurrent Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents validthe IETF community. It has received public review and has been approved fora maximumpublication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741. Information about the current status ofsix monthsthis document, any errata, and how to provide feedback on it may beupdated, replaced, or obsoleted by other documentsobtained atany time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on October 24, 2015.http://www.rfc-editor.org/info/rfc7602. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 1.2. Acronyms . . . . . . . . . . . . . . . . . . . . . . . . 3 2. ReplayattacksAttacks and Impact on IS-ISnetworksNetworks . . . . . . . . . 4 2.1. IIHs . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.2. LSPs . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.3. SNPs . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Extended Sequence Number TLV . . . . . . . . . . . . . . . . 4 3.1. Sequence Number Wrap . . . . . . . . . . . . . . . . . . 5 4. Mechanism and Packet Encoding . . . . . . . . . . . . . . . .65 4.1. IIHs . . . . . . . . . . . . . . . . . . . . . . . . . . 6 4.2. SNPs . . . . . . . . . . . . . . . . . . . . . . . . . . 6 5. Backward Compatibility and Deployment . . . . . . . . . . . . 6 5.1.IIHIIHs and SNPs . . . . . . . . . . . . . . . . . . . . . . 7 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 8.ContributorsReferences . . . . . . . . . . . . . . . . . . . . . . . . . 89. Acknowledgements8.1. Normative References . . . . . . . . . . . . . . . . . . 8 8.2. Informative References . . . . . .8 10. References. . . . . . . . . . . 8 Appendix A. ESSN Encoding Mechanisms . . . . . . . . . . . . . .8 10.1. Normative References10 A.1. Using Timestamps . . . . . . . . . . . . . . . . . .8 10.2. Informative References. . 10 A.2. Using Non-volatile Storage . . . . . . . . . . . . . . .810 AppendixA. ESSN Encoding Mechanisms .B. Operational/Implementation Considerations . . . . . 11 Acknowledgements . . . . . . . .9 A.1. Using Timestamp. . . . . . . . . . . . . . . . 11 Contributors . . . . .9 A.2. Using Non-Volatile Storage. . . . . . . . . . . . . . .10 Appendix B. Operational/Implementation consideration. . . . . .1011 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .1012 1. IntroductionWith the rapid development of new data center infrastructures, due to its flexibility and scalability attributes,Intermediate System to Intermediate System(IS-IS, [ISO10589])(IS-IS) [ISO10589] has been adopted widely in variousL2/L3Layer 2 / Layer 3 routing and switchingdeploymentdeployments ofthedata centers and for critical business operations. Its flexibility and scalability make it well suited for the rapid development of new data center infrastructures. Also, while technologies such asSoftware Defined NetworksSoftware-Defined Networking (SDN) may improve network management and enable new applications, their usealsohas an effect on the security requirements of the routing infrastructure. A replayed IS-IS PDU can potentially cause many problems intheIS-ISnetworks ranging fromnetworks, including bouncingadjacencies to black hole oradjacencies, blackholing, and even some form ofDenial of ServiceDenial-of-Service (DoS) attacks as explained in Section 2. This problem is also discussed insecurity considerationthe Security Considerations section, in the context of cryptographic authentication work as described in [RFC5304] andin[RFC5310]. Currently, there is no mechanism to protect IS-ISHELLOHello (IIH) PDUs(IIHs)and SequencenumberNumber PDUs (SNPs) fromthereplay attacks. However, Link State PDUs (LSPs) have a sequence number in the LSP header as defined in [ISO10589], with whichitthey can effectively mitigatetheintra-session replay attacks. But, LSPs are still susceptible to inter-session replay attacks. This document defines the Extended SequencenumberNumber (ESN) TLV to protectIntermediate System to Intermediate System (IS-IS)IS-IS PDUs from replay attacks. The new ESN TLV defined herethwartthwarts these threats and can be deployed with the authenticationmechanism asmechanisms specified in [RFC5304] andin[RFC5310] for a more secure network. Replay attacks can be effectively mitigated by deploying a group key management protocol (being developed as defined in[I-D.yeung- g-ikev2][GROUP-IKEv2] and[I-D.hartman-karp-mrkmp])[MRKMP]) with a frequent key change policy. Currently, there is no such mechanism defined for IS-IS. Even if such a mechanism is defined, usage of this TLV can be helpful to avoid replays before the keys are changed. Also, it isbelieved,believed that, even when such a key management system is deployed, there always will be somemanual key basedsystems based on manual keying thatco- existcoexist withKMP (Key Management Protocol)systems basedsystems. Theon key management protocols. The ESN TLV defined in this document ismorehelpful for such deployments. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 1.2. Acronyms CSNP - Complete Sequence Number PDU ESN - Extended Sequence Number IIH - IS-IS HelloPDUIS - Intermediate SystemKMP - Key Management Protocol (auto key management)LSP - IS-IS Link State PDUMKM - Manual Key management ProtocolsPDU - Protocol Data Unit PSNP - Partial Sequence Number PDU SNP - Sequence Number PDU 2. ReplayattacksAttacks and Impact on IS-ISnetworksNetworks Replaying a captured protocol packet to cause damage is a common threat for any protocol. Securing the packet with cryptographic authentication information alone cannot mitigate this threat completely. This section explains the replay attacks andthetheir applicabilityof the same forto each IS-IS PDU. 2.1. IIHs When an adjacency is broughtupup, an IS sends an IIH packet with an empty neighbor list (TLV6), which6); it can be sent with or without authentication information. Packets can be replayed later on the broadcastnetwork whichnetwork, and this may cause allISesISs to bounce the adjacency, thus churning the network. Note that mitigating replay is only possible when authentication information is present. 2.2. LSPs Normal operation of the IS-IS updateProcessprocess as specified in [ISO10589] provides timely recovery from all LSP replay attacks.ThereforeTherefore, the use of the extensions defined in this documentareis prohibited in LSPs. Further discussion of the vulnerability of LSPs to replay attacks can be found in[I-D.ietf- karp-isis-analysis].[ISIS-ANALYSIS]. 2.3. SNPs A replayed CSNP can result in the sending of unnecessary PSNPs on a given link. A replayed CSNP or PSNP can result in unnecessary LSP flooding on the link. 3. Extended Sequence Number TLV The Extended Sequence Number (ESN) TLV is composed of 1 octet for the Type, 1 octet that specifies the number of bytes in the Valuefieldfield, and a12 byte12-byte Value field. This TLV is defined only for IIH and SNP PDUs.x CODECode - 11.x LENGTHLength - total length of the value field, which is 12 bytes.xValue - 64-bit Extended Session Sequence Number (ESSN), which is followed by a32 bit32-bit, monotonicallyincreasing per Packet Sequence Number (PSN).increasing, per-packet sequence number. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+ | Type | +-+-+-+-+-+-+-+-+ | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Extended Session Sequence Number(High Order(High-Order 32 Bits) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Extended Session Sequence Number(Low Order(Low-Order 32 Bits) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Packet Sequence Number (32 Bits) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 1: Extended Sequence Number (ESN) TLV The ESN TLV defined here is optional. Though this is an optional TLV,thisit can be mandatory on a link when 'verify' mode is enabled as specified in Section 5.1. The ESN TLV MAY be present only inanyIIH PDUs andSNP PDUs.SNPs. A PDU with multiple ESN TLVs is invalid and MUST be discarded on receipt. The64 bit64-bit ESSN MUST benon-zerononzero and MUST containever increasinga number that is increased whenever it is changed due anysituationsituation, as specified in Section 3.1. Encoding the 64-bit unsigned integer ESSN value is a localmattermatter, and implementations MAY use one of the alternatives provided in Appendix A. Effectively, for each PDUwhichthat contains the ESNTLVTLV, the96 bit96-bit unsigned integer value consisting of the64 bit64-bit ESSN and32 bit32-bit Packet Sequence Number (PSN)--- where the ESSN is thehigher orderhigher-order 64 bits--- MUST be greater than the most recently received value in a PDU of the same type originated by the same IS. 3.1. Sequence Number Wrap If the 32-bit Packet Sequence Number in the ESN TLV wraps orforthe router performs a coldrestart of the router,restart, the 64-bit ESSN value MUST be set higher than the previous value. IS-IS implementations MAY use the guidelines provided in Appendix A for accomplishing this. 4. Mechanism and Packet Encoding The encoding of the ESN TLV in each applicable IS-IS PDU is detailed below. Please refer to Section 5 for appropriate operations on how tointer-opinteroperate with legacy node(s) that do not support the extensions defined in this document. If the received PDU with the ESN TLV isacceptedaccepted, then the stored value for the corresponding originator and PDU type MUST be updated with the latest value received. Please note that level information is included in the PDU type. 4.1. IIHs ESN TLV information is maintained for each type of IIH PDU being sent on a given circuit. The procedures for encoding,verificationverification, and sequence numberwrap scenarioswrapping are explained in Section 3. 4.2. SNPsA separateSeparate CSNP/PSNP ESN TLV information is maintained per PDU type, peroriginatororiginator, and per link. The procedures for encoding,verificationverification, and sequence numberwrap scenarioswrapping are explained in Section 3. 5. Backward Compatibility and Deployment The implementation and deployment of the ESN TLV can be done to support backward compatibility and gradual deployment in the network without requiring a flag day. This feature can also be deployed for the links in a certain area of the network where the maximum security mechanism is needed, or it can be deployed for the entire network. The implementation SHOULD allow the configuration of ESN TLVfeaturefeatures on each IS-IS link level. The implementation SHOULD also allow operators to control the configuration of the 'send' and/or 'verify' feature of IS-IS PDUs for the links and for the node. In this document, the 'send'operationmode is to include the ESN TLV in its own IS-ISPDUs;PDUs, and the 'verify'operationmode is to process the ESN TLV in the receiving IS-IS PDUs from neighbors.In the face ofWhen an adversarydoing an active attack,is actively attacking, it is possible to have inconsistent dataviewviews in the network, if there is a considerable delay in enablingESN TLVthe 'verify'operationmode where nodes were configured to the 'send' mode, e.g., from the firstnodeto the last nodein the networkor all nodes of a particular LANsegment, where 'send' mode is configured.segment. Thiscan happenhappens primarilybecause,because replay PDUs can potentially be accepted by the nodes where the 'verify'operationmode is still not provisioned at the time of the attack. To minimize such awindowwindow, it is recommended that provisioning of 'verify' SHOULD be done in a timely fashion by the network operators. 5.1.IIHIIHs and SNPs On the link level, the ESN TLV involves the IIH PDUs and SNPs (both CSNP and PSNP). The"send"'send' and"verify"'verify' modes described above can be set independently on each linkandand, in the case of a broadcastnetworknetwork, independentlyforon each level. To introduce ESN support without disrupting operations, ISs on a given interface are first configured to operate in 'send' mode. Once all routers operating on an interface are operating in 'send'modemode, 'verify' mode can be enabled on each IS. Once 'verify' mode is set for aninterfaceinterface, all the IIHand SNPPDUs and SNPs being sent on that interface MUST contain the ESN TLV. Any such PDU received without an ESN TLV MUST be discarded when 'verify' mode is enabled. Similarly, to safely disable ESN support on a link, 'verify' mode is disabled on all ISs on the link. Once 'verify' mode is disabled on all routers operating on aninterface are disabled from 'verify' modeinterface, 'send' mode can be disabled on each IS. Please refer to Section 5 for considerations on enabling or disabling 'verify' mode on all ISs on a link. 6. IANA Considerations A new TLVcode point iscodepoint, as defined in this document, has been assigned by IANA from theIS-IS"IS-IS TLVCodepoints Registry as defined in this document,Codepoints" registry. It is referred to as the"ExtendedExtended SequenceNumber" TLV, withNumber TLV and has the following attributes:Type DescriptionValue Name IIH LSP SNP Purge--------- --------------------- --- --- --- ----- 11 ESN TLVY N Y N Figure 2: IS-IS Codepoints Registry Entryy n y n 7. Security Considerations This document describes a mechanism to mitigate the replay attack threat as discussed in the Security Considerationssectionsections of [RFC5304] andin[RFC5310]. If an adversary interferes eitherdoesby notforward theforwarding packets ordelay the sameby delaying messages asspecifieddescribed in Section 3.3 of [RFC6862], the mechanism specified in this document cannot mitigate those threats.AlsoAlso, some of the threatsas specifieddescribed in Section 2.3 of[I-D.ietf- karp-isis-analysis][ISIS-ANALYSIS] are not addressable with the ESN TLV as specified in this document. This document does not introduce any new security concerns to IS-IS or any other specificationsreferenced in this document. 10.referenced. 8. References10.1.8.1. Normative References [ISO10589] International Organization for Standardization, "Intermediate system to intermediate system intra-domain- routing routine information exchange protocol for use in conjunction with the protocol for providing the connectionless-mode Network Service (ISO 8473)",ISO/ IECISO/IEC 10589:2002, Second Edition, Nov. 2002. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March1997.1997, <http://www.rfc-editor.org/info/rfc2119>. [RFC5905] Mills, D., Martin, J., Ed., Burbank, J., and W. Kasch, "Network Time Protocol Version 4: Protocol and Algorithms Specification", RFC 5905, DOI 10.17487/RFC5905, June2010. 10.2.2010, <http://www.rfc-editor.org/info/rfc5905>. 8.2. Informative References[I-D.hartman-karp-mrkmp][MRKMP] Hartman, S., Zhang, D., and G. Lebovitz, "Multicast Router Key Management Protocol (MaRK)",draft-hartman-karp- mrkmp-05 (workWork inprogress),Progress, draft-hartman-karp-mrkmp-05, September 2012.[I-D.ietf-karp-isis-analysis][ISIS-ANALYSIS] Chunduri, U., Tian, A., and W. Lu, "KARP IS-IS security analysis",draft-ietf-karp-isis-analysis-04 (workWork inprogress), MarchProgress, draft-ietf-karp-isis- analysis-07, July 2015.[I-D.weis-gdoi-mac-tek] Weis, B. and S.[GROUP-IKEv2] Rowles,"GDOI Generic Message Authentication Code Policy", draft-weis-gdoi-mac-tek-03 (workS., Yeung, A., Ed., Tran, P., and Y. Nir, "Group Key Management using IKEv2", Work inprogress), September 2011.Progress, draft-yeung-g-ikev2-08, October 2014. [RFC5304] Li, T. and R. Atkinson, "IS-IS Cryptographic Authentication", RFC 5304, DOI 10.17487/RFC5304, October2008.2008, <http://www.rfc-editor.org/info/rfc5304>. [RFC5310] Bhatia, M., Manral, V., Li, T., Atkinson, R., White, R., and M. Fanto, "IS-IS Generic Cryptographic Authentication", RFC 5310, DOI 10.17487/RFC5310, February2009. [RFC6518] Lebovitz, G. and M. Bhatia, "Keying and Authentication for Routing Protocols (KARP) Design Guidelines", RFC 6518, February 2012.2009, <http://www.rfc-editor.org/info/rfc5310>. [RFC6862] Lebovitz, G., Bhatia, M., and B. Weis, "Keying and Authentication for Routing Protocols (KARP) Overview, Threats, and Requirements", RFC 6862, DOI 10.17487/RFC6862, March2013.2013, <http://www.rfc-editor.org/info/rfc6862>. [RFC7474] Bhatia, M., Hartman, S., Zhang, D., and A. Lindem, Ed., "Security Extension for OSPFv2 When Using Manual Key Management", RFC 7474, DOI 10.17487/RFC7474, April2015.2015, <http://www.rfc-editor.org/info/rfc7474>. Appendix A. ESSN Encoding Mechanisms IS-IS nodes implementing this specification SHOULD use available mechanisms to preserve the 64-bit Extended Session Sequence Number's strictly increasing property, whenever it is changed for the deployed life of the IS-IS node (including cold restarts). ThisAppendixappendix providesonlyguidelines forachievingmaintaining thesamestrictly increasing property of the 64-bit ESSN in the ESN TLV, and implementations can resort to any similar method asfarlong asstrictly increasingthis propertyof the 64-bit ESSN in ESN TLVis maintained. A.1. UsingTimestampTimestamps One mechanism for accomplishing this is by encoding the 64-bit ESSN as the system time representedinby a 64-bit unsigned integer value. This MAY be similar to the system timestamp encoding for the NTP long format as defined in Appendix A.4 of [RFC5905].NewThe new current time MAY be used when the IS-IS node loses its sequence number state includinginwhen the Packet Sequence Numberwrap scenarios.wraps. Implementations MUST make sure while encoding the 64-bit ESN value with the current systemtime,time that itshoulddoes not default to any previous value or some default node time of thesystem;system, especially after cold restarts or any other similar events. Ingeneralgeneral, system time must be preserved across cold restarts in order for this mechanism to be feasible. One example of such implementation is to use a battery backed real-time clock (RTC). A.2. UsingNon-VolatileNon-volatile Storage One other mechanism for accomplishing thiswould beis similar to the oneasspecified in[RFC7474], to[RFC7474] -- use the 64-bit ESSN as a wrap/boot count stored in non-volatile storage. This value is incremented anytime the IS-IS node loses its sequence numberstatestate, includinginwhen the Packet Sequence Numberwrap scenarios. Thewraps. There is a drawbackofto thisapproach perapproach, which is described as follows in Section 8 of[RFC7474], if used is applicable here.[RFC7474]. It requires the IS-IS implementation to be able to save its boot count in non-volatile storage. If thenon-volatilenon- volatile storage is ever repaired or router hardware is upgraded such that the contents are lost, keys MUST be changed to prevent replay attacks. Appendix B. Operational/ImplementationconsiderationConsiderations Since the ESN is maintained perinterface,PDU type, perleveloriginator, and perPDU type,link, this scheme can be useful for monitoring the health of theIS- ISIS-IS adjacency. A Packet Sequence Number skiponthat occurs upon receiving an IIH can be recorded by the neighborswhichand can be used later to correlatewithadjacency state changes over the interface. Forinstanceinstance, inamulti-access media,allcompletely different issues on the network may be indicated when all neighborshave therecord skips from the same IIH senderorversus when only one neighborhas the Packet Sequence Number skips can indicate completely different issues on the network. Effectiverecords skips. For operational issues, effective usage of the TLV defined in this documentfor operational issuesMAY also need more system information before making concreteconclusions andconclusions; defining all that information is beyond the scope of this document.9.Acknowledgements As some sort of sequence number mechanism to thwart protocol replays is a oldmechanism,concept, the authors of this document do not make any claims on the originality of the overall protection idea described.AuthorsThe authors are thankful for the review and the valuable feedback provided by Acee Lindem and Joel Halpern. Thanks to Alia Atlas, Chris Hopps, NevilBrownleeBrownlee, and Adam W. Montville for their reviews and suggestions during IESG directorate review.Authors wouldThe authors also thank Christer Holmberg, Ben Campbell, Barry Leiba, StephenFarrellFarrell, and Alvaro Retana for their reviewsonof this document.8.ContributorsAuthorsThe authors would like to thank Les Ginsberg for his significant contribution in detailed reviews and suggestions. Authors' Addresses Uma Chunduri Ericsson Inc. 300 Holger Way, San Jose, California 95134USAUnited States Phone: 408 750-5678 Email: uma.chunduri@ericsson.com Wenhu Lu Ericsson Inc. 300 Holger Way, San Jose, California 95134USAUnited States Email: wenhu.lu@ericsson.com Albert Tian Ericsson Inc. 300 Holger Way, San Jose, California 95134USAUnited States Phone: 408 750-5210 Email: albert.tian@ericsson.com Naiming Shen Cisco Systems, Inc. 225 West Tasman Drive, San Jose, California 95134USAUnited States Email: naiming@cisco.com