Introduction
This document performs a gap analysis of the current state of Bidirectional Forwarding Detection [RFC5880] according to the requirements of KARP Design Guidelines [RFC6518]. Previously, the OPSEC working group has provided an analysis of cryptographic issues with BFD in "Issues with Existing Cryptographic Protection Methods for Routing Protocols" [RFC6039].
The existing BFD specifications provide a basic security solution. Key ID is provided so that the key used in securing a packet can be changed on demand. Two cryptographic algorithms (MD5 and SHA‐1) are supported for integrity protection of the control packets; the algorithms are both demonstrated to be subject to collision attacks. Routing protocols like "RIPv2 Cryptographic Authentication" [RFC4822], "IS‐IS Generic Cryptographic Authentication" [RFC5310], and "OSPFv2 HMAC‐SHA Cryptographic Authentication" [RFC5709] have started to use BFD for liveliness checks. Moving the routing protocols to a stronger algorithm while using a weaker algorithm for BFD would allow the attacker to bring down BFD in order to bring down the routing protocol. BFD therefore needs to match the routing

While BFD uses a non‐decreasing, per‐packet sequence number to protect itself from intra‐connection replay attacks, it still leaves the protocol vulnerable to the inter‐session replay attacks.