IS-IS WG - PowerPoint PPT Presentation

About This Presentation
Title:

IS-IS WG

Description:

No sequence number hence liable to replay attacks. Slightly less vulnerable ... Entire flooding domain should have the same keys (changing keys difficult) ... – PowerPoint PPT presentation

Slides: 8
Provided by: vishwas9
Learn more at: https://www.ietf.org

Transcript and Presenter's Notes

Title: IS-IS WG


1
IS-IS WG
  • IS-IS HMAC SHA Cryptographic Authentication
  • draft-bhatia-manral-isis-hmac-sha-02
  • Manav Bhatia, Lucent
  • Vishwas Manral, IPInfusion
  • Russ White, Cisco
  • IETF 66, Montreal, Canada

2
IS-IS generic issues
  • No sequence number, hence liable to replay attacks
  • Slightly less vulnerable
  • Incorrect packets that are received are silently discarded
  • Works directly over Layer-2
  • Entire flooding domain should have the same keys
    (changing keys difficult)
  • None solved by the current draft

3
IS-IS current issues
  • Provides for HMAC-MD5
  • While there are no openly published attacks on
    that mechanism, some reports [Dobb96a, Dobb96b]
    create concern about the ultimate strength of the
    MD5 cryptographic hash function. Further, some
    end users, particularly several different
    governments, require the use of the SHA-1 hash
    function rather than any other such function for
    policy reasons.
  • Mechanism specific to HMAC-MD5 only
  • Though extending the TLV for the future is
    intuitive, it is harder to decide which of the
    intuitive ways to enhance it to use. In TLV 10,
    authentication type 54 specifies HMAC-MD5; however,
    there are various mechanisms for adding new types
    (opaque to the type field / type value, etc.).

4
Proposal - 1
  • This document proposes a new authentication type
    to be carried in TLV 10, called cryptographic
    authentication (CRYPTO_AUTH, value 2). This can
    be used to specify any authentication algorithm
    for authenticating and verifying IS-IS PDUs.
  • Details how HMAC-SHA authentication can be used
    in IS-IS.

5
Proposal -2
  • Use any one of the NIST hash functions SHA-1,
    SHA-224, SHA-256, SHA-384 and SHA-512 for this
    purpose, to authenticate the IS-IS PDUs.
  • Do away with the per interface keys and instead
    have key IDs that map to unique IS-IS Security
    Associations
  • The Key ID helps key rollover (prevents DoS
    amplification)

6
Proposal-3
  • Allows easy extension with new authentication
    algorithms
  • Key ID can indicate a key with a different
    authentication protocol. This allows multiple
    authentication mechanisms to be used at various
    times without disrupting IS-IS peering, including
    the introduction of new authentication
    mechanisms.
  • Describes procedures for the sending and
    receiving sides
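The sending and receiving procedures sketched on slides 4 to 6, as an added example that is not code from the draft or these slides: a Key ID in TLV 10 selects a security association (hash function plus key), so two keys can be live during a rollover and a PDU signed under a retired or unknown Key ID is simply discarded. The TLV layout, the 8-byte PDU header and the zero-filled digest field during HMAC computation are assumptions made for this example.

```python
import hashlib
import hmac
import struct

# Constructed security-association table: Key ID -> (hash name, shared key).
# Two live keys model a rollover: receivers accept either until the old key
# is retired from the table.
SA_TABLE = {1: ("sha1", b"old-shared-key"), 2: ("sha256", b"new-shared-key")}
AUTH_TLV_TYPE = 10
CRYPTO_AUTH = 2   # authentication type value as given on these slides
HEADER_LEN = 8    # assumed fixed-header size of the toy PDU used here


def auth_tlv(key_id, digest):
    """TLV 10 (assumed layout): auth type, 2-byte Key ID, digest."""
    value = struct.pack("!BH", CRYPTO_AUTH, key_id) + digest
    return struct.pack("!BB", AUTH_TLV_TYPE, len(value)) + value


def sign_pdu(pdu, key_id, sa_table=SA_TABLE):
    """Append an authentication TLV computed under the SA named by key_id."""
    alg, key = sa_table[key_id]
    zeros = b"\x00" * hashlib.new(alg).digest_size
    # The HMAC covers the whole PDU with the digest field zeroed.
    digest = hmac.new(key, pdu + auth_tlv(key_id, zeros), alg).digest()
    return pdu + auth_tlv(key_id, digest)


def find_auth_tlv(pdu):
    """Walk the TLVs after the header; return (offset, key_id, digest) or None."""
    off = HEADER_LEN
    while off + 2 <= len(pdu):
        t, length = pdu[off], pdu[off + 1]
        if t == AUTH_TLV_TYPE and length >= 3:
            atype, key_id = struct.unpack("!BH", pdu[off + 2:off + 5])
            if atype == CRYPTO_AUTH:
                return off, key_id, pdu[off + 5:off + 2 + length]
        off += 2 + length
    return None


def verify_pdu(pdu, sa_table=SA_TABLE):
    """True only if the TLV verifies under the SA its Key ID selects."""
    found = find_auth_tlv(pdu)
    if found is None:
        return False                      # no authentication TLV: discard
    off, key_id, digest = found
    if key_id not in sa_table:
        return False                      # unknown or retired Key ID: discard
    alg, key = sa_table[key_id]
    zeroed = pdu[:off + 5] + b"\x00" * len(digest) + pdu[off + 5 + len(digest):]
    # compare_digest is constant-time and returns False on a length mismatch.
    return hmac.compare_digest(hmac.new(key, zeroed, alg).digest(), digest)
```

Retiring the old key is just deleting its entry from the table; PDUs still signed under it then fail verification without affecting peers already using the new Key ID.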

7
Feedback?