Authentication for TCP-based Routing and Management Protocols

Presentation Transcript


  1. Authentication for TCP-based Routing and Management Protocols
     draft-bonica-tcp-auth-02
     Ron Bonica, Andy Heffernan

  2. Problem Statement
     • Relatively few ISPs MD5-authenticate BGP peering sessions
     • RFC 2385

  3. Why Don’t ISPs Authenticate
     • In order to update the MD5 key, you must bounce the peering session
     • Concerns about CPU utilization
     • Concerns about DoS attacks
       • Saturate CPU
     • MD5 authentication isn’t very strong

  4. Constraints Upon Solution
     • Hitless key update
     • Choose authentication algorithm wisely
       • CPU resources
       • Length of hash value
       • Strength
     • Never require the receiving station to calculate a hash value multiple times for a single incoming TCP segment

  5. Proposed Solution
     • Configuration
     • Sending station procedures
     • Receiving station procedures

  6. Configuration
     • Key Chain (contains multiple Authentication Elements)
     • Tolerance value (significant on receiver only)
     • Each Authentication Element contains
       • Authentication Element ID
       • Authentication Algorithm
       • Key
       • Start time

  7. Sending Station Procedure
     • Identify current Authentication Element
       • Based on start time
     • Generate hash value using current Authentication Element
     • Insert TCP Enhanced Authentication Option
       • Object ID (assigned by IANA)
       • Object Length
       • Authentication Element ID
       • Hash Value

  8. Receiving Station Procedure
     • Examine incoming TCP Enhanced Authentication Option
     • Look up Authentication Element specified in TCP Option
     • Determine whether it is acceptable
       • Using start time, system time and tolerance parameter
     • Calculate hash and authenticate

  9. Choosing Hash Algorithms
     • Late binding of hash algorithms to TCP sessions
     • HMAC-SHA-1-96 is highly desirable
       • Relatively strong
       • Not computationally expensive
       • Twelve-byte hash value
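The following Python model walks through slides 6 to 9 end to end: a key chain of Authentication Elements, the sender picking the current element by start time and appending a TCP Enhanced Authentication Option (element ID plus a 12-byte HMAC-SHA-1-96 value), and the receiver looking the element up by ID, checking it against system time and the tolerance value, and computing exactly one hash per segment. It is an added example, not code from the draft or its authors. The option kind value, the wire layout of the option, the treatment of "segment" as an opaque byte string, and the exact acceptability rule (an element may be used up to `tolerance` seconds before its start time and up to `tolerance` seconds after its successor's start time) are all constructed assumptions; the draft leaves the kind to IANA and the slides do not spell out the tolerance arithmetic.

```python
"""Model of the key-chain / TCP Enhanced Authentication Option procedure on
slides 6-9 of draft-bonica-tcp-auth-02. Added example; option kind, wire
layout, segment model and the tolerance rule are constructed assumptions."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, List

OPTION_KIND = 0xFD   # placeholder: the real kind is assigned by IANA
HASH_LEN = 12        # HMAC-SHA-1-96 = first 12 bytes of HMAC-SHA-1 output
OPTION_LEN = 3 + HASH_LEN  # constructed layout: kind | length | element_id | hash


@dataclass(frozen=True)
class AuthElement:
    element_id: int   # one byte on the wire in this model
    algorithm: str    # only "hmac-sha1-96" is modelled (slide 9)
    key: bytes
    start_time: int   # seconds since the epoch


def compute_hash(elem: AuthElement, covered: bytes) -> bytes:
    """One MAC over the covered bytes (option hash field already zeroed)."""
    if elem.algorithm != "hmac-sha1-96":
        raise ValueError(f"unsupported algorithm {elem.algorithm}")
    return hmac.new(elem.key, covered, hashlib.sha1).digest()[:HASH_LEN]


class KeyChain:
    def __init__(self, elements: List[AuthElement], tolerance: int):
        self.by_id: Dict[int, AuthElement] = {e.element_id: e for e in elements}
        self.ordered = sorted(elements, key=lambda e: e.start_time)
        self.tolerance = tolerance  # significant on the receiver only

    def current(self, now: int) -> AuthElement:
        """Sender: the element with the latest start time that is not in the future."""
        started = [e for e in self.ordered if e.start_time <= now]
        if not started:
            raise LookupError("no authentication element has started yet")
        return started[-1]

    def acceptable(self, elem: AuthElement, now: int) -> bool:
        """Receiver (assumed rule): accept an element from `tolerance` seconds
        before its start time until `tolerance` seconds after its successor's
        start time, so peers with slightly skewed clocks roll keys hitlessly."""
        if elem.start_time > now + self.tolerance:
            return False  # element not yet valid, even allowing for skew
        successors = [e for e in self.ordered if e.start_time > elem.start_time]
        if successors and successors[0].start_time + self.tolerance <= now:
            return False  # superseded longer ago than the tolerance allows
        return True


def send(chain: KeyChain, now: int, segment: bytes) -> bytes:
    """Sending station: pick the current element, MAC, append the option."""
    elem = chain.current(now)
    header = struct.pack("!BBB", OPTION_KIND, OPTION_LEN, elem.element_id)
    mac = compute_hash(elem, segment + header + bytes(HASH_LEN))
    return segment + header + mac


def receive(chain: KeyChain, now: int, wire: bytes) -> bool:
    """Receiving station: look up by element ID, check acceptability, then
    compute the hash exactly once (slide 4's constraint) and compare."""
    if len(wire) < OPTION_LEN:
        return False
    segment, option = wire[:-OPTION_LEN], wire[-OPTION_LEN:]
    kind, length, element_id = struct.unpack("!BBB", option[:3])
    if kind != OPTION_KIND or length != OPTION_LEN:
        return False
    elem = chain.by_id.get(element_id)
    if elem is None or not chain.acceptable(elem, now):
        return False  # no hash computed for an unknown or stale element
    expected = compute_hash(elem, segment + option[:3] + bytes(HASH_LEN))
    return hmac.compare_digest(expected, option[3:])


def demo() -> Dict[str, bool]:
    """Constructed scenarios around a key rollover at t=2000 with 60 s tolerance."""
    chain = KeyChain([AuthElement(1, "hmac-sha1-96", b"old-key", 1000),
                      AuthElement(2, "hmac-sha1-96", b"new-key", 2000)], tolerance=60)
    payload = b"BGP KEEPALIVE (constructed payload)"
    results = {}
    results["before_rollover"] = receive(chain, 1500, send(chain, 1500, payload))
    # sender already on element 2, receiver clock 30 s behind: accepted
    results["early_within_tolerance"] = receive(chain, 1970, send(chain, 2000, payload))
    # sender still on element 1, receiver 30 s past rollover: accepted (hitless)
    results["late_within_tolerance"] = receive(chain, 2030, send(chain, 1990, payload))
    # element 1 used 120 s past rollover: rejected
    results["stale_element"] = receive(chain, 2120, send(chain, 1990, payload))
    wire = send(chain, 2500, payload)
    results["tampered_payload"] = receive(chain, 2500, wire[:3] + b"X" + wire[4:])
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The receiver never hashes more than once per segment because the element is selected by the ID carried in the option rather than by trial against every key; the acceptability test is done before the hash, so an unknown or stale element costs no MAC computation at all.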