Internet Draft






INTERNET DRAFT                                          Jeremy De Clercq
<draft-schrijvp-mpls-ldp-end-to-end-auth-02.txt>       Olivier Paridaens
                                                            Yves T'Joens
                                                      Peter De Schrijver
                                                                 Alcatel
                                                          November, 2000
                                                       Expires May, 2001

                   End to end authentication for LDP


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.


Abstract

   The Label Distribution Protocol (LDP), as currently defined, makes
   use of the TCP MD5 Signature option to protect (authentication and
   integrity) the LDP traffic between two adjacent LSR's. This document
   specifies extensions to LDP to enable end-to-end authentication
   between non-adjacent LSR's (ie not directly connected via a TCP
   connection) that are setting up an LSP. This mechanism also provides
   integrity protection of the information carried within LDP messages
   and protects against the malicious replay of LDP messages. The
   proposed mechanism requires ordered control LDP and can also be
   applied to CR-LDP.


1. Introduction



De Schrijver, et al         Expires May 2001                    [Page 1]

I-D          draft-schrijvp-mpls-ldp-end-to-end-auth-02.txt     Nov 2000


   In its current state, LDP specifies the use of the TCP MD5 Signature
   option in order to provide integrity and authentication of LDP
   messages (in addition to protecting the TCP dialog itself).  This
   mechanism, apart from being considered rather weak because it makes
   use of a simple keyed MD5 function, can only be used between two
   adjacent LSR's exchanging LDP messages over a TCP connection.  It
   does not cover situations where LSR's exchange LDP messages via other
   intermediate LSR's for setting up an LSP.  It can be noted that other
   technologies such as IPsec or TLS could adequately be used in place
   of the TCP MD5 Signature option in order to provide LSR hop-by-hop
   security.

   This document proposes a mechanism to enable such non-adjacent LSR's
   to authenticate LDP messages mutually exchanged.  The mechanism
   enables not only the receiving LER to authenticate the LDP message
   but also intermediate LSR's to do so.  In addition, the proposed
   solution also provides integrity protection of the information
   carried within LDP messages and anti-replay of previous messages.
   The proposed solution makes use of a digital signature attached to
   each LDP message.

   As described more precisely below, this digital signature-based
   solution also provides data integrity and can be used to protect LDP
   messages in broadcast contexts (basic discovery mechanism).  Finally,
   it also protects against replay attacks by inserting a sequence
   number in each LDP message.

   The mechanism described herein does not provide end-to-end
   confidentiality, as Labelling information is not considered of a
   confidential nature.

   It requires ordered control LDP and can be applied to CR-LDP.

   A typical scenario is when, for some reason, LER A wants to set up a
   LSP with LER B.  LER A uses ordered control LDP and sends a LDP
   request message to the first LSR on the path towards LER B. LER A
   adds authentication information to the LDP request message so that
   LER B can verify the identity of LER A requesting a LSP.  When LER B
   receives this new LDP request message, it can verify the signature
   and hence authenticate LER A.  If authentication succeeds, LER B will
   generate a LDP Map message (which could itself also be signed by LER
   B).  If authentication fails, a LDP Notification message will be sent
   to report this authentication failure (notification which can itself
   be signed by LER B).  The schema below illustrates this scenario,
   where LER B positively authenticates the LDP Request message and
   returns a signed LDP Map message.





De Schrijver, et al         Expires May 2001                    [Page 2]

I-D          draft-schrijvp-mpls-ldp-end-to-end-auth-02.txt     Nov 2000


   LER A                  LSR 1             LSR n                 LER B
     |                     |                 |                     |
     |                     |                 |                     |
     | signed LDP Request  |                 | signed LDP Request  |
     |------->-------------|------->---------|------->-------------|
     |                     |                 |                     |
     |                     |                 |                     |
     |                     |                 |                     |
     |                     |                 |                     |
     | signed LDP MAP      |                 | signed LDP MAP      |
     |--------<------------|-------<---------|----------<----------|
     |                     |                 |                     |


2. Conventions

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY" and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3. Digital Signature authentication method

   This authentication method is based on the use of a digital signature
   that is attached to each LDP message exchanged between both LER's.
   This method is bi-directional as each LER can append a signature to
   each LDP message it sends.

   The input into the signature algorithm is basically made of parts of
   the LDP message that are not subject to change end-to-end, as further
   described in section 3.2.

   Anti-replay is provided through the use of a sequence number.  This
   sequence number is added by the message originator to the LDP message
   within a (new) Nonce TLV.  The nonce value should take the form of an
   ever increasing value such as a timestamp.  Because this Nonce TLV is
   covered by the signature value (see section 3.2.1 for details), it
   cannot be changed "en route" and its increasing nature prohibits
   replaying the same or another message with that same Nonce TLV.

3.1. Digital signature-based authentication TLV's

3.1.1. Signature TLV

   A new TLV is defined to carry the digital signature value.







De Schrijver, et al         Expires May 2001                    [Page 3]

I-D          draft-schrijvp-mpls-ldp-end-to-end-auth-02.txt     Nov 2000


    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |1|1| Signature (TBD)           |              Length           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   ID Type     |    ID length  |                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
    |                             Identifier                        |
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |      AlgID Length             |                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               |
    |                        Algorithm Identifier                   |
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    |                           Signature value                     |
    |                                                               |
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   U-bit: the Unknown-bit must be set to '1' because intermediate LSR's
   that do not know this new TLV should ignore it and process the rest
   of the message.

   F-bit: the Forward-bit must be set to '1' because intermediate LSR's
   that do not know this new TLV should transparently relay this TLV to
   the next LSR.

   Length: this field indicates the total length in bytes of the
   following fields.

   ID type: this field indicates the type of identifier carried in the
   Identifier field.  Possible types are defined in 8.2.

   ID Length: this field indicates the length in bytes of the Identifier
   value.

   Identifier: this field contains an identifier of the signing entity
   to be used by the LSR receiver in the signature verification process
   (to obtain the corresponding certificate if not present in the LDP
   message).

   AlgID Length: this field indicates the length in bytes of the
   Algorithm Identifier field.

   Algorithm Identifier: this field contains the signature algorithm
   identifier. Possible algorihtms are presented in section 8.1.



De Schrijver, et al         Expires May 2001                    [Page 4]

I-D          draft-schrijvp-mpls-ldp-end-to-end-auth-02.txt     Nov 2000


   Signature value: this field contains the signature value generated as
   described in section 3.2.1.  Its length can be deduced from the TLV
   Length field and other fields lengths.

3.1.2. Certificate TLV

   A new TLV is defined to carry a certificate.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |1|1| Certificate (TBD)         |      Length                   |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |   Cert Type   |                                               |
    +-+-+-+-+-+-+-+-+                                               |
    |                                                               |
    |                           Certificate Value                   |
    |                                                               |
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   U-bit: the Unknown-bit must be set to '1' because intermediate LSR's
   that do not know this new TLV should ignore it and process the rest
   of the message.

   F-bit: the Forward-bit must be set to '1' because intermediate LSR's
   that do not know this new TLV should transparently relay this TLV to
   the next LSR.

   Length: this field indicates the length in bytes of the Cert Type and
   Certificate Value fields.

   Cert Type: this field indicates the type of certificate carried in
   this TLV.  Possible values are defined in RFC 2408 section 3.9.

   Certificate Value: this field contains the certificate value.

   The Certificate TLV must appear anywhere in the LDP message prior to
   the Signature TLV.  Several Certificate TLV's may be inserted into
   the LDP message if felt necessary for the LSR receiver to be able to
   verify the signature.  Such a list of Certificate TLV's SHOULD be
   inserted in a continuous sequence of TLV's (ie no other TLV type
   should appear in between).

3.1.3. Nonce TLV

   A new TLV is defined to carry a nonce value.




De Schrijver, et al         Expires May 2001                    [Page 5]

I-D          draft-schrijvp-mpls-ldp-end-to-end-auth-02.txt     Nov 2000


    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |1|1| Nonce (TBD)               |       Length                  |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                                                               |
    |                           Nonce value                         |
    |                                                               |
    |                                                               |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   U-bit: the Unknown-bit must be set to '1' because intermediate LSR's
   that do not know this new TLV should ignore it and process the rest
   of the message.

   F-bit: the Forward-bit must be set to '1' because intermediate LSR's
   that do not know this new TLV should transparently relay this TLV to
   the next LSR.

   Length: this field indicates the length in bytes of the nonce value
   field.

   Nonce value: this field contains a unique value that must increase
   for every message exchanged between two LSR's.  A timestamp value is
   an example of such an increasing counter.  Both sides must keep track
   of the last value used by the partner to be able to verify the
   increasing nature of the nonce value received.

   The Nonce TLV must appear prior to the Signature TLV but not
   necessarily next to.

3.2. Digital signature-based authentication procedure

3.2.1. Sender

   When sending a LDP message, the originating LER creates and inserts a
   Nonce TLV.  Certificate TLV's are also inserted if felt adequate to
   ease the receiving LER's signature verification.  The Signature TLV
   is finally appended to the LDP message after having calculated the
   signature value.  The Identifier field in the Signature TLV is used
   to carry the signer's identity so that the receiving LSR can match
   the certificate used for signature verification with the signer's
   identity.

   The input into the signature algorithm depends on the type of
   message.

   For LDP Request and Label Mapping messages, the input is the byte



De Schrijver, et al         Expires May 2001                    [Page 6]

I-D          draft-schrijvp-mpls-ldp-end-to-end-auth-02.txt     Nov 2000


   stream built as described in the following figure (the Adapted Length
   represents the actual length of this byte stream, not the length of
   the real LDP Request message).  The Nonce TLV prevents re-using the
   signature value for another LDP message.

                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-----------------------------+-------------------------------+
    |0|      Message type           |    Adapted Length             |
    +-+-----------------------------+-------------------------------+
    |                           Nonce TLV                           |
    |                                                               |
    +---------------------------------------------------------------+
    |                                                               |
    |                             FEC TLV                           |
    +---------------------------------------------------------------+

   For LDP Notification messages, the input is the byte stream built as
   described in the following figure.

                         1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-----------------------------+-------------------------------+
    |0|      Notification           |    Adapted Length             |
    +-+-----------------------------+-------------------------------+
    |                           Nonce TLV                           |
    |                                                               |
    +---------------------------------------------------------------+
    |                                                               |
    |                          Status TLV                           |
    +---------------------------------------------------------------+

3.2.2. Receiver

   Upon receiving a LDP message, the destination LER verifies the
   signature value present in the Signature TLV.  Verification of the
   signature can be made easier thanks to the use of certificates in
   Certificate TLV's if present.  The LSR should take care of ensuring
   that any certificate taken from a Certificate TLV is still valid by
   consulting some up-to-date CRL (Certificate Revocation List).

   The input into the signature verification algorithm is built
   similarly to what is described in section 3.2.1 above.

3.2.3. Intermediary

   This mechanism enables intermediate LSR's to authenticate LDP
   messages being relayed.  The intermediate LSR can indeed easily



De Schrijver, et al         Expires May 2001                    [Page 7]

I-D          draft-schrijvp-mpls-ldp-end-to-end-auth-02.txt     Nov 2000


   verify the digital signature attached to the LDP message as long as
   it has a copy of the sender's public key or can find it in a
   repository or LDP message itself.

3.3. Discussion

   This mechanism relies on the use of asymmetric public-key signature
   algorithms such as RSA and DSA.  Each LSR must therefore possess its
   own key pair.  Some form of Public Key Infrastructure (PKI) is also
   necessary to create certificates for LSR's public keys and distribute
   those certificates.  Depending on the scenarios, a  minimal form of
   PKI may be to distribute the certificates within the LDP messages
   themselves, as the Certificate TLV allows it.  LSR's must also be
   preconfigured with the (possibly several) certification Authority
   (CA) root key(s).

   This mechanism does not require a prior shared knowledge between both
   LSR's (apart from having a common CA or being able to find a
   certification path between their two CA's).

   The anti-replay mechanism can only work if the receiver system is
   able to realize that the nonce value increases with each LDP message
   received.  In case of system failure so that the last sequence number
   received is forgotten, there is a potential for replay.

   It is a matter of local policy for a LSR (and implicitly mutual
   agreement between both LSR's) to decide whether to use end-to-end
   authentication when sending/receiving LDP messages with a particular
   partner.

4. New Notification message "Authentication Failed" Status Code

   A new Status Code value is required in the LDP Notification message
   Status TLV.  This code is used by an LSR to announce that a
   previously received LDP message has failed authentication.

   The U-bit and F-bit in the Status TLV must be set to '1' so as to
   enable transparent relay of the Status TLV by LSR's.

   The E-bit in the Status Code field of the Status TLV can be set to
   '0' or '1' depending on the local policy of the LSR.

   The F-bit in the Status Code field of the Status TLV MUST be set to
   '1', in alignment with the F-bit at the Status TLV level.

5. Editor's notes

   - the signature algorithm identifier could be defined as a simple



De Schrijver, et al         Expires May 2001                    [Page 8]

I-D          draft-schrijvp-mpls-ldp-end-to-end-auth-02.txt     Nov 2000


   integer, but it then requires some IANA registration.

6. IANA considerations

   New TLV types defined in this document must be assigned values by
   IANA. Also, a new status code must be defined to identify
   authentication failure in Notification messages.

7. Security considerations

   This specification entirely deals with security issues.

8. Algorithms and identifiers

8.1. Signature algorithms

   Implementations MUST support the use of DSA-with-SHA1 algorithm.  The
   exact encoding of the resulting signature and the algorithm
   identifier (id-dsa-with-sha1) can be found in RFC 2095 section 7.2.2.

8.2. Identifiers types

   The following types of signer's identifiers are defined.

   Value             Type 0                 IPv4 address 1
   IPv6 address 2                 FQDN

References


[LDP]   Andersson et al., "LDP Specification", draft-ietf-mpls-ldp-
        11.txt, August 2000.


Acknowledgments

The authors would like to thank Peter De Schrijver for having produced
an original version of this document.

Authors' Addresses

   Jeremy De Clercq
   Alcatel
   Fr. Wellesplein 1, 2018 Antwerpen, Belgium
   E-mail: jeremy.de_clercq@alcatel.be






De Schrijver, et al         Expires May 2001                    [Page 9]

I-D          draft-schrijvp-mpls-ldp-end-to-end-auth-02.txt     Nov 2000


   Olivier Paridaens
   Alcatel
   Fr. Wellesplein 1, 2018 Antwerpen, Belgium
   E-mail: olivier.paridaens@alcatel.be

   Yves T'joens
   Alcatel
   Fr. Wellesplein 1, 2018 Antwerpen, Belgium
   E-mail: yves.tjoens@alcatel.be

   Peter De Schrijver

Full Copyright Statement

   "Copyright (C) The Internet Society (date). All Rights Reserved. This
   document and translations of it may be copied and furnished to oth-
   ers, and derivative works that comment on or otherwise explain it or
   assist in its implementation may be prepared, copied, published and
   distributed, in whole or in part, without restriction of any kind,
   provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works. However, this docu-
   ment itself may not be modified in any way, such as by removing the
   copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of develop-
   ing Internet standards in which case the procedures for copyrights
   defined in the Internet Standards process must be followed, or as
   required to translate it into languages other than English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MER-
   CHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."














De Schrijver, et al         Expires May 2001                   [Page 10]