One document matched: draft-atwood-pim-sm-linklocal-00.txt
Internet-Draft J. William Atwood
draft-atwood-pim-sm-linklocal-00.txt Salekul Islam
Expires: April 2005 Department of Computer Science
and Software Engineering
Concordia University
October 2004
Security Issues in PIM-SM Link-local Messages
Status of this Memo
By submitting this Internet-Draft, I certify that any applicable
patent or other IPR claims of which I am aware have been disclosed,
or will be disclosed, and any of which I become aware will be
disclosed, in accordance with RFC 3668.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work in
progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract
This document proposes some modifications to the Internet-Draft for
Protocol Independent Multicast - Sparse Mode (PIM-SM) Protocol
regarding security issues of its link-local messages. To protect
these link-local messages, in the Internet-Draft for PIM-SM a
security mechanism has been proposed that uses the IPsec
Authentication Header (AH) protocol. While using IPsec AH protocol,
the anti-replay mechanism has been disabled. This compromise makes
PIM-SM vulnerable to Denial of Service (DoS) attack. In this
document, a new proposal is presented to protect PIM link-local
messages while activating the anti-replay mechanism as well. This
proposal builds on the new Security Association lookup method that
Atwood/Islam Expires April 2005 [Page 1]
Internet-Draft PIM-SM Link-local Messages October 2004
has been specified in the Internet-Draft that revises the AH
protocol.
1. Introduction
All the PIM-SM [1] control messages have IP protocol number 103.
These messages are either unicast, or multicast with TTL = 1. The
source address used for unicast messages is a domain-wide reachable
address. For the multicast messages, a link-local address of the
interface on which the message is being sent is used as source
address and a special multicast address, ALL_PIM_ROUTERS
(224.0.0.13 in IPv4 and ff02::d in IPv6) is used as the destination
address. These messages are called link-local messages. Hello,
Join/Prune and Assert messages are included in this category. A
forged link-local message may be sent to the ALL_PIM_ROUTERS
multicast address by an attacker. This type of message affects the
construction of the distribution tree [1]. These effects vary for
different types of forged messages. Some of the effects are very
severe, whereas some are minor.
PIM-SM version 2 was originally specified in RFC 2117, and revised
in RFC 2362. A PIM-SM Internet-Draft [1] is under development,
which is intended to obsolete RFC 2362, and to correct a number of
deficiencies. The Security Considerations section of the PIM-SM
Internet-Draft is based primarily on the Authentication Header (AH)
described in RFC 2402 [8]. However, Internet-Drafts are in
progress to revise the requirements for the AH [5] and the Security
Architecture [6]. This document focuses on the security issues of
link-local messages. It provides some guidelines to take advantage
of the new permitted AH functionality, and to bring the PIM-SM
Internet-Draft into alignment with the AH Internet-Draft.
2. Terminology
In this document, the key words "MUST", "MUST NOT", "REQUIRED",
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" are to be interpreted as described in RFC 2119 and
indicate requirement levels for compliant PIM-SM implementations.
3. Authentication According to the PIM-SM Internet-Draft
In the PIM-SM Internet-Draft, IP Security (IPsec) [7] transport
mode using Authentication Header (AH) [8] is recommended to prevent
attacks generated by forged control messages. The Network
Administrator will configure the specific AH authentication
algorithm and parameters, including the choice of authentication
Atwood/Islam Expires April 2005 [Page 2]
Internet-Draft PIM-SM Link-local Messages October 2004
algorithm and the choice of keys. Once the Security Associations
have been established, all the control messages should go through
the IPsec authentication process. A PIM-SM router should
authenticate a control message before processing it, and should
reject any unauthorized PIM protocol messages.
The IPsec anti-replay option has been disabled for these Security
Associations. In the PIM-SM Internet-Draft [1], it is suggested as
follows:
"As of this writing, the IPsec anti-replay option does not
handle the case of a Security Association identified by a
multicast destination address. Thus, the anti-replay option
currently must be disabled on these Security Associations.
Until replay prevention for link-local multicast messages is
addressed, the anti-replay option SHOULD be enabled on all
security associations having a unicast destination address."
All the link-local messages of the PIM-SM protocol are sent to the
destination address, ALL_PIM_ROUTERS, which is a multicast address.
As a result, the anti-replay option must be disabled while using
the IPsec AH protocol.
The PIM-SM Internet-Draft assumes that manual configuration of
Security Associations will be performed, although it does not
preclude the use of a negotiation protocol such as the Internet Key
Exchange (IKE) [2] to establish Security Associations. The
administrator of a PIM network configures each PIM router with one
or more Security Associations and the associated value of the
Security Parameter Index (SPI).
For each link or interface of a PIM router, the Network
Administrator will define a Security Association (SA) and a
Security Parameter Index (SPI). To deploy the Security Association
mechanism successfully two different databases, the Security Policy
Database (SPD) and the Security Association Database (SAD), should
be maintained. The SPD of a router should be configured properly to
ensure the use of the associated SA for a link while sending or
receiving link-local messages by the router on that link. The SPI
is required to be set to zero by a sender router.
According to RFC 2401 [7], there is nominally a different Security
Association Database (SAD) for each router interface. The Network
Administrator has to assign a different SAD for each router
interface. Thus, although the destination address (ALL_PIM_ROUTERS)
is same for all link-local PIM packets, the selected Security
Association for an inbound PIM packet may vary depending on the
interface on which the packet has arrived.
Atwood/Islam Expires April 2005 [Page 3]
Internet-Draft PIM-SM Link-local Messages October 2004
4. Proposed Authentication Technique
The authentication mechanism [3, 4] for PIM link-local messages
presented in this document has following two criteria to achieve:
- The anti-replay mechanism of Authetication Header protocol
will be activated while sending/receiving any PIM link-local
message.
- To attain more flexibility, a PIM router will be able to
deploy a different authentication method for each directly
connected PIM router if necessary. In that case, a PIM router
will maintain a separate Security Association per peer PIM
router.
4.1 Security Association Lookup
For an SA that carries unicast traffic, three parameters (SPI,
destination address and security protocol type (AH or ESP)) are
used in the Security Association lookup process for inbound
packets. The SPI is sufficient to specify an SA. However, an
implementation may use the SPI in conjunction with the IPsec
protocol type (AH or ESP) for the SA lookup process. According to
the Internet-Drafts of IPsec Architecture [6] and AH [5] protocol,
for multicast SAs, in conjunction with the SPI, the destination
address or the destination address plus the sender address may also
be used in the SA lookup. The security protocol field is not
employed for a multicast SA lookup.
In the PIM-SM Internet-Draft, for the PIM-SM link-local messages,
the SPI is fixed and is equal to zero, the destination address is
also fixed and is equal to ALL_PIM_ROUTERS. As a result, in the SA
lookup process, using only the SPI and the destination address,
will not be adequate. A PIM-SM router uses the interface address of
its local link as the sender address for a link-local message. The
sender address of an incoming packet will be (globally) unique for
a specific sender and in conjunction with the SPI it will be
possible for a receiver to sort out the associated SA for that
sender from all the SAD entries (even if a single SAD is maintained
regardless of the number of interfaces). For this reason, the SPI
and the sender address MUST be used in the SA lookup process. As
mentioned above, to comply with the IPsec Architecture [6] and AH
[5] protocol, the destination address (i.e., ALL_PIM_ROUTERS) MAY
be used with the SPI and the sender address. It is clear that
adding the destination address to the SA lookup will not change the
results of the SA lookup process.
Atwood/Islam Expires April 2005 [Page 4]
Internet-Draft PIM-SM Link-local Messages October 2004
The AH Internet-Draft prohibits the use of SPI=0 on the wire.
Therefore, it will also be necessary to specify an SPI different
from zero, to be used for link-local messages. This will probably
require an IANA assignment to be requested.
4.2 Activating the Anti-replay Mechanism
Although link-level messages on a link constitute a multiple-
sender, multiple-receiver group, the use of the sender address for
SA lookup essentially resolves the communication into a separate SA
for each sender/destination pair. Therefore, the statement in the
AH Internet-Draft that "for a multi-sender SA, the anti-replay
features are not available" becomes irrelevant to PIM-SM link-local
message exchange. However, it may be necessary to alter the text
of the AH Internet-Draft to specifically allow this case.
To activate the anti-replay mechanism in a unicast communication,
the receiver uses the sliding window protocol and it maintains a
sequence number for this protocol. This sequence number starts from
zero. Each time the sender sends a new packet, it increments this
number by one. In a multi-sender multicast group communication, a
single sequence number for the entire group would not be enough.
The whole scenario is different for PIM link-local messages. These
messages are sent to local links with TTL = 1. A link-local message
never propagates through one router to another. Given that the
number of peer routers is small, and given that the use of the
sender address for SA lookup converts the relationship from a
multiple-sender group to multiple single-sender associations, the
anti-replay mechanism SHOULD be activated while sending PIM link-
local messages, and at that time a PIM router MUST maintain a
different sliding window for each directly connected sender.
Note that, the IPsec Architecture [6] and AH [5] protocol do not
support the use of anti-replay mechanism if the corresponding
Security Association is identified by a multicast destination
address. Although the destination address (ALL_PIM_ROUTERS) of PIM
link-local messages is a multicast address, the corresponding
Security Associations are not identified by this multicast address,
and in fact, there should be separate SA for each
sender/destination pair.
4.3 Manual Key Configuration
To establish the SAs at PIM-SM routers, manual key configuration
will be feasible, since the number of peers will be small. The
Network Administrator will configure a router manually during its
boot up process. At that time, the authentication method and the
Atwood/Islam Expires April 2005 [Page 5]
Internet-Draft PIM-SM Link-local Messages October 2004
keys per sender basis for each peer router SHOULD be configured.
The SAD entry for each sender connected with this router will be
created. The Network Admin will also configure the Security Policy
Database of a router to ensure the use of the associated SA while
sending a link-local message.
The addition of a new router to the set visible from a particular
router will clearly require a re-configuration of that router.
A negotiation protocol such as the Internet Key Exchange [2] MAY
also be used to negotiate and establish a suitable authentication
method and keys for the SA between two routers. However, a PIM
router is not expected to join/leave very frequently, so it is
doubtful that the overhead of automatic key configuration will be
justified. In any case, it will still be necessary to manually
configure the basic information that will allow the router to trust
its peers. For these reasons, manual key configuration SHOULD be
used to establish SAs.
4.4 Extended Sequence Number
In the AH Internet-Draft [5], there is a provision for a 64-bit
Extended Sequence Number (ESN) as the counter of the sliding window
used in the anti-replay protocol. Both the sender and the receiver
maintain a 64-bit counter for the sequence number, although only
the lower order 32 bits is sent in the transmission. In other
words, it will not affect the present header format of AH [8]. If
ESN is used, a sender router can send 2^64 -1 packets without any
intervention. This number is very large, and from a PIM router's
point of view, a PIM router can never exceed this number in its
lifetime. This makes it reasonable to permit manual configuration,
since the sequence number will never roll over. For this reason,
while manual configuration is used, ESN SHOULD be deployed as the
sequence number for the sliding window protocol.
5. Security Considerations
The whole document considers the security issues of PIM link-local
messages and proposes a mechanism to protect them.
References
Atwood/Islam Expires April 2005 [Page 6]
[1] Fenner, B., Handley, M., Holbrook, H., Kouvelas, I., "Protocol
Independent Multicast-Sparse Mode (PIM-SM): Protocol Specification
(Revised)", draft-ietf-pim-sm-v2-new-10.txt, work in progress.
[2] Harkins, D., Carrel, D, "The Internet Key Exchange (IKE)", RFC
2409.
[3] Islam, S., "Security Issues in PIM-SM Link-local Messages",
Masters Thesis, Concordia University, Montreal, Canada, December
2003.
[4] Islam, S. Atwood, J. W., "Security Issues in PIM-SM Link-local
Messages", accepted for publication in Proceedings of LCN 2004,
Tampa, FL, 2004 November 16--18, 2 pages.
[5] Kent, S, "IP Authentication Header", draft-ietf-ipsec-
rfc2402bis-07.txt, work in progress.
[6] Kent, S., Atkinson, R., "Security Architecture for the Internet
Protocol", draft-ietf-ipsec-rfc2401bis-02.txt, work in progress.
[7] Kent, S., Atkinson, R., "Security Architecture for the Internet
Protocol", RFC 2401.
[8] Kent, S. Atkinson, R., "IP Authentication Header", RFC 2402.
Author's Addresses
J. William Atwood
Department of Computer Science and Software Engineering
Concordia University
1455 de Maisonneuve Blvd. West
Montreal, Quebec, H3G 1M8
Canada
Phone: +1 514 848 2424 ext 3046
Email: bill@cse.concordia.ca
URL: http://www.cse.concordia.ca/~bill/
Salekul Islam
Department of Computer Science and Software Engineering
Concordia University
1455 de Maisonneuve Blvd. West
Montreal, Quebec, H3G 1M8
Canada
Phone: +1 514 934 3923
Email: salek_is@cse.concordia.ca
Atwood/Islam Expires April 2005 [Page 1]
Internet-Draft PIM-SM Link-local Messages October 2004
URL: http://www.cse.concordia.ca/~salek_is/
Copyright (C) The Internet Society (2004). This document is
subject to the rights, licenses and restrictions contained in BCP
78, and except as set forth therein, the authors retain all their
rights.
This document and the information contained herein are provided on
an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE.
Atwood/Islam Expires April 2005 [Page 8]
| PAFTECH AB 2003-2026 | 2026-04-23 07:13:00 |