RFC 2154              OSPF with Digital Signatures             June 1997


   7.1 Router Public Key LSA (PKLSA) ..............................  18
   7.2 Router Public Key Certificate ..............................  20
   7.3 Signed LSA .................................................  23
   8 Configuration Information ....................................  26
   9 Remaining Vulnerabilities ....................................  26
   9.1 Area Border Routers ........................................  27
   9.2 Internal Routers ...........................................  27
   9.3 Autonomous System Border Routers ...........................  28
   10 Security Considerations .....................................  28
   11 References ..................................................  29
   12 Authors' Addresses ..........................................  29

1.  Acknowledgements

   The idea of signing routing information is not new.  Foremost, of
   course, there is the design that Radia Perlman reported in her thesis
   [4] and in her book [5] for signing link state information and for
   distribution of the public keys used in the signing.  IDPR [7] also
   recommends the use of public key based signatures of link state
   information.  Kumar and Crowcroft [2] discuss the use of secret and
   public key authentication of inter-domain routing protocols.  Finn [1]
   discusses the use of secret and public key authentication of several
   different routing protocols.  The design reported here is closest to
   that reported in [4] and [7].  It should be noted that [4] also
   presents techniques for protecting the forwarding of data packets, a
   topic that is not considered here, as we consider it not within the
   scope of the OSPF working group.

   The authors would also like to acknowledge many fruitful discussions
   with many members of the OSPF working group, particularly Fred Baker
   of Cisco Systems, Dennis Ferguson of MCI Telecommunications Corp.,
   John Moy of Cascade Communications Corp., Curtis Villamizar of ANS,
   Inc., and Rob Coltun of FORE Systems.

2.  Introduction

   It is well recognized that there is a need for greater security in
   routing protocols. OSPF currently provides "simple password"
   authentication where the password travels "in the clear", and there
   is work in progress [11] to provide keyed MD5 authentication for OSPF
   protocol packets between neighbors.  The simple password
   authentication is vulnerable because any listener can discover and
   use the password.  Keyed MD5 authentication is very useful for
   protection of protocol packets passed between neighbors, but does not
   address authentication of routing data that is flooded from source to
   eventual destination, through routers which may themselves be faulty
   or subverted.
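   As an added illustration (not part of RFC 2154), the Python simulation below floods one LSA along the path A -> B -> C. It uses a constructed toy RSA key pair for router A and HMAC-MD5 as a stand-in for keyed MD5 between neighbors; all router names, link keys and the LSA contents are constructed. Hop-by-hop authentication passes at every link even when B rewrites the LSA, because B legitimately holds the B-C link key, while C's check against A's public key does not pass.

```python
import hashlib
import hmac

# Constructed toy RSA key for router A (primes far too small for real use).
# Only A holds D_A; every router has the public part (N_A, E_A), which
# RFC 2154 would distribute in a Router Public Key LSA.
P, Q = 104729, 1299709
N_A, E_A = P * Q, 65537
D_A = pow(E_A, -1, (P - 1) * (Q - 1))
SIG_LEN = (N_A.bit_length() + 7) // 8

def lsa_digest(lsa: bytes) -> int:
    # Hash the LSA and reduce the result into the toy modulus.
    return int.from_bytes(hashlib.sha256(lsa).digest(), "big") % N_A

def sign_lsa(lsa: bytes) -> int:
    # Originator-only operation: needs A's private exponent.
    return pow(lsa_digest(lsa), D_A, N_A)

def verify_lsa(lsa: bytes, sig: int) -> bool:
    # Any router can check the signature with A's public key.
    return pow(sig, E_A, N_A) == lsa_digest(lsa)

def hop_mac(link_key: bytes, packet: bytes) -> bytes:
    # Stand-in for keyed-MD5 neighbor authentication on one link.
    return hmac.new(link_key, packet, hashlib.md5).digest()

def flood(lsa: bytes, sig: int, hops, subverted=None) -> dict:
    """Flood (lsa, sig) along hops = [(sender, receiver, link_key), ...].
    A subverted sender rewrites the LSA but, holding the link key, still
    produces a hop MAC the next router accepts."""
    hop_ok = True
    for sender, receiver, key in hops:
        if sender == subverted:
            lsa = lsa.replace(b"metric=10", b"metric=1")
        packet = lsa + sig.to_bytes(SIG_LEN, "big")
        mac = hop_mac(key, packet)                             # sender side
        hop_ok &= hmac.compare_digest(mac, hop_mac(key, packet))  # receiver
    return {"lsa": lsa, "hop_ok": hop_ok, "sig_ok": verify_lsa(lsa, sig)}

# Constructed sample: A originates an LSA that is flooded A -> B -> C.
LSA = b"router-lsa origin=A link=10.0.0.0/24 metric=10"
HOPS = [("A", "B", b"key-AB"), ("B", "C", b"key-BC")]

def honest_flood() -> dict:
    return flood(LSA, sign_lsa(LSA), HOPS)

def subverted_flood() -> dict:
    # B alters the LSA in transit; only the end-to-end signature reveals it.
    return flood(LSA, sign_lsa(LSA), HOPS, subverted="B")
```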




Murphy, et. al.               Experimental