RFC 2154 (rfc2154) - Page 2 of 29
OSPF with Digital Signatures
Alternative Format: Original Text Document
RFC 2154 OSPF with Digital Signatures June 1997
7.1 Router Public Key LSA (PKLSA) .............................. 18
7.2 Router Public Key Certificate .............................. 20
7.3 Signed LSA ................................................. 23
8 Configuration Information .................................... 26
9 Remaining Vulnerabilities .................................... 26
9.1 Area Border Routers ........................................ 27
9.2 Internal Routers ........................................... 27
9.3 Autonomous System Border Routers ........................... 28
10 Security Considerations ..................................... 28
11 References .................................................. 29
12 Authors' Addresses .......................................... 29
1. Acknowledgements
The idea of signing routing information is not new. Foremost, of
course, there is the design that Radia Perlman reported in her thesis
[4] and in her book [5] for signing link state information and for
distribution of the public keys used in the signing. IDPR [7] also
recommends the use of public key based signatures of link state
information. Kumar and Crowcroft [2] discuss the use of secret and
public key authentication of inter-domain routing protocols. Finn [1]
discusses the use of secret and public key authentication of several
different routing protocols. The design reported here is closest to
that reported in [4] and [7]. It should be noted that [4] also
presents techniques for protecting the forwarding of data packets, a
topic that is not considered here, as we consider it not within the
scope of the OSPF working group.
The authors would also like to acknowledge many fruitful discussions
with many members of the OSPF working group, particularly Fred Baker
of Cisco Systems, Dennis Ferguson of MCI Telecommunications Corp.,
John Moy of Cascade Communications Corp., Curtis Villamizar of ANS,
Inc., and Rob Coltun of FORE Systems.
2. Introduction
It is well recognized that there is a need for greater security in
routing protocols. OSPF currently provides "simple password"
authentication where the password travels "in the clear", and there
is work in progress[11] to provide keyed MD5 authentication for OSPF
protocol packets between neighbors. The simple password
authentication is vulnerable because any listener can discover and
use the password. Keyed MD5 authentication is very useful for
protection of protocol packets passed between neighbors, but does not
address authentication of routing data that is flooded from source to
eventual destination, through routers which may themselves be faulty
or subverted.
Murphy, et. al. Experimental