moved REKEY to signing

Randy Bush 2019-04-18 13:12:07 -07:00
parent b5fb52d76c
commit ce7fcee117


@ -685,8 +685,7 @@ uint32_t sbox_checksum_32(const uint8_t *b, const size_t n)
Ethernet frames.</t> Ethernet frames.</t>
<!-- <!--
protocol "Type = 1:8,Payload Length:16,Nonce:32,LLEI Length:8,My LLEI:64,AttrCount:8,Attribute List ...:24,Auth Type:8,Auth Length:16,Authentication Data ...:40,Sig Type:8,Signature Length:16,Signature ...:40" protocol "Type = 1:8,Payload Length:16,Nonce:32,LLEI Length:8,My LLEI:64,AttrCount:8,Attribute List ...:24,Auth Type:8,Key Length:16,Key ...:40,Sig Type:8,Signature Length:16,Signature ...:40"
protocol "Type = 42:8,Payload Length:16,New Auth Type:8,New Auth Length:16,New Authentication Data ...:40,Old Sig Type:8,Old Signature Length:16,Old Signature ...:40"
--> -->
<figure> <figure>
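Review bot: the surviving protocol comment now reads "Auth Type:8,Key Length:16,Key ...:40", so the type field keeps an authentication name while its length and payload are renamed to "Key"; either rename it "Key Type" as well or have the prose define Auth Type explicitly as the suite that governs how the Key is interpreted, otherwise readers will assume two different fields. Dropping the second protocol line is right on its own merits: it declared "Type = 42" for the rekey PDU while the NEWKEY figure further down used "Type = 8", so the two had already diverged.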
@ -704,9 +703,9 @@ uint32_t sbox_checksum_32(const uint8_t *b, const size_t n)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| AttrCount | Attribute List ... | | AttrCount | Attribute List ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Auth Type | Auth Length | ~ | Auth Type | Key Length | ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~
~ Authentication Data ... ~ ~ Key ... ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Sig Type | Signature Length | ~ | Sig Type | Signature Length | ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~
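Review bot: the hand-edited row "| Auth Type | Key Length | ~" carries the same mixed naming as the protocol comment above it; since the comment exists precisely to regenerate this artwork, regenerate the figure from the comment after settling the field name rather than patching the ASCII directly, so the two cannot drift apart again. The "~ Key ... ~" row is drawn as variable length, which is consistent with the 16-bit Key Length, so no width change is needed here.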
@ -716,8 +715,8 @@ uint32_t sbox_checksum_32(const uint8_t *b, const size_t n)
</figure> </figure>
<t>The Payload Length is the number of octets in all fields of the <t>The Payload Length is the number of octets in all fields of the
PDU from the Nonce to the Authentication Data, excluding the Sig PDU from the Nonce to the Key, excluding the Sig Type, the Signature
Type, the Signature Length, and the Signature.</t> Length, and the Signature.</t>
<t>The Nonce enables detection of a duplicate OPEN PDU. It SHOULD <t>The Nonce enables detection of a duplicate OPEN PDU. It SHOULD
be either a random number or the time of day. It is needed to be either a random number or the time of day. It is needed to
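Review bot: the new wording "from the Nonce to the Key, excluding the Sig Type, the Signature Length, and the Signature" makes Payload Length the only way a receiver locates the Sig fields, and Key Length is now a variable (possibly zero) contribution to it; add a receiver requirement that Payload Length equal the sum of the fixed fields plus LLEI Length, the attribute list, and Key Length, with a mismatch rejected via an ERROR PDU before any signature check, so that neither length field is trusted on its own. A zero Key Length still leaves the Auth Type and Key Length octets in the PDU, so the text should say those are counted even when no Key is present.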
@ -737,18 +736,16 @@ uint32_t sbox_checksum_32(const uint8_t *b, const size_t n)
datacenter; hence there is no global registry. Nodes exchange datacenter; hence there is no global registry. Nodes exchange
their attributes only in the OPEN PDU.</t> their attributes only in the OPEN PDU.</t>
<t>Auth Type is the Signature algorithm type, see <xref <t>Auth Type is the Signature algorithm suite, see <xref
target="tlv"/>.</t> target="tlv"/>.</t>
<t>Auth Length is a 16-bit field denoting the length in octets of <t>Key Length is a 16-bit field denoting the length in octets of the
the Authentication Data, not including the Auth Type or the Auth Key, not including the Auth Type or the Key Lengths. If there is no
Lengths. If there are no Authentication Data, the Auth Type and Key, the Auth Type and key Length MUST both be zero.</t>
Auth Length MUST both be zero.</t>
<t>The Authentication Data are specific to the operational <t>The Key is specific to the operational environment. A failure to
environment. A failure to authenticate is a failure to start the authenticate is a failure to start the L3DL session, an ERROR PDU is
L3DL session, an ERROR PDU is sent (Error Code 2), and HELLOs MUST sent (Error Code 2), and HELLOs MUST be restarted.</t>
be restarted.</t>
<t>The Signature fileds are described in <xref target="tlv"/> and in <t>The Signature fileds are described in <xref target="tlv"/> and in
an asymmetric key environment serve as a proof of possession of the an asymmetric key environment serve as a proof of possession of the
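Review bot: the new Key Length sentence has "not including the Auth Type or the Key Lengths" (singular "Key Length" is meant) and "the Auth Type and key Length MUST both be zero" (capitalisation), and the unchanged context line still says "Signature fileds" for "fields". More substantively, "The Key is specific to the operational environment" replaces the Authentication Data text without saying what the Key is (a raw public key, a key identifier, or a certificate) or how it relates to the Sig Type and Signature that immediately follow; if the intent is that the Signature is verified against this Key under the suite named by Auth Type, one sentence saying so, with the encoding delegated to the "tlv" section already referenced, would close the gap.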
@ -1205,7 +1202,7 @@ uint32_t sbox_checksum_32(const uint8_t *b, const size_t n)
| Sig Type | Signature Length | ~ | Sig Type | Signature Length | ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~
~ Signature ... ~ ~ Signature ... ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork> </artwork>
</figure> </figure>
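Review bot: the only change in this hunk is a stray extra "-" in the closing border on the new side ("+-+-+-+-+--+-+"), which makes that line one character wider than the 32-bit ruler above it and will misalign the rendered figure; restore it to match the other border lines.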
@ -1222,56 +1219,6 @@ uint32_t sbox_checksum_32(const uint8_t *b, const size_t n)
</section> </section>
<section anchor="roll" title="NEWKEY, Key Roll">
<t>Modern key management allows for agility in 'rolling' to a new
key or even algorithm in case of key compromise or merely prudence.
Declaring a new key with an L3DL OPEN PDU would cause serious churn
in topology as a new OPEN causes a withdraw of previously announced
encapsulations. Therefore, a gentler rekeying is needed.</t>
<!--
protocol "Type = 8:8,Payload Length:16,New Auth Type:8,New Auth Length:16,New Authentication Data ...:40,Old Sig Type:8,Old Signature Length:16,Old Signature ...:40"
-->
<figure>
<artwork>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = 8 | Payload Length | New Auth Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| New Auth Length | ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
~ New Authentication Data ... | Old Sig Type |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Old Signature Length | ~
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
~ Old Signature ... |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork>
</figure>
<t>The New Auth Type, New Auth Length, and New Authentication Data
fields declare the replacement algorithm and key.</t>
<t>The NEWKEY PDU is signed using the current (soon to be old)
algorithm and key.</t>
<t>To avoid possible race conditions, the receiver SHOULD accept
signatures using either the new or old key for a configurable time
(default 30 seconds). This is intended to accommodate situations
such as senders with high peer out-degree and a single per-device
asymmetric key.</t>
<t>If the sender does not receive an ACK in the normal window,
including retransmission, then the sender MAY choose to allow a
session reset by either issuing a new OPEN or by letting the
receiver eventually have a signature failure (error code 3) on a
PDU.</t>
</section>
<section anchor="l3liveness" title="Layers 2.5 and 3 Liveness"> <section anchor="l3liveness" title="Layers 2.5 and 3 Liveness">
<t>Layer 2 liveness may be continuously tested by KEEPALIVE PDUs, <t>Layer 2 liveness may be continuously tested by KEEPALIVE PDUs,
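Review bot: the commit message says the rekey material was moved to the signing section, but this hunk only deletes it and no destination appears in the diff; check that the behaviours defined here survive in the new location, in particular that the NEWKEY is signed with the old key, that receivers accept either key for a configurable window (default 30 seconds) to cover high out-degree senders with a single per-device key, and the ACK-timeout fallback to a new OPEN or an eventual signature failure (error code 3). Without those, the motivation stated in the deleted opening paragraph (avoiding the topology churn a fresh OPEN causes) is lost.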
@ -1467,8 +1414,7 @@ uint32_t sbox_checksum_32(const uint8_t *b, const size_t n)
5 IPv6 Announce / Withdraw 5 IPv6 Announce / Withdraw
6 MPLS IPv4 Announce / Withdraw 6 MPLS IPv4 Announce / Withdraw
7 MPLS IPv6 Announce / Withdraw 7 MPLS IPv6 Announce / Withdraw
8 NEWKEY 8-254 Reserved
9-254 Reserved
255 VENDOR 255 VENDOR
</artwork> </artwork>
</figure> </figure>
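Review bot: collapsing "8 NEWKEY / 9-254 Reserved" into "8-254 Reserved" silently frees a type code that earlier drafts assigned to NEWKEY; if pre-standard implementations exist, note that 8 was previously used so a later assignment does not collide with them, or leave 8 unassigned explicitly while the rekey mechanism settles in the signing section.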