moved REKEY to signing
This commit is contained in:
parent
b5fb52d76c
commit
ce7fcee117
1 changed files with 32 additions and 86 deletions
|
|
@ -685,8 +685,7 @@ uint32_t sbox_checksum_32(const uint8_t *b, const size_t n)
|
||||||
Ethernet frames.</t>
|
Ethernet frames.</t>
|
||||||
|
|
||||||
<!--
|
<!--
|
||||||
protocol "Type = 1:8,Payload Length:16,Nonce:32,LLEI Length:8,My LLEI:64,AttrCount:8,Attribute List ...:24,Auth Type:8,Auth Length:16,Authentication Data ...:40,Sig Type:8,Signature Length:16,Signature ...:40"
|
protocol "Type = 1:8,Payload Length:16,Nonce:32,LLEI Length:8,My LLEI:64,AttrCount:8,Attribute List ...:24,Auth Type:8,Key Length:16,Key ...:40,Sig Type:8,Signature Length:16,Signature ...:40"
|
||||||
protocol "Type = 42:8,Payload Length:16,New Auth Type:8,New Auth Length:16,New Authentication Data ...:40,Old Sig Type:8,Old Signature Length:16,Old Signature ...:40"
|
|
||||||
-->
|
-->
|
||||||
|
|
||||||
<figure>
|
<figure>
|
||||||
|
|
@ -704,9 +703,9 @@ uint32_t sbox_checksum_32(const uint8_t *b, const size_t n)
|
||||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||||
| AttrCount | Attribute List ... |
|
| AttrCount | Attribute List ... |
|
||||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||||
| Auth Type | Auth Length | ~
|
| Auth Type | Key Length | ~
|
||||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~
|
||||||
~ Authentication Data ... ~
|
~ Key ... ~
|
||||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||||
| Sig Type | Signature Length | ~
|
| Sig Type | Signature Length | ~
|
||||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~
|
||||||
|
|
@ -716,8 +715,8 @@ uint32_t sbox_checksum_32(const uint8_t *b, const size_t n)
|
||||||
</figure>
|
</figure>
|
||||||
|
|
||||||
<t>The Payload Length is the number of octets in all fields of the
|
<t>The Payload Length is the number of octets in all fields of the
|
||||||
PDU from the Nonce to the Authentication Data, excluding the Sig
|
PDU from the Nonce to the Key, excluding the Sig Type, the Signature
|
||||||
Type, the Signature Length, and the Signature.</t>
|
Length, and the Signature.</t>
|
||||||
|
|
||||||
<t>The Nonce enables detection of a duplicate OPEN PDU. It SHOULD
|
<t>The Nonce enables detection of a duplicate OPEN PDU. It SHOULD
|
||||||
be either a random number or the time of day. It is needed to
|
be either a random number or the time of day. It is needed to
|
||||||
|
|
@ -737,18 +736,16 @@ uint32_t sbox_checksum_32(const uint8_t *b, const size_t n)
|
||||||
datacenter; hence there is no global registry. Nodes exchange
|
datacenter; hence there is no global registry. Nodes exchange
|
||||||
their attributes only in the OPEN PDU.</t>
|
their attributes only in the OPEN PDU.</t>
|
||||||
|
|
||||||
<t>Auth Type is the Signature algorithm type, see <xref
|
<t>Auth Type is the Signature algorithm suite, see <xref
|
||||||
target="tlv"/>.</t>
|
target="tlv"/>.</t>
|
||||||
|
|
||||||
<t>Auth Length is a 16-bit field denoting the length in octets of
|
<t>Key Length is a 16-bit field denoting the length in octets of the
|
||||||
the Authentication Data, not including the Auth Type or the Auth
|
Key, not including the Auth Type or the Key Lengths. If there is no
|
||||||
Lengths. If there are no Authentication Data, the Auth Type and
|
Key, the Auth Type and key Length MUST both be zero.</t>
|
||||||
Auth Length MUST both be zero.</t>
|
|
||||||
|
|
||||||
<t>The Authentication Data are specific to the operational
|
<t>The Key is specific to the operational environment. A failure to
|
||||||
environment. A failure to authenticate is a failure to start the
|
authenticate is a failure to start the L3DL session, an ERROR PDU is
|
||||||
L3DL session, an ERROR PDU is sent (Error Code 2), and HELLOs MUST
|
sent (Error Code 2), and HELLOs MUST be restarted.</t>
|
||||||
be restarted.</t>
|
|
||||||
|
|
||||||
<t>The Signature fileds are described in <xref target="tlv"/> and in
|
<t>The Signature fileds are described in <xref target="tlv"/> and in
|
||||||
an asymmetric key environment serve as a proof of possession of the
|
an asymmetric key environment serve as a proof of possession of the
|
||||||
|
|
@ -1205,7 +1202,7 @@ uint32_t sbox_checksum_32(const uint8_t *b, const size_t n)
|
||||||
| Sig Type | Signature Length | ~
|
| Sig Type | Signature Length | ~
|
||||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ~
|
||||||
~ Signature ... ~
|
~ Signature ... ~
|
||||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+--+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
||||||
</artwork>
|
</artwork>
|
||||||
</figure>
|
</figure>
|
||||||
|
|
||||||
|
|
@ -1222,56 +1219,6 @@ uint32_t sbox_checksum_32(const uint8_t *b, const size_t n)
|
||||||
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section anchor="roll" title="NEWKEY, Key Roll">
|
|
||||||
|
|
||||||
<t>Modern key management allows for agility in 'rolling' to a new
|
|
||||||
key or even algorithm in case of key compromise or merely prudence.
|
|
||||||
Declaring a new key with an L3DL OPEN PDU would cause serious churn
|
|
||||||
in topology as a new OPEN causes a withdraw of previously announced
|
|
||||||
encapsulations. Therefore, a gentler rekeying is needed.</t>
|
|
||||||
|
|
||||||
<!--
|
|
||||||
protocol "Type = 8:8,Payload Length:16,New Auth Type:8,New Auth Length:16,New Authentication Data ...:40,Old Sig Type:8,Old Signature Length:16,Old Signature ...:40"
|
|
||||||
-->
|
|
||||||
|
|
||||||
<figure>
|
|
||||||
<artwork>
|
|
||||||
0 1 2 3
|
|
||||||
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
|
|
||||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
||||||
| Type = 8 | Payload Length | New Auth Type |
|
|
||||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
||||||
| New Auth Length | ~
|
|
||||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
|
|
||||||
~ New Authentication Data ... | Old Sig Type |
|
|
||||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
||||||
| Old Signature Length | ~
|
|
||||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+
|
|
||||||
~ Old Signature ... |
|
|
||||||
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|
|
||||||
</artwork>
|
|
||||||
</figure>
|
|
||||||
|
|
||||||
<t>The New Auth Type, New Auth Length, and New Authentication Data
|
|
||||||
fields declare the replacement algorithm and key.</t>
|
|
||||||
|
|
||||||
<t>The NEWKEY PDU is signed using the current (soon to be old)
|
|
||||||
algorithm and key.</t>
|
|
||||||
|
|
||||||
<t>To avoid possible race conditions, the receiver SHOULD accept
|
|
||||||
signatures using either the new or old key for a configurable time
|
|
||||||
(default 30 seconds). This is intended to accommodate situations
|
|
||||||
such as senders with high peer out-degree and a single per-device
|
|
||||||
asymmetric key.</t>
|
|
||||||
|
|
||||||
<t>If the sender does not receive an ACK in the normal window,
|
|
||||||
including retransmission, then the sender MAY choose to allow a
|
|
||||||
session reset by either issuing a new OPEN or by letting the
|
|
||||||
receiver eventually have a signature failure (error code 3) on a
|
|
||||||
PDU.</t>
|
|
||||||
|
|
||||||
</section>
|
|
||||||
|
|
||||||
<section anchor="l3liveness" title="Layers 2.5 and 3 Liveness">
|
<section anchor="l3liveness" title="Layers 2.5 and 3 Liveness">
|
||||||
|
|
||||||
<t>Layer 2 liveness may be continuously tested by KEEPALIVE PDUs,
|
<t>Layer 2 liveness may be continuously tested by KEEPALIVE PDUs,
|
||||||
|
|
@ -1457,19 +1404,18 @@ uint32_t sbox_checksum_32(const uint8_t *b, const size_t n)
|
||||||
<figure>
|
<figure>
|
||||||
<artwork>
|
<artwork>
|
||||||
PDU
|
PDU
|
||||||
Code PDU Name
|
Code PDU Name
|
||||||
---- -------------------
|
---- -------------------
|
||||||
0 HELLO
|
0 HELLO
|
||||||
1 OPEN
|
1 OPEN
|
||||||
2 KEEPALIVE
|
2 KEEPALIVE
|
||||||
3 ACK
|
3 ACK
|
||||||
4 IPv4 Announce / Withdraw
|
4 IPv4 Announce / Withdraw
|
||||||
5 IPv6 Announce / Withdraw
|
5 IPv6 Announce / Withdraw
|
||||||
6 MPLS IPv4 Announce / Withdraw
|
6 MPLS IPv4 Announce / Withdraw
|
||||||
7 MPLS IPv6 Announce / Withdraw
|
7 MPLS IPv6 Announce / Withdraw
|
||||||
8 NEWKEY
|
8-254 Reserved
|
||||||
9-254 Reserved
|
255 VENDOR
|
||||||
255 VENDOR
|
|
||||||
</artwork>
|
</artwork>
|
||||||
</figure>
|
</figure>
|
||||||
|
|
||||||
|
|
@ -1497,9 +1443,9 @@ uint32_t sbox_checksum_32(const uint8_t *b, const size_t n)
|
||||||
<artwork>
|
<artwork>
|
||||||
Bit Bit Name
|
Bit Bit Name
|
||||||
---- -------------------
|
---- -------------------
|
||||||
0 Primary
|
0 Primary
|
||||||
1 Loopback
|
1 Loopback
|
||||||
2-7 Reserved
|
2-7 Reserved
|
||||||
</artwork>
|
</artwork>
|
||||||
</figure>
|
</figure>
|
||||||
|
|
||||||
|
|
@ -1513,10 +1459,10 @@ uint32_t sbox_checksum_32(const uint8_t *b, const size_t n)
|
||||||
Error
|
Error
|
||||||
Code Error Name
|
Code Error Name
|
||||||
---- -------------------
|
---- -------------------
|
||||||
0 Reserved
|
0 Reserved
|
||||||
1 Logical Link Addressing Conflict
|
1 Logical Link Addressing Conflict
|
||||||
2 Authorisation Failure in OPEN
|
2 Authorisation Failure in OPEN
|
||||||
3 Signature Failure in PDU
|
3 Signature Failure in PDU
|
||||||
</artwork>
|
</artwork>
|
||||||
</figure>
|
</figure>
|
||||||
|
|
||||||
|
|
|
||||||
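Review bot: The Key field that replaces Authentication Data in the OPEN PDU (the `Key Length` paragraph and `The Key is specific to the operational environment`) never says what kind of key is carried, and since the signature is only described as proof of possession "in an asymmetric key environment", nothing in this section stops an implementer from placing a shared secret in a field that travels unprotected on the link. I would add after the first sentence of that paragraph: `The Key is the public key, or a key identifier, for the suite named by Auth Type; secret key material MUST NOT be carried in the OPEN PDU.` The zero rule also leaves the mismatched case unspecified; `A receiver MUST treat an OPEN in which exactly one of Auth Type and Key Length is zero as an authentication failure (Error Code 2)` would close it, assuming Error Code 2 is the intended code for a malformed authentication block. Two small things on the same side, if the second copy of each changed line is the new text: `key Length` should read `Key Length`, and the bottom border of the signature figure in the `@ -1205` hunk appears to have gained a doubled `--`, which pushes that artwork line one column past the rest of the figure.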