+-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+
| IP Address/Address Mask for each Net Range ... /
| ... /
+-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+
| Router Public Key |
+-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+
| Certification /
+-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+
ROUTER ID     Advertising Router.

TE ID         TE Id must uniquely identify one TE in the AS. A number between 1-250. 0 reserved for null. 251-255 reserved for future needs.

TE KEY ID     Must uniquely identify a particular key for a given TE at any given time. A TE Key Id may be re-used after all references to it are gone from the AS. A number between 1-250. 0 reserved for null. 251-255 reserved for future needs.

RTR KEY ID    Must be unique for the TE and Router at any given time. The combination of (TE Id, Rtr Id, Rtr Key Id) uniquely identifies a particular router key at a given time. A Rtr Key Id may be re-used after all references to it are gone from the AS. Create Time resolves any conflict that could be caused by replaying old keys. A number between 1-250. 0 reserved for null. 251-255 reserved for future needs.
Murphy, et. al. Experimental [Page 21]
RFC 2154 OSPF with Digital Signatures June 1997
SIG ALG       The signature algorithm for the Router Public Key. The signature algorithm encompasses the hash algorithm used as well. Currently defined value = RSA-MD5(1). Values 2-252 are available for future definition. Values 0 and 253-255 are reserved. The Sig Alg value is registered with IANA. Future signature algorithms will have to be defined or referenced in this document, and registered with IANA.

CREATE TIME   Timestamp set by the TE. An unsigned number of seconds since the start of January 1, 1970, GMT, ignoring leap seconds. Used to compare two certificates and determine which is more recent. Requires time synchronization for TEs, but not for routers.

KEY FIELD LENGTH   The length in bytes of the Router Public Key. Does not include pad that may follow the Router Public Key field.

ROUTER ROLE   Router (R=1), Area Border Router (ABR=2), Autonomous System Border Router (ASBR=4), ABR and ASBR (ABR-ASBR=6).

#NET RANGES   The number of network ranges that follow. A network range is defined to be an IP Address and an Address Mask. This list of ranges defines the addresses that the Router is permitted to advertise in its Router Links LSA. Valid values are 0-255. If there are 0 ranges the router cannot advertise anything. This is not generally useful. One range with address=0 and mask=0 will allow a router to advertise any address.

IP ADDRESS & ADDRESS MASK   Define a range of addresses that this router may advertise. Each is a 32 bit value. One range with address=0 and mask=0 will allow a router to advertise any address.
ROUTER PUBLIC KEY   A key that can be used to verify the signatures produced by this router. The internal format for the Router Public Key is signature algorithm dependent. A pad is added to the end of the Router Public Key field to allow the next field to begin on a (4 byte) word boundary. The format used for an RSA-MD5 public key is defined in section 3.5 of RFC2065 [10].

CERTIFICATION   The Trusted Entity's signature of the certified data. This signature can be verified with the TE public key identified by TE Id and TE Key Id given in this packet. The length of the certification depends on the key size, and is stored in the PKLSA Cert Length field. A pad is added to the end of the Certification to allow the next field to begin on a (4 byte) word boundary. The format used for an RSA-MD5 signature is defined in section 4.1.2 of RFC2065 [10].
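The checks a verifying router would derive from the PKLSA fields above, written out as an added example (not code from RFC 2154 or from any OSPF implementation): decoding the (IP Address, Address Mask) pairs, deciding whether a link address in a Router Links LSA falls inside a certified range, and choosing between two certificates by Create Time. The range bytes and certificate metadata in the test are constructed; the helper names are the example's own.

```python
import ipaddress
from typing import Iterable, List, NamedTuple

# Id rules shared by TE Id, TE Key Id and Rtr Key Id (section 7.2):
# 1-250 usable, 0 is null, 251-255 reserved for future needs.
ID_NULL, ID_MIN, ID_MAX = 0, 1, 250


def id_is_valid(value: int) -> bool:
    """True only for a usable (non-null, non-reserved) id."""
    return ID_MIN <= value <= ID_MAX


class NetRange(NamedTuple):
    address: int   # 32-bit IP Address
    mask: int      # 32-bit Address Mask


def parse_net_ranges(blob: bytes, count: int) -> List[NetRange]:
    """Decode '#Net Ranges' consecutive (IP Address, Address Mask) 32-bit pairs."""
    if count > 255 or len(blob) < 8 * count:
        raise ValueError("net range list truncated or count out of range")
    return [NetRange(int.from_bytes(blob[i:i + 4], "big"),
                     int.from_bytes(blob[i + 4:i + 8], "big"))
            for i in range(0, 8 * count, 8)]


def address_permitted(ranges: Iterable[NetRange], addr: str) -> bool:
    """Verifier-side check that a link address in the router's Router Links LSA
    falls inside a certified range. Address 0 / mask 0 matches everything and
    an empty list matches nothing, exactly as section 7.2 describes."""
    a = int(ipaddress.IPv4Address(addr))
    return any((a & r.mask) == (r.address & r.mask) for r in ranges)


def disallowed_links(ranges: Iterable[NetRange], link_addrs: Iterable[str]) -> List[str]:
    """Addresses a verifier should reject from this router's Router Links LSA."""
    rs = list(ranges)
    return [a for a in link_addrs if not address_permitted(rs, a)]


class CertMeta(NamedTuple):
    te_id: int
    te_key_id: int
    rtr_key_id: int
    create_time: int   # set by the TE: seconds since 1970-01-01 GMT


def most_recent(certs: Iterable[CertMeta]) -> CertMeta:
    """Create Time decides between two certificates for the same router key,
    which is what resolves a replayed certificate for an old key."""
    return max(certs, key=lambda c: c.create_time)
```

The range test uses masks rather than prefix lengths because the PKLSA carries an arbitrary 32-bit mask; a non-contiguous mask therefore still behaves as the field definition says, not as a CIDR prefix would.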
7.3 Signed LSA
A signed LSA is an OSPF LSA with signature data and a digital
signature attached. The first bit of the LSA Type field is set to
indicate the presence of a signature. The signature follows the LSA
Data. Signature length and id fields are positioned at the end of
the signed LSA.
ANY SIGNED LSA
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+
| LS Age | Options | LS Type |
+-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+
| Link State ID |
+-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+
| Advertising Router |
+-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+
| LS Sequence Number |
+-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+
| LS Checksum | Length |
+-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+
| LSA Data /
/ ... /
+-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+
| Signature /
+-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+
| Rtr Key Id | TE Id | Sign Length |
+-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+
LS AGE        Defined in OSPF RFC [3].

OPTIONS       Defined in OSPF RFC [3].

LS TYPE       Standard LSA Type with the first bit set to indicate the presence of security data and a signature. This creates a new signed LSA type for each existing type.

LINK STATE ID   Defined in OSPF RFC [3].

ADVERTISING ROUTER   Defined in OSPF RFC [3].

LS SEQUENCE NUMBER   Defined in OSPF RFC [3].

LS CHECKSUM   Defined in OSPF RFC [3]. Checksum does not cover the signature.

LENGTH        Defined in OSPF RFC [3]. Length does include the Signature and security related fields at the end of the LSA.
SIGNATURE     The advertising router's signature of this LSA. The signature covers the LSA header and data starting with the LSA header options field and ending with the Trusted Entity certification field. For sign and verify, the last three fields (Rtr Key Id, TE Id, Sign Length) are appended to the Certificate. When complete, the signature is inserted between the Certification and the Rtr Key Id. There are two exceptions to this coverage:

   1) If the LSA was generated with an age=MaxAge, then the signature begins with the age field (see section 3.3).

   2) The checksum in the LSA Header is set to zero for the computation & verification of the signature.

   A pad is added to the end of the signature to allow the next field to begin on a (4 byte) word boundary. The format used for an RSA-MD5 signature is defined in section 4.1.2 of RFC2065 [10].

RTR KEY ID    Used to identify the router key used to sign this LSA. The combination of (TE Id, Rtr Id, Rtr Key Id) uniquely identifies a particular router key at a given time, and can be used to look up the PKLSA for the router key needed to verify this Signed LSA. A number between 1-250. 0 reserved for null. 251-255 reserved for future needs.

TE ID         The id of the Trusted Entity that produced the certificate. TE Id must uniquely identify one TE in the AS. A number between 1-250. 0 reserved for null. 251-255 reserved for future needs.

SIGN LENGTH   The length in bytes of the Signature. Does not include pad that may follow Signature.
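The signed-LSA layout of section 7.3 and the signature coverage rules above, as an added example that is not code from RFC 2154 or from any OSPF implementation. It walks the LSA from the Length field back to the trailer (Rtr Key Id, TE Id, Sign Length), locates the padded Signature, and builds the exact byte region the signature covers: from Options (from LS Age when age=MaxAge) to the end of LSA Data with the LS Checksum zeroed, plus the three trailer fields. Assumptions not stated on this page: MaxAge is 3600 seconds (the OSPF value); the LS Checksum is the OSPF Fletcher checksum computed over Options through the end of LSA Data only (the page says it does not cover the signature; excluding the pad and trailer as well is this example's choice); and the signer is an HMAC-SHA256 stand-in under a constructed key, not the RSA-MD5 signature of RFC 2065, so only the framing is demonstrated, not the cryptography. The LSA Data bytes are constructed.

```python
import hashlib
import hmac
import struct
from typing import Callable, NamedTuple

HDR = struct.Struct("!HBBIIIHH")   # LS Age, Options, LS Type, LS ID, Adv Router, Seq, Checksum, Length
TRAILER = struct.Struct("!BBH")    # Rtr Key Id, TE Id, Sign Length: last 4 bytes of a signed LSA
SIGNED_TYPE_BIT = 0x80             # first bit of LS Type marks a signed LSA
MAX_AGE = 3600                     # OSPF MaxAge in seconds (assumption: value taken from OSPF, not this page)
CHECKSUM_OFFSET = 16               # LS Checksum position within the LSA

def pad4(n: int) -> int:
    """Round up to the next 4-byte word boundary (the signature pad rule)."""
    return (n + 3) & ~3

class SignedLSA(NamedTuple):
    ls_type: int
    length: int
    data: bytes
    signature: bytes
    rtr_key_id: int
    te_id: int

def fletcher_sums(region: bytes):
    """Running Fletcher sums; a region with a valid checksum in place yields (0, 0)."""
    c0 = c1 = 0
    for b in region:
        c0 = (c0 + b) % 255
        c1 = (c1 + c0) % 255
    return c0, c1

def fletcher_checksum(region: bytes, ck_off: int) -> bytes:
    """ISO 8473 checksum octets to store at region[ck_off:ck_off+2] (zero there on input)."""
    c0, c1 = fletcher_sums(region)
    x = ((len(region) - ck_off - 1) * c0 - c1) % 255 or 255
    y = 510 - c0 - x
    return bytes((x, y - 255 if y > 255 else y))

def signed_region(buf: bytes, data_end: int, trailer: bytes) -> bytes:
    """Bytes the Signature covers: Options (LS Age when age == MaxAge) through the
    end of LSA Data with LS Checksum zeroed, then the appended trailer fields."""
    hdr = bytearray(buf[:HDR.size])
    hdr[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 2] = b"\x00\x00"
    start = 0 if struct.unpack_from("!H", buf)[0] == MAX_AGE else 2
    return bytes(hdr[start:]) + buf[HDR.size:data_end] + trailer

def build_signed_lsa(age, options, ls_type, ls_id, adv_router, seq, data: bytes,
                     rtr_key_id: int, te_id: int, sign: Callable[[bytes], bytes], sig_len: int) -> bytes:
    """Header + data + signature + pad + trailer; Length covers all of it, the
    checksum (assumption) covers only Options..end of LSA Data."""
    data_end = HDR.size + len(data)
    length = data_end + pad4(sig_len) + TRAILER.size
    hdr = bytearray(HDR.pack(age, options, ls_type | SIGNED_TYPE_BIT, ls_id, adv_router, seq, 0, length))
    body = bytes(hdr) + data
    hdr[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 2] = fletcher_checksum(body[2:], CHECKSUM_OFFSET - 2)
    trailer = TRAILER.pack(rtr_key_id, te_id, sig_len)
    sig = sign(signed_region(body, data_end, trailer))
    if len(sig) != sig_len:
        raise ValueError("signer returned a signature of unexpected length")
    return bytes(hdr) + data + sig + b"\x00" * (pad4(sig_len) - sig_len) + trailer

def parse_signed_lsa(buf: bytes) -> SignedLSA:
    """Locate the trailer via Length, then the signature via Sign Length and the pad."""
    _age, _opt, ls_type, _lsid, _adv, _seq, _cks, length = HDR.unpack_from(buf)
    if not ls_type & SIGNED_TYPE_BIT:
        raise ValueError("LS Type does not flag a signed LSA")
    if not HDR.size + TRAILER.size <= length <= len(buf):
        raise ValueError("Length field inconsistent with buffer")
    rtr_key_id, te_id, sig_len = TRAILER.unpack_from(buf, length - TRAILER.size)
    sig_start = length - TRAILER.size - pad4(sig_len)
    if sig_start < HDR.size or not (1 <= rtr_key_id <= 250 and 1 <= te_id <= 250):
        raise ValueError("Sign Length does not fit, or null/reserved Rtr Key Id / TE Id")
    return SignedLSA(ls_type, length, buf[HDR.size:sig_start],
                     buf[sig_start:sig_start + sig_len], rtr_key_id, te_id)

def verify_signed_lsa(buf: bytes, verify: Callable[[bytes, bytes], bool]) -> bool:
    """Checksum first (cheap), then the signature over the section 7.3 region."""
    lsa = parse_signed_lsa(buf)
    data_end = HDR.size + len(lsa.data)
    if fletcher_sums(buf[2:data_end]) != (0, 0):
        return False
    trailer = TRAILER.pack(lsa.rtr_key_id, lsa.te_id, len(lsa.signature))
    return verify(signed_region(buf, data_end, trailer), lsa.signature)

# Stand-in signer (NOT RSA-MD5): HMAC-SHA256 under a constructed key, cut to 30 bytes so the pad is exercised.
_DEMO_KEY = b"constructed demo key, not a real router key"

def demo_sign(msg: bytes) -> bytes:
    return hmac.new(_DEMO_KEY, msg, hashlib.sha256).digest()[:30]

def demo_verify(msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(demo_sign(msg), sig)

def demo():
    """Build a signed Router-LSA (LS Type 1) over constructed LSA Data, verify it,
    then flip one bit of the data and verify again."""
    data = bytes.fromhex("0000000a0000000100000000ffffffff")  # constructed 16-byte LSA Data
    buf = build_signed_lsa(1, 0x02, 1, 0xC0A80001, 0xC0A80001, 0x80000001, data, 1, 1, demo_sign, 30)
    tampered = bytearray(buf)
    tampered[HDR.size] ^= 0x01
    return buf, verify_signed_lsa(buf, demo_verify), verify_signed_lsa(bytes(tampered), demo_verify)
```

Because the trailer is located from Length and the signature from Sign Length, a receiver must bound both before slicing, which `parse_signed_lsa` does; a Sign Length larger than what Length leaves room for is rejected rather than read past the LSA. The tampered case fails at the checksum, before any signature work, which is the cheap-first ordering a verifier wants.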
8. Configuration Information

Trusted Entity Information Set: (one per Trusted Entity used by this router)

   Trusted Entity ID - TE Id
      Identifies the Trusted Entity within the AS (defined in 7.2).

   Trusted Entity Key Id - TE Key Id
      Identifies the particular key for this Trusted Entity (defined in 7.2).

   Trusted Entity Public Key
      A public key for this Trusted Entity. The format used for an RSA-MD5 public key is defined in section 3.5 of RFC2065 [10].

   Signature Algorithm < and optional parameters >
      The signature algorithm for the public key (defined in 7.2).

Router Information Set: (at least o