📄 rfc2154.txt
字号:
in AS External LSAs being dropped if they reach an area that has a different environment from the one in which they were created. There are special limitations in the case of a router that is an ABR and also an ASBR: see section 6. Complete connectivity is provided within the AS, because of the summarization provided by ABRs connecting signed and unsigned areas. There are limitations on connectivity to AS external routes in an AS with a mixture of signed and unsigned areas, depending on the location of AS border routers. An ASBR in a signed area will generate signed ASE LSAs. These LSAs will be flooded to every contiguously connected signed area. The connected signed areas are the "scope" of these ASEs. A host located in an area that is not in this scope, will not have connectivity to these external routes. An ASBR in an unsigned area will generate unsigned ASE LSAs. These LSAsMurphy, et. al. Experimental [Page 16]
RFC 2154 OSPF with Digital Signatures June 1997 will have a scope of all the contiguously connected unsigned areas, and will be available to hosts in this scope. To arrange complete connectivity to an ASE route in an AS with signed and unsigned areas: (1) Place the ASBR on the backbone. (2) Signed Backbone: have some ABR in each unsigned area advertise a default route to the backbone. (3) Unsigned Backbone: have some ABR in each signed area advertise a default route to the backbone. Given this design for a mixed AS, routing is available throughout the AS, but the authentication and integrity provided by this design will be effective only for routes that are inside a signed area, or traverse only signed areas. There is no mechanism for a data packet to state a preference for signed routes. The basic rules of the OSPF protocol ensure that intra-area routes are preferred to inter-area routes, that routes within the AS are preferred to AS external routes, and that inter-area routes go from area1->backbone->area2. OSPF does not allow looping, or routes of the form area1->area2- >area3. Because of these properties of OSFP routing, an AS can contain signed and unsigned areas, and achieve a predictable level of authentication.6. Special Considerations/Restrictions for the ABR-ASBR There are special restrictions and configuration considerations for a router running OSPF with Digital Signatures that is both an Area Border Router and an Autonomous System Border Router. An ASBR produces AS external LSAs that are flooded throughout the non-stub areas of the AS. An ABR that is generating digital signatures may be using a different key, certifying Trusted Entity, or signature algorithm for each of its attached areas, or it might be signing in some areas and not in others. An ABR/ASBR with no restrictions on its configuration could produce multiple versions of an ASE that would all be flooded throughout the non-stub areas of the AS. The results of this production of multiple versions of LSAs would be detrimental to performance, and could produce unpredictable routing behavior.Murphy, et. al. Experimental [Page 17]
RFC 2154 OSPF with Digital Signatures June 1997 The PKLSA of an ASBR is also flooded throughout the non-stub areas of the AS, and in the case of an ABR/ASBR there could be multiple, distinct PKLSAs for a given router, one per attached area, all being flooded throughout the AS. If two distinct PKLSAs from one ABR/ASBR router were present in one area, the key with the most recent create time would be stored, and all LSAs signed with a less recent key would be unverifiable. The simplest way to deal with this problem, and the method recommended by this document, is the following: If an ASBR must also be an ABR, then the security configuration (key, signature algorithm, certifying Trusted Entity, environment = signed/unsigned) for all attached areas must be the same. This way the PKLSA and the ASEs produced for each area match, and there is no proliferation of versions of LSAs.7. LSA formats7.1. Router Public Key LSA (PKLSA) This LSA is the vehicle for distribution of a router public key. The PKLSA is sent by one router, and stored by all the other routers in the flooding scope. The PKLSA contains the public key that other routers will use to verify the signatures created by this router. A Router PKLSA will be communicated in the usual database exchange and via flooding mechanisms. The regular period for sending this LSA is LSRefreshTime. The Router PKLSA will also be sent when there is a new key, or a key to be flushed from the system. The flooding scope of a PKLSA is the area, except in the case of ASBRs. The flooding scope of an ASBR's PKLSA is the same as that of the ASEs. The "role" of the router (RTR, ABR, ASBR, ABR-ASBR) is stored in the PKLSA inside the certificate, and can be checked during flooding.Murphy, et. al. Experimental [Page 18]
RFC 2154 OSPF with Digital Signatures June 1997 ROUTER PUBLIC KEY LSA 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+ | LS Age | Options | LS Type | +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+ | Link State ID | +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+ | Advertising Router | +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+ | LS Sequence Number | +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+ | LS Checksum | Length | +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+ | Certificate (format in 7.2) / +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+ | Signature / +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+ | Cert Length | Sign Length | +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+ LS AGE Defined in OSPF RFC [3]. OPTIONS Defined in OSPF RFC [3]. LS TYPE 16 for Router Public Key LSA. First bit set to indicate a signed LSA. LINK STATE ID Contains the Advertising Router Id (see next field). ADVERTISING ROUTER Defined in OSPF RFC [3]. LS SEQUENCE NUMBER Defined in OSPF RFC [3]. LS CHECKSUM Defined in OSPF RFC [3]. Checksum does not cover the signature. LENGTH Defined in OSPF RFC [3]. Length does include the Signature field, Cert Length and Sign Length. CERTIFICATE Format in section 7.2.Murphy, et. al. Experimental [Page 19]
RFC 2154 OSPF with Digital Signatures June 1997 SIGNATURE The advertising router's signature of this LSA. This can be verified using the enclosed Router Public Key. The signature covers the LSA header and message starting with the LSA header options field and ending with the Trusted Entity certification field. For sign and verify, the last two fields (Cert Length and Sign Length) are appended immediately after the Certificate. When complete, the signature is inserted between the Certification and the Cert Length. There are two exceptions to this coverage: 1) If the LSA was generated with an age=MaxAge, then the signature begins with the age field (see section 3.3). 2) The checksum in the LSA Header is set to zero for the computation of the signature. A pad is added to the end of the signature field to allow the next field to begin on a (4 byte) word boundary. The format used for an RSA-MD5 signature is defined in section 4.1.2 of RFC2065 [10]. CERT LENGTH The length in bytes of the Certification inside the Certificate. Does not include pad that may follow Certification. SIGN LENGTH The length in bytes of the Signature. Does not include pad that may follow Signature.7.2. Router Public Key Certificate A router public key certificate is a package of data signed by a Trusted Entity. This certificate is included in the router PKLSA and in the router configuration information. To change any of the values in the certificate, a new certificate must be obtained from a TE.Murphy, et. al. Experimental [Page 20]
RFC 2154 OSPF with Digital Signatures June 1997 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+ | Router Id | +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+ | TE Id | TE Key Id | Rtr Key Id | Sig Alg | +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+ | Create Time | +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+ | Key Field Length | Router Role | #Net Ranges | +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+ | IP Address | +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+ | Address Mask | +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+ | IP Address/Address Mask for each Net Range ... / | ... / +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+ | Router Public Key | +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+ | Certification / +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+ ROUTER ID Advertising Router. TE ID TE Id must uniquely identify one TE in the AS. A number between 1-250. 0 reserved for null. 251-255 reserved for future needs. TE KEY ID Must uniquely identify a particular key for a given TE at any given time. A TE Key Id may be re-used after all references to it are gone from the AS. A number between 1-250. 0 reserved for null. 251-255 reserved for future needs. RTR KEY ID Must be unique for the TE and Router at any given time. The combination of (TE Id, Rtr Id, Rtr Key Id) uniquely identifies a particular router key at a given time. A Rtr Key Id may be re-used after all references to it are gone from the AS. Create Time resolves any conflict that could be caused by replaying old keys. A number between 1-250. 0 reserved for null. 251-255 reserved for future needs.⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -