
rfc2154.txt

Murphy, et. al.               Experimental                     [Page 21]

RFC 2154              OSPF with Digital Signatures             June 1997

   SIG ALG         The signature algorithm for the Router Public Key.
                   The signature algorithm encompasses the hash
                   algorithm used as well.  Currently defined value =
                   RSA-MD5(1).  Values 2-252 are available for future
                   definition.  Values 0 and 253-255 are reserved.  The
                   Sig Alg value is registered with IANA.  Future
                   signature algorithms will have to be defined or
                   referenced in this document, and registered with
                   IANA.

   CREATE TIME     Timestamp set by the TE.  An unsigned number of
                   seconds since the start of January 1, 1970, GMT,
                   ignoring leap seconds.  Used to compare two
                   certificates and determine which is more recent.
                   Requires time synchronization for TEs, but not for
                   routers.

   KEY FIELD LENGTH    The length in bytes of the Router Public Key.
                   Does not include the pad that may follow the Router
                   Public Key field.

   ROUTER ROLE     Router (R=1), Area Border Router (ABR=2), Autonomous
                   System Border Router (ASBR=4), ABR and ASBR (ABR-
                   ASBR=6).

   #NET RANGES     The number of network ranges that follow.  A network
                   range is defined to be an IP Address and an Address
                   Mask.  This list of ranges defines the addresses that
                   the Router is permitted to advertise in its Router
                   Links LSA.  Valid values are 0-255.  If there are 0
                   ranges the router cannot advertise anything.  This is
                   not generally useful.  One range with address=0 and
                   mask=0 will allow a router to advertise any address.
   IP ADDRESS & ADDRESS MASK
                   Define a range of addresses that this router may
                   advertise.  Each is a 32 bit value.  One range with
                   address=0 and mask=0 will allow a router to advertise
                   any address.

   ROUTER PUBLIC KEY    A key that can be used to verify the signatures
                   produced by this router.  The internal format for the
                   Router Public Key is signature algorithm dependent.
                   A pad is added to the end of the Router Public Key
                   field to allow the next field to begin on a (4 byte)
                   word boundary.

                   The format used for an RSA-MD5 public key is defined
                   in section 3.5 of RFC2065 [10].

   CERTIFICATION   The Trusted Entity's signature of the certified data.
                   This signature can be verified with the TE public key
                   identified by TE Id and TE Key Id given in this
                   packet.  The length of the certification depends on
                   the key size, and is stored in the PKLSA Cert Length
                   field.  A pad is added to the end of the
                   Certification to allow the next field to begin on a
                   (4 byte) word boundary.

                   The format used for an RSA-MD5 signature is defined
                   in section 4.1.2 of RFC2065 [10].

7.3  Signed LSA

   A signed LSA is an OSPF LSA with signature data and a digital
   signature attached.  The first bit of the LSA Type field is set to
   indicate the presence of a signature.  The signature follows the LSA
   Data.  Signature length and id fields are positioned at the end of
   the signed LSA.
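   The certificate fields above (#NET RANGES, IP ADDRESS & ADDRESS
   MASK, CREATE TIME, ROUTER ROLE) are what a verifying router uses to
   decide whether a signed Router Links LSA advertises only what the
   Trusted Entity allowed.  The following Python is an added example
   and is not part of RFC 2154 or of the authors' implementation: the
   Certificate class, the function names and the sample certificates
   and addresses are constructed for illustration.  It applies the
   range rules as the text states them (masked match; address=0,
   mask=0 permits everything; zero ranges permit nothing), flags links
   a certificate does not cover, and selects the newer of two
   certificates by CREATE TIME.

```python
"""Added example, not code from RFC 2154 or the authors' implementation:
verifier-side checks on the PKLSA certificate's network ranges and
CREATE TIME.  All sample values are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# Router Role values from the certificate: ABR-ASBR=6 is ABR (2) combined with ASBR (4).
ROLE_ROUTER, ROLE_ABR, ROLE_ASBR = 1, 2, 4
MAX_NET_RANGES = 255          # #NET RANGES is one byte: valid values are 0-255


@dataclass
class Certificate:            # hypothetical container holding only the fields the checks need
    router_id: str
    create_time: int                                                  # seconds since 1970-01-01 GMT, set by the TE
    router_role: int = ROLE_ROUTER
    net_ranges: List[Tuple[str, str]] = field(default_factory=list)   # (IP Address, Address Mask) pairs


def to_u32(dotted: str) -> int:
    """Dotted-quad text to the 32-bit value carried in the certificate."""
    return int(ipaddress.IPv4Address(dotted))


def certificate_problems(cert: Certificate) -> List[str]:
    """Things that cannot be encoded or are undefined by the format; empty means clean."""
    problems = []
    if len(cert.net_ranges) > MAX_NET_RANGES:
        problems.append("#NET RANGES exceeds 255")
    if cert.router_role not in (ROLE_ROUTER, ROLE_ABR, ROLE_ASBR, ROLE_ABR | ROLE_ASBR):
        problems.append("undefined Router Role value")
    for addr, mask in cert.net_ranges:
        try:
            to_u32(addr), to_u32(mask)
        except ValueError:
            problems.append(f"malformed range {addr}/{mask}")
    return problems


def range_permits(address: int, mask: int, candidate: int) -> bool:
    """A range covers every candidate whose masked bits equal the range's masked bits.
    With address=0 and mask=0 the mask clears every bit, so any candidate matches."""
    return (candidate & mask) == (address & mask)


def permitted_to_advertise(cert: Certificate, candidate: str) -> bool:
    """Zero ranges means the router may advertise nothing at all (any() over an empty list)."""
    c = to_u32(candidate)
    return any(range_permits(to_u32(a), to_u32(m), c) for a, m in cert.net_ranges)


def unauthorised_links(cert: Certificate, link_ids: List[str]) -> List[str]:
    """Link addresses from a Router Links LSA that the certificate does not cover;
    a non-empty result is what a verifier should log and refuse to install."""
    return [lid for lid in link_ids if not permitted_to_advertise(cert, lid)]


def newer_certificate(a: Certificate, b: Certificate) -> Certificate:
    """CREATE TIME decides which of two certificates for the same router is current."""
    return b if b.create_time > a.create_time else a


# Constructed sample certificates for illustration only.
SAMPLE_CERT = Certificate("10.0.0.1", create_time=867_000_000, router_role=ROLE_ABR,
                          net_ranges=[("10.1.0.0", "255.255.0.0"), ("192.168.5.0", "255.255.255.0")])
RENEWED_CERT = Certificate("10.0.0.1", create_time=867_100_000, router_role=ROLE_ABR,
                           net_ranges=[("10.1.0.0", "255.255.0.0")])
WILDCARD_CERT = Certificate("10.0.0.2", create_time=867_000_000, net_ranges=[("0.0.0.0", "0.0.0.0")])
EMPTY_CERT = Certificate("10.0.0.3", create_time=867_000_000)

if __name__ == "__main__":
    print(unauthorised_links(SAMPLE_CERT, ["10.1.7.3", "172.16.0.9", "192.168.5.200"]))
```

   Only the router whose links fall entirely inside its certified
   ranges should have its Router Links LSA accepted; the wildcard
   range reproduces today's unconstrained behaviour and is what the
   text warns is "not generally useful" for restricting a router.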
   ANY SIGNED LSA

                           1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+
      |            LS Age             |   Options     |    LS Type    |
      +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+
      |                        Link State ID                          |
      +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+
      |                     Advertising Router                        |
      +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+
      |                     LS Sequence Number                        |
      +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+
      |         LS Checksum           |            Length             |
      +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+
      |                            LSA Data                           /
      / ...                                                           /
      +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+
      |                            Signature                          /
      +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+
      |  Rtr Key Id   |     TE Id     |         Sign Length           |
      +-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-*-+-+-+-+-+-+-+-+

   LS AGE          Defined in OSPF RFC [3].

   OPTIONS         Defined in OSPF RFC [3].

   LS TYPE         Standard LSA Type with the first bit set to indicate
                   the presence of security data and a signature.  This
                   creates a new signed LSA type for each existing type.

   LINK STATE ID   Defined in OSPF RFC [3].

   ADVERTISING ROUTER  Defined in OSPF RFC [3].

   LS SEQUENCE NUMBER  Defined in OSPF RFC [3].
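   The layout above is easiest to get right in code, and the SIGNATURE
   field description that follows gives exact coverage rules (sign from
   the Options field onward, or from LS Age when the LSA was generated
   with age=MaxAge; zero the checksum; append Rtr Key Id, TE Id and
   Sign Length; insert the signature before those three fields; pad to
   a 4 byte boundary; Length counts everything).  The Python below is an
   added example, not code from RFC 2154 or from the authors'
   implementation.  Its assumptions: RSA-MD5 is the only algorithm the
   RFC defines and the Python standard library has no RSA, so HMAC-MD5
   under a constructed key stands in for it; MaxAge is taken as 3600
   seconds from RFC 2328; the key table keyed by (TE Id, Rtr Id, Rtr
   Key Id) mirrors the PKLSA lookup the text describes; the LS
   Checksum is left at zero because it is computed as in RFC 2328,
   does not cover the signature, and is zeroed for signing anyway.

```python
"""Added example, not from RFC 2154 or the authors' implementation: build,
parse and verify the Signed LSA layout, applying the SIGNATURE coverage
rules.  HMAC-MD5 with a constructed key stands in for RSA-MD5."""
import hashlib
import hmac
import struct

# LS Age, Options, LS Type, Link State ID, Advertising Router, LS Sequence Number, LS Checksum, Length
LSA_HEADER = struct.Struct("!HBBIIIHH")
TRAILER = struct.Struct("!BBH")      # Rtr Key Id, TE Id, Sign Length
SIGNED_TYPE_BIT = 0x80               # first bit of LS Type marks a signed LSA
MAX_AGE = 3600                       # OSPF MaxAge in seconds (RFC 2328 constant, assumed here)
CHECKSUM_OFFSET = 16                 # position of LS Checksum within the header


def pad4(n: int) -> int:
    """Bytes needed to bring n up to the next 4-byte word boundary."""
    return (-n) % 4


def stand_in_sign(key: bytes, data: bytes) -> bytes:
    """Stand-in for the RSA-MD5 signature: HMAC-MD5, 16-byte output (assumption)."""
    return hmac.new(key, data, hashlib.md5).digest()


def signature_input(header: bytes, lsa_data: bytes, rtr_key_id: int, te_id: int, sign_len: int) -> bytes:
    """Exact bytes the signature covers: header from Options onward (from LS Age when
    age == MaxAge), with the checksum zeroed, then LSA Data, then the three trailer fields."""
    age = struct.unpack_from("!H", header)[0]
    hdr = bytearray(header)
    hdr[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 2] = b"\x00\x00"   # exception 2: checksum zeroed
    start = 0 if age == MAX_AGE else 2                        # exception 1: MaxAge LSAs cover LS Age
    return bytes(hdr[start:]) + lsa_data + TRAILER.pack(rtr_key_id, te_id, sign_len)


def build_signed_lsa(age, options, ls_type, ls_id, adv_router, seq, lsa_data, rtr_key_id, te_id, key):
    """Assemble header | LSA Data | Signature | pad | Rtr Key Id, TE Id, Sign Length.
    Length counts everything, including the signature and trailer.  LS Checksum stays 0
    (computed per RFC 2328 in a real implementation; it never covers the signature)."""
    sign_len = hashlib.md5().digest_size
    total = LSA_HEADER.size + len(lsa_data) + sign_len + pad4(sign_len) + TRAILER.size
    header = LSA_HEADER.pack(age, options, ls_type | SIGNED_TYPE_BIT, ls_id, adv_router, seq, 0, total)
    signature = stand_in_sign(key, signature_input(header, lsa_data, rtr_key_id, te_id, sign_len))
    return header + lsa_data + signature + b"\x00" * pad4(sign_len) + TRAILER.pack(rtr_key_id, te_id, sign_len)


def parse_signed_lsa(lsa: bytes) -> dict:
    """Split a signed LSA into its parts, locating the signature from Length and Sign Length."""
    age, options, ls_type, ls_id, adv_router, seq, cksum, length = LSA_HEADER.unpack_from(lsa)
    if not ls_type & SIGNED_TYPE_BIT:
        raise ValueError("LS Type first bit clear: not a signed LSA")
    if length != len(lsa):
        raise ValueError("Length must cover the signature and id fields")
    rtr_key_id, te_id, sign_len = TRAILER.unpack_from(lsa, length - TRAILER.size)
    sig_end = length - TRAILER.size - pad4(sign_len)
    sig_start = sig_end - sign_len
    if sig_start < LSA_HEADER.size:
        raise ValueError("Sign Length larger than the LSA")
    return {"header": lsa[:LSA_HEADER.size], "lsa_data": lsa[LSA_HEADER.size:sig_start],
            "signature": lsa[sig_start:sig_end], "rtr_key_id": rtr_key_id, "te_id": te_id,
            "adv_router": adv_router}


def verify_signed_lsa(lsa: bytes, router_keys: dict) -> bool:
    """router_keys maps (TE Id, Rtr Id, Rtr Key Id) -> key, mirroring the PKLSA lookup."""
    try:
        p = parse_signed_lsa(lsa)
    except (ValueError, struct.error):
        return False
    key = router_keys.get((p["te_id"], p["adv_router"], p["rtr_key_id"]))
    if key is None:
        return False          # no certified key for this (TE, router, key id): cannot accept the LSA
    expected = stand_in_sign(key, signature_input(p["header"], p["lsa_data"],
                                                  p["rtr_key_id"], p["te_id"], len(p["signature"])))
    return hmac.compare_digest(expected, p["signature"])


def set_u16(lsa: bytes, offset: int, value: int) -> bytes:
    """Copy of the LSA with one 16-bit header field rewritten (used to probe coverage)."""
    return lsa[:offset] + struct.pack("!H", value) + lsa[offset + 2:]


# Constructed sample: router 10.0.0.1 signing a Router-LSA (type 1) with key id 1 under TE 1.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_KEYS = {(1, 0x0A000001, 1): SAMPLE_KEY}
SAMPLE_DATA = b"\x00\x00\x00\x01" + b"\x0a\x00\x00\x02"      # constructed stand-in for Router-LSA body
SAMPLE_LSA = build_signed_lsa(10, 0x02, 1, 0x0A000001, 0x0A000001, 0x80000001, SAMPLE_DATA, 1, 1, SAMPLE_KEY)
MAXAGE_LSA = build_signed_lsa(MAX_AGE, 0x02, 1, 0x0A000001, 0x0A000001, 0x80000002, b"\x00" * 4, 1, 1, SAMPLE_KEY)

if __name__ == "__main__":
    print(verify_signed_lsa(SAMPLE_LSA, SAMPLE_KEYS), verify_signed_lsa(set_u16(SAMPLE_LSA, 0, 11), SAMPLE_KEYS))
```

   Two properties fall out of the coverage rules and are worth checking
   in any implementation: changing LS Age or LS Checksum on a normal
   LSA leaves the signature valid (both are rewritten in transit), while
   changing LS Age on an LSA generated with MaxAge, or any byte of the
   LSA Data, makes verification fail.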
   LS CHECKSUM     Defined in OSPF RFC [3].
                   Checksum does not cover the signature.

   LENGTH          Defined in OSPF RFC [3].
                   Length does include the Signature and security
                   related fields at the end of the LSA.

   SIGNATURE       The advertising router's signature of this LSA.  The
                   signature covers the LSA header and data starting
                   with the LSA header options field and ending with the
                   Trusted Entity certification field.  For sign and
                   verify, the last three fields (Rtr Key Id, TE Id,
                   Sign Length) are appended to the Certificate.  When
                   complete, the signature is inserted between the
                   Certification and the Rtr Key Id.  There are two
                   exceptions to this coverage:

                   1) If the LSA was generated with an age=MaxAge, then
                   the signature begins with the age field (see section
                   3.3).

                   2) The checksum in the LSA Header is set to zero for
                   the computation & verification of the signature.

                   A pad is added to the end of the signature to allow
                   the next field to begin on a (4 byte) word boundary.

                   The format used for an RSA-MD5 signature is defined
                   in section 4.1.2 of RFC2065 [10].

   RTR KEY ID      Used to identify the router key used to sign this
                   LSA.  The combination of (TE Id, Rtr Id, Rtr Key Id)
                   uniquely identifies a particular router key at a
                   given time, and can be used to look up the PKLSA for
                   the router key needed to verify this Signed LSA.  A
                   number between 1-250.  0 reserved for null.
                   251-255 reserved for future needs.

   TE ID           The id of the Trusted Entity that produced the
                   certificate.  TE Id must uniquely identify one TE in
                   the AS.  A number between 1-250.  0 reserved for
                   null.  251-255 reserved for future needs.

   SIGN LENGTH     The length in bytes of the Signature.
                   Does not include pad that may follow Signature.

8.  Configuration Information

   Trusted Entity Information Set: (one per Trusted Entity used by this
   router)

      Trusted Entity ID - TE Id
           Identifies the Trusted Entity within the AS (defined in 7.2).

      Trusted Entity Key Id - TE Key Id
           Identifies the particular key for this Trusted Entity
           (defined in 7.2).

      Trusted Entity Public Key
           A public key for this Trusted Entity.
           The format used for an RSA-MD5 public key is defined in
           section 3.5 of RFC2065 [10].

      Signature Algorithm < and optional parameters >
           The signature algorithm for the public key (defined in 7.2).

   Router Information Set: (at least one for the router)

      Router Private Key
           The router's private key that goes with the public key in the
           certificate following.  The format used for the private key
           depends on the crypto package used by your implementation.
           This key is not transmitted as part of this design.  Our
           implementation uses the private key format compatible with
           RSAREF [9].

      Router Certificate (format in 7.2).

   Timing Intervals:

      Trusted Entity Key Distribution Interval (TE_KEY_DIST_INT)
           The period of time, in seconds, needed to get a TE public key
           installed on all the routers in the TE's scope.
      Maximum Transit Delay (MAX_TRANSIT_DELAY)
           The maximum period of time, in seconds, that it should take
           for an LSA to reach all the routers in the AS.

   Router Information per attached Area:

      Environment flag
           Signed=1, Unsigned=0

9.  Remaining Vulnerabilities

   Note that with this mechanism, one router can still distribute
   incorrect data in the information for which it itself is responsible.
   Consequently, an autonomous system employing digital signatures with
   this mechanism will not be completely invulnerable to routing
