]> Vodafone

hemant.sharma@vodafone.com

Juniper Networks

jhaas@juniper.net

Ops & Management GROW BMP Security TCP-AO for BMP This document outlines the utilization of the TCP Authentication Option (TCP-AO), as specified in , for the authentication of BGP Monitoring Protocol (BMP) sessions, as specified in . TCP-AO provides for the authentication of BMP sessions established between routers and BMP stations at the TCP layer. Discussion Venues Source for this draft and an issue tracker can be found at .

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Introduction The BGP Monitoring Protocol (BMP), as specified in , recommends the use of IPsec to address security considerations concerning the BMP session between a router and the BMP station managing BGP route collection. This document suggests the use of the TCP Authentication Option (TCP-AO) as an authentication mechanism to ensure end-to-end authentication of BMP sessions between the routers and the BMP stations. TCP-AO is also the choice of authentication for TCP-based network protocols such as BGP and LDP. A comprehensive discussion of TCP-AO is provided in .

TCP-AO Protection for BGP Monitoring Protocol (BMP) The BGP Monitoring Protocol (BMP), defined in , plays a crucial role in network management by allowing routers to share information about their BGP RIBs. This helps operators monitor and troubleshoot their networks effectively. However, the security considerations associated with BMP have become increasingly critical in light of evolving threats. This document proposes that these threats be addressed by utilizing TCP-AO to safeguard BMP sessions. TCP-AO provides protection against spoofed TCP segments and helps protect the integrity of the TCP session. Further, it provides for the authentication of session endpoints. Similar to BGP, BMP can benefit from these security properties. TCP-AO helps protect the integrity of BMP session liveness at the TCP layer. As outlined in , BMP operates as a unidirectional protocol, meaning no BMP messages are transmitted from the monitoring station to the monitored router. BMP relies on the underlying TCP session, supported by TCP keepalives , to prevent session timeouts from the station to the monitored router.

Operational Recommendations for BMP The implementation and use of TCP-AO to protect BMP session is RECOMMENDED in circumstances where the session might not otherwise be protected by alternative mechanisms such as IPsec.

Security Considerations TCP-AO is not intended as a direct substitute for IPsec, nor is it suggested as such in this document. The Security Considerations for TCP-AO in all apply to its application for BMP. TCP-AO may inhibit connectionless resets when session keys have been lost or changed. This may cause BMP sessions to linger in some circumstances; however, BGP shares this consideration. In the presence of NAT, TCP-AO requires additional support as defined in . TCP-AO does not provide for privacy for the BMP protocol's contents. When this is desired, IPsec with Encapsulating Security Payload (ESP) can help provide for such privacy.

IANA Considerations This document has no IANA actions.

References Normative References In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. This document specifies the TCP Authentication Option (TCP-AO), which obsoletes the TCP MD5 Signature option of RFC 2385 (TCP MD5). TCP-AO specifies the use of stronger Message Authentication Codes (MACs), protects against replays even for long-lived TCP connections, and provides more details on the association of security with TCP connections than TCP MD5. TCP-AO is compatible with either a static Master Key Tuple (MKT) configuration or an external, out-of-band MKT management mechanism; in either case, TCP-AO also protects connections when using the same MKT across repeated instances of a connection, using traffic keys derived from the MKT, and coordinates MKT changes between endpoints. The result is intended to support current infrastructure uses of TCP MD5, such as to protect long-lived connections (as used, e.g., in BGP and LDP), and to support a larger set of MACs with minimal other system and operational changes. TCP-AO uses a different option identifier than TCP MD5, even though TCP-AO and TCP MD5 are never permitted to be used simultaneously. TCP-AO supports IPv6, and is fully compatible with the proposed requirements for the replacement of TCP MD5. [STANDARDS-TRACK] This document defines the BGP Monitoring Protocol (BMP), which can be used to monitor BGP sessions. BMP is intended to provide a convenient interface for obtaining route views. Prior to the introduction of BMP, screen scraping was the most commonly used approach to obtaining such views. The design goals are to keep BMP simple, useful, easily implemented, and minimally service affecting. BMP is not suitable for use as a routing protocol. Informative References This RFC is an official specification for the Internet community. It incorporates by reference, amends, corrects, and supplements the primary protocol standards documents relating to hosts. [STANDARDS-TRACK] This document describes an updated version of the Encapsulating Security Payload (ESP) protocol, which is designed to provide a mix of security services in IPv4 and IPv6. ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality. This document obsoletes RFC 2406 (November 1998). [STANDARDS-TRACK] This document describes an extension to the TCP Authentication Option (TCP-AO) to support its use over connections that pass through Network Address Translators and/or Network Address and Port Translators (NATs/NAPTs). This extension changes the data used to compute traffic keys, but it does not alter TCP-AO's packet processing or key generation algorithms.

Acknowledgments This document is an outcome of the experiences gained through implementing BMP. While TCP-AO safeguards other TCP protocols, BMP currently lacks the same level of protection.