Internet DRAFT - draft-ward-bgp-ipsec
draft-ward-bgp-ipsec
Internet Draft
David Ward
Document: draft-ward-bgp-ipsec-00.txt
Cisco Systems
Expires: 2002
January 2002
Securing BGPv4 using IPsec
Status of this Memo
This document is an Internet-Draft and is in full conformance
with all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet
Engineering Task Force (IETF), its areas, and its working
groups. Note that other groups may also distribute working
documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-
Drafts as reference material or to cite them other than as "work
in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Copyright Notice
Copyright (C) The Internet Society (2001). All Rights Reserved.
Abstract
This document discusses how BGPv4 may utilize IPsec to provide
authentication, integrity, confidentiality and replay
protection.
Table of Contents
Status of this Memo.........................................1
Copyright Notice............................................1
Abstract....................................................1
Ward Internet Draft - Expires July 2002
1
Securing BGPv4 using IPsec
February 2002
1. Introduction.............................................2
1.1 Terminology........................................3
1.2 Requirements language..............................3
2. BGPv4 security requirements..............................3
2.1 BGPv4 Security Proposal...........................4
2.2 Rekeying issues....................................5
2.3 IKE issues.........................................6
2.4 Transform issues...................................7
3. BGPv4/IPsec inter-operability guidelines.................8
3.1 BGPv4/IPsec binding................................9
3.2 Initiating a New BGPv4 Session....................10
3.3 Graceful BGPv4 Teardown...........................11
3.4 Non-graceful BGPv4 Teardown.......................12
3.5 Fragmentation Issues..............................12
3.6 Per-packet Security Checks........................14
3.7 IPsec Packet Integrity Assumptions................14
3.8 Transport mode versus tunnel mode.................14
3.9 IPsec tunnel mode addressing considerations.......16
3.10 NAT traversal for multihop peering sessions......18
4. Security considerations.................................18
4.1 IKE and BGPv4 authentication......................18
4.2 Certificate authentication........................19
4.3 Machine versus user certificates..................20
4.4 Pre-shared keys in IKE............................21
4.5 Use of AES in counter mode........................22
Acknowledgments............................................22
References.................................................22
Author's Addresses.........................................27
1. Introduction
BGP v4, described in [1], is a connection-oriented dynamic
routing protocol. A BGP session begins with an BGP OPEN message
being sent to a configured BGP Peer over TCP, followed by a
series of other steps to complete initialization. While the BGP
session may include mutual authentication [52] and negotiation
of session parameters [53], BGP does not define its own per-
packet authentication, integrity, confidentiality or replay
protection mechanisms.
Ward Internet Draft - Expires July 2002
2
Securing BGPv4 using IPsec
February 2002
IPsec is a protocol suite used to secure communications at the
network layer between two peers. The IPsec protocol suite is
specified within the IP Security Architecture [6], IKE [7],
IPsec Authentication Header (AH) [3], and IPsec Encapsulating
Security Payload (ESP) [4] documents. IKE is the key management
protocol while AH and ESP are used to protect IP traffic.
This draft proposes use of the IPsec protocol suite for
protecting BGP v4 traffic over IP networks, and discusses how
IPsec and BGP should be used together.
1.1 Terminology
BGP BGP is a peer-peer protocol in which peers
open TCP connections to other remote peers.
Initiator The BGP peering Initiator connects to a remote
peer on a well known TCP port <170> by sending an
OPEN message.
Remote Peer The BGP Remote Peer listens on the well-known TCP
port for incoming connections, and replies over
the same connection.
1.2 Requirements language
In this document, the key words "MAY", "MUST, "MUST NOT",
"optional", "recommended", "SHOULD", and "SHOULD NOT", are
to be interpreted as described in [2].
2. BGPv4 security requirements
The BGPv4 protocol is used to transmit routing update packets
over IP networks. Therefore, both the session and data packets
of BGP are vulnerable to attack. Examples of attacks include:
[1] An adversary may try to discover user identities by
snooping data packets.
[2] An adversary may try to modify packets (both
session and data).
[3] An adversary may try to hijack the BGPv4
connection.
Ward Internet Draft - Expires July 2002
3
Securing BGPv4 using IPsec
February 2002
[4] An adversary can launch denial of service attacks
by terminating BGP connections, such as by sending a TCP
reset.
[5] An adversary may attempt to disrupt the BGP peering
negotiation so as to weaken the BGP authentication
process or gain access to peer passwords.
To address these threats, the BGPv4 security implementation MUST
provide authentication, integrity and replay protection for
control and data packets. It MUST provide confidentiality for
control and data packets. An BGPv4 security implementation MUST
also provide a scalable approach to key management.
The current BGP protocol, and drafted authentication mechanisms
do not meet the security requirements as listed. BGPv4 md5 [52]
authentication provides mutual authentication between the local
and remote peer at connection origination, and secures session
and data traffic on a per packet basis but, does not provide
per-packet authentication, integrity, confidentiality or replay
protection, therefore leaving the BGPv4 peering session
vulnerable to attack. In addition, BGPv4 peering authentication,
outlined in [1], does not provide for a protected ciphersuite
negotiation. Therefore, BGP md5 authentication provides a weak
security solution.
2.1 BGPv4 Security Proposal
To provide authentication, integrity and replay protection of
BGP Packets, BGPv4 security implementations MUST support
transport mode ESP with NULL encryption and HMAC-SHA1
authentication. All the IPsec-mandated ciphersuites (described
in RFC 2406 [4] and RFC 2402 [3]), including NULL encryption
MUST be supported. Note that although an implementation MUST
support all IPsec ciphersuites, it is an operator choice which
ones will be used. The implementations MUST implement replay,
authentication and integrity protection mechanisms of IPsec.
All BGP security compliant implementations MUST implement IPsec
ESP in transport mode for securing both BGPv4 session and data
packets. If confidentiality is not used (e.g., BGPv4 data
traffic), ESP with NULL encryption may be used. Note that AH
mode is not suggested here as it may not be supported in future
Ward Internet Draft - Expires July 2002
4
Securing BGPv4 using IPsec
February 2002
versions of IPSec and ESP with NULL encryption has the same
functionality.
BGPv4 security MUST meet the key management requirements of the
IPsec protocol suite. IKE SHOULD be supported for
authentication, security association negotiation, and key
management using the IPsec DOI [5].
2.2 Rekeying issues
It is expected that BGP sessions may need to last for very long
intervals. It is unlikely but, possible that BGP may cycle
through the 32-bit IPsec sequence number space due to this
requirement.
As a result, BGPv4 implementations operating may in the future
be required to implement the IPsec sequence number extension,
described in [49]. Sequence number extension is still not
standardized and thus, NOT a requirement for the security
implementation at the time of this publication
Note that depending on the transform in use, it is possible that
rekeying will be required prior to exhaustion of the sequence
number space. Bellare et. al. have formalized this in [51],
showing that the insecurity of CBC mode increases as O(s^2/2^n),
where n is the block size in bits, and s is the total number of
blocks encrypted.
This formula sets a limit on the bytes that can be sent on a CBC
SA before a rekey is required:
B = s * n/8 = (n/8) * 2^(n/2)
Where:
B = maximum bytes sent on the SA
n = block size in bits
This means that cipher block size as well as key length needs to
be considered in the rekey decision. 3DES uses a block size n =
64 bits (2^3 bytes); this implies that the SA must be rekeyed
before B = (64/8) * (2^32) = 2^35 bytes are sent.
In terms of the sequence number space, for a 3DES encrypted
message of 512 = 2^9 bytes (2^6 blocks) this implies that the
Ward Internet Draft - Expires July 2002
5
Securing BGPv4 using IPsec
February 2002
key has become insecure after about 2^26 messages. This is s =
2^26 * 2^6 = 2^32 blocks and (2^32)^2/2^64 = 1. With the 3DES
cipher in CBC mode, it would be prudent to rekey more often,
such as every 2^20 messages or 2^29 bytes. These exceedingly
short rekey times may make it difficult to utilize 3DES
effectively to secure BGPv4.
In comparison, AES-CBC uses a block size of 128 bits (2^4
bytes). This enables B = (128/8) * (2^64) = 2^68 bytes to be
sent prior to requiring a rekey. This means that the required
rekey times are 2^33 times longer than for 3DES. AES-CBC mode
SHOULD be used in the BGPv4 security implementation. This
alleviates the need for requiring the sequence number extension
work [49].
In terms of the sequence number space, for an AES encrypted
message of 512 = 2^9 bytes (2^5 blocks) this implies that the
key has become insecure after about 2^59 messages (2^59 *
2^5)^2/2^128 = 1. This means that the entire current ESP
sequence space of 2^32 messages could be consumed without
compromising the key. AES would still permit a safe CBC mode
construction if the ESP sequence space were expanded to 48 bits,
since (2^48 * 2^5)^2/2^128 = 2^-22.
2.3 IKE issues
As noted in [48], there are situations where it is necessary for
IKE to be implemented in firmware. With the proliferation of
IPsec host implementations, these issues are most likely to
arise in future designs.
In such situations, it is important to keep the size of the IKE
implementation within strict limits. As noted in [48] an upper
bound on the size of an IKE implementation might be considered
to be 800 KB, with 80 KB enabling implementation in a wide range
of situations.
IKE implementations currently exist which meet the requirements.
Therefore, while removal of seldom used IKE functionality (such
as the nonce authentication methods) would reduce complexity,
BGPv4 implementations typically will not require this in order
to fit within the code size budget.
Ward Internet Draft - Expires July 2002
6
Securing BGPv4 using IPsec
February 2002
2.4 Transform issues
Since BGPv4 implementations may operate in different deployment
scenarios, the ability to offer IPsec security services with
some flexibility is a goal. Since support for multiple
algorithms multiplies the complexity and expense of system
design, one of the goals of the transform selection effort is to
find a minimal set of confidentiality and authentication
algorithms that are implementable.
In this specification, we primarily concern ourselves with IPsec
transforms that have already been specified. Where existing
algorithms do not gracefully scale for easy implementation, we
further consider algorithms for which transform specifications
are not yet complete, but for which parts are expected to be
available for inclusion in products shipping within the next 12
months. As the state of the art advances, the range of feasible
algorithms will broaden and additional mandatory-to-implement
algorithms may be considered.
This draft proposes that BGPv4 security implementations utilize
IPsec transport mode ESP. Section 5 of RFC 2406 [4] states:
"A compliant ESP implementation MUST support the following
mandatory-to-implement algorithms:
- DES in CBC mode
- HMAC with MD5
- HMAC with SHA-1
- NULL Authentication algorithm
- NULL Encryption algorithm
"
The DES algorithm is specified in [29]; implementation
guidelines are found in [30], and security issues are discussed
in [31],[43], [17]. The DES IPsec transform is defined in [32]
and the 3DES in CBC mode IPsec transform is specified in [33].
The MD5 algorithm is specified in [8]; HMAC is defined in [19]
and security issues with MD5 are discussed in [19]. The HMAC-MD5
IPsec transform is specified in [24]. The HMAC-SHA1 IPsec
transform is specified in [25].
In addition to these existing algorithms, NIST is currently
evaluating the following modes [37] of AES, defined in [34],
[35]:
Ward Internet Draft - Expires July 2002
7
Securing BGPv4 using IPsec
February 2002
AES in Electronic Codebook (ECB) confidentiality mode
AES in Cipher Block Chaining (CBC) confidentiality mode
AES in Cipher Feedback (CFB) confidentiality mode
AES in Output Feedback (OFB) confidentiality mode
AES in Counter (CTR) confidentiality mode
AES CBC-MAC authentication mode
The Modes [36] effort is also considering a number of additional
algorithms, including the following:
PMAC
HMAC-SHA1 [25] is to be preferred to HMAC-MD5, due to
concerns that have been raised about the security of MD5
[9]. HMAC-SHA1 parts are currently available and an
IPsec transform specification [25] exists. As a result,
it is most practical to utilize HMAC-SHA1 as the
authentication algorithm for products shipping in the
near future. As a result, BGPv4 security implementations
MUST implement HMAC with SHA1.
The HMAC-SHA2 algorithm [28] is also under development,
including an IPsec transform [45], so that this may merit
consideration in the future. Authentication transforms also
exist that are considerably more efficient to implement than
either HMAC-SHA1 or HMAC-SHA2. UMAC [27],[44] is more efficient
to implement in software and PMAC [26] is more efficient to
implement in hardware. PMAC is currently being evaluated as
part of the NIST modes effort [36] but an IPsec transform does
not yet exist; neither does a UMAC transform.
For confidentiality, the ESP mandatory-to-implement algorithm
(DES) is unacceptable for use with BGPv4 security. As noted in
[17], DES is crackable with modest computation resources, and so
is inappropriate for use in situations requiring high levels of
security. As a result, DES SHOULD NOT be used for encrypting
BGP.
3. BGPv4/IPsec inter-operability guidelines
The following guidelines are established to meet BGPv4 security
requirements using IPsec in practical situations.
Ward Internet Draft - Expires July 2002
8
Securing BGPv4 using IPsec
February 2002
3.1 BGPv4/IPsec binding
An BGPv4 session [1], composed of one (or more) TCP connections,
is identified by the 2-tuple of the Initiator-defined identifier
and the Remote Peer-defined identifier, <ISID, TSID>. Each
connection within a given session is assigned a unique
Connection Identification, CID. The TCP connection is identified
by the 5-tuple <Source IP address, Destination IP address, TCP,
Source Port, Destination Port>. An IPsec Phase 2 SA is
identified by the 3-tuple <ESP, destination address, SPI>.
The BGPv4 session and connection information is carried within
the BGPv4 Open Message, transported over TCP. Since an BGPv4
initiator may have multiple logical and interfaces, BGPv4
sessions may be initiated from different IP addresses.
Similarly, multiple BGPv4 Remote Peers may exist behind a single
IP address (firewall, NAT gateway), so that there may be
multiple BGPv4 sessions between a given <source IP address,
destination IP address> pair.
The relationship between BGPv4 sessions, TCP connections and IKE
Phase 1 and Phase 2 SAs is as follows:
[1] An BGPv4 initiator or Remote Peer may have more
than one interface, and therefore may have multiple IP
addresses. Also, multiple BGPv4 initiators and Remote
Peers may exist behind a single IP address. As a
result, an BGPv4 Session may correspond to multiple IKE
Phase 1 Security Associations, though typically a single
IKE Phase 1 security association will exist for an
<Initiator IP address, Remote Peer IP address> tuple.
[2] The TCP connection corresponding to the BGPv4
Session is protected by a separate IKE Phase 2 SA, with
descriptors specific to that TCP connection. Each IKE
Phase 2 SA protects only a single TCP connection, and
each TCP connection is transported under only one IKE
Phase 2 SA. BGPv4 security implementations need not
verify that the IP addresses and TCP port values in the
packet match the socket information which was used to
setup the connection. This check will be performed by
IPsec, preventing malicious peers from sending commands
on inappropriate Quick Mode SAs.
Given this, all the information needed for the BGPv4/IPsec
binding is contained within the configuration for the BGPv4
Ward Internet Draft - Expires July 2002
9
Securing BGPv4 using IPsec
February 2002
Initiator and Remote Peer. This includes the binding between an
IKE Phase 1 SA and the corresponding BGPv4 sessions, as well as
the binding between an IPsec Phase 2 SA and the TCP connection
and BGPv4 connection ID.
3.2 Initiating a New BGPv4 Session
In order to create a new BGPv4 Session, an Initiator
implementing BGPv4 security first establishes IKE Phase 1 and
Phase 2 SAs, then exchanges BGPv4 control messages over an
IPsec-secured TCP connection. The BGPv4 Initiator contacts the
Remote Peer on well-known TCP port <170>. The Initiator and
Remote Peer MUST successfully complete the IKE phase 1 and Phase
2 negotiations before the initial TCP connection setup messages
are exchanged so that these messages can be IPsec protected.
From this point forward, subsequent BGPv4 connections
established within the BGPv4 session will be protected by IKE
Phase 2 SAs derived from the IKE Phase 1 SA. Note that this
requirement also for the use of both the BGPv4 IPSec security
implemenation and md5 authentication [52] but, it is not a
practial deployment scenario. The dual deployment would be
wasteful of CPU resources and would not provide an improved
security implementation or deployment.
In the Phase 2 Quick Mode exchanges used to protected individual
BGPv4 connections, the Identity Payload fields MUST be present.
These fields carry the source and destination addresses and
source and destination ports of the BGPv4 Initiator and Remote
Peers, thus binding the Phase 2 security association to specific
TCP and BGPv4 connections. The IKE Quick Mode ID payloads MUST
carry individual addresses, and MUST NOT use the IP Subnet or IP
Address Range formats.
Once the IKE Phase 2 negotiations are complete and the TCP
connection is established over IPsec, the BGPv4 Initiator MUST
send the BGPv4 OPEN command over the TCP connection secured by
the recently negotiated Quick Mode SA.
The Initiator fills in the ISID field, and leaves the TSID field
set to zero, to indicate that it is the first message of a new
session establishment exchange. The Initiator also fills in a
CID value, which is associated with the BGPv4 connection
corresponding to the TCP connection secured by the Quick Mode
SA. When the BGPv4 Remote Peer replies with its OPEN Command,
both BGPv4 devices will know the TSID, and therefore the BGPv4
session identifier <ISDI, TSID>.
Ward Internet Draft - Expires July 2002
10
Securing BGPv4 using IPsec
February 2002
At this point, a binding is established between the BGPv4
session identifier and the IKE Phase 1 SAs. A single BGPv4
session identifier may have multiple associated IKE Phase 1 SAs,
and each IKE Phase 1 SA may have multiple associated BGPv4
session identifiers. In addition, a binding is established
between the BGPv4 connection identifier CID, the TCP connection
5-tuple, and the IPsec SA, as identified by the <ESP,
destination address, SPI> combination. Each BGPv4 connection
corresponds to a single TCP connection and IPsec SA.
Within IKE, each key refresh requires that a new security
association be established. In practice there is a time
interval during which an old, about-to-expire SA and newly
established SA will both be valid. The IPsec implementation
will choose which security association to use based on local
policy, and BGPv4 concerns play no role in this selection
process.
3.3 Graceful BGPv4 Teardown
Mechanisms within BGPv4 provide for both graceful and non-
graceful teardown of BGPv4 Sessions or individual TCP
connections within a given session. The BGPv4 close or graceful
restart message is used to effect graceful teardown. This
command allows the BGPv4 Initiator to request that the session
be closed.
When the BGPv4 implementation wishes to close a session, it MUST
use the appropriate BGPv4 commands to accomplish this. After
exchanging the appropriate BGPv4 control messages for session
closure, the BGPv4 security implementation SHOULD initiate a
half-close of each TCP connection within the BGPv4 session.
Since a given IKE Phase 1 SA may be bound to multiple BGPv4
sessions (although very unlikely) and the SA can also possibly
be shared by non-BGP traffic (for the same source and
destination IP addresses) the BGPv4 implementation will only
signal the deletion the IKE Phase 1 SAs bound to the BGPv4
session if there are no remaining BGPv4 sessions bound to those
SAs. For those Phase 1 SAs that are deleted, the BGPv4 security
implementation will also signal the IKE Phase 2 SAs bound to
them. The actual responsibility of deleting the SA will be given
to the IKE implementation.
When the BGPv4 security implementation wishes to close an
individual TCP connection while leaving the parent BGPv4 session
Ward Internet Draft - Expires July 2002
11
Securing BGPv4 using IPsec
February 2002
active, it SHOULD half-close the TCP connection. This results in
a FIN being sent, putting the TCP connection into the FIN WAIT-1
state, as described in [10]. After the other side responds, the
TIME WAIT state is entered. After the expiration of the TIME
WAIT timeout, the IKE Phase 2 security association bound to the
TCP connection MUST be deleted. Closing the TCP connection prior
to deleting the IKE Phase 2 SA ensures that all the TCP packets
sent on the connection are IPsec-protected.
3.4 Non-graceful BGPv4 Teardown
If the BGPv4 security implementation becomes aware that a given
TCP connection has unexpectedly failed, it SHOULD delete the
associated IKE Phase 2 security association. If the IKE
implementation receives a Phase 2 Delete message for a security
association bound to a TCP connection, it SHOULD notify the
BGPv4 security implementation. If the TCP connection whose SA
was deleted is one which a CLOSE sequence marked for removal
from the BGPv4 session, then the IKE Phase 2 Delete message
serves as confirmation that the BGPv4 peer has executed an BGPv4
teardown process for the connection. The BGPv4 connection state
and any associated filters can now be safely removed.
BGPv4 keep-alive messages, notification and update messages
provide the capability to detect or signal when a non-graceful
restart has occurred. Whenever teardown events occur, causing
the peer session to close, the control connection teardown
mechanism defined in [1] must be used. Once the BGPv4 peering
session is deleted by either peer, any phase 1 and phase 2 SA's
which still exist as a result of the session between the peers
SHOULD be deleted. Phase 1 and phase 2 delete messages SHOULD
be sent when this occurs. This should in no way interfere with
BGPv4 Graceful Restart mechanisms [graceful restart].
3.5 Fragmentation Issues
Fragmentation can become a concern when prepending IPsec headers
to a BGP PDU. One mechanism which can be used to reduce this
problem is to utilize path MTU discovery within the TCP
transport protocol. For example, when TCP is used as the BGPv4
transport, then path MTU discovery [11]-[13], SHOULD be used to
enable the TCP endpoints to discover the correct MTU, including
effects due to IPsec encapsulation.
Ward Internet Draft - Expires July 2002
12
Securing BGPv4 using IPsec
February 2002
However, Path MTU discovery fails when appropriate ICMP messages
are not received by the host. This occurs in IPsec
implementations which drop unauthenticated ICMP packets. This
can result in blackholing in nave TCP implementations, as
described in [RFC2923]. Appropriate TCP behavior is described
in section 2.1 of [RFC2923]:
"TCP should notice that the connection is timing out.
After several timeouts, TCP should attempt to send
smaller packets, perhaps turning off the DF flag for
each packet. If this succeeds, it should continue to
turn off PMTUD for the connection for some reasonable
period of time, after which it should probe again to try
to determine if the path has changed."
If an ICMP PMTU is received by an IPsec implementation that
processes unauthenticated ICMP packets, this value should be
stored in the SA as proposed in [RFC2401], and IPsec should also
provide notification of this event to TCP so that the new MTU
value can be correctly reflected.
When certificate authentication is used, IKE fragmentation can
be encountered. This can occur when certificate chains are used,
or even when exchanging a single certificate if the key size, or
size of other certificate fields (such as the distinguished name
and other OIDs) is arge enough. Many Network Address Translators
(NATs) and firewalls do not handle fragments properly, dropping
them on inbound and/or outbound.
Routers in the path will also frequently discard fragments after
the initial one, since they typically will not contain full IP
headers that can be compared against an Access List.
As a result, where IKE fragmentation occurs, the endpoints will
often be unable to establish an IPsec security association. The
solution to this problem is to install NAT, firewall or router
code load that can properly support fragments. If this cannot be
done, then the following alternatives can be considered:
[1] Obtaining certificates by other means.
[2] Reducing the size of the certificate chain.
[3] Reducing the size of fields within the
certificates. This includes reduction in the key size,
Ward Internet Draft - Expires July 2002
13
Securing BGPv4 using IPsec
February 2002
the distinguished name or other fields. This should be
considered only as a last resort.
3.6 Per-packet Security Checks
When a packet arrives from a connection which requires security,
BGP MUST check to ensure that the packet was decrypted and/or
authenticated by IPsec. Since IPsec already verifies that the
packet arrived in the correct SA, BGPv4 can be assured that the
packet was indeed sent by a trusted peer.
When used with BGP, IPsec will negotiate a separate Phase 2 SA
for each TCP connection, with IPsec filters specific to the TCP
connection. As a result, only traffic for a single TCP
connection will flow within each IPsec Phase 2 SA. BGPv4
security implementations need not verify that the IP addresses
and TCP port values in the packet match the socket information
which was used to setup the BGPv4 connection. This check will be
performed by IPsec, preventing malicious peers from sending
BGPv4 session packets on inappropriate Quick Mode SAs.
3.7 IPsec Packet Integrity Assumptions
BGP's error detection and recovery assumes that the TCP and IP
checksums provides adequate integrity protection.
IPsec per-packet authentication and integrity protection offers
strong protection against an attacker attempting to modify
packets In transit, as well as unintentional packet
modifications caused by router malfunctions. This protection is
considerably stronger than the 16-bit TCP checksum [11]. Since
IPsec integrity protection occurs below TCP, if an error is
discovered, then the packet will be discarded and TCP
retransmission will occur, so that no recovery action need be
taken at the BGP layer.
3.8 Transport mode versus tunnel mode
With respect to the BGPv4 security implemenation, the major
differences between the IPsec tunnel mode and transport mode are
as follows:
[1] MTU considerations. Tunnel mode introduces an
additional IP header into the datagram that reflects
itself in a corresponding decrease in the path MTU seen
Ward Internet Draft - Expires July 2002
14
Securing BGPv4 using IPsec
February 2002
by packets traversing the tunnel. This may result in a
decrease in the maximum segment size of TCP connections
running over the tunnel.
[2] Address assignment and configuration. Within IPsec
tunnel mode, it is necessary for inner and outer source
addresses to be configured, and for inner and outer
destination addresses to be discovered. Within transport
mode it is only necessary to discover a single
destination address and configure a single source
address.
[3] NAT traversal. As noted in [20], IPsec tunnel mode
ESP can traverse NAT in limited circumstances, whereas
transport mode ESP cannot traverse NAT. To enable NAT
traversal in the general case, the IPsec NAT traversal
functionality described in [21], [22], [23] can be
implemented. More details are provided in the next
section.
[4] Connection-specific selectors. For both transport
and tunnel mode, it is possible to negotiate connection-
specific selectors, so that only a single BGPv4
connection will be protected by an IKE Phase 2 SA.
However, while negotiation of connection-specific
selectors is common within IPsec transport mode
implementations, IPsec security gateway implementations
typically negotiate "ANY to ANY" selectors by default.
[5] Firewall traversal. Where a BGPv4 connection is to
traverse administrative domains, the firewall
administrator may desire to verify the integrity and
authenticity of each transiting packet, rather than
opening a hole in the firewall for BGPv4. IPsec tunnel
mode lends itself to such verification, since the
firewall can terminate the tunnel mode connection while
still allowing the endpoints to communicate end-to-end.
If desired, the endpoints can in addition utilize IPsec
transport mode for end-to-end security, so that they can
also verify authenticity and integrity of each packet
for themselves. In contrast, carrying out this
verification with IPsec transport mode is more complex,
since the firewall will need to terminate the IPsec
transport mode connection and will need to act as a TCP
proxy, originating a new Ipsec transmport mode
connection from the firewall to the internal endpoint.
Ward Internet Draft - Expires July 2002
15
Securing BGPv4 using IPsec
February 2002
Such an implementation cannot provide end-to-end
authenticity or integrity protection.
[6] IPsec-application integration. Where IPsec and the
application layer protocol are implemented on the same
device or host, it is possible to enable tight
integration between them. For example, the application
layer can request and verify that connections are
protected by IPsec, and can obtain attributes of the
IPsec security association. While in transport mode
implementations the IPsec and application protocol
implementations typically reside on the same host, with
IPsec tunnel mode, they may reside on different hosts.
Where IPsec is implemented on an external gateway,
integration between the application and IPsec is
typically not possible. This limits the ability of the
application to control and verify IPsec behavior.
3.9 IPsec tunnel mode addressing considerations
IPsec tunnels include both inner and outer source as well as
destination addresses.
When used with BGPv4, the inner destination address represents
the address of the BGPv4 peer (e.g. the ultimate destination for
the packet). The inner destination address can be discovered
using SLP or can be resolved from an FQDN via DNS, so that
obtaining this address is typically not an issue.
The outer destination address represents the address of the
IPsec security gateway used to reach the peer. Several
mechanisms have been proposed for discovering the IPsec security
gateway used to reach a particular peer. [55] discusses the use
of KX Resource Records (RRs) for IPsec gateway discovery.
However, while KX RRs are supported by many DNS server
implementations, they have not yet been widely deployed.
Alternatively, DNS SRV [54] can also be used for this purpose,
as can protocols such as Tunnel Endpoint Discovery [58].
When used with BGPv4, the outer source address is configured
either statically or dynamically, using mechanisms such as
DHCPv4 [56], DHCPV6 [57], or Stateless address autoconfiguration
[57].
Ward Internet Draft - Expires July 2002
16
Securing BGPv4 using IPsec
February 2002
The inner source address SHOULD be included in the quick mode ID
when the peer establishes a tunnel mode SA with the IPsec
security gateway. This enables the IPsec security gateway to
properly route packets back to the remote peer. The inner source
address can be configured via a variety of mechanisms, depending
on the scenario. Where the BGPv4 peers are located within the
same administrative domain, it is typically possible for the
inner and outer source addresses to be the same. This will work
because the outer source address is presumably assigned from
within a prefix assigned to the administrative domain, and which
is therefore routable within the domain. Assuming that the IPsec
security gateway is aware of the inner source address used by
the connecting peer and plumbs a host route for it, then packets
arriving at the IPsec security gateway destined for the address
can be correctly encapsulated and sent down the correct tunnel.
Where BGPv4 peers are located within different administrative
domains, it may be necessary for the inner source address to be
assigned by the IPsec security gateway, effectively "joining"
the remote host to the LAN attached to the IPsec security
gateway. For example, if the remote peer were to use its
assigned (outer) source address as the inner source address,
then a number of problems might result:
[1] Intrusion detection systems sniffing the LAN behind
the IPsec security gateway would notice source addresses
originating outside the administative domain.
[2] Reply packets might not reach their destination,
since the IPsec security gateway typically does not
advertise default, but rather only the prefix that it
allocates addresses from. Since the remote peer's
address does not originate from with a prefix native to
the administrative domain, it is likely that routers
within the domain would not have a route for it, and
would send the packet off to the border router, instead
of to the IPsec security gateway.
For these reasons, for inter-domain use, assignment of inner
source addresses may be needed. The use of DHCP within IPsec
tunnel mode has been proposed for this, as described in [55].
However, this mechanism is not yet widely deployed within IPsec
security gateways. Existing IPsec tunnel mode servers typically
implement the desired functionality via proprietary extensions
to IKE.
Ward Internet Draft - Expires July 2002
17
Securing BGPv4 using IPsec
February 2002
3.10 NAT traversal for multihop peering sessions
BGP security utilizes transport mode ESP. As noted in [20],
transport mode ESP cannot traverse NAT, even though ESP itself
does not include IP header fields within its message integrity
check. This is because the 16-bit TCP checksum is calculated
based on a "pseudo-header" that includes IP header fields, and
the checksum is protected by the IPsec message integrity check.
As a result, the TCP checksum will be invalidated by a NAT
located between the BGPv4 Initiator and Remote Peer.
Since TCP checksum calculation and verification is mandatory in
both IPv4 and IPv6, it is not possible to omit checksum
verification while remaining standards compliant. In order to
enable traversal of NAT existing between BGPv4 Initiators and
Remote Peers, while remaining in compliance, BGPv4/IPsec
implementations MAY implement IPsec/IKE NAT traversal, as
described in [20]-[23].
The IPsec/IKE NAT traversal specification [23] enables UDP
encapsulation of IPsec to be negotiated if a NAT is detected in
the path. By determining the IP address of the NAT, the TCP
checksum can be calculated based on a pseudo-header including
the NAT-adjusted address and ports. If this is done prior to
calculating the IPsec message integrity check, TCP checksum
verification will not fail.
4. Security considerations
IPsec IKE negotiation MUST negotiate an authentication method
specified in the IKE RFC 2409 [7]. In this section, we discuss
authentication issues.
4.1 IKE and BGPv4 authentication
While BGPv4 provides initial authentication [52], it does not
provide per-packet authentication, integrity or replay
protection. This implies that the identity verified in the BGPv4
OPEN is not subsequently verified on reception of each packet.
With IPsec, when the identity asserted in IKE is authenticated,
the resulting derived keys are used to provide per-packet
authentication, integrity and replay protection. As a result,
Ward Internet Draft - Expires July 2002
18
Securing BGPv4 using IPsec
February 2002
the identity verified in the IKE conversation is subsequently
verified on reception of each packet.
Let us assume that the identity claimed in BGPv4 OPEN is a user
identity, while the identity claimed within IKE is a machine
identity. Since only the machine identity is verified on a per-
packet basis, there is no way for the recipient to verify that
only the user authenticated via BGPv4 OPEN is using the IPsec
SA.
In fact, IPsec implementations that only support machine
authentication typically have no way to distinguish between user
traffic within the kernel. As a result, where machine
authentication is used, once a BGPv4/IPsec SA is opened, another
user on a multi-user machine may be able to send traffic down
the IPsec SA. If a network is operated by different
administrative groups with different security privileges for
configuration or operational duties then per user authentication
may be applicable.
To limit the potential vulnerability, BGP security
implementations MUST negotiate a separate IPsec Phase 2 SA for
each BGP peering session, with descriptors specific to that
connection. This will prevent traffic for other BGP peers from
travel within the IPsec SA negotiated for another BGPv4
connection. As a result, if access to the TCP socket used for
the BGPv4 connection is exclusive to a single user, then access
to the corresponding IPsec SA will also be exclusive, even if
the IPsec implementation only supports machine authentication.
If the IPsec implementation supports user authentication, the
user identity asserted within IKE will be verified on a per-
packet basis, and stronger assurances can be provided. In this
case, the user identity asserted within IKE will be verified on
a per-packet basis. In order to provide segregation of traffic
between peers When user authentication is used, the sender MUST
ensure that only traffic from that particular user is sent down
the BGPv4 SA. Enforcement of this restriction is the
responsibility of the operating system.
4.2 Certificate authentication
When X.509 certificate authentication is chosen within IKE, the
BGPv4 Remote Peer is expected to use an IKE Certificate Request
Payload (CRP) to request from the Initiator a certificate issued
Ward Internet Draft - Expires July 2002
19
Securing BGPv4 using IPsec
February 2002
by a particular certificate authority or may use several CRPs if
several certificate authorities are trusted and configured in
its IPsec IKE authentication policy.
The BGPv4 remote peer SHOULD be able to trust several
certificate authorities in order to allow BGP session Initiators
to connect to it using their own certificate credential from
their chosen PKI. Client and server side certificate revocation
list checking MAY be enabled on a per-CA basis, since
differences in revocation list checking exist between different
PKI providers.
4.3 Machine versus user certificates
The certificate credentials provided by the BGPv4 Initiator
during the IKE negotiation MAY be those of the machine or of the
BGPv4 user (router administrator or perhaps the operator
performing BGP configuration). When machine authentication is
used, the machine certificate is typically stored on the BGPv4
Initiator and Remote Peer during an enrollment process. When
user certificates are used, the user certificate can be stored
either on the machine or on a smartcard.
Since the value of a machine certificate is inversely
proportional to the ease with which an attacker can obtain one
under false pretenses, it is advisable that the machine
certificate enrollment process be strictly controlled. For
example, only administrators may have the ability to enroll a
machine with a machine certificate.
While smartcard certificate storage lessens the probability of
compromise of the private key, smartcards are not necessarily
desirable in all situations. For example, some organizations
deploying machine certificates use them so as to restrict use of
non-approved hardware. Since user authentication can be provided
within BGPv4 (keeping in mind the weaknesses described earlier),
support for machine authentication in IPsec makes it is possible
to authenticate both the machine as well as the user.
In circumstances in which this dual assurance is considered
valuable, enabling movement of the machine certificate from one
machine to another, as would be possible if the machine
certificate were stored on a smart card, may be undesirable.
Similarly, if user certificates are deployed, it is advisable
for the user enrollment process to be strictly controlled. If
Ward Internet Draft - Expires July 2002
20
Securing BGPv4 using IPsec
February 2002
for example, a user password can be readily used to obtain a
certificate (either a temporary or a longer term one), then that
certificate has no more security value than the password. To
limit the ability of an attacker to obtain a user certificate
from a stolen password, the enrollment period can be limited,
after which password access will be turned off. Such a policy
will prevent an attacker obtaining the password of an unused
account from obtaining a user certificate once the enrollment
period has expired.
4.4 Pre-shared keys in IKE
Use of pre-shared keys in IKE main mode is vulnerable to man-in-
the-middle attacks when used with dynamically addressed
Initiators. In main mode it is necessary for SKEYID_e to be used
prior to the receipt of the identification payload. Therefore
the selection of the pre-shared key may only be based on
information contained in the IP header. However, where dynamic
IP address assignment is used, it is often not possible to
identify the required pre-shared key based on the IP address.
The main concern here is in the case of auto-configuration of
routers by a central administrative unit introducing the new
equipment into the network.
Thus when main mode pre-shared keys are used with BGPv4, the
same pre-shared key is shared by a group of Initiators and is no
longer able to function as an effective shared secret. In this
situation, neither the client nor the server identifies itself
during IKE phase 1; it is only known that both parties are a
member of the group with knowledge of the pre-shared key. This
permits anyone with access to the group pre-shared key to act as
a man-in-the-middle.
This vulnerability does not occur in aggressive mode since the
identity payload is sent earlier in the exchange, and therefore
the pre-shared key can be selected based on the identity.
However, when aggressive mode is used the user identity is
exposed and this is often considered undesirable.
As a result, where main mode is used with pre-shared keys,
unless BGPv4 performs mutual authentication, the Remote Peer is
not authenticated. This enables a rogue Remote Peer in
possession of the group pre-shared key to successfully
masquerade as the actual Remote Peer and mount a dictionary
attack on legacy authentication methods such as CHAP [47]. Such
an attack could potentially compromise many passwords at a time.
Ward Internet Draft - Expires July 2002
21
Securing BGPv4 using IPsec
February 2002
This vulnerability is widely present in existing IPsec
implementations.
To avoid this problem, BGPv4/IPsec implementations SHOULD NOT
use a group pre-shared key for IKE authentication with main
mode. If pre-shared keys are required, then aggressive mode
SHOULD be used. IKE pre-shared authentication key values SHOULD
be protected in a manner similar to the user's account password.
4.5 Use of AES in counter mode
When AES in counter mode is used, it is important to avoid reuse
of the counter with the same key, even across all time. Counter
mode creates ciphertext by XORing generated key stream with
plaintext. It is fairly easy to recover the plaintext from two
messages counter mode encrypted under the same counter value,
simply by XORing together the two packets. The implication of
this is that it is almost always an error to use IPsec manual
keying with counter mode, except when the implementation takes
heroic measures to maintain state across sessions.
Another counter mode issue is it makes forgery of correct
packets trivial. Counter mode should therefore never be used
without also using data authentication.
Acknowledgments
Thanks to Bernard Aboba of Microsoft, Steven Chiang, Mark
Knopper, and Russ White of Cisco Systems and Susan Hares of
Nexthop for reviewing this draft. Also great thanks goes to all
the authors of draft-ietf-ips-security-09.txt and RFC 3193 as
this draft is directly reusing their work and words.
References
[1] Rekhter, Y. and T. Li (editors), "A Border Gateway Protocol
4 (BGP-4)", Internet Draft draft-ietf-idr-bgp4-17.txt, January
2002.
[2] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[3] Kent,S., Atkinson, R., "IP Authentication Header", RFC
2402, November 1998.
Ward Internet Draft - Expires July 2002
22
Securing BGPv4 using IPsec
February 2002
[4] Kent,S., Atkinson, R., "IP Encapsulating Security Payload
(ESP)", RFC 2406, November 1998.
[5] Piper, D., "The Internet IP Security Domain of
Interpretation of ISAKMP", RFC 2407, November 1998.
[6] Atkinson, R., Kent, S., "Security Architecture for the
Internet Protocol", RFC 2401, November 1998.
[7] Harkins, D., Carrel, D., "The Internet Key Exchange (IKE)",
RFC 2409, November 1998.
[8] Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
April 1992.
[9] Dobbertin, H., "The Status of MD5 After a Recent Attack",
CryptoBytes Vol.2 No.2, Summer 1996.
[10] Postel, J., "Transmission Control Protocol", STD 7, RFC
793, September 1981.
[11] Mogul, J., and S. Deering, "Path MTU Discovery", RFC 1191,
November 1990.
[12] Knowles, S., "IESG Advice from Experience with Path MTU
Discovery", RFC 1435, March 1993.
[13] McCann, J., Deering, S. and J. Mogul, "Path MTU Discovery
for IP version 6", RFC 1981, August 1996.
[14] Lahey, K., TCP Problems with Path MTU Discovery", RFC 2923,
September 2000.
[15] Paxon, V., "End-to-end internet packet dynamics", IEEE
Transactions on Networking 7,3 (June 1999) pg 277-292.
[16] Stone J., Partridge, C., "When the CRC and TCP checksum
disagree", ACM Sigcomm, Sept. 2000.
[17] Cracking DES, O'Reilly & Associates, Sebastapol, CA 2000.
[18] Krueger, M., et.al., "BGPv4 Requirements and Design
Considerations", draft-ietf-ips-BGPv4-reqmts-05.txt, Work in
Progress, July 2001.
Ward Internet Draft - Expires July 2002
23
Securing BGPv4 using IPsec
February 2002
[19] Krawczyk, H., Bellare, M. and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", RFC 2104, February 1997.
[20] Aboba, B., "IPsec-NAT Compatibility Requirements", draft-
ietf-IPsec-nat-reqts-00.txt, Work in Progress, June 2001.
[21] Huttunen, A. et. al., "UDP Encapsulation of IPsec Packets",
draft-ietf-IPsec-udp-encaps-00.txt, June 2001
[22] Dixon, W. et. al., "IPsec over NAT Justification for UDP
Encapsulation", draft-ietf-IPsec-udp-encaps-justification-
00.txt, June 2001
[23] Kivinen, T., et al., "Negotiation of NAT-Traversal in the
IKE",Internet draft (work in progress), draft-ietf-IPsec-nat-t-
ike-00.txt, June 2001.
[24] Madson, C., Glenn, R., "The Use of HMAC-MD5-96 within ESP
and AH", RFC 2403, November 1998.
[25] Madson, C., Glenn, R., "The Use of HMAC-SHA-1-96 within ESP
and AH", RFC 2404, November 1998.
[26] Rogaway, P., Black, J., "PMAC: Proposal to NIST for a
parallelizable message authentication code",
http://csrc.nist.gov/encryption/modes/proposedmodes/pmac/pmac-
spec.pdf
[27] Black, J., Halevi, S., Krawczyk, H., Krovetz, T., Rogaway,
P., "UMAC: Fast and provably secure message authentication",
Advancesin Cryptology - CRYPTO '99, LNCS vol. 1666, pp. 216-233.
Full version available from
http://www.cs.ucdavis.edu/~rogaway/umac
[28] "Descriptions of SHA-256, SHA-384, and SHA-512,"
http://csrc.nist.gov/cryptval/shs/sha256-384-512.pdf.
[29] U.S. DoC/NIST, "Data encryption standard (DES)", FIPS 46-3,
October 25, 1999.
[30] U.S. DoC/NIST, "Guidelines for implementing and using the
nbs data encryption standard", FIPS 74, Apr 1981.
[31] Biham, E., Shamir, A., "Differential Cryptanalysis of DES-
like cryptosystems", Journal of Cryptology Vol 4, Jan 1991.
Ward Internet Draft - Expires July 2002
24
Securing BGPv4 using IPsec
February 2002
[32] Madson, C., Doraswamy, N., "The ESP DES-CBC Cipher
Algorithm With Explicit IV", RFC 2405, November 1998.
[33] Pereira, R., Adams, R., "The ESP CBC-Mode Cipher
Algorithms", RFC 2451, November 1998.
[34] Daemen, J., Rijman, V., "AES Proposal: Rijndael," NIST AES
Proposal, June 1998.
http://csrc.nist.gov/encryption/aes/round2/AESAlgs/Rijndael/Rijn
dael.pdf
[35] Draft FIPS Publication ZZZZ, "Advanced Encryption Standard
(AES)", U.S. DoC/NIST, summer 2001.
[36] "Symmetric Key Block Cipher Modes of Operation,"
http://www.nist.gov/modes.
[37] "Recommendation for Block Cipher Modes of Operation",
National Institute of Standards and Technology (NIST) Special
Publication 800-XX, CODEN: NSPUE2, U.S. Government Printing
Office Washington, DC, July 2001.
[38] Frankel, S., Kelly, S., Glenn, R., "The AES Cipher
Algorithm and Its Use with IPsec", Internet draft (work in
progress), draft-ietf-IPsec-ciph-aes-cbc-01.txt, May 2001.
[39] Etienne, J., "The counter-mode and its use with ESP",
Internet draft (work in progress), draft-etienne-IPsec-esp-ctr-
mode-00.txt, May 2001.
[40] Lipmaa, H., Rogaway, P., Wagner, D., "CTR-MODE encryption",
Comment on mode of operations NIST, Jan 2001.
[41] Schneier, B., J. Kelsey, D. Whiting, D. Wagner, C. Hall,
and N. Ferguson, "Performance Comparison of the AES
Submissions", http://www.counterpane.com/AES-performance.html
[42] A. Bosselaers, "Performance of Pentium implementations",
http://www.esat.kuleuven.ac.be/~bosselae/
[43] Bellovin, S., "An Issue With DES-CBC When Used Without
Strong Integrity", Proceedings of the 32nd IETF, Danvers, MA,
April 1995.
[44] Krovetz, T., Black, J., Halevi, S., Hevia, A., Krawczyk,
H., Rogaway, P., "UMAC: Message Authentication Code using
Ward Internet Draft - Expires July 2002
25
Securing BGPv4 using IPsec
February 2002
Universal Hashing", Internet draft (work in progress), draft-
krovetz-umac-01.txt, October 2000.
[45] Frankel, S., Kelly, S., "The Use of SHA-256, SHA-384, and
SHA-512 within ESP, AH and IKE," Work in progress.
[46] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
RFC 2246, November 1998.
[47] Simpson, W.,"PPP Challenge Handshake Authentication
Protocol (CHAP)," RFC 1994, August 1996.
[48] Black, D., "iSCSI Security Requirements and SRP-based ESP
keys", Internet draft (work in progress), draft-black-ips-iscsi-
security-00.txt, July 2001.
[49] Steve Kent, IPsec sequence number extension proposal, IETF
50.
[50] American National Standard for Financial Services X9.52-
1998, "Triple Data Encryption Algorithm Modes of Operation",
American Bankers Association, Washington, D.C., July 29, 1998.
[51] Bellare, Desai, Jokippi, Rogaway, "A Concrete Treatment of
Symmetric Encryption: Analysis of the DES Modes of Operation",
1997, http://www-cse.ucsd.edu/users/mihir/
[52] Heffernan, Andy. Protection of BGP Sessions via the TCP
MD5 Signature Option, Internet draft, draft-ietf-idr-
rfc2385bis-00.txt, January 2002.
[53] Chandra, Scudder. Capabilities Advertisement with BGP-4,
Internet draft, draft-ietf-idr-rfc2842bis-00.txt, August 2002.
[54] Gulbrandsen , A., . Vixie, P., Esibov, L. "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
February 2000.
[55] Gulbrandsen , A., . Vixie, P., Esibov, L. "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
February 2000.
[56] Patel, B., Aboba, B., Kelly, S., Gupta, V., "DHCPv4
Configuration of IPsec Tunnel Mode", Internet draft (work in
progress), draft-ietf-ipsec-dhcp-13.txt, June 2001
Ward Internet Draft - Expires July 2002
26
Securing BGPv4 using IPsec
February 2002
[57] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 2373, July 1998.
[58] Fluhrer, S., "Tunnel Endpoint Discovery", Internet draft
(work in progress), draft-fluhrer-ted-00.txt, November 2001.
Author's Addresses
David Ward
Cisco
408 St Peter Street
Suit 600
St Paul MN 55102 Phone: 1 612 865 8972
Email: dward@cisco.com
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of
any intellectual property or other rights that might be claimed
to pertain to the implementation or use of the technology
described in this document or the extent to which any license
under such rights might or might not be available; neither does
it represent that it has made any effort to identify any such
rights. Information on the IETF's procedures with respect to
rights in standards-track and standards- related documentation
can be found in BCP-11. Copies of claims of rights made
available for publication and any assurances of licenses to be
made available, or the result of an attempt made to obtain a
general license or permission for the use of such proprietary
rights by implementors or users of this specification can be
obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention
any copyrights, patents or patent applications, or other
proprietary rights which may cover technology that may be
required to practice this standard. Please address the
information to the IETF Executive
Director.
Full Copyright Statement
Copyright (C) The Internet Society (2001). All Rights Reserved.
Ward Internet Draft - Expires July 2002
27
Securing BGPv4 using IPsec
February 2002
This document and translations of it may be copied and furnished
to others, and derivative works that comment on or otherwise
explain it or assist in its implementation may be prepared,
copied, published and distributed, in whole or in part, without
restriction of any kind, provided that the above copyright
notice and this paragraph are included on all such copies and
derivative works. However, this document itself may not be
modified in any way, such as by removing the copyright notice or
references to the Internet Society or other Internet
organizations, except as needed for the purpose of developing
Internet standards in which case the procedures for copyrights
defined in the Internet Standards process must be followed, or
as required to translate it into languages other than English.
The limited permissions granted above are perpetual and will not
be revoked by the Internet Society or its successors or assigns.
This document and the information contained herein is provided
on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE
OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY
IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE."
Ward Internet Draft - Expires July 2002
28
Securing BGPv4 using IPsec
February 2002
Expiration Date
This memo is filed as <draft-ward-bgpv4-IPsec-00.txt>, and
expires MM DD, 2002.
Ward Internet Draft - Expires July 2002
29