
Feature Request: TCP-AO (RFC 5925)

Open netravnen opened this issue 5 years ago • 9 comments

Feature Request: Support for TCP Authentication Option

This document specifies the TCP Authentication Option (TCP-AO), which obsoletes the TCP MD5 Signature option of RFC 2385 (TCP MD5). TCP-AO specifies the use of stronger Message Authentication Codes (MACs), protects against replays even for long-lived TCP connections, and provides more details on the association of security with TCP connections than TCP MD5. TCP-AO is compatible with either a static Master Key Tuple (MKT) configuration or an external, out-of-band MKT management mechanism; in either case, TCP-AO also protects connections when using the same MKT across repeated instances of a connection, using traffic keys derived from the MKT, and coordinates MKT changes between endpoints. The result is intended to support current infrastructure uses of TCP MD5, such as to protect long-lived connections (as used, e.g., in BGP and LDP), and to support a larger set of MACs with minimal other system and operational changes. TCP-AO uses a different option identifier than TCP MD5, even though TCP-AO and TCP MD5 are never permitted to be used simultaneously. TCP-AO supports IPv6 and is fully compatible with the proposed requirements for the replacement of TCP MD5.

Reasons to consider implementation

  • Supported in the newest NOS releases by Nokia, Juniper, and Cisco. (1)
  • Stronger verification of BGP updates as a "successor" for MD5 message authentication.

Links

  1. The Routing Table Podcast: TCP Authentication Option – Greg Hankins and Ron Bonica
  2. RFC 5925
  3. BGP YANG Model for Service Provider Networks (draft-ietf-idr-bgp-model)
  4. Was a topic during the IETF 103 hackathon
  5. Search engine results on the topic
  6. GitHub vlolteanu/linux-tcp-ao
  7. FreeBSD svn branch andre/tcp-ao/

netravnen avatar Oct 03 '20 15:10 netravnen
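A worked example of the "traffic keys derived from the MKT" that the abstract above refers to, added here and not part of this issue, of FRR, or of the kernel patches linked below. It follows the KDF_HMAC_SHA1 construction of RFC 5926 and the per-direction context layout of RFC 5925 section 5.2 as I recall them, so the exact octet layout is an assumption rather than something this page confirms; the master key, addresses, ports and ISNs are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

LABEL = b"TCP-AO"          # RFC 5926 KDF label, ASCII without a terminator (assumption)
OUTPUT_LENGTH_BITS = 160   # KDF_HMAC_SHA1 yields a 160-bit traffic key
MKT = b"constructed-demo-master-key"   # constructed sample MKT, never reuse in production


def kdf_hmac_sha1(master_key: bytes, context: bytes) -> bytes:
    """HMAC-SHA1(MK, i || Label || Context || Output_Length), with i a single octet = 1."""
    msg = b"\x01" + LABEL + context + struct.pack("!H", OUTPUT_LENGTH_BITS)
    return hmac.new(master_key, msg, hashlib.sha1).digest()


def context(s_ip, d_ip, s_port, d_port, s_isn, d_isn) -> bytes:
    """Context = S-IP || D-IP || S-port || D-port || S-ISN || D-ISN (RFC 5925 sec. 5.2).
    Works for IPv4 and IPv6 addresses; ports are 16-bit and ISNs 32-bit, network order."""
    return (ipaddress.ip_address(s_ip).packed + ipaddress.ip_address(d_ip).packed
            + struct.pack("!HHII", s_port, d_port, s_isn, d_isn))


def traffic_keys(mkt, l_ip, r_ip, l_port, r_port, l_isn, r_isn):
    """The four per-connection traffic keys seen from the local endpoint.
    SYN keys use 0 for the ISN that is not yet known when the SYN is sent/received,
    so a new connection instance (new ISNs) gets fresh keys from the same MKT."""
    return {
        "send_syn":   kdf_hmac_sha1(mkt, context(l_ip, r_ip, l_port, r_port, l_isn, 0)),
        "recv_syn":   kdf_hmac_sha1(mkt, context(r_ip, l_ip, r_port, l_port, r_isn, 0)),
        "send_other": kdf_hmac_sha1(mkt, context(l_ip, r_ip, l_port, r_port, l_isn, r_isn)),
        "recv_other": kdf_hmac_sha1(mkt, context(r_ip, l_ip, r_port, l_port, r_isn, l_isn)),
    }


def mac_hmac_sha1_96(traffic_key: bytes, covered: bytes) -> bytes:
    """MAC_HMAC_SHA1_96: HMAC-SHA1 under the traffic key, truncated to 96 bits (12 octets)."""
    return hmac.new(traffic_key, covered, hashlib.sha1).digest()[:12]


if __name__ == "__main__":
    # Constructed BGP session: router A (192.0.2.1:179) <-> router B (192.0.2.2:40000)
    a = traffic_keys(MKT, "192.0.2.1", "192.0.2.2", 179, 40000, 1000, 2000)
    b = traffic_keys(MKT, "192.0.2.2", "192.0.2.1", 40000, 179, 2000, 1000)
    print("A send key == B receive key:", a["send_other"] == b["recv_other"])
```

Each side derives its own send/receive keys independently, and a segment authenticated with A's send key verifies under B's receive key only when both computed the same context; a reconnect with different ISNs yields different keys, which is the replay protection across connection instances the abstract describes.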

Someone needs to implement this in the linux kernel first. We have no way to do it from FRR until then

donaldsharp avatar Oct 03 '20 16:10 donaldsharp

I'm working on linux support and feedback would be welcome, especially regarding ABI.

https://lore.kernel.org/netdev/01383a8751e97ef826ef2adf93bfde3a08195a43.1626693859.git.cdleonard@gmail.com/

https://github.com/cdleonard/linux/commits/tcp_authopt

I tested interop using yabgp: https://github.com/smartbgp/yabgp/pull/122

cdleonard avatar Jul 19 '21 11:07 cdleonard

Posted https://github.com/FRRouting/frr/pull/9442

cdleonard avatar Aug 18 '21 20:08 cdleonard

@donaldsharp TCP AO support available in FRR now?

sakthishanmugam02 avatar Aug 10 '23 13:08 sakthishanmugam02

Nope.

ton31337 avatar Aug 10 '23 13:08 ton31337

Iteration 11 posted

https://www.phoronix.com/news/TCP-AO-Linux-Kernel-Updated

https://lore.kernel.org/lkml/[email protected]/

netravnen avatar Sep 12 '23 12:09 netravnen

stable FreeBSD tcp-ao link: https://www.freebsd.org/status/report-2013-01-2013-03.html#TCP-AO-Authentication-Option

opsec avatar Sep 26 '23 08:09 opsec

Is this supported in the kernel now, or is work ongoing? I saw this:

https://lwn.net/Articles/940178/

https://docs.kernel.org/networking/tcp_ao.html

but I don't know if support has been committed into the kernel ...

riw777 avatar Jun 24 '24 19:06 riw777

https://lore.kernel.org/all/?q=%22net/tcp_ao%22

https://docs.kernel.org/networking/tcp_ao.html

https://github.com/search?q=repo%3Atorvalds%2Flinux%20%22tcp_ao%22&type=code

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv6/tcp_ao.c

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/ipv4/tcp_ao.c

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/net/tcp_ao.h

netravnen avatar Jun 25 '24 15:06 netravnen