Network Working Group A. Zinin Request for Comments: 5613 Alcatel-Lucent Obsoletes: 4813 A. Roy Category: Standards Track L. Nguyen Cisco Systems B. Friedman Google, Inc. D. Yeung Cisco Systems August 2009
OSPF Link-Local Signaling
OSPF is a link-state intra-domain routing protocol. OSPF routers exchange information on a link using packets that follow a well- defined fixed format. The format is not flexible enough to enable new features that need to exchange arbitrary data. This document describes a backward-compatible technique to perform link-local signaling, i.e., exchange arbitrary data on a link. This document replaces the experimental specification published in RFC 4813 to bring it on the Standards Track.
Status of This Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
This document describes an extension to OSPFv2 [OSPFV2] and OSPFv3 [OSPFV3] allowing additional information to be exchanged between routers on the same link. OSPFv2 and OSPFv3 packet formats are fixed and do not allow for extension. This document proposes appending an optional data block composed of Type/Length/Value (TLV) triplets to existing OSPFv2 and OSPFv3 packets to carry this additional information. Throughout this document, OSPF will be used when the specification is applicable to both OSPFv2 and OSPFv3. Similarly, OSPFv2 or OSPFv3 will be used when the text is protocol specific.
One potential way of solving this task could be introducing a new packet type. However, that would mean introducing extra packets on the network that may not be desirable and may cause backward compatibility issues. This document describes how to exchange data using standard OSPF packet types.
To perform link-local signaling (LLS), OSPF routers add a special data block to the end of OSPF packets or right after the authentication data block when cryptographic authentication is used. The length of the LLS block is not included into the length of the OSPF packet, but is included in the IPv4/IPv6 packet length. Figure 1 illustrates how the LLS data block is attached.
+---------------------+ -- -- +---------------------+ | IP Header | ^ ^ | IPv6 Header | | Length = HL+X+Y+Z | | Header Length | | Length = HL+X+Y | | | v v | | +---------------------+ -- -- +---------------------+ | OSPF Header | ^ ^ | OSPFv3 Header | | Length = X | | | | Length = X | |.....................| | X | X |.....................| | | | | | | | OSPFv2 Data | | | | OSPFv3 Data | | | v v | | +---------------------+ -- -- +---------------------+ | | ^ ^ | | | Authentication Data | | Y | Y | LLS Data | | | v v | | +---------------------+ -- -- +---------------------+ | | ^ | LLS Data | | Z | | v +---------------------+ --
Figure 1: LLS Data Block in OSPFv2 and OSPFv3
The LLS block MAY be attached to OSPF Hello and Database Description (DD) packets. The LLS block MUST NOT be attached to any other OSPF packet types on generation and MUST be ignored on reception.
The data included in the LLS block attached to a Hello packet MAY be used for dynamic signaling since Hello packets may be sent at any time. However, delivery of LLS data in Hello packets is not guaranteed. The data sent with DD packets is guaranteed to be delivered as part of the adjacency forming process.
This document does not specify how the data transmitted by the LLS mechanism should be interpreted by OSPF routers. As routers that do not understand LLS may receive these packets, changes made due to LLS block TLV's do not affect the basic routing when interacting with non-LLS routers.
A new L-bit (L stands for LLS) is introduced into the OSPF Options field (see Figures 2a and 2b). Routers set the L-bit in Hello and DD packets to indicate that the packet contains an LLS data block. In other words, the LLS data block is only examined if the L-bit is set.
+---+---+---+---+---+---+---+---+ | * | O | DC| L |N/P| MC| E | * | +---+---+---+---+---+---+---+-+-+
The Checksum field contains the standard IP checksum for the entire contents of the LLS block. Before computing the checksum, the checksum field is set to 0. If the checksum is incorrect, the OSPF packet MUST be processed, but the LLS block MUST be discarded.
Zinin, et al. Standards Track [Page 4]
RFC 5613 OSPF Link-Local Signaling August 2009
The 16-bit LLS Data Length field contains the length (in 32-bit words) of the LLS block including the header and payload.
Note that if the OSPF packet is cryptographically authenticated, the LLS data block MUST also be cryptographically authenticated. In this case, the regular LLS checksum is not calculated, but is instead set to 0.
The rest of the block contains a set of Type/Length/Value (TLV) triplets as described in Section 2.3. All TLVs MUST be 32-bit aligned (with padding if necessary).
Note that TLVs are always padded to a 32-bit boundary, but padding bytes are not included in the TLV Length field (though they are included in the LLS Data Length field in the LLS block header). Unrecognized TLV types are ignored.
This subsection describes a TLV called the Extended Options and Flags (EOF) TLV. The format of the EOF-TLV is shown in Figure 5.
Bits in the Value field do not have any semantics from the point of view of the LLS mechanism. Bits MAY be allocated to announce OSPF link-local capabilities. Bits MAY also be allocated to perform boolean link-local signaling.
Zinin, et al. Standards Track [Page 5]
RFC 5613 OSPF Link-Local Signaling August 2009
The length of the Value field in the EOF-TLV is 4 bytes.
The value of the Type field in the EOF-TLV is 1. The EOF-TLV MUST only appear once in the LLS data block.
This document defines a special TLV that is used for cryptographic authentication (CA-TLV) of the LLS data block. This TLV MUST only be included in the LLS block when cryptographic authentication is enabled on the corresponding interface. The message digest of the LLS block MUST be calculated using the same key and authentication algorithm as used for the OSPFv2 packet. The cryptographic sequence number is included in the TLV and MUST be the same as the one in the OSPFv2 authentication data for the LLS block to be considered authentic.
Figure 6: Format of Cryptographic Authentication TLV
Zinin, et al. Standards Track [Page 6]
RFC 5613 OSPF Link-Local Signaling August 2009
The value of the Type field for the CA-TLV is 2.
The Length field in the header contains the length of the data portion of the TLV including 4 bytes for Sequence Number and the length of the message digest block for the whole LLS block in bytes.
The Sequence Number field contains the cryptographic sequence number that is used to prevent simple replay attacks. For the LLS block to be considered authentic, the Sequence Number in the CA-TLV MUST match the Sequence Number in the OSPFv2 packet header Authentication field (which MUST be present). In the event of Sequence Number mismatch or Authentication failure, the whole LLS block MUST be ignored.
The CA-TLV MUST NOT appear more than once in the LLS block. Also, when present, this TLV MUST be the last TLV in the LLS block. If it appears more than once, only the first occurrence is processed and any others MUST be ignored.
The AuthData field contains the message digest calculated for the LLS data block up to the CA-TLV AuthData field (i.e., excludes the CA-TLV AuthData).
The CA-TLV is not applicable to OSPFv3 and it MUST NOT be added to any OSPFv3 packet. If found on reception, this TLV MUST be ignored.
LLS type values in the range of 32768-65536 are reserved for private use. The first four octets of the Value field MUST be the private enterprise code [ENTNUM]. This allows multiple vendor private extensions to coexist in a network.
The modifications to OSPF packet formats are compatible with standard OSPF since OSPF routers not supporting LLS will ignore the LLS data block after the OSPF packet or cryptographic message digest. As of this writing, there are implementations deployed with [RFC4813]- compliant software. Routers not implementing [RFC4813] ignore the LLS data at the end of the OSPF packet.
Careful consideration should be given to carrying additional LLS data, as it may affect the OSPF adjacency bring-up time due to additional propagation delay and/or processing time.
Security considerations inherited from OSPFv2 are described in [OSPFV2]. This technique provides the same level of security as the basic OSPFv2 protocol by allowing LLS data to be authenticated using the same cryptographic authentication that OSPFv2 uses (see Section 2.5 for more details).
Security considerations inherited from OSPFv3 are described in [OSPFV3] and [OSPFV3AUTH]. OSPFv3 utilizes IPsec for authentication and encryption. With IPsec, the AH (Authentication Header), ESP (Encapsulating Security Payload), or both are applied to the entire OSPFv3 payload including the LLS block.