1. PW security measures
PWE3 – 65th IETF
21 March 2005
Yaakov (J) Stein

2. Reminder At IETF64 security threats were presented:
PWs have special features that may be exploited by hackers
PW control plane does not mandate authentication
PW user packets have no authentication/encryption options
draft-stein-pwe3-sec-req-00.txt reviews security requirements
here we will mention a few solution ideas …

3. Control Protocol Authentication
Problem
many of the attacks in draft-stein-pwe3-sec-req-00.txt can be avoided
if it is not possible to impersonate a PE
thus PWE control protocol needs a strong authentication mechanism
Solution 1 – MD5
use MD5 signature option (shared key per peer) per RFC3036
TCP segments of every LDP message (even hellos) are authenticated
MD5 may be replaced by SHA-1 or any other message digest
Solution 2 – authentication TLV for initialization
new optional TLV in the initialization message
use public key mechanism
reject if no authentication TLV or if authentication fails

4. PW Packet Authentication
Problems
PW label is the only identifier in packet
CW sequence number can be used for DoS attack
Solution
add optional authentication field between control word and payload
(becomes a control word extension)
lightweight option
32 bit CW extension (must be negotiated via a new LDP TLV)
computed based on limited-size input, for example:
sequence number + salt
sequence number + checksum of payload
heavyweight option
64 or 128 bit CW extension (must be negotiated via a new LDP TLV)
hash of sequence number + payload
WARNING: if performed in SW enables DoS attack

5. PW Packet Encryption at IETF-64 we discussed encrypting the PW payload
Problem
PW is not reliable – may lose packets (don’t even know how many bytes lost)
so, can’t use stream cipher, CBC, CFB, etc. modes
Solution 1
use ECB mode on sequence number + payload
(including sequence number blocks replay attacks)
Solution 2
generate per-packet key based on secret key and sequence number
use ECB mode on payload