--- 1/draft-ietf-ippm-ipsec-01.txt 2014-02-14 09:14:45.426881530 -0800 +++ 2/draft-ietf-ippm-ipsec-02.txt 2014-02-14 09:14:45.454882209 -0800 @@ -1,235 +1,174 @@ IPPM WG K. Pentikousis, Ed. Internet-Draft EICT Intended status: Standards Track Y. Cui -Expires: April 24, 2014 E. Zhang +Expires: August 18, 2014 E. Zhang Huawei Technologies - October 21, 2013 + February 14, 2014 Network Performance Measurement for IPsec - draft-ietf-ippm-ipsec-01 + draft-ietf-ippm-ipsec-02 Abstract - IPsec is a mature technology with several interoperable - implementations. Indeed, the use of IPsec tunnels is increasingly - gaining popularity in several deployment scenarios, not the least in - what used to be solely areas of traditional telecommunication - protocols. Wider IPsec deployment calls for mechanisms and methods - that enable tunnel end-users, as well as operators, to measure one- - way and two-way network performance in a standardized manner. - Unfortunately, however, standard IP performance measurement security - mechanisms cannot be readily used with IPsec. This document makes - the case for employing IPsec to protect the One-way and Two-Way - Active Measurement Protocols (O/TWAMP) and proposes a method which - combines IKEv2 and O/TWAMP as defined in RFC 4656 and RFC 5357, - respectively. This specification aims, on the one hand, to ensure - that O/TWAMP can be secured with the best mechanisms we have at our - disposal today while, on the other hand, it facilitates the - applicability of O/TWAMP to networks that have already deployed - IPsec. + The O/TWAMP security mechanism requires that endpoints (i.e. both the + client and the server) possess a shared secret. Since the currently- + standardized O/TWAMP security mechanism only supports a pre-shared + key mode, large scale deployment of O/TWAMP is hindered + significantly. At the same time, recent trends point to wider IKEv2 + deployment, which in turn calls for mechanisms and methods that + enable tunnel end-users, as well as operators, to measure one-way and + two-way network performance in a standardized manner. This document + discusses the use of keys derived from an IKE SA as the shared key in + O/TWAMP. If the shared key can be derived from the IKE SA, O/TWAMP + can support cert-based key exchange, which would allow for more + flexibility and efficiency. Such key derivation can also facilitate + automatic key management. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on April 24, 2014. + This Internet-Draft will expire on August 18, 2014. Copyright Notice - Copyright (c) 2013 IETF Trust and the persons identified as the + Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 3. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . 4 - 3.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 5 - 3.2. O/TWAMP-Test Security . . . . . . . . . . . . . . . . . . 6 - 3.3. O/TWAMP Security Root . . . . . . . . . . . . . . . . . . 7 - 3.4. O/TWAMP and IPsec . . . . . . . . . . . . . . . . . . . . 7 - 4. O/TWAMP for IPsec Networks . . . . . . . . . . . . . . . . . 8 - 4.1. Shared Key Derivation . . . . . . . . . . . . . . . . . . 8 - 4.2. Server Greeting Message Update . . . . . . . . . . . . . 9 - 4.3. Session Key Derivation . . . . . . . . . . . . . . . . . 11 - 4.3.1. Alternative 1 . . . . . . . . . . . . . . . . . . . . 12 - 4.3.2. Alternative 2 . . . . . . . . . . . . . . . . . . . . 14 - 5. Security Considerations . . . . . . . . . . . . . . . . . . . 15 - 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 - 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16 - 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 - 8.1. Normative References . . . . . . . . . . . . . . . . . . 16 - 8.2. Informative References . . . . . . . . . . . . . . . . . 16 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 + 3. O/TWAMP Security . . . . . . . . . . . . . . . . . . . . . . 3 + 3.1. O/TWAMP-Control Security . . . . . . . . . . . . . . . . 4 + 3.2. O/TWAMP-Test Security . . . . . . . . . . . . . . . . . . 5 + 3.3. O/TWAMP Security Root . . . . . . . . . . . . . . . . . . 6 + 4. O/TWAMP for IPsec Networks . . . . . . . . . . . . . . . . . 6 + 4.1. Shared Key Derivation . . . . . . . . . . . . . . . . . . 6 + 4.2. Server Greeting Message Update . . . . . . . . . . . . . 7 + 4.3. Set-Up-Response Update . . . . . . . . . . . . . . . . . 9 + 5. Security Considerations . . . . . . . . . . . . . . . . . . . 10 + 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 + 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 10 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 + 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 + 8.2. Informative References . . . . . . . . . . . . . . . . . 11 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 1. Introduction The One-way Active Measurement Protocol (OWAMP) [RFC4656] and the Two-Way Active Measurement Protocol (TWAMP) [RFC5357] can be used to measure network performance parameters, such as latency, bandwidth, and packet loss by sending probe packets and monitoring their experience in the network. In order to guarantee the accuracy of network measurement results, security aspects must be considered. Otherwise, attacks may occur and the authenticity of the measurement results may be violated. For example, if no protection is provided, an adversary in the middle may modify packet timestamps, thus altering the measurement results. - Cryptographic security mechanisms, such as IPsec, have been - considered during the early stage of the specification of the two - active measurement protocols mentioned above. However, due to - several reasons, it was decided to avoid tying the development and - deployment of O/TWAMP to such security mechanisms. In practice, for - many networks, the issues listed in [RFC4656], Sec. 6.6 with respect - to IPsec are still valid. However, we expect that in the near future - IPsec will be deployed in many more hosts and networks than today. - For example, IPsec tunnels may be used to secure wireless channels. - In this case, what we are interested in is measuring network - performance specifically for the traffic carried by the secured - tunnel, not over the wireless channel in general. This document - makes the case that O/TWAMP should be cognizant when IPsec and other - security mechanisms are in place and can be leveraged upon. In other - words, it is now time to specify how O/TWAMP is used in a network - environment where IPsec is already deployed. We expect that in such - an environment, measuring IP performance over IPsec tunnels with O/ - TWAMP is an important tool for operators. + The currently-standardized O/TWAMP security mechanism [RFC4656] + [RFC5357] requires that endpoints (i.e. both the client and the + server) possess a shared secret. In today's network deployments, + however, the use of pre-shared keys may not be optimal. For example, + in wireless infrastructure networks, certain network elements, which + can be seen as the two endpoints from an O/TWAMP perspective, support + certificate-based security. This is the case when one wants to + measure IP performance between an eNB and SeGW, for instance. Since + the currently standardized O/TWAMP security mechanism only supports + pre-shared key mode, large scale deployment of O/TWAMP is hindered + significantly. Furthermore, deployment and management of "shared + secrets" for massive equipment installation consumes a tremendous + amount of effort and is prone to human error. - For example, when considering the use of O/TWAMP in networks with - IPsec deployed, we can take advantage of the IPsec key exchange - protocol [RFC5996]. In particular, we note that it is not necessary - to use distinct keys in OWAMP-Control and OWAMP-Test layers. One key - for encryption and another for authentication is sufficient for both - Control and Test layers. This obviates the need to generate two keys - for each layer and reduces the complexity of O/TWAMP protocols in an - IPsec environment. This observation comes from the fact that - separate session keys in the OWAMP-Control and OWAMP-Test layers were - designed for preventing reflection attacks when employing the current - mechanism. Once IPsec is employed, such a potential threat is - alleviated. + With IKEv2 widely used, using keys derived from IKE SA as shared key + can be considered as a viable alternative. In mobile + telecommunication networks, the deployment rate of IPsec exceeds 95% + with respect to the LTE serving network. In older-technology + cellular networks, such as UMTS and GSM, IPsec use penetration is + lower, but still quite significant. If the shared key can be derived + from the IKE SA, O/TWAMP can support cert-based key exchange and make + it more flexible in practice and more efficient. The use of IKEv2 + also makes it easier to extend automatic key management. In general, + O/TWAMP measurement packets can be transmitted inside the IPsec + tunnel, as it occurs with typical user traffic, or transmitted + outside the IPsec tunnel. This may depend on the operator's policy + and is orthogonal to the mechanism described in this document. The remainder of this document is organized as follows. Section 3 - motivates this work by revisiting the arguments made in [RFC4656] - against the use of IPsec; this section also summarizes protocol - operation with respect to security. Section 4 presents a method of - binding O/TWAMP and IKEv2 for network measurements between a sender - and a receiver which both support IPsec. Finally, Section 5 - discusses the security considerations arising from the proposed - mechanisms. + summarizes O/TWAMP protocol operation with respect to security. + Section 4 presents a method of binding O/TWAMP and IKEv2 for network + measurements between the client and the server which both support + IKEv2. Finally, Section 5 discusses the security considerations + arising from the proposed mechanisms. 2. Terminology + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. -3. Motivation - - In order to motivate the solutions proposed in this document, let us - first revisit Section 6.6 of [RFC4656]. As we explain below, the - reasons originally listed therein may not apply in many cases today. - - RFC 4656 opts against using IPsec and instead favors the use of "a - simple cryptographic protocol (based on a block cipher in CBC mode)". - The first argument justifying this decision in [RFC4656] is that - partial authentication in OWAMP authentication mode is not possible - with IPsec. IPsec indeed cannot authenticate only a part of a - packet. However, in an environment where IPsec is already deployed - and actively used, partial authentication for OWAMP contradicts the - operational reasons dictating the use of IPsec. It also increases - the operational complexity of OWAMP (and TWAMP) in networks where - IPsec is actively used and may in practice limit its applicability. - - The second argument made is the need to keep separate deployment - paths between OWAMP and IPsec. In several currently deployed types - of networks IPsec is widely used to protect the data and signaling - planes. For example, in mobile telecommunication networks, the - deployment rate of IPsec exceeds 95% with respect to the LTE serving - network. In older technology cellular networks, such as UMTS and - GSM, IPsec use penetration is lower, but still quite significant. - Additionally, there is a great number of IPsec-based VPN applications - which are widely used in business applications to provide end-to-end - security over, for instance, publicly open or otherwise untrusted - IEEE 802.11 wireless LANs. At the same time, many IETF-standardized - protocols make use of IPsec/IKE, including MIPv4/v6, HIP, SCTP, BGP, - NAT and SIP, just to name a few. - - The third argument in [RFC4656] is that, effectively, the adoption of - IPsec in OWAMP may be problematic for "lightweight embedded devices." - However, since the publication of RFC 4656, a large number of - limited-resource and low-cost hardware, such as Ethernet switches, - DSL modems, set-top boxes and other such devices come with support - for IPsec "out of the box". Therefore concerns about implementation, - although likely valid a decade ago, are not well founded today. - - Finally, everyday use of IPsec applications by field technicians and - good understanding of the IPsec API by many programmers should no - longer be a reason for concern. On the contrary: By now, IPsec open - source code is available for anyone who wants to use it. Therefore, - although IPsec does need a certain level of expertise to deal with - it, in practice, most competent technical personnel and programmers - have no problems using it on a daily basis. - - OWAMP and TWAMP actually consist of two inter-related protocols: O/ - TWAMP-Control and O/TWAMP-Test. With respect to TWAMP, since "TWAMP - and OWAMP use the same protocol for establishment of Control and Test - procedures" [RFC5357] (Section 6), IPsec is also not considered. O/ - TWAMP-Control is used to initiate, start, and stop test sessions and - to fetch their results, whereas O/TWAMP-Test is used to exchange test - packets between two measurement nodes. +3. O/TWAMP Security - In the remainder of this section we review security for O/TWAMP- - Control and O/TWAMP-Test separately and then make the case for using - them over IPsec. + Security for O/TWAMP-Control and O/TWAMP-Test are reviewed separately + in this section. 3.1. O/TWAMP-Control Security O/TWAMP uses a simple cryptographic protocol which relies on o AES in Cipher Block Chaining (AES-CBC) for confidentiality o HMAC-SHA1 truncated to 128 bits for message authentication - Three modes of operation are supported: unauthenticated, - authenticated, and encrypted. The authenticated and encrypted modes + Three modes of operation are supported in the OWAMP-Control protocol: + unauthenticated, authenticated, and encrypted. Besides the above + three modes supported, the TWAMP-Control protocol also supports an + additional mode: mixed mode, i.e. the TWAMP-Control protocol operates + in encrypted mode while TWAMP-Test protocol operates in + unauthenticated mode. The authenticated, encrypted and mixed modes require that endpoints possess a shared secret, typically a passphrase. The secret key is derived from the passphrase using a password-based key derivation function PBKDF2 (PKCS#5) [RFC2898]. In the unauthenticated mode, the security parameters are left unused. - In the authenticated and encrypted modes, security parameters are - negotiated during the control connection establishment. + In the authenticated, encrypted and mixed modes, the security + parameters are negotiated during the control connection + establishment. Figure 1 illustrates the initiation stage of the O/TWAMP-Control protocol between a client and the server. In short, the client opens - a TCP connection to the server in order to be able to send OWAMP- + a TCP connection to the server in order to be able to send O/TWAMP- Control commands. The server responds with a Server Greeting, which contains the Modes, Challenge, Salt, Count, and MBZ fields (see Section 3.1 of [RFC4656]). If the client-preferred mode is available, the client responds with a Set-Up-Response message, wherein the selected Mode, as well as the KeyID, Token and Client IV are included. The Token is the concatenation of a 16-octet Challenge, a 16-octet AES Session-key used for encryption, and a 32-octet HMAC-SHA1 Session-key used for authentication. The Token is encrypted using AES-CBC. @@ -242,43 +181,43 @@ |<---- Greeting message ----| | | |----- Set-Up-Response ---->| | | |<---- Server-Start --------| | | Figure 1: Initiation of O/TWAMP-Control Encryption uses a key derived from the shared secret associated with - KeyID. In the authenticated and encrypted modes, all further + KeyID. In the authenticated, encrypted and mixed modes, all further communication is encrypted using the AES Session-key and - authenticated with the HMAC Session-key. The client encrypts - everything it transmits through the just-established O/TWAMP-Control - connection using stream encryption with Client-IV as the IV. - Correspondingly, the server encrypts its side of the connection using - Server-IV as the IV. The IVs themselves are transmitted in - cleartext. Encryption starts with the block immediately following - that containing the IV. + authenticated with the HMAC Session-key. After receiving Set-Up- + Response the server responds with a Server-Start message containing + Server-IV. The client encrypts everything it transmits through the + just-established O/TWAMP-Control connection using stream encryption + with Client- IV as the IV. Correspondingly, the server encrypts its + side of the connection using Server-IV as the IV. The IVs themselves + are transmitted in cleartext. Encryption starts with the block + immediately following that containing the IV. The AES Session-key and HMAC Session-key are generated randomly by the client. The HMAC Session-key is communicated along with the AES Session-key during O/TWAMP-Control connection setup. The HMAC Session-key is derived independently of the AES Session-key. 3.2. O/TWAMP-Test Security - The O/TWAMP-Test protocol runs over UDP, using the sender and - receiver IP and port numbers that were negotiated during the Request- - Session exchange. O/TWAMP-Test has the same three modes as with O/ - TWAMP-Control (unauthenticated, authenticated, and encrypted) and all - O/TWAMP-Test sessions inherit the corresponding O/TWAMP-Control - session mode. + The O/TWAMP-Test protocol runs over UDP, using the client and server + IP and port numbers that were negotiated during the Request-Session + exchange. O/TWAMP- Test has the same mode with O/TWAMP-Control and + all O/TWAMP-Test sessions inherit the corresponding O/TWAMP-Control + session mode except when operating in mixed mode. The O/TWAMP-Test packet format is the same in authenticated and encrypted modes. The encryption and authentication operations are, however, different. Similarly with the respective O/TWAMP-Control session, each O/TWAMP-Test session has two keys: an AES Session-key and an HMAC Session-key. However, there is a difference in how the keys are obtained: O/TWAMP-Control: the keys are generated by the client and communicated to the server during the control connection @@ -299,165 +238,82 @@ 3.3. O/TWAMP Security Root As discussed above, the AES Session-key and HMAC Session-key used in the O/TWAMP-Test protocol are derived from the AES Session-key and HMAC Session-key which are used in O/TWAMP-Control protocol. The AES Session-key and HMAC Session-key used in the O/TWAMP-Control protocol are generated randomly by the client, and encrypted with the shared secret associated with KeyID. Therefore, the security root is the shared secret key. Thus, for large deployments, key provision and management may become overly complicated. Comparatively, a - certificate-based approach using IKEv2/IPsec can automatically manage - the security root and solve this problem, as we explain in Section 4. - -3.4. O/TWAMP and IPsec - - According to [RFC4656] the "deployment paths of IPsec and OWAMP could - be separate if OWAMP does not depend on IPsec." However, the problem - that arises in practice is that the security mechanism of O/TWAMP and - IPsec cannot coexist at the same time without adding overhead or - increasing complexity. - - IPsec provides confidentiality and data integrity to IP datagrams. - Distinct protocols are provided: Authentication Header (AH), - Encapsulating Security Payload (ESP) and Internet Key Exchange (IKE - v1/v2). AH provides only integrity protection, while ESP can also - provide encryption. IKE is used for dynamical key negotiation and - automatic key management. - - When sender and receiver implement O/TWAMP over IPsec, they need to - agree on a shared secret key during the IPsec tunnel establishment. - Subsequently, all IP packets sent by the sender are protected. If - the AH protocol is used, IP packets are transmitted in plaintext. - - The authentication part covers the entire packet. So all test - information, such as UDP port number, and the test results will be - visible to any attacker, which can intercept these test packets, and - introduce errors or forge packets that may be injected during the - transmission. In order to avoid this attack, the receiver must - validate the integrity of these packets with the negotiated secret - key. If ESP is used, IP packets are encrypted, and hence only the - receiver can use the IPsec secret key to decrypt the IP packet, and - obtain the test data in order to assess the IP network performance - based on the measurements. Both the sender and receiver must support - IPsec to generate the security secret key of IPsec. - - Currently, after the test packets are received by the receiver, it - cannot execute active measurement over IPsec. That is because the - receiver knows only the shared secret key but not the IPsec key, - while the test packets are protected by the IPsec key ultimately. - Therefore, it needs to be considered how to measure IP network - performance in an IPsec tunnel with O/TWAMP. Without this - functionality, the use of OWAMP and TWAMP over IPsec is hindered. - - Of course, backward compatibility should be considered as well. That - is, the intrinsic security method based on shared key as specified in - the O/TWAMP standards can also still be suitable for other network - settings. There should be no impact on the current security - mechanisms defined in O/TWAMP for other use cases. This document - describes possible solutions to this problem which take advantage of - the secret key derived by IPsec, in order to provision the key needed - for active network measurements based on [RFC4656] and [RFC5357]. + certificate-based approach using IKEv2 can automatically manage the + security root and solve this problem, as we explain in Section 4. 4. O/TWAMP for IPsec Networks This section presents a method of binding O/TWAMP and IKEv2 for network measurements between a client and a server which both support IPsec. In short, the shared key used for securing O/TWAMP traffic is derived using IKEv2 [RFC5996]. 4.1. Shared Key Derivation - If the AH protocol is used, the IP packets are transmitted in - plaintext, but all O/TWAMP traffic is integrity-protected by IPsec. - Therefore, even if the peers choose to opt for the unauthenticated - mode, IPsec integrity protection is extended to O/TWAMP. In the - authenticated and encrypted modes, the shared secret can be derived - from the IKEv2 Security Association (SA), or IPsec SA. + In the authenticated, encrypted and mixed modes, the shared secret + key can be derived from the IKEv2 Security Association (SA). Note + that we explicitly opt to derive the shared secret key from the IKE + SA, rather than the child SA, since the use case whereby an IKE SA + can be created without generating any child SA is possible [RFC6023]. - If the shared secret key is derived from the IKEv2 SA, SKEYSEED must - be generated firstly. SKEYSEED and its derivatives are computed as - per [RFC5996], where prf is a pseudorandom function: + If the shared secret key is derived from the IKE SA, SKEYSEED must be + generated first. SKEYSEED and its derivatives are computed as per + [RFC5996], where prf is a pseudorandom function: SKEYSEED = prf( Ni | Nr, g^ir ) Ni and Nr are, respectively, the initiator and responder nonces, which are negotiated during the initial exchange (see Section 1.2 of [RFC5996]). g^ir is the shared secret from the ephemeral Diffie- - Hellman exchange and is represented as a string of octets. Note that - this SKEYSEED can be used as the O/TWAMP shared secret key directly. - - Alternatively, the shared secret key can be generated as follows: - - Shared secret key = PRF{ SKEYSEED, Session ID } - - wherein the Session ID is the O/TWAMP-Test SID. - - If the shared secret key is derived from the IPsec SA, instead, the - shared secret key can be equal to KEYMAT, wherein - - KEYMAT = prf+( SK_d, Ni | Nr ) + Hellman exchange and is represented as a string of octets. - The term "prf+" stands for a function that outputs a pseudorandom - stream based on the inputs to a prf, while SK_d is defined in - [RFC5996] (Sections 2.13 and 1.2, respectively). The shared secret - key can alternatively be generated as follows: + The shared secret key can be generated as follows: - Shared secret key = PRF{ KEYMAT, Session ID } + Shared secret key = PRF{ SKEYSEED, "IPPM" } - wherein the session ID is is the O/TWAMP-Test SID. + The shared secret key is derived in the IPsec layer. Thus, the IPsec + keying material is not be exposed to the O/TWAMP client. Note that + the interaction between the O/TWAMP and IPsec implementations is + outside the scope of this document, which focuses on the interaction + between the O/TWAMP client and server. Of course, extracting the + shared secret key from the IPsec layer can depend on the + implementation. One possible way could be the following: at the + client side, the IPSec layer can perform a lookup in the Security + Association Database (SAD) using the IP address of the server and + thus match the corresponding IKE SA. At the server side, the IPSec + layer can look up the corresponding IKE SA by using the SPIs sent by + the client, and therefore extract the shared secret key. - If rekeying for the IKE SA and IPsec SA occurs, the corresponding key - of the SA is updated. Generally, ESP and AH SAs always exist in - pairs, with one SA in each direction. If the SA is deleted, the key - generated from the IKE SA or IPsec SA should also be updated. + If rekeying for the IKE SA or deletion of the IKE SA occurs, the + corresponding shared secret key generated from the SA can continue to + be used until the lifetime of the shared secret key expires. 4.2. Server Greeting Message Update - As discussed above, a binding association between the key generated - from IPsec and the O/TWAMP shared secret key needs to be considered. - The Security Association (SA) can be identified by the Security - Parameter Index (SPI) and protocol uniquely for a given sender and - receiver pair. Therefore, these parameters should be agreed upon - during the initiation stage of O/TWAMP-Control. At the stage that - the sender and receiver negotiate the integrity key, the IPsec - protocol and SPI MUST be checked. Only if the two parameters are - matched with the IPsec information, MUST the O/TWAMP connection be - established. - - The Security Parameter Index (SPI) and protocol type (see [RFC4301] - [RFC5996]) will need to be included in the Server Greeting of the O/ - TWAMP-Control protocol depicted in Figure 1. After the client - receives the greeting, it MUST close the connection if it receives a - greeting with an erroneous SPI and protocol value (Figure 2). - Otherwise, the client SHOULD generate the shared secret key as - discussed in Section 4.1 and respond with the server-expected Set-Up- - Response message. - - The Modes field in Figure 2 will need to allow for support of key - derivation as discussed in Section 4.1. As such, pending discussion - in the IPPM WG, Modes value 8 MUST be supported by compatible - implementations, indicating support for IPsec. Server - implementations compatible with this document MUST set the first 28 - bits of the Modes field to zero. A client compatible with this - specification MUST ignore the first 28 bits of the Modes field. For - backward compatibility, the server is obviously allowed to indicate - support for the Modes defined in [RFC4656] + To achieve a binding association between the key generated from IKE + and the O/TWAMP shared secret key, Server Greeting Message should be + updated as in Figure 2. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Protocol | - |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | SPIi | - |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | SPIr | + | | + | Unused (12 octets) | + | | |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Modes | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Challenge (16 octets) | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Salt (16 octets) | @@ -466,265 +322,129 @@ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Count (4 octets) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | MBZ (12 octets) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2: Server Greeting format - A compatible O/TWAMP client implementation would then interpret the - originally unused 12 bits of the Server Greeting (see sec. 3.1 of - [RFC4656]) as follows: The first 4 octets of the Server Greeting - message indicate the protocol type, while the following 8 octets - indicate the initiator (SPIi) and responder (SPIr) SPIs as - illustrated in Figure 2. Note that in this case, the remaining - fields of the Server Greeting message remain as per [RFC4656]. - - EDITOR'S NOTE: - We expect that this implementation option would pose the least - backwards compatibility problems to existing O/TWAMP clients. - Robust client implementations of [RFC4656] would disregard that - the 29th Modes bit in the Server Greeting is set, and should - ignore the information contained in the newly defined fields - (Protocol, SPIi, SPIr). If the server supports other Modes, as - one would assume, the client would then indicate any of the - Modes defined in [RFC4656] and effectively indicate that it - does not support the IPsec mode. At this point, the Server - would need to use the Modes defined in [RFC4656] only. - - When using ESP, all IP packets are encrypted, and therefore only the - receiver can use the IPsec key to decrypt the IP active measurement - packets. In this case, the IPsec tunnel between the sender and - receiver provides additional security: even if the peers choose the - unauthenticated mode, IPsec encryption and integrity protection is - provided to O/TWAMP. If the sender and receiver decide to use the - authenticated or encrypted mode, the shared secret can also be - derived from IKE SA or IPsec SA. The method for key generation and - binding association is the same discussed above for the AH protocol - mode. - - There is an encryption-only configuration in ESP, though this is not - recommended due to its limitations. Since it does not produce - integrity key in this case, either encryption-only ESP should be - prohibited for O/TWAMP, or a decryption failure should be - distinguished due to possible integrity attack. - -4.3. Session Key Derivation - - Section 4.1 described a method for deriving the shared key for O/ - TWAMP by capitalizing on IPsec. This is a step forward in terms of - facilitating O/TWAMP deployment at scale in IPsec networks as it - allows for greater and secure automation of standardized network - performance measurements. We note, however, that the O/TWAMP - protocol uses distinct encryption and integrity keys for O/TWAMP- - Control and O/TWAMP-Test. Consequently, four keys are generated to - protect O/TWAMP-Control and O/TWAMP-Test messages. - - In fact, once IPsec is employed, one key for encryption and another - for authentication is sufficient for both the Control and Test - protocols. Therefore, in an IPsec environment we can further reduce - the operational complexity of O/TWAMP protocols in a straightforward - manner, as discussed below. - - EDITOR'S NOTE: - We expect that both session key derivation proposals and - optimization alternatives will be discussed in the IPPM working - group and we are looking forward to community comments and - feedback. - -4.3.1. Alternative 1 - - If an IPsec SA is established between the server and the client, or - both server and client support IPsec, the root key for O/TWAMP-based - active network measurements can be derived from the IKE or IPsec SA. - - If the root key that will be used in O/TWAMP network performance - measurements is derived from the IKE SA, SKEYSEED must be generated - first. SKEYSEED and its derivatives are computed as per [RFC5996]. - SKEYSEED can be used as the root key of O/TWAMP directly; then the - root key of O/TWAMP is equal to SKEYSEED. If the root key of O/TWAMP - is derived from the IPsec SA, the shared secret key can be equal to - KEYMAT. KEYMAT and its derivatives are computed as per usual - [RFC5996]. - - Then, the session keys for encryption and authentication can be - derived from the root key of O/TWAMP, wherein: - - Session key for enc = PRF{ root key of O/TWAMP, "O/TWAMP enc" } + The Modes field in Figure 2 will need to allow for support of key + derivation as discussed in Section 4.1. As such, pending discussion + in the IPPM WG, Modes value 8 extension MUST be supported by + implementations compatible with this document, indicating support for + deriving shared key from IKE SA. Modes value 16 indicates + authenticated mode; Modes value 32 indicates encrypted mode; and + Modes value 64 indicates mixed mode over IKEv2. - Session key for auth = PRF{ root key of O/TWAMP, "O/TWAMP auth" } + Authenticated mode over IKEv2 means that the client and server + operate in authenticated mode with the shared secret key derived from + IKE SA. Encrypted mode over IKEv2 means that the client and server + operate in encrypted mode with the shared secret key derived from IKE + SA. Mixed mode over IKEv2 means that the client and server operate + in encrypted mode for the O/TWAMP-Control protocol while operating in + unauthenticated mode for the O/TWAMP-Test protocol with shared secret + key derived from IKE SA. - The former can provide encryption protection for O/TWAMP-Control and - O/TWAMP-Test messages, while the latter can provide integrity - protection. + Server implementations compatible with this document MUST set the + first 25 bits of the Modes field to zero. A client compatible with + this specification MUST ignore the first 25 bits of the Modes field. - Note that there are cases where rekeying the IKE SA and IPsec SA is - necessary, and after which the corresponding key of SA is updated. - If the SA is deleted, the O/TWAMP shared key generated from the IKE - SA or IPsec SA should also be updated. + For backward compatibility, the server is obviously allowed to + indicate support for the Modes defined in [RFC4656] - EDITOR'S NOTE: + The choice of this set of Modes values poses the least backwards + compatibility problems to existing O/TWAMP clients. Robust client + implementations of [RFC4656] would disregard that the first 29 Modes + bits in the Server Greeting is set. If the server supports other + Modes, as one would assume, the client would then indicate any of the + Modes defined in [RFC4656] and effectively indicate that it does not + support key derivation from IKE. At this point, the Server would + need to use the Modes defined in [RFC4656] only. - In addition to optimizing session key derivation, we can also - reduce the verbosity of the Server Greeting and Set-Up-Response - messages, as explained below. Note, however, that such O/TWAMP - message simplification poses backward compatibility challenges, - which should be discussed in the IPPM WG. +4.3. Set-Up-Response Update - In this optimization, the O/TWAMP-Control message exchange flow - remains as per Figure 1. However, the optimized Server Greeting - (Figure 3) can do without the Salt and Count parameters (cf. Figure - 2) since the root key of O/TWAMP is derived from IKE SA or IPsec SA. - O/TWAMP security can rely on IPsec and the SPI can uniquely identify - the IPsec SA from which the root key was derived from. + The Set-Up-Response Message should be updated as in Figure 3. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Protocol | - |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | SPIi | - |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | SPIr | - |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Modes | + | Mode | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | - | Challenge (16 octets) | - | | - | | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Key ID (80 octets) | | | - | MBZ (12 octets) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - - Figure 3: Optimized Server Greeting format - - The format of the Set-Up-Response is illustrated in Figure 4. The - Token carried in the Set-Up-Response is calculated as follows: - - Token = Enc_root-key( Challenge ) - - where Challenge is the value received earlier in the Server Greeting - (Figure 3) - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Mode | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Token (16 octets) | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Client-IV (12 octets) | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - Figure 4: Set-Up-Response in Alternative 1 - - If the server authenticates the token successfully, then the O/TWAMP- - Control message exchange flow can continue. - -4.3.2. Alternative 2 - - Another way for optimizing the shared key use is to set the O/TWAMP - session keys equal to the keys of the IPsec SA directly, i.e: - - Session key for enc = encryption key of the IPsec SA - - Session key for auth = integrity key of the IPsec SA - - The former session key can provide encryption protection for O/TWAMP- - Control and O/TWAMP-Test messages, while the latter can provide - integrity protection. The point made in the previous subsection - about rekeying the IPsec SA applies here too. - - EDITOR'S NOTE: - As noted in the previous subsection, here too we can reduce the - verbosity of the Server Greeting and Set-Up-Response messages - even further, as explained below. Note, however, that such O/ - TWAMP message simplification poses backward compatibility - challenges, which should be discussed in the IPPM WG. - - The O/TWAMP control message exchange flow remains the same (i.e. as - per Figure 1), while the Server Greeting format is illustrated in - Figure 5. The Challenge, Salt, and Count parameters can be - eliminated since the session keys of O/TWAMP are equal to the keys of - an IPsec SA directly. SPI can identify the IPsec SA where the - session keys derived from. The similarly optimized Set-Up-Response - message is illustrated in Figure 6. - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Protocol | - |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | SPIi | - |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | SPIr | - |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Modes | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | | - | MBZ (12 octets) | - | | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + Figure 3: Set-Up-Response Message - Figure 5: Optimized Server Greeting format + The Security Parameter Index (SPI)(see [RFC4301] [RFC5996]) can + uniquely identify the Security Association (SA). If the client + supports the derivation of shared secret key from IKE SA, it will + choose the corresponding mode value and carry SPIi and SPIr in the + KeyID field. SPIi and SPIr are included in Key ID field of Set-Up- + Response Message to indicate the IKE SA which O/TWAMP shared secret + key derived from. The length of SPI is 4 octets. The first 4 octets + of Key ID field carries SPIi and the second 4 octets carries SPIr. + The rest bits of the Key ID field is set to zero. - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Mode | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | | - | Client-IV (12 octets) | - | | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + A server which supports deriving shared secret from an IKE SA can + obtain the SPIi and SPIr from the first 8 octets and ignore the rest + octets of the Key ID field. Then, the client and the server can + derive the shared secret key based on the mode value and SPI. - Figure 6: Set-Up-Response in Alternative 2 + If the server can not find the IKE SA corresponding to the SPIi and + SPIr, the Accept field of Server-Start message is extended to + indicate that. Accept value 6 can be used to indicate that server is + not willing to conduct further transactions in this OWAMP-Control + session since it can not find the corresponding IKE SA. 5. Security Considerations - As the shared secret key is derived from IPsec, the key derivation - algorithm strength and limitations are as per [RFC5996]. The - strength of a key derived from a Diffie-Hellman exchange using any of - the groups defined here depends on the inherent strength of the - group, the size of the exponent used, and the entropy provided by the - random number generator employed. The strength of all keys and + As the shared secret key is derived from the IKE SA, the key + derivation algorithm strength and limitations are as per [RFC5996]. + The strength of a key derived from a Diffie-Hellman exchange using + any of the groups defined here depends on the inherent strength of + the group, the size of the exponent used, and the entropy provided by + the random number generator employed. The strength of all keys and implementation vulnerabilities, particularly Denial of Service (DoS) attacks are as defined in [RFC5996]. - EDITOR'S NOTE: - As a general note, the IPPM community may want to revisit the - arguments listed in [RFC4656], Sec. 6.6. Other widely-used - Internet security mechanisms, such as TLS and DTLS, may also be - considered for future use over and above of what is already - specified in [RFC4656] [RFC5357]. + As a more general note, the IPPM community may want to revisit the + arguments listed in [RFC4656], Sec. 6.6. Other widely-used Internet + security mechanisms, such as TLS and DTLS, may also be considered for + future use over and above of what is already specified in [RFC4656] + [RFC5357]. 6. IANA Considerations - IANA may need to allocate additional values for the Modes options - presented in this document. The values of the protocol field may - need to be assigned from the numbering space. + + IANA will need to allocate additional values for the Modes options + presented in this document. 7. Acknowledgments Emily Bi contributed to an earlier version of this document. - We thank Eric Chen and Yakov Stein for their comments on this draft, - and Al Morton for the discussion on related earlier work in IPPM WG. + We thank Eric Chen, Yakov Stein, and John Mattsson for their comments + on this draft, and Al Morton for the discussion on related earlier + work in IPPM WG. 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC4656] Shalunov, S., Teitelbaum, B., Karp, A., Boote, J., and M. Zekauskas, "A One-way Active Measurement Protocol @@ -739,34 +459,39 @@ 5996, September 2010. 8.2. Informative References [RFC2898] Kaliski, B., "PKCS #5: Password-Based Cryptography Specification Version 2.0", RFC 2898, September 2000. [RFC4301] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005. + [RFC6023] Nir, Y., Tschofenig, H., Deng, H., and R. Singh, "A + Childless Initiation of the Internet Key Exchange Version + 2 (IKEv2) Security Association (SA)", RFC 6023, October + 2010. + Authors' Addresses Kostas Pentikousis (editor) EICT GmbH Torgauer Strasse 12-15 10829 Berlin Germany Email: k.pentikousis@eict.de + Yang Cui Huawei Technologies Otemachi First Square 1-5-1 Otemachi Chiyoda-ku, Tokyo 100-0004 Japan Email: cuiyang@huawei.com - Emma Zhang Huawei Technologies Huawei Building, Q20, No.156, Rd. BeiQing Haidian District , Beijing 100095 P. R. China Email: emma.zhanglijia@huawei.com